ARM 400 - Segment B - Chapters 4, 5, & 6
A privacy impact assessment (PIA) is Select one: A. Proprietary software used to detect malware. B. A tool used to identify and assess privacy risks. C. An example of metadata that defines key data attributes. D. A collaborative tool that facilitates workflows.
B. A tool used to identify and assess privacy risks.
Which one of the following categories of agency costs is assumed by managers? Select one: A. Advertising costs B. Bonding costs C. Incentive alignment costs D. Monitoring costs
B. Bonding costs
Which one of the following is an example of an internal key risk indicator (KRI) that a contractor might monitor? Select one: A. Availability of skilled labor B. Budget variances C. Interest rates D. Cost of lumber
B. Budget variances
Which one of the following statements is true regarding the roles of a risk champion and a chief risk officer? Select one: A. A chief risk officer reports to a risk champion, who in turn interacts with the company executives and the board of directors. B. A risk champion is a member of the board of directors who has been selected to concentrate his or her efforts on assessing the risks faced by an organization. C. A chief risk officer is more likely to have a dedicated staff to assist with the responsibilities of his or her job. D. A chief risk officer usually has less influence on corporate decision making than a risk champion.
C. A chief risk officer is more likely to have a dedicated staff to assist with the responsibilities of his or her job.
There are two types of associated risk for data privacy, individual and general risk. General data privacy risk Select one: A. Is of specific concern to the European Union. B. Involves legal and regulatory requirements. C. Can be categorized operational or reputational. D. Varies by the type of business or industry.
C. Can be categorized operational or reputational.
Donna's Dog Treats has been very successful in the Boston area and would like to expand to new cities. Donna knows that she cannot make this decision based on customer advice and blind faith. She has collected internal financial and operational data as well as external data from reliable sources. Donna has hired an analyst to review the data quality. The analyst is reviewing the data to see if it includes the demographics for each target city that Donna is considering. Which one of the following data-quality principles is being evaluated? Select one: A. Reasonableness B. Appropriateness C. Comprehensiveness D. Validity
C. Comprehensiveness
One corporate governance issue is accountability of directors. One method to increase accountability of directors is to Select one: A. Include more inside directors. B. Decrease the independence of audit and compensation committees. C. Conduct regular meetings of outside directors without management being present. D. Ensure that the chief executive officer serves as board chairman.
C. Conduct regular meetings of outside directors without management being present.
Which one of the following is an example of an external key risk indicator (KRI) that a manufacturer might monitor? Select one: A. Amount of budget variances B. Number of employee injuries C. Cost of raw materials D. Age of accounts payable
C. Cost of raw materials
Which one of the following data governance tools allows the data governance committee to look at data relationships and interdependencies across the organization? Select one: A. External compliance guidelines B. Internal coding procedures C. Enterprise data models D. Project management programs
C. Enterprise data models
A subset of data integration that allows user to generate a dynamic view of data without moving it or needing temporary or intermediary storage of it
Data virtualization
Sound risk management decisions are predicated on Select one: A. Quality data. B. Operational efficiencies. C. Effective decision-making. D. Regulations and compliance
A. Quality data.
Business process management (BPM) focuses on coordinating all activities of an organization on which one of the following? Select one: A. Profitability B. Technology C. Client satisfaction D. Regulatory requirements
C. Client satisfaction
The lifeblood of every organizational function is Select one: A. Risk management. B. Regulation. C. Employees. D. Data.
D. Data.
Which one of the following statements regarding the structure and role of a board of directors is true? Select one: A. The board of directors must be comprised of ten directors, with an equal number of inside and outside directors. B. The board is responsible for the day-to-day decisions at a corporation. C. Members of the board are appointed by the president of the company. D. Members of the board elect a director to be chairman of the board.
D. Members of the board elect a director to be chairman of the board.
Ensuring quality data requires a Select one: A. Data governance committee B. Business Analyst. C. More efficient deployment of resources. D. Systematic and purpose-driven review process.
