Domain I - Organizational Governance Related to Risk Management Flashcards
Risk management processes in entities in the governmental sector and private sectors should be generally similar. However, due to a different environment, and dissimilar characteristics and objectives, risk management processes may differ. Which of the following is most true?
a. Organizational objectives are more diverse in government.
b. Even with constrained budgets, government entities may easily exceed private sector entities’ established “risk appetites.”
c. Private sector entities face more laws and regulations than government agencies.
d. The governance organizations will bear the same names (e.g., “the board,” “audit committee,” “a CAE”) and functions the same way in both sectors.
Solution: a
a. Correct. Government programs are more complex and address a wider range of issues than a typical private sector entity.
b. Incorrect. Legislative bodies limit what governments can spend, making it less likely that risk appetites will be exceeded.
c. Incorrect. While the private sector must comply with many laws and regulations, government has even more.
d. Incorrect. Private firms generally have “boards” and “audit committees,” whereas government entities have a range of governance bodies, e.g., central managers, legislatures, etc.
A newly appointed risk officer begins an environmental scan by conducting interviews with key staff. She finds out that there is a strong sense of territory and she continues to hear the same issues raised at each department’s meetings. The risk officer also has discovered that action items are not shared among the various departments or management. What would be the most likely conclusion of the risk officer’s environmental scan?
a. The organizational structure does not promote integration of activities across departments.
b. It is likely that the CEO does not believe in the nonprofit’s mission.
c. The organizational structure is not designed to allow for agile and innovative responses to the external environment.
d. The managers are not given enough resources to help achieve the strategic goals.
Solution: a
a. Correct. Cross integration and communication with departments reduces redundancy, advances effective assignment of tasks and resources, and creates efficiencies in achieving the organization’s strategic goals.
b. Incorrect. The CEO created the risk officer position to help reduce the risks to achievement of mission goals.
c. Incorrect. While this may be true, the risk officer did not assess the structure’s ability to mitigate risk factors of the external environment.
d. Incorrect. Not enough information to make this determination.
Stakeholder analysis is an important component of risk management planning. Which of the following two factors are most likely to result in conflicting interests and expectations among primary internal stakeholders?
I. The responsibility to accommodate the extra work and the level of skills and financial resources necessary to implement risk management.
II. A corporate culture that focuses management on personal or short-term gain while owners’ interests tend to be focused on long-term returns on their investment.
III. Whether a stakeholder is represented in the development of risk management processes.
IV. Whether the organization is in the private sector or the public sector.
a. I and II only.
b. II and III only.
c. I and III only.
d. III and IV only.
Solution: a (I and II only)
I. Correct. Stakeholder analyses should consider whose interests risk management would affect negatively or positively. One party’s efficiency gain might be another’s cut income.
II. Correct. In the “agency view” of organizations, mechanisms of corporate governance should include a system of controls that are intended to align the incentives of managers with those of shareholders.
III. Incorrect. Representing a stakeholder in the development of risk management processes is a good way to surmount stakeholder conflicts, but it does not explain them.
IV. Incorrect. Whether the organization is in the public or private sector, there are still inherent differences among internal stakeholders.
Within an organization’s structure, there is one process by which risks can be managed by increasing flexibility and creating opportunities for team members when assigning tasks to subordinates. What is this process?
a. Creating cross-functional teams.
b. Succession planning.
c. Mandatory work breaks.
d. Delegating authority.
Solution: d
a. Incorrect. Creating cross-functional teams can enhance enterprise-wide communications among managers and departments, but teams are not required to assign tasks to subordinates.
b. Incorrect. Succession planning is a risk management activity to ensure that gaps in roles and responsibilities are covered.
c. Incorrect. Requiring work breaks is not a process to assign tasks to team members.
d. Correct. Delegating authority is one process by which an organization can increase its flexibility in assigning tasks and increasing opportunities for subordinates as part of succession planning. However, there is a risk of failure or delayed timelines if the task is passed on to someone who does not know how to complete it.
A company is planning a risk assessment of the IT systems that process, store, and transmit its litigation data. In accordance with GAIT-R, the first and most important planning task the assessment team should undertake is:
a. Ensuring that the risk management team or assessment contractor has access to the technical expertise necessary to understand system configurations and software vulnerabilities.
b. Conducting a thorough review of information security (InfoSec) policies and procedures.
c. Interviewing key C-suite (CEO, CIO, CFO, legal) executives and operational managers to identify and rank threats to the business.
d. Determining the types and proper mix of manual and automated controls needed to provide reasonable assurance.
