Secure Software Lifecycle Professional – CSSLP – Question287

Harry is the project manager of the MMQ Construction Project. In this project, Harry has identified a supplier who can create stained glass windows for 1,000 window units in the construction project. The supplier is an artist who works by himself, but creates windows for several companies throughout the United States. Management reviews the proposal to use this supplier and while they agree that the supplier is talented, they do not think the artist can fulfill the 1,000 window units in time for the project's deadline. Management asked Harry to find a supplier who can fulfill the completion of the windows by the needed date in the schedule. What risk response has management asked Harry to implement?

A.
Transference
B. Avoidance
C. Mitigation
D. Acceptance

Correct Answer: C

Explanation:

Explanation: This is an example of mitigation. By changing to a more reliable supplier, Harry is reducing the probability the supplier will be late. It’s still possible that the vendor may not be able to deliver the stained glass windows, but the more reputable supplier reduces the probability of the lateness. Mitigation is a risk response planning technique associated with threats that seeks to reduce the probability of occurrence or impact of a risk to below an acceptable threshold. Risk mitigation involves taking early action to reduce the probability and impact of a risk occurring on the project. Adopting less complex processes, conducting more tests, or choosing a more stable supplier are examples of mitigation actions. Answer: A is incorrect. Transference is when the risk is transferred to a third party, usually for a fee. While this question does include a contractual relationship, the risk is the lateness of the windows. Transference focuses on transferring the risk to a third party to manage the risk event. In this instance, the management of the risk is owned by a third party; the third party actually creates the risk event because of the possibility of the lateness of the windows. Answer: B is incorrect. Avoidance changes the project plan to avoid the risk. If the project manager and management changed the window-type to a standard window in the project requirements, then this would be avoidance. Risk avoidance is a technique used for threats. It creates changes to the project management plan that are meant to either eliminate the risk completely or to protect the project objectives from its impact. Risk avoidance removes the risk event entirely either by adding additional steps to avoid the event or reducing the project scope requirements. It may seem the answer to all possible risks, but avoiding risks also means losing out on the potential gains that accepting (retaining) the risk might have allowed. Answer: D is incorrect. Acceptance accepts the risk that the windows could be late and offers no response.