CISI Risk: Principles of Risk Management

Try 10 focused CISI Risk questions on Principles of Risk Management, with answers and explanations, then continue with Securities Prep.

Open the matching Securities Prep practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

Field | Detail
Exam route | CISI Risk
Issuer | CISI
Topic area | Principles of Risk Management
Blueprint weight | 14%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Principles of Risk Management for CISI Risk. Work through the 10 questions first, then review the explanations and return to mixed practice in Securities Prep.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 14% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original Securities Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Principles of Risk Management

A financial services group introduces a central treasury control to net same-day internal cash positions before borrowing externally.

Business unit | Cash position
Retail banking | -£9m
Custody services | +£4m
Asset management | +£3m
Group operations | -£2m

A negative figure means the unit needs cash; a positive figure means surplus cash. By how much does netting reduce the group's external funding requirement?

  • A. £11 million
  • B. £18 million
  • C. £4 million
  • D. £7 million

Best answer: D

What this tests: Principles of Risk Management

Explanation: Without netting, the units with deficits would need £11m of external funding. Netting allows the £7m of internal surpluses to offset part of that need, leaving only £4m to borrow, so the reduction is £7m.

This tests how a simple risk management control can protect and add value to an organisation. Central cash netting reduces unnecessary external borrowing by using surplus liquidity in one part of the group to offset deficits elsewhere.

Here, the gross cash shortfall is £9m + £2m = £11m. The available internal surplus is £4m + £3m = £7m. After netting, the group only needs £11m - £7m = £4m from external sources. The benefit created by the control is therefore a £7m reduction in external funding need.

That protects stakeholders by lowering liquidity pressure and funding cost, while improving group-wide use of cash.

  • Choosing £4 million confuses the reduction with the remaining external funding need after netting.
  • Choosing £11 million gives the gross borrowing requirement before any internal offsets are used.
  • Choosing £18 million incorrectly adds all cash positions by absolute value instead of offsetting surpluses against deficits.

Gross funding needed is £11m, net funding needed after offsetting £7m of surpluses is £4m, so the reduction is £7m.


Question 2

Topic: Principles of Risk Management

A firm wants to trial a new digital onboarding tool. It wants to learn from limited live use while keeping operational, conduct and compliance exposure tightly controlled through caps, monitoring and a clear rollback trigger. Which option best matches this approach?

  • A. A controlled pilot with customer limits, enhanced monitoring and rollback criteria
  • B. A stress test of extreme onboarding volumes and system failures
  • C. A proof of concept in a non-production environment
  • D. A board-approved increase in the firm’s risk appetite

Best answer: A

What this tests: Principles of Risk Management

Explanation: The best match is a controlled pilot because it combines innovation with practical risk containment. It permits real-world learning, but only within pre-set boundaries, with monitoring and a stop mechanism if outcomes are unacceptable.

A controlled pilot is a standard way to balance innovation benefit against control risk in financial services. It allows a firm to test a new tool on a small scale in live conditions, while limiting the size of any operational, conduct or compliance failure. The key features are restricted scope, explicit limits, enhanced oversight and predefined rollback or stop criteria.

This makes it different from related tools:

  • a proof of concept mainly tests feasibility, usually outside live customer use
  • a risk appetite statement sets overall boundaries but does not itself control implementation
  • a stress test assesses resilience under adverse scenarios but does not govern a limited rollout

The key takeaway is that innovation is best controlled through phased deployment with clear guardrails, not by governance statements or analysis alone.

  • Non-production testing: A proof of concept can confirm technical feasibility, but it does not provide the same live customer and process learning.
  • Governance only: Raising risk appetite may permit more risk in principle, but it is not a deployment control for a new tool.
  • Assessment not rollout: Stress testing helps understand resilience under strain, but it does not create a bounded live trial with exit criteria.

This approach allows measured live testing while capping exposure and preserving a defined exit route if control issues emerge.


