PECB ISO-31000 Lead Risk Manager 시험

Question No : 1

Scenario 3:
NovaCare is a US-based healthcare provider operating four hospitals and several outpatient clinics. Following several minor system outages and an internal assessment that revealed inconsistencies in security monitoring tools, top management recognized the need for a structured approach to identify and manage risks more effectively. Thus, they decided to implement a formal risk management process in line with ISO 31000 recommendations to enhance safety and improve resilience.
To address these issues, the Chief Risk Officer of NovaCare, Daniel, supported by a team of departmental representatives and risk coordinators, initiated a comprehensive risk management process. Initially, they carried out a thorough examination of the environment in which risks arise, defining the conditions under which potential issues would be assessed and managed.
Afterwards, Daniel and the team explored potential risks that could affect various departments. Using structured interviews and brainstorming workshops, they gathered potential risk events across departments.
Based on the scenario above, answer the following question:
In Scenario 3, what risk management activity did Daniel and the team conduct using structured interviews and brainstorming workshops?

• A.Risk identification
• B.Risk analysis
• C.Risk evaluation
• D.Risk treatment

답을 확인하기

정답:
Explanation:
The correct answer is A. Risk identification. ISO 31000:2018 defines risk identification as the process of finding, recognizing, and describing risks that could affect the achievement of objectives. Techniques such as structured interviews, brainstorming workshops, and expert consultations are explicitly recognized as appropriate methods for identifying risks.
In Scenario 3, Daniel and the team used structured interviews and brainstorming workshops to gather potential risk events across departments. This activity resulted in identifying key risks such as data breaches, record-keeping errors, and regulatory noncompliance. These outcomes clearly demonstrate risk identification rather than analysis or evaluation.
Risk analysis would involve understanding the nature of risks, including their causes, likelihood, and consequences. While the team later performed cause-and-effect analysis, the specific activity described in this question focuses on collecting and listing risk events, which is the core objective of risk identification.
From a PECB ISO 31000 Lead Risk Manager perspective, effective risk identification is critical for ensuring that significant risks are not overlooked and that subsequent analysis and treatment are meaningful. Therefore, the correct answer is risk identification.

Question No : 2

Scenario 3:
NovaCare is a US-based healthcare provider operating four hospitals and several outpatient clinics. Following several minor system outages and an internal assessment that revealed inconsistencies in security monitoring tools, top management recognized the need for a structured approach to identify and manage risks more effectively. Thus, they decided to implement a formal risk management process in line with ISO 31000 recommendations to enhance safety and improve resilience.
To address these issues, the Chief Risk Officer of NovaCare, Daniel, supported by a team of departmental representatives and risk coordinators, initiated a comprehensive risk management process. Initially, they carried out a thorough examination of the environment in which risks arise, defining the conditions under which potential issues would be assessed and managed. Internally, they reviewed IT security policies and procedures, capabilities of the IT team, and reports from the internal assessment. Externally, they analyzed regulatory requirements, emerging cybersecurity threats, and evolving practices in IT security and resilience.
Based on this analysis, to ensure uninterrupted healthcare services, compliance with regulatory requirements, and protection of patient data, top management and Daniel decided to reduce minor system outages by 50% and achieve full coverage of security monitoring tools across all critical IT systems.
Afterwards, Daniel and the team explored potential risks that could affect various departments. Using structured interviews and brainstorming workshops, they gathered potential risk events across departments. As a result, key risks emerged, including data breaches linked to unsecured backup systems, record-keeping errors due to IT system issues, and regulatory noncompliance in reporting of breaches and outages.
Furthermore, the team assessed the effectiveness and maturity of existing controls and processes, particularly in system monitoring and data backup management. Through document reviews and interviews with department heads, the team found that these processes were applied inconsistently and lacked standardization, with procedures followed on a case-by-case basis rather than through documented, uniform methods.
Based on the scenario above, answer the following question:
Based on Scenario 3, when evaluating the effectiveness and maturity of NovaCare’s existing controls and processes, which maturity level did the team determine they were at?

