Domain II - Principles of Risk Management Processes Flashcards

1
Q
A ministry of health wants to assess its ability to respond to an outbreak of cholera. The ministry assesses the inherent risks associated with cholera and with different scenarios under which an epidemic might unfold, such as an earthquake or a severe weather event. Which risk criteria best describe the ministry’s expanded “terms of reference against which the significance of risk is evaluated?”
I. Volatility.
II. Correlation.
III. Velocity.
IV. Interdependency.
a. I and IV.
b. II and IV.
c. II and III.
d. III and IV.
A

Solution: c (II and III)
I. Incorrect. Volatility refers to situations in which conditions vary greatly and therefore make it
harder to predict the likelihood of a given event. The ministry is controlling its risk variables by
accounting for different scenarios.
II. Correct. The ministry uses correlation analysis to determine both the increased impact and
likelihood of a cholera outbreak due to weather or natural disaster-related disruptions to the
food supply and emergency medical intervention.
III. Correct. The ministry’s primary objective is gauging risk velocity as it measures how much time
it will have between the trigger events and the impact or onset of cholera.
IV. Incorrect. While interdependency is similar to correlation in that it “relates to the connection of
two or more risks,” interdependency relates to the “mutual dependency of risks precipitating new
and potentially unexpected risks.” The ministry is focusing on how its ability to respond to a
cholera outbreak will vary under different geological and weather scenarios.

2
Q
HAL, a leading software and hardware vendor in the private sector, is weighing the pros and
cons of expanding into the public sector. Which are the most appropriate terms to describe
the risks that HAL is evaluating?
I. Speculative risk.
II. Market risk.
III. Enterprise risk.
IV. Technology risk.
a. I and II.
b. I and III.
c. II and IV.
d. III and IV.
A

Solution: b (I and III)
I. Correct. “Risks that can be exploited for gain can be called speculative risk (or upside risk or
opportunity).”
II. Incorrect. Market risk relates to changes in the value of the stock (share price).
III. Correct. Enterprise risk is a business risk associated with selecting and undertaking business
activities.
IV. Incorrect. Technology risks are those that new technology brings to all aspects of activity. HAL
faces technology risks regardless of whether it remains focused on the private sector or expands
to include the public sector.

3
Q

The state assembly decrees that the state’s Pension Investment Division (PID) must divest of
all holdings related to a certain country. Soon after, the financial markets soar on unexpected
predictions of a dramatic economic recovery. In response, PID sells large positions of its
portfolio at a premium and covers its losses from the mandated divestiture. According to the
bowtie diagram analysis methodology, what two terms best describe the risk factors leading
to the sale?
I. Consequence.
II. Trigger event.
III. Risk event.
IV. Intermediate event.
a. II and IV.
b. I and III.
c. I and II.
d. III and IV.

A

Solution: a (II and IV)
I. Incorrect. The consequence—the PID’s profits covering its losses—occurs after the risk has
materialized.
II. Correct. Trigger event is the correct term for the divestment mandate.
III. Incorrect. The risk event is the PID’s decision to sell.
IV. Correct. The intermediate events were the unexpected predictions for a long-sought upturn in
the economy.

4
Q

An advertising agency that has experienced steady growth for a decade gathers its staff
together for a control risk self-assessment (CRSA) and identifies the following top concerns:
I. Heavy reliance on “legacy” (former) clients rather than cultivating new clients.
II. High staff turnover. Only the CEO and the award-winning creative director have been with the
firm since inception.
III. Effects of the economy on each business sector they serve.
IV. The firm’s new focus on a global, rather than a regional, market.
Which of the above risks represents a potential single point of failure?
a. Risk I.
b. Risk II.
c. Risk III.
d. Risk IV.

A

Solution: b
a. Incorrect. Business development needs to be addressed but is not a single point of failure. The
agency can implement a business development plan to address this issue in the time frame
necessary.
b. Correct. The critical human capital asset is the firm’s creative director, both in terms of talents
and relationships with clients. If the creative director leaves, the agency will lack the key talent
that differentiates it from its competitors.
c. Incorrect. This is an ongoing risk that should be addressed by the agency as changes in the
economy warrant.
d. Incorrect. This is an ongoing risk that should be addressed by the agency but is not a single
point of failure.

5
Q

Two real-estate investment partners are assessing the relative risks of a prime property in Los
Angeles, California, and a comparable property in a similarly vibrant area of Brooklyn, New
York. One partner discounts heavily the value of the Los Angeles property because of the
potential for earthquake damage. The Los Angeles-averse partner is most likely influenced by
which element of risk management analysis?
a. Risk psychology.
b. Risk prioritization.
c. Risk severity.
d. Risk response.

A

Solution: a
a. Correct. Risk psychology addresses the perceived level of acceptable risk based on an
individual’s personal perceptions and thus individual risk appetite. Risk psychology also notes
that the “psychological weight” that an individual associates with a risk is based primarily upon
impact and not likelihood, and that the perceived impact is dependent upon one’s ability to
control or intervene in an event.
b. Incorrect. Although one partner may prioritize the risk of an earthquake higher than the other
partner, risk prioritization is an aggregated profile of all risks in the enterprise’s portfolio
consistent with the general attitude of the enterprise.
c. Incorrect. Risk severity measures the “level of the inherent risk, defined as the magnitude of a
combination of risks, expressed in terms of the … consequences and likelihood.” In this
instance, likelihood is (correctly or incorrectly) distorted due to the psychological weight of the
potential impact.
d. Incorrect. Risk response refers to the level of response an enterprise feels is appropriate to take
as a result of a risk materializing.

6
Q

Which of the following is not a benefit of risk mapping and prioritization?
a. The results help an enterprise to better communicate its aggregated risk profile to key
external stakeholders.
b. Ranking risks by their level of severity helps an organization determine the optimal allocation of
resources devoted to risk response or treatment.
c. Risk maps are key graphical representations of the variance in risk appetites across different
divisions within an organization.
d. Helping the enterprise identify how certain risks can offset other risks to ensure that the
enterprise maintains an overall risk profile that remains within risk capacity.

A

Solution: c
a. Incorrect. This is a key benefit of risk mapping and prioritization as external stakeholders are
interested in the overall, not the segmented, risk profile of the organization.
b. Incorrect. This is a key benefit for management that arises from risk mapping and prioritization.
c. Correct. While risk appetite may well vary in different divisions of an organization, the
objective of mapping and prioritization exercises is to compare the overall risk profile against
the total risk capacity of the enterprise.
d. Incorrect. This is a key benefit for management that arises from risk mapping and prioritization.

7
Q

A city comptroller was the sole signatory on the city’s accounts. Over two decades she
embezzled $30 million from the municipality by shifting public funds through multiple city
bank accounts before hiding them in a secret account. Despite regular external audits, her
fraud went undetected until a colleague discovered the secret bank account. What are the
most likely reasons that this fraud was perpetuated over such a long time?
I. Incomplete understanding of the risk conditions leading to a faulty risk response mechanism.
II. The cost of treating the risk to keep the level within appetite outweighed the benefits gained
from treating the risk.
III. Inadequate directive controls.
IV. Inadequate preventative controls.
a. II, III, and IV.
b. I and III only.
c. I and IV only.
d. I, II, and III

A

Solution: c (I and IV only)
I. Correct. Fraud is often considered a low probability/moderately high impact risk and, as such,
the municipality should have considered adjustments to routine operations and other treatments.
Given that the comptroller was in a very powerful position and the only signatory on the
accounts, this risk could also have been elevated to a medium probability risk that required
closer attention. Regardless of the classification, the municipality appears to have tolerated the
risk when it should have treated the risk.
II. Incorrect. Low-cost preventative and detective controls, such as requiring an additional signatory
and having periodic internal reviews of the comptroller’s books, would have been a good
investment, especially compared to the significant loss of public funds and the likely attendant
loss of public confidence in its government.
III. Incorrect. Directive controls, such as accounting manuals, training and supervision, and strategic
plans, encourage desired behaviors and outcomes. While these are valid controls, the
comptroller’s senior position and lack of a co-signer translated into a lack of supervision. These
longstanding conditions left the city vulnerable to fraud. It is unlikely that manuals, training, or
strategic plans would have been strong enough deterrents given the lack of meaningful
preventative and detective controls.
IV. Correct. These are controls designed to stop or limit the possibility of an undesirable event from
happening. Key examples are segregation of duties, access controls, and authorization
procedures.

8
Q

Community Hospital Systems (CHS) set a goal that all patients be seen within 30 days of their
requests. Employees who met the scheduling goal were rewarded with bonuses.
Unbeknownst to senior executives, schedulers were entering fraudulent data into the
scheduling system to disguise the much longer actual wait time. Significant numbers of
patients experienced deteriorating health, and several died before seeing a medical
professional. Which of the following were the primary drivers behind the fraudulent
reporting?
I. A bureaucracy that had been taught over time to hide its problems from senior management.
II. Incomplete or inappropriate reliance on performance metrics.
III. Reducing treatment wait time was an inappropriate operating objective. Therefore, CHS did not
deploy its resources effectively to achieve its strategic objectives.
IV. Lack of alignment between its organizational objectives and risk management processes.
a. I and II only.
b. II and III only.
c. III and IV only.
d. II and IV only.

A

Solution: d (II and IV)
I. Incorrect. The bureaucratic culture should be examined to determine whether it was a factor
contributing to the fraud, but the scenario’s stem does not give us the data to determine whether
this was the case.
II. Correct. CHS placed primary emphasis on the treatment wait time metric and, as a result, the
system did not reward CHS for the quality of its service and outcomes, but rather for metrics that
were easily manipulated.
III. Incorrect. The desire to reduce treatment wait time is not an inherently incorrect operating
objective. The failure to recognize and monitor the risks introduced by its organizational
objectives (IV) and its flawed performance and incentive structure (II) are the primary
conditions that enabled the fraud.
IV. Correct. Achieving alignment between organizational objectives and risk management processes
is key to ERM. CHS failed to recognize and monitor the risks introduced by its organizational
objectives, performance metrics, and reward structure.

9
Q

A summer camp is known for its expertise in wilderness training and adventures. The camp
carries $50 million of liability insurance, and parents of campers must sign liability waivers.
All counselors are certified in wilderness first aid and activity instruction and are required to
undergo periodic refresher training. All campers receive training and must meet stringent
skill and safety requirements before embarking on a wilderness trip. Which two response
options best summarize the camp’s risk response strategy?
I. Avoid.
II. Transfer.
III. Mitigate.
IV. Tolerate.
a. II and III.
b. I and II.
c. II and IV.
d. III and IV.

A

Solution: a (II and III)
I. Incorrect. The activities that give rise to the risks are core to the purpose of the organization.
The camp cannot avoid or terminate these risks.
II. Correct. Both the required liability waivers and the liability insurance covering the camp
apportion some of the risk to a third party.
III. Correct. Ensuring that counselors are highly trained instructors, leaders, and athletes and
requiring that the campers demonstrate adequate preparedness before participating in a
wilderness trip are strong mitigation responses for inherently risky activities.
IV. Incorrect. The option to tolerate or accept a risk is best suited for low-probability, low-impact
risks. The camp correctly assessed that risk levels associated with its core activities require more
proactive responses.

10
Q

The term risk escalation refers to:
a. Risks that have materialized as events.
b. Weaknesses in the internal control system that raise residual risks beyond the limits of the risk
appetite.
c. The increase in an enterprise’s risk profile resulting from previously unknown risks arising from
changes in the internal or external environments or changes to the organization’s objectives and
activities.
d. The process of and procedures for reporting risk incidents up the chain of command.

A

Solution: d
a. Incorrect. This is the definition of “risk incidents.”
b. Incorrect. Still, identification of such weaknesses is a critical component of strong risk
management reporting.
c. Incorrect. This is the definition of an emerging risk.
d. Correct. The purpose of escalation is “partly to keep managers informed of risk incidents as well
as to precipitate implementation of a contingency plan.”

11
Q
Put the following risk identification activities in the proper sequence:
I. Develop initial risk register.
II. Conduct Control Risk Self-Assessment (CRSA).
III. Calculate risk severity.
IV. Define the risk universe.
a. I, II, III, and IV.
b. II, IV, I, and III.
c. II, III, IV, and I.
d. III, IV, II, and I.
A

Solution: b (II, IV, I, and III)
I. Development of the risk register is the third in the series of activities. The risk register documents
the results of risk identification and the definition of the risk universe. It also assigns risk owners
who are responsible for monitoring, responding, and reporting. As risk analyses and evaluations
are conducted, and risk monitoring and response plans are developed, the risk register will also
be updated to incorporate these data.
II. CRSA is a highly structured, participatory approach to identifying risks. A CRSA could include a
variety of risk assessment exercises such as questionnaires, brainstorming sessions or workshops,
and vulnerability assessments. A CRSA or its components would be the first activity in this risk
identification series of events.
III. Determining risk severity is the last step in the series and occurs after risk identification
exercises are conducted or updated.
IV. Defining the risk universe is the second step in the series. Sobel and Reding’s steps to move from
a list of identified risks toward a more detailed articulation of the risk universe include
consideration of the possible outcomes of the risks and defining and grouping risks according to
similar sources, causes, or related impacts.

  1. CRSA
  2. Define the risk universe
  3. Risk register (owners)
  4. Risk severity
12
Q

An information broker, InfoMart, suffered an information security breach that exposed
hundreds of thousands of customers’ sensitive personal information. The breach was a result
of fraud perpetrated by criminals pretending to be legitimate customers. In addition to heavy
fines and redress costs, the company is now on probation subject to 20 years of external
auditing by the Federal Trade Commission. What would be the most important improvement
that InfoMart should make to avoid future breaches?
a. Implement better IT general controls and IT application controls, with special emphasis on
automating controls that force employees to adhere to policies affecting change management
and access rights as well as authentication and authorization of system users.
b. Make the chief information security officer (CISO) responsible for monitoring vulnerabilities in
business processes and IT.
c. Strengthen business processes for vetting customers and their activities and create offices of
customer credentialing, compliance, and privacy that would report directly to the board of
directors’ privacy committee.
d. Eliminate products that contain personal data regarding an individual’s financial assets, criminal
and employment histories, and known associates/family members.

A

Solution: c
a. Incorrect. While strong IT controls are critical elements of risk management, there is no
evidence that the criminals exploited vulnerabilities in IT policies, architecture, or software.
b. Incorrect. While CISOs have come to be regarded as protectors of information, no matter the
threat, the CISO must work in concert with a number of divisions tackling privacy and security
from different angles, such as a corporate credentialing center, a compliance and privacy
division, and internal audit.
c. Correct. InfoMart should create the organizational infrastructure and policies that will allow it
to employ an integrated monitoring and detection defense against fraud.
d. Incorrect. These knowledge services were core to the business’s mission, and the elimination of
these data would be an existential threat to InfoMart.

13
Q

Risk severity is often calculated as a function of likelihood, categorized as “unlikely,”
“possible,” or “likely,” and impact, categorized as “catastrophic,” “disruptive,” or
“problematic.” Using the InfoMart case above and the study guide’s definitions of likelihood
and impact categories, one would most likely assign a likelihood of ___________ and an impact of
___________ to a future InfoMart data breach:
a. Unlikely, disruptive.
b. Unlikely, catastrophic.
c. Likely, problematic.
d. Possible, disruptive.

A

Solution: d
a. Incorrect. Unlikely is defined as “May occur once in a working life, such as premises being
destroyed by fire.” The nature of security threats is that they always evolve and require ongoing
offensive and defensive measures. Realistically, InfoMart can only decrease the likelihood of
another breach to possible.
b. Incorrect. Catastrophic is defined as “requiring nearly all of the management team to focus all of
its attention on responding to the problem such as destruction of main premises or financial
losses that threaten total reserves.” See also the discussion of unlikely in rationale a.
c. Incorrect. Likely is defined as “May occur more than once a year, such as being unable to access
emails.” InfoMart’s responses to its prior data breach should decrease likelihood to possible.
Furthermore, problematic is defined as requiring “a few of the management team to focus some
of its attention on responding to the problem.” Maintaining the integrity of InfoMart’s data
requires that key members of InfoMart’s management continue to focus on an enterprise-wide
response.
d. Correct. Possible is defined as “May occur every few years, such as an industrial action or
terrorist (intruder) incident.” The nature of data security is that data are constantly exposed to
threats, which can, however, be mitigated to within acceptable levels. Disruptive is defined in
part as requiring “some of the management team to focus the majority of their attention to
responding to the problem.” Repeated breaches will weaken InfoMart’s brand as a provider of
reliable data. Key members of InfoMart’s management will need to focus on maintaining the
real and perceived integrity of the data it supplies to its customers.

14
Q

What is the greatest challenge that is unique to conducting and interpreting risk
prioritization exercises?
a. Likelihood and impact are not the only risk criteria that the organization needs to consider.
b. The assumption that different risk criteria (such as likelihood and impact) carry equal weight in
the analysis.
c. Attaching numbers to measures of risk requires a degree of subjectivity and judgment.
d. Risk analysis, evaluation, and prioritization are processes that require regular updates.

A

Solution: b
a. Incorrect. There are other criteria to consider, but analysts can add columns to the matrix to
account for other factors such as volatility and velocity.
b. Correct. For example, a high likelihood multiplied by medium impact comes out with the same
numeric severity score as medium likelihood multiplied by high impact.
c. Incorrect. While subjectivity presents challenges, it can be redressed if practitioners articulate
clearly the parameters associated with a numeric score, especially if aided with examples.
d. Incorrect. Regular review, revision, and updating are essential to all risk management processes
to ensure they are aligned with the organizational context. These requirements are not unique to
conducting and interpreting risk prioritization exercises.

15
Q

According to COSO guidance, the term sweet spot refers to:
a. Identifying and investing the optimal amount of money devoted to risk management.
b. The point at which the aggregate risk exposure of different divisions in an enterprise are
balanced in accordance with overall risk appetite.
c. An enterprise achieving a state in which overall risk profile is equal to its total risk capacity.
d. The point at which an organization’s risk-taking results in the highest net gain in value.

A

Solution: d
a. Incorrect. Optimal risk management requires more than determining the desired amount of
resources devoted to determining, implementing, and monitoring risk and risk responses.
b. Incorrect. While an organization must ensure it has a balanced portfolio of risk that meets the
general risk attitude, having a balanced portfolio is not necessarily sufficient to obtain the sweet
spot. It is possible that an enterprise that has balanced its risks across divisions is nonetheless so
risk averse that it fails to achieve better net results in return for undertaking additional risk
(insufficient risk-taking). Conversely, an organization with a balanced portfolio of risk may have
an overall risk attitude that translates into excessive risk-taking.
c. Incorrect. While this is a goal of risk management, it is not COSO’s definition of the sweet spot.
d. Correct. Furthermore, “finding the sweet spot and manipulating risk to keep it there is the
purpose of risk management.”

16
Q

Review or audit of risk management processes has three primary goals. Which of the following is not one of the three goals?

a. To identify and repair weaknesses and faults.
b. To avoid impugning the reputation of top management.
c. To identify changes in the organization’s objectives and environment and ensure alignment.
d. To determine that the organization is achieving its goals (because risk management is working).

A

Solution: b
a. Incorrect. Identified as a goal in Enterprise Risk Management: Achieving and Sustaining Success
(Sobel and Reding, 2012).
b. Correct. Not identified as a goal by Sobel and Reding.
c. Incorrect. Same as a.
d. Incorrect. Same as a.

17
Q
A corporation uses a risk management plan form that includes a section on methodology
with the following steps:
I. Control risks.
II. Monitor risks.
III. Risk response tracking.
IV. Risk response planning.
V. Prioritize risks.
VI. Risk identification.
VII. Categorize risks.
VIII. Risk impact assessment.
Which is the logical sequence of the above steps?
a. I, II, III, VIII, IV, VII, VI, V.
b. VI, VII, VIII, V, IV, III, II, I.
c. VIII, VII, VI, V, IV, III, II, I.
d. VI, VII, IV, III, II, VIII, V.
A

Solution: b (VI, VII, VIII, V, IV, III, II, I)

a. Incorrect. Illogical sequence, i.e., consideration of risks must precede consideration of controls.
b. Correct. Logical (and found in use).
c. Incorrect. Illogical sequence, e.g., risk identification precedes planning.
d. Incorrect. Illogical, e.g., prioritization cannot be the last step.

18
Q

In a school cafeteria, an employee was accused of stealing $500 a day in cash by operating a
cash only line for a la carte items, without a cash register. The employee was charged with
stealing more than $1 million over 20 years. Effective monitoring should have identified the
following as red flags except:
a. Large amounts of an asset (cash) with inherent risk.
b. Absence of a cash register in the a la carte line.
c. Lack of monitoring of the ratio of inventory consumption for the a la carte line compared with
the ratio for the four cash receipts lines.
d. Lack of an annual ethics briefing for all employees.

A

Solution: d
a. Incorrect. A commonly recognized red flag.
b. Incorrect. Again, a common red flag, especially when cash is the only form of revenue.
c. Incorrect. This should have been an additional red flag in view of a and b.
d. Correct. It is unlikely that an annual ethics briefing would influence the behavior of a long-term
thief.

19
Q

Some literature and guidance advocates assessing the context as an early step in the risk
management process. In using the term context, what are important considerations?
a. Mapping the social scope of risk management (what are stakeholders facing?).
b. What are the objectives of the stakeholder (financial impact, programmatic impact, other)?
c. What resources are available to mitigate risks?
d. All three of the above are elements of context.

A

Solution: d

a. Incorrect. Option d is best because it is inclusive of the other three options.
b. Incorrect. Option d is best because it is inclusive of the other three options.
c. Incorrect. Option d is best because it is inclusive of the other three options.
d. Correct. Option d is best because it is inclusive of the other three options.

20
Q

An investment company is constructing a complex of four residential rental buildings that
will have more than 100 units. The complex is in a geographic area that has a long rainy
season. Which of the following steps would likely be most essential to monitoring and
mitigating the risk of rain damage?
a. Assuring compliance with local codes during construction.
b. Establish a reserve for capital expenditures, if needed.
c. Monthly inspections by internal maintenance staff and annual assessments by external
engineering firms.
d. Actively encouraging renters to report possible problems.

A

Solution: c
a. Incorrect. Codes may be lax and compliance may be minimal.
b. Incorrect. While it is important to have reserves, the amounts may be insufficient, and this is a
reactive approach.
c. Correct. This would be the most proactive and aggressive approach.
d. Incorrect. This approach is too passive.

21
Q

Risk management processes can fail. Which of the following accurately identifies three
reasons why the processes are prone to failure?
a. All systems will naturally fail; systems designed to solve problems may generate new problems;
complex systems tend to defeat themselves.
b. Systems do not attract systems people; individual interactions squeeze out large systems;
effective systems do not need information.
c. Simple systems are too elemental; individuals are too rigorous in doing what they are supposed
to do; systems are not allowed enough “mission creep.”
d. Issues or problems are changed by the systems that are designed to solve them; systems do not
develop their own goals; complex systems always avoid self-defeat.

A

Solution: a

a. Correct. All three of these are possible reasons.
b. Incorrect. None of these three are possible reasons.
c. Incorrect. None of these three are possible reasons.
d. Incorrect. Only the first of these three is a possible reason.

22
Q

In reporting risk incidents, there is a value in reporting near misses. Which of the following
would not be considered a near miss?
a. A restaurant was bombed by a criminal organization during the hours it was closed.
b. A poisonous snake was stolen from a zoo and taken aboard a crowded city bus, but it was killed
by a policewoman before it could bite any passengers.
c. A tornado warning system was not functioning, but the residents of the area were all attending
church services and not in residences that were struck.
d. Citizens reported a gas leak, but the investigators did not arrive in time to avoid a major
explosion.

A

Solution: d
a. Incorrect. Customers were unhurt.
b. Incorrect. Passengers avoided injury or death.
c. Incorrect. At least fatalities and injuries were avoided.
d. Correct. The ineffective or untimely response allowed property damage, personal injury, or
worse.

23
Q

A national legislature provides authority and foreign aid funds to be spent on constructing
schools in a country that is prone to rebel attacks. The risk of the schools being destroyed is
deemed very high. In this situation, which of the four responses is likely not an option?
a. Avoidance.
b. Transference.
c. Mitigation.
d. Acceptance.

A

Solution: a
a. Correct. A law authorizes this program and provides funds.
b. Incorrect. Partnering countries with similar projects (and thus risks) may agree to join in (share)
monitoring.
c. Incorrect. More creative controls (e.g., aerial videotaping, etc.) might be added.
d. Incorrect. The legislature and the president may be willing to accept some risk.

24
Q

A manufacturing firm with a range of locations and products is hierarchical. For 10 years,
clear but detailed criteria were used to report up through many layers. Due to voluminous
reporting, the firm simplified the criteria allowing judgment so that only a very few risks get
to the top. Some managers are concerned that the revised system may not be effective. What
would you suggest?
a. Revert to the old system, because important risks might be missed.
b. Continue with the new system to show confidence that managers’ judgments at all levels are
trusted at the top.
c. Start over with a completely new third approach.
d. Involve managers in developing a hybrid of the old and revised systems.

A

Solution: d
a. Incorrect. The old system had information overload and did not sufficiently separate the more
serious risks from the lesser ones.
b. Incorrect. It appears that important risks may not be identified at a high enough level to get
attention.
c. Incorrect. Starting over may be inefficient and does not take advantage of years of experience.
d. Correct. This approach takes full advantage of years of experience and involves a wide range of
managers.

25
Q

A corporation has 10 regions and offices in 90 countries. The firm annually assesses risks on
an entity-wide basis. Broad guidance is sent from the corporate level, but wide latitude is
permitted in the field—from very informal to very structured, with no requirement for
documentation. What is needed?
a. The corporate office should establish a consistent approach.
b. Every office needs supporting evidence, and it should be subject to a minimum review process from a higher level.
c. The timing should be clear and the same (or similar) format should be used for input.
d. All of the above.

A

Solution: d

a. Incorrect. Incorporated in option d.
b. Incorrect. Incorporated in option d.
c. Incorrect. Incorporated in option d.
d. Correct. This is consistent with the content in II.B.7 in the CRMA Exam Study Guide.

26
Q

Risk assessment reviews can be qualitative or quantitative. In periodic reviews of risk
management, use of these two types should be taken into account. In this regard, which of
the following statements is true?
a. Quantitative assessment techniques include interviews and workshops.
b. Benchmarking assessment techniques include sensitivity analysis, scenario analysis, and stress
tests.
c. Non-probabilistic models using subjective assumptions include cash flow at risk, earnings at
risk, and back testing.
d. Quantitative assessments are more complex than qualitative assessments but typically yield
more precise measures.

A

Solution: d

a. Incorrect. Interviews and workshops are qualitative.
b. Incorrect. These three models are called non-probabilistic.
c. Incorrect. These three models are called probabilistic.
d. Correct. This is a correct comparison of the two types.

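The distinction tested in question 26, between non-probabilistic models (sensitivity analysis, scenario analysis, stress tests) and probabilistic ones (cash flow at risk, earnings at risk), is easier to see on numbers. The following Python is an added worked example, not part of the original study material or of any CRMA guide; the baseline figures, the shocks, the stress scenario, and the normal distributions assumed for revenue and cost ratio are all constructed for illustration.

```python
import random
import statistics

# Constructed baseline for a hypothetical business unit (illustrative values, not from the page).
BASELINE = {"revenue": 10_000_000.0, "cost_ratio": 0.70, "fixed_costs": 1_500_000.0}


def earnings(revenue, cost_ratio, fixed_costs):
    """Simple earnings model: contribution margin minus fixed costs."""
    return revenue * (1.0 - cost_ratio) - fixed_costs


def sensitivity_analysis(base, variable, shocks):
    """Non-probabilistic: move ONE input by fixed percentages, hold the others constant.
    No likelihood is attached to any shock; the output is a set of what-if values."""
    results = {}
    for shock in shocks:
        params = dict(base)
        params[variable] = base[variable] * (1.0 + shock)
        results[shock] = earnings(**params)
    return results


def stress_test(base, scenario):
    """Non-probabilistic: apply a named adverse scenario (several inputs moved together).
    `scenario` maps an input name to a multiplier, e.g. {"revenue": 0.8, "cost_ratio": 1.05}."""
    params = dict(base)
    for name, multiplier in scenario.items():
        params[name] = base[name] * multiplier
    return earnings(**params)


def earnings_at_risk(base, n=20_000, confidence=0.95, seed=1):
    """Probabilistic: Monte Carlo earnings at risk (EaR).

    Assumed distributions (constructed for this example): revenue ~ Normal(mean, 10% of mean),
    cost ratio ~ Normal(mean, 0.03) clipped to [0.50, 0.95]. EaR is the gap between expected
    earnings and the earnings level at the chosen confidence (here the 5th percentile for 95%).
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    samples = []
    for _ in range(n):
        revenue = rng.gauss(base["revenue"], 0.10 * base["revenue"])
        cost_ratio = min(0.95, max(0.50, rng.gauss(base["cost_ratio"], 0.03)))
        samples.append(earnings(revenue, cost_ratio, base["fixed_costs"]))
    samples.sort()
    expected = statistics.fmean(samples)
    tail_index = int((1.0 - confidence) * n)
    at_confidence = samples[tail_index]
    return {"expected": expected, "at_confidence": at_confidence, "ear": expected - at_confidence}


if __name__ == "__main__":
    print("baseline earnings:", earnings(**BASELINE))
    print("sensitivity to revenue:", sensitivity_analysis(BASELINE, "revenue", [-0.10, 0.0, 0.10]))
    print("stress (revenue -20%, cost ratio +5%):",
          stress_test(BASELINE, {"revenue": 0.8, "cost_ratio": 1.05}))
    print("earnings at risk (95%):", earnings_at_risk(BASELINE))
```

The sensitivity and stress functions return single deterministic figures with no statement of how likely each case is, which is why the flashcard groups them as non-probabilistic. The EaR function instead samples from assumed distributions and reports a percentile, so its answer carries a confidence level; that is also why it is the more complex technique, and why its precision depends entirely on how well the assumed distributions match reality.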
27
Q

A list of common pitfalls in risk assessment would likely not include which of the following?

a. Limiting risk assessment to financial hazards.
b. Oversimplifying risk quantification.
c. Limiting the number of significant risks to be managed.
d. Developing risks in a vacuum.

A

Solution: b
a. Incorrect. Considering only financial risks is a typical pitfall.
b. Correct. The typical pitfall is overcomplicating quantification.
c. Incorrect. Citing too many risks is a typical pitfall.
d. Incorrect. Developing risks in a vacuum and blindly selecting from a generic risk framework are
both typical pitfalls.

28
Q

When assigning responsibilities for monitoring risk mitigation plans, which of the following
criteria is most important?
a. To ensure an independent attitude, monitoring responsibility should be limited to higher levels
rather than at levels where detailed processes occur.
b. Those with monitoring responsibility can generally minimize consideration of cost-benefit
analysis.
c. To properly assess the monitoring process, those doing the monitoring must hear from those
close to the risks/controls.
d. Monitoring should focus on established, not emerging, risks.

A

Solution: c
a. Incorrect. Monitoring must consider levels close to the risks.
b. Incorrect. Cost-effectiveness is generally a key consideration.
c. Correct. Effective monitoring needs to consider detailed levels (i.e., operational, financial, etc.)
where risks/controls have key impacts.
d. Incorrect. Effective monitoring must go beyond previously established risks and also look
forward to those emerging.

29
Q

In considering risk mitigation plans for supply chain management, assume the following four
items are identified and labeled as shown:
I. Government legislation—External risk.
II. Every employee is considered a risk manager—Internal risk.
III. Market volatility—Not considered a risk.
IV. Asset productivity—Internal risk.
Which of the above four items is/are accurately labeled?
a. I and IV.
b. I, II, III, and IV.
c. I only.
d. I, II, and IV.

A

Solution: a (I and IV)
I. Correct. This item is identified in a logical manner that is consistent with authoritative sources.
II. Incorrect. Item II is not a risk but is really a solution.
III. Incorrect. Item III is an external risk.
IV. Correct. This item is identified in a logical manner that is consistent with authoritative sources.

30
Q

A large agricultural firm produces crops that rely on honeybees for cross-pollination to
increase and enhance production. An unknown, uncontrolled disease has killed large
numbers of bees (diminishing crops) and is now moving toward the firm’s fields. What is the
best response to this emerging risk?
a. Acceptance/toleration.
b. Avoidance/termination.
c. Sharing/transference.
d. Treatment/reduction.

A

Solution: c
a. Incorrect. The firm’s crops will suffer greatly, leading to significant economic losses.
b. Incorrect. The firm relies on agricultural revenue and likely would not easily transition to other
types of business.
c. Correct. Bringing in healthy bees from other geographic areas can help, but it can also add
(share) risk to the areas from which the bees were transported.
d. Incorrect. A treatment of the disease is unknown, so no viable treatment exists.

31
Q

What is the most likely reason that an organization may fail in its efforts to implement
enterprise risk management (ERM)?
a. ERM is not uniformly applied across the company and there is not a comprehensive focus on all
key business risks.
b. ERM is not driving everything that management drives.
c. It was not implemented in a discrete time frame, usually 12 months or less.
d. The organization did not adhere to regulatory requirements for ERM use.

A

Solution: a
a. Correct. ERM must be applied with a holistic approach and has to truly be enterprise-wide.
Unless ERM implementation is tightly linked to the assessment and formulation of business
strategy, it is not meeting the COSO requirements.
b. Incorrect. ERM is integral to managing a company, but as COSO explains, many management
decisions are not part of ERM. For example, management’s choices as to the relevant business
objectives and the allocation of entity resources are management decisions and may not be part
of ERM.
c. Incorrect. While ERM is no different from the standpoint of applying project management
discipline, it is a growth process. Thus, the length of time to implement ERM varies from
organization to organization depending on many variables.
d. Incorrect. While a regulatory requirement on internal control over financial reporting highlights
the development of risk management in the reliability of financial reporting, and COSO’s ERM
framework would facilitate compliance with these requirements, any regulatory requirements
would not be the only driver of effective risk management implementation.

32
Q

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s)
Enterprise Risk Management – Integrated Framework states, “Where potential events are not
directly related, management assesses them individually.” However, when correlation exists
between events, management must take which of the following actions first?
a. Make a judgment about the priority of risks through executive decision.
b. Segregate the events and assess the effects, impact, or contribution to the severity of another
event.
c. Quantify the risks of the events and decide which risks to mitigate using the results.
d. Complete a gap analysis.

A

Solution: b
a. Incorrect. Correlated events must be assessed by asking what effect one event will have on
another event.
b. Correct. By asking how the occurrence of one event, either individually or in combination with
other events, will affect whether another event will happen, or affect the severity of another
event, then management can understand them and make decisions to mitigate them.
c. Incorrect. It is important to quantify the risks as part of the risk assessment; however,
quantification alone is not the mitigation strategy for correlated risks.
d. Incorrect. A gap analysis should be part of the overall risk assessment of the correlated events.

33
Q

How is the COSO ERM framework different from the ISO 31000 guide?
a. The COSO framework is applicable only in the United States, while ISO guidance is used
internationally.
b. The COSO framework describes ERM as an iterative process and ISO 31000 guidance describes
ERM as a serial process.
c. The COSO ERM framework is broad and includes ISO 31000 as a source of its input to the
development of the ERM framework.
d. ISO 31000 views risks as loss events, while COSO ERM views risks as related to uncertainty.

A

Solution: c
a. Incorrect. Both the COSO and the ISO guide are used internationally.
b. Incorrect. ERM is a multidirectional, iterative process, and both COSO and ISO 31000 describe
the objectives of ERM with this in mind.
c. Correct. ISO 31000 is a widely recognized set of principles and framework and is considered by
the COSO ERM framework as a set of principles in achieving ERM.
d. Incorrect. Both ISO 31000 and COSO ERM view risk as related to uncertainty rather than loss.

34
Q

The COSO ERM framework encompasses more specific frameworks relating to specific risks
to corporate objectives. How is The IIA’s Guide to the Assessment of IT Risk (GAIT)
incorporated into the COSO ERM framework?
a. Once key risks are identified in a risk assessment, an organization can use an appropriate
framework for IT risks. GAIT would be used in developing best practices and measures to
manage and monitor IT risks.
b. GAIT should be used to manage risks that impact financial reporting and should not be used as
part of an ERM discipline.
c. The ERM framework incorporated the four key principles of GAIT into components.
d. GAIT does not require that key IT controls be identified as a result of a top-down assessment of
business risks and the controls required to mitigate enterprise-wide risks. Instead, the ERM
framework calls for management to take risk mitigation into account.

A

Solution: a
a. Correct. If IT risks are identified, GAIT provides an organization with a methodology to identify
IT general controls that need to be tested to manage IT risks.
b. Incorrect. While GAIT methodology is widely used to identify IT general control risks, the GAIT
framework is much more effective when considered as part of an ERM framework.
c. Incorrect. While the COSO ERM framework included other frameworks into its development and
implementation, COSO did not incorporate specific control elements specific only to GAIT, nor
any other framework, into the COSO ERM framework.
d. Incorrect. GAIT fosters risk mitigation as part of its key principles but not in a vacuum. Instead,
the objectives of the COSO ERM framework consider all business risks, and any identified IT
risks are assessed for their impact on the business.

35
Q

ISO 31000 and COSO’s ERM provide frameworks that help organizations with framing their
risk management activities. Which of the following is the best approach in assessing an
organization’s risk management approach?
a. Create inventories of the ISO and COSO frameworks and align them with the organization’s
activities to determine gaps.
b. Find out what is the most common framework being used by competitors in the industry.
c. Meet with the internal auditors to find out which approach they assess as the best.
d. Consider multiple components of an organization’s industry, culture, and objectives to
determine the most effective risk management approach.

A

Solution: d
a. Incorrect. Creating comprehensive inventories and lists is an exhaustive exercise and does not
lead to a qualitative opinion about best practices in risk management.
b. Incorrect. ERM is not a one-size-fits-all approach. Any framework should be assessed against the
culture, size, and resources of the organization.
c. Incorrect. Internal audit should not be a key stakeholder in the best risk management
framework. Management and the chief risk officer should make this decision.
d. Correct. Reviewing multiple frameworks in relation to an organization’s principles, culture,
objectives, and industry is the best approach.

36
Q

When evaluating the risk management process using a process elements approach, ISO
31000 identifies seven components that must exist for a risk management process. Which of
these components is not one of the process elements?
a. Risk identification.
b. Risk analysis.
c. Risk evaluation.
d. Risk deliberation.

A

Solution: d
a. Incorrect. Identifying the risks should be a formal, structured process that considers sources of
risk, areas of impact, and potential events and their causes and consequences.
b. Incorrect. The organization should use a formal technique to consider the consequence and
likelihood of each risk.
c. Incorrect. The organization should have a mechanism to rank the relative importance of each
risk so that a treatment priority can be established.
d. Correct. Deliberating risks is not a formal process element.

37
Q

Internal audit can play a key role in evaluating risk management processes. Which of the
following are possible roles that internal audit should take when evaluating an organization’s
risk management processes?
I. Assurance on the risk management process itself.
II. Follow up on risk treatment plan status.
III. Setting the risk appetite.
IV. Assurance on significant risks and management assertions.
a. I, II, and III.
b. I, II, and IV.
c. II, III, and IV.
d. I, III, and IV.

A

Solution: b (I, II, and IV)
I. Correct. Assurance on the risk management process itself can be performed to provide
reasonable assurance to senior management and the board that an organization’s risk
management program is effectively designed, documented, and operating to achieve its
objectives.
II. Correct. Monitoring risk treatment and control remediation performance against the risk
management plan should be designed to provide management with an assessment of progress
against milestones and validate risk treatment plan status reports to the board.
III. Incorrect. Setting the risk appetite is not an activity that internal audit should perform. Risk
appetite is set by management and the board to identify the risk exposure that the organization
will accept to achieve its strategic goals.
IV. Correct. Reports to management (and the board) can describe the potential exposure and
management’s assessment of current risks (with the implied value of the controls in place)
together with the audit evaluation of the risk ratings.

38
Q

Which of the following is not one of the formal components of COSO’s ERM framework?
a. Management must consider internal and external events that create threats and opportunities.
b. Consider how objectives can be achieved by assessing the likelihood and impact of events
that may affect the achievement of objectives.
c. An entity’s tone at the top, ethical values, and operating style will help management establish a
risk management philosophy and risk appetite.
d. Risk appetite is defined and communicated as part of the entity’s mission statement.

A

Solution: d
a. Incorrect. This describes event identification, which refers to management’s consideration of
internal and external factors that have potential negative or positive impact, or both.
b. Incorrect. This describes risk assessment, the formal application of considering how events will
affect objectives.
c. Incorrect. This describes elements of the internal environment, which are integral to advancing
ERM.
d. Correct. Risk appetite is established within the internal environment component and aligned
with strategy during objective setting; it is not defined and communicated through the entity's
mission statement, so this statement does not describe a component of the COSO ERM framework.

39
Q

Strategic objectives are generally set for three or more years and cascade down to
operational objectives, which are usually shorter in term. Determine which of the options
below is stated first as a strategic objective, then next as an operational objective:
a. We will end world hunger by creating partnerships with other nations to integrate resources. We
will set goals to end hunger globally by working with hunger organizations in other countries.
b. Creating new job opportunities for people with the most severe intellectual disabilities.
Identifying choices that consider the strengths of the person with intellectual disabilities and
matching him/her up with employers.
c. We want to be the place that everyone calls home when they are away from theirs. We will
make our bedding choices wider so that guests can choose from several options.
d. Our science and medicine will end cancer. Find a cure for cancer, one survivor at a time.

A

Solution: b
a. Incorrect. These statements repeat the same operational objective to build partnerships with
other countries, which can be an activity-based objective.
b. Correct. The objective is specific enough that it can be achieved through operational activities,
such as in the second statement, which is a short-term task that can be initiated in less than 12
months.
c. Incorrect. The first statement is very broad and is a vision statement. The second statement is
very narrow and is an operational objective.
d. Incorrect. Both of these statements are vision statements, which tend to be aspirational in
nature.

40
Q

A mid-size firm has set up its ERM framework and wants to assess whether its ERM components are working properly. To do this, what are some of the ways to judge “effective”
ERM?
a. Assess whether risks have been controlled across COSO’s ERM framework components with
reasonable assurances that risk management will allow the firm’s objectives to be achieved.
b. Review the firm’s operational objectives and determine if each of them has been met.
c. Assess ERM effectiveness by using the results of the financial auditor’s report.
d. Use the corporate scorecard results as an indicator of the effectiveness of ERM.

A

Solution: a
a. Correct. Management and the board should have reasonable assurance that risks have been
controlled across all the ERM framework components with no material weaknesses.
b. Incorrect. The operational objectives are not a driver for ERM effectiveness. Effective risk
management will help drive operational objectives.
c. Incorrect. The financial auditor’s report will provide management with information on how it is
doing on financial controls, not ERM.
d. Incorrect. While the corporate scorecard can provide metrics that could be traced to effective
risk management, using a metric approach to determine how

41
Q

Some companies are not mature in identifying risks that will prevent them from meeting
their strategic objectives. What is not a way that ERM can help with achieving strategic
objectives?
a. ERM can help companies achieve objectives by assigning priorities and resources that help
achieve operational objectives, which push the strategy forward.
b. With proper internal controls, companies have reasonable assurance that risk management is
working effectively, which provides a continuous basis for achieving objectives at all levels.
c. Once the ERM vision and the related goals and objectives are articulated, management can
conduct a risk assessment to decide how to manage the risks to achieving the goals across all
levels of the organization.
d. Companies should make a list of all their risks and assign ownership to a department that can
routinely monitor and manage them.

A

Solution: d
a. Incorrect. Risk analysis can help companies identify, measure, and prioritize risks to all levels of
objectives, which will allow the company to decide which risks to take and which to mitigate
other ways.
b. Incorrect. Internal controls are one way to manage risks to organizational objectives.
c. Incorrect. Risk assessments are an important tool to identify, measure, and prioritize risks.
d. Correct. A “risk list” is not enough to achieve strategic goals, and assigning each of the risks to
an owner is not an effective technique. Only by implementing an ERM framework and
performing comprehensive risk analyses across all the objectives of the company will a company
effectively manage its risks to stated objectives with resources that are aligned to the risk
owners.

42
Q

You are the risk officer for an organization that has a social mission. Resources are limited,
so the organization must set strategic objectives that represent options that consider the
potential for uncertainties as well as the opportunities that exist and could exist to achieve
objectives and goals. As the organization sets goals, it cascades the importance of SMART
objectives down through the organization. What does the mnemonic SMART stand for?
a. Success, Maturity, Appropriateness, Resources, Talent.
b. Specific, Measurable, Achievable, Realistic, Time-limited.
c. Specific, Measurable, Achievable, Repeatable, Tested.
d. Stated, Measured, Achievable, Risk-averse, Time-sensitive.

A

Solution: b
a. Incorrect. See b.
b. Correct. SMART is the mnemonic that every team and individual should understand is expected
of them with regard to contributing to the goals of the organization.
c. Incorrect. See b.
d. Incorrect. See b.

43
Q

When an organization uses training and written manuals to guide and supervise behavior
and control outcomes of its accounting functions and responsibilities, this is a control
method for treating risks. Which type of control is this?
a. Preventative control.
b. Detective control.
c. Directive control.
d. Corrective control.

A

Solution: c
a. Incorrect. A preventative control is designed to stop or limit the possibility of an undesirable
event from happening. An example is segregating duties of the treasury function from the
disbursement function in an accounting department.
b. Incorrect. A detective control would detect the occurrence of undesirable events, such as a
control total run after the end of a disbursement batch of checks.
c. Correct. Accounting manuals that describe specific accounts receivables procedures and training
that encourages staff in appropriate business expense transactions are examples of directive
controls.
d. Incorrect. After the occurrence of an undesirable event, such as an accounting software crash,
corrective controls are necessary to restore normality, such as business continuity plans for
processing payments manually instead of through the accounting software.

44
Q

Internal controls need to be considered for their effectiveness in reducing or eliminating the
risks for which they are intended to control, but also the cost effectiveness of the internal
control. To assess cost effectiveness, what does the analysis need to include as part of the risk
treatment decision?
I. The cost of implementing the control.
II. The effect of the control on external stakeholders.
III. The cost of internal auditors assessing the effectiveness of the control.
IV. The cost of not implementing the control.
a. I and II.
b. II and III.
c. I and III.
d. I and IV.

A

Solution: d (I and IV)
I. Correct. First, the cost of implementation has to be established. This has to be calculated with
some accuracy because it quickly becomes the baseline against which cost effectiveness is
measured.
II. Incorrect. While external stakeholders may feel the effect of an internal control, it is not a
primary consideration that can be measured alone, but it is instead part of the cost of
implementing or the cost of not implementing the control.
III. Incorrect. This is not a risk treatment consideration.
IV. Correct. The loss to be expected if no action is taken must also be estimated, and by comparing
the results, management can decide whether or not to implement the risk control measures.

45
Q

When an organization focuses on short-term tactics that provide some protection from risks,
it can destroy shareholder value and result in being overly risk-averse. Value-creating
organizations focus on long-term risks and develop far-reaching strategies to address them.
Which of the following is not an example of issues that an organization addresses in value
creation?
a. Short-term market fluctuations.
b. Nonfinancial value.
c. Environmental and social issues.
d. Innovation.

A

Solution: a
a. Correct. Short-term fluctuations in share prices should not be the focus of long-term value
creation. This can lead to risk-averse strategies.
b. Incorrect. Focusing on nonfinancial value, such as intangible assets (goodwill, brand), helps
build long-term value.
c. Incorrect. Creating value for multiple stakeholders, including the community, regulators, and
customers, supports the extent of value creation.
d. Incorrect. Value creation is maximized when organizations create new mechanisms to sustain
strategic advantage or generate new outcomes.