According to ISO 31000:2018, "residual risk" is the specific term for the risk that remains after risk treatment measures have been implemented. The risk management process involves identifying risks, analyzing them, and then applying treatments (controls) to modify them. However, it is rare for treatment to eliminate risk entirely. The level of risk that is left over after these controls are in effect is known as residual risk. This remaining risk must then be monitored, reviewed, and formally accepted by management.

A. Controlled risk: This is not a standard term defined in ISO 31000. While treatments are controls, "controlled risk" is not the formal name for the risk that remains.

C. Avoidance risk: Risk avoidance is a type of risk treatment option where an organization decides not to start or to exit an activity to prevent exposure to a risk. It is a strategy, not the remaining risk.

D. Accepted risk: Risk acceptance (or retention) is a decision to take on a particular risk. While residual risk is often the risk that is formally accepted, "accepted risk" refers to the decision itself, not the state of the risk after treatment.

1. International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management — Guidelines. Geneva

Switzerland: ISO.

Section 3.9: Defines residual risk as the "risk remaining after risk treatment."

Section 6.5.2: Lists "avoiding the risk" and "retaining the risk" (acceptance) as options for risk treatment

distinguishing them from the concept of residual risk.

2. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis: An International Journal

30(6)

881-886.

Page 884: The article explains the ISO 31000 process

noting that after risk treatment

"the resulting level of risk is called 'residual risk'." This confirms that residual risk is the outcome of the treatment step. DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x

3. Leitch

M. (2010). ISO 31000:2009—The New International Standard on Risk Management. Risk Management

12(4)

180-181.

Page 181: In describing the risk treatment phase of the ISO 31000 process

the author states

"The intention of risk treatment is to produce a residual risk that is as low as reasonably practicable

" clearly identifying residual risk as the post-treatment state. DOI: https://doi.org/10.1057/rm.2010.9

The statement is correct. According to ISO 31000:2018, the risk assessment process is not an exact science and is based on the "best available information," which inherently has limitations. Therefore, it is crucial for the credibility and utility of the assessment that its limitations, including the accuracy of data and the reliability of the methods used, are clearly identified and communicated. This transparency allows decision-makers to understand the degree of confidence they can place in the assessment's outputs and to account for any significant uncertainties when making decisions.

The alternative, "False," is incorrect because it would suggest that the limitations and uncertainties of a risk assessment do not need to be disclosed. This contradicts the core principles of ISO 31000, which emphasize transparency, communication, and providing a sound basis for decision-making. An assessment presented as perfectly accurate and reliable when it is not can lead to flawed decisions, either by creating a false sense of security or by misallocating resources based on unreliable data.

1. ISO 31000:2018

Risk management — Guidelines

Clause 6.4.3 Risk analysis: This clause states

"Confidence in the determination of the level of risk and its sensitivity to preconditions and assumptions should be considered in the analysis

and communicated effectively to decision makers and

as appropriate

other stakeholders." This directly supports the need to identify the reliability and accuracy of the assessment.

2. Purdy

G. (2010). ISO 31000:2009—Setting a new standard for risk management. Risk Analysis: An International Journal

30(6)

881-886. https://doi.org/10.1111/j.1539-6924.2010.01442.x: While referencing the 2009 version

the principle remains central in the 2018 update. Purdy emphasizes that the standard moves away from a purely quantitative view

acknowledging that risk assessment must deal with uncertainty. The paper notes that the quality of information is a key input and that understanding its limitations is fundamental to the process (p. 884).

3. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300. https://doi.org/10.1057/rm.2012.9: This academic review discusses the implementation of ISO 31000. It highlights that a critical aspect of the standard is its emphasis on the context and the quality of the risk management process itself. The authors note that the effectiveness of the risk assessment depends on acknowledging and managing the inherent uncertainties and assumptions

which aligns with identifying its accuracy and reliability (pp. 280-281).

The question likely refers to a scorecard based on the principles of FERMA (Federation of European Risk Management Associations), which align with ISO 31000. According to these standards, risk is the "effect of uncertainty on objectives." This effect can be positive (opportunity) or negative (threat).