D. Systematic and purpose-driven review process.
Organizations are increasingly creating chief risk officer (CRO) positions. Which one of the following statements is correct with respect to CROs? Select one: A. A 2012 survey indicated that, in companies with annual revenue greater than $20 billion, fewer than 20% had created a CRO position. B. Typically, a CRO analyzes, measures, and monitors risk; compiles reports; and facilitates risk workshops without the need for staff. C. CROs' roles are relatively standardized from industry to industry; they focus primarily on measuring and controlling risk. D. The CRO's rank and importance to the board of directors are equal to those of the organization's other executive officers.
D. The CRO's rank and importance to the board of directors are equal to those of the organization's other executive officers.
a type of malware, serving as cyber extortion for financial gain; Criminals can hide links to this in seemingly normal emails or web pages
Ransomware
The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards? Select one: A. A corrective measure linked with an identified tolerance level B. A critical success factor derived from a strategic objective C. A severe risk tolerance level D. A key performance indicator based on financial ratios
A. A corrective measure linked with an identified tolerance level
Which one of the following is a data governance committee (DGC) responsibility? Select one: A. A data governance committee ensures there are few conflicts or redundancies in data standards and practices. B. A data governance committee both retrieves and prepares metadata for use by an organization. C. A data governance committee is charged with monitoring the volume of big data within an organization. D. A data governance committee plays a key role in project management for data projects.
A. A data governance committee ensures there are few conflicts or redundancies in data standards and practices.
Successful organizations have goals and objectives. A financial or nonfinancial measurement that defines how successfully an organization is progressing toward its long-term goals is referred to as Select one: A. A key performance indicator (KPI). B. A critical success factor (CSF). C. An operating standard (OS). D. An objective gauge (OG).
A. A key performance indicator (KPI).
Carbon Manufacturing Company just hired a new chief risk officer (CRO) and one of his first tasks was to recommend updated key risk indicators (KRIs) to the chief executive officer (CEO). The CEO was especially interested in KRIs measuring the company's profitability. One area of measurement that the new CRO might want to use is Select one: A. Aged accounts receivable. B. Customer orders. C. Customer invoices. D. Personnel changes.
A. Aged accounts receivable.
All of the following are true regarding the composition of boards of directors, EXCEPT: Select one: A. Corporate boards are uniform in size with 13 directors. B. Boards include both inside directors and outside directors. C. Directors elect the chairman of the board. D. Outside directors serve on the compensation committee.
A. Corporate boards are uniform in size with 13 directors.
In terms of data governance, IT employees hold the role of Select one: A. Data custodians. B. Compliance regulators. C. Rule developers. D. Data stewards.
A. Data custodians.
Data governance provides Select one: A. Definitions, standards and procedures for how data is used. B. The internal data entry processes needed to capture accounting transactions. C. A dynamic view of data without needing to move it between systems. D. A road map that details where data is located.
A. Definitions, standards and procedures for how data is used.
Organizations use key risk indicators (KRIs) to plan for and respond to risk. Which one of the following statements is correct with respect to KRIs? Select one: A. KRIs are effective internal indicators of changes such as budget variances; however they are not effective external indicators. B. An organization's risk criteria, predefined tolerance ranges that measure variances from expected outcomes, are based on risk thresholds C. Risk criteria relating to an organization's strategic risks generally do not serve as the bases for KRIs, which tend to be operational in focus. D. A KRI can reveal an upward trend in the level of a risk that, if it continues, will exceed the designated risk threshold for that risk.
D. A KRI can reveal an upward trend in the level of a risk that, if it continues, will exceed the designated risk threshold for that risk
To gain a competitive advantage, maintain profitability, and satisfy customers an organization must Select one: A. Have an effective risk management program. B. Pay attention to the marketplace. C. Adopt current accounting rules. D. Be able to trust its data.
D. Be able to trust its data.
The business process management (BPM) life cycle incorporates five steps. Which one of the following best describes the first step in the process? Select one: A. Processes are modeled to identify the organization's response to what-if scenarios. B. Processes are designed or redesigned by considering workflows and affected personnel. C. Processes are tracked so that statistics on their performance can be gathered. D. Critical processes that support achievement of the organization's goals are selected for analysis.
