Chapter 5 MCQs Flashcards

1
Q

What does the RCSA process involve?
a) Identifying, assessing, monitoring, reporting risks and controls
b) Assessing controls and monitoring their effectiveness
c) Reporting risks to senior management
d) Taking corrective actions when risks materialize

A

a

2
Q

RCSA can be undertaken by:
a) Only senior managers at the top of the organization
b) Only within business entities and central functions
c) At various levels in the organization
d) External consultants only

A

c

3
Q

A key factor behind an effective approach to RCSA is:
a) Using a standardised questionnaire
b) Clear risk governance
c) Automated reporting functionality
d) Holding workshops facilitated by internal audit

A

b

4
Q

One benefit of an effective RCSA process is:
a) Increased workload for senior managers
b) Alignment of risk management to organizational strategy
c) Dependence on external consultants
d) Additional expenditure on control systems

A

b

5
Q

Failure to identify operational risks using RCSA:
a) Enables resources to be focused elsewhere
b) Is not an issue as risks are unpredictable
c) Prevents understanding of likelihood and impact
d) Means they will not materialize

A

c

6
Q

Using the risk categorization scheme in identifying risks:
a) Provides the initial scoping of required risks
b) Should validate risks identified by other means
c) Is unimportant as risks are unpredictable
d) Is too high level to be useful

A

b

7
Q

In assessing risk, impact relates to:
a) The underlying causes of the risk
b) The frequency of control testing
c) The expected consequences if the risk occurs
d) The level of inherent risk appetite

A

c

8
Q

Which of the following is NOT an advantage of workshop-based RCSAs:
a) Buy in from attendees
b) Collection of a wide range of views
c) Quicker to arrange than interviews
d) Opportunity to raise awareness

A

c

9
Q

In assessing controls, effectiveness depends on:
a) Having a mix of manual and automated controls
b) Frequency of control operation
c) Design and operation in practice
d) Testing on a statistically significant sample

A

c

10
Q

Preventative controls:
a) Seek to address underlying risk causes
b) Mitigate likelihood rather than impact
c) Take effect after a risk materializes
d) Cannot totally prevent risks from occurring

A

b

11
Q

Residual risk differs from inherent risk in that it:
a) Focuses on underlying risk causes rather than impacts
b) Assesses exposures before consideration of control effects
c) Is a theoretical concept with no practical application
d) Adjusts likelihood rather than impact ratings

A

b

12
Q

Which is NOT a way to respond to identified risk exposures:
a) Introduce additional controls
b) Completely eliminate the risk
c) Transfer outside the organization
d) Accept at the residual level

A

d

13
Q

What is a ‘control’ in risk management terms?
a) A legal entity within the corporate group
b) A mitigating action taken to reduce likelihood or impact
c) A method of quantifying probabilities
d) An independent test of effectiveness

A

b

14
Q

Directive controls most commonly take the form of:
a) Automated alerts of process breaches
b) Organizational policies and procedures
c) Risk transfer mechanisms
d) Process key performance indicators

A

b

15
Q

What indicates control effectiveness?
a) Regular operational use
b) Being preventative rather than corrective
c) Either manual or automated mechanisms
d) Suitability of design AND operation in practice

A

d

16
Q

When would operational risks require re-assessment after mitigating actions?
a) Annually as part of business planning cycle
b) If likelihood, impacts or controls change
c) Only if triggered by internal audit findings
d) Quarterly in preparation for regulatory reporting

A

b

17
Q

Who is responsible for designing and operating controls?
a) The risk owner
b) The control owner
c) The board risk committee
d) The 3rd line assurance function

A

b

18
Q

What key element of RCSA reporting provides a visual summary of exposures?
a) Scope statement
b) Executive summary
c) Risk description
d) Heat map diagram

A

d

19
Q

A risk owner is responsible for all the following EXCEPT:
a) Identification and assessment of risks
b) Determining appropriate mitigations
c) Control operation and monitoring
d) Regular reporting of risks

A

c

20
Q

What indicates sound economics in managing identified risk exposures?
a) Mitigating residual exposures according to regulatory guidance
b) Ensuring risk treatments are proportional to potential impacts
c) Introducing controls where costs are less than residual exposures
d) Minimizing expenditures through inappropriate risk acceptances

A

c

21
Q

Which is NOT an appropriate trigger for an ad hoc RCSA?
a) A change in the external operating environment
b) Regular time interval as per policy and framework
c) Roll out of a new product range
d) Major regulatory enforcement action

A

b

22
Q

A key input when identifying emerging risks should be:
a) Historic internal loss data
b) Peer bank risk assessments
c) Regulator risk evaluation report
d) Forward-looking business environment assessment

A

d

23
Q

Risk Indicators can provide validation of which aspects of RCSA risk assessments?
a) Loss impact estimates
b) Required responses
c) Likelihood or impact ratings
d) List of referenced controls

A

c

24
Q

What does residual risk exposure indicate?
a) Inherent risk appetite
b) Regulatory capital requirement
c) Risk level remaining after controls
d) Maximum probable loss

A

c

25
Q

Which of the following represents a hierarchy applicable to operational risk reporting?
a) Risk owner - control owner - board risk committee
b) Heat map - risk description - mitigation actions
c) Inherent exposure - residual exposure - target exposure
d) Operational - conduct - prudential risk

A

c

26
Q

What is a limitation of using spreadsheet software for operational risk management systems?
a) Restrictive licensing costs
b) Manual maintenance leading to potential errors
c) Excessive functionality
d) Over reliance on subject matter experts

A

b

27
Q

Risk avoidance differs from risk transfer in which aspect?
a) Speed of implementation
b) Impact on residual exposure
c) Ongoing resource requirements
d) Target of the mitigation

A

d

28
Q

Which meet the definition of detective controls?
a) Process reviews and reconciliations
b) System access rights and payment limits
c) Mandatory training and policy attestation
d) Product approval criteria

A

a

29
Q

High reliance on manual controls introduces which additional risk?
a) Inflexible response capability
b) Unnecessary automation complexity
c) Periodic performance failure
d) Lower operating costs

A

c

30
Q

A limitation of risk reporting heat maps is:
a) Difficulty of construction
b) Exclusion of financial impacts
c) Increased focus on priorities
d) Potential for confusion without supporting detail

A

d