Solution: c
a. Incorrect. Having the correct expertise is important, but one must first determine which systems require assessment before determining the expertise necessary.
b. Incorrect. Reviews of InfoSec policies and procedures are part of the assessment but not the planning stage.
c. Correct. The first principle of GAIT-R states that the failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business. GAIT advocates a top-down assessment of business risks, risk tolerance, and the controls required to manage or mitigate business risk.
d. Incorrect. Key manual and automated controls “should be identified as a result of a top-down assessment of business risks, risk tolerance and the controls … required to … mitigate risk.” Identifying and assessing the key controls are steps 2 and 3 in GAIT-R (GAIT-R Executive Summary).
An adjudicatory board makes decisions in cases where unsuccessful vendors contend that procurement officials treated them unfairly. Both parties appear before the board. An audit of the board identified unjustified sole-source procurements; costly, unneeded renovation work; disparity in personnel work assignments; and the establishment of a council unrelated to the board’s mission and funded by vendors and procuring offices. Which creates the most serious reputational risk to the board?
a. Wasteful spending on procurements, travel, and renovations.
b. Questionable, inappropriate, or unfair personnel practices.
c. Establishing a council unrelated to the board’s mission.
d. Seeking funding from those who appear before the board.
Solution: d
a. Incorrect. While these issues should be addressed, the impact is not as significant as other issues.
b. Incorrect. Appropriate, fair personnel practices are required by law and regulation but are not likely to have a big impact on the board’s reputation.
c. Incorrect. This issue is significant but would not necessarily have an adverse impact on the board’s reputation.
d. Correct. Soliciting funds from affected parties who might appear before the board could easily be (or at least appear to be) a conflict of interest. The chief judge was forced to resign.
Hard controls are affected by policies, processes, and structure. Soft controls rely on the behavior and attitude of individuals. Identify the controls below as hard (H) or soft (S) and decide whether an auditor would find it difficult (D), slightly challenging (C), or relatively easy (E) to assess the effectiveness of the control.
a. Physical counts (S)/(E).
b. Policies (H)/(C).
c. Openness (S)/(D).
d. Shared values (H)/(E).
Solution: c
a. Incorrect. Physical counts are hard controls.
b. Incorrect. Policies are often soft and may be difficult to assess, but some policies (e.g., travel, attendance) can be seen as hard, and thus not challenging to assess.
c. Correct. Due to subjectivity and lack of clear evidence in some cases, openness is more soft and challenging to assess than the other options.
d. Incorrect. Shared values are a soft control.
A small toy company was challenged to find a way to prioritize its risks, and the owners looked to its senior managers to help make decisions about new products. New products were considered in light of factors such as price, regulatory requirements, consumer demand, and time to market. The factors were given a weight for relative importance. Each prospective new toy was scored against each of the factors. Once numerical values were attributed to each of the toys, the elements were multiplied to determine an overall value for each toy. The toys with the highest value were deemed the best business choices for the next manufacturing and development cycle. This type of decision-making is known as:
a. Monte-Carlo simulation.
b. Grid analysis.
c. ISO 31000.
d. Chunking.
Solution: b
a. Incorrect. Monte Carlo simulation is a mathematical process to simulate risks through the use of algorithms and random sampling. The decision-making process used by the toy company did not do this.
b. Correct. Grid analysis is an effective decision-making process that helps analyze the available options and weigh risks that can influence governance.
c. Incorrect. ISO 31000 is a set of standards to help organizations manage risks.
d. Incorrect. Chunking is a decision-making process that breaks down a problem into “chunks.”
Value engineering (VE) is a technique to reduce cost while still achieving the desired end result, product, or service. A company has a formal policy to use VE in developing new products and provides VE training and incentives. One division’s reported VE savings lag, and that division head supplements formal policies with his personal views on VE. What is the most likely explanation of the disparity in VE savings?
a. Reported VE savings data in one division are unreliable.
b. The VE training programs need improvement.
c. Informal comments by the head of one division disparaged VE, increasing the risk that VE goals would not be reached.
d. Staff in one division has a cultural bias against the use of VE.
Solution: c
a. Incorrect. There is no basis for this conclusion.
b. Incorrect. There is no indication that training is inadequate.
c. Correct. The informal comments of the division head could have been negative about VE.
d. Incorrect. There was no particular reason to suggest that one division had an anti-VE culture.
