GAQM CBCP-002 Certified Business Continuity Professional (CBCP) Exam Practice Test

Operational risk is the type of risk that is related to human error or achievement. Operational risk is the uncertainty or variability of the execution or outcome of an organization’s functions or processes. Operational risk can result from factors such as inadequate policies, procedures, systems, controls, skills, training, supervision, or compliance. Operational risk can affect an organization’s operational efficiency, quality, safety, security, reputation, or profitability. Verified References:

A disaster lasting longer than seventy-two (72) hours requires implementation of a business continuity and disaster recovery plan. A business continuity and disaster recovery plan is a comprehensive document that outlines how an organization will respond to and recover from a disaster that disrupts its normal operations. It covers both the IT aspects (disaster recovery) and the business aspects (business continuity) of restoring the critical functions and processes within an acceptable time frame. A disaster lasting longer than seventy-two (72) hours is likely to have significant impacts on the organization’s performance, reputation, assets, and stakeholders, and therefore requires a coordinated and structured approach to ensure its survival and resilience. Verified References:

Risk ownership must be clearly set out, documented and agreed with the individual owners at all levels of the operational risk management process. This is true because risk ownership is oneof the key principles of business continuity management. Risk ownership means that each risk has a designated person who is responsible and accountable for its identification, assessment, treatment, monitoring, and reporting. Risk owners should have the authority and resources to manage their risks effectively and efficiently. Verified References:

The three components of a business continuity plan are emergency response, incident management, and disaster recovery. They are:

• Emergency response: This component involves the immediate actions taken to protect the life, health, and safety of people and the environment in the event of a disruption. Emergency response may include activating alarms, evacuating premises, contacting emergency services, or providing first aid.
• Incident management: This component involves the coordination and communication of the activities and resources required to manage and resolve a disruption. Incident management may include activating the business continuity team, declaring a disaster, assessing the impact, activating the recovery strategies, or communicating with stakeholders.
• Disaster recovery: This component involves the restoration and recovery of the IT systems, data, and infrastructure that support the critical functions and processes of the organization. Disaster recovery may include activating the backup systems, restoring the data, repairing or replacing the equipment, or testing the functionality. Verified References: https://www.ready.gov/business-continuity-plan https://www.csoonline.com/article/515730/business-continuity-and-disaster-recovery-planning-the-basics.html

A consultant is a person who borrows your watch to tell you the time, charges you for doing so and then sells you back your watch. This is false because it is a cynical and unfair description of a consultant’s role and value. A consultant is a person who provides professional or expert advice in a specific field or domain. A consultant can help an organization to identify problems, analyze situations, develop solutions, implement changes, improve performance, or achieve goals. A consultant can also provide knowledge, skills, tools, or resources that the organization may not have or need temporarily. Verified References:

In pre-crisis management, CM activities are focused on prevention and preparedness activities. This is true because pre-crisis management is the phase before a crisis occurs, where theorganization tries to anticipate and avoid potential crises or reduce their likelihood and impact. Pre-crisis management involves activities such as risk assessment, business impact analysis, business continuity planning, contingency planning, crisis communication planning, training and awareness, testing and exercising, monitoring and reviewing. Verified References:

Business continuity planning is not a one-time activity, but a dynamic and ongoing process that needs to be reviewed and updated regularly to reflect changes in the internal and external environment. The frequency of review may vary depending on the nature and size of the organization, but it is generally recommended to conduct a review at least annually or whenever significant changes occur that may affect the continuity of the organization’s functions and processes. Such changes may include organizational restructuring, new products or services, new technologies, new regulations, new threats or vulnerabilities, or lessons learned from incidents or exercises. Verified References:

A disaster can also be declared for an illness pandemic where a significant portion of employees are sick. This is true because an illness pandemic is a type of natural disaster that can affect an organization’s ability to continue its normal operations. An illness pandemic can cause absenteeism, reduced productivity, increased costs, supply chain disruptions, customer dissatisfaction, or regulatory compliance issues. Therefore, an organization may need to declare a disaster and activate its business continuity and disaster recovery plan if an illness pandemic impacts its critical functions and processes beyond an acceptable level. Verified References:

Business impact analysis (BIA) is the process of identifying and prioritizing the organization’s functions and processes based on their importance to the organization’s objectives, and assessing the potential impacts of a disruption to those functions and processes over time. The BIA helps to determine the recovery time objectives (RTOs), recovery point objectives (RPOs), and resource requirements for each function and process, as well as the interdependencies and dependencies among them. The BIA provides the basis for developing recovery strategies and plans. Verified References:

A risk register is a register that maintains information on all the identified risks relating to an organization. A risk register is a document or a tool that records and tracks the details of each risk, such as its description, source, impact, likelihood, rating, owner, status, response strategy, action plan, and monitoring method. A risk register is a useful tool for managing risks and communicating them to stakeholders. Verified References:

A policy statement is a statement that is authorized at an appropriate level and should codify the company’s attitude to a particular risk. A policy statement is a document that defines the scope, objectives, principles, roles, and responsibilities of a business continuity management program. It should also express the organization’s commitment to managing risks and ensuring continuity of its critical functions and processes. A policy statement should be approved by senior management and communicated to all relevant stakeholders. Verified References:

Technical risk is the type of risk that is associated with risk of physical assets failing/being damaged or enhanced. Technical risk is the uncertainty or variability of the performance or reliability of physical assets, such as equipment, systems, infrastructure, or data. Technical risk can result from factors such as design flaws, manufacturing defects, maintenance issues, obsolescence, human error, natural disasters, or cyberattacks. Technical risk can affect an organization’s operational efficiency, quality, safety, security, or profitability. Verified References: