This free full-length CISI Risk practice exam includes 100 original Securities Prep questions across the exam domains.
The questions are original Securities Prep practice questions aligned to the exam outline. They are not official exam questions and are not copied from any exam sponsor.
Count note: this page uses the full-length practice count maintained in the Mastery exam catalog. Some exam sponsors publish total questions, scored questions, duration, or unscored/pretest-item rules differently; always confirm exam-day rules with the sponsor.
For concept review before or after this set, use the CISI Risk guide on SecuritiesMastery.com.
| Item | Detail |
|---|---|
| Issuer | CISI |
| Exam route | CISI Risk |
| Official exam name | Risk in Financial Services |
| Full-length set on this page | 100 questions |
| Exam time | 120 minutes |
| Topic areas represented | 10 |

| Topic | Approximate official weight | Questions used |
|---|---|---|
| Principles of Risk Management | 14% | 14 |
| International Risk Regulation | 7% | 7 |
| Operational Risk | 15% | 15 |
| Credit Risk | 15% | 15 |
| Market Risk | 15% | 15 |
| Investment Risk | 11% | 11 |
| Liquidity Risk | 10% | 10 |
| Model Risk | 3% | 3 |
| Risk Oversight and Corporate Governance | 5% | 5 |
| Enterprise Risk Management (ERM) | 5% | 5 |
Topic: Enterprise Risk Management (ERM)
Which statement best defines enterprise-wide risk management rather than silo-based risk handling?
Best answer: D
What this tests: Enterprise Risk Management (ERM)
Explanation: Enterprise-wide risk management is a firm-level approach that brings together different risks so they can be assessed in total against strategy and risk appetite. That is the key difference from a silo approach, where risks are handled separately by function or business unit.
The core idea in ERM is integration. A firm identifies and assesses material risks across business lines, products and risk types, then considers the combined exposure against a common risk appetite and governance framework. This helps management see concentrations, correlations and trade-offs that separate teams might miss.
A silo-based approach can still involve capable specialists, but each area mainly manages its own risks independently. That makes it harder to understand the firm’s overall risk profile. Focusing only on operational controls or only on regulatory capital reporting is narrower than ERM. The key distinction is firm-wide aggregation and oversight, not isolated management.
ERM is distinguished by aggregating risks across the organisation and assessing them against a shared risk appetite, rather than managing them in isolation.
Topic: Market Risk
A fund manager’s order to sell a listed share was delayed solely by an internal order-management outage. Ignoring fees, which statement correctly separates the market-risk effect from the execution failure?
Intended sale: 50,000 shares at £6.40
Actual sale after outage: 50,000 shares at £6.10
Best answer: A
What this tests: Market Risk
Explanation: The share price fell by £0.30 while the order was delayed, so the seller received £15,000 less: 50,000 × £0.30. That shortfall is the market-risk effect of adverse price movement, while the outage is the operational execution failure that caused the delay.
The key distinction is between the trigger of the problem and the source of the price impact. Market risk is loss from movements in market prices. Here, the delayed sale left the position exposed to the share price, and the fall from £6.40 to £6.10 reduced proceeds by £15,000.
The internal outage is not itself market risk; it is an operational execution failure. A sound risk assessment separates the operational event from the adverse market move that determined the size of the financial impact. The closest error is to call the whole outcome purely operational and ignore the price movement component.
The 30p fall before execution reduced sale proceeds by £15,000, while the system outage is the separate execution-failure event.
Topic: Credit Risk
Which statement best describes a main limitation of credit-risk measurement?
Best answer: D
What this tests: Credit Risk
Explanation: Credit-risk measurement is not purely objective. Even strong models depend on assumptions, input data quality, and historical default or recovery experience, so results can understate risk when conditions change.
A key limitation of credit-risk measurement is that it is model-dependent rather than certain. Measures such as probability of default or loss given default are produced using assumptions about borrower behaviour, correlations, recoveries, and time horizons. If source data are incomplete, inconsistent, or stale, the estimate can already be flawed. In addition, many inputs are backward-looking, drawing on past defaults, ratings migration, or recovery data. Those historic relationships may break down during stress, structural shifts, or a turning credit cycle. More data and better calibration can improve estimates, but they do not remove model risk or make past patterns a guarantee of future losses. The closest traps confuse improvement with elimination of the limitation.
Credit-risk measures remain limited because they depend on model assumptions, reliable inputs, and historical relationships that may not hold in future conditions.
Topic: Principles of Risk Management
When a financial-services firm deploys an AI-based decision model, which term describes the risk of loss caused by flawed design, poor data, incorrect assumptions, or misuse of the model’s outputs?
Best answer: A
What this tests: Principles of Risk Management
Explanation: The correct term is model risk. Disruptive innovation often relies on complex analytics, and losses can arise when a model is poorly designed, fed weak data, built on faulty assumptions, or used beyond its limits.
Model risk is the risk of adverse consequences from decisions based on incorrect, misused, or misunderstood model outputs. In disruptive innovation, such as AI underwriting, automated pricing, or algorithmic decisioning, this exposure can increase because models may be complex, opaque, highly data-dependent, and introduced quickly into live processes. The key clue in the stem is that the source of the loss is the model itself: its design, assumptions, inputs, validation, or interpretation. Operational risk is broader and can include failures in systems, processes, or people around deployment, but the stem points more specifically to weaknesses in the model and its outputs. That makes model risk the best answer.
This is model risk because the loss driver is the flawed or misunderstood model itself, rather than the wider business process around it.
Topic: International Risk Regulation
Under the Basel framework, which element allows a national regulator to require extra supervisory measures when country-specific risks are not fully captured by Pillar 1 minimum capital rules?
Best answer: B
What this tests: International Risk Regulation
Explanation: The correct concept is the Pillar 2 supervisory review process. Basel sets minimum standards in Pillar 1, but national regulators use Pillar 2 to address risks that are specific to their own market or not fully reflected in standard capital rules.
Pillar 2 is the part of the Basel framework that gives supervisors scope to assess whether a firm’s risks are adequately covered beyond the standard minimum capital requirements. This is where a national regulator can respond to country-specific conditions, concentrations, governance weaknesses, or other local prudential concerns by requiring additional capital, stronger controls, or closer supervision. Pillar 1 sets baseline quantitative requirements, while Pillar 3 focuses on disclosure and market discipline rather than direct supervisory intervention.
The key distinction is that Pillar 2 lets supervisors go beyond the global minimum where local risk conditions justify it.
Pillar 2 allows supervisors to impose additional measures where minimum capital rules do not fully capture local or firm-specific risks.
Topic: Credit Risk
A bank’s corporate lending book includes many committed revolving facilities. Management information to the credit committee measures exposure using only amounts currently drawn. During a downturn, several weaker borrowers fully use their remaining limits shortly before default. Which credit-risk metric is most directly being understated?
Best answer: B
What this tests: Credit Risk
Explanation: The weakness is measuring only today’s utilisation on facilities that can be drawn further before default. That means the bank is understating the amount it may actually be exposed to at the moment of default, which is exposure at default. PD and LGD are separate dimensions of credit risk.
Exposure at default is the credit-risk measure of how much the bank is owed when a borrower actually defaults. For committed revolving facilities, current drawn balances can understate that amount because stressed borrowers often draw down unused limits shortly before failure. In the scenario, the reporting weakness is therefore an EAD problem.
The key point is that undrawn commitments need an EAD view that reflects likely future usage, not just present utilisation.
EAD captures the amount outstanding when default occurs, including likely pre-default drawdowns on committed lines.
Topic: Investment Risk
A wealth manager must place £4,000,000 into one fund for a client who may need the full amount in 2 business days.
| Fund | 1-week price volatility | Sale terms |
|---|---|---|
| Listed bond ETF | 2.4% | Same-day sale at market price |
| Direct property fund | 0.8% | 10 business days’ notice, or immediate transfer at 94% of NAV |
If the client unexpectedly needs all cash in 2 business days, which investment presents the greater decisive risk?
Best answer: B
What this tests: Investment Risk
Explanation: The direct property fund is riskier here because the client may need cash before the normal redemption window ends. Selling immediately at 94% of NAV turns £4,000,000 into £3,760,000, so illiquidity is the decisive risk rather than the lower stated volatility.
This tests illiquidity risk versus price volatility. When an investor may need cash quickly, the key issue is whether the asset can be converted into cash in time and at or near fair value. The direct property fund shows lower 1-week volatility, but it cannot normally be redeemed within 2 business days. An immediate transfer at 94% of NAV gives:
\[ £4,000,000 \times 0.94 = £3,760,000 \]
That creates a £240,000 haircut. The listed bond ETF may have higher short-term price variability, but it can be sold the same day, so it is less exposed to illiquidity for this specific need. Lower volatility does not make an investment safer if the investor cannot exit when required.
At 94% of NAV, an immediate exit raises only £3,760,000, so illiquidity outweighs the lower quoted volatility.
Topic: Operational Risk
At an investment bank’s FX options desk, repeated trade-feed breaks were not investigated by middle office, so several client hedges were not booked before market close. Overnight, sterling moved sharply and the bank suffered a loss on the unintended open position. Which is the single best description of the risks involved?
Best answer: D
What this tests: Operational Risk
Explanation: The unresolved trade-feed break and missed reconciliation are operational-risk failures because they arise from failed systems and processes. Once the bank was left unintentionally unhedged, the adverse sterling movement created market risk as a consequence of that operational event.
Operational risk is the risk of loss arising from failed processes, people, systems or external events. In this scenario, the initiating event is the uninvestigated trade-feed break and the resulting failure to book hedges, so the root cause is operational risk. However, that control failure left the bank with an unintended open FX position. From that point, changes in sterling created market risk, and the eventual loss reflects that additional exposure.
Good risk analysis separates the operational trigger from the consequential risk it creates, because each needs different controls, reporting and ownership. The key takeaway is that the failed booking is not reclassified as purely market or purely model risk just because the loss crystallised after prices moved.
The failed process is the operational-risk event, while the unhedged position then exposes the bank to market risk.
Topic: Credit Risk
A lender has a collateralised exposure that is already revalued daily, but the collateral value is likely to fall when the borrower’s credit quality deteriorates. Which credit-risk management response is most appropriate?
Best answer: A
What this tests: Credit Risk
Explanation: This is a wrong-way risk problem: the mitigation may lose value when the borrower weakens. The best response is to use collateral or other credit support whose value is less dependent on the borrower, so protection is more reliable at default.
The core concept is wrong-way risk in credit mitigation. When collateral is likely to decline in value as the obligor’s credit quality worsens, the lender may discover that the apparent protection is weakest exactly when default risk is highest. Daily revaluation helps monitor and call margin, but it does not remove the underlying dependence between the exposure and the collateral. The strongest response is to replace or supplement that collateral with assets, guarantees, or other support that are less correlated with the borrower, with prudent haircuts where appropriate. This remains a credit-risk management issue, not a reclassification into market risk.
Independent credit support reduces wrong-way risk by breaking the link between the borrower’s weakness and the value of the protection.
Topic: Operational Risk
In operational risk measurement, historical loss data is primarily used to:
Best answer: D
What this tests: Operational Risk
Explanation: Historical loss data is used to identify patterns in past operational risk events, especially how often they occur and how severe they are. Those patterns help calibrate operational risk measurement, but they do not remove the need for forward-looking judgement.
The main use of historical loss data in operational risk measurement is to inform estimates of event frequency and loss severity. By reviewing previous losses from fraud, processing failures, system outages, or other operational events, a firm can see which event types recur and how large losses have been when they happen. This supports risk assessments, scenario analysis, control reviews, and broader measurement frameworks. However, historical data has limits: operational risk also includes rare, severe, or emerging events that may not yet appear in the data. Historical loss data therefore informs measurement, rather than serving as a complete substitute for expert judgement or forward-looking analysis. It is about operational loss behaviour, not counterparty exposure or investment performance.
Past loss data helps calibrate how often operational events occur and how large the resulting losses may be.
Topic: International Risk Regulation
A prudential regulator requires banks with large domestic mortgage books to apply tighter lending standards and hold extra capital because house prices and household leverage are rising unusually fast in its own market. Which regulatory function does this illustrate?
Best answer: B
What this tests: International Risk Regulation
Explanation: The regulator is responding to risks that are specific to its own country rather than creating global rules for all markets. That is the role of a national supervisor using supervisory tools to address domestic vulnerabilities within the broader international framework.
The core concept is national supervisory discretion within international risk regulation. Basel and other international frameworks set broad minimum standards, but domestic regulators must supervise firms in light of local conditions. If risks are building in one country’s housing market, leverage cycle, funding structure, or sector concentrations, the national regulator can impose tighter measures such as stronger underwriting standards, extra capital expectations, or enhanced monitoring.
This is different from writing global standards, which is an international standard-setting role. It is also different from a firm’s own governance tasks, such as setting risk appetite, or assurance tasks, such as testing controls. The key takeaway is that national regulators implement supervision measures to address country-specific risks that may not be equally material elsewhere.
This matches a national regulator tailoring supervision to risks specific to its own market, such as an overheated housing sector.
Topic: Liquidity Risk
A broker-dealer funds a large inventory of UK gilts through overnight repo with three counterparties. After the dealer is put on ratings negative watch, two counterparties refuse to roll their repo and demand extra collateral. The gilts remain actively traded and can still be sold close to quoted prices. Which is the single best description of the primary liquidity risk?
Best answer: B
What this tests: Liquidity Risk
Explanation: This is funding-liquidity risk because the pressure comes from repo lenders refusing to renew short-term financing and asking for more collateral. The stem also states that the gilts remain readily saleable near quoted prices, so the assets themselves are not the main liquidity problem.
Funding-liquidity risk arises when a firm may struggle to meet cash outflows or refinance maturing liabilities. In this scenario, the broker-dealer relies on overnight repo and then faces non-rollover by counterparties plus extra collateral demands after its own credit standing weakens. That is classic refinancing pressure.
Asset-liquidity risk would be the main issue if the gilt inventory had become hard to sell quickly except at a material discount. The stem explicitly says the gilts remain actively traded and can be sold close to quoted prices, so marketability of the assets is not the decisive problem. The key distinction is whether stress comes from inability to sell assets or inability to replace funding. Here it is the latter.
The immediate threat is loss of short-term funding and higher collateral demands, not difficulty selling the gilts.
Topic: Market Risk
A bank’s trading desk holds £5,000,000 nominal of a UK gilt, quoted per £100 nominal.
Ignoring funding effects, which statement is correct?
Best answer: C
What this tests: Market Risk
Explanation: This is a mark-to-market loss on a traded security caused by an adverse market move. The gilt price falls by 1.50 points, which is 1.5% of £5,000,000 nominal, so the loss is £75,000, and the stem explicitly excludes credit and operational failure.
The core concept is market risk classification: the trading position loses value because the market price of the gilt moved against the bank. A fall from 102.40 to 100.90 is a drop of 1.50 points, and gilt prices are quoted per £100 nominal.
Because all counterparties performed and there were no booking, valuation, or settlement errors, the main risk shown is not credit or operational risk. The key takeaway is that adverse changes in market prices create market risk even when every party and process works as expected.
The price fell by 1.50 points, so the long position lost 1.5% of £5,000,000 = £75,000, and the stem rules out default and process failure.
Topic: Liquidity Risk
A securities firm has had steady client cash balances and uninterrupted access to short-term wholesale funding for the past six months. Daily liquidity reports show all internal limits are comfortably met. The CFO proposes scaling back liquidity stress testing because current conditions look stable. Which response best applies sound liquidity-risk management?
Best answer: C
What this tests: Liquidity Risk
Explanation: The best response is to keep liquidity stress testing in place even when current metrics look strong. Normal-condition reports show today’s position, but stress tests show whether the firm could withstand sudden cash outflows, loss of funding, or market disruption and still meet obligations.
Liquidity risk can change very quickly, especially when funding sources dry up or clients withdraw cash at the same time. Current reports and limit monitoring are useful, but they mostly describe conditions that have already been observed. Stress testing matters because it explores severe but plausible scenarios that may not be visible in stable markets, such as a wholesale funding freeze, concentrated client withdrawals, or reduced asset sale capacity.
A sound approach is to use stress testing to:
So, stable conditions are exactly when firms should keep testing resilience, not stop. The closest distractor relies on historical cash data, which is informative but does not substitute for forward-looking stress analysis.
Liquidity stress tests assess resilience under adverse conditions that normal daily reports do not reveal.
Topic: Operational Risk
A bank’s online platform becomes unavailable because its outsourced cloud provider suffers a regional power outage. Under the people, processes, systems and external events framework, what is the primary source of this operational risk?
Best answer: D
What this tests: Operational Risk
Explanation: This event is classified by its primary cause, not just by where the impact appears. Although the bank’s platform is unavailable, the triggering cause is a regional power outage at the outsourced provider, which makes it an external event operational risk.
Operational risk is often grouped by source into people, processes, systems and external events. The key is to identify the main driver of the loss event. Here, the bank experiences system downtime, but the initiating cause is a regional power outage affecting the cloud provider. That sits outside the firm’s internal staff, workflows and technology estate, so the primary category is external events.
A useful way to think about it is:
The closest distractor is systems failure, because the customer-facing symptom is platform unavailability, but the source remains external.
The outage is caused by a regional power disruption outside the firm’s direct control, so the primary classification is an external event.
Topic: Credit Risk
A counterparty credit team notes that its derivatives exposure to an energy trader tends to increase when energy prices fall, and those same price falls also weaken the trader’s credit quality. Which credit-risk concept best matches this relationship?
Best answer: A
What this tests: Credit Risk
Explanation: Wrong-way risk exists when exposure to a counterparty increases at the same time that the counterparty becomes less creditworthy. In the stem, falling energy prices both enlarge the derivatives exposure and weaken the trader, so the risks reinforce each other.
The core concept is wrong-way risk in counterparty credit risk. It arises when the size of the firm’s exposure is positively linked to deterioration in the counterparty’s credit quality. Here, lower energy prices do two things at once: they increase the firm’s exposure to the energy trader and they make that trader more likely to suffer financial stress or default. That dependency makes the position riskier than if exposure and credit quality were unrelated. By contrast, exposure at default is only the amount outstanding when default occurs, loss given default is the proportion lost after default, and probability of default is the likelihood of default. The key distinction is the adverse link between exposure and counterparty weakness.
This is wrong-way risk because the firm’s exposure rises under the same market conditions that make the counterparty more likely to default.
Topic: Principles of Risk Management
A UK wealth manager plans to add 15% direct crypto assets to a retail model portfolio. Valuations would use prices from a single offshore exchange, holdings would sit with an unregulated third-party custodian in omnibus wallets, and marketing would describe crypto as a “liquid diversifier”. The risk committee has not set product-specific limits or a plan for sudden regulatory restrictions. What is the single best action before launch?
Best answer: B
What this tests: Principles of Risk Management
Explanation: The scenario highlights crypto-specific risks beyond market volatility: uncertain valuation, weak custody arrangements, possible conduct issues in client messaging, and regulatory uncertainty. The best response is enhanced product governance covering pricing, custody, disclosure and contingency planning before launch.
Crypto assets can create several risk types at once. Using a single offshore exchange price can weaken fair valuation, especially if trading becomes fragmented or stressed. Omnibus custody with an unregulated provider raises operational and asset-protection concerns, including uncertainty over segregation and recovery if the custodian fails. Calling the assets a “liquid diversifier” may create conduct risk if liquidity dries up or access is restricted. The lack of product-specific limits and a plan for regulatory change shows a governance gap. The strongest action is therefore to require a dedicated control framework for pricing validation, custody due diligence, clear client disclosures and contingency planning. A pure market-risk or counterparty measure would only address part of the exposure.
Crypto creates valuation, custody, conduct and regulatory risks that need dedicated product governance rather than relying on standard market-risk limits alone.
Topic: Operational Risk
A retail bank tracks errors in its payments team.
| Month | Failed reconciliations | Manual overrides | Direct loss |
|---|---|---|---|
| Jan | 4 | 3 | £0 |
| Feb | 6 | 5 | £300 |
| Mar | 9 | 8 | £400 |
Policy: escalate to the operational risk team if failed reconciliations plus manual overrides exceed 15 in a month, even if direct losses are low.
Using the exhibit, which activity is the bank mainly performing when it escalates March?
Best answer: A
What this tests: Operational Risk
Explanation: March has 9 failed reconciliations and 8 manual overrides, so the total is 17 and the escalation threshold is breached. The bank is using simple incident indicators to spot an emerging operational risk, which is risk identification rather than risk measurement or mitigation.
This case is mainly about operational risk identification. The bank adds two incident indicators for March: 9 failed reconciliations + 8 manual overrides = 17, which is above the escalation trigger of 15. That means the figures are being used to recognise an emerging control or process weakness in the payments function.
The key point is that the bank is not yet estimating loss distributions, regulatory capital, or expected severity. It is also not yet changing the process or buying protection. The small direct losses reinforce that the purpose of the threshold is early identification from KRIs and incident patterns, not detailed measurement. The closest distractor is risk measurement, but here the numbers are only a trigger for escalation.
March breaches the incident threshold at 17, so the escalation is mainly about recognising an emerging operational risk pattern rather than quantifying or treating it.
Topic: Credit Risk
Exhibit:
What is the most appropriate credit-risk management response?
Best answer: D
What this tests: Credit Risk
Explanation: Credit risk should be assessed against the effective value of collateral after applying the haircut. Here, the bonds count as £4.32m, leaving £680,000 unsecured, which is £180,000 above the allowed £500,000. The right response is therefore a cash margin call for £180,000.
The key credit-risk management concept is collateral adequacy after haircuts. The bonds have a market value of £4.8m, but with a 10% haircut their effective value is only £4.32m. Residual unsecured exposure is therefore £5.0m minus £4.32m, which equals £680,000. Since policy allows up to £500,000 unsecured after collateral, the firm needs to cure only the excess: £680,000 minus £500,000 = £180,000.
Because the stem states that any extra margin will be posted in cash with no haircut, the correct action is to call exactly £180,000. Calling for more would go beyond the stated control requirement, while taking no action would leave the exposure outside limit.
After the haircut, the bonds cover £4.32m, leaving £680,000 unsecured, so only £180,000 cash is needed to reduce unsecured exposure to the £500,000 limit.
Topic: Investment Risk
A client gives an external manager a global equity mandate for capital growth. After a year, 35% of the portfolio is invested in three thinly traded frontier-market bank shares. The client still wants active global equity exposure but wants the mandate to reduce concentration and liquidity risk. Which revision is most appropriate?
Best answer: B
What this tests: Investment Risk
Explanation: Mandate constraints work best when they target the source of risk. Here, the problem is a large exposure to a few illiquid shares, so issuer and liquidity limits would reduce both concentration risk and exit risk while keeping the portfolio within an active global equity strategy.
An investment mandate should set the portfolio objective and define the risk boundaries within which the manager may operate. Common mandate features include permitted asset classes, benchmark, concentration limits, liquidity limits, and rules on derivatives or leverage. In this case, the main concern is that too much of the portfolio is concentrated in a small number of hard-to-sell shares. The most effective revision is therefore to add explicit limits on position size and on illiquid holdings. That directly constrains the manager’s ability to build exposures that could cause large losses or become difficult to unwind in stressed conditions. By contrast, giving the manager more discretion or changing pay does not create a hard control over these risks. Good mandate constraints translate risk appetite into day-to-day portfolio rules.
Explicit issuer and liquidity limits directly curb concentration and the risk of being unable to sell holdings in stressed markets.
Topic: Investment Risk
A UK authorised multi-asset fund offers investors daily dealing. Its investment committee wants to increase allocations to venture capital, private equity and direct property because their reported quarterly returns appear less volatile than listed equities. Which action best applies a sound risk management principle to this proposal?
Best answer: C
What this tests: Investment Risk
Explanation: Illiquid assets can diversify a portfolio, but for a daily-dealing fund the key principle is to keep exposure within liquidity risk appetite. Venture capital, private equity and property may show smoother reported returns because they are priced less frequently, not because they are inherently low risk.
The core issue is that illiquid assets are harder to sell quickly and are often valued periodically rather than continuously. That can make reported volatility look lower than the underlying economic risk. In a fund offering daily dealing, sound risk management means checking whether redemption obligations can still be met in stress without forced sales of private assets at discounted prices.
A prudent approach is to:
Diversification across private managers may reduce manager-specific risk, but it does not solve the dealing-term mismatch.
This addresses the liquidity mismatch between illiquid assets and daily dealing rather than relying on smoothed return data.
Topic: Principles of Risk Management
A bank is assessing a regtech tool for customer due diligence.
Exhibit:
If volumes stay unchanged for 12 months, what is the net annual saving, and which potential benefit of disruptive innovation does this best illustrate?
Best answer: A
What this tests: Principles of Risk Management
Explanation: Manual processing costs £576,000 a year, while the regtech option costs £384,000 plus the £120,000 platform fee, or £504,000. The net saving is therefore £72,000, illustrating a common regtech benefit: lower compliance-processing cost.
The core concept is that disruptive innovation, especially regtech, can improve efficiency in control and compliance activities. Here, the bank reviews the same volume of files, so the calculation compares annual manual cost with annual regtech cost.
That supports the benefit of more efficient compliance operations, not a change in market risk or credit concentration.
Manual annual cost is £576,000 versus £504,000 with regtech, so the £72,000 saving shows a key regtech benefit: more efficient compliance processing.
Topic: Credit Risk
A bank tightens its commercial property lending policy after rising sector concentration. The first line drafts lower loan-to-value limits, an independent risk function challenges the assumptions, the board credit committee approves the policy, and underwriters are trained and systems updated. During the first three months of live use, management compares policy overrides, limit breaches and early arrears with expectations. Under a Basel-aligned framework, which stage is this?
Best answer: D
What this tests: Credit Risk
Explanation: The policy has already been drafted, independently challenged, approved and embedded in systems and staff procedures. Measuring overrides, breaches and early arrears in the first months of live operation is post-implementation monitoring, because it tests whether the policy is working as intended in practice.
The deciding point is that the policy is already in force and management is now observing real-world results. The stem shows that development, validation, approval and implementation have all happened: the business drafted the policy, an independent risk function challenged it, the committee approved it, and the policy was embedded through training and system changes. Comparing overrides, breaches and early arrears with expected behaviour is therefore post-implementation monitoring.
A periodic policy review is broader and asks whether the policy remains suitable or needs amendment, often using evidence generated by monitoring. Validation occurs before approval, and implementation is the rollout into people, processes and systems. The key takeaway is that early live-use performance checks are monitoring, not validation or implementation.
The policy is already live, so comparing actual exceptions and early performance with expected outcomes is post-implementation monitoring.
Topic: Enterprise Risk Management (ERM)
A firm’s CRO reviews the following same-day positions after a sharp interest-rate move:
| Item | Amount |
|---|---|
| Opening cash buffer | £12m |
| Variation margin payable today | £9m |
| Cash expected today from a securities sale | £5m |
| Proportion of sale proceeds delayed by a settlement outage | 80% |
Which interpretation is most appropriate?
Best answer: D
What this tests: Enterprise Risk Management (ERM)
Explanation: Only 20% of the £5m sale proceeds is available today because 80% is delayed, so usable cash is £4m. The key point is that the firm’s position is being driven by interacting market, liquidity and operational factors, which makes this mainly an ERM coordination issue.
ERM is about understanding how different risks combine at firm level rather than viewing each one in isolation. In this scenario, the interest-rate move creates a variation margin payment, the cash buffer determines the liquidity effect, and the settlement outage delays planned funding. The arithmetic is:
Because the firm’s same-day cash position depends on linked market, liquidity and operational events, the main issue is cross-risk coordination and escalation through the ERM framework. Looking at only one discipline would miss the combined effect on the firm.
Only £1m of the sale proceeds arrives today, so usable cash is £12m - £9m + £1m = £4m and the issue spans market, liquidity and operational risks.
Topic: Market Risk
Which statement best describes market depth and immediacy, and why they matter for market-risk exit costs?
Best answer: A
What this tests: Market Risk
Explanation: Market depth and immediacy are core aspects of market liquidity. Depth is the market’s capacity to absorb trade size near current prices, while immediacy is the ability to trade quickly at a reasonable price; when either is weak, exit costs rise through wider spreads and larger price concessions.
The core concept is market liquidity within market risk. Market depth refers to how much can be bought or sold at or near the current market price without causing a material move in price. Immediacy refers to how quickly a participant can execute that trade at a fair price. If depth is poor, larger trades move the market more. If immediacy is poor, a firm may need to wait, split trades, or accept a worse price to exit promptly. In both cases, realised losses on exit can exceed what a simple mark-to-market snapshot suggests.
This is different from funding liquidity, which is about obtaining cash, and different again from model or settlement issues, which concern measurement or post-trade process rather than the market’s ability to absorb trades.
These are both dimensions of market liquidity, so poor depth or immediacy makes unwinding positions more costly and can worsen realised losses.
Topic: Operational Risk
Historical loss data in operational-risk management is most useful, beyond quantifying past losses, for which purpose?
Best answer: A
What this tests: Operational Risk
Explanation: Historical loss data helps firms learn from past operational failures. Patterns in loss events can reveal weak controls, repeated process breakdowns, or vulnerable business areas, so management can prioritise corrective action rather than using the data only for measurement.
Historical loss data is not only a measurement input. In operational-risk management, it is reviewed to identify where losses occur, which event types recur, and what root causes or control failures sit behind them. That supports practical management actions such as strengthening controls, updating risk and control assessments, refining key risk indicators, and directing remediation to the highest-risk areas.
Historical data is backward-looking, so it should complement rather than replace forward-looking tools such as scenario analysis. It also does not directly measure inherent risk, because recorded losses arise in the real operating environment where controls already exist. The key point is that loss data helps improve the control framework, not just count past losses.
Loss patterns reveal repeated process or control failures, helping management target remediation and improve the control environment.
Topic: Operational Risk
A bank is replacing its payments workflow in phases while the new and old processes are both live.
Exhibit:
Using failure rates, which statement best identifies the main risk arising from change rather than business as usual?
Best answer: A
What this tests: Operational Risk
Explanation: The migrated branches have a failure rate of 0.30%, while the unchanged branches have a failure rate of 0.15%. Because the higher rate is in the migrated population and is caused by a release defect, the main live issue is change-project risk rather than business-as-usual operational risk.
This item tests the difference between business-as-usual operational risk and change-project risk in a live environment. Both sets of branches are processing live payments, but the deciding factors are the incident rate and the cause. Migrated branches have 120 failures out of 40,000 payments, or 0.30%. Unchanged branches have 180 failures out of 120,000 payments, or 0.15%. The migrated population therefore has double the failure rate, and its failures are explicitly linked to a defect introduced by the rollout. That makes the main incremental risk a change-project risk, even though it is affecting live operations.
The closest trap is to focus on absolute failures only; volume-adjusted rates and the source of the control breakdown are what matter here.
120/40,000 is 0.30%, which is higher than 180/120,000 at 0.15%, and the higher-rate issue is linked to the new release.
Topic: Credit Risk
Under a Basel-aligned credit-risk framework, a bank has just launched a revised unsecured lending policy. Over the next six months, it tracks override rates, early arrears and policy exceptions against expected tolerances, escalating any material deviations. Which stage of the policy lifecycle does this activity best match?
Best answer: C
What this tests: Credit Risk
Explanation: This is post-implementation monitoring because the bank is observing actual lending outcomes after the policy has gone live and comparing them with expected tolerances. That is distinct from rollout, pre-launch testing, or a later formal policy review.
The core concept is the credit-policy lifecycle under Basel-style governance. After a policy has been approved and implemented, the firm should monitor real-world outcomes such as arrears, override rates and exception volumes to confirm that the policy is operating as intended and remains within risk appetite. That is post-implementation monitoring.
Validation is earlier and focuses on whether the policy design, assumptions and controls are appropriate before the firm relies on them. Implementation is the rollout stage, including embedding procedures, systems and training. Review is the broader periodic reassessment of whether the policy still remains suitable, often informed by the results of ongoing monitoring.
The key clue is that the bank is using live post-launch performance indicators over time.
It uses live performance data after go-live to confirm the policy is working as intended and to escalate adverse outcomes.
Topic: Market Risk
A bank’s rates trading desk holds a concentrated long position in 30-year gilts. Daily VaR has stayed within limit because the model uses a recent low-volatility period, but an inflation surprise has sharply steepened the yield curve and produced losses well beyond expectation. Which risk-management approach is the single best fit for this exposure?
Best answer: D
What this tests: Market Risk
Explanation: The main issue is market risk from a concentrated long-duration rates position, made worse by VaR calibrated to unusually calm conditions. The best response is to add yield-curve stress testing and explicit concentration limits so severe but plausible rate shocks are captured before losses escalate.
This is a market-risk control problem involving interest-rate risk, especially duration and yield-curve exposure. The position is concentrated in long-dated gilts, and the existing VaR measure is based on a low-volatility period, so it can understate losses from a sharp curve move. The best-fit approach is therefore to supplement VaR with stress tests for severe rate scenarios and to set concentration or duration limits on the long-dated position. That addresses both weaknesses in the stem: poor sensitivity to tail events and excessive exposure size. Back-testing and stop-losses can still be useful secondary controls, but they do not provide the same forward-looking protection against a concentrated rates shock. The key takeaway is that historical VaR should be complemented by stress testing and position limits when concentrations are material.
This directly addresses both the concentrated duration exposure and the VaR model’s failure to capture a severe yield-curve shock.
Topic: Operational Risk
A private bank suffered repeated payment-processing errors. A review found that line managers, operations staff and the Risk function each assumed someone else owned control testing and remediation. The firm is rewriting its operational risk policy. Which policy statement best applies clear roles and responsibilities?
Best answer: B
What this tests: Operational Risk
Explanation: A sound operational risk policy must allocate responsibility clearly across the three lines of defence. Business owners should own and operate controls, the Risk function should set the framework and challenge, and Internal Audit should provide independent assurance.
The core principle is clear accountability. In the scenario, losses persisted because control testing and remediation were not explicitly owned, so people assumed that another team was responsible. A strong operational risk policy should therefore state who owns the risk and controls in the business, who provides oversight and challenge, and who gives independent assurance. In practice, this means business or process owners in the first line manage controls and fix weaknesses, the Risk function in the second line sets policy and monitors compliance with it, and Internal Audit in the third line reviews the framework independently. This separation reduces gaps, duplication and conflicts of interest. Committees can oversee and escalate matters, but they should not replace named management ownership.
It assigns first-line ownership, second-line oversight and third-line assurance, removing ambiguity over who must act.
Topic: Investment Risk
Which statement best describes the difference between nominal return and real return on an investment?
Best answer: B
What this tests: Investment Risk
Explanation: Real return shows the change in purchasing power because it adjusts the stated, or nominal, return for inflation. Nominal return can appear positive even when the investor is worse off in real terms if prices rise quickly.
The core concept is purchasing power. Nominal return is the percentage return reported on an investment without allowing for inflation. Real return adjusts that nominal figure for inflation, so it shows whether the investor can actually buy more or less after general prices have changed. This is why inflation can reduce the investor’s true economic outcome even when the nominal return looks satisfactory. Tax, fees, and the split between income and capital growth are separate issues and do not define the difference between nominal and real return. The key distinction is simply whether inflation has been taken into account.
Real return is the nominal return adjusted for inflation, so it reflects the investor’s purchasing power.
Topic: Principles of Risk Management
A regulatory approach monitors common exposures, funding-market linkages and the risk that distress at one firm could spread to others, aiming to limit instability across the financial system as a whole. Which concept does this describe?
Best answer: C
What this tests: Principles of Risk Management
Explanation: The best match is macroprudential regulation because it is designed to protect the financial system as a whole, not just individual firms. It targets contagion channels, interconnectedness and shared vulnerabilities that can transmit losses across markets and institutions.
Macroprudential regulation is the system-wide approach to risk oversight. Its core purpose is to reduce the build-up and spread of instability caused by interconnected firms, common exposures, funding dependencies and procyclical behaviour. In other words, it looks at how problems at one institution or market can transmit losses or liquidity stress elsewhere, creating broader financial instability.
By contrast, supervision aimed mainly at the safety and soundness of a single firm is microprudential. Planning for the orderly failure of a distressed firm is recovery and resolution planning, and enterprise risk management is an internal firm-level framework for managing risks across the business. The key distinction is the focus on the financial system as a network, rather than on one institution alone.
It focuses on system-wide stability by addressing contagion, interconnectedness and common shocks across firms and markets.
Topic: Credit Risk
A bank’s risk team independently challenges the assumptions in a probability-of-default model, checks whether its calibration sample remains representative, and investigates missing borrower data that could bias outputs. Which control function best matches this work?
Best answer: B
What this tests: Credit Risk
Explanation: The work described is independent model validation. It focuses on whether the model’s assumptions, calibration choices and source data are appropriate, because weaknesses in any of these can distort credit-risk metrics such as probability of default.
Model validation is the control function that challenges whether a credit-risk model is fit for purpose. In the stem, the team is not approving loans or monitoring exposures; it is reviewing the model itself. That review covers three common drivers of model risk in credit measurement: assumptions, calibration and data quality. If assumptions are unrealistic, the calibration sample is outdated or unrepresentative, or borrower data are incomplete, measures such as PD and expected loss can be biased. Independent validation helps detect those weaknesses before the model is used for pricing, limits, provisioning or capital decisions.
The closest distractor is stress testing, but stress testing examines performance under adverse scenarios rather than validating whether the core model has been built and fed correctly.
This is model validation because it independently tests whether assumptions, calibration and input data make the credit-risk metric reliable.
Topic: Liquidity Risk
A treasury team wants a report that places expected cash inflows and outflows into daily and weekly time buckets so it can identify exactly when net funding gaps arise over the next month. Which liquidity measure or analysis approach best matches this need?
Best answer: B
What this tests: Liquidity Risk
Explanation: The best match is cash-flow maturity ladder analysis because it shows when cash is expected to come in and go out across short time buckets. That makes it suitable for spotting specific near-term liquidity gaps rather than giving only a high-level ratio or an extreme-scenario view.
A cash-flow maturity ladder is a core liquidity measurement tool used to map expected inflows and outflows into time buckets such as overnight, one week, and one month. In the situation described, the team wants to know exactly when mismatches appear over the next month, so a bucketed cash-flow view is the most appropriate approach.
This tool helps firms:
By contrast, the liquidity coverage ratio is a regulatory buffer measure over a stressed 30-day horizon, and the net stable funding ratio is a longer-term structural funding measure. Reverse stress testing asks what scenario would make the firm fail, rather than mapping routine cash gaps by date.
A cash-flow maturity ladder groups inflows and outflows by time bucket, making the timing and size of liquidity mismatches visible.
Topic: Risk Oversight and Corporate Governance
In a financial-services firm, what is meant by risk culture?
Best answer: C
What this tests: Risk Oversight and Corporate Governance
Explanation: Risk culture refers to the behaviours, norms and attitudes that influence how risk is handled across a firm. A strong risk culture supports challenge, escalation and disciplined decisions, which can both reduce losses and improve long-term performance.
The core concept is that risk culture is about how people actually behave in relation to risk, not just what policies say. In a financial-services firm, it includes openness to challenge, willingness to escalate concerns, accountability, and alignment between incentives and the firm’s risk appetite. Managing risk culture well adds value because it improves decision-making, supports early identification of issues, and reduces the chance that staff take inappropriate risks or ignore warning signs.
The closest confusion is risk appetite, which is the amount and type of risk the board is willing to accept. Risk culture is broader: it determines whether that appetite is understood and followed in practice.
Risk culture is the organisation-wide pattern of attitudes and behaviours that influences day-to-day risk decisions.
Topic: International Risk Regulation
For this question, assume the Basel Pillar 1 minimum total capital ratio is 8%.
A bank reports:
Which statement best explains how Basel Pillars 1, 2 and 3 interact in this case?
Best answer: C
What this tests: International Risk Regulation
Explanation: Pillar 1 sets the minimum regulatory capital requirement, so 8% of £500 million gives £40 million and the bank has a £6 million surplus. Pillar 2 still matters because the bank’s ICAAP says £52 million is needed for its fuller risk profile, so supervisors may require further action. Pillar 3 is the disclosure pillar that supports market discipline.
Basel Pillar 1 provides a minimum capital floor based on risk-weighted assets. In this case, the Pillar 1 requirement is £40 million, calculated as 8% of £500 million, so the bank meets that minimum with £46 million of capital. Pillar 2 then adds the bank’s own assessment of risks and supervisory review, recognising that formula-based minimums may not capture all firm-specific exposures; the ICAAP estimate of £52 million suggests the supervisor may expect extra capital, stronger controls, or other remediation. Pillar 3 is separate again: it requires public disclosure of capital, risks and risk management so that the market can assess the firm. The key point is that the three pillars are complementary, not substitutes.
£46 million exceeds the £40 million Pillar 1 minimum, but is below the £52 million ICAAP assessment under Pillar 2, while Pillar 3 concerns disclosure.
Topic: Risk Oversight and Corporate Governance
A financial-services firm’s board has approved growth targets but has not stated the amount and types of risk it is willing to accept in pursuing them. Which oversight response best addresses this governance gap?
Best answer: C
What this tests: Risk Oversight and Corporate Governance
Explanation: The missing governance element is risk appetite: the board has set strategy but not defined the risks it is willing to accept to achieve it. The best response is therefore to approve a risk appetite statement and turn it into measurable limits, thresholds and escalation rules.
Risk appetite is the board-approved expression of the amount and types of risk a firm is willing to take in pursuit of its objectives. When growth targets exist without clear risk boundaries, the governance weakness is not a lack of capital or reporting detail; it is the absence of a formal risk appetite framework. Good oversight means setting that appetite at board level and cascading it into business-line limits, KRIs and escalation triggers so management decisions stay within agreed boundaries.
Risk capacity is different: it is the maximum risk the firm could absorb, not the level it chooses to take. Internal audit provides independent assurance as a third-line function and should not own or set first-line risk limits.
This sets board-level boundaries for risk-taking and translates them into practical controls and escalation points.
Topic: Enterprise Risk Management (ERM)
A firm uses exception-based escalation in its ERM programme:
This month:
| Unit | Loss |
|---|---|
| Retail operations | £1.8m |
| Wealth operations | £1.7m |
| Treasury operations | £1.6m |
Which conclusion is most appropriate?
Best answer: D
What this tests: Enterprise Risk Management (ERM)
Explanation: The losses aggregate to £5.1m, which exceeds the firm’s £5.0m group threshold. This shows why ERM implementation needs central aggregation and clear accountability for escalation, even when no individual business unit breaches its own limit.
