Domain I - Organizational Governance Related to Risk Management Flashcards

1
Q

Risk management processes in governmental and private-sector entities should generally be similar. However, because of different environments, characteristics, and objectives, the processes may differ. Which of the following is most true?

a. Organizational objectives are more diverse in government.
b. Even with constrained budgets, government entities may easily exceed private sector entities’ established “risk appetites.”
c. Private sector entities face more laws and regulations than government agencies.
d. The governance organizations will bear the same names (e.g., “the board,” “audit committee,” “a CAE”) and functions the same way in both sectors.

A

Solution: a

a. Correct. Government programs are more complex and address a wider range of issues than a typical private sector entity.
b. Incorrect. Legislative bodies limit what governments can spend, making it less likely that risk appetites will be exceeded.
c. Incorrect. While the private sector must comply with many laws and regulations, government has even more.
d. Incorrect. Private firms generally have “boards” and “audit committees,” whereas government entities have a range of governance bodies, e.g., central managers, legislatures, etc.

2
Q

A newly appointed risk officer begins an environmental scan by conducting interviews with key staff. She finds a strong sense of territoriality, and she hears the same issues raised at each department’s meetings. The risk officer also discovers that action items are not shared among the various departments or with management. What would be the most likely conclusion of the risk officer’s environmental scan?

a. The organizational structure does not promote integration of activities across departments.
b. It is likely that the CEO does not believe in the nonprofit’s mission.
c. The organizational structure is not designed to allow for agile and innovative responses to the external environment.
d. The managers are not given enough resources to help achieve the strategic goals.

A

Solution: a

a. Correct. Cross integration and communication with departments reduces redundancy, advances effective assignment of tasks and resources, and creates efficiencies in achieving the organization’s strategic goals.
b. Incorrect. The CEO created the risk officer position to help reduce the risks to achievement of mission goals.
c. Incorrect. While this may be true, the risk officer did not assess the structure’s ability to mitigate risk factors of the external environment.
d. Incorrect. There is not enough information to make this determination.

3
Q

Stakeholder analysis is an important component of risk management planning. Which of the following two factors are most likely to result in conflicting interests and expectations among primary internal stakeholders?

I. The responsibility to accommodate the extra work and the level of skills and financial resources necessary to implement risk management.
II. A corporate culture that focuses management on personal or short-term gain while owners’ interests tend to be focused on long-term returns on their investment.
III. Whether a stakeholder is represented in the development of risk management processes.
IV. Whether the organization is in the private sector or the public sector.
a. I and II only.
b. II and III only.
c. I and III only.
d. III and IV only.

A

Solution: a (I and II only)

I. Correct. Stakeholder analyses should consider whose interests risk management would affect negatively or positively. One party’s efficiency gain might be another’s cut income.
II. Correct. In the “agency view” of organizations, mechanisms of corporate governance should include a system of controls that are intended to align the incentives of managers with those of shareholders.
III. Incorrect. Representing a stakeholder in the development of risk management processes is a good way to surmount stakeholder conflicts, but it does not explain them.
IV. Incorrect. Whether the organization is in the public or private sector, there are still inherent differences among internal stakeholders.

4
Q

Within an organization’s structure, there is one process by which risks can be managed by increasing flexibility and creating opportunities for team members when assigning tasks to subordinates. What is this process?

a. Creating cross-functional teams.
b. Succession planning.
c. Mandatory work breaks.
d. Delegating authority.

A

Solution: d

a. Incorrect. Creating cross-functional teams can enhance enterprise-wide communications among managers and departments, but teams are not required to assign tasks to subordinates.
b. Incorrect. Succession planning is a risk management activity that ensures gaps in roles and responsibilities are covered.
c. Incorrect. Requiring work breaks is not a process to assign tasks to team members.
d. Correct. Delegating authority is one process by which an organization can increase its flexibility in assigning tasks and increasing opportunities for subordinates as part of succession planning. However, there is a risk of failure or delayed timelines if the task is passed on to someone who does not know how to complete it.

5
Q

A company is planning a risk assessment of the IT systems that process, store, and transmit its litigation data. In accordance with GAIT-R, the first and most important planning task the assessment team should undertake is:

a. Ensuring that the risk management team or assessment contractor has access to the technical expertise necessary to understand system configurations and software vulnerabilities.
b. Conducting a thorough review of information security (InfoSec) policies and procedures.
c. Interviewing key C-suite (CEO, CIO, CFO, legal) executives and operational managers to identify and rank threats to the business.
d. Determining the types and proper mix of manual and automated controls needed to provide reasonable assurance.

A

Solution: c

a. Incorrect. Having the correct expertise is important, but one must first determine which systems require assessment before determining the expertise necessary.
b. Incorrect. Reviews of InfoSec policies and procedures are part of the assessment but not the planning stage.
c. Correct. The first principle of GAIT-R states that the failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business. GAIT advocates a top-down assessment of business risks, risk tolerance, and the controls required to manage or mitigate business risk.
d. Incorrect. Key manual and automated controls “should be identified as a result of a top-down assessment of business risks, risk tolerance and the controls … required to … mitigate risk.” Identifying and assessing the key controls are steps 2 and 3 in GAIT-R (GAIT-R Executive Summary).

6
Q

An adjudicatory board makes decisions in cases where unsuccessful vendors contend that procurement officials treated them unfairly. Both parties appear before the board. An audit of the board identified unjustified sole-source procurements; costly, unneeded renovation work; disparity in personnel work assignments; and the establishment of a council unrelated to the board’s mission and funded by vendors and procuring offices. Which creates the most serious reputational risk to the board?

a. Wasteful spending on procurements, travel, and renovations.
b. Questionable, inappropriate, or unfair personnel practices.
c. Establishing a council unrelated to the board’s mission.
d. Seeking funding from those who appear before the board.

A

Solution: d

a. Incorrect. While these issues should be addressed, the impact is not as significant as other issues.
b. Incorrect. Appropriate, fair personnel practices are required by law and regulation but are not likely to have a big impact on the board’s reputation.
c. Incorrect. This issue is significant but would not necessarily have an adverse impact on the board’s reputation.
d. Correct. Soliciting funds from affected parties who might appear before the board could easily be (or at least appear to be) a conflict of interest. The chief judge was forced to resign.

