Controls Flashcards
(16 cards)
What is a hazard risk
Pure Risk Category - these risks need to be mitigated
Directive control
based on giving direction to people to behave in a certain way and/or follow established procedures
what is a control
actions to reduce the likelihood and/or magnitude of a risk. Controls for hazard risks can be preventative, corrective, directive or detective (PCDD)
Corrective
type of control designed to limit the scope for loss and reduce any undesirable outcomes that have been realised.
Directive
based on giving directions to people to behave in a certain way and/or follow established procedures.
Directive controls are designed to ensure that a particular outcome is achieved. They are based on giving directions to people on how to ensure losses do not occur. Typical examples include written systems and procedures and training.
Detective
designed to identify that a hazard risk has materialised, so that actions can be taken to avoid further or greater losses.
What’s a control risk
Associated with uncertainty; they cause doubt about the organisation's ability to achieve its mission
What’s a hazard risk
Risks that inhibit achievement of corporate missions
Advantage of directive control
Simpler to administer, and the lessons learnt from projects can be identified and applied in future
Preventative control
Designed to limit possibility of an undesirable outcome being realised
🔒 1. Preventative Controls
Stop problems before they happen.
Think: Locking the door so no one breaks in.
Examples:
• Passwords to stop hackers.
• Security tags on products to stop shoplifters.
• Training staff to avoid mistakes.
Directive
📢 2. Directive Controls
Guide people to do the right thing.
Think: A sign that says “Employees must wash hands.”
Examples:
• Company policies.
• Instructions or warning signs.
• Safety briefings.
They don’t block problems directly, but they tell people how to avoid them.
Detective
3. Detective Controls
Spot problems after they happen.
Think: Security cameras showing someone stealing.
Examples:
• Alarms or alerts.
• Inventory checks that reveal missing items.
• Audit logs that show who accessed files.
These help you notice that something went wrong and capture lessons learnt.
Corrective
4. Corrective Controls
Fix the problem after it happens.
Think: Resetting your password after a hacker breaks in.
Examples:
• Restoring backup files after a cyberattack.
• Patching software after a bug is found.
• Disciplinary action after a rule is broken.
Difference between PCDD
House Example
Preventative
Locking your doors
Directive
A sign that says “No trespassing”
Detective
Security cameras or motion sensors
Corrective
Fixing the window after a break-in
Which of these best describes a control risk
a. Risks that can only inhibit achievement of corporate mission.
b. Risks that cause doubt about the ability to achieve the organisation’s mission.
c. Risks that are deliberately sought or embraced by the organisation.
B. Control risks can ‘cause doubt’ about the ability to achieve the mission and are associated with uncertainty.
Note: hazard risks are A (hazard risks inhibit achievement of the corporate mission).
Opportunity risks are C (risks deliberately sought or embraced).
When evaluating the effectiveness of controls on an inherent risk, which of the following must be considered?
- Target level of risk.
- Risk magnitude.
- Resulting risk exposure.
- Likelihood / impact scales.
To figure out how effective a control is, you need:
A starting point (what the risk looked like before the control),
An ending point (what the risk looks like after the control),
And a way to measure the difference.
Option 1 is incorrect. The target level of risk is an objective, and the question is about the evaluation of a variation in the level of risk, which may or may not reach the target level of risk. (The target risk level is just a goal. This question is about measuring the change in risk, not whether you hit the goal.)
Option 2 is correct. “Magnitude represents the gross or inherent level of the risk.” This is the start point. (The “magnitude” of the risk before any controls is your starting point. This is called the inherent risk.)
Option 3 is correct. According to Hopkin “The exposure presented by an individual risk can be defined in terms of the likelihood of the risk materializing and the impact of the risk when it does materialize.” We can therefore measure a risk exposure for the inherent risk and a risk exposure for the residual risk. As Option 3 is about “Resulting risk exposure”, it clearly identifies the exposure associated with the residual (current) risk remaining after the application of the risk control, and this is the end point. (After applying the control, you measure the remaining risk. This is called the residual risk, and it’s your ending point.)
Option 4 is also correct. An instrument of measure is necessary to determine both the start point (inherent risk in the case of this question) and the end point (residual risk). In this case, the package of the likelihood / impact scales represents the measuring instrument. (Option 4 is right: you need a tool to measure the change. In this case, using a scale for likelihood and impact helps you measure both the starting and ending risk levels.)