QUESTION 47
Your company is covered under a liability insurance policy, which provides various liability coverage for information security risks, including physical damage to assets, hacking attacks, etc. Which of the following risk management techniques is your company using?
A. Risk transfer
B. Risk acceptance
C. Risk avoidance
D. Risk mitigation
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
Risk transfer is the practice of passing risk from one entity to another entity. In other words, if a company is covered under a liability insurance policy providing various liability coverage for information security risks, including physical damage to assets, hacking attacks, etc., it has transferred (part of) the financial consequences of those risks to the insurance company. Note that only the financial impact is transferred; responsibility for protecting the assets stays with the company.
Incorrect Answers:
B: Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.
C: Risk avoidance is the practice of not performing an activity that could carry risk. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed.
D: Risk mitigation is the practice of reducing the severity of the loss or the likelihood of the loss from occurring.
QUESTION 48
You work as a project manager for BlueWell Inc. Management has asked you to work with the key project stakeholder to analyze the risk events you have identified in the project. They would like you to analyze the project risks with a goal of improving the project's performance as a whole. What approach can you use to achieve this goal of improving the project's performance through risk analysis with your project stakeholders?
A. Involve subject matter experts in the risk analysis activities
B. Involve the stakeholders for risk identification only in the phases where the project directly affects them
C. Use qualitative risk analysis to quickly assess the probability and impact of risk events
D. Focus on the high-priority risks through qualitative risk analysis
Correct Answer: D Section: Volume A Explanation
Explanation/Reference:
Explanation:
By focusing on the high-priority risk events identified through qualitative risk analysis, you direct the team's response effort where it matters most and so improve the project's performance.
Qualitative analysis is the rating of risk factors in terms of high/medium/low or on a numeric scale (1 to 10). It therefore determines the nature of a risk on a relative scale rather than in absolute (e.g., monetary) terms.
Some of the qualitative methods of risk analysis are:
Scenario analysis - This is a forward-looking process that can reflect risk for a given point in time.
Risk Control Self-assessment (RCSA) - RCSA is used by enterprises (like banks) for the identification and evaluation of operational risk exposure. It is a logical first step and assumes that business owners and managers are closest to the issues and have the most expertise as to the source of the risk. RCSA is a constructive process in compelling business owners to contemplate, and then explain, the issues at hand, with the added benefit of increasing their accountability.
Incorrect Answers:
A: Subject matter experts can help with the qualitative risk assessment, but it is focusing the response effort on the high-priority risks that improves the project's performance.
B: Stakeholders should be involved throughout the project, as situations within the project demand their input to risk identification and analysis.
C: Qualitative analysis is indeed a fast way of analyzing project risks, but speed alone does not improve performance; what improves it is concentrating on the high-priority risks that the analysis surfaces, so this is not the best answer.
QUESTION 49
Which of the following is the MOST effective method for indicating that the risk level is approaching a high or unacceptable level of risk?
A. Risk register
B. Cause and effect diagram
C. Risk indicator
D. Return on investment
Correct Answer: C Section: Volume A Explanation
Explanation/Reference:
Explanation:
Risk indicators are metrics tied to risk thresholds, i.e., they signal when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to provide tracking and reporting mechanisms that alert staff about potential risks before they materialize.
Incorrect Answers:
A: A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly used in project management practice, and provide the information needed to identify, analyze, and manage risks. Typically a risk register contains:
A description of the risk
The impact should this event actually occur
The probability of its occurrence
Risk Score (the multiplication of Probability and Impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
A register records and prioritizes risks; it does not by itself warn that a risk level is moving toward a threshold.
B: A cause and effect (Ishikawa or fishbone) diagram is a root-cause analysis tool; it helps explain why a risk could occur but does not track or signal risk levels.
D: Return On Investment (ROI) is a performance measure used to evaluate the efficiency of an investment or to compare the efficiency of a number of different investments. To calculate ROI, the benefit (return) of an investment is divided by the cost of the investment; the result is expressed as a percentage or a ratio.
The return on investment formula:
ROI = (Gain from investment - Cost of investment) / Cost of investment
In the above formula, "gain from investment" refers to the proceeds obtained from the investment of interest. ROI measures the value of an investment, not the level of a risk.
QUESTION 50
Which of the following represents lack of adequate controls?
A. Vulnerability
B. Threat
C. Asset
D. Impact
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
A vulnerability is a weakness or lack of safeguard that can be exploited by a threat, thus causing harm to information systems or networks. It can exist in hardware, operating systems, firmware, applications, and configuration files. Hence a lack of adequate controls represents a vulnerability: it does not create threats, but it leaves the enterprise exposed to the threats that already exist.
Incorrect Answers:
B: A threat is the potential cause of an unwanted incident.
C: Assets are economic resources, tangible or intangible, that are capable of being owned or controlled to produce value.
D: Impact is the measure of the loss (often expressed financially) that a threat event may cause.
QUESTION 51
Which of the following is the risk that occurs with an important business partner and affects a large group of enterprises within an area or industry?
A. Contagious risk
B. Reporting risk
C. Operational risk
D. Systemic risk
Correct Answer: D Section: Volume A Explanation
Explanation/Reference:
Explanation:
Systemic risks are those risks that occur with an important business partner and affect a large group of enterprises within an area or industry. An example would be a nationwide air traffic control system that goes down for an extended period of time (six hours), which affects air traffic on a very large scale.
Incorrect Answers:
A: Contagious risks are those risk events that occur with several of the enterprise's business partners within a very short time frame.
B, C: Neither of these is defined by its scope across business partners; both can occur with an important partner or with any other partner.
Operational risks are those risks associated with the day-to-day operations of the enterprise. It is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.
Reporting risks are caused by incorrect reporting, which leads to bad decisions; the bad decision taken on the basis of the wrong report then becomes a risk to the functioning of the organization.
QUESTION 52
Which of the following is described by the definition given below? "It is the expected guaranteed value of taking a risk."
A. Certainty equivalent value
B. Risk premium
C. Risk value guarantee
D. Certain value assurance
Correct Answer: A Section: Volume A Explanation
Explanation/Reference:
Explanation:
The certainty equivalent value is the expected guaranteed value of taking a risk. It is derived from the uncertainty of the situation and the potential value of the situation's outcome.
Incorrect Answers:
B: The risk premium is the difference between the larger expected value of the risk and the smaller certainty equivalent value.
C, D: These are not valid answers.
QUESTION 53
You are the project manager of GHT project. Your hardware vendor left you a voicemail saying that the delivery of the equipment you have ordered would not arrive on time. She wanted to give you a heads-up and asked that you return the call. Which of the following statements is TRUE?
A. This is a residual risk.
B. This is a trigger.
C. This is a contingency plan.
D. This is a secondary risk.
Correct Answer: B Section: Volume A Explanation
Explanation/Reference:
Explanation:
Triggers are warning signs that a risk event is about to occur. Here the vendor's warning of a late delivery signals that a risk event (delay in completion of the project) may be about to happen. Hence it is referred to as a trigger.
Incorrect Answers:
A: Residual risk is the risk that remains after controls or responses have been applied. In this scenario no response has been applied and the risk event itself has not occurred yet.
C: A contingency plan is a plan devised for a specific situation when things go wrong. Contingency plans are often devised by governments or businesses that want to be prepared for anything that could happen. Here no such plan is described.
D: Secondary risks are risks that come about as a result of implementing a risk response. In this scenario no risk response has been implemented, so nothing here is a secondary risk.
QUESTION 54
Stephen is the project manager of the GBB project. He has worked with two subject matter experts and his project team to complete the risk assessment technique. There are approximately 47 risks that have a low probability and a low impact on the project. Which of the following answers best describes what Stephen should do with these risk events?
A. Because they are low probability and low impact, Stephen should accept the risks.
B. The low probability and low impact risks should be added to a watchlist for future monitoring.
C. Because they are low probability and low impact, the risks can be dismissed.
D. The low probability and low impact risks should be added to the risk register.
Correct Answer: B Section: Volume A Explanation
Explanation/Reference:
Explanation:
The low probability and low impact risks should be added to a watchlist for future monitoring.
Incorrect Answers:
A: The risk response for these events may be to accept them, but the best answer is to first add them to a watchlist.
C: Risks are not dismissed; they are at least added to a watchlist for monitoring.
D: While the risks may eventually be added to the register, the best answer is to first add them to the watchlist for monitoring.
QUESTION 55
Jenny is the project manager for the NBT projects. She is working with the project team and several subject matter experts to perform the quantitative risk analysis process. During this process she and the project team uncover several risks events that were not previously identified. What should Jenny do with these risk events?
A. The events should be entered into qualitative risk analysis.
B. The events should be determined if they need to be accepted or responded to.
C. The events should be entered into the risk register.
D. The events should continue on with quantitative risk analysis.
Correct Answer: C Section: Volume A Explanation
Explanation/Reference:
Explanation:
All identified risk events should be entered into the risk register.
A risk register is an inventory of risks and the exposure associated with those risks. Risk registers are commonly used in project management practice, and provide the information needed to identify, analyze, and manage risks. Typically a risk register contains:
A description of the risk
The impact should this event actually occur
The probability of its occurrence
Risk Score (the multiplication of Probability and Impact)
A summary of the planned response should the event occur
A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.
Incorrect Answers:
A: Before the risk events are analyzed they should be documented in the risk register.
B: The risks should first be documented and analyzed; only then can a decision be made to accept or respond to them.
D: These risks should first be identified, documented, and passed through qualitative risk analysis; only then is it determined whether they should pass through the quantitative risk analysis process.
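The register described above (Question 49 and Question 55) and the watchlist decision in Question 54 can be expressed as a small program. The following is an added example and is not part of the exam material: it scores each entry as Probability x Impact, ranks entries by score, and routes low-probability / low-impact events to a watchlist for monitoring instead of dropping them. The 1-5 scales, the "low" cut-off of 2, and the sample entries are constructed assumptions for illustration.

```python
"""Risk register scoring, ranking and watch-list triage (added example)."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # assumed ordinal scale for probability and impact
LOW_CUTOFF = 2                # assumption: a rating of 1-2 counts as "low"


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    probability: int      # 1 = rare .. 5 = almost certain
    impact: int           # 1 = negligible .. 5 = severe
    response: str = ""    # planned response should the event occur
    mitigation: str = ""  # actions taken in advance to reduce P and/or I

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so scores stay comparable.
        for name in ("probability", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")

    @property
    def score(self) -> int:
        """Risk Score as the register defines it: Probability x Impact."""
        return self.probability * self.impact

    @property
    def is_low_low(self) -> bool:
        """Both ratings at or below the low cut-off: a watch-list candidate."""
        return self.probability <= LOW_CUTOFF and self.impact <= LOW_CUTOFF


def rank_by_score(risks):
    """Highest score first; ties broken by id so the order is deterministic."""
    return sorted(risks, key=lambda r: (-r.score, r.risk_id))


def triage(risks):
    """Split a register into the active (ranked) list and the watch-list.

    Nothing is dismissed: every identified event stays in one of the two lists.
    """
    active = rank_by_score(r for r in risks if not r.is_low_low)
    watchlist = rank_by_score(r for r in risks if r.is_low_low)
    return {"active": active, "watchlist": watchlist}


def render(risks) -> str:
    """Plain-text register table, highest priority first."""
    lines = [f"{'ID':<4}{'P':>2}{'I':>3}{'Score':>7}  Description"]
    for r in rank_by_score(risks):
        lines.append(f"{r.risk_id:<4}{r.probability:>2}{r.impact:>3}{r.score:>7}  {r.description}")
    return "\n".join(lines)


# Constructed sample register (not real project data).
SAMPLE_REGISTER = [
    Risk("R1", "Hardware vendor delivers late", 4, 3, response="Escalate; use loaner kit"),
    Risk("R2", "Internet-facing server missing patches", 3, 5, mitigation="Weekly patch window"),
    Risk("R3", "Printer consumables run out", 2, 1),
    Risk("R4", "Key engineer leaves mid-project", 2, 4, mitigation="Cross-train a second engineer"),
    Risk("R5", "Typo in internal status report template", 1, 1),
]

if __name__ == "__main__":
    result = triage(SAMPLE_REGISTER)
    print("Active risks (ranked):")
    print(render(result["active"]))
    print("\nWatch-list:")
    print(render(result["watchlist"]))
```

With the sample data, R2 (score 15), R1 (12) and R4 (8) are ranked as active risks, while R3 and R5 land on the watch-list. The cut-off is deliberately a single constant: changing the organization's risk appetite is then a one-line change rather than a re-scoring of every entry.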
QUESTION 56
Which of the following are risk components of the COSO ERM framework? Each correct answer represents a complete solution. Choose three.
A. Risk response
B. Internal environment
C. Business continuity
D. Control activities
Correct Answer: ABD Section: Volume A Explanation
Explanation/Reference:
Explanation:
The components defined by COSO ERM are internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
Incorrect Answers:
C: Business continuity is not considered as risk component within the ERM framework.
QUESTION 57
Fred is the project manager of a large project in his organization. Fred needs to begin planning the risk management plan with the project team and key stakeholders. Which plan risk management process tool and technique should Fred use to plan risk management?
A. Information gathering techniques
B. Data gathering and representation techniques
C. Planning meetings and analysis
D. Variance and trend analysis
Correct Answer: C Section: Volume B Explanation
Explanation/Reference:
Explanation:
There is only one tool and technique available to Fred for planning risk management: planning meetings and analysis. Planning meetings and analysis is the tool and technique of the Plan Risk Management process. Planning meetings are organized by the project team to develop the risk management plan. Attendees at these meetings include the following:
Project manager
Selected project team members
Stakeholders
Anybody in the organization with responsibility for managing risk planning
High-level plans for conducting the risk management activities are defined in these meetings, responsibilities related to risk management are assigned, and approaches for applying risk contingency reserves are established and reviewed.
Incorrect Answers:
A, B, D: These are not plan risk management tools and techniques.
QUESTION 58
Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?
A. User management coordination does not exist
B. Audit recommendations may not be implemented
C. Users may have unauthorized access to originate, modify or delete data
D. Specific user accountability cannot be established
Correct Answer: C Section: Volume B Explanation
Explanation/Reference:
Explanation:
Without a policy defining who is responsible for granting access to specific data or systems, there is an increased risk that someone gains system access without a justified business need. When ownership is clearly assigned, there is a better chance that access decisions will properly support business objectives.
Incorrect Answers:
A, B, D: These are also risks of inadequate ownership, but they are less significant than unauthorized access to data.
QUESTION 59
Marie has identified a risk event in her project that needs a mitigation response. Her response actually creates a new risk event that must now be analyzed and planned for. What term is given to this newly created risk event?
A. Residual risk
B. Secondary risk
C. Infinitive risk
D. Populated risk
Correct Answer: B Section: Volume B Explanation
Explanation/Reference:
Explanation:
Secondary risks are the risks that come about as a result of implementing a risk response. This new risk event must be recorded, analyzed, and planned for management.
Incorrect Answers:
A: Residual risk is the risk that remains after a response has been implemented. Unlike a secondary risk it is not a new event created by the response; it is what is left of the original risk, and it is often small enough in probability and impact to simply be accepted.
C: Infinitive risk is not a valid project management term.
D: Populated risk event is not a valid project management term.
QUESTION 60
Which one of the following is the only output for the qualitative risk analysis process?
A. Project management plan
B. Risk register updates
C. Organizational process assets
D. Enterprise environmental factors
Correct Answer: B Section: Volume B Explanation
Explanation/Reference:
Explanation:
Risk register updates are the only output, of the choices presented, of the qualitative risk analysis process. The four inputs to the qualitative risk analysis process are the risk register, risk management plan, project scope statement, and organizational process assets. The output of the Perform Qualitative Risk Analysis process is Risk Register Updates. The risk register is updated with the information from Perform Qualitative Risk Analysis and the updated risk register is included in the project documents. Updates include the following important elements:
Relative ranking or priority list of project risks
Risks grouped by categories
Causes of risk or project areas requiring particular attention
List of risks requiring response in the near-term
List of risks for additional analysis and response
Watchlist of low priority risks
Trends in qualitative risk analysis results
Incorrect Answers:
A, C, D: These are not the valid outputs for the qualitative risk analysis process.
QUESTION 61
FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?
A. Annually
B. Quarterly
C. Every three years
D. Never
Correct Answer: A Section: Volume B Explanation
Explanation/Reference:
Explanation:
FISMA compliance must be evaluated annually. Each year, agencies must have an independent evaluation of their information security program. The objective is to determine the effectiveness of the program. These evaluations include:
Testing for effectiveness: Policies, procedures, and practices are tested. This evaluation does not test every policy, procedure, and practice. Instead, a representative sample is tested.
An assessment or report: This report identifies the agency's compliance with FISMA. It also lists compliance with other applicable standards and guidelines.
Incorrect Answers:
B, C, D: The independent evaluation of compliance is done annually, not quarterly, not every three years, and certainly not never.
QUESTION 62
Which of the following is the FOREMOST root cause of project risk? Each correct answer represents a complete solution. Choose two.
A. New system is not meeting the user business needs
B. Delay in arrival of resources
C. Lack of discipline in managing the software development process
D. Selection of unsuitable project methodology
Correct Answer: CD Section: Volume B Explanation
Explanation/Reference:
Explanation:
The foremost root causes of project risk are:
A lack of discipline in managing the software development process
Selection of a project methodology that is unsuitable to the system being developed
Incorrect Answers:
A: The risk of a new system not meeting the users' business needs is a business risk, not a project risk.
B: A delay in the arrival of resources is a symptom that can hit a project, but it is not a root cause of project risk.
QUESTION 63
You are the project manager of a SGT project. You have been actively communicating and working with the project stakeholders. One of the outputs of the "manage stakeholder expectations" process can actually create new risk events for your project. Which output of the manage stakeholder expectations process can create risks?
A. Project management plan updates
B. Organizational process asset updates
C. Change requests
D. Project document updates
Correct Answer: C Section: Volume B Explanation
Explanation/Reference:
Explanation:
The manage stakeholder expectations process can create change requests for the project, which can cause new risk events to enter into the project.
Change requests are requests to expand or reduce the project scope, modify policies, processes, plans, or procedures, modify costs or budgets or revise schedules. These requests for a change can be direct or indirect, externally or internally initiated, and legally or contractually imposed or optional. A Project Manager needs to ensure that only formally documented requested changes are processed and only approved change requests are implemented.
Incorrect Answers:
A: The project management plan updates do not create new risks.
B: The organizational process assets updates do not create new risks.
D: The project document updates do not create new risks.
QUESTION 64
Which of the following characteristics of risk controls is defined as follows?
"The separation of controls in the production environment rather than the separation in the design and implementation of the risk"
A. Trusted source
B. Secure
C. Distinct
D. Independent
Correct Answer: C Section: Volume B Explanation
Explanation/Reference:
Explanation:
A control or countermeasure which does not overlap in its operation with another control or countermeasure is considered distinct. Hence the separation of controls in the production environment, rather than their separation in design and implementation, refers to the characteristic "distinct".
Incorrect Answers:
A: Trusted source refers to the commitment of the people who design, implement, and maintain the control to the security policy.
B: Secure refers to the control's own ability to withstand exploitation or attack.
D: Separation in the design, implementation, and maintenance of controls or countermeasures is referred to as independent. Hence this answer is not valid.
QUESTION 65
Shelly is the project manager of the BUF project for her company. In this project Shelly needs to establish some rules to reduce the influence of risk bias during the qualitative risk analysis process. What method can Shelly take to best reduce the influence of risk bias?
A. Establish risk boundaries
B. Group stakeholders according to positive and negative stakeholders and then complete the risk analysis
C. Determine the risk root cause rather than the person identifying the risk events
D. Establish definitions of the level of probability and impact of risk event
Correct Answer: D Section: Volume B Explanation
Explanation/Reference:
Explanation:
By establishing definitions for the level of probability and impact a project manager can reduce the influence of bias.
Incorrect Answers:
A: This is not a valid statement for reducing bias in the qualitative risk analysis.
B: Positive and negative stakeholders are identified based on their position towards the project goals and objectives, not necessarily risks.
C: Root cause analysis is a good exercise, but it would not determine risk bias.
QUESTION 66
You are the IT manager in Bluewell Inc. You identify a new regulation for safeguarding the information processed by a specific type of transaction. What would be the FIRST action you will take?
A. Assess whether existing controls meet the regulation
B. Update the existing security privacy policy
C. Meet with stakeholders to decide how to comply
D. Analyze the key risk in the compliance process
Correct Answer: A Section: Volume B Explanation
Explanation/Reference:
Explanation:
When the IT manager identifies a new regulation for safeguarding information processed by a specific type of transaction, the immediate step is to understand the impact and requirements of the new regulation. This includes assessing how the enterprise will comply with the regulation and to what extent the existing control structure supports the compliance process. The manager can then assess any gaps between the existing controls and what the regulation requires.
Incorrect Answers:
B, C, D: These actions are appropriate and important, but they are subsequent steps that follow the understanding of the regulation and the gap assessment.
QUESTION 67
Which of the following operational risks ensures that the provision of a quality product is not overshadowed by the production costs of that product?
A. Information security risks
B. Contract and product liability risks
C. Project activity risks
D. Profitability operational risks
Correct Answer: D Section: Volume B Explanation
Explanation/Reference:
Explanation:
Profitability operational risks focus on the financial risks which encompass providing a quality product that is cost-effective in production. It ensures that the provision of a quality product is not overshadowed by the production costs of that product.
Incorrect Answers:
A: Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security risks are the risks that are associated with the protection of these information and information systems.
B: These risks do not ensure that the provision of a quality product is not overshadowed by the production costs of that product.
C: Project activity risks are not associated with provision of a quality product or the production costs of that product.
QUESTION 68
Which of the following is the process of numerically analyzing the effects of identified risks on the overall enterprise's objectives?
A. Identifying Risks
B. Quantitative Risk Assessment
C. Qualitative Risk Assessment
D. Monitoring and Controlling Risks
Correct Answer: B Section: Volume B Explanation
Explanation/Reference:
Explanation:
A quantitative risk assessment quantifies risk in terms of numbers such as dollar values. This involves gathering data and then entering it into standard formulas. The results can help in identifying the priority of risks. These results are also used to determine the cost-effectiveness of controls. Some of the terms associated with quantitative risk assessments are:
Single loss expectancy (SLE) - The total loss expected from a single incident, where an incident occurs when a threat exploits a vulnerability. The loss is expressed as a dollar value such as $1,000. It includes the value of data, software, and hardware.
SLE = Asset value * Exposure factor
Annual rate of occurrence (ARO) - The number of times an incident is expected to occur in a year. If an incident occurred twice a month in the past year, the ARO is 24. Assuming nothing changes, it is likely that it will occur 24 times next year.
Annual loss expectancy (ALE) - The expected loss for a year. ALE is calculated by multiplying the SLE by the ARO. Because the SLE is given as a dollar value, the ALE is also given as a dollar value. For example, if the SLE is $1,000 and the ARO is 24, the ALE is $24,000. ALE = SLE * ARO
Safeguard value - The cost of a control. Controls are used to mitigate risk. For example, antivirus software at an average cost of $50 for each computer: if there are 50 computers, the safeguard value is $2,500. A control is worth buying when the reduction in ALE it achieves exceeds its annual cost.
Incorrect Answers:
A: The first thing to do in risk management is to identify the areas of the project where risks can occur. This is termed risk identification. Listing all the possible risks is very productive for the enterprise, because risks that are known in advance can be addressed before they occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them. Identification lists risks; it does not analyze their effects numerically.
C: Unlike a quantitative risk assessment, a qualitative risk assessment does not assign dollar values. Rather, it determines a risk's level based on the probability and impact of the risk. These values are determined by gathering the opinions of experts.
Probability - establishing the likelihood of occurrence and reoccurrence of specific risks, independently and combined. A risk occurs when a threat exploits a vulnerability. A scale is defined for the probability that a risk will occur. The scale can be based on word values such as Low, Medium, or High. Percentages can also be assigned to these words, such as 10% to Low and 90% to High.
Impact - Impact is used to identify the magnitude of identified risks. The risk leads to some type of loss. However, instead of quantifying the loss as a dollar value, an impact assessment could use words such as Low, Medium, or High. Impact is expressed as a relative value. For example, Low could be 10, Medium could be 50, and High could be 100.
Risk level = Probability * Impact
D: This is the process of implementing risk response plans, tracking identified risks, monitoring residual risks, identifying new risks, and evaluating risk process effectiveness through the project.
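The SLE / ARO / ALE arithmetic above only becomes useful when it is carried through to a decision about a control, so here is an added example that does that; it is not part of the exam text. It reuses the explanation's own figures (SLE $1,000, ARO 24, ALE $24,000, 50 computers at $50 = $2,500 safeguard value) and, for contrast, the qualitative Probability x Impact scale. Two values are assumptions introduced here: that the antivirus reduces the ARO to 2 per year, and that "Medium" probability maps to 50% (the text gives only 10% for Low and 90% for High).

```python
"""Quantitative risk figures (SLE, ARO, ALE, safeguard value) carried through to a
cost-benefit decision, with a qualitative score alongside. Added example."""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset value x Exposure factor; EF is the fraction of the asset lost per incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO, expressed in the same currency as the SLE."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(unit_cost: float, units: int) -> float:
    """Cost of a control, e.g. per-seat licence x number of seats."""
    return unit_cost * units


def control_benefit(ale_before: float, ale_after: float, annual_safeguard_cost: float) -> float:
    """Net annual value of a control: loss avoided minus what the control costs.

    A negative result means the control costs more than the loss it prevents,
    which is the classic argument for accepting the risk instead.
    """
    return (ale_before - ale_after) - annual_safeguard_cost


# Qualitative side: word ratings mapped to relative numbers (no dollars involved).
PROBABILITY_PCT = {"Low": 10, "Medium": 50, "High": 90}   # Medium = 50% is an assumption
IMPACT_SCALE = {"Low": 10, "Medium": 50, "High": 100}


def qualitative_risk_level(probability: str, impact: str) -> float:
    """Risk level = Probability x Impact on the relative scales above."""
    return PROBABILITY_PCT[probability] * IMPACT_SCALE[impact] / 100


def worked_example() -> dict:
    """The explanation's numbers carried through to a buy / don't-buy decision."""
    sle = single_loss_expectancy(asset_value=1_000, exposure_factor=1.0)  # $1,000 per incident
    ale_before = annualized_loss_expectancy(sle, aro=24)                  # twice a month -> 24/yr
    cost = safeguard_value(unit_cost=50, units=50)                        # antivirus, $2,500/yr
    ale_after = annualized_loss_expectancy(sle, aro=2)                    # assumed residual ARO
    net = control_benefit(ale_before, ale_after, cost)
    return {
        "sle": sle,
        "ale_before": ale_before,
        "safeguard_cost": cost,
        "ale_after": ale_after,
        "net_benefit": net,
        "worth_it": net > 0,
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key:>15}: {value}")
    print(f"qualitative High/Medium: {qualitative_risk_level('High', 'Medium')}")
```

With these inputs the control removes $22,000 of expected annual loss for $2,500, a net benefit of $19,500, so the spend is justified. Change the assumed residual ARO or the licence cost and the same function tells you when the answer flips to acceptance; the qualitative score has no such break-even point, which is exactly the distinction the question is testing.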
QUESTION 69
Which of the following are the principles of risk management? Each correct answer represents a complete solution. Choose three.
A. Risk management should be an integral part of the organization
B. Risk management should be a part of decision-making
C. Risk management is the responsibility of executive management
D. Risk management should be transparent and inclusive
Correct Answer: ABD Section: Volume B Explanation
Explanation/Reference:
Explanation:
The International Organization for Standardization (ISO) identifies the following principles of risk management. Risk management should:
create value
be an integral part of organizational processes
be part of decision making
explicitly address uncertainty
be systematic and structured
be based on the best available information
be tailored
take into account human factors
be transparent and inclusive
be dynamic, iterative, and responsive to change
be capable of continual improvement and enhancement
QUESTION 70
Jeff works as a Project Manager for www.company.com Inc. He and his team members are involved in the identify risk process. Which of the following tools & techniques will Jeff use in the identify risk process?
Each correct answer represents a complete solution. (Choose three.)
A. Information gathering techniques
B. Documentation reviews
C. Checklist analysis
D. Risk categorization
Correct Answer: ABC Section: Volume B Explanation
Explanation/Reference:
Explanation:
The various tools & techniques used in the identify risk process are as follows:
Documentation reviews
Information gathering techniques
Checklist analysis
Assumption analysis
Diagramming techniques
SWOT analysis
Expert judgment
QUESTION 71
Which of the following types of risk could result in bankruptcy?
A. Marginal
B. Negligible
C. Critical
D. Catastrophic
Correct Answer: D Section: Volume B Explanation
Explanation/Reference:
Explanation:
Catastrophic risk causes critical financial losses that have the possibility of bankruptcy.
Incorrect Answers:
A: Marginal risk causes financial loss in a single line of business and a reduced return on IT investment.
B: Negligible risk causes minimal impact on a single line of business, with little effect on its ability to deliver services or products.
C: Critical risk causes serious financial losses in more than one line of business with a loss in productivity.
QUESTION 72
Risks with low ratings of probability and impact are included for future monitoring in which of the following?
A. Risk alarm
B. Observation list
C. Watch-list
D. Risk register
Correct Answer: C Section: Volume B Explanation
Explanation/Reference:
Explanation:
The watch-list contains risks with low ratings of probability and impact. This list is used for future monitoring of low-rated risks, so that they are re-examined if their probability or impact grows.
Incorrect Answers:
A, B: No documents called "risk alarm" or "observation list" are prepared during the risk identification process.
D: Risk register is a document that contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. Description, category, cause, probability of occurring, impact on objectives, proposed responses, owner, and the current status of all identified risks are put in the risk register.
QUESTION 73
You are working as the project manager of the ABS project. The project is for establishing a computer network in a school premises. During the project execution, the school management asks to make the campus Wi-Fi enabled. You know that this may impact the project adversely. You have discussed the change request with other stakeholders. What will be your NEXT step?
A. Update project management plan.
B. Issue a change request.
C. Analyze the impact.
D. Update risk management plan.
Correct Answer: C
Section: Volume B
Explanation/Reference:
Explanation:
The first step after receiving any change request in a project is to analyze its impact. Changes may be requested by any stakeholder involved with the project. Although they may be initiated verbally, they should always be recorded in written form and entered into the change management and/or configuration management system.
Incorrect Answers:
A, B, D: All of these may be required steps, depending on the change request, but any change request must first be followed by an impact analysis of the change.
QUESTION 74
You are working in an enterprise. Your project deals with important files that are stored on the computer. You have identified the risk of the failure of operations. To address this risk of failure, you have guided the system administrator to sign off on the daily backup. This scenario is an example of which of the following?
A. Risk avoidance
B. Risk transference
C. Risk acceptance
D. Risk mitigation
Correct Answer: D
Section: Volume B
Explanation/Reference:
Explanation:
Mitigation is the strategy that provides for the definition and implementation of controls to address the risk described. In this scenario, you are trying to reduce the risk of operational failure by guiding the administrator to take daily backups; hence it is risk mitigation.
Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. The main control types are:
Managerial (e.g., policies)
Technical (e.g., tools such as firewalls and intrusion detection systems)
Operational (e.g., procedures, separation of duties)
Preparedness activities
Incorrect Answers:
A: The scenario does not describe risk avoidance. Avoidance is a strategy that provides for not implementing certain activities or processes that would incur risk.
B: The scenario does not describe the sharing of risk. Transference is the strategy that provides for sharing risk with partners or taking out insurance coverage.
C: The scenario does not describe risk acceptance. Acceptance is a strategy that provides for formal acknowledgment of the existence of a risk and the monitoring of that risk.
QUESTION 75
Risks to an organization's image are referred to as what kind of risk?
A. Operational
B. Financial
C. Information
D. Strategic
Correct Answer: D
Section: Volume B
Explanation/Reference:
Explanation:
Strategic risks are those whose potential outcome is failing to fulfil the organization's strategic objectives as planned. Since strategic objectives shape and affect the entire organization, the risk of not meeting them can pose a great threat to the organization.
Strategic risks can be broken down into external and internal risks:
External risks are circumstances from outside the enterprise that will have a potentially damaging or helpful impact on the enterprise. These risks include sudden changes in economic, industry, or regulatory conditions. Some external risks are predictable while others are not. For instance, a recession may be predictable and the enterprise may be able to hedge against its dangers economically, but a total market failure may not be as predictable and can be much more devastating.
Internal risks usually focus on the image or reputation of the enterprise. Some of the risks involved here are public communication, trust, and strategic agreement from stakeholders and customers.
QUESTION 76
Which of the following steps ensure effective communication of the risk analysis results to relevant stakeholders? Each correct answer represents a complete solution. Choose three.
A. The results should be reported in terms and formats that are useful to support business decisions
B. Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations
C. Communicate the negative impacts of the events only, as they need more consideration
D. Communicate the risk-return context clearly
Correct Answer: ABD
Section: Volume B
Explanation/Reference:
Explanation:
The result of the risk analysis process is communicated to relevant stakeholders. The steps involved in this communication are:
The results should be reported in terms and formats that are useful to support business decisions.
Coordinate additional risk analysis activity as required by decision makers, such as after report rejection or scope adjustment.
Communicate the risk-return context clearly, including probabilities of loss and/or gain, ranges, and confidence levels (if possible), so that management can balance risk and return.
Identify the negative impacts of events that drive response decisions as well as the positive impacts of events that represent opportunities, which should be channelled back into the strategy and objective-setting process.
Provide decision makers with an understanding of worst-case and most probable scenarios, due diligence exposures and significant reputation, legal or regulatory considerations.
Incorrect Answers:
C: For effective communication, the negative impacts of events that drive response decisions must be communicated together with the positive impacts of events that represent opportunities, which should be channelled back into the strategy and objective-setting process. Negative impacts are not communicated alone.
QUESTION 77
You are the product manager in your enterprise. You have identified that new technologies, products and services are introduced in your enterprise from time to time. What should be done to prevent the efficiency and effectiveness of controls from degrading due to these changes?
A. Receive timely feedback from risk assessments and through key risk indicators, and update controls
B. Add more controls
C. Perform Business Impact Analysis (BIA)
D. Nothing, efficiency and effectiveness of controls are not affected by these changes
Correct Answer: A
Section: Volume B
Explanation/Reference:
Explanation:
As new technologies, products and services are introduced, compliance requirements become more complex and strict; business processes and related information flows change over time. These changes can often affect the efficiency and effectiveness of controls. Formerly effective controls become inefficient, redundant or obsolete and have to be removed or replaced.
Therefore, the monitoring process has to receive timely feedback from risk assessments and through key risk indicators (KRIs) to ensure an effective control life cycle.
Incorrect Answers:
B: Most of the time, the addition of controls degrades the efficiency and profitability of a process without adding an equitable level of corresponding risk mitigation; hence better controls are adopted instead of simply adding more controls.
C: A BIA is a discovery process meant to uncover the inner workings of any process. It helps identify actual procedures, shortcuts, workarounds and the types of failure that may occur. It involves determining the purpose of the process, who performs the process and its output. It also involves determining the value of the process output to the enterprise.
D: The efficiency and effectiveness of controls are affected by changes in technology or products, so some measure must be taken.
QUESTION 78
You work as a project manager for BlueWell Inc. Your project is using a new material to construct a large warehouse in your city. This new material is cheaper than traditional building materials, but it takes some time to learn how to use the material properly. You have communicated to the project stakeholders that you will be able to save costs by using the new material, but you will need a few extra weeks to complete training to use the materials. This risk response of learning how to use the new materials is also known by what term?
A. Benchmarking
B. Cost-benefits analysis
C. Cost of conformance to quality
D. Team development
Correct Answer: C
Section: Volume B
Explanation/Reference:
Explanation:
When the project team needs training to be able to complete the project work, it is a cost of conformance to quality.
The cost of conformance to quality defines the cost of training, proper resources, and the costs the project must spend in order to attain the levels of quality the customer expects from the project. It is the capital used up throughout the project to avoid failures. It consists of two types of costs:
Prevention costs: the money spent to build a quality product. They include the costs of training, document processing, equipment, and the time to do it right.
Appraisal costs: the money spent to assess quality. They include testing, destructive testing loss, and inspections.
Incorrect Answers:
A: Benchmarking compares any two items, such as materials, vendors, or resources.
B: Cost-benefit analysis is the study of the benefits in relation to the costs to receive the benefits of a decision, a project, or other investment.
D: Team development describes activities the project manager uses to create a more cohesive and responsive project team.
QUESTION 79
You work as a Project Manager for www.company.com Inc. You have to measure the probability, impact, and risk exposure. Then, you have to measure how the selected risk response can affect the probability and impact of the selected risk event. Which of the following tools will help you to accomplish the task?
A. Project network diagrams
B. Delphi technique
C. Decision tree analysis
D. Cause-and-effect diagrams
Correct Answer: C
Section: Volume B
Explanation/Reference:
Explanation:
Decision tree analysis is a risk analysis tool that helps the project manager determine the best risk response. The tool can be used to measure probability, impact, and risk exposure, and how the selected risk response can affect the probability and/or impact of the selected risk event. It helps to form a balanced picture of the risks and opportunities connected with each possible course of action. This makes decision trees most useful for choosing between different strategies, projects, or investment opportunities, particularly when resources are limited. A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.
Incorrect Answers:
A: Project network diagrams help the project manager and stakeholders visualize the flow of the project work, but they are not used as a part of risk response planning.
B: The Delphi technique can be used in risk identification, but generally is not used in risk response planning. The Delphi technique uses rounds of anonymous surveys to identify risks.
D: Cause-and-effect diagrams are useful for identifying root causes and risk identification, but they are not the most effective ones for risk response planning.
QUESTION 80
Which of the following decision tree nodes have probability attached to their branches?
A. Root node
B. Event node
C. End node
D. Decision node
Correct Answer: B
Section: Volume B
Explanation/Reference:
Explanation:
Event nodes represent the possible uncertain outcomes of a risky decision, with at least two branches to illustrate the positive and negative range of events. Probabilities are always attached to the branches of event nodes.
Incorrect Answers:
A: Root node is the starting node in the decision tree, and it has no branches.
C: An end node represents the outcome of risks and decisions, and no probability is attached to it.
D: A decision node represents the choice available to the decision maker, usually between a risky choice and its non-risky counterpart. As it represents only the choices available to the decision maker, no probability is attached to it.
QUESTION 81
You are the risk professional of your enterprise. You need to calculate the potential revenue loss if a certain risk occurs. Your enterprise has an electronic (e-commerce) web site that produces US $1 million of revenue each day. If a denial of service (DoS) attack occurs that lasts half a day, how much loss does it create?
A. US $250,000 loss
B. US $500,000 loss
C. US $1 million loss
D. US $100,000 loss
Correct Answer: B
Section: Volume B
Explanation/Reference:
Explanation:
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.
The total revenue of the website for the day is $1 million, and due to the denial of service attack it is unavailable for half a day.
Therefore,
Revenue loss = $1,000,000 / 2
= $500,000
Incorrect Answers:
A, C, D: These are incorrect; the loss is half of one day's revenue.
QUESTION 82
Which of the following processes ensures that extracted data are ready for analysis?
A. Data analysis
B. Data validation
C. Data gathering
D. Data access
Correct Answer: B
Section: Volume B
Explanation/Reference:
Explanation:
Data validation ensures that extracted data are ready for analysis. One objective is to perform data quality tests to ensure data are valid, complete, and free of errors. This may also involve making data from different sources suitable for comparative analysis.
Incorrect Answers:
A: Analysis of data involves a simple set of steps or a complex combination of commands and other functionality. Data analysis is designed to achieve the objectives stated in the project plan. Although this may be applicable to any monitoring activity, it is beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions.
C: Data gathering is the process of collecting data on the risk to be monitored, preparing a detailed plan and defining the project's scope. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.
D: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction:
Extracting data directly from the source systems after system owner approval
Receiving data extracts from the system custodian (IT) after system owner approval
QUESTION 83
Which of the following is NOT true of risk governance?
A. Risk governance is based on the principles of cooperation, participation, mitigation and sustainability, and is adopted to achieve more effective risk management.
B. Risk governance requires reporting once a year.
C. Risk governance seeks to reduce risk exposure and vulnerability by filling gaps in risk policy.
D. Risk governance is a systemic approach to decision-making processes associated with natural and technological risks.
Correct Answer: B
Section: Volume B
Explanation/Reference:
Explanation:
Risk governance is a continuous life cycle that requires regular reporting and ongoing review, not once a year.
Incorrect Answers:
A, C, D: These are true for risk governance.
QUESTION 84
What are the various outputs of risk response?
A. Risk Priority Number
B. Residual risk
C. Risk register updates
D. Project management plan and Project document updates
E. Risk-related contract decisions
Correct Answer: CDE
Section: Volume B
Explanation/Reference:
Explanation:
The outputs of the risk response planning process are:
Risk Register Updates: The risk register is written in detail so that it can be related to the priority ranking and the planned response.
Risk Related Contract Decisions: Risk-related contract decisions are the decisions to transfer risk, such as service agreements, agreements for insurance, and other items as required. They provide a means for sharing risks.
Project Management Plan Updates: Some of the elements of the project management plan updates are:
- Schedule management plan
- Cost management plan
- Quality management plan
- Procurement management plan
- Human resource management plan
- Work breakdown structure
- Schedule baseline
- Cost performance baseline
Project Document Updates: Some of the project documents that can be updated include:
- Assumption log updates
- Technical documentation updates
Incorrect Answers:
A: The risk priority number is not an output of risk response; it is determined before the response is applied. Hence it acts as one of the inputs to risk response and is not an output of it.
B: Residual risk is not an output of risk response. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk. As
Risk = Threat × Vulnerability, and
Total risk = Threat × Vulnerability × Asset Value,
residual risk can be calculated with the following formula:
Residual Risk = Total Risk - Controls
Senior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any loss due to their decisions falls on them.
Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise. For this assessment, the effect and frequency are reassessed and the impact is recalculated.
QUESTION 85
What is the IMMEDIATE step after defining a set of risk scenarios?
A. Risk mitigation
B. Risk monitoring
C. Risk management
D. Risk analysis
Correct Answer: D
Section: Volume B
Explanation/Reference:
Explanation:
Once the set of risk scenarios is defined, it can be used for risk analysis. In risk analysis, the likelihood and impact of the scenarios are assessed. Important components of this assessment are the risk factors.
Incorrect Answers:
A: Risk mitigation is the later step, after analyzing risk.
B: Risk monitoring is the later step, after risk analysis and risk mitigation.
C: Risk analysis comes under risk management; management is therefore a generalized term and not the best answer to this question.
QUESTION 86
Which of the following is the most accurate definition of a project risk?
A. It is an unknown event that can affect the project scope.
B. It is an uncertain event or condition within the project execution.
C. It is an uncertain event that can affect the project costs.
D. It is an uncertain event that can affect at least one project objective.
Correct Answer: D
Section: Volume B
Explanation/Reference:
Explanation:
Risk is an uncertain event or condition that, if it occurs, has an effect on at least one project objective.
Project risk is concerned with the expected value of one or more results of one or more future events in a project. It is an uncertain condition that, if it occurs, has an effect on at least one project objective. Objectives can be scope, schedule, cost, and quality. Project risk is always in the future.
Incorrect Answers:
A: Risk is not unknown, it is uncertain; in addition, the event can affect at least one project objective, not just the project scope.
B: This statement is almost true, but the event does not have to happen within project execution.
C: Risks can affect time, costs, or scope, rather than affecting only cost.
Certified in Risk and Information Systems Control CRISC Questions + Answers Part 2