• A.Nonexistent
• B.Initial
• C.Managed
• D.Optimized

답을 확인하기

정답:
Explanation:
The correct answer is B. Initial. In maturity models commonly referenced alongside ISO 31000 (such as capability or process maturity concepts), an initial maturity level is characterized by processes that exist but are applied inconsistently, are largely informal, and depend on individual practices rather than standardized and documented procedures.
In Scenario 3, the team found that system monitoring and data backup processes were present but lacked standardization, with procedures followed on a case-by-case basis. This clearly indicates that the controls were not nonexistent, as activities were being performed. However, they were also not at a managed level, which would require documented, standardized, consistently applied, and monitored processes.
ISO 31000 emphasizes that effective risk management requires structured and consistent application across the organization. The observed inconsistencies demonstrate a low level of maturity, where processes are reactive and dependent on individuals rather than institutionalized practices.
From a PECB ISO 31000 Lead Risk Manager perspective, identifying an initial maturity level is a critical input for improvement planning. It highlights the need to formalize procedures, standardize controls, and improve consistency to strengthen resilience and effectiveness. Therefore, the correct answer is Initial.

Question No : 3

Scenario 3:
NovaCare is a US-based healthcare provider operating four hospitals and several outpatient clinics. Following several minor system outages and an internal assessment that revealed inconsistencies in security monitoring tools, top management recognized the need for a structured approach to identify and manage risks more effectively. Thus, they decided to implement a formal risk management process in line with ISO 31000 recommendations to enhance safety and improve resilience.
To address these issues, the Chief Risk Officer of NovaCare, Daniel, supported by a team of departmental representatives and risk coordinators, initiated a comprehensive risk management process. Initially, they carried out a thorough examination of the environment in which risks arise, defining the conditions under which potential issues would be assessed and managed. Internally, they reviewed IT security policies and procedures, capabilities of the IT team, and reports from the internal assessment. Externally, they analyzed regulatory requirements, emerging cybersecurity threats, and evolving practices in IT security and resilience.
Based on this analysis, to ensure uninterrupted healthcare services, compliance with regulatory requirements, and protection of patient data, top management and Daniel decided to reduce minor system outages by 50% within a year and achieve full coverage of security monitoring tools across all critical IT systems.
Afterwards, Daniel and the team explored potential risks that could affect various departments using structured interviews and brainstorming workshops. As a result, key risks emerged, including data breaches linked to unsecured backup systems, record-keeping errors due to IT system issues, and regulatory noncompliance in reporting breaches and outages.
Furthermore, the team assessed the effectiveness and maturity of existing controls and processes, particularly in system monitoring and data backup management. Through document reviews and interviews with department heads, the team found that these processes were applied inconsistently and lacked standardization, with procedures followed on a case-by-case basis rather than through documented, uniform methods.
Based on the scenario above, answer the following question:
In Scenario 3, NovaCare’s top management and Daniel examined the environment in which risks arise, defining the conditions under which potential issues would be assessed and managed.
What did they examine in this case?

• A.The compliance obligations regarding the risk management process
• B.The criteria for emerging risks
• C.The context of the risk management process
• D.The risk treatment framework

답을 확인하기

정답:
Explanation:
The correct answer is C. The context of the risk management process. ISO 31000:2018 clearly states that establishing the context is a foundational step in the risk management process. Context defines the internal and external parameters to be considered when managing risk and sets the conditions under which risks are identified, analyzed, evaluated, and treated.
In Scenario 3, NovaCare’s team examined both internal context (IT security policies, procedures, team capabilities, and internal assessment reports) and external context (regulatory requirements, emerging cybersecurity threats, and evolving industry practices). This comprehensive examination directly aligns with ISO 31000’s guidance on context establishment.
Option A is incorrect because compliance obligations are only one element of the external context and do not represent the full scope of the activity described.
Option B refers to emerging risk criteria, which are not explicitly defined in the scenario.
Option D relates to treatment, which occurs later in the process.
From a PECB ISO 31000 Lead Risk Manager perspective, understanding the context ensures that risk management is tailored, relevant, and effective. Therefore, the correct answer is the context of the risk management process.

