CPE Qualifying Assessment Module (1-7)

C3PRMP Qualifying Assessment - Modules (1-7)

1) A performance curve in a third party contract that provides a significant increase in the value of incentive payouts following a relatively small increase in performance level is typically:
A) Low risk
B) Moderate risk
C) High risk

2) Which of the following are particularly important for effective risk reporting for senior management?
A) Policies and procedures
B) Overseeing all revenue generating businesses
C) Actual, emerging and potential risks

3) Which of the following is an example of a separation of duties?
A) Requiring a relationship management plan
B) Requiring a 2nd signature on financial transactions
C) Requiring a reporting structure

4) Management adopts and implements policies and procedures designed to promote both legal compliance and appropriate standards of honesty, integrity and ethics that are established by:
A) Regulators
B) The board
C) Laws

5) What defines a company’s tolerance for accepting third party risks to ensure it is aligned with its Risk Appetite?
A) Risk Tolerance
B) Risk Thresholds
C) Risk Management Framework

6) The lifecycle of a third party relationship begins with identifying a business need that will be fulfilled by a third party and ends with __________.
A) Execution of the contingency plan
B) Execution of the exit strategy
C) Execution of due diligence and contracting

7) What is the most efficient way to enable comprehensive third party risk reporting?
A) Documented procedures
B) An enterprise-wide risk register
C) A third-party risk management technology solution

8) The third party risk management framework should align with the corporate:
A) Operational risk management framework
B) Enterprise risk management framework
C) Both A and B

9) An example of systemic third party Concentration Risk is:
A) Many companies offering the same services to the same target customers
B) Many companies concurrently deploying the same or similar new third party technologies
C) Many companies in the same industry using the same third party in the same location

10) A metric that determines which third party risks will be measured, how they will be measured, and the frequency of measurement is a:
A) Key Risk Indicator
B) Risk Appetite
C) Risk Tolerance

11) The simplest way to aggregate third party risks is to:
A) Report them by business unit
B) Align them with Risk Appetite
C) Organize them according to a hierarchy

12) A standard of comparison of third party risks that is comprised of definitions and rating levels that enable consistent interpretation by different constituencies is:
A) Tiering
B) A defined scale for rating risks
C) Criticality

13) Site visits are recommended for:
A) All third parties with access to systems and networks
B) All offshore third parties
C) The most critical and/or high-risk relationships

14) What is the most important lesson learned from the Equifax breach?
A) Train staff on the threat of phishing emails
B) Homeland Security should have notified the public sooner
C) Third party software should be subjected to the same degree of due diligence as any other third party relationship

15) To fulfill their fiduciary duties, boards must:
A) Review risk oversight policies and procedures at the board and committee levels
B) Navigate organizational growth while protecting the organization from unnecessary risk
C) Both A and B

16) Is a “one size fits all” approach to third party risk management effective?
A) Yes, technology enables a risk-adjusted approach
B) No, it misaligns exposure to risk and work effort
C) Yes, the three Lines of Defense have different roles and responsibilities

17) Cyber risk management is how precious assets such as financial assets, re-saleable information and intellectual property are protected from:
A) accidental destruction or loss
B) duplication or inaccuracy
C) unauthorized electronic access, use, changes, or destruction

18) An agreement between your company and its third parties that formally defines expectations and agrees on specific requirements is which type of agreement?
A) Service Level Agreement
B) Operating Level Agreement
C) Controls Level Agreement

19) Which of the following is an intangible asset?
A) Inventory
B) Land
C) Trademark

20) What is the best course of action to determine the effectiveness of third party due diligence, evaluation, controls, processes and tools?
A) Conducting root cause analysis on third party issues and incidents
B) Conducting root cause analysis on deficiencies in third party controls
C) By monitoring third party compliance

21) “Tone at the Top” is a term that has been widely adopted to describe:
A) The role of the board and senior management
B) Appropriate business behaviors that align with a strong risk management culture
C) The basis for senior management compensation

22) The primary responsibility of Internal Audit in disaster recovery planning is to:
A) Participate in developing an enterprise-wide Disaster Recovery Plan
B) Ensure the company’s Disaster Recovery Plan has been approved by senior management
C) Include the Disaster Recovery Plan within the scope of the business unit’s audit

