Risk Implementation Approach

Question 1

Risk Record & Risk Framework - lifecycle and role to create

Answer 1

active - inactive

Risk manager or above

Question 2

Risk Lifecycle

Answer 2

Draft
Assess
Respond
Review
Monitor
Retired

Question 3

Who can create a risk

Answer 3

Risk User

Question 4

Who performs risk assessment

Answer 4

Risk Owner

Question 5

Who can move risk into monitor

Answer 5

Risk Manager

Question 6

Who can retire a risk

Answer 6

Risk Manager

Question 7

Risk Response Lifecycle

Answer 7

Draft
Work in Progress
Review
Closed

if it is an “accepted” risk (not mitigate, avoid, transfer) “awaiting approval” state is included after WiP

Question 8

Who/How are Risk Responses generated

Answer 8

Automatically when risk is in “respond” state

or by Risk User

Question 9

Who can be assigned Risk Response

Answer 9

Risk User

Question 10

Who can assign Risk Response

Answer 10

Risk Manager

Question 11

Who can close Risk Response

Answer 11

Assigned Risk User

or grc_manager

Question 12

Primary Risk Relationship

Answer 12

Risk Framework Risk Statement Risk

RF–>RS =m2m, RS–>RF=0to1, RS–>Risk=m2m, Risk–>RS= NotSpecified?(P.188

Question 13

**Recommend studying page 189

Answer 13

**recommend studying page 189

Question 14

Indicator template - name and scope

Answer 14

sn_grc_indicator_template

GRC: Profiles

Question 15

Indicator - name and scope

Answer 15

sn_grc_indicator

GRC: Profiles

Question 16

Risk Statement - name and scope

Answer 16

sn_risk_definition

GRC: Risk

Question 17

Risk - name

Answer 17

sn_risk_risk

GRC: Risk

Question 18

Entity Type - name and scope

Answer 18

sn_grc_profile_type

GRC: Profiles

Question 19

Entity - name and scope

Answer 19

sn_grc_profile

GRC: Profile

Question 20

Issue - name and scope

Answer 20

sn_grc_issue

GRC: Profiles

Question 21

Risk Assessment - name an scope

Answer 21

asmt_metric_type

GRC: Risk

Question 22

Risk Response Task - name and scope

Answer 22

sn_risk_response_task

GRC: Risk

Question 23

Controls - name and scope

Answer 23

sn_compliance_control

GRC: Policy and Compliance

Question 24

Risk Event - name and scope

Answer 24

sn_risk_advanced_event

GRC: Risk

Question 25

Risk to Control table name

Answer 25

sn_risk_m2m_risk_control

Question 26

Entity Type to Risk Statement table name

Answer 26

sn_risk_m2m_risk_definition_policy_statement

Question 27

Risk Framework to Entity Type

Answer 27

sn_risk_m2m_framework_profile_type

Question 28

Modify the calculations of multiple risks on an entity

Answer 28

RiskUtils

Question 29

Add additional calculations to risks

Answer 29

RiskALECalculator

Question 30

Change the relationship behavior between a Control and a Risk

Answer 30

Mitigation Controls

Question 31

Change the states and behaviors of risk mitigation

Answer 31

RiskResponse

Question 32

Modify how Risks are generated and associated to entitties

Answer 32

RiskGeneratorStrategy

Question 33

Adjust the colors and display settings when creating a risk heat map

Answer 33

RiskHeatMap

Question 34

Risk Assessment Methods

Answer 34

Quantitative (SLE & ARO) (default)

Qualitative (Impact & Likelihood)

Question 35

4 components of a risk score

Answer 35

[SLE/Impact]
[ARO/Likelihood]
ALE (Annualized Loss Expectancy)
Score

Question 36

Scoring Types

Answer 36

Inherent
Calculated
Residual

Question 37

SLE * ARO =
Inherent ($18M60%=)
Residual ($6M40%=)

Answer 37

= ALE
Inherent (=$10.8M)
Residual (=$2.4M)

Question 38

Regardless of Quant vs. Qual. ALE will….

Answer 38

always be the same

Question 39

Where to change risk criteria

Answer 39

Risk Criteria Matrix

Risk > Administration > Risk Criteria

Question 40

Impact:
1 - very low
2 - low
3 - moderate
4 - high
5 - very high
(what are default currency values)

Answer 40

$1M
$5M
$10M
$20M
$25M

Question 41

Likelihood:
1 - extremely unlikely
2 - unlikely
3 - neutral
4 - likely
5 - extremely likely
(what are default percentages)

Answer 41

20%
40%
60%
80%
100%

Question 42

Score:
1 - very low
2 - low
3 - moderate
4 - high
5 - very high
(what are currency values)

Answer 42

$1M
$5M
$10M
$20M
$25M

Question 43

What is Control Failure Facture

Answer 43

impact of control failures on calculated score

%=(weight of non-compliant controls)/(weight of all controls)

Question 44

Indicator Failure Factor

Answer 44

Impact of risk indicator failures on the calculated score of risks
%=(failed risk indicators)/(all risk indicators)

Question 45

Calculated risk factor

Answer 45

represents the average impact factor that is used to compute calculated score or risk
%(CFF+IFF)/2

(if IFF is null, CRF will not calculate)

Question 46

Calculated ALE

Answer 46

residual ALE + [(inherent ALE - residual ALE)*(CRF/100)]

Question 47

Biggest benefit of Advanced Risk

Answer 47

rollup/hierarchy

reporting

Question 48

Different Risk Assessment with Advanced Risk

Answer 48

Operational Assessment
Application Assessment
Project Assessment

Question 49

3 assessment types that can be included in Risk Assessment Methodology (RAM)

Answer 49

Inherent
Control Effectiveness
Residual Risk

Question 50

Service Portal Customization

Answer 50

Separate portal for risk and compliance
add approvals
add task management

Question 51

import options

Answer 51

import into risk framework & statement tables

Question 52

Risk Framework Form customizations

Answer 52

Add fields - importing
owner/owning group
reviewers
approvers
valid from/valid to

Question 53

Risk Statement form customizations

Answer 53

Add fields - imported
order
classification (need choices)
type (need choices)
active flag

Question 54

Risk form customizations

Answer 54

add fields - created manually
type
status (not assessed, acceptable warning, exceeds tolerance)

Question 55

Risk Response Tasks form customization

Answer 55

Add fields - work notes list, watch list
assignment group
due date

Question 56

Tables extending rom Risk Response Tasks

Answer 56

Risk Acceptance Task
Risk Avoidance Task
Risk Mitigation Task
Risk Transfer Task