Try 10 focused CISI Risk questions on Operational Risk, with answers and explanations, then continue with Securities Prep.
| Field | Detail |
|---|---|
| Exam route | CISI Risk |
| Issuer | CISI |
| Topic area | Operational Risk |
| Blueprint weight | 15% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Operational Risk for CISI Risk. Work through the 10 questions first, then review the explanations and return to mixed practice in Securities Prep.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 15% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original Securities Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Operational Risk
An investment platform has recently changed its trade-settlement system. Since the change, staff have used manual overrides to clear a backlog, end-of-day reconciliations have sometimes been skipped, and two near-miss settlement failures were not escalated beyond the desk manager. What is the single best action for the operational-risk management function?
Best answer: A
What this tests: Operational Risk
Explanation: The operational-risk function should do more than record incidents. In this scenario, the right response is to identify the control failures, assess their likely frequency and potential impact, and ensure management actions reduce the risk promptly.
The core aim of operational-risk management is to identify risks, assess their significance, and support actions that reduce both the chance of loss and the size of any loss. Here, the software change, manual overrides, missed reconciliations, and poor escalation all point to a weakened control environment in a critical process. A focused risk and control assessment is therefore the best response because it brings the issue into the formal framework, evaluates impact and likelihood, and drives corrective actions such as stronger reconciliations, tighter change controls, and proper escalation.
Logging events alone is too passive, insurance may absorb some financial effect but does not fix the process, and internal audit should provide independent assurance rather than own control design.
This best fits operational-risk management because it identifies the weakness, assesses severity, and drives actions to reduce both likelihood and impact.
Topic: Operational Risk
An investment platform suffers a two-hour payments outage after a software change. Operations identifies the issue, IT restores service, and Compliance notifies the regulator late because each team assumed another team owned incident escalation and client-impact assessment. Which change to the firm’s operational-risk policy would BEST reduce the risk of a repeat?
Best answer: D
What this tests: Operational Risk
Explanation: The main weakness is not a lack of analysis or risk appetite, but unclear accountability during an incident. An operational-risk policy should specify who in the first line owns response actions, who escalates, and how the second line oversees the process.
This scenario shows a classic operational-risk governance failure: several teams were involved, but no one had clearly assigned responsibility for impact assessment and escalation. A strong operational-risk policy should define roles and responsibilities across the lines of defence so that incidents are managed quickly and consistently. In practice, that means naming control or incident owners, setting escalation triggers and timelines, and clarifying the oversight role of the risk function. These measures directly address the delay caused by each team assuming someone else was responsible. Training, scenario analysis, and risk appetite can support the framework, but they do not replace explicit accountability in the policy. The key takeaway is that clear ownership is a primary control against delayed response and weak escalation.
Clear policy ownership removes ambiguity over who must assess impact, escalate promptly, and coordinate oversight during an operational incident.
Topic: Operational Risk
A firm’s payments policy requires an independent callback before any change to supplier bank details is released. A loss occurs when an operator updates the details from an email request without performing the callback. Post-event review confirms the policy wording and control design were clear and sufficient. Which option best matches the weakness?
Best answer: B
What this tests: Operational Risk
Explanation: This is an execution weakness because the required control was already defined in the policy and was adequate for the risk. The event happened because the operator did not perform the callback, so the failure was in operation of the control, not in its design.
The core distinction is between what the policy requires and how the control is actually carried out. A policy weakness exists when the policy is missing a necessary control, is unclear, or sets an inadequate standard. An execution weakness exists when the policy is sound but staff fail to follow it, apply it inconsistently, or bypass it in practice.
Here, the policy clearly required an independent callback before changing supplier bank details, and the review confirmed that this requirement was sufficient. The loss therefore came from non-compliance with an adequate control. That makes the issue an execution weakness. The closest distractor is policy weakness, but that would only apply if the callback requirement were absent, vague, or poorly designed.
The policy already required the right control, so the loss arose from failure to operate it rather than from weak policy design.
Topic: Operational Risk
On an investment bank’s FX desk, a trader exceeded authorised limits, entered fictitious offsetting trades to conceal losses, and weak independent reconciliation delayed detection for several days. Under Basel operational-risk event types, what is the single best classification of the loss?
Best answer: C
What this tests: Operational Risk
Explanation: This is internal fraud because the primary cause is intentional deception by an employee, not a simple processing mistake or a third-party attack. The weak reconciliation is a control weakness, but it does not change the Basel event-type classification.
Basel operational-risk event types are classified by the main nature of the event. Here, the decisive facts are that the trader was an employee, breached authorised limits, and used fictitious trades to hide the true position. That is internal fraud: an internal act intended to defraud, misappropriate, or circumvent rules or controls. The delayed detection caused by weak independent reconciliation explains why the loss became larger, but that control failure is secondary to the employee’s deliberate misconduct. If the loss had come from an honest booking error, failed settlement, or broken process without intent to deceive, execution, delivery and process management would be a better fit. The key distinction is deliberate internal deception versus accidental process failure.
The loss arose from deliberate misconduct by an employee who concealed unauthorised activity, which is the defining feature of internal fraud.
Topic: Operational Risk
A broker’s operational-risk team estimates residual exposure in a settlement process as Expected annual loss = incidents per year × average loss per incident.
Current estimate: 12 incidents a year and £20,000 average loss.
| Proposed control | Incidents/year | Average loss per incident |
|---|---|---|
| Staff refresher training | 8 | £20,000 |
| Dual authorisation | 10 | £14,000 |
| Automated validation checks | 6 | £18,000 |
| Insurance cover | 12 | £8,000 |
Using this measure, which proposed control reduces both likelihood and impact and leaves the lowest residual expected annual loss?
Best answer: B
What this tests: Operational Risk
Explanation: Automated validation checks cut incident frequency from 12 to 6 and average loss from £20,000 to £18,000. That reduces expected annual loss from £240,000 to £108,000, making it the best option that addresses both likelihood and impact rather than only one side of the risk.
The operational-risk function aims to identify and assess risk, then manage it by lowering the chance of incidents and the loss if they occur. Here, the firm uses expected annual loss as a simple assessment tool. Current expected annual loss is 12 × £20,000 = £240,000. Automated validation checks reduce both dimensions of risk and produce 6 × £18,000 = £108,000. Dual authorisation also reduces both, but only to 10 × £14,000 = £140,000. Controls that change only frequency or only impact do not fully meet the stated objective.
The key point is to choose the control that improves both likelihood and severity and leaves the lowest residual expected annual loss under the measure used.
It reduces incidents and average loss, giving residual expected annual loss of £108,000, the lowest option that improves both likelihood and impact.
Topic: Operational Risk
A bank’s risk team maintains a loss-event database, requires business units to complete risk and control self-assessments, tracks KRIs such as failed settlements and system downtime, and tests business continuity plans. These tools and controls are primarily used to manage which type of risk?
Best answer: D
What this tests: Operational Risk
Explanation: The controls listed are classic operational-risk practices. They focus on breakdowns in processes, systems, people, and external events, rather than borrower default, market price movements, or weaknesses in quantitative models.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events. A loss-event database, risk and control self-assessments, KRIs such as failed settlements and downtime, and business continuity testing are all core elements of an operational-risk framework. They help firms identify process weaknesses, monitor incidents and near misses, and improve resilience when disruptions occur.
By contrast, credit risk is managed through tools such as underwriting standards, counterparty limits, and collateral; market risk through measures such as sensitivities, VaR, and stress testing of price moves; and model risk through validation, back-testing, and model governance. The presence of continuity planning and incident-based KRIs is the strongest clue that the focus is operational risk.
These are standard operational-risk tools for losses arising from failed processes, people, systems, or external events.
Topic: Operational Risk
A bank’s operational-risk appetite requires escalation to the Operational Risk Committee if any KRI is amber for two consecutive months or red once. The payments team’s KRI for unreconciled nostro breaks has been amber for the past two months. The monthly MI pack shows only the latest count and no action owner. Which change best supports monitoring, escalation, and control?
Best answer: A
What this tests: Operational Risk
Explanation: The best management information is timely, linked to the firm’s risk appetite, and actionable. Here, the KRI has already met the stated escalation trigger, so MI should show the trend, flag the breach clearly, and support remediation through named ownership and deadlines.
Within an operational-risk framework, management information is useful only if it helps the business and oversight functions monitor exposures, recognise when appetite has been breached, and take controlled action. In this case, two consecutive amber months already require escalation, so a pack showing only the latest number is incomplete. Strong MI would include the trend, the current status against appetite, a brief explanation of the issue, the responsible owner, and a target date for remediation, then route the matter to the Operational Risk Committee as required.
This supports all three purposes: monitoring through trend data, escalation through clear trigger reporting, and control through accountability and follow-up. Waiting for a loss, ignoring the threshold, or pushing ownership to Internal Audit would weaken the framework rather than strengthen it.
Good MI should show threshold breaches over time, assign ownership, and trigger escalation when appetite rules are met.
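As an added illustration (not part of the original practice item), the escalation rule from this question can be written as a small check over a KRI's monthly history, with a second function that flags the gaps in the MI pack the explanation describes. The status history, owner field and field names are constructed for this example and are not CISI material.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample: monthly RAG status of the nostro-breaks KRI, oldest first.
# Two trailing ambers mirror the scenario in the question.
NOSTRO_BREAKS_HISTORY = ["green", "green", "amber", "amber"]


@dataclass
class KriReport:
    """One line of an MI pack for a single KRI (hypothetical structure)."""
    name: str
    history: list              # RAG status per month, oldest first
    owner: Optional[str]       # named action owner, None if the pack omits it
    target_date: Optional[str] # remediation deadline, None if omitted


def escalation_required(history):
    """Appetite rule from the question: escalate on any red, or on amber
    in two consecutive months."""
    if "red" in history:
        return True
    for prev, cur in zip(history, history[1:]):
        if prev == "amber" and cur == "amber":
            return True
    return False


def mi_gaps(report):
    """Return the shortcomings that would leave a breach unactioned:
    no trend shown, or a triggered escalation with no owner or deadline."""
    gaps = []
    if len(report.history) < 2:
        gaps.append("no trend: fewer than two months of history shown")
    if escalation_required(report.history):
        if report.owner is None:
            gaps.append("breach with no named action owner")
        if report.target_date is None:
            gaps.append("breach with no remediation target date")
    return gaps


def mi_line(report):
    """Build the richer MI line the explanation asks for: trend, current
    status, breach flag, owner and deadline, plus any remaining gaps."""
    return {
        "kri": report.name,
        "trend": " -> ".join(report.history),
        "current": report.history[-1] if report.history else "n/a",
        "escalate_to_orc": escalation_required(report.history),
        "owner": report.owner,
        "target_date": report.target_date,
        "gaps": mi_gaps(report),
    }


if __name__ == "__main__":
    weak_pack = KriReport("Unreconciled nostro breaks", NOSTRO_BREAKS_HISTORY[-1:], None, None)
    strong_pack = KriReport("Unreconciled nostro breaks", NOSTRO_BREAKS_HISTORY,
                            "Head of Payments Ops", "2025-01-31")
    print(mi_line(weak_pack))
    print(mi_line(strong_pack))
```

The "latest count only" pack in the question corresponds to `weak_pack`: with a single month of history the escalation rule cannot even be evaluated, and the missing owner and deadline are reported as gaps once the full history is supplied.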
Topic: Operational Risk
A bank expects 8 payment-processing error incidents a year, with an average loss of £30,000 each.
Exhibit: The bank is considering an insurance policy costing £30,000 a year that reimburses 75% of each loss.
Which option best describes the risk-response method and the bank’s expected annual net cost under this proposal?
Best answer: C
What this tests: Operational Risk
Explanation: This is risk transfer because the bank buys insurance and shifts most of the financial impact of the operational losses to an insurer. The expected annual gross loss is £240,000, so the bank retains 25% (£60,000) and pays the £30,000 premium, giving a net annual cost of £90,000.
Risk transfer means passing some or all of the financial consequences of an operational-risk event to another party, commonly through insurance. In this case, the bank continues the activity and does not change the underlying error rate, so it is not avoiding the activity or mitigating the process failure. It is transferring most of the loss impact to the insurer.
The closest distractor is risk mitigation, but mitigation would reduce the frequency or severity of errors through stronger controls rather than shift the loss externally.
Insurance shifts 75% of the loss to a third party, and the bank’s net cost is the retained £60,000 loss plus the £30,000 premium.
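As an added worked example (not part of the original practice items), the following code reproduces the expected-annual-loss arithmetic from the settlement-control question above and the insurance net-cost arithmetic from this question. It generalises the first question slightly by selecting, from any table of proposed controls, the one that reduces both frequency and severity and leaves the lowest residual expected loss. The `Exposure` class and function names are assumptions made for this example; the figures are the ones given in the two questions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """Frequency and severity of an operational-risk event (hypothetical type)."""
    incidents_per_year: float
    avg_loss: float

    def expected_annual_loss(self):
        # Expected annual loss = incidents per year x average loss per incident
        return self.incidents_per_year * self.avg_loss


# Figures from the settlement-process question.
CURRENT = Exposure(12, 20_000)
PROPOSED_CONTROLS = {
    "Staff refresher training": Exposure(8, 20_000),
    "Dual authorisation": Exposure(10, 14_000),
    "Automated validation checks": Exposure(6, 18_000),
    "Insurance cover": Exposure(12, 8_000),
}


def reduces_both(current, proposed):
    """True only if the control lowers likelihood AND impact."""
    return (proposed.incidents_per_year < current.incidents_per_year
            and proposed.avg_loss < current.avg_loss)


def best_dual_control(current, controls):
    """Among controls that reduce both dimensions, return the name and
    residual expected annual loss of the one with the lowest residual.
    Returns None if no control reduces both."""
    candidates = {name: exp for name, exp in controls.items()
                  if reduces_both(current, exp)}
    if not candidates:
        return None
    name = min(candidates, key=lambda n: candidates[n].expected_annual_loss())
    return name, candidates[name].expected_annual_loss()


def insurance_net_cost(exposure, premium, reimbursed_share):
    """Risk transfer: the insurer pays reimbursed_share of each loss, the
    firm keeps the rest and pays the premium regardless of losses."""
    gross = exposure.expected_annual_loss()
    retained = gross * (1 - reimbursed_share)
    return {
        "gross_expected_loss": gross,
        "retained_expected_loss": retained,
        "premium": premium,
        "expected_net_cost": retained + premium,
    }


if __name__ == "__main__":
    print("Current EAL:", CURRENT.expected_annual_loss())
    for name, exp in PROPOSED_CONTROLS.items():
        print(f"{name}: residual EAL {exp.expected_annual_loss():,} "
              f"(reduces both: {reduces_both(CURRENT, exp)})")
    print("Best dual control:", best_dual_control(CURRENT, PROPOSED_CONTROLS))
    # Figures from the payments-insurance question: 8 incidents, 30,000 each,
    # 30,000 premium, 75% reimbursed.
    print(insurance_net_cost(Exposure(8, 30_000), 30_000, 0.75))
```

Note that "Insurance cover" in the first table is excluded by `reduces_both` because it leaves the incident count unchanged, which is exactly the distinction the explanation draws between transfer and a control that changes the process.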
Topic: Operational Risk
Under Basel, which statement best matches the definition of operational risk?
Best answer: A
What this tests: Operational Risk
Explanation: Basel operational risk focuses on losses arising from the way a firm operates: its processes, people, systems and exposure to external events. It includes legal risk, which helps distinguish it from credit, market and liquidity risk.
Operational risk under Basel is the risk of loss arising from inadequate or failed internal processes, people and systems, or from external events. This covers common operational loss sources such as processing errors, staff misconduct, system outages and external fraud or disruption. Basel also treats legal risk as included within operational risk, while strategic and reputational risk are not part of the core definition. By contrast, the other options describe distinct risk categories driven by borrower default, market movements or funding stress. A useful memory aid is: people, processes, systems and external events.
This is Basel’s definition of operational risk and it identifies the main operational loss sources.
Topic: Operational Risk
A bank asks each operations manager to complete a quarterly checklist confirming whether key reconciliations, access reviews and maker-checker controls were performed, and to disclose any exceptions or overdue actions. The responses are used to flag control weaknesses and emerging issues. Which operational-risk technique does this best describe?
Best answer: C
What this tests: Operational Risk
Explanation: The technique described is self-certification by the first line. Process owners use a standard checklist to confirm control performance and disclose gaps, which helps identify operational risks and control weaknesses before they crystallise into losses.
Self-assessment or self-certification is an operational-risk identification method in which the business reviews its own processes against a defined set of controls or questions and confirms what actually happened. In the stem, operations managers are asked to attest whether reconciliations, access reviews and maker-checker controls were completed, and to report exceptions or overdue actions. That is a classic self-certification process because it relies on structured first-line confirmation to surface weaknesses, control failures and emerging issues.
This differs from tools that monitor metrics, model extreme events or provide independent assurance. The main value of self-certification is early identification: it highlights where a process may be drifting out of control so management can escalate and remediate it. The closest distractor is key risk indicator monitoring, but KRIs track warning signals rather than requiring direct attestation from control owners.
This is self-certification because managers formally attest whether key controls operated and report exceptions, helping the first line identify operational-risk weaknesses.
Use the CISI Risk Practice Test page for the full Securities Prep route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the CISI Risk guide on SecuritiesMastery.com, then return to Securities Prep for timed practice.