4:3 Workplace: Risk Management Quiz
Which best defines the concept of moral hazard? A person engages in risky behavior knowing that someone else will absorb any losses. A leader demonstrates poor ethical behavior, leading to poor choices by employees. An organization decides to behave ethically, even though this means a financial loss. Intending to behave ethically, an organization violates employment laws or regulations.
A person engages in risky behavior knowing that someone else will absorb any losses. Moral hazard exists when someone takes risks because he or she will not be affected by losses or damages that occur as a result.
What is a good example of an upside risk? A team finishes its project two weeks ahead of the schedule. An organization is a vendor's first major customer for a leading-edge technology system. Union demands for wages, benefits, and work conditions are unrealistic. A technician proves highly skilled, invaluable, and irreplaceable.
A team finishes its project two weeks ahead of the schedule. An upside risk is an opportunity that arises out of uncertainty about outcomes. Completion date is uncertain, but early project completion is an opportunity: an uncertainty that has a positive outcome.
To reinforce the importance of safety, employees' annual bonuses are linked to the aggregate safety key performance indicators (KPIs). Which effect is this likely to have on the rate of accidents? Accidents will increase due to over-reporting. Accidents will decrease due to under-reporting. Accidents will decrease due to over-reporting. Accidents will increase due to under-reporting.
Accidents will increase due to under-reporting. ying annual bonuses to aggregate safety KPIs incentivizes the wrong behavior. To get the bonus, certain safety measures are likely to be under-reported, which will lead to an increase in risks and accidents.
Several employees were hurt in an accident in the manufacturing department. To evaluate the effectiveness of the organization's risk controls, HR conducted a meeting with the department supervisor. Which document would provide the best information for this meeting? External agency incident report Compliance audit After-action debrief Occupational health and safety checklist
After-action debrief An after-action report examines what happened, why it happened, what was done at the time, and what could have been done better. The incident report, compliance audit, and OSHA checklist document only incidents, their frequency, and, in some situations, what was done; no evaluation is made of the effectiveness of the organization's existing risk controls.
How often should an organization review the components of its enterprise risk management framework? Every three years At an agreed-upon and regular interval When a new strategy is developed Only if a major incident has occurred
At an agreed-upon and regular interval Components of an organization's risk management framework should be reviewed at an agreed-upon and regular interval as well as after major incidents.
A technical recruiter receives a job description from a hiring manager. One of the requirements listed by the manager states that the position is not ideal for single parents. Which risk management strategy should the technical recruiter use to avoid similar situations in the future? Mitigate the risk by informing candidates that they have the right to information about hiring decisions. Transfer the risk by asking for legal review of this job description. Ignore the risk. It is unlikely that single parenthood will be a decisive factor for employment. Avoid the risk by training hiring managers and reviewing all job descriptions before use.
Avoid the risk by training hiring managers and reviewing all job descriptions before use. This risk can and should be avoided through training and a review process. An employer cannot ignore, mitigate (lessen), or transfer the legal obligation to avoid discrimination.
Which evaluation method is best for an emergency response plan? Asking for insurance company input Conducting a crisis drill Having a government agency review the plan Comparing the plan to the previous plan
Conducting a crisis drill A simulated crisis in which the plan is tested will alert the company to changes that need to be made and is the best way to see how the plan performs.
Which training method is best used for training employees on an emergency response plan? Showing training films, webinars, and videos Scheduling employee participation meetings Conducting drills and role plays Providing precise, easy-to-read manuals
Conducting drills and role plays The best way to practice any skill is to actually do the tasks involved. This also holds true for training in emergency response plans. If having the entire plant take part in the drill poses a production issue, parts of the plan can be drilled at a time.
An office manager is tasked with contracting with a third party to clean the office building at night. The manager hires his family-owned cleaning business without undergoing a request-for-proposal process. What risk factor does this illustrate? Strategic goals Externally imposed requirements Conflict of interest Risk capacity
Conflict of interest This is an example of conflict of interest. The manager stands to benefit from the vendor relationship, but it may not be the best choice for the employer. The manager's decision is not based on his comfort level with risk, and the need to hire a cleaning company is unrelated to the organization's goals. There are no external requirements influencing the decision.
