Explanation/Reference:
Explanation:
The risk register does not examine the network diagram and the critical path. There may be risks associated with the activities on the network diagram, but it does not address the network diagram directly.
The risk register is updated at the end of the plan risk response process with the information that was discovered during the process. The response plans are recorded in the risk register. In the risk register, risk is stated in order of priority, i.e., those with the highest potential for threat or opportunity first. Some risks might not require response plans at all, but then too they should be put on a watch list and monitored throughout the project. Following elements should appear in the risk register:
List of identified risks, including their descriptions, root causes, and how the risks impact the project

objectives
Risk owners and their responsibility

Outputs from the Perform Qualitative Analysis process

Agreed-upon response strategies

Risk triggers

Cost and schedule activities needed to implement risk responses

Contingency plans

Fallback plans, which are risk response plans that are executed when the initial risk response plan

proves to be ineffective
Contingency reserves

Residual risk, which is a leftover risk that remains after the risk response strategy has been

implemented
Secondary risks, which are risks that come about as a result of implementing a risk response

Section: Volume C
Explanation:
The primary goal of qualitative risk analysis is to determine proportion of effect and theoretical response. The inputs to the Qualitative Risk Analysis process are:
* Organizational process assets
* Project Scope Statement
* Risk Management Plan
* Risk Register
Incorrect Answers:
B: The cost management plan is the input to the perform quantitative risk analysis process.

Explanation/Reference:
Explanation:
0 nonexistent: An enterprise's risk management capability maturity level is 0 when:
The enterprise does not recognize the need to consider the risk management or the business impact

from IT risk.
Decisions involving risk lack credible information.

Awareness of external requirements for risk management and integration with enterprise risk

management (ERM) do not exists.
Incorrect Answers:
A, C, D: These all are much higher levels of the risk management capability maturity model and in all these enterprises do take decisions considering the risk credential information. Moreover, in these levels enterprise is aware of external requirements for risk management and integrate with ERM.

Section: Volume B
Explanation:
NIST SP 800-53 is used to review security in any organization, that is, in reviewing physical security. The Physical and Environmental Protection family includes 19 different controls. Organizations use these controls for better physical security. These controls are reviewed to determine if they are relevant to a particular organization or not. Many of the controls described include additional references that provide more details on how to implement them. The National Institute of Standards and Technology (NIST) SP 800-53 rev 3 identifies
18 families of controls. It groups these controls into three classes:
* Technical
* Operational
* Management