ARM 400

In terms of data governance, IT employees hold the role of A. Data custodians. B. Rule developers. C. Data stewards. D. Compliance regulators.

A. Data custodians.

Which one of the following regulatory approaches allocates resources based on the concept of achieving the greatest potential good while simultaneously minimizing the overall costs? A. Risk-based regulation B. Evidence-based regulation C. Rules-based regulation D. Performance-based regulation

A. Risk-based regulation

Which one of the following is an element of a data security program? A. Increasing the overall efficiency of data systems. B. Storing data back-ups off site. C. Installing agile project management. D. Implementing a data governance program.

B. Storing data back-ups off site.

The importance of strong control environments with independent oversight have become increasingly important A. Because international trade is dependent upon consistent accounting processes. B. As business complied with the provisions of the Sarbanes Oxley Act. C. As organizations became more complex. D. Because the Federation of European Risk Management Associations (FERMA) made it a requirement for international trade.

C. As organizations became more complex.

Which one of the following continuity strategy models involves maintaining two or more active sites that are geographically dispersed? A. Active back-up model B. Prioritization model C. Split operations model D. Risk transfer model

C. Split operations model

A risk management professional is identifying the organization's key stakeholders as part of the enterprise risk management program. Which one of the following would be considered an internal stakeholder? A. Unions B. General public C. Stockholders D. Suppliers

C. Stockholders

The data quality principle of reasonability refers to A. The comprehensive nature of data. B. The appropriateness of current data. C. The systematic process of tracing data. D. The materiality or relevance of data.

D. The materiality or relevance of data.

Which one of the following statements is true regarding the business process management (BPM) life cycle model? A. The model is designed to review one business process at a time. B. The model is ineffective unless all five steps are completed on a continuous basis. C. The model is primarily used by organizations in the manufacturing sector. D. The model is driven by the collaboration of human and technological input.

D. The model is driven by the collaboration of human and technological input.

There are two types of associated risk for data privacy, individual and general risk. General data privacy risk A. Can be categorized operational or reputational. B. Involves legal and regulatory requirements. C. Varies by the type of business or industry. D. Is of specific concern to the European Union.

A. Can be categorized operational or reputational.

Which one of the following stages of a strategic redeployment plan is designed to protect people, physical assets, and reputation? A. Emergency stage B. Alternate marketing stage C. Contingency stage D. Communication stage

A. Emergency stage

Solvency II is a regulatory standard that should reduce the likelihood of insolvency, market disruption, and consumer loss in which one of the following industries? A. Insurance B. Banking C. Automobile D. Health care

A. Insurance

Which one of the following categories of agency costs is assumed by managers? A. Advertising costs B. Bonding costs C. Incentive alignment costs D. Monitoring costs

B. Bonding costs

Parker International tends to communicate only the information that stakeholders need to complete their tasks and achieve goals. The management style at Parker International is A. Responsive. B. Directive. C. Delegating. D. Supportive.

B. Directive.

Which one of the following is an example of a principles-based traffic control regulation? A. Driver and passengers must wear a safety belt when the car is in motion B. Driver must maintain a reasonable following distance appropriate to speed and conditions C. Driver must maintain liability insurance that meets the state minimum financial responsibility limit D. Driver must drive at a speed within the posted speed limit

B. Driver must maintain a reasonable following distance appropriate to speed and conditions

One of the strategic objectives for Cromley Insurance Group is customer satisfaction. Which one of the following is a critical success factor (CSF) that would help refine this strategic objective? A. Reduce claim activity by 4 to 6% B. High customer retention C. High profitability D. Increase retention ratio by 5%

B. High customer retention

The Federal Sentencing Guidelines require a senior manager to have responsibility for the organization's entire compliance program. The individual selected is typically from which one of the following functions of the organization? A. Human development B. Internal audit C. Legal D. Operations

B. Internal audit

One of the major objectives of a compliance program is to receive benefits from external sources. Which one of the following is an example of a potential benefit from an external source? A. Improved employee health and safety B. Reductions in insurance premiums C. Reductions in corporate taxes D. Increased product safety

B. Reductions in insurance premiums

Which one of the following statements is correct regarding an organization's code of ethics? A. The code of ethics should primarily consider the social and ethical needs of its external stakeholders. B. The code of ethics should include principles and concepts that are dynamic enough to remain relevant in a rapidly changing business environment. C. The code of ethics should provide an organization with a set of parameters within which it should operate, with little room for interpretation. D. The code of ethics should provide a list of dos and don'ts that employees can use as a framework in making day-to-day decisions.