Which option best defines risk? Quantifiable and enterprise-wide picture of organizational loss exposure Effect of uncertainty on the ability to meet organizational objectives Negative impact an event can exert on an organization's well-being Organization's vulnerabilities from an enterprise perspective
Effect of uncertainty on the ability to meet organizational objectives The ISO definition of risk is simply "the effect of uncertainty on objectives." Uncertainty can be positive or negative in its effects. The other choices emphasize negative risk or assessments of risk occurrence.
Which risk strategy is being enhanced when a global HR organization establishes enterprise-wide evacuation procedures and communication plans and creates a website that sits outside the company's firewall for easy access in the event of terrorist act? Business continuity plan Risk matrix response Terrorist response program Emergency response planning
Emergency response planning An emergency response plan describes the actions to be taken in the event of a natural disaster, emergency evacuation, terrorist attack, or any other incident that disrupts the normal work pattern. Emergency response plans tell employees what to do. The organization's easy access website is an attempt to guide employees during the chaos.
What is the role of HR when it comes to whistleblowing? Gathering, assessing, and categorizing complaints from whistleblowers and presenting them to upper-level management during annual review cycles Seeking to prevent whistleblowing by any means necessary, including reassigning, retraining, or terminating employees found whistleblowing Working with mid-level managers to determine who is whistleblowing and seeking to ensure that the complaints are handled and withdrawn Establishing a communication process that allows direct access to upper-level decision makers and protecting whistleblowers from retaliation
Establishing a communication process that allows direct access to upper-level decision makers and protecting whistleblowers from retaliation HR should ensure that whistleblowing complaints reach upper-level management and should protect whistleblowers from retaliation by coworkers or managers. In some locations, whistleblowers are protected by law. HR should not seek to independently address whistleblowing complaints or encourage or engage in retaliation against whistleblowers.
To meet a safety goal, an organization provided training to employees. The number of injuries, however, has not decreased over the last three years. What should the HR training manager do? Require all employees to attend the training. Hire an outside consultant to provide the training. Develop new training content. Evaluate and adjust the training.
Evaluate and adjust the training. Evaluating the training will allow the company to identify whether the issue is with the training or the people, and adjustments can be made accordingly. Developing new content or hiring an outside consultant without evaluating the training could be a waste of time and resources. Making the training mandatory doesn't help if the training is ineffective.
The vice president of operations has asked the chief human resources officer (CHRO) to determine the risk levels across the organization's three offices. With the help of the HR team, the CHRO conducts surveys, interviews, and focus groups to collect data. During which phase of the risk management process are these activities occurring? Evaluating risks Identifying risks Analyzing risks Managing risks
Identifying risks Surveys, interviews, and focus groups are methods used to identify risks. The organization must first identify the risks so that they can be analyzed, evaluated, and then managed.
Which is the most appropriate example of risk mitigation? Implementing an emergency communication system for assignees Requiring criminal background checks for applicants Training interviewers about proper questions to ask during hiring interviews Requiring vaccination programs for assignees
Implementing an emergency communication system for assignees A risk mitigation strategy seeks to reduce the negative impact of an event. A communication system cannot prevent crises, but it can decrease stress and reduce assignees' exposure to threats.
Which best identifies the impact of cognitive barriers on risk management? Managers perceive risks in an outdated manner. Leadership's example does not motivate good risk management practices. Units or functions may not communicate well with each other. Teams are rewarded for being risk-averse.
Managers perceive risks in an outdated manner. Cognitive barriers to risk management relate to managers' tendencies to rely on older perceptions of the risks they face and the most effective ways of managing them.
Management decides that training supervisors to identify and prevent bullying is not necessary, and they do not fund a program budget. What does this illustrate? Poor governance Risk avoidance management strategy Precedence of global standardization in the organization Organization's risk tolerance
Organization's risk tolerance Management has decided that it is willing to accept the risk that bullying will occur and possible organizational costs. This is an example of an organization's risk tolerance, the amount of unmanaged risk that management is willing to accept.