23) What is the main lesson that can be learned from engaging with social media/traditional media?
A) Privacy laws protect consumers when they are engaged with social/traditional media
B) That anything spoken, actioned or written down could unexpectedly turn up in some form of social or traditional media
C) With sound privacy controls negotiated into contracts, a third party’s use of social/traditional media presents minimal risk

24) In which of the following scenarios is it not advisable to proceed with the third party relationship?
A) There is high criticality and low residual risk
B) There is moderate criticality and a high value proposition
C) There is high residual risk and a low value proposition

25) An important contribution to third party risk management made by Internal Audit is to:
A) Develop methodologies and define required controls
B) Conduct independent evaluation of controls effectiveness for critical third parties
C) Assess the effectiveness of the third party risk management program

26) To increase monitoring effectiveness, management should periodically rank third party relationships according to risk to determine:
A) which third parties require closer monitoring
B) risk management capabilities within the 1st Line of Defense
C) controls effectiveness

27) Which of these is often the weakest link in a company’s defenses?
A) The firewall
B) Inadequate controls
C) Risk culture

28) The third party relationship is “critical” to the company and/or the business if:
A) The contract requires senior management and board approval
B) There would be a significant impact to day-to-day business operations and/or customers should the third party be unable to perform
C) The third party relationship delivers innovation and untried technologies

29) Which of the following services is infrequently outsourced to a third party?
A) Call center
B) Internal Audit
C) Financial transaction processing

30) Which type of controls could be imposed to offset deficiencies in the third party’s controls and/or immature risk management capabilities in the contracting business unit?
A) Compensating
B) Residual
C) Strong

31) When Internal Audit’s role extends beyond its core role/purpose, it should be:
A) In a consultative role
B) As a decision maker
C) As a risk domain expert

32) What does a company’s “Risk Tolerance” define?
A) How much risk the company is comfortable taking on
B) How much risk the third party presents to the company
C) How much risk the company is actually willing to take on

33) Which of the following is one of the most important benefits of a third-party risk management program?
A) Accelerates response and resolution to a serious third party incident
B) Minimizes insider threats
C) Defined roles and responsibilities

34) The most challenging “pane” to address in Johari’s Window is:
A) You don’t know what you know
B) You know what you don’t know
C) You don’t know what you don’t know

35) The core role of Internal Audit in ERM is to:
A) Verify and report on compliance to regulations and laws
B) Provide objective assurance to senior management on the effectiveness of risk management policies and practices
C) Provide objective assurance to the board on the effectiveness of risk management policies and practices

36) Unexpected events of such magnitude and consequence that they have a dominant role in history are called:
A) Black Swans
B) Systemic events
C) Natural disasters, including earthquakes and floods

37) For core functions, a Disaster Recovery Readiness Assessment Audit should be conducted:
A) Annually
B) Quarterly
C) Monthly

38) Cyber criminals were most likely to unleash ransomware using:
A) insecure websites
B) phishing
C) A and B: phishing and insecure websites

39) Ransomware is:
A) A sophisticated piece of malware that blocks the victim’s access to his/her files until a ransom is paid, typically in an “untraceable” form such as Bitcoin or cash
B) A sophisticated form of extortion where the hacker blackmails the company or target by threatening to publicly reveal confidential or private information
C) A sophisticated way to launder money, virtually undetectable by lawmakers

40) A key indicator of third party information and cyber security risk is:
A) Transaction processing in the third party’s offshore data center
B) Access to your company’s confidential data, regardless of whether the data is in transit or at rest (stored)
C) The third party’s use of material 4th parties (subcontractors) to deliver contracted services

41) A company's Risk Appetite is:
A) The organization's readiness to bear the risk after risk treatment in order to achieve its objectives, expressed in quantitative terms
B) The desired amount, type and level of risk that an organization is prepared to accept, linked to expected returns
C) The norms or traditions of behaviors that determine the way they identify, understand and act on the risk the organization takes

42) What is one of the most serious outcomes of a serious third party cyber security breach?
A) Fines
B) Legal action
C) Damage to your company’s reputation

43) The type and amount of third party risk that remains after taking into consideration the strength of the third party’s control environment is called:
A) Risk exposure
B) Inherent risk
C) Residual risk

44) Which type of risk is your company exposed to in the following case study? “Your third party is left without electrical power as a result of a serious fire”
A) Reputational
B) Operational
C) Strategic

45) “IoT”, the Internet of Things, refers to:
A) portal-enabled devices that interact with one another via internet-based applications
B) devices with RFID tags or embedded chips that intentionally interact with one another, and with people as required, via internet-based applications
C) devices with RFID tags or embedded chips that can only interact with one another via networked systems

46) Contract provisions should clearly state that the primary third party has accountability for:
A) all services that the third party provides, including business continuity capabilities
B) all services that the third party and its subcontractors provide, including business continuity capabilities
C) providing a copy of the results of business continuity resiliency testing

47) An important responsibility of third party risk oversight committees is a willingness to:
A) Challenge the company’s Risk Appetite
B) Challenge their peers when they are prepared to accept undue third party risks
C) Challenge the company’s KRIs

48) FCPA is an acronym for:
A) Federal Consumer Privacy Act
B) Federal Compliance Protection Act
C) Foreign Corrupt Practices Act

49) An analytical method that consists of an expert opinion of the likelihood of a risk event occurring, based on a set of known variables that can be used to determine the probability of each risk event occurring, is called:
A) Qualitative analysis
B) Quantitative analysis
C) Risk segmentation

50) The type and amount of third party risk that your company assumes by entering into a relationship with a third party, before evaluating the strength of the third party’s controls, is called:
A) Residual risk
B) Inherent risk
C) Controls risk

51) The Financial Accounting Standards Board (FASB) recognizes the long-term value of intangible assets that have indefinite useful lives. How frequently should their value be tested for impairment?
A) Annually
B) Every six months
C) Every five years

52) The findings from a completed Risk Control Self-Assessment (RCSA) can be used:
A) As input to third party trend analysis and senior management reporting
B) To assess the business unit’s knowledge of third party controls
C) To formulate appropriate action plans to address identified control gaps

53) A documented plan that defines the preferred course of action in the event of a serious business interruption or failure, where recovery by the third party is in serious doubt or not expected, is a:
A) Business Continuity Plan
B) Contingency Plan
C) Business Continuity Management System

54) The U.S. Sarbanes-Oxley Act specifically stipulates that senior management has personal liability for:
A) Third party issues and incidents
B) The accuracy and completeness of financial statements
C) Information and cyber security breaches

55) Systemic issues are:
A) An unmanaged opportunity to reduce risk across an industry sector
B) A serious deficiency in third party controls over their network security
C) Ineffective third party controls over employee access to confidential data

56) A best practice for business continuity management is:
A) Negotiating SLAs for availability of services, including RTOs and the order in which services are restored
B) Negotiating a “change of control” clause into the contract
C) Negotiating participation in the third party’s annual BIA

57) BIAs should consider:
A) Contractual controls in third party contracts
B) The impact of legal and regulatory requirements
C) ISO 22301 standards

58) Which of the following is typically not in scope for third party cyber and information security due diligence?
A) Whether access is strictly on a need to know basis, including for the third party’s sub-contractors (your company’s material 4th parties)
B) Whether they use multi-factor authentication
C) Their technology and new products road map

59) Inherent risk is ________________ the critical services delivered by the third party.
A) Separable from
B) Inseparable from
C) Incremental to

60) What is a significant and recent change in practices related to oversight of third-party risk?
A) Risk committees of the board
B) Creation of third-party risk oversight committees
C) Risk acceptance by the business unit

61) A third party information security risk event is more likely to occur and has a higher impact than insurance risk, so would be given ____________ in a risk evaluation model.
A) A lower value
B) A higher value
C) A critical value

62) During third party due diligence, risk control experts should request:
A) SOC 2 reports
B) Only information that’s needed and can be evaluated
C) Copies of in-scope policies

63) Which of the following makes the greatest contribution to effective performance management of critical third parties?
A) Concise Service and Operating Level agreements
B) Policies, processes and tools
C) Strategic Business Reviews

64) After implementing a third party risk management program, cycle time (the time it takes to complete third party due diligence, controls evaluation and contracting) is typically:
A) Longer, due to more comprehensive risk assessments
B) Shorter, due to more efficient processes
C) Unchanged

