CISI Risk in Financial Services: 32 Questions & Simulator

Start with 32 on-page sample questions and a free simulator preview. Subscribe to unlock the full Risk in Financial Services practice bank, timed mock exams, drills, and detailed explanations.

The CISI Risk in Financial Services paper is the broad risk product in this UK set. It spans the principles of risk management, international risk regulation, operational, credit, market, investment, and liquidity risk, plus model risk, governance, oversight, and enterprise risk management. If you are searching for Risk in Financial Services sample questions, a practice test, mock exam, or simulator, this is the main Securities Prep page to start on web and continue on iPhone or Android with the same account.

Interactive Practice Center

Start a practice session for CISI Risk in Financial Services below, or open the full app in a new tab. For the best experience, open the full app in a new tab and navigate with swipes/gestures or the mouse wheel—just like on your phone or tablet.

A small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same account they use on web and mobile.

If you already subscribed on web or mobile, sign in with the same account here to continue on desktop.

What this page gives you

  • a direct route into the live Securities Prep simulator for CISI Risk in Financial Services
  • 32 sample questions with detailed explanations spread across all current topic areas on the page
  • UK-specific practice language around capital, liquidity, governance, operational events, model risk, and enterprise-risk oversight
  • free-preview access on web before you subscribe
  • the same account across web, iPhone, iPad, macOS, and Android

CISI Risk in Financial Services exam snapshot

| Item | Current summary |
| --- | --- |
| Body | Chartered Institute for Securities & Investment (CISI) |
| Market | United Kingdom |
| Official exam name | CISI Risk in Financial Services |
| Format | 100 multiple-choice questions in 120 minutes |
| Live bank size | 1,025 questions in Securities Prep |
| Practice page sample | 32 public sample questions plus the live Securities Prep simulator entry |
| Question style | Short cross-firm risk, control, governance, and escalation scenarios |
| UK study context | UK and international regulatory framing for risk oversight rather than only textbook risk definitions; cross-firm controls, governance, and enterprise-risk expectations relevant to regulated financial services; scenario language that moves between capital, controls, oversight, and escalation responsibilities |

Topic coverage for CISI Risk in Financial Services

| Topic | Weighting |
| --- | --- |
| Principles of Risk Management | 14% |
| International Risk Regulation | 7% |
| Operational Risk | 15% |
| Credit Risk | 15% |
| Market Risk | 15% |
| Investment Risk | 11% |
| Liquidity Risk | 10% |
| Model Risk | 3% |
| Risk Oversight and Corporate Governance | 5% |
| Enterprise Risk Management (ERM) | 5% |

Best fit by UK role

| Best fit | Open this page first? | Why |
| --- | --- | --- |
| Risk analyst, second-line controls, or governance candidate | Yes | It covers the broadest operational, credit, market, liquidity, and ERM mix in one paper. |
| Compliance candidate who needs wider risk context around crime and conduct | Usually yes after UK RPI | It places controls and escalation inside a full enterprise-risk frame. |
| Candidate comparing specialist crime work with broader oversight work | Yes | It helps decide whether your better fit is broad risk or the narrower CFC route. |

Real-paper timing target

| Item | Target |
| --- | --- |
| Real paper | 100 questions in 120 minutes |
| Average pace | About 72 seconds per question |
| Practice checkpoint | 25 questions in 30 minutes or 50 questions in 60 minutes |
| Coaching note | You do not have time to re-derive every concept. Make the signal words for each risk type automatic before full timed sets. |

Best page to open next

| If you need to… | Best page | Why |
| --- | --- | --- |
| Go narrower into AML, sanctions, bribery, and fraud | /exams/cisi/combating-financial-crime/ | Best next page when your work sits inside financial-crime controls rather than broader enterprise-risk coverage. |
| Add the UK conduct and regulation core | /exams/cisi/uk-reg-prof-integrity/ | Best next page when you want the FCA/PRA, authorisation, and complaints framework beside the broader risk lens. |
| Move into portfolio and valuation depth | /exams/cisi/investment-management/ | Best next page when your route is investment-management rather than control or compliance breadth. |
| See the full UK route order | /securities/roadmaps/uk/ | Best route when you want to place this paper inside the wider UK CISI sequence. |

What CISI Risk in Financial Services is really testing

  • whether you can identify the main risk type from the facts rather than describing the symptom only
  • whether governance, escalation, and control ownership sit in the right place for the risk that appears
  • whether operational, credit, market, liquidity, and investment risk are being distinguished cleanly under time pressure
  • whether enterprise-risk thinking still works when multiple risk categories interact in one scenario

How to use the Risk in FS simulator efficiently

  1. Make the definitions and signals for operational, credit, market, and liquidity risk automatic before doing full mixed sets.
  2. Treat risk identification and governance ownership as one review loop, because many misses are really escalation mistakes.
  3. Review market, investment, and liquidity questions together so you do not collapse them into one generic volatility label.
  4. Finish with timed mixed blocks that force you to switch between frontline events, governance failures, and ERM-level responses.

Free preview vs premium

  • Free preview: 32 public sample questions on this page plus the web app entry so you can validate the question style and explanation depth.
  • Premium: the full Risk in FS practice bank, focused drills, mixed sets, timed mock exams, detailed explanations, and progress tracking across web and mobile.

32 Risk in FS sample questions with detailed explanations

These 32 questions are drawn from the live CISI Risk in Financial Services bank and spread across every current topic area in the exam configuration. Use them to test readiness here, then continue into the full Securities Prep simulator for broader timed coverage and deeper review.

Question 1

Topic: Credit Risk

A bank’s treasury desk has a £45 million unsecured receivable from a BBB-rated corporate counterparty. After a sector shock, the counterparty’s bond spread over gilts widens from 110 basis points to 340 basis points, but the external rating remains BBB. Which is the best interpretation of the counterparty’s credit risk?