Which best demonstrates HR's role in managing organizational risk? Identifying past and current risks and avoiding those risks that affect the HR function Following management's lead in identifying, prioritizing, and managing risks within the HR function Defining the risk level that the organization is willing and able to assume Participating in the identification and management of threats and opportunities across the organization
Participating in the identification and management of threats and opportunities across the organization The best role for HR is one that is proactive, not reactive, and that considers risk from an integrated enterprise perspective. The definition of risk appetite and risk tolerance is best made by senior management, however.
What is the primary distinguishing characteristic of an enterprise risk management framework? Perception of risk as an integrated organizational issue Emphasis on strategic risks that threaten organizational goals Focus on values and ethical systems that affect governance Proactive as opposed to reactive approach to managing risk
Perception of risk as an integrated organizational issue An enterprise risk management (ERM) system, such as COSO ERM, sees risk as an integrated issue that must be managed across divisions and functions in an enterprise.
Which situation that leads to workplace violence can be controlled by an organization? Domestic problems Low employee self-esteem Pressure for increased productivity Unstable economy
Pressure for increased productivity Conditions causing employee frustration and anger can lead to violence. Examples include pressure for productivity, rigid management style, and layoffs.
What factors does the risk equation use to determine level of risk? Speed of onset and effectiveness of current controls Source of risk and number of business processes affected Probability of occurrence and magnitude of impact Potential for secondary risk and effectiveness of strategies
Probability of occurrence and magnitude of impact In the risk equation, the level of risk equals the probability of occurrence multiplied by the magnitude of the impact of the risk event.
What is the usefulness of a key risk indicator (KRI)? Provides early warning of organizational risk emergence Identifies a global assessment of organizational exposure to risk Establishes greater accountability of risk control measures Assists in preventing the emergence of identified risks
Provides early warning of organizational risk emergence A KRI signals when risk exposure may be increasing. It can be used to identify emerging risks to the organization. KRIs monitor risk but do not prevent risks from occurring. They are not enough in themselves to create transparency and accountability.
An employee's ex-husband waits outside her place of work. When she emerges, he begins yelling. She retreats inside the building. The husband attempts to follow but is prevented by a door that locks automatically behind the employee. An HR staff member observes the incident. What action should the staff member take? Call for immediate revision of the organization's security policies. Recommend that those involved debrief the incident. Write a memo to the HR head, documenting the incident. None. The security measures worked as intended.
Recommend that those involved debrief the incident. After-action debriefs are a good way to examine the effectiveness of a specific risk response strategy, presenting an opportunity for learning and improvement.
The HR department monitors the emergency response plans and updates them as needed, at least annually. Which is the best way to evaluate the plan as part of the annual review? Testing procedures for each department Meeting groups of employees to get feedback Rehearsing drills of the plan Evaluating employees' knowledge of the plan through an online test
Rehearsing drills of the plan A rehearsal (drill) of the plan will reveal its inevitable shortcomings as well as provide employees with valuable training. The time to test is before a crisis, not during one.
A mining company has had a safety program in place for over ten years. It has been effective in decreasing accidents and injuries. What should HR recommend? Consider scaling the program back, since it has apparently changed employee behavior and created a safer workplace. Review the technology used in the program to see if newer, more effective technology is now available. End the program and develop an entirely new program. Ten years is too long. Leave the program as it is, since it appears to be effective.
Review the technology used in the program to see if newer, more effective technology is now available. Changes in technology may mean that the organization could be better able to detect and deter threats. However, that doesn't mean that the organization should start from scratch with a new program. HR should work to assess the program and look for opportunities for continuous improvement.
What is secondary risk? Risk that is deemed lower in priority Risk events that occur as a result of primary risk occurrence Risk events that closely follow primary events Risk created by a risk management tactic
Risk created by a risk management tactic Secondary risk refers to risks that are created by the risk management strategy itself. Before they are implemented, strategies must be analyzed to determine if they present secondary risks.
What phase of risk management is represented in the acronym MECE, which stands for "mutually exclusive and comprehensively exhaustive?" Risk management Risk-averse Risk identification Risk mitigation
Risk identification The organization wants to be confident that all plausible risks for strategic and operational aspects of the business avoid duplication or overlapping in the identification step.