65) In which stage of a third-party’s lifecycle do manufacturers typically excel?
A) Managing and monitoring operational inputs and performance
B) Getting to contract
C) Orderly termination and exit

66) Deficiencies in the third party’s controls identified during due diligence may be mitigated by:
A) Residual controls
B) Inherent controls
C) Compensating controls

67) In relative terms, getting a cold back up site and a hot back up site up and running will take:
A) The same length of time
B) A hot back up site will take longer to get up and running than a cold back up site
C) A cold back up site will take longer to get up and running than a hot back up site

68) “Governance practices may not be as critically dependent on direct expenditures as they are on the ability of management, boards, audit committees and internal auditors to work together to properly focus oversight attention, and larger banks have an edge in focusing that attention more efficiently.” Collectively, these practices are referred to as:
A) Tone at the Top
B) Risk Tolerance
C) Strategic risk

69) The purpose of third party due diligence is to:
A) Identify required controls
B) Verify facts and evaluate controls
C) Communicate business needs

70) During third party due diligence, requesting details of physical security controls, including for visitors and contractors, is:
A) A best practice
B) Not required
C) Protected information

71) Risk-Based Authentication:
A) detects anomalies or changes in the normal use patterns of a person
B) requires verification of the person’s identity when anomalies or changes are detected, such as “challenge” questions
C) A and B: detects anomalies or changes in the normal use patterns of a person AND requires verification of the person’s identity when anomalies or changes are detected, such as “challenge” questions

72) A common challenge that companies face when creating methodologies that enable consistent interpretation of third party risk by different constituencies is:
A) Finding the right balance between simplicity and comprehensiveness
B) Reporting to senior management and the board
C) Complying with regulations and laws

73) What is a third-party risk management cost driver?
A) A standard equation that translates third party risk into costs
B) Fees for third party services
C) Any activity or series of activities to identify, assess, manage and control risk throughout the lifetime of the relationship

74) The inter-related set of ISO standards for cyber and information security are specifically designed to:
A) Specify the requirements for establishing, implementing, maintaining and continually improving an information security management system
B) Ensure your company meets or exceeds national and international regulations and laws
C) Enable collaboration on best practices between cyber and information security experts

75) ISO 27001, a high-level framework, helps companies establish a set of Information Security Management Standards (ISMS) to guide development and implementation of a framework for managing the security of their information assets, including:
A) Financial information, intellectual property, information entrusted to them by customers, and third parties
B) Security posture, protection of confidential information and intellectual property
C) Regulatory requirements, protection of financial assets and information entrusted to them by customers

76) Designating a high proportion of your company’s critical third party relationships as “high risk” results in:
A) Stronger risk-informed decisions
B) Too much “noise”, interfering with risk insight
C) A low Risk Appetite

77) Which of the following third party risk management activities is commonly performed by the 1st Line of Defense?
A) Risk reporting
B) Managing performance
C) Evaluating the effectiveness of the third party’s controls

78) A process that is useful for assessing third party risks and tying them back to strategic objectives is:
A) Scenario analysis
B) Contingency planning
C) Risk modelling

79) A framework widely used by global companies to help them protect against, prepare for, respond to, and recover from disruptive incidents is:
A) BIA
B) ISO 22301
C) FFIEC

80) A disadvantage of qualitative assessment of third party risks is that it:
A) Gives limited differentiation between levels of risk
B) Is very time consuming
C) Requires defined units of measure

81) To fulfill their responsibilities to customers, shareholders and the board, senior management must have:
A) Detailed Key Risk Indicators (KRIs)
B) Timely and accurate risk information and insight
C) An enterprise risk management function

82) In the Cloud, identity management, security and compliance:
A) can be controlled with the same rigor as any technology
B) are much more difficult to manage than other technologies
C) are less difficult to manage than other technologies

83) If a third-party has access to your network or information assets, or if your company accesses a third-party’s services via their web-portal, consider negotiating contractual obligations that:
A) require two-factor authentication and strong passwords with pre-scheduled changes
B) limit access to your company’s data to a “need to know” basis
C) require annual security training for employees

