GRC - Governance, Risk, and Compliance Enterprise Risk Management Frameworks Questions and Answers

Question 1

A global manufacturing company is implementing an Enterprise Risk Management (ERM) framework. The Chief Risk Officer (CRO) wants to ensure the framework is adaptable to different business units and promotes a proactive risk culture. Which ERM framework is best known for its flexible, principles-based approach that can be customized to any organization's context?

Accepted Answer

ISO 31000

Answer

ISO 31000 is recognized for its flexible and principles-based approach, providing guidelines rather than mandatory requirements. This allows organizations to tailor the framework to their specific size, industry, and risk context. COSO ERM is more prescriptive, particularly for organizations focused on financial reporting and internal controls. NIST RMF is primarily for managing information security risk within U.S. federal agencies, and COBIT is a framework for the governance and management of enterprise IT.

Question 2

A financial services firm is updating its ERM framework to better align with its strategic objectives and performance metrics. The board of directors has emphasized the importance of integrating risk management directly into the strategy-setting process. Which of the following is a key component of the COSO ERM 2017 framework that directly addresses this requirement?

Accepted Answer

Strategy and Objective-Setting

Answer

The COSO ERM 2017 framework, titled "Enterprise Risk Management—Integrating with Strategy and Performance," explicitly includes 'Strategy and Objective-Setting' as one of its five core components. This component emphasizes considering risk during the strategic planning process to ensure that the chosen strategy aligns with the organization's risk appetite.

Question 3

Which of the following best describes a primary objective of establishing an ERM framework within an organization?

Accepted Answer

To provide a structured and consistent approach for identifying, assessing, and managing risks across the enterprise.

Answer

The core purpose of an ERM framework is to establish a consistent, enterprise-wide approach to managing risk. It provides a structure for identifying potential events that may affect the entity, managing risk to be within its risk appetite, and providing reasonable assurance regarding the achievement of entity objectives. It is not possible to eliminate all risks, and while it aids audits, its purpose is much broader. ERM integrates with, rather than replaces, internal controls.

Question 4

A technology company is deciding between the COSO ERM and ISO 31000 frameworks. The company operates globally and has a diverse range of stakeholders. A key difference the GRC team should consider is that:

Accepted Answer

COSO ERM is more prescriptive and detailed, often favored by audit and accounting professionals, while ISO 31000 is a more concise, high-level guideline.

Answer

A significant distinction between the two frameworks is their presentation and level of detail. COSO's framework is substantially longer and more detailed, with a historical focus on internal controls and accounting, making it popular with auditors. ISO 31000 is a shorter, more flexible set of principles and guidelines. Neither framework offers a formal certification for compliance. Geographically, ISO 31000 has broader international adoption, while COSO is more prevalent in North America.

Question 5

During a risk committee meeting, a new manager suggests that the company's ERM framework should focus on responding to risks by either avoiding or accepting them. A GRC professional should advise that this view is incomplete because a comprehensive risk response strategy also includes:

Accepted Answer

Reducing and sharing

Answer

A standard ERM framework includes four primary risk responses: Avoid, Accept, Reduce (or Mitigate), and Share (or Transfer). Reducing risk involves implementing controls to lower its likelihood or impact. Sharing risk typically involves transferring a portion of it to a third party, such as through insurance.

(GRC) Governance, Risk, and Compliance Certification Practice Test

(GRC) Governance, Risk, and Compliance Certification Practice Test

GRC - Governance, Risk, and Compliance Enterprise Risk Management Frameworks Questions and Answers