What is the appropriate role for an HR manager in an investigatory interview for a dischargeable offense? Risk manager for the organization Champion of employee's perspective and position Supporter for manager/supervisor of involved department Prosecutor presenting evidence and challenging the employee
Risk manager for the organization In this situation, the role of HR is to be proactive and manage the legal and physical safety risks to the organization. HR managers must be aware of the need to ensure due process to employees and to provide a safe work environment for all employees. HR should not take a prosecutorial or defense role; the organization should approach the situation and the evidence objectively and calmly.
The HR department is instructed to fill a critical management position as quickly as possible. Using multiple agencies will produce more candidates more quickly but will increase the cost by several times. Which critical input should HR seek before deciding how to proceed? Desired applicant-to-hire ratio to indicate success Risk tolerance of the organization Job description for the ideal candidate Networking connections and employee referrals
Risk tolerance of the organization HR needs to know how management rates the level of risk in not filling this position quickly: their risk tolerance. This will help HR decide whether the increased cost of using multiple search firms is appropriate.
An assembly operation has completely redesigned its work floor and added new machines. What would be the best way for HR to fulfill its duty of care to the operation's employees? Conduct a survey of the issue with a small sample of employees in this area. Interview affected managers and supervisors about new hazards. Review the revised floor plans with the organization's insurers. Schedule a walk-through of the redesigned area during a work shift.
Schedule a walk-through of the redesigned area during a work shift. The best approach is to observe the workplace directly by conducting a walk-through. Visual inspection of both the space and the processes as they occur in the space can help HR identify new hazards created by the changes. The interview approach relies on the assessments of managers and supervisors who may not share HR's awareness of safety issues and regulations. Insurers can provide some general input about workplace safety but not specific input. As with managers and supervisors, employees may not be aware of the organization's safety obligations, and a walk-through is a more direct and complete way to gather this information than a partial survey.
How is a risk control best understood by an organization? Indicating what triggers a specific risk management response Ensuring that employees are following risk management guidelines Sharing a risk's occurrence or impact and its likelihood Restricting the amount of risk the organization assumes in its dealings
Sharing a risk's occurrence or impact and its likelihood A risk control is an action taken to manage a risk: to enhance the potential of an upside risk or to decrease the potential negative effects of a downside risk.
What are the primary categories of barriers to effective risk management? Structural, cognitive, and cultural Opportunities, threats, and weaknesses Location, personnel, and equipment Time, money, and resources
Structural, cognitive, and cultural The primary categories of barriers to effective risk management are structural, cognitive, and cultural. An organization's structure, willingness to change, and values will impact its willingness to engage in risk management. Time, money, and resources and location, personnel, and equipment may be impacted by risk management efforts, but they don't drive those efforts. Similarly, opportunities, threats, and weaknesses may be part of what the organization looks at as part of its risk management efforts, but they don't drive those efforts.
How does duty of care translate to an organization's responsibilities? Managing risks to employees on assignment Providing health benefits to all of its employees and their families Complying with all local health and safety requirements Taking all steps reasonable to ensure employee health and safety
Taking all steps reasonable to ensure employee health and safety Duty of care reflects an employer's responsibility to take all steps reasonably possible to support employee health and safety and prevent harm, whether the employee is in the workplace or on a remote assignment. This may involve but is not restricted to providing access to health care and complying with regulatory requirements.
What is the primary purpose of a safety self-audit? To eliminate unsafe acts and environmental factors in the company To identify roles and responsibilities in the event of an industrial accident To ensure employee compliance with the organization's safety programs To lower workers' compensation insurance premiums for the company
To ensure employee compliance with the organization's safety programs A safety self-audit is conducted by an employer to assure the organization that employees are following safety-related policies and procedures. Workers' compensation premiums are most directly affected by an organization's rate of injuries. Being prepared to handle an emergency is a good practice, but it is more related to procedures and training than to an audit. An audit can only capture evidence of compliance or noncompliance. Compliance alone, especially if policies and training are faulty, will not eliminate unsafe acts.
An organization examines the level of probability for all types of losses to which it may be exposed. What aspect of risk is the organization studying? Risk tolerance Vulnerability Impact Mitigation planning
Vulnerability Vulnerability refers to the degree of probability that a loss will occur. Impact is the possible effect on the organization, and tolerance is the amount of risk the organization can handle if an event occurs. Mitigation planning occurs after analysis of probability, risk, and speed of onset.