84) A DDoS (Distributed Denial of Service) attack occurs when:
A) A malicious hacker or group of hackers takes control of internet-connected devices and launches many thousands of requests for service to a website in an attempt to overwhelm it and shut it down
B) A company falls victim to a Zero Day hacker, exposing them to an undetected breach that shuts down their network
C) A serious failure by a critical third party disrupts delivery of products or services to its customers

85) How does mass digitization of records increase operational risk?
A) Digital records are more portable than paper records, making them hard to trace if they are lost or stolen
B) Large volumes of confidential data stored in digital formats are high value assets that can be sold on the dark web or used for identity theft, making them the primary target of hackers
C) Digital records stored in third party cloud solutions are less secure than those stored in onsite servers

86) The nature and depth of third party due diligence should be proportional to:
A) Criticality and inherent risks
B) Criticality and residual risks
C) Key risk indicators

87) An important characteristic of any critical third party relationship is:
A) Could cause significant customer impacts if the third party fails to meet expectations
B) Cost to replace/switch is in excess of $100,000 USD
C) Annual contract value is in excess of $1,000,000 USD

88) Your company has outsourced its call center to a third party and they are changing telecom providers. What is the relationship your company has with the third party’s telecom provider?
A) A third party relationship
B) A “non-vendor” third party relationship
C) A fourth party relationship

89) NPPI stands for:
A) Non-public personal information
B) No personal or public information
C) No personal information or intellectual property

90) A structured, consistent and continuous framework across the whole organization for identifying, assessing and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives is:
A) Enterprise Risk Management (ERM)
B) Operational Risk Management (ORM)
C) Third Party Risk Management (3PRM)

91) An effective tool for providing assurance of compliance with policies, plans, procedures, laws, regulations and contracts is a:
A) RACI
B) RCSA
C) SMART

92) The best KRIs provide business leaders and risk managers with an opportunity to __________ significant third party risks that are expected to become incidents or losses, before they happen.
A) Identify
B) Classify
C) Action

93) Which is one of the most important responsibilities that senior management has to create and maintain a strong risk culture?
A) Approving policies and procedures
B) Establishing and modeling “tone at the top”
C) Auditing the effectiveness of third party risk management capabilities

94) The best defense against a successful Ransomware attack, one where the company has no feasible alternative to paying the hacker’s ransom, is:
A) Employee education, designed to prevent “insider” threats
B) A complete and current backup of the targeted records
C) Multi-factor authentication for all users

95) Internal Audit provides independent assurance to ________________ concerning the effectiveness of third party risk management and controls.
A) Senior management
B) The board
C) Both A and B

96) Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?
A) Hierarchical
B) Risk-centric
C) Aligned

97) Which type of third party risk is described in the following case study? “One of your critical third party’s employees secretly recorded one of their senior executives harassing one of your customers, and the video went viral”
A) Operational
B) Compliance
C) Reputational

98) At a minimum, well written information and cyber security policies should address:
A) Data classification; offsite storage; change management processes
B) Data classification; asset inventory and device management; access controls and identity management
C) Access controls and identity management; security awareness training; incident response plan

99) The BIA should identify:
A) The potential impact of outsourcing a critical function to a third party
B) The potential impact of inadequate third party due diligence
C) The potential impact of uncontrolled, non-specific events on these business functions and processes

100) A Disaster Recovery Plan is a detailed description of:
A) How services will be restored, timing and order in which they’ll be restored
B) Whether services can be restored in an orderly manner
C) A list of critical third party relationships and the services/products contracted for

101) A copy of the third party’s ISO 22301 Certificate of Compliance that covers contracted services could be an efficient and effective substitute for:
A) Establishing a hot back up site
B) Developing a Contingency Plan
C) Conducting your own due diligence

102) A risk management strategy where your company contracts with more than one third party to spread the risk may:
A) Increase your pricing
B) Increase your lifecycle management, governance and oversight costs
C) A and B

103) A framework that helps define the role of the board and management, delineates duties and helps prevent duplicated efforts and the overlooking of critical issues is called a ____________ framework:
A) Enterprise Risk Management
B) Third Party Risk Management
C) Governance

104) The difference and relationship between assurance and other monitoring activities is clarified by the:
A) Risk Appetite Statement
B) Risk committee of the board
C) Three Lines of Defense model

