PECB ISO 31000 Lead Risk Manager ISO-31000-Lead-Risk-Manager Exam Questions

Page: 1 / 14
Total 80 questions

Want more questions? Get Premium Access.
()

Question 1

How should risk be managed in the Intolerable region?

ARisk cannot be justified except in extraordinary circumstances.

BRisk is tolerable only if risk reduction is impracticable or its cost is grossly disproportionate to the improvement gained.

CRisk is tolerable if the cost of reducing it would exceed the benefit.

DRisk can be accepted if monitored closely.

Answer : A

The correct answer is A. Risk cannot be justified except in extraordinary circumstances. In ISO 31000-aligned risk evaluation frameworks, risks are commonly categorized into regions such as intolerable, tolerable, and acceptable based on predefined risk criteria.

Risks in the intolerable region exceed the organization's risk appetite and tolerance. ISO 31000 emphasizes that such risks require immediate treatment, including avoidance or significant reduction. Accepting intolerable risks would contradict the principle of protecting and creating value.

Option B describes the ALARP (As Low As Reasonably Practicable) principle, which applies to the tolerable region, not the intolerable region. Option C oversimplifies decision-making and ignores risk appetite boundaries. Option D contradicts ISO 31000, as monitoring alone is insufficient for intolerable risks.

From a PECB ISO 31000 Lead Risk Manager perspective, intolerable risks demand decisive action and cannot be accepted as part of normal operations. Therefore, the correct answer is risk cannot be justified except in extraordinary circumstances.

Question 2

Scenario 3:

NovaCare is a US-based healthcare provider operating four hospitals and several outpatient clinics. Following several minor system outages and an internal assessment that revealed inconsistencies in security monitoring tools, top management recognized the need for a structured approach to identify and manage risks more effectively. Thus, they decided to implement a formal risk management process in line with ISO 31000 recommendations to enhance safety and improve resilience.

After identifying key risks, Daniel and the team used a structured questioning approach to repeatedly analyze why each issue occurred, tracing cause-and-effect links and probing deeper until the underlying root causes were identified.

Based on the scenario above, answer the following question:

Which technique did Daniel and his team use to further investigate the cause-and-effect relationships of identified risks and uncover their root causes?

A5W's and 1H method

B5 Whys technique

CScenario analysis

DFault tree analysis

Answer : B

The correct answer is B. 5 Whys technique. The 5 Whys technique is a structured root cause analysis method that involves repeatedly asking ''why'' an issue occurred until the underlying cause is identified. This technique is widely used in risk analysis and problem-solving to uncover causal relationships rather than addressing symptoms.

In Scenario 3, the team explicitly used a method that involved repeatedly analyzing why each issue occurred and tracing cause-and-effect links. This description directly corresponds to the 5 Whys technique. The method supports ISO 31000's requirement to understand the sources, causes, and drivers of risk during risk analysis.

The 5W's and 1H method (Who, What, When, Where, Why, How) is typically used for information gathering rather than deep root cause analysis. Scenario analysis explores possible future situations rather than identifying root causes of existing issues. Fault tree analysis is a more complex, diagram-based technique not described in the scenario.

From a PECB ISO 31000 Lead Risk Manager perspective, selecting appropriate risk assessment techniques is essential for effective analysis. The 5 Whys technique is suitable for uncovering root causes in operational and process-related risks. Therefore, the correct answer is 5 Whys technique.

Question 3

Which activity is conducted in Phase I of the OCTAVE framework?

AMapping critical assets to IT components to highlight weak points in the system

BEstablishing baseline security needs by identifying assets, threats, and requirements

CPrioritizing risks based on likelihood and impact to guide protection strategies

DSelecting and implementing risk treatment options

Answer : B

The correct answer is B. Establishing baseline security needs by identifying assets, threats, and requirements. The OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) framework is a risk-based approach to information security, and Phase I focuses on building organizational knowledge about critical assets, security requirements, and relevant threats.

Phase I emphasizes identifying what is important to the organization, including information assets, operational assets, and their security needs. This phase relies heavily on internal knowledge and stakeholder input rather than technical testing. This approach aligns with ISO 31000's emphasis on context establishment and inclusiveness, where understanding the internal context and engaging stakeholders are essential to effective risk identification.

Option A corresponds to later phases of OCTAVE, where technical analysis and infrastructure examination are conducted. Option C relates more closely to risk analysis and evaluation activities, which occur after assets and threats have been identified. Option D reflects risk treatment activities, which are not part of Phase I.

From a PECB ISO 31000 Lead Risk Manager perspective, OCTAVE Phase I demonstrates how risk management should begin with understanding assets, objectives, and threats before moving into analysis and treatment. This reinforces ISO 31000's structured and comprehensive approach to managing risk.

Question 4

How is effectiveness defined in relation to improving the risk management framework?

