Chapter 3: Domain Three: Risk Management Flashcards

1
Q

All-Hazards Approach

A

Looks not only at high-consequence, low-probability events (terrorism, extreme natural disasters), but also lower-consequence, high-probability events (power outages, cyberattacks).

2
Q

Asset

A

Anything that has tangible or intangible value to the organization.

NOTE 1: Tangible assets include human, physical, and environmental assets.

NOTE 2: Intangible assets include information, intellectual property, brand, and reputation.

3
Q

Audit

A

Systematic, independent, objective, and documented process for obtaining, examining, verifying, and evaluating information relative to a set of criteria.

4
Q

Business Continuity

A

A comprehensive, managed effort to prioritize key business processes and identify significant threats to normal operations. It also includes planning mitigation strategies to ensure effective and efficient organizational responses to the challenges that surface during and after a crisis.

5
Q

Business Impact Analysis

A

(BIA) Provides a structured approach to gaining information about the critical activities, functions, and processes of the organization and the associated resources necessary for an organization to mitigate the impacts of undesirable and disruptive events.

6
Q

Capability Analysis

A

Process of evaluating the competence, aptitude, and experience of people and the organization; the suitability of technology; and the application of processes for particular purposes to determine whether or not the expected output will fall within an acceptable range.

7
Q

Client

A

Organization or person that receives a product or service.

NOTE 1: Examples include consumers, contractors, end users, retailers, beneficiaries, and purchasers.

NOTE 2: A client can be internal or external to the organization.

8
Q

Community

A

A group of associated organizations and people sharing common interests.

9
Q

Competence

A

Demonstrable ability to apply knowledge and skills to achieve intended results.

10
Q

Conformity

A

Compliance with a requirement.

11
Q

Consequence

A

Results or effect of an action, condition, or decision.

NOTE 1: Uncertainties interact and may result in singular or multiple consequences with a potential for positive or negative effects on objectives.

NOTE 2: Consequences should consider both tangible and intangible factors and can be expressed qualitatively or quantitatively, or both.

NOTE 3: Consequences may be cascading effects.

12
Q

Consultation

A

Ongoing, iterative, and two-way processes for the exchange of information with and between stakeholders and decision makers regarding the management of risk.

NOTE 1: Information may relate to the context of the organization, the risks and their assessment, and the selection and evaluation of risk treatment options.

NOTE 2: Communication and consultation inform the decision-making process but do not imply joint decision making.

13
Q

Continual Improvement

A

Ongoing processes to improve products, services, and management practices to enhance the ability to fulfill requirements.

NOTE: Changes may be incremental or comprehensive.

14
Q

Corrective Action

A

An action made to rectify the causes of a detected nonconformity or other undesirable circumstances.

NOTE 1: There can be more than one cause for a nonconformity.

NOTE 2: Corrective action is taken to prevent recurrence, whereas preventive action is taken to prevent occurrence.

15
Q

Critical Control Point

A

(CCP) A point, step, or process at which controls can be applied to modify risk.

NOTE 1: A threat or hazard can be prevented, eliminated, or reduced to targeted levels.

NOTE 2: A point at which opportunity can be leveraged.

16
Q

Criticality

A

Of essential importance with respect to objectives and outcomes. (ANSI/ASIS SPC.1-2009)

17
Q

Criticality Analysis

A

A process designed to systematically identify, evaluate, and rank positive and negative impacts on an organization’s stakeholders, assets, services, and activities, based on the importance of its mission or function or the significance of risks on the organization’s ability to meet its objectives and expectations.

NOTE: Determines which qualities or degrees of risk are of the highest importance for successful execution of an organization’s objectives or which might represent a decisive turning point in the execution of strategy.

18
Q

Derivative Criticality

A

Indicates the indirect consequences of a risk event and how the resultant consequences indirectly related to the asset, activity, or function will affect the organization achieving its objectives.

19
Q

Disruptive Event

A

An event that interrupts planned activities, operations, or functions, whether anticipated or unanticipated.

20
Q

Document

A

Information and supporting medium in any format.

