CISI Risk in Financial Services Practice Test

The CISI Risk in Financial Services paper is the broad risk product in this UK set. It spans the principles of risk management, international risk regulation, operational, credit, market, investment, and liquidity risk, plus model risk, governance, oversight, and enterprise risk management. If you are searching for Risk in Financial Services sample questions, a practice test, mock exam, or simulator, this is the main Securities Prep page to start on web and continue on iPhone or Android with the same Securities Prep account.

Free diagnostic: Try the 100-question CISI Risk in Financial Services full-length practice exam before subscribing. Use it as one risk-management baseline, then return to Securities Prep for timed mocks, topic drills, explanations, and the full Risk in Financial Services question bank.

What this page gives you

• a direct route into Securities Prep practice for CISI Risk in Financial Services
• 24 sample questions with detailed explanations spread across all current topic areas on the page
• UK-specific practice language around capital, liquidity, governance, operational events, model risk, and enterprise-risk oversight
• free-preview access on web before you subscribe
• the same Securities Prep account across web, iPhone, iPad, macOS, and Android

CISI Risk in Financial Services exam snapshot

Topic coverage for CISI Risk in Financial Services

Best fit by UK role

Real-paper timing target

CISI Risk decision filters

• Risk type first: decide whether the scenario is operational, credit, market, investment, liquidity, model, governance, or ERM before selecting a control.
• Control owner: identify whether the action belongs to front office, risk, compliance, audit, senior management, or the board.
• Measurement vs mitigation: separate risk identification, measurement, monitoring, reporting, escalation, capital, and control response.
• Interaction risk: watch for scenarios where one failure creates operational, liquidity, conduct, or market consequences together.

When Risk in Financial Services practice is enough

If several unseen mixed attempts are above roughly 75% and you can explain the risk type, control owner, and mitigation logic behind each answer, you are likely ready. More practice should improve risk classification and escalation judgment, not repeated-definition recall.

Best page to open next

What CISI Risk in Financial Services is really testing

• whether you can identify the main risk type from the facts rather than describing the symptom only
• whether governance, escalation, and control ownership sit in the right place for the risk that appears
• whether operational, credit, market, liquidity, and investment risk are being distinguished cleanly under time pressure
• whether enterprise-risk thinking still works when multiple risk categories interact in one scenario

How Risk in Financial Services differs from similar routes

How to use the Risk in FS simulator efficiently

1. Make the definitions and signals for operational, credit, market, and liquidity risk automatic before doing full mixed sets.
2. Treat risk identification and governance ownership as one review loop, because many misses are really escalation mistakes.
3. Review market, investment, and liquidity questions together so you do not collapse them into one generic volatility label.
4. Finish with timed mixed blocks that force you to switch between frontline events, governance failures, and ERM-level responses.

Free preview vs premium

• Free preview: 24 public sample questions on this page plus the web app entry so you can validate the question style and explanation depth.
• Premium: the full Risk in FS practice bank, focused drills, mixed sets, timed mock exams, detailed explanations, and progress tracking across web and mobile.

Focused sample questions

Use these child pages when you want focused Securities Prep practice before returning to mixed sets and timed mocks.

• Free CISI Risk Full-Length Practice Exam
• CISI Risk: Principles of Risk Management
• CISI Risk: International Risk Regulation
• CISI Risk: Operational Risk
• CISI Risk: Credit Risk
• CISI Risk: Market Risk
• CISI Risk: Investment Risk
• CISI Risk: Liquidity Risk
• CISI Risk: Model Risk
• CISI Risk: Risk Oversight and Corporate Governance
• CISI Risk: Enterprise Risk Management (ERM)

Free review resources

Use these free SecuritiesMastery.com resources for concept review, then return to this page when you are ready to practice in Securities Prep.

• CISI Risk in Financial Services Cheat Sheet
• CISI Risk in Financial Services Study Guide

Free samples and full practice

• Live now: this practice route is available in Securities Prep on web, iOS, and Android.
• On-page sample set: this page includes 24 public sample questions for this route.
• Full practice: open the Securities Prep web app or mobile app for mixed sets, topic drills, and timed mocks.

Good next pages after Risk in FS

• Combating Financial Crime if you want the narrower AML and sanctions follow-on
• UK Regulation & Professional Integrity if you want the FCA/PRA and conduct core beside the risk paper
• Investment Management (Level 4) if your target role shifts from risk to portfolio and valuation work
• UK securities roadmap if you want the whole UK route sequence before specialising further

24 Risk in FS sample questions with detailed explanations

These are original Securities Prep practice questions aligned to the live CISI Risk in Financial Services route and the main blueprint areas shown above. Use them to test readiness here, then continue in Securities Prep with mixed sets, topic drills, and timed mocks.

