Question 13 - ISC2 CISSP-ISSEP Real Exam Questions [Jan 2026 Update]

Q: 13

There are seven risk responses for any project. Which one of the following is a valid risk response for a negative risk event

Options

Correct Answer:

Explanation

Risk response strategies are tailored to whether the risk is negative (a threat) or positive (an opportunity). For negative risks, the primary responses are to avoid, transfer, mitigate, or accept the risk. Acceptance is a valid strategy where an organization decides to acknowledge a risk and not take any action unless the risk occurs, having concluded that the cost of other responses outweighs the potential loss. The other options listed—Enhance, Share, and Exploit—are strategies for responding to positive risks (opportunities), not negative ones.

Why Incorrect

B. Enhance: This response is used for positive risks (opportunities) to increase the probability and/or impact of the event occurring.

C. Share: This is a strategy for positive risks, involving allocating ownership to a third party best able to capture the opportunity's benefit. The counterpart for negative risks is "Transfer."

D. Exploit: This strategy is for positive risks and involves taking actions to ensure that the opportunity is fully realized.

References

1. NIST Special Publication 800-30 Revision 1

Guide for Conducting Risk Assessments. Section 3.3

"Risk Response

" page 29

identifies "Risk acceptance" as a fundamental response strategy. It states

"The appropriate level of management can formally accept the risk and

in doing so

agrees to incur the costs associated with the potential materialization of the risk."

2. Project Management Institute (PMI)

A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition. Section 11.5.2.4

"Strategies for Negative Risks or Threats

" lists Avoid

Transfer

Mitigate

and Accept. Section 11.5.2.5

"Strategies for Positive Risks or Opportunities

" lists Exploit

Enhance

and Accept. This framework is a foundational element of risk management taught in university-level project and engineering management courses.

3. University of Maryland

Project Management Center for Excellence

Course: ENCE627 - Risk Management. The course syllabus and materials outline risk response planning

explicitly differentiating strategies for threats (Avoid

Transfer

Mitigate

Accept) from those for opportunities (Exploit

Enhance

Accept)

confirming the distinct application of these terms.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE