CISI Risk: Enterprise Risk Management (ERM)

Try 10 focused CISI Risk questions on Enterprise Risk Management (ERM), with answers and explanations, then continue with Securities Prep.

Open the matching Securities Prep practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

Field | Detail
Exam route | CISI Risk
Issuer | CISI
Topic area | Enterprise Risk Management (ERM)
Blueprint weight | 5%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Enterprise Risk Management (ERM) for CISI Risk. Work through the 10 questions first, then review the explanations and return to mixed practice in Securities Prep.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 5% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original Securities Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Enterprise Risk Management (ERM)

A mid-sized bank is redesigning its ERM programme after three events: a conduct issue in sales, a payment outage caused by a systems change, and short-term funding pressure because treasury assumptions were not shared with business units. Which approach best applies ERM principles?

  • A. Create a cross-functional ERM forum with business heads, finance/treasury, operations/IT, compliance and central risk; use common KRIs and escalation, with internal audit giving assurance.
  • B. Restrict ERM participation to revenue-generating business units so risk ownership stays in the first line.
  • C. Make the central risk function solely responsible for ERM and request updates from departments each quarter.
  • D. Ask internal audit to chair the ERM committee and approve cross-functional risk decisions.

Best answer: A

What this tests: Enterprise Risk Management (ERM)

Explanation: ERM needs participation from the main business areas and key support and control functions because risks rarely stay within one silo. In this case, sales, treasury, operations and technology all affected the bank’s risk profile, so a shared framework for appetite, KRIs and escalation is the best fit.

The core ERM principle is that risks are owned where they arise, but they must be identified, assessed and escalated across the whole firm. Here, the bank’s problems span conduct, operational resilience and liquidity, so effective ERM needs input from first-line business heads plus finance/treasury, operations/technology, compliance and the central risk function. Cross-functional involvement matters because it allows the firm to spot dependencies, aggregate exposures, challenge assumptions and escalate breaches against risk appetite using a common language and set of indicators. Internal audit should remain independent as the third line, providing assurance on whether the framework is working rather than running it. The key takeaway is broad participation with clear separation of responsibilities.

  • Risk-only ownership: A central risk team can coordinate ERM, but it cannot replace input from businesses and support functions that generate the underlying exposures and data.
  • First-line only: Keeping only revenue units involved misses important information from treasury, operations, technology and compliance, where many enterprise-wide risks emerge or are detected.
  • Audit as manager: Internal audit should assess the ERM framework independently; chairing and approving risk decisions would compromise that independence.

This structure captures enterprise-wide risk interdependencies while preserving first-line ownership, second-line oversight and third-line independence.


Question 2

Topic: Enterprise Risk Management (ERM)

A mid-sized bank has expanded from corporate lending into securities financing. Credit, market and liquidity risks are still reported separately by each business line, and a recent wholesale-funding shock showed several desks relied on the same short-term source. The regulator found that the board receives no consolidated view of group risk. Which action would BEST align the firm’s ERM programme with regulatory and sound-practice expectations?

  • A. Hold a larger liquidity buffer first and postpone changes to governance and reporting.
  • B. Transfer ownership of risk policy and limit approval to internal audit.
  • C. Let each business line set tighter limits and escalate issues within its own management chain.
  • D. Establish a board-approved risk appetite, independent CRO oversight, and enterprise-wide risk aggregation with stress testing.

Best answer: D

What this tests: Enterprise Risk Management (ERM)

Explanation: Regulation and sound practice have pushed ERM towards board oversight, explicit risk appetite and independent second-line challenge. Here, the weakness is siloed reporting and hidden group concentration, so the best response is an enterprise-wide framework with aggregation and stress testing, not a local or purely balance-sheet fix.

Industry regulation and sound practice have shaped ERM into a group-wide discipline rather than a set of separate risk silos. Common expectations include board accountability, a clear risk appetite framework, an independent risk function led by a CRO, and the ability to aggregate exposures across businesses and assess them through stress testing. In this scenario, several desks depend on the same short-term funding source, but the board cannot see that concentration because reporting is fragmented. An enterprise-wide ERM framework addresses both the governance gap and the measurement gap.

A bigger buffer may improve resilience, but it does not replace the need for proper ERM design. The key takeaway is that modern ERM must give senior management and the board a consolidated view of risk across the whole firm.

  • Silo problem: Tighter divisional limits still leave risk managed within business lines and do not solve the missing group view.
  • Symptom not framework: A larger liquidity buffer may help in the short term, but it does not fix weak governance, risk appetite or aggregation.
  • Wrong line of defence: Internal audit is the third line and should provide assurance, not own risk policy or approve risk-taking limits.

Modern ERM is expected to be board-led and enterprise-wide, with independent risk oversight and aggregated reporting that reveals concentrations and cross-risk exposures.


Question 3

Topic: Enterprise Risk Management (ERM)

A financial-services firm sets out the types and amount of risk it is willing to accept, converts this into limits for business units, and requires escalation when thresholds are breached. Which ERM feature does this describe?

  • A. Stress-testing programme
  • B. Business continuity plan
  • C. Risk and control self-assessment
  • D. Risk appetite framework

Best answer: D

What this tests: Enterprise Risk Management (ERM)

Explanation: This describes a risk appetite framework. In ERM, it translates board-approved strategy into practical risk boundaries so managers can prioritise actions, make consistent decisions, and escalate breaches clearly.

A risk appetite framework states the nature and level of risk the organisation is prepared to take in pursuit of its objectives. In a financial-services firm, it is typically approved by the board and then cascaded into tolerances or limits for business units. That improves ERM by giving a common basis for prioritisation, clearer accountability for staying within boundaries, and better decision quality when trade-offs are made across the organisation. When a threshold is breached, escalation is triggered because the firm is moving outside its agreed risk appetite. The closest distractors may help assess or manage risk, but they do not set the firm-wide boundary for acceptable risk-taking.

  • RCSA confusion: A risk and control self-assessment helps identify and assess process risks and controls, but it does not define the firm’s overall willingness to take risk.
  • Scenario analysis confusion: A stress-testing programme explores how the firm would perform under adverse conditions, rather than setting day-to-day risk limits.
  • Resilience confusion: A business continuity plan supports operations during disruption, but it is not the mechanism for defining acceptable risk levels and escalation triggers.

A risk appetite framework defines acceptable risk-taking, cascades it into limits, and sets escalation points when those boundaries are exceeded.


Question 4

Topic: Enterprise Risk Management (ERM)

A bank reviews same-day stressed GBP cash flows within one legal entity, and central treasury can move cash freely between units.

Exhibit:

  • Retail banking: +£18m
  • Trading margin calls: -£25m
  • Corporate lending drawdowns: -£7m

Which conclusion best reflects enterprise-wide risk management?

  • A. Central treasury should manage a net £14m outflow for the firm.
  • B. Each unit should fund its own shortfall without firm-wide netting.
  • C. The firm-wide liquidity requirement is £50m, the sum of all movements.
  • D. The firm has no liquidity exposure because the unit cash flows offset.

Best answer: A

What this tests: Enterprise Risk Management (ERM)

Explanation: Enterprise-wide risk management considers the aggregate position where cash can be centrally transferred. Here, the firm-wide stressed cash flow is +£18m - £25m - £7m = -£14m, so the relevant response is central management of a net £14m liquidity need.

Enterprise risk management looks across the whole firm and assesses how exposures combine, instead of treating each business area in isolation. Because the cash flows are in the same legal entity, same currency and same day, and treasury can move cash freely, netting is appropriate for the funding decision. The calculation is simple: £18m inflow less £25m and £7m outflows gives a net stressed outflow of £14m. That £14m is the residual liquidity exposure the firm must manage centrally within its risk appetite.

A silo approach would make each unit deal with its own cash position separately, while a gross-sum approach would confuse total activity with the firm’s actual residual exposure. The key point is firm-wide aggregation with sensible netting.

  • Full-offset error: the inflow does not cancel all outflows; there is still a £14m net cash need.
  • Silo view: making each unit self-fund ignores the firm’s ability to aggregate and manage liquidity centrally.
  • Gross-sum error: £50m is the total absolute movement, not the residual exposure ERM focuses on here.

ERM nets transferable same-day cash flows across the firm, leaving a residual £14m outflow for central management.


Question 5

Topic: Enterprise Risk Management (ERM)

A bank has designed its ERM programme around board-approved stress testing, reflecting Basel-style supervisory expectations. The board requires any stressed loss above 25% of available capital to be escalated.

Exhibit:

  • Available capital: £800m
  • Credit stress loss: £110m
  • Market stress loss: £55m
  • Operational stress loss: £45m

Which conclusion best reflects sound ERM implementation?

  • A. The stress loss equals the 25% limit exactly, so monitoring alone is sufficient.
  • B. The aggregate stress loss is £210m, breaching the £200m limit, so escalation is required.
  • C. Only the largest single stress loss should be compared with the limit, so the firm is within appetite.
  • D. The aggregate stress loss is £190m, so the firm remains within the board limit.

Best answer: B

What this tests: Enterprise Risk Management (ERM)

Explanation: A key ERM practice reinforced by regulation and sound practice is to aggregate material risks under a common stress and compare them with board-approved appetite. Here, total stressed loss is £210m and the limit is £200m, so the result is outside appetite and must be escalated.

Modern ERM programmes, influenced by supervisory expectations and industry sound practice, are designed to give senior management and the board a group-wide view of risk rather than separate silos. That means aggregating material stress losses and testing them against a clear risk appetite threshold.

  • Total stress loss = £110m + £55m + £45m = £210m
  • Limit = 25% of £800m = £200m

Because £210m is greater than £200m, the scenario breaches the board limit. Sound ERM implementation therefore requires escalation under the stated policy. The key takeaway is that ERM focuses on aggregated exposure and governance response, not just the biggest individual risk.

  • Addition error: The three stress losses sum to £210m, not £190m.
  • Threshold error: 25% of £800m is £200m, so the result is above the limit, not exactly on it.
  • Silo view: ERM requires aggregation across material risk types; looking only at the largest single loss misses the purpose of enterprise-wide oversight.

ERM compares aggregated stressed losses with board appetite; £110m + £55m + £45m = £210m versus a £200m limit.


Question 6

Topic: Enterprise Risk Management (ERM)

A securities firm is deciding which functions must be central to an ERM review after a price promotion increased same-day client trades.

Exhibit:

  • Planned daily trades: 9,000
  • Actual daily trades: 12,000
  • Operations capacity: 10,500 trades
  • Settlement cash needed per trade: £1,000
  • Treasury intraday cash arranged: £11m

Which business functions should be most involved?

  • A. Operations, treasury and internal audit
  • B. Front office, operations and compliance
  • C. Front office, treasury and finance
  • D. Front office, operations and treasury

Best answer: D

What this tests: Enterprise Risk Management (ERM)

Explanation: The exhibit shows two linked gaps: trades exceed operations capacity by 1,500 and settlement cash needed is £12m, creating a £1m intraday shortfall. Because the volume surge originated in the front office, the most relevant ERM participants are front office, operations and treasury.

This tests the ERM principle that the right participants are the functions that create, process and fund the activity. The price promotion sits with the front office, actual trades of 12,000 exceed operations capacity of 10,500, and settlement cash needed is £12m against £11m arranged by treasury. That means the issue crosses business boundaries and cannot be understood properly in a single silo.

Cross-functional involvement matters because each function sees a different part of the same risk chain:

  • front office: demand generation and client activity
  • operations: processing and settlement capacity
  • treasury: intraday liquidity provision

Oversight functions may support the review, but they do not replace the business functions needed to fix the root cause and the immediate strain.

  • Replacing treasury with compliance misses the £1m intraday funding gap; the main issue shown is settlement liquidity, not rule interpretation.
  • Replacing operations with finance ignores the clear processing shortfall between actual trades and operational capacity.
  • Replacing front office with internal audit omits the function that drove the promotion and can change future trade volumes at source.

Actual volume exceeds operations capacity by 1,500 trades and requires £12m of settlement cash versus £11m arranged, so these three functions are the core ERM participants.


Question 7

Topic: Enterprise Risk Management (ERM)

Exhibit: Standalone stressed losses are Lending £12m, Trading £9m, and Operations £6m. The risk team estimates a £4m diversification benefit when these risks are aggregated.

Using these figures, which statement best explains the main goal of the firm’s ERM programme?

  • A. Report £23m as the firm-wide stressed loss and use it to prioritise risks across the group.
  • B. Report £27m as the firm-wide stressed loss, because ERM should ignore interaction between risk types.
  • C. Report £12m as the key figure, because ERM mainly focuses on the largest single silo risk.
  • D. Report £31m as the firm-wide stressed loss, because diversification benefits increase total risk.

Best answer: A

What this tests: Enterprise Risk Management (ERM)

Explanation: The aggregated stressed loss is £23m: £12m + £9m + £6m - £4m. ERM exists to combine risks into a firm-wide view so management can prioritise material exposures and make consistent decisions for the whole firm, rather than manage each risk in isolation.

A core goal of ERM is risk aggregation: bringing together exposures from different business areas and risk types into one decision-useful view. In this case, the firm-wide stressed loss is £23m after allowing for the stated £4m diversification benefit. That aggregated figure helps the board and senior management compare the total exposure with risk appetite, decide where controls or capital are most needed, and prioritise action across the whole firm.

ERM therefore supports enterprise-level decision making, not silo reporting. The closest distractor is the simple £27m sum, but that ignores the interaction information explicitly provided in the exhibit.

  • Simple sum error: Using £27m ignores the stated diversification benefit, so it overstates the combined firm-wide loss.
  • Sign error: Using £31m wrongly adds the diversification benefit, even though a benefit reduces the total stressed loss.
  • Silo view: Focusing only on the £12m lending loss misses ERM’s purpose of aggregating and prioritising risks across the whole firm.

£23m is the correct aggregated loss, and ERM uses that firm-wide view to prioritise risks and support board decisions.


Question 8

Topic: Enterprise Risk Management (ERM)

Which statement best describes enterprise risk management rather than silo-based risk management?

  • A. Managing each risk category independently within specialist functions
  • B. Limiting risk management to operational and compliance matters
  • C. Managing the firm’s total risk profile against strategy and risk appetite
  • D. Aggregating only quantifiable risks for regulatory reporting

Best answer: C

What this tests: Enterprise Risk Management (ERM)

Explanation: ERM is an organisation-wide approach that views risk as a combined portfolio, not as isolated categories. It manages the total set of risks that could affect objectives and aligns decisions with strategy and risk appetite.

Enterprise risk is the overall set of uncertainties that could affect a firm’s objectives across all business lines and risk types. Enterprise risk management is the coordinated framework used to identify, assess, monitor and manage that total risk profile, including concentrations and interactions between risks, so decisions support strategy and stay within risk appetite.

Silo-based risk management is different because it treats risks separately within functions or business units. That can leave gaps where linked risks are missed or where local optimisation increases total firm risk. The key distinction is integration across the whole enterprise, not just separate control of individual risk categories.

  • Managing risks independently within specialist functions is the classic silo approach, because it lacks an enterprise-wide view of interdependencies.
  • Aggregating only quantifiable risks for regulatory reporting is too narrow; ERM also covers qualitative, strategic and emerging risks.
  • Limiting risk management to operational and compliance matters ignores other major exposures such as market, credit and liquidity risk.

ERM is holistic: it considers aggregate exposures and interactions across the organisation and manages them in line with objectives and risk appetite.


Question 9

Topic: Enterprise Risk Management (ERM)

A bank’s new online savings product has grown faster than expected. Treasury reports rising dependence on one broker channel, operations is using manual workarounds to fix onboarding errors, and model validation says customer lapse assumptions are no longer reliable. The board’s risk appetite states that material issues on a new product spanning funding, controls, and model limitations must be escalated jointly. Which action best applies an ERM approach?

  • A. Pause use of the lapse model until validation is complete, then reassess.
  • B. Tell treasury to reduce broker concentration before any wider review.
  • C. Escalate to the executive risk committee for a joint risk appetite review and coordinated actions.
  • D. Require operations to remove manual workarounds and report next quarter.

Best answer: C

What this tests: Enterprise Risk Management (ERM)

Explanation: Several linked risks are emerging from the same product, and the risk appetite statement explicitly requires joint escalation. The best ERM response is a coordinated review of the aggregate exposure, with shared ownership and oversight, rather than a silo response from one specialist function.

ERM coordinates interconnected risks so management can judge the overall exposure and response at enterprise level. In this scenario, funding concentration, manual workarounds, and unreliable behavioural assumptions all arise from the same fast-growing product. Together they affect liquidity risk, operational risk, and model risk, and the board has already stated that this mix of issues must be escalated jointly.

The best action is to take the matter to the executive risk committee or equivalent forum, assess the combined position against risk appetite, decide whether product growth or controls need to change, and assign actions across the relevant functions. A single-discipline response may help one symptom, but it does not meet the stated escalation requirement or provide enterprise-wide coordination.

  • Treasury only: Reducing broker concentration addresses one element, but it ignores the control and model issues affecting the same product.
  • Model only: Waiting for validation completion treats the matter as isolated model risk and delays the required joint escalation.
  • Operations only: Removing manual workarounds is sensible, but ERM requires an immediate aggregate decision and coordinated oversight, not a silo update later.

Because the issue spans multiple risk disciplines and the appetite statement requires joint escalation, a coordinated executive review is the correct ERM response.


Question 10

Topic: Enterprise Risk Management (ERM)

A diversified financial-services firm reports market, credit, liquidity and operational risks separately by division. The board is considering a new lending product and wants its ERM programme to support firm-wide decisions within risk appetite, rather than produce more silo reporting. Which approach would best achieve that aim?

  • A. Use one risk taxonomy, aggregate exposures across divisions, and prioritise material risks against appetite.
  • B. Prioritise risks solely by last year’s losses before approving the product.
  • C. Let each division escalate its own key risks separately for the board to compare.
  • D. Give internal audit responsibility for approving the product because it is independent.

Best answer: A

What this tests: Enterprise Risk Management (ERM)

Explanation: An ERM programme adds value when it turns separate risk data into a consistent enterprise view for management and the board. Aggregating exposures and prioritising material risks against risk appetite is what allows a strategic decision, such as launching a lending product, to be taken on a firm-wide basis.

The core ERM goal here is decision support across the whole firm, not just better individual risk reports. Using a common taxonomy lets different risk types and business units be viewed on a consistent basis; aggregation then shows total exposure, concentrations and interdependencies; prioritisation highlights which risks matter most relative to the firm’s appetite and capacity. That enterprise view is what the board needs when deciding whether a new lending product fits strategy, controls, capital and liquidity resources.

  • Common definitions improve comparability.
  • Aggregation reveals firm-wide exposure and concentrations.
  • Prioritisation focuses attention on material risks and trade-offs.

Separate escalations, purely historical loss ranking, or giving approval to the third line do not meet ERM’s main purpose.

  • Silo view: Separate divisional escalations may be useful, but the board still lacks one comparable, aggregated view of total risk.
  • Backward looking: Historical losses inform analysis, but ERM must also consider potential severity, correlations and emerging exposures.
  • Wrong governance role: Internal audit should provide independent assurance over the framework, not make first-line business approval decisions.

This creates a single enterprise view of total exposure and key priorities, allowing the board to judge the product against overall risk appetite.

Continue with full practice

Use the CISI Risk Practice Test page for the full Securities Prep route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Read the CISI Risk guide on SecuritiesMastery.com, then return to Securities Prep for timed practice.

Revised on Thursday, May 14, 2026