B. The code of ethics should include principles and concepts that are dynamic enough to remain relevant in a rapidly changing business environment.

Which one of the following is an example of an internal key risk indicator (KRI) that a contractor might monitor? A. Availability of skilled labor B. Cost of lumber C. Budget variances D. Interest rates

C. Budget variances

An organization has established a key performance indicator to "reduce employee injuries by 6%." Which one of the following would indicate a low risk tolerance for this KPI? A. Reduce employee injuries by 2% B. Reduce employee injuries by 4% C. Reduce employee injuries by 5 to 6% D. Employee injury rate remains unchanged

C. Reduce employee injuries by 5 to 6%

The opening day finally arrived for a local amusement park that advertised its new roller coaster for months. The crowds were bigger than normal that day as folks lined up to try the new thrill ride. Everything was going well for the first few hours until around mid-day the ride all of a sudden screeched to a halt in the middle of a run. Fortunately the delay was only 15 minutes and the coaster was on flat track at the time and not a loop. However some technical issues prevented the ride from continuing that day and it had to be shut down. As a result, many patrons were upset and disappointed with the outcome. Knowing that successfully managing reputational risk involves quickly recognizing the risk to reputation, rapidly making important decisions to manage the risk and relying on leadership and culture for a favorable outcome, all of the following fit this criteria, EXCEPT: A. Providing vouchers that give free ice cream cones to all patrons in the park that day. B. Contacting the local news channel and speaking honestly about what happened and that the issue was resolved and should not occur again. C. Reminding patrons that their attendance comes with an assumption of risk and no guarantees. D. Publishing a press release on the root cause and corrective action taken to avoid future incidents.

C. Reminding patrons that their attendance comes with an assumption of risk and no guarantees.

Paragon Coffee Company has 15 locations throughout California. It serves a wide variety of imported coffee and a small selection of baked goods. Within a period of 24 hours, over 30 individuals arrived at local hospitals suffering from severe stomach pain and nausea. It was quickly discovered that they had all consumed products from Paragon Coffee Company in the prior days. The managers at two of the locations were notified of the concern by the hospitals, and immediately contacted the corporate office per corporate guidelines. Which one of the following should be the first priority as Paragon Coffee Company begins to deal with this crisis? A. Determining the supplier that is responsible B. Controlling communication from hospitals and customers C. Protecting the company assets D. Protecting people

D. Protecting people

Which one of the following risk management objectives is critical for a manufacturer seeking new capital from investors, stockholders, and creditors? A. Social responsibility B. Anticipate and recognize emerging risks C. Eliminate downside risk D. Reduce the deterrent effects of hazard risks

D. Reduce the deterrent effects of hazard risks

Which one of the following statements is true regarding Basel III? A. Basel III was developed to address both the risk of individual organizations and systemic risk in the banking sector. B. Basel III is a regulatory standard for banks of the European Union and the United Kingdom. C. Basel III was developed to reduce the likelihood of insurer insolvency, market disruption, and consumer loss. D. Basel III is a voluntary standard for the insurers which encourages senior management to take the lead in establishing a strong risk management culture.

A. Basel III was developed to address both the risk of individual organizations and systemic risk in the banking sector.

It is necessary to define functions that should be performed by internal audit rather than the enterprise risk management (ERM) team because A. Clarification of functions helps avoid redundancy and foster a strong working relationship. B. ERM is all encompassing and if not controlled will absorb internal audit functions. C. Internal audit and risk managers share responsibilities for governance and compliance for the organization. D. The Institute of Internal Auditors (IIA) guidelines are used to avoid confusion in an organization and clarify financial compliance issues.

A. Clarification of functions helps avoid redundancy and foster a strong working relationship.

Colossal Casualty Insurance Company decided to conduct an internal audit of the company's operations. As part of the internal audit, several fictitious claims were submitted to the claims department to see if the claims would be approved and paid. Which one of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) components of internal control was examined by this internal audit test? A. Control environment. B. Information and communication. C. Monitoring activities. D. Risk assessment.