7
Q

Hard controls are implemented through policies, processes, and structure. Soft controls rely on the behavior and attitude of individuals. Identify each control below as hard (H) or soft (S), and decide whether an auditor would find it difficult (D), slightly challenging (C), or relatively easy (E) to assess the effectiveness of the control.

a. Physical counts (S)/(E).
b. Policies (H)/(C).
c. Openness (S)/(D).
d. Shared values (H)/(E).

A

Solution: c

a. Incorrect. Physical counts are hard controls.
b. Incorrect. Policies are often soft and may be difficult to assess, but some policies (e.g., travel, attendance) can be seen as hard, and thus not challenging to assess.
c. Correct. Due to subjectivity and lack of clear evidence in some cases, openness is more soft and challenging to assess than the other options.
d. Incorrect. Shared values are a soft control.

8
Q

A small toy company was challenged to find a way to prioritize its risks, and the owners looked to its senior managers to help make decisions about new products. New products were considered in light of factors such as price, regulatory requirements, consumer demand, and time to market. The factors were given a weight for relative importance. Each prospective new toy was scored against each of the factors. Once numerical values were attributed to each of the toys, the elements were multiplied to determine an overall value for each toy. The toys with the highest value were deemed the best business choices for the next manufacturing and development cycle. This type of decision-making is known as:

a. Monte-Carlo simulation.
b. Grid analysis.
c. ISO 31000.
d. Chunking.

A

Solution: b

a. Incorrect. Monte Carlo simulation is a mathematical process to simulate risks through the use of algorithms and random sampling. The decision-making process used by the toy company did not do this.
b. Correct. Grid analysis is an effective decision-making process that helps analyze the available options and weigh risks that can influence governance.
c. Incorrect. ISO 31000 is a set of standards to help organizations manage risks.
d. Incorrect. Chunking is a decision-making process that breaks down a problem into “chunks.”

9
Q

Value engineering (VE) is a technique to reduce cost while still achieving the desired end result, product, or service. A company has a formal policy to use VE in developing new products and provides VE training and incentives. One division’s reported VE savings lag, and that division head supplements formal policies with his personal views on VE. What is the most likely explanation of the disparity in VE savings?

a. Reported VE savings data in one division are unreliable.
b. The VE training programs need improvement.
c. Informal comments by the head of one division disparaged VE, increasing the risk that VE goals would not be reached.
d. Staff in one division has a cultural bias against the use of VE.

A

Solution: c

a. Incorrect. There is no basis for this conclusion.
b. Incorrect. There is no indication that training is inadequate.
c. Correct. The informal comments of the division head could have been negative about VE.
d. Incorrect. There was no particular reason to suggest that one division had an anti-VE culture.

10
Q

Unable to rely solely on its own factories, toy company PlayGo contracts with foreign-owned manufacturers. Despite its requirement that factories use materials provided by certified suppliers, a foreign manufacturer uses lead paint and PlayGo issues a recall. What are the two most effective strategies to limit PlayGo’s reputational damage and reduce the likelihood of future product defects?

I. Participating in a highly publicized initiative by the Toy Industry Association and Consumer Product Safety Commission to introduce new regulations requiring more stringent safety checks.
II. Issuing a statement that the toys were made in factories in a foreign country, and that PlayGo had met its risk management responsibilities by issuing the requirement that contractors use material provided by certified suppliers.
III. Reducing the number of toys it makes through contract factories.
IV. Refining further its memoranda of understanding with contractors and partners to include stricter monitoring and tougher penalties for noncompliance.
a. I and II only.
b. II and III only.
c. I and III only.
d. I and IV only.

A

Solution: d (I and IV only)

I. Correct. This collaborative initiative can improve assurance of product safety throughout the supply chain.
II. Incorrect. “The engagement of a third party to undertake some activity does not absolve the organization of responsibility for risk.” This statement is not the strongest public relations approach because it sounds as if PlayGo is denying responsibility for, and not being proactive in redressing, the problem.
III. Incorrect. While there may be a higher probability of unacceptable risk when dealing with organizations operating in different regulatory and cultural environments, the company determined it cannot rely solely on its own factories. PlayGo is better served by reducing residual risk through stronger enforcement of penalties for third-party contractual noncompliance and participating in an industrywide effort to strengthen safety monitoring.
IV. Correct. As long as PlayGo continues to determine that the benefits of lower-cost offshore manufacturing capacity exceed the risks, enforcing stronger penalties and leveraging better industry monitoring will be sound elements of its residual risk equation. PlayGo should, however, use this incident and findings from enhanced monitoring to consider whether it should outsource to different foreign manufacturers.

11
Q

For a board, a member’s independent status can be a disadvantage because his or her knowledge of staff operations and daily governance is limited to what is revealed at board meetings and other timely information. When thinking about documentation to the board, which of the following is false?

a. It contributes to openness and transparency.
b. It provides information that can support the decision-making, planning, and analysis of strategic initiatives.
c. It tilts the balance of power so that the board has more information than the CEO does about risk management.
d. It allows stakeholders to have timely and relevant information to make decisions.

A

Solution: c

a. Incorrect. Documentation is an appropriate governance tool to ensure openness and transparency.
b. Incorrect. When independent board members are selected, they need to have access to information that will enable them to govern effectively and make knowledgeable decisions.
c. Correct. For a board to be effective when it has limited day-to-day interaction with management and staff, its independent members must be given enough information to allow them to make decisions. Balance of power refers to a situation where there is appropriate oversight and the CEO is not also the board chair.
d. Incorrect. Timely

12
Q

A defense department assigned its highest priority to developing an advanced aircraft using materials not previously used and untested technologies. A firm fixed-price contract was awarded to a qualified vendor. Controls were in place at all levels, and progress reports—noting challenges—were sent to top officials. Top officials reported that progress was excellent, but the project failed due to enormous expenditures with no aircraft developed. Which risks were not adequately considered?

