4-Risk Management Flashcards

1
Q

Define risk management.

A

Risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives.

2
Q

List the five processes of risk management.

A
Identification of context
Risk identification
Risk assessment and prioritization (i.e., risk analysis)
Risk response
Risk monitoring
3
Q

What are the three levels at which risk identification should be performed?

A

Entity level
Division level
Business level

4
Q

Give examples of methods used for risk identification.

A
Event inventories
Questionnaires and surveys
Leading event indicators and escalation triggers
Facilitated workshops and interviews
Process flow analysis
Loss event data methodologies
Brainstorming
SWOT analysis
Scenario analysis
5
Q

List the three risk assessment processes.

A

Assessing the significance of an event
Assessing the event’s likelihood
Considering the means of managing the risk

6
Q

Give examples of qualitative and quantitative risk assessment methods.

A

Qualitative:
Risk listing
Risk ranking
Risk map (e.g., heat map, risk matrix)
Quantitative:
Probabilistic models

7
Q

List the four risk monitoring processes.

A

Tracking identified risks
Evaluating current risk response plans
Monitoring residual risks
Identifying new risks

8
Q

What are the risk management responsibilities of (1) the board, (2) management, and (3) the internal audit activity?

A

The board
Overseeing and determining that risk management processes are in place, adequate, and effective
Management
Ensuring that sound risk management processes are functioning
Internal audit activity
Assurance: Examining, evaluating, reporting, or recommending improvements
Consulting: Identifying, evaluating, and implementing risk management methods and controls

9
Q

_____________________ determine the internal audit activity’s role in risk management.

A

Senior management and the board

10
Q

Define (1) culture, (2) capabilities, and (3) practices in the context of Enterprise Risk Management.

A

Culture
The attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization
Capabilities
The skills needed to carry out the entity’s mission and vision
Practices
The collective methods used to manage risk

11
Q

Define (1) mission, (2) vision, and (3) core values in the context of the culture component of Enterprise Risk Management.

A

Mission
The organization’s core purpose
Vision
The organization’s aspirations for what it intends to achieve over time
Core values
The organization’s essential beliefs about what is acceptable or unacceptable

12
Q

Define (1) strategy and (2) business objectives in the context of Enterprise Risk Management.

A

Strategy
How the organization will achieve its mission and vision and apply its core values

Business objectives
Steps taken to achieve the strategy

13
Q

Define (1) risk inventory, (2) risk capacity, and (3) risk appetite in the context of Enterprise Risk Management.

A

Risk inventory
All identified risks that affect strategy and business objectives
Risk capacity
The maximum amount of risk the organization can assume
Risk appetite
The amount and types of risk the organization is willing to accept in pursuit of value

14
Q

When is value (1) created, (2) preserved, (3) realized, and (4) eroded?

A

Value is:
Created when the benefits obtained from the resources used exceed their costs.
Preserved when the value of resources used is sustained.
Realized when benefits are transferred to stakeholders.
Eroded when management’s strategy does not produce expected results or management does not perform day-to-day tasks.

15
Q

What are the responsibilities of (1) the board and (2) management regarding Enterprise Risk Management (ERM)?

A

The board
Oversight of ERM culture, capabilities, and practices
Management
Day-to-day managing of risk (the CEO has ultimate responsibility for ERM)

16
Q

What are the three lines in the Three Line Model?

A

First line
Principal owners of risk
Second line
Supporting (business-enabling) functions
Third line
Assurance function

17
Q

Categorize the five components of the COSO ERM framework into (1) the supporting aspect and (2) the common process.

A

Supporting aspect:
Governance and culture
Information, communication, and reporting
Common process:
Strategy and objective-setting
Performance
Review and revision

18
Q

What are the five principles of the Governance and Culture component of the COSO ERM framework?

A

The board exercises risk oversight.
The organization establishes operating structures.
The organization defines the desired culture.
The organization demonstrates commitment to core values.
The organization attracts, develops, and retains capable individuals.

19
Q

What are the four principles of the Strategy and Objective Setting component of the COSO ERM framework?