Question 1

Topic: Risk Oversight and Corporate Governance

A firm’s board states a low risk appetite, but remuneration rewards aggressive growth and staff avoid escalating limit breaches. Which concept most directly explains the gap between the stated appetite and day-to-day behaviour?

• A. Risk culture
• B. Risk appetite
• C. Risk capacity
• D. Risk tolerance

Best answer: A

Explanation: The key clue is the mismatch between the board’s formal statement and the behaviour encouraged in practice. That gap is about risk culture, because culture shapes incentives, challenge and escalation, while risk appetite is only the stated level of risk the firm intends to accept. Risk culture is the shared behaviours, incentives and norms that shape how people identify, discuss, escalate and take risk. In the stem, the firm says it has a low risk appetite, but pay structures and weak escalation encourage the opposite. That means the lived behaviour is inconsistent with the approved appetite, which points to a weakness in risk culture.

A strong risk culture supports challenge, transparent escalation and decisions aligned with board-approved limits. When incentives reward short-term growth over control discipline, actual risk-taking can drift above the firm’s stated appetite. The key distinction is simple: risk appetite is what the firm says it is willing to accept; risk culture is what employees actually do.

---

Question 2

Topic: Investment Risk

A client will invest £100,000 for 10 years with no withdrawals, fees or tax. Product Alpha quotes a 6.0% effective annual return. Product Beta quotes a 5.9% nominal annual rate, compounded monthly. Which conclusion is most appropriate when comparing likely maturity values?

• A. Alpha, because 6.0% is higher than 5.9% on the quoted annual rate.
• B. They are effectively the same because the quoted rates differ by only 0.1%.
• C. Beta, because monthly compounding makes its effective annual return slightly higher.
• D. Use simple interest for both because no withdrawals are planned.

Best answer: C

Explanation: Quoted annual rates are not directly comparable when one is effective and the other is nominal with intra-year compounding. Product Beta’s 5.9% nominal rate compounds monthly, giving an effective annual rate slightly above 6.0%, so over 10 years it should finish higher. The key concept is that compounding changes the true annual growth rate. An effective annual return already includes the impact of compounding within the year, while a nominal annual rate does not. To compare Product Alpha and Product Beta fairly, both must be put onto the same basis. Product Beta’s effective annual rate is approximately \((1+0.059/12)^{12}-1\), which is about 6.06%, slightly above Product Alpha’s 6.0% effective rate. Over a 10-year holding period with no withdrawals, that small annual difference compounds into a higher maturity value for Product Beta.

The closest mistake is to compare 6.0% and 5.9% directly without adjusting for compounding frequency.

---

Question 3

Topic: Liquidity Risk

A securities firm defines:

• a 7-day funding gap as outflows - inflows - immediately available cash, where a positive result is a shortfall
• a pricing problem as funding remaining available but only at a higher spread

For the next 7 days it projects:

• Outflows: £95m
• Inflows: £80m
• Immediately available cash: £25m
• New 7-day funding remains available at 0.60% above normal cost

Which statement best describes the position?

• A. A £10m surplus; this is mainly a pricing problem.
• B. No liquidity concern; the spread widening is market risk only.
• C. A £15m shortfall; this is mainly a funding-gap problem.
• D. A £10m shortfall; this is mainly a funding-gap problem.

Best answer: A

Explanation: Using the definition in the stem, the 7-day gap is £95m - £80m - £25m = -£10m. Because the result is not positive, there is no funding shortfall; funding is still available, but at a worse spread, so the issue is pricing rather than a funding gap. A funding gap is about the quantity and timing of cash needed over the horizon, while a pricing problem is about the cost of obtaining funding when it is still available. Here, the stated measure gives £95m minus £80m minus £25m = -£10m. That negative result means the firm has a £10m liquidity surplus over the next 7 days, not a shortfall.

• Outflows = £95m
• Inflows + cash = £105m
• Net position = £10m surplus

The 0.60% wider spread matters because funding has become more expensive, but the firm is not projected to run out of cash on this measure. The closest trap is to ignore the available cash and wrongly call it a £15m gap.

---

Question 4

Topic: International Risk Regulation

A bank expands its unsecured corporate loan book, opens a small bond-trading desk, and then suffers repeated payments-processing failures after outsourcing operations. Under the Basel framework, which set of risk drivers will primarily determine the bank’s minimum regulatory capital requirement?

