Exam questions Flashcards
Which of the following is correct regarding the historical development of risk management?
- Risk management as a formalised discipline has been around for 20 years.
- The first appearance of ‘Chief Risk Officer’ is associated with implementation of ERM.
- The inherent defects in the risk management approach failed to prevent the global financial crisis of 2008.
- During the 2000s, financial services firms have been encouraged to develop internal risk management systems and capital models.
2 is correct as during the 1990s corporate governance encouraged directors to place greater emphasis on ERM and the first appointment of a chief risk officer occurred.
This followed financial service firms being encouraged to develop internal risk management systems and capital models during the 2000s. Thus point 4 is correct.
Incorrect
1. It has been around for more than 100 years.
3. The failure was in correctly applying risk management processes and procedures, rather than any defects in the risk management approach.
Hopkin states ‘Most standard definitions of risk refer to risks being attached to corporate objectives’. What else may risks be attached to?
Core processes
Hazard management or
risk correlation
Core Processes
Risk attachment is covered in Fig 1.2 in Hopkin which shows how risks can be attached to core processes as well as corporate objectives.
Enterprise Risk Management (ERM) is considered to have significant advantages over traditional risk management approaches because ERM:
Ensures that an organisation’s objectives will be achieved.
takes an integrated or holistic approach or
addresses strategic, tactical and operational risk management.
The key differentiator for ERM is that it takes an integrated or holistic approach. Option A is incorrect as neither traditional nor ERM approaches can ensure that an organisation’s objectives will be achieved, whilst both can address the management of strategic, tactical and operational risks.
Which of the following would you expect to see in the context of risk strategy in the risk architecture, strategy and protocols framework (RASP)?
The risk and audit team report to the Board quarterly.
The attitude to risk is clearly defined.
Ownership of risk is delegated to business units.
The organisation has a defined risk appetite.
2 & 4
Risk appetite is part of the risk management strategy element of the RASP framework set out in Table 23.1 in Hopkin. Risk reporting and roles and responsibilities are parts of the risk management architecture within the same framework.
What elements in addition to Operations make up the COSO ERM risk classification system?
Compliance.
Reporting.
Reputational.
Strategic.
1,2,4
The elements of the COSO ERM cube classification headings include strategic, operations, reporting and compliance. Reputational is one of the classification headings in the FIRM risk scorecard and not part of COSO ERM.
Which factors are most likely to influence assigning a low, medium or high rating for the likelihood and impact of an interruption to production due to a natural disaster?
The length of time since the last natural disaster in the vicinity of the production unit.
Where your suppliers are located.
Long range models and stress scenarios.
What you produce.
2,4
A key consideration is where your suppliers are located, as production would be harder hit if they were located nearby and affected by the same disaster. The second consideration is what you produce as this will determine the extent to which production might be disrupted by a natural disaster, for example products that are reliant on just-in-time deliveries would be more impacted if deliveries could not be made.
The length of time since the last natural disaster is not a relevant consideration as it is unlikely to impact the likelihood of another natural disaster occurring. Similarly, modelling is of limited value when assessing the likelihood of natural disasters occurring.
Which of the following factors are likely to influence the risk classification approach adopted by an organisation?
Risk appetite.
The complexity of operations.
Stakeholder views.
The types of risk that are most common.
2,4
Organisations will choose a risk classification approach that is most suited to their size, nature and complexity. Although there are different risk classification approaches, many offer a combination of event, impact, source and consequence categories. They all help organisations define the scope of risk management, providing a structure for risk identification and giving an opportunity to aggregate similar kinds of risks. This makes options 2 and 4 correct.
Classification of risks enables organisations to better identify risk appetite, risk capacity and total risk exposures in relation to each risk. Stakeholder views do not form part of the factors that can influence a risk classification system. This makes options 1 and 3 incorrect.
Which one of the following is a consequence of people with different risk perceptions undertaking risk assessments?
Risk treatments could be applied to the less significant risks
Risks are not fully identified
It is not possible to determine a risk rating for a particular risk
A
One consequence of people having different risk perceptions is that the significance of some risks may be incorrectly determined and therefore treatments could be applied to less significant ones. The failure to identify risks fully is possible, but this is relevant to the risk identification stage of risk assessment only, and with people having different risk perceptions it is possible that more risks are identified and more fully discussed. In terms of risk assessment ratings, risk perceptions may result in an incorrect rating being applied, but a rating will eventually be determined, possibly by the most senior person and even if not everybody agrees. The correct answer is: Risk treatments could be applied to the less significant risks.