I. Because the requirements were not specific, the use of a firm fixed-price contract made the project risky.
II. The personnel at many levels sent false reports forward on cost incurred and progress made.
III. The contractor lacked adequate technical skills to deal with technology that was still evolving.
IV. Top procurement officials did not act on “red flags” due to a “can do” mentality on a high-priority program.
a. I, II, III, and IV.
b. II and III only.
c. I and IV only.
d. I only.

A

Solution: c (I and IV only)

I. Correct. For weapons development that will employ embryonic technology, cost-based contracts are preferable to firm fixed price.
II. Incorrect. There is no basis presented to suggest that risk II was present.
III. Incorrect. There is no basis presented to suggest that risk III was present.
IV. Correct. Given the extensive monitoring and reporting, senior procurement managers were not responding appropriately to “red flags.”

13
Q

A developed country runs a program to send volunteers overseas to assist less-developed countries in education, health, and community development. Statutory objectives include assisting country development and enhancing cross-cultural understanding. This program is popular but faces many risks. Of the following four risks, which one would likely be the most challenging?

a. Health care for volunteers.
b. Inadequate in-country representation of the agency that manages the program.
c. Inadequate housing for volunteers.
d. Developing clear ways for measuring performance against the statutory objectives.

A

Solution: d

a. Incorrect. While this is a real risk, the program can, and did, assign medical staff to the foreign countries.
b. Incorrect. Justifying budget resources can present a challenge, but that problem is not unique to this government program.
c. Incorrect. Finding adequate housing is a problem, but onsite pre-approvals and monitoring are available options.
d. Correct. The broadness of the objectives, and the frequent difficulty of gathering sufficient, reliable, relevant information, make it hard to assess achievement of objectives.

14
Q

The internal environment of the enterprise risk management (ERM) framework and the control environment of the internal control framework provide positive contributions to the governance process and organizational performance. What is not one of the applications of the frameworks to achieve an organization’s goals?

a. A board of directors is given authority to define the controls required to execute the strategy.
b. ERM is applied to strategy setting to identify and mitigate risks to strategy.
c. Internal control addresses the risks identified and provides assurances that strategy can be met.
d. One principle of both frameworks is the establishment of boundaries that delineate the roles and responsibilities of the board and management.

A

Solution: a

a. Correct. The board of directors does not define the controls. The board demonstrates independence from management and exercises oversight of the development and performance of internal control.
b. Incorrect. When strategic planning is integrated with ERM and includes internal control, it deals with alternative risk responses to achieve value as part of the governance process.
c. Incorrect. Risk reduction is a goal of internal control, which assures management and the board that the organizational goals are being met.
d. Incorrect. The internal environment component of the ERM framework and the control environment principle of the internal control framework both articulate the importance of boundaries between board and management in the context of managing risks.

15
Q

OWA, Inc. wants to determine the optimal scope and scheduling of its IT risk assessment. What is the most efficient sequence of pre-assessment planning activities?

I. Define the impact values of operational threat scenarios to OWA.
II. Determine the vulnerability of OWA’s hardware and software to hacker exploits or internal abuse.
III. Identify the data that affect OWA’s ability to be a safe and reliable source of water, and determine the criticality of the confidentiality, integrity, and availability of each class of OWA data.
IV. Identify where and how critical data are stored, transmitted, and processed.
a. III, I, II, and IV.
b. I, III, IV, and II.
c. III, IV, II, and I.
d. II, IV, I, and III.

A

Solution: b (I, III, IV, and II)

a. Incorrect. Action III translates the results of action I into the data that must be protected to maintain OWA’s financial sustainability and operational security, so action I must come first.
b. Correct. The first step is to identify and rank the severity of threats to OWA’s ability to continue to serve as part of the nation’s critical infrastructure.
c. Incorrect. Again, one needs to understand all existential threats to OWA first, map those threats to the data that must be protected, identify where those data reside, are acted upon, and travel, and, finally, identify and remediate relevant hardware and software vulnerabilities.
d. Incorrect. Action II is the last step, after identifying existential risks, the type of data that must be protected for OWA to remain viable and secure, and the systems that store, process, and transmit these data.

16
Q

Objectives of the risk management process include all of the following except:

a. To link growth, risk, and return.
b. To act as a reasonable “brake” on strategic growth.
c. To look for ways to take advantage of opportunities.
d. To comply with laws and regulations.

A

Solution: b

a. Incorrect. This is an accepted objective of risk management processes.
b. Correct. This is a common misconception concerning objectives of risk management processes.
c. Incorrect. Again, this is an accepted objective of these processes.
d. Incorrect. Again, this is an accepted objective of these processes.

17
Q

The following are definitions of risk management terms:

I. The amount of risk an organization accepts.
II. The level of risk remaining after treatment.
III. Acceptable variance from appetite.
IV. Overall “picture” of risk across categories.

Match the above definitions to the terms below:

a. I. Appetite. II. Risk profile. III. Residual risk. IV. Inherent risk.
b. I. Appetite. II. Residual risk. III. Risk profile. IV. Risk tolerance.
c. I. Appetite. II. Residual risk. III. Risk tolerance. IV. Risk profile.
d. I. Risk profile. II. Risk tolerance. III. Residual risk. IV. Appetite.

A

Solution: c

a. Incorrect. See definitions in the CRMA Exam Study Guide.
b. Incorrect. See definitions in the CRMA Exam Study Guide.
c. Correct. Aligns with risk management literature.
d. Incorrect. See definitions in the CRMA Exam Study Guide.

18
Q

A nonprofit microfinance organization wants to establish a for-profit subsidiary. Which of the following are the greatest organizational risks that must be assessed before the organization commits to the initiative?

I. Determining whether the organization has the appropriate governance structure to support the proposed expansion in its activities.
II. Determining whether the nonprofit’s existing skill set is transferrable and applicable to the activities of the proposed for-profit subsidiary.
III. Assessing whether the nonprofit’s “Theory X” view of its workforce is appropriate for a for-profit operation.
IV. Assessing whether a for-profit subsidiary is consistent with the values (tone at the top) and strategic objectives of the nonprofit.
a. I and IV only.
b. II and III only.
c. I, III, and IV only.
d. II and IV only.