• A. Liquidity risk, model risk and operational risk
• B. Market risk, conduct risk and strategic risk
• C. Credit risk, market risk and operational risk
• D. Credit risk, liquidity risk and reputational risk

Best answer: C

Explanation: Basel capital adequacy is primarily based on credit risk, market risk and operational risk. The scenario maps directly to those drivers through unsecured lending, trading activity and outsourced processing failures, so they are the best answer. Under the Basel framework developed by the Basel Committee at the BIS, a bank’s minimum regulatory capital is primarily linked to exposures for credit risk and market risk, plus a capital charge for operational risk. Here, the unsecured corporate loan expansion increases credit risk, the bond-trading desk creates market risk, and repeated processing failures after outsourcing indicate operational risk. Liquidity, reputational, strategic and model risks can still matter for wider risk management and supervisory review, but they are not the core set being tested as the main drivers of minimum capital adequacy in this scenario. The key is to match each fact in the stem to the Basel capital driver it most directly creates.

---

Question 5

Topic: Operational Risk

A firm estimates next year’s operational loss using only its last four annual internal loss figures.

Exhibit:

• Year 1: £0.3m
• Year 2: £0.4m
• Year 3: £0.5m
• Year 4: £5.8m from a single external fraud event

The simple average is £1.75m. Which practical difficulty in measuring operational risk is most clearly illustrated?

• A. Operational losses should be shown as negative figures in the average.
• B. A simple average removes the need for expert scenario assessment.
• C. A fraud loss caused by outsiders should be excluded from operational risk.
• D. Short data series can be distorted by rare, high-severity losses.

Best answer: D

Explanation: The result is driven mainly by one exceptional loss rather than a stable pattern. This highlights a key operational-risk measurement problem: limited historical data are often skewed by low-frequency, high-severity events. Operational risk is difficult to measure because losses are often unevenly distributed: many periods show small losses, while occasional events are very large. In the exhibit, three years are clustered between £0.3m and £0.5m, but one fraud event is £5.8m. That makes the simple average of £1.75m highly sensitive to a single tail event rather than a reliable picture of recurring loss experience.

In practice, firms therefore do not rely only on short internal loss histories. They often supplement them with scenario analysis, external loss data, and expert judgement to assess exposures that may be rare but severe. The key takeaway is that operational-risk data can be sparse and heavily skewed, so simple averages may mislead.

---

Question 6

Topic: Credit Risk

A bank uses an internal scorecard to set exposure limits for lending to housebuilders. The scorecard was calibrated on the last six years, when defaults were unusually low, and 20% of borrower cash-flow fields are missing from the source data. With interest rates now rising sharply, which action BEST applies a sound risk-management principle to these measurement limitations?

• A. Ask the lending team to validate the model so assumptions reflect current market conditions.
• B. Supplement it with forward-looking stress tests and independent risk challenge before setting limits.
• C. Increase exposure limits to achieve diversification across more housebuilders.
• D. Keep using it unchanged because internally consistent historical data are the most objective basis.

Best answer: B

Explanation: The best response is to treat the scorecard as one input, not the whole answer. Because it is based on a benign historical period and incomplete data, forward-looking stress testing with independent challenge is the sound way to avoid setting limits on false precision. Credit-risk measurement is limited by model dependency, data quality and backward-looking inputs. In this case, the scorecard was fitted to a period of unusually low defaults, so it may understate risk when rates rise. Missing borrower cash-flow data further weakens the reliability of the estimates. A sound risk principle is to supplement the model with forward-looking stress scenarios and have independent risk challenge the results before limits are approved. That approach recognises that model outputs are uncertain, especially when conditions change and input data are incomplete. It is better than relying on the scorecard alone or changing exposures without fixing the measurement weakness. Internal consistency is not enough if the model is consistently wrong for the current environment.

---

Question 7

Topic: Principles of Risk Management

An investment platform plans to distribute its existing low-cost portfolios through a large “super-app”. The portfolios and target market are unchanged, but 65% of forecast first-year revenue would come from one external distributor. The board’s risk appetite states that no single distributor should generate more than 40% of forecast revenue in a new channel, and the partner may change access terms on 30 days’ notice. Which action best applies sound risk-management principles?

• A. Treat it as business-model risk: escalate the appetite breach and stress test partner dependency before launch.
• B. Prioritise stronger onboarding and reconciliation controls, because higher processing volumes are the main new risk.
• C. Handle it through the standard new-product process only, because the portfolios themselves are unchanged.
• D. Widen the portfolios’ asset mix, because diversification is the most relevant response.