105) To assess the potential impact a third party has on your company’s business resilience you should periodically review:
A) The third party’s business continuity plan testing activities
B) The third party’s management information systems (MIS) reports
C) Both A and B

106) To be useful, a risk taxonomy (a common language to identify, classify, understand and communicate risks) must be:
A) Recorded in a risk register
B) Understandable, consistent and communicated effectively
C) Approved by the board

107) A process/tool that focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities is:
A) Benchmarking
B) Controls evaluation
C) Risk rating

108) In the event that one of your company’s third parties suffers a catastrophic failure, which course of action is often the least feasible?
A) Take over the third party’s operations
B) Contract with an alternative third party
C) Rely on the third party’s insurer to fund resumption of operations

109) The risk thresholds that are aligned with each KRI should be clearly aligned with your company’s:
A) Risk Management Framework
B) Risk Tolerance
C) Risk Appetite

110) Third party relationships are:
A) Your company’s contracted partners only
B) Your company’s vendors and other relationships that are not with your customers
C) Your company’s customers

111) The best type of back-up site for critical services (those that would have a high impact if there is an outage or serious interruption) is a:
A) Cold site
B) Hot site
C) DR site

112) A Risk and Control Self-Assessment (RCSA) is:
A) A process through which third party risks are identified and assessed
B) A process through which operational risks and the effectiveness of controls are assessed and examined
C) A process through which senior management and the board establish the risk culture of the organization

113) The most common source of vulnerability to a successful cyber-attack is:
A) Failure to conduct penetration testing at least annually
B) Insider threat
C) Weak physical security controls

114) A third party relationship of such importance that a serious incident or failure would affect most or all of company operations and customers is typically referred to as:
A) Enterprise/Mission critical
B) High residual risk
C) SOX reportable

115) The weakest link in your company’s defensive perimeter is:
A) Your critical third parties’ control environment
B) Your employees’ and critical third party’s mobile devices
C) Both A and B

116) Trend analysis can identify opportunities:
A) to improve third-party risk management
B) to determine whether third party risk is increasing, decreasing or stable
C) both A and B

117) When assessing exposure to third party risk, which of the following assessments is subjective?
A) Financial
B) Operational
C) Reputational

118) Which Line of Defense owns the third party relationship and its risks?
A) 1st Line of Defense
B) 2nd Line of Defense
C) 3rd Line of Defense

119) In-depth business continuity management risk assessments should be conducted for:
A) The third-party “finalist” (the one you want to engage)
B) All third parties that responded to your “go to market” process (RFP, invitation to bid, etc.)
C) Third and fourth parties

120) Why are “point of sale” technologies especially vulnerable?
A) Ease of compromising the hardware
B) They aren’t networked devices, so they are secure
C) Software bugs

121) Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?
A) Hierarchical
B) Risk-centric
C) Aligned

122) Which Line of Defense is the domain of a company’s risk specialists?
A) 1st Line of Defense
B) 2nd Line of Defense
C) 3rd Line of Defense

123) Requiring the third-party to outsource deficient services to another company:
A) Decreases your risk
B) Improves risk visibility
C) Increases your risk

124) Business lines should not approve their ______.
A) Exceptions to approved Risk Tolerances
B) Third party Service Level Agreements
C) Risk reporting to senior management

125) Specific and measurable Service Level Agreements benefit:
A) Your company
B) The third party
C) Both parties

126) If the third party is unable to meet your company’s expectations and/or control requirements, possible next steps include:
A) Contractually binding the third party to make appropriate changes within a specific time frame
B) Sourcing an alternate third party that can meet your control requirements
C) Both A and B

127) An information or cyber security event is:
A) a deficiency in information and cyber security risk detection, prevention, and management
B) a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information
C) any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on the Information System

128) Which of the following is an indicator of strong incident management practices?
A) A process for conducting root cause analysis post-incident
B) Operational risk management policies
C) A process for orderly termination and exit

129) In a weighted risk rating methodology, an important benefit of isolating criticality of the third party relationship is to:
A) Implement targeted controls
B) Free up more “points” to allocate to risk
C) Weight residual risks

