Module 1 - Specimen Paper (2019)

Question 1

Which of the three actions Tom Brown is undertaking is categorised as a pure risk?

A. Buying 100 lottery tickets.

B. Selling his house even though he receives less than he paid for it because he thinks prices will fall further.

C. Going horse riding without wearing a riding helmet.

Answer 1

C

Pure, or hazard, risks only result in negative outcomes which is why option C is the correct answer. Buying a lottery ticket involves an initial outlay but there is only upside or opportunity risk thereafter. Having decided to sell his house at a lower price than it was purchased for Tom has eliminated his exposure to the impact of changes in house prices.

Question 2

Hopkin states ‘Most standard definitions of risk refer to risks being attached to corporate objectives’. What else may risks be attached to?

A. Core processes.

B. Hazard management.

C. Risk correlation.

Answer 2

A

Risk attachment is covered in Fig 2.1 in Hopkin which shows how risks can be attached to core processes as well as corporate objectives.

Question 3

Enterprise Risk Management (ERM) is considered to have significant advantages over traditional risk management approaches because ERM

A. ensures that an organisation’s objectives will be achieved.

B. takes an integrated or holistic approach.

C. addresses strategic, tactical and operational risk management.

Answer 3

B

The key differentiator for ERM is that it takes an integrated or holistic approach. Option A is incorrect as neither traditional or ERM approaches can ensure that an organisation’s objectives will be achieved whilst both can address the management of strategic, tactical and operational risks.

Question 4

Which of the following would you expect to see in the context of risk strategy in the risk architecture, strategy and protocols framework (RASP)

1. The risk and audit team report to the board quarterly.
2. The attitude to risk is clearly defined.
3. Ownership of risk is delegated to business units.
4. The organisation has a defined risk appetite.

A. 2 and 3

B. 1 and 4

C. 2 and 4

Answer 4

C

• Risk appetite (2, 4) is part of the risk management strategy element of the RASP framework set out in Table 21.1 in Hopkin.*
• Risk reporting (1) and roles and responsibilities (3) are parts of the risk management architecture within the same framework.*

Question 5

As part of the ISO 31000 risk management process monitoring and review is best thought of as which of the following?

A. An extra stage.

B. A feedback loop.

C. Part of an iterative process.

Answer 5

C

Monitoring and review is part of the ISO 31000 risk management process set out in Fig 6.4 in Hopkin. It is iterative, rather than just an extra stage or a feedback loop, because each of the stages in the process may be executed multiple times before the risk evaluation is finalised and the appropriate risk treatment agreed.

Question 6

What three elements in addition to Operations make up the COSO ERM risk classification system?

1. Compliance
2. Strategic
3. Reputational
4. Reporting

A. 2,3 and 4

B. 1 and 3

C. 1, 2 and 4

Answer 6

C

The elements of the COSO ERM cube classification headings include strategic, operations, reporting and compliance (SORC). Reputational is one of the classification headings in the FIRM risk scorecard and not part of COSO ERM.

Question 7

Which factors are likely to influence your view when assigning a low, medium or high rating for the likelihood and impact of an interruption to production due to a natural disaster?

1. The length of time since the last natural disaster in the vicinity of the production unit
2. Where your suppliers are located.
3. Long range models and stress scenarios.
4. What you produce.

A. 1 and 2

B. 1, 3 and 4

C. 2 and 4

Answer 7

C

A key consideration is where your suppliers are located, as production would be harder hit if they were located nearby and affected by the same disaster. The second consideration is what you produce as this will determine the extent to which production might be disrupted by a natural disaster, for example products that are reliant on just-in-time deliveries would be more impacted if deliveries could not be made. The length of time since the last natural disaster is not a relevant consideration as it is unlikely to impact the likelihood of another natural disaster occurring. Similarly, modelling is of limited value when assessing the likelihood of natural disasters occurring.

Question 8

Which one of the following are consequences of people with different risk perceptions undertaking risk assessments?

