Risk Management Awareness for Senior Management Quiz

Questions and Answers

What is the purpose of defining a risk response?

  • To completely eliminate risk
  • To bring risk in line with management's acceptable level of risk (correct)
  • To accept any risk regardless of circumstances
  • To minimize risk at all costs

What should the risk assessment report and risk register document?

  • Assessed level or priority of each risk (correct)
  • Technical details of each risk
  • Potential benefits of each risk
  • Overall financial impact of each risk

Who is responsible for evaluating and responding to the recommendations included in the report?

  • External consultants
  • Risk management team
  • Stakeholders
  • Management (correct)

What is the strategy to reduce the impact of risk by assigning or sharing it with another enterprise?

  • Risk transfer (D)

What is crucial for understanding liability, compliance, due care, and creating a risk management culture?

  • Awareness training for senior management (B)

What are essential for risk mitigation and can be categorized as managerial, technical, or physical in a control matrix?

  • Controls (B)

What is the focus of risk mitigation?

  • Reducing the frequency or impact of risks (C)

What is an effective way to mitigate enterprise risk?

  • Awareness education and training (C)

What is essential for effective risk management with procedural controls?

  • Training to ensure correct performance (A)

What is the primary focus of the incident management team?

  • Restoring normal service (A)

Which factor is considered in the decision to implement a control?

  • Current risk level (D)

What does incident management focus on?

  • Returning affected systems to normal service (B)

What is included in control management procedures?

  • Policy creation and change management (A)

What should business continuity and disaster recovery planning consider?

  • Budgets and staff availability (C)

How are controls monitored in an enterprise?

  • Through specific metrics (B)

Study Notes

  • Controls are chosen to mitigate risks to an acceptable level and are monitored through specific metrics.
  • The enterprise sets its own metrics and thresholds for control performance, which may be compared to industry standards.
  • Control management procedures include installation, policy creation, change management, staff training, and scheduling for review and reporting.
  • The decision to implement a control factors in the current risk level, laws and regulations, ongoing projects, strategic plans, budgets, staff availability, public pressure, and actions of competitors.
  • Risk environment changes require review and revision of business continuity and disaster recovery plans.
  • Incident management focuses on returning affected systems and operations to normal service as quickly as possible, but it may impact evidence collection.
  • The incident response plan includes prevention, detection, containment, and recovery measures.
  • The incident management team consists of internal and external resources, with a primary focus on restoring normal service.
  • Each incident must be thoroughly reviewed to extract lessons learned for future prevention and detection improvements.
  • Threats, vulnerabilities, and impact can be identified from incident reports.
  • Business continuity and disaster recovery planning must consider available resources, expected services, and the types and severity of threats.
  • Recovery plans should balance risk management efforts, incident management, and business continuity/disaster recovery planning for the most cost-effective solution.
