Topic 1, Volume A
Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time
Threats and vulnerabilities change over time and KRI maintenance ensures that KRIs continue
to effectively capture these changes.
The risk environment is highly dynamic as the enterprise's internal and external environments
are constantly changing. Therefore, the set of KRIs needs to be changed over time, so that they
can capture the changes in threat and vulnerability.
Answer B is incorrect. While most key risk indicator (KRI) metrics need to be optimized in
respect to their sensitivity, the most important objective of KRI maintenance is to ensure that
KRIs continue to effectively capture the changes in threats and vulnerabilities over time. Hence
the most important reason is that threats and vulnerabilities change over time.
Answer C is incorrect. Risk reporting timeliness is a business requirement, but is not a reason
for KRI maintenance.
Answer A is incorrect. Risk avoidance is one possible risk response. Risk responses are based
on KRI reporting, but this is not the reason for maintenance of KRIs.

You are the project manager of an HGT project that has recently finished the final compilation
process. The project customer has signed off on the project completion and you have to do a few
administrative closure activities. In the project, there were several large risks that could have
wrecked the project but you and your project team found some new methods to resolve the risks
without affecting the project costs or project completion date. What should you do with the risk
responses that you have identified during the project's monitoring and controlling process?
A. Include the responses in the project management plan.
B. Include the risk responses in the risk management plan.
C. Include the risk responses in the organization's lessons learned database.
D. Nothing. The risk responses are included in the project's risk register already.
Risk responses that did not exist until then should be included in the organization's lessons
learned database so other project managers can use these responses in their projects if relevant.
Answer D is incorrect. If the new responses that were identified are only included in the project's
risk register, then they may not be shared with project managers working on other projects.
Answer A is incorrect. The responses are not in the project management plan, but in the risk
response plan during the project and they'll be entered into the organization's lessons learned