Section: Volume D

Section: Volume D

Explanation/Reference:
Explanation:
The COSO ERM (Enterprise Risk Management) frame work is a 3-dimensional model. The dimensions and their components include:
Strategic Objectives - includes strategic, operations, reporting, and compliance.

Risk Components - includes Internal Environment, Objectives settings, Event identification, Risk

assessment, Risk response, Control activities, Information and communication, and monitoring.
Organizational Levels - include subsidiary, business unit, division, and entity-level.

The COSO ERM framework contains eight risk components:
Internal Environment

Objective Settings

Event Identification

Risk Assessment

Risk Response

Control Activities

Information and Communication

Monitoring

Section 404 of the Sarbanes-Oley act specifies a three dimensional model- COSO ERM, comprised of Internal control components, Internal control objectives, and organization entities. All the items listed are components except Financial reporting which is an internal control objective.
Incorrect Answers:
A, C, D: They are the Internal control components, not the Internal control objectives.

Section: Volume A
Explanation/Reference:
Explanation:
The risk matrix is not included as part of the risk register updates. There are seven things that can be updated in the risk register as a result of qualitative risk analysis: relating ranking of project risks, risks grouped by categories, causes of risks, list of near-term risks, risks requiring additional analysis, watchlist of low-priority risks, trends in qualitative risk analysis.
Incorrect Answers:
A: Trends in qualitative risk analysis are part of the risk register updates.
C: Risks grouped by categories are part of the risk register updates.
D: Watchlist of low-priority risks is part of the risk register updates.

Explanation/Reference:
Explanation:
An enterprise's risk management capability maturity level is 3 when:
Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are

recognized.
There is a selected leader for risk management, engaged with the enterprise risk committee, across the

enterprise.
The business knows how IT fits in the enterprise risk universe and the risk portfolio view.

Local tolerances drive the enterprise risk tolerance.

Risk management activities are being aligned across the enterprise.

Formal risk categories are identified and described in clear terms.

Situations and scenarios are included in risk awareness training beyond specific policy and structures

and promote a common language for communicating risk.
Defined requirements exist for a centralized inventory of risk issues.

Workflow tools are used to accelerate risk issues and track decisions.

Incorrect Answers:
C: Enterprise having risk management capability maturity level 5 requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.