A. Control environment.

Emerging technologies such as artificial intelligence and machine learning are being applied by some businesses as part of their internal audit and control process. A key benefit of such applications is A. Detection of fraud and inefficient practices in real time. B. Greater ability to quantify losses. C. Gaining an historical perspective on inefficient and ineffective internal control measures. D. Reduced labor costs in the risk management department.

A. Detection of fraud and inefficient practices in real time.

Which one of the following is true regarding internal audit involvement with enterprise risk management (ERM) efforts? A. Internal audit is increasingly asked to evaluate organizational risks, including strategic, financial and hazard risks. B. Internal audit is not becoming more involved with ERM efforts because internal audit must remain independent and objective. C. Internal audit is responsible for reviewing controls in an organization which includes ERM programs. D. Internal audit is responsible for the organization's compliance with all governance issues, including ERM compliance.

A. Internal audit is increasingly asked to evaluate organizational risks, including strategic, financial and hazard risks.

Which one of the following measures the progress an organization has made toward attaining its goals within a specific amount of time? A. Key performance indicator B. Key risk indicator C. Critical success factor D. Risk tolerance level

A. Key performance indicator

The board of directors must use a thorough understanding of the organization's overall risk philosophy to determine the amount of risk the organization is willing to seek or accept in the pursuit of long-term objectives. This amount of risk is called the organization's A. Risk appetite. B. Retention level. C. Maximum possible loss. D. Probable maximum loss.

A. Risk appetite.

The individual responsible for ensuring compliance within an organization usually reports to which one of the following? A. Senior management B. Human resources C. General counsel D. Operations Management

A. Senior management

Ensuring quality data requires a A. Systematic and purpose-driven review process. B. Data governance committee C. More efficient deployment of resources. D. Business Analyst.

A. Systematic and purpose-driven review process.

The data quality principle of reasonability refers to A. The materiality or relevance of data. B. The systematic process of tracing data. C. The comprehensive nature of data. D. The appropriateness of current data.

A. The materiality or relevance of data.

Some best practices models call for the formation of a risk committee with a risk management focus at the organization's executive management level. Which one of the following statements best describes one of the responsibilities of an executive-level risk committee? A. To approve the organization's risk management strategies, including their design and implementation. B. To oversee exposures of the organization's critical risks and advise the board on risk strategy. C. To assist the board in establishing the organization's risk appetite and risk tolerance levels D. To monitor the organization's compliance with established risk limits and how noncompliance is addressed

A. To approve the organization's risk management strategies, including their design and implementation.

Many organizations treat business continuity management (BCM) and risk management as complementary endeavors. While risk management protects tangible property from loss, A. BCM protects the human exposure. B. BCM deals primarily with consequences of operational disruption. C. BCM concentrates on pure risk. D. BCM focuses on reducing the likelihood of the occurrence.

B. BCM deals primarily with consequences of operational disruption.

Based on Basel III principles, which one of the following groups should take the lead in establishing a strong risk management culture? A. Risk managers B. Board of directors C. Employees D. Senior management

B. Board of directors

Which one of the following is a critical component to achieving true operational resiliency? A. A top management view of potential risks B. A culture of openness and trust C. A long-term commitment to a single vendor D. A facilities based operation

B. A culture of openness and trust

Sound risk management decisions are predicated on A. Regulations and compliance. B. Effective decision-making. C. Quality data. D. Operational efficiencies.

C. Quality data.

Which one of the following defines the duties of a data steward? A. A data steward is a project manager. B. A data steward is an experienced business analyst. C. A data steward measures data compliance. D. A data steward provides technological support.

B. A data steward is an experienced business analyst.

Successful organizations have goals and objectives. A financial or nonfinancial measurement that defines how successfully an organization is progressing toward its long-term goals is referred to as A. An operating standard (OS). B. A key performance indicator (KPI). C. A critical success factor (CSF). D. An objective gauge (OG).

B. A key performance indicator (KPI).

According to the law of large numbers, as the number of exposure units insured increases, A. The size of the average loss declines. B. The relative accuracy of predictions about future losses increases. C. The probability of an underwriting loss increases. D. Fewer losses are expected to occur.