A

Solution: a (I and IV only)

I. Correct. Determining that sufficient governance exists is essential before the organization can launch a successful for-profit undertaking.
II. Incorrect. Ultimately, the for-profit employee skill set must be aligned with the demands of the new subsidiary, but a strong management team and governance structure will identify and fill skill gaps through training or new hires. Alternatively, management can forego the undertaking if it cannot meet the skill requirements of the for-profit subsidiary by training existing staff or hiring new employees.
III. Incorrect. A Theory X approach translates into a work environment that mitigates risk and maximizes performance using a set of hard controls, but is not inherently consistent or inconsistent with establishing a new for-profit.
IV. Correct. The nonprofit must ensure that establishing the for-profit subsidiary is not out of the scope of its organizational mission and that it will not alienate the nonprofit’s core donor base.

19
Q

CCC has recently separated from its parent company. The CEO recently appointed herself chair of the newly formed board of directors. The board will have responsibility for oversight of strategy, so the CEO believes the role of chair will allow her to make decisions more quickly. She does not believe there has to be a formal documentation and decision-making process. Given this scenario, what are some of the likely key reasons that CCC’s structure may not succeed?

I. As board chair, the CEO can make decisions quickly without the interference of a collaborative decision-making process.
II. Decision-making that is not integrated with risk analysis and a methodical process for providing information that is timely and relevant will not foster transparency to the key stakeholders.
III. Without documentation, the lack of a historical record for experience-based decision-making in the future will limit timely oversight and management accountability.
IV. The organization’s governing body is not being provided with clear decision-making records and is not able to collaborate on strategic oversight.
a. I and IV.
b. II and III.
c. II, III, and IV.
d. I, II, and III.

A

Solution: c (II, III, and IV)

I. Incorrect. Balance of power does not exist when the CEO is also the board chair, which is an ineffective organizational structure.
II. Correct. A reason that the organization’s structure may not succeed is that the CEO is not using a methodical process for decision-making. Transparent decision-making with timely and relevant information is needed to ensure risk oversight by the board.
III. Correct. Without documentation that provides a historical record, future decisions could take longer to make and it will be difficult to hold anyone accountable for risks resulting from bad decisions.
IV. Correct. The board is left in the dark and cannot provide the strategic oversight that can lead to a better decision.

20
Q

After a country significantly increased the budget for its military services, the defense department accumulated “excess” spare parts valued at US $33 billion. Examples included a 14,000-year supply of one aircraft part and 126 sizes of women’s shirts. Which one of the following risk management approaches would likely have had the best chance of avoiding the risk of the large wasteful expenditures?

a. Limiting the budgetary resources approved (and made available) for procuring spare parts, and rigorously monitoring related expenditures.
b. Reducing the number of spare part items managed by each item manager, thereby reducing their individual workloads.
c. Improved and updated methods of computing valid requirements for spare parts procurement.
d. More reliable and current information on existing spare parts for decision-makers.

A

Solution: a

a. Correct. If the agency has more budgetary resources than needed, it would likely use resources wastefully for fear of having next year’s budget decreased.
b. Incorrect. This action may help to make better procurement decisions, but not as directly as A.
c. Incorrect. Again, this action may mitigate procuring unneeded parts over time, but option A is more direct.
d. Incorrect. This action may also mitigate unneeded procurements, but the decision-makers may not use the available information.

21
Q

PTP receives 95% of its project funding from donor BD. PTP draws down funds as needed through BD’s letter of credit (LoC) and submits its rationale for the project drawdowns at the end of each quarter. The board of directors directs PTP to broaden its funding base, which PTP does using existing BD funds. An external audit discovers that PTP has used program funds to solicit new donors. As a result, BD terminates the LoC and PTP goes out of business. Which of PTP’s deficiencies was the least critical threat facing PTP?

a. The policies and procedures for the use of the LoC, which allowed PTP to draw down funds as needed but not report until the end of the financial quarter.
b. No findings reported by the external auditor. Whether these accounting irregularities were the result of intentional fraud or honest mistakes, the external auditor should have been fluent in BD’s contractual requirements and flagged the misallocation of expenses.
c. Senior management and the board were so focused on the risk of PTP’s reliance on BD funding that they failed to explore the risks associated with its efforts to find other funding. Consultation with program managers and contract specialists would have made the board aware that it could not fund its exploratory efforts using BD program funds.
d. Senior management and the board failed to ensure that the three lines of defense in risk management were operational.

A

Solution: a

a. Correct. Even though the ability to access funds as needed and report later is akin to “shutting the barn door after the horse got out,” had the three lines of defense and external audit functioned appropriately, PTP would not have been able to misuse the LoC.
b. Incorrect. A thorough examination and report by the external auditors would have been especially important given the lack of internal audit and PTP’s requirements to report to its major donor, BD.
c. Incorrect. Consultation with program directors (the first line of defense) would have made the board and executive team aware that it could not fund its exploratory efforts using BD program funds. Operational management, as the “owners” of the contracts, should have known, for example, that while certain program development costs such as proposal preparation were allowable overhead, other development activities such as fund-raising, direct mail, and travel to non-program sites were not allowable uses of BD program funds.
d. Incorrect. PTP’s lack of a three lines of defense risk management structure proved to be a critical contributor to its failure.

22
Q

A charitable organization that provides shelter to the homeless is defining its value drivers. Which one of these is not one of its primary activities in Porter’s Value Chain model?

a. Operations—all the main activities that are needed to create the service or product, such as finding and providing shelter and food.
b. Client intake—the activities that are performed to identify the clients in need and bring them to the shelters.
c. Social work—including counseling the clients.
d. Grants administration—the writing and securing of grants to fund the charity.

A

Solution: d

a. Incorrect. Primary activity that has a direct bearing on adding value; operations requires skills and resources to deliver its products and services.
b. Incorrect. Primary activity that has a direct bearing on adding value; client intake requires skills in assessing and selecting the right clients.
c. Incorrect. Primary activity that has a direct bearing on adding value; social work requires qualified training and special skills.
d. Correct. Grants administration is a support activity that facilitates the primary activities that serve the clients directly

23
Q

A corporation staffs its foreign sites with its own country’s employees (two to four years) and local employees (longer). Local employees who separate voluntarily are entitled to a lump-sum payment to be computed under a clear agreement between the local employees and the corporation. Yet, separating local employees are being paid 40% more than in the agreement. Rank the risks that likely led to overpayments.