Question 3

Topic: Principles of Risk Management

A mid-sized bank relies heavily on short-term wholesale funding and provides payment services to several smaller financial firms. After market rumours trigger sharp liquidity outflows, the board finds that its recovery options and operational continuity arrangements for resolution have not been updated. What is the single best reason robust recovery and resolution planning matters here?

  • A. It enables early recovery actions and orderly resolution of critical services.
  • B. It ensures emergency official funding will be provided automatically.
  • C. It replaces routine liquidity management and stress testing.
  • D. It guarantees shareholders and creditors avoid losses in failure.

Best answer: A

What this tests: Principles of Risk Management

Explanation: Recovery and resolution planning prepares a firm and the authorities for severe stress before a crisis escalates. In this case, the bank’s funding weakness and payment-service role mean planning is important both for restoring viability and for maintaining critical services if recovery fails.

The core concept is that recovery planning and resolution planning serve different but linked purposes. Recovery planning is the firm’s pre-agreed set of actions to stabilise itself under severe stress, such as raising liquidity, reducing risk or selling assets. Resolution planning is for the case where recovery is not enough: it allows the firm to fail in an orderly way while preserving critical functions, such as payment services, and limiting contagion to the wider system.

That matters here because the bank has concentrated wholesale funding and performs services used by other firms. Without credible plans, a liquidity shock could become a disorderly failure that disrupts financial stability. Automatic public support is not the objective; continuity and orderly loss allocation are.

  • Automatic funding: A plan may identify possible funding sources, but it does not guarantee central bank or government support.
  • Replacing routine controls: Recovery and resolution planning complements day-to-day liquidity management, contingency funding and stress testing; it does not replace them.
  • Avoiding losses: Resolution is designed to manage failure in an orderly way, not to shield shareholders and creditors from bearing losses.

Recovery and resolution planning is meant to restore viability if possible and, if not, support an orderly failure while keeping critical services running.


Question 4

Topic: Principles of Risk Management

An investment firm has board-approved trading limits, daily management information and a monthly risk committee. In practice, desk heads discourage staff from reporting small limit breaches, and repeated exceptions are relabelled as “timing issues” so dashboards appear within appetite. Which action would best apply sound risk management principles?

  • A. Add more limit metrics to the monthly risk committee pack
  • B. Give the independent risk function direct escalation authority over breaches and overrides
  • C. Widen the trading limits to reduce the number of exceptions
  • D. Ask internal audit to review the breach process at year end

Best answer: B

What this tests: Principles of Risk Management

Explanation: The main weakness is not the formal framework but the reluctance to escalate bad news. Giving the independent risk function direct authority to challenge and escalate breaches reinforces risk appetite, supports effective second-line oversight and reduces the chance that front-line pressure will hide issues.

This scenario shows how weak risk culture can undermine otherwise sound controls. The firm already has limits, management information and a risk committee, but those tools fail if staff are discouraged from reporting breaches and managers can reclassify exceptions to avoid scrutiny. The best application of sound risk management is to strengthen independent escalation so the second line can challenge the first line and report breaches or overrides without front-line veto.

A healthy framework needs both design and behaviour:

  • clear risk appetite and breach rules
  • independent challenge from the risk function
  • escalation of exceptions and near misses
  • a speak-up culture so issues are surfaced early

More reporting or later review helps less if the underlying culture still suppresses information. The key point is that governance only works when escalation is trusted and protected.

  • More metrics: Extra management information does not solve a culture where breaches are hidden before they enter the reports.
  • Internal audit review: Internal audit is a third-line, retrospective check; it cannot replace timely second-line escalation of live breaches.
  • Wider limits: Raising limits to cut exceptions weakens risk appetite discipline and masks the real behavioural problem.

This addresses the cultural failure by ensuring independent challenge and escalation cannot be blocked by front-line management.


Question 5

Topic: Principles of Risk Management

An investment firm adopts a regtech platform to map a new regulatory rule to existing controls, assign action owners, and flag overdue remediation. The board wants the tool to improve compliance monitoring without weakening accountability. Which implementation best applies the three lines of defence?

