CISI Risk in Financial Services Quick Reference
Compact independent Quick Reference for Chartered Institute for Securities & Investment CISI Risk in Financial Services (CISI Risk) candidates: risk types, controls, governance, formulas, and scenario decision points.
Exam identity and study focus
This Quick Reference supports candidates preparing for the Chartered Institute for Securities & Investment CISI Risk in Financial Services exam, code CISI Risk. It is an independent exam-prep aid, not an official Chartered Institute for Securities & Investment publication.
Use it to revise the applied logic the exam commonly tests:
- Identify the risk type from a short scenario.
- Separate cause, event, impact, control, and owner.
- Choose the best control or governance response.
- Interpret risk metrics and formulas without confusing related terms.
- Recognize common traps: residual vs inherent risk, market vs credit risk, conduct vs compliance risk, liquidity vs solvency, audit vs risk ownership.
Core risk-management workflow
```mermaid
flowchart LR
A[Identify risk] --> B[Assess inherent risk]
B --> C[Select response and controls]
C --> D[Measure residual risk]
D --> E[Monitor KRIs, limits, losses]
E --> F[Report and escalate]
F --> G[Review appetite, policies, lessons learned]
G --> A
```
| Step | Candidate focus | Typical exam clue |
|---|---|---|
| Identify | What could go wrong? Which risk category? | New product, failed process, counterparty default, cyber incident |
| Assess | Likelihood, impact, velocity, correlation, concentration | Heat map, scoring, scenario estimate, expected loss |
| Respond | Avoid, reduce, transfer, accept | Hedge, insure, collateralize, outsource, set limits |
| Control | Preventive, detective, corrective measures | Segregation, reconciliation, confirmation, monitoring |
| Monitor | Indicators and breaches | KRI trend, limit excess, near miss, audit finding |
| Report | Right audience, frequency, escalation | Board risk pack, risk committee, regulatory notification |
| Review | Lessons learned and continuous improvement | Post-incident review, control redesign, policy update |
High-yield risk vocabulary
| Term | Meaning | Exam trap |
|---|---|---|
| Risk | Effect of uncertainty on objectives | Risk is not always purely negative; some risk is accepted for return |
| Risk event | Occurrence that creates loss or adverse outcome | Do not confuse event with root cause |
| Cause | Underlying driver of a risk event | Example: weak access control causes unauthorized payment |
| Impact | Consequence if the event occurs | Can be financial, regulatory, customer, operational, reputational |
| Inherent risk | Risk before controls | Usually higher than residual risk if controls are effective |
| Residual risk | Risk remaining after controls | Not automatically acceptable; compare with appetite |
| Risk appetite | Amount/type of risk the firm is willing to accept | Board-level concept, not a single operational limit |
| Risk tolerance | Permitted variation around appetite | Often expressed through thresholds or ranges |
| Risk capacity | Maximum risk the firm can bear | Capacity constrains appetite |
| Risk limit | Quantified boundary for activity or exposure | Breach should trigger action/escalation |
| KRI | Key risk indicator; forward-looking or risk-focused metric | Different from KPI, which measures performance |
| KPI | Key performance indicator | High sales KPI can increase conduct risk |
| KCI | Key control indicator | Measures whether a control is operating |
| RCSA | Risk and control self-assessment | Self-assessment needs challenge; not independent assurance |
| Loss event | Actual incident causing loss | Near misses matter even without financial loss |
| Near miss | Incident avoided before loss crystallized | Useful for trend analysis and control improvement |
| Risk owner | Person/function accountable for managing the risk | Usually first line, not internal audit |
| Control owner | Person responsible for operating a control | Control ownership may differ from risk ownership |
| Assurance | Independent check over control design/effectiveness | Assurance does not transfer risk ownership |
| Escalation | Raising a breach or issue to the right level | Reporting alone is not remediation |
Risk appetite, limits, and escalation
| Concept | Level | Practical example | What to remember |
|---|---|---|---|
| Capacity | Firm survival / capital / liquidity | Maximum loss the firm could withstand | Hard boundary; appetite must sit within it |
| Appetite | Board and strategy | Low appetite for regulatory breaches | Guides business decisions |
| Tolerance | Business/risk policy | Acceptable range of operational losses | More granular than appetite |
| Limit | Desk, portfolio, product, counterparty | FX VaR limit, single-name credit limit | Breach requires defined action |
| Trigger | Early warning | 80% of limit used, rising complaints | Prompts monitoring before breach |
| Breach | Control boundary exceeded | Trader exceeds position limit | Requires escalation and remediation |
Common distinction: risk appetite is a governance choice; risk limit is an operating control.
Three lines and governance roles
| Role | Main responsibility | Should not be mistaken for |
|---|---|---|
| Board / governing body | Set strategy, risk appetite, oversight culture | Day-to-day control operator |
| Board risk committee | Challenge risk profile, limits, major exposures | First-line risk owner |
| Senior management | Implement strategy, allocate resources, enforce accountability | Independent assurance |
| First line | Own and manage risks in business activities | Passive recipient of risk reports |
| Second line | Risk, compliance, oversight, frameworks, challenge | Final owner of business risk |
| Third line | Internal audit; independent assurance | Control designer/operator for management |
| External audit | Financial statement assurance and selected controls review | Substitute for internal risk management |
| Regulator | Supervisory expectations and enforcement | Internal governance function |
Governance traps
- Internal audit does not own risk; it provides independent assurance.
- Risk function challenge is not the same as business approval.
- A policy is not a control unless implemented and evidenced.
- Tone from the top matters, but culture also depends on incentives, accountability, escalation, and consequences.
- Conflicts of interest are conduct and governance risks, not merely administrative issues.
Major risk categories
| Risk type | What can go wrong | Common measures | Common controls / mitigants | Exam distinction |
|---|---|---|---|---|
| Credit risk | Borrower/counterparty fails to meet obligation | PD, LGD, EAD, ratings, arrears, exposure limits | Credit approval, limits, collateral, covenants, diversification | Default risk is not the same as market price movement |
| Counterparty risk | Trading counterparty defaults before final settlement | Current exposure, potential future exposure, net exposure | Netting, margin, collateral, central clearing | Often arises in derivatives and securities financing |
| Settlement risk | One party delivers but does not receive value | Failed settlements, unmatched trades | Delivery versus payment, payment versus payment, confirmations | Short-lived but potentially severe |
| Market risk | Loss from market price movements | VaR, stress loss, sensitivities, volatility | Limits, hedging, diversification, stop-loss, stress testing | Includes rates, FX, equity, commodity, spreads, volatility |
| Liquidity risk | Cannot meet obligations or exit positions at fair price | Cash-flow gaps, funding concentration, liquidity coverage metrics | Buffers, contingency funding, maturity ladder, diversified funding | Liquidity risk differs from solvency risk |
| Operational risk | Failure of people, process, systems, or external events | Loss data, KRIs, RCSA scores, incidents | Segregation, reconciliations, access controls, BCP, training | Includes cyber, fraud, processing, outsourcing |
| Conduct risk | Poor customer/market outcomes from firm behavior | Complaints, redress, sales patterns, suitability exceptions | Product governance, training, surveillance, incentives review | Broader than rule breach; focuses on outcomes |
| Compliance risk | Breach of laws, rules, regulations, or standards | Breaches, monitoring findings, regulatory correspondence | Policies, monitoring, advice, training, attestations | Related to conduct, but not identical |
| Legal risk | Contracts unenforceable or litigation exposure | Claims, disputes, contract exceptions | Legal review, enforceable documentation, jurisdiction analysis | Often embedded in credit, collateral, outsourcing |
| Financial crime risk | Money laundering, fraud, bribery, sanctions evasion | Alerts, suspicious activity, fraud losses | CDD/KYC, screening, transaction monitoring, segregation | Control failure can create regulatory and reputational impact |
| Model risk | Model produces wrong or misused output | Backtesting, validation findings, overrides | Independent validation, governance, documentation, limitations | A correct model can still be misused |
| Strategic risk | Poor strategic decisions or business model weakness | Revenue concentration, competitor trends, plan variance | Strategy review, scenario planning, board challenge | Not usually solved by a simple operational control |
| Reputational risk | Stakeholder trust damaged | Media, complaints, client exits, funding impact | Strong governance, incident response, conduct controls | Often secondary to another risk event |
| Climate / ESG risk | Physical, transition, liability, or governance exposure | Sector concentration, scenario results, disclosures | Due diligence, limits, scenario analysis, engagement | Can transmit through credit, market, operational, legal risk |
Credit risk quick reference
| Concept | Meaning | Practical use |