  • A. Exposure has increased because the bond spread has widened.
  • B. Risk is unchanged because the external rating is unchanged.
  • C. Exposure is unchanged, but the credit-risk premium signals deterioration ahead of ratings.
  • D. The wider spread reflects market risk rather than credit risk.

Best answer: C

Explanation: The £45 million receivable is the credit exposure, so it shows the amount at risk if default occurs. The sharp rise in the bond spread is a higher credit-risk premium, which signals worsening credit quality even though the external rating has not yet changed.

Credit exposure, credit-risk premium, and credit ratings measure different aspects of credit risk. Credit exposure is the size of the amount at risk, here the £45 million unsecured receivable. Credit ratings give a broad external assessment of credit quality, but they may change less frequently and can lag new information. The bond spread over gilts is a market-implied credit-risk premium: when it widens sharply, investors are demanding more return for bearing higher default risk. In this scenario, the exposure amount is unchanged, but the market signal of credit deterioration has clearly increased despite the stable BBB rating. The key point is that exposure measures loss size, while spreads and ratings help indicate default risk, with spreads often reacting faster.


Question 2

Topic: Principles of Risk Management

A lender wants a technique that examines how a recession, falling collateral values and weak underwriting standards could reinforce each other and increase losses. It does not want a one-factor test or a retrospective assurance review. Which risk-management technique best matches this purpose?

  • A. Scenario analysis
  • B. Internal audit
  • C. Key risk indicator monitoring
  • D. Sensitivity analysis

Best answer: A

Explanation: Scenario analysis is designed to explore how several risk drivers can occur together and amplify losses. In this case, the external downturn and internal underwriting weakness interact, so a combined scenario is the best fit.

The core concept is that risk drivers rarely act in isolation. Scenario analysis helps a firm assess the effect of linked events, such as an external recession and falling collateral values combining with an internal weakness like poor underwriting. That makes it suitable for understanding overlapping and interactive risks in a practical business setting.

By contrast, sensitivity analysis usually changes one input at a time, so it is less effective when the main issue is interaction. Internal audit provides independent assurance over controls and governance, but it is not the main tool for modelling combined risk outcomes. Key risk indicators can warn of rising risk, but they do not by themselves show the potential impact of multiple drivers acting together.

The key takeaway is that when the question is about combined causes and amplified outcomes, scenario analysis is the best match.


Question 3

Topic: Liquidity Risk

A bank relies heavily on overnight wholesale funding and holds many assets that would be hard to sell quickly in a stressed market without a material discount. Which liquidity-risk management response best matches this profile?

  • A. Run liquidity stress tests more frequently
  • B. Tighten single-name borrower concentration limits
  • C. Increase transfer-pricing charges on illiquid assets
  • D. Lengthen funding maturities and hold more unencumbered liquid assets

Best answer: D

Explanation: The bank faces both funding liquidity risk and poor asset marketability. Extending funding maturities reduces reliance on constant refinancing, while holding more unencumbered liquid assets improves its capacity to meet cash outflows during stress.

The core concept is matching the response to both sides of liquidity risk. Heavy use of overnight wholesale funding creates refinancing or rollover risk, because the bank must replace funding frequently. Assets that cannot be sold quickly without a large discount weaken market liquidity, making it harder to generate cash in stress. The best response is therefore to term out funding and maintain a larger buffer of unencumbered high-quality liquid assets, which strengthens resilience to outflows and reduces pressure to sell illiquid positions at distressed prices.

Monitoring tools and behavioural pricing can help, but they do not change the underlying liquidity profile as directly as balance-sheet actions do.


Question 4

Topic: Model Risk

A bank is validating a model for its corporate loan book.

Exhibit:

  • Exposure at default: £5,000,000
  • Probability of default: 3%
  • Loss given default: 40%
  • Calculated expected loss: £60,000

Which major type of risk model is being used?

  • A. Liquidity gap model
  • B. Credit expected-loss model
  • C. Market Value at Risk model
  • D. Operational loss-distribution model

Best answer: B

Explanation: The exhibit uses exposure at default, probability of default and loss given default to calculate expected loss. Those are core credit risk model inputs, so this is a credit expected-loss model rather than a market, operational or liquidity model.

This is a credit risk model because it estimates expected credit loss using the standard relationship:

\[
\begin{aligned}
\text{Expected loss} &= \text{EAD} \times \text{PD} \times \text{LGD} \\
&= 5{,}000{,}000 \times 0.03 \times 0.40 \\
&= 60{,}000
\end{aligned}
\]

EAD, PD and LGD are the classic building blocks of credit risk modelling for loans and counterparties. The model is assessing loss from borrower default, not loss from market-price movements, operational events, or funding mismatches. A close distractor is market Value at Risk, but VaR would normally be framed by a confidence level and holding period, not by PD and LGD.


Question 5

Topic: Model Risk

Senior management uses a portfolio model to compare how a proposed increase in leveraged lending would affect expected loss, earnings volatility and capital usage in both base and stressed conditions. Which main benefit of modelling does this best illustrate?

  • A. Testing predictions against actual results
  • B. Providing independent challenge to model design
  • C. Setting the board’s risk appetite and limits
  • D. Quantifying future outcomes to support strategic decisions

Best answer: D

Explanation: The key benefit shown is forward-looking decision support. The model converts assumptions about a proposed lending change into quantified estimates of loss, volatility and capital usage, helping management compare choices before committing resources.

A core benefit of modelling in risk management is that it provides a structured, forward-looking view of possible outcomes. In the stem, management is not using the model to check whether the model itself is sound, nor to carry out a governance approval step. Instead, it is using the model to estimate how a business decision could affect risk and capital under different conditions, including stress. That is classic decision support: models help firms compare alternatives, assess downside risk, and understand trade-offs before taking action.

Models can inform governance and must be validated and monitored, but those are separate functions. The main benefit here is better-informed decision-making through quantified scenario analysis.


Question 6

Topic: Risk Oversight and Corporate Governance

A firm maps every principal risk to a named executive, and committee papers show who owns each control weakness and remediation action so no material risk is left “between departments”. Which factor that shapes a firm’s risk and control culture is most directly strengthened by this arrangement?

