ERM 602 - OPERATIONAL RISK MANAGEMENT Midterm

Which of the following reviews will provide the MOST insight into an enterprise's operational readiness and effectiveness capabilities associated with risk? A. A Capability Maturity Model Integrated (CMMI) review B. A capability comparison with industry standards or regulations C. A self-assessment of capabilities D. An internal audit review of capabilities

A. A Capability Maturity Model Integrated (CMMI) review

Which of the following would BEST assist an operational risk/ control professional in measuring the existing level of maturity of risk management processes against their desired state? A. A capability Maturity Model (CMM) B. Risk management audit reports C. A balanced scorecard (BSC) D. Enterprise security architecture

A. A capability Maturity Model (CMM)

Which of the following assessments of an enterprise's operational risk monitoring process will provide the BEST information about its alignment with industry-leading practices? A. A capability assessment by an outside firm B. A self-assessment of capabilities C. An independent benchmark of capabilities D. An internal audit review of capabilities

A. A capability assessment by an outside firm

An operational risk response report would include recommendations for: A. Acceptance. B. Assessment. C. Evaluation. D. Quantification.

A. Acceptance.

Which of this following is a recommended practice to mitigate the risk of pandemic break from business continuity aspects? A. Pandemic assessment B. Business closure C. Facial masks D. Telecommuting

A. Pandemic assessment

Previously accepted risk should be: A. Reassessed periodically since the risk can be escalated to an unacceptable level due to revised conditions. B. Removed from the risk log once it is accepted. C. Accepted permanently because management has already spent resources (time and labor) to conclude that the risk level is acceptable. D. Avoided next time because risk avoidance provides the best protection to the enterprise.

A. Reassessed periodically since the risk can be escalated to an unacceptable level due to revised conditions.

Which of the following is MOST important to determine when defining operational risk management (ORM) strategies? A. Risk assessment criteria B. IT architecture complexity C. Enterprise disaster recovery plans (DRPs) D. Organizational objectives and risk tolerance

A. Risk assessment criteria

During an operational risk management exercise, an analysis was conducted on the identified risk and new control-based mitigations. Which choice BEST reflects residual risk? A. Risk left after the implementation of new or enhanced controls B. Risk mitigated as a result of the implementation of new or enhanced controls C. Risk identified prior to implementation of new or enhanced controls D. Risk classified as high after the implementation of new or enhanced controls

A. Risk left after the implementation of new or enhanced controls

A PRIMARY reason for initiating a policy exception process is when: A. The risk is justified by the benefit. B. Policy compliance would be difficult to enforce. C. Operations are too busy to comply. D. Users may be inconvenienced.

A. The risk is justified by the benefit.

One way to determine control effectiveness is by determining: A. The test results of intended control objectives. B. Whether it is preventive, detective or compensatory. C. The capability of providing notification of failure. D. The evaluation and analysis of reliability.

A. The test results of intended control objectives.

A lack of adequate controls represents: A. a vulnerability. B. an impact. C. an asset. D. a threat.

A. a vulnerability.

It is most important for operational risk evaluation to: A. take into account the potential impact and likelihood of a loss. B. consider inherent and control risk. C. include a benchmark of similar companies in its scope. D. assume an equal degree of protection for all assets.

A. take into account the potential impact and likelihood of a loss.

Which of the following is MOST important for measuring the effectiveness of a security awareness program? A. Increased interest in focus groups on security issues B. A reduced number of security violation reports C. A quantitative evaluation to ensure user comprehension D. An increased number of security violation complaints

B. A reduced number of security violation reports

An enterprise has learned of a security breach at another company that utilizes similar technology. The FIRST thing the enterprise should do is: A. Discontinue the use of the vulnerable technology. B. Assess the likelihood of incidents from the reported cause. C. Remind staff that no similar security breaches have taken place. D. Report to senior management that the enterprise is not affected.

B. Assess the likelihood of incidents from the reported cause.

When proposing the implementation of a specific operational risk mitigation activity, a risk/control professional would PRIMARILY utilize a: A. Technical evaluation report. B. Cost benefit based business case. C. Vulnerability assessment report. D. Budgetary requirements.

B. Cost benefit based business case.

Which of the following would MOST likely indicate that a customer database and warehouse should remain in-house rather than be outsourced to an offshore operation? A. The telecommunications costs could be much higher in the first year. B. Privacy laws could prevent a cross-border flow of information. C. Time zone differences could impede communications between IT teams. D. Software development may require more detailed specifications.

B. Privacy laws could prevent a cross-border flow of information.

Which of the following is the BEST way to ensure that an accurate risk register is maintained? A. Monitor key risk indicators (KRIs), and record the findings in the risk register. B. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content. C. Distribute the risk register to business process owners for review and updating. D. Utilize audit personnel to perform regular audits and to maintain the risk register.

