CRA - Certified Risk Architect Risk Mitigation and Controls Questions and Answers

Question 1

A financial services company identifies a high risk of data breach through phishing attacks.
After a thorough analysis, the company decides to implement a mandatory, quarterly security awareness training program for all employees, deploy an advanced email filtering system, and establish a clear incident response plan.
This combination of actions BEST represents which risk mitigation strategy?

Accepted Answer

Risk Reduction

Answer

Risk Transference

Answer

Risk Avoidance

Answer

Risk Acceptance

Question 2

A Certified Risk Architect is developing a control framework for a manufacturing plant. To address the risk of equipment failure, they implement a predictive maintenance program that uses sensors to monitor machinery health and schedule maintenance before a breakdown occurs. What type of control is this predictive maintenance program?

Accepted Answer

Preventive

Answer

Detective

Answer

Corrective

Answer

Directive

Question 3

Which of the following is the PRIMARY purpose of establishing Key Risk Indicators (KRIs) as part of a risk control system?

Accepted Answer

To provide an early warning that a risk is more likely to occur.

Answer

To assign ownership of risks to specific individuals within the organization.

Answer

To calculate the exact financial impact of a risk event.

Answer

To eliminate all residual risk after controls have been implemented.

Question 4

A construction firm is building in a region known for seismic activity. The firm decides to purchase a comprehensive earthquake insurance policy to cover potential damages to the structure and equipment. This action is an example of:

Accepted Answer

Risk Transference

Answer

Risk Reduction

Answer

Risk Acceptance

Answer

Risk Avoidance

Question 5

When evaluating the effectiveness of a risk control, a Certified Risk Architect should consider its design and operating effectiveness. What is the key difference between these two concepts?

Accepted Answer

Design effectiveness is whether the control is theoretically capable of mitigating the risk, while operating effectiveness is whether it is actually working as intended.

Answer

Design effectiveness is assessed by internal auditors, while operating effectiveness is assessed by external regulators.

Answer

Design effectiveness relates to the cost of the control, while operating effectiveness relates to its benefits.

Answer

Design effectiveness applies to automated controls, while operating effectiveness applies to manual controls.

Question 6

A software development company has a zero-appetite for risks related to the breach of customer personally identifiable information (PII). Which of the following control sets would be most appropriate to align with this stated risk appetite?

Accepted Answer

Implementing end-to-end encryption, multi-factor authentication, regular vulnerability scanning, and strict access controls.

Answer

A single annual data backup and a basic firewall.

Answer

Accepting the risk and setting aside a contingency fund for potential fines.

Answer

Transferring the risk by purchasing a basic cyber liability insurance policy.