  • A. Accountability
  • B. Ownership
  • C. Transparency
  • D. Risk appetite or tolerance

Best answer: B

Explanation: The arrangement is mainly about clear ownership. By assigning each principal risk, control weakness, and remediation action to a named person, the firm reduces diffusion of responsibility and makes it clear who is expected to manage each issue.

Ownership is the cultural factor most directly shown when a firm assigns each material risk or control issue to a named individual or role. In risk management, clear ownership means nobody can assume that another team is dealing with the matter, so escalation, monitoring, and remediation have an obvious starting point. That is a core feature of a strong risk and control culture.

  • Ownership allocates the risk or action to a specific person.
  • Accountability is the next layer: being answerable for outcomes and challenge.
  • Transparency concerns how openly information is reported.
  • Risk appetite sets how much risk the firm is willing to accept.

The closest distractor is accountability, but the stem focuses first on allocation of responsibility rather than being held to account for results.


Question 7

Topic: Risk Oversight and Corporate Governance

A bank’s treasury desk has exceeded its approved interest-rate risk limit three times in one month. Each time, the desk head granted a temporary waiver. The second-line market risk team receives breach reports only weekly, and the policy does not state who may approve waivers or when the board risk committee must be informed. Which action best addresses the governance-structure issue?

  • A. Define independent waiver authority and mandatory escalation to CRO and risk committee.
  • B. Ask operations to circulate limit reports more quickly.
  • C. Require traders to retake market-risk limit training.
  • D. Have desk management review positions at midday and close.

Best answer: A

Explanation: The main weakness is not simply poor desk discipline; it is unclear decision rights and escalation. Sound risk governance requires independent oversight of limit waivers and a defined route for escalating repeated breaches to senior management and the risk committee.

This scenario points to a governance-structure problem because the firm has not set clear authority for approving limit waivers or defined when breaches must be escalated. Under a sound three-lines-of-defence approach, the treasury desk is the first line and manages positions, but it should not be the sole authority for waiving its own limits. The second line should receive timely information, and repeated or material breaches should have a formal escalation path to the CRO and, where appropriate, the board risk committee. Training, extra desk reviews, or faster report circulation may improve day-to-day execution, but they do not correct the underlying weakness in accountability and oversight. The key fix is to redesign approval and escalation, not just improve desk routines.


Question 8

Topic: Principles of Risk Management

A prudential framework requires a firm to identify credible actions to restore viability under severe stress, while authorities prepare for an orderly failure that preserves critical functions and limits wider market disruption. Which concept does this describe?

  • A. Contingency funding planning
  • B. Internal capital adequacy assessment process
  • C. Recovery and resolution planning
  • D. Business continuity planning

Best answer: C

Explanation: Recovery and resolution planning is designed to help a stressed firm recover if possible and, if not, to allow it to fail in an orderly way. This matters because it supports continuity of critical functions and reduces contagion across the financial system.

The core concept is recovery and resolution planning. A recovery plan is prepared by the firm and sets out credible management actions to restore capital, liquidity, or viability under severe stress. A resolution plan is prepared by the relevant authority to enable an orderly failure if recovery is not possible, while maintaining critical functions and limiting systemic disruption. Together, they are intended to reduce disorderly collapse, contagion, and reliance on taxpayer support, which is why they are important for systemic resilience and continuity in financial services.

By contrast, the closest distractors focus on narrower objectives such as liquidity stress, operational disruption, or capital assessment rather than orderly firm recovery and resolution.


Question 9

Topic: Investment Risk

An asset manager runs a GBP corporate bond fund. The fund now has 30% invested in three thinly traded bonds. After a sharp widening in credit spreads, valuations still rely on broker quotes entered by portfolio managers, and the board risk pack is issued 10 days after month-end. Which change would MOST improve investment-risk management?

  • A. Temporary widening of concentration limits until credit spreads stabilise
  • B. Daily independent exposure, valuation and liquidity reporting with breach escalation
  • C. Quarterly external review of prices for the concentrated bond holdings
  • D. More detailed month-end performance commentary from portfolio managers

Best answer: B

Explanation: The key problem is delayed and non-independent risk information after a market shock. Daily independent reporting on exposure, valuation and liquidity would improve both the accuracy and timeliness of monitoring, allowing quicker management action and escalation.

Effective investment-risk management depends on timely, accurate and independent monitoring being linked to prompt reporting and action. Here, the fund has a concentrated position in illiquid bonds, valuations are coming from the front office, and reporting to governance is delayed after spreads have widened. Daily independent reporting would address all three weaknesses by improving measurement quality, highlighting liquidity and concentration deterioration sooner, and escalating exceptions before they become larger losses.

  • Independent valuation reduces the risk of biased or stale marks.
  • Frequent exposure and liquidity reporting shortens the time between risk emergence and response.
  • Breach escalation connects monitoring to governance and management action.

A less frequent control may help assurance, but it does not solve the core issue of timely risk visibility.


Question 10

Topic: Market Risk

A UK fund reporting in GBP buys 2,000 shares in a US-listed oil producer at USD 40 each, financed partly by a USD 50,000 floating-rate loan.

After one month:

  • share price: USD 44
  • FX rate: 1 GBP = USD 1.25 at purchase, then USD 1.20
  • oil price: higher than at purchase
  • short-term USD rates: higher than at purchase
  • loan principal: still USD 50,000; ignore one month’s interest accrual

Which statement is most accurate?

  • A. Net sterling value rises about £7,667; equity, currency, commodity and interest-rate risk interact.
  • B. Net sterling value rises about £6,400; equity, commodity and interest-rate risk interact.
  • C. Net sterling value falls about £7,667; currency risk outweighs the share-price gain.
  • D. Net sterling value rises about £9,333; only equity and currency risk interact.

Best answer: A

Explanation: This is a foreign, commodity-linked equity position funded with floating-rate debt, so several market risks sit in one trade. The net position moves from USD 30,000 to USD 38,000, which translates from about £24,000 to £31,667, giving a gain of roughly £7,667 before interest.

A single position can carry several market-risk drivers at the same time. Here, the oil producer shares create equity risk, the producer’s sensitivity to oil prices adds commodity risk, the USD asset and USD loan translated into GBP create currency risk, and the floating-rate loan adds interest-rate risk.

  • Initial asset value = 2,000 × USD 40 = USD 80,000
  • Initial net USD position = USD 80,000 - USD 50,000 = USD 30,000 = £24,000 at 1.25
  • Final net USD position = 2,000 × USD 44 - USD 50,000 = USD 38,000 = about £31,667 at 1.20

So the simplified gain is about £7,667 before any loan interest. The key point is that one funded foreign equity holding can be exposed to multiple market-risk factors at once.


Question 11

Topic: International Risk Regulation

A mid-sized bank is above its Pillar 1 minimum capital requirements, but plans to expand into leveraged lending and rely more heavily on a single cloud provider. Before approving the strategy, the board asks how the ICAAP should be used. Which response best reflects the purpose of the ICAAP?

  • A. Confirm that current Pillar 1 ratios remain above the minimum, so no further capital assessment is needed unless a breach occurs.
  • B. Set daily front-office risk limits, because ICAAP is primarily a trading-desk market-risk control process.
  • C. Transfer responsibility for capital adequacy to internal audit, because independent assurance should replace management’s assessment.
  • D. Assess whether capital is adequate for all material risks under normal and stressed conditions, and use that assessment in board and supervisory review.

Best answer: D

Explanation: ICAAP is intended to give the board and supervisor a forward-looking view of whether a firm holds adequate capital for its material risks, including those not fully captured by Pillar 1. In this case, strategy changes create concentration and operational exposures that should be assessed under stress, not ignored because minimum ratios are currently met.

The core purpose of the ICAAP is to help a firm identify its material risks, assess whether its capital is adequate for those risks, and demonstrate that assessment to both the board and the supervisor. It is broader than a mechanical check of Pillar 1 minima. In the scenario, expansion into leveraged lending increases credit and concentration risk, while greater dependence on one cloud provider increases operational and resilience risk. ICAAP should therefore test capital adequacy on a forward-looking basis, including stress scenarios, and link the results to strategy, risk appetite, and governance.

A simple compliance check against minimum ratios is too narrow; ICAAP exists precisely because some risks are firm-specific and may not be fully captured by standard regulatory formulas. The key takeaway is that ICAAP supports prudent decision-making and supervisory review, rather than serving as a front-line control tool or an internal audit substitute.


Question 12

Topic: Market Risk

Which market-risk term describes the risk that the relationship between a position and its hedge changes, so the hedge no longer offsets movements as expected?

  • A. Yield curve risk
  • B. Funding liquidity risk
  • C. Basis risk
  • D. Tracking error

Best answer: C

Explanation: This is basis risk. It arises when an exposure and its hedge fail to move in line with each other, so the hedge becomes imperfect even if the general market view was broadly right.

Basis risk is a form of market risk caused by imperfect correlation between an exposure and the instrument used to hedge it. The defining issue is not simply that market prices move, but that the spread or relationship between two related prices or rates changes. That means a hedge can underperform even when it was chosen to offset the main market move. Typical examples include hedging one interest-rate benchmark with another or using a proxy hedge for a similar asset. This makes basis risk a boundary issue within market risk, because the problem lies in relative movement rather than pure directional movement.

The key clue is a breakdown in co-movement between the position and the hedge.


Question 13

Topic: Investment Risk

An investor buys a fund unit for £20 and sells it for £22 exactly 6 months later. No income is paid during the period. What are the holding-period return and the annualised return on a compound basis?

  • A. 10.0% and 21.0%
  • B. 21.0% and 10.0%
  • C. 5.0% and 10.0%
  • D. 10.0% and 20.0%

Best answer: A

Explanation: The holding-period return is the actual return earned over the 6-month investment period: \((22-20)/20 = 10\%\). Annualising on a compound basis converts that 6-month growth to a one-year equivalent: \(1.10^2 - 1 = 21\%\), so the annualised figure is higher than the holding-period return.

Holding-period return measures the total gain over the period actually invested, while annualised performance expresses that same outcome as an equivalent yearly compound rate. Here, the price rises from £20 to £22 in 6 months, so the holding-period return is 10%.

\[
\begin{aligned}
\text{HPR} &= \frac{22-20}{20} = 10\% \\
\text{Annualised return} &= (1.10)^{12/6} - 1 = 1.21 - 1 = 21.0\%
\end{aligned}
\]

The key point is that 10% is the return over 6 months, whereas 21.0% is the one-year compound equivalent, not the return actually earned during the 6-month holding period.


Question 14

Topic: Credit Risk

A bank’s commercial real-estate lending desk has a sector limit of 20% of total corporate exposures and single-name borrower limits. After a sharp fall in office values, several loans moved to the watchlist and the sector limit was exceeded for 10 days before this appeared in the quarterly board pack. Which step would best strengthen credit-risk management, limit control and governance oversight?

  • A. Replace breach reporting with a quarterly stress-test summary for finance.
  • B. Temporarily raise the sector limit until property prices stabilise.
  • C. Create exception reporting for limit breaches and watchlist moves, with immediate escalation to the credit committee and trend reporting to the board risk committee.
  • D. Leave escalation to relationship managers through annual credit reviews.

Best answer: C

Explanation: The main weakness is delayed visibility of a material concentration breach and worsening borrower quality. Exception reporting linked to immediate escalation and board-level trend reporting gives timely management action, stronger limit discipline and better governance oversight.

The core concept is that credit-risk reporting must do more than describe the portfolio; it must trigger timely escalation and accountable action. In this scenario, the bank has both concentration risk and signs of borrower deterioration, yet the sector-limit breach was not visible beyond normal reporting until the quarterly board pack. The strongest response is an exception-based report that flags limit breaches, watchlist migrations and unresolved actions, with clear thresholds for immediate escalation to the credit committee and regular trend reporting to the board risk committee. This supports operational control by management, oversight by the second line and effective governance challenge. Simply changing limits or relying on slower reporting reduces control rather than strengthening it.