"Loss of income" (a threat) and "Financial gain" (an opportunity) are both direct financial impacts and are readily quantifiable in monetary units. "Reputational damage" is an intangible risk. While its financial consequences can be estimated, the damage itself is most often assessed using qualitative or semi-quantitative scales (e.g., low, medium, high impact) on a scorecard, as direct, objective quantification is notoriously difficult.

B. This option incorrectly includes reputational damage, which is primarily assessed qualitatively, while excluding financial gain, a quantifiable opportunity defined within modern risk frameworks.

C. This option incorrectly includes reputational damage for its qualitative nature and excludes loss of income, which is a fundamental and directly quantifiable financial risk.

1. ISO 31000:2018 - Risk management — Guidelines.

Clause 6.4.3 (Risk analysis): States that "Risk analysis can be undertaken with varying degrees of detail and complexity

depending on the purpose of the analysis

the availability and reliability of the information

and the resources available. Analysis techniques can be qualitative

quantitative or a combination of both." This supports the distinction between easily quantified risks (financial) and those often assessed qualitatively (reputational).

2. FERMA. (2003). A Risk Management Standard. Federation of European Risk Management Associations.

Section 4.3 (Risk Analysis): "The assessment of the significance of a risk will normally contain a combination of quantitative and qualitative analysis." This official standard acknowledges that different methods are used for different risks

corroborating that financial risks are quantified while others like reputational risk may be assessed qualitatively.

3. Power

M. (2009). The risk management of nothing. Accounting

Organizations and Society

34(6-7)

849-855.

Page 851: The paper discusses the significant challenges and "incoherence" in attempts to quantify non-financial risks like reputational risk

arguing they are fundamentally different from financial risks and often defy simple quantification. This academic source validates treating reputational damage differently from direct financial impacts. DOI: https://doi.org/10.1016/j.aos.2009.06.001

4. Fraser

J. R. S.

& Simkins

B. J. (2016). The challenges of and solutions for implementing enterprise risk management. Journal of Applied Corporate Finance

28(4)

64-73.

Page 68: This article discusses risk assessment techniques

noting that financial risks are typically modeled quantitatively

whereas strategic risks like reputational damage often rely on "qualitative assessments using scorecards and heat maps." This distinguishes the practical application of quantifying different risk types. DOI: https://doi.org/10.1111/jacf.12202

Scenario-based risk identification is a creative process that involves constructing plausible narratives about the future. This technique explores different pathways and sequences of events, which inherently involves "creating alternative ways" that an objective might be achieved or impacted. By imagining various future states, organizations can identify risks that may not be apparent when considering only a single, expected path. This forward-looking method is particularly useful for identifying risks associated with significant uncertainty and long-term strategic objectives.

B. Objectives-Based: This approach identifies risks by considering what might prevent the achievement of established objectives. It focuses on threats to a pre-defined plan, not on creating alternative ways to achieve the objective.

1. International Organization for Standardization (ISO). (2019). IEC 31010:2019

Risk management — Risk assessment techniques.

Section B.2.4 (Scenario analysis): This section describes scenario analysis as a technique used "to identify risks by considering a set of potential future events and exploring their potential consequences." It emphasizes the creative process of imagining future developments

which aligns directly with considering alternative ways events could unfold.

2. Aven

T. (2017). Risk Assessment and Risk Management: Review of Recent Advances on their Foundation. Published by the University of Stavanger

Norway.

Section 4.2 (The new risk assessment and management paradigm): Professor Aven discusses the importance of using scenarios to describe potential future developments and surprises. This supports the idea that scenario analysis is the tool for exploring alternative futures

rather than just analyzing a static plan.

3. Sadgrove

K. (2016). The Complete Guide to Business Risk Management (3rd ed.). Routledge. (Peer-reviewed academic publication).

Chapter 6

"Risk Assessment and Analysis": This chapter explains that scenario analysis helps managers "think creatively about the future" by developing a "range of possible scenarios." This process of developing a range of possibilities is synonymous with creating alternative ways to view the path to an objective.