A

The organization analyzes business context and its effect on the risk profile.
The organization defines risk appetite.
The organization evaluates alternative strategies and their effects on the risk profile.
The organization establishes business objectives that align with and support strategy.

20
Q

List and define the three types of business contexts.

A

Dynamic
New, emerging, and changing risks can appear at any time
Complex
A context may have many interdependencies and interconnections
Unpredictable
Change occurs rapidly and in unanticipated ways

21
Q

What are the four criteria for business objectives?

A

Specific
Measurable
Observable
Obtainable

22
Q

What are the five principles of the Performance component of the COSO ERM framework?

A

The organization identifies risks that affect the performance of strategy and business objectives.
The organization assesses the severity of risk.
The organization prioritizes risks at all levels.
The organization identifies and selects risk responses, recognizing that risk may be managed but not eliminated.
The organization develops and evaluates its portfolio view of risk.

23
Q

What are the two measurements of the severity of risk?

A

Impact

Likelihood

24
Q

List the five categories of risk responses.

A
Acceptance (retention)
Avoidance
Pursuit
Reduction (mitigation)
Sharing (transfer)
25
Q

What are the four levels of risk views?

A
Risk view (minimal integration)
Risk category view (limited integration)
Risk profile view (partial integration)
Portfolio view (full integration)
26
Q

What are the three principles of the Review and Revision component of the COSO ERM framework?

A

The organization identifies and assesses changes that may substantially affect strategy and business objectives.
The organization reviews entity performance results and considers risk.
The organization pursues improvement of ERM.

27
Q

What are the three principles of the Information, Communication, and Reporting component of the COSO ERM framework?

A

The organization leverages its information systems to support ERM.
The organization uses communication channels to support ERM.
The organization reports on risk, culture, and performance at multiple levels and across the entity.

28
Q

Give examples of the limitations of ERM.

A
Faulty human judgment
Cost-benefit considerations
Simple errors or mistakes
Collusion
Management override of ERM practices
29
Q

List the eight principles of the ISO 31000 Risk Management Framework.

A
Integrated
Structured and comprehensive
Customized
Inclusive
Dynamic
Best available information
Human and cultural factors
Continual improvement
30
Q

List the six components of the ISO 31000 Risk Management Framework.

A
Leadership and commitment
Integration
Design
Implementation
Evaluation
Improvement
31
Q

List the six risk management processes in the ISO Risk Management Framework.

A
Communication and consultation
Scope, context, criteria
Risk assessment
Risk treatment
Monitoring and review
Recording and reporting
32
Q

What are the responsibilities of (1) the board, (2) management, and (3) the internal audit activity defined in the ISO 31000 Risk Management Framework?

A

The board
Overseeing risk management
Ensuring that risks are managed and the risk management system is effective
Management
Setting the organization’s risk attitude
Identifying and managing risks
Internal audit activity
Providing assurance regarding the entire risk management system

33
Q

The ISO Risk Management Framework describes what three approaches to providing assurance on the risk management process?

A

The key principles approach
The process element approach
The maturity model

34
Q

What are the five maturity levels defined by the capability maturity model (CMM)?

A

Level 1
Initial: Few processes are defined.
Level 2
Repeatable: Basic processes are established.
Level 3
Defined: Standards are developed.
Level 4
Managed: Performance measures are defined.
Level 5
Optimizing: Continuous improvement is enabled.

35
Q

What are the five maturity levels defined by the Capability Maturity Model Integration (CMMI) Development V2.0?

A

Level 0
Incomplete: Whether work can be completed is not known.
Level 1
Initial: Work can be completed, but not on time or within the budget.
Level 2
Managed: Projects are planned, implemented, managed, and monitored.
Level 3
Defined: Standards for projects are defined throughout the organization.
Level 4
Quantitatively managed: The organization quantifies performance improvement goals to meet stakeholder needs.
Level 5
Optimizing: The organization pursues continuous improvement, responds to change, and innovates.

36
Q

ERM is expected to manage risks effectively and to help create, preserve, and realize value when

A

The components, principles, and supporting controls are present and functioning.

37
Q

How is risk defined in the Glossary?

A

“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”

38
Q

What are the four broad categories of risk?

