Risk Management Flashcards

1
Q

Annualized loss expectancy (ALE)

A

Expected monetary loss for an asset due to a risk over a one-year period; calculated by multiplying single loss expectancy by annualized rate of occurrence.

2
Q

Conflict of Interest

A

Situation in which a person or organization may benefit from undue influence due to involvement in outside activities, relationships, or investments that conflict with or have an impact on the employment relationship or its outcomes.

3
Q

Contingency plan

A

Protocol that an organization implements when an
identified risk event occurs.

4
Q

Duty of care

A

Principle that organizations should take all steps that
are reasonably possible to ensure the health, safety,
and well-being of employees and protect them from
foreseeable injury.

5
Q

Hazard

A

Potential for harm, often associated with a condition or
activity that, if left uncontrolled, can result in injury or
illness.

6
Q

Key risk indicators (KRIs)

A

Metrics that provide an early signal of increasing risk
exposures for an enterprise.

7
Q

Moral hazard

A

Situation in which one party engages in risky behavior
knowing that it is protected against the risk because
another party will incur any resulting loss.

8
Q

Principal-agent problem

A

Situation in which an agent (for example, an employee)
makes decisions for a principal (for example, an
employer) potentially on the basis of personal incentives
that may not be aligned with the principal’s incentives.

9
Q

Residual risk

A

Amount of uncertainty that remains after all risk
management efforts have been exhausted.

10
Q

Risk

A

Uncertainty that has an effect on an objective, where
outcomes may include opportunities, losses, and threats.

11
Q

Risk appetite

A

A high-level characterization of the amount of uncertainty
(acceptable risk) an organization is willing to pursue or to
accept to attain its risk management goals.

12
Q

Risk control

A

Action taken to manage a risk.

13
Q

Risk management

A

System for identifying, evaluating, and controlling actual
and potential risks to an organization.

14
Q

Risk position

A

Organization’s desired gain or acceptable loss in value.

15
Q

Risk scorecard

A

Tool used to gather individual assessments of various
characteristics of risk (for example, frequency of
occurrence; degree of impact, loss, or gain for the
organization; degree of efficacy of current controls).

16
Q

Risk tolerance

A

A characterization of the amount of uncertainty
(acceptable risk) an organization is willing to pursue or to
accept to attain its risk management goals, defined in a
range above and below a target.

17
Q

Single loss expectancy (SLE)

A

Expected monetary loss every time a risk occurs; calculated by multiplying asset value by exposure factor.

18
Q

Whistleblowing

A

Reporting of an organization’s violations of policies and
processes by employees.

19
Q

Which risk category would include the risk posed by infectious disease?

Hazard
Financial
Strategic
Operational

A

Hazard

The hazard risk category includes risk sources from injury and illness. Infectious disease would fall under this risk category.

20
Q

Which evaluation method is best for an emergency response plan?

Comparing the plan to the previous plan
Asking for insurance company input
Conducting a crisis drill
Having a government agency review the plan

A

Conducting a crisis drill

A simulated crisis in which the plan is tested will alert the company to changes that need to be made and is the best way to see how the plan performs.

21
Q

Which option best defines risk?

Quantifiable and enterprise-wide picture of organization loss exposure.
Negative impact an event can exert on an organization’s well-being
Organization’s vulnerabilities from an enterprise perspective
Effect of uncertainty on the ability to meet organization objectives.

A

Effect of uncertainty on the ability to meet organization objectives.

The ISO definition of risk is simply “the effect of uncertainty on objectives.” Uncertainty can be positive or negative in its effects. The other choices emphasize negative risk or assessments of risk occurrence.

22
Q

An employee’s ex-husband waits outside her place of work. When she emerges, he begins yelling. She retreats inside the building. The husband attempts to follow but is prevented by a door that locks automatically behind the employee. An HR staff member observes the incident. What action should the staff member take?

Answers

Call for immediate revision of the organization’s security policies.

Recommend that those involved debrief the incident.

Write a memo to the HR head, documenting the incident.

None. The security measures worked as intended.

A

Recommend that those involved debrief the incident.

After-action debriefs are a good way to examine the effectiveness of a specific risk response strategy, presenting an opportunity for learning and improvement.

23
Q

Which situation that leads to workplace violence can be controlled by an organization?

Answers

Domestic problems

Pressure for increased productivity

Low employee self-esteem

Unstable economy

A

Pressure for increased productivity.

Conditions causing employee frustration and anger can lead to violence. Examples include pressure for productivity, rigid management style, and layoffs.

23
Q

What is the appropriate role for an HR manager in an investigatory interview for a dischargeable offense?

Answers

Champion of employee’s perspective and position

Prosecutor presenting evidence and challenging the employee

Risk manager for the organization

Supporter for manager/supervisor of involved department

A

Risk manager for the organization.

In this situation, the role of HR is to be proactive and manage the legal and physical safety risks to the organization. HR managers must be aware of the need to ensure due process to employees and to provide a safe work environment for all employees. HR should not take a prosecutorial or defense role; the organization should approach the situation and the evidence objectively and calmly.

23
Q

What phase of risk management is represented in the acronym MECE, which stands for “mutually exclusive and collectively exhaustive”?

Answers

Risk-averse

Risk management

Risk identification

Risk mitigation

A

Risk identification

In the identification step, the organization wants a list of all plausible strategic and operational risks to the business (collectively exhaustive) in which no risk is duplicated or overlaps with another (mutually exclusive).

23
Q

Which best identifies the outcome of requiring all employees to be trained in business continuity and disaster recovery plans?

Decreased size of risk management budgets

Decreased risk of occurrence of risk events

Increased risk of poor public relations

Increased confidence among organization shareholders

A

Increased confidence among organization shareholders.

Preparation for crises and business interruptions demonstrates quality management practices and would boost stakeholder confidence and public image. It would not affect the likelihood of occurrence, nor would it decrease risk management budgets.

24
Q

How is a risk control best understood by an organization?

Answers

Sharing a risk’s occurrence or impact and its likelihood

Indicating what triggers a specific risk management response

Restricting the amount of risk the organization assumes in its dealings

Ensuring that employees are following risk management guidelines

A

Sharing a risk’s occurrence or impact and its likelihood

A risk control is an action taken to manage a risk: to enhance the potential of an upside risk or to decrease the potential negative effects of a downside risk.

25
Q

Management decides that training supervisors to identify and prevent bullying is not necessary, and they do not fund a program budget. What does this illustrate?

Answers

Organization’s risk tolerance

Risk avoidance management strategy

Precedence of global standardization in the organization

Poor governance

A

Organization’s risk tolerance

Management has decided that it is willing to accept the risk that bullying will occur and possible organizational costs. This is an example of an organization’s risk tolerance, the amount of unmanaged risk that management is willing to accept.

26
Q

An organization examines the level of probability for all types of losses to which it may be exposed. What aspect of risk is the organization studying?

Answers

Mitigation planning

Impact

Vulnerability

Risk tolerance

A

Vulnerability

Vulnerability refers to the degree of probability that a loss will occur. Impact is the possible effect on the organization, and tolerance is the amount of risk the organization can handle if an event occurs. Mitigation planning occurs after analysis of probability, risk, and speed of onset.

27
Q

In terms of risk management, what is a risk control?

Answers

Contingency plan to be implemented in the event of a crisis

Mechanism to collect data for reporting to management

Measure taken to reduce the probability or severity of a threat

System to prevent the occurrence of a risk

A

Measure taken to reduce the probability or severity of a threat

In risk management terminology, the most inclusive answer here is that a risk control is any measure that modifies risk by decreasing the likelihood that a risk event will occur or the impact that the event would have on the organization.

28
Q

How often should an organization review the components of its enterprise risk management framework?

Answers

Only if a major incident has occurred

At an agreed-upon and regular interval

Every three years

When a new strategy is developed

A

At an agreed-upon and regular interval

Components of an organization’s risk management framework should be reviewed at an agreed-upon and regular interval as well as after major incidents.

29
Q

To meet a safety goal, an organization provided training to employees. The number of injuries, however, has not decreased over the last three years. What should the HR training manager do?

Answers

Require all employees to attend the training.

Hire an outside consultant to provide the training.

Develop new training content.

Evaluate and adjust the training.

A

Evaluate and adjust the training.

Evaluating the training will allow the company to identify whether the issue is with the training or the people, and adjustments can be made accordingly. Developing new content or hiring an outside consultant without evaluating the training could be a waste of time and resources. Making the training mandatory doesn’t help if the training is ineffective.

30
Q

A risk scorecard provides a weighted number for each event or threat and the probability of that threat occurring. Which other factors are needed to complete a threat ranking index?

Answers

Speed of onset, existing mitigation, and severity of impact

Risk category, classification, and reporting requirements

Risk level, impact, and the probability of event occurrence

Known knowns, known unknowns, and unknown unknowns

A

Speed of onset, existing mitigation, and severity of impact

A risk scorecard starts by identifying the event or threat. After factoring in the event/threat probability, speed of onset, existing mitigation, and severity of the impact, the user will see a final number that displays a weighted threat ranking index. Risk level, impact, and the probability of event occurrence are components of a risk matrix that visually demonstrates risk levels. Risk category, classification, and reporting requirements may be documented in a risk register but are not used in scoring. Known knowns, known unknowns, and unknown unknowns are categories of risk from the perspective of the amount and kinds of knowledge available when evaluating the risk.

31
Q

A mining company has had a safety program in place for over ten years. It has been effective in decreasing accidents and injuries. What should HR recommend?

Answers

Review the technology used in the program to see if newer, more effective technology is now available.

End the program and develop an entirely new program. Ten years is too long.

Leave the program as it is, since it appears to be effective.

Consider scaling the program back, since it has apparently changed employee behavior and created a safer workplace.

A

Review the technology used in the program to see if newer, more effective technology is now available.

Changes in technology may mean that the organization could be better able to detect and deter threats. However, that doesn’t mean that the organization should start from scratch with a new program. HR should work to assess the program and look for opportunities for continuous improvement.

32
Q

Which is the most appropriate example of risk mitigation?

Answers

Requiring criminal background checks for applicants

Training interviewers about proper questions to ask during hiring interviews

Implementing an emergency communication system for assignees

Requiring vaccination programs for assignees

A

Implementing an emergency communication system for assignees

A risk mitigation strategy seeks to reduce the negative impact of an event. A communication system cannot prevent crises, but it can decrease stress and reduce assignees’ exposure to threats.

33
Q

What are the primary categories of barriers to effective risk management?

Answers

Time, money, and resources

Location, personnel, and equipment

Structural, cognitive, and cultural

Opportunities, threats, and weaknesses

A

Structural, cognitive, and cultural

The primary categories of barriers to effective risk management are structural, cognitive, and cultural. An organization’s structure, willingness to change, and values will impact its willingness to engage in risk management. Time, money, and resources and location, personnel, and equipment may be impacted by risk management efforts, but they don’t drive those efforts. Similarly, opportunities, threats, and weaknesses may be part of what the organization looks at as part of its risk management efforts, but they don’t drive those efforts.

34
Q

What is a good example of an upside risk?

Answers

An organization is a vendor’s first major customer for a leading-edge technology system.

A technician proves highly skilled, invaluable, and irreplaceable.

Union demands for wages, benefits, and work conditions are unrealistic.

A team finishes its project two weeks ahead of the schedule.

A

A team finishes its project two weeks ahead of the schedule.

An upside risk is an opportunity that arises out of uncertainty about outcomes. Completion date is uncertain, but early project completion is an opportunity: an uncertainty that has a positive outcome.

35
Q

What is the primary purpose of a safety self-audit?

Answers

To eliminate unsafe acts and environmental factors in the company

To ensure employee compliance with the organization’s safety programs

To identify roles and responsibilities in the event of an industrial accident

To lower workers’ compensation insurance premiums for the company

A

To ensure employee compliance with the organization’s safety programs

A safety self-audit is conducted by an employer to assure the organization that employees are following safety-related policies and procedures. Workers’ compensation premiums are most directly affected by an organization’s rate of injuries. Being prepared to handle an emergency is a good practice, but it is more related to procedures and training than to an audit. An audit can only capture evidence of compliance or noncompliance. Compliance alone, especially if policies and training are faulty, will not eliminate unsafe acts.

36
Q

Which method is most effective for controlling hazards and their negative consequences?

Answers

Control the hazard by enclosing or guarding it at its source.

Require protective equipment to shield personnel against the hazard.

Abate and eliminate the hazard from the workplace.

Train personnel on awareness and safety procedures to avoid it.

A

Abate and eliminate the hazard from the workplace.

The most effective way to control hazards and their consequences is to engineer them out of the workplace. For example, a sawmill may design the cutting process so that the level of sawdust is acceptable.

37
Q

How does duty of care translate to an organization’s responsibilities?

Answers

Taking all steps reasonable to ensure employee health and safety

Complying with all local health and safety requirements

Providing health benefits to all of its employees and their families

Managing risks to employees on assignment

A

Taking all steps reasonable to ensure employee health and safety

Duty of care reflects an employer’s responsibility to take all steps reasonably possible to support employee health and safety and prevent harm, whether the employee is in the workplace or on a remote assignment. This may involve but is not restricted to providing access to health care and complying with regulatory requirements.

38
Q

What is the role of HR when it comes to whistleblowing?

Answers

Seeking to prevent whistleblowing by any means necessary, including reassigning, retraining, or terminating employees found whistleblowing

Gathering, assessing, and categorizing complaints from whistleblowers and presenting them to upper-level management during annual review cycles

Establishing a communication process that allows direct access to upper-level decision makers and protecting whistleblowers from retaliation

Working with mid-level managers to determine who is whistleblowing and seeking to ensure that the complaints are handled and withdrawn

A

Establishing a communication process that allows direct access to upper-level decision makers and protecting whistleblowers from retaliation

HR should ensure that whistleblowing complaints reach upper-level management and should protect whistleblowers from retaliation by coworkers or managers. In some locations, whistleblowers are protected by law. HR should not seek to independently address whistleblowing complaints or encourage or engage in retaliation against whistleblowers.

39
Q

The vice president of operations has asked the chief human resources officer (CHRO) to determine the risk levels across the organization’s three offices. With the help of the HR team, the CHRO conducts surveys, interviews, and focus groups to collect data. During which phase of the risk management process are these activities occurring?

Answers

Managing risks

Analyzing risks

Evaluating risks

Identifying risks

A

Identifying risks

Surveys, interviews, and focus groups are data-gathering techniques used to discover which risks exist and where; that is the identifying-risks phase. Analyzing and evaluating risks come afterward, once the identified risks can be examined for probability and impact.

40
Q

The HR department is instructed to fill a critical management position as quickly as possible. Using multiple agencies will produce more candidates more quickly but will increase the cost by several times. Which critical input should HR seek before deciding how to proceed?

Answers

Job description for the ideal candidate

Desired applicant-to-hire ratio to indicate success

Risk tolerance of the organization

Networking connections and employee referrals

A

Risk tolerance of the organization

HR needs to know how management rates the level of risk in not filling this position quickly: their risk tolerance. This will help HR decide whether the increased cost of using multiple search firms is appropriate.

41
Q

Risk

A

A broad set of factors, originating from both internal and external sources, that may impact business operations

42
Q

Moral hazard

A

An example of misaligned risk: one party engages in risky behavior because another party will bear any resulting loss. Alignment and balance between an organization’s goals and its associated risks is a necessary requirement for a sustainable business model.

43
Q

International Organization for Standardization Standard 31000

A

ISO 31000 presents definitions related to risk and principles for organizations to follow in making themselves more resilient and capable of managing risk.

44
Q

ISO definition of risk

A

The effect of uncertainty on objectives

45
Q

Risk management

A

Coordinated activities to direct and control an organization with regard to risk

46
Q

What are the categories of risk, by the knowledge available about them?

A

Known knowns, known unknowns, and unknown unknowns

47
Q

What is a known known risk?

A

Events that are to be expected and so involve little uncertainty

48
Q

What is a known unknown risk?

A

Uncertainties that we know exist but whose probability or impact we don’t know much about

49
Q

What is an unknown unknown risk?

A

Risks that we don’t know exist

50
Q

What are Kaplan and Mikes’s risk categories?

A

Internal and Preventable
External
Strategy

51
Q

What is the Internal and Preventable risk category?

A

These risks come from within the organization and could include violations of ethics and failure in routine processes.

52
Q

What is the External risk category?

A

These sources of uncertainty are outside the organization and beyond its control. They would include changes in the economy or laws and regulations, disruptive technologies, and availability of trained employees.

53
Q

What is the Strategy risk category?

A

There are times when an organization is willing to take on a certain amount of risk when it commits to a strategy. Examples include uncertainty as to whether loans can be repaid, whether employees will be fully productive, whether projects might fail, or whether resource shortages might occur. This willingness to accept risk is based on an assessment of the potential benefits that can be reaped from a successfully executed strategy.

54
Q

What are the 4 categories of enterprise risk?

A

Strategic
Operational
Financial
Hazard

55
Q

What is strategic risk?

A

Risks that affect the organization’s ability to achieve its objectives

56
Q

What is Operational Risk?

A

Risks that affect the myriad ways in which the organization creates value

57
Q

What is Financial Risk?

A

Risks that affect the accuracy and timeliness of information about the organization’s financial performance and condition.

58
Q

What are hazard risks?

A

Risks that have the potential to cause physical harm to property or people in the immediate and long term.

59
Q

What are the 3 barriers to risk management?

A

Structural
Cognitive
Cultural

60
Q

What is the structural barrier to risk management?

A

An organization’s structure can make it difficult to respond to risk, and communication may be more difficult.

61
Q

What are the ISO 31000 Principles that an effective risk management program should have/do?

A

Create and protect value
Be an integral part of all organizational processes
Be part of decision making
Explicitly address uncertainty
Be systematic, structured, and timely
Be based on the best available information
Fit an organization’s risk and control environment
Take into account human and cultural factors
Be transparent and inclusive
Be dynamic, iterative, and responsive to change
Facilitate continual improvement of the organization

62
Q

What are the 3 common examples of misaligned risks?

A

Moral Hazard
Principal-Agent Problem
Conflict of Interest

63
Q

What is the risk equation?

A

A tool that is an attempt to quantify the amount of uncertainty a risk represents.
Risk level = Probability of occurrence x Magnitude of impact
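The ALE and SLE cards above (cards 1 and 17) and the risk equation on this card describe the same quantitative calculation: risk level = probability of occurrence × magnitude of impact, with the annualized rate of occurrence as the probability and the single loss expectancy as the magnitude. The following is an added worked example, not part of the original flashcard set, that computes SLE and ALE for a small constructed risk register, ranks the risks, flags those whose ALE exceeds a stated risk tolerance, and estimates the residual ALE and net annual value of a proposed risk control (a control reduces likelihood, impact, or both, as card 27 says). The register entries, the asset values, exposure factors and rates of occurrence, the control’s assumed effect, its annual cost, and the tolerance figure are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One entry in a quantitative risk register (all values constructed)."""
    name: str
    asset_value: float       # AV: monetary value of the asset at risk
    exposure_factor: float   # EF: fraction of AV lost in one occurrence, 0.0..1.0
    aro: float               # ARO: expected number of occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF (card 17)."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO (card 1)."""
        return self.sle() * self.aro


@dataclass
class Control:
    """A proposed risk control and its assumed effect (constructed values)."""
    name: str
    annual_cost: float       # what the control costs per year to operate
    aro_reduction: float     # fraction by which ARO drops (reduces likelihood)
    ef_reduction: float      # fraction by which EF drops (reduces impact)


def risk_level(probability: float, magnitude: float) -> float:
    """The risk equation from the card: risk level = P(occurrence) x magnitude.
    ALE is this equation with ARO as the probability and SLE as the magnitude."""
    return probability * magnitude


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains after the control is applied: the residual risk (card 9)."""
    new_aro = risk.aro * (1.0 - control.aro_reduction)
    new_ef = risk.exposure_factor * (1.0 - control.ef_reduction)
    return risk_level(new_aro, risk.asset_value * new_ef)


def control_net_value(risk: Risk, control: Control) -> float:
    """Annual loss avoided by the control minus its annual cost.
    Positive means the control is worth more than it costs to run."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost


def rank_by_ale(risks: list) -> list:
    """Names of the risks ordered from largest to smallest ALE."""
    return [r.name for r in sorted(risks, key=lambda r: r.ale(), reverse=True)]


def above_tolerance(risks: list, tolerance_ale: float) -> list:
    """Risks whose ALE exceeds the tolerance (an assumed annual-loss figure)
    and therefore need a treatment decision rather than plain acceptance."""
    return [r.name for r in risks if r.ale() > tolerance_ale]


# Constructed register: three HR-relevant risks with assumed AV, EF and ARO.
REGISTER = [
    Risk("payroll system outage", asset_value=200_000, exposure_factor=0.25, aro=0.5),
    Risk("workplace injury claim", asset_value=80_000, exposure_factor=0.5, aro=2.0),
    Risk("loss of key technician", asset_value=150_000, exposure_factor=0.5, aro=0.1),
]

# Assumed control for the outage risk: a failover system that cuts ARO by 80%
# but does nothing to the exposure factor once an outage does occur.
FAILOVER = Control("payroll failover", annual_cost=8_000, aro_reduction=0.8, ef_reduction=0.0)


if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:24} SLE={r.sle():>10,.0f}  ALE={r.ale():>10,.0f}")
    print("ranked by ALE:", rank_by_ale(REGISTER))
    print("above tolerance of 20,000/yr:", above_tolerance(REGISTER, 20_000))
    outage = REGISTER[0]
    print(f"residual ALE with {FAILOVER.name}: {residual_ale(outage, FAILOVER):,.0f}")
    print(f"net annual value of {FAILOVER.name}: {control_net_value(outage, FAILOVER):,.0f}")
```

With the constructed numbers the injury claim ranks first (ALE 80,000) even though its single loss is smaller than the outage’s, because it is expected twice a year; the failover control leaves a residual ALE of 5,000 on the outage risk and is worth about 12,000 a year net of its cost. Compare the residual figure against the tolerance before declaring the risk treated: a control that is cost-positive can still leave residual risk above what management has said it will accept.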
