Module 40: Project Management
Every project is a controlled introduction of change — and change is where new risk lives.
Project management ensures that:
- Scope is controlled
- Risks are identified early
- Controls are embedded during design
- Governance oversight exists
- Stakeholders are aligned
- Risk treatment is integrated into delivery
CRISC evaluates project governance — not scheduling techniques.
What the exam is really testing
When project management appears, CRISC is asking:
- Was risk assessed before execution?
- Are risks tracked throughout the project lifecycle?
- Is scope creep controlled?
- Are security and control requirements embedded early?
- Is governance oversight maintained?
- Are residual risks formally accepted?
Projects add inherent risk; if that risk is not managed, it goes untreated and exposure rises.
Risk in project lifecycle
Projects introduce risk through:
- New technology deployment
- System integration
- Vendor onboarding
- Data migration
- Organizational restructuring
- Cloud migration
- Regulatory change implementation
Each phase creates exposure.
Risk must be managed continuously.
Risk identification in projects
Effective project governance includes:
- Early risk assessment
- Risk register integration
- Control requirements definition
- Security-by-design principles
- Stakeholder engagement
- Escalation thresholds
CRISC favors proactive risk inclusion — not post-launch correction.
Scope creep risk
Uncontrolled scope changes lead to:
- Budget overruns
- Timeline delays
- Control bypass
- Security compromise
- Compliance gaps
Scope creep without risk reassessment increases exposure.
CRISC frequently tests scope control discipline.
Example scenario
A project adds new functionality late in development without reassessing risk impact.
Primary governance weakness?
A. Failure to reassess risk due to scope change
B. Strong mitigation
C. Excessive appetite
D. Weak inherent risk
Correct answer:
A. Failure to reassess risk due to scope change
Scope changes require risk reassessment.
Risk ownership in projects
Who owns risk during a project?
Still the business.
Project managers coordinate.
Security advises.
Business accepts or rejects risk.
CRISC maintains ownership discipline even during transformation.
Security & control integration
Controls should be:
- Designed into the system early
- Aligned to architecture
- Embedded in requirements
- Tested before deployment
- Integrated into change management
If security is added after deployment, cost and exposure increase.
CRISC favors “security by design.”
Vendor & third-party projects
Projects involving vendors require:
- Due diligence
- Contractual control requirements
- SLA monitoring
- Data protection provisions
- Escalation clarity
Vendor-led projects do not transfer accountability: the organization remains accountable for the risk even when the vendor performs the work.
Project risk monitoring
Project governance should include:
- Risk tracking logs
- Escalation thresholds
- Residual risk documentation
- KPI/KRI integration
- Milestone validation
- Post-implementation review
If risk logs are maintained but not reviewed, governance fails.
Example scenario
A project completes on time and within budget, but security requirements were deferred to a later phase.
Most significant concern?
A. Strong governance
B. Excessive mitigation
C. Residual risk accepted without formal review
D. Reduced inherent risk
Correct answer:
C. Residual risk accepted without formal review
Security deferral without formal acceptance increases exposure.
Post-implementation review
After deployment:
- Validate control effectiveness
- Reassess residual risk
- Update risk register
- Document lessons learned
- Adjust monitoring
Project completion ≠ risk elimination.
The most common exam mistakes
A project that finishes on time and on budget can still be a risk governance failure. If scope changed without risk reassessment, if controls were deferred, or if the business never formally accepted residual risk, the project delivered a product — not a governed outcome. The exam tests whether you see past delivery metrics to the underlying risk discipline.
Try this one
A high-priority transformation project bypasses formal risk assessment due to executive urgency.
What governance principle is MOST compromised?
A. Strong innovation
B. KPI monitoring
C. Control redundancy
D. Risk governance consistency
Correct answer:
D. Risk governance consistency
Urgency does not eliminate governance discipline.
Quick knowledge check
1) Risk in projects should be assessed:
A. After deployment
B. Continuously throughout lifecycle
C. Only at initiation
D. Only during testing
Answer & reasoning
Correct: B
Risk evolves during projects.
2) Scope changes require:
A. Immediate acceptance
B. Risk reassessment and governance review
C. No action
D. Avoidance
Answer & reasoning
Correct: B
Scope changes alter exposure.
3) Completing a project on time guarantees low risk.
A. True
B. False
Answer & reasoning
Correct: B
Schedule success does not equal risk reduction.
Final takeaway
Project Management in CRISC is about:
- Embedding risk discipline early
- Maintaining governance oversight
- Reassessing risk with scope change
- Integrating controls during design
- Monitoring throughout lifecycle
- Ensuring formal acceptance of residual risk
The exam is looking for candidates who prioritize structured oversight over speed of delivery. Governance must move with transformation, not trail behind it.