A

Strategic risks
Operational risks
Financial risks
Hazard risks

39
Q

What is risk capacity?

A

Risk capacity is the maximum amount of risk that an organization can tolerate without irreparably damaging the company.

40
Q

What is risk appetite?

A

Risk appetite is defined in the IIA Glossary as “the level of risk that an organization is willing to accept.”

Risk appetite is shaped by the expectations of stakeholders, regulatory and contractual requirements, and the influence of technology, capital, and human resources.

41
Q

What is risk tolerance?

A

Risk tolerance is the amount of variance in the returns from an activity that a company is willing to tolerate.

The higher the risk tolerance, the greater the range of outcomes a company is willing to accept.

42
Q

What are some factors that influence a company’s risk appetite?

A

Their position in the business-development cycle.
The viewpoints of the major stakeholders.
Accounting factors.
The opportunity for fraud.
Entity-level factors – the personnel, changes in the organization’s structure, and changes in key personnel.
External factors – changes in the economy, industry, or technology.
Governmental restrictions.

43
Q

What are the five steps in the risk management process?

A
Risk identification
Risk assessment
Risk prioritization
Response planning
Risk monitoring
44
Q

What are some event identification techniques?

A
Brainstorming sessions
Event inventories and loss event data
Interviews and self-assessment
Facilitated workshops
SWOT analysis
Risk questionnaires and risk surveys
Scenario analysis
Technology
45
Q

What is inherent risk?

A

SMA: ERMF defines inherent risk as “the level of risk that resides with an event or process prior to management taking a mitigation action.”
It is the amount of risk that occurs naturally in the activities of the company.
Management cannot do anything about the existence of inherent risk; however, it can take steps to address and, where appropriate, mitigate its effects.

46
Q

What is residual risk?

A

SMA: ERMF defines residual risk as: “The level of risk that remains after management has taken action to mitigate the risk.”

Inherent risk − Activities of management to mitigate/address the risk = Residual risk

47
Q

What two factors are used to assess the exposure to risk?

A

Loss frequency or probability

Loss severity

48
Q

What is a risk map?

A

A visual depiction of relative risks based on their expected frequency and expected loss.

49
Q

What are the four measures of potential loss?

A

Expected loss
Unexpected loss
Maximum probable loss
Maximum possible loss (also called extreme or catastrophic loss)

50
Q

What is the expected loss?

A

The amount that management expects to lose to a given risk per year on average over a period of several years. Because the loss is expected, it should be included in the budget.

51
Q

What is the unexpected loss?

A

The amount that could likely be lost to the risk event in a very bad year, in excess of the amount budgeted for the expected loss, up to the maximum probable loss. The business should reserve the unexpected loss amount as capital.

52
Q

What is the maximum probable loss?

A

The largest loss that can occur under foreseeable circumstances. Damage greater than the maximum probable loss could occur, but, in the judgment of management, it is very unlikely to occur.

53
Q

What is the maximum possible loss?

A

The worst-case scenario. It represents the greatest possible loss from a specific risk or event.

54
Q

What are the five responses to risk?

A
Avoiding or eliminating the risk
Reducing or mitigating the risk
Transferring or sharing the risk
Retaining the risk
Exploiting or accepting the risk
55
Q

What is Enterprise Risk Management?

A

“[Enterprise risk management] is the culture, capabilities, and practices that organizations integrate with strategy-setting and apply when they carry out that strategy, with a purpose of managing risk in creating, preserving, and realizing value.”

Definition from COSO

56
Q

What are the five components of the COSO ERM Framework?

A
Governance and culture
Strategy and objective-setting
Performance
Review and revision
Information, communication, and reporting
57
Q

What are the principles of the “governance and culture” component of ERM?

A
Exercises board risk oversight. 
Establishes operating structures. 
Defines desired culture. 
Demonstrates commitment to core values. 
Attracts, develops, and retains capable individuals.
58
Q

What are the principles of the “strategy and objective setting” component of ERM?

A

Analyzes business context
Defines risk appetite
Evaluates alternative strategies
Formulates business objectives

59
Q

What are the principles of the “performance” component of ERM?