Best answer: A

Explanation: This is not mainly a new-product issue. The underlying portfolios are unchanged, but the firm would become heavily dependent on one distributor beyond its stated risk appetite, so the right response is to treat it as emerging business-model risk and test it under stress before launch. Business-model risk arises when strategy, economics, or external dependencies threaten the firm’s viability even if the product itself is unchanged. In this scenario, the key facts are the projected reliance on one external distributor for 65% of revenue, the board limit of 40%, and the partner’s ability to change access terms quickly. That combination points to strategic concentration and earnings fragility, not merely product innovation.

• Compare the proposal with approved risk appetite.
• Escalate the breach to the appropriate governance body.
• Stress test lower volumes, margin pressure, and partner withdrawal.
• Decide whether to redesign, reject, or approve an exception.

A product-only review is too narrow because it ignores the firm’s altered revenue model and dependency risk.

---

Question 8

Topic: Market Risk

An options desk buys long call options because it expects the underlying share price to rise modestly over the next month. The share price does rise, but the position still loses value after implied volatility falls sharply. Which market-risk measure best matches the exposure revealed?

• A. Theta
• B. Gamma
• C. Delta
• D. Vega

Best answer: D

Explanation: The exposure described is volatility risk in an option position, measured by vega. A long call can benefit from a rise in the underlying, but it can still lose value if implied volatility falls enough to outweigh that directional gain. This is a classic example of why market risk is not only about getting direction right. A long call option is sensitive both to the underlying price and to implied volatility. The favourable move in the share price helps the option through delta, but the sharp fall in implied volatility reduces the option’s premium through vega because the market now expects less future price variability. If that volatility effect is larger than the gain from the underlying move, the option can still fall in value.

The key takeaway is that options carry separate directional and volatility exposures, and both matter when identifying market risk. Delta is the closest distractor because it captures price direction, but it does not measure the loss caused by lower implied volatility.

---

Question 9

Topic: Model Risk

A bank values an illiquid note using an approved pricing model. Policy requires escalation for valuation uncertainty if a plausible valuation falls below £10.0m.

Model outputs under plausible inputs

• Base calibration: £10.4m
• Stressed correlation input: £9.7m
• Wider bid-offer input: £9.5m

Which conclusion best reflects sound model-risk practice?

• A. Accept £10.4m as the definitive valuation.
• B. Use the outputs as a range, apply judgement, and escalate.
• C. Ignore the model and price the note manually.
• D. Use the average, about £9.9m, as definitive.

Best answer: B

Explanation: The model is still useful, but the figures show that the valuation is sensitive to plausible assumptions. Because credible outputs fall below the £10.0m threshold, the result should be treated as an input to judgement and escalated, not relied on mechanically as a single final number. This tests a core model-risk principle: an approved model is not a substitute for judgement when outputs vary materially under plausible assumptions. Here, the valuation range is £9.5m to £10.4m, and two credible outputs are below the firm’s escalation threshold. That means the bank should not rely only on the base case or on a simple average.

• Identify the range of plausible outputs.
• Compare that range with the policy trigger.
• Escalate because the range crosses the threshold.
• Use expert judgement to assess valuation uncertainty.

Averaging the results may summarise them, but it does not remove the uncertainty shown by the range.

---

Question 10

Topic: Enterprise Risk Management (ERM)

A firm uses exception-based escalation in its ERM programme:

• A business-unit head escalates any monthly operational loss above £2.0m.
• The Group CRO must be notified if total monthly operational losses exceed £5.0m.

This month:

Which conclusion is most appropriate?

• A. The largest single loss should drive escalation.
• B. Group-level aggregation should trigger escalation to the Group CRO.
• C. The losses need reclassifying as market risk.
• D. Unit-level exception reporting is sufficient.

Best answer: B

Explanation: The losses aggregate to £5.1m, which exceeds the firm’s £5.0m group threshold. This shows why ERM implementation needs central aggregation and clear accountability for escalation, even when no individual business unit breaches its own limit. A key ERM implementation challenge is that exception-based reporting can fail if risks are viewed only in silos. Here, each unit is below the £2.0m local trigger, but the enterprise total is £5.1m, so the group-level exception has been breached and escalation to the Group CRO is required.

An effective ERM programme therefore needs:

• consistent capture of risk data across units
• aggregation against group appetite or limits
• a named owner for escalation and response

The main lesson is that aggregation and accountability are essential; local reporting alone would miss this enterprise-wide breach.

