Risk-Based Auditing and Risk Management

Questions and Answers

What is the primary focus of risk-based auditing?

Prioritizing areas that pose the greatest risk to the organization

What is the purpose of an organization's policy and procedures documentation?

To ensure employees and departments adhere to established standards

What is a goal of the Risk Management Department's vision?

To provide insurance and risk management solutions

What is the primary responsibility of a line underwriter?

Recommending or providing coverage

What is a common objective of risk management?

Balancing risk and reward

What is the purpose of an underwriting policy?

To guide individual and aggregate policy selection

Which of the following is NOT a goal of risk management?

Eliminating all risks

What is a key principle of risk-based auditing?

Focusing on the materiality of the risk

What is a key aspect of an underwriter's knowledge?

The relationship between loss exposures and pricing

What is an example of a risk management goal?

Business continuity

What is a responsibility of a staff underwriter?

Formulating underwriting policy

Why is risk-based auditing important?

To prioritize areas that pose the greatest risk to the organization

What do successful underwriters need to know?

A wide range of knowledge about insurance

What do underwriters use to support their decisions?

Useful internal and external sources of information

What is an important aspect of an underwriter's role?

Finding useful sources of information

What do line underwriters directly support?

Producers and insureds

What is the main purpose of rating in risk management?

To determine the policy premium for an exposure

What type of hazard is characterized by intentional loss or exaggeration?

Moral hazard

What information does a property application typically provide?

Loss history and COPE elements

What is the purpose of supplemental sources of information in underwriting?

To assess the quality of a property account

What is a loss run report?

A report detailing an insured's history of claims

What do underwriters analyze when evaluating submissions for property insurance?

COPE elements

What is a characteristic of morale hazard?

Carelessness or indifference

What is not considered a supplemental source of information in underwriting?

Property application

What is the primary purpose of evaluating residential loss exposures from invited guests?

To identify potential hazards that could increase the chance of liability loss

What is a fire division?

A section of a structure so well protected that fire cannot spread from that section to another

Why do underwriters analyze the loss exposures posed by immediate neighboring properties or the surrounding area?

Because a fire in one building can spread to surrounding buildings

What is the primary purpose of asking about an applicant's occupation or employment on personal insurance applications?

To identify potential hazards that could increase the chance of loss frequency and severity

What is public fire protection?

Fire protection equipment and services made available through governmental authority to all properties within a defined area

Why is it important for underwriters to carefully evaluate applications and questionnaires for personal liability insurance?

To identify potential hazards that could increase the chance of liability loss

What is private fire protection?

Measures taken by property owners to protect their assets from loss by fire

Why do underwriters need to know about the hazards that could increase the chance of liability loss from invited guests?

Because property owners have an active duty to exercise care for an invited visitor's safety

What is the primary purpose of underwriting in an insurance company?

To develop and maintain a growing, profitable book of business

What is the consequence of adverse selection in insurance?

Insurers attract high-risk customers

What is the main role of underwriters in an insurance company?

To guard against adverse selection

What is capacity in the context of insurance?

The amount of business an insurer can write based on regulatory guidelines

What is the purpose of underwriting guidelines in insurance?

To provide a standard for accepting or rejecting applicants

What is a book of business in the context of insurance?

A group of policies with a common characteristic

What is the outcome of effective underwriting in insurance?

A growing, profitable book of business

What is the relationship between capacity and an insurer's ability to write policies?

Capacity increases as an insurer writes more policies

What is the primary purpose of a rating plan in insurance?

To determine the premium for a particular line of insurance

What does a combined ratio of less than 100 indicate?

The insurer is making an underwriting profit

Which of the following is a nonfinancial measure used to monitor underwriting results?

Customer service

What is the primary reason why retaining policies is more profitable than acquiring new business for an insurer?

Because most of the underwriting investigation work has been completed for existing policies

What does a high retention ratio indicate about an insurer's business?

The insurer is providing good customer service and is profitable

What is the primary purpose of the hit ratio in insurance?

To determine how well underwriters are meeting sales goals

Which of the following is a characteristic of a rating plan?

It specifies criteria of the exposure base, the exposure unit, and rate per exposure unit

What is the relationship between a low retention ratio and an insurer's service?

A low retention ratio indicates that the insurer is experiencing customer dissatisfaction with its claims service

What type of control is implemented in the computing environment to limit access to protected information or facilities?

Technical Control

Which control stops a security incident from occurring, such as background screenings?

Preventative Control

What type of control alerts security professionals to a security violation attempt?

Detective Control

What type of control responds to a security violation to reduce or eliminate its impact?

Corrective Control

What type of control is used to return a system to an operational state after a failure to protect the CIA triad?

Recovery Control

What type of control discourages individuals from violating security policies because of the effort required to circumvent it or the negative consequences of doing so?

Deterrent Control

What is the term for a condition or activity that has the potential for harm?

Hazard

What type of control is implemented when a system cannot provide the protection required by policy, in order to mitigate the risk down to an acceptable level?

Compensating Control

What is the term for the overall process of risk identification, risk analysis, and risk evaluation?

Risk Assessment

Which type of control specifies expected employee behavior and often takes the form of policies and guidelines?

Directive Control

What does ALARA stand for?

As Low As Reasonably Achievable

What are the consequences that are most effective in risk management?

Soon, certain, and positive

What is the domino theory in risk management?

All accidents are caused by a chain of events

What is an example of a loss control measure?

Hazcom training

What is the primary focus of the four risk response strategies?

Risk avoidance, risk transfer, risk retention, and risk reduction

What is the term for an event in which a work-related injury, illness or fatality occurred or could have occurred?

Incident

What is the underlying assumption of Petersen's Accident/Incident theory?

Accidents can be prevented by removing any chain of events.

Which of the following is a category of hazard analysis?

Environmental Issues that create stress

What is the main difference between Risk Analysis and Risk Management?

Risk Analysis estimates risk, while Risk Management determines the acceptable level of risk.

What is the primary focus of Risk Management?

Determining the acceptable level of risk and reducing it to an acceptable level

What is an example of a financial method for reducing the costs of accidents in an organization?

Risk transfer

What contributes to the uncertainty of risk?

Exposure, consequence, and likelihood

What is the goal of Risk Management with regards to risk?

To reduce risk to an acceptable level

What is a type of hazard that is characterized by?

Intentional loss or exaggeration

At what pressure level does unfired pressure vessel regulations NOT apply to unfired pressure vessels?