AFull alignment of the risk management framework with the organization's structure, operations, culture, and business systems

BThe extent to which the risk management framework has been appropriately implemented

CSuccessful achievement of the intended outcomes of the risk management framework

DThe number of risks identified and documented

Answer : C

The correct answer is C. Successful achievement of the intended outcomes of the risk management framework. ISO 31000:2018 defines effectiveness as the extent to which planned activities are realized and planned results are achieved. In the context of improving the risk management framework, effectiveness refers to whether the framework delivers its intended outcomes, such as improved decision-making, enhanced resilience, and protection and creation of value.

Option A describes alignment, which supports effectiveness but does not define it. Option B refers to implementation status, which indicates progress but does not measure whether objectives have been achieved. Option D is a quantitative activity metric and does not reflect effectiveness.

ISO 31000 emphasizes that continual improvement of the risk management framework should be based on monitoring, review, and learning to ensure that intended outcomes are achieved over time. From a PECB ISO 31000 Lead Risk Manager perspective, effectiveness is outcome-focused, making option C the correct answer.

Question 5

Scenario 2:

Bambino is a furniture manufacturer headquartered in Florence, Italy, specializing in daycare furniture, including tables, chairs, children's beds, shelves, mats, changing stations, and indoor playhouses. After experiencing a major supply chain disruption that caused delays and revealed vulnerabilities in its operations, Bambino decided to implement a risk management framework and process based on ISO 31000 guidelines to systematically identify, assess, and manage risks.

As the first step in this process, top management appointed Luca, the operations manager of Bambino, to facilitate the adoption and integration of the framework into the company's operations, ensuring that risk awareness, communication, and structured practices became part of everyday decision-making.

After Luca took on the responsibility, he reviewed how responsibilities and decision-making were distributed across the company's units, with each unit overseen by a director managing strategic, administrative, and operational matters. At the same time, in consultation with top management, he analyzed the broader environment of Bambino, namely its mission, governance, culture, resources, information flows, and stakeholder relationships.

Building on this, Luca outlined concrete actions to strengthen risk management by engaging stakeholders, breaking the process into stages, and aligning objectives with the company's goals. Progress was tracked through existing systems, allowing timely adjustments. Additionally, clear objectives were linked to the mission and strategy, responsibilities were defined, leadership demonstrated commitment, and expectations for daily integration were clarified. Finally, resources for people, skills, and technology were allocated, supported by communication, reporting, and escalation mechanisms.

Additionally, Luca reviewed the requirements the company was bound by, including safety laws for children's products, local labor regulations, and permits needed for operations. He also considered voluntary commitments, such as sustainability labels and agreements with daycare institutions. Through this review, he identified the likelihood of occurrence and potential consequences of failing to meet these requirements, ranging from legal penalties to loss of customer trust, making this area a clear source of exposure. This included the possibility of fines for breaching product safety laws, sanctions for violating labor regulations, and reputational harm if sustainability or contractual commitments were not fulfilled.

Based on the scenario above, answer the following question:

What role did the top management of Bambino assign to Luca?

ARisk manager

BRisk owner

CRisk officer

DCompliance officer

Answer : A

The correct answer is A. Risk manager. According to ISO 31000:2018, the establishment of a risk management framework requires assigning clear roles and responsibilities to ensure effective design, implementation, maintenance, and continual improvement of risk management across the organization. A risk manager (or equivalent role) is typically responsible for facilitating and coordinating the adoption and integration of the risk management framework into organizational processes and decision-making.

In the scenario, Luca was explicitly appointed by top management to facilitate the adoption and integration of the risk management framework, ensure risk awareness, support communication, and embed structured risk management practices into everyday activities. These responsibilities are fully aligned with the role of a risk manager as described in ISO 31000, particularly within the framework elements related to leadership and commitment, integration, design, implementation, and improvement.

Luca's activities went beyond managing a single risk or owning a specific risk exposure. He reviewed governance structures, analyzed internal and external context, aligned objectives with strategy, engaged stakeholders, defined responsibilities, allocated resources, and established communication, reporting, and escalation mechanisms. These are framework-level responsibilities, not risk ownership responsibilities.

Option B. Risk owner is incorrect because a risk owner is accountable for managing a specific risk, including monitoring and treatment, rather than overseeing the overall framework. Option C. Risk officer is not a formally defined role in ISO 31000 and is often used informally or in regulated environments, but the described responsibilities exceed that scope. Option D. Compliance officer is incorrect because Luca's role covered broader risk management activities beyond compliance alone.

From a PECB ISO 31000 Lead Risk Manager perspective, the scenario clearly demonstrates that Luca was acting as a risk manager, making option A the correct answer.

Question 6

Scenario 1:

Gospeed Ltd. is a trucking and logistics company headquartered in Birmingham, UK, specializing in domestic and EU road haulage. Operating a fleet of 25 trucks for both heavy loads and express deliveries, it provides transportation services for packaged goods, textiles, iron, and steel. Recently, the company has faced several challenges, including stricter EU regulations, customs delays, driver shortages, and supply chain disruptions. Most critically, limited and unreliable information has created uncertainty in anticipating delays, equipment failures, or regulatory changes, complicating effective decision-making.

To address these issues and strengthen organizational resilience, Gospeed's top management decided to implement a risk management framework and apply a risk management process aligned with ISO 31000 guidelines. Considering the importance of stakeholders' perspectives when initiating the implementation of the risk management framework, top management brought together all relevant stakeholders to evaluate potential risks and ensure alignment of risk management efforts with the company's strategic objectives.

Top management outlined the general level and types of risks it was prepared to accept to pursue opportunities, while also clarifying which risks would not be acceptable under any circumstances. They accepted moderate financial risks, such as fuel price fluctuations or minor delivery delays, but ruled out compromising safety or breaching regulatory requirements.

As part of the risk management process, the company moved from setting its overall direction to a closer examination of potential risk exposures, ensuring that identified risks were systematically analyzed, evaluated, and treated. Top management examined the main operational factors that significantly influence the likelihood and impact of risks. This analysis highlighted concerns related to supply chain disruptions, technological failures, and human errors.

Additionally, Gospeed's top management identified several external risks beyond their control, including interest rate changes, currency fluctuations, inflation trends, and new regulatory requirements. Consequently, top management agreed to adopt practical strategies to protect the company's financial stability and operations, including hedging against interest rate fluctuations, monitoring inflation trends, and ensuring regulatory compliance through staff training sessions.

However, further challenges emerged when top management proceeded with a new contract for international deliveries without fully considering risk implications at the planning stage. Operational staff raised concerns about unreliable customs data and potential delays, but their input was overlooked in the rush to secure the deal. This resulted in delivery setbacks and financial penalties, revealing weaknesses in how risks were incorporated into day-to-day decision-making.

Based on the scenario above, answer the following question:

Gospeed faced limited and unreliable information, which created uncertainty about potential delays, equipment failures, or regulatory changes. What type of uncertainty did they face in this case?

AAleatory uncertainty

BDecision uncertainty

CEpistemic uncertainty

DOperational uncertainty

Answer : C

The correct answer is C. Epistemic uncertainty. ISO 31000:2018 defines risk as the effect of uncertainty on objectives and emphasizes that uncertainty can arise from limitations in knowledge, availability of information, data quality, and understanding of complex situations. Epistemic uncertainty specifically relates to incomplete, inaccurate, or unreliable information, and unlike inherent variability, it can be reduced through better information, learning, and analysis.

In the Gospeed Ltd. scenario, the most critical issue was the lack of reliable information to anticipate operational delays, equipment failures, and regulatory changes. Unreliable customs data, insufficient insight into regulatory developments, and overlooked feedback from operational staff demonstrate clear knowledge gaps. These conditions directly correspond to epistemic uncertainty as described in ISO 31000, which stresses that risk management should be based on the best available information, while explicitly acknowledging its limitations.

Aleatory uncertainty is not applicable, as it refers to inherent randomness or natural variability, such as weather conditions, which cannot be reduced through improved knowledge. In contrast, Gospeed's uncertainty could have been mitigated through improved data quality, stronger communication channels, and effective consultation with stakeholders.

Decision uncertainty is also incorrect, as it relates to uncertainty arising from choosing among alternatives rather than from information deficiencies. Although management made poor decisions by ignoring operational concerns, the root cause of the problem was the information gap, not the act of decision-making itself.

ISO 31000 further highlights the importance of inclusiveness, communication, and consultation to reduce uncertainty and support informed decision-making. Gospeed's failure to adequately address epistemic uncertainty weakened the integration of risk management into daily operations, ultimately resulting in delivery delays and financial penalties. Therefore, from a PECB ISO 31000 Lead Risk Manager perspective, the uncertainty faced by Gospeed is clearly epistemic uncertainty.

Question 7

What is one of the outputs of Business Impact Analysis (BIA)?

APrioritized list of critical processes and their interdependencies

BOverview of the organization's business products and their relationship with processes

CDetails of the organization's activities and resources

DRisk acceptance criteria

Answer : A

The correct answer is A. Prioritized list of critical processes and their interdependencies. Business Impact Analysis (BIA) is a structured technique used to assess the consequences of disruptions to business activities and to identify which processes are critical to organizational objectives.

One of the key outputs of a BIA is the prioritization of critical processes, along with an understanding of their interdependencies, recovery time objectives, and potential impacts if disrupted. This information supports risk analysis, continuity planning, and resilience-building, all of which align with ISO 31000's emphasis on understanding consequences and supporting informed decision-making.

Option B may be an input to BIA but is not a primary output. Option C refers to general organizational descriptions rather than impact-focused analysis. Option D relates to risk evaluation, not BIA.

From a PECB ISO 31000 Lead Risk Manager perspective, BIA outputs are essential for prioritizing risks and allocating resources effectively. Therefore, the correct answer is a prioritized list of critical processes and their interdependencies.