21
Q

Effectiveness

A

Extent to which planned activities accomplish a purpose, thereby producing the intended or expected outcomes.

22
Q

Error Analysis

A

Considers the kind and quantity of error that may occur in a risk assessment.

23
Q

Event

A

Change occurring in an interval of time with the potential to alter outcomes.

NOTE 1: Likelihood and consequence of an event may be predictable using qualitative or quantitative measures.

NOTE 2: An event may be due to singular or multiple causes and may have more than one occurrence.

NOTE 3: The nonoccurrence of an anticipated change is also an event.

NOTE 4: An event is not a risk; rather, it is the uncertainty in the outcomes that creates risk.

24
Q

External Threat

A

Can include theft/burglary, vandalism, and assault.

25
Q

Gap Analysis

A

Technique that can be used to determine what steps might need to be taken to improve the organization’s capacity to conduct a risk assessment and to move from a current state to a desired future state. Also referred to as need-gap analysis, needs analysis, and needs assessment, gap analysis seeks to answer the questions “where are we?” (the current state) and “where do we want to be?” (the future state). The gap analysis includes an evaluation of the suitability of the current process for assessing risk and whether it is sufficient to manage risks. Gap analysis can also be used within the individual risk assessment.

26
Q

Holistic Approach

A

Should include a prevention plan, an all-hazards emergency operations plan (EOP), a mitigation plan, a recovery plan, and a continuity-of-operations plan (COOP).

27
Q

Impact

A

The positive or negative effect on someone or something (see consequence).

28
Q

Impact Analysis

A

Process that identifies and evaluates the potential effects of change upon an organization. This may include an assessment of the pros and cons of pursuing a course of action in light of its possible consequences or the extent and nature of further change (intended or unintended) that such change may cause.

29
Q

Incident

A

An event that has the capacity to lead to human, intangible, or physical loss or a disruption of an organization’s operations, services, or function. If not managed, an incident can escalate into an emergency, crisis, or disaster.

30
Q

Integrity

A

Assuring the soundness, reliability, and completeness of tangible and intangible assets.

31
Q

Intrinsic Criticality

A

Indicates the direct value of the asset, activity, or function in achieving the objectives of the organization.

32
Q

Likelihood

A

Chance or probability that something will happen.

33
Q

Management System

A

Framework of policies, processes, and procedures used to ensure that an organization can fulfill all tasks required to achieve its objectives.

NOTE: Management systems are used by organizations to establish their policies, objectives, and targets; determine and allocate resources; define roles and authorities; implement procedures; and evaluate performance to achieve desired outcomes and objectives.

34
Q

Monitoring

A

Ongoing scrutiny, oversight, evaluation, and situational awareness for determining the current status of performance and to identify changes in the internal and external environments.

35
Q

Nonconformity

A

Failure to fulfill a requirement.

36
Q

Opportunity Analysis

A

Process of identifying uncertainties that may be exploited and analyzing the organization’s capability and readiness to exploit them. The process may include identifying unmet or underserved customer/client needs, identifying target markets, analyzing competitive advantages, and analyzing the organization’s resource capacity to undertake an opportunity.

37
Q

Organization

A

Group of people and facilities with an arrangement of responsibilities, authorities, and relationships.

NOTE: An organization can be a government or public entity, company, corporation, firm, enterprise, institution, charity, sole trader, association, or parts or combinations thereof.

38
Q

Organizational Resilience

A

The adaptive capacity of an organization in a complex and changing environment.

39
Q

Planning

A

Part of a management process focused on setting objectives, projecting risks to these objectives, and ensuring resources and systems are in place to ensure objectives are achieved.

40
Q

Prevention

A

Measures that enable an organization to avoid, preclude, or limit the impact of an undesired or potentially disruptive event.

41
Q

Preventive action

A

Proactive change or improvement implemented to address a weakness that is not yet responsible for causing nonconformity.

NOTE 1: A potential nonconformity may have one or more root causes.

NOTE 2: Preventive action is taken to avoid occurrence, whereas corrective action is taken to rectify a problem and prevent recurrence.

42
Q

Procedure

A

An established or specified way to conduct an activity or a process.