Below 15 psi(g)

Which of the following is NOT an objective of Risk Management for a business?

Attracting investment capital

What is the primary focus of the Poka-Yoke technique?

Mistake-proofing methods

What is the primary goal of the 5-S technique?

Effective housekeeping

What is the purpose of the Design of Experiments technique?

Determining the most influential variables

What is the first step in NIOSH's three-step process for conducting occupational risk assessments?

Identify the hazard

What is the term for continuous improvement in Japanese?

Kaizen

What is the third step in NIOSH's three-step process for conducting occupational risk assessments?

Characterize the workplace risk

What is the term for the total dollar amount of losses for all occurrences during a specific time period?

Total dollar losses

Which of the following is a measure to prevent or reduce losses?

Risk control

What is the purpose of evaluating forecasted losses in risk management?

To determine the types and limits of insurance

Who typically implements risk financing techniques?

Risk management professionals

What is considered in evaluating and selecting risk management techniques?

Both financial and nonfinancial considerations

What is the term for the amount, in dollars, of a loss for a specific occurrence?

Loss severity

When are loss payments typically made?

After the loss has been reported

What is the primary purpose of risk management techniques?

To all of the above

What is the primary purpose of a rating plan in insurance?

To specify the criteria for underwriting a particular line of insurance

What does a combined ratio of less than 100 indicate?

The insurer is making a profit from underwriting

Which of the following is a nonfinancial measure used to monitor underwriting results?

Customer service

What is the primary reason why retaining policies is more profitable than acquiring new business for an insurer?

Because most of the underwriting investigation work has been completed for existing policies

What does a high retention ratio indicate about an insurer's business?

That the insurer is providing good customer service

What is the primary purpose of the hit ratio in insurance?

To measure the success of underwriters

What is the relationship between a low retention ratio and an insurer's service?

A low retention ratio indicates poor customer service

What is the exposure base in a rating plan?

The unit of measurement for the exposure being insured

What is the primary underwriting concern in umbrella and excess liability underwriting?

Loss severity

What is the purpose of reinsurance?

To transfer risk to another insurer

What is an underwriting guideline?

A written manual that communicates an insurer's underwriting policy

What type of reinsurance involves the primary insurer choosing which loss exposures to submit to the reinsurer?

Facultative reinsurance

Why do underwriters need a thorough understanding of the insured's operations?

To identify loss exposures and determine appropriate coverage

What is the primary focus of underwriters in umbrella and excess liability underwriting?

Potential for large, catastrophic claims

What is the purpose of underwriters evaluating catastrophe loss exposures?

To identify potential losses and determine appropriate coverage

What is the result of an insurer transferring risk to another insurer through reinsurance?

Reduced risk for the insurer

What does FRAP stand for?

Facilitated Risk Analysis Process

What is the purpose of the Delphi Method?

To obtain asset value forecasts from independent experts

What is the formula for Exposure Factor (EF)?

EF = Loss Value / AV

What is the formula for Single Loss Expectancy (SLE)?

SLE = EF * AV

What is the Annual Rate of Occurrence (ARO)?

A percentage factor that estimates the number of times an identified event or threat will occur within a year

What is Qualitative Assessment?

An asset valuation approach that uses categorical or non-numeric values

What is OCTAVE?

Operationally Critical Threat, Asset and Vulnerability Evaluation

What is SOMAP?

Security Officers Management and Analysis Project

What is the number of steps in the EPA Human Health Risk Assessment?

Four

What is the first step in the EPA Human Health Risk Assessment?

Hazard Identification

What is the purpose of the EPA Human Health Risk Assessment?

To identify potential health risks

What is ISO 31000?

Risk Management Guidelines

What is the purpose of ISO 31000?

To provide guidelines for risk management

What is ISO 45001?

Occupational Health and Safety Management Systems

What is the purpose of ISO 14000?

To provide guidelines for environmental management

According to ANSI/ASSP/ISO 31000, the risk management process should be:

An integral part of management

Why do underwriters focus on loss severity rather than frequency in umbrella and excess liability underwriting?

Because large, catastrophic claims are the primary concern

What is the purpose of reinsurance?

To decrease an insurer's risk exposure

What is facultative reinsurance?

Reinsurance of individual loss exposures chosen by the primary insurer

What is an underwriting guideline?

A manual for underwriters to follow

Why is it important for underwriters to have a thorough understanding of the insured's operations?

To identify loss exposures and determine appropriate coverage

What is a primary concern for underwriters in catastrophic loss exposures?

Loss severity

What is the purpose of catastrophe insurance?

To provide coverage for large, catastrophic losses

Why do insurers require higher limits of liability and deductibles for certain loss exposures?

To ensure adequate coverage for high-risk loss exposures

What do underwriters monitor to identify potential loss exposures?

All of the above

What is a hazard in the context of insurance?

A condition that increases the frequency or severity of a loss

What is the purpose of a premium audit?

To determine the actual exposure units and premium for insurance coverages

What is telematics in the context of insurance?

The use of technological devices to transmit data via wireless communication and GPS tracking

What is a catastrophe model?

A type of computer program that estimates losses from future potential catastrophic events

What is the purpose of predictive modeling in insurance?

To construct models of anticipated future outcomes based on historical data and multiple variables

What do underwriters use to supplement their decision-making process?

Expert systems or knowledge-based systems

What do risk control and safety inspections aim to reveal?

New loss exposures, additional hazards, or operations

What type of insurance is designed to cover low-probability, high-cost events?

Catastrophe Insurance

What is the process of assigning liability to a person who did not cause the injury but has a particular legal relationship to the person who acted negligently?

Vicarious Liability

What is the term for the portion of risk or amount of insurance that a company chooses not to retain?

Retrocession

What is the hierarchy of controls used to mitigate hazards?

Elimination, Substitution, Engineering Controls, Warnings, Admin Controls

Who is responsible for conducting an incident investigation?

Front-line Supervisor

What is the type of insurance between a primary insurer and secondary insurer where the secondary agrees to cover all or part of the losses of the primary insurer?

Reinsurance

According to the Human Factors Theory, what are the three broad categories of accident causes?

Overload, Inappropriate Worker Response, Inappropriate Activities

What type of risk is characterized by intentional loss or exaggeration?

Moral Hazard

What is the primary purpose of monitoring claims activity for significant or unique losses?

