Risk Management And Security Controls Quiz

14 – 29 Questions 11 min
This risk management and security controls quiz extends mandatory OSHA and NFPA training on hazard identification, control selection, and protection of critical assets. You will review how to classify risks, match them to appropriate security control types, and prioritize mitigations. Strong performance reduces workplace incidents, injuries, and the regulatory penalties that follow non-compliance.
1. In a workplace safety program, what is the primary purpose of risk management?

2. In risk management, a hazard is any source with the potential to cause harm.
   True / False

3. Which type of security control is a badge-based door lock that requires employees to tap an ID card before entry?

4. After safety and security controls have been implemented, what does the term "residual risk" describe?

5. If an organization follows a recognized safety standard, residual risk will always be zero.
   True / False

6. Which document typically defines roles, responsibilities, and authorities for making risk decisions in a safety and security program?

7. Administrative controls include policies, procedures, and training that guide how people behave.
   True / False

8. During a formal risk assessment for safety and security, which activities are typically performed?
   Select all that apply

9. A laboratory installs spill sensors that trigger an alarm if a chemical leak occurs, in addition to locked cabinets and staff training. How is the spill sensor best classified?

10. Arrange the phases of a basic risk management process for safety and security from first to last.
    Put in order
    (1) Evaluate and prioritize risks
    (2) Select and plan treatment options
    (3) Analyze likelihood and impact
    (4) Identify hazards and assets

11. A warehouse has non-slip flooring and training for working on wet surfaces, but minor slip incidents still occur. Management decides not to add further controls because the cost would exceed the benefit. Which risk response are they choosing?

12. During a quarterly risk review in a safety and security program, a manager needs a current list of identified risks, owners, and treatment status. Which tool should they consult?

13. Risk transfer eliminates the original risk from the organization.
    True / False

14. A contractor performs many tasks, but working at height has a much higher potential severity than office work. Which maintenance strategy best demonstrates risk-based prioritization?

15. Which of the following are examples of detective controls in a security and safety environment?
    Select all that apply

16. An organization is updating its incident response plan for security breaches and safety incidents. Which elements should be included in the plan?
    Select all that apply

17. In a finance department, invoice approval is separated from payment processing to reduce the chance of fraud. Which category best describes this type of control?

18. After a safety incident shuts down a production line, leadership wants to know the longest outage the organization can tolerate before critical impacts occur. Which metric are they asking for?

19. A hospital wants to reduce the risk of unauthorized access to patient records and also reduce downtime of its clinical systems. Which controls together best address both confidentiality and availability concerns?
    Select all that apply

20. A facility is located in an area where severe earthquakes are rare but could be catastrophic. Full structural reinforcement to the highest standard is extremely expensive, so leadership chooses partial reinforcement plus earthquake insurance. Which risk treatment approach best describes this decision?

21. In a quantitative safety and security risk analysis, a specific event has a Single Loss Expectancy of $250,000 and an Annual Rate of Occurrence of 0.2. What is the Annualized Loss Expectancy (ALE) for this event?

Disclaimer

This quiz is for educational purposes only. It does not replace official safety training, certification, or regulatory compliance programs.

Frequent Errors in Risk Management and Security Control Decisions

Relying on informal risk identification

Many practitioners skip structured techniques such as task analysis, job hazard analysis, and incident trend review. Hazards, cyber threats, and process deviations remain undocumented. To avoid this, maintain a written risk register tied to OSHA and NFPA obligations and update it after inspections, near misses, and change management reviews.

Confusing security control types

People often mislabel administrative, technical, and physical controls or mix preventive, detective, and corrective functions. For example, CCTV is treated as preventive instead of detective. During the quiz, first ask what the control actually does, then assign both its layer and purpose. This reduces errors on questions about control categorization.

Ignoring the hierarchy of controls

A common mistake is jumping straight to PPE or monitoring tools while leaving higher-order controls untouched. Candidates underestimate the role of elimination, substitution, and engineering controls in risk reduction. In scenario questions, prioritize removing or isolating the hazard before choosing administrative rules and PPE, consistent with OSHA and NFPA 70E expectations.

Assuming controls reduce risk to zero

Another frequent error is treating implemented controls as a guarantee that incidents cannot occur. Residual risk, risk acceptance, and periodic review are overlooked. For quiz items that ask what to do after controls are in place, think about verifying effectiveness, monitoring indicators, documenting residual risk, and scheduling formal reassessment.

Focusing on a single discipline

Some learners think only about cyber security or only about physical safety. Many controls span physical access, process safety, and information security. When a question references mixed environments such as industrial control systems, consider both safety outcomes and data protection, and select controls that address both where feasible.

Risk Management and Security Control Scenario Practice

Scenario 1: Access control gap in a warehouse

Your OSHA inspection notes show repeated incidents of unauthorized forklift use after hours. Doors are locked, but badges are shared and CCTV is rarely reviewed. Identify the primary risks, then select a combination of administrative, technical, and physical controls that are preventive and detective rather than relying solely on disciplinary action.

Scenario 2: NFPA 70E electrical maintenance task

An electrician must rack out a breaker in a live switchgear lineup. The existing control is PPE rated for the arc flash boundary. The arc flash study is five years old and equipment has changed. Decide which higher level controls to pursue first, how to reassess risk, and what to document before work proceeds.

Scenario 3: Phishing and social engineering surge

Your incident log shows multiple successful phishing attacks that bypassed email filtering. The security awareness course was completed six months ago. Evaluate the likelihood and impact, then determine which control types are weak. Consider technical filtering changes, administrative policies, and detective monitoring such as simulated phishing and log review.

Scenario 4: Chemical process modification

A new solvent is introduced into a mixing line, changing flash point and exposure risk. Existing controls cover only the previous chemical. Decide how to update the risk assessment, which engineering and administrative controls to modify, and how to document residual risk for management acceptance.

Scenario 5: Policy mapping for 5.4.2 and 26.4.2

Your corporate standard assigns risk management responsibilities to section 5.4.2 and security control selection to section 26.4.2. A new cloud system is proposed. Determine which activities belong in each section, which baselines to apply, and how to justify any compensating controls.

Risk Management and Security Controls Quiz FAQ

Common Questions on the Risk Management and Security Controls Quiz

How does this quiz relate to OSHA and NFPA requirements?

The quiz reinforces concepts that support OSHA safety management guidelines and NFPA standards such as NFPA 70E. Questions focus on identifying hazards, selecting appropriate control types, and documenting risk decisions that help demonstrate a systematic approach to compliance.

What security control types are covered by the quiz?

You will encounter questions on administrative, technical, and physical controls, along with preventive, detective, corrective, and compensating categories. Expect items that ask you to classify a control, identify missing layers, or choose the most effective control set for a given risk scenario.

What do references to 5.4.2 and 26.4.2 mean in this context?

Many training programs group risk management and security control activities into numbered sections such as 5.4.2 or 26.4.2. The quiz mirrors that style by testing how you assign responsibilities, select baselines, and document control decisions across policy sections and procedures.

How should I approach questions on likelihood and impact ratings?

Use a structured risk matrix. First identify credible consequences such as injury, outage, or data loss. Then estimate realistic likelihood based on exposure, threat activity, and existing controls. The best answer usually reflects documented criteria rather than intuition.
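The structured approach above, together with the risk register of question 12, the cost-versus-benefit decision of question 11, and the ALE formula of question 21, can be exercised in one small review routine. The following is an added example, not code from the quiz or from OSHA/NFPA material: the register entries, the 5x5 matrix bands, the cost figures and the rule "mitigate only when the control saves more ALE than it costs" are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (catastrophic)
    sle: float               # single loss expectancy, dollars
    aro: float               # annual rate of occurrence with current controls
    control_cost: float      # yearly cost of the proposed additional control
    aro_with_control: float  # estimated ARO if that control is added

def matrix_rating(likelihood: int, impact: int) -> str:
    """Qualitative band from a 5x5 matrix; thresholds are constructed for this example."""
    score = likelihood * impact
    return "high" if score >= 15 else "medium" if score >= 8 else "low"

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle * aro

def recommend_treatment(e: RiskEntry) -> tuple:
    """Cost/benefit rule (assumed): mitigate only if the control saves more ALE
    than it costs; otherwise accept and record the unchanged ALE as residual risk."""
    saving = ale(e.sle, e.aro) - ale(e.sle, e.aro_with_control)
    if saving > e.control_cost:
        return "mitigate", ale(e.sle, e.aro_with_control)
    return "accept", ale(e.sle, e.aro)

def review(register: list) -> list:
    """Quarterly review view: (id, rating, owner, treatment, residual ALE),
    ordered by matrix band and then by current ALE so the worst items come first."""
    band = {"high": 0, "medium": 1, "low": 2}
    ordered = sorted(register, key=lambda r: (band[matrix_rating(r.likelihood, r.impact)],
                                              -ale(r.sle, r.aro)))
    rows = []
    for e in ordered:
        treatment, residual = recommend_treatment(e)
        rows.append((e.risk_id, matrix_rating(e.likelihood, e.impact), e.owner, treatment, residual))
    return rows

# Constructed sample register; every value is illustrative.
SAMPLE_REGISTER = [
    RiskEntry("R-01", "After-hours forklift use via shared badges", "Warehouse lead",
              4, 4, 40_000.0, 0.5, 12_000.0, 0.1),
    RiskEntry("R-02", "Minor slips on wet floor despite non-slip flooring", "Facilities",
              4, 1, 2_000.0, 1.0, 15_000.0, 0.2),
    RiskEntry("R-03", "Phishing bypassing email filtering", "IT security",
              5, 3, 100_000.0, 0.25, 9_000.0, 0.05),
]
```

Running `review(SAMPLE_REGISTER)` lists the phishing and forklift items first as "high" with a mitigate recommendation, and the slip item last as "low" with an accept recommendation whose residual ALE is documented rather than hidden.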

Can this risk management and security controls quiz help with audit preparation?

Yes. The scenarios align with the reasoning auditors expect to see in risk registers, control selection justifications, and residual risk statements. Use wrong answers as a signal that your current documentation or control mapping might be incomplete or inconsistent.

What mistakes should I watch for while taking the quiz?

Do not focus only on cyber security or only on safety. Avoid choosing PPE when elimination or engineering controls are viable. Read carefully for hints about whether the question targets preventive, detective, or corrective actions before selecting an answer.