ARM 400 EXAM TEST BANK AND STUDY GUIDE 2024 | CONTAINS 2 CURRENTLY TESTING EXAMS WITH A VERIFIED STUDY GUIDE | ACCURATE AND DETAILED FOR GUARANTEED PASS | LATEST UPDATE

Which one of the following is an example of an internal key risk indicator (KRI) that a contractor might monitor?
A. Availability of skilled labor
B. Cost of lumber
C. Budget variances
D. Interest rates
C. Budget variances

An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards?
A. A key performance indicator (KPI) answers the question, "What will make our organization a success?"
B. Organizations with key performance indicators (KPIs) established for critical success factors (CSFs) will typically achieve organizational goals.
C. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.
D. Generally, an organization's risk tolerance has little impact on its critical success factors (CSFs) and key performance indicators (KPIs).
C. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.

The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards?
A. A key performance indicator based on financial ratios
B. A corrective measure linked with an identified tolerance level
C. A severe risk tolerance level
D. A critical success factor derived from a strategic objective
B. A corrective measure linked with an identified tolerance level

Which one of the following terms refers to information used as a basis for measuring the significance of a risk?
A. Risk appetite
B. Risk threshold
C. Risk criteria
D. Risk tolerance
C. Risk criteria

Which one of the following is a main characteristic of effective key risk indicators (KRIs)?
A. They define the boundaries of risk tolerance.
B. They are lagging in nature.
C. They are based on quantifiable information.
D. They measure progress toward achieving objectives.
C. They are based on quantifiable information.

Successful organizations have goals and objectives. A financial or nonfinancial measurement that defines how successfully an organization is progressing toward its long-term goals is referred to as
A. An operating standard (OS).
B. A key performance indicator (KPI).
C. A critical success factor (CSF).
D. An objective gauge (OG).
B. A key performance indicator (KPI).

An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards?
A. Organizations with key performance indicators (KPIs) established for critical success factors (CSFs) will typically achieve organizational goals.
B. A key performance indicator (KPI) answers the question, "What will make our organization a success?"
C. Generally, an organization's risk tolerance has little impact on its critical success factors (CSFs) and key performance indicators (KPIs).
D. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.
D. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable.

An organization has established a key performance indicator to "reduce employee injuries by 6%." Which one of the following would indicate a low risk tolerance for this KPI?
A. Reduce employee injuries by 2%
B. Reduce employee injuries by 4%
C. Reduce employee injuries by 5 to 6%
D. Employee injury rate remains unchanged
C. Reduce employee injuries by 5 to 6%

The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards?
A. A severe risk tolerance level
C. Payments to offshore subsidiaries.
D. Corporate compliance costs.
B. Pollution costs.

Which one of the following categories of agency costs is assumed by managers?
A. Advertising costs
B. Bonding costs
C. Incentive alignment costs
D. Monitoring costs
B. Bonding costs

Encouraging the expression of feelings as well as facts and following up with employees on the problems they report are two ways that managers and supervisors can
A. Cultivate two-way communication.
B. Facilitate active listening.
C. Support diverse groups.
D. Maintain control of the conversation.
A. Cultivate two-way communication.

Before speaking with a group or individual, the speaker should think about what he or she wants the other person(s) to do as a result of the conversation. Which one of the following steps in the communication process does the speaker complete by doing this?
A. Analyze your audience
B. Set aside judgement
C. Set a clear communication objective
D. Deliver a message the recipient(s) want to hear
C. Set a clear communication objective

According to the law of large numbers, as the number of exposure units insured increases,
A. The size of the average loss declines.
B. The relative accuracy of predictions about future losses increases.
C. The probability of an underwriting loss increases.
D. Fewer losses are expected to occur.
B. The relative accuracy of predictions about future losses increases.

When communicating a decision up the organization's chain of command, consulting with outside experts can help a risk management professional do which one of the following?
A. Define the organization's risk appetite
B. Stay focused on the organization's objectives
C. Enhance stakeholders' confidence in the process
D. Seek feedback from stakeholders
C. Enhance stakeholders' confidence in the process

Company G is a manufacturer of high-profile golf equipment. The risk management professional for Company G is concerned about loss of business related to product design. Failing to respond to changing customer demand and preferences in the design of golf clubs could cost Company G significant market share. Categorized according to the quadrants of risk, this exposure to loss is classified as
A. An operational risk.
B. A strategic risk.
C. A financial risk.
D. A hazard risk.
B. A strategic risk.

Which one of the following risk management objectives is critical for a manufacturer seeking new capital from investors, stockholders, and creditors?
A. Social responsibility
B. Anticipate and recognize emerging risks
C. Eliminate downside risk
D. Reduce the deterrent effects of hazard risks
D. Reduce the deterrent effects of hazard risks

In addition to metal detectors, many airports have installed a second type of scanning technology for checked baggage and cargo. The checked bags and cargo pass through a portal with scanners programmed to detect and test for explosive trace fumes. These scanners, which detect explosives based on air samples, are an example of what type of sensor used for risk assessment and control?
A. Radiant sensors.
B. Mechanical sensors.
C. Biochemical sensors.
D. Thermal sensors.
C. Biochemical sensors.

AMRM Insurance Company sells insurance in Virginia, North Carolina, South Carolina, and Georgia. The company has compiled a policyowner database that can be used to send text messages when hurricanes approach. The company provides early warnings, storm updates from the National Weather Service, and hurricane safety measures. The company credits the system with reduced hurricane claims. The use of the texting system is an example of
A. Artificial intelligence.
B. Preventive analytics.
C. Experience rating.
D. Sensor networks.
B. Preventive analytics.

Mutual Fund Company (MFC) offers a wide array of mutual fund options to investors. Each mutual fund has a different fund objective and set of investment guidelines that apply to the fund. While MFC gives considerable freedom to its fund portfolio managers, they are required to abide by the fund's investment guidelines. To monitor compliance, MFC developed a computer algorithm. The computer algorithm continuously monitors each fund's compliance with investment guidelines. If a fund manager violates the investment guidelines, the computer immediately notifies MFC's internal control director, and corrective action is taken. MFC's use of the computer algorithm to monitor investment compliance and to provide notification when corrective action is necessary illustrates use of
A. Computer vision.
B. Artificial intelligence.
C. Transducer technology.
D. Mechanical sensors.
B. Artificial intelligence.

Southwest Interstate Railroad (SIR) is concerned about the number of derailments in recent years. It is not cost effective to use human assets to inspect tracks, bridges, and trestles. Instead, SIR has started to use drones. A drone can fly low over tracks and above/below bridges and trestles. The drones record video that is transmitted to corporate headquarters, where it is simultaneously scanned for derailment hazards. In the past six months, the drones detected a track blockage caused by a rock slide and damage to tracks in a remote area caused by an earthquake. SIR dispatched work crews to make the tracks once again passable, and no derailments occurred. SIR's use of drones, video, real-time video scanning, and computer analysis illustrates which one of the following?
A. Risk management information systems
B. Insurtech
C. Preventative analytics
D. Big data analytics
C. Preventative analytics

A risk management professional is identifying the organization's key stakeholders as part of the enterprise risk management program. Which one of the following would be considered an internal stakeholder?
A. Unions
B. General public
C. Stockholders
D. Suppliers
C. Stockholders

Parker International tends to communicate only the information that stakeholders need to complete their tasks and achieve goals. The management style at Parker International is
A. Responsive.
B. Directive.
C. Delegating.
D. Supportive.
C. Metadata
D. Data lineage
C. Metadata

The data quality principle of reasonability refers to
A. The materiality or relevance of data.
B. The systematic process of tracing data.
C. The comprehensive nature of data.
D. The appropriateness of current data.
A. The materiality or relevance of data.

Which one of the following defines the duties of a data steward?
A. A data steward is a project manager.
B. A data steward is an experienced business analyst.
C. A data steward measures data compliance.
D. A data steward provides technological support.
B. A data steward is an experienced business analyst.

Which one of the following is an element of a data security program?
A. Increasing the overall efficiency of data systems.
B. Storing data back-ups off site.
C. Installing agile project management.
D. Implementing a data governance program.
B. Storing data back-ups off site.

There are two types of associated risk for data privacy, individual and general risk. General data privacy risk
A. Can be categorized as operational or reputational.
B. Involves legal and regulatory requirements.
C. Varies by the type of business or industry.
D. Is of specific concern to the European Union.
A. Can be categorized as operational or reputational.

Ensuring quality data requires a
A. Systematic and purpose-driven review process.
B. Data governance committee.
C. More efficient deployment of resources.
D. Business analyst.
A. Systematic and purpose-driven review process.

