康 · June 6, 2025

It's hard to tell whether the policy or the training is the directive control

NO.PZ2025041201000016

Question:

An operational risk analyst at a commercial bank is tasked with categorizing the bank's risk management controls as preventive, detective, corrective, or directive. Which of the following should the analyst classify as a preventive control?

Options:

A.

A system-generated alert that notifies the fraud department when a customer's transaction exceeds a predefined threshold.

B.

A policy that mandates the segregation of duties between employees handling cash deposits and those responsible for cash withdrawals.

C.

A post-incident review process that evaluates the effectiveness of the bank's response to a cyber-attack and suggests improvements.

D.

A training session for customer service representatives that outlines the procedures for handling customer complaints related to unauthorized account access.

Explanation:

Option A: A system-generated alert for transactions exceeding a threshold is a detective control. Its purpose is to identify potentially fraudulent activity after it has started to occur, rather than to stop it from happening in the first place. So this option is incorrect.

Option B: The segregation-of-duties policy is a preventive control. By separating the responsibilities of the employees handling cash deposits from those handling cash withdrawals, no single person can complete and conceal an improper transaction alone, which reduces the likelihood of fraud or error occurring. It is a measure put in place in advance to stop the risk event from happening. Thus, this option is correct.

Option C: A post-incident review process is a corrective control. It focuses on evaluating and improving the bank's response after an incident has occurred, rather than preventing the incident itself. So this option is incorrect.

Option D: A training session on handling customer complaints is a directive control. It gives employees guidance and procedures to follow once a complaint about unauthorized account access arrives; it does not itself stop the unauthorized access from occurring. So this option is incorrect.

It's hard to tell whether the policy or the training is the directive control.

1 answer

李坏_品职助教 · June 6, 2025

Hi, inquisitive PZer:

The "policy" here refers to segregation of duties, i.e. the segregation-of-duties policy. Segregation of duties is applied before a risk event occurs and is intended to prevent the risk from happening.

The "training" here is for customer service, that is, for customer service representatives handling customer complaints. Since it is about handling complaints, the risk event (the complaint) has already occurred, so it is not preventive but a directive control.

----------------------------------------------
It's hard right now, but the feeling of having put in the effort is really good. Keep going!
