Risk Implementation Approach Flashcards

1
Q

Risk Record & Risk Framework - lifecycle and role to create

A

active - inactive

Risk manager or above

2
Q

Risk Lifecycle

A
Draft
Assess
Respond
Review
Monitor
Retired
3
Q

Who can create a risk

A

Risk User

4
Q

Who performs risk assessment

A

Risk Owner

5
Q

Who can move risk into monitor

A

Risk Manager

6
Q

Who can retire a risk

A

Risk Manager

7
Q

Risk Response Lifecycle

A

Draft
Work in Progress
Review
Closed

If the response is "Accept" (rather than Mitigate, Avoid or Transfer), an "Awaiting Approval" state is inserted after Work in Progress.
8
Q

Who or what generates Risk Responses

A

Automatically when risk is in “respond” state

or by Risk User

9
Q

Who can be assigned Risk Response

A

Risk User

10
Q

Who can assign Risk Response

A

Risk Manager

11
Q

Who can close Risk Response

A

Assigned Risk User

or grc_manager

12
Q

Primary Risk Relationship

A

Risk Framework → Risk Statement → Risk

RF → RS: many-to-many; RS → RF: 0-to-1; RS → Risk: many-to-many; Risk → RS: not specified? (p. 188)

13
Q

Recommend studying page 189

A

Recommend studying page 189

14
Q

Indicator template - name and scope

A

sn_grc_indicator_template

GRC: Profiles

15
Q

Indicator - name and scope

A

sn_grc_indicator

GRC: Profiles

16
Q

Risk Statement - name and scope

A

sn_risk_definition

GRC: Risk

17
Q

Risk - name and scope

A

sn_risk_risk

GRC: Risk

18
Q

Entity Type - name and scope

A

sn_grc_profile_type

GRC: Profiles

19
Q

Entity - name and scope

A

sn_grc_profile

GRC: Profiles

20
Q

Issue - name and scope

A

sn_grc_issue

GRC: Profiles

21
Q

Risk Assessment - name and scope

A

asmt_metric_type

GRC: Risk

22
Q

Risk Response Task - name and scope

A

sn_risk_response_task

GRC: Risk

23
Q

Controls - name and scope

A

sn_compliance_control

GRC: Policy and Compliance

24
Q

Risk Event - name and scope

A

sn_risk_advanced_event

GRC: Risk

25
Q

Risk to Control table name

A

sn_risk_m2m_risk_control

26
Q

Risk Statement to Policy Statement table name

A

sn_risk_m2m_risk_definition_policy_statement

27
Q

Risk Framework to Entity Type

A

sn_risk_m2m_framework_profile_type

28
Q

Modify the calculations of multiple risks on an entity

A

RiskUtils

29
Q

Add additional calculations to risks

A

RiskALECalculator

30
Q

Change the relationship behavior between a Control and a Risk

A

Mitigation Controls

31
Q

Change the states and behaviors of risk mitigation

A

RiskResponse

32
Q

Modify how Risks are generated and associated to entities

A

RiskGeneratorStrategy

33
Q

Adjust the colors and display settings when creating a risk heat map

A

RiskHeatMap

34
Q

Risk Assessment Methods

A

Quantitative (SLE & ARO) (default)

Qualitative (Impact & Likelihood)

35
Q

4 components of a risk score

A

[SLE/Impact]
[ARO/Likelihood]
ALE (Annualized Loss Expectancy)
Score

36
Q

Scoring Types

A

Inherent
Calculated
Residual

37
Q

SLE × ARO = ?
Inherent: $18M × 60% = ?
Residual: $6M × 40% = ?

A

= ALE
Inherent: $10.8M
Residual: $2.4M

38
Q

Regardless of quantitative vs. qualitative method, ALE will…

A

always be the same

39
Q

Where to change risk criteria

A

Risk Criteria Matrix

Risk > Administration > Risk Criteria

40
Q
Impact:
1 - very low
2 - low
3 - moderate
4 - high
5 - very high
(what are default currency values)
A
$1M
$5M
$10M
$20M
$25M
41
Q
Likelihood:
1 - extremely unlikely
2 - unlikely
3 - neutral
4 - likely
5 - extremely likely
(what are default percentages)
A
20%
40%
60%
80%
100%
42
Q
Score:
1 - very low
2 - low
3 - moderate
4 - high
5 - very high
(what are currency values)
A
$1M
$5M
$10M
$20M
$25M
43
Q

What is Control Failure Factor (CFF)

A

impact of control failures on calculated score

%=(weight of non-compliant controls)/(weight of all controls)

44
Q

Indicator Failure Factor

A

Impact of risk indicator failures on the calculated score of risks
%=(failed risk indicators)/(all risk indicators)

45
Q

Calculated risk factor

A

represents the average impact factor that is used to compute the calculated score of a risk
% = (CFF + IFF) / 2

(if IFF is null, CRF will not calculate)

46
Q

Calculated ALE

A

residual ALE + [(inherent ALE - residual ALE)*(CRF/100)]
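
Added worked example (my own JavaScript, not ServiceNow's RiskALECalculator or RiskUtils script includes) that carries the arithmetic of cards 37 and 40–46 through in code: ALE from SLE × ARO or from the default impact/likelihood criteria, CFF from control weights, IFF from indicator results, CRF, and Calculated ALE. The control and indicator records are constructed sample data; the field names (`weight`, `compliance`, `passed`), the handling of a missing CFF, and returning null for Calculated ALE when CRF cannot be computed are assumptions, not documented platform behaviour.

```javascript
// Added example: the risk-score arithmetic from the cards above in plain JavaScript.
// Not ServiceNow code; field names on the sample records are assumptions.

// Default criteria from the cards: impact level -> SLE (USD), likelihood level -> ARO.
const IMPACT_SLE = { 1: 1e6, 2: 5e6, 3: 10e6, 4: 20e6, 5: 25e6 };
const LIKELIHOOD_ARO = { 1: 0.2, 2: 0.4, 3: 0.6, 4: 0.8, 5: 1.0 };

// Quantitative input: ALE = SLE * ARO.
function ale(sle, aro) {
  if (!Number.isFinite(sle) || !Number.isFinite(aro) || sle < 0 || aro < 0) {
    throw new RangeError('SLE and ARO must be non-negative numbers');
  }
  return sle * aro;
}

// Qualitative input: map the 1-5 levels through the criteria, then take the same product.
// This is why the cards say ALE comes out the same whichever method is chosen.
function aleFromLevels(impact, likelihood) {
  const sle = IMPACT_SLE[impact];
  const aro = LIKELIHOOD_ARO[likelihood];
  if (sle === undefined || aro === undefined) throw new RangeError('levels must be 1..5');
  return ale(sle, aro);
}

// Control Failure Factor (%) = weight of non-compliant controls / weight of all controls.
// Returns null when no controls (or zero total weight) are linked to the risk (assumption).
function controlFailureFactor(controls) {
  const total = controls.reduce((sum, c) => sum + c.weight, 0);
  if (total <= 0) return null;
  const nonCompliant = controls
    .filter((c) => c.compliance === 'non_compliant')
    .reduce((sum, c) => sum + c.weight, 0);
  return (100 * nonCompliant) / total;
}

// Indicator Failure Factor (%) = failed indicators / all indicators; null when there are none.
function indicatorFailureFactor(indicators) {
  if (indicators.length === 0) return null;
  const failed = indicators.filter((i) => i.passed === false).length;
  return (100 * failed) / indicators.length;
}

// Calculated Risk Factor (%) = (CFF + IFF) / 2. Per the cards, no IFF means no CRF;
// treating a missing CFF the same way is an assumption.
function calculatedRiskFactor(cff, iff) {
  if (cff === null || iff === null) return null;
  return (cff + iff) / 2;
}

// Calculated ALE = residual ALE + (inherent ALE - residual ALE) * CRF / 100.
// Returning null when CRF is null is an assumption about the fallback.
function calculatedAle(inherentAle, residualAle, crf) {
  if (crf === null) return null;
  return residualAle + (inherentAle - residualAle) * (crf / 100);
}

// Put the pieces together for one risk record.
function scoreRisk(risk) {
  const inherentAle = ale(risk.inherentSle, risk.inherentAro);
  const residualAle = ale(risk.residualSle, risk.residualAro);
  const cff = controlFailureFactor(risk.controls);
  const iff = indicatorFailureFactor(risk.indicators);
  const crf = calculatedRiskFactor(cff, iff);
  return { inherentAle, residualAle, cff, iff, crf, calculatedAle: calculatedAle(inherentAle, residualAle, crf) };
}

// Constructed sample: the $18M/60% and $6M/40% figures from the cards, plus made-up controls and indicators.
const SAMPLE_RISK = {
  inherentSle: 18e6, inherentAro: 0.6,
  residualSle: 6e6, residualAro: 0.4,
  controls: [
    { name: 'MFA on admin consoles', weight: 3, compliance: 'compliant' },
    { name: 'Quarterly access review', weight: 2, compliance: 'non_compliant' },
    { name: 'Backup restore test', weight: 5, compliance: 'non_compliant' },
  ],
  indicators: [
    { name: 'Patch SLA met', passed: true },
    { name: 'Privileged accounts reviewed', passed: true },
    { name: 'Backups verified', passed: false },
    { name: 'Vuln scan coverage', passed: true },
  ],
};

// Inherent ALE 10.8M, residual ALE 2.4M, CFF 70, IFF 25, CRF 47.5, calculated ALE 6.39M.
console.log(scoreRisk(SAMPLE_RISK));
```

With the sample data the non-compliant controls carry 7 of 10 weight points (CFF = 70%), one of four indicators failed (IFF = 25%), so CRF = 47.5% and the calculated ALE sits at $2.4M + ($10.8M − $2.4M) × 0.475 = $6.39M, between residual and inherent. Remove all indicators and IFF becomes null, which (as card 45 says) stops CRF, and here the calculated ALE, from being produced.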

47
Q

Biggest benefit of Advanced Risk

A

rollup/hierarchy

reporting

48
Q

Different Risk Assessment with Advanced Risk

A

Operational Assessment
Application Assessment
Project Assessment

49
Q

3 assessment types that can be included in Risk Assessment Methodology (RAM)

A

Inherent
Control Effectiveness
Residual Risk

50
Q

Service Portal Customization

A

Separate portal for risk and compliance
add approvals
add task management

51
Q

import options

A

import into risk framework & statement tables

52
Q

Risk Framework Form customizations

A
Add fields (imported):
owner/owning group
reviewers
approvers
valid from/valid to
53
Q

Risk Statement form customizations

A
Add fields (imported):
order
classification (need choices)
type (need choices)
active flag
54
Q

Risk form customizations

A

add fields - created manually
type
status (not assessed, acceptable warning, exceeds tolerance)

55
Q

Risk Response Tasks form customization

A

Add fields - work notes list, watch list
assignment group
due date

56
Q

Tables extending from Risk Response Task

A

Risk Acceptance Task
Risk Avoidance Task
Risk Mitigation Task
Risk Transfer Task