---

Question 11

Topic: Risk Oversight and Corporate Governance

A wholesale bank is embedding credit-risk managers alongside its leveraged-finance origination team so proposed deals can be challenged early. Senior management wants the business to remain accountable for the risks it takes, while risk managers retain autonomy and authority to challenge and escalate. Which arrangement best applies sound risk-governance principles?

• A. Transfer deal approval to internal audit to create a fully independent second line.
• B. Have risk managers both challenge deals and operate the desk’s key controls.
• C. Keep risk ownership with origination, with risk managers reporting to the CRO and able to escalate.
• D. Make risk managers report only to the origination head and share deal-based incentives.

Best answer: C

Explanation: The best arrangement keeps origination as the first line that owns the risk, while embedded risk managers provide independent second-line challenge. A reporting line to the CRO and formal escalation rights protect autonomy without removing business accountability. The key principle is that risk ownership and independent oversight should be separate. In a sound three-lines structure, the business originates and owns the risk within appetite, while the risk function advises, challenges, and escalates where necessary. Embedding risk managers close to the business can improve decision quality and speed, but their independence must be protected through separate reporting, authority to challenge, and escalation access to senior risk governance.

If embedded risk staff report only to the desk they oversee, share front-office incentives, or operate the desk’s own controls, their autonomy is weakened and segregation of duties is blurred. Internal audit is the third line and should provide assurance over the framework, not routine deal approval. The closest distractors confuse independence with removing accountability from the business.

---

Question 12

Topic: Investment Risk

A UK equity manager compares two funds against the same benchmark. Tracking error is the standard deviation of active return, where active return = fund return minus benchmark return. Ignoring annualisation, which statement is most accurate?

• A. Both funds have the same tracking error because average active return is zero.
• B. Fund B has higher tracking error because benchmark deviations are larger.
• C. Fund A has higher tracking error because returns alternate around zero.
• D. Fund B has lower tracking error because positive and negative deviations offset.

Best answer: B

Explanation: Tracking error shows how much a portfolio’s returns vary relative to its benchmark over time. Fund B’s active returns are larger in magnitude in every quarter, so it has the higher tracking error and therefore higher benchmark-relative risk. The core concept is that tracking error measures the variability of active returns, not the average level of outperformance or underperformance. In the exhibit, both funds have an average active return of 0%, but Fund A moves by only ±0.5% while Fund B moves by ±1.5%. Because Fund B’s active returns are more dispersed around zero, its standard deviation of active return is higher.

A higher tracking error means the fund is likely to stray further from the benchmark from period to period. It indicates greater benchmark-relative risk, not better or worse manager skill. The closest confusion is average active return, which relates more to tracking difference than to tracking error.

---

Question 13

Topic: Liquidity Risk

A daily-dealing bond fund has built a GBP 40 million position in a smaller corporate bond issue. The quoted bid-offer spread is narrow in normal markets, but dealers say only about GBP 3 million can be sold quickly near that quote and larger sales move prices sharply for several days. To set asset-liquidity limits consistent with the fund’s risk appetite, which approach is best?

• A. Set limits by whether the bond trades every day.
• B. Set limits using the quoted bid-offer spread alone.
• C. Set limits mainly from the issuer’s credit rating.
• D. Set limits using spread, market depth, time-to-exit, and resilience under stress.

Best answer: D

Explanation: Bid-offer spread is useful, but it mainly reflects the cost of a small trade at current quotes. Here the fund’s position is much larger than normal market capacity, so sound limit-setting should also consider market depth, how quickly size can be sold, and how well prices recover after stress. Asset-liquidity risk should be measured with complementary indicators rather than a single headline metric. In this case, the narrow bid-offer spread shows that small trades may be cheap, but it does not show whether a GBP 40 million position can be exited without material delay or price impact. The dealer feedback points to weak market depth, limited immediacy for the full holding, and poor resilience because larger sales push prices down for several days. A risk-appetite approach should therefore set limits using spread together with depth, time-to-exit, and stressed resilience. The key takeaway is that quoted spreads alone can understate true liquidation risk for large positions.

---

Question 14

Topic: International Risk Regulation

A supervisory regime requires firms to hold adequate capital, maintain documented systems and controls, and submit regular returns to the regulator. Which feature of the regulatory framework does this best describe?

• A. Corporate governance
• B. Consumer protection
• C. Business standards
• D. Regulatory standards

Best answer: D

Explanation: The stem focuses on prudential and organisational requirements set by the regulator: capital adequacy, systems and controls, and formal reporting. Those are regulatory standards rather than customer-facing protections or broader conduct expectations. Regulatory standards are the part of the framework that sets minimum supervisory requirements for how a financial-services firm is organised, controlled, and financially resourced. In the stem, the key features are adequate capital, documented systems and controls, and regular returns to the regulator. These are classic prudential and oversight requirements designed to support firm resilience and effective supervision.

