Question 1: During a quarterly risk review meeting, several stakeholders question whether the implemented risk responses for technology obsolescence are achieving their intended outcomes. The risk manager has data showing mixed results. How should the risk manager structure this discussion to maximize stakeholder engagement and decision-making?
- A. Present only the successful response outcomes to maintain stakeholder confidence in the risk management process
- B. Share both positive and negative performance data, facilitate discussion on root causes, and collaboratively identify adjustments (Correct Answer)
- C. Defer the discussion until all response actions show positive results to avoid premature conclusions
- D. Provide the raw data to stakeholders and allow them to independently analyze effectiveness
Explanation: Hosting meetings to discuss effectiveness and future actions requires transparency and collaboration. Sharing complete performance data—both successes and challenges—enables honest discussion about root causes and necessary adjustments. This approach treats stakeholders as partners in risk management rather than passive recipients of information. Presenting only successes undermines credibility, deferring discussion delays necessary course corrections, and providing raw data without facilitation misses the opportunity for collaborative problem-solving.
Question 2: (Select all that apply) A risk response plan has been executed to address regulatory compliance risks through new training programs, updated procedures, and enhanced monitoring systems. When communicating these actions to the board of directors, which elements should be included to effectively inform them of the response implementation?
- A. Quantitative assessment of residual risk levels after response implementation (Correct Answer)
- B. Detailed technical specifications of the monitoring system software
- C. Timeline showing when each response action was completed (Correct Answer)
- D. Resource expenditure compared to the approved response budget (Correct Answer)
Explanation: Effective communication of risk response actions to senior stakeholders requires presenting information relevant to their oversight responsibilities. Quantitative residual risk assessment (A) shows the effectiveness of responses, timeline information (C) demonstrates execution accountability, and budget comparison (D) addresses resource stewardship—all critical for board-level understanding. Technical software specifications (B) are unnecessarily detailed for board communication and should be summarized at a strategic level instead. The competency emphasizes presenting detailed summaries appropriate to stakeholder needs, not overwhelming them with technical minutiae.
Question 3: A risk manager needs to communicate the status of response actions for cybersecurity risks to a diverse stakeholder group that includes technical staff, business unit leaders, and external auditors. Each group has different information needs and technical understanding. What approach would most effectively ensure all stakeholders receive appropriate communication about the risk response actions?
- A. Create a single comprehensive technical document and distribute it to all stakeholders for consistency
- B. Develop stakeholder-specific communication materials that address each group's information needs while maintaining consistent core messaging (Correct Answer)
- C. Hold separate meetings with each stakeholder group and adjust the message based on their reactions
- D. Provide all stakeholders with access to the risk management information system and allow self-service reporting
Explanation: Effective risk communication requires tailoring the presentation to stakeholder needs while ensuring message consistency—a critical aspect of presenting detailed summaries of response actions. Developing stakeholder-specific materials allows technical depth for IT staff, business impact focus for unit leaders, and compliance evidence for auditors, while ensuring everyone receives accurate information about the same response actions. A single technical document (A) may be incomprehensible to non-technical audiences, adjusting messages based on reactions (C) risks inconsistency and appears reactive rather than planned, and self-service access (D) abdicates the risk manager's responsibility to actively communicate and ensure understanding.
Question 4: Based on the scenario, what communication action would best address the stakeholder's concerns while maintaining transparency about the risk response effectiveness?
- A. Organize a dedicated meeting to present comparative analysis of pre- and post-response incident data with trend visualizations (Correct Answer)
- B. Acknowledge the concern via email and commit to providing an update in the next quarterly report
- C. Explain that response effectiveness requires a longer evaluation period and cannot yet be assessed
- D. Share anecdotal feedback from team members who believe the responses are working well
Explanation: This scenario requires both presenting detailed summaries and hosting discussions about effectiveness—core performance indicators for this competency. Organizing a dedicated meeting with data-driven analysis directly addresses the stakeholder's legitimate concern while demonstrating professional risk communication. It provides objective evidence for evaluation and creates a forum for discussion. Email acknowledgment (B) delays meaningful engagement, claiming insufficient time (C) appears defensive when data exists, and anecdotal feedback (D) lacks the rigor needed for stakeholder confidence in risk response assessment.
Question 5: A project manager has just completed implementing a series of risk mitigation actions for supply chain disruptions. The actions included diversifying vendors, establishing buffer inventory, and creating expedited shipping agreements. What communication approach would most effectively inform executive stakeholders of these completed response actions?
- A. Distribute a comprehensive written report detailing each action taken, associated costs, and expected risk reduction metrics (Correct Answer)
- B. Schedule brief one-on-one conversations with each executive to verbally summarize the key actions
- C. Add a bullet-point summary to the next monthly project status report
- D. Create an email distribution list and send periodic updates as actions are completed
Explanation: Presenting detailed summaries of response actions to stakeholders is a key performance indicator for this competency. A comprehensive written report provides the necessary detail, documentation, and metrics that executive stakeholders need to understand the actions taken and their impact. This approach ensures all relevant information is captured and accessible. Brief conversations, status report bullets, or periodic emails lack the depth and formality required for communicating significant risk response actions to executives.
