Which of the following BEST contributes to the implementation of an effective risk response action plan?
Correct Answer: B
Section: Volume D
Question 792
What are the responsibilities of the CRO? Each correct answer represents a complete solution. Choose three.
Correct Answer: A,B,D
Section: Volume A
Explanation: The Chief Risk Officer is the executive-level manager in an organization. They provide corporate guidance, governance, and oversight over the enterprise's risk management activities. The main priority for the CRO is to ensure that the organization is in full compliance with applicable regulations. They may also deal with areas regarding insurance, internal auditing, corporate investigations, fraud, and information security. The CRO's responsibilities include:
* Managing the risk assessment process
* Implementing corrective actions
* Communicating risk management issues
* Supporting the risk management functions
Question 793
Which of the following will BEST help to ensure new IT policies address the enterprise's requirements?
Correct Answer: B
Question 794
An organization is implementing Internet of Things (IoT) technology to control temperature and lighting in its headquarters. Which of the following should be of GREATEST concern?
Correct Answer: D
Question 795
Which of the following phases is involved in the Data Extraction, Validation, Aggregation and Analysis?
Correct Answer: B
Section: Volume B
Explanation: The basic concepts related to data extraction, validation, aggregation and analysis are important because KRIs often rely on digital information from diverse sources. The phases involved are:
* Requirements gathering: A detailed plan and project scope are required for monitoring risks. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders.
* Data access: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction:
  - Extracting data directly from the source systems after system owner approval
  - Receiving data extracts from the system custodian (IT) after system owner approval
  Direct extraction is preferred, especially since this involves management monitoring its own controls, instead of auditors/third parties monitoring management's controls. If it is not feasible to get direct access, a data access request form should be submitted to the data owners that details the appropriate data fields to be extracted. The request should specify the method of delivery for the file.
* Data validation: Data validation ensures that extracted data are ready for analysis. One of its important objectives is to perform tests examining the data quality to ensure data are valid, complete and free of errors. This may also involve making data from different sources suitable for comparative analysis. The following concepts should be considered while validating data:
  - Ensure the validity, i.e., data match definitions in the table layout
  - Ensure that the data are complete
  - Ensure that extracted data contain only the data requested
  - Identify missing data, such as gaps in sequence or blank records
  - Identify and confirm the validity of duplicates
  - Identify the derived values
  - Check if the data given is reasonable or not
  - Identify the relationship between table fields
  - Record, in a transaction or detail table, that the record has no match in a master table
* Data analysis: Analysis of data involves a simple set of steps or a complex combination of commands and other functionality. Data analysis is designed to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions.
* Reporting and corrective action: The reporting structure and distribution are decided according to the requirements of the monitoring objectives and the technology being used. Reporting procedures indicate to whom outputs from the automated monitoring process are distributed so that they are directed to the right people, in the right format, etc. Similar to the data analysis stage, reporting may also identify areas in which changes to the sensitivity of the reporting parameters or the timing and frequency of the monitoring activity may be required.
Incorrect Answers:
D: These are the phases that are involved in risk management.