Explanation: The cost management plan is an input to the quantitative risk analysis process because of the cost management control it provides. The cost management plan sets how the costs on a project are managed during the project’s life cycle. It defines the format and principles by which the project costs are measured, reported, and controlled. The cost management plan identifies the person responsible for managing costs, those who have the authority to approve changes to the project or its budget, and how cost performance is quantitatively calculated and reported upon.
Incorrect Answers:
B: The cost management plan defines the estimating, budgeting, and control of the project’s cost.
C: While the cost management plan does define the cost change control system, this is not the best answer for this
D: This is not a valid statement. The cost management plan is an input to the quantitative risk analysis process.

Explanation:
CCTV is a physical control.
Physical controls protect the physical environment. They include basics such as locks to protect access to secure areas. They also include environmental controls. This section presents the following examples of physical controls:

• Locked doors, guards, access logs, and closed-circuit television
• Fire detection and suppression
• Temperature and humidity detection
• Electrical grounding and circuit breakers
• Water detection

Incorrect Answers: A, C, D CCTV is a physical control.

Explanation:
Teaming agreements are often coming under sharing risk response, as they involves joint ventures to realize an opportunity that an organization would not be able to seize otherwise.
Sharing response is where two or more entities share a positive risk. Teaming agreements are good example of sharing the reward that comes from the risk of the opportunity.
Incorrect Answers:
A: Acceptance is a risk response that is appropriate for positive or negative risk events. It does not pursue the risk, but documents the event and allows the risk to happen. Often acceptance is used for low probability and low impact risk events.
B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together.
C: Transference is a negative risk response where the project manager hires a third party to own the risk event.

Explanation:
All identified risks, their characteristics, responses, and their status should be added and monitored as part of the risk register. A risk register is an inventory of risks and exposure associated with those risks. Risks are commonly found in project management practices, and provide information to identify, analyze, and manage risks. Typically a risk register contains:

• A description of the risk
• The impact should this event actually occur
• The probability of its occurrence
• Risk Score (the multiplication of Probability and Impact)
• A summary of the planned response should the event occur
• A summary of the mitigation (the actions taken in advance to reduce the probability and/or impact of the event)
• Ranking of risks by Risk Score so as to highlight the highest priority risks to all involved.

Incorrect Answers:
A: Control management charts are not the place where risk events are recorded.
B: This is a risk event and should be recorded in the risk register.
D: Risks that have a low probability and a low impact may go on the low-level risk watch-list.

Explanation:
An enterprise’s risk management capability maturity level is 1 when:

• There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
• Any risk identification criteria vary widely across the enterprise.
• Risk appetite and tolerance are applied only during episodic risk assessments.
• Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
• Risk management skills exist on an ad hoc basis, but are not actively developed.
• Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.

Incorrect Answers:
A: In level 3 of risk management capability maturity model, local tolerances drive the enterprise risk tolerance.
B: In level 2 of risk management capability maturity model, risk tolerance is set locally and may be difficult to aggregate.
C: In level 4 of risk management capability maturity model, business risk tolerance is reflected by enterprise policies and standards reflect.

Explanation:
Contingent response strategy, also known as contingency planning, involves adopting alternatives to deal with the risks in case of their occurrence. Unlike the mitigation planning in which mitigation looks to reduce the probability of the risk and its impact, contingency planning doesn’t necessarily attempt to reduce the probability of a risk event or its impacts. Contingency comes into action when the risk event actually occurs.
Incorrect Answers:
A: Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts a risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active.

• Passive acceptance means that enterprise has made no plan to avoid or mitigate the risk but willing to accept the consequences of the risk.
• Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
• [/*]
• B: Risk mitigation attempts to reduce the probability of a risk event and its impacts to an acceptable level. Risk mitigation can utilize various forms of control carefully integrated together. The main control types are: Managerial(e.g.,policies)
• [*]
• Technical (e.g., tools such as firewalls and intrusion detection systems)
• Operational (e.g., procedures, separation of duties)
• Preparedness activities

C: Risk avoidance means to evade risk altogether, eliminate the cause of the risk event, or change the project plan to protect the project objectives from the risk event.

Explanation:
The cost of the response, which is applied so as to reduce risk within tolerance levels, is one of the most important parameter. By considering the cost of response, it is decided whether or not benefits of applying response is greater than accepting the risk; and according to this analysis it is decided whether the certain response should be applied or not. For example, if risk transfer response is applied by using insurance, then cost would be the cost of insurance.
Incorrect Answers:
B: This parameter is considered after analyzing the cost of response, which will further decide the level of sophistication of risk response. The enterprise’s capability to implement the response means that if the risk management process is mature then the risk response is more
C: This is one of the parameters that is considered but is not as important as considering cost of response. The importance of the risk is determined by the combination of likelihood and magnitude levels along with its position on the risk map.
D: Efficiency of response can only be analyzed after applying the response. So it is the latter stage in selection of response.

Explanation:
Risks and the corresponding responses are documented in the risk register for the project. Risk register is a document that contains the results of the qualitative risk analysis, quantitative risk analysis, and risk response planning. Description, category, cause, probability of occurring, impact on objectives, proposed responses, owner, and the current status of all identified risks are put in the risk register.
Incorrect Answers:
A: The stakeholder management strategy defines how stakeholders and their threats, perceived threats, opinions, and influence over the project objectives will be addressed and managed.
B: The outcome of risk events and the corresponding risk responses may be documented in the project’s lessons learned documented, but the best answer is to document the risk responses as part of the risk register.
D: The risk management plan defines how risks will be identified and analyzed, the available responses, and the monitoring and controlling of the risk events. The actual risk responses are included in the risk register.

Explanation: The potential choices of risk based decisions are represented in decision tree analysis via. Decision node, as decision nodes refers to the available choices.
Incorrect Answers:
A: End nodes are the final outcomes of the entire decision tree framework, especially in multilayered decision-making situations.
B: Root nodes represent the start of a decision tree.
C: Event nodes represents the possible uncertain outcomes of the decision, and not the available choices.

Explanation:
Risk identification is the process of determining which risks may affect the project. It also documents risks’ characteristics.
Following are high-level phases that are involved in risk identification and evaluation:

• Collecting data- Involves collecting data on the business environment, types of events, risk categories, risk scenarios, etc., to identify relevant data to enable effective risk identification, analysis and reporting.
• Analyzing risk- Involves analyzing risk to develop useful information which is used while taking risk-decisions. Risk-decisions take into account the business relevance of risk factors.
• Maintain a risk profile- Requires maintaining an up-to-date and complete inventory of known threats and their attributes (e.g., expected likelihood, potential impact, and disposition), IT resources, capabilities, and controls as understood in the context of business products, services and processes to effectively monitor risk over time.

Incorrect Answers:
D: It comes under risk management process, and not in risk identification and evaluation process.