Question 6: During a multi-year infrastructure program, a cross-project risk concerning regulatory approval dependencies between three component projects has been tracked at the program level for 18 months. Project A has now completed all deliverables requiring regulatory input, Project B has pivoted to an alternative approach eliminating the dependency, and Project C continues under the original regulatory pathway. The program risk register shows this as a single consolidated risk entry with shared ownership across all three project managers. What procedural consideration should guide the risk closure decision at this stage?
- A. Maintain the consolidated risk entry at program level until Project C completes its regulatory pathway, then archive the risk with unified closure documentation reflecting the complete timeline and resolution across all projects to preserve institutional knowledge for future programs
- B. Decompose the consolidated risk into project-specific entries, close the risk for Projects A and B through their respective project risk registers with project manager authority, while elevating the remaining Project C regulatory risk for continued program-level monitoring with revised impact assessment
- C. Close the program-level risk immediately since two of three projects have eliminated the dependency, transferring residual regulatory concerns for Project C to an operational issue log rather than maintaining it as an active program risk given the reduced scope of impact
- D. Convene a program governance review to validate closure criteria across the portfolio hierarchy, ensuring that Projects A and B have documented dependency elimination through their change control processes before pursuing partial closure while maintaining program-level oversight of Project C's continuing exposure (Correct Answer)
Explanation: In portfolio and program risk management, closing risks that span multiple projects requires differentiated analysis of governance authority, validation processes, and hierarchical approval mechanisms. Option D correctly recognizes that cross-project risks consolidated at the program level cannot be unilaterally closed by individual project managers without program governance validation, even when some component projects have eliminated their exposure. The governance review ensures that dependency elimination is formally documented through change control, satisfies portfolio-level closure criteria, and appropriately maintains oversight of continuing exposure in Project C. Option A incorrectly delays all closure actions until the slowest project completes, which fails to recognize that risk status can evolve differently across projects and should be reflected through appropriate closure mechanisms. Option B oversimplifies by suggesting decomposition without governance validation, potentially creating gaps in program-level visibility and failing to ensure proper authority channels are followed for a previously consolidated program risk. Option C prematurely closes the program-level risk and inappropriately downgrades continuing regulatory exposure to an operational issue, which could result in inadequate monitoring and response capability for Project C's legitimate ongoing risk. The competency of closing risks no longer applicable requires understanding when partial closure is appropriate in multi-project contexts, how organizational hierarchy affects closure authority, and why governance validation is essential before removing risks from program-level registers when dependencies span project boundaries.
Question 7: A project risk related to vendor delivery delays has been mitigated through an alternative sourcing strategy that was successfully implemented three months ago. The risk manager is now preparing to formally close this risk in the risk register. What foundational elements should be verified before marking this risk as closed?
- A. Confirmation that the mitigation actions achieved their intended outcome, approval from relevant stakeholders that the risk no longer poses a threat, and complete documentation of the risk resolution process in the risk register (Correct Answer)
- B. Verification that the project schedule has been updated to reflect the changes, notification sent to the project sponsor about the closure decision, and archival of all vendor communications related to the original threat
- C. Assessment that no new risks have emerged from the mitigation actions, calculation of the cost savings achieved through early resolution, and updating the lessons learned database with key observations
- D. Documentation that the risk response owner has been reassigned to other duties, confirmation that contingency reserves allocated to this risk have been released, and certification that similar risks are being monitored
Explanation: When closing a risk that is no longer applicable, the risk manager must verify three foundational criteria: (1) factual confirmation that the implemented actions successfully addressed the risk and achieved the desired outcome, (2) formal agreement from relevant stakeholders (such as the project manager, risk response owner, and affected team members) that the risk truly no longer threatens project objectives, and (3) complete and accurate documentation of the closure rationale, actions taken, and final status in the risk register for audit trails and organizational learning. Option A correctly captures these essential closure criteria. Option B focuses on secondary administrative tasks rather than the core validation requirements. Option C emphasizes analytical activities that may be valuable but are not the fundamental prerequisites for risk closure. Option D addresses resource reallocation and reserve management, which are consequences of closure rather than closure criteria themselves. This competency ensures risks are closed systematically with appropriate validation and documentation rather than being removed prematurely from active monitoring.
Question 8: What action should the risk manager take to appropriately handle these obsolete risks?
