Chartered Project Professional – Competence 8: Knowledge; Risk…

Paul Naybour

In this competence for Chartered Project Professional (ChPP) you need you need to show that you have the theoretical knowledge to be able to :

  1. Evaluate the function of risk and issue management plans and registers in the context of a project;
  2. Analyse approaches to risk identification;
  3. Analyse qualitative and quantitative methods to assess risk in the context of a project;
  4. Evaluate the importance of risk and issue impact assessments within the context of a project;
  5. Critically evaluate approaches to impact assessments and response planning;
  6. Evaluate the function of a change control process in the management of risks and issues.

So, here we are going to try an help you navigate the criteria in preparation for the interview. When we are talking about these we will be making the assumption that you have knowledge at a level of at least the APM Project Management Qualification (APM PMQ) or equivalent.

Evaluate the function of risk and issue management plans and registers in the context of a project;

As a professional project manager, the assessors will expect you to have a structured and systematic approach to risk management. This means considering the most appropriate risk management approaches as part of the planning processes at the start of the project. It may be that you have not been part of that and in this case, you will need to have a comprehensive understanding of the processes adopted by your project and of those of the organisation within which you are working. You will need to be aware that the risk management approach needs to be tailored to reflect the risk in the project. If it is a simple low-risk project, similar to many other projects in your organisation, then a simple risk approach may be appropriate. Simple could mean a basic risk register using qualitative analysis, updated once a quarter. For a highly complex project with multiple teams and contractors, you might decide that you need an online multi-level risk management tool with full quantitative assessment and a dedicated risk manager.

The critical thing is that these are conscious and pro-active decisions taken by the project management team and advisors, including the sponsor. As a professional PM you need to demonstrate that you have considered all the angles and arrived at a consensus of what is appropriate. Moreover, your approach to risk management will not just simply develop as the project does, or that you blindly follow the company process without considering if it needs to be adapted to fit the risk profile of your project. For example, if your company standard says that risks are reviewed at key gates, you could decide that this needs to be complemented by a monthly update of the top ten risks. Importantly you may well be challenged to defend your choices as to why you chose one method over another. Was it cheaper, quicker, more effective, part of a bigger strategy, etc.

It would be expected that these decisions are documented in the policy and procedures part of the project management plan and for larger project in the risk management plan. These are procedural documents which define who is responsible for risk management, how the risk will be recorded and reported, what identification and analysis techniques will be used and what the options are for the mitigation of them.

It may also be appropriate to use different levels of risk analysis at various stages in the project lifecycle. So, for example, early in the project, it may be that a high-level risk analysis is sufficient to support a business case or if you are a contractor, your decision to bid. A more detailed risk analysis may be appropriate for a commissioning or go live phase of a project.

For more details on the risk management plan visit

Checklist questions

  1. Can you demonstrate a considered approach to risk management?
  2. Have your decisions on the risk management process been documented?
  3. How have you adapted the generic risk management process to fit the risk profile of your project? And why?

Analyse approaches to risk identification;

The APM Body of Knowledge identifies several risk identification techniques from brainstorming to Delphi processes. They all have their strengths and weaknesses. The important thing here is that you do not rely on any single method and that you have a reasonable justification for the method(s) you have chosen. So, for example, within a project with many repeatable processes, such as house building, a checklist may be the most appropriate primary approach. This may include simply a list of things that are well known and understood such as poor ground conditions, weather or reliability of sub-contractors. This is in contrast to a project where a new or a novel technology is being implemented. Here the creative benefits of brainstorming might be valuable or the engagement of many experts using a Deplhi technique may be better. In many projects, a combination of different identification techniques may be required to give a complete understanding of the risks.

They will also expect you to have a clear understanding of the difference between a cause, risk and effect; the cause being the underlying fact that creates the risk. These often come from the project context. So, for example, the use of novel technology is a cause of many risks, not a risk in itself. The risk is the uncertainty that flows from the cause. So, the use of novel technology may cause problems with reliability during the commissioning phase or a shortage of people with the necessary skills. The effect is the impact of the risk on the project’s success criteria, delivery on time, cost and to quality. So the problem’s with novel technology may cause the delays during the commissioning phase of the projects. Read more about cause risk and effect here

The assessors will be looking for the approach you used to determine which of these were used and why. The strengths and weaknesses of the various techniques are well documented, and you should appraise yourself of them to help you. For example, Brainstorming is good at eliciting lots of ideas quickly, but it can be expensive. Checklists are good but of course there is a danger you only bother about the risks on the log and forget about others that are not on the log.

Checklist questions

  1. How did you decide which risk identifications would be appropriate for the project?
  2. What different risk identification techniques did you consider and why did you select the ones you used?
  3. Have you clearly differentiated between cause, risk and effect in your risk descriptions?

Analyse qualitative and quantitative methods to assess risk in the context of a project;

Again, as a project manager, you have a wide range of options for risk analysis. These could range from a simple 3×3 probability impact grid to a full quantitative assessment using Monte Carlo analysis. There reasons for doing this are to

  1. Identify the most significant priority risks for the project and
  2. Establish the initial and residual risk exposure to the project, and therefore the potential for impact on cost and time.