  • A. Business owners remediate gaps; compliance challenges and escalates; internal audit reviews later.
  • B. Internal audit assigns actions and approves remediation in real time.
  • C. Each desk tailors rule mappings locally and self-certifies compliance.
  • D. Compliance remediates control gaps for the business and reports completion.

Best answer: A

What this tests: Principles of Risk Management

Explanation: Regtech should strengthen governance, not replace it. The best use keeps first-line ownership of controls and remediation, gives the second line oversight and escalation, and leaves internal audit independent.

The core principle is that regtech supports risk identification, monitoring, reporting, and compliance processes, but it does not transfer accountability away from the business. In a three-lines-of-defence model, the first line owns the controls and fixes gaps, the second line validates regulatory interpretation and monitors exceptions, and the third line provides independent assurance after the fact. A regtech platform can map rules to controls, track overdue actions, and produce exception reports, but those functions must sit within clear governance. Using internal audit for live control ownership would weaken its independence, while having compliance or individual desks own remediation would blur responsibilities and reduce effective challenge. The key point is that technology improves control discipline and visibility; it does not change who is accountable.

  • Audit independence: Giving internal audit live task ownership or approval compromises the third line’s independent assurance role.
  • Role confusion: Having compliance fix business control gaps makes the second line the control owner instead of the overseer.
  • Inconsistent monitoring: Letting each desk rewrite rule mappings locally weakens standardisation, comparability, and central challenge.

This keeps remediation with the first line, oversight and escalation with compliance, and independent assurance with internal audit.


Question 6

Topic: Principles of Risk Management

A lender plans to distribute loans through a large retail platform. The risk team is mainly concerned about dependence on one partner for customer access, very thin margins, and the growth assumptions needed to break even, rather than the loan features themselves. Which risk-management focus best matches this review?

  • A. Business-model risk assessment
  • B. Operational resilience mapping
  • C. Model validation testing
  • D. New product approval review

Best answer: A

What this tests: Principles of Risk Management

Explanation: This is about whether the firm’s proposed way of making money is sustainable, not whether the product itself is well designed. Reliance on one platform, low margins and optimistic growth assumptions are classic business-model risk indicators.

Business-model risk arises when a firm’s strategy, revenue drivers or distribution approach may not be commercially sustainable under realistic conditions. In the scenario, the main concern is not the loan product’s features or customer suitability, but whether the lender can profitably and safely operate through a single external platform with thin margins and ambitious growth assumptions.

That makes the review a business-model risk assessment because it is testing:

  • partner dependency
  • economic viability
  • scalability assumptions
  • strategic sustainability

A new product approval review would focus more on product design, target market, disclosures and customer outcomes. The key takeaway is that emerging business-model risk often sits in how the firm plans to distribute and monetise a product, not only in the product innovation itself.

  • Product governance trap: New product approval is mainly about design, target market and customer treatment, not whether the distribution economics are viable.
  • Resilience trap: Operational resilience mapping tests the ability to continue important services through disruption, rather than the sustainability of the commercial model.
  • Model trap: Model validation would examine a specific model’s methodology or data, but the scenario is broader and centres on strategic dependency and margin assumptions.

The review is challenging the sustainability of distribution, margins and growth assumptions, which are business-model issues rather than product-design issues.


Question 7

Topic: Principles of Risk Management

A wealth manager routes most client equity orders through an outsourced order-management platform.

Exhibit:

  • Average client orders received: 2,400 per hour
  • Orders routed through the outsourced platform: 85%
  • In-house manual fallback capacity during an outage: 300 per hour
  • Estimated platform outage: 4 hours

Based on the exhibit, which conclusion is most appropriate?

  • A. The firm is sufficiently resilient, because 15% of orders avoid the outsourced platform.
  • B. A backlog of 8,160 orders would remain, because fallback capacity is irrelevant in an outage.
  • C. A backlog of 6,960 orders would remain, showing material third-party resilience dependence.
  • D. The main issue is market risk, because delayed orders expose the firm to price movements.

