Section: Volume A
Explanation:
The Delphi technique uses rounds of anonymous surveys to build consensus on project risks. Delphi is a technique to identify potential risk. In this technique, the responses are gathered via a question and their inputs are organized according to their contents. The collected responses are sent back to these experts for further input, addition, and comments. The final list of risks in the project is prepared after that. The participants in this technique are anonymous and therefore it helps prevent a person from unduly influencing the others in the group. The Delphi technique helps in reaching the consensus quickly.
Incorrect Answers:
B: Root cause analysis is not an anonymous approach to risk identification.
C: Isolated pilot groups is not a valid risk identification activity.
D: SWOT analysis evaluates the strengths, weaknesses, opportunities, and threats of the project.

Explanation/Reference:
Explanation:
Inspection of FISMA is required to be done annually. Each year, agencies must have an independent evaluation of their program. The objective is to determine the effectiveness of the program. These evaluations include:
Testing for effectiveness: Policies, procedures, and practices are to be tested. This evaluation does not

test every policy, procedure, and practice. Instead, a representative sample is tested.
An assessment or report: This report identifies the agency's compliance as well as lists compliance with

FISMA. It also lists compliance with other standards and guidelines.
Incorrect Answers:
B, C, D: Auditing of compliance by external organization is done annually, not quarterly or every three years.

Explanation/Reference:
Explanation:
When the project team needs training to be able to complete the project work it is a cost of conformance to quality.
The cost of conformance to quality defines the cost of training, proper resources, and the costs the project must spend in order to ascertain the expected levels of quality the customer expects from the project. It is the capital used up throughout the project to avoid failures. It consists of two types of costs:
Prevention costs: It is measured to build a quality product. It includes costs in training, document

processing, equipment, and time to do it right.
Appraisal costs: It is measured to assess the quality. It includes testing, destructive testing loss, and

inspections.
Incorrect Answers:
A: Benchmarking compares any two items, such as materials, vendors, or resources.
B: Cost-benefit analysis is the study of the benefits in relation to the costs to receive the benefits of a decision, a project, or other investment.
D: Team development describes activities the project manager uses to create a more cohesive and responsive project team.

Explanation/Reference:
Explanation:
The output of the risk assessment process is identification of appropriate controls for reducing or eliminating risk during the risk mitigation process. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.
Once risk factors have been identified, existing or new controls are designed and measured for their strength and likelihood of effectiveness. Controls are preventive, detective or corrective; manual or programmed; and formal or ad hoc.
Incorrect Answers:
A: Risk identification acts as input of the risk assessment process.
C: This is an output of risk mitigation process, that is, after applying several risk responses.
D: Residual risk is the latter output after appropriate control.

Section: Volume A
Explanation:
Risk indicators are metrics used to indicate risk thresholds, i.e., it gives indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about the potential risks.
Incorrect Answers:
B, D: Estimation of risk's consequence and priority for awareness is conducted by using probability and impact matrix. These matrices specify the mixture of probability and impact that directs to rating the risks as low, moderate, or high priority.
C: A risk scenario is a description of an event that can lay an impact on business, when and if it would occur.
Some examples of risk scenario are of:
* Having a major hardware failure
* Failed disaster recovery planning (DRP)
* Major software failure