|---|---|---|
| PD | Probability of default | Likelihood borrower/counterparty defaults |
| LGD | Loss given default | Severity after recoveries and collateral |
| EAD | Exposure at default | Amount exposed when default occurs |
| Expected loss | Average credit loss expected over time | Pricing, provisioning, portfolio planning |
| Unexpected loss | Loss above expected level | Economic capital and stress resilience |
| Credit rating | Relative creditworthiness indicator | Input to limits and pricing, not a guarantee |
| Collateral | Asset pledged to reduce loss | Reduces LGD, but introduces valuation/legal/liquidity risk |
| Covenant | Contractual restriction or trigger | Early warning or control over borrower behavior |
| Concentration risk | Too much exposure to one name, sector, geography, or correlation | Diversification and limits |
| Wrong-way risk | Exposure increases as counterparty credit quality worsens | Important in derivatives and collateral arrangements |
| Netting | Offsetting exposures under enforceable agreement | Reduces net exposure if legally valid |
| Margin | Collateral exchanged to cover exposure | Requires operations, valuation, and liquidity management |
Credit-risk scenario clues
| Scenario wording | Likely issue | Best response logic |
|---|---|---|
| Borrower misses interest payment | Default / credit deterioration | Review rating, provisions, collateral, recovery |
| Collateral value falls sharply | Higher LGD / margin shortfall | Revalue, call margin, review haircut |
| Large exposure to one industry | Concentration risk | Set sector limits, diversify, stress test |
| Derivative counterparty weakens as exposure rises | Wrong-way counterparty risk | Increase collateral, reduce exposure, review limits |
| Loan documentation unclear | Legal risk within credit exposure | Legal review, documentation remediation |
Market risk quick reference
| Risk factor | Exposure example | Measure / sensitivity | Candidate note |
|---|---|---|---|
| Interest rate | Bond portfolio, swaps, loans | Duration, PV01/DV01, yield curve shift | Bond prices generally fall when yields rise |
| Equity | Shares, equity derivatives | Beta, delta, stress loss | Diversification reduces idiosyncratic risk, not all market risk |
| FX | Foreign currency assets/liabilities | Net open position, VaR, sensitivity | Translation, transaction, and economic FX exposures differ |
| Commodity | Energy, metals, agricultural positions | Price sensitivity, basis risk | Hedging may create margin/liquidity needs |
| Credit spread | Corporate bonds, CDS | Spread duration, spread VaR | Spread widening can cause loss without default |
| Volatility | Options | Vega | Option value often rises with volatility, depending on position |
| Correlation | Multi-asset portfolio | Correlation stress | Correlations can increase in stress |
| Basis | Hedge and underlying do not move together | Basis sensitivity | Hedge may reduce but not eliminate risk |
Derivatives sensitivity terms
| Term | Main meaning | Common trap |
|---|---|---|
| Delta | Price sensitivity to underlying | Delta changes for nonlinear instruments |
| Gamma | Sensitivity of delta to underlying | High gamma means delta hedge changes quickly |
| Vega | Sensitivity to volatility | Not the same as value-at-risk |
| Theta | Sensitivity to time decay | Often important for options |
| Rho | Sensitivity to interest rates | Relevant for options and rates products |
| Duration | Bond price sensitivity to yield | Longer duration usually means more rate sensitivity |
| Convexity | Change in duration as yield changes | Improves estimate for large yield moves |
Liquidity risk quick reference
| Liquidity concept | Meaning | Exam use |
|---|---|---|
| Funding liquidity | Ability to obtain cash to meet obligations | Payroll, margin calls, deposit outflows, debt maturities |
| Market liquidity | Ability to sell/hedge assets without large price impact | Bid-ask spread, market depth, time to liquidate |
| Maturity mismatch | Short-term liabilities fund longer-term assets | Core banking and broker-dealer funding risk |
| Liquidity buffer | Readily available cash/high-quality liquid assets | Buys time during stress |
| Encumbrance | Assets pledged or restricted | Reduces assets available for new funding |
| Contingency funding plan | Pre-agreed stress funding actions | Should include triggers, roles, communication |
| Cash-flow ladder | Time-bucketed inflows and outflows | Identifies gaps and rollover needs |
| Fire-sale risk | Forced sale at depressed prices | Links liquidity risk and market risk |
Key distinction: a firm can be solvent but illiquid if assets exceed liabilities but cash is unavailable when needed. A firm can also appear liquid temporarily while being economically weak.