Best answer: C

What this tests: Principles of Risk Management

Explanation: The outsourced platform carries 85% of 2,400 orders, so 2,040 orders per hour depend on the provider. Over 4 hours that is 8,160 orders; after using 1,200 orders of manual fallback capacity, 6,960 remain unprocessed, showing a significant resilience gap caused by third-party dependence.

The core concept is that outsourcing a critical activity can create concentration, control and operational resilience risk if the fallback arrangement is much weaker than normal processing capacity. Here, 85% of 2,400 orders means 2,040 orders per hour rely on the external platform. Over a 4-hour outage, that equals 8,160 affected orders. Manual fallback handles 300 per hour, or 1,200 over 4 hours, so the residual backlog is 6,960 orders.

That large shortfall shows the firm remains heavily dependent on the third party even though a fallback exists. In risk terms, the control is insufficient to maintain service through a plausible disruption. Price movement may be a consequence of delay, but the primary issue shown by the figures is weak resilience in an outsourced critical process.

  • Ignoring fallback: Treating the full 8,160 outsourced orders as residual backlog misses that manual capacity should be deducted when assessing the remaining disruption.
  • Wrong risk type: Focusing on market risk describes a possible effect of delayed execution, not the root control weakness from third-party dependency.
  • False comfort: Pointing to the 15% processed elsewhere overlooks the concentration problem, because most order flow still depends on one outsourced platform.

It correctly nets manual fallback capacity against outsourced order volume, leaving 6,960 unprocessed orders and evidencing material reliance on a critical supplier.


Question 8

Topic: Principles of Risk Management

A bank activates its recovery plan after severe funding stress.

Exhibit:

Item | £m
Projected cash outflows over 5 days | 900
Projected cash inflows over 5 days | 300
Cash raised from recovery actions | 450

Using the exhibit, which statement best explains why recovery and resolution planning both matter?

  • A. A £150m surplus remains, so recovery planning alone is sufficient.
  • B. Quantified recovery actions mean creditors must be repaid in full in resolution.
  • C. The figures mainly show market risk, so resolution planning is secondary.
  • D. A £150m gap may remain, so resolution planning helps preserve critical services if recovery fails.

Best answer: D

What this tests: Principles of Risk Management

Explanation: The exhibit shows a £600m net cash gap before recovery actions and a remaining £150m shortfall after them. Recovery planning aims to restore viability, while resolution planning matters because it provides an orderly way to maintain critical functions and limit wider disruption if recovery is not enough.

Recovery and resolution planning are complementary parts of systemic resilience. From the exhibit, net cash outflow over 5 days is £900m minus £300m, which equals £600m. Recovery actions raise £450m, so a £150m shortfall remains. That means management actions in the recovery plan may still be insufficient to return the firm to viability.

A recovery plan sets out actions the firm can take in stress, such as asset sales or use of eligible collateral. A resolution plan prepares for the situation where those actions do not fully work, so authorities can resolve the firm in an orderly way, maintain critical functions, and reduce contagion to the wider financial system. The key point is that resolution planning is the backstop when recovery cannot fully close the gap.

  • Treating the outcome as a surplus reverses the calculation: £900m less £300m gives a £600m gap, and £450m of recovery actions still leaves £150m unmet.
  • Reclassifying the exhibit as mainly market risk misses the point; the figures show a funding shortfall, while resolution planning is about orderly continuity if the firm fails.
  • Full repayment of every creditor is not the purpose of resolution planning; the aim is continuity of critical functions and reduced systemic disruption.

Net outflows are £600m and recovery actions cover £450m, leaving a £150m shortfall that makes orderly resolution planning important if viability cannot be restored.


Question 9

Topic: Principles of Risk Management

A dealer’s interest-rate derivatives book moves sharply against it. Counterparties remain solvent, systems operate normally, and no other funding is available today.