43
Q

Random Error

A

Inaccuracies that fluctuate from one measurement to the next and yield results where the mean value varies.

NOTE: Random errors can occur for a variety of reasons, including poorly written questions, imprecise definition of terminology, or lack of sensitivity of the analysis models.

44
Q

Record

A

A document set down in writing or some other permanent form for later reference.

45
Q

Residual Risk

A

Remaining risk after treatment.

NOTE: Residual risk may include risk retained by informed decision, untreatable risk, and/or unidentified risk.

46
Q

Resilience

A

Adaptive capacity of an organization in a complex and changing environment. (ANSI/ASIS SPC.1-2009)

47
Q

Resources

A

Any asset (human, physical, information, or intangible), facilities, equipment, materials, products, or waste that has potential value and can be used. (ANSI/ASIS SPC.1-2009)

48
Q

Review

A

Activity undertaken to determine the suitability, adequacy, and effectiveness of the management system and its component elements to achieve established objectives.

49
Q

Risk

A

Effect of uncertainty on the achievement of strategic, tactical, and operational objectives.

NOTE 1: Risk is considered as potentially having positive and/or negative outcomes.

NOTE 2: Uncertainty is the state where outcomes are unknown, lacking sufficient information, or otherwise undetermined or undefined in the course of decision-making.

NOTE 3: Objectives may include strategic goals related to the whole or parts of the organization and its value chain, as well as operational and tactical issues at levels of the organization.

NOTE 4: Risk can be characterized by the effect of uncertainty on tangible and/or intangible assets and/or potential risk events.

NOTE 5: Risk is often expressed in terms of a combination of the consequences and likelihood of the outcomes of uncertainty.

NOTE 6: Sometimes risk is focused on negative outcomes where it is considered a function of threats, vulnerabilities, and consequences.

50
Q

Risk Acceptance

A

Informed action of consenting to retain, receive, or undertake a particular risk.

51
Q

Risk Analysis

A

Process to characterize and understand the nature of risk and to define the level of risk.

NOTE: Risk analysis assesses the likelihood and consequences of a risk to provide the basis for risk evaluation and risk treatment decision making.

52
Q

Risk Appetite

A

The total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes. (RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance)

53
Q

Risk Assessment

A

Overall and systematic process of evaluating the effects of uncertainty on achieving objectives.

NOTE: Risk assessment includes risk identification, risk analysis, and risk evaluation.

54
Q

Risk Attitude

A

Organization’s or individual’s view/perspective of the perceived qualitative and quantitative value that may be gained in comparison to the related potential loss or losses. (RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance)

55
Q

Risk Criteria

A

Terms of reference used to measure and evaluate the significance and effects of risk.

NOTE 1: Risk criteria are a function of the organization’s objectives, values, and policies, as well as the external and internal environment.

NOTE 2: Risk criteria can be derived from jurisdictional laws, obligations, and other requirements.

56
Q

Risk Driver

A

Event, individual(s), process, or trends having impact on the objectives of the organization.

57
Q

Risk Evaluation

A

Process of equating the results of risk analysis with risk criteria to determine whether a particular risk level is within an acceptable tolerance or presents a potential opportunity.

NOTE: Risk evaluation provides the basis for decisions about risk treatment methods.

58
Q

Risk Identification

A

Process for determining what risks are anticipated, their characteristics, time dependencies, frequencies, duration period, and possible outcomes.

NOTE: Risk identification involves the identification of threats, opportunities, criticalities, weaknesses, and strengths, as well as identifying sources of risk and potential events and their causes and impacts.

59
Q

Risk Management

A

A strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio. (RIMS Resources)

60
Q

Risk Register

A

A compilation of all risks identified, analyzed, and evaluated in the risk assessment process.

NOTE: The risk register includes information on likelihood, consequences, treatments, and risk owners.

61
Q

Risk Source

A

A factor with the potential to create uncertainty in achieving objectives.

NOTE: The risk source may include tangible or intangible factors alone or in combination.

62
Q

Risk Tolerance

A

The amount of uncertainty an organization is prepared to accept in total or, more narrowly, within a certain business unit, a particular risk category, or for a specific initiative.