D. Critical processes that support achievement of the organization's goals are selected for analysis.
Under the General Data Protection Regulation (GDPR), a data controller's role is to Select one: A. Manage the flow of data for the rest of the organization. B. Represent the business aspects of data governance. C. Define the metrics used to measure an organization's overall data quality. D. Define how and for what purpose personal data should be processed.
D. Define how and for what purpose personal data should be processed.
All of the following are mechanisms to align manager and shareholder interests, EXCEPT: Select one: A. Incentive compensation B. Legal liability C. Management reputation D. Expansion and growth
D. Expansion and growth
the general term to describe any software intentionally designed to cause damage to a computer, server, client, or computer network.
Malware
Information about data and is generally attached to the data in someway; contains information about business rules and data processing
Metadata
a tool used to identify and assess privacy risks through out the development life cycle of a program or system and should identify whether the info being collected complies with privacy-related legal and regulatory requirements
Privacy Impact Assessment (PIA)
Simone works for a large accounting firm, and upper management has tasked her with coming up with an organization-wide data management strategy. Identify Simone's starting point for managing that data.
Simone's starting point, as well as the starting point for any data management initiative, is data governance. Data governance is the rules and decisions behind how the data in question will be managed.
One of the strategic objectives for Cromley Insurance Group is customer satisfaction. Which one of the following is a critical success factor (CSF) that would help refine this strategic objective? Select one: A. High customer retention B. Increase retention ratio by 5% C. Reduce claim activity by 4 to 6% D. High profitability
A. High customer retention
Which one of the following defines individual risk? Select one: A. Individual risk varies according to the type of business. B. Individual risk is defined by the data governance committee. C. Individual risk may be categorized as operational. D. Individual risk is reputational in nature.
A. Individual risk varies according to the type of business.
For an organization, a key performance indicator (KPI) measures the performance of a specific activity at a predetermined level or amount. Which one of the following is an example of a KPI based on a ratio? Select one: A. Inventory turnover B. High employee morale C. Customer-focused website D. Safe transport of customer goods
A. Inventory turnover
Malware is defined as Select one: A. Software designed to cause damage. B. A tool for managing data security. C. Software technology used to encrypt data. D. A hardware-based security breach.
A. Software designed to cause damage.
Encrypting data to block its use if stolen is an example of a Select one: A. Software-based security solution. B. Hardware-based security solution. C. Incident response plan. D. Cyber-threat inventory approach.
A. Software-based security solution.
A corporate board of director's chair person is elected by Select one: A. The board of directors. B. The shareholders. C. Executive management. D. Proxies.
A. The board of directors.
Which one of the following statements is true regarding separation of ownership and control in corporations? Select one: A. The incentive for managers and non-management board members to pursue their own interests at the expense of shareholders gives rise to agency costs. B. Corporate governance is not concerned with the separation of ownership and control. C. Shareholders retain decision-making authority while managers control business operations. D. Limited liability of shareholders impedes the separation of ownership and control in corporations.
A. The incentive for managers and non-management board members to pursue their own interests at the expense of shareholders gives rise to agency costs.
Some best practices models call for the formation of a risk committee with a risk management focus at the organization's executive management level. Which one of the following statements best describes one of the responsibilities of an executive-level risk committee? Select one: A. To approve the organization's risk management strategies, including their design and implementation. B. To assist the board in establishing the organization's risk appetite and risk tolerance levels C. To oversee exposures of the organization's critical risks and advise the board on risk strategy. D. To monitor the organization's compliance with established risk limits and how noncompliance is addressed
A. To approve the organization's risk management strategies, including their design and implementation.
One example of a bonding cost, as it relates to separation of ownership and control in a corporation, is a manager's Select one: A. Willingness to accept non-cash compensation that links the manager's compensation to the corporation's performance B. Avoidance of a project that is perceived to be too risky. C. Decision to direct corporate resources to risk reduction or risk transfer rather than maximize the corporation's stock. D. Decision to hire external auditors to verify the corporation's financial statements.