Unable to rely solely on its own factories, toy company PlayGo contracts with foreign-owned manufacturers. Despite its requirement that factories use materials provided by certified suppliers, a foreign manufacturer uses lead paint and PlayGo issues a recall. What are the two most effective strategies to limit PlayGo’s reputational damage and reduce the likelihood of future product defects?
I. Participating in a highly publicized initiative by the Toy Industry Association and Consumer Product Safety Commission to introduce new regulations requiring more stringent safety checks.
II. Issuing a statement that the toys were made in factories in a foreign country, and that PlayGo had met its risk management responsibilities by issuing the requirement that contractors use material provided by certified suppliers.
III. Reducing the number of toys it makes through contract factories.
IV. Refining further its memoranda of understanding with contractors and partners to include stricter monitoring and tougher penalties for noncompliance.
a. I and II only.
b. II and III only.
c. I and III only.
Solution: d (I and IV only)
I. Correct. This collaborative initiative can improve assurance of product safety throughout the supply chain.
II. Incorrect. “The engagement of a third party to undertake some activity does not absolve the organization of responsibility for risk.” This statement is not the strongest public relations approach because it sounds as if PlayGo is denying responsibility for and not being proactive in redressing the problem.
III. Incorrect. While there may be a higher probability of unacceptable risk when dealing with organizations operating in different regulatory and cultural environments, the company determined it cannot rely solely on its own factories. PlayGo is better served by reducing residual risk through stronger enforcement of penalties for third-party contractual noncompliance and participating in an industrywide effort to strengthen safety monitoring.
IV. Correct. As long as PlayGo continues to determine that the benefits of lower cost offshore manufacturing capacity exceed the risks, enforcing stronger penalties and leveraging better industry monitoring will be sound elements of its residual risk equation. PlayGo should, however, use this incident and findings from enhanced monitoring to consider whether it should outsource to different foreign manufacturers.
For a board, a member’s independent status can be a disadvantage because his or her knowledge of staff operations and daily governance is limited to what is revealed at board meetings and other timely information. When thinking about documentation to the board, which of the following is false?
a. It contributes to openness and transparency.
b. It provides information that can support the decision-making, planning, and analysis of strategic initiatives.
c. It tilts the balance of power so that the board has more information than the CEO does about risk management.
d. It allows stakeholders to have timely and relevant information to make decisions.
Solution: c
a. Incorrect. Documentation is an appropriate governance tool to ensure openness and transparency.
b. Incorrect. When independent board members are selected, they need to have access to information that will enable them to govern effectively and make knowledgeable decisions.
c. Correct. For a board to be effective when it has limited day-to-day interaction with management and staff, its independent members must be given enough information to allow them to make decisions. Balance of power refers to a situation where there is appropriate oversight and the CEO is not also the board chair.
d. Incorrect. Timely
A defense department assigned its highest priority to developing an advanced aircraft using materials not previously used and untested technologies. A firm fixed-price contract was awarded to a qualified vendor. Controls were in place at all levels, and progress reports—noting challenges—were sent to top officials. Top officials reported that progress was excellent, but the project failed due to enormous expenditures with no aircraft developed. Which risks were not adequately considered?
I. Because the requirements were not specific, the use of a firm fixed-price contract made the project risky.
II. The personnel at many levels sent false reports forward on cost incurred and progress made.
III. The contractor lacked adequate technical skills to deal with technology that was still evolving.
IV. Top procurement officials did not act on “red flags” due to a “can do” mentality on a high priority of the program.
a. I, II, III, and IV.
b. II and III only.
c. I and IV only.
d. I only.
Solution: c (I and IV only)
I. Correct. For weapons development that will employ embryonic technology, cost-based contracts are preferable to firm fixed price.
II. Incorrect. There is no basis presented to suggest that risk 2 was present.
III. Incorrect. There is no basis presented to suggest that risk 3 was present.
IV. Correct. Given the extensive monitoring and reporting, senior procurement managers were not responding appropriately to “red flags.”
A developed country runs a program to send volunteers overseas to assist less-developed countries in education, health, and community development. Statutory objectives include assisting country development and enhancing cross-cultural understanding. This program is popular but faces many risks. Of the following four risks, which one would likely be the most challenging?
a. Health care for volunteers.
b. Inadequate in-country representation of the agency that manages the program.
c. Inadequate housing for volunteers.
d. Developing clear ways for measuring performance against the statutory objectives.