To identify potential hazards

What is the role of expert systems in underwriting decision-making?

To ensure all necessary information is considered

What is a hazard in the context of insurance?

A condition that increases the frequency or severity of a loss

What is the primary underwriting concern for umbrella and excess liability insurance?

Loss severity

What is the purpose of a premium audit?

To determine the actual exposure units and premium for insurance coverages

What is the primary purpose of telematics in insurance?

To transmit data via wireless communication and GPS tracking

What is the purpose of reinsurance?

To transfer risk to another insurer

What is predictive modeling in insurance?

A process of blending historical data with multiple variables to construct models of anticipated future outcomes

What type of reinsurance involves the primary insurer choosing which loss exposures to submit to the reinsurer?

Facultative reinsurance

What is the primary purpose of a catastrophe model?

To estimate losses from future potential catastrophic events

What is an underwriting guideline?

A written manual outlining an insurer's underwriting policy

Why is it important for underwriters to have a thorough understanding of the insured's operations?

To identify loss exposures and determine the existing loss experience

What is the primary goal of risk management in insurance?

To identify potential hazards and minimize losses

What type of loss exposure is of primary concern for umbrella and excess liability insurance?

Catastrophe loss

What is the purpose of an underwriter's analysis of an insured's operations?

To identify loss exposures and determine the existing loss experience

What is the primary benefit of reinsurance for an insurer?

Transferring risk to another insurer

What type of insurance is used to cover low-probability, high-cost events?

Catastrophe Insurance

What is the portion of risk or amount of insurance that a company chooses not to retain?

Retrocession

According to the Human Factors Theory, what is a category of accident causes?

Overload

Who is responsible for conducting an Incident Investigation?

The Front-Line Supervisor

What is the term for assigning liability for an injury to a person who did not cause the injury but has a particular legal relationship to the person who did act negligently?

Vicarious Liability

What is the Hierarchy of Controls in the context of risk management?

Elimination, Substitution, Engineering Controls, Warnings, Admin Controls

What type of insurance involves a contract between a primary insurer and a secondary insurer, where the secondary insurer agrees to cover all or part of the losses of the primary insurer?

Reinsurance

What is the purpose of reinsurance in the context of insurance companies?

To reduce the risk of losses for the primary insurer

What is the primary purpose of Preliminary Hazard Analysis (PHA)?

To identify hazards and recommend risk reduction alternatives

Which type of reasoning is specific to general?

Inductive reasoning

What is the purpose of Fault Tree Analysis (FTA)?

To select an undesired outcome and diagram all possible happenings

Which of the following techniques is used to identify hazards and recommend risk reduction alternatives?

PHA

What is the purpose of hazard analysis?

To identify hazards and recommend risk reduction alternatives

Which of the following reasoning types is general to specific?

Deductive reasoning

What is the outcome of Fault Tree Analysis (FTA)?

The probability of the undesired event and the most likely chain of events leading up to it

What is the relationship between hazard identification and risk management?

Hazard identification is a part of risk management

What is the term for an event in which a work-related injury, illness, or fatality occurred or could have occurred?

Incident

Which of the following is NOT a risk response strategy?

Detection

What is the primary focus of ALARP?

As Low As Reasonably Practical

What is a condition or activity that has the potential for harm?

Hazard

What are examples of loss control measures?

Machine guards, confined space programs, Hazcom training

What is the overall process of risk identification, risk analysis, and risk evaluation termed?

Risk Assessment

What is the Domino Theory?

A chain of events that leads to an accident

What are the consequences that are most effective?

Soon, certain, and positive

What is the primary purpose of a Job Safety Analysis (JSA)?

To measure the inherent risk of each step in a work process and assign risk levels

What is the main objective of cost-benefit analysis in safety improvement projects?

To justify project costs and benefits

What is the purpose of safety benchmarking?

To measure a company's safety program and identify best practices

What type of design philosophy includes redundant systems?

Double parallel design

What is the Bathtub Curve?

A graph of the typical failure rate of a product over time

What factors are considered when prioritizing jobs for analysis in a Job Safety Analysis (JSA)?

Incident frequency, rate of disabling injuries, and incident severity potential

What is the purpose of SWOT analysis?

To evaluate a company's strengths, weaknesses, opportunities, and threats

What type of analysis is used to evaluate the inherent risk of each step in a work process?

Job Safety Analysis (JSA)

What is a circumstance that may require revision to a risk management program?

New loss exposures after a merger or acquisition

Which of the following tools is used to identify and analyze an organization's risks?

All of the above

What is the primary technique for treating loss exposures that involves not owning an asset or engaging in an activity that could result in a loss?

Avoid the risk

What is the risk management technique that involves generating the funds to pay for losses oneself?

Retain the risk

What is the primary focus of risk control techniques?

Reducing the frequency of a particular loss

Which of the following is NOT a primary technique for treating loss exposures?

Analyze the risk

What is the primary consideration when selecting risk management techniques for individuals?

Supporting and reinforcing personal objectives

What is the relationship between the frequency and severity of losses in an organization?

High-severity losses are rare and uncertain, while low-severity losses are frequent and predictable

What is the purpose of using audits as a tool to identify and analyze an organization's risks?

To evaluate the effectiveness of risk management techniques

Which of the following is an example of a tool used to identify and analyze an organization's risks?

Flowcharts and organizational charts

What is the primary purpose of risk financing in an organization?

To transfer financial responsibility for losses to another party

What is the benefit of using sophisticated risk management techniques in an organization?

It provides tax and investment implications

What is the primary goal of risk management for individuals?

To support and reinforce personal objectives

What is the purpose of analyzing losses by frequency and severity in an organization?

To understand the relationship between frequency and severity

What is the primary benefit of using insurance to manage risk for individuals?

It transfers financial responsibility for losses

What is the outcome of analyzing losses by frequency and severity in an organization?

Understanding of the relationship between frequency and severity

What type of businesses typically have loss exposures that are evaluated based on activities or operations?

Service businesses

What is the basis for underwriting in service businesses?

Quality of work

What type of loss exposure can result from false arrest, wrongful eviction, and slander?

Personal and advertising injury

What is the primary purpose of medical payments coverage?

To pay necessary medical expenses

What is considered real property?

Land, buildings, and whatever is growing on the land

What is a common loss exposure that underwriters evaluate?

Personal and advertising injury

What is a key factor that underwriters consider when evaluating an applicant's loss exposures?

Quality of work

Why do underwriters evaluate an applicant's personal and advertising injury loss exposures?

Because they are likely to occur

What type of risk is left over after risk treatment has been implemented?

Residual Risk

A Pareto analysis chart is used to rank items in order of their _______.

Frequency

According to ISO 19011, what is one of the seven principles for auditing?

Independence

What is 'Pure Risk'?

A risk that presents the chance of loss

What is the primary purpose of identifying residual risk?

To prioritize risk treatment

What is the benefit of using a Pareto analysis chart?

It helps to identify the most frequent risks

What is one of the principles of auditing according to ISO 19011?

Evidence-based approach

What is the purpose of identifying retained risk?

To assess risk appetite

What is the primary principle of an evidence-based approach in risk management?

It is based on the available data and empirical evidence.

Which of the following is a characteristic of 'pure risk'?

It presents a chance of loss but no opportunity for gain.

What is the purpose of a life care plan in risk management?

To identify a person's medical condition and ongoing care requirements.

According to ISO 45001, what is the first step in the audit process?

Plan, establish, implement, and maintain an audit program.

What is the primary focus of the whole person theory in risk management?

To assess the impact of an injury on an individual's daily life.

What is the primary benefit of the indemnity approach in risk management?

It allows for the calculation of the financial benefits of an employee's wage replacement.

What is the primary purpose of the wage loss theory in risk management?

To determine the percentage of the difference between the wages earned and the wages that could have been earned had the injury not occurred.

What is the primary focus of the risk-based approach in auditing?

To identify and assess the risks associated with an organization's operations.

What is the primary component of risk?

Uncertainty and loss

What is the primary goal of traditional risk management?

To decrease the frequency or severity of losses

What is the primary focus of Enterprise Risk Management?

To manage risks from many different sources and maximize value to the organization's stakeholders

What is a characteristic of Pure Risk?

It can result in a loss or no loss

What is a characteristic of Speculative Risk?

It can result in a loss, no loss, or gain

What type of risk is characterized by the risk of a fire loss?

Pure Risk

What is the primary difference between Pure Risk and Speculative Risk?

The opportunity for gain

What is the primary benefit of Enterprise Risk Management compared to traditional risk management?

It provides a coordinated strategy to manage risks from many different sources

What is the primary focus of implementing a risk management program?

To identify and prioritize risks

What is the purpose of asset valuation in risk management?

To place value on assets using one or more valuation methods

What is the purpose of risk analysis in risk management?

To identify the impact of risk on the organization

What is the purpose of risk monitoring in risk management?

To measure the effectiveness of risk responses

What is the purpose of Qualitative Assessment in risk management?

To use categorical or non-numeric values to assess risk

What is the purpose of risk prioritization in risk management?

To address larger risks more quickly and thoroughly

What is the formula to calculate the Single Loss Expectancy (SLE)?

EF * AV

What is the purpose of risk response in risk management?

To respond to risk in different ways depending on the context

What is the primary purpose of the Delphi Method in risk management?

To question a panel of independent experts to obtain asset value forecasts

What is the purpose of risk avoidance in risk management?

To avoid risks that are very likely and may have a huge impact

What is the definition of Asset Value (AV) in risk management?

The numerical value of an asset

What is the purpose of risk acceptance in risk management?

To accept risks that are unlikely and will have a minor impact, or ones that are simply not cost-effective

What is the purpose of the Exposure Factor (EF) in risk management?

To estimate the potential percentage of loss to an asset

What is the definition of the Annual Rate of Occurrence (ARO) in risk management?

The percentage factor that estimates the number of times an identified event or threat will occur within a year

What is the purpose of Quantitative Method in risk management?

To collect historical data on incidents

What is the purpose of FMEA (Failure Modes and Effect Analysis) in risk management?

To identify potential failure modes in a system

In Fault Tree Analysis, what is the effect of 'AND' gates on the probability of failure?

The probability of failure is the product of all the individual input probabilities

What is the purpose of Event Tree Analysis?

To identify possible outcomes of an initiating event

What is the primary use of the Naked Man technique?

To evaluate the effect of adding controls to a system

What is the primary use of THERP?

To predict the probability of human error

What is the role of 'AND' gates in Fault Tree Analysis?

They require that all events occur

What is the purpose of initiating an event in Event Tree Analysis?

To identify possible outcomes

What is the benefit of using THERP in system design?

It provides a means for quantitatively evaluating the contributions of human error to the degradation of product quality

What is the relationship between Fault Tree Analysis and Event Tree Analysis?

They are used for different purposes

What is the primary purpose of a dynamic risk assessment?

To expedite the risk assessment process

What are the general steps involved in all risk assessments?

Identify, decide, assess, record, and review

What is the correct sequence of steps in the EPA Human Health Risk Assessment?

Hazard identification, exposure assessment, dose-response assessment, and risk characterization

What should a risk management process be according to ANSI/ASSP/ISO 31000?

All of the above

What kind of consequences have the greatest impact on employee behavior?

Soon, certain, and positive consequences

What is ISO 14000?

Environmental Management Systems

What is the purpose of a generic risk assessment?

To provide a foundation for building dynamic risk assessments

What is the main purpose of risk assessment?

To identify hazards or risks

Which type of control is used to limit an individual's physical access to protected information or facilities?

Physical Control

What is the purpose of a deterrent control?

To discourage individuals from violating security policies

What is the purpose of a preventative control?

To stop a security incident from occurring

What is the purpose of a compensating control?

To mitigate the risk when the system cannot provide protection required by policy

What is the purpose of a detective control?

To detect security violations

What is a physical hazard in the context of risk management?

A tangible characteristic of property, persons, or operations that tends to increase the frequency or severity of loss

What is the purpose of a corrective control?

To reduce or eliminate the impact of a security violation

What is the primary purpose of a personal umbrella policy?

To add liability limits above existing policies and cover claims not covered by underlying policies

What is the purpose of a recovery control?

To return the system to an operational state after a failure

Why do underwriters analyze underlying coverage when issuing a personal umbrella policy?

To check if the underlying requirements are met

Which type of control is implemented in the computing environment?

Technical Control

What happens when an umbrella policy pays the excess above the liability limit of an underlying policy?

The umbrella policy pays the excess above the limit of the underlying policy

What is a characteristic of a personal umbrella policy?

It adds liability limits above existing policies and covers claims not covered by underlying policies

Why do underwriters require a certain amount of underlying coverage for a personal umbrella policy?

To ensure the applicant has adequate coverage

What is the effect of an umbrella policy paying the excess above the liability limit of an underlying policy?

The total coverage is increased to the policy limit

What is the relationship between underlying coverage and a personal umbrella policy?

The umbrella policy adds liability limits above the underlying policy

What kind of consequences have the greatest impact on employee behavior?

Both positive or negative

According to modern management theory, what type of consequences are most effective?

Both immediate or future, and certain or uncertain

Risk is defined as a combination of what two factors?

Probability and severity

What is contributory negligence?

The plaintiff's failure to exercise reasonable care for their safety

Who is a competent person, according to OSHA?

A person who is capable of identifying existing or predictable hazards in the workplace

What type of analysis should be done when changes are introduced in the workplace?

Change analysis

What is residual risk?

Risk that remains after risk treatment

What is a Pareto analysis chart used for?

To rank items in order of severity or frequency

What is the primary approach used by Failure Modes and Effects Analysis (FMEA)?

Inductive reasoning

What is the main goal of Fault Hazard Analysis (FHA)?

To expand FMEA and identify specific hazards

What is the primary purpose of Common Cause Failure Analysis?

To analyze multiple failures caused by a single event

What is the relationship between FMEA and Fault Tree Analysis (FTA)?

FMEA and FTA are used together to evaluate a product's safety

Who is typically responsible for performing a Failure Modes and Effects Analysis (FMEA)?

Reliability engineers

What is the primary focus of Failure Modes and Effects Analysis (FMEA)?

Analyzing a single failure or unit failure

What is the primary advantage of using Failure Modes and Effects Analysis (FMEA) in conjunction with Fault Tree Analysis (FTA)?

It provides a more comprehensive understanding of possible failures

What is the primary benefit of using Common Cause Failure Analysis?

It helps to identify failures that can cause multiple 'independent' safeguards to fail

What is the primary goal of risk financing for an individual?

To transfer financial responsibility for losses to another party

How do organizations typically analyze their losses?

By probability and impact

What is a characteristic of high-severity losses?

They are rare and unpredictable

What is the relationship between frequency and severity of losses?

Low-frequency losses are high-severity

What is the primary goal of risk management for an individual?

To achieve a personal objective

What is an example of a risk financing technique used by organizations?

Insurance

What is the primary focus of risk analysis for organizations?

Frequency and severity of losses

What is the purpose of analyzing losses by frequency and severity?

To develop risk management strategies

Study Notes

Risk-Based Auditing

• Risk-based auditing prioritizes the use of an organization's limited internal audit resources in areas that pose the greatest risk to the organization.
• It emphasizes three principles: auditing to business objectives, focusing on materiality of risk, and identifying threats to business goals and objectives.

Risk Management and Organizational Alignment

• Risk management involves providing insurance and risk management solutions to control or contain losses and satisfy customers.
• Common objectives for risk management include balancing risk and reward, supporting decision making, and achieving goals such as tolerable uncertainty, legal and regulatory compliance, survival, business continuity, earnings stability, profitability, growth, and social responsibility.

Underwriting

• Underwriting helps insurers develop and maintain a growing, profitable book of business by minimizing adverse selection, ensuring adequate policyholders' surplus, and enforcing underwriting guidelines.
• Underwriters select insureds, classify and price accounts, recommend or provide coverage, manage a book of business, support producers and insureds, and support the achievement of the insurer's marketing objectives.

Staff Underwriters

• Staff underwriters research the market, formulate underwriting policy, revise underwriting guidelines, evaluate loss experience, develop coverage forms, review rates, arrange reinsurance, assist with complex accounts, and conduct underwriting audits.

Underwriting Policy

• Underwriting policy is a guide to individual and aggregate policy selection that supports an insurer's mission statement.

Essential Knowledge for Underwriters

• Successful underwriters possess knowledge about insurance principles and practices, loss exposures and pricing, insurance rates, loss analysis, and internal and external information sources.

Rating

• Rating involves applying an applicable rate and rating plan to an exposure and performing necessary calculations to determine the policy premium.

Moral Hazard

• Moral hazard is a condition that increases the likelihood of intentional loss or exaggeration.

Property Application

• Underwriters examine crucial information in a property application, including loss history, COPE elements, and property values.

Supplemental Information

• Supplemental information, such as risk management programs, financial statements, risk control reports, and property valuation guides, helps underwriters further assess the quality of a property account.

COPE and Loss Run

• COPE elements include construction, occupancy, protection, and external exposures, which are analyzed by commercial property underwriters.
• A loss run is a report detailing an insured's history of claims that have occurred over a specific period.

Morale Hazard

• Morale hazard is a condition of carelessness or indifference that increases the frequency or severity of loss.

Fire Protection and Division

• Underwriters analyze loss exposures posed by immediate neighboring properties or the surrounding area.
• A fire division is a section of a structure that is well protected and cannot spread fire to another section or vice versa.

Public and Private Fire Protection

• Public fire protection refers to equipment and services made available through governmental authority to all properties within a defined area.
• Private fire protection refers to measures taken by property owners to protect their assets from loss by fire.

Residential and Occupational Loss Exposures

• Underwriters should evaluate residential loss exposures by considering hazards that can increase liability losses from invited guests.
• Personal insurance applications include questions about occupation or employment to determine potential loss frequency and severity.

Rating Plan

• A set of directions specifying criteria for exposure base, exposure unit, and rate per exposure unit to determine premiums for a particular line of insurance.

Combined Ratio

• A combined ratio of less than 100 means the insurer is making a profit from underwriting insurance.
• A combined ratio of more than 100 means the insurer is not making an underwriting profit.

Nonfinancial Measures

• Used to monitor underwriting results, including:
  • Selection
  • Product or line of business mix
  • Pricing
  • Retention ratio
  • Hit ratio
  • Customer service
  • Premium volume

Retention Ratio

• The percentage of expiring policies an insurer renews.
• Retaining policies is more profitable than acquiring new business because most of, if not all, the underwriting investigation work has been completed for existing policies.
• A low retention rate may indicate a problem with the insurer's service, such as customer dissatisfaction with claims service.

Hit Ratio

• Determines how well underwriters are meeting sales goals by comparing the number of policies written with applications that have been quoted.

Physical Controls

• Used to limit an individual's physical access to protected information or facilities, e.g., locks, doors, fences.

Technical Controls

• Also called logical controls, implemented in the computing environment, e.g., operating systems, application programs, database frameworks, firewalls.

Directive Control

• Specifies expected employee behavior, often in the form of policies and guidelines, e.g., acceptable use policy.

Deterrent Control

• Discourages individuals from violating security policies because of the effort to circumvent it or the negative consequences of doing so, e.g., CCTV monitoring.

Preventative Control

• Stops a security incident, e.g., background screenings.

Compensating Control

• Implemented when the system cannot provide protection required by policy, to mitigate the risk down to an acceptable level, e.g., an acceptable agreed exceptional process.

Detective Control

• Alerts the security professional to the attempted security violation.

Corrective Control

• Responds to the security violation to reduce or eliminate the impact, e.g., escorting unauthorized persons offsite.

Hazard

• A condition or activity that has the potential for harm.

Risk

• The chance or probability of occurrence of an injury, loss, or hazard.

Incident

• An event in which a work-related injury, illness, or fatality occurred or could have occurred.

Risk Response Strategies

• Four strategies:
  • Avoidance
  • Transfer
  • Retention
  • Reduction

Risk Assessment

• The overall process of risk identification, risk analysis, and risk evaluation.

ALARA and ALARP

• ALARA: As Low As Reasonably Achievable.
• ALARP: As Low As Reasonably Practical.

Loss Control Measures

• Examples include:
  • Hazcom training
  • Machine guards
  • Confined space programs

Domino Theory

• All accidents are caused by a chain of events, and the removal of any chain of events can prevent the accident.

Petersen's Accident/Incident Theory

• Causes of accidents/incidents are human error and/or system failure.

Risk Analysis vs. Risk Management

• Risk Analysis: a scientific activity that estimates risk.
• Risk Management: determines whether the risk is acceptable and what methods will be used to reduce the risk to an acceptable level.

Hazard Analysis Categories

• Three categories:
  • Environmental issues that create stress
  • Inherent properties that create hazards
  • Failures of people and materials

Primary Methods for Reducing Accidents

• Two methods:
  • Prevention (loss control)
  • Financial (cost reduction)

Objectives of Risk Management

• For a business, objectives include:
  • Reducing anxiety prior to a loss
  • Meeting responsibilities as a good corporate citizen
  • Continued growth after suffering a loss

Poka-Yoke

• A lean manufacturing technique that focuses on prevention or detection of errors, mistake-proofing methods aimed at designing fail-safe systems that minimize human error.

Kaizen

• A Japanese term for continuous improvement.

5-S

• An effective housekeeping technique that includes:
  • Sort
  • Straighten
  • Scrub
  • Systematize
  • Standardize

Risk Management Techniques

• Risk control: measures to prevent or reduce losses
• Risk financing: purchasing insurance to help pay for losses that do occur

Risk Management

• Examining the feasibility of risk management techniques involves financial and non-financial considerations
• Financial considerations include forecasted losses, insurance types, and deductibles
• Non-financial considerations include business operations, customer and employee safety, and reputation

Implementing Risk Management Techniques

• Risk financing techniques are implemented by risk management professionals
• Risk control techniques are implemented by operations managers, involving communication and training

Insurance

• Rating plan: a set of directions specifying criteria for exposure base, exposure unit, and rate per exposure unit to determine premiums
• Combined ratio: a ratio of less than 100 indicates an underwriting profit, while a ratio of more than 100 indicates no underwriting profit
• Non-financial measures used to monitor underwriting results include selection, product or line of business mix, pricing, retention ratio, hit ratio, and customer service

Underwriting

• Retention ratio: the percentage of expiring policies an insurer renews
• Hit ratio: determines how well underwriters are meeting sales goals by comparing policies written with applications quoted
• Underwriting elements include limits of liability, deductibles, and underlying insurer
• Loss severity, rather than frequency, is the primary underwriting concern

Reinsurance

• Reinsurance: transferring some of the risk to another insurer through a contractual agreement
• Facultative reinsurance: reinsurance of individual loss exposures, where the primary insurer chooses which loss exposures to submit

Underwriting Guidelines

• Underwriting guidelines: a written manual communicating an insurer's underwriting policy and specifying the attributes of an account that an insurer is willing to insure

Qualitative and Quantitative Risk Assessment

• Qualitative assessment: uses categorical or non-numeric values to estimate risk
• Quantitative assessment: uses numerical estimates based on historical occurrences of incidents and likelihood of risk re-occurrence
• Methods include Delphi Method, Facilitated Risk Analysis Process (FRAP), and Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

Risk Assessment Formulas

• ARO (Annual Rate of Occurrence): estimates the number of times an identified event or threat will occur within a year
• EF (Exposure Factor): the potential percentage of loss to an asset if a threat is realized
• SLE (Single Loss Expectancy): the impact of the event, calculated by multiplying the Exposure Factor by the Asset Value

EPA Human Health Risk Assessment

• Four steps: hazard identification, dose-response assessment, exposure assessment, and risk characterization

Underwriting Elements

• Underwriters can require higher limits of liability and deductibles for certain loss exposures.
• The underlying insurer is an important underwriting element to consider, with some insurers only providing umbrella or excess coverage over their own primary policies.

Loss Analysis

• Underwriters need a thorough understanding of the insured's operations to identify loss exposures and determine whether the existing loss experience is appropriate for the insured's operations.
• Loss severity, rather than frequency, is the primary underwriting concern in umbrella and excess liability underwriting.
• Underwriters also analyze catastrophe loss exposures.

Reinsurance

• Reinsurance is a process where an insurer transfers some of its risk to another insurer through a contractual agreement.
• Facultative reinsurance involves the primary insurer choosing which loss exposures to submit to the reinsurer, who can accept or reject any submitted losses.

Underwriting Guidelines

• Underwriting guidelines are written manuals that communicate an insurer's underwriting policy and specify the attributes of an account that an insurer is willing to insure.

Hazard and Risk Management

• A hazard is a condition that increases the frequency or severity of a loss.
• Premium audits are methodical examinations of a policyholder's operations, records, and books of account to determine the actual exposure units and premium for insurance coverages already provided.
• Telematics involves the use of technological devices to transmit data via wireless communication and GPS tracking.

Predictive Modeling

• Predictive modeling is a process that blends historical data based on behaviors and events with multiple variables to construct models of anticipated future outcomes.
• Catastrophe models are computer programs that estimate losses from future potential catastrophic events.