I. The computation method is not well understood.
II. The employee who makes the computations is deliberately increasing the amount in exchange for kickbacks from local employees, or a personal belief that the local employees “deserve” more.
III. The supervisor(s) of the individual who computes and makes separation payments was not adequately reviewing the computations and payments.
IV. The comptroller is exhibiting an impoverished management style over local employees.
a. III, IV, II, and I.
b. I, II, III, and IV.
c. IV, III, II, and I.
d. II, IV, III, and I.

A

Solution: a (III, IV, II, and I)

a. Correct. The computation method is likely well understood, so the other three (II, III, IV) are ranked higher.
b. Incorrect. Again, the computation is likely well understood, so this is not the most likely sequence.
c. Incorrect. Risk IV implies that the comptroller has an overall impoverished style; not only one weakness is identified—but likely a pervasive style that had a negative effect on all supervisors’ attitude on control.
d. Incorrect. Considering risk II first tends to point a finger prematurely at the individual who does the computations

24
Q

A biomedical company is marketing its new protocol to treat early-stage cancer. Absent the new treatment, a patient’s risk of the cancer recurring is 80%; with the treatment, the risk of recurrence drops to 2%. In risk management terms, the situation before treatment is called [fill in the blank] and the patient’s prospects after treatment are called [fill in the blank]:

a. Inherent risk and risk tolerance.
b. Inherent risk and residual risk.
c. Risk profile and risk tolerance.
d. Risk-aware and risk-managed.

A

Solution: b

a. Incorrect. “Inherent risk” is correct as it is the level of risk in the absence of any response, but “risk tolerance” is incorrect in this scenario because it is the “acceptable variance from risk appetite.”
b. Correct. This is the proper usage of both “inherent risk” and “residual risk,” which is “the level of risk remaining after a risk treatment.”
c. Incorrect. “Risk profile” is the overall picture of risk across a range of categories. “Risk tolerance” is also applied incorrectly as stated above.
d. Incorrect. These terms refer to levels of organizational risk maturity.

25
Q

Porter’s Five Forces model is widely used to determine the degree of marketplace rivalry. Which of the following is not a factor in Porter’s model?

a. The bargaining power of suppliers and their ability to dictate prices and keep customers locked into their offerings.
b. The threat of substitute products or services becoming available.
c. Government regulations or incentives that influence the ability to introduce a competing product or service into the market.
d. The bargaining power of customers and their ability to dictate prices or switch suppliers

A

Solution: c

a. Incorrect. The power of suppliers is a key factor in the Five Forces model
b. Incorrect. The threat of substitute products or services entering the market is a key factor in the Five Forces model.
c. Correct. While organizations should address the needs and expectations of the government and regulators, these are not explicit factors in Porter’s rivalry model.
d. Incorrect. The power of customers is a key force in Porter’s model

26
Q

Recently a large nonprofit organization performed a risk assessment to identify the top risks to achieving strategy. The risk assessment identified that the organization does not have a good grasp on what its core capabilities are, which may protect it from external funding competition. Core capabilities are best defined as:

a. An organization’s unique range of products and services, resources, and processes.
b. A mechanism by which employees are trained and given roles they can best perform.
c. The translation of services and products into a cost that customers are willing to pay.
d. The physical assets and systems that can be transformed into value for the organization.

A

Solution: a

a. Correct. Core capabilities arise from the organization’s unique range of products and services; its resources, including time, people, systems, and capital; and its processes.
b. Incorrect. When employees are in roles where they have the skills to perform, this is the core capability of the employees.
c. Incorrect. An organization will deliver products and services at a cost perceived to be their value, and value is driven by core capabilities. Cost is not driven by value alone.
d. Incorrect. Physical assets and systems are only two of the capabilities that add value to an organization. Others include capital, time, processes, and people

27
Q

Literature and guidance recognize primary stakeholders and three lines of defense for operational and effective risk management as follows:

I. Internal auditors’ assurance.
II. Operational management.
III. Senior management and governance body.
IV. Risk management and compliance functions.
Which is the correct hierarchy of the above four elements?
a. I, II, III, and IV.
b. III, II, IV, and I.
c. IV, III, II, and I.
d. IV, I, III, and II.

A

Solution: b (III, II, IV, and I)

a. Incorrect.
b. Correct. This is the only option that is consistent with IIA guidance.
c. Incorrect.
d. Incorrect

28
Q

A software company, MIB, wants to increase sales of its products in a market segment. It conducts stakeholder analysis and categorizes potential customers according to their awareness of MIB’s software and their ability to influence purchasing decisions. Which types of stakeholders should MIB target for its new marketing and sales campaign?

a. Apathetics.
b. Latents.
c. Supporters.
d. Promoters

A

Solution: b

a. Incorrect. While MIB could increase apathetics’ awareness of its offerings, apathetics are least likely to be interested in MIB software and have little power to effect change.
b. Correct. Latents, while they may presently have no particular interest in or awareness of MIB’s products, have the power to influence purchasing greatly if they become interested. MIB’s objective should be to make latents understand that its products will make their company, and thus their careers, more successful.
c. Incorrect. Supporters already have a positive view of the product but can do little to compel their organization to buy the product.
d. Incorrect. Promoters are already keen advocates of their products and they have done what they can to make sure their company buys MIB’s products. While MIB cannot take its clients for granted and must continue to “win” their business, the primary objective of MIB’s new marketing and sales campaign should be to increase awareness and convert folks on the sidelines to becoming active clients. Focusing on promoters would be like “preaching to the choir.”