A
Identifies risk
Assesses severity of risk
Prioritizes risks
Implements risk responses
Develops portfolio view
60
Q

What are the principles of the “review and revision” component of ERM?

A

Assesses substantial change
Reviews risk and performance
Pursues improvement in enterprise risk management

61
Q

What are the principles of the “information, communication and reporting” component of ERM?

A

Leverages information systems
Communicates risk information
Reports on risk, culture, and performance

62
Q

What are the three areas of principles and guidance in ISO 31000?

A

Principles. The interrelated values that are foundational to the risk-management process.
Framework. The ways in which the risk-management plan should be integrated into “significant activities and functions.”
Process. A step-by-step list of procedures to design and execute risk management.

63
Q

What are the eight principles that ISO 31000 sets forth to guide risk-management procedures?

A
Integrated
Structured and comprehensive
Customized
Inclusive
Dynamic
Best available information
Human and cultural factors
Continual improvement
64
Q

What are the six steps of the risk-management process in ISO 31000?

A
Communication and consultation
Scope, context, and criteria
Risk assessment
Risk treatment
Monitoring and review
Recording and reporting
65
Q

What is the role of the IAA in the risk-management process?

A

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
Standard 2120

66
Q

What must an assessment of the risk-management process address?

A

The internal auditor must be satisfied that the organization’s risk management processes address the following:
Risks that arise from business strategies and activities are identified and prioritized.
Management and the board set the level of risk acceptable to the organization (assess risk appetite).
Risk mitigation or reduction activities are designed and implemented to reduce or otherwise manage risk at acceptable levels.
Risks are periodically reassessed on an ongoing basis.
Reports are given periodically to the board and management on the risk assessment process.

67
Q

How is evidence for risk-management assessments gathered?

A

Evidence to support the risk assessment is usually obtained from engagements throughout the year.

Because there is no formula to follow, the successful assessment of risk often rests with the professional judgment and experience of the internal auditors and the CAE.

68
Q

What should the IAA do when there is no risk-management process?

A

The CAE must convince the board and senior management to establish one, even if it is just an informal set of procedures.

69
Q

In what three areas should the IAA provide assurance about the effectiveness of risk management?

A

The design and implementation of the risk management processes.
Identification of key risks and the effectiveness of their controls.
Assessment and reporting of risk and controls.

70
Q

What are consulting engagements connected to risk management that are core roles of the IAA?

A

Giving assurance on the risk management process
Giving assurance that risks are correctly evaluated
Evaluating risk management processes
Evaluating the reporting of key risks
Reviewing the management of key risks

71
Q

What are consulting engagements connected to risk management that are legitimate roles of the IAA?

A

Facilitating identification and evaluating risks
Coaching management in responding to risks
Coordinating ERM activities
Consolidated reporting on risks
Maintaining and developing the ERM framework
Championing the establishment of ERM
Developing the ERM strategy for board approval

72
Q

What are consulting engagements connected to risk management that the IAA should not undertake?

A
Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing responses on management’s behalf
Accountability for risk management
73
Q

How does the IIA Glossary define control?

A

“Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.”

74
Q

Internal control provides reasonable assurance about the achievement of objectives in what three areas?

A

Operations
Reporting
Compliance

75
Q

What are five types of controls?

A
Directive
Preventive
Detective
Corrective
Compensating
76
Q

What are the three timings of controls?

A

Feedforward controls
Concurrent controls
Feedback controls

77
Q

What are characteristics of effective controls?

A
Economical
Meaningful
Appropriate
Congruent
Timely
Simple
Operational
78
Q

What are the limitations of internal controls?

A

Internal controls can provide only reasonable assurance that objectives can be achieved. Internal controls should never be promoted as a guarantee.
Human error, faulty judgment, collusion, and fraud can all limit the effectiveness of controls.
Excessive or unreasonable controls can increase bureaucracy and reduce productivity. Controls must be evaluated in terms of their cost and benefit to avoid wasting resources.

79
Q

Who is responsible for internal controls?