The creation and deployment of a training program follow a structured lifecycle, often modeled by frameworks like ADDIE (Analysis, Design, Development, Implementation, Evaluation). The act of "validating the training curricula" signifies the completion of the Design and Development phases. Validation is the final quality assurance step where the training content and structure are formally approved. Once validated, the program moves into the Implementation phase. This phase involves the logistical and executional steps of scheduling the training sessions for the target audience and then conducting the actual delivery of the training.

A. develops training.

This is incorrect because the development of training materials and content must occur before the validation step. You validate what has already been developed.

B. develops and schedules training.

This is incorrect as the development phase precedes validation. While scheduling occurs after validation, the development part of this option is misplaced in the sequence.

C. matches training to audience.

This is incorrect because matching training to the audience's needs is a foundational activity performed during the initial Analysis and Design phases, well before the curriculum is ready for validation.

1. Instructional Design Model (ADDIE): University courseware widely references the ADDIE model

which outlines the standard sequence for creating training programs. The "Implementation" phase

which includes scheduling and conducting the training

follows the "Development" phase and its associated reviews or validations.

Source: Northern Illinois University

Faculty Development and Instructional Design Center. (n.d.). Instructional Design Models. Retrieved from https://www.niu.edu/facdev/resources/guide/instructionaldesign/instructionaldesignmodels.shtml. (This source describes the ADDIE model where Implementation (delivery) follows Design and Development).

2. Risk Management Implementation Framework: Guides for implementing risk management frameworks outline a similar logical progression for training components. The development of a training plan and its materials is followed by delivery.

Source: Manab

N. A.

Othman

S. N.

& Kassim

I. (2014). A framework for implementing ISO 31000:2009 in a manufacturing environment. Jurnal Teknologi

70(7)

pp. 117-123. In their proposed framework

the "Training and awareness program" component follows the sequence: 1) Identify training needs

2) Develop training module

3) Conduct training

4) Evaluate training effectiveness. The validation of the curricula is the final part of step 2

making step 3 the next action. (DOI: https://doi.org/10.11113/jt.v70.3579)

3. Enterprise Risk Management (ERM) Guidance: Professional guidance on ERM implementation confirms this sequence. After a training plan and its content are developed and approved

the next step is delivery.

Source: Association of Government Accountants (AGA). (2016). Enterprise Risk Management: A Guide for Government Professionals. Section: "Implement ERM

" Subsection: "Communicate and Provide Training

" p. 56. The guide states

"Once the [training] plan is developed

the next step is to deliver the training." Validating the curricula is the final step of development

making delivery (scheduling and conducting) the subsequent action.

The statement is correct. The ISO 31000:2018 standard is fundamentally built upon the concept of uncertainty. It explicitly defines risk as the "effect of uncertainty on objectives." This definition places uncertainty at the very core of risk, making it the primary driver and rationale for implementing a risk management framework. The entire purpose of the risk management process, as outlined in the standard, is to identify, analyze, evaluate, and treat the potential positive or negative deviations (effects) from what is expected, which arise from a state of incomplete knowledge or information (uncertainty).

The alternative, "False," is incorrect because it contradicts the foundational definition provided in Clause 3.1 of the ISO 31000:2018 standard. To claim that uncertainty is not the driver would be to ignore the explicit linkage the standard makes between "risk" and "uncertainty." While concepts like threats, hazards, or opportunities are inputs to the risk management process, they are all considered within the context of the uncertainty surrounding their potential impact on the organization's objectives.

1. International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management — Guidelines.

Clause 3.1

Terms and definitions: Defines risk as the "effect of uncertainty on objectives."

Note 2 to entry 3.1: Clarifies that "Uncertainty is the state

even partial

of deficiency of information related to

understanding or knowledge of

an event

its consequence

or likelihood." This directly establishes uncertainty as the basis for risk.

2. Leitch

M. (2010). ISO 31000:2009—The new international standard on risk management. Risk Analysis: An International Journal

30(6)

887-892.