A key ERM implementation challenge is that exception-based reporting can fail if risks are viewed only in silos. Here, each unit is below the £2.0m local trigger, but the enterprise total is £5.1m, so the group-level exception has been breached and escalation to the Group CRO is required.
An effective ERM programme therefore needs:
The main lesson is that aggregation and accountability are essential; local reporting alone would miss this enterprise-wide breach.
The three losses total £5.1m, so the group threshold is breached and the Group CRO should be notified.
Topic: Market Risk
A bank’s trading desk has built a concentrated position in long-dated government bonds. The desk remains within its daily VaR limit, but a 200 basis-point rise in yields under stress testing would produce a loss above the board’s approved market-risk appetite. Which approach best fits this market-risk control problem?
Best answer: A
What this tests: Market Risk
Explanation: The core issue is concentrated interest-rate risk that appears acceptable under normal VaR but becomes unacceptable under a severe yield shock. The best approach is to use stress testing within the firm’s risk-appetite framework, with explicit stress-loss limits and escalation when tolerance is exceeded.
This is a market-risk control problem driven by duration concentration. VaR is useful for day-to-day monitoring, but it may understate losses from large rate moves or concentrated positions, especially when recent volatility has been subdued. Because the stress scenario shows losses above the board’s approved appetite, the appropriate response is to add or enforce stress-based limits and require escalation to senior management or the relevant risk committee when those limits are breached.
That approach links the desk’s activity to governance, risk appetite and tail-risk control. Raising a VaR limit would weaken discipline, while operational checks or counterparty-limit changes address different risk types. The key takeaway is that market-risk oversight should not rely on VaR alone when stress testing reveals exposure outside appetite.
Stress testing captures the tail interest-rate move that VaR can miss, so exposure beyond board appetite should trigger limits and escalation.
Topic: Credit Risk
A financial group has three material exposures: a bilateral FX swap with Bank Q that is currently in the group’s favour, a £25 million holding of bonds issued by Utility Z, and a residential mortgage book vulnerable to a nationwide fall in house prices. The CRO wants controls that best match the main risk type in each case. Which action is most appropriate?
Best answer: D
What this tests: Credit Risk
Explanation: Different credit exposures need different primary controls. The FX swap creates counterparty risk to Bank Q, the bond position is issuer risk to Utility Z, and the mortgage book is exposed to systematic housing stress, so collateral and limits, issuer concentration controls, and stress testing are the best fit.
The key principle is to match the control to the dominant source of credit loss. A bilateral FX swap that is in the firm’s favour exposes the firm to Bank Q if that counterparty defaults, so counterparty limits and collateral management are appropriate. A holding of Utility Z bonds is mainly a single-issuer exposure, so issuer concentration limits and diversification are the relevant tools. A residential mortgage book can be hit by broad macro factors such as a nationwide fall in house prices, which is systematic credit risk and is best assessed through scenario analysis and stress testing.
Diversification can reduce single-name concentration, but it does not remove market-wide housing stress, and market VaR is not a substitute for core credit-risk controls.
It matches the dominant risk in each exposure: counterparty for the swap, issuer for the bond, and systematic risk for the mortgage book.
Topic: Principles of Risk Management
A firm exchanges daily variation margin with no threshold.
Exhibit:
Which statement best describes the firm’s risk position at close?
Best answer: C
What this tests: Principles of Risk Management
Explanation: The exposure gap at close is £13m minus £8m, so the firm has a £5m uncollateralised exposure. The important risk point is that this gap reflects both an external driver, the market move, and an internal driver, the systems failure that stopped the margin call.
This item tests how risk drivers can overlap in practice. The external driver is the sharp market move, which increased the firm’s counterparty exposure from £8m to £13m. The internal driver is the systems outage, which prevented the normal control response of calling additional variation margin. Because the firm has daily margining with no threshold, collateral should have been increased to match the new £13m exposure. Instead, collateral remained at £8m, so the firm ended the day with a £5m uncollateralised exposure.
The key lesson is that business risk events are often interactive rather than isolated: market conditions create the need for action, and internal control weaknesses can magnify the resulting exposure. Calling this solely market risk misses the operational weakness that allowed the gap to remain.
Exposure rose to £13m while collateral stayed at £8m, leaving a £5m gap caused by an external market move and an internal control failure.
Topic: Operational Risk
A firm monitors failed settlements, manual overrides, and system outages against pre-set thresholds. Breaches are escalated monthly to senior management, and business units with worsening trends must strengthen controls first. Which function best matches this use of operational risk measurement?
Best answer: D
What this tests: Operational Risk
Explanation: This describes the use of operational risk indicators as a management tool. Measuring trends against thresholds helps the firm identify areas of concern, prioritise control action, and provide structured reporting to senior management.
The core concept is operational risk measurement as a basis for action, not just record-keeping. In the stem, the firm tracks operational indicators, compares them with thresholds, escalates breaches, and focuses control improvement on business units showing deterioration. That means the measurement is serving three linked purposes: early warning, prioritisation of remediation, and reporting through governance channels.
Operational risk is assessed and measured so management can decide where exposures are increasing, whether controls need strengthening, and what should be escalated to committees or senior leaders. This differs from assurance work, which tests controls independently, and from specialist market or credit models, which measure different risk types. The key takeaway is that operational metrics support monitoring and management response.
Threshold-based operational metrics highlight rising exposures, help rank areas needing remediation, and support escalation through management reporting.
Topic: Market Risk
An investment firm uses daily VaR and sensitivity limits on its trading book. After a sharp rise in gilt yields, it records a mark-to-market loss on a portfolio of fixed-rate bonds. Counterparties remain sound and systems operate normally. Which risk category do these controls primarily address in this case?
Best answer: C
What this tests: Market Risk
Explanation: This is market risk because the loss is driven by a change in market yields that reduces bond prices. VaR and sensitivity limits are standard tools for monitoring trading losses caused by movements in rates and other market variables.
The core concept is market-risk classification. A rise in gilt yields causes fixed-rate bond prices to fall, so a trading portfolio holding those bonds can suffer an immediate mark-to-market loss even when issuers, counterparties and internal processes are all functioning normally. Daily VaR and sensitivity limits are designed to monitor exactly this type of exposure: potential losses from adverse movements in market factors such as interest rates, FX rates, equity prices or spreads.
Credit risk would require deterioration in the issuer or counterparty’s ability to meet obligations, while operational risk would require a failure in people, processes, systems or external events. Liquidity risk is about being unable to fund positions or exit them at a reasonable price. Here, the decisive fact is the adverse yield move, so the case is mainly about market risk.
The loss comes from a market price change, as higher yields reduce the value of fixed-rate bonds even though counterparties and operations are unaffected.
Topic: Liquidity Risk
A bank treasury team is preparing a 7-day liquidity report.
Exhibit:
| Item | Amount | Note |
|---|---|---|
| Wholesale funding maturity | £40m | Due in 7 days |
| Loan principal repayment | £12m | Contractually due in 7 days |
| Bond coupon receivable | £8m | Contractually due in 7 days |
| Instant-access retail deposits | £50m | No fixed maturity; assume 10% runoff |
| Undrawn committed facilities | £30m | Not yet drawn; assume 20% drawdown |
What is the bank’s 7-day net contractual cash flow position?
Best answer: B
What this tests: Liquidity Risk
Explanation: The contractual view includes only cash flows that are legally due within 7 days. That gives £40m of contractual outflows and £20m of contractual inflows, so the bank has a £20m net contractual outflow; assumed deposit runoff and facility drawdown belong to a behavioural view, not a contractual one.
The key distinction is between scheduled cash flows and assumed behaviour. Contractual cash-flow facts are amounts legally due on known dates, while behavioural assumptions estimate likely actions on balances with no fixed maturity or on contingent commitments.
Here, the contractual items are:
So the 7-day net contractual position is:
\[ \text{Net contractual cash flow} = 20 - 40 = -£20m \]
That is a £20m net outflow. The assumed 10% runoff on instant-access deposits and assumed 20% drawdown on undrawn facilities are useful for behavioural or stress liquidity planning, but they are not contractual cash-flow facts.
Only the funding maturity, loan repayment, and coupon are contractual cash flows; the deposit runoff and facility drawdown are behavioural assumptions.
Topic: Liquidity Risk
Which liquidity-management technique best matches this description: it reduces rollover risk by locking in funding for a longer tenor, but it can create a new vulnerability because more assets become encumbered and are therefore less available to meet unexpected outflows?
Best answer: C
What this tests: Liquidity Risk
Explanation: The best match is greater use of term secured funding. It improves funding stability by reducing near-term refinancing needs, but it can also weaken flexibility because pledged assets are encumbered and cannot be used as freely during a liquidity stress.
The core concept is the trade-off between refinancing risk and asset encumbrance. When a firm replaces shorter-dated or less stable funding with longer-term secured funding, such as repo, it reduces the chance that it must refinance in stressed markets at short notice. That improves funding liquidity resilience. However, the assets pledged as collateral are now encumbered, so they are less available to generate cash, support further borrowing, or absorb unexpected outflows. This means one liquidity vulnerability is reduced while another can increase.
The closest alternatives either measure liquidity risk or improve resilience without creating the same encumbrance effect. The key match is the action that improves tenor by tying up assets as collateral.
Secured term funding lowers refinancing pressure, but pledging collateral encumbers assets and can reduce the buffer available in a stress.
Topic: Credit Risk
An investment bank has a bilateral OTC derivatives exposure to a hedge fund. The exposure is margined daily under a collateral agreement, but the hedge fund posts only a concentrated pool of government bonds. After a sharp market move, margin calls rise and the bank’s collateral team must reconcile disputes manually on spreadsheets. What is the single best assessment?
Best answer: A
What this tests: Credit Risk
Explanation: Daily collateralisation reduces unsecured counterparty exposure, so it does mitigate credit risk. However, the scenario also includes manual collateral processing and concentrated non-cash collateral, which can create operational delays and liquidity pressure during stressed margin calls.
The core concept is that collateral is a credit risk mitigant, not a complete risk eliminator. Daily margining should reduce the bank’s current exposure to the hedge fund because more of the mark-to-market is secured. But the other facts in the scenario matter: manual spreadsheet reconciliation can delay dispute resolution, settlement, and escalation, which is an operational-risk weakness. A concentrated pool of government bonds may be high quality, yet it can still create liquidity complications if large calls arrive quickly, haircuts increase, or the bank cannot mobilise or re-use the collateral as needed.
The key takeaway is that collateral can reduce exposure while still introducing operational and liquidity complications, especially in stressed conditions.
Collateral reduces unsecured counterparty exposure, but manual dispute handling and reliance on concentrated bond collateral can still cause process failures and funding strain.
Topic: Enterprise Risk Management (ERM)
A firm’s central risk team does not run day-to-day credit, market or operational controls. Instead, it uses a common risk taxonomy, aggregates exposures across business units, compares the combined profile with the board’s risk appetite, and escalates conflicts between divisions. Which function is this?
Best answer: A
What this tests: Enterprise Risk Management (ERM)
Explanation: The stem is about joining up different risks across the whole firm, not managing one discipline in isolation. Using a common taxonomy, aggregating exposures and comparing the total profile with board-approved risk appetite are classic ERM coordination tasks.
ERM provides a whole-of-firm view of risk. In the scenario, the central team is combining information from several risk disciplines, applying one risk language, assessing the aggregated position against the board’s risk appetite, and escalating trade-offs between business units. That is broader than credit, market, operational or liquidity risk management on their own. It is also broader than assurance work, because the team is actively coordinating and reporting the live enterprise risk profile rather than independently reviewing it after the fact. The key clue is the cross-risk, cross-business aggregation and escalation to support senior management and board oversight.
These are core ERM activities because they integrate multiple risk types and assess the firm’s overall profile against board-approved risk appetite.
Topic: Operational Risk
A wealth manager responds to a rise in payment-fraud attempts by issuing a new operational-risk policy for client cash withdrawals. The risk team requires a second approval for every same-day payment above £50,000. However, the front office uses a separate workflow system, payment operations is outsourced, and compliance was not consulted on vulnerable-client exceptions. Staff begin using email approvals outside the formal process. What is the single best reason cross-functional involvement and agreement were needed before the policy was approved?
Best answer: C
What this tests: Operational Risk
Explanation: Operational-risk controls only work if the affected functions agree how they will operate in practice. Here, separate systems, outsourced operations and undefined exceptions led to email workarounds, showing the policy was not aligned to the end-to-end process or clear ownership.
Cross-functional involvement matters because an operational-risk policy must match the real end-to-end process, not just the intended control. In this case, the approval rule affected front-office workflow, outsourced payment operations and compliance treatment of vulnerable clients. Because those functions were not aligned, staff created email workarounds outside the formal process, weakening auditability, increasing execution risk and blurring ownership of exceptions.
Agreement across business, operations, technology and oversight functions helps the firm design feasible controls, define exceptions, confirm system support, and assign clear responsibility for execution, monitoring and escalation. The second line should set standards and challenge, but it should not take over first-line control ownership. The key takeaway is that a control which is not jointly workable will often fail in practice, even if it looks strong on paper.
Cross-functional agreement ensures the control fits the actual process, systems, outsourcing arrangements and exception handling, so it can be applied consistently.
Topic: Investment Risk
A pension scheme wants its external equity manager to remain close to the agreed benchmark and to avoid unintended style drift. Which mandate constraint best matches this purpose?
Best answer: C
What this tests: Investment Risk
Explanation: A tracking-error limit is the mandate feature that most directly controls how far portfolio returns are expected to deviate from the benchmark. By setting an explicit active-risk budget, it helps reduce style drift and excessive benchmark-relative bets.
Tracking error is a standard measure of active risk: it shows how much a portfolio’s returns are expected to vary relative to its benchmark. When an investment mandate sets a maximum tracking-error limit, it constrains the manager’s freedom to take large sector, stock, country, or factor positions away from the benchmark. That makes it a direct control for keeping the portfolio aligned with the agreed investment style and risk appetite.
This differs from other mandate constraints, which address different risks. A concentration cap limits exposure to any one holding, a credit-quality rule manages default risk in fixed income, and a turnover limit controls trading activity and costs. The closest distractor is the concentration cap, but it does not directly set a benchmark-relative risk budget.
Tracking error directly limits expected benchmark-relative active risk, helping keep the portfolio close to its benchmark.
Topic: Credit Risk
At a bank’s mid-market lending unit, overdue balances and internal downgrades rise over one quarter across many unrelated borrowers after a sharp rise in interest rates and weaker consumer demand. No borrower represents more than 3% of the loan book, and the rating model has not changed. What is the single best interpretation of this pattern?
Best answer: C
What this tests: Credit Risk
Explanation: The key clue is that arrears and downgrades are increasing across many unrelated borrowers after a macroeconomic shock. That indicates broad credit deterioration in the portfolio, not a problem confined to one obligor, one oversized exposure, or a changed model.
This scenario describes common-factor credit stress rather than an idiosyncratic borrower event. A sharp rise in interest rates and weaker demand are external conditions that can weaken debt-servicing capacity across many obligors at the same time. Because overdue balances and downgrades are appearing across many unrelated borrowers, the most sensible reading is systemic deterioration in credit conditions.
The other facts help rule out alternatives:
An isolated obligor-specific event would normally involve one borrower suffering its own problem, such as fraud, litigation, or a contract loss. The deciding feature here is the shared macro driver affecting many borrowers simultaneously.
The deterioration is broad-based and linked to a common macroeconomic shock, indicating systemic credit weakening rather than a single-name event.
Topic: Model Risk
A firm uses a market-risk model calibrated from several years of unusually low volatility. Management relies heavily on the output when setting limits. After a sudden regime shift, losses materially exceed the model estimate. Which modelling limitation does this best illustrate?
Best answer: C
What this tests: Model Risk
Explanation: This illustrates a core model limitation: models are simplifications built on assumptions and historical data that may not hold in future conditions. When regimes change, reliance on past relationships can create false confidence and understate risk.
The key issue is dependence on historical data and assumed relationships remaining stable. A model calibrated during unusually calm markets may fit that period well, but it can fail when volatility, correlations, or customer behaviour change sharply. In risk management, this is a main limitation of modelling: outputs can look precise even though they are only estimates conditional on assumptions, data quality, and the environment staying broadly similar.
Over-reliance on the model for limit setting increases the problem because decision-makers may treat the output as fact rather than as one input among several. The closest alternative is stress testing, but that is a complementary tool used to explore conditions that the core model may miss.
The model understated risk because it relied on past low-volatility patterns continuing after market conditions changed.
Topic: International Risk Regulation
A banking group operates in six countries. Home and host supervisors want a more consistent approach to the group’s liquidity risk, but each authority must still use its own legal powers. Which action best reflects how the Bank for International Settlements supports international monetary and financial stability and cooperation?
Best answer: C
What this tests: International Risk Regulation
Explanation: The BIS promotes stability by fostering cooperation among central banks and supporting bodies such as the Basel Committee, which develop common standards. Those standards guide consistent regulation across borders, but local supervisors still implement and enforce them under their own laws.
The core concept is coordinated regulatory implementation. The BIS helps international monetary and financial stability by acting as a forum for cooperation and by supporting the development of common prudential standards, notably through Basel work. In a cross-border banking group, the best application is to use those shared standards as a common benchmark so home and host supervisors can align their approach while retaining their own statutory authority.
The BIS does not directly regulate individual banks, replace national supervisors, or act as a routine lender to commercial banks in firm-specific stress. Its role is to enable cooperation, consistency and information-sharing across jurisdictions. The key takeaway is that the BIS supports stability through frameworks and coordination, not through direct day-to-day supervision of banks.
The BIS supports cooperation mainly by providing the forum and infrastructure for shared international standards, while national authorities apply and enforce them.
Topic: Market Risk
Which statement best explains why interest-rate, currency, commodity and equity risk can interact within a single position or portfolio?
Best answer: B
What this tests: Market Risk
Explanation: Market risk categories are analytical labels, not mutually exclusive boxes. A single position or portfolio can respond to several underlying variables at the same time, and correlations between those variables can increase or offset the total effect.
The core concept is that many financial positions have multi-factor market exposure. Their value may depend on more than one underlying driver, such as discount rates, exchange rates, commodity prices and equity prices. For example, a foreign equity holding can be affected by the share price itself, the currency in which it is priced, commodity prices that influence the issuer’s earnings, and interest rates that affect valuation. Because these factors can move together or apart, firms need to identify both the separate sensitivities and how they interact. Putting a position into one reporting category does not mean the other market risks disappear.
A dominant risk factor may exist, but it should not blind risk managers to additional exposures.
One position can depend on multiple market factors at once, so changes in those factors can combine in overall profit or loss.
Topic: Market Risk
A trading desk’s report shows:
Exhibit: One-day 99% VaR = £2,000,000
Which interpretation best matches this statistic?
Best answer: D
What this tests: Market Risk
Explanation: A one-day 99% VaR of £2,000,000 is a percentile estimate, not an average or a hard limit. It means the model suggests daily trading losses should exceed £2,000,000 only about 1% of the time under normal market conditions.
Value at Risk (VaR) is a market-risk measure that estimates a loss threshold over a stated time horizon and confidence level. Here, the horizon is one day and the confidence level is 99%, so the statistic means losses greater than £2,000,000 are expected on about 1 out of 100 days, based on the VaR model and usual market conditions.
VaR does not tell you:
Those ideas relate to different tools: expected shortfall, stress testing, and stop-loss controls. The key distinction is that VaR gives a percentile loss threshold, not tail severity or a management action limit.
A 99% one-day VaR estimates the loss threshold that should only be exceeded on roughly 1% of trading days, given the model assumptions.
Topic: Credit Risk
A bank enters into a commodity derivative with an airline. If oil prices rise, the bank’s mark-to-market receivable from the airline increases, but the airline’s ability to repay weakens at the same time. Which credit-risk description best matches this exposure?
Best answer: A
What this tests: Credit Risk
Explanation: This is wrong-way risk because the bank’s exposure grows at the same time the counterparty becomes weaker. The same market factor, rising oil prices, drives both the larger receivable and the airline’s reduced capacity to pay.
Wrong-way risk is a form of counterparty credit risk in which the exposure to a counterparty is adversely correlated with that counterparty’s credit quality. In the stem, rising oil prices increase the bank’s derivative receivable from the airline, while also damaging the airline’s financial position. That combination is particularly dangerous because the bank stands to lose more precisely when the counterparty is more likely to default.
This differs from other credit-risk concepts:
The key feature is the linked movement between exposure size and counterparty weakness.
Wrong-way risk exists when exposure increases as the counterparty’s creditworthiness deteriorates because both are affected by the same factor.
Topic: Liquidity Risk
A broker-dealer is assessing its same-day liquidity position.
Exhibit:
Using only these figures, which statement is most accurate?
Best answer: C
What this tests: Liquidity Risk
Explanation: The firm has £17m available today from opening cash and contractual inflows, but it must meet £30m of same-day outflows, leaving a £13m shortfall. That is a funding liquidity problem: the firm may need emergency funding, delay payments, or sell assets quickly, and similar actions by several firms can transmit stress through markets and counterparties.
Liquidity risk is the risk that cash is not available when obligations fall due. Here, the firm can access £17m today from opening cash and contractual inflows, but it must meet £30m of same-day outflows, so its net liquidity position is -£13m.
A negative same-day position means the firm may need emergency borrowing, use liquid assets, delay settlements, or make forced asset sales. If several firms face similar shortfalls at once, these actions can reduce market liquidity and put pressure on counterparties, turning an individual funding problem into wider systemic stress. The key point is cash-timing pressure, not market-price volatility or borrower default.
Opening cash plus inflows is £17m against £30m of outflows, leaving a £13m liquidity gap that could trigger payment delays or fire sales affecting counterparties.
Topic: Market Risk
Under its VaR model and normal market conditions, a trading portfolio has a one-day 99% Value at Risk of £5 million. What does this indicate?
Best answer: C
What this tests: Market Risk
Explanation: VaR is a market risk measure that sets a loss threshold for a given confidence level and time horizon. A one-day 99% VaR of £5 million means losses greater than £5 million are expected only about 1% of the time, assuming the model and normal conditions hold.
Value at Risk estimates the loss level that should not be exceeded at a specified confidence level over a stated holding period. Here, the confidence level is 99% and the holding period is one day, so the figure means the portfolio has about a 1% probability of losing more than £5 million in a day under the model assumptions. VaR does not tell you the worst possible loss, and it does not tell you the average loss. It also says nothing about achieving a particular profit. This is why firms usually use VaR alongside stress testing and other market risk measures to understand tail risk more fully.
VaR gives a loss threshold for a stated horizon and confidence level, not a maximum or average loss.
Topic: Principles of Risk Management
During a calm trading week, a bank loses £8 million after a single property developer to which it had a large exposure enters administration. Sector credit spreads, market indices and wholesale funding conditions remain broadly unchanged. Which response best applies sound risk-management principles?
Best answer: A
What this tests: Principles of Risk Management
Explanation: This is a firm-specific credit concentration event, not a market-wide or systemic shock. Because the loss arises from one large obligor while broader market and funding conditions are stable, the correct response is to assess it against risk appetite, escalate it, and review single-name limits.
The key principle is to distinguish idiosyncratic loss drivers from systemic stress. In the stem, the trigger is the failure of one borrower, while sector spreads, market indices and funding conditions are broadly unchanged. That means the event is firm-specific and mainly reflects credit concentration risk rather than a wider market breakdown. The appropriate action is therefore to compare the exposure with approved single-name limits and overall risk appetite, then escalate the event and review limit design or monitoring if needed. Systemic responses are meant for broad disruptions affecting many exposures at once. A large loss by itself does not prove systemic stress; the pattern and source of the loss are what matter.
The loss comes from one obligor in otherwise stable markets, so it should be treated as an idiosyncratic concentration event and escalated against appetite.
Topic: Risk Oversight and Corporate Governance
A UK broker’s new leveraged-products desk is growing quickly. Traders are rewarded mainly on short-term revenue, intraday limit breaches are often corrected before close and not escalated, and the board risk committee receives only monthly summary reports. Which action would most strengthen the firm’s risk and control culture?
Best answer: D
What this tests: Risk Oversight and Corporate Governance
Explanation: The scenario shows a weak culture because revenue incentives dominate control discipline, breaches are hidden if fixed quickly, and oversight is delayed. The best response is to link behaviour to a board-approved risk appetite, make the business accountable, and require prompt transparent escalation.
Risk and control culture is determined by how leaders set expectations and how those expectations are reinforced through ownership, incentives, transparency and accountability. Here, short-term revenue pay encourages risk-taking, unreported intraday breaches show weak openness and challenge, and monthly summary reporting delays governance response. Aligning remuneration and desk accountability to a board-approved risk appetite, with immediate escalation of breaches, directly addresses the cultural drivers in the scenario. It makes the first line responsible for operating within agreed boundaries and ensures senior oversight is timely and visible. In contrast, stronger measurement or extra reporting alone would not fix the underlying behaviours.
It addresses incentives, ownership, risk appetite and transparent escalation together, which are core drivers of risk and control culture.
Topic: Investment Risk
A client will invest £100,000 for 10 years with no withdrawals, fees or tax. Product Alpha quotes a 6.0% effective annual return. Product Beta quotes a 5.9% nominal annual rate, compounded monthly. Which conclusion is most appropriate when comparing likely maturity values?
Best answer: D
What this tests: Investment Risk
Explanation: Quoted annual rates are not directly comparable when one is effective and the other is nominal with intra-year compounding. Product Beta’s 5.9% nominal rate compounds monthly, giving an effective annual rate slightly above 6.0%, so over 10 years it should finish higher.
The key concept is that compounding changes the true annual growth rate. An effective annual return already includes the impact of compounding within the year, while a nominal annual rate does not. To compare Product Alpha and Product Beta fairly, both must be put onto the same basis. Product Beta’s effective annual rate is approximately \((1+0.059/12)^{12}-1\), which is about 6.06%, slightly above Product Alpha’s 6.0% effective rate. Over a 10-year holding period with no withdrawals, that small annual difference compounds into a higher maturity value for Product Beta.
The closest mistake is to compare 6.0% and 5.9% directly without adjusting for compounding frequency.
Monthly compounding lifts 5.9% nominal to about 6.06% effective, so Beta should produce a slightly higher maturity value.
Topic: Operational Risk
A bank classifies operational incidents under Basel event types. Use net loss = gross loss - recovery.
| Incident | Gross loss | Recovery |
|---|---|---|
| Employee diverted client cash to a personal account | £900,000 | £50,000 |
| Criminals used stolen credentials to make unauthorised payments | £1,100,000 | £400,000 |
| Payments platform outage led to compensation payments | £650,000 | £0 |
| Staff keyed the wrong settlement details and trades failed | £700,000 | £20,000 |
Which incident has the highest net loss, and what is its Basel operational-risk event type?
Best answer: D
What this tests: Operational Risk
Explanation: Subtract recovery from gross loss for each incident. The employee diversion of client cash produces the largest net loss at £850,000, and because the misconduct was deliberate and carried out by a member of staff, Basel classifies it as internal fraud.
The key is to compare net losses first and then identify the correct Basel event type for the largest one. The net losses are £850,000 for the employee cash diversion, £700,000 for the criminal payment fraud, £650,000 for the systems outage, and £680,000 for the settlement input error. The largest is therefore the employee cash diversion.
Under Basel operational-risk event types, a deliberate act such as theft or misappropriation by someone inside the firm is internal fraud. By contrast, fraud by outsiders is external fraud, a platform outage is business disruption and systems failures, and a staff processing mistake is execution, delivery and process management. The main trap is choosing the highest gross loss instead of the highest net loss.
£900,000 less £50,000 gives the highest net loss, £850,000, and theft by an employee is classified as internal fraud.
Topic: Principles of Risk Management
A digital savings platform allows customers to move funds instantly through its mobile app. Risk management is assessing the impact of a social-media-driven stress.
Exhibit:
Assume no asset price change. Which option best describes the firm’s position and the main risk exposure highlighted by the exhibit?
Best answer: D
What this tests: Principles of Risk Management
Explanation: The stressed outflow is £96 million, calculated as 12% of £800 million. Since the platform holds only £70 million of liquid assets against that outflow, it faces a £26 million shortfall, highlighting liquidity risk made more acute by instant digital access.
The core concept is that disruptive innovation can change the speed and shape of risk, not just the amount. Here, instant app-based withdrawals and social-media-driven behaviour can accelerate deposit outflows, creating a sharper liquidity stress than a traditional channel might.
The calculation is:
That means the exhibit points to a liquidity gap, not a credit or market loss. The key emerging exposure is faster run dynamics caused by digital channels. The closest distractor reverses the sign and treats the shortfall as a surplus.
Withdrawals of £96 million exceed the £70 million liquid-asset buffer by £26 million, showing digitally accelerated liquidity stress.
Topic: Operational Risk
On an investment bank’s FX desk, a trader exceeded authorised limits, entered fictitious offsetting trades to conceal losses, and weak independent reconciliation delayed detection for several days. Under Basel operational-risk event types, what is the single best classification of the loss?
Best answer: D
What this tests: Operational Risk
Explanation: This is internal fraud because the primary cause is intentional deception by an employee, not a simple processing mistake or a third-party attack. The weak reconciliation is a control weakness, but it does not change the Basel event-type classification.
Basel operational-risk event types are classified by the main nature of the event. Here, the decisive facts are that the trader was an employee, breached authorised limits, and used fictitious trades to hide the true position. That is internal fraud: an internal act intended to defraud, misappropriate, or circumvent rules or controls. The delayed detection caused by weak independent reconciliation explains why the loss became larger, but that control failure is secondary to the employee’s deliberate misconduct. If the loss had come from an honest booking error, failed settlement, or broken process without intent to deceive, execution, delivery and process management would be a better fit. The key distinction is deliberate internal deception versus accidental process failure.
The loss arose from deliberate misconduct by an employee who concealed unauthorised activity, which is the defining feature of internal fraud.
Topic: International Risk Regulation
A multinational bank has identical risk exposures in three countries.
Exhibit:
The 6 percentage point spread is caused only by different national supervisory rules. What does this best show about why the Basel Committee on Banking Supervision was established and the purpose of its standard-setting role?
Best answer: C
What this tests: International Risk Regulation
Explanation: The same bank showing 5%, 8%, and 11% solely because national rules differ highlights inconsistent cross-border supervision. The Basel Committee was established to improve supervisory cooperation and issue common prudential standards so internationally active banks are assessed more consistently.
A 6 percentage point spread for the same exposures shows the core problem the Basel Committee was created to address: different national rules could produce very different regulatory outcomes for the same bank. Under the BIS framework, the Committee develops internationally agreed prudential standards to improve the quality and consistency of supervision, strengthen banking-system resilience, and reduce opportunities for regulatory arbitrage.
Its role is to set standards and support cooperation between national supervisors. It does not lend to banks, directly supervise individual firms, or automatically create binding law. National authorities implement Basel standards through their own legal and regulatory systems.
The key takeaway is that Basel exists to improve international consistency in banking supervision, not to replace national regulators.
Different ratios for identical exposures show why common international standards are needed to reduce inconsistency and improve cross-border supervisory cooperation.
Topic: Operational Risk
A retail bank outsources its online card-authorisation platform to a single provider. The bank’s board-approved operational risk appetite states that any critical customer payment service must be recoverable within 4 hours. During a joint business continuity test, the provider demonstrates a likely recovery time of 12 hours after a data-centre failure. Which action best applies the bank’s operational-risk framework?
Best answer: A
What this tests: Operational Risk
Explanation: Outsourcing does not transfer accountability for operational risk. Because the tested recovery time for a critical payment service exceeds the bank’s board-approved tolerance, the issue should be escalated as a breach and corrected through stronger continuity arrangements.
The core principle is that risk appetite and continuity standards still apply to outsourced critical services. The bank has set a clear tolerance of 4 hours, and the test result shows 12 hours, so the current arrangement is outside approved limits. The right response is to escalate the breach through governance channels and require remediation from the provider, such as stronger recovery capability, alternate-site arrangements, or other proven continuity measures. Insurance or financial reserves may reduce some loss impact, but they do not restore the service or bring the arrangement back within appetite. Nor can the bank treat the risk as fully transferred simply because a third party operates the platform. The key takeaway is that outsourcing changes who performs the activity, not who remains accountable for managing the risk.
An outsourced critical service remains within the bank’s risk framework, so a tested recovery gap beyond appetite must be escalated and remediated.
Topic: Credit Risk
A bank’s corporate lending desk has 28% of its loan book to three property developers and 46% to commercial real estate borrowers in one country. It applies single-name limits but has no country, sector or industry concentration limits. Property values in that country are expected to fall sharply. Which action would best strengthen the bank’s resilience?
Best answer: D
What this tests: Credit Risk
Explanation: Concentration risk is not only about one borrower; it also arises when many exposures depend on the same country, sector or industry. Here, a single property-market shock could weaken several borrowers and their collateral at the same time, so aggregate limits and stress testing across those dimensions best improve resilience.
Concentration risk exists when losses can cluster because exposures share a common driver. In this scenario, the bank already uses single-name limits, but a large part of the book is still concentrated in commercial real estate and in one country. A fall in local property values could therefore hit several borrowers simultaneously and also reduce collateral values, creating correlated losses.
The strongest control is to aggregate exposures across single-name, country, sector and industry dimensions, set limits for each, and test them under stress scenarios. This supports resilience by stopping excessive build-up, triggering earlier escalation, and reducing the chance that one shock causes outsized losses. Measures such as repricing, shortening tenor, or monitoring collateral may help, but they do not materially remove the concentration itself.
Multi-dimensional concentration limits and stress testing reduce the chance that one connected shock causes correlated defaults and collateral losses across the book.
Topic: Model Risk
A firm uses a new liquidity-risk model to set dealing limits for a portfolio of thinly traded corporate bonds. The model was calibrated using three years of data from orderly markets, and no comparable stress-period data are available. Which approach best applies sound model-risk management?
Best answer: D
What this tests: Model Risk
Explanation: The key limitation is that the model is based only on benign market data, so it may be unreliable when liquidity conditions deteriorate. Sound practice is to use model output as one input, add stress testing, and keep independent challenge before changing limits.
Models are simplified representations of reality and are only as strong as their assumptions, design and data. Here, the main weakness is calibration to orderly markets with no comparable stress-period evidence. That means the model may understate liquidity risk exactly when markets become dislocated, so it should not be treated as a sole control for limit-setting.
A sound response is to:
More frequent recalibration may improve fit to recent data, but it does not solve missing stress data or structural model limitations. The closest distractor is reliance on observed data, but observed data from calm periods do not prove reliability in stressed conditions.
Because the model is built only on normal-condition data, stressed-liquidity risk should be addressed with stress testing and independent challenge rather than sole reliance on model output.
Topic: Liquidity Risk
A dealer holds less-traded corporate bonds that typically take more than five days to sell in stressed markets. The portfolio is 75% funded through overnight repo from two counterparties, and repo haircuts on the bonds have recently increased. The board’s liquidity-risk appetite states that no more than 30% of assets with stressed liquidation periods above five days may be funded overnight. Which response is most appropriate?
Best answer: C
What this tests: Liquidity Risk
Explanation: This is a funding-liquidity problem driven by poor asset marketability, concentrated overnight funding, and rising haircuts. The best response is to escalate the appetite breach and reduce reliance on unstable short-term funding by extending tenor and diversifying sources.
Sound liquidity-risk management matches funding stability to the marketability of the assets being funded. Here, the bonds may be hard to sell in stress, yet 75% of the portfolio is funded overnight through only two repo counterparties, and haircuts are already rising. That creates refinancing risk and funding concentration risk, and it also breaches the board-approved risk appetite.
Waiting for conditions to improve is not a control, and hedging spread moves addresses market risk rather than the immediate funding mismatch.
The portfolio breaches liquidity appetite, so management should reduce rollover and concentration risk by terming out and diversifying funding.
Topic: Market Risk
An asset manager holds a £10 million UK mid-cap equity portfolio and hedges it with a £10 million short FTSE 100 futures position.
| Position | Daily move |
|---|---|
| Mid-cap portfolio | -3.0% |
| FTSE 100 futures | -2.2% |
Assume the futures gain equals the futures price move on the hedged notional, and ignore costs. What does the remaining £80,000 net loss primarily illustrate?
Best answer: A
What this tests: Market Risk
Explanation: The portfolio loses £300,000 and the short futures gain £220,000, so the net loss is £80,000. That residual loss shows basis risk: the hedge instrument moved in the right direction, but not by the same amount as the exposure being hedged.
This is basis risk, which arises when the item being hedged and the hedge instrument are related but not identical. The manager chose the correct hedge direction: a long equity portfolio is typically hedged with a short equity futures position, so falling prices should produce a futures gain.
The remaining loss exists because a UK mid-cap portfolio will not track the FTSE 100 perfectly. Their returns can differ in magnitude even on the same day, especially in a cross-hedge using a related index rather than an identical underlying. The key point is that a hedge can be directionally correct and still leave exposure when the basis changes.
The hedge was directionally correct, but the portfolio and FTSE 100 futures did not move by the same percentage, leaving a residual loss.
Topic: Principles of Risk Management
An SME lender has 40% of its loan book in hospitality businesses, and its affordability model still assumes pre-shock energy costs. After a sharp rise in energy prices and weaker consumer spending, arrears rise quickly. Which is the BEST assessment of the risk drivers?
Best answer: D
What this tests: Principles of Risk Management
Explanation: This scenario combines external and internal risk drivers. The external shock is higher energy costs and weaker demand, but the lender’s concentrated exposure and outdated affordability assumptions make the credit deterioration worse. The best answer recognises that the drivers interact rather than acting in isolation.
The core concept is that business losses often arise from interacting risk drivers, not from one isolated cause. Here, the external environment has worsened for hospitality borrowers, but the lender has also increased its vulnerability through two internal choices: a concentrated sector exposure and a model that understates current borrower stress. Credit risk is the outcome that is materialising, but its severity is being amplified by internal portfolio and measurement weaknesses.
A sound risk assessment would separate:
The key point is to recognise both the trigger and the internal factors that increase sensitivity to it.
The external shock triggered stress, but internal sector concentration and outdated assumptions magnified the lender’s credit exposure.
Topic: Principles of Risk Management
A bank adopts a regtech platform that scans new regulations, maps them to affected policies, and routes exceptions to control owners. The first line still implements changes and compliance retains oversight. Which potential benefit of this disruptive innovation is most likely?
Best answer: B
What this tests: Principles of Risk Management
Explanation: The main benefit here is improved regulatory implementation. By automating rule scanning, mapping and exception routing, regtech can reduce manual error, increase consistency and produce better evidence of actions taken, while governance remains with the firm.
Regtech delivers value when it strengthens an existing control framework rather than replacing it. In this case, the platform helps with horizon scanning, policy mapping and workflow routing, so the bank can respond to regulatory change more quickly and consistently. It also creates clearer audit trails, which supports management oversight and supervisory review.
Because the first line still implements changes and compliance retains oversight, the technology supports the three lines of defence rather than removing them. It does not shift legal or regulatory accountability to the vendor, and it does not directly change the bank’s credit exposures. The key benefit is better execution of regulatory change within the existing governance structure.
Regtech can automate regulatory change workflows, improving speed, consistency and traceability while leaving accountability and oversight in place.
Topic: Model Risk
A fixed-income trading desk uses a daily 99% VaR model calibrated on the last 250 trading days. It has built a concentrated position in a thinly traded emerging-market bond, and after a geopolitical shock the market becomes one-way. Management continues to treat the VaR limit as the main control. What is the single best assessment of this reliance on the model?
Best answer: C
What this tests: Model Risk
Explanation: This is a model-risk issue. The VaR model depends on historical behaviour and implicit liquidity assumptions, but the scenario includes concentration and a stressed, one-way market. In those conditions, the model can understate losses, so using it as the main control is weak risk management.
Model risk arises because models are simplified representations of reality and depend on assumptions, data and how users rely on them. A historical VaR model can be useful in normal conditions, but it may not capture regime shifts, extreme tail outcomes or the difficulty of exiting a concentrated, illiquid position after a shock. In this scenario, the one-way market means the desk may be unable to unwind at prices or speed consistent with the model’s assumptions, so actual losses could be materially higher than the reported VaR. Treating the VaR limit as the main control therefore creates control-reliance risk as well as measurement risk. VaR should be supplemented by stress testing, concentration limits, liquidity measures and informed management challenge. Clean inputs or formal limit compliance do not remove assumption failure.
Historical VaR can miss regime shifts and stressed liquidity, so it should not be the sole control for a concentrated, illiquid position.
Topic: International Risk Regulation
What best describes the purpose of a regulator’s risk-assessment visit within a risk-based supervisory review?
Best answer: C
What this tests: International Risk Regulation
Explanation: A risk-assessment visit helps the regulator understand a firm’s main risks and how effectively they are governed and controlled. The findings are used to prioritise supervisory focus and any follow-up action, not to manage the firm or remove risk completely.
The core concept is risk-based supervision. Regulators use risk-assessment visits to evaluate the firm’s material inherent risks, the strength of governance and controls, and the residual risk that remains after mitigation. This allows them to direct supervisory resources proportionately, focusing more closely on firms or business areas that could cause greater harm if weaknesses exist. The visit is therefore an evidence-gathering and judgement process, not a substitute for management, internal audit or external audit. It also does not aim to eliminate all risk, because financial firms must manage risk rather than avoid it entirely.
The key distinction is that a risk-based review is targeted at the most significant risks, not a blanket check of everything.
Risk-based visits gather evidence on material risks and control quality so regulators can apply proportionate supervisory attention.
Topic: Principles of Risk Management
A mid-sized bank relies heavily on short-term wholesale funding and provides payment services to several smaller financial firms. After market rumours trigger sharp liquidity outflows, the board finds that its recovery options and operational continuity arrangements for resolution have not been updated. What is the single best reason robust recovery and resolution planning matters here?
Best answer: A
What this tests: Principles of Risk Management
Explanation: Recovery and resolution planning prepares a firm and the authorities for severe stress before a crisis escalates. In this case, the bank’s funding weakness and payment-service role mean planning is important both for restoring viability and for maintaining critical services if recovery fails.
The core concept is that recovery planning and resolution planning serve different but linked purposes. Recovery planning is the firm’s pre-agreed set of actions to stabilise itself under severe stress, such as raising liquidity, reducing risk or selling assets. Resolution planning is for the case where recovery is not enough: it allows the firm to fail in an orderly way while preserving critical functions, such as payment services, and limiting contagion to the wider system.
That matters here because the bank has concentrated wholesale funding and performs services used by other firms. Without credible plans, a liquidity shock could become a disorderly failure that disrupts financial stability. Automatic public support is not the objective; continuity and orderly loss allocation are.
Recovery and resolution planning is meant to restore viability if possible and, if not, support an orderly failure while keeping critical services running.
Topic: Operational Risk
An operational-risk policy states that business managers must identify and own process risks, the central risk function must set standards and provide challenge, and internal audit must independently review the framework. Which policy element is being defined?
Best answer: C
What this tests: Operational Risk
Explanation: The stem describes how operational-risk duties are divided between the business, the risk function and internal audit. That is the policy’s role-allocation framework, which is essential for avoiding gaps, overlaps and unclear accountability.
The core concept is governance through clear role definition. In an operational-risk policy, stating that business managers own risks, the risk function sets standards and challenges, and internal audit provides independent review is a classic allocation of responsibilities across the lines of defence. This matters because operational-risk failures often worsen when nobody is clearly accountable for identifying issues, escalating incidents or testing whether controls work.
Clear role allocation helps by:
The other options are important operational-risk tools, but they do not primarily define who is responsible for what.
It assigns ownership, oversight and independent assurance to distinct functions, which is the core purpose of defining clear roles and responsibilities.
Topic: Liquidity Risk
A retail bank faces sudden withdrawals from a small number of large corporate depositors. To avoid selling assets, treasury raises cash by entering overnight repo transactions against most of its gilt portfolio with a single dealer each day. The bank’s secured-funding concentration trigger has not been refreshed. Which is the best assessment of this action?
Best answer: A
What this tests: Liquidity Risk
Explanation: Using overnight repo against gilts can quickly meet withdrawals and avoid an immediate asset sale, so near-term funding pressure falls. But relying on one dealer and rolling the funding daily creates a new vulnerability if that counterparty steps back or market conditions tighten.
The core concept is that a liquidity action can reduce one risk while increasing another. Here, the bank improves immediate liquidity by monetising gilts through overnight repo instead of selling assets under pressure. That helps today’s cash position and may avoid fire-sale losses. However, the funding is very short term and concentrated with a single dealer, so the bank now faces greater rollover risk and concentration risk: the repo must be renewed frequently, and access could disappear or become more expensive in stress. The outdated concentration trigger is also a governance warning that this new dependency may not be properly monitored. Interest-rate moves and operational processing matter, but they are secondary to the new funding fragility.
Overnight repo provides immediate cash, but daily renewal with one dealer creates refinancing and concentration vulnerability.
Topic: Market Risk
A bank’s rates trading desk reports a one-day VaR of £3.2 million at 95% confidence and £5.1 million at 99% confidence after a volatility spike. Positions are assumed unchanged over the day. Which statement best explains the 99% figure?
Best answer: B
What this tests: Market Risk
Explanation: A higher confidence level produces a more conservative VaR because it looks further into the loss tail. Here, the 99% one-day VaR of £5.1 million is the approximate threshold exceeded on about 1% of days under the model assumptions, not a cap on losses.
Value-at-Risk estimates a loss threshold for a stated holding period and confidence level. In this scenario, moving from 95% to 99% confidence pushes the threshold further into the tail of the loss distribution, so the reported one-day VaR increases from £3.2 million to £5.1 million. Properly interpreted, the 99% figure means that, assuming the model is valid and positions stay unchanged, losses greater than about £5.1 million should occur on roughly 1% of days. It does not mean losses cannot exceed £5.1 million, and it does not describe how large tail losses could be beyond that point. The key takeaway is that confidence level changes the exceedance frequency of the VaR threshold, not the basic definition of loss itself.
At 99% confidence, VaR estimates a higher loss threshold that should be exceeded only about 1% of the time under the model assumptions.
Topic: Market Risk
An investment bank’s rates desk has built a concentrated long position in long-dated gilt futures. After a sharp rise in yields, losses increase but reported VaR remains within limit. VaR is produced by the desk, assumes normal market liquidity, and the head of trading can waive breaches until a weekly committee meets. Which action would most strengthen the effectiveness of the firm’s market-risk management function?
Best answer: D
What this tests: Market Risk
Explanation: The key weakness is not just the VaR setting but the lack of independent oversight. A sound market-risk management function should be separate from trading, challenge assumptions such as normal liquidity, monitor limits daily, and escalate breaches promptly through the risk governance framework.
Effective market-risk management combines independent oversight, robust measurement, and clear escalation. In this scenario, the rates desk is producing its own VaR, the model assumes normal liquidity despite a stressed market move, and the head of trading can waive breaches. Those features weaken independence and can understate risk in a concentrated position. The strongest improvement is to move market-risk measurement and limit oversight to a function reporting outside the front office, typically to the CRO, with daily stress testing and immediate escalation of breaches.
A stronger function should:
Raising VaR sensitivity alone would not fix the governance weakness.
An effective market-risk function is independent of the front office, uses measures beyond VaR, and can escalate breaches promptly.
Topic: Risk Oversight and Corporate Governance
A bank’s trading desk has daily market-risk limits and desk managers monitor them. However, the board risk committee and executive risk committee have overlapping terms of reference, and neither is clearly accountable for approving risk appetite or challenging limit design. Which issue does this most clearly indicate?
Best answer: A
What this tests: Risk Oversight and Corporate Governance
Explanation: This is a governance-structure issue because the weakness lies in unclear committee mandates and ownership of key risk decisions. The stem also says desk managers are already monitoring daily limits, so it is not mainly a line-management execution problem.
A governance-structure issue arises when responsibilities, decision rights, or escalation ownership are not clearly allocated at senior oversight level. In this scenario, the key problem is that two senior committees have overlapping terms of reference and no clear accountability for approving risk appetite or challenging limit design. Those are core governance responsibilities, because the framework should define who sets boundaries, who challenges them, and who is ultimately accountable.
A line-management execution issue would involve the first line failing to operate controls properly, such as not monitoring limits, not escalating breaches, or ignoring policy. Here, the stem points away from that by stating that desk managers do monitor the limits. The closest distractor is second-line monitoring, but the primary flaw is governance design, not ongoing oversight activity.
The problem is unclear committee mandate and accountability at oversight level, which is a governance design issue rather than a day-to-day execution failure.
Topic: Risk Oversight and Corporate Governance
A bank introduced a leadership-led speak-up programme to encourage early escalation of booking errors and challenge of weak practices. Assume business volumes were broadly unchanged.
Exhibit:
Which conclusion is most appropriate?
Best answer: A
What this tests: Risk Oversight and Corporate Governance
Explanation: A stronger speak-up culture often increases near-miss reporting because staff escalate issues earlier. Here actual loss events fell from 20 to 8, so avoided loss costs are £180,000; after deducting the £120,000 programme cost, net value added is £60,000.
The core concept is that effective risk culture and leadership can both reduce risk and create measurable value. A leadership-led speak-up programme should make staff more willing to report near misses early, so a rise in near-miss reporting is not automatically negative. In this exhibit, actual loss events fell from 20 to 8, meaning 12 loss events were avoided. At £15,000 each, that is £180,000 of avoided loss cost. After subtracting the £120,000 annual programme cost, the net value added is £60,000. The higher near-miss count is consistent with earlier escalation and challenge, while the lower actual-loss count shows that issues were being caught before becoming expensive events. The key takeaway is that better culture can show up as more transparency and fewer realised losses.
Higher near-miss reporting with fewer actual losses suggests better escalation and challenge, and net value is 12 × £15,000 - £120,000 = £60,000.
Topic: Principles of Risk Management
Which statement best describes the purpose of recovery and resolution planning for a financial institution?
Best answer: A
What this tests: Principles of Risk Management
Explanation: Recovery planning identifies actions a firm can take to survive severe stress. Resolution planning prepares for the case where recovery fails, so the firm can be dealt with in an orderly way while critical functions continue and wider market disruption is reduced.
The core concept is resilience in extreme stress and failure. A recovery plan is the firm’s own plan for restoring viability, for example through capital, liquidity, or business actions. A resolution plan is the framework for dealing with the firm if recovery is no longer credible, so that critical economic functions can continue, losses can be absorbed within the resolution framework, and contagion to the wider financial system is limited.
This matters because disorderly failure can damage confidence, interrupt essential services, and amplify stress across markets and institutions. Recovery and resolution planning therefore supports continuity and systemic resilience, rather than routine business-as-usual risk management or a promise of public rescue.
The key distinction is that these plans address severe stress and failure scenarios, not normal operating limits or standard capital-setting.
This captures both elements: recovery aims to restore the firm’s viability, while resolution aims to preserve critical functions and limit systemic disruption if recovery fails.
Topic: International Risk Regulation
Under Basel prudential supervision, which concept matches this description: a firm’s documented internal process for assessing whether its capital is adequate for all material risks, including under stress, and for supporting supervisory review under Pillar 2?
Best answer: A
What this tests: International Risk Regulation
Explanation: ICAAP is designed to ensure a firm understands its material risks and holds sufficient capital for them, not just the minimum calculated under Pillar 1. It is also a key document and process used by supervisors in their Pillar 2 review of prudential soundness.
The core concept is ICAAP, which links a firm’s internal risk assessment to its capital adequacy. It goes beyond formulaic minimum capital rules by requiring management to identify material risks, assess capital needs against those risks, and consider whether capital remains adequate in stressed conditions. Supervisors then use the ICAAP as an important input when reviewing the firm under Pillar 2.
A useful way to think about it is:
The closest distractor is ILAAP, but that focuses on liquidity adequacy rather than capital adequacy.
ICAAP is the firm’s own assessment of capital adequacy against its full risk profile and is a core input to Pillar 2 supervisory review.
Topic: Market Risk
A treasury desk is long €2.4 million and has no hedge. Exhibit: initial spot rate £1 = €1.20; new spot rate £1 = €1.25. What is the mark-to-market effect on the position, measured in sterling?
Best answer: B
What this tests: Market Risk
Explanation: This is foreign exchange market risk on an unhedged euro position reported in sterling. The euro holding is worth £2.0 million at the initial rate and £1.92 million at the new rate, so the desk suffers an £80,000 loss.
Foreign exchange market risk arises when an unhedged position in one currency is valued in another. Here the desk is long euros but measures performance in sterling, so when the quote moves from £1 = €1.20 to £1 = €1.25, sterling strengthens and the euro holding is worth fewer pounds.
A gain would apply to the opposite currency exposure, not to a long euro position.
Revaluing €2.4 million at the two spot rates gives £2,000,000 then £1,920,000, so the unhedged position makes an £80,000 loss.
Topic: Investment Risk
Which statement best explains compound interest in the context of the time value of money?
Best answer: A
What this tests: Investment Risk
Explanation: Compound interest means reinvesting returns so that later returns are earned on a growing base. This is a core reason money available today can become worth more in the future.
The key concept is that compound interest applies returns to both the initial principal and any returns already earned. That makes growth accelerate over time compared with simple interest, where returns are calculated only on the original amount. In time value of money terms, a sum received today is more valuable because it can be invested immediately and compounded into a larger future amount. Inflation may affect real value, but it is not what defines compounding. The closest confusion is simple interest, which does not include returns on prior returns.
Compound interest increases future value because each period’s return is calculated on principal plus reinvested returns.
Topic: Investment Risk
An investor makes large contributions and withdrawals at different points in the year and wants a return measure that reflects that personal cash-flow timing. Which return concept is most appropriate?
Best answer: D
What this tests: Investment Risk
Explanation: Money-weighted return is the best fit when the timing and size of contributions and withdrawals matter. It captures the investor’s actual experience because periods with more capital invested have more influence on the result.
The core concept is the distinction between returns that include external cash-flow timing and returns that neutralise it. When an investor adds or withdraws money during the measurement period and wants a result that reflects their own outcome, the appropriate measure is money-weighted return. This approach gives greater weight to periods when more money was actually invested, so large contributions or withdrawals affect the calculated return. That makes it suitable for assessing the investor’s realised return, not just the manager’s pure investment skill.
The closest confusion is time-weighted return, which is designed to remove the distorting effect of external cash flows and is therefore more suitable for manager-performance comparison.
It reflects the size and timing of external cash flows, so it matches the investor’s own return experience.
Topic: Liquidity Risk
A firm has a £12.0m cash outflow due tomorrow. Treasury plans a one-day repo with a single dealer, using all unencumbered securities shown below.
| Security | Market value | Repo haircut |
|---|---|---|
| UK gilts | £8.0m | 2% |
| Covered bonds | £5.0m | 8% |
Which statement is most accurate?
Best answer: C
What this tests: Liquidity Risk
Explanation: Repo cash is based on market value after haircuts, so the firm can raise £12.44m and meet the £12.0m outflow. However, using all available collateral with one dealer reduces immediate liquidity risk while creating new vulnerability through asset encumbrance and reliance on a single secured-funding source.
The core concept is that a liquidity action can solve a short-term cash gap but create a different weakness. Here, repo capacity is calculated after haircuts, so the firm can meet tomorrow’s outflow. The trade-off is that all unencumbered securities become pledged and funding is concentrated with one dealer, which can reduce flexibility in a stress.
The £12.44m of haircut-adjusted repo proceeds exceeds the £12.0m need by £0.44m. The closest trap is to treat repo as a sale; the more relevant new vulnerability is secured-funding dependence and encumbered collateral.
Haircut-adjusted repo proceeds are £12.44m, so the cash gap is closed, but pledging all securities to one dealer increases concentration and asset-encumbrance vulnerability.
Topic: Credit Risk
Which credit-risk control matches this description: it ensures loans, guarantees and derivatives are assigned to the correct obligor and exposure class before internal ratings, limit usage and expected-loss measures are applied?
Best answer: C
What this tests: Credit Risk
Explanation: The best match is the credit exposure classification framework. Its purpose is to identify what the exposure is and who ultimately bears the credit risk before downstream tools such as ratings, limits and loss measures are used.
This description refers to a credit exposure classification framework. In credit risk, identification comes first: the firm must correctly classify the facility type, exposure class and relevant obligor or counterparty before it can measure probability of default, expected loss, concentration or limit usage reliably. If a guarantee, derivative or other contingent exposure is misclassified, later reports and controls may look precise but still be wrong because they are built on a faulty starting point.
An internal obligor rating system assesses borrower credit quality, not exposure classification. Collateral haircuts adjust the recognised value of security. Stress testing examines how a portfolio behaves under adverse scenarios after exposures have already been identified and grouped. The key point is that weak classification undermines later measurement and control.
It classifies exposures correctly at the outset, which supports accurate later measurement, aggregation and control.
Topic: Enterprise Risk Management (ERM)
An ERM report combines credit, market, liquidity and operational exposures across business lines and legal entities into one view, highlighting concentrations and interdependencies. Which function does this best match?
Best answer: B
What this tests: Enterprise Risk Management (ERM)
Explanation: This describes risk aggregation: combining exposures across the firm into a single view. That matters to senior management and boards because it shows total exposure, concentration risk and whether apparent diversification is still reliable against the firm’s risk appetite.
Risk aggregation is an ERM function that brings together material exposures across risk types, business lines and legal entities instead of viewing each risk in isolation. For senior management and boards, this is essential because overall firm exposure may be very different from separate silo reports: concentrations can build up, interdependencies can increase in stress, and diversification benefits may be overstated. A firm-wide aggregated view supports oversight of risk appetite, escalation, strategic decisions, and capital or liquidity planning.
By contrast, model validation tests whether a model is sound, operational exception checking monitors process failures, and expected-loss estimation on one borrower measures a single credit exposure. Those activities are important, but they do not show the board the firm’s overall risk position.
Risk aggregation gives senior management and the board a consolidated view of exposures, concentrations and correlations so they can judge overall exposure against risk appetite.
Topic: Operational Risk
At a securities broker, a temporary operations employee is given both payment-file preparation and release access during a staff shortage. Over six weeks, the employee alters client withdrawal instructions and diverts funds to a personal account; daily reconciliations are produced but not independently reviewed. Under Basel operational-risk event types, which category best fits the resulting loss?
Best answer: C
What this tests: Operational Risk
Explanation: This is internal fraud because the loss arises from a firm employee deliberately diverting client money for personal gain. The weak segregation of duties and lack of independent review explain how the event occurred, but the event type is determined by the intentional insider misconduct.
Under Basel event types, internal fraud covers losses from acts intended to defraud, misappropriate assets, or bypass controls when an internal party is involved. Here, the perpetrator is an employee, the act is deliberate, and the funds are diverted to a personal account. The access weakness and failed independent reconciliation are important control failures, but they are enabling factors rather than the event type itself.
A process-management event would usually involve an error in booking, settlement, or administration rather than intentional theft. An external-fraud event would require an outsider as the perpetrator. The key takeaway is that deliberate insider misappropriation is classified as internal fraud, even when weak processes helped it happen.
The loss stems from deliberate misconduct by an employee who misappropriated client funds, which Basel classifies as internal fraud.
Topic: Credit Risk
A bank uses a simple expected-loss provision of EAD × PD × LGD when reviewing credit limits. An obligor currently has EAD of £25 million, base PD of 1.5% and LGD of 40%. After a stress test triggered by an external downgrade, PD is raised to 4.0%. What additional provision does the stress indicate?
Best answer: A
What this tests: Credit Risk
Explanation: This uses a simple credit-risk expected-loss calculation: EAD × PD × LGD. Because the bank already provides for the base case, the extra provision is based only on the PD increase from 1.5% to 4.0%, which gives £250,000.
The core concept is stressed expected loss in credit risk management. Expected loss combines exposure at default, probability of default and loss given default, and a stress test changes one or more of those inputs to show how provisioning or limits may need to change. Here, the bank already has a provision based on the base PD, so the question asks for the incremental amount.
The key trap is choosing the full stressed expected loss rather than the increase over the existing provision.
£150,000 is the current base expected loss, so it does not answer the question about the additional amount after stress.
£400,000 is the total stressed expected loss, not the increase above the provision already held.
£625,000 applies the PD increase to exposure but ignores the 40% loss given default.
Additional provision is the increase in expected loss: £25,000,000 × (4.0% − 1.5%) × 40% = £250,000.
Topic: Liquidity Risk
A treasury team wants a metric that estimates the potential net cash outflow over the next 30 days at a 99% confidence level. Which liquidity risk management tool best matches this description?
Best answer: B
What this tests: Liquidity Risk
Explanation: Liquidity at risk is the only option that gives a confidence-based estimate of future net cash outflows over a defined period. The stem describes a quantitative measure, not a stress-testing method, behavioural assumption process, or governance limit.
Liquidity at risk is a probabilistic liquidity measure. It estimates how much net funding could be lost or needed over a chosen time horizon, such as 30 days, at a specified confidence level such as 99%. That combination of horizon plus confidence level is the key identifier.
Scenario analysis is different because it tests the impact of named events or stressed conditions rather than producing a confidence-based metric. Behavioural analysis refines expected cash flows by using observed customer or counterparty behaviour, such as deposit stickiness or drawdown patterns. Liquidity limits are control boundaries used to cap exposures, mismatches, or concentrations, not the underlying measure itself.
The closest distractor is scenario analysis, but the confidence-level wording points to liquidity at risk instead.
It is the measure that quantifies potential net cash outflow over a set horizon using a stated confidence level.
Topic: Investment Risk
A benchmark-relative equity portfolio has a tight tracking-error limit and cannot change its benchmark. Which risk-mitigation response best fits the risk of excessive active deviation?
Best answer: D
What this tests: Investment Risk
Explanation: Tracking error is benchmark-relative active risk, so the best mitigation is to control how far the portfolio can drift from the benchmark. Tightening active issuer, sector and factor limits addresses that exposure directly without altering the mandate.
The core concept is tracking error, which measures the volatility of return differences between a portfolio and its benchmark. When the exposure is excessive active deviation in a benchmark-relative mandate, the most suitable mitigation is to restrict active bets such as stock, sector and factor overweights or underweights. That reduces benchmark-relative risk at its source while preserving the benchmark and the investment objective.
A hedge to near-zero beta targets absolute market exposure instead, and changing the benchmark would avoid the measure rather than manage the stated risk within the mandate.
Tracking error is reduced most directly by constraining active positions versus the benchmark while keeping the existing mandate unchanged.
Topic: Investment Risk
Which term best describes the investment risk that a holding cannot be sold promptly at or near its quoted value, even though the investor itself has sufficient cash resources?
Best answer: B
What this tests: Investment Risk
Explanation: The decisive issue is tradability, not volatility or the investor’s own cash position. When an asset cannot be sold quickly at or near its quoted value, the relevant investment risk is market liquidity risk.
Market liquidity risk is the risk that an asset cannot be traded quickly, in the required size, and at or near its observed valuation. In the stem, the investor has enough cash, so the problem is not funding pressure. The concern is that the holding itself may be hard to sell without delay or a material discount, which makes illiquidity the key investment risk rather than volatility alone.
A low-volatility asset can still be risky if there is little market depth behind the quoted price. The key distinction is that market risk is about adverse price moves, whereas market liquidity risk is about the ability to transact at a fair price when needed.
The issue is the inability to trade the asset quickly and close to its quoted price, which is market liquidity risk.
Topic: Principles of Risk Management
A wealth manager routes most client equity orders through an outsourced order-management platform.
Exhibit:
Based on the exhibit, which conclusion is most appropriate?
Best answer: C
What this tests: Principles of Risk Management
Explanation: The outsourced platform carries 85% of 2,400 orders, so 2,040 orders per hour depend on the provider. Over 4 hours that is 8,160 orders; after using 1,200 orders of manual fallback capacity, 6,960 remain unprocessed, showing a significant resilience gap caused by third-party dependence.
The core concept is that outsourcing a critical activity can create concentration, control and operational resilience risk if the fallback arrangement is much weaker than normal processing capacity. Here, 85% of 2,400 orders means 2,040 orders per hour rely on the external platform. Over a 4-hour outage, that equals 8,160 affected orders. Manual fallback handles 300 per hour, or 1,200 over 4 hours, so the residual backlog is 6,960 orders.
That large shortfall shows the firm remains heavily dependent on the third party even though a fallback exists. In risk terms, the control is insufficient to maintain service through a plausible disruption. Price movement may be a consequence of delay, but the primary issue shown by the figures is weak resilience in an outsourced critical process.
It correctly nets manual fallback capacity against outsourced order volume, leaving 6,960 unprocessed orders and evidencing material reliance on a critical supplier.
Topic: Principles of Risk Management
Which term refers to the level of risk that remains after a financial-services firm has applied its controls and other risk mitigants?
Best answer: A
What this tests: Principles of Risk Management
Explanation: Residual risk is the risk left over after controls, limits, insurance, collateral, segregation of duties, or other mitigants have been taken into account. It is a core concept in risk assessment because firms compare residual risk with their appetite and decide whether further action is needed.
The core distinction is between risk before controls and risk after controls. Inherent risk is the raw level of exposure arising from an activity if no controls or mitigants are considered. Residual risk is the remaining exposure once the firm has applied its current control framework and any other mitigants.
In practice, firms assess risks by asking:
Risk capacity is different again: it is the maximum risk the firm could bear without threatening its viability or breaching key constraints. The key takeaway is that residual risk is the post-control view used for management and escalation decisions.
Residual risk is the exposure left after existing controls and mitigants have reduced the original risk.
Topic: Investment Risk
A discretionary fund manager runs a multi-asset portfolio heavily invested in UK equities and listed property shares. During recent interest-rate shocks, these holdings fell together and showed a stressed correlation of +0.8. Short-dated government bonds showed near-zero correlation with the existing assets over the same period. Why could adding the bonds improve diversification?
Best answer: D
What this tests: Investment Risk
Explanation: Correlation shows how closely asset returns move together. Here, equities and listed property are strongly positively correlated in stress, so adding government bonds with near-zero correlation can reduce the chance of simultaneous losses and improve diversification.
Correlation is a key diversification concept because it measures whether assets tend to move in the same direction at the same time. A stressed correlation of +0.8 indicates that UK equities and listed property have behaved very similarly during rate shocks, so the portfolio has less true diversification than it may appear. Adding short-dated government bonds with near-zero correlation introduces exposure that is driven differently, which can reduce overall portfolio volatility and drawdown risk. Diversification does not mean eliminating risk; it means avoiding a portfolio where all major holdings respond to the same shock in the same way.
The closest mistake is to assume that simply adding more holdings is enough, when the real issue is how those holdings co-move.
Diversification improves when an added asset has low or negative correlation, so losses are less likely to occur at the same time.
Topic: Principles of Risk Management
Which statement best describes systemic risk in financial services?
Best answer: A
What this tests: Principles of Risk Management
Explanation: Systemic risk is about contagion and financial instability across the system, not just a large loss at one institution. The key feature is that interconnected firms, markets or infrastructures can transmit stress to others.
Systemic risk is the risk that distress at one or more firms, markets or financial infrastructures spreads and disrupts the wider financial system. Interconnectedness matters because institutions are linked through funding markets, derivatives, payment systems, common asset holdings and confidence effects. A problem that starts in one place can therefore trigger liquidity shortages, fire sales, counterparty losses or loss of market confidence elsewhere.
This differs from other risk concepts because the defining issue is system-wide transmission, not simply the source of the initial loss. The core takeaway is that systemic risk is about contagion and broader financial stability.
Systemic risk is defined by transmission of stress beyond one firm into broader financial instability.
Topic: Operational Risk
A firm has limited internal loss history for a potential cloud-service outage. It asks managers to estimate the likelihood and impact of that severe but plausible event and to judge whether existing controls and contingency plans would be adequate. Which operational-risk assessment method is this?
Best answer: D
What this tests: Operational Risk
Explanation: Scenario analysis is a forward-looking operational-risk tool used to examine severe but plausible events, particularly when historical loss data are sparse. It relies on expert judgement to estimate likelihood and impact and to test whether current controls and contingency plans would be sufficient.
Scenario analysis is designed to assess low-frequency, high-impact operational events that may not be captured well by a firm’s own historical loss data. In the stem, managers are estimating the likelihood and impact of a serious cloud-service outage and evaluating whether existing controls and contingency plans would be adequate. That is the classic use of scenario analysis: structured expert judgement applied to plausible stress events to support risk assessment, control evaluation, and escalation where needed. Bottom-up analysis differs because it starts with detailed process-level risks and control weaknesses, then aggregates them upward, while KRIs and internal loss data are monitoring and evidence inputs rather than the primary technique described here. The key clue is the forward-looking assessment of a severe but plausible event.
It uses expert judgement to assess severe plausible events, especially where internal loss data are limited.
Topic: Market Risk
Which statement best explains why volatility risk matters even when market direction seems favourable?
Best answer: C
What this tests: Market Risk
Explanation: Volatility measures how widely returns can vary around an expected outcome. Even if the expected direction is positive, high volatility means a wider range of actual results and a greater chance of adverse moves or losses.
The core concept is that volatility risk reflects uncertainty and dispersion in market returns, not just the most likely direction of travel. A positive market view means an investor expects gains, but it does not make gains certain. If volatility is high, the range of possible outcomes is wider, so the position may still suffer significant losses over the holding period or before the expected move occurs. That is why volatility matters for market-risk limits, VaR, and risk appetite even when expected return looks attractive.
The closest confusion is benchmark-relative risk: that is tracking error, not the asset’s own return volatility.
Volatility risk is about the spread of possible outcomes, so a favourable expected direction does not remove the chance of material losses.
Topic: Market Risk
A market risk analyst is summarising daily portfolio returns. She needs a volatility measure that uses all observations, gives extra weight to larger deviations because they are squared, and is reported in the same units as the returns. Which measure matches this description?
Best answer: B
What this tests: Market Risk
Explanation: Standard deviation fits because it is derived from squared deviations from the mean but then converted back into the original units by taking the square root. In market risk management, this makes it a practical and interpretable measure of return volatility.
Standard deviation is a core dispersion measure in market risk because it shows how widely returns tend to vary around their average using all observations in the data set. It is built from squared deviations, so larger moves have a greater effect, but taking the square root means the final figure is expressed in the same units as the original returns rather than squared units. That makes it more intuitive for volatility reporting, risk limits, and portfolio comparisons. Variance is closely related, but it remains in squared units. Mean deviation does not use squared deviations, and range only looks at the highest and lowest observations. The key clue is the combination of squared deviations and original units.
Standard deviation is the square root of variance, so it reflects squared deviations while remaining in the same units as the original returns.