The data quality principle of reasonability refers to
A. The comprehensive nature of data.
B. The appropriateness of current data.
C. The systematic process of tracing data.
D. The materiality or relevance of data.
D. The materiality or relevance of data.

Which one of the following is an example of a data governance tool?
A. Data integration
B. Metadata
C. Risk Management
D. External Policy
D. External Policy

Under the General Data Protection Regulation (GDPR), a data controller's role is to
A. Define how and for what purpose personal data should be processed.
B. Manage the flow of data for the rest of the organization.
C. Define the metrics used to measure an organization's overall data quality.
D. Represent the business aspects of data governance.
A. Define how and for what purpose personal data should be processed.

Cheryl Babson works in internal control at Software Company. She contacted company security and asked them to immediately go to the office of a software engineer and to detain him. As part of the internal control process, Cheryl had scanning software installed at the company that randomly searched all e-mails and text messages sent from on site, searching for key words. The scanning software detected the words "gun," "bomb," "revenge," and "kill" in communications sent from the engineer's office. Company security found a loaded assault rifle, two loaded handguns, and a pipe bomb in the engineer's office. He confessed to planning a workplace attack at the company cafeteria later that day. The emerging technology Cheryl deployed is called
A. Data analytics.
B. Radio frequency identification.
C. Natural language processing.
D. Computer simulation.
C. Natural language processing.

Which one of the following best describes why the Institute for Internal Auditors (IIA) has designed standards addressing the need for internal audit to evaluate the effectiveness of risk management?
A. Audits may be self-serving to an organization depending on the experience level of an auditor. By indicating specific criteria, an auditor should be able to conduct a valid audit.
B. Audits are objective and independent of the politics of an organization. A pronouncement assists the auditor by defining review criteria.
C. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities.
D. Audits are conducted annually in many organizations. Requiring an auditor to validate the findings of prior years provides a comfort level to stakeholders.
C. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities.

Martin Pruitt was hired by Regional Bank Company (RBC) to strengthen the company's internal control efforts. Martin implemented a computer scanning program to detect fraud. The scanning program flagged a suspicious account. When Martin investigated the account, he learned that someone in the bank's technology department had created the account. When the bank credits monthly interest on depositor accounts, any fractional cents are rounded down to the nearest cent. The technology department official programmed the system so that any fractional cents lost due to rounding were deposited to the account owned by the technology department official. The scanning program Martin Pruitt implemented used computers to learn from the data analyzed. This application of emerging technology illustrates the use of
A. Artificial intelligence.
B. Machine learning.
C. Risk management information systems.
D. Computer simulation.
B. Machine learning.

Colossal Casualty Insurance Company decided to conduct an internal audit of the company's operations. As part of the internal audit, several fictitious claims were submitted to the claims department to see if the claims would be approved and paid. Which one of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) components of internal control was examined by this internal audit test?
A. Control environment.
B. Information and communication.
C. Monitoring activities.
D. Risk assessment.
A. Control environment.

It is necessary to define functions that should be performed by internal audit rather than the enterprise risk management (ERM) team because
A. Clarification of functions helps avoid redundancy and foster a strong working relationship.
B. ERM is all-encompassing and, if not controlled, will absorb internal audit functions.
C. Internal audit and risk managers share responsibilities for governance and compliance for the organization.
D. The Institute of Internal Auditors (IIA) guidelines are used to avoid confusion in an organization and clarify financial compliance issues.
A. Clarification of functions helps avoid redundancy and foster a strong working relationship.

An independent auditor has been given the task of evaluating internal controls at Westside Company (Westside). The auditor has determined that Westside's board of directors has endorsed a framework requiring management to have documented internal reporting controls to ensure efficient operations, accuracy of financial statements, and compliance with regulations. The
B. Monitoring activities.
C. Information and communication.
D. Control environment.
D. Control environment.

Emerging technologies such as artificial intelligence and machine learning are being applied by some businesses as part of their internal audit and control process. A key benefit of such applications is
A. Detection of fraud and inefficient practices in real time.
B. Greater ability to quantify losses.
C. Gaining an historical perspective on inefficient and ineffective internal control measures.
D. Reduced labor costs in the risk management department.
A. Detection of fraud and inefficient practices in real time.

Which one of the following is the first step that should be taken by the senior manager who is responsible for the organization's compliance program?
A. Establish incentives and disciplinary actions to enforce the program
B. Assemble a task force from all major functions within the organization
C. Train all employees on how to report compliance violations to the federal government
D. Review all employee files for any relevant history of illegal behavior
B. Assemble a task force from all major functions within the organization

Sims Cinnamon Rolls and Donuts creates confectionery masterpieces for business conventions. Knowing how much a warm cinnamon roll or fresh donut means to a conventioneer just arriving from out of town, Sims decides to implement a standard that 100% of its orders be delivered 60 minutes before the start of each convention. This is an example of which of the following kinds of compliance requirements?
A. External and Voluntary
B. Internal and Mandatory
C. Internal and Voluntary
D. External and Mandatory
C. Internal and Voluntary

Which one of the following regulatory approaches allocates resources based on the concept of achieving the greatest potential good while simultaneously minimizing the overall costs?
A. Risk-based regulation
B. Evidence-based regulation
C. Rules-based regulation
D. Performance-based regulation
A. Risk-based regulation

Based on Basel III principles, which one of the following groups should take the lead in establishing a strong risk management culture?
A. Risk managers
B. Board of directors
C. Employees
D. Senior management
B. Board of directors

Which one of the following statements is true regarding Basel III?
A. Basel III was developed to address both the risk of individual organizations and systemic risk in the banking sector.
B. Basel III is a regulatory standard for banks of the European Union and the United Kingdom.
C. Basel III was developed to reduce the likelihood of insurer insolvency, market disruption, and consumer loss.
D. Basel III is a voluntary standard for insurers which encourages senior management to take the lead in establishing a strong risk management culture.
A. Basel III was developed to address both the risk of individual organizations and systemic risk in the banking sector.

Claim representative Klee is reviewing an auto liability claim concerning a two-car collision that has just been assigned to him. He discovers that the insured was clearly 100 percent at fault for the accident and, although nobody was injured, it is company policy for him to set a $500 reserve. Klee sets the reserve and then calls the insured driver involved in the accident for a recorded statement. During the conversation with the insured driver, Klee takes it upon himself to recommend a company-approved collision center where the insured driver can have her vehicle repaired to pre-accident condition. Klee's application of setting reserves and mentioning the collision repair center would best represent which two compliance requirements in this case?
A. Internal and mandatory
B. Internal and voluntary
C. External and voluntary
D. External and mandatory
B. Internal and voluntary

When comparing principles-based regulation with rules-based regulation, which one of the following statements is correct?
A. Principles-based regulation emphasizes conformity rather than the outcome.
B. Principles-based regulation requires less communication between the regulator and regulated entity.
C. Principles-based regulation responds more quickly to a changing environment.
D. Principles-based regulation tends to use a one-size-fits-all approach.
C. Principles-based regulation responds more quickly to a changing environment.

Solvency II is a regulatory standard that should reduce the likelihood of insolvency, market disruption, and consumer loss in which one of the following industries?
A. Insurance
B. Banking
C. Automobile
D. Health care
A. Insurance

Which one of the following statements about standards (risk management, Solvency II, and Basel II and III) is true?
A. The Solvency II standards were approved by the U.S. Congress and now must be satisfied by all U.S. insurers.
B. The Basel II and Basel III standards apply to all European corporations no matter the sector of the economy in which the corporation operates.
C. Many risk management standards, such as ISO 31000, are voluntary.
D. The Solvency II standards were promulgated to strengthen U.S. regulation and supervision of the banking sector.
C. Many risk management standards, such as ISO 31000, are voluntary.

Which one of the following regulatory approaches provides an organization with more certainty and greater predictability?
A. Risk-based
B. Principles-based
C. Evidence-based
D. Rules-based
D. Rules-based

All of the following are true regarding the Federal Sentencing Guidelines, EXCEPT:
A. They require an organization to have written standards and procedures.
B. They are mandatory.
C. They can be used by federal courts.
D. They establish minimum components for an effective compliance program.
B. They are mandatory.

One of the major objectives of a compliance program is to receive benefits from external sources. Which one of the following is an example of a potential benefit from an external source?
A. Improved employee health and safety
B. Reductions in insurance premiums
C. Reductions in corporate taxes
D. Increased product safety
B. Reductions in insurance premiums

Which one of the following is an example of a principles-based traffic control regulation?
A. Driver and passengers must wear a safety belt when the car is in motion
B. Driver must maintain a reasonable following distance appropriate to speed and conditions
C. Organizational resiliency.