Exhibit:

  • Mark-to-market loss today: GBP 6 million
  • Variation margin payable today: GBP 6 million
  • Cash immediately available today: GBP 4 million

Which statement best describes the risk impact?

  • A. A liquidity risk event has created a secondary GBP 2 million market loss.
  • B. A market risk loss has created a secondary GBP 6 million liquidity shortfall.
  • C. A market risk loss has created a secondary GBP 2 million liquidity shortfall.
  • D. A credit risk event has created a secondary GBP 2 million liquidity shortfall.

Best answer: C

What this tests: Principles of Risk Management

Explanation: The primary event is a market risk loss on the derivatives book. That loss triggers a same-day margin payment of GBP 6 million, but only GBP 4 million cash is available, so it also creates a GBP 2 million liquidity shortfall.

One risk event can spill into another risk category. Here, the initial problem is market risk: the value of the derivatives book has fallen by GBP 6 million. Because variation margin of GBP 6 million must be paid today and only GBP 4 million cash is available, the firm also faces a liquidity problem.

  • Margin due today: GBP 6 million
  • Cash available today: GBP 4 million
  • Liquidity shortfall: GBP 2 million

So the correct interpretation is a market risk event with a secondary liquidity consequence. It is not credit risk, because the stem explicitly says counterparties remain solvent.

  • Treating the liquidity shortfall as GBP 6 million ignores the GBP 4 million cash already available.
  • Putting liquidity risk first reverses the sequence; the market move caused the margin call and the funding pressure.
  • Calling it credit risk is incorrect because no counterparty default or deterioration is described.

The market move is the primary event, and the same-day funding gap is GBP 6 million minus GBP 4 million, or GBP 2 million.


Question 10

Topic: Principles of Risk Management

A broker launches a commission-free mobile trading app. Management initially labels the main emerging risk as “product innovation”. Assume the platform and controls operate as intended, and the broker does not take principal market positions.

Item per active client | Amount
Revenue per year | £28
Servicing and compliance cost per year | £22
Customer acquisition cost upfront | £25
Average client life | 2 years

Assume no other material revenues or costs. Based on the figures, which interpretation is most appropriate?

  • A. It is mainly market risk from clients’ exposure to listed shares.
  • B. It is mainly business-model risk from negative lifetime client economics.
  • C. It is mainly operational risk from mobile account opening and processing.
  • D. It is mainly product innovation risk from offering commission-free trading.

Best answer: B

What this tests: Principles of Risk Management

Explanation: The figures show weak unit economics, not just novelty. Annual contribution is £6 per client, so over a two-year life the broker earns £12 before acquisition cost, which is less than the £25 spent to win the client. That makes the core issue business-model sustainability.

Business-model risk arises when a firm’s strategy or revenue model is not economically sustainable, even if the product itself is innovative and operations work properly. Here, the app generates annual contribution of £6 per client (£28 revenue less £22 servicing and compliance cost). Over the stated two-year average client life, that totals £12. After the £25 upfront acquisition cost, expected lifetime value is -£13 per client.

Negative unit economics mean growth would scale losses rather than solve them, so the main emerging risk is the viability of the business model. The closest distractor is product innovation, but the stem’s figures show the bigger issue is monetisation, not novelty.

  • Product novelty: Commission-free trading may be innovative, but the key evidence is that expected revenues do not recover acquisition cost over the average client life.
  • Wrong risk owner: Market risk does not fit because the broker is not taking principal positions; the clients’ trading exposure is not the firm’s own market exposure.
  • Control versus strategy: Operational risk could exist in a digital launch, but the stem asks what the figures mainly show after assuming the platform and controls work as intended.

Each client produces only £12 of contribution over two years versus £25 acquisition cost, so the expected lifetime loss indicates business-model risk.

Continue with full practice

Use the CISI Risk Practice Test page for the full Securities Prep route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Read the CISI Risk guide on SecuritiesMastery.com, then return to Securities Prep for timed practice.

Revised on Thursday, May 14, 2026