Which of the following controls can be used to reduce the likelihood of IT failure?
IT penetration testing
Robust business continuity plans
Robust breach response plan
C
Hopkin, Chapter 19, Page 207
The correct answer is:
IT penetration testing
Which of the following are common characteristics of a traditional risk management approach?
1. There is no ownership of risk in this organisation.
2. The culture of the organisation embraces risk management.
3. Risk is looked after by the organisation’s insurance department.
4. This organisation adopts an integrated approach to risk management.
1,3
Traditional risk management tends to focus on the mathematics of hazard-based risks or financial risks amongst other specific risks and not an enterprise-wide approach. This means options 2 & 4 are incorrect as they refer to an enterprise-wide approach.
Enterprise risk management offers a holistic approach to risk management and recognises that risks in one part of the organisation can relate to risks occurring elsewhere and these links and relationships need to be managed just as much as individual risks in isolation. In this manner there is specific ownership of risks in the organisation.
This means options 1 & 3 are traditional risk management characteristics rather than those of an enterprise-wide approach, as they manage risks in isolation.
As part of the ISO 31000 (2018) risk management process, monitoring and review is best thought of as which of the following?
An extra stage.
A feedback loop.
Part of an iterative process.
3
Monitoring and review is part of the ISO 31000 risk management process set out in Fig 6.4 in Hopkin. It is iterative, rather than just an extra stage or a feedback loop, because each of the stages in the process may be executed multiple times before the risk evaluation is finalised and the appropriate risk treatment agreed.
Which of the MADE2 objectives is most relevant to a manufacturing organisation, in managing the risk of production cost overruns?
Mandatory.
Decision making.
Effective and efficient processes.
3
A manufacturing organisation’s risk management considerations will assist with achieving effective operations and compliance in managing the risk of production cost overruns. Option C is the most aligned to this objective.
Among the loss control tools and techniques, which of the following is used for cost containment, after a business interruption?
Fire drills.
Crisis communication plan.
Restrictions on smoking.
2
Loss containment techniques are concerned with the activities for minimising the costs following any business interruption. As such, a crisis communication plan is used by organisations in order to minimise any loss or damage to reputation following the incident. Fire drills and routine maintenance are related to damage limitation and loss prevention, respectively.
What sort of control would appear on the left side of a Bowtie analysis?
Response improve.
Preventative.
Detective.
2
Preventative controls occur before the risk materialises in the disruption event.
In the longer term which of the following can ERM result in?
Impaired resource deployment.
Enhancement of enterprise resilience.
Assured profit margins.
Over the longer term ERM can see organisations anticipate and respond to change, not only to survive but also to evolve and thrive. This enhances resilience.
Over the longer term ERM allows organisations to prioritise resource deployment and assess overall resource needs. This improves resource deployment rather than impairing it.
ERM cannot by itself result in guaranteed increased profits. It is possible but cannot be guaranteed or assured.
Which of these factors is most likely to determine an organisation’s attitude to risk?
The maturity of the sector or industry.
The maturity of the organisation.
The level of risk management sophistication.
2
An organisation’s attitude to risk is specific to that organisation and is different when an organisation is a start-up operation compared to a mature organisation. This is all related to the maturity of the organisation, not to the sector / industry or risk management sophistication.
What should a company do if faced with a high risk/ high reward situation that is outside of its risk appetite, and has not been able to find a partner to work with in this circumstance?
Explore.
Exploit.
Exit.
C
In a high risk/ high reward scenario an organisation that does not have the risk appetite, capacity or resources but has been able to find a partner to buy or share will want to exploit the opportunity.
However, in this question the organisation is unable to find a suitable partner and thus the most appropriate response would be to exit. Option C is correct.
Which of the following best describes control risks?
Risks that can only inhibit achievement of corporate mission.
Risks that cause doubt about the ability to achieve the organisation’s mission.
Risks that are deliberately sought or embraced by the organisation.
2
Hazard risks are the risks that can only inhibit achievement of corporate mission. Opportunity risks are the risks that are deliberately sought or embraced by the organisation. Options A and C are incorrect.
Control risks are associated with uncertainty and cause doubt about the ability to achieve the organisation’s mission.
What is an advantage of a detective control?
They eliminate the hazard, so that no further consideration of it is required.
Risk control requirements can be explained during a training session
They are often simple to administer and can distinguish the lessons learnt from projects that can be applied in future
C
Preventive controls are designed to limit the possibility of an undesirable outcome being realised. Examples include limits of authorisation and segregation of duties.
Corrective controls are designed to limit the scope for loss and reduce any undesirable outcomes that have been realised.
Directive controls are designed to ensure that a particular outcome is achieved. They are based on giving directions to people on how to ensure losses do not occur. Typical examples include written systems and procedures and training.
A risk matrix is commonly used by organisations to:
Provide a visual presentation of an organisation’s strategic objectives
Display the likelihood of an event against its magnitude or impact
Facilitate an effective allocation of resources to risk-reducing counter measures.
B
It does demonstrate the relationship between the likelihood of the risk materialising and the impact of the event should the risk materialise.
The highest level of risk management sophistication is related to which of the following?
control management.
achievement of benefits.
recognition of stakeholder expectations.
B
The achievement of benefits is indeed related to the highest level of risk management sophistication [Hopkin, ibid.].
Control management is related to the third level (CONFORM) of the four-level hierarchy of risk management sophistication [Hopkin, p. 53, figure 3.2].
The recognition of stakeholder expectations is a result of becoming aware of requirements that have to be met, which is part of the initial level of risk management sophistication (INFORM).
Which of the following conditions is a necessity for defining risk in corporate settings?
Changing circumstances.
Declared organisational objectives.
Suitability for own purposes.
A
Change in circumstances is a source of uncertainty, which is a form of risk. “In order for a risk to materialize, an event must occur.” [Hopkin, p. 16, paragraph 3]. Without a change in circumstances, there can never be an event, and therefore no risk occurrence. If a risk can never materialize, it does not exist.
Declared organisational objectives is wrong. It is true that “Risk in an organisational context is usually defined as anything that can impact the fulfilment of corporate objectives.” [Hopkin, p. 16, second paragraph] but this doesn’t necessarily mean that risk cannot be defined without having declared corporate objectives, let alone that “corporate objectives are usually not fully stated by most organisations” [Hopkin, ibid.].
Suitability for own purposes is wrong. We can read in Hopkin [p. 16, first paragraph] that because “there are many available definitions for the word risk, it is important that the organisation chooses the definition that is most suitable for its own purposes.” In other words, the “suitability for own purposes” is not a necessary condition for defining risk but an optimisation in making the best use of risk management.
Which of the following are determinants of the organisational attitude to risk?
- Opportunity pursuit.
- Business maturity.
- Area of activity.
- Decision-making
2,3
Option 1 is wrong. As opportunities arise their pursuit is inherently a matter of “short-term willingness to take risk”, which is an indicator of risk appetite, not risk attitude.
Option 2 is correct. The attitude to risk is often different “when an organisation is a start-up operation rather than a mature organisation”.
Option 3 is correct. The “attitude of the organisation to risk will depend on the sector … within which it operates” and area of activity is another term for sector.
Option 4 is wrong. Decision-making is a result of risk management, not a determinant of the risk attitude. “Improvement in the robustness of decision-making activities is one of the key benefits of risk management.”.
When evaluating the effectiveness of controls on an inherent risk which of the following must be considered?
- Target level of risk.
- Risk magnitude.
- Resulting risk exposure.
- Likelihood / impact scales.
2,3,4
To evaluate the effect of a risk control we need a start point, an end point and a measuring instrument.
Option 1 is incorrect. The target level of risk is an objective, and the question is about the evaluation of a variation in the level of risk, which may or may not reach the target level of risk.
Option 2 is correct. “Magnitude represents the gross or inherent level of the risk.” This is the start point.
Option 3 is correct. According to Hopkin “The exposure presented by an individual risk can be defined in terms of the likelihood of the risk materializing and the impact of the risk when it does materialize.” We can therefore measure a risk exposure for the inherent risk and a risk exposure for the residual risk. As Option 3 is about “Resulting risk exposure”, it clearly identifies the exposure associated with the residual (current) risk remaining after the application of the risk control, and this is the end point.
Option 4 is also correct. An instrument of measure is necessary to determine both the start point (inherent risk in the case of this question) and the end point (residual risk). In this case, the package of the likelihood / impact scales represents the measuring instrument.