Risk Management Foundations

Question 1

What is the definition of risk according to the Enterprise Risk Management Framework by the IMA?

Answer 1

A risk is any event or action that can keep an organization from achieving its objectives.

Question 2

What distinguishes ‘risk’ from ‘uncertainty’?

Answer 2

Risk involves events that might cause harm, while uncertainty refers to events that are not known to occur and can lead to positive or negative outcomes.

Question 3

What are the benefits of effective risk management?

Answer 3

• Improved shareholder value
• Fewer operational disruptions
• Better use of resources
• Increased confidence among stakeholders
• More effective strategic planning
• Greater agility in responding to opportunities
• More thorough contingency planning

Question 4

What are the common categories of risk?

Answer 4

• Business risk
• Strategic risk
• Operational risk
• Financial risk
• Hazard risk

Question 5

What is business risk?

Answer 5

Refers to any factor that creates variability in earnings, such as fluctuations in demand or changes in input costs.

Question 6

What is strategic risk?

Answer 6

Encompasses risks at the organizational level, including macroeconomic risks, internal risks, and competitor actions.

Question 7

What is operational risk?

Answer 7

Results from deficiencies in internal processes, systems, or personnel, such as technological failures or cybersecurity breaches.

Question 8

What is financial risk?

Answer 8

Involves threats to the organization’s financial health, such as difficulties in accessing capital or changes in interest rates.

Question 9

What is hazard risk?

Answer 9

Includes insurable events like property damage or personal injury.

Question 10

What are internal risks?

Answer 10

They arise from within the company’s structure, processes, or systems.

Question 11

What are external risks?

Answer 11

They stem from the broader environment in which the company operates.

Question 12

What is systematic risk?

Answer 12

It refers to risks that affect the entire market or economy and cannot be eliminated through diversification.

Question 13

What is unsystematic risk?

Answer 13

It is specific to a particular company or industry and can be mitigated through diversification.

Question 14

What are common types of cyber threats?

Answer 14

• Denial of Service (DoS) attacks
• Buffer overflow attacks
• Man-in-the-Middle (MitM) attacks
• Password attacks
• Malware
• Ransomware
• Zero-day exploits

Question 15

What is ransomware?

Answer 15

It encrypts system data and demands payment for its release.

Question 16

What is social engineering in the context of cybersecurity?

Answer 16

It is the use of deception to manipulate people into revealing confidential information.

Question 17

What are the three categories of logical access controls?

Answer 17

• Something you know
• Something you are
• Something you have

These categories include knowledge-based factors like passwords, biometric data like fingerprints, and possession-based factors like authentication devices.

Question 18

What is the purpose of encryption in cybersecurity?

Answer 18

To secure both stored data and data in transit by rendering it unreadable to unauthorized users.

Encryption ensures that even if data is intercepted, it remains unintelligible without the decryption key.

Question 19

What is the role of ethical hacking in cybersecurity?

Answer 19

To simulate attacks on systems with an organization’s permission to uncover vulnerabilities before malicious actors can exploit them.

Ethical hacking involves vulnerability testing and penetration testing to assess real-world risk.

Question 20

What differentiates advanced firewalls from traditional firewalls?

Answer 20

Advanced firewalls inspect the actual content of data packets, distinguishing between safe and unsafe applications, even if using the same communication protocols.

These are also known as Next Generation Firewalls (NGFW).

Question 21

What is Two-Factor Authentication (2FA)?

Answer 21

A security process that requires two independent methods of verification before granting system access.

2FA significantly reduces the likelihood of unauthorized access by introducing an additional barrier to entry.

Question 22

What are the key components of the risk management process?

Answer 22

• Risk identification
• Risk assessment
• Risk prioritization
• Response planning
• Risk monitoring

These steps help organizations systematically respond to uncertainties and align risk levels with company strategy and objectives.

Question 23

What is intellectual property (IP)?

Answer 23

Intangible creations such as inventions, written works, brand identifiers, and artistic expressions.

Common forms of IP include patents, copyrights, and trademarks, which are crucial for competitive advantage in many industries.

Question 24

What is the primary purpose of risk assessment in risk management?

Answer 24

To analyze and quantify identified risks in terms of likelihood, potential impact, and interaction with other risks across the organization.

Risk assessment helps evaluate the seriousness of risks and their potential effects on business outcomes.

Question 25

What are the **common forms** of intellectual property risks?

