Week 4

Question 1

What is the definition of risk mitigation?

Answer 1

Risk mitigation involves implementing measures to reduce the likelihood and impact of identified risks.

Question 2

What are the four main risk mitigation strategies?

Answer 2

Avoidance, Reduction, Sharing, and Acceptance.

Question 3

What is risk avoidance?

Answer 3

Eliminating activities or conditions that expose the organization to risk.

Question 4

What is risk reduction?

Answer 4

Implementing controls to reduce the likelihood or impact of risks.

Question 5

What is risk sharing?

Answer 5

Transferring or sharing the risk with other parties, such as purchasing insurance or outsourcing activities.

Question 6

What is risk acceptance?

Answer 6

Acknowledging the risk and choosing to accept it without additional controls, such as setting aside contingency funds.

Question 7

What are preventive controls?

Answer 7

Controls that aim to reduce the likelihood of an event happening, such as car seat belts or segregation of duties.

Question 8

What are detective controls?

Answer 8

Controls that aim to detect events during or just after they occur, such as smoke detectors or file reconciliations.

Question 9

What are corrective controls?

Answer 9

Controls that aim to mitigate impacts after an event, such as redundancies, backups, or crisis communication strategies.

Question 10

What is self-certification/inquiry in control testing?

Answer 10

An interview with the control owner, limited to low-risk or secondary controls due to lack of evidence.

Question 11

What is examination in control testing?

Answer 11

Review of supporting documentation that provides moderate assurance and suits automated controls.

Question 12

What is observation in control testing?

Answer 12

Real-time oversight of control execution, suitable for key controls to assess design and effectiveness.

Question 13

What is reperformance in control testing?

Answer 13

The most rigorous test, replicating control processes on sample transactions; provides the highest assurance, recommended for high-risk environments.

Question 14

What are optimistic controls?

Answer 14

Controls that rely on exceptional ability or motivation, often becoming superficial ‘tick-box’ tasks, such as last-minute sign-offs on large document volumes.

Question 15

What are duplicative controls?

Answer 15

Controls where more than one person reviews the same information (e.g., ‘four-eyes check’), which can dilute accountability and reduce focus.

Question 16

What are slips in human error typology?

Answer 16

Involuntary errors due to distraction, inattention, or poor work environments.

Question 17

What are rule-based mistakes in human error typology?

Answer 17

Voluntary but incorrect actions caused by flawed or conflicting rules.

Question 18

What are knowledge-based mistakes in human error typology?

Answer 18

Voluntary but incorrect actions resulting from unfamiliarity or lack of training.

Question 19

What are violations in human error typology?

Answer 19

Deliberate disregard for rules, mitigated by supervision and strong organizational culture.

Question 20

What is the difference between active and latent errors?

Answer 20

Active errors are direct operator actions (e.g., pressing the wrong button), while latent errors are flawed processes or systems that only manifest later.

Question 21

What is risk transfer?

Answer 21

Moving the consequence or causes of a risk to another party, often via insurance or outsourcing.

Question 22

Why can’t reputational risk be outsourced?

Answer 22

Because the reputation of the organization remains tied to its name and brand, regardless of who performs the activities.

Question 23

What are the key components of a risk mitigation plan?

Answer 23

Risk description, mitigation measures, responsibilities, resources, and timeline.

Question 24

What is Root Cause Analysis (RCA)?

Answer 24

A systematic process used to identify the underlying causes of problems or incidents to prevent recurrence.

Question 25

What is the '5 Whys' technique in Root Cause Analysis?

Answer 25

A technique where you ask 'why' multiple times to drill down to the root cause of a problem.

Question 26

What is a Fishbone Diagram (Ishikawa)?

Answer 26

A visual tool that categorizes potential causes of problems in a structured way.

Question 27

What is the Bow-tie tool used for?

Answer 27

An effective tool for root cause analysis that links causes, events, and consequences to visualize controls.

Question 28

What are the steps in Root Cause Analysis?

Answer 28

Define the problem, collect data, identify possible causes, analyze causes, develop solutions, implement and monitor.

Question 29

When should standardized root cause analysis be conducted according to BCBS?

Answer 29

For significant operational risk events and near misses, typically setting thresholds (e.g., $100,000).

Question 30

Which line of defense leads root cause analysis and creates action items?

Answer 30

The first line of defense.

Question 31

What is the role of the second line of defense in root cause analysis?

Answer 31

Monitors and tracks action items, escalating issues above higher thresholds to senior management or risk committees.

Question 32

What are the key elements of an effective action plan?

Answer 32

Problem statement, objectives, actions, responsibilities, resources, timeline, and evaluation metrics.

Question 33

What triggers the need for an action plan?

Answer 33

Risk events or assessments that reveal impacts above risk appetite.

Question 34

What is conduct in the context of operational risk?

Answer 34

The behavior of individuals within the organization and how they adhere to policies, rules, and ethical standards.

Question 35

What is culture in the context of operational risk?

Answer 35

The shared values, beliefs, and norms that influence how employees think, behave, and interact within an organization.

Question 36

What are the elements of a strong risk culture?

Answer 36

Leadership commitment, clear values and expectations, training and awareness, open communication, and accountability.

Question 37

What are the three levels of incentives for behavioral change?

Answer 37

Personal motivation, social motivation, and structural motivation.

Question 38

What is propinquity and how does it affect risk culture?

Answer 38

Proximity that fosters familiarity, understanding, and acceptance, enhancing collaboration and communication between teams.

Question 39

What is conduct risk?

Answer 39

The risk of inappropriate, unethical, or unlawful behavior by employees.

Question 40

What are examples of conduct risk?

Answer 40

Fraud, insider trading, bribery, harassment, and discrimination.

Question 41

What methods can be used to assess conduct risk?

Answer 41

Surveys and questionnaires, incident reporting systems, audits and reviews, and behavioral analytics.

Question 42

What strategies promote ethical conduct?

Answer 42

Code of conduct, leadership by example, reward and recognition, whistleblower protection, and regular training.

Question 43

What is the role of leadership in shaping organizational culture?

Answer 43

Articulating vision and values, setting behavioral expectations, fostering inclusion, ensuring consistent actions, and encouraging feedback for improvement.

Question 44

What tools can measure culture and conduct?

Answer 44

Culture surveys, focus groups, performance metrics, exit interviews, and 360-degree feedback.

Question 45

What are the benefits of a strong conduct and culture framework?

Answer 45

Enhanced reputation, increased employee engagement, risk mitigation, regulatory compliance, and better organizational performance.

Question 46

What is one future trend in conduct and culture?

Answer 46

Increased focus on behavioral regulation to influence and monitor good behaviors.

Question 47

What does the Bow-tie analysis help identify?

Answer 47

Common features across incidents to implement organization-wide solutions.

Question 48

Why is it important to simplify risk reporting processes?

Answer 48

To encourage engagement and prevent underreporting by reducing complexity and confusion.

Question 49

What is the 80/20 rule in Pareto Analysis?

Answer 49

A technique that focuses on identifying the most significant causes, based on the principle that 80% of problems come from 20% of causes.

Question 50

How should action plans be treated according to best practices?

Answer 50

They should be treated as projects, with phased deliverables and periodic reporting, especially for large plans.