5.2

Question 1

Risk Management

Answer 1

the process involving identification, analysis, treatment, monitoring and reporting of risks

Question 2

Risk identification

Answer 2

roactive process recognizing potential risks
● Goal
○ Create a comprehensive list based on events hindering objectives

Question 3

Risk Analysis

Answer 3

● Evaluate likelihood and potential impact
● Qualitative or quantitative methods
● Outcome
○ Prioritized list for guiding risk treatmen

Question 4

Risk Treatment

Answer 4

● Develop strategies
○ Avoidance
○ Reduction
○ Sharing
○ Acceptance
Strategy choice based on potential impact and risk tolerance

Question 5

Risk Monitoring

Answer 5

● Ongoing process tracking identified risks
● Monitor residual risks, identify new risks, and review risk management
effectiveness
● Ensures dynamic responsiveness to organizational change

Question 6

Risk Reporting

Answer 6

● Communicate risk information and effectiveness of risk management to
stakeholders
● Various forms
○ Dashboards
○ Heat Maps
○ Detailed Reports
● Crucial for accountability and informed decision-ma

Question 7

When are ad-hoc risk assessments used

Answer 7

when needed often for specific things like launching a new product

Question 8

one time risk assessment

Answer 8

used for a new it system for example not repeated

Question 9

Techniques for risk identification

Answer 9

brainstorming, checklists, interviews and scenario analysis

Question 10

BIA

Answer 10

business impact analysus
■ Evaluates effects of disruptions on business functions
■ Identifies and prioritizes critical functions
■ Assesses impact of risks on functions
■ Determines required recovery time for function

Question 11

RTO

Answer 11

recovery time objective
max acceptable time before there is a severe impact

Question 12

RPO

Answer 12

recovery point objective
max acceptable data loss measured in time

Question 13

MTTR

Answer 13

average time to repair a failed component or system

Question 14

MTBF

Answer 14

a high MTBF means system doesnt fail often
mean time between failures

Question 15

Risk register

Answer 15

■ Records identified risks, descriptions, impacts, likelihoods, and mitigation actions
■ Key tool in risk management
■ May resemble a heat map risk matrix
■ Facilitates communication and risk tracking
■ Key component of project and business operations
its a document
includes risk description, impact, likelihood,outcome, level and threshold

Question 16

Risk impact

Answer 16

potential consequences of risk occurence
rated on scale low medium or high

Question 17

Risk likelihood

Answer 17

probability of risk occurence
rated on scale numerically or descriptive

Question 18

Risk outcome

Answer 18

result of the risk if it occurs related to impact and likelihood of

Question 19

Risk level or threshold

Answer 19

determined by combining the impact and likelihood
prioritize risks high medium and low

Question 20

Risk Tolerance/Acceptance

Answer 20

● An organization or individual’s willingness to deal with uncertainty in
pursuit of their goals
● Maximum amount of risk they are willing to accept
● Acceptance without countermeasures

Question 21

Risk Appetite

Answer 21

willingess to pursue risk
expansionary
conservative
neutral

Question 22

KRIs

Answer 22

key risk indicators
Predictive metrics signaling increasing risk exposure
■ Provide early warning of potential risks
■ Tied to the organization’s objectives
■ Used to monitor risk changes and take proactive step

Question 23

Risk owner

Answer 23

■ Responsible for managing the risk
■ Monitors, implements mitigation actions, and updates Risk Register
■ Accountable for risk management

Question 24

Qualitative Risk Analysis

Answer 24

■ Primary method in risk management
■ Assesses risks based on potential impact and likelihood
■ Categorizes risks as high, medium, or low
■ Subjective and relies on expertise and experience
■ Avoids quantitative complexity
includes low medium and high impact

Question 25

Quantitative Risk Analysis

Answer 25

■ Provides objective and numerical evaluation of risks
■ Used for financial, safety, and scheduling decisions
■ Utilizes key components
● Single Loss Expectancy (SLE)
● Exposure Factor (EF)
● Annualized Rate of Occurrence (ARO)
● Annualized Loss Expectancy (ALE)

Question 26

EF

Answer 26

exposure factor
● Proportion of asset lost in an event (0% to 100%)
● Indicates asset loss severity
ex flooding hitting headquarters would be 70% loss in assets

Question 27

SLE

Answer 27

single loss expectancy
Calculated as Asset Value x Exposure Factor (EF)
70% x say $5,000 (cost of asset)

Question 28

ARO

Answer 28

annualized rate of occurrence
● Estimated frequency of threat occurrence within a year
● Provides a yearly probability

Question 29

ALE

Answer 29

Annualized Loss Expectancy (ALE)
SLE x ARO

Question 30

Give an example of risk transference

Answer 30

insurance

Question 31

Contract indemnity clauses

Answer 31

■ A contractual agreement where one party agrees to cover
the other’s harm, liability, or loss stemming from the
contrac

Question 32

Risk Acceptance

Answer 32

Used when cost of managing the risk outweighs potential loss or risk is
unlikely to have a significant impac

Question 33

exception

Answer 33

Exception (allows party to avoid rule under specific conditions)

Question 34

Risk avoidance

Answer 34

● Change plans or strategies to eliminate a specific risk
● Chosen when the risk is too great to accept or transfer

Question 35

Risk mitigation

Answer 35

● Take steps to reduce likelihood or impact of risk
● Common strategy involving various actions

Question 36

Risk Monitoring

Answer 36

● Tracking identified risks
● Monitoring residual risks
● Identifying new risks
● Evaluating risk response plan

Question 37

Residual Risk

Answer 37

The likelihood and impact of the risk after mitigation,
transference, or acceptance measures have been taken on the
initial risk assessment

Question 38

Control Risk

Answer 38

○ Assessment of how a security measure has lost effectiveness over
time