Risk Management

Question 1

Fundamental process involving identification, analysis, treatment, monitoring, and reporting of risks

■ Crucial for projects and business, it involves the identification and assessment of uncertainties that may impact objectives

Answer 1

Risk Management

Question 2

Proactive process recognizing potential risks, with a goal of creating a comprehensive list based on events hindering objectives

■ Crucial first step in risk management
■ Involves recognizing potential risks that could impact an organization
■ Risks can vary from financial and operational to strategic and reputational

Answer 2

Risk Identification

Question 3

Evaluate likelihood and potential impact.

It can be qualitative or quantitative method

The outcome is prioritized list for guiding risk treatment

Answer 3

Risk Analysis

Question 4

Developing strategies to manage identified risk

Develop Strategies Include:
Risk Avoidance
Risk Reduction
Risk Sharing
Risk Acceptance

Answer 4

Risk Treatment

Question 5

Ongoing process tracking identified risks, Monitor residual risks, Identify new risks, and Review risk management effectiveness
● Ensures dynamic responsiveness to organizational changes

Answer 5

Risk Monitoring

Question 6

Communicate risk information and effectiveness of risk management to stakeholders

Various forms
○ Dashboards
○ Heat Maps
○ Detailed Reports

● Crucial for accountability and informed decision-makin

Answer 6

Risk Reporting

Question 7

Regularity with which risk assessments are conducted within an organization

Answer 7

Risk Assessment Frequency

Question 8

● Conducted as needed, often in response to specific events or situations
● Address potential new risks or changes in existing risks

Answer 8

Ad-Hoc Risk Assessments

Question 9

● Conducted at regular intervals (e.g., annually, quarterly, monthly)
● Part of standard operating procedures for continual risk identification and management

Answer 9

Recurring Risk Assessments

Question 10

● Conducted for specific projects or initiatives
● Not repeated, associated with a particular purpose

Answer 10

One-Time Risk Assessments

Question 11

● Ongoing monitoring and evaluation of risks
● Enabled by technology, involving real-time data collection and analysis
● Used for proactive threat and vulnerability monitoring, facilitating quick responses

Answer 11

Continuous Risk Assessments

Question 12

■ Evaluates effects of disruptions on business functions
■ Identifies and prioritizes critical functions
■ Assesses impact of risks on functions
■ Determines required recovery time for functions

Answer 12

Business Impact Analysis (BIA)

Question 13

○ Maximum acceptable time before severe impact
○ Target time for restoring a business process

Answer 13

Recovery Time Objective (RTO)

(Key Metrics in BIA)

Question 14

○ Maximum acceptable data loss measured in time
○ Point in time data must be restored to

Answer 14

Recovery Point Objective (RPO)

(Key Metrics in BIA)

Question 15

○ Average time to repair a failed component or system
○ Indicator of repair speed and downtime minimization

Answer 15

Mean Time to Repair (MTTR)

(Key Metrics in BIA)

Question 16

○ Average time between system or component failures
○ Measure of reliability

Answer 16

Mean Time Between Failures (MTBF)

(Key Metrics in BIA)

Question 17

■ Records identified risks, descriptions, impacts, likelihoods, and mitigation actions
■ Key tool in risk management
■ May resemble a heat map risk matrix
■ Facilitates communication and risk tracking
■ Key component of project and business operations

Answer 17

Risk Register

Question 18

Components of Risk Register

Answer 18

Risk Description - Identifies and describes the risk
Risk Impact - Potential consequences of risk occurrence
Risk Likelihood - Probability of risk occurrence
Risk Outcome - Result of the risk if it occurs
Risk Level or Threshold - Determined by combining impact&likelihood
Cost - Financial impact on the project

Question 19

● An organization or individual’s willingness to deal with uncertainty in pursuit of their goals
● Maximum amount of risk they are willing to accept
● Acceptance without countermeasures

Answer 19

Risk Tolerance/Risk Acceptance

Question 20

Willingness to pursue or retain risk

Types:
○ Expansionary
○ Conservative
○ Neutral

Can be the amount of residual risk an organization is willing to accept

Answer 20

Risk Appetite

Question 21

■ Predictive metrics signaling increasing risk exposure
■ Provide early warning of potential risks
■ Tied to the organization’s objectives
■ Used to monitor risk changes and take proactive steps

Answer 21

Key Risk Indicators (KRIs)

Question 22

■ Responsible for managing the risk
■ Monitors, implements mitigation actions, and updates Risk Register
■ Accountable for risk management

Answer 22

Risk Owner

Question 23

■ Primary method in risk management
■ Assesses risks based on potential impact and likelihood
■ Categorizes risks as high, medium, or low
■ Subjective and relies on expertise and experience
■ Avoids quantitative complexity

Answer 23

Qualitative Risk Analysis

Key componenys Include:
Likelihood/Probability
Impact

Question 24

■ Provides objective and numerical evaluation of risks
■ Used for financial, safety, and scheduling decisions

Answer 24

Quantitative Risk Analysis

Utilizes key components
● Single Loss Expectancy (SLE)
● Exposure Factor (EF)
● Annualized Rate of Occurrence (ARO)
● Annualized Loss Expectancy (ALE)

Question 25

Proportion of asset lost in an event (0% to 100%) ● Indicates asset loss severity

Answer 25

Exposure Factor (EF)

Question 26

Monetary value expected to be lost in a single event ● Calculated as Asset Value x Exposure Factor (EF)

Answer 26

Single Loss Expectancy (SLE)

Question 27

Estimated frequency of threat occurrence within a year ● Provides a yearly probability

Answer 27

Annualized Rate of Occurrence (ARO)

Question 28

Expected annual loss from a risk ● Calculated as SLE x ARO

Answer 28

Annualized Loss Expectancy (ALE)

Question 29

Shifts risk to another party ● Common methods: Insurance Contract Indemnity Clause

Answer 29

Risk Transference (Risk Management Strategies)

Question 30

● Acknowledge and deal with risk if it occurs ● Used when cost of managing the risk outweighs potential loss or risk is unlikely to have a significant impact ● No actions to mitigate the risk are taken

Answer 30

Risk Acceptance (Risk Management Strategies)

Question 31

● Change plans or strategies to eliminate a specific risk ● Chosen when the risk is too great to accept or transfer

Answer 31

Risk Avoidance (Risk Management Strategies)

Question 32

● Take steps to reduce likelihood or impact of risk ● Common strategy involving various actions

Answer 32

Risk Mitigation (Risk Management Strategies)

Question 33

Process of ● Tracking identified risks ● Monitoring residual risks ● Identifying new risks ● Evaluating risk response plans ■ Involves ongoing tracking of risks and their response actions ■ Helps determine Residual Risk and Control Risk

Answer 33

Risk Monitoring

Question 34

The likelihood and impact of the risk after mitigation, transference, or acceptance measures have been taken on the initial risk

Answer 34

Residual Risk

Question 35

Assessment of how a security measure has lost effectiveness over time

Answer 35

Control Risk

Question 36

■ Communicating information about risk management activities to stakeholders ■ Includes results of risk identification, assessment, response, and monitoring ■ Often presented in the form of a risk report

Answer 36

Risk Reporting