29
Q

When a supplier does not deliver a product needed for the final manufacturing of a consumer good, the manufacturer is responsible for nonconformance to the delivery timeline. The mitigating activity should focus on the exposure to what type of risk?

a. Emerging.
b. Financial.
c. Third party.
d. Inventory

A

Solution: c

a. Incorrect. Mitigating emerging risk is the focus of strategic risk management.
b. Incorrect. Financial risk will be an effect of the negative event that could result in loss of revenue, but it is not the primary risk to mitigate in the supply chain relationship.
c. Correct. Third-party relationships require risk management processes to control a supplier’s activity or otherwise mitigate by having secondary suppliers in the event a product is not delivered.
d. Incorrect. Inventory levels will be affected if supplier relationships are not managed first

30
Q

A firm operates under a “tall/hierarchical” organizational structure. The only employees with information security (InfoSec) technical expertise are in the IT department. The risk manager has completed a review with business units to update its InfoSec policy. What is the most effective approach for developing effective InfoSec procedures consistent with the firm’s strategic vision?

a. Solicit input from each business unit regarding the resources required to implement the InfoSec risk management policy.
b. Emphasize the importance of information security in obtaining the strategic business and risk management goals of the company.
c. Task the information security department with writing enterprise-wide procedures because they are the technical experts.
d. Develop different sets of procedures that are consistent with overarching InfoSec policy yet tailored to the different needs and responsibilities of the various business units.

A

Solution: d

a. Incorrect. Identifying resources necessary to implement InfoSec’s risk management policy should be part of the firm’s strategic planning and budget processes, but the business units are not always capable of translating InfoSec policies into technical procedures.
b. Incorrect. Articulating the importance of InfoSec to achieve business objectives is a key element of policy, not procedure. It is true, however, that procedures must be in alignment with policy, and employees’ full understanding of policy can promote compliance with resulting procedures.
c. Incorrect. The company’s technical expertise will be most germane for its own operations, i.e., the testing, monitoring, and remediation of systems and application vulnerabilities. However, the operating units will need procedures focused primarily upon access control, password management, working remotely, and use of wireless and personal technology devices. These types of procedures would be best defined by the risk management department because it has a more holistic view of primary stakeholders’ and operational managers’ needs to balance security with availability and continuity of operations.
d. Correct. This is the most effective approach, especially given the “tall/hierarchical” organizational structure, which is marked by high vertical differentiation and high degrees of vertical specialization as well as a clear demarcation of roles and responsibilities by teams. This approach does not burden operating units with procedures that are not germane to their operations and thus relevant procedures are more likely to be remembered and used consistently

31
Q

Below are characteristics of common ways to subdivide entities:

I. Finance, marketing, research, etc.
II. Product lines, geographic regions, customers, etc.
III. Cross-functional teams.
IV. Teams with various focuses.
V. Organizations joining together in common objectives.
Match these characteristics to the terms below:
a. I. Matrix. II. Functions. III. Networks. IV. Divisions. V. Teams.
b. I. Functions. II. Divisions. III. Matrix. IV. Teams. V. Networks.
c. I. Divisions. II. Functions. III. Matrix. IV. Teams. V. Networks.
d. I. Functions. II. Divisions. III. Networks. IV. Matrix. V. Teams.

A

Solution: b

a. Incorrect. Characteristics and terms are not aligned.
b. Correct. Characteristics and terms are aligned.
c. Incorrect. Characteristics and terms are not aligned.
d. Incorrect. Characteristics and terms are not aligned

32
Q

In a government contract, the prime contractor who is awarded the contract assumes all the risks associated with delivery and performance of the government’s requirements. Prime contractors carve out performance and delivery to third parties, known as subcontractors. What is the most effective activity to manage the risks in a subcontractor arrangement?

a. Create checklists that will make the subcontractor aware of its responsibilities.
b. Execute an agreement between the prime and subcontractor that flows down the terms and conditions of the government’s requirements.
c. Require weekly reports and meetings between the prime and subcontractors.
d. Have the subcontractor manage the government’s requirements and the prime contractor provide administrative and contract support

A

Solution: b

a. Incorrect. Checklists are a quality control process.
b. Correct. A formal agreement confirms responsibilities, deliverables, timelines, authority, and controls, thus sharing the risks with the third party.
c. Incorrect. Effective communication is critical in a third-party relationship, but it is not the best way to manage the risks.
d. Incorrect. The prime contractor is liable for all risks associated with the contract and should manage the requirements with direct involvement.

33
Q

Two partners rush to launch an Internet services firm using their own funds rather than waiting to secure investors. They assess risk by analyzing their business pipeline. There is no board of directors. The company wins many contracts but requires ongoing partner capital. After 18 months, one partner, who expected to cash out within a year, refuses to invest further and the partners sell the company at a significant loss. Which of the following factors were the two most significant drivers of the startup’s collapse?

I. The decision to launch the firm by self-funding; if the partners had waited until it secured investor financing, they would have had the cash flow to weather downturns in business and could have hired more staff to develop new business.
II. The partners’ failure to establish and articulate their risk appetite and tolerance before launching the firm.
III. The lack of a board of directors.
IV. The firm’s “produce or perish” management style as articulated by Blake and Mouton.
a. I and II.
b. II and III.
c. III and IV.
d. IV and I.

A

Solution: b (II and III)
I. Incorrect. While the probability of success may have been improved with the advantages of investor capital and expertise, a self-funded firm could have flourished. The partners should have assessed their appetite for future financial injections into the firm and should have adopted a continuous risk management approach throughout the life of the business.
II. Correct. Defining risk appetite is a formal starting point for risk management, which the firm never developed. Risks are about the future and not about the present; relying solely on business pipeline analysis does not provide a comprehensive analysis of internal and external threats to a firm’s competitive positioning.
III. Correct. A board of directors could have contributed much-needed connections as well as insight into the ways to finance and operate the company so that the partners could meet their goal of selling the company quickly.
IV. Incorrect. We do not know the culture and the effect it had on employees. While the firm’s culture could have become produce or perish because of failures stated in II and III, the culture would have been the product, not the driver, of risk management failures.

34
Q

Recently Interlock, Inc. was informed by an outside consultant that 63% of its current workforce that conducts day-to-day functions of one of its operational areas is set to retire in the next three years. The consultant recommended workforce planning that identifies critical skills to meet future needs, defines skill gaps, and considers succession planning. However, Interlock, Inc. has not created a workforce plan to manage retirements or hire staff with needed skills. What are the necessary steps that Interlock, Inc. can take to address staffing risks?