Solution: d
a. Incorrect. While this is a real risk, the program can, and did, assign medical staff to the foreign countries.
b. Incorrect. Justifying budget resources can present a challenge, but that problem is not unique to this government program.
c. Incorrect. Finding adequate housing is a problem, but onsite pre-approvals and monitoring are available options.
d. Correct. The broadness of the objectives, and the frequent difficulty of gathering sufficient, reliable, relevant information, makes it hard to assess achievement of objectives.
The internal environment of the enterprise risk management (ERM) framework and the control environment of the internal control framework provide positive contributions to the governance process and organizational performance. What is not one of the applications of the frameworks to achieve an organization’s goals?
a. A board of directors is given authority to define the controls required to execute the strategy.
b. ERM is applied to strategy setting to identify and mitigate risks to strategy.
c. Internal control addresses the risks identified and provides assurances that strategy can be met.
d. One principle of both frameworks is the establishment of boundaries that delineate the roles and responsibilities of the board and management.
Solution: a
a. Correct. The board of directors does not define the controls. The board demonstrates independence from management and exercises oversight of the development and performance of internal control.
b. Incorrect. When strategic planning is integrated with ERM and includes internal control, it deals with alternative risk responses to achieve value as part of the governance process.
c. Incorrect. Risk reduction is a goal of internal control, which assures management and the board that the organizational goals are being met.
d. Incorrect. The internal environment component of the ERM framework and the control environment principle of the internal control framework both articulate the importance of boundaries between board and management in the context of managing risks.
OWA, Inc. wants to determine the optimal scope and scheduling of its IT risk assessment. What is the most efficient sequence of pre-assessment planning activities?
I. Define the impact values of operational threat scenarios to OWA.
II. Determine the vulnerability of OWA’s hardware and software to hacker exploits or internal abuse.
III. Identify the data that affect OWA’s ability to be a safe and reliable source of water, and determine the criticality of the confidentiality, integrity, and availability of each class of OWA data.
IV. Identify where and how critical data are stored, transmitted, and processed.
a. III, I, II, and IV.
b. I, III, IV, and II.
c. III, IV, II, and I.
d. II, IV, I, and III.
Solution: b (I, III, IV, and II)
I. Incorrect. Action III translates the results of action I into the data that must be protected to maintain OWA’s financial sustainability and operational security.
II. Correct. The first step is to identify and rank the severity of threats to OWA’s ability to continue to serve as part of the nation’s critical infrastructure.
III. Incorrect. Again, one needs to understand all existential threats to OWA first, map those threats to the data that must be protected, identify where those data reside, are acted upon, and travel, and, finally, identify and remediate relevant hardware and software vulnerabilities.
IV. Incorrect. Action II is the last step after identifying existential risks, the type of data that must be protected for OWA to remain viable and secure, and the systems that store, process, and transmit these data.
Objectives of the risk management process include all of the following except:
a. To link growth, risk, and return.
b. To act as a reasonable “brake” on strategic growth.
c. To look for ways to take advantage of opportunities.
d. To comply with laws and regulations.
Solution: b
a. Incorrect. This is an accepted objective of risk management processes.
b. Correct. This is a common misconception concerning objectives of risk management processes.
c. Incorrect. Again, this is an accepted objective of these processes.
d. Incorrect. Again, this is an accepted objective of these processes.
The following are definitions of risk management terms:
I. The amount of risk an organization accepts.
II. The level of risk remaining after treatment.
III. Acceptable variance from appetite.
IV. Overall “picture” of risk across categories.
Match the above definitions to the terms below:
a. I. Appetite. II. Risk profile. III. Residual risk. IV. Inherent risk.
b. I. Appetite. II. Residual risk. III. Risk profile. IV. Risk tolerance.
c. I. Appetite. II. Residual risk. III. Risk tolerance. IV. Risk profile.
d. I. Risk profile. II. Risk tolerance. III. Residual risk. IV. Appetite.
Solution: c
a. Incorrect. See definitions in the CRMA Exam Study Guide.
b. Incorrect. See definitions in the CRMA Exam Study Guide.
c. Correct. Aligns with risk management literature.
d. Incorrect. See definitions in the CRMA Exam Study Guide.
A nonprofit microfinance organization wants to establish a for-profit subsidiary. Which of the following are the greatest organizational risks that must be assessed before the organization commits to the initiative?
