1. Right Answer: B
Explanation: Risk governance is a continuous life cycle that requires regular reporting and ongoing review, not once a year.Incorrect Answers:A, C, D: These are true for risk governance.

2. Right Answer: B
Explanation: Secondary risk is a risk that is generated as the result of risk response.Incorrect Answers:A: A pure risk is a risk that has only a negative effect on the project. Pure risks are activities that are dangerous to complete and manage such as construction, electrical work, or manufacturing.C, D: These terms are not applied for the risk that is generated as a result of risk response.

3. Right Answer: C,D,E
Explanation: The outputs of the risk response planning process are: Risk Register Updates: The risk register is written in detail so that it can be related to the priority ranking and the planned response. Risk Related Contract Decisions: Risk related contract decisions are the decisions to transmit risk, such as services, agreements for insurance, and other items as required. It provides a means for sharing risks. Project Management Plan Updates: Some of the elements of the project management plan updates are:- Schedule management plan- Cost management plan- Quality management plan- Procurement management plan- Human resource management plan- Work breakdown structure- Schedule baseline- Cost performance baseline Project Document Updates: Some of the project documents that can be updated includes:- Assumption log updates- Technical documentation updatesIncorrect Answers:A: Risk priority number is not an output for risk response but instead it is done before applying response. Hence it act as one of the inputs of risk response and is not the output of it.B: Residual risk is not an output of risk response. Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk. As,Risk = Threat Vulnerability -andTotal risk = Threat Vulnerability Asset ValueResidual risk can be calculated with the following formula:Residual Risk = Total Risk - ControlsSenior management is responsible for any losses due to residual risk. They decide whether a risk should be avoided, transferred, mitigated or accepted. They also decide what controls to implement. Any loss due to their decisions falls on their sides.Residual risk assessments are conducted after mitigation to determine the impact of the risk on the enterprise. For risk assessment, the effect and frequency is reassessed and the impact is recalculated.

4. Right Answer: B
Explanation: The output of the risk assessment process is identification of appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for theIT system.Once risk factors have been identified, existing or new controls are designed and measured for their strength and likelihood of effectiveness. Controls are preventive, detective or corrective; manual or programmed; and formal or ad hoc.Incorrect Answers:A: Risk identification acts as input of the risk assessment process.C: This is an output of risk mitigation process, that is, after applying several risk responses.D: Residual risk is the latter output after appropriate control.

5. Right Answer: D
Explanation: Once the set of risk scenarios is defined, it can be used for risk analysis. In risk analysis, likelihood and impact of the scenarios are assessed. Important components of this assessment are the risk factors.Incorrect Answers:A: Risk mitigation is the latter step after analyzing risk.B: Risk monitoring is the latter step after risk analysis and risk mitigation.C: Risk analysis comes under risk management, therefore management is a generalized term, and is not the best answer for this question.