Insurance Types

• Catastrophe insurance is for low-probability, high-cost events.
• Reinsurance is between a primary insurer and secondary insurer, where the secondary agrees to cover all or part of the losses of the primary insurer.
• Retrocession is the portion of risk or amount of insurance the company chooses not to retain.

Human Factors Theory

• The Human Factors Theory by David Yates categorizes accident causes into three broad categories: overload, inappropriate worker response, and inappropriate activities.

Vicarious Liability and Incident Investigation

• Vicarious liability assigns liability for an injury to a person who did not cause the injury but has a particular legal relationship to the person who did act negligently.
• The front-line supervisor is responsible for conducting an incident investigation.
• The Hierarchy of Controls includes elimination, substitution, engineering controls, warnings, administrative controls, and personal protective equipment.

Underwriting Elements

• Underwriters can require higher limits of liability and deductibles for certain loss exposures.
• The underlying insurer is an important underwriting element to consider, with some insurers only providing umbrella or excess coverage over their own primary policies.

Loss Analysis

• Underwriters need a thorough understanding of the insured's operations to identify loss exposures and determine whether the existing loss experience is appropriate for the insured's operations.
• Loss severity, rather than frequency, is the primary underwriting concern in umbrella and excess liability underwriting.
• Underwriters also analyze catastrophe loss exposures.

Reinsurance

• Reinsurance is a process where an insurer transfers some of its risk to another insurer through a contractual agreement.
• Facultative reinsurance involves the primary insurer choosing which loss exposures to submit to the reinsurer, who can accept or reject any submitted losses.

Underwriting Guidelines

• Underwriting guidelines are written manuals that communicate an insurer's underwriting policy and specify the attributes of an account that an insurer is willing to insure.

Hazard and Risk Management

• A hazard is a condition that increases the frequency or severity of a loss.
• Premium audits are methodical examinations of a policyholder's operations, records, and books of account to determine the actual exposure units and premium for insurance coverages already provided.
• Telematics involves the use of technological devices to transmit data via wireless communication and GPS tracking.

Predictive Modeling

• Predictive modeling is a process that blends historical data based on behaviors and events with multiple variables to construct models of anticipated future outcomes.
• Catastrophe models are computer programs that estimate losses from future potential catastrophic events.

Insurance Types

• Catastrophe insurance is for low-probability, high-cost events.
• Reinsurance is between a primary insurer and secondary insurer, where the secondary agrees to cover all or part of the losses of the primary insurer.
• Retrocession is the portion of risk or amount of insurance the company chooses not to retain.

Human Factors Theory

• The Human Factors Theory by David Yates categorizes accident causes into three broad categories: overload, inappropriate worker response, and inappropriate activities.

Vicarious Liability and Incident Investigation

• Vicarious liability assigns liability for an injury to a person who did not cause the injury but has a particular legal relationship to the person who did act negligently.
• The front-line supervisor is responsible for conducting an incident investigation.
• The Hierarchy of Controls includes elimination, substitution, engineering controls, warnings, administrative controls, and personal protective equipment.

Hazard Analysis

• Hazard Analysis is a process to identify hazards and recommend risk reduction alternatives in procedurally controlled activities during all phases of intended use.
• Preliminary Hazard Analysis (PHA) is the most commonly used systems safety analysis technique.

Inductive and Deductive Reasoning

• Inductive reasoning is specific to general, e.g., FMEA, FHA, or ETA.
• Deductive reasoning is general to specific, e.g., FTA.

Fault Tree Analysis (FTA)

• FTA is a deductive analysis/technique that selects an undesired outcome (top-level event) and all possible modes of happenings.
• In a FTA, an undesired event is selected, and all possible happenings that can contribute to the event are diagrammed in the form of a tree.
• The branches are continued until independent events are reached.
• Probabilities are determined for the independent events, and after simplifying the tree, both the probability of the undesired event and the most likely chain of events leading up to it can be computed.

Hazard and Risk

• A condition or activity that has the potential for harm is a hazard.
• Risk is the chance or probability of occurrence of an injury, loss, or a hazard or potential hazard.

Incident and Risk Response Strategies

• An incident is an event in which a work-related injury, illness, or fatality occurred or could have occurred.
• The four risk response strategies are Avoidance, Transfer, Retention, and Reduction.

Risk Assessment and Evaluation

• Risk Assessment is the overall process of risk identification, risk analysis, and risk evaluation.
• ALARA means As Low As Reasonably Achievable.
• ALARP means As low as reasonably practical.

Loss Control Measures and Domino Theory

• Examples of loss control measures include Hazcom training, machine guards, and confined space programs.
• The Domino Theory states that all accidents are caused by a chain of events.

Other Risk Management Concepts

• SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is a way to evaluate risks, geared more toward business strategy in general.
• Job Safety Analysis (JSA) measures the inherent risk of each step in a work process and assigns risk levels to each step and ways to minimize the risk.
• Safety benchmarking is a technique for measuring a company's safety program to identify best practices.

Risk Management Program

• Circumstances may require revision to a risk management program, such as new loss exposures or new developments in existing loss exposures.

Risk Identification and Analysis

• Various tools and methods can be used to identify and analyze an organization's risks, including:
  • Loss histories
  • Checklists
  • Audits
  • Computer software
  • Team approaches
  • Flowcharts and organizational charts
  • Personal inspections
  • Company documents or records
  • Risk registers
  • Risk maps
  • Root cause analysis

Risk Treatment Techniques

• The primary techniques for treating loss exposures are:
  • Avoid the risk
  • Modify the risk
  • Transfer the risk
  • Retain the risk

Risk Control Techniques

• Risk control techniques aim to reduce the frequency or severity of a loss, including:
  • Avoiding a risk
  • Modifying a risk
  • Loss prevention techniques

Risk Financing Techniques

• Risk financing techniques involve planning to pay for losses, including:
  • Retention (planning to generate funds to pay for losses)
  • Transfer (shifting financial responsibility for losses to another party through a contract)

Selecting Risk Management Techniques

• The most appropriate risk management techniques are those that support and reinforce, rather than prevent or undermine, achievement of a personal objective.

How Organizations Select Risk Management Treatments

• Organizations analyze their losses by frequency and severity.
• Severity is the amount of a loss, typically measured in dollars.
• Frequency is the number of losses that occur within a specified period.