Which one of the following continuity strategy models involves maintaining two or more active sites that are geographically dispersed?
A. Active back-up model
B. Prioritization model
C. Split operations model
D. Risk transfer model
C. Split operations model

Which one of the following groups in an organization is often in the best position to anticipate possible risks from vendors or customers?
A. Information technology consultants
B. Upper management
C. Human resources staff
D. Front-line workers
D. Front-line workers

The opening day finally arrived for a local amusement park that had advertised its new roller coaster for months. The crowds were bigger than normal that day as folks lined up to try the new thrill ride. Everything was going well for the first few hours until, around mid-day, the ride suddenly screeched to a halt in the middle of a run. Fortunately, the delay was only 15 minutes and the coaster was on flat track at the time and not a loop. However, some technical issues prevented the ride from continuing that day and it had to be shut down. As a result, many patrons were upset and disappointed with the outcome. Knowing that successfully managing reputational risk involves quickly recognizing the risk to reputation, rapidly making important decisions to manage the risk, and relying on leadership and culture for a favorable outcome, all of the following fit these criteria, EXCEPT:
A. Providing vouchers that give free ice cream cones to all patrons in the park that day.
B. Contacting the local news channel and speaking honestly about what happened and that the issue was resolved and should not occur again.
C. Reminding patrons that their attendance comes with an assumption of risk and no guarantees.
D. Publishing a press release on the root cause and corrective action taken to avoid future incidents.
C. Reminding patrons that their attendance comes with an assumption of risk and no guarantees.

Which one of the following best describes how internal audit complements a risk management initiative?
A. Risk managers identify, assess and prioritize risks with the assistance of internal audit. Internal audit requires that the controls for the risks are tested.
B. Internal audit tests controls for risks identified by risk managers. Risk management and internal audit are similar in that they are both charged with protecting the assets of an organization.
C. Internal audit tests the controls initiated by the risk management team. The risk management team reviews the results and responds to internal audit on the control assessment.
D. Risk managers identify, assess and prioritize risks. Internal audit develops a risk-based auditing plan that addresses material risks to an organization.
D. Risk managers identify, assess and prioritize risks. Internal audit develops a risk-based auditing plan that addresses material risks to an organization.

Martin Pruitt was hired by Regional Bank Company (RBC) to strengthen the company's internal control efforts. Martin implemented a computer scanning program to detect fraud. The scanning program flagged a suspicious account. When Martin investigated the account, he learned that someone in the bank's technology department had created the account. When the bank credits monthly interest on depositor accounts, any fractional cents are rounded down to the nearest cent. The technology department official programmed the system so that any fractional cents lost due to rounding were deposited to the account owned by the technology department official. The scanning program Martin Pruitt implemented used computers to learn from the data analyzed. This application of emerging technology illustrates the use of
A. Computer simulation.
B. Risk management information systems.
C. Artificial intelligence.
D. Machine learning.
D. Machine learning.

The individual responsible for ensuring compliance within an organization usually reports to which one of the following?
A. Senior management
B. Human resources
C. General counsel
D. Operations Management
A. Senior management

The Federal Sentencing Guidelines require a senior manager to have responsibility for the organization's entire compliance program. The individual selected is typically from which one of the following functions of the organization?
A. Human development
B. Internal audit
C. Legal
D. Operations
B. Internal audit

Tom is the Chief Underwriting Officer (CUO) of a large commercial insurance carrier and has been tasked with updating the current compliance program. The internal audit results for the past few years have been poor and highlight a need for immediate correction in certain functional areas. Instead of modifying the current program, Tom decides to start from scratch and build a new, ground-up program. What is a fundamental component Tom should be implementing to ensure his company's compliance program is effective?
A. Reference the U.S. Sentencing Commission's Guidelines manual for ideas.
B. Consult with his CUO peers at competitor firms who have had success in this area.
C. Use due diligence to prevent and detect criminal behavior.
D. Conduct his own internal audit to see the laws the employees are following.
C. Use due diligence to prevent and detect criminal behavior.

There are four major objectives of a compliance program. Which one of the following would NOT be considered an objective?
A. Notifying the United States Sentencing Commission of all reported incidents
B. Provide assurance to key stakeholders that the firm is in compliance with all laws, regulations and policies
C. Receive benefits from external sources for having an effective compliance program such as regulatory approval
D. Create a culture that encourages compliance and oversight within the firm
A. Notifying the United States Sentencing Commission of all reported incidents

Which one of the following is a critical component to achieving true operational resiliency?
A. A top management view of potential risks
B. A culture of openness and trust
C. A long-term commitment to a single vendor
D. A facilities-based operation
B. A culture of openness and trust

During which stage of a strategic redeployment plan does the organization need to consider the supply chain, as well as the facilities and machinery that are available?
A. Alternative marketing stage
B. Communication stage
C. Emergency stage
D. Contingency production stage
D. Contingency production stage

When communicating a decision up the organization's chain of command, consulting with outside experts can help a risk management professional do which one of the following?
A. Seek feedback from stakeholders
B. Stay focused on the organization's objectives
C. Define the organization's risk appetite
D. Enhance stakeholders' confidence in the process
D

Which of the following risk management program goals is an essential goal for all public entities?
C. Analyze your audience
D. Set a clear communication objective
C

Before speaking with a group or individual, the speaker should think about what he or she wants the other person(s) to do as a result of the conversation. Which one of the following steps in the communication process does the speaker complete by doing this?
A. Deliver a message the recipient(s) want to hear
B. Set aside judgement
C. Set a clear communication objective
D. Analyze your audience
C

Which one of the following risk management objectives is critical for a manufacturer seeking new capital from investors, stockholders, and creditors?
A. Anticipate and recognize emerging risks
B. Social responsibility
C. Reduce the deterrent effects of hazard risks
D. Eliminate downside risk
C

Which one of the following data capture tools has led to an explosion of risk management innovation by allowing smart products to transmit data to each other and to central hubs?
A. Blockchain
B. Cloud computing
C. Internet of Things
D. Artificial intelligence
C

Jean is the Risk Manager for a Fortune 1000 company. Her CFO has tasked her to analyze vulnerabilities in the firm's supply chain. The adequacy of suppliers to meet an organization's needs would be an example of which one of the following types of risk?
A. Financial risk
B. Strategic risk
C. Operating risk
D. Operational risk
D

An organization must meet the standard of care that it owes to others in order to ensure that
A. Legal obligations are satisfied.
B. Post-loss goals are in place.
C. Operations are efficient.
D. Contracts are not breached.
A

According to the law of large numbers, as the number of exposure units insured increases,
A. Fewer losses are expected to occur.
B. The size of the average loss declines.
C. The relative accuracy of predictions about future losses increases.
D. The probability of an underwriting loss increases.
C

Risk can be classified as diversifiable or nondiversifiable. Which one of the following statements is true with respect to this type of risk classification?
A. Diversifiable risks tend not to be correlated, so they can be managed through diversification or spread of risk.
B. Systemic risks are generally diversifiable.
C. Private insurance tends to concentrate on nondiversifiable risks; government insurance is often suitable for diversifiable risks.
D. Inflation, unemployment and natural disasters, such as hurricanes, are examples of diversifiable risk.
A

The fundamental purpose of a risk management framework is to
A. Maximize profits for all stakeholders.
B. Integrate risk management throughout the organization.
C. Define and eliminate potential losses.
D. Reduce the cost of risk.
B

Which one of the following is one of the five steps of the risk management process?
A. Align and integrate
B. Establish accountability
C. Scan environment
D. Allocate resources
C

Which one of the following best explains how most smart products potentially improve risk management?
A. They measure worker fatigue.
B. They scan and inspect structures for unsafe conditions.
C. They assess risks in dangerous areas.
D. They generate big data to which advanced analytics can be applied.
D

Clear-Rite Company specializes in the clean-up of hazardous chemical spills. Workers performing clean-up operations must use safety suits to prevent exposure to the chemicals. The suits include pulse and respiration monitors, body temperature sensors, and chemical sensors. The monitors and sensors report data to a mobile operations center, which is deployed to each clean-up site. The pulse and respiration monitors and the sensors that are part of the protective gear are called
A. Magnetometers.
B. Drone technologies.
C. Wearable technologies.
D. Accelerometers.
C

Data Entry Company (DEC) offers customers data entry services. A customer can hire DEC to enter survey data to be analyzed. Many DEC employees spend long hours entering data on a computer. DEC has received neck strain and wrist pain complaints from its employees, increasing the company's workers compensation costs. DEC investigated the complaints of its data-entry employees. DEC adopted curved keyboards for data entry, wrist-rests for those entering data, and uniform chair heights and display monitor heights to reduce neck strain claims. The science of designing work spaces based on the health concerns of those who will operate in the work space is called
A. Big data.
B. Accelerometer technology.
C. Predictive analytics.
D. Ergonomics.
D

