CISI Risk: International Risk Regulation

Try 10 focused CISI Risk questions on International Risk Regulation, with answers and explanations, then continue with Securities Prep.

Open the matching Securities Prep practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

| Field | Detail |
| --- | --- |
| Exam route | CISI Risk |
| Issuer | CISI |
| Topic area | International Risk Regulation |
| Blueprint weight | 7% |
| Page purpose | Focused sample questions before returning to mixed practice |

How to use this topic drill

Use this page to isolate International Risk Regulation for CISI Risk. Work through the 10 questions first, then review the explanations and return to mixed practice in Securities Prep.

| Pass | What to do | What to record |
| --- | --- | --- |
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |

Blueprint context: 7% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original Securities Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: International Risk Regulation

A mid-sized investment firm has expanded rapidly into leveraged FX products. It relies on a single margin model, several trading-limit breaches were not escalated promptly, and board risk packs were late for two quarters. The prudential regulator schedules a risk-assessment visit and requests board minutes, stress-test results and breach logs. What should senior management expect from this visit?

  • A. A check only that current regulatory capital exceeds the minimum requirement
  • B. A full review of every process at equal depth regardless of risk profile
  • C. An approval meeting for the firm’s growth plan if profitability remains strong
  • D. A targeted assessment of key risks and control effectiveness to set supervision and remediation

Best answer: D

What this tests: International Risk Regulation

Explanation: A risk-based regulatory visit targets the areas of greatest supervisory concern rather than reviewing everything equally or checking only one metric. Here, rapid growth, model dependence, weak escalation and delayed board reporting all point to a focused review of risk management, governance and controls.

The core concept is risk-based supervision: regulators direct attention to the risks that matter most and assess whether the firm’s governance and control framework is strong enough for those risks. In this scenario, leveraged FX activity increases inherent risk, reliance on one margin model raises model risk, unescalated limit breaches suggest weak control discipline, and late board packs indicate governance weakness. A risk-assessment visit would therefore use documents, management discussions and challenge testing to judge control effectiveness and decide whether the firm needs closer supervision or remedial action. It is broader than a simple capital compliance check and is not a forum for approving business strategy.

  • Equal-depth review: risk-based supervision is targeted, so higher-risk areas receive more attention than lower-risk areas.
  • Capital-only focus: capital is relevant, but the visit also examines governance, reporting, escalation and control effectiveness.
  • Strategy approval: regulators assess whether risks are identified and managed within appetite; they do not endorse expansion just because profits are strong.

Risk-based visits focus on the firm’s most material risks and the adequacy of governance and controls, informing supervisory intensity and any remedial action.


Question 2

Topic: International Risk Regulation

A retail investment firm sells a structured income bond to retail clients. Sales bonuses depend only on volume, monitoring shows repeated failures to explain the capital-at-risk feature, and complaints have risen sharply. The firm’s capital and liquidity remain above regulatory requirements. What is the single best regulatory response?

  • A. Conduct a customer-outcomes review and strengthen product governance, disclosure, and suitability controls.
  • B. Increase the liquidity buffer, because conduct failings usually create immediate funding pressure.
  • C. Limit action to remuneration and line supervision, because the issue is mainly about business standards.
  • D. Increase regulatory capital, because the complaint trend points to a prudential standards breach.

Best answer: A

What this tests: International Risk Regulation

Explanation: The key issue is likely harm to retail clients, not a shortfall in prudential resources. Where disclosure, suitability, and product governance are weak and complaints are rising, the best response is to review customer outcomes and tighten conduct controls.

This scenario mainly engages the conduct side of the regulatory framework, especially consumer protection. The decisive facts are that retail clients are involved, the capital-at-risk feature is not being explained properly, incentives reward sales volume, and complaints are increasing. Those facts point to unsuitable or poorly understood sales and therefore a risk of unfair customer outcomes. Because the stem states that capital and liquidity remain above regulatory requirements, prudential or liquidity remediation is not the immediate priority. The strongest response is to review product governance, disclosures, suitability, monitoring, and sales incentives, and then remediate customers if necessary. Treating the issue only as an internal business-standards weakness is too narrow because customer harm is already evident.

  • Limiting action to pay and supervision is too narrow because the problem has already moved beyond internal standards into actual retail customer detriment.
  • Increasing regulatory capital is not the best response when the stem explicitly says prudential resources remain adequate.
  • Building a larger liquidity buffer addresses funding stress, but no liquidity pressure is described; the weakness is in conduct and customer treatment.

The facts show foreseeable customer harm from weak sales and product controls, so the primary response should address consumer protection and conduct risk.


Question 3

Topic: International Risk Regulation

A regulator uses a risk-based approach to target supervisory resources at firms posing the greatest threat to its objectives. For upcoming on-site risk-assessment visits, it ranks firms by:

Priority score = impact score × residual risk score

| Firm | Impact | Residual risk |
| --- | --- | --- |
| Northbank | 5 | 2 |
| Meridian | 4 | 4 |
| Harbour | 3 | 5 |
| Cedar | 2 | 4 |

Which firm should be reviewed first?

  • A. Northbank should be reviewed first
  • B. Cedar should be reviewed first
  • C. Meridian should be reviewed first
  • D. Harbour should be reviewed first

Best answer: C

What this tests: International Risk Regulation

Explanation: Risk-based regulatory reviews prioritise firms where the combination of impact and residual risk is greatest, not those with the highest score on only one factor. Meridian has the highest combined score of 16, so it would receive the earliest risk-assessment visit.

The purpose of a risk-based review is to direct limited supervisory attention to the firms that present the greatest overall threat to regulatory objectives. In this process, the regulator combines the firm’s impact with its residual risk and then ranks firms for review.

  • Northbank: 5 × 2 = 10
  • Meridian: 4 × 4 = 16
  • Harbour: 3 × 5 = 15
  • Cedar: 2 × 4 = 8

Meridian has the highest priority score, so it should be reviewed first. The key distinction is that regulators do not focus only on size or only on riskiness; they prioritise the strongest combination of potential impact and remaining unmanaged risk.

  • Choosing Northbank gives too much weight to impact alone; its lower residual risk reduces the overall score to 10.
  • Choosing Harbour gives too much weight to residual risk alone; 15 is close, but still below Meridian’s 16.
  • Choosing Cedar ignores that both its impact and combined score are materially lower than the leading firms.

Its priority score is 4 × 4 = 16, the highest, so a risk-based review would target it first.


Question 4

Topic: International Risk Regulation

A supervisor finds that a bank’s quarterly capital adequacy return misstated risk-weighted assets because data from the credit system were not reconciled to the general ledger before submission. Which option correctly matches the regulatory-risk issue with the firm-level control issue?

  • A. Market risk limit breach; weak independent price verification
  • B. Pillar 2 capital shortfall; weak model validation
  • C. Breach of risk appetite; weak second-line challenge
  • D. Inaccurate prudential reporting; weak source-data reconciliation

Best answer: D

What this tests: International Risk Regulation

Explanation: The regulatory-risk issue is the inaccurate capital adequacy return submitted to the supervisor. The firm-level control issue is the failed reconciliation between internal data sources before submission.

This scenario combines an external regulatory obligation with an internal control failure. The regulatory-risk issue is inaccurate prudential reporting, because the bank sent a misstated capital adequacy return to its supervisor. The firm-level control issue is weak source-data reconciliation, because data from the credit system were not checked against the general ledger before the return was filed. Reconciliation is an internal control designed by the firm to support complete and accurate reporting; it is not the regulatory issue itself, but the weakness that led to it. The key distinction is between the breach of an external reporting requirement and the internal process failure that caused that breach.

  • Risk appetite confusion: an internal appetite breach concerns the firm’s own limits, not whether a regulatory return is accurate.
  • Capital versus reporting: a Pillar 2 capital shortfall would mean insufficient capital, whereas the stem describes misreporting of risk-weighted assets.
  • Wrong control area: independent price verification applies to valuation and trading controls, not reconciliation of prudential reporting data.

The supervisor-facing issue is the misstated return, and the unreconciled system data are the internal control weakness that caused it.


Question 5

Topic: International Risk Regulation

Under Basel sound-practice principles, an effective risk appetite framework should be:

  • A. expressed only through regulatory capital ratios and compliance policies
  • B. kept separate from strategy to preserve objective oversight
  • C. owned by the risk function and updated mainly after breaches
  • D. board-approved and translated into limits, controls, and management information

Best answer: D

What this tests: International Risk Regulation

Explanation: Basel sound-practice principles require risk appetite to be more than a policy statement. It should be approved by the board and embedded in day-to-day management through limits, controls, and reporting so exposures can be monitored and challenged.

Basel sound-practice principles treat risk appetite as a governance tool that must be implemented across the firm, not merely documented. The board approves the appetite, senior management converts it into operational limits and control thresholds, and systems produce management information to monitor exposures and escalate breaches. This links governance, systems, controls, and reporting in a practical framework.

A framework is weak if it sits only with the risk function, relies only on regulatory capital metrics, or is detached from business strategy. Basel expects risk appetite to guide decision-making across the organisation. The closest distractor is risk-function ownership: the second line supports and challenges, but it does not replace board oversight and business implementation.

  • Risk function confusion: The second line helps design and monitor the framework, but board approval and firm-wide embedding are still required.
  • Too narrow: Regulatory capital ratios and compliance policies matter, but they do not on their own express the full risk appetite.
  • Strategy link: Risk appetite should support strategy and decision-making, not be kept separate as an isolated oversight document.

Basel expects risk appetite to be governed by the board and embedded through measurable limits, control processes, and timely management reporting.


Question 6

Topic: International Risk Regulation

A wealth manager sells higher-risk bond funds to retail clients. Its monthly suitability-exception report has not been reviewed for three months after a staff departure. The regulator then launches a sector review of higher-risk product sales and asks the board to attest within 10 days that client risk profiling is operating effectively. What is the single best assessment of these two issues?

  • A. Both issues are one operational matter and should not be separated.
  • B. The missed report review is the regulatory-risk issue; the attestation request is routine administration.
  • C. Potential non-compliance under the attestation request is regulatory risk; the missed report review is a control weakness.
  • D. Both issues are primarily market risk because higher-risk bond funds are volatile.

Best answer: C

What this tests: International Risk Regulation

Explanation: Regulatory risk is exposure to supervisory challenge, sanction, or remediation for failing external requirements. Here, that is signalled by the regulator’s sector review and request for a board attestation, while the missed suitability report review is a firm-level control weakness that may contribute to the regulatory problem.

The key distinction is between an external regulatory exposure and an internal control breakdown. The sector review and board attestation request point to regulatory risk because the firm may be unable to demonstrate compliance with conduct and suitability expectations, which could lead to supervisory intervention or remediation. By contrast, the unreviewed suitability-exception report is a firm-level control issue: a monitoring process has failed after a staff departure. That control weakness matters because it can allow unsuitable sales to go undetected, but it is not itself the regulatory category. In practice, the control failure can be a cause of regulatory risk, while the regulatory risk is the potential breach and supervisory consequence. The closest distractor confuses the internal cause with the external regulatory exposure.

  • Treating the missed report review as the regulatory issue confuses the control failure with the resulting exposure to supervision or sanction.
  • Calling both matters market risk mistakes product price volatility for conduct, compliance, and oversight concerns.
  • Collapsing both into one operational matter ignores the separate external dimension created by the regulator’s review and attestation request.