A. Willingness to accept non-cash compensation that links the manager's compensation to the corporation's performance
At Northern Consolidated (NC), Yu is a business analyst and Grace an IT technician. Compare Yu's role with Grace's in NC's data governance.
As a business analyst, Yu is qualified to assess or provide feedback on the data needed for analysis. Yu may develop business rules for the IT Department's data model and make informed and timely decisions regarding the use of data, data-quality expectations, and information access. In her role in IT, Grace serves as a data custodian and provides technological expertise.
Which one of the following defines the duties of a data steward? Select one: A. A data steward measures data compliance. B. A data steward is an experienced business analyst. C. A data steward provides technological support. D. A data steward is a project manager.
B. A data steward is an experienced business analyst.
Max is a new investor and the only stocks he owns are his 1,500 shares of Large Corporation. Large operates in a volatile high-tech sector. Max could readily trim his risk of owning shares by Select one: A. Concentrating his investments in one sector. B. Diversifying his investment across many corporations. C. Concentrating his investments in one company. D. Diversifying his insurance coverage.
B. Diversifying his investment across many corporations.
Which one of the following statements is correct with respect to the role of a board of directors in risk oversight? Select one: A. A board's risk management strategy and broad objectives typically have little effect in setting the tone for risk management across the entire organization. B. Increasing pressure on boards of directors to provide greater enterprise-wide risk oversight comes from sources such as investors, rating agencies, and regulators. C. Financial services organizations are far less subject to regulatory pressure for increased transparency and risk oversight than are corporations in nonfinancial business sectors. D. A 2012 survey of executives revealed that practically all boards have formally assigned risk oversight responsibility to a board committee.
B. Increasing pressure on boards of directors to provide greater enterprise-wide risk oversight comes from sources such as investors, rating agencies, and regulators.
The managers and executives at Oakes Corporation feel pressure to improve quarterly financial results because they have become the laughingstock of their competitive niche. They wish to change this and restore the excellent light in which competitors once viewed them. Such concerns on the part of Oakes' leadership reflect concern for Select one: A. Legal liability. B. Management reputation. C. Takeover threats. D. Shareholder reputation.
B. Management reputation.
A corporate goal of a not-for-profit corporation most likely includes Select one: A. Maximizing the value of the corporation's total economic value. B. Maximizing the value of goods or services provided to constituencies. C. Maximizing the corporation's cash flow. D. Maximizing the corporation's economic value
B. Maximizing the value of goods or services provided to constituencies.
Which one of the following steps in the Business Process Management (BPM) life cycle allows an organization to map out the most efficient process by using what-if analysis? Select one: A. Execute Process Changes B. Model Scenarios C. Monitor Results D. Optimizes Processes
B. Model Scenarios
Corporate governance is evolving towards the separation of oversight and control for boards of directors. This separation may be accomplished by Select one: A. Requiring the audit committee to be comprised of inside directors. B. Requiring the majority of the directors to be outside directors. C. Using company-appointed board members rather than shareholder-elected board members. D. Requiring a company executive to chair each board committee.
B. Requiring the majority of the directors to be outside directors.
Which one of the following statements regarding corporate governance and risk oversight is true? Select one: A. Board oversight should be limited to past history and current conditions, and should avoid consideration of uncertain future events. B. Some board of directors delegate risk oversight tasks to board committees, such as the audit committee, risk committee, and compensation committee. C. Nonfinancial organizations are subject to greater regulatory pressure for transparency and astute risk management than financial organizations. D. Corporate governance and risk oversight have no impact on the value of the organization.
B. Some board of directors delegate risk oversight tasks to board committees, such as the audit committee, risk committee, and compensation committee.
As a category of agency costs, bonding costs include Select one: A. Cash compensation. B. Stock options and restricted stock. C. Fees paid to outside auditors. D. Fees paid to outside directors.