Question No : 4

Scenario 3:
NovaCare is a US-based healthcare provider operating four hospitals and several outpatient clinics. Following several minor system outages and an internal assessment that revealed inconsistencies in security monitoring tools, top management recognized the need for a structured approach to identify and manage risks more effectively. Thus, they decided to implement a formal risk management process in line with ISO 31000 recommendations to enhance safety and improve resilience.
To address these issues, the Chief Risk Officer of NovaCare, Daniel, supported by a team of departmental representatives and risk coordinators, initiated a comprehensive risk management process. Initially, they carried out a thorough examination of the environment in which risks arise, defining the conditions under which potential issues would be assessed and managed. Internally, they reviewed IT security policies and procedures, capabilities of the IT team, and reports from the internal assessment. Externally, they analyzed regulatory requirements, emerging cybersecurity threats, and evolving practices in IT security and resilience.
Based on this analysis, to ensure uninterrupted healthcare services, compliance with regulatory requirements, and protection of patient data, top management and Daniel decided to reduce minor system outages by 50% within one year and achieve full coverage of security monitoring tools across all critical IT systems.
Afterwards, Daniel and the team explored potential risks that could affect various departments. Using structured interviews and brainstorming workshops, they gathered potential risk events across departments. As a result, key risks emerged, including data breaches linked to unsecured backup systems, record-keeping errors due to IT system issues, and regulatory noncompliance in reporting breaches and outages. To better understand these risks, the team used a structured questioning approach to repeatedly analyze why each issue occurred, tracing cause-and-effect links and probing deeper until underlying root causes were identified.
Furthermore, the team assessed the effectiveness and maturity of existing controls and processes, particularly in system monitoring and data backup management. Through document reviews and interviews with department heads, the team found that these processes were applied inconsistently and lacked standardization, with procedures followed on a case-by-case basis rather than through documented, uniform methods.
Based on the scenario above, answer the following question:
The top management and Daniel decided to reduce minor system outages by 50% within a year and achieve full coverage of security monitoring tools across all critical IT systems.
What did they define in this case?

• A.The objectives of the risk management process
• B.The scope of the risk management process
• C.The threshold of risk acceptance
• D.The risk treatment options

답을 확인하기

정답:
Explanation:
The correct answer is A. The objectives of the risk management process. ISO 31000:2018 emphasizes that setting objectives is a critical part of initiating the risk management process. Objectives define what the organization intends to achieve through risk management and provide a basis for evaluating performance and effectiveness.
In the scenario, NovaCare’s top management and Daniel clearly articulated measurable and time-bound targets, such as reducing minor system outages by 50% within one year and achieving full coverage of security monitoring tools across all critical IT systems. These statements describe desired outcomes aligned with organizational goals, including uninterrupted healthcare services, regulatory compliance, and patient data protection. According to ISO 31000, such statements are characteristic of objectives, as they guide risk identification, analysis, evaluation, and treatment.
The scope of the risk management process would define boundaries such as organizational units, activities, locations, or timeframes to which the process applies. While the scenario mentions critical IT systems, the focus of the question is on what they decided to achieve, not where or to whom the process applies.
The threshold of risk acceptance relates to risk criteria and tolerance levels, which determine what level of risk is acceptable. Although the targets imply performance expectations, they do not define acceptance thresholds for individual risks.
From a PECB ISO 31000 Lead Risk Manager perspective, clearly defining objectives ensures alignment between risk management activities and strategic priorities and enables effective monitoring and review. Therefore, the correct answer is the objectives of the risk management process.