I. Determining whether the organization has the appropriate governance structure to support the proposed expansion in its activities.
II. Determining whether the nonprofit’s existing skill set is transferrable and applicable to the activities of the proposed for-profit subsidiary.
III. Assessing whether the nonprofit’s “Theory X” view of its workforce is appropriate for a for-profit operation.
IV. Assessing whether a for-profit subsidiary is consistent with the values (tone at the top) and strategic objectives of the nonprofit.
a. I and IV only.
b. II and III only.
c. I, III, and IV only.
d. II and IV only.
Solution: a (I and IV only)
I. Correct. Determining that sufficient governance exists is essential before the organization can launch a successful for-profit undertaking.
II. Incorrect. Ultimately, the for-profit employee skill set must be aligned with the demands of the new subsidiary, but a strong management team and governance structure will identify and fill skill gaps through training or new hires. Alternatively, management can forego the undertaking if it cannot meet the skill requirements of the for-profit subsidiary by training existing staff or hiring new employees.
III. Incorrect. A Theory X approach translates into a work environment that mitigates risk and maximizes performance using a set of hard controls, but is not inherently consistent or inconsistent with establishing a new for-profit.
IV. Correct. The nonprofit must ensure that establishing the for-profit subsidiary is not out of the scope of its organizational mission and that it will not alienate the nonprofit’s core donor base.
CCC has recently separated from its parent company. The CEO recently appointed herself as chair to the newly formed board of directors. The board will have the responsibility for oversight of strategy, so the CEO believes the role as chair will allow her to make decisions more quickly. She does not believe there has to be a formal documentation and decision-making process. Given this scenario, what are some of the likely key reasons that CCC’s structure may not succeed?
I. As board chair, the CEO can make decisions quickly without the interference of a collaborative decision-making process.
II. Decision-making that is not integrated with risk analysis and a methodical process for providing information that is timely and relevant will not foster transparency to the key stakeholders.
III. Without documentation, a historical record for experience-based decision-making in the future will limit timely oversight and management accountability.
IV. The organization’s governing body is not being provided with clear decision-making records and is not able to collaborate on strategic oversight.
a. I and IV.
b. II and III.
c. II, III, and IV.
d. I, II, and III.
Solution: c (II, III, and IV)
I. Incorrect. Balance of power does not exist when the CEO is also the board chair, which is an ineffective organizational structure.
II. Correct. A reason that the organization’s structure may not succeed is that the CEO is not using a methodical process for decision-making. Transparent decision-making with timely and relevant information is needed to ensure risk oversight by the board.
III. Correct. Without documentation that provides a historical record, future decisions could take longer to make and it will be difficult to hold anyone accountable for risks as a result of bad decisions.
IV. Correct. The board is left in the dark and cannot provide strategic oversight that can lead to a better decision.
After a country significantly increased the budget for its military services, the defense department accumulated “excess” spare parts valued at US $33 billion. Examples included a 14,000-year supply of one aircraft part and 126 sizes of women’s shirts. Which one of the following risk management approaches would likely have had the best chance of avoiding the risk of the large wasteful expenditures?
a. Limiting the budgetary resources approved (and made available) for procuring spare parts, and rigorously monitoring related expenditures.
b. Reducing the number of spare part items managed by each item manager, thereby reducing their individual workloads.
c. Improved and updated methods of computing valid requirements for spare parts procurement.
d. More reliable and current information on existing spare parts for decision-makers.
Solution: a
a. Correct. If the agency has more budgetary resources than needed, it would likely use resources wastefully for fear of having next year’s budget decreased.
b. Incorrect. This action may help to make better procurement decisions, but not as directly as A.
c. Incorrect. Again, this action may mitigate procuring unneeded parts over time, but option A is more direct.
d. Incorrect. This action may also mitigate unneeded procurements, but the decision-makers may not use the available information.
PTP receives 95% of its project funding from donor BD. PTP draws down funds as needed through BD’s letter of credit (LoC) and submits its rationale for the project drawdowns at the end of each quarter. The board of directors directs PTP to broaden its funding base, which PTP does using existing BD funds. An external audit discovers that PTP has used program funds to solicit new donors. As a result, BD terminates the LoC and PTP goes out of business. Which of PTP’s deficiencies was the least critical threat facing PTP?
a. The policies and procedures for the use of the LoC, which allowed PTP to draw down funds as needed but not report until the end of the financial quarter.
b. No findings reported by the external auditor. Whether these accounting irregularities were the result of intentional fraud or honest mistakes, the external auditor should have been fluent in BD’s contractual requirements and flagged the misallocation of expenses.
c. Senior management and the board were so focused on the risk of PTP’s reliance on BD funding that they failed to explore the risks associated with its efforts to find other funding. Consultation with program managers and contract specialists would have made the board aware that it could not fund its exploratory efforts using BD program funds.
d. Senior management and the board failed to ensure that the three lines of defense in risk management were operational.