B. Stock options and restricted stock.
Humongous Corporation has announced that it seeks strategic growth through acquisition. It is carefully eyeing a smaller company, Tiny Corporation. Tiny Corporation is aware of such scrutiny and interest. Within Tiny Corporation, a market force that can help align interests of its corporate decision makers and shareholders is which one of the following? Select one: A. Regulatory action B. Takeover threats C. Merger opportunities D. Quarterly earnings announcements
B. Takeover threats
North American Furnishings is using business process management to help it identify risks that threaten its processes. Which one of the following risks would be considered an internal risk? Select one: A. The loss of available materials due to tornadoes B. The loss of skilled craftspeople due to retirement C. The rise in the cost of materials due to new forestry regulations D. The drop in demand due to rising interest rates
B. The loss of skilled craftspeople due to retirement
Corporate governance is defined as Select one: A. A body of law that specifies how corporations are legally formed and chartered. B. The mechanisms and procedures that determine how corporations are run. C. A diagram of reporting relationships and levels of authority within an organization. D. The reporting chain of command within an organization.
B. The mechanisms and procedures that determine how corporations are run.
Which one of the following is a main characteristic of effective key risk indicators (KRIs)? Select one: A. They measure progress toward achieving objectives. B. They are based on quantifiable information. C. They are lagging in nature. D. They define the boundaries of risk tolerance.
B. They are based on quantifiable information.
continually networking, researching, and testing new tactics, techniques, and procedures to deploy cyber threats. They're also always looking for ways to disrupt operations, make money, or spy on their targets.
Bad Actors
Juan has been asked to develop a data security program for a regional retail chain. To date, the retail chain has not invested at all in data security, and the employees are resistant to making changes. However, management realizes the chain could easily be put out of business if customer data is breached. Juan isn't sure where to start. Identify some basic processes that should be part of any data security program and that Juan can implement while working to fully understand the organization's risks.
Basic processes in any data security program should include defining a plan and policies, managing who has access to the data, developing stronger passwords, and establishing extensive backup procedures. Juan should start with implementing these practices as he begins to work on the retail chain's data security program.
The chief financial officer of Strapped Enterprises laments to his staff, "These corporate monitoring costs are killing us! They were up 38% in the second quarter!" Which one of the following is an example of monitoring costs? Select one: A. Fees paid to insurers B. Expenses incurred due to Board meetings C. Fees paid to outside auditors D. Fees paid to outside directors
C. Fees paid to outside auditors
An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards? Select one: A. A key performance indicator (KPI) answers the question, "What will make our organization a success?" B. Organizations with key performance indicators (KPIs) established for critical success factors (CSFs) will typically achieve organizational goals. C. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable. D. Generally, an organization's risk tolerance has little impact on its critical success factors (CSFs) and key performance indicators (KPIs).
C. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.
Organizations use key risk indicators (KRIs) to plan for and respond to risk. Which one of the following statements is correct with respect to KRIs? Select one: A. To best manage risk, an organization should have as many KRIs as possible. B. To be effective, KRIs should be detailed and specific. C. KRIs are based on quantifiable information and support management decisions. D. KRIs are usually only established for the executive level within an organization.
C. KRIs are based on quantifiable information and support management decisions.
An evolving tenet of corporate governance is that control and oversight be separated at the board level. In a board context, this separation is often achieved by requiring that most directors be Select one: A. Executives. B. Inside directors. C. Outside directors. D. Unpaid directors.
C. Outside directors.
An organization has established a key performance indicator to "reduce employee injuries by 6%." Which one of the following would indicate a low risk tolerance for this KPI? Select one: A. Reduce employee injuries by 2% B. Reduce employee injuries by 4% C. Reduce employee injuries by 5 to 6%. D. Employee injury rate remains unchanged
C. Reduce employee injuries by 5 to 6%.
The board of directors must use a thorough understanding of the organization's overall risk philosophy to determine the amount of risk the organization is willing to seek or accept in the pursuit of long-term objectives. This amount of risk is called the organization's Select one: A. Maximum possible loss. B. Retention level. C. Risk appetite. D. Probable maximum loss.
C. Risk appetite.
Which one of the following is the term used for a person—usually a manager—who advocates for and supports a specific aspect of the risk management process in an organization? Select one: A. Internal auditor B. Risk manager C. Risk champion D. Chief risk officer (CRO)
C. Risk champion
Which one of the following terms refers to information used as a basis for measuring the significance of a risk? Select one: A. Risk tolerance B. Risk appetite C. Risk criteria D. Risk threshold
C. Risk criteria
Organizations use key risk indicators (KRIs) to plan for and respond to Select one: A. Emergencies. B. Failure. C. Risk. D. Questions.