A. Risks are not fully identified.

B. Risk treatments could be applied to the less significant risks.

C. It is not possible to determine a risk rating for a particular risk

Answer 8

B

One consequence of people having different risk perceptions is that the significance of some risks may be incorrectly determined and therefore treatments could be applied to less significant ones. The failure to identify risks fully is possible but this is relevant to the risk identification stage of risk assessment only and with people having different risk perceptions it is possible that more risks are identified and more fully discussed. In terms of risk assessment ratings, risk perceptions may result in an incorrect rating being applied but a rating will eventually be determined, possibly by the most senior person and even if not everybody agrees.

Question 9

Which of the following factors are likely to influence the risk classification approach adopted by an organisation?

1. Risk appetite
2. The complexity of operations
3. Stakeholder views
4. The types of risk that are most common

A. 1, 2 and 3.

B. 2 and 4.

C. 1 and 4.

Answer 9

B

• Organisations will choose risk classification approach that is most suited to its size, nature and complexity. Although there are different risk classification approaches many offer a combination of event, impact, source and consequence categories. They all help organisations define the scope of risk management providing a structure for risk identification and giving an opportunity to aggregate similar kinds of risks. This makes options 2 and 4 correct.*
• Classification of risks enables organisations to better identify risk appetite, risk capacity and total risk exposures in relation to each risk. Stakeholder views do not form part of the factors that can influence a risk classification system. This makes options 1 and 3 incorrect.*

Question 10

Which of the following would be classed as directive control measure?

A. Training staff in the use of personal protective equipment.

B. Providing hearing tests for staff exposed to noise in the workplace.

C. Limiting the time staff spend on any one piece of equipment.

Answer 10

A

• Directive controls are designed to ensure that a particular outcome is achieved. They are based on giving directions to people on how to ensure that losses do not occur. They are important, but depend on people following safe systems of work. Option A is correct.*
• Option B and C are examples of a corrective controls. These controls limit the scope for loss and reduce any undesirable outcome that has been realised.*

Question 11

Which of the following are common characteristics of a traditional risk management approach?

1. There is no ownership of risk in this organisation.
2. The culture of the organisation embraces risk management.
3. Risk is looked after by the organisation’s insurance department.
4. This organisation adopts an integrated approach to risk management.

A. 1, 2 and 3

B. 1 and 3

C. 2 and 4

Answer 11

B

• Traditional risk management tends to focus on the mathematics of hazard-based risks or financial risks amongst other specific risks and not an enterprise-wide approach. This means options 2 & 4 are incorrect as they refer to an enterprise-wide approach.*
• Enterprise risk management offers a holistic approach to risk management and recognises that risks in one part of the organisation can relate to risks occurring elsewhere and these links and relationships need to be managed just as much as individual risks in isolation. In this manner there is specific ownership of risks in the organisation. This means options 1 & 3 are traditional risk management characteristics rather than enterprise-wide approach, as they manage risks in isolation.*

Question 12

Which of the following statements about captive insurance companies are correct?

1. The domicile for captives is limited to those with favourable regulatory and accounting regimes.
2. A captive can access reinsurance markets.
3. A captive can sometimes offer greater cover than is available in the insurance market.
4. Captives are not permitted to insure the risks of third parties.

A. 1 and 4

B. 1 and 2

C. 2 and 3

Answer 12

C

Captive insurance companies are able to access reinsurance markets, can provide cover to group companies that may not be available from other insurers, are able to offer insurance cover to third parties and can decide to locate their domicile in any country not simply those with favourable regulatory and accounting regimes.

Question 13

The following questions consist of TWO statements. Read each statement and consider if each one is ‘True’ or ‘False’. If Statement 1 is ‘True’, consider if Statement 2 is a correct or an incorrect explanation for why Statement 1 is ‘True’.

Statement 1: Business Continuity Planning can be classified as a directive control.

Because

Statement 2: Business Continuity Planning is a technique used to control a low level risk which has occurred.

Choose from the following FIVE possible combinations where the first

A. True/False refers to Statement 1 and the second to Statement 2.

B. True True and Statement 2 is a correct explanation

C. True True but Statement 2 is NOT a correct explanation.

D. TrueFalse

E. False True

F. False False

Answer 13

C

• Statement 1 is True as following pre-agreed directions can significantly reduce impact once a risk event has occurred.*
• Statement 2 is False as BCP is applied only where significant risks, rather than low level risks, have occurred.*