Module 1 - Unit 6: Risk response and risk treatment Flashcards

1
Q

Define what is meant by risk treatment

A

A risk response to risks that can be further treated by the introduction of cost-effective corrective controls.

2
Q

Which one of the following best describes risk analysis prior to any risk treatment?

a residual risk
b target risk
c current risk
d gross risk.

A

d - gross risk

3
Q

Which one of the following options from the 4Ts of hazard risk management would not result in a reduction in risk severity?

a terminating the source of the risk
b treating the risk
c transferring the risk
d tolerating the risk.

A

d - tolerating the risk.

4
Q

Summarise the differences between risk responses to opportunity risk with that of hazard risk.

A

Opportunity:

Exploit
Exist
Explore
Exit

Hazard:

Tolerate
Transfer
Treat
Terminate

5
Q

Explain the nature of preventive, corrective, directive and detective (PCDD) controls.

A

Preventive: Limit the possibility of an undesirable outcome occurring

Corrective: Limit the scope of loss once a risk has been realised e.g. insurance

Directive: Controls to ensure a particular outcome is achieved e.g. PPE

Detective: Controls designed to identify occasions when undesirable outcomes have been realised e.g. incident reporting

6
Q

Identify two ways in which monitoring and review can help to improve risk management.

A

Monitoring and review ensures that the organisation monitors risk performance and learns from experience.

7
Q

Explain what is meant by a near miss.

A

A near miss could be described as the realisation of a risk that does not result in significant impact, but could have been worse.

8
Q

List the three main categories of insurance.

A
  1. Mandatory/legal/contractual
    e.g. employers' liability, public liability, professional indemnity
  2. Balance sheet profit and loss protection
    e.g. business premises, business interruption, motor insurance
  3. Employee benefit/protection of employee assets
    e.g. life and health, directors' and officers' liability
9
Q

Identify two advantages and two disadvantages of insurance.

A

Advantages:

  1. indemnity against an expected loss
  2. access to specialist services as part of the premium

Disadvantages:

  1. Time taken to obtain settlement
  2. Potential for disputes around level of cover and term of policy
10
Q

List the key stages of a business continuity plan.

A
  1. Identify crucial risk factors already affecting the org
  2. Understand needs and obligations of the org
  3. Establish, implement and maintain a business continuity management system
  4. Measure the overall capability to manage disruptive incidents
  5. Guarantee conformity with the stated BCP
11
Q

Which one of the following types of control is a fire insurance policy a good example of?

a preventive
b corrective
c directive
d detective.

A

b directive

12
Q

Which one of the following outcomes does a fire alarm produce as a risk treatment in the case of a fire?

a reduce likelihood but not impact
b reduce impact but not likelihood
c reduce both impact and likelihood
d reduce neither impact nor likelihood.

A

d reduce impact but not likelihood.

Without any further response (normally a corrective control) the alarm will just ring but nothing else will automatically happen to reduce the impact of the fire (for example, the use of an extinguisher or the evacuation of staff, which are corrective controls).

13
Q

Which one of the following scenarios is an anticipatory response relevant to?

a emerging future situations
b providing clear guidelines for risk treatment
c a type of preventive control
d the activity of learning and improving the risk management process.

A

a emerging future situations

14
Q

Which one of the following types of risk is “accept” a suitable response to?

a operational risk
b tactical risk
c business continuity risk
d opportunity risk.

A

b tactical risk

One of the 4A responses

15
Q

Which one of the following types of risk can a “fifth T” be used as a response to?

a hazard risk
b operational risk
c business continuity risk
d opportunity risk.

A

d opportunity risk - “Take”

16
Q

Which one of the following outcomes is the initial treatment of risk in an organisation not likely to result in?

a reduce the inherent risk
b reduce the high-level severity risks
c reduce the medium-level severity risks
d reduce the overall risk exposure.

A

c reduce the medium-level severity risks

High-level severity risks will be treated initially.

17
Q

What is a captive insurance company?

A

An insurance company owned by a parent org that is not otherwise involved in insurance.

They cover losses up to an agreed threshold after which the primary insurer will pay out.

18
Q

Describe 2 advantages of captive insurance

A
  1. Savings achieved as premiums are set lower
  2. Allows access to reinsurance markets where premium rates and risk capacity are favourable
  3. Exposure to the cost of claims creates greater awareness and concern about loss control
  4. Greater insurance cover can be provided than in the commercial market
  5. Some tax benefits associated with captive insurance companies
19
Q

Describe 2 disadvantages of captive insurance

A
  1. The captive is exposed to claims that would otherwise be covered by commercial insurers
  2. Parent company has to allocate capital to ensure adequate solvency of captive insurance co.
  3. When large losses are paid by the captive they are consolidated on the parent’s balance sheet
  4. Compliance issues associated with captives operating in non-domicile territories
  5. Admin cost, time and effort can be involved in management of the captive by the parent head office
20
Q

Name the 6 Cs of insurance buying

A
Cost
Coverage
Capacity
Capabilities
Claims
Compliance
21
Q

Describe the 4As of project risk response

A

Adopt (appropriate contingency plans)
Accept (the uncertainty attached to the risk)
Avoid (the uncertainty attached to the risk)
Adapt (procedure and introduce controls)

22
Q

What side of a bow tie diagram would control measures relate to and why?

A

Left-hand side, as these address the causes of risk.

23
Q

What side of a bow tie diagram would recovery measures relate to and why?

A

Right-hand side, as they address the consequences of risks materialising.

24
Q

Loss control relates to the mitigation of hazard risk. What are the three components that make up loss control?

A
Loss prevention (focuses on likelihood)
Damage limitation (focuses on magnitude)
Cost containment (focuses on reducing impact and consequence)
25
Q

What is a Preventative control?

A

Eliminates or reduces the source of risk (not always cost-effective, e.g. CUK can't stop delivering potentially risky patient care)

Response: terminate
Loss control: loss prevention

26
Q

What are Corrective controls?

A

Steps to limit the scope of loss, e.g. barriers, job rotation, passwords

Response: treat
Loss control: loss prevention, damage limitation and cost containment

27
Q

What are Directive controls?

A

Designed to ensure a particular outcome is achieved, e.g. training and supervision, PPE, written systems and procedures

Response: transfer
Loss control: loss prevention, damage limitation and cost containment

28
Q

What are Detective controls?

A

Designed to identify occasions when risks have been realised, e.g. audit, incident investigation, health monitoring (NEWS).

Response: tolerate
Loss control: cost containment

29
Q

Here are three key features that regulators are likely to require for managing cyber risk. They all have much in common with Business Continuity Planning. However, which one of the terms in bold forms a specific part of BCP?

Select one:

a. A security culture, driven from the top down
b. Good governance around cyber security
c. Systems and controls to ensure recovery and response in the event of an attack

A

c. Systems and controls to ensure recovery and response in the event of an attack