B. Publish the risk register in a knowledge management platform with workflow features that periodically contacts and polls risk assessors to ensure accuracy of content.

Which of the following will produce comprehensive results when performing a qualitative operational risk analysis? A. A vulnerability assessment B. Scenarios with threats, likelihood, and impacts C. The value of information assets D. Estimated productivity losses

B. Scenarios with threats, likelihood, and impacts

After the completion of an operational risk assessment, it is determined that the cost to mitigate a particular risk is much greater than the benefit to be derived. The risk/ control professional should recommend to business management that the risk be: A. Treated. B. Terminated. C. Accepted. D. Transferred.

C. Accepted.

Which of the following is the MOST important reason for conducting security awareness programs throughout an enterprise? A. Reducing the operational risk of a social engineering attack B. Training personnel in security incident response C. Informing business units about the security strategy D. Maintaining evidence of training records to ensure compliance

C. Informing business units about the security strategy

Which of the following is the BEST method to ensure the overall effectiveness of an operational risk management program? A. Assignment of risk within the enterprise B. Comparison of the program results with industry standards C. Participation by applicable members of the enterprise D. User assessment of changes in risk

C. Participation by applicable members of the enterprise

Overall business risk for a particular threat can be expressed as the: A. Magnitude of the impact should a threat source successfully exploit the vulnerability. B. Likelihood of a given threat source exploiting a given vulnerability. C. Product of the probability and magnitude of the impact if a threat exploits vulnerability. D. Collective judgment of the risk assessment team.

C. Product of the probability and magnitude of the impact if a threat exploits vulnerability.

Which of the following is the MOST effective way to treat an operational risk such as natural disaster that has a low probability and a high impact level? A. Eliminate the risk. B. Accept the risk. C. Transfer the risk. D. Implement countermeasures.

C. Transfer the risk.

Operational risk management (ORM) programs are designed to reduce risk to: A. The point at which the benefit exceeds the expense. B. A level that is too small to be measurable. C. A rate of return that equals the current cost of capital. D. A level that the enterprise is willing to accepts.

D. A level that the enterprise is willing to accepts.

Which of the following would BEST provide assurance of the integrity of new staff? A. References B. Bonding C. Qualifications listed on a resume D. Background screening

D. Background screening

The PRIMARY concern of an operational risk/control professional documenting a formal data retention policy would be: A. Storage availability. B. Applicable organizational standards. C. Generally accepted industry best practices. D. Business and regulatory requirements.

D. Business and regulatory requirements.

Which of the following is the MOST important reason for conducting periodic operational risk assessments? A. Risk assessments are not always precise. B. Reviewers can optimize and reduce the cost of controls. C. Periodic risk assessments demonstrate the value of the risk management function to senior management. D. Business risk is subject to frequent change.

D. Business risk is subject to frequent change.

A global financial institution has decided not to take any further action on a denial of service (DoS) risk found by the IT risk assessment team. The MOST likely reason for making this decision is that business is unaffected by: A. Availability of information B. Integrity of information C. Storage media of information D. Confidentiality of information

D. Confidentiality of information

A global bank that is subject to customer privacy regulations by multiple governmental jurisdictions with differing requirements should: A. Bring all locations into conformity with the aggregate requirements of all governmental jurisdictions. B. Bring all location info conformity with a generally accepted set of industry best practices. C. Establish a baseline standard incorporating those requirements that all jurisdictions have in common. D. Establish baseline standards for all locations and add supplemental standards as required.

D. Establish baseline standards for all locations and add supplemental standards as required.

Whether an operational risk from information systems has been reduced to an acceptable level should be determined by: A. IS requirements. B. Information security requirements. C. International standards. D. Organizational requirements.

D. Organizational requirements.

Which of the following is the MOST effective way to ensure that outsourced service provider complies with the enterprise's information security policy? A. Security awareness training B. Penetration testing C. Service level monitoring D. Periodic auditing

D. Periodic auditing

An objective of an operational risk management program is to: A. Maintain residual risk at an acceptable level. B. Implement preventive controls for every threat. C. Remove all inherent risk. D. Reduce inherent risk to zero.

D. Reduce inherent risk to zero.

The preparation of a risk register begins in which risk management process? A. Risk response planning B. Risk monitoring and control C. Risk management planning D. Risk identification

D. Risk identification

Which of the following is the MOST important information to include in an operational risk management strategic plan? A. Risk management staffing requirements B. The risk management mission statement C. Risk mitigation investment plans D. The current state and desired future state

D. The current state and desired future state

An operational risk manager requests that the finance department buy US $50,000 of insurance for equipment installed in a cyclone-prone area. What risk management strategy is the manager adopting? A. Avoiding risk B. Accepting risk C. Exploiting risk D. Transferring risk

D. Transferring risk