IT Risk Assessment for CRISC
This page covers the IT Risk Assessment domain of the CRISC certification. Master Cybersecurity offers 368 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
You are the project manager of an HGT project that has recently finished the final compilation process. The project customer has signed off on the project completion and you have to do a few administrative closure activities. In the project, there were several large risks that could have wrecked the project, but you and your project team found some new methods to resolve the risks without affecting the project costs or project completion date. What should you do with the risk responses that you have identified during the project's monitoring and controlling process?
- A. Include the responses in the project management plan.
- B. Include the risk responses in the risk management plan.
- C. Include the risk responses in the organization's lessons learned database.
- D. Nothing. The risk responses are included in the project's risk register already.
Explanation
The correct answer is: C. Include the risk responses in the organization's lessons learned database.
Effective novel responses are exactly the kind of organizational know-how that closing-process activities are designed to capture, so the lessons learned database is where they belong. Recording them there moves the insight from this project's archive into the organization's reusable knowledge base, available to future project managers facing similar risks. Adding them to the project management plan is wrong on two counts: the plan is being archived as well, and project plans do not store reusable enterprise lessons. The risk management plan defines the process for managing risk on a project rather than recording solutions; it is also project-bounded. The risk register does already record the responses chosen on this project, but the register expires with the project; without a lessons-learned entry the novel approach is lost as soon as the archive is filed.
Question 2
You are the project manager of a large construction project. This project will last for 18 months and will cost $750,000 to complete. You are working with your project team, experts, and stakeholders to identify risks within the project before the project work begins. Management wants to know why you have scheduled so many risk identification meetings throughout the project rather than just initially during the project planning. What is the best reason for the duplicate risk identification sessions?
- A. The iterative meetings allow all stakeholders to participate in the risk identification processes throughout the project phases.
- B. The iterative meetings allow the project manager to discuss the risk events which have passed the project and which did not happen.
- C. The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project.
- D. The iterative meetings allow the project manager to communicate pending risks events during project execution.
Explanation
The correct answer is: C. The iterative meetings allow the project manager and the risk identification participants to identify newly discovered risk events throughout the project.
Risk identification is iterative because the project's risk picture evolves throughout execution — new dependencies emerge, assumptions get tested, vendor performance surfaces issues, scope adjustments change exposure — and the best reason for repeated sessions is that they let the team capture newly discovered risk events that did not exist or were not visible at project kickoff. PMBOK explicitly treats risk identification as a process that recurs across phases for this reason. The iterative sessions allowing all stakeholders to participate is a side benefit but does not by itself justify the recurrence; participation could be solved by other means. Discussing risks that did not happen is a closure-style activity, useful occasionally but not the primary reason for recurrence. Communicating pending risk events during execution is a communication discipline that benefits from sessions but is not the foundational reason; the foundational reason is newly discoverable risk that emerges as the project progresses.
Question 3
You are the project manager of the GHT project. Your project team is in the process of identifying project risks on your current project. The team has the option to use all of the following tools and techniques to diagram some of these potential risks EXCEPT for which one?
- A. Process flowchart
- B. Ishikawa diagram
- C. Influence diagram
- D. Decision tree diagram
Explanation
The correct answer is: D. Decision tree diagram.
The decision tree diagram is not used for diagramming potential project risks during identification; it is a quantitative analysis tool that supports response selection by computing expected monetary value across decision branches. Decision trees operate after risks have been identified and evaluated, not during identification. A process flowchart is a legitimate diagramming technique for risk identification because following a process step-by-step exposes where exceptions and failures can occur. The Ishikawa (fishbone) diagram visualizes contributors to a potential outcome by category, useful during identification for surfacing risk contributors systematically. An influence diagram maps causal relationships among variables and is used during identification to reveal how factors propagate, which can expose risks that ripple through dependencies. Confusing decision trees with identification diagramming is a common error because all four diagrams visualize relationships, but only the decision tree is reserved for the response-selection stage.
Question 4
Courtney is the project manager for her organization. She is working with the project team to complete the qualitative risk analysis for her project. During the analysis Courtney encourages the project team to begin grouping identified risks by common causes. What is the primary advantage of grouping risks by common causes during qualitative risk analysis?
- A. It helps the project team realize the areas of the project most laden with risks.
- B. It assists in developing effective risk responses.
- C. It saves time by collecting the related resources, such as project team members, to analyze the risk events.
- D. It can lead to the creation of risk categories unique to each project.
Explanation
The correct answer is: B. It assists in developing effective risk responses.
Grouping identified risks by common causes during qualitative risk analysis primarily helps the team develop effective risk responses, because risks sharing a common cause often share an effective response — addressing the cause once treats every related scenario simultaneously. The grouping makes response planning more efficient and more powerful. Realizing the areas of the project most laden with risks is a useful side benefit of grouping but is narrower than the response-design value that justifies the grouping discipline. Saving time by collecting related resources to analyze risk events is a logistical benefit, again narrower than the response-design advantage. Creating risk categories unique to each project is one outcome of cause-based grouping but is methodologically secondary; many organizations use standard categories that grouping populates rather than redefines. The response-development efficiency is the primary advantage that justifies the analytical effort of grouping by common causes.
Question 5
You are an experienced Project Manager who has been entrusted with a project to develop a machine that produces auto components. You have scheduled meetings with the project team and the key stakeholders to identify the risks for your project. Which of the following is a key output of this process?
- A. Risk Register
- B. Risk Management Plan
- C. Risk Breakdown Structure
- D. Risk Categories
Explanation
The correct answer is: A. Risk Register.
Risk identification meetings with the project team and key stakeholders produce a key output of the Identify Risks process: the risk register, which records each identified risk along with its initial characterization, potential owners, and any preliminary responses identified during the discussion. PMBOK explicitly names the risk register as the primary output of identification. The risk management plan is an upstream artifact produced during Plan Risk Management; it defines how risk will be managed on the project rather than being produced by identification. The risk breakdown structure organizes risks into categories and is typically established during planning rather than identification; the RBS may be referenced during identification to ensure category coverage but is not the meeting's output. Risk categories are part of the RBS or the risk management plan; like the RBS, categories exist before identification rather than being produced by it.
Other CRISC domains
- Governance (319 questions)
- Information Technology and Security (328 questions)
- Risk Response and Reporting (881 questions)