Question 15

Topic: Investment Risk

An investor holds a share for one year.

Exhibit:

  • Purchase price: £250
  • Sale price after 1 year: £255
  • Cash dividend received: £10
  • Inflation over the year: 3%

Using the simple approximation real return ≈ total return - inflation, what was the investor’s real return for the holding period?

  • A. 2%
  • B. 9%
  • C. 6%
  • D. 3%

Best answer: D

Explanation: Total return over the holding period includes both the £5 price gain and the £10 dividend. That gives a nominal return of 6%, and adjusting for 3% inflation gives an approximate real return of 3%.

The key distinction is that total return for a holding period includes income plus capital movement, while real return adjusts that nominal performance for inflation. Here, the investor gains £5 in price and receives £10 in dividend income, so total gain is £15 on a £250 investment.

\[
\begin{aligned}
\text{Nominal total return} &= \frac{255 - 250 + 10}{250} = 6\% \\
\text{Real return} &\approx 6\% - 3\% = 3\%
\end{aligned}
\]

So the correct figure is the inflation-adjusted return of 3%, not the unadjusted nominal return.


Question 16

Topic: Principles of Risk Management

A bank wants a tool that starts with one event, such as a large counterparty default, and traces knock-on effects on credit losses, collateral calls, market prices and funding liquidity. Which risk-management technique best matches that purpose?

  • A. Risk and control self-assessment
  • B. Enterprise-wide scenario analysis
  • C. Value at Risk modelling
  • D. Market-risk back-testing

Best answer: B

Explanation: Enterprise-wide scenario analysis follows a single shock through different parts of the firm. It is specifically used to identify secondary effects across multiple risk categories rather than measure one risk in isolation.

The core concept is cross-risk scenario analysis within enterprise risk management. Starting with an event such as a counterparty default, the firm assesses not only the immediate credit loss but also secondary consequences such as collateral calls, market repricing and liquidity strain. This helps management understand interconnected risks, concentrations and whether funding and control arrangements would remain effective under stress. Tools such as Value at Risk and back-testing are much narrower, and risk and control self-assessment is mainly about identifying control weaknesses rather than tracing a multi-risk event path. The key takeaway is that one risk event can propagate across several categories.


Question 17

Topic: Enterprise Risk Management (ERM)

A banking group has exposures to the same commercial property market through corporate loans, treasury securities, and committed but undrawn credit lines. Each business line is within its own limit, but the board receives no consolidated report. After a sharp property-market fall, what is the single best reason for producing an aggregated risk view for senior management and the board?

  • A. To remove the need for board escalation while mandates are unchanged
  • B. To allow gains in one book to fully offset losses in another
  • C. To show that meeting desk limits means overall exposure is acceptable
  • D. To reveal whether correlated exposures and concentrations exceed group risk appetite

Best answer: D

Explanation: Risk aggregation matters because boards must assess the firm’s total exposure, including concentrations and correlations across business lines. Separate reports can hide that several activities are exposed to the same underlying shock, so individual limit compliance does not guarantee that overall risk remains within appetite.

The core ERM concept is that senior management and boards need a group-wide view of exposure, not a collection of silo reports. In this scenario, loans, securities, and undrawn facilities are all linked to the same commercial property downturn. Even if each area stays within its own limit, the combined effect may create a sector concentration large enough to threaten earnings, capital, or liquidity and to breach the firm’s risk appetite.

Aggregation helps the board to:

  • identify common risk drivers across businesses
  • see concentrations that are hidden in separate reports
  • make escalation and risk appetite decisions on a whole-firm basis

It complements local controls; it does not replace stress testing or board oversight.


Question 18

Topic: Operational Risk

An investment firm can fund automation for only one manual process this quarter. Automation is expected to cut errors in the chosen process by 80%.

Manual process | Items per month | Error rate | Average loss per error
Client money payments | 500 | 1.2% | £2,000
Trade bookings | 2,000 | 0.3% | £250

Based on the expected monthly loss reduction, which response best manages the firm’s operational-risk exposure?

  • A. Prioritise higher counterparty limits
  • B. Prioritise a larger liquidity buffer
  • C. Prioritise automating client money payments
  • D. Prioritise automating trade bookings

Best answer: C

Explanation: Operational-risk controls should be prioritised where they remove the most expected loss from process failures. Both processes generate about six errors a month, but client money payments have far higher loss severity, so automation there reduces exposure much more.

The core concept is expected operational loss: frequency multiplied by severity, then adjusted for the control effect. Here, both manual processes have the same expected number of monthly errors, but the financial impact of each client money payment error is far greater.

  • Client money payments: 500 × 1.2% = 6 errors; 6 × £2,000 = £12,000 expected monthly loss; 80% reduction = £9,600
  • Trade bookings: 2,000 × 0.3% = 6 errors; 6 × £250 = £1,500 expected monthly loss; 80% reduction = £1,200

So automating client money payments gives the largest reduction in operational-risk exposure. The closest distractor focuses on higher transaction volume, but volume alone is not the deciding factor when loss severity differs sharply.


Question 19

Topic: International Risk Regulation

A consumer lender launches an AI underwriting model in a market where the regulator sets broad duties on fair customer outcomes, governance and accountability, but few detailed process rules. The model uses postcode data, validation is incomplete, and the board has not reviewed the related risk appetite. Which response best reflects a principles-based approach to regulation?

  • A. Regulatory action should wait until customer complaints confirm actual harm.
  • B. The firm must show its model, governance and outcomes meet broad principles.
  • C. Compliance is judged only against a prescribed underwriting checklist set by law.
  • D. Compliance depends on whether legislation explicitly bans postcode data in underwriting.