Regulatory risk arises from possible breach and supervisory action, while the unreviewed exception report is an internal monitoring failure.


Question 7

Topic: International Risk Regulation

Under the Basel framework, minimum Pillar 1 capital adequacy is primarily calculated against which three broad risk categories?

  • A. Market risk, liquidity risk and reputational risk
  • B. Credit risk, market risk and liquidity risk
  • C. Credit risk, liquidity risk and operational risk
  • D. Credit risk, market risk and operational risk

Best answer: D

What this tests: International Risk Regulation

Explanation: Basel’s minimum capital framework centres on three core Pillar 1 risks: credit, market and operational risk. These are the main categories used to calculate regulatory capital adequacy, while liquidity and reputational risks are important but handled elsewhere in the wider risk framework.

The Basel framework, developed through the BIS Basel Committee, sets minimum capital requirements by linking regulatory capital to a bank’s exposure to credit risk, market risk and operational risk. Credit risk covers losses from borrower or counterparty default. Market risk covers adverse movements in prices, interest rates, foreign exchange or similar market factors. Operational risk covers losses arising from failed processes, people, systems or external events.

Liquidity risk is a major concern for banks, but Basel generally addresses it through liquidity standards and supervisory expectations rather than as one of the three main Pillar 1 capital drivers. Reputational risk may be serious in practice, but it is not a core minimum-capital category. The key distinction is between capital adequacy drivers and other important risks managed through broader oversight.

  • Liquidity confusion: Liquidity risk is important, but it is not one of the three main Pillar 1 capital categories.
  • Incomplete set: Any combination that replaces market risk with liquidity risk misses an explicit Basel capital driver.
  • Reputational trap: Reputational risk can harm a bank, but it is not a primary Pillar 1 capital risk category.

Basel Pillar 1 links minimum regulatory capital mainly to credit, market and operational risk exposures.


Question 8

Topic: International Risk Regulation

A wealth manager must segregate all client money daily. At close of business, client ledger balances total £6.40 million and the segregated client money account contains £6.28 million. The firm still meets its own capital and liquidity requirements. Which statement is most accurate?

  • A. A £120,000 shortfall; consumer protection is the main concern
  • B. A £120,000 shortfall; prudential standards are the main concern
  • C. A £12,000 shortfall; business standards are the main concern
  • D. A £120,000 surplus; consumer protection is the main concern

Best answer: A

What this tests: International Risk Regulation

Explanation: The shortfall is £120,000 because required client money of £6.40 million exceeds segregated money of £6.28 million. Since the firm still meets its own capital and liquidity requirements, the primary regulatory issue is protection of client assets rather than prudential soundness.

This tests the distinction between consumer protection and prudential regulation. The calculation is simple: £6.40 million of client money should be segregated, but only £6.28 million has been set aside, leaving a £120,000 shortfall. Client money rules are mainly designed to protect customers by keeping their assets separate from the firm’s own resources and available for return if the firm gets into difficulty.

Poor reconciliations and controls may also indicate weak business standards, but the stem explicitly says the firm still satisfies its own capital and liquidity requirements. That removes prudential adequacy as the main issue here. The key point is that under-segregation exposes clients, so the primary regulatory concern is consumer protection.

  • Treating the position as a surplus reverses the arithmetic; the amount held is lower than the amount required.
  • Using £12,000 misreads the figures by a factor of ten and understates the breach.
  • Focusing on prudential standards confuses client-asset protection with the firm’s own solvency; the stem says capital and liquidity remain compliant.

£6.40 million minus £6.28 million gives a £120,000 client money shortfall, directly affecting protection of client assets.


Question 9

Topic: International Risk Regulation

A national regulator is reviewing banks in a market where many households earn in local currency but borrow in foreign currency. All major banks still meet Basel minimum capital standards.