Solution: a
a. Correct. Even though the ability to access funds as needed and report later is akin to “shutting the barn door after the horse got out,” had the three lines of defense and external audit functioned appropriately, PTP would not have been able to misuse the LoC.
b. Incorrect. A thorough examination and report by the external auditors would have been especially important given the lack of internal audit and PTP’s requirements to report to its big donor.
c. Incorrect. Consultation with program directors (the first line of defense) would have made the board and executive team aware that it could not fund its exploratory efforts using BD program funds. Operational management, as the “owners” of the contracts, should have known, for example, that while certain program development costs such as proposal preparation were allowable overhead, other development activities such as fund-raising, direct mail, and travel to non-program sites were not allowable uses of BD program funds.
d. Incorrect. PTP’s lack of a three lines of defense risk management structure proved to be a critical contributor to its failure.
A charitable organization that provides shelter to the homeless is defining its value drivers. Which one of these is not one of its primary activities in Porter’s Value Chain model?
a. Operations—all the main activities that are needed to create the service or product, such as finding and providing shelter and food.
b. Client intake—the activities that are performed to identify the clients in need and bring them to the shelters.
c. Social work—including counseling the clients.
d. Grants administration—the writing and securing of grants to fund the charity
Solution: d
a. Incorrect. Primary activity that has a direct bearing on adding value; operations requires skills and resources to deliver its products and services.
b. Incorrect. Primary activity that has a direct bearing on adding value; client intake requires skills in assessing and selecting the right clients.
c. Incorrect. Primary activity that has a direct bearing on adding value; social work requires qualified training and special skills.
d. Correct. Grants administration is a support activity that facilitates the primary activities that serve the clients directly.
A corporation staffs its foreign sites with its own country’s employees (two to four years) and local employees (longer). Local employees who separate voluntarily are entitled to a lump-sum payment to be computed under a clear agreement between the local employees and the corporation. Yet, separating local employees are being paid 40% more than in the agreement. Rank the risks that likely led to overpayments.
I. The computation method is not well understood.
II. The employee who makes the computations is deliberately increasing the amount in exchange for kickbacks from local employees, or a personal belief that the local employees “deserve” more.
III. The supervisor(s) of the individual who computes and makes separation payments was not adequately reviewing the computations and payments.
IV. The comptroller is exhibiting an impoverished management style over local employees.
a. III, IV, II, and I.
b. I, II, III, and IV.
c. IV, III, II, and I.
d. II, IV, III, and I.
Solution: a (III, IV, II, and I)
a. Correct. The computation method is likely well understood, so the other three (II, III, IV) are ranked higher.
b. Incorrect. Again, the computation is likely well understood, so this is not the most likely sequence.
c. Incorrect. Risk IV implies that the comptroller has an overall impoverished style; not only one weakness is identified—but likely a pervasive style that had a negative effect on all supervisors’ attitude on control.
d. Incorrect. Considering risk II first tends to point a finger prematurely at the individual who does the computations.
A biomedical company is marketing its new protocol to treat early stage cancer. Absent the new treatment, a patient’s risk of the cancer recurring is 80%; with the treatment, the risk of recurrence drops to 2%. In risk management terms, the situation before treatment is called [fill in the blank] and the patient’s prospects after treatment are [fill in the blank]:
a. Inherent risk and risk tolerance.
b. Inherent risk and residual risk.
c. Risk profile and risk tolerance.
d. Risk-aware and risk-managed.
Solution: b
a. Incorrect. “Inherent risk” is correct as it is the level of risk in the absence of any response, but “risk tolerance” is incorrect in this scenario because it is the “acceptable variance from risk appetite.”
b. Correct. This is the proper usage of both “inherent risk” and “residual risk,” which is “the level of risk remaining after a risk treatment.”
c. Incorrect. “Risk profile” is the overall picture of risk across a range of categories. “Risk tolerance” is also applied incorrectly as stated above.
d. Incorrect. These terms refer to levels of organizational risk maturity.