Exam ISO-31000-Lead-Risk-Manager Topic 3 Question 70 Discussion

Actual exam question for PECB's ISO-31000-Lead-Risk-Manager exam
Question #: 70
Topic #: 3
Scenario 5:
Crestview University is a well-known academic institution that recently launched a digital learning platform to support remote education. The platform integrates video lectures, interactive assessments, and student data management. After initial deployment, the risk management team identified several key risks, including unauthorized access to research data, system outages, and data privacy concerns.
To address these, the team discussed multiple risk treatment options. They considered limiting the platform's functionality, but this conflicted with the university's goals. Instead, they chose to partner with a reputable cybersecurity firm and purchase cyber insurance. They also planned to reduce the likelihood of system outages by upgrading server capacity and implementing redundant systems. Some risks, such as occasional minor software glitches, were retained after careful evaluation because they did not significantly affect Crestview's operations.
Once the treatment options were selected, Crestview's risk management team developed a detailed risk treatment plan. They prioritized actions based on which processes carried the highest risk, ensuring cybersecurity measures were addressed first.
Based on the scenario above, answer the following question:
In Scenario 5, Crestview University focused on the highest-risk areas first when developing the risk treatment plan. Is this acceptable?

Suggested Answer: C Vote an answer

The correct answer is C. Yes, actions in the risk treatment plan should be prioritized based on processes carrying the highest level of risk. ISO 31000:2018 explicitly supports a risk-based approach to treatment planning, where resources and actions are prioritized according to the significance of risks.
Risk treatment planning aims to allocate resources efficiently and effectively. Addressing the highest-risk areas first ensures that the most significant threats to objectives are reduced as a priority. This is particularly important when resources such as time, budget, and expertise are limited, which is a common organizational reality.
Option A is incorrect because treating all risks simultaneously is often impractical and may dilute focus on critical risks. Option B contradicts ISO 31000's emphasis on proportionality and value protection. Option D is incorrect, as prioritization is a core principle of effective risk management.
From a PECB ISO 31000 Lead Risk Manager perspective, prioritizing risk treatments based on risk level supports informed decision-making, resilience, and protection of value. Therefore, the correct answer is yes, actions should be prioritized based on the highest level of risk.

by Nicholas at May 22, 2026, 11:02 AM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10