B. The relative accuracy of predictions about future losses increases.

Organizations use key risk indicators (KRIs) to plan for and respond to risk. Which one of the following statements is correct with respect to KRIs? A. KRIs are based on quantifiable information and support management decisions. B. To be effective, KRIs should be detailed and specific. C. To best manage risk, an organization should have as many KRIs as possible. D. KRIs are usually only established for the executive level within an organization.

A. KRIs are based on quantifiable information and support management decisions.

The development and implementation of a business continuity plan entails seven steps. Which one of the following steps involves assessing what events may occur, when they will occur, and how they could affect achievement of key objectives? A. Developing a continuity plan B. Performing a risk assessment C. Conducting a business impact analysis D. Understanding the business

C. Conducting a business impact analysis

There are four major objectives of a compliance program. Which one of the following would NOT be considered an objective? A. Notifying the United States Sentencing Commission of all reported incidents B. Provide assurance to key stakeholders that the firm is in compliance with all laws, regulations and policies C. Receive benefits from external sources for having an effective compliance program such as regulatory approval D. Create a culture that encourages compliance and oversight within the firm

A. Notifying the United States Sentencing Commission of all reported incidents

Which one of the following plans calls for action before, during, and after catastrophes with a focus on saving lives, reducing property losses, and conserving resources during recovery? A. Crisis management plan B. Emergency response plan C. Disaster recovery plan D. Risk management plan

A. Crisis management plan

Encouraging the expression of feelings as well as facts and following up with employees on the problems they report are two ways that managers and supervisors can A. Cultivate two-way communication. B. Facilitate active listening. C. Support diverse groups. D. Maintain control of the conversation.

A. Cultivate two-way communication.

Under the General Data Protection Regulation (GDPR), a data controller's role is to A. Define how and for what purpose personal data should be processed. B. Manage the flow of data for the rest of the organization. C. Define the metrics used to measure an organization's overall data quality. D. Represent the business aspects of data governance.

A. Define how and for what purpose personal data should be processed.

The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards? A. A key performance indicator based on financial ratios B. A corrective measure linked with an identified tolerance level C. A severe risk tolerance level D. A critical success factor derived from a strategic objective

B. A corrective measure linked with an identified tolerance level

Company G is a manufacturer of high profile golf equipment. The risk management professional for Company G is concerned about loss of business related to product design. Failing to respond to changing customer demand and preferences in the design of golf clubs could cost Company G significant market share. Categorized according to the quadrants of risk, this exposure to loss is classified as A. An operational risk. B. A strategic risk. C. A financial risk. D. A hazard risk.

B. A strategic risk.

Mathias Manufacturing (Mathias) suffered a major business disruption due to a fire at one of its locations. Management has set up a center of operations with the business intelligence information available to test various production scenarios. Mathias is in which one of the following stages of strategic redeployment planning? A. Contingency production stage B. Alternative marketing stage C. Communication stage D. Emergency stage

B. Alternative marketing stage

Mutual Fund Company (MFC) offers a wide array of mutual fund options to investors. Each mutual fund has a different fund objective and set of investment guidelines that apply to the fund. While MFC gives considerable freedom to its fund portfolio managers, they are required to abide by the fund's investment guidelines. To monitor compliance, MFC developed a computer algorithm. The computer algorithm continuously monitors each fund's compliance with investment guidelines. If a fund manager violates the investment guidelines, the computer immediately notifies MFC's internal control director, and corrective action is taken. MFC's use of the computer algorithm to monitor investment compliance and to provide notification when corrective action is necessary illustrates use of A. Computer vision. B. Artificial intelligence. C. Transducer technology. D. Mechanical sensors.

B. Artificial intelligence.

Which one of the following is the first step that should be taken by the senior manager who is responsible for the organization's compliance program? A. Establish incentives and disciplinary actions to enforce the program B. Assemble a task force from all major functions within the organization C. Train all employees on how to report compliance violations to the federal government D. Review all employee files for any relevant history of illegal behavior

