1. Right Answer: D
Explanation: In a blame culture, business units tend to point the finger at IT when projects are not delivered on time or do not meet expectations. In doing so, they fail to realize how the business unit's involvement up front affects project success. In extreme cases, the business unit may assign blame for a failure to meet the expectations that the unit never clearly communicated.Incorrect Answers:A, B, C: These are not relevant to the pointing of finger at IT when projects are not delivered on time.

2. Right Answer: D
Explanation: Cause-and-effect analysis involves the use of predictive or diagnostic analytical tool for exploring the root causes or factors that contribute to positive or negative effects or outcomes. These tools also help in identifying potential risk.Incorrect Answers:A: This analysis is not a method for exposing risk factors. It is used for analyzing scenarios.B: Sensitivity analysis is the quantitative risk analysis technique that: Assist in determination of risk factors that have the most potential impact Examines the extent to which the uncertainty of each element affects the object under consideration when all other uncertain elements are held at their baseline valuesC: Fault tree analysis (FIA) is a technique that provides a systematic description of the combination of possible occurrences in a system, which can result in an undesirable outcome. It combines hardware failures and human failures.

3. Right Answer: B
Explanation: Sammy She certainly can create an assessment for a risk event for time cost, and scope. It is probable that a risk event may have an effect on just one or more objectives so an assessment of the objective is acceptable.Incorrect Answers:A: Just because Sammy is the project manager, it is not necessary that she is right.C: Harry is incorrect as there are multiple approaches to risk assessment for a projectD: Harry's reasoning is flawed as each objective can be reviewed for the risk's impact rather than the total project.

4. Right Answer: A
Explanation: Key Risk Indicators are the prime monitoring indicators of the enterprise. KRIs are highly relevant and possess a high probability of predicting or indicating important risk. KRIs help in avoiding excessively large number of risk indicators to manage and report that a large enterprise may have.Incorrect Answers:B: Lag indicators are the risk indicators that is used to indicate risk after events have occurred.C: Lead indicators are the risk indicators that is used to indicate which capabilities are in place to prevent events from occurring.D: Risk indicators are metrics used to indicate risk thresholds, i.e., it gives indication when a risk level is approaching a high or unacceptable level of risk. The main objective of a risk indicator is to ensure tracking and reporting mechanisms that alert staff about the potential risks.

5. Right Answer: D
Explanation: Threats and vulnerabilities change over time and KRI maintenance ensures that KRIs continue to effectively capture these changes.The risk environment is highly dynamic as the enterprise's internal and external environments are constantly changing. Therefore, the set of KRIs needs to be changed over time, so that they can capture the changes in threat and vulnerability.Incorrect Answers:A: Risk avoidance is one possible risk response. Risk responses are based on KRI reporting, but is not the reason for maintenance of KRIs.B: While most key risk indicator (KRI) metrics need to be optimized in respect to their sensitivity, the most important objective of KRI maintenance is to ensure thatKRIs continue to effectively capture the changes in threats and vulnerabilities over time. Hence the most important reason is that because of change of threat and vulnerability overtime.C: Risk reporting timeliness is a business requirement, but is not a reason for KRI maintenance.