Which one of the following statements about the use of drones is true?
A. The use of drones is limited to military applications.
B. Space and weight limitations prevent drones from being equipped with sensors and cameras.
C. Drones may be equipped with cameras that relay data in real time.
D. The reliance on humans to operate drones severely limits their application for commercial uses.
C

Many auto manufacturers have automated a portion of their assembly lines by introducing a smart product. The smart product performs repetitive tasks, such as making the same weld on each vehicle frame as it passes the smart product. These smart products, which can be fixed or mobile, reduce repetitive motion injuries that humans might suffer. They can also be used to perform dangerous tasks and in heavy-lifting jobs. These smart products are called
A. Wearables.
B. Automated sensors.
C. Robots.
D. Drones.
D

Last year, three Metro City firemen died responding to a fire at a chemical plant when they were overcome by toxic fumes. In response, Metro City is purchasing advanced first responder gear. It includes special flame-retardant suits with chemical and explosive fume sensors, air quality sensors, and heat sensors. Responders will also wear special watches that will track a responder's pulse, respiration, and blood pressure, and helmets that include video cameras. All of these sensors will feed data to a computer in real time. The computer will analyze the data and issue threat levels and evacuation orders, if necessary. The protective gear Metro City will purchase and the data transmission and analysis capability illustrate the use of
A. Insurtech.
B. Smart products.
C. Risk management information systems.
D. Catastrophe modeling.
B

