Pass the PECB ISO 31000 ISO-31000-Lead-Risk-Manager Questions and answers with ExamsMirror

The correct answer isC. Key risk indicators (KRIs). ISO 31000 emphasizes that effective monitoring and review require the use of indicators that provideearly warning signalsabout changes in risk exposure. KRIs are metrics specifically designed to signal increasing or decreasing risk levels before adverse events occur.

In Scenario 7, Maxime introduced measures explicitly described asearly warning indicatorsacross operational, financial, regulatory, and technological areas. Examples include production line stoppages, defective batches, raw material price volatility, inspection nonconformities, and system downtime. These measures do not merely assess performance outcomes but indicatepotential deterioration in risk conditions, which is the defining characteristic of KRIs.

Critical control points (CCPs) are specific stages in a process where controls are applied, commonly used in HACCP, not as monitoring indicators. Key performance indicators (KPIs) focus on performance achievement rather than risk exposure. Risk acceptance criteria define thresholds for accepting risks, not monitoring them.

From a PECB ISO 31000 Lead Risk Manager perspective, KRIs are essential tools for proactive risk monitoring, enabling timely corrective actions and supporting resilience. Therefore, the correct answer isKey risk indicators (KRIs).

The correct answer is A. Issuing press releases and interviews tailored to health, safety, and CSR-related challenges. ISO 31000 highlights that communication with external stakeholders must be appropriate, consistent, controlled, and aligned with organizational objectives and governance arrangements.

The media represents a broad external audience with limited need for technical detail but high sensitivity to issues related to health, safety, environmental impact, and corporate social responsibility (CSR). Therefore, communication should be carefully crafted, accurate, and contextualized, focusing on key messages that inform without causing unnecessary alarm or misinterpretation.

Providing full technical risk registers (Option B) would overwhelm non-technical audiences and may expose sensitive information. Allowing multiple departments to issue independent statements (Option C) risks inconsistency, confusion, and reputational damage. Sharing internal dashboards publicly (Option D) contradicts good governance and information control practices.

From a PECB ISO 31000 Lead Risk Manager perspective, media communication should be centralized, authorized, and strategically managed, ensuring transparency while protecting the organization’s interests. Tailored press releases and interviews allow organizations to communicate responsibly, maintain trust, and demonstrate accountability. Therefore, the correct answer is issuing tailored press releases and interviews.

The correct answer isB. Risk drivers. ISO 31000:2018 explains that risk analysis involves identifying factors that influence both thelikelihoodandconsequencesof risk events. These influencing factors are commonly referred to asrisk drivers, as they shape how and why risks materialize and escalate.

In the scenario, Gospeed’s top management examined operational factors such as supply chain disruptions, technological failures, and human errors. These elements do not represent individual risk events themselves, but ratherconditions and factors that increase the probability and impact of multiple risks. According to ISO 31000, understanding such drivers is critical for effective risk analysis and evaluation, as they provide insight into the underlying causes that amplify risk exposure.

Risk sources, while related, refer more broadly to elements that give rise to risk. In practice, ISO 31000 distinguishes between sources of risk and drivers that influence risk behavior and severity. The scenario specifically emphasizes factors thatsignificantly influence likelihood and impact, which aligns more precisely with the concept of risk drivers rather than generic sources or isolated threats.

Threats represent potential adverse events, while consequences refer to outcomes after a risk has materialized. Neither term accurately reflects the management activity described, which focused on analyzing influencing factors before risks occur.

From a PECB ISO 31000 Lead Risk Manager perspective, identifying risk drivers is essential for prioritizing risks, designing effective controls, and selecting appropriate treatment options. By focusing on these drivers, organizations can proactively reduce exposure and improve resilience. Therefore, the correct answer isrisk drivers.

The correct answer is A. Only if the risk level meets the risk acceptance criteria and no additional controls are required. ISO 31000 recognizes risk retention as a legitimate risk treatment option when risks are within acceptable limits defined by the organization’s risk criteria.

Retention means consciously accepting a risk with full awareness of its potential consequences, typically because further treatment would be unnecessary, impractical, or disproportionate. Crucially, retention decisions must be based on risk acceptance criteria, not on subjective judgment alone.

Option B is incorrect because even minor risks must meet acceptance criteria. Option C promotes deferral without evaluation, which contradicts ISO 31000 principles. Option D is invalid because unidentified risks cannot be retained.

From a PECB ISO 31000 Lead Risk Manager perspective, retaining risks must be a deliberate, documented, and authorized decision aligned with risk appetite and tolerance. Therefore, the correct answer is only if the risk level meets the risk acceptance criteria and no additional controls are required.

The correct answer isB. A risk treatment plan. ISO 31000 defines a risk treatment plan as a documented set of actions specifying how selected risk treatment options will be implemented, including responsibilities, timelines, and required resources.

In Scenario 6, Trunroll explicitlyoutlined and documented clear actions with defined responsibilities and timelinesto address identified risks. These actions included avoiding third-party delivery partnerships, strengthening hygiene controls, investing in staff training, upgrading monitoring systems, and reserving internal financial resources to manage residual risk. These characteristics directly align with ISO 31000’s definition of a risk treatment plan.

A risk report focuses on communicating risk information and decisions, not implementation actions. A risk register is a structured record of identified risks and their attributes but does not by itself define treatment actions, responsibilities, or schedules. A risk policy sets overall direction and commitment rather than operational actions.