C. Risk.
Which one of the following is an element of a data security program? Select one: A. Installing agile project management. B. Implementing a data governance program. C. Storing data back-ups off site. D. Increasing the overall efficiency of data systems.
C. Storing data back-ups off site.
In terms of data quality principles, validity is defined as Select one: A. The extent that each dataset contains all elements necessary for business needs. B. The true value of data relative to the business information being analyzed. C. The accuracy of data within predefined and accepted parameters or values. D. The process of tracing data from its source to its destination.
C. The accuracy of data within predefined and accepted parameters or values.
Karen Williams, a retired chief financial officer of a bank, was invited to join the board of directors of ABC Property and Liability Insurance Company. She was asked to serve on the Audit Committee and the Risk Committee of the ABC board. Which of the following statements is true regarding Karen's service on the ABC board of directors? Select one: A. Karen's Audit Committee takes precedence over the board of directors with regard to oversight responsibility. B. The work of Karen's Risk Committee is limited to a review of the insurance company's underwriting results and the company's investment portfolio. C. The entire board retains oversight responsibility over risks that are assigned to Karen's Audit Committee. D. As a board member, Karen is expected to be a disinterested party, only questioning the management team when new corporate initiatives fail.
C. The entire board retains oversight responsibility over risks that are assigned to Karen's Audit Committee.
The data quality principle of reasonability refers to Select one: A. The comprehensive nature of data. B. The appropriateness of current data. C. The materiality or relevance of data. D. The systematic process of tracing data.
C. The materiality or relevance of data.
Which of the following statements best describes the risk governance role and responsibility of a corporate board of directors? Select one: A. To establish risk management policies, to define risk management roles and responsibilities, and to set risk management implementation goals. B. To convert strategy into operational objectives and to identify and assess the impact of risks on the achievement of the objectives C. To set the organization's risk appetite and to stay informed of the most significant risks to the organization and management's responses. D. To assign risk management procedures for day-to-day functions and internal controls.
C. To set the organization's risk appetite and to stay informed of the most significant risks to the organization and management's responses.
Key risk indicators (KRIs) can be established for various levels within an organization. Which one of the following levels of an organization usually has the most detailed KRIs? Select one: A. Board of director level B. Senior management level C. Business-unit level D. Department level
D. Department level
Business process management (BPM) uses risk indicators. Which one of the following best defines the term "risk indicator"? Select one: A. It sets a project's risk threshold based on the organization's overall risk tolerance. B. It is a basis used for gauging an organization's tolerance for risk. C. It is a measurement of how successfully an organization is avoiding risk. D. It is a tool used to measure the level of uncertainty in an activity, project, or process.
D. It is a tool used to measure the level of uncertainty in an activity, project, or process
Which one of the following answers the question, "What shows we are a success?" Select one: A. Critical success factor B. Strategic objective C. Risk tolerance level D. Key performance indicator
D. Key performance indicator
While corporate governance is concerned with separating ownership and control, it is also concerned with separating control from Select one: A. Management. B. Shareholding. C. Compliance. D. Oversight.
D. Oversight.
Cyber extortion is another name for Select one: A. Social engineering. B. Bitcoin C. Phishing. D. Ransomware.
D. Ransomware.
Key risk indicators (KRIs) help organizations identify issues that can lead to losses. Effective KRIs are based on a company's Select one: A. Product or industry. B. Organizational structure. C. Sales volume. D. Strategic objectives.
D. Strategic objectives.
Which one of the following statements is true regarding the business process management (BPM) life cycle model? Select one: A. The model is designed to review one business process at a time. B. The model is ineffective unless all five steps are completed on a continuous basis. C. The model is primarily used by organizations in the manufacturing sector. D. The model is driven by the collaboration of human and technological input.
D. The model is driven by the collaboration of human and technological input.