The emerging technologies applied to risk assessment and control link the physical domain to the virtual domain. Together, these domains linked by the emerging technologies create a
A. Connected ecosystem.
B. Risk management information system.
C. Smart system.
D. Risk management matrix.
A Precision Electronic Components manufactures circuit boards, microchips, and other electronic products. Given the precision necessary for their products, the manufacturing environment must be controlled. Temperature, humidity, static electricity and other factors must be monitored. After losing several batches of products due to human monitoring failures and imprecise adjustments, the company moved to a system of sensors. The sensors monitor and regulate temperature, humidity, static electricity, and other factors. The sensors transmit data to and from each other, and the manufacturing environment is continuously adjusted to assure production is successful. The network of sensors transmitting data and the autonomous corrective actions without human interaction is called A. Sensitivity analysis. B. Computer-directed manufacturing. C. Web-based manufacturing. D. The Internet of Things. D It is necessary to assess the risk appetite of a business supplier prior to doing business because understanding the risk appetite allows the organization to A. Ascertain whether the relationship is a good fit. B. Negotiate better prices and delivery times. C. Better control its production. D. Leverage its payments to the supplier to the organization's advantage A An organization evaluates key stakeholders' attitude toward risk in order to A. Understand what risks are acceptable and to develop an effective enterprise-wide risk management program. B. Understand acceptable risks and gauge its ability to attract new shareholders. C. Understand acceptable risks and gauge its ability to raise capital. D. Understand the risk appetite in order to determine what information is disseminated. A A speaker imparts information in verbal communications by A. Using appropriate facial expressions and gestures while other parties express their opinions and concerns. B. Expressing facts and emotions quickly, inviting written questions for discussion at a future session. C. 
Having good listening skills and expressing facts and emotions through words and sometimes visual displays. D. Listening and verbally responding with anecdotes of prior meetings, leveraging humor as opposed to facts for discussion. C Which one of the following should be part of an organization's standard operating procedures (SOPs) concerning external stakeholder communications? A. Instructions to always use written communication, rather than verbal or nonverbal communication B. Instructions regarding what types of information can and cannot be released C. Instructions requiring the use of formal, rather than informal communication D. Instructions to avoid the use of social media B North American Furnishings has been in business for 18 years. The organization's primary objectives are profitability and bottom-line results. It always sets aggressive goals. North American Furnishings values its customer bases. Which one of the following types of corporate culture exists at North American Furnishings? A. Hierarchy B. Clan C. Market D. Adhocracy C After opening its third store, Shoehorn Shoes decided to purchase new inventory tracking software for all of its stores. Which one of the following external or internal environments does this decision relate to? A. Operations environment B. Physical environment C. Economic environment D. Product environment A Senior management of CAZ Company decides to cut its involvement with the local youth association and no longer allow its employees to work with kids during business hours. Additionally, they will no longer fund the Youth House. Which one of the following best describes how this action may affect its risk management profile? A. Corporation may increase its external social risk by negating any goodwill the community has for the company. B. Corporation may increase its financial exposure by not having tax credits to offset its profits or losses. C. 
Corporation may decrease its external political risk by removing itself from any community involvement. D. Corporation may decrease its operations environment as the staff will have more time to devote to the company. A Which one of the following organizational policies or practices is based on a code of ethics? A. An annual compliance audit of each field underwriting office that is conducted by the home office staff B. The designation of 2 workdays a year for employees to participate in local civic and volunteer activities C. A company policy that offers a 10 percent discount to teachers and members of the military D. A disclosure requirement regarding any potential conflict of interest an accountant might have in working with specific clients D Which one of the following statements is correct regarding an organization's code of ethics? A. The code of ethics should provide an organization with a set of parameters within which it should operate, with little room for interpretation. B. The code of ethics should provide a list of dos and don'ts that employees can use as a framework in making day-to-day decisions. C. The code of ethics should include principles and concepts that are dynamic enough to remain relevant in a rapidly changing business environment. D. The code of ethics should primarily consider the social and ethical needs of its external stakeholders. C. It attempts to join with another organization for a joint venture taking little of the actual risk on itself. D. It seeks methods of transferring the potential risks or avoids the risk totally. B The main advantage of a formal internal communication system is that A. Employees do not have direct access to each other. B. Formal internal communications takes time which may resolve issues. C. Individuals know to whom to report. D. It is easily accessed. 
C BD Company has made widgets for over 79 years using the same production techniques for fear of the huge costs from potential consumer lawsuits if production is changed and product quality suffers. With respect to its risk attitude, this organization would be classified as A. Risk seeking. B. Risk naïve. C. Risk avoiding. D. Risk optimizing. C The service representatives for Tauton Insurance will be eligible for a bonus only if the customer retention rate is increased by 5%. This is an example of which one of the following standards? A. A critical success factor derived from a strategic objective B. A severe risk tolerance level C. A key performance indicator based on financial ratios D. A corrective measure linked with an identified tolerance level D Key risk indicators (KRIs) help organizations identify issues that can lead to losses. Effective KRIs are based on a company's A. Organizational structure. B. Product or industry. C. Strategic objectives. D. Sales volume. C An organization's goals and objectives are met by establishing and attaining measurable standards for the many activities it pursues. Which one of the following statements is correct with respect to those standards? A. A key performance indicator (KPI) answers the question, "What will make our organization a success?" B. Generally, an organization's risk tolerance has little impact on its critical success factors (CSFs) and key performance indicators (KPIs). C. Organizations with key performance indicators (KPIs) established for critical success factors (CSFs) will typically achieve organizational goals. D. For each key performance indicator (KPI), there is a tolerance level for how much deviation from the standard established in the KPI will be acceptable. D Organizations use key risk indicators (KRIs) to plan for and respond to risk. Which one of the following statements is correct with respect to KRIs? A. 
A KRI can reveal an upward trend in the level of a risk that, if it continues, will exceed the designated risk threshold for that risk. B. KRIs are effective internal indicators of changes such as budget variances; however they are not effective external indicators. C. An organization's risk criteria, predefined tolerance ranges that measure variances from expected outcomes, are based on risk thresholds. D. Risk criteria relating to an organization's strategic risks generally do not serve as the bases for KRIs, which tend to be operational in focus. A Organizations use key risk indicators (KRIs) to plan for and respond to A. Failure. B. Risk. C. Questions. D. Emergencies. B Which one of the following statements is true regarding the business process management (BPM) life cycle model? A. The model is driven by the collaboration of human and technological input. B. The model is designed to review one business process at a time. C. The model is primarily used by organizations in the manufacturing sector. D. The model is ineffective unless all five steps are completed on a continuous basis. A Carbon Manufacturing Company just hired a new chief risk officer (CRO) and one of his first tasks was to recommend updated key risk indicators (KRIs) to the chief executive officer (CEO). The CEO was especially interested in KRIs measuring the company's profitability. One area of measurement that the new CRO might want to use is A. Personnel changes. B. Customer invoices. C. Customer orders. D. Aged accounts receivable. D The business process management (BPM) life cycle incorporates five steps. Which one of the following best describes the first step in the BPM process? A. Critical processes that support achievement of the organization's goals are selected for analysis. B. Processes are modeled to identify the organization's response to what-if scenarios. C. Processes are designed or redesigned by considering workflows and affected personnel. D. 
Processes are tracked so that statistics on their performance can be gathered. C For an organization, a key performance indicator (KPI) measures the performance of a specific activity at a predetermined level or amount. Which one of the following is an example of a KPI based on a ratio? A. Customer-focused website B. High employee morale C. Safe transport of customer goods D. Inventory turnover D North American Furnishings is using business process management to help it identify risks that threaten its processes. Which one of the following risks would be considered an internal risk? A. The loss of available materials due to tornadoes B. The loss of skilled craftspeople due to retirement C. The drop in demand due to rising interest rates D. The rise in the cost of materials due to new forestry regulations B Which one of the following is an example of an internal key risk indicator (KRI) that a contractor might monitor? A. Cost of lumber B. Interest rates C. Availability of skilled labor D. Budget variances D One of the strategic objectives for Cromley Insurance Group is customer satisfaction. Which one of the following is a critical success factor (CSF) that would help refine this strategic objective? A. High profitability B. Increase retention ratio by 5% C. Reduce claim activity by 4 to 6% D. High customer retention D implementation. D. To assist the board in establishing the organization's risk appetite and risk tolerance levels C Which one of the following statements is true regarding separation of ownership and control in corporations? A. The incentive for managers and non-management board members to pursue their own interests at the expense of shareholders gives rise to agency costs. B. Corporate governance is not concerned with the separation of ownership and control. C. Shareholders retain decision-making authority while managers control business operations. D. Limited liability of shareholders impedes the separation of ownership and control in corporations. 
A Corporate governance is evolving towards the separation of oversight and control for boards of directors. This separation may be accomplished by A. Requiring a company executive to chair each board committee. B. Requiring the majority of the directors to be outside directors. C. Requiring the audit committee to be comprised of inside directors. D. Using company-appointed board members rather than shareholder-elected board members. B Rufus owns 1500 shares in the ARM Corporation. Recently, ARM has shouldered significant liabilities due to pollution problems. Generally, Rufus' liability as a shareholder would be limited to which one of the following? A. The value of their shares B. Treble damages C. The amount of assets they have D. The amount of insurance coverage they have A Karen Williams, a retired chief financial officer of a bank, was invited to join the board of directors of ABC Property and Liability Insurance Company. She was asked to serve on the Audit Committee and the Risk Committee of the ABC board. Which of the following statements is true regarding Karen's service on the ABC board of directors? A. The entire board retains oversight responsibility over risks that are assigned to Karen's Audit Committee. B. The work of Karen's Risk Committee is limited to a review of the insurance company's underwriting results and the company's investment portfolio. C. Karen's Audit Committee takes precedence over the board of directors with regard to oversight responsibility. D. As a board member, Karen is expected to be a disinterested party, only questioning the management team when new corporate initiatives fail. A Max is a new investor and the only stocks he owns are his 1,500 shares of Large Corporation. Large operates in a volatile high-tech sector. Max could readily trim his risk of owning shares by A. Concentrating his investments in one sector. B. Diversifying his insurance coverage. C. Diversifying his investment across many corporations. D. 
Concentrating his investments in one company. C One of the categories of agency costs associated with managing the relationship between management and shareholders is A. Implementation costs. B. Monitoring costs. C. Acquisition costs. D. Commission costs. B Which one of the following statements is true regarding the roles of a risk champion and a chief risk officer? A. A chief risk officer usually has less influence on corporate decision making than a risk champion. B. A chief risk officer is more likely to have a dedicated staff to assist with the responsibilities of his or her job. C. A risk champion is a member of the board of directors who has been selected to concentrate his or her efforts on assessing the risks faced by an organization. D. A chief risk officer reports to a risk champion, who in turn interacts with the company executives and the board of directors. B The board of directors must use a thorough understanding of the organization's overall risk philosophy to determine the amount of risk the organization is willing to seek or accept in the pursuit of long-term objectives. This amount of risk is called the organization's A. Probable maximum loss. B. Retention level. C. Risk appetite. D. Maximum possible loss. C A corporate board of director's chair person is elected by A. The board of directors. B. The shareholders. C. Executive management. D. Proxies. A Which one of the following statements is correct with respect to the role of a board of directors in risk oversight? A. Increasing pressure on boards of directors to provide greater enterprise-wide risk oversight comes from sources such as investors, rating agencies, and regulators. B. A 2012 survey of executives revealed that practically all boards have formally assigned risk oversight responsibility to a board committee. C. A board's risk management strategy and broad objectives typically have little effect in setting the tone for risk management across the entire organization. D. 
Financial services organizations are far less subject to regulatory pressure for increased transparency and risk oversight than are corporations in nonfinancial business sectors A Which of the following statements best describes the risk governance role and responsibility of a corporate board of directors? A. To set the organization's risk appetite and to stay informed of the most significant risks to the organization and management's responses. B. To convert strategy into operational objectives and to identify and assess the impact of risks on the achievement of the objectives. C. To establish risk management policies, to define risk management roles and responsibilities, and to set risk management implementation goals. D. To assign risk management procedures for day-to-day functions and internal controls. A Corporate governance is defined as A. The reporting chain of command within an organization. B. A diagram of reporting relationships and levels of authority within an organization. C. The mechanisms and procedures that determine how corporations are run. D. A body of law that specifies how corporations are legally formed and chartered. C The fees paid to external auditors to verify the corporation's financial statements are an example of A. A bonding cost. B. A fiduciary cost. C. A monitoring cost. D. An incentive alignment cost. C A Metadata contains A. Accounting ledger entries as well as big data. B. Both material limitations and sampling methodology. C. Information about data as well as rules about that data. D. A combination of structured and unstructured data. C Which one of the following defines the duties of a data steward? A. A data steward measures data compliance. B. A data steward is an experienced business analyst. C. A data steward provides technological support. D. A data steward is a project manager. 
B Which one of the following data governance tools allows the data governance committee to look at data relationships and interdependencies across the organization? A. External compliance guidelines B. Internal coding procedures C. Enterprise data models D. Project management programs C Internal data entry processes that capture accounting transactions, customer data or other operational transactions are called A. Data capture. B. Data quality. C. Data integration. D. Data governance. A Which one of the following provides the frame of reference needed so data can be used appropriately for analysis and decision-making? A. Metadata B. Data lineage C. Data custodian D. Data virtualization A Under the General Data Protection Regulation (GDPR), a data controller's role is to A. Represent the business aspects of data governance. B. Define the metrics used to measure an organization's overall data quality. C. Define how and for what purpose personal data should be processed. D. Manage the flow of data for the rest of the organization. C Encrypting data to block its use if stolen is an example of a A. Software-based security solution. B. Cyber-threat inventory approach. C. Incident response plan. D. Hardware-based security solution. A Data governance provides A. Definitions, standards and procedures for how data is used. B. The internal data entry processes needed to capture accounting transactions. C. A road map that details where data is located. D. A dynamic view of data without needing to move it between systems. A In terms of data quality principles, validity is defined as A. The accuracy of data within predefined and accepted parameters or values. B. The process of tracing data from its source to its destination. C. The true value of data relative to the business information being analyzed. D. The extent that each dataset contains all elements necessary for business needs. A Encrypting data is an example of A. An enterprise risk management program B. 
A regulatory compliance program. C. A data governance program. D. A data security program. D Cyber extortion is another name for A. Phishing. B. Bitcoin C. Ransomware. D. Social engineering. C Donna's Dog Treats has been very successful in the Boston area and would like to expand to new cities. Donna knows that she cannot make this decision based on customer advice and blind faith. She has collected internal financial and operational data as well as external data from reliable sources. Donna has hired an analyst to review the data quality. The analyst is reviewing the data to see if it includes the demographics for each target city that Donna is considering. Which one of the following data-quality principles is being evaluated? A. Comprehensiveness B. Appropriateness C. Reasonableness D. Validity A To gain a competitive advantage, maintain profitability, and satisfy customers an organization must A. Be able to trust its data. B. Pay attention to the marketplace. C. Adopt current accounting rules. D. Have an effective risk management program. A Malware is defined as A. Software designed to cause damage. B. Software technology used to encrypt data. C. A hardware-based security breach. D. A tool for managing data security. A Which one of the following is an example of a data governance tool? A. Metadata B. Risk Management C. Data integration D. External Policy D A data governance committee (DGC) A. Is cross-functional. B. Cleanses big data. C. Reports to risk management. D. Is comprised of IT architects. A In accordance with the Three Lines of Defense Model, how does risk management act as the second line of defense? A. Risk management alerts internal audit of potential threats within a department and works with internal audit to neutralize the threat. B. Risk management supports and monitors operational management's implementation of risk management practices. stakeholders while also complying with statutory and regulatory requirements. D. 
Not a system of controls, but a framework for auditors to provide independent, objective, and reasonable assurances that management has adopted a system of controls that is effective and functioning as intended. B Which one of the following best describes why the Institute for Internal Auditors (IIA) has designed standards addressing the need for internal audit to evaluate the effectiveness of risk management? A. Audits are objective and independent of the politics of an organization. A pronouncement assists the auditor by defining review criteria. B. Audits may be self-serving to an organization depending on the experience level of an auditor. By indicating specific criteria, an auditor should be able to conduct a valid audit. C. Audits are conducted under diverse legal and cultural environments. Requiring an auditor to validate particular points ensures that auditors and their activities meet their responsibilities. D. Audits are conducted annually in many organizations. Requiring an auditor to validate the findings of prior years provides a comfort level to stakeholders. C Which one of the following best describes how internal audit compliments a risk management initiative? A. Internal audit tests controls for risks identified by risk managers. Risk management and internal audit are similar in that they are both charged with protecting the assets of an organization. B. Internal audit tests the controls initiated by the risk management team. The risk management team reviews the results and responds to internal audit on the control assessment. C. Risk managers identify, assess and prioritize risks. Internal audit develops a risk-based auditing plan that addresses material risks to an organization. D. Risk managers identify, assess and prioritize risks with the assistance of internal audit. Internal audit requires that the controls for the risks are tested. 
C Which one of the following best explains how the role of the internal auditor changed with the passage of the Sarbanes-Oxley Act of 2002? A. The internal auditor must adapt to the ever changing environment of risk control through the use of electronic reconciliation programs. B. The internal auditor must adopt a stakeholder orientation by anticipating, monitoring and assessing business and operational risk. C. The internal auditor must adopt the attitude of an external auditor, carefully reviewing and critiquing the finances of an organization. D. The internal auditor must be able to recognize current fraud risks as well computer theft of intellectual property. B An auditor identifies risks under the risk-based approach by A. Reviewing the organization, department by department to determine if the controls overlap asking, "Is the redundancy needed?" B. Reviewing prior audits, comparing results and asking, and "Has the control environment changed?" C. Looking at each objective, testing each control by asking, "Does this seem appropriate?" D. Looking at each objective and its controls identifying risks by asking, "What might go wrong?" D Which one of the following is true regarding internal audit involvement with enterprise risk management (ERM) efforts? A. Internal audit is not becoming more involved with ERM efforts because internal audit must remain independent and objective. B. Internal audit is responsible for the organization's compliance with all governance issues, including ERM compliance. C. Internal audit is responsible for reviewing controls in an organization which includes ERM programs. D. Internal audit is increasingly asked to evaluate organizational risks, including strategic, financial and hazard risks. D Colossal Casualty Insurance Company decided to conduct an internal audit of the company's operations. As part of the internal audit, several fictitious claims were submitted to the claims department to see if the claims would be approved and paid. 
Which one of the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) components of internal control was examined by this internal audit test? A. Control environment. B. Information and communication. C. Monitoring activities. D. Risk assessment. A An independent auditor has been given the task of evaluating internal controls at Westside Company (Westside). The auditor has determined that Westside's board of directors has endorsed a framework requiring management to have documented internal reporting controls to ensure efficient operations, accuracy of financial statements, and compliance with regulations. The framework is applied at the entity and divisional levels, but not the operating unit or functional levels. The program is new so it has not yet been monitored. The auditor is likely to report that A. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework. It must also be applied at the operating unit level, but not the functional level. Regular monitoring must be implemented. B. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it is applied at the entity level. Monitoring will be required after the framework has been in place for one year. C. The selected method does not align with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it must also be applied at the operating unit and functional levels and it must be monitored. D. The selected method aligns with the Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control—Integrated Framework because it is applied at the entity level. Monitoring is not a requirement. C Cheryl Babson works in internal control at Software Company. 
She contacted company security and asked them to immediately go to the office of a software engineer and to detain him. As part of the internal control process, Cheryl had scanning software installed at the company that randomly searched all e-mails and text messages sent from on-site, searching for key words. The scanning software detected the words "gun," "bomb," "revenge," and "kill" in communications sent from the engineer's office. Company security found a loaded assault rifle, two loaded handguns, and a pipe bomb in the engineer's office. He confessed to planning a workplace attack at the company cafeteria later that day. The emerging technology Cheryl deployed is called
A. Blockchain technology.
B. Natural language processing.
C. Computer simulation.
D. Radio frequency identification.
B