From a PECB ISO 31000 Lead Risk Manager perspective, a risk treatment plan is essential for translating risk decisions into actionable, accountable steps. Therefore, the correct answer isa risk treatment plan.

The correct answer isC. Risk appetite. ISO 31000:2018 explains that top management is responsible for setting the overall direction for risk management, including defining how much risk the organization is willing to accept in pursuit of its objectives. Risk appetite represents thetype and amount of risk an organization is prepared to pursue or retainto achieve value creation.

In the scenario, Gospeed’s top management explicitly stated that they were willing to acceptmoderate financial risks, such as fuel price fluctuations or minor delays, while clearly rejecting risks related to safety or regulatory compliance. This high-level statement reflects the organization’srisk appetite, as it sets boundaries for acceptable risk-taking aligned with strategic objectives.

Risk tolerance, by contrast, refers to theacceptable variation around specific objectives, usually applied at an operational or tactical level. It defines how much deviation from expected performance is permissible. While Gospeed may later establish tolerance thresholds (e.g., maximum delay duration), the scenario focuses on a broad strategic declaration, not measurable limits.

Risk criteria are used to evaluate the significance of risk and support decision-making during risk assessment. Although related, risk criteria involve thresholds and evaluation parameters rather than an overarching willingness to accept risk.

ISO 31000 emphasizes that defining risk appetite supports consistent decision-making, improves alignment between strategy and operations, and helps ensure risks are managed within acceptable boundaries. From a PECB Lead Risk Manager perspective, the actions described clearly demonstrate the definition ofrisk appetite, making option C the correct answer.

The correct answer isC. Successful achievement of the intended outcomes of the risk management framework. ISO 31000:2018 defineseffectivenessas the extent to which planned activities are realized and planned results are achieved. In the context of improving the risk management framework, effectiveness refers to whether the framework delivers itsintended outcomes, such as improved decision-making, enhanced resilience, and protection and creation of value.

Option A describesalignment, which supports effectiveness but does not define it. Option B refers to implementation status, which indicates progress but does not measure whether objectives have been achieved. Option D is a quantitative activity metric and does not reflect effectiveness.

ISO 31000 emphasizes that continual improvement of the risk management framework should be based on monitoring, review, and learning to ensure that intended outcomes are achieved over time. From a PECB ISO 31000 Lead Risk Manager perspective, effectiveness is outcome-focused, making option C the correct answer.

The correct answer isB. Establishing baseline security needs by identifying assets, threats, and requirements. The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) framework is a risk-based approach to information security, andPhase I focuses on building organizational knowledgeabout critical assets, security requirements, and relevant threats.

Phase I emphasizes identifying what is important to the organization, including information assets, operational assets, and their security needs. This phase relies heavily on internal knowledge and stakeholder input rather than technical testing. This approach aligns with ISO 31000’s emphasis oncontext establishment and inclusiveness, where understanding the internal context and engaging stakeholders are essential to effective risk identification.

Option A corresponds to later phases of OCTAVE, where technical analysis and infrastructure examination are conducted. Option C relates more closely to risk analysis and evaluation activities, which occur after assets and threats have been identified. Option D reflects risk treatment activities, which are not part of Phase I.

From a PECB ISO 31000 Lead Risk Manager perspective, OCTAVE Phase I demonstrates how risk management should begin with understanding assets, objectives, and threats before moving into analysis and treatment. This reinforces ISO 31000’s structured and comprehensive approach to managing risk.

The correct answer isB. Causes and events, emerging risk indicators, internal capabilities, limitations of available knowledge. ISO 31000 defines risk as the effect of uncertainty on objectives, making the identification of uncertainties a central element of risk management.

Organizations must consider potentialcauses and eventsthat could lead to deviations from objectives, as well as emerging indicators that signal changing risk conditions. Internal capabilities and constraints influence how well an organization can respond to uncertainty, while limitations in knowledge introduce additional uncertainty.

Option A focuses on static internal information. Option C and D relate more to planning and compliance rather than uncertainty identification.

From a PECB ISO 31000 Lead Risk Manager perspective, identifying uncertainties requires a forward-looking and evidence-based approach. Therefore, the correct answer iscauses, events, emerging indicators, capabilities, and knowledge limitations.

The correct answer isC. Structured What-If Technique (SWIFT). SWIFT is a facilitated, structured risk identification technique that usesguidewords and promptssuch as “what if…?” and “how could…?” to stimulate discussion and identify potential risks, causes, consequences, and existing controls.

In the scenario, the facilitator explicitly used guidewords and open-ended prompts during a workshop, which is characteristic of SWIFT. ISO 31010, which complements ISO 31000, describes SWIFT as a flexible and collaborative technique suitable for workshops and group discussions, particularly when time or resources are limited.

Checklists and taxonomies rely on predefined lists rather than interactive questioning. FMEA focuses on identifying failure modes and their effects in a systematic, often component-level analysis, rather than open-ended facilitated discussion. The Delphi technique uses anonymous expert surveys conducted in multiple rounds, which does not match the described workshop format.

From a PECB ISO 31000 Lead Risk Manager perspective, SWIFT is especially useful for early-stage risk identification and for engaging cross-functional stakeholders. Therefore, the correct answer isStructured What-If Technique (SWIFT).