B. Assemble a task force from all major functions within the organization

Claim representative Klee is reviewing an auto liability claim concerning a two-car collision that has just been assigned to him. He discovers that the insured was clearly 100 percent at fault for the accident and although nobody was injured, it is company policy for him to set a $500 reserve. Klee sets the reserve and then calls the insured driver involved in the accident for a recorded statement. During the conversation with the insured driver, Klee takes it upon himself to recommend a company-approved collision center where the insured driver can have her vehicle repaired to pre-accident condition. Klee's application of setting reserves and mentioning the collision repair center would best represent which two compliance requirements in this case? A. Internal and mandatory B. Internal and voluntary C. External and voluntary D. External and mandatory

B. Internal and voluntary

Martin Pruitt was hired by Regional Bank Company (RBC) to strengthen the company's internal control efforts. Martin implemented a computer scanning program to detect fraud. The scanning program flagged a suspicious account. When Martin investigated the account, he learned that someone in the bank's technology department had created the account. When the bank credits monthly interest on depositor accounts, any fractional cents are rounded-down to the nearest cent. The technology department official programmed the system so that any fractional cents lost due to rounding were deposited to the account owned by the technology department official. The scanning program Martin Pruitt implemented used computers to learn from the data analyzed. This application of emerging technology illustrates the use of A. Artificial intelligence. B. Machine learning. C. Risk management information systems. D. Computer simulation.

B. Machine learning.

A corporate goal of a not-for-profit corporation most likely includes A. Maximizing the corporation's economic value. B. Maximizing the value of goods or services provided to constituencies. C. Maximizing the corporation's cash flow. D. Maximizing the value of the corporation's total economic value.

B. Maximizing the value of goods or services provided to constituencies.

Corporations do not always internalize the costs of their decisions. Some costs are not borne by the corporation but are a result of their decisions. One example of this is A. Corporate philanthropy. B. Pollution costs. C. Payments to offshore subsidiaries. D. Corporate compliance costs.

B. Pollution costs.

AMRM Insurance Company sells insurance in Virginia, North Carolina, South Carolina, and Georgia. The company has compiled a policyowner data base that can be used to send text messages when hurricanes approach. The company provides early warnings, storm updates from the National Weather Service, and hurricane safety measures. The company credits the system with reduced hurricane claims. The use of the texting system is an example of A. Artificial intelligence. B. Preventive analytics. C. Experience rating. D. Sensor networks.

B. Preventive analytics.

In accordance with the Three Lines of Defense Model, how does risk management act as the second line of defense? A. Risk management alerts internal audit of potential threats within a department and works with internal audit to neutralize the threat. B. Risk management supports and monitors operational management's implementation of risk management practices. C. Risk management has authority to initiate activity demanding an external audit should a risk be deemed imminent. D. Risk management provides oversight to the operational management's assessment of risk and internal controls.

B. Risk management supports and monitors operational management's implementation of risk management practices.

An independent auditor has been given the task of evaluating internal controls at Westside Company (Westside). The auditor has determined that Westside's board of directors has endorsed a framework requiring management to have documented internal reporting controls to ensure efficient operations, accuracy of financial statements, and compliance with regulations. The framework is applied at the entity and divisional levels, but not the operating unit or functional levels. The program is new so it has not yet been monitored. The auditor is likely to report that A. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework. It must also be applied at the operating unit level, but not the functional level. Regular monitoring must be implemented. B. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it must also be applied at the operating unit and functional levels and it must be monitored. C. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it is applied at the entity level. Monitoring is not a requirement. D. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it is applied at the entity level. Monitoring will be required after the framework has been in place for one year.

B. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it must also be applied at the operating unit and functional levels and it must be monitored.

All of the following are true regarding the Federal Sentencing Guidelines, EXCEPT: A. They require an organization to have written standards and procedures. B. They are mandatory. C. They can be used by federal courts. D. They establish minimum components for an effective compliance program.

B. They are mandatory.

Parker International sets realistic goals for employees, and provides mentorships and educational opportunities to help them succeed. The company also provides profit sharing and employee wellness incentives. Which one of the following key resiliency traits does Parker International demonstrate? A. A culture of openness and trust B. Valued employees C. Clear company objectives D. Strong relationships with vendors and customers

B. Valued employees

Which one of the following best describes why the Institute for Internal Auditors (IIA) has designed standards addressing the need for internal audit to evaluate the effectiveness of risk management? A. Audits may be self-serving to an organization depending on the experience level of an auditor. By indicating specific criteria, an auditor should be able to conduct a valid audit. B. Audits are objective and independent of the politics of an organization. A pronouncement assists the auditor by defining review criteria. C. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities. D. Audits are conducted annually in many organizations. Requiring an auditor to validate the findings of prior years provides a comfort level to stakeholders.

C. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities.

In addition to metal detectors, many airports have installed a second type of scanning technology for checked baggage and cargo. The checked bags and cargo pass through a portal with scanners programmed to detect and test for explosive trace fumes. These scanners, which detect explosives based on air samples, are an example of what type of sensor used for risk assessment and control? A. Radiant sensors. B. Mechanical sensors. C. Biochemical sensors. D. Thermal sensors.

C. Biochemical sensors.

The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control—Integrated Framework provides A. International standards to help ensure that organizations meet the needs of customers and stakeholders while also complying with statutory and regulatory requirements. B. Not a system of controls, but a framework for auditors to provide independent, objective, and reasonable assurances that management has adopted a system of controls that is effective and functioning as intended. C. Common standards designed to increase effectiveness and efficiency of operations and reliability of financial reporting while ensuring compliance with applicable laws and regulations. D. Guidance on assessing risk and evaluating internal controls to government agencies but not to other organizations.

C. Common standards designed to increase effectiveness and efficiency of operations and reliability of financial reporting while ensuring compliance with applicable laws and regulations.

One corporate governance issue is accountability of directors. One method to increase accountability of directors is to A. Include more inside directors. B. Decrease the independence of audit and compensation committees. C. Conduct regular meetings of outside directors without management being present. D. Ensure that the chief executive officer serves as board chairman.

C. Conduct regular meetings of outside directors without management being present.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) describes internal control as consisting of five essential components, one of which is risk assessment. This component A. Verifies adherence to control results and assists in identifying other procedures that the entity may wish to adopt. B. Should be included in the audit as an internal control to minimize unforeseen events. C. Considers management's efforts to identify and analyze risks relevant to achieving predetermined objectives. D. Sets the tone for internal control by providing resources, discipline, and structure.

C. Considers management's efforts to identify and analyze risks relevant to achieving predetermined objectives.

When communicating a decision up the organization's chain of command, consulting with outside experts can help a risk management professional do which one of the following? A. Define the organization's risk appetite B. Stay focused on the organization's objectives C. Enhance stakeholders' confidence in the process D. Seek feedback from stakeholders

C. Enhance stakeholders' confidence in the process

An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards? A. A key performance indicator (KPI) answers the question, "What will make our organization a success?" B. Organizations with key performance indicators (KPIs) established for critical success factors (CSFs) will typically achieve organizational goals. C. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable. D. Generally, an organization's risk tolerance has little impact on its critical success factors (CSFs) and key performance indicators (KPIs).

C. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.

Sims Cinnamon Rolls and Donuts creates confectionery masterpieces for business conventions. Knowing how much a warm cinnamon roll or fresh donut means to a conventioneer just arriving from out of town, Sims' decides to implement a standard that 100% of its orders be delivered 60 minutes before the start of each convention. This is an example of which of the following kinds of compliance requirements? A. External and Voluntary B. Internal and Mandatory C. Internal and Voluntary D. External and Mandatory

C. Internal and Voluntary

Which one of the following statements about standards—risk management, Solvency II, and Basel II and III— is true? A. The Solvency II standards were approved by the U.S. Congress and now must be satisfied by all U.S. insurers. B. The Basel II and Basel III standards apply to all European corporations no matter the sector of the economy in which the corporation operates. C. Many risk management standards, such as ISO 31000, are voluntary. D. The Solvency II standards were promulgated to strengthen U.S. regulation and supervision of the banking sector.

C. Many risk management standards, such as ISO 31000, are voluntary.

Which one of the following provides the frame of reference needed so data can be used appropriately for analysis and decision-making? A. Data custodian B. Data virtualization C. Metadata D. Data lineage

C. Metadata

Cheryl Babson works in internal control at Software Company. She contacted company security and asked them to immediately go to the office of a software engineer and to detain him. As part of the internal control process, Cheryl had scanning software installed at the company that randomly searched all e-mails and text messages sent from on-site, searching for key words. The scanning software detected the words: "gun," "bomb," "revenge," and "kill" in communications sent from the engineer's office. Company security found a loaded assault rifle, two loaded handguns, and a pipe bomb in the engineer's office. He confessed to planning a workplace attack at the company cafeteria later that day. The emerging technology Cheryl deployed is called A. Data analytics. B. Radio frequency identification. C. Natural language processing. D. Computer simulation.

C. Natural language processing.

A holistic approach that allows companies to better withstand short-term shocks and help ensure long-term business viability is known as A. Business process management. B. Strategic redeployment plan. C. Organizational resiliency. D. Preparedness planning

C. Organizational resiliency.

Southwest Interstate Railroad (SIR) is concerned about the number derailments in recent years. It's not cost effective to use human assets to inspect tracks, bridges, and trestles. Instead, SIR has started to use drones. A drone can fly low over tracks and above/below bridges and trestles. The drones record video that is transmitted to corporate headquarters where it is simultaneously scanned for derailment hazards. In the past six months, the drones detected a track blockage caused by a rock slide and damage to tracks in a remote area cause by an earthquake. SIR dispatched work crews to make the tracks once again passable, and no derailments occurred. SIR's use of drones, video, real-term video scanning, and computer analysis illustrates which one of the following? A. Risk management information systems B. Insurtech C. Preventative analytics D. Big data analytics

C. Preventative analytics

When comparing principles-based regulation with rules-based regulation, which one of the following statements is correct? A. Principles-based regulation emphasizes conformity rather than the outcome. B. Principles-based regulation requires less communication between the regulator and regulated entity. C. Principles-based regulation responds more quickly to a changing environment. D. Principles-based regulation tends to use a one-size-fits-all approach.

C. Principles-based regulation responds more quickly to a changing environment.

Which one of the following terms refers to information used as a basis for measuring the significance of a risk? A. Risk appetite B. Risk threshold C. Risk criteria D. Risk tolerance

C. Risk criteria

Before speaking with a group or individual, the speaker should think about what he or she wants the other person(s) to do as a result of the conversation. Which one of the following steps in the communication process does the speaker complete by doing this? A. Analyze your audience B. Set aside judgement C. Set a clear communication objective D. Deliver a message the recipient(s) want to hear

C. Set a clear communication objective

Which one of the following is a main characteristic of effective key risk indicators (KRIs)? A. They define the boundaries of risk tolerance. B. They are lagging in nature. C. They are based on quantifiable information. D. They measure progress toward achieving objectives.

C. They are based on quantifiable information.

Tom is the Chief Underwriting Officer (CUO) of a large commercial insurance carrier and has been tasked with updating the current compliance program. The internal audit results for the past few years have been poor and highlight a need for immediate correction in certain functional areas. Instead of modifying the current program, Tom decides to start from scratch and build a new, ground-up program. What is a fundamental component Tom should be implementing to ensure his company's compliance program is effective? A. Reference the U.S. Sentencing Commission's Guidelines manual for ideas. B. Consult with his CUO peers at competitor firms who have had success in this area. C. Use due diligence to prevent and detect criminal behavior. D. Conduct his own internal audit to see the laws the employees are following.

C. Use due diligence to prevent and detect criminal behavior.

Which one of the following statements is true regarding the roles of a risk champion and a chief risk officer? A. A chief risk officer reports to a risk champion, who in turn interacts with the company executives and the board of directors. B. A risk champion is a member of the board of directors who has been selected to concentrate his or her efforts on assessing the risks faced by an organization. C. A chief risk officer usually has less influence on corporate decision making than a risk champion. D. A chief risk officer is more likely to have a dedicated staff to assist with the responsibilities of his or her job.

D. A chief risk officer is more likely to have a dedicated staff to assist with the responsibilities of his or her job.

The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards? A. A severe risk tolerance level B. A critical success factor derived from a strategic objective C. A key performance indicator based on financial ratios D. A corrective measure linked with an identified tolerance level

D. A corrective measure linked with an identified tolerance level

Donna's Dog Treats has been very successful in the Boston area and would like to expand to new cities. Donna knows that she cannot make this decision based on customer advice and blind faith. She has collected internal financial and operational data as well as external data from reliable sources. Donna has hired an analyst to review the data quality. The analyst is reviewing the data to see if it includes the demographics for each target city that Donna is considering. Which one of the following data-quality principles is being evaluated? A. Reasonableness B. Validity C. Appropriateness D. Comprehensiveness

