1. Right Answer: C
Explanation: If it is necessary to quickly implement control by applying technical solution that deviates from the company's policies, then risk assessment should be conducted to clarify the risk. It is up to the management to accept the risk or to mitigate it.Incorrect Answers:A: As in this case it is important to mitigate the risk, hence risk professional should once recommend a risk assessment. Though the decision for the conduction of risk assessment in case of violation of company's policy, is taken by management.B: The recommendation to revise the current policy should not be triggered by a single request.D: Risk professional can only recommend the risk assessment if the company's policies is violating, but it can only be conducted when the management allows.

2. Right Answer: D
Explanation: A positive risk event is also known as an opportunity. Opportunities within the project to save time and money must be evaluated, analyzed, and responded to.Incorrect Answers:A: A contingency risk is not a valid risk management term.B: Benefits are the good outcomes of a project endeavor. Benefits usually have a cost factor associated with them.C: Residual risk is the risk that remains after applying controls. It is not feasible to eliminate all risks from an organization. Instead, measures can be taken to reduce risk to an acceptable level. The risk that is left is residual risk.

3. Right Answer: D
Explanation: The cost of the project is not an indicator of risk urgency. The affect of the risk on the overall cost of the project may be considered, but it is not the best answer.Incorrect Answers:A: Warning signs are an indicator of the risk urgency.B: Symptoms are an indicator of the risk urgency.C: The risk rating can be an indicator of the risk urgency.

4. Right Answer: B
Explanation: The basic concepts related to data extraction, validation, aggregation and analysis is important as KRIs often rely on digital information from diverse sources. The phases which are involved in this are: Requirements gathering: Detailed plan and project's scope is required for monitoring risks. In the case of a monitoring project, this step should involve process owners, data owners, system custodians and other process stakeholders. Data access: In the data access process, management identifies which data are available and how they can be acquired in a format that can be used for analysis. There are two options for data extraction:- Extracting data directly from the source systems after system owner approval- Receiving data extracts from the system custodian (IT) after system owner approvalDirect extraction is preferred, especially since this involves management monitoring its own controls, instead of auditors/third parties monitoring management's controls. If it is not feasible to get direct access, a data access request form should be submitted to the data owners that detail the appropriate data fields to be extracted. The request should specify the method of delivery for the file. Data validation: Data validation ensures that extracted data are ready for analysis. One of its important objective is to perform tests examining the data quality to ensure data are valid complete and free of errors. This may also involve making data from different sources suitable for comparative analysis. Following concepts should be considered while validating data:- Ensure the validity, i.e., data match definitions in the table layout- Ensure that the data are complete- Ensure that extracted data contain only the data requested- Identify missing data, such as gaps in sequence or blank records- Identify and confirm the validity of duplicates- Identify the derived values- Check if the data given is reasonable or not- Identify the relationship between table fields- Record, in a transaction or detail table, that the record has no match in a master table Data analysis: Analysis of data involves simple set of steps or complex combination of commands and other functionality. Data analysis is designed in such a way to achieve the stated objectives from the project plan. Although this may be applicable to any monitoring activity, it would be beneficial to consider transferability and scalability. This may include robust documentation, use of software development standards and naming conventions. Reporting and corrective action: According to the requirements of the monitoring objectives and the technology being used, reporting structure and distribution are decided. Reporting procedures indicate to whom outputs from the automated monitoring process are distributed so that they are directed to the right people, in the right format, etc. Similar to the data analysis stage, reporting may also identify areas in which changes to the sensitivity of the reporting parameters or the timing and frequency of the monitoring activity may be required.Incorrect Answers:D: These are the phases that are involved in risk management.

5. Right Answer: B
Explanation: The COSO ERM (Enterprise Risk Management) frame work is a 3-dimensional model. The dimensions and their components include: Strategic Objectives - includes strategic, operations, reporting, and compliance. Risk Components - includes Internal Environment, Objectives settings, Event identification, Risk assessment, Risk response, Control activities, Information and communication, and monitoring. Organizational Levels - include subsidiary, business unit, division, and entity-level.The COSO ERM framework contains eight risk components: Internal Environment Objective Settings Event Identification Risk Assessment Risk Response Control Activities Information and CommunicationMonitoring -Section 404 of the Sarbanes-Oley act specifies a three dimensional model- COSO ERM, comprised of Internal control components, Internal control objectives, and organization entities. All the items listed are components except Financial reporting which is an internal control objective.Incorrect Answers:A, C, D: They are the Internal control components, not the Internal control objectives.