I. Develop a succession plan that identifies workforce needs and addresses future program goals.
II. Wait to see where the largest gap will occur once the workforce begins to retire and then make decisions about where to align human capital and budget considerations.
III. Conduct a risk assessment to anticipate the areas where critical skills are needed most to address emerging risks.
IV. Develop strategies that address gaps in the number, skills, and competencies of staff.
a. I and II.
b. I, III, and IV.
c. I and III.
d. I, II, and III.

A

Solution: b (I, III, and IV)
I. Correct. Development of a succession plan that is predicated on the actions in III and IV is a crucial element of risk management.
II. Incorrect. Interlock will not be proactive in addressing workforce risks if it takes a “wait and see” approach.
III. Correct. Conducting a risk assessment will help Interlock develop mitigation strategies to address workforce gaps.
IV. Correct. Developing strategies that address these gaps is critical for workforce risk management.

35
Q

What is the difference between risk appetite and risk tolerance?

a. Only risk appetite can be expressed as the product of likelihood and impact.
b. Risk appetite is a higher-level statement expressing levels of risks that management deems acceptable, while risk tolerance sets the acceptable level of variation from particular objectives.
c. Risk appetite is tactical and operational, while risk tolerance is a broad statement of an acceptable enterprise-wide portfolio of risk.
d. Risk tolerance is an acceptable variance from risk capacity.

A

Solution: b

a. Incorrect.
b. Correct. For example, a company that says that it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from a particular product or sales channel to decline by more than 10%, it is expressing tolerance.
c. Incorrect. The definitions are reversed. Risk tolerance is tactical and operational.
d. Incorrect. Risk tolerance is an acceptable variance from risk appetite

36
Q

To ensure compliance with regulations on conflict minerals, an organization’s risk management strategy for its supply chain should include which of the following?

a. A written code of conduct and business ethics policy.
b. Transparency in the manufacturing suppliers that extends all the way down the supply chain.
c. A memorandum of understanding that binds the supplier to the manufacturing distributor.
d. Manufacturing several sources of the mineral products.

A

Solution: b

a. Incorrect. A written code of conduct and ethics statement will not guarantee compliance nor ensure integrity in third-party activities.
b. Correct. A framework for compliance that includes transparency through the supply chain will better enable companies to identify risks with all the suppliers in the mineral sourcing chain and identify whether products contain conflict minerals.
c. Incorrect. A memorandum of understanding will not guarantee that companies will comply with the regulations. A broad risk management framework is needed that includes a memorandum of understanding or other contractual agreements to identify how compliance will be monitored.
d. Incorrect. While manufacturing several of the components needed in a product’s supply chain can lead to efficiencies and cost savings, it will not alone manage the compliance risks with mineral suppliers.

37
Q

In a period of great civil unrest about economic decline and perceived disparities, a national government established an antipoverty program with fixed amount grants to cities. Two broad provisions of the national law received much attention: funds were “to improve the conditions under which residents live, learn, or work,” and “maximum feasible participation of the areas and groups served” was required in implementation of activities. Using current concepts, which of the following are valid observations?

I. The program includes an unlimited risk appetite.
II. An expected risk would be difficulties choosing activities and agreeing on meaningful performance measures.
III. Due to the importance of the program, political risks are likely to be minimal.
IV. The antipoverty program’s eventual success will be largely dependent on whether the external environment had been appropriately considered.
a. I, II, III, and IV.
b. I and II only.
c. III and IV only.
d. II and IV only.

A

Solution: d (II and IV only)
I. Incorrect. Grants are limited to specific amounts approved.
II. Correct. Determining the appropriate activities and programs to fund and agreeing on meaningful performance measures are critical success factors for the initiative.
III. Incorrect. When citizens are given more power, there will likely be more political conflict.
IV. Correct. If the environment is misunderstood, the success of the antipoverty program will be in jeopardy.

38
Q

In risk management, the acronym PESTEL refers to __________ and stands for __________:

a. An organization’s risk culture: Pervasive, Enabled, Stakeholder-focused, Ethical, Linked to strategy.
b. An organization’s capabilities or competitive environment: Processes, Employees, Systems, Technology, Entrepreneurship, Leadership.
c. A means to evaluate the external drivers and trends affecting an organization: Political, Economic, Social, Technological, Environmental, Legal.
d. An organization’s legal and organizational structure: Private vs. public, Employee-owned, Subject to regulation, Taxable, Equity, Liability for losses

A

Solution: c

a. Incorrect. Although risk culture is defined as “the prevailing attitude and approach to risk,” these would be desirable elements of risk culture.
b. Incorrect.
c. Correct.
d. Incorrect.

39
Q

A condominium association has 125 members and an elected board. Two studies have concluded a major, costly renovation project is needed, and governing documents require a vote by owners. The vote outcome is in doubt due to the board’s lack of enforcement of rules and alleged favoritism of board members. Which board action will likely be the most powerful catalyst to obtain owners’ approvals?

a. Newsletters and door-to-door marketing campaign.
b. A preliminary survey(s), before moving ahead, to judge the likelihood of majority approval.
c. Distribution of all detailed specifications of renovation.
d. Issuance and distribution of a new or enhanced code of ethics and value statement for the board.

A

Solution: d

a. Incorrect. The risk to a vote of approval is more about trust of the board than advocacy of this project.
b. Incorrect. This tactic could “backfire” as owners may feel “pressured.”
c. Incorrect. Details of the corrective action are not as important as getting community agreement on the legitimacy of the need.
d. Correct. Overcoming the past history, and thus getting members to trust the board, is critical

40
Q

The IT department of a membership association has been asked to implement a pricing solution to assist in pricing the spices the member firms produce for sale for its food kits for overseas deployment. Multiple member firms have manufacturing and production plants for the spices, each with its own costing elements. The government is rejecting many of the member firms’ proposals for spices because it cannot understand the rationale behind the pricing. The COO of the association believes that if a single pricing system is used by all the member firms, then the pricing will be more consistent and more understandable. The COO’s decision is not based on a critical decision-making process. What are the outcomes that can be expected if a single pricing system is put in place without critical analysis?

a. The problem is identified; however, the intended goal is not the right one, and the final decision is not the right solution.
b. The problem is identified, the right information is collected, and the available options are analyzed.
c. The relevant factors are identified before the new pricing system is implemented.
d. The cost for implementing a single pricing system will be far less than the cost of the lost opportunities in sales to the government