Developing a risk-based audit plan requires a risk assessment. Under the model of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control—Integrated Framework, which one of the following explains how risk assessment is addressed?
A. It expands the risk assessment concept by comparing it to competitor audits.
B. It expands the risk assessment concept by identifying five interrelated components of internal control.
C. It is narrower and it provides concrete steps which are recommended and differ by industry.
D. It is essentially the same as the traditional model, but is codified in steps that are reported.
B

Martin Pruitt was hired by Regional Bank Company (RBC) to strengthen the company's internal control efforts. Martin implemented a computer scanning program to detect fraud. The scanning program flagged a suspicious account. When Martin investigated the account, he learned that someone in the bank's technology department had created the account. When the bank credits monthly interest on depositor accounts, any fractional cents are rounded down to the nearest
A

A risk-based auditing approach is deemed to be a top-down approach because
A. It involves an external review of known potential threats to the organization and then developing an organizational response to those threats.
B. It involves review of each department's dependence on financial controls, compliance with federal statutes, and audit history.
C. It involves review of the current financial controls and compliance with regulations as determined by external auditors.
D. It involves identifying and analyzing material risks to the achievement of the organization's objectives and then determining how the risks should be managed.
D

Which one of the following best describes an effective way to construct internal controls?
A. The controls should be system based with oversight by one or two individuals.
B. The controls should be quantitative and include segregation and transfer options.
C. The controls should lend themselves to true risk management concerns.
D. The controls should be linear and create checks and balances.
D

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) describes internal control as consisting of five essential components, one of which is risk assessment. This component
A. Sets the tone for internal control by providing resources, discipline, and structure.
B. Should be included in the audit as an internal control to minimize unforeseen events.
C. Considers management's efforts to identify and analyze risks relevant to achieving predetermined objectives.
D. Verifies adherence to control results and assists in identifying other procedures that the entity may wish to adopt.
C

Be-Ne-Lux Insurance is an insurer operating in Belgium, the Netherlands, and Luxembourg. Be-Ne-Lux is subject to the Solvency II standards. Company managers believed the company was adequately financed; however, it was determined that the company did not have adequate assets based on the uncertainty of its operating performance. The standard that Be-Ne-Lux failed to meet is
A. Risk-based capital.
B. Basel II.
C. Own risk and solvency assessment.
D. Underwriting leverage.
A

Which one of the following standards was developed in response to the financial crisis that began in 2007?
A. Basel III
B. ISO 31000
C. Capital Adequacy Framework
D. Solvency II
A

The Federal Sentencing Guidelines require a senior manager to have responsibility for the organization's entire compliance program. The individual selected is typically from which one of the following functions of the organization?
A. Internal audit
B. Operations
C. Human development
D. Legal
A

The Chief Compliance Officer's responsibilities include all of the following, EXCEPT:
A. Being the legal expert on employment laws
B. Promoting education of compliance requirements
C. Monitoring compliance programs
D. Acting as a liaison for compliance issues
A

Which one of the following is an example of a principles-based traffic control regulation?
A. Driver and passengers must wear a safety belt when the car is in motion
B. Driver must maintain a reasonable following distance appropriate to speed and conditions
C. Driver must maintain liability insurance that meets the state minimum financial responsibility limit
D. Driver must drive at a speed within the posted speed limit
B

Bo's Diving Adventures (BDA) is one of the largest recreational SCUBA diving businesses in the world. While enjoying much success in the diving aspect of its business, it has had its challenges adhering to the different government and industry regulations over the years. The board of directors decided to hire a Chief Compliance Officer (CCO) to remedy this issue and ensure that each diving excursion the company charters is in full compliance with all regulations regardless of destination. After a week on the job, the new CCO has discovered that the number one non-compliance issue over the past few years could be rectified with better internal training. As such, the BEST move the CCO should make would be which of the following?
A. Make a phone call to the National Diving Control Board and refute the non-compliance citations.
B. Replace the current head of Human Resources for allowing the non-compliance issues to fester.
C. Sit down with the head of Human Resources and outline a comprehensive training program for all employees which addresses the non-compliance issues.
D. Approach the board of directors to cease all diving excursions until each employee is better trained.
C