Exhibit:

  • Average borrower net income: LCU 2,500 per month
  • Average FX mortgage payment now: LCU 750 per month
  • Stress assumption: 20% local-currency depreciation
  • Mortgage payments rise one-for-one with depreciation
  • The regulator introduces local supervisory measures if stressed payment-to-income exceeds 35%

Which supervisory response is most appropriate?

  • A. Wait for Basel global standards to change
  • B. Tighten trading-book market-risk limits instead
  • C. Keep underwriting limits unchanged because the ratio stays below 35%
  • D. Tighten underwriting limits on new foreign-currency mortgage lending

Best answer: D

What this tests: International Risk Regulation

Explanation: After the 20% depreciation, the average mortgage payment rises to 900 and the payment-to-income ratio becomes 36%. Because this is above the regulator’s 35% trigger, the national regulator should impose a local supervisory measure aimed at foreign-currency mortgage risk.

National regulators are responsible for applying supervisory measures when a vulnerability is specific to their own market, even if firms still meet Basel minimum standards. Here, the country-specific risk is that borrowers earn in local currency but repay in foreign currency, so a depreciation increases repayment strain and therefore local credit risk.

  • Stressed payment = 750 × 1.20 = 900
  • Stressed payment-to-income = 900 / 2,500 = 36%
  • 36% is above the 35% trigger

That supports tightening local underwriting or lending restrictions on new FX mortgages. The key point is that national supervisors should act on domestic vulnerabilities rather than wait for global standards to be amended.

  • Calculation error: Leaving limits unchanged depends on misreading the stress result; the ratio rises to 36%, not below 35%.
  • Wrong risk lens: Trading-book market-risk limits address banks’ market positions, not borrowers’ FX repayment strain and resulting credit risk.
  • Wrong responsibility: Waiting for Basel changes confuses international standard setting with the national regulator’s duty to respond to local risks.

The stressed payment is 750 × 1.20 = 900, so payment-to-income is 900 / 2,500 = 36%, above the 35% trigger for local supervisory action.


Question 10

Topic: International Risk Regulation

A bank standardises risk-data definitions across subsidiaries, assigns clear data ownership, adds automated reconciliations, and can produce ad hoc group exposure reports for the board during stress. Under Basel sound-practice principles, which capability is this primarily implementing?

  • A. Independent model validation
  • B. Group-wide risk data aggregation and reporting
  • C. Internal capital allocation
  • D. Recovery and resolution planning

Best answer: B

What this tests: International Risk Regulation

Explanation: This setup is about producing accurate, comprehensive and timely risk information for decision-makers, especially during stress. Common definitions, clear ownership, reconciliation controls and rapid ad hoc reporting are core Basel sound-practice features of risk data aggregation and reporting.

Basel sound-practice principles expect firms to have governance, systems and controls that can aggregate risk data across entities and deliver reliable reports to senior management and the board. The features in the stem directly support that objective: standard definitions improve consistency, named owners improve accountability, automated reconciliations strengthen control, and ad hoc reporting improves timeliness in stress.

In practice, this capability helps a firm to:

  • combine exposures across business lines and legal entities
  • identify concentrations and emerging issues quickly
  • support oversight, escalation and capital-related decisions

The key point is that the described measures build the reporting infrastructure itself, rather than a separate capital, modelling or recovery tool.

  • Internal capital allocation uses risk information to distribute capital, but it is not the primary purpose of common data standards and ad hoc board reporting.
  • Independent model validation checks whether models are conceptually sound and perform as intended; it does not create firm-wide exposure reporting capability.
  • Recovery and resolution planning relies on risk information for severe scenarios, but the controls described are broader day-to-day and stress-period reporting foundations.

These features are designed to ensure accurate, complete and timely risk information reaches senior management and the board, especially in stressed conditions.

Continue with full practice

Use the CISI Risk Practice Test page for the full Securities Prep route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Read the CISI Risk guide on SecuritiesMastery.com, then return to Securities Prep for timed practice.

Revised on Thursday, May 14, 2026