Name the risk present if no controls or mitigating factors were in place.
What is inherent risk?
Controls can be categorized as Preventive, Detective, Corrective or __.
What is Directive?
A risk acceptance typically expires after ___ months.
What is 12 months?
Reporting of events is the responsibility of:
What is all crew?
Issues can be identified by Audit and business. What other group can also identify issues?
What is Compliance or Third-Party Risk Management (xSP assessments)?
Before kicking off an assessment, you must develop a clear understanding of the environment. Name one activity or type of research that you would undertake.
What is research, past assessments, issues, event history, process maps, industry research, department procedures, control effectiveness, etc.?
The most common risk response options are to create an action plan or to accept the risk. Name one of the other two.
What is transfer or avoid?
Should an issue be created in Ballast Point for every Risk Event?
What is not necessarily?
The amount of risk an organization is willing to accept in pursuit of its strategic objectives and to provide value to stakeholders.
What is Risk Appetite?
If residual risk is determined to be above risk appetite, a risk response is required. Who owns the decision on how to respond to the risk?
Who is the business?
Describe how a Key Risk Indicator (KRI) differs from a Key Performance Indicator (KPI).
What is: KRIs indicate when a risk may potentially breach its risk appetite threshold or tolerance levels. KRIs are generally forward-looking and serve as predictors of risk. KPIs typically measure performance as defined in business dashboards (e.g., answering calls within 20 seconds) and are backward-looking. In other words, they reflect how the business performed.
Events with impacts rated high or critical must be reported to this governing body:
What is the Risk Advisory Forum (RAF)?