CRA - Certified Risk Architect Risk Mitigation and Controls Questions and Answers

Question 1

A financial services company identifies a high risk of data breach through phishing attacks. After a thorough analysis, the company decides to implement a mandatory, quarterly security awareness training program for all employees, deploy an advanced email filtering system, and establish a clear incident response plan. This combination of actions BEST represents which risk mitigation strategy?

Accepted Answer

Risk Reduction

Answer

Risk Reduction, also known as risk mitigation, involves taking active steps to decrease the likelihood or impact of a risk. By implementing training, new technology (email filtering), and a response plan, the company is actively working to reduce the severity and probability of a data breach, which is the core of this strategy.

Question 2

A Certified Risk Architect is developing a control framework for a manufacturing plant. To address the risk of equipment failure, they implement a predictive maintenance program that uses sensors to monitor machinery health and schedule maintenance before a breakdown occurs. What type of control is this predictive maintenance program?

Accepted Answer

Preventive

Answer

Preventive controls are designed to stop an undesirable event from occurring in the first place. The predictive maintenance program is proactive; it aims to prevent equipment failure by addressing potential issues before they lead to a breakdown. Detective controls would only identify a failure after it happened, and corrective controls would focus on fixing it.

Question 3

Which of the following is the PRIMARY purpose of establishing Key Risk Indicators (KRIs) as part of a risk control system?

Accepted Answer

To provide an early warning that a risk is more likely to occur.

Answer

Key Risk Indicators (KRIs) are metrics used to provide an early warning signal that a risk exposure may be changing. They are leading indicators that help an organization monitor a risk and take action before the risk materializes into a loss event. While related to risk management, assigning ownership and calculating financial impact are different processes.

Question 4

A construction firm is building in a region known for seismic activity. The firm decides to purchase a comprehensive earthquake insurance policy to cover potential damages to the structure and equipment. This action is an example of:

Accepted Answer

Risk Transference

Answer

Risk Transference is a strategy that involves shifting the financial consequences of a particular risk to a third party. By purchasing an insurance policy, the construction firm is transferring the potential financial loss from an earthquake to the insurance company.

Question 5

When evaluating the effectiveness of a risk control, a Certified Risk Architect should consider its design and operating effectiveness. What is the key difference between these two concepts?

Accepted Answer

Design effectiveness is whether the control is theoretically capable of mitigating the risk, while operating effectiveness is whether it is actually working as intended.

Answer

Design effectiveness evaluates whether a control, if it operates as prescribed, will prevent or detect errors or fraud. Operating effectiveness, on the other hand, is concerned with whether the control is actually being performed consistently and correctly by the right people. A control can be perfectly designed but fail if it's not operated properly.

(CRA) Certified Risk Architect Practice Test

(CRA) Certified Risk Architect Practice Test

CRA - Certified Risk Architect Risk Mitigation and Controls Questions and Answers