Best answer: B

Explanation: A principles-based regime focuses on whether the firm can demonstrate fair outcomes, sound governance and effective risk management against broad standards. In this scenario, incomplete validation and weak board oversight matter even if no specific law expressly bans the model feature.

The key difference is that principles-based regulation sets high-level expectations and leaves firms to apply them appropriately in their own business context. Here, the lender cannot rely on the absence of a detailed prohibition because the regulator expects it to justify the use of postcode data, complete proper validation, and show that the board has overseen the risk within appetite.

The scenario points to three issues:

  • a potentially sensitive model input
  • incomplete model validation
  • weak governance oversight

Under a principles-based approach, those facts create regulatory risk because compliance is assessed against broad duties such as fair treatment, accountability and effective control. A more statutory approach would lean more heavily on whether specific legal rules or prescribed steps had been broken.


Question 20

Topic: Liquidity Risk

A broker-dealer is assessing its same-day liquidity position.

Exhibit:

  • Opening cash: £12m
  • Contractual inflows due today: £5m
  • Wholesale funding maturing today: £15m
  • Variation margin payable today: £6m
  • Expected client withdrawals today: £9m

Using only these figures, which statement is most accurate?

  • A. A £13m shortfall; delayed settlements or forced sales could spread stress.
  • B. A £17m shortfall; the main issue is borrower default losses.
  • C. A £30m shortfall; the impact would remain within this firm.
  • D. A £13m surplus; the main issue is market-price volatility.

Best answer: A

Explanation: The firm has £17m available today from opening cash and contractual inflows, but it must meet £30m of same-day outflows, leaving a £13m shortfall. That is a funding liquidity problem: the firm may need emergency funding, delay payments, or sell assets quickly, and similar actions by several firms can transmit stress through markets and counterparties.

Liquidity risk is the risk that cash is not available when obligations fall due. Here, the firm can access £17m today from opening cash and contractual inflows, but it must meet £30m of same-day outflows, so its net liquidity position is -£13m.

  • Available cash today = £12m + £5m = £17m
  • Required outflows today = £15m + £6m + £9m = £30m
  • Net liquidity gap = £17m - £30m = -£13m

A negative same-day position means the firm may need emergency borrowing, use liquid assets, delay settlements, or make forced asset sales. If several firms face similar shortfalls at once, these actions can reduce market liquidity and put pressure on counterparties, turning an individual funding problem into wider systemic stress. The key point is cash-timing pressure, not market-price volatility or borrower default.


Question 21

Topic: Credit Risk

A bank’s trade finance portfolio contains 200 obligors, and no single counterparty exceeds the internal name limit. However, 42% of total exposure is to copper exporters in one country. After a sharp fall in copper prices, that country also imposes foreign-exchange controls. What is the single best assessment of the bank’s credit risk?

  • A. Name limits mean the portfolio is already well diversified.
  • B. FX controls make this primarily a liquidity-risk issue.
  • C. The copper price shock is mainly market risk for the bank.
  • D. Sector and country concentration can create correlated credit losses.

Best answer: D

Explanation: This is concentration risk within credit risk. Although each name is small, many borrowers depend on the same commodity and the same country conditions, so the shock can weaken repayment capacity across the portfolio at the same time.

Concentration risk arises when exposures that appear acceptable individually share the same underlying drivers. Here, the bank has avoided a large single-name exposure, but 42% of the book depends on copper exporters in one country. A fall in copper prices weakens sector cash flows, and foreign-exchange controls can obstruct payment from that jurisdiction. As a result, default risk and potential losses may rise across many borrowers together, creating a cluster of credit losses rather than one isolated problem.

  • Name limits reduce idiosyncratic risk.
  • They do not remove sector or geographic concentration.
  • Shared drivers increase default correlation and can also weaken recoveries.

A portfolio can therefore look diversified by borrower count while still being dangerously concentrated.


Question 22

Topic: Enterprise Risk Management (ERM)

A firm’s central risk team does not run day-to-day credit, market or operational controls. Instead, it uses a common risk taxonomy, aggregates exposures across business units, compares the combined profile with the board’s risk appetite, and escalates conflicts between divisions. Which function is this?

  • A. Operational loss event management
  • B. Enterprise-wide risk aggregation and coordination
  • C. Credit underwriting and counterparty approval
  • D. Internal audit independent assurance

Best answer: B

Explanation: The stem is about joining up different risks across the whole firm, not managing one discipline in isolation. Using a common taxonomy, aggregating exposures and comparing the total profile with board-approved risk appetite are classic ERM coordination tasks.

ERM provides a whole-of-firm view of risk. In the scenario, the central team is combining information from several risk disciplines, applying one risk language, assessing the aggregated position against the board’s risk appetite, and escalating trade-offs between business units. That is broader than credit, market, operational or liquidity risk management on their own. It is also broader than assurance work, because the team is actively coordinating and reporting the live enterprise risk profile rather than independently reviewing it after the fact. The key clue is the cross-risk, cross-business aggregation and escalation to support senior management and board oversight.


Question 23

Topic: Operational Risk

A firm’s internal operational-loss database is too small and backward-looking to assess a planned outsourcing arrangement. The risk team runs structured workshops with managers to estimate the frequency and severity of severe but plausible service-failure events. Which operational-risk technique does this best describe?

  • A. Risk and control self-assessment
  • B. Internal loss-event collection
  • C. Scenario analysis
  • D. Key risk indicator monitoring

Best answer: C

Explanation: This describes scenario analysis. It is particularly useful when internal loss data are sparse or too backward-looking to capture emerging operational risks, such as a new outsourcing arrangement.

Scenario analysis is a forward-looking operational-risk assessment technique. A practical constraint in building and maintaining an operational-risk framework is that internal loss data are often incomplete, inconsistent, or too limited to capture new or low-frequency, high-severity risks. In the stem, the firm is trying to assess outsourcing risk before enough relevant incidents exist, so it uses structured expert workshops to estimate plausible failure events and their likely impact. That is the typical role of scenario analysis.