Question No : 5

How is effectiveness defined in relation to improving the risk management framework?

• A.Full alignment of the risk management framework with the organization’s structure, operations, culture, and business systems
• B.The extent to which the risk management framework has been appropriately implemented
• C.Successful achievement of the intended outcomes of the risk management framework
• D.The number of risks identified and documented

답을 확인하기

정답:
Explanation:
The correct answer is C. Successful achievement of the intended outcomes of the risk management framework. ISO 31000:2018 defines effectiveness as the extent to which planned activities are realized and planned results are achieved. In the context of improving the risk management framework, effectiveness refers to whether the framework delivers its intended outcomes, such as improved decision-making, enhanced resilience, and protection and creation of value.
Option A describes alignment, which supports effectiveness but does not define it.
Option B refers to implementation status, which indicates progress but does not measure whether objectives have been achieved.
Option D is a quantitative activity metric and does not reflect effectiveness.
ISO 31000 emphasizes that continual improvement of the risk management framework should be based on monitoring, review, and learning to ensure that intended outcomes are achieved over time. From a PECB ISO 31000 Lead Risk Manager perspective, effectiveness is outcome-focused, making option C the correct answer.

Question No : 6

What is an example of a requirement related to risk management that an organization mandatorily must comply with?

• A.Permits, licenses, or other forms of authorization
• B.Obligations arising under contractual arrangements with the organization
• C.Organizational requirements, such as policies and procedures
• D.Voluntary industry guidelines

답을 확인하기

정답:
Explanation:
The correct answer is A. Permits, licenses, or other forms of authorization. ISO 31000 requires organizations to consider mandatory requirements when establishing the context for risk management. Mandatory requirements are those imposed by laws and regulations and are legally binding. Failure to comply with such requirements can result in sanctions, fines, or loss of the right to operate.
Permits, licenses, and authorizations are classic examples of mandatory compliance obligations. Organizations must obtain and maintain these to conduct their activities legally. ISO 31000 highlights that noncompliance with mandatory requirements represents a significant source of risk and must be identified, analyzed, and managed appropriately.
Option B refers to contractual obligations, which are binding but arise from voluntary agreements rather than legal mandates applicable to all organizations in a jurisdiction.
Option C refers to internal requirements, which are self-imposed and not mandatory from a legal perspective.
Option D involves voluntary guidelines, which do not carry legal enforceability.
From a PECB ISO 31000 Lead Risk Manager perspective, distinguishing between mandatory and voluntary requirements is essential for accurate risk identification and prioritization. Mandatory requirements typically carry higher consequences and must be given appropriate attention. Therefore, the correct answer is permits, licenses, or other forms of authorization.

Question No : 7

Which statement regarding the risk management policy is correct?

• A.A risk management policy cannot be aligned with other internal policies
• B.A risk management policy should clearly define the organization’s risk appetite
• C.A risk management policy should undergo a review only when the organization’s internal context changes
• D.A risk management policy should be developed only after risks are identified

답을 확인하기

정답:
Explanation:
The correct answer is B. A risk management policy should clearly define the organization’s risk appetite. ISO 31000:2018 states that the risk management policy is a key document through which top management expresses its commitment, direction, and expectations regarding risk management. One of the essential elements of this policy is a clear articulation of the organization’s risk appetite, which defines the type and level of risk the organization is willing to accept in pursuit of its objectives.
Defining risk appetite within the policy supports consistent decision-making, aligns risk-taking with strategic objectives, and guides managers and employees in managing uncertainty. ISO 31000 emphasizes that risk management should be integrated into governance and strategy, and a clearly defined risk appetite ensures this alignment across all levels of the organization.
Option A is incorrect because ISO 31000 explicitly encourages alignment between the risk management policy and other internal policies, such as strategy, quality, sustainability, and compliance policies.
Option C is incorrect because ISO 31000 requires the risk management framework and its components, including the policy, to be continually improved and reviewed regularly, not only when the internal context changes.
Option D is incorrect because the policy is a foundational element that guides the entire risk management process, including risk identification.
From a PECB ISO 31000 Lead Risk Manager perspective, a well-defined risk management policy with a clear risk appetite is essential for effective and consistent risk management. Therefore, option B is correct.

Question No : 8

Which element should the organization analyze when examining its external context?

• A.Standards, guidelines, and models adopted by the organization
• B.Contractual relationships and commitments
• C.Key drivers and trends affecting the objectives of the organization
• D.Internal policies and procedures

답을 확인하기

정답:
Explanation:
The correct answer is C. Key drivers and trends affecting the objectives of the organization. ISO 31000:2018 requires organizations to establish the external context as part of the risk management process. The external context includes external factors that influence the organization’s ability to achieve its objectives.
According to ISO 31000, examining the external context involves analyzing political, economic, social, technological, legal, environmental, and market-related factors. These are often referred to as key drivers and trends, such as regulatory changes, economic conditions, market dynamics, and technological developments.
Option A relates to internal governance and methodological choices rather than the external environment.
Option B, contractual relationships, may involve external parties but are generally considered part of the organization’s internal context when they relate to internal obligations and arrangements.
Option D clearly refers to internal context elements.
From a PECB ISO 31000 Lead Risk Manager perspective, understanding external drivers and trends is essential for anticipating emerging risks and opportunities and for setting appropriate risk criteria. Therefore, the correct answer is key drivers and trends affecting the objectives of the organization.

Question No : 9

An organization ensures that risk management is embedded into its governance structures, aligning accountability and oversight roles with its strategic objectives and culture.
Which component of the risk management framework is being applied?

• A.Integration
• B.Design
• C.Implementation
• D.Evaluation

답을 확인하기

정답:
Explanation:
The correct answer is A. Integration. ISO 31000 defines integration as the process of embedding risk management into all aspects of the organization, including governance, strategy, planning, management, and culture. Integration ensures that risk management is not a standalone activity, but an inherent part of how the organization operates and makes decisions.
In the question, the organization aligns accountability and oversight roles with strategic objectives and culture, which directly reflects the integration component of the risk management framework. ISO 31000 emphasizes that integration is achieved when risk management influences governance structures and supports informed decision-making at all levels.
Option B, Design, refers to structuring the framework by understanding context, defining roles, allocating resources, and establishing communication mechanisms. While related, design precedes integration.
Option C, Implementation, focuses on putting the framework into operation, while option D, Evaluation, involves assessing effectiveness.
From a PECB ISO 31000 Lead Risk Manager perspective, integration is critical to ensure that risk management supports value creation and protection. Therefore, the correct answer is integration.

Question No : 10

According to ISO 31000, how can top management and oversight bodies demonstrate their commitment to risk management?

• A.By developing and communicating a clear policy that expresses the organization’s objectives and commitment to risk management
• B.By avoiding formal documentation to maintain flexibility in risk management practices
• C.By relying on external experts to handle all risk-related matters
• D.By delegating all risk responsibilities to operational managers

답을 확인하기

정답:
Explanation:
The correct answer is A. By developing and communicating a clear policy that expresses the organization’s objectives and commitment to risk management. ISO 31000:2018 places strong emphasis on leadership and commitment as a foundational element of the risk management framework. Top management and oversight bodies are expected to demonstrate commitment by establishing direction, ensuring alignment with organizational objectives, and visibly supporting risk management activities.
ISO 31000 explicitly states that leadership commitment should be demonstrated through actions such as issuing a risk management policy, allocating resources, assigning responsibilities, and ensuring integration of risk management into governance and decision-making. A clearly communicated policy provides a common understanding of the organization’s approach to risk, reinforces expectations, and promotes consistent behavior across all levels.
Option B is incorrect because ISO 31000 does not advocate avoiding documentation. While flexibility is important, formal documentation such as policies and frameworks is necessary to ensure clarity, consistency, and accountability.
Option C is incorrect because reliance on external experts does not replace leadership responsibility; risk management accountability remains with the organization.
Option D is also incorrect, as delegation without leadership involvement contradicts ISO 31000’s emphasis on top management responsibility.
From a PECB ISO 31000 Lead Risk Manager perspective, visible and documented commitment by leadership is essential for embedding risk management into organizational culture and operations. Therefore, option A is correct.

