CRISC—Certified in Risk and Information Systems Control Certification Questions and answer - Part 16

Mary Smith

Thu, 15 May 2025

1. Assessing the probability and consequences of identified risks to the project objectives, assigning a risk score to each risk, and creating a list of prioritized risks describes which of the following processes?

A) Qualitative Risk Analysis
B) Plan Risk Management
C) Identify Risks
D) Quantitative Risk Analysis



2. You and your project team have identified a few risk events in the project and recorded the events in the risk register. Part of the recording of the events includes the identification of a risk owner. Who is a risk owner?

A) A risk owner is the party that will monitor the risk events.
B) A risk owner is the party that will pay for the cost of the risk event if it becomes an issue.
C) A risk owner is the party that has caused the risk event.
D) A risk owner is the party authorized to respond to the risk event.



3. Suppose you are working in Company Inc. and you are using risk scenarios for estimating the likelihood and impact of the significant risks on this organization. Which of the following assessments are you performing?

A) IT security assessment
B) IT audit
C) Threat and vulnerability assessment
D) Risk assessment



4. You are the project manager of the PFO project. You are working with your project team members and two subject matter experts to assess the identified risk events in the project. Which of the following approaches is the best to assess the risk events in the project?

A) Interviews or meetings
B) Determination of the true cost of the risk event
C) Probability and Impact Matrix
D) Root cause analysis



5. Which of the following is BEST described by the definition below? 'They are heavy influencers of the likelihood and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed.'

A) Obscure risk
B) Risk factors
C) Risk analysis
D) Risk event



1. Right Answer: A
Explanation: The purpose of qualitative risk analysis is to determine what impact the identified risk events will have on the project and the probability that they will occur. It also puts risks in priority order according to their effects on the project objectives and assigns a risk score for the project.

Incorrect Answers:
B: Risk management is used to identify, assess, and control risks. It includes analyzing the value of assets to the business, identifying threats to those assets, and evaluating how vulnerable each asset is to those threats. Assessing the probability and consequences of identified risks is only one part of risk management.
C: Risk identification involves listing all the possible risks so that they can be addressed before they occur. In risk identification both threats and opportunities are considered, as both carry some level of risk with them.
D: This process does not involve assessing the probability and consequences of identified risks. Quantitative analysis is the use of numerical and statistical techniques, rather than the analysis of verbal material, for analyzing risks. Some quantitative methods of risk analysis are the internal loss method, external data analysis, business process modeling (BPM) and simulation, and statistical process control (SPC).

2. Right Answer: D
Explanation: The risk owner for each risk should be the person who has the most influence over its outcome. Selecting the risk owner thus usually involves considering the source of the risk and identifying the person who is best placed to understand and implement what needs to be done. The risk owner is also responsible for responding to the event and reporting on the risk status.

Incorrect Answers:
A: A risk owner will monitor the identified risks for status changes, but all project stakeholders should be iteratively looking to identify risks.
B: Risk owners do not pay for the cost of the risk event.
C: Risk owners are not the people who cause the risk event.

3. Right Answer: C
Explanation: A threat and vulnerability assessment considers the full spectrum of risks. It identifies the likelihood of occurrence of risks and the impact of the significant risks on the organization using risk scenarios. For example, natural threats can be evaluated by using historical data on the frequency of occurrence of natural disasters such as tornadoes, hurricanes, floods, fire, etc.

Incorrect Answers:
A, B: These use either a technical evaluation tool or assessment methodologies to evaluate risk, but do not use risk scenarios.
D: Risk assessment uses quantitative and qualitative analysis approaches to evaluate each significant risk identified.

4. Right Answer: A
Explanation: Risk probability and impact assessment is completed through interviews and meetings with the participants who are most familiar with the risk events or the project work, or who have other information that can help determine the effect of the risk.

Incorrect Answers:
B: Determining the true cost of the risk event is not a qualitative risk assessment approach. It is usually done during the quantitative risk analysis process.
C: The probability and impact matrix is a tool and technique for prioritizing risk events, but it is not the best answer for assessing risk events within the project.
D: Root cause analysis is a risk identification technique, not a qualitative assessment tool.

5. Right Answer: B
Explanation: Risk factors are those features that influence the likelihood and/or business impact of risk scenarios. They heavily influence the probability and impact of risk scenarios and should be taken into account during every risk analysis, when likelihood and impact are assessed.

Incorrect Answers:
A: The enterprise must consider risk that has not yet occurred and should develop scenarios around unlikely, obscure or non-historical events. Such scenarios can be developed by considering two things: visibility and recognition. To fulfil this task the enterprise must be in a position to observe anything going wrong, and must have the capability to recognize an observed event as something wrong.
C: A risk analysis involves identifying the most probable threats to an organization and analyzing the organization's related vulnerabilities to these threats. From an organizational perspective, a risk consists of threats to the organization's various processes, threats to physical and information assets, the likelihood and frequency of occurrence of a threat, and the impact on assets from the threat and vulnerability. Risk analysis allows the auditor to identify threats and vulnerabilities to the enterprise and its information systems, to provide information for the evaluation of controls in audit planning, to aid in determining audit objectives, and to support risk-based decisions.
D: A risk event represents the situation where you have a risk that only occurs with a certain probability and where the risk itself is represented by a specified distribution.