It helps firms:

  • assess emerging risks
  • consider tail events
  • supplement sparse loss data
  • support control and risk-appetite decisions

Risk and control self-assessment is the closest alternative, but it focuses more on scoring existing process risks and controls than on estimating severe plausible event outcomes.


Question 24

Topic: Principles of Risk Management

An investment platform relies on one outsourced administrator for daily client valuations. The administrator has made two processing errors in one month, and the platform has no service KRIs or tested contingency plan. What is the single best response by the firm?

  • A. Log it as operational outsourcing risk, assess severity, add KRIs, and test fallback arrangements.
  • B. Wait for the annual supplier review before changing controls.
  • C. Treat it as market risk and widen valuation tolerances.
  • D. Increase insurance cover and leave day-to-day oversight unchanged.

Best answer: A

Explanation: The best response is to run the core risk-management cycle on the outsourcing exposure. Repeated processing errors and the absence of KRIs and a contingency plan show that the firm must identify the risk formally, assess its significance, improve controls, and monitor it more closely.

This is primarily an operational risk arising from outsourcing dependency and weak control design. Sound risk management requires the firm to identify the specific exposure, assess its likelihood and impact, implement mitigation, and then monitor it against clear indicators. In this case, the concentration in one administrator, recent errors, and missing contingency plan mean the firm should escalate the issue into the risk framework, set service KRIs, and test fallback arrangements so disruption can be managed within risk appetite.

A response that only transfers some financial loss, delays action until a periodic review, or misclassifies the issue does not address the immediate control weakness. The key point is that effective risk management is a continuous process, not a one-off reaction.


Question 25

Topic: Credit Risk

A bank’s risk team independently challenges the assumptions in a probability-of-default model, checks whether its calibration sample remains representative, and investigates missing borrower data that could bias outputs. Which control function best matches this work?

  • A. Concentration limit monitoring
  • B. Independent model validation
  • C. Credit underwriting approval
  • D. Portfolio stress testing

Best answer: B

Explanation: The work described is independent model validation. It focuses on whether the model’s assumptions, calibration choices and source data are appropriate, because weaknesses in any of these can distort credit-risk metrics such as probability of default.

Model validation is the control function that challenges whether a credit-risk model is fit for purpose. In the stem, the team is not approving loans or monitoring exposures; it is reviewing the model itself. That review covers three common drivers of model risk in credit measurement: assumptions, calibration and data quality. If assumptions are unrealistic, the calibration sample is outdated or unrepresentative, or borrower data are incomplete, measures such as PD and expected loss can be biased. Independent validation helps detect those weaknesses before the model is used for pricing, limits, provisioning or capital decisions.

The closest distractor is stress testing, but stress testing examines performance under adverse scenarios rather than validating whether the core model has been built and fed correctly.


Question 26

Topic: Operational Risk

An asset manager’s fund-operations team recorded 18 NAV correction incidents in the last 12 months. Most losses were small, but the four largest occurred when pricing files were uploaded manually after a data-vendor delay. The COO asks how this historical loss data should best be used in the next operational-risk review. What is the single best answer?

  • A. Use the loss history mainly to calibrate operational-risk capital.
  • B. Set one incident threshold from the average loss across operations.
  • C. Analyse incident patterns to strengthen controls and KRIs around manual uploads.
  • D. Remove small incidents so management focuses only on the largest losses.

Best answer: C

Explanation: Historical loss data is useful for management when it shows where and why events recur. Here, the concentration of larger losses in manual uploads after vendor delays points to a specific control weakness, so the best use is to strengthen that process and monitor it with KRIs.

Historical loss data does more than support loss measurement or capital assessment. In operational-risk management, it helps identify recurring causes, weak control points, and concentrations that need action. In this case, the key fact is that the largest NAV corrections occurred during the same manual workaround after vendor delays. That pattern supports practical management steps such as tightening controls, reducing manual intervention, setting KRIs for vendor delays or manual uploads, and escalating the dependency risk through governance forums. Using only the annual loss total, excluding small incidents, or relying on an overall average would hide the frequency pattern and the specific process weakness. The most useful application is targeted control improvement based on the observed loss pattern.


Question 27

Topic: International Risk Regulation

A bank meets its minimum Pillar 1 capital requirements, but its loan book is highly concentrated in one commercial property sector. Internal stress tests show losses in a downturn could exceed the board’s risk appetite. Which response best applies the Basel framework?

  • A. Reclassify the problem as operational risk, because stress-test losses are outside the credit risk framework.
  • B. Rely on Pillar 1 ratios, because minimum capital rules already capture all credit concentration risk.
  • C. Address the issue mainly through Pillar 3 by increasing disclosures instead of changing capital or risk management.
  • D. Use Pillar 2 to review the concentration and stress-testing weakness, require stronger controls and extra capital if needed, and use Pillar 3 disclosure to support market discipline.

Best answer: D

Explanation: Meeting Pillar 1 minimums does not end prudential assessment. A concentrated loan book and stress-test losses beyond risk appetite point to a Pillar 2 issue, while Pillar 3 disclosures help market discipline but do not replace capital assessment or control improvement.

Basel’s three pillars are designed to work together. Pillar 1 sets minimum capital requirements for specified risks, but it cannot capture every firm-specific exposure in full. Pillar 2 covers supervisory review of a bank’s overall risk profile, including concentration risk, stress testing, governance, and whether capital and controls remain adequate relative to risk appetite. Pillar 3 requires public disclosure so investors and counterparties can exert market discipline.

In this case, the property-sector concentration and the stress-test breach show a material risk and a risk-management concern that may need additional capital, tighter limits, or stronger oversight under Pillar 2. Disclosure is useful, but it is complementary, not a substitute for supervisory review and remediation.


Question 28

Topic: Operational Risk

In a wealth manager’s payments team, one operations employee can both amend a client’s standing settlement instruction and release a same-day cash payment. A transfer is later found to have gone to an account linked to that employee. Which action best applies a durable operational-risk principle to reduce recurrence of this Basel event type?