Personal and Advertising Injury Liability Loss Exposures

• Personal and advertising injuries can result from various offenses, including false arrest, wrongful eviction, slander, libel, invasion of privacy, and copyright infringement.
• Liability for personal and advertising injury is a commonly covered commercial loss exposure.

Medical Payments Loss Exposures

• Medical payments coverage pays necessary medical expenses for anyone injured while on the insured's property or because of the insured's activities.

Real Property (Realty)

• Real property includes land, structures permanently attached to the land, and whatever is growing on the land.

Ethical Principles

• Ethical principles for risk management include:
  • Fair presentation
  • Confidentiality
  • Due professional care
  • Independence
  • Evidence-based approach
  • Risk-based approach

Pure Risk

• Pure risk is a risk that presents the chance of loss but no opportunity for gain.

Other Concepts

• Whole person theory is a method of evaluating a person's ability after an injury.
• Indemnity is the benefit associated with wage replacement.
• Wage loss theory is a method of evaluating a person's lost wages after an injury.
• A life care plan is a comprehensive report that identifies a person's medical condition and ongoing care requirements.
• Residual risk is the risk remaining after risk treatment.
• Retained risk is the risk that an organization chooses to retain.
• A Pareto analysis chart is used to rank items in order of severity or frequency.
• ISO 19011 outlines seven principles for auditing, including integrity, fair presentation, and confidentiality.

Risk Management

• Risk: Uncertainty about whether a loss will occur, consisting of two key elements: uncertainty and loss.
• Risk Management: Process to best handle uncertainty about whether losses will occur, trying to decrease the frequency or severity of losses, and/or paying for those losses that occur despite an individual's or business' best efforts.

Types of Risk

• Pure Risk: Can result only in a loss or no loss, presents no opportunity for gain. Example: owner of an apartment building faces the risk of a fire loss.
• Speculative Risk: Can result in loss, no loss, or gain. Must be managed differently than pure risk.

Risk Management Frameworks

• Enterprise Risk Management (ERM): Emphasizes the interrelationship of risks from many different sources and a coordinated strategy to manage risks, and it assesses and treats risks to maximize value to the organization's stakeholders.
• Common Risk Frameworks: Risk IT Framework - ISACA, ISO31000, Enterprise Risk Management - Integrated Framework (COSO), Risk Management Framework (NIST)

Risk Assessment Methods

• Qualitative Assessment: An asset valuation approach that uses categorical or non-numeric values rather than absolute numerical measures.
• Quantitative Method: Numerical based estimate on the historical occurrences of incidents and the likelihood of risk re-occurrence.
• Delphi Method: Qualitative assessment of risk involving questioning a panel of independent experts to obtain asset value forecasts.
• FMEA (Failure Modes and Effect Analysis): A method for identifying various possible outcomes.

Risk Assessment Steps

• Identify the hazard or risk
• Decide or determine who could be affected
• Assess or evaluate how they might be affected
• Record the results or findings
• Review the results on a recurring basis

Risk Management Guidelines

• Construct your risk management program around a process of analysis, prioritization, response, and monitoring and measuring.
• Integrate Risk Management into larger framework of governance, risk management, and compliance (GRC) to simplify and improve all three processes.
• Follow the phases of the Risk Analysis Process to identify the impact of risk to your organization.
• Comprehensively identify all your assets that are susceptible to risk.
• Place value on your assets using one or more valuation methods.
• Identify how each asset is vulnerable.
• Identify the threats to each vulnerable asset.
• Assess risk using Qualitative or Quantitative language, depending on the context of the risk and the business needs of your organization.
• Prioritize risks so larger risks are addressed more quickly and thoroughly than smaller ones.
• Respond to risk in different ways depending on context: avoid, mitigate, transfer, or accept risks.

Risk Management Techniques

• Risk financing is handled by insurance, with insurance professionals suggesting appropriate limits, coverages, endorsements, and other options.
• Organizations analyze their losses by frequency and severity, where frequency is the number of losses that occur within a specified period, and severity is the amount of a loss, typically measured in dollars.

Transfer of Risk

• A risk financing transfer shifts financial responsibility for losses from one party to another through a contract.

Personal Umbrella Policy

• An umbrella policy provides an additional level of protection for large liability losses by adding to the liability limits above existing policies.
• It might also cover claims that underlying policies do not cover at all.

Underwriting

• A personal umbrella policy requires a certain amount of underlying coverage, so one of the first things an underwriter does after receiving an application is to check whether the underlying requirements are met.

Physical and Technical Controls

• Physical controls limit an individual's physical access to protected information or facilities, e.g., locks, doors, fences.
• Technical controls, also called logical controls, are implemented in the computing environment, e.g., in Operating Systems, application programs, database frameworks, firewalls.

Types of Controls

• Directive Control specifies expected employee behavior and often takes the form of policies and guidelines.
• Deterrent Control discourages individuals from violating security policies because of the effort to circumvent it or the negative consequences of doing so.
• Preventative Control stops a security incident.
• Compensating Control is implemented when the system cannot provide protection required by policy in order to mitigate the risk down to an acceptable level.
• Detective Control alerts the security professional to the attempted security violation.
• Corrective Control responds to the security violation to reduce or completely eliminate the impact.
• Recovery Control is used to return the system to an operational state after a failure to protect the CIA triad.

Consequences in Modern Management Theory

• Consequences must be positive or negative.
• Consequences must be immediate or future.
• Consequences must be certain or uncertain.
• Consequences must be a very powerful motivator.

Risk Definition and Analysis

• Risk is defined as a combination of severity and probability.
• Risk remaining after risk treatment is termed Residual Risk.
• Residual risk can contain unidentified risk and can also be termed Retained Risk.

Analysis Techniques

• Pareto analysis chart is used for ranking in the order of severity or frequency.
• Failure Modes and Effects Analysis (FMEA) or Failure Modes, Effects, and Criticality Analysis (FMECA) is a bottom-up system safety technique.
• Fault Tree Analysis (FTA) is used to evaluate a product's safety and can be used in conjunction with FMEA.
• Fault Hazard Analysis (FHA) follows an inductive reasoning approach to problem-solving.
• Common Cause Failure Analysis is used to evaluate multiple failures that may be caused by a single event or causal factor common to or shared by multiple components.

Description

Learn about risk-based auditing and its principles, as well as risk management and organizational alignment. Understand how to prioritize audit resources and control losses.