NOTE: The level of tolerance or acceptable level of variation related to achieving objectives may be influenced by jurisdictional law and stakeholder requirements. (RIMS Executive Report on Exploring Risk Appetite and Risk Tolerance)

63
Q

Risk Treatment

A

Process of selecting and implementing measures to modify risk to achieve objectives.

NOTE 1: Risk treatment can change the characteristics of existing risks or generate new risks.

NOTE 2: Risk treatment may require a reallocation of resources or modification of plans and priorities.

64
Q

Sampling

A

The process or technique of selecting a representative part of a population for the purpose of determining parameters or characteristics of the whole population.

65
Q

Scenario Analysis

A

A process using descriptive models to ascertain and analyze possible events that may occur in the future and their potential outcomes. It can be used to identify risks by considering possible future developments and exploring their implications.

NOTE: Sets of scenarios reflecting best case, worst case, and expected case may be used to analyze potential consequences and probabilities for each scenario as a form of sensitivity analysis when analyzing risk.

66
Q

Security

A

The condition of being protected against hazards, threats, risk, or loss.

67
Q

Sensitivity Analysis

A

Any systematic technique used to understand how risk estimates and risk-based decisions are dependent on variability and uncertainty in the factors contributing to risk.

NOTE 1: Sensitivity generally refers to the variation in output of a risk analysis model with respect to changes in the values of the model’s input.

NOTE 2: Sensitivity analysis attempts to provide a ranking of the model inputs based on their relative contributions to model output variability and uncertainty.

68
Q

Stakeholder

A

Person or organization with an interest or concern.

NOTE: A stakeholder can affect and may be affected by the organization and its achievement of its objectives (real or perceived).

69
Q

Stress Test

A

A form of simulation used to determine reactions to different situations; it is also used to gauge how certain stressors will affect a company or industry.

70
Q

Supply Chain

A

A two-way relationship of organizations, people, activities, logistics, information, technology, and resources engaged in activities and creating value from point of origin to point of consumption, including transforming materials/components into products and services for end users.

NOTE: The supply chain may include vendors, subcontractors, manufacturing facilities, logistics providers, internal distribution centers, distributors, wholesalers, and other entities that lead to the end user.

71
Q

Systematic Error

A

Inaccuracies that tend to shift all measurements in a systematic way so that their mean value is displaced.

NOTE: This may be due to such things as biased questionnaires or the preconceived notions of the people conducting the measurements.

72
Q

Threat Analysis

A

Process of identifying and quantifying the potential cause of an unwanted event that may result in harm to individuals, assets, a system or organization, the environment, or the community.

73
Q

Threat From

A

Based on the nature and attributes of the threat and how the threat may cause harm and/or uncertainty.

74
Q

Threat To

A

Considers the locations of the potential assets and services.

75
Q

Top Management

A

Person or group of people responsible and accountable for formulating organizational goals, objectives, strategies, policies, and/or allocating resources.

76
Q

Undesirable Event

A

Any event that has the potential to cause a negative impact on the achievement of objectives or on assets, whether tangible or intangible.

77
Q

Value Chain

A

The series of functions, processes, or activities from raw materials to the eventual end user that creates and builds value at every step to deliver a product or service.

78
Q

Violence Risk Assessment

A

The investigative and analytical process followed by a qualified professional to determine the nature and level of risk of violence presented by a person and the steps that could be taken to respond to, manage, and mitigate the risk.

79
Q

Violence Risk Screening

A

The investigative and analytical process followed by the threat management team to make a gross and general determination of whether particular behavior should be viewed as generating a concern for possible violence and thereby should be treated under the organization’s threat management protocols. Distinct from the violence risk assessment, which requires specifically trained and qualified personnel.

80
Q

Vulnerability

A

Susceptibility related to the entity’s preparedness, agility, and adaptability.

81
Q

Workplace Violence

A

A spectrum of behaviors, including overt acts of violence, threats, and other conduct, that generate a reasonable concern for safety of employees and others (such as customers, clients and business associates) on site or off-site when related to the organization.