A

The board of directors oversees the control system.
The CEO is responsible for the “tone at the top.”
Senior managers delegate responsibility for establishing specific internal control policies and procedures.
Financial officers and their staffs are central to the exercise of control.
Internal auditors play a monitoring role.
Virtually all employees are involved in internal control.
External parties such as independent auditors often provide information useful to effective internal control.

80
Q

What are the three main elements of the control process?

A

Setting the objectives.
Measuring performance against a standard.
Evaluating the results, then correcting or regulating the performance.

81
Q

What are input controls in an automated control system?

A
Edit checks
Key verifications
Redundancy checks
Echo checks
Completeness checks
82
Q

What are processing controls in an automated control system?

A
Posting checks
Cross-footing
Zero balance checks
Run-to-run control totals
Internal header and trailer labels
Concurrency controls
Key integrity checks
83
Q

What are output controls in an automated control system?

A

Output distribution controls
Output retention controls
Forms controls
Error logs

84
Q

What four duties should always be segregated?

A

1) Authorizing a transaction.
2) Recording the transaction, preparing source documents, and maintaining journals.
3) Keeping physical custody of the related asset. For example, receiving checks in the mail.
4) The periodic reconciliation of the physical assets to the recorded amounts for those assets.

85
Q

What is collusion?

A

Collusion is when two or more people work together to get around the controls that are in place.

86
Q

What are the five components of internal control?

A
Control environment
Risk assessment
Control activities
Information and communication
Monitoring activities
87
Q

What is the control environment in the COSO Model?

A

The control environment sets the tone for the organization, influencing the control consciousness of its people. The control environment is the foundation for the other components of internal control.

88
Q

What is risk assessment in the COSO Model?

A

Risk assessment is the identification and analysis of relevant risks to the achievement of objectives and forms a basis for how risks should be managed.

89
Q

What are control activities in the COSO Model?

A

Control activities ensure that management directives are carried out. These policies and procedures also outline the necessary steps to address risks to the organization’s objectives.

90
Q

What is information and communication in the COSO Model?

A

These are the systems or processes that support the identification, capture, and exchange of information in a form and time frame that enable people to carry out their responsibilities.

91
Q

What is monitoring in the COSO Model?

A

These are processes used to assess the quality of internal control performance over time. This objective is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.

92
Q

What are the five principles of the control environment under the COSO Model?

A

The organization demonstrates a commitment to integrity and ethical values.
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

93
Q

What are the four principles of risk assessment under the COSO Model?

A

The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
The organization identifies and assesses changes that could significantly impact the system of internal control.

94
Q

What are the three principles of the control activities under the COSO Model?

A

The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
The organization selects and develops general control activities over technology to support the achievement of objectives.
The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

95
Q

What are the three principles of information and communication under the COSO Model?

A

The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
The organization communicates with external parties regarding matters affecting the functioning of internal control.

96
Q

What are the two principles of monitoring activities under the COSO Model?

A

The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

97
Q

What type of controls do both COSO and CoCo emphasize?

A

Soft controls, which emphasize ideas and expectations (for example, shared values, expectations, commitment, competence, and trust) rather than specific tasks (for example, policies and procedures).

98
Q

What are the key tenets of the Turnbull Report?

A

Board’s responsibility for internal controls
Management’s responsibility for internal controls
Employees’ responsibility for internal controls
Adopting a risk-based approach
Ongoing monitoring of risks and controls

99
Q

What is the role of the IAA in the company’s control system?

A

The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
Standard 2130

100
Q

What are the steps in the evaluation of the effectiveness of controls?

A

Identify objectives and any associated risks.
Determine the significance of any risks.
Make note of the responses to these risks.
Identify the “key controls.”
Assess how well a given control is designed.
Test the control to ascertain the effectiveness of the design.

101
Q

What three criteria can help the IAA measure the effectiveness of a specific control?

A

The level of control must be “appropriate for the risk it addresses.” For example, petty cash does not need as many controls as cash received from customers.
The costs of the control must not exceed the benefits it provides. For example, the office supply cabinet does not need 24/7 surveillance and a biometric scanner for access, but a server room certainly would.
No control should “create significant business concerns.” For example, regardless of how efficiently a control manages a particular risk, if the control breaks the law, it puts the company in significant legal jeopardy.