130) Tying compensation to the actions of employees and senior management should promote:
A) The company’s reputation
B) The company’s risk culture and accountability for results
C) Compliance to the Code of Conduct

131) How is a strong risk culture most effectively expressed within any company?
A) A clear Risk Appetite Statement on the company’s website
B) The decisions, actions and behaviors of senior leadership
C) A requirement for employees to annually attest to their compliance with the company’s Code of Conduct

132) Open and candid communications throughout the organization, clear lines of authority and responsibility and transparency are key elements of:
A) A strong risk culture
B) A Risk Appetite Statement
C) Key Risk Indicators (KRIs)

133) What was the most likely cause for Johnson + Johnson to observe possible damage to their reputation or loss of public trust?
A) Change to key technologies
B) Change to consumer spending habits
C) Change to the nature of products sold

134) The most challenging “pane” to address in Johari’s Window is:
A) You don’t know what you know
B) You know what you don’t know
C) You don’t know what you don’t know

135) If it was permissible to record a critical third party relationship as an asset, what type of asset would it be?
A) Tangible
B) Intangible
C) Contingent

136) Due Diligence is which type of third party risk management tool?
A) Productivity
B) Financial assessment
C) Verification and analysis

137) Which type of risk is your company exposed to in the following case study? “Your third party’s senior leadership team is experiencing a period of rapid turnover”
A) Operational Risk
B) Financial Risk
C) Strategic Risk

138) Value from any third party relationship is a function of:
A) Risk Appetite
B) Risk and return
C) Control

139) All companies need to define the goals and objectives related to Strategic, Financial, Reputational and Operational risk management. What is a common approach for accomplishing this?
A) Developing an Enterprise Risk Management framework
B) Developing an Operational Risk Management framework
C) Developing an Independent Challenge framework

140) How are a company’s Risk Appetite and Risk Tolerances tied together?
A) By setting key performance indicators based on the company’s strategic direction
B) By setting risk thresholds or limits based on the company’s business and the impact of exposure to risk
C) In the company’s Annual Report to shareholders

141) The most effective way to eliminate third party risks is to:
A) Outsource the risks to the third party
B) Comply with regulations and laws
C) You can never eliminate third party risk

142) Any serious misalignment between risk control functions, processes and risk taxonomy will:
A) Frustrate the business while creating gaps, overlaps, and missed opportunities
B) Justify increased investment in risk management professionals
C) Lead to fines and other penalties

143) Third party vendor services are recorded as _______ on a company’s Income Statement.
A) Expenses
B) Liabilities
C) Intangible assets

144) Third party risk that your company accepts after analyzing the third party’s controls over those risks is called:
A) Inherent risk
B) Risk Appetite
C) Residual risk

145) A core principle of “controllable” metrics in an effective Service Level Agreement is that:
A) the third party has the ability to control the outcome
B) the contracting company has the ability to control the outcome
C) both parties agree on the controls to be measured

146) Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques, followed by:
A) An onsite review
B) Quantitative treatment of the most important risks
C) Identification of key performance indicators

147) The COSO Internal Control – Integrated Framework is used to:
A) Manage risk and control to accomplish objectives
B) Set the organization's objectives
C) Design the organizational structure to execute risk and control duties

148) ____________ third parties are out of scope for most third party risk management programs.
A) Low risk, low spend
B) Monopolistic
C) Publicly traded, AAA rated

149) What is the most important “lesson learned” from the story about “Larry’s Laptop”?
A) You may not know where your company’s confidential data is being stored
B) Remote access to your company’s network and systems may not always be secure
C) The days of contracting with a third party that lacks a strong risk culture and has serious controls deficiencies are over, regardless of their expertise

