1. Right Answer: D
Explanation: Among the given choices, only the Acceptance response is used for negative risk events. Risk acceptance means that no action is taken relative to a particular risk; loss is accepted if it occurs. If an enterprise adopts risk acceptance, it should carefully consider who can accept the risk. Risk should be accepted only by senior management in relationship with senior management and the board. There are two alternatives to the acceptance strategy, passive and active. Passive acceptance means that the enterprise has made no plan to avoid or mitigate the risk but is willing to accept the consequences of the risk. Active acceptance is the second strategy and might include developing contingency plans and reserves to deal with risks.
Incorrect Answers:
A, B, C: These are all used to deal with opportunities or positive risks, and not with negative risks.
2. Right Answer: D
Explanation: The probability that an actual return on an investment will be lower than the investor's expectations is termed investment risk or expense risk. All investments have some level of risk associated with them due to the unpredictability of the market's direction. This includes consideration of the overall IT investment portfolio.
Incorrect Answers:
A: The risk that data cannot be relied on because they are unauthorized, incomplete or inaccurate is termed integrity risk.
B: The risk of IT projects failing to meet objectives due to lack of accountability and commitment is referred to as project risk ownership.
C: The risk associated with not receiving the right information to the right people (or process or systems) at the right time to allow the right action to be taken is termed relevance risk.
3. Right Answer: A,B
Explanation: Creating a scenario requires determination of the value of an asset or a business process at risk and the potential threats and vulnerabilities that could cause loss. The risk scenario should be assessed for relevance and realism, and then entered into the risk register if found to be relevant.
In practice, the following steps are involved in risk scenario development. First, determine a manageable set of scenarios, which include: frequently occurring scenarios in the industry or product area; scenarios representing threat sources that are increasing in count or severity level; and scenarios involving legal and regulatory requirements applicable to the business. After determining manageable risk scenarios, perform a validation against the business objectives of the entity. Based on this validation, refine the selected scenarios and then detail them to a level in line with the criticality of the entity. Reduce the number of scenarios to a manageable set. Manageable does not signify a fixed number, but should be in line with the overall importance and criticality of the unit. Risk factors are kept in a register so that they can be reevaluated in the next iteration and included for detailed analysis if they have become relevant at that time. Include an unspecified event in the scenarios, that is, address an incident not covered by other scenarios.
Incorrect Answers:
C, D: Determination of actors and threat type are not the primary requirements for developing risk scenarios, but are the components that are determined during risk scenario development.
4. Right Answer: A,B,D
Explanation: The Chief Risk Officer (CRO) is the executive-level manager in an organization. They provide corporate guidance, governance, and oversight over the enterprise's risk management activities. The main priority for the CRO is to ensure that the organization is in full compliance with applicable regulations. They may also deal with areas regarding insurance, internal auditing, corporate investigations, fraud, and information security.
The CRO's responsibilities include: managing the risk assessment process; implementation of corrective actions; communicating risk management issues; and supporting the risk management functions.
5. Right Answer: A
Explanation: The contract change control system is part of the project's change control system. It addresses changes with the vendor that may affect the project contract. The change control system, a part of the configuration management system, is a collection of formal documented procedures that define how project deliverables and documentation will be controlled, changed, and approved.
Incorrect Answers:
B: The scope may change because of the stakeholder change request. Vendors relationship to the project, hence this choice is not the best answer.
C: The cost change control system manages changes to costs in the project.
D: There is no indication that the change could affect the project schedule.