By contrast, consumer protection is mainly about fair treatment of customers, suitable products, clear disclosure, and complaint handling. Business standards are more about behaviour and conduct, such as integrity, competence, and managing conflicts of interest. The key distinction is that regulatory standards focus on the firm’s prudential soundness and control environment.

---

Question 15

Topic: Operational Risk

Under a firm’s operational-risk policy, a business unit must notify the CRO and the Operational Risk Committee within 24 hours if a key risk indicator breaches its red threshold or a material control failure is identified. Which stage of the operational-risk management framework does this requirement best match?

• A. Remediation
• B. Monitoring
• C. Management information
• D. Escalation

Best answer: D

Explanation: This requirement is about formal upward referral after a trigger event. In an operational-risk framework, that is escalation: ensuring significant breaches or control failures are brought quickly to the attention of senior management or governance committees. Escalation is the stage that defines when an operational-risk issue must be raised above the originating business area and who must be told. The stem gives clear escalation features: a red-threshold KRI breach or material control failure, named recipients, and a 24-hour deadline. That means the focus is not on detecting the issue, calculating the metric, or fixing the weakness, but on promptly routing it to the right authority for oversight and decision-making.

Monitoring would identify that the KRI or control status has worsened, management information would present risk data in reports or dashboards, and remediation would involve corrective actions and follow-up. The key clue is the mandatory notification to senior governance bodies once a severity trigger is hit.

---

Question 16

Topic: Credit Risk

A bank has current exposure to a counterparty of £12 million. Its policy requires eligible collateral, after haircuts, to cover 110% of exposure. The counterparty posts securities worth £13 million and the applicable haircut is 10%. What is the collateral shortfall?

• A. £1.5 million
• B. £0.3 million
• C. £1.3 million
• D. £0.2 million

Best answer: A

Explanation: Collateral adequacy is assessed using the collateral value after the haircut, not its full market value. Here, the bank needs £13.2 million of effective collateral and has only £11.7 million, leaving a £1.5 million shortfall. This tests simple collateral adequacy using a haircut. The required effective collateral is 110% of the £12 million exposure, so the target is £13.2 million. The posted securities have a market value of £13 million, but after a 10% haircut their recognised value is only £11.7 million.

• Required effective collateral: £12.0m × 110% = £13.2m
• Recognised collateral: £13.0m × 90% = £11.7m
• Shortfall: £13.2m − £11.7m = £1.5m

The key point is that adequacy is measured against haircut-adjusted collateral, not the unadjusted market value of securities.

---

Question 17

Topic: Principles of Risk Management

A UK investment firm plans to move trade surveillance, margin monitoring and liquidity reporting onto one AI-enabled cloud platform. Pilot results show fewer manual errors and faster limit alerts, but the platform would become a single provider for several critical risk controls. Which response best applies sound risk-management principles?

• A. Approve it because fewer manual errors mean lower net risk.
• B. Rely on the vendor’s assurance and reduce second-line oversight.
• C. Move more controls onto the same platform to maximise standardisation.
• D. Treat it as a critical dependency; apply risk appetite, outage testing and exit planning.

Best answer: D

Explanation: Better automation can reduce operational errors and improve timeliness, but it can also create dependency on a single technology provider. The best response is to recognise both effects and manage the new concentration risk through risk appetite, resilience testing and exit planning. The core principle is that a technology change should not be judged only by its efficiency gain. In this case, the new platform improves control quality by reducing manual error and speeding alerts, but placing several critical controls on one external provider also creates concentration and dependency risk. Sound risk management therefore treats the provider as a critical dependency, checks that the exposure is within the firm’s risk appetite, and tests whether key services can continue or recover if the provider fails. Practical steps include dependency mapping, outage or failover testing, and a credible exit plan. Vendor assurance can support oversight, but accountability remains with the firm and its control functions. The key distinction is between a genuine control improvement and a new vulnerability created by the same technology decision.

---

Question 18

Topic: Market Risk

An exchange-traded interest-rate futures position is margined daily. If the margin balance falls below the maintenance margin, the account must be restored to the initial margin.

Exhibit:

• Initial margin: £500,000
• Maintenance margin: £350,000
• Current margin balance: £320,000

How much cash must the firm post today?