150) What is the primary cause of privacy breaches?
A) Human error B) Hackers C) Failure to store data appropriately 151) A “risk-centric” third party lifecycle management framework: A) Promotes risk culture B) Takes a risk-based approach C) Has a well-defined RACI 152) The use of a cloud service provider typically means that: A) Senior management must approve the contract prior to implementation B) The relationship is critical to the company and/or the business unit C) The relationship is within the scope of the third party risk management program 153) For greater clarity about the importance and risks of each relationship and easy comparison of risks across your portfolio of critical third party relationships, effective third party risk management programs separate third parties into Tiers, according to: A) Criticality and ease of replacement B) Criticality and contingency C) Criticality and inherent risks 154) Which function owns the third-party relationship and the risks? A) The business unit in the 1st Line of Defense B) Procurement C) Senior management 155) The nature and amount of residual risk in a third party relationship can only be determined when: A) Risks are segmented, and the relationship has been tiered B) Due diligence is complete, contractual terms finalized, and internal controls established C) Inherent risks have been mitigated 156) Which one of the following is used to control third party risks? A) A sound contract B) Due diligence C) Site visit 157) Using Johari’s window, in which “pane” would your company’s business requirements reside in a Request for Proposal for a new third party relationship? A) 1st pane – You know what you know B) 2nd pane – You know what you don’t know C) 3rd pane – You don’t know what you know 158) The primary role of the board is to: A) Directly manage risks B) Oversee management and corporate issues that affect risk C) Approve Key Risk Indicators 159) Which function(s) is responsible for establishing Tone at Top? 
A) Third Party Risk Management program office B) Senior management and the board C) 2nd Line of Defense 160) A client-specific business continuity or disaster recovery plan is: A) Included within the scope and pricing of most third party contracts B) A legal and regulatory requirement for critical services in most jurisdictions C) A special service that results in incremental pricing/costs 161) Another name for a “risk map” is a A) Key risk indicator B) Heat map C) Risk model 162) Collectively, the risk management responsibilities of senior management and the board are referred to as? A) Fiduciary B) Risk-centric C) Compliance-related 163) What is the difference between an incident and an issue? A) Incidents require immediate attention while issues are typically systemic, becoming evident over time B) Issues require immediate attention while incidents are typically systemic, becoming evident over time C) These two terms are interchangeable 164) Internal risk management controls within market-dominant third parties are always: A) Standardized B) Variable in terms of their strength C) Strong 165) The majority of companies that paid a ransom as a result of a Malware attack did not report the incident to law enforcement due to: A) Inability to recover the ransom paid to the hacker because the funds are untraceable (Bitcoin, cash) B) Did not want to publicize the incident C) Fear of reprisal by the hacker in the form of another attack 166) In a well-designed RACI matrix, if there is more than one designated Responsible party for a specific task there is a need to “zoom in” further detail on the sub process associated with “obtain resource commitment” to: A) name each Responsible party B) separate the individual responsibilities C) seek approval to proceed 167) A third party relationship is: A) Any business relationship between your company and another person or entity, except as your customer, where monies are exchanged B) Any business relationship between your company 
and another person or entity C) Any business relationship between your company and another person or entity, except as your customer, regardless of whether monies are exchanged 168) Privacy laws are enacted to: A) Protect corporations from class action lawsuits B) codify the reasonable expectation that their customers’ confidential, proprietary information is safeguarded C) reinforce board members’ accountability to the company’s customers and shareholders 169) Spyware is not used to: A) Spread computer viruses B) Monitor activity on infected computers while users are on line C) Make it appear that the user clicked an advertising link on a site to fraudulently generate payment from the advertiser 170) What is an important “lesson learned” from serious information security breaches experienced by a large, reputable third parties? A) Due diligence addresses key risks B) Well-known, trusted companies with a solid reputation can still experience a serious information security breach C) Their failure to respond appropriately can affect the market value of the company 171) Actionable service-level agreements are primarily used to manage the third party’s: A) Compliance with regulations and laws B) Performance C) Implementation plan 172) Computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware are examples of: A) Software bugs B) Malware C) Encryption 173) Transparency and predictability are key indicators of effective: A) Risk management practices B) Due diligence C) Risk reporting 174) The most effective cyber and information security due diligence is: A) Standardized with automated controls evaluation and risk ratings processes, delivering consistent information and risk ratings across the portfolio of third parties B) Outsourced to a third party with specialized expertise C) Standardized, with quantitative and qualitative controls evaluation processes that leverage expertise and judgement while improving consistency across your portfolio of 
third parties 175) Which step(s) in the third party lifecycle must be completed before risk experts can confidently define controls that are required for a critical third party? A) Risk identification and analysis B) Monitoring C) Trend analysis Your score is 0% Restart quiz