Module 6 - Midterm Pt 1

Question 1

An indisputable tenant of risk management

Answer 1

one must understand risk in order to manage it

Question 2

Understanding risk requires

Answer 2

the ability to measure and monitor a given risk so
that mitigating plans can be put in place to reduce the risk to an acceptable level, that is in line with the organization’s approved risk appetite

Question 3

Importance of Understanding Business Risks

Answer 3

Without the ability to effectively measure and monitor risk, no risk program can be successful

Question 4

Assessing risk is not a simple task (True/False)

Answer 4

TRUE: Anyone who has ever performed a risk assessment knows that they can be notoriously difficult, some risk types more so than others

Question 5

Common Tools and Methodologies

Answer 5

• Loss Data Collection & Loss Event Root Cause Analysis
• Risk and Control Self-Assessment
• Key Risk Indicators
• Scenario Analysis

Question 6

Loss Data Collection & Loss Event Root Cause Analysis

Answer 6

The goal is to understand so future losses and
events can be prevented (focused on the past)

Question 7

Risk and Control Self-Assessment

Answer 7

Goal is to implement controls so that risks
are better managed to within acceptable levels (focused on the present)

Question 8

Key Risk Indicators

Answer 8

Goal is to inform choices about portfolio and take mitigating actions (focused on the future)

Question 9

Scenario Analysis

Answer 9

Goal is to identify and understand potential future risk events so that management can take action (focused on the future)

Question 10

Common Tools and Methodologies Framework examples

Answer 10

Heat Map, Bow-tie, FMEA

Question 11

The losses incurred by an organization should be recorded in a database based on

Answer 11

a defined taxonomy and on a consistent basis

Question 12

Regulators require banks to use the Basel-defined seven event type classifications for lost data

Answer 12

1. Clients, Products and Business Practices
2. Business Disruption and System Failures
3. Execution, Delivery and Process Management
4. Internal Fraud
5. External Fraud
6. Employment Practices and Workplace Safety
7. Damage to Physical Assets

Question 13

Clients, Products, and Business Practices examples

Answer 13

Non-compliance with laws and regulations, inadequate disclosures

ex event: A company is fined by a regulatory agency for failure to comply with anti-money laundering laws

Question 14

Business Disruption and System Failures examples

Answer 14

Extended system downtime

ex event: server outage causes key internal systems to be inaccessible for a prolonged period of time

Question 15

Execution, Delivery, and Process Management examples

Answer 15

Data entry error, failure to conduct due diligence, reporting failure

e.g. event: When making a payment for an outstanding invoice, an employee pays the vendor $6,000 instead of $600

Question 16

Internal Fraud examples

Answer 16

Collusion, embezzlement

e.g. event: An employee redirects internal funds to his or her personal bank account

Question 17

External Fraud examples

Answer 17

Robbery, hacking, theft of information

e.g. event: A bank’s retail branch is robbed, resulting in financial losses

Question 18

Employment Practices and Workplace Safety Examples

Answer 18

Allegations of discrimination, unsafe work environment

e.g. event: Lawsuit against a company alleging that an employee was denied a promotion due to being a member of a protected class

Question 19

Damage to Physical Assets examples

Answer 19

Natural disaster

e.g. event: A hurricane causes physical damage to a company’s office, forcing temporary relocation

Question 20

Regulators expect banks to use ‘External
Losses’ suffered by other banks to

Answer 20

monitor and measure their risk exposures

Question 21

Review of External Losses ensures

Answer 21

• adequate data
• understand current industry trends
• a more holistic view of all your risk exposures

Question 22

To make Review of External Losses exercise productive

Answer 22

should establish a clear relevance criterion for external losses that is based on Business activities

Question 23

Operational Riskdata eXchange Association
(ORX)

Answer 23

an Industry Association established in 2002 to collect anonymized Operational Loss data and disseminate it to banks

Question 24

Heat Map Purpose

Answer 24

Visual prioritization of risks

Question 25

Bow-Tie Analysis Purpose

Answer 25

Detailed cause-effect risk analysis

Question 26

RCSA Purpose

Answer 26

Risk identification and control evaluation

Question 27

Heat Map Focus

Answer 27

Prioritizing risks by impact/likelihood

Question 28

Bow-Tie Analysis Focus

Answer 28

Preventive and mitigating controls

Question 29

RCSA Focus

Answer 29

Operational-level risk management