The correct answer isA. Incident and audit reports. ISO 31000 distinguishes betweenrecords,documents, andprocedureswithin risk management. Records provide evidence that activities have been performed and capture outcomes of events, assessments, and reviews.
Incident reports and audit reports are classic examples ofrisk management recordsbecause they document what actually happened, what was discovered, and what actions were taken. These records support learning from events, monitoring trends, and improving controls and processes.
Option B refers to formal documents that define intent and planned actions, not records of events or outcomes. Option C includes a risk register, which may contain both records and working documents, but “risk assessment procedure” is a procedural document, not a record. Option D relates to strategic planning rather than risk management records.
From a PECB ISO 31000 Lead Risk Manager perspective, distinguishing records from policies and procedures is critical for effective documentation and governance. Therefore, the correct answer isincident and audit reports.