  • A. Separate instruction changes from payment release and verify changes independently.
  • B. Split client payments across two settlement banks for diversification.
  • C. Keep current access but use zero tolerance for payment losses and monthly escalation.
  • D. Require internal audit to authorise instruction changes before payment release.

Best answer: A

Explanation: This is an internal fraud event arising in payments operations because one employee controlled both client instruction data and cash release. The best response is segregation of duties, supported by independent verification of changes to standing settlement instructions.

The core concept is segregation of duties within the first line of defence. In the scenario, the Basel operational-risk event type is internal fraud: an employee used combined control over client static data and payment release to divert funds. The strongest preventive control is to separate maintenance of settlement instructions from payment authorisation and add independent verification for any bank-detail change. That directly addresses where and how the event arose in the business process. Risk appetite and escalation help oversight, but they do not remove the underlying opportunity for abuse. Internal audit should review whether the control framework is effective, not operate the approval step itself. The key takeaway is that internal fraud in operations usually points to weak access design and missing maker-checker controls.


Question 29

Topic: Market Risk

A bank’s market risk team compares each day’s actual trading profit and loss with the previous day’s one-day 99% VaR estimate, and counts how often losses exceed that estimate. Which VaR-related function does this process match?

  • A. Position limit monitoring
  • B. Stress testing
  • C. Back testing
  • D. Independent model validation

Best answer: C

Explanation: This process is back testing because it compares realised trading outcomes with prior VaR forecasts and looks for exceptions. Its purpose is to see whether the VaR model is performing consistently with its stated confidence level over time.

Back testing is the VaR control that compares actual daily trading results with the model’s predicted loss threshold. If a one-day 99% VaR model is working reasonably, losses should exceed the VaR estimate only infrequently, so the number and pattern of exceptions help assess model reliability. This is narrower than full model validation, which reviews methodology, assumptions, data, implementation, and governance more broadly.

The key distinction is that back testing uses realised outcomes to test forecast performance, whereas the closest alternative, independent model validation, is a wider review of whether the model is fit for purpose.


Question 30

Topic: Liquidity Risk

A bank can cover current cash outflows from cash and committed facilities, but most of its securities portfolio is thinly traded and could only be sold quickly at steep discounts if withdrawals increased. Which liquidity-risk description best matches this concern?

  • A. Difficulty selling assets quickly without major price concessions
  • B. Losses because a counterparty fails to pay
  • C. Difficulty replacing maturing funding or meeting cash outflows
  • D. A shortfall in high-quality liquid assets against a regulatory measure

Best answer: A

Explanation: The deciding fact is that the securities are hard to sell without taking steep discounts. Because current outflows are already covered, the immediate issue is not funding liquidity but market liquidity: the firm may be unable to turn assets into cash at or near fair value.

This is a classic distinction within liquidity risk. Market liquidity risk arises when assets cannot be sold quickly, in sufficient size, and at prices close to their fair value. The stem says the bank can currently meet cash outflows from cash and committed facilities, so there is no immediate indication that it cannot fund payments as they fall due. The concern is instead that, if withdrawals rise, the bank would have to sell thinly traded securities at steep discounts. That points to weak asset marketability, which is market liquidity risk. A regulatory liquidity ratio issue could result from such stress, but it is not the underlying description being tested here.


Question 31

Topic: Operational Risk

An investment firm has recently moved its order-management platform to a single external cloud provider. Internal loss data are limited, but management wants to assess the effect of a severe but plausible outage on a peak trading day and judge whether fallback arrangements would work. Which operational-risk assessment method is the single best choice?

  • A. Market VaR modelling of trading-book positions
  • B. Bottom-up mapping of routine order-processing controls
  • C. Review of average internal loss data over recent years
  • D. Scenario analysis involving trading, operations, IT and risk teams

Best answer: D

Explanation: Scenario analysis is most suitable when management is concerned about a rare but plausible operational event and wants to test the effectiveness of fallback arrangements. The stem points to a severe cloud outage, limited historical losses, and a need to evaluate resilience rather than routine processing errors.

The core concept is choosing the assessment method that best fits the risk being examined. Scenario analysis is designed for low-frequency, high-impact operational events where historical loss data may be sparse or uninformative. Here, the firm has a recent migration to a single cloud provider, so there is concentration risk and little internal loss history, but management wants to understand what would happen if a major outage occurred on a peak trading day.

A scenario workshop can:

  • estimate plausible gross and net impacts
  • test whether fallback arrangements are realistic
  • involve business, operations, IT and risk owners
  • highlight control gaps in severe conditions

Bottom-up analysis is more useful for detailed process-level control reviews in normal operations, not as the primary tool for assessing a severe outage scenario.


Question 32

Topic: Market Risk

A dealer hedges a fixed-rate swap position with gilt futures. The general level of market yields changes very little, but the hedge still loses money because swap rates and gilt yields move by different amounts. Which form of market risk does this illustrate?

  • A. Market-liquidity risk
  • B. Basis risk
  • C. Interest-rate risk
  • D. Volatility risk

Best answer: B

Explanation: This is basis risk because the swap exposure is being hedged with a related but not identical instrument. The problem is not a large move in overall rates, but a change in the relationship between swap rates and gilt yields.

Basis risk arises when a firm uses a proxy hedge and the hedge instrument does not move exactly in line with the position being hedged. In this case, the underlying exposure is to swap rates, while the hedge is in gilt futures linked to government bond yields. If the swap spread changes, the two rates can move by different amounts, so the hedge becomes imperfect and produces a residual loss even when overall yields are broadly stable.

The key point is that the risk comes from divergence between two related market prices, not from the general direction of rates. That is why basis risk, rather than pure interest-rate risk, is the best match.

Trademark note: Mastery Exam Prep and Tokenizer Inc. are independent exam-prep providers and are not affiliated with, endorsed by, or sponsored by the Chartered Institute for Securities & Investment (CISI), the FCA, the PRA, HMRC, or any regulator.

Revised on Wednesday, April 15, 2026