D. Comprehensiveness

During which stage of a strategic redeployment plan does the organization need to consider the supply chain, as well as the facilities and machinery that are available? A. Alternative marketing stage B. Communication stage C. Emergency stage D. Contingency production stage

D. Contingency production stage

Colossal Casualty Insurance Company decided to conduct an internal audit of the company's operations. As part of the internal audit, several fictitious claims were submitted to the claims department to see if the claims would be approved and paid. Which one of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) components of internal control was examined by this internal audit test? A. Risk assessment. B. Monitoring activities. C. Information and communication. D. Control environment.

D. Control environment.

Which one of the following is an example of a data governance tool? A. Data integration B. Metadata C. Risk Management D. External Policy

D. External Policy

An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards? A. Organizations with key performance indicators (KPIs) established for critical success factors (CSFs) will typically achieve organizational goals. B. A key performance indicator (KPI) answers the question, "What will make our organization a success?" C. Generally, an organization's risk tolerance has little impact on its critical success factors (CSFs) and key performance indicators (KPIs). D. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.

D. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.

Which one of the following groups in an organization are often in the best position to anticipate possible risks from vendors or customers? A. Information technology consultants B. Upper management C. Human resources staff D. Front-line workers

D. Front-line workers

Martin Pruitt was hired by Regional Bank Company (RBC) to strengthen the company's internal control efforts. Martin implemented a computer scanning program to detect fraud. The scanning program flagged a suspicious account. When Martin investigated the account, he learned that someone in the bank's technology department had created the account. When the bank credits monthly interest on depositor accounts, any fractional cents are rounded-down to the nearest cent. The technology department official programmed the system so that any fractional cents lost due to rounding were deposited to the account owned by the technology department official. The scanning program Martin Pruitt implemented used computers to learn from the data analyzed. This application of emerging technology illustrates the use of A. Computer simulation. B. Risk management information systems. C. Artificial intelligence. D. Machine learning.

D. Machine learning.

Which one of the following best describes how internal audit compliments a risk management initiative? A. Risk managers identify, assess and prioritize risks with the assistance of internal audit. Internal audit requires that the controls for the risks are tested. B. Internal audit tests controls for risks identified by risk managers. Risk management and internal audit are similar in that they are both charged with protecting the assets of an organization. C. Internal audit tests the controls initiated by the risk management team. The risk management team reviews the results and responds to internal audit on the control assessment. D. Risk managers identify, assess and prioritize risks. Internal audit develops a risk-based auditing plan that addresses material risks to an organization.

D. Risk managers identify, assess and prioritize risks. Internal audit develops a risk-based auditing plan that addresses material risks to an organization.

Lucy is a chef at a restaurant. She is growing tired of working such long hours and not reaping the financial benefits. Lucy has been saving money with the goal of opening her own restaurant. She recently talked to a financial advisor about the options market as a way to grow her savings quickly. The financial advisor explained that it is a risky choice, but could potentially allow her to reach her goal of owning a restaurant in the near future. Lucy has decided to invest her savings in the options market. Which one of the following types of risk attitude does Lucy exhibit? A. Risk obsessed B. Risk managed C. Risk optimizing D. Risk seeking

D. Risk seeking

Which one of the following regulatory approaches provides an organization with more certainty and greater predictability? A. Risk-based B. Principles-based C. Evidence-based D. Rules-based

D. Rules-based

Encrypting data to block its use if stolen is an example of a A. Cyber-threat inventory approach. B. Incident response plan. C. Hardware-based security solution. D. Software-based security solution.

D. Software-based security solution.

Rufus owns 1500 shares in the ARM Corporation. Recently, ARM has shouldered significant liabilities due to pollution problems. Generally, Rufus' liability as a shareholder would be limited to which one of the following? A. Treble damages B. The amount of insurance coverage they have C. The amount of assets they have D. The value of their shares

D. The value of their shares

A business impact analysis (BIA) should identify the points in time when the interruption would have the greatest impact, what the operational impact would be, and A. What continuity strategy to use. B. Whether the exposures are external, internal, or project. C. Who should be on the recovery team. D. What the financial impact would be.

D. What the financial impact would be.