Chapter 10: Risk Mitigation

Question 1

What is the definition of “Risk Mitigation”?

Answer 1

• Risk mitigation involves implementing measures to reduce the likelihood and impact of identified risks.

Question 2

What is “Avoidance”, in relation to risk mitigation strategies?

Give an example.

Answer 2

Eliminating activities or condiions that expose the organisation to risk e.g. Avoiding high risk investments

Question 3

What is “Reduction”, in relation to risk mitigation strategies?

Give an example.

Answer 3

Implementing controls to reduce the liklehood or impact of risk e.g. enhancing cybersecurity measures

Question 4

What is “Sharing”, in relation to risk mitigation strategies?

Give an example.

Answer 4

Transferring or sharing risk with other parties e.g. bying an insurance contract.

Question 5

What is “Acceptance”, in relation to risk mitigation strategies?

Give an example.

Answer 5

Acknowledging the risk and chosing to go ahead without preventative measures e.g. putting aside recovery funds

Question 6

What is the aim of a “Preventative Control”?

Give and example.

Answer 6

Aims to reduce the likelihood of an event happening.

e.g. Car seat belts, segregation of duties

Question 7

What is the aim of “Detective Control”?

Give an example.

Answer 7

Aims to detect events during, or just after they occur.

e.g. Smoke alarms or file reconcilliation.

Question 8

What is the purpose of “Directive Controls”?

What do they cover?

Answer 8

Directive controls cover all the required actions and rules to execute a process: policies and procedures, training and guidance, governance structure, roles and responsibilities

Question 9

What is the aim of “Corrective Controls”?

Give an example.

Answer 9

Aims to mitigate the impact after an event.

e.g. Redundancies, backups, crisis communication strategies

Question 10

What are the 4 forms of Control Testing?

When are each of these procedures typically used?

Answer 10

• Self-certification/inquiry: Interview with control owner; used for low-risk or secondary controls due to limited evidence.
• Examination: Review of documentation; offers moderate assurance, ideal for automated controls.
• Observation: Real-time oversight of control execution; assesses design and effectiveness of key controls.
• Reperformance: Replicates control processes on sample transactions; provides highest assurance, recommended for high-risk environments.

Question 11

What are “Optimistic Controls”?

What does these rely on? Give an example.

Answer 11

Rely on exceptional ability or motivation, often becoming superficial “tick-box” tasks.

e.g. Lat minute sign offs on large document volumes.

Question 12

What are “Duplicative Controls”?

Known as the “Four……….”, what can this lead to?

Answer 12

Commonly known as the “four eyes” check, where more than one person review the same information. This dilutes accountability, reducing focus. Works most effectively when involving people from different roles/functions.

Question 13

What is meant by “more of the same” in respect of controls?

What can this do?

Answer 13

Adding more controls of the same design after a failure, which can often worsen the issue.

Question 14

What is meant by a “slip” in realtion to human error?

What are some solutions?

Answer 14

Involuntary errors due to distraction, inattention, or poor work envirnments

improving workspaces, reducing noise, and clarifying responsibilities.

Question 15

What are the 2 forms of “Mistake”?

Answer 15

• Rule-based Mistakes: Caused by flawed or conflicting rules
• Knowledge-based Mistakes: Results from unfarmiliartity or lack of training.

Question 16

What is a “Violation”?

How are these mitigated, FOS?

Answer 16

Deliberate disregard for rules. Mitigated by supervision and strong organisational culture.

Question 17

Conceptually, what is Human Error a symptom of?

What causes it?

Answer 17

Problems with proceses, not personal incompetence.

Question 18

What are the benefits of “effective risk mitigation”?

5 points

Answer 18

• Reduced Risk Exposure
• Enhanced Resilience
• Regulatory Compliance
• Increased Stakeholder Confidence
• Operational Continuity

Question 19

What are some methods for “Prevention by Design”?

5 points

Answer 19

• Process Redesign: Improve reliability of actions.
• Checklists: Ensure all steps are followed.
• Strong Communication Protocols: Facilitate clear andconsistent communication.
• Standardization: Uniform procedures to reduce variability.
• Better Work Environments: Enhance overall operational efficiency

Question 20

What are the 2 main considerations when transferring risk?

What cannot be outsourced?

Answer 20

• Cost vs Risk Reduction
• Reputation risk cannot be outsourced