Question No : 11

A risk manager wants to improve organizational resilience by embedding climate-related considerations into performance measures, while also fostering open communication about risks across all levels of the organization.
Which of the following practices are they considering?

• A.Commitment to ongoing learning and strengthening of collaboration
• B.Integration of sustainability and promotion of risk culture
• C.Adoption of new technologies and focus on compliance
• D.Risk avoidance and risk transfer strategies

답을 확인하기

정답:
Explanation:
The correct answer is B. Integration of sustainability and promotion of risk culture. ISO 31000 emphasizes that risk management should be integrated into organizational activities, including performance management, decision-making, and strategic planning. Embedding climate-related considerations into performance measures reflects the integration of sustainability-related risks into the organization’s risk management and performance framework.
At the same time, fostering open communication about risks across all organizational levels aligns with the development and promotion of a positive risk culture, which ISO 31000 identifies as a key enabler of effective risk management. A strong risk culture encourages transparency, awareness, and proactive engagement with risk, supporting resilience and informed decision-making.
Option A focuses on learning and collaboration, which are important but do not directly address sustainability integration and risk culture.
Option C emphasizes technology and compliance, which are supporting elements but not the core practices described.
Option D refers to specific risk treatment options rather than organizational practices aimed at resilience.
From a PECB ISO 31000 Lead Risk Manager perspective, integrating sustainability considerations and promoting a strong risk culture enhances the organization’s ability to anticipate, respond to, and adapt to evolving risks such as climate change. Therefore, the correct answer is integration of sustainability and promotion of risk culture.

Question No : 12

Which of the following is an example of an internal stakeholder?

• A.Shareholders seeking returns and sustained performance
• B.Customers concerned with product and service quality
• C.Managers reporting and escalating risks within the organization
• D.Regulatory authorities enforcing compliance requirements

답을 확인하기

정답:
Explanation:
The correct answer is C. Managers reporting and escalating risks within the organization. ISO 31000 defines stakeholders as persons or organizations that can affect, be affected by, or perceive themselves to be affected by a decision or activity. Stakeholders can be internal or external, depending on their relationship with the organization.
Internal stakeholders are individuals or groups within the organization, such as employees, managers, executives, and internal committees. In the scenario provided, managers who report and escalate risks are clearly internal stakeholders, as they are directly involved in organizational processes and decision-making.
Option A, shareholders, are typically considered external stakeholders, as they are not involved in daily operations, even though they have a strong interest in performance.
Option B, customers, are also external stakeholders concerned with outputs rather than internal processes.
Option D, regulators, are external stakeholders representing legal and regulatory interests.
ISO 31000 emphasizes the importance of inclusiveness, requiring organizations to involve both internal and external stakeholders appropriately. Internal stakeholders play a critical role in risk identification, analysis, reporting, and treatment because of their proximity to operations and decision-making.
From a PECB ISO 31000 Lead Risk Manager perspective, correctly identifying internal stakeholders supports effective communication, accountability, and integration of risk management into everyday activities.

Question No : 13

According to ISO 31000, what is the main difference between the roles of the oversight body and top management in risk management?

• A.The oversight body manages daily risk management activities, while top management manages only opportunity-based risks.
• B.The oversight body supervises risk management, while top management manages risk.
• C.Both the oversight body and top management are equally responsible for risk management.
• D.The oversight body performs risk assessments, while top management approves risk treatments.