Which one of the following statements is true regarding Basel III?
A. Basel III is a voluntary standard for insurers which encourages senior management to take the lead in establishing a strong risk management culture.
B. Basel III was developed to reduce the likelihood of insurer insolvency, market disruption, and consumer loss.
C. Basel III was developed to address both the risk of individual organizations and systemic risk in the banking sector.
D. Basel III is a regulatory standard for banks of the European Union and the United Kingdom.
C

When comparing principles-based regulation with rules-based regulation, which one of the following statements is correct?
A. Principles-based regulation requires less communication between the regulator and regulated entity.
B. Principles-based regulation tends to use a one-size-fits-all approach.
C. Principles-based regulation responds more quickly to a changing environment.
D. Principles-based regulation emphasizes conformity rather than the outcome.
C

The Sarbanes-Oxley Compliance (SOX) category involves all of the following compliance levels, EXCEPT:
A. External
B. Mandatory
C. Internal
D. Voluntary
D

Solvency II is a regulatory standard that should reduce the likelihood of insolvency, market disruption, and consumer loss in which one of the following industries?
A. Insurance
B. Automobile
C. Banking
D. Health care
A

The individual responsible for ensuring compliance within an organization usually reports to which one of the following?
A. Operations management
B. General counsel
C. Senior management
D. Human resources
C

Disaster recovery planning arose from the increasing use of and dependency on
A. High-rise construction.
B. International travel.
C. Global financial institutions.
D. Technology.
D

Mathias Manufacturing (Mathias) suffered a major business disruption due to a fire at one of its locations. Management has set up a center of operations with the business intelligence information available to test various production scenarios. Mathias is in which one of the following stages of strategic redeployment planning?
A. Alternative marketing stage
B. Communication stage
C. Emergency stage
D. Contingency production stage
A

Many organizations treat business continuity management (BCM) and risk management as complementary endeavors. While risk management protects tangible property from loss,
A. BCM concentrates on pure risk.
B. BCM focuses on reducing the likelihood of the occurrence.
C. BCM deals primarily with consequences of operational disruption.
D. BCM protects the human exposure.
C

Delaney is a new manager with a company that runs surf shops along the east coast. Recently, she reprimanded a long-term employee for purchasing new surf board products from a supplier much farther inland than their other suppliers, incurring higher delivery costs. She counseled the employee to look for the lowest price and sent him to a seminar on using supply chains to your advantage. She explained the company's objective to be the lowest price on the island with the best products. The employee was also given an opportunity to respond to the reprimand, with a copy of his response to the Human Resources Department. What mistake did Delaney make in dealing with this employee?
A. If you send an employee to an educational seminar, it sends a bad message to other employees and shows improvement is needed in your job performance.
B. By including Human Resources, the employee will feel they are being unfairly treated and unwilling to offer ideas or feedback.
C. The employee is being discouraged from creating relationships with suppliers that may be needed if a large-scale event disrupts local suppliers in their supply chain.
D. Employees should not be expected to adhere to corporate objectives that do not apply to their specific location.
C

The development and implementation of a business continuity plan entails seven steps. Which one of the following steps involves assessing what events may occur, when they will occur, and how they could affect achievement of key objectives?
A. Understanding the business
B. Developing a continuity plan
C. Performing a risk assessment
D. Conducting a business impact analysis
D

Which one of the following is a critical component to achieving true operational resiliency?
A. A long-term commitment to a single vendor
B. A top management view of potential risks
C. A culture of openness and trust
D. A facilities based operation
C

Which one of the following groups in an organization is often in the best position to anticipate possible risks from vendors or customers?
A. Information technology consultants
B. Front-line workers
C. Upper management
D. Human resources staff
B

The White Canary is a restaurant that serves breakfast and lunch. It has two locations in New Orleans. One weekend, the head cook and two servers at one location called out sick for work. While the manager and other employees worked hard to keep the restaurant running on Saturday, they were not successful. The same thing happened on Sunday, and the customers were very unhappy. Almost immediately, customer complaints about long waits, poor service, and food quality started appearing on social media. The employees returned to work on Monday, but both locations saw business drop off over the following weeks. The White Canary could have managed this reputational risk better by doing which one of the following?
A. The White Canary could have better managed the reputational risk by quickly recognizing the risk on Saturday and rapidly making decisions to get other employees in for Sunday.
B. The White Canary could have better managed the reputational risk by making the leadership decision to close the restaurant for the weekend.
C. The White Canary could have better managed the reputational risk by encouraging customers to go to their other location, which is 15 minutes away.
D. The White Canary could have better managed the reputational risk by treating their employees better.
A

A big-box store recently moved into a small town where mom and pop shops flourished for years. Knowing there could be some negative backlash from the long-time loyal residents, the big-box store's executives went through the framework of managing their reputational risk to try to lessen any perceived negativity. The executives believed there are four key steps in handling reputational risk, which are measuring, monitoring, managing, and mitigating. Understanding that each step is critical to the overall process, the Chief Financial Officer wants to focus his attention and resources on mitigating reputational damage, as he believes that is the most important step in the overall process. As such, what would be an example of mitigating reputational damage?
A. Screen opinions of employees, customers, vendors, shareholders, analysts, and activists.
B. Publish a list of reputation drivers such as quality, leadership, and workplace environment and rank them.
C. Hiring a crisis-management firm to promote the big-box's corporate social responsibility program and respond if a disaster occurs.
D. Watch social media and public opinion from the local populace.
C

Paragon Coffee Company has 15 locations throughout California. It serves a wide variety of imported coffee and a small selection of baked goods. Within a period of 24 hours, over 30 individuals arrived at local hospitals suffering from severe stomach pain and nausea. It was quickly discovered that they had all consumed products from Paragon Coffee Company in the prior days. The managers at two of the locations were notified of the concern by the hospitals, and immediately contacted the corporate office per corporate guidelines. Which one of the following should be the first priority as Paragon Coffee Company begins to deal with this crisis?
A. Protecting the company assets
B. Controlling communication from hospitals and customers
C. Determining the supplier that is responsible
D. Protecting people
D

Which one of the following statements is correct regarding a business continuity plan (BCP)?
A. A BCP generally concentrates on one key function or process of an organization.
B. The BCP concept involves eliminating the internal, external, and project exposures that could negatively impact operations.
C. A BCP is about sustaining operations so an organization isn't irrevocably harmed by an

C. Distribution inefficiencies
D. Attracting investor interest
D

Which one of the following is an internal source that can often provide information regarding risks that aren't obvious?
A. Internal auditing
B. Production manager
C. Board of directors
D. Human resources
A

In an effort to grow its personal lines book, an insurer decides to offer discounts on homeowners and personal auto insurance to the employees of its largest business lines account. Which one of the following risk measures is most likely to increase as a result of this marketing decision?
A. Volatility
B. Time horizon
C. Correlation
D. Consequences
C

Risk managers today differ from traditional risk managers in which one of the following ways?
A. They attempt to minimize threats and optimize opportunities.
B. They struggle with data that is too large to capture, store, and analyze.
C. They attempt to identify a loss's predominant cause.
D. They generally look backward for risk factors.
A

The relationship between which two basic measures is critical for risk management in assessing risk and deciding whether and how to manage it?
A. Exposure and time horizon
B. Likelihood and consequences
C. Correlation and likelihood
D. Volatility and time horizon
B

Which one of the following risk management objectives is critical for a manufacturer seeking new capital from investors, stockholders, and creditors?
A. Reduce the deterrent effects of hazard risks
B. Eliminate downside risk
C. Social responsibility
D. Anticipate and recognize emerging risks
A

One enterprise risk management (ERM) approach to categorizing risks involves dividing risks into four risk quadrants. The risks categorized as hazard risks are
A. Speculative risks that fall outside the operational risk category.
B. Fundamental to an organization's existence and business plans.
C. Traditionally handled by the treasury function.
D. Traditionally managed by risk management professionals.
D

Hardware Store has been able to control its prices and inventory since it has no competitors. A new highway currently being constructed is going to allow increased competition for Hardware Store. According to the quadrants of risk, this risk of increased competition falls into the category of
A. Hazard risk.
B. Financial risk.
C. Strategic risk.
D. Operational risk.
C

Aligning risks with the organization's risk appetite defines
A. Social responsibility.
B. Tolerable uncertainty.
C. Compliance.
D. Value at risk.
B