- A. Document the reason for obsolescence in each risk record, update their status to 'closed,' transfer them to a retired risks archive with timestamp references to the scope change documentation, and notify relevant stakeholders of the closure (Correct Answer)
- B. Delete the obsolete risks from the active register immediately to reduce clutter, create a summary note in the project lessons learned log referencing the scope changes, and redistribute the updated risk register to the project team
- C. Mark the risks as 'on hold' in the register until project completion, attach the scope change documents to each risk entry, and defer the final closure decision to the project closeout phase when all documentation is finalized
- D. Reassign the obsolete risks to a lower probability and impact rating to deprioritize them, move them to the bottom of the register for future reference, and include a footnote explaining their reduced relevance due to scope modifications
Explanation: When risks become obsolete due to project changes such as scope modifications, proper risk closure procedures require maintaining complete documentation and audit trails. The appropriate approach involves: (1) documenting the specific reason each risk is no longer applicable, (2) formally updating the risk status to 'closed' rather than leaving them in ambiguous states, (3) archiving them in a manner that preserves historical project records while removing them from active monitoring, (4) maintaining traceability through timestamp references and linkages to the triggering change documentation, and (5) communicating the closure to stakeholders who may have been monitoring these risks. This approach ensures audit trail integrity, supports lessons learned processes, and maintains organizational process assets for future projects. Option B is incorrect because deleting risks destroys the historical record and violates documentation standards. Option C is inappropriate because 'on hold' status does not accurately reflect that risks are definitively obsolete, and deferring closure prevents accurate current-state reporting. Option D fails to properly close the risks and instead misrepresents their status through artificial rating manipulation, which compromises the integrity of the risk register and active risk prioritization.
Question 9: A project risk initially assessed at 80% probability and high impact has been addressed through three phases of mitigation over six months. Current data shows probability reduced to 15% with low impact. The risk manager proposes formally closing this risk, while a team member argues it should remain in active monitoring status. What factor most directly determines whether this risk qualifies for closure?
- A. Comparison of the current residual risk level against the organization's defined risk tolerance threshold to verify it falls within acceptable parameters (Correct Answer)
- B. Verification that all three mitigation phases achieved their planned objectives and documented the lessons learned for future reference
- C. Confirmation that the risk probability decreased by more than 50% from its original assessment and the trend analysis shows continued decline
- D. Assessment of whether the risk response budget was fully expended and the allocated resources can be reallocated to other priorities
Explanation: Risk closure decisions fundamentally depend on whether residual risk levels fall within the organization's established risk tolerance thresholds. Even with significant probability reduction (from 80% to 15%), a risk should only be closed when the remaining exposure is demonstrably acceptable per organizational standards. While Option B addresses important documentation practices, mitigation success alone doesn't justify closure if residual risk remains above tolerance. Option C focuses on trend metrics, but a 50% reduction is arbitrary—what matters is absolute residual risk versus tolerance, not percentage improvement. Option D considers resource optimization but confuses budget exhaustion with risk acceptability; risks may require continued monitoring regardless of spent funds. The competency of closing risks no longer applicable requires evaluating current risk state against predefined acceptance criteria, not historical improvement or resource factors.
Question 10: (Select all that apply) A pharmaceutical development project experiences a significant regulatory pathway change when the FDA approves an alternative accelerated review process for the therapeutic area. This change eliminates several previously identified regulatory compliance risks. Before archiving these closed risks, which documentation elements must the risk manager ensure are completed?
- A. Final risk status assessment documenting the regulatory change rationale, captured lessons regarding pathway monitoring effectiveness, and confirmation that no residual exposure remains from the original risk conditions (Correct Answer)
- B. Stakeholder acknowledgment records confirming the risk closure decision, transfer of relevant insights to the organizational risk knowledge repository, and updated risk register entries showing closure dates and justifications (Correct Answer)
- C. Post-closure audit findings verifying no reactivation potential exists, financial reconciliation of risk response budget allocations, and certification that all planned mitigation activities have been formally discontinued
- D. Historical risk tracking data showing probability and impact trends over time, documented approval from project governance for the closure action, and integration of regulatory insights into future project templates (Correct Answer)
Explanation: Comprehensive risk closure documentation requires multiple elements to ensure organizational learning and proper archival. Option A correctly identifies the need for final status assessment explaining the closure trigger (regulatory change), lessons learned about monitoring effectiveness, and confirmation of zero residual exposure. Option B appropriately includes stakeholder sign-off (essential for governance), knowledge transfer to organizational repositories (critical for future projects), and proper risk register updates with audit trails. Option D correctly requires historical tracking data for trend analysis, governance approval for closure decisions, and template integration for continuous improvement. Option C contains an error: while financial reconciliation and mitigation discontinuation are relevant, requiring 'post-closure audit findings verifying no reactivation potential' is impractical for risks closed due to external regulatory changes—the risk context itself has fundamentally changed, making reactivation verification unnecessary. The Monitor and Close Risks competency emphasizes that proper closure includes documentation, stakeholder communication, lessons learned capture, and knowledge management integration to support organizational risk maturity.