Free Practice Questions for GAQM ISO-31000-CLA Exam

the last step of the risk assessment process, which starts with risk identification, moves to risk assessment, and finally risk evaluation, is Risk evaluation.

Risk evaluation involves comparing the estimated level of risk against the risk criteria established during the risk assessment phase, to determine the significance of the risk and whether it is acceptable or not. This decision is made in consultation with stakeholders, who may provide additional context and information to inform the decision.

The American Society for Quality (ASQ) describes risk evaluation as "the process of comparing an estimated risk against given risk criteria to determine the acceptability of the risk." [1]

Similarly, ISO/IEC 27001:2013 (Information technology — Security techniques — Information security management systems — Requirements) defines risk evaluation as "the process of comparing the estimated risk against given risk criteria in order to determine the significance of the risk." [2]

References: [1] ASQ Glossary - Risk evaluation, https://asq.org/quality-resources/risk-evaluation  [2] ISO/IEC 27001:2013, Clause 6.1.3(c), https://www.iso.org/standard/54534.html

Monitoring and review is a critical part of risk assurance5. This step involves checking whether the risk management framework, policy, and plan are implemented, whether they remain suitable, and whether they need improvement.

According to 1, page 15-16, external risks are “those arising from events outside the organization” and marketplace risks are “those arising from changes in market conditions such as customer demand, competition, regulation”. Economic changes in different countries can affect the market conditions for an international bank’s operations.

Monte Carlo simulation is a risk analysis technique that uses random variables to model uncertainty and generate possible outcomes2. This helps to assess the probability and impact of different scenarios.

Scoping framework boundaries is a major challenge in implementing the ISO 31000:2018 risk management framework. Scoping framework boundaries involves defining the scope of application of risk management within the organization’s context,

structure, and objectives.

According to ISO 31000:2018, a risk management framework consists of four critical elements: design (B), implement (D), evaluate (E) and improve (F)5. These elements guide an organization in integrating risk management into all functions and processes.

Risk management processes, outcomes, and activities should be traceable5. This means that there should be a clear record of how risks were identified, analyzed, evaluated, treated, monitored, reviewed, and communicated.

Uncertainty leads to a changing context2. This means that uncertainty creates variability in outcomes and expectations, which may affect the objectives and scope of risk management.

Transparency and inclusiveness are key ISO 31000:2018 attributes. Transparency means that risk management activities are visible, understandable, and verifiable by relevant stakeholders. Inclusiveness means that appropriate stakeholders are involved in risk management decisions and actions.

External and internal risks are significant risks of reporting that are outside the risk appetite of the organization and can impact compliance, which may also be reportable to regulatory agencies1. These risks may arise from external factors such as market changes, natural disasters, or cyberattacks, or internal factors such as human errors, fraud, or system failures.