Southwest Interstate Railroad (SIR) is concerned about the number of derailments in recent years. It's not cost effective to use human assets to inspect tracks, bridges, and trestles. Instead, SIR has started to use drones. A drone can fly low over tracks and above/below bridges and trestles. The drones record video that is transmitted to corporate headquarters, where it is simultaneously scanned for derailment hazards. In the past six months, the drones detected a track blockage caused by a rock slide and damage to tracks in a remote area caused by an earthquake. SIR dispatched work crews to make the tracks once again passable, and no derailments occurred. SIR's use of drones, video, real-time video scanning, and computer analysis illustrates which one of the following?
A. Preventative analytics
B. Risk management information systems
C. Insurtech
D. Big data analytics
A

Which one of the following statements is true with regard to preventive analytics?
A. Preventive analytics uses smart products and data analytics to identify root loss causes and their implications.
B. Preventative analytics uses human assets to analyze data collected by smart products.
C. Preventive analytics is backward-looking, basing corrective prescriptions on the organization's past loss history.
D. Preventive analytics involves data collection at discrete points in time, such as 10 AM or 4 PM each day, and comparison of these values at discrete points in time.
A

Mutual Fund Company (MFC) offers a wide array of mutual fund options to investors. Each mutual fund has a different fund objective and set of investment guidelines that apply to the fund. While MFC gives considerable freedom to its fund portfolio managers, they are required to abide by the fund's investment guidelines. To monitor compliance, MFC developed a computer algorithm. The computer algorithm continuously monitors each fund's compliance with investment guidelines. If a fund manager violates the investment guidelines, the computer immediately notifies MFC's internal control director, and corrective action is taken. MFC's use of the computer algorithm to monitor investment compliance and to provide notification when corrective action is necessary illustrates use of
A. Mechanical sensors.
B. Artificial intelligence.
C. Computer vision.
D. Transducer technology.
B

The difference between risk tech and insurtech is
A. Insurtech applies to many different industries while risk tech is limited in focus to insurance, reinsurance, and nontraditional risk financing alternatives.
B. Risk tech is applicable in personal risk management situations, while insurtech is designed for application in commercial business situations.
C. Risk tech goes beyond insurtech by expanding its focus to making risk financing more efficient and preventing and mitigating losses in a variety of industries.
D. Insurtech is a broader concept and incorporates risk tech as one of its underlying tenets.
C

After opening its third store, Shoehorn Shoes decided to purchase new inventory tracking software for all of its stores. Which one of the following external or internal environments does this decision relate to?
A. Economic environment
B. Physical environment
C. Product environment
D. Operations environment

The data quality principle of reasonability refers to
A. The materiality or relevance of data.
B. The comprehensive nature of data.
C. The systematic process of tracing data.
D. The appropriateness of current data.
A

Which one of the following is a basic process in any data security program?
A. Establish metrics for timeliness of data refresh in systems.
B. Perform random sampling of data for accuracy.
C. Develop and enforce stronger password protocols.
D. Establish a data governance committee (DGC).
C

In terms of data governance, IT employees hold the role of
A. Rule developers.
B. Data stewards.
C. Compliance regulators.
D. Data custodians.
D

Ensuring quality data requires a
A. Systematic and purpose-driven review process.
B. Business Analyst.
C. Data governance committee
A

Which one of the following is an example of a compliance requirement that is internal and mandatory?
A. Requiring that all full-time employees have workers compensation insurance
B. Requiring employees to conserve energy by turning off the lights at the end of the day
C. Requiring all employees to consider car-pooling with other employees
D. Requiring all employees working in the foundry to wear hearing protection
D

Based on Basel III principles, which one of the following groups should take the lead in establishing a strong risk management culture?
A. Employees
B. Board of directors
C. Senior management
D. Risk managers
B

Which one of the following is the first step that should be taken by the senior manager who is responsible for the organization's compliance program?
A. Establish incentives and disciplinary actions to enforce the program
B. Assemble a task force from all major functions within the organization
C. Train all employees on how to report compliance violations to the federal government
D. Review all employee files for any relevant history of illegal behavior
B

The owners of West Coast Inn have identified a number of external risks to their business that are uncontrollable. They have decided to develop a business continuity plan in order to minimize the negative effects of the risks on its operations. West Coast Inn's plan will use a combination of a contingency model and a risk-transfer model. Which one of the following activities would be part of the risk-transfer model?
A. Contracting with a nearby inn to be backup for each other's customers
B. Purchasing a generator to help maintain operations
C. Maintaining a separate site in a neighboring town
D. Purchasing business interruption insurance
D

In many organizations, disaster recovery is considered a function of which one of the following departments?
A. Information technology
B. Facilities
C. Customer service
D. Accounting
A

Which one of the following continuity strategy models involves maintaining two or more active sites that are geographically dispersed?
A. Split operations model
B. Prioritization model
C. Risk transfer model
D. Active back-up model
A

During which stage of a strategic redeployment plan does the organization need to consider the supply chain, as well as the facilities and machinery that are available?
A. Contingency production stage
B. Alternative marketing stage
C. Emergency stage
D. Communication stage
A

Which one of the following steps of the risk management process requires the risk professional to carefully balance his or her own experience and that of the subject matter experts?
A. Identifying risks
B. Scanning the environment
C. Treating risks
C

Carol has worked as a payroll clerk for a small organization for 20 years. Over the years she received only two small salary increases and began to embezzle funds from the company since she felt she was not adequately compensated for her job efforts. In terms of the quadrants of risk, Carol's theft risk can be classified as
A. A strategic risk.
B. A financial risk.
C. Both a hazard risk and a financial risk.
D. Both a hazard risk and an operational risk.
D

Jack is a regional sales manager. He is having a staff meeting to present the business plan and goals for the upcoming year. Jack will use a PowerPoint presentation to present some of the data visually. Which one of the following best describes Jack's method of communication?
A. Informal written communication
B. Formal nonverbal communication
C. Informal verbal communication
D. Formal verbal communication
D

While board-level and executive-level risk committee characteristics differ significantly among organizations, they share some common general responsibilities. Which one of the following is a common general responsibility of executive-level risk committees?
B. The executives that must serve on the committee are specified in the Dodd-Frank Act and must include a risk management expert.
C. They provide the board with information about key risks and how they are managed (internal risk intelligence).
D. They focus on the alignment of the organization's risk profile with its risk appetite and risk tolerance.
C

An analysis of an organization's external environments will help identify its
A. Opportunities and threats.
B. Culture and values.
C. Strengths and weaknesses.
D. Products and services.

C. The communication must address the level of technical, legal, or financial understanding of the audience for the message to be received.
C

An organization evaluates the social environment as part of its enterprise risk management (ERM) because
A. Society is in a constant state of change.
B. New sales or production methodology can affect consumers.
C. Societal norms and values influence how an organization manages its risks.
C

Business process management (BPM) focuses on coordinating all activities of an organization on which one of the following?
A. Technology
B. Profitability
C. Regulatory requirements
D. Client satisfaction
D

Risk leadership structures and approaches vary significantly, based on an organization's size, culture, risk profile, and complexity. Which one of the following statements is correct with respect to risk champions?
A. They use their judgment and experience to develop information about unquantifiable uncertainties and to detect vulnerabilities.
B. They ensure the organization's compliance with regulatory and stakeholder requirements by creating a framework of standards and controls.
C. They often report to an executive-level officer, facilitate risk discussions, compile risk information, and develop and support enterprise risk management processes.
C

During the international financial crisis of 2008-2009, banking regulators in the U.S., Europe, and Asia developed bank stress tests to identify financial institutions that posed a significant threat to the national and international economy. These capital adequacy measures were applied only to those large financial institutions that posed the most significant threat. Which one of the following types of regulation would these stress tests be best classified as?
A. Rules-based regulation
B. Evidence-based regulation
C. Risk-based regulation
D. Compliance-based regulation
C

Sean recently started a small consulting practice. Sean is the only employee of the business and the sole generator of revenue. Sean is very concerned that in the event that he becomes disabled due to an accident or disease there will be no revenue coming into the business. Which one of the following goals best identifies Sean's concerns?
A. Legality and profitability
B. Tolerable uncertainty and earnings stability
C. Social responsibility and earnings stability
D. Economy of operations and survival
B

Corporate officers and boards of directors have the ultimate responsibility for ensuring that corporations meet or exceed legal and regulatory requirements. Which one of the following statements is correct with respect to the role of directors and officers?
A. In part because of the 2008-2009 financial crisis, regulation now holds boards of directors fully accountable to their shareholders, the public, and other stakeholders.
B. Directors and officers are generally not responsible for balancing the benefits and costs of strategic decisions about risk management.
C. In general, corporate governance should seek to ensure that controls are in place to discourage risk taking.
D. Directors and officers must instill a culture of integrity in which managers and employees strive to behave appropriately under all circumstances.
D