Module 1 - Unit 6: Risk response and risk treatment

Question 1

Define what is meant by risk treatment

Answer 1

A risk response to risks that can be further treated by the introduction of cost-effective corrective controls.

Question 2

Which one of the following best describes risk analysis prior to any risk treatment?

a residual risk
b target risk
c current risk
d gross risk.

Answer 2

d - gross risk

Question 3

Which one of the following options from the 4Ts of hazard risk management would not result in a reduction in risk severity?

a terminating the source of the risk
b treating the risk
c transferring the risk
d tolerating the risk.

Answer 3

d - tolerating the risk.

Question 4

Summarise the differences between risk responses to opportunity risk with that of hazard risk.

Answer 4

Opportunity:

Exploit
Exist
Explore
Exit

Hazard:

Tolerate
Transfer
Treat
Terminate

Question 5

Explain the nature of preventive, corrective, directive and detective (PCDD) controls.

Answer 5

Preventive: Limit the possibility of an undesirable outcome occurring

Corrective: Limit the scope of loss once a risk has been realised e.g. insurance

Directive: Controls to ensure a particular outcome is achieved e.g. PPE

Detective: Controls designed to identify occasions when undesirable outcomes have been realised e.g. incident reporting

Question 6

Identify two ways in which monitoring and review can help to improve risk management.

Answer 6

Monitoring and review ensures that the organisation monitors risk performance and learns from experience.

Question 7

Explain what is meant by a near miss.

Answer 7

A near miss could be described as the realisation of a risk that does not result in significant impact, but could have been worse.

Question 8

List the three main categories of insurance.

Answer 8

1. Mandatory/legal/contractual
   e. g. employers liability, public liability, professional indemnity
2. Balance sheet profit and loss protection
   e. g. business premises, business interruption, motor insurance
3. Employee benefit/protection of employee assets
   e. g. Life and health, directors’ and officers’ liability

Question 9

Identify two advantages and two disadvantages of insurance.

Answer 9

Advantages:

1. indemnity against an expected loss
2. access to specialist services as part of the premium

Disadvantages:

1. Time taken to obtain settlement
2. Potential for disputes around level of cover and term of policy

Question 10

List the key stages of a business continuity plan.

Answer 10

1. Identify crucial risk factors already affecting the org
2. understand needs and obligations of the org
3. establish, implement and maintain business continuity management system
4. measure the overall capability to manage disruptive incidents
5. guarantee conformity with stated BCP

Question 11

Which one of the following types of control is a fire insurance policy a good example of?

a preventive
b corrective
c directive
d detective.

Answer 11

b directive

Question 12

Which one of the following outcomes does a fire alarm produce as a risk treatment in the case of a fire?

a reduce likelihood but not impact
b reduce impact but not likelihood
c reduce both impact and likelihood
d reduce neither impact nor likelihood.

Answer 12

d reduce impact but not likelihood.

Without any further response (normally a corrective control) the alarm will just ring but nothing else will automatically happen to reduce the impact of the fire (for example, the use of an extinguisher or the evacuation of staff, which are corrective controls).

Question 13

Which one of the following scenarios is an anticipatory response relevant to?

a emerging future situations
b providing clear guidelines for risk treatment
c a type of preventive control
d the activity of learning and improving the risk management process.

Answer 13

a emerging future situations

Question 14

Which one of the following types of risk is “accept” a suitable response to?

a operational risk
b tactical risk
c business continuity risk
d opportunity risk.

Answer 14

b tactical risk

One of the 4A responses

Question 15

Which one of the following types of risk can a “fifth T” be used as a response to?

a hazard risk
b operational risk
c business continuity risk
d opportunity risk.

Answer 15

d opportunity risk - “Take”

Question 16

Which one of the following outcomes is the initial treatment of risk in an organisation not likely to result in?

a reduce the inherent risk
b reduce the high-level severity risks
c reduce the medium-level severity risks
d reduce the overall risk exposure.

Answer 16

c reduce the medium-level severity risks

High level severity risks will be treated initially

Question 17

What is a captive insurance company?

Answer 17

An insurance company owned by a parent org that is not otherwise involved in insurance.

They cover losses up to an agreed threshold after which the primary insurer will pay out.

Question 18

Describe 2 advantages of captive insurance

Answer 18

1. Savings achieved as premiums are set lower
2. Allows access to reinsurance markets where premium rated and risk capacity are favourable
3. Exposure to the cost of claims creates greater awareness and concern about loss control
4. Greater insurance cover can be provided than in the commercial market
5. Some tax benefits associated with captive insurance companies

Question 19

Describe 2 disadvantages of captive insurance

Answer 19

1. The captive is exposed to claims that would otherwise be covered by commercial insurers
2. Parent company has to allocate capital to ensure adequate solvency of captive insurance co.
3. When large losses are paid by the captive they are consolidated on the parent’s balance sheet
4. Compliance issues associated with captives operating in non-domicile territories
5. Admin cost, time and effort can be involved in management of the captive by the parent head office

Question 20

Name the 6 Cs of insurance buying

Answer 20

Cost
Coverage
Capacity
Capabilities
Claims
Compliance

Question 21

Describe the 4As of project risk response

Answer 21

Adopt (appropriate contingency plans)
Accept (the uncertainty attached to the risk)
Avoid (the uncertainty attached to the risk)
Adapt (procedure and introduce controls)

Question 22

What side of a bow tie diagram would control measure relate to and why?

Answer 22

Left hand side as these address the causes of risk.

Question 23

What side of a bow tie diagram would recovery measures relate to and why?

Answer 23

Right side as they address the consequences of risks materialising

Question 24

Loss control relates to the mitigation of hazard risk. What are the three components that make up loss control?

Answer 24

Loss prevention (focuses on likelihood)
Damage limitation (focuses on magnitude)
Cost containment (focuses on reducing impact and consequence)

Question 25

What is a Preventative control?

Answer 25

Eliminates or reduces source of risk (not always cost effective e.g. CUK can’t stop delivering potentially risky patient care)

Response: terminate
Loss control: loss prevention

Question 26

What are Corrective controls?

Answer 26

Steps to limit the scope of loss i.e. barriers/job rotation/passwords

Response: treat
Loss control: loss prevention, damage limitation and cost containment

Question 27

What are Directive controls?

Answer 27

Designed to ensure a particular outcome is achieved i.e. training and supervision, PPE, written systems and procedures

Response: transfer
Loss control: loss prevention, damage limitation and cost containment

Question 28

What are Detective controls?

Answer 28

Designed to identify occasions when risks have been realised i.e. audit, incident investigation, health monitoring (NEWS).

Response: tolerate
Loss control: cost containment

Question 29

Here are three key features that regulators are likely to require for managing cyber risk. They all have much in common with Business Continuity Planning. However, which one of the terms in bold forms a specific part of BCP?

Select one:

a A security culture, driven from the top down

b. Good governance around cyber security
c. Systems and controls to ensure recovery and response in the event of an attack

Answer 29

c. Systems and controls to ensure recovery and response in the event of an attack