A

Solution: a

a. Correct. While the problem of inconsistent and poorly understood pricing was identified, the best goal may not be to have uniform pricing; it could be any other goal such as lean manufacturing, supply chain management, or consolidating production to regional plants, any of which could help streamline pricing and bring more transparency.
b. Incorrect. The COO’s decision did not bear any additional options for the IT department to analyze.
c. Incorrect. The decision did not include any analysis of relevant factors to understand the root cause of the problem and find the optimum solution.
d. Incorrect. There was no cost-benefit analysis performed and this conclusion cannot be made

41
Q

The way that an organization structures itself can contribute to its culture of risk management. There are many different types of structures from which to choose. If a firm is reorganizing to better align its staff and strategic objectives, what would be one of the benefits of a hierarchical structure?

a. Culture that fosters innovation.
b. Shorter chains of command.
c. Clear demarcation of roles and responsibilities by teams and individuals.
d. Decentralized control.

A

Solution: c

a. Incorrect. Hierarchical structures tend to have a risk of lower innovative cultures.
b. Incorrect. Shorter chain of command is a benefit of a flat organizational structure.
c. Correct. Organizations wishing to create structures with high degrees of specialization and easily understood roles and responsibilities tend to implement hierarchical teams and chains of command.
d. Incorrect. Hierarchical organizational structures tend to have centralized control and management lines

42
Q

Telegiant financed acquisitions using its own stock. When the telecom market sank, management resorted to non-GAAP accounting methods to project profitability. Investigators later discovered that Telegiant’s assets were inflated by billions of dollars. Telegiant filed for Chapter 11, the CEO was convicted of fraud, and investors also sued Telegiant’s external auditor. The external auditor settled out of court. What were the two most significant risk factors that enabled the fraud?

I. Failures in governance, as documented in the “Report of Investigation” prepared for the Federal Bankruptcy Court that included a lack of effective checks and balances on the power of senior management.
II. Telegiant’s overreliance on stock-based, rather than cash-based, financing of its acquisitions.
III. Insufficient federal regulations regarding the preparation, reporting, and retention of financial statements and records of publicly traded companies.
IV. Failures of scope and possibly integrity of external audits.
a. I and II.
b. II and III.
c. III and IV.
d. I and IV.

A

Solution: d (I and IV)
I. Correct. In fact, such failures in governance are fertile ground for fraud.
II. Incorrect. If Telegiant operated with adequate governance and thorough external auditing, the risks associated with stock-based financing could have been mitigated or detected earlier.
III. Incorrect. Similar scandals in the past resulted in comprehensive regulations on the preparation, reporting, and retention of financial statements and records of publicly traded companies.
IV. Correct. The external auditor should have been more diligent, especially given the deteriorating strength of the telecommunications sector and Telegiant’s reliance upon stock-based acquisitions. The auditor’s settlement was widely viewed as an admission that the evidence against the auditor was very damaging.

43
Q

In making a decision on a major capital investment, the technique most likely to be used by a business would be:

a. The 80-20 rule.
b. Cause and effect.
c. Chunking.
d. Cost-benefit analysis

A

Solution: d

a. Incorrect. The 80-20 technique points the focus away from the “trivial many” to the “vital few.”
b. Incorrect. Cause-and-effect analysis diagrams possible causes and assesses relationships, looking for the cause of a known problem.
c. Incorrect. Chunking is related to a “series of decisions,” as opposed to a single decision.
d. Correct. Cost-benefit analysis is common in choosing among several high-cost and complex alternatives.

44
Q

When Solid Financial Group (SFG) reported financial and investment losses of US $30 million, the shareholders filed a suit claiming that SFG’s board failed to provide oversight of its investments and financial decisions and breached its fiduciary duty of care. Which of the following facts may be relevant to claim that the board did not breach its fiduciary duty?

a. SFG’s CEO was the board chair.
b. The external auditors failed to address obvious concerns like large risk derivatives that were not hedged.
c. The company’s ethics and compliance programs were not assessing risks effectively.
d. After the losses, SFG replaced its board members with new directors who possessed expertise in finance and investments.

A

Solution: d

a. Incorrect. When the CEO is the board chair, it can be an ineffective organizational structure, but it does not indicate that the board breached a duty of care for fiduciary responsibility.
b. Incorrect. The board is not held accountable for not questioning the procedures of the external auditors.
c. Incorrect. The court did not believe it should second-guess a director who says he or she believed the compliance and ethics programs were adequate.
d. Correct. The previous board was not made up of experts in investments or finances. Thus, the court’s opinion was that the board did not act with actual or constructive knowledge that its inaction would harm the corporation.

45
Q

Motown Motors (MM) recently recalled 6 million cars due to faulty third-party ignition switches that were linked to 13 deaths. For more than a decade, MM decided against a very inexpensive switch upgrade and continued to use the vendor’s ignition switches even though they did not meet MM’s performance specifications. A growing number of lawsuits ensued and MM’s stock sank due to heavy media attention, congressional inquiries, and a Department of Justice criminal investigation. The most significant risk management lesson to date from the MM recall is:

a. An organization that ignores or mistreats its external stakeholders does so at its own peril.
b. Reliance upon third-party vendors results in unacceptable levels of residual risk.
c. MM failed to develop an ethical organizational culture that guided its strategic planning and daily operations.
d. Cost-benefit analysis is an ineffective decision-making technique, as demonstrated in GM rejecting a 57-cent fix for the ignition switches

A

Solution: a

a. Correct. MM cannot escape the effects of private lawsuits, congressional and Department of Justice inquiries, and extensive media coverage on its reputation and financial health.
b. Incorrect. While third-party vendors can introduce elements of inherent risk, the residual risk can be reduced so that it falls within an organization’s risk appetite. MM ignored even the most basic elements of risk management by accepting parts that did not even meet its own standards.
c. Incorrect. While an ethical culture is of paramount importance to risk management, until internal and external investigations prove otherwise, it is premature to conclude that a failure of culture caused MM’s problems.
d. Incorrect. Cost-benefit analysis is just a decision-making tool. How MM chose to use the cost-benefit results could be evidence of a flawed ERM culture and strategy