Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

PECB Exam ISO-22301-Lead-Auditor Topic 2 Question 43 Discussion

Actual exam question for PECB's ISO 22301 Lead Auditor exam
Question #: 43
Topic #: 2
[All ISO 22301 Lead Auditor Questions]

The purpose of risk management for business continuity is to find out what problems an organization may face.

How should the level of risk for an organization be determined?

Show Suggested Answer Hide Answer
Suggested Answer: A

According to ISO 22301:2019, Clause 6.1.2, the organization must establish, implement, and maintain a documented process to manage risks related to the continuity of its critical functions and the achievement of its business continuity objectives. The risk management process should include the identification, analysis, and evaluation of the risks that may cause disruption to the organization's operations, products, and services. The level of risk for an organization should be determined by combining the consequence and likelihood of the events that may lead to disruption, as well as the organization's risk criteria, risk appetite, and risk tolerance. The consequence of an event is the impact or effect that it may have on the organization's objectives, reputation, stakeholders, and resources. The likelihood of an event is the probability or frequency that it may occur, based on historical data, statistical analysis, expert judgment, or other methods. The organization should use appropriate tools and techniques to assess the level of risk, such as risk matrices, risk registers, risk maps, or risk software. The organization should also document the results of the risk assessment and communicate them to relevant interested parties. The purpose of risk management for business continuity is to find out what problems an organization may face, and to take appropriate actions to prevent, mitigate, or transfer the risks, or to accept them if they are within the organization's risk criteria.Reference: ISO 22301:2019, Clause 6.1.2; ISO 22301 Auditing eBook, Chapter 4.2.2.


Contribute your Thoughts:

Annabelle
1 months ago
I think profitability and analysis of events should also be taken into account to assess the risk for an organization.
upvoted 0 times
...
Adell
1 months ago
A is the clear winner here. Gotta love that good old-fashioned risk = consequence x likelihood formula!
upvoted 0 times
Tawna
4 days ago
It's a classic method for assessing risk in organizations.
upvoted 0 times
...
Derrick
14 days ago
A) Combining consequence and likelihood of events
upvoted 0 times
...
Penney
28 days ago
Definitely, that formula is key for determining the level of risk.
upvoted 0 times
...
Mariann
29 days ago
A) Combining consequence and likelihood of events
upvoted 0 times
...
...
Luis
1 months ago
I believe combining acceptable and tolerable events is also crucial in determining the level of risk.
upvoted 0 times
...
Stephane
1 months ago
I agree with Dan. It's important to consider both the impact and the probability of risks.
upvoted 0 times
...
Ronald
1 months ago
Haha, C is just a mess. Acceptable and tolerable events? Sounds like a vacation planning questionnaire, not a risk assessment.
upvoted 0 times
Florinda
26 days ago
User 2
upvoted 0 times
...
Tomoko
29 days ago
User 1
upvoted 0 times
...
...
Dan
1 months ago
I think the level of risk should be determined by combining consequence and likelihood of events.
upvoted 0 times
...
Lorita
2 months ago
D is a bit of a stretch. Profitability and analysis? I'm pretty sure that's not the core purpose of risk management.
upvoted 0 times
Mollie
1 months ago
B) Combining importance and acceptance of events
upvoted 0 times
...
Mollie
1 months ago
A) Combining consequence and likelihood of events
upvoted 0 times
...
...
Virgie
2 months ago
B is just plain wrong. Importance and acceptance? What does that even mean in the context of risk management?
upvoted 0 times
...
Janine
2 months ago
Combining consequence and likelihood of events is the way to go. Risk management is all about identifying potential issues and their impacts.
upvoted 0 times
Chi
26 days ago
B) Combining importance and acceptance of events
upvoted 0 times
...
Stephania
29 days ago
That's right, by considering both the consequences and the likelihood of events, we can determine the level of risk for an organization.
upvoted 0 times
...
Pete
2 months ago
A) Combining consequence and likelihood of events
upvoted 0 times
...
...

Save Cancel