답을 확인하기

정답:
Explanation:
The correct answer is B. The oversight body supervises risk management, while top management manages risk. ISO 31000:2018 clearly distinguishes between governance and management responsibilities within the risk management framework. The oversight body (such as a board of directors or equivalent governing body) is responsible for oversight, ensuring that risk management is appropriate, effective, and aligned with the organization’s purpose, strategy, and governance arrangements.
Top management, on the other hand, is responsible for managing risk by establishing, implementing, and maintaining the risk management framework and ensuring that risk management is integrated into organizational activities and decision-making. ISO 31000 emphasizes leadership and commitment by top management as essential for embedding risk management into strategy, operations, and culture.
Option A is incorrect because the oversight body does not manage daily risk activities, nor does top management limit its role to opportunity-based risks.
Option C is incorrect because, while both have responsibilities, their roles are distinct and complementary, not identical.
Option D incorrectly assigns operational risk assessment responsibilities to the oversight body.
From a PECB ISO 31000 Lead Risk Manager perspective, understanding this distinction ensures proper governance, accountability, and effectiveness of risk management across all levels of the organization.

Question No : 14

Scenario 2:
Bambino is a furniture manufacturer headquartered in Florence, Italy, specializing in daycare furniture, including tables, chairs, children’s beds, shelves, mats, changing stations, and indoor playhouses. After experiencing a major supply chain disruption that caused delays and revealed vulnerabilities in its operations, Bambino decided to implement a risk management framework and process based on ISO 31000 guidelines to systematically identify, assess, and manage risks.
As the first step in this process, top management appointed Luca, the operations manager of Bambino, to facilitate the adoption and integration of the framework into the company’s operations, ensuring that risk awareness, communication, and structured practices became part of everyday decision-making.
After Luca took on the responsibility, he reviewed how responsibilities and decision-making were distributed across the company’s units, with each unit overseen by a director managing strategic, administrative, and operational matters. At the same time, in consultation with top management, he analyzed the broader environment of Bambino, namely mission, governance, culture, resources, information flows, and stakeholder relationships.
Building on this, Luca outlined concrete actions to strengthen risk management by engaging stakeholders, breaking the process into stages, and aligning objectives with the company’s goals. Progress was tracked through existing systems, allowing timely adjustments. Additionally, clear objectives were linked to the mission and strategy, responsibilities were defined, leadership demonstrated commitment, and expectations for daily integration were clarified. Finally, resources for people, skills, and technology were allocated, supported by communication, reporting, and escalation mechanisms.
Additionally, Luca reviewed the requirements the company was bound by, including safety laws for children’s products, local labor regulations, and permits needed for operations. He also considered voluntary commitments, such as sustainability labels and agreements with daycare institutions. Through this review, he identified the likelihood of occurrence and potential consequences of failing to meet these requirements, ranging from legal penalties to loss of customer trust, making this area a clear source of exposure. This included the possibility of fines for breaching product safety laws, sanctions for violating labor regulations, and reputational harm if sustainability or contractual commitments were not fulfilled.
Based on the scenario above, answer the following question:
As stated in Scenario 2, Luca identified the likelihood of Bambino’s noncompliance with relevant laws and regulations and the potential consequences.
What did he identify in this case?

• A.Compliance performance
• B.Compliance obligations
• C.Compliance risks
• D.Compliance controls

답을 확인하기

정답:
Explanation:
The correct answer is C. Compliance risks. ISO 31000 defines risk as the effect of uncertainty on objectives, expressed through the combination of likelihood and consequences. When Luca assessed the probability of noncompliance with laws, regulations, permits, and voluntary commitments, along with the associated impacts such as fines, sanctions, and reputational damage, he was clearly identifying compliance risks.
Compliance obligations refer to the laws, regulations, standards, and voluntary commitments that an organization must or chooses to comply with. In the scenario, these obligations included product safety laws, labor regulations, permits, and sustainability agreements. However, Luca went further by analyzing what could happen if those obligations were not met, which is the essence of risk identification and analysis.
Compliance performance would involve measuring how well Bambino is currently complying, while compliance controls are the measures implemented to ensure adherence. Neither term reflects the activity described, which focused on uncertainty, likelihood, and consequences.
From a PECB ISO 31000 Lead Risk Manager perspective, identifying compliance risks is a key part of risk identification and analysis, enabling organizations to prioritize actions, allocate resources, and protect value. Therefore, the correct answer is compliance risks.

Question No : 15

Scenario 2:
Bambino is a furniture manufacturer headquartered in Florence, Italy, specializing in daycare furniture, including tables, chairs, children’s beds, shelves, mats, changing stations, and indoor playhouses. After experiencing a major supply chain disruption that caused delays and revealed vulnerabilities in its operations, Bambino decided to implement a risk management framework and process based on ISO 31000 guidelines to systematically identify, assess, and manage risks.
As the first step in this process, top management appointed Luca, the operations manager of Bambino, to facilitate the adoption and integration of the framework into the company’s operations, ensuring that risk awareness, communication, and structured practices became part of everyday decision-making.
After Luca took on the responsibility, he reviewed how responsibilities and decision-making were distributed across the company’s units, with each unit overseen by a director managing strategic, administrative, and operational matters. At the same time, in consultation with top management, he analyzed the broader environment of Bambino, namely mission, governance, culture, resources, information flows, and stakeholder relationships.
Building on this, Luca outlined concrete actions to strengthen risk management by engaging stakeholders, breaking the process into stages, and aligning objectives with the company’s goals. Progress was tracked through existing systems, allowing timely adjustments. Additionally, clear objectives were linked to the mission and strategy, responsibilities were defined, leadership demonstrated commitment, and expectations for daily integration were clarified. Finally, resources for people, skills, and technology were allocated, supported by communication, reporting, and escalation mechanisms.
Additionally, Luca reviewed the requirements the company was bound by, including safety laws for children’s products, local labor regulations, and permits needed for operations. He also considered voluntary commitments, such as sustainability labels and agreements with daycare institutions. Through this review, he identified the likelihood of occurrence and potential consequences of failing to meet these requirements, ranging from legal penalties to loss of customer trust, making this area a clear source of exposure. This included the possibility of fines for breaching product safety laws, sanctions for violating labor regulations, and reputational harm if sustainability or contractual commitments were not fulfilled.
Based on the scenario above, answer the following question:
According to Scenario 2, Luca outlined a concrete set of actions to strengthen the company’s risk management capabilities.
What did he develop in this case?

• A.Risk management policy
• B.Risk management plan
• C.Risk treatment plan
• D.Risk register

답을 확인하기

정답:
Explanation:
The correct answer is B. Risk management plan. ISO 31000:2018 explains that once leadership commitment and context are established, organizations must design and implement the risk management framework through structured and coordinated actions. A risk management plan translates strategic intent into practical, actionable steps that enable the integration of risk management into everyday operations.
In the scenario, Luca outlined concrete actions such as stakeholder engagement, breaking the process into stages, aligning objectives with organizational goals, tracking progress through existing systems, defining responsibilities, allocating resources, and establishing communication, reporting, and escalation mechanisms. These elements collectively describe a risk management plan, which specifies how risk management will be implemented, monitored, and improved across the organization.
A risk management policy is typically a high-level statement expressing top management’s commitment, principles, and overall direction regarding risk management. While leadership demonstrated commitment in the scenario, Luca’s activities went beyond policy formulation and focused on execution.
A risk treatment plan is developed later in the risk management process and focuses specifically on actions to modify individual risks. In Scenario 2, Luca’s work addressed the framework and integration level, not the treatment of specific risks. A risk register, likewise, is a recording tool and not a set of actions.
From a PECB ISO 31000 Lead Risk Manager perspective, developing a risk management plan is a critical step in ensuring that risk management is integrated, structured, and sustainable. Therefore, the correct answer is risk management plan.