• A. £180,000
• B. £30,000
• C. £150,000
• D. £0

Best answer: A

Explanation: The margin balance has fallen below the maintenance threshold, so a margin call is triggered. Under the rule given, the account must be topped back up to the initial margin, which requires £180,000. This is a margin adequacy calculation. The maintenance margin is the trigger point for a margin call, but it is not the level the account is restored to. Once the current balance of £320,000 falls below the £350,000 maintenance margin, the firm must top the account back up to the £500,000 initial margin.

• Required cash = initial margin - current balance
• Required cash = £500,000 - £320,000
• Required cash = £180,000

The key distinction is between the breach threshold and the restored balance: falling below maintenance creates the call, but the account is replenished to initial margin.

---

Question 19

Topic: Model Risk

A lender’s scorecard model classifies a large SME borrower as low risk. The credit team also knows the borrower’s main customer has just entered administration, a factor outside the model’s approved data set. Which action best applies sound model-risk practice?

• A. Decline automatically because one missing factor invalidates the model
• B. Rebuild the model before making any decision
• C. Use the score, add documented judgment, and escalate approval
• D. Approve on standard terms because the model is validated

Best answer: C

Explanation: The model result is still useful, but it does not capture a newly emerged and material risk factor. Good model-risk practice is to use the score as one input, then apply documented judgment and escalate because the case falls outside normal model use. The core principle is that models support decisions within their assumptions and approved scope; they do not replace judgment when a material fact sits outside that scope. Here, the borrower’s dependence on a customer that has just entered administration is highly relevant to repayment risk, yet it is not captured by the scorecard’s approved data set. The firm should therefore keep the model output as an input, apply a documented expert overlay, and escalate the approval if required by governance.

A validated model is not a complete substitute for human assessment. Validation shows the model works as intended within scope, not that it captures every real-world development. The best response is controlled judgment with clear governance, not automatic reliance, automatic rejection, or immediate redevelopment.

---

Question 20

Topic: Enterprise Risk Management (ERM)

A firm combines credit, market, liquidity and operational risk information in one governance process so senior management can assess aggregate exposure against risk appetite and make trade-offs across businesses. What is this approach called?

• A. Enterprise risk management
• B. Risk culture programme
• C. Operational risk management
• D. Risk appetite framework

Best answer: A

Explanation: The stem describes a firm-wide process that integrates several risk types and reports their combined effect against overall risk appetite. That is enterprise risk management, which focuses on coordination and aggregation across the organisation rather than one risk discipline alone. Enterprise risk management is the umbrella framework for identifying, assessing, aggregating and governing risk across the whole organisation. The key clues are the combined view of credit, market, liquidity and operational risks, the comparison with overall risk appetite, and management trade-offs across businesses. A risk appetite framework is an important ERM tool, but it only sets boundaries and tolerances; it is not the full coordination process. Risk culture affects how people behave and escalate issues, and operational risk management covers only one category. The hallmark of ERM is managing interactions and aggregate exposure across multiple risk types at enterprise level.

---

Question 21

Topic: Risk Oversight and Corporate Governance

A bank states a low risk appetite for leveraged lending concentrations. In practice, relationship managers are paid mainly on loan volume, exceptions to concentration limits are approved informally by the head of lending, and the risk function is informed only after facilities are signed. Which action would best align lived behaviour with the stated risk appetite?

• A. Keep current incentives but provide extra training on the appetite statement
• B. Allow business-line approvals to continue, with second-line review at month-end
• C. Require pre-commitment escalation of limit exceptions to independent risk and link pay to risk-adjusted performance
• D. Increase the concentration limit so fewer deals are recorded as exceptions

Best answer: C

Explanation: The issue is not the wording of the appetite statement but the behaviours being rewarded and the weak escalation route. The best response is to make exceptions subject to independent challenge before commitment and to align remuneration with risk-adjusted outcomes rather than pure volume. Risk appetite is credible only when it is translated into how decisions are made and how people are rewarded. Here, the bank says it has a low appetite for concentration risk, but lived behaviour points the other way: volume-based incentives encourage more lending, informal waivers bypass governance, and second-line risk is involved too late. The best application of the risk appetite principle is therefore to require escalation of proposed limit breaches before facilities are signed and to align remuneration with risk-adjusted performance. That creates a real control point and reduces pressure to override stated limits for revenue reasons. Raising limits would simply redefine appetite to fit behaviour, while training or retrospective review would not correct the incentive and governance mismatch.

---

Question 22

Topic: Investment Risk

A portfolio manager holds a £8 million UK equity portfolio with a beta of 1.25 to the FTSE All-Share. The manager wants to hedge the portfolio’s systematic market risk for one month without selling any shares. One FTSE All-Share futures contract gives £100,000 of market exposure. What is the most appropriate hedge?