Answer 25

* Infringement and unauthorized use * Improper use or transfer by licensees ## Footnote IP risks can lead to lost revenue, brand dilution, or reputational harm, especially if enforcement involves jurisdictions with varying legal protections.

Question 26

What does **capital adequacy** ensure in risk management?

Answer 26

That a company has sufficient resources to implement its risk management plan and withstand potential disruptions. ## Footnote Capital adequacy is crucial for maintaining liquidity, solvency, and operational continuity during adverse events.

Question 27

What are the **two categories** of risk considered in the risk management process?

Answer 27

* Inherent risk * Residual risk ## Footnote Inherent risk is the level of risk present before any mitigation actions, while residual risk is what remains after mitigation efforts.

Question 28

What is **Inherent risk**?

Answer 28

It is the level of risk that exists in the absence of any controls or risk mitigation, reflecting the natural exposure to potential loss in a given activity, process, or environment.

Question 29

What is **residual risk**?

Answer 29

It is the level of risk that remains after controls and risk mitigation strategies have been implemented.

Question 30

What does a **risk map** visually represent?

Answer 30

The probability of each risk occurring and the severity of its potential financial impact. ## Footnote Risks are plotted on a horizontal axis (probability) and a vertical axis (potential loss), highlighting the most threatening risks in the upper right corner.

Question 31

What is **Value at Risk** (VaR)?

Answer 31

It measures the potential loss in value of a risky asset as the result of a specific risk event over a defined period for a given confidence interval. ## Footnote VaR assumes outcomes follow a normal distribution, helping predict results with a measured level of confidence.

Question 32

What is the purpose of **Cash Flow at Risk** (CFaR)?

Answer 32

It measures the likelihood that cash flows will drop by more than a specified amount over a given period. ## Footnote CFaR tests expected cash flows for sensitivity to specific risks.

Question 33

What is the **difference** between expected loss and unexpected loss?

Answer 33

* Expected loss is the average amount management expects to lose from a specific risk event each year. * Unexpected loss is the amount that could be lost in a very bad year, greater than the expected loss, up to the maximum probable loss.

Question 34

How is expected loss **calculated** for a single loss event with multiple possible outcomes?

Answer 34

By multiplying each possible loss amount by its probability and summing the results. ## Footnote This calculation represents the weighted average of possible losses given their probabilities.

Question 35

What is the **role of benchmarking** in risk assessment?

Answer 35

It compares the company’s risk profile and potential impacts to those of similar companies, often using industry data or peer group analysis. ## Footnote It helps identify how a company's risk strategies compare to others in the industry.

Question 36

What is an **unexpected loss** in risk management?

Answer 36

The amount that could likely be lost to the risk event in a very bad year that is greater than the amount budgeted for the expected loss, up to the maximum probable loss.

Question 37

# Define: Maximum probable loss

Answer 37

The largest loss that could reasonably be expected under foreseeable circumstances.

Question 38

What **factors** should be considered when estimating the probable maximum loss for real property?

Answer 38

* Building's physical characteristics * Size of the building * Presence of fire protection systems * Occupancy status

Question 39

What is the **maximum possible loss**?

Answer 39

The greatest loss that could result from a particular risk, often referred to as catastrophic loss.

Question 40

List the **five main types** of responses to risk.

Answer 40

* Avoiding or eliminating the risk * Reducing or mitigating the risk * Transferring or sharing the risk * Retaining the risk * Exploiting or accepting the risk

Question 41

What is the importance of **risk monitoring**?

Answer 41

To ensure that the response remains effective and relevant as circumstances can change.

Question 42

What role do **internal controls** play in risk mitigation?

Answer 42

They are effective tools for reducing, but not eliminating, the risk of errors or misconduct.

Question 43

**Differentiate** between risk appetite and risk tolerance.

Answer 43

* Risk appetite is the general level of risk an organization is willing to accept. * Risk tolerance refers to the acceptable level of variation around specific objectives.

Question 44

What is **diversification** in the context of risk reduction?

Answer 44

A strategy that spreads exposure across different activities, markets, or product lines to lower the chance of a catastrophic impact.

Question 45

Name some **financial instruments** used to manage financial risk.

Answer 45

* Derivatives * Forward contracts * Futures * Options * Swaps

Question 46

What is **contingency planning** in risk management?

Answer 46

Preparing 'what if?' scenarios in advance to react more quickly and effectively when adverse events occur.