An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

• A.transferred
• B.avoided
• C.mitigated.
• D.accepted

Comment: *

Name: *

Email: *

Verification: *

Which of the following items is considered as an objective of the three dimensional model within the framework described in COSO ERM?

• A.Risk assessment
• B.Financial reporting
• C.Control environment
• D.Monitoring

Correct Answer: B

Explanation/Reference:
Explanation:
The COSO ERM (Enterprise Risk Management) frame work is a 3-dimensional model. The dimensions and their components include:
Strategic Objectives - includes strategic, operations, reporting, and compliance.

Risk Components - includes Internal Environment, Objectives settings, Event identification, Risk

assessment, Risk response, Control activities, Information and communication, and monitoring.
Organizational Levels - include subsidiary, business unit, division, and entity-level.

The COSO ERM framework contains eight risk components:
Internal Environment

Objective Settings

Event Identification

Risk Assessment

Risk Response

Control Activities

Information and Communication

Monitoring

Section 404 of the Sarbanes-Oley act specifies a three dimensional model- COSO ERM, comprised of Internal control components, Internal control objectives, and organization entities. All the items listed are components except Financial reporting which is an internal control objective.
Incorrect Answers:
A, C, D: They are the Internal control components, not the Internal control objectives.

Comment: *

Name: *

Email: *

Verification: *

The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

• A.The risk classification changes.
• B.The inherent risk changes.
• C.The residual risk changes.
• D.The risk impact changes.

Comment: *

Name: *

Email: *

Verification: *

Which of the following come under the phases of risk identification and evaluation?
Each correct answer represents a complete solution. Choose three.

• A.Maintain a risk profile
• B.Collecting data
• C.Analyzing risk
• D.Applying controls

Correct Answer: A,B,C

Explanation/Reference:
Explanation:
Risk identification is the process of determining which risks may affect the project. It also documents risks' characteristics.
Following are high-level phases that are involved in risk identification and evaluation:
Collecting data- Involves collecting data on the business environment, types of events, risk categories,

risk scenarios, etc., to identify relevant data to enable effective risk identification, analysis and reporting.
Analyzing risk- Involves analyzing risk to develop useful information which is used while taking risk-

decisions. Risk-decisions take into account the business relevance of risk factors.
Maintain a risk profile- Requires maintaining an up-to-date and complete inventory of known threats

and their attributes (e.g., expected likelihood, potential impact, and disposition), IT resources, capabilities, and controls as understood in the context of business products, services and processes to effectively monitor risk over time.
Incorrect Answers:
D: It comes under risk management process, and not in risk identification and evaluation process.

Comment: *

Name: *

Email: *

Verification: *

Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

• A.Implement an organization-specific risk taxonomy.
• B.Align business objectives to the risk profile.
• C.Assess risk against business objectives
• D.Explain risk details to management.

Comment: *

Name: *

Email: *

Verification: *