• A. Buy 80 futures contracts
• B. Sell 100 futures contracts
• C. Buy 100 futures contracts
• D. Sell 80 futures contracts

Best answer: B

Explanation: This is a portfolio-hedging question using beta-adjusted market exposure. The portfolio’s systematic risk is £10 million of index exposure, so selling 100 futures contracts offsets that exposure without selling the underlying shares. The core concept is hedging systematic equity risk with index futures. Because the portfolio has a beta of 1.25, its market sensitivity is greater than its £8 million market value alone suggests. The correct hedge size is based on beta-adjusted exposure:

\[ \begin{aligned} \text{Hedge exposure} &= £8{,}000{,}000 \times 1.25 = £10{,}000{,}000 \\ \text{Contracts needed} &= £10{,}000{,}000 / £100{,}000 = 100 \end{aligned} \]

The manager is already long equities, so the futures position must be a sale to offset that market exposure. Using only 80 contracts would hedge the portfolio’s value but ignore its higher beta. Buying futures would increase, not reduce, systematic market risk.

---

Question 23

Topic: Liquidity Risk

A liquidity report tracks the speed at which a corporate bond’s price returns towards its pre-trade level after a large order temporarily moves the market. Which asset-liquidity measure does this describe?

• A. Market depth
• B. Bid-offer spread
• C. Resilience
• D. Immediacy

Best answer: C

Explanation: The measure described is resilience. It focuses on how fast the market returns towards normal pricing after a trade or shock has temporarily displaced the price, rather than on transaction cost, available size, or execution speed. Resilience is a key asset-liquidity measure that captures the market’s ability to recover after temporary price pressure. In the stem, a large order pushes the corporate bond price away from its earlier level, and the report is tracking how quickly that distortion fades. That is resilience.

This differs from other liquidity measures:

• bid-offer spread: the cost of transacting
• market depth: how much volume the market can absorb at or near current prices
• immediacy: how quickly a trade can be executed

A narrow spread or fast execution does not by itself show whether prices rebound after a temporary dislocation.

---

Question 24

Topic: International Risk Regulation

Under the Basel framework, which concept is intended to strengthen market discipline by requiring banks to disclose information on their capital, risk exposures and risk management practices?

• A. Pillar 1 minimum capital requirements
• B. Pillar 3 disclosure requirements
• C. Pillar 2 supervisory review process
• D. ICAAP internal capital assessment

Best answer: B

Explanation: The Basel framework uses Pillar 3 to promote market discipline through transparency. It requires banks to disclose key information about capital, risks and risk management so external stakeholders can assess the firm more effectively. This question tests the three-pillar structure of the Basel framework. Pillar 3 is the disclosure pillar: it requires banks to publish information about their capital position, risk exposures and risk-management approach so that investors, counterparties and other market participants can make informed judgements. That transparency is intended to reinforce prudent behaviour through market discipline.

By contrast, Pillar 1 sets minimum regulatory capital requirements, while Pillar 2 focuses on supervisory review and the firm’s internal assessment of capital adequacy. The key clue in the stem is the requirement to disclose information publicly, which points directly to Pillar 3.

In this section

• CISI Risk: Principles of Risk Management
  Try 10 focused CISI Risk questions on Principles of Risk Management, with answers and explanations, then continue with Securities Prep.
• CISI Risk: International Risk Regulation
  Try 10 focused CISI Risk questions on International Risk Regulation, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Operational Risk
  Try 10 focused CISI Risk questions on Operational Risk, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Credit Risk
  Try 10 focused CISI Risk questions on Credit Risk, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Market Risk
  Try 10 focused CISI Risk questions on Market Risk, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Investment Risk
  Try 10 focused CISI Risk questions on Investment Risk, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Liquidity Risk
  Try 10 focused CISI Risk questions on Liquidity Risk, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Model Risk
  Try 10 focused CISI Risk questions on Model Risk, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Risk Oversight and Corporate Governance
  Try 10 focused CISI Risk questions on Risk Oversight and Corporate Governance, with answers and explanations, then continue with Securities Prep.
• CISI Risk: Enterprise Risk Management (ERM)
  Try 10 focused CISI Risk questions on Enterprise Risk Management (ERM), with answers and explanations, then continue with Securities Prep.
• Free CISI Risk Full-Length Practice Exam: 100 Questions
  Try 100 free CISI Risk questions across the exam domains, with answers and explanations, then continue in Securities Prep.