Of these, understanding the high priority risks is by far the most important and can most efficiently be accomplished using a simple probability impact grid. However here you also have some choices. For a simple project a 3×3 grid using high, medium and low scales might be best, but for a more complex project, a 5×5 grid using a weighting towards impact might work the best. You might also want to consider developing a project-specific scale which helps to consistently define the meaning of very high probability or impact. Again, these decisions would be documented in the risk management plan or the project management plan as part of consolidated planning. For more on qualitative risk assessments visit

For some projects, it may be appropriate to calculate the overall risk exposure using Monti Carlo simulation methods. This is not a replacement for qualitative analysis, but it provides additional confirmation of the prudent contingency needed for the project. These techniques can help predict cost and time-based contingencies. A detailed discussion of quantitative analysis is beyond the scope of this post, but in summary, the analysis involves the following steps

  1. Building a risk-based model for the project based on either the risk register (for cost analysis) or a simplified schedule for time-based analysis.
  2. Evaluating the likelihood of risk events as a percentage probability and the impact as a three-point estimate (best case, most likely and worst case)
  3. Modelling the risk exposure using a risk analysis tool. Usually, this is where most project managers use the services of a specialist risk analyst.
  4. Reviewing the reports generated to understand the overall risk exposure. These are expressed typically as probability statements such as “This project has an 80% (P80) chance of completing within this budget” or “This project has a 50% (P50) chance of completing within this timescale.
  5. Optimising the risk exposure by identifying the key risk drivers (using correlation analysis) and building in additional risk reduction measures to reduce the overall risk exposure.
  6. Reporting the results of the analysis and taking a decision on the project strategy, e.g. do we defer the end date of the project or can we change the causes of some of the significant risks.

In practice, this level of analysis can be a significant undertaking in terms of time and money and as a project manager you need to be convinced that the additional rigour and insight will be worth the effort involved. For more information about quantitative risk analysis visit this link

Checklist questions

  1. What options did you consider for risk analysis?
  2. Why did you choice to analyse your risk in the way you did?

Evaluate the importance of risk and issue impact assessments within the context of a project;

Having evaluated the individual risk, the assessors will be expecting you to evaluate the overall risk exposure in the project. They will expect these reviews to occur at critical gates in the project lifecycle such as approval of the business case/decision to bid, before the project management plan is baselined, before any commissioning or go live events and as part of a lessons learned review at the end of the project. These evaluations can also occur if the project risk is likely to push the project beyond its tolerance, such that it exceeds its overall approved budget or is going to be significantly late. This would include evaluating its’ overall impact on the project business case or decision to bid for the project.

It may be that after evaluating the project risk it is decided to not proceed with the project or that the target dates, scope and cost plans may need to be re-baselined. Often, for example, it may become clear that the full scope is not achievable, and the risk review can trigger a realistic appraisal of the project scope and stakeholder expectations. Typically, this may include de-scoping the risky elements of the project. If you are working for a contractor, the risk assessment may lead to a decision not to bid for the project.

It is important for ChPP that you can show that these key strategic decisions are informed by risk management and are not just driven by events.

Checklist questions

  1. How did an evaluation of the overall risk exposure inform the decisions taken on the project?

Critically evaluate approaches to impact assessments and response planning;

Having identified and prioritised the key project risks the next and arguably the most crucial step is to design and implement risk reduction measures or actions. Here they will be looking for a structured approach to the identification of risk owners, action owners and risk reduction budgets. Together with rigorous ways of making sure that risk reduction measures are implemented effectively. How are these tracked and monitored? They will expect you to know the different types of risk reduction strategy (avoid, transfer, reduce and accept) and how these have been applied practically.

Here you should also be able to discuss any secondary risks generated as a result of your risk reduction measures. So, for example, upgrading to the latest server software might reduce some risks but introduces the additional risk of incompatibility.

Here they are asking for a critical evaluation. This means understanding the strengths and weaknesses of your approaches and how they could be improved in the future. What worked what didn’t work? What risk did you successfully identify and manage, which risk caught you unawares and how could you have anticipated these risks in advance

Checklist Questions

  1. What process did you use to manage risk responses?
  2. How effective were these risk responses?
  3. What could you have done better to improve the effectiveness of these responses?

Evaluate the function of a change control process in the management of risks and issues.

The progressive implementation of changes can significantly increase risk. What starts out as a project with a reasonable level of risk can soon become increasingly risky as changes are implemented. Each change might in itself, only have a minor impact on the risk profile, but the cumulative effect can be disastrous for the project. Therefore they expect you to integrate risk and issue management into the change control process. We should be evaluating the impact of each change or issue on the overall risk exposure. The key question is to what extent does this change or issue increase the level of risk in the project? They will expect you to say how the evaluation of risk is implemented as part of the change control and issue management approach. What examples can you present that describe how risk management was used to inform decisions on changes.

Check List Questions

  1. How is risk management integrated into your change control process?
  2. Can you describe a change assessment that was informed by the evaluation of the impact on the project risk?
  3. How effective was your evaluation of the impact of changes on the overall risk profile for the project?

We hope you found this Chartered Project Professional post useful and informative. For more posts in this series, please subscribe to our newsletter. If you need any further advice on how to become a Chartered Project Professional, please do get in touch. Remember at Parallel we’re with you all the way.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Upcoming Courses

Scroll to Top