Page 888: "The definition of risk as 'the effect of uncertainty on objectives' is arguably the most important sentence in the whole of ISO 31000. It is a clear statement that risk is not an object

but a consequence. It is also a clear statement that risk is related to uncertainty." This academic review emphasizes that the entire standard's philosophy is driven by this definition. (Note: While this refers to the 2009 version

the core definition and its centrality were maintained in the 2018 revision).

DOI: https://doi.org/10.1111/j.1539-6924.2010.01426.x

3. Purdy

G. (2010). ISO 31000:2009—Setting a new standard for risk management. Risk Analysis: An International Journal

30(6)

881-886.

Page 882: The author discusses the significance of the definition

stating

"The definition of risk as the 'effect of uncertainty on objectives' is a significant element of the standard... It moves the focus of risk management away from the 'risk' itself and toward the reasons why organizations should manage risk—to achieve their objectives." This highlights that managing the effects of uncertainty is the core rationale.

DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x

ISO 31000:2018 is a descriptive standard. It provides principles and generic guidelines for establishing, implementing, maintaining, and continually improving a risk management framework. The standard describes a recommended process but does not prescribe specific methods, tools, or mandatory requirements. This non-prescriptive nature allows organizations the flexibility to adapt the guidance to their specific objectives, context, and culture. The standard explicitly states it is not intended for certification purposes, which is a key characteristic of a descriptive guideline rather than a prescriptive, auditable standard.

B. prescriptive: The standard provides guidelines, not mandatory requirements for certification, making it non-prescriptive.

C. visionitive: This is not a recognized term used to classify management system standards and is an irrelevant distractor.

D. cursive: This term relates to a style of handwriting and has no relevance to risk management standards.

1. International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management — Guidelines.

Clause 1

Scope: "This document provides guidelines on managing risk faced by organizations... This document is not intended for certification purposes." The use of "guidelines" and the explicit exclusion of certification confirm its descriptive

non-prescriptive nature.

2. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis

30(6)

881-886. https://doi.org/10.1111/j.1539-6924.2010.01425.x

Page 882

Section 2: The author states

"ISO 31000 is a principles-based standard... It is a guideline

not a certification standard." This distinction is fundamental to understanding its descriptive character

a principle that was maintained in the 2018 revision.

3. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300. https://doi.org/10.1057/rm.2012.9

Page 275: The paper emphasizes that ISO 31000 "is based on a generic and descriptive approach... it does not prescribe a particular model of risk management but rather proposes a series of principles to be respected." This directly supports the answer.

In the ISO 31000:2018 standard, 'monitoring and review' is depicted as a continuous and integral activity that occurs concurrently with all other stages of the risk management process (e.g., establishing context, risk assessment, risk treatment). Its purpose is to assure and improve the quality and effectiveness of the process design, implementation, and outcomes. By systematically checking for changes, learning from events, and verifying the effectiveness of controls, it provides crucial information that is fed back into the process for decision-making and continual improvement. This iterative function is best described as a feedback loop, ensuring the risk management process remains dynamic and relevant.

A. It is not an "extra" or sequential stage but an integral, continuous activity that runs in parallel with all other process steps from start to finish.

C. It is a distinct activity that oversees the entire process, including risk assessment. Risk assessment is one of the components being monitored, not the other way around.

1. ISO 31000:2018(en)

Risk management — Guidelines.

Clause 6.6

"Monitoring and review

" states its purpose is to "assure and improve the quality and effectiveness of process design

implementation and outcomes."

Figure 4

"Risk management process

" visually represents 'Monitoring and review' as a vertical component that runs alongside all sequential steps

demonstrating its continuous and overarching nature

not as a final stage.

2. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis

30(6)

881-886. https://doi.org/10.1111/j.1539-6924.2010.01442.x

Page 884

Section "The Risk Management Process

" describes the process as dynamic and iterative. It highlights that monitoring and review "should be an integral part of the risk management process... providing the basis for decisions on improving the risk management process

" which defines the function of a feedback loop.

3. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300. https://doi.org/10.1057/rm.2012.9

Page 278

the article discusses the cyclical and iterative nature of the ISO 31000 process

where "monitoring and review" ensures that the risk management plan is updated

reinforcing its role as a mechanism for continuous feedback and adaptation.

A holistic approach to risk management considers the entire organization as a single, interconnected system. It moves beyond managing risks in isolated silos (e.g., finance, IT) to an integrated, enterprise-wide perspective. This view ensures that the interdependencies between risks, departments, and strategic objectives are understood and managed collectively. The principles of ISO 31000, particularly the emphasis on integration into all organizational activities and decision-making, directly support this holistic philosophy, which is the foundation of modern Enterprise Risk Management (ERM).

A. Cross-functional: This describes collaboration between departments, which is a component of a holistic approach but does not represent the entire organization-wide concept itself.

B. Comprehensive: While a holistic approach is comprehensive, this is a general adjective. "Holistic" is the specific term in risk management theory for an all-encompassing, organization-wide view.

C. Interrelational: This focuses specifically on the connections between different risks, which is an important analysis within a holistic framework but is not the name for the overall approach.

1. International Organization for Standardization (ISO). (2018). ISO 31000:2018 Risk management — Guidelines. Clause 4

Principles. The principle that risk management must be "Integrated" states it is "an integral part of all organizational activities

" which is the functional definition of a holistic

organization-wide approach.

2. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300. The article discusses how ISO 31000 promotes a "holistic and integrated vision of risk management" (p. 275) that must be embedded throughout the organization

contrasting it with fragmented

silo-based approaches.

3. Hopkin

P. (2018). Fundamentals of risk management: understanding

evaluating and implementing effective risk management (5th ed.). Kogan Page Publishers. Chapter 1

"Introduction to risk management

" describes the evolution of risk management towards an "enterprise or holistic approach" (Section: "Development of risk management")

which is supported by frameworks like ISO 31000.

The statement is correct. A risk treatment plan, as outlined in the ISO 31000 framework, is not a static, one-time document. It is a dynamic or "living" document that specifies how chosen risk treatment options will be implemented. Its primary functions are to define the strategic direction for risk mitigation and to serve as the baseline against which progress is continuously monitored. The iterative nature of the ISO 31000 risk management process, particularly the "Monitoring and Review" stage, requires the plan to be regularly revisited and updated to ensure its ongoing effectiveness and relevance.

Stating this is "False" would incorrectly imply that a risk treatment plan is created and then archived without further use. This contradicts the core principles of the ISO 31000 process, which emphasizes continuous monitoring, review, and improvement. The plan is fundamental to tracking the implementation and success of risk mitigation efforts, a process that is inherently ongoing.

1. ISO 31000:2018

Risk management — Guidelines

Clause 6.5.3

"Preparing and implementing risk treatment plans". This clause details that treatment plans should include

among other things

the proposed actions

resource requirements

responsibilities

timing

and the measures by which success will be evaluated. This establishes the plan as the basis for action and measurement.

2. ISO 31000:2018

Risk management — Guidelines

Clause 6.6

"Monitoring and review". This section explicitly states that a purpose of monitoring and review is to track "progress in implementing risk treatment plans." This confirms that the plan is actively used for monitoring

reinforcing its status as a living document.

3. Purdy

G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis

30(6)

881-886. In his analysis of the standard

Purdy emphasizes the iterative nature of the risk management process. He notes

"The risk management process is iterative... Monitoring and review should be a planned part of the risk management process... to ensure that controls are effective and efficient" (p. 884). This cyclical process of planning

implementing

and reviewing necessitates that the treatment plan be a dynamic tool rather than a static artifact. DOI: https://doi.org/10.1111/j.1539-6924.2010.01442.x

4. Lalonde

C.

& Boiral

O. (2012). Managing risks through ISO 31000: A critical analysis. Risk Management

14(4)

272-300. The authors discuss the practical application of the standard

highlighting that "the implementation of risk treatment plans must be monitored to ensure their effectiveness" (p. 280). This continuous monitoring function is what makes the plan a "living document" used to guide and adjust actions over time. DOI: https://doi.org/10.1057/rm.2012.9