Operational risk and resilience
| Operational risk source | Example | Key controls |
|---|---|---|
| People | Error, fraud, lack of training, key-person dependency | Segregation, supervision, training, mandatory leave, fit-and-proper checks |
| Process | Failed reconciliation, manual workaround, weak approval | Process mapping, maker-checker, reconciliations, exception reporting |
| Systems | Outage, data corruption, poor access control | Change management, backups, access reviews, monitoring |
| External events | Natural disaster, vendor outage, cyberattack | BCP, insurance, alternate sites, incident response |
| Outsourcing | Service failure, data breach, concentration on vendor | Due diligence, SLAs, right to audit, exit plan |
| Cyber | Phishing, ransomware, unauthorized access | MFA, patching, monitoring, awareness, response plan |
| Change | New system/product not controlled | Project governance, testing, approvals, post-implementation review |
Business continuity and incident terms
| Term | Meaning | Exam trap |
|---|---|---|
| BCP | Business continuity plan to maintain critical operations | Broader than IT recovery |
| DR | Disaster recovery, usually technology recovery | Part of resilience, not the whole plan |
| RTO | Recovery time objective: target time to restore | Time measure |
| RPO | Recovery point objective: acceptable data loss point | Data-loss measure |
| Crisis management | Strategic response and communications | Includes clients, regulators, staff, media |
| Incident management | Detect, contain, recover, learn | Should include root-cause analysis |
| Resilience | Ability to prevent, adapt, respond, recover, learn | Not just backup systems |
Conduct, compliance, and financial crime
| Area | Focus | Common controls | Exam distinction |
|---|---|---|---|
| Conduct risk | Fair customer and market outcomes | Product governance, suitability checks, remuneration review, complaints analysis | Outcome-focused, even where no explicit rule breach is obvious |
| Compliance risk | Breach of rules or regulatory obligations | Compliance monitoring, policy advice, training, breach logs | Rule-focused |
| Market abuse risk | Insider dealing, manipulation, misuse of information | Surveillance, restricted lists, wall-crossing controls | Often linked to trading and information barriers |
| Conflicts of interest | Firm/staff incentive conflicts with client duty | Disclosure, avoidance, independent approval, gifts policy | Disclosure alone may not be enough |
| Financial crime | AML, fraud, bribery, sanctions evasion | CDD/KYC, transaction monitoring, screening, suspicious activity processes | Red flags require investigation and escalation |
| Data protection / confidentiality | Misuse or loss of client/personal data | Access controls, encryption, clean desk, data retention | Also operational, legal, and reputational risk |
Capital, prudential risk, and Basel-style concepts
| Concept | Meaning | Candidate note |
|---|---|---|
| Regulatory capital | Capital required under applicable rules | Rule-based and externally supervised |
| Economic capital | Internal estimate of capital needed for risks | Model-based and management-focused |
| Risk-weighted assets | Assets/exposures adjusted for risk | Higher-risk exposures generally require more capital |
| Capital adequacy | Sufficiency of capital relative to risks | Links risk appetite, strategy, and resilience |
| Pillar 1 | Minimum capital framework for key risk categories | Conceptual categories matter more than memorizing figures unless supplied |
| Pillar 2 | Supervisory/internal review of wider risks and capital adequacy | Captures risks not fully covered by minimum formulas |
| Pillar 3 | Market discipline through disclosure | Transparency to external stakeholders |
| Leverage | Use of debt or exposure relative to capital | Can magnify losses even if risk weights appear low |
| Stress capital impact | Capital effect under adverse scenarios | Tests resilience beyond normal conditions |
Key formulas and calculation reminders
Expected credit loss
\[ \text{Expected loss} = \text{PD} \times \text{LGD} \times \text{EAD} \]
Use this for average expected credit loss. Do not confuse expected loss with worst-case loss or capital for unexpected loss.
Risk score
\[ \text{Risk score} = \text{Likelihood} \times \text{Impact} \]
Risk matrices are simple prioritization tools. They are not precise measurement models.
Capital ratio
\[ \text{Capital ratio} = \frac{\text{Eligible regulatory capital}}{\text{Risk-weighted assets}} \]
Higher capital supports loss absorption. Do not assume a specific required percentage unless it is provided in the question or study material.
RAROC
\[ \text{RAROC} = \frac{\text{Risk-adjusted return}}{\text{Economic capital}} \]
RAROC helps compare business returns after considering the risk capital consumed.
Parametric VaR approximation
\[ \text{VaR} \approx z_c \times \sigma \times V \times \sqrt{t} \]
Where \(z_c\) is the confidence-level factor, \(\sigma\) is volatility, \(V\) is portfolio value, and \(t\) is the time horizon. Watch sign conventions: VaR is normally expressed as a positive loss amount.
Bond price sensitivity
\[ \Delta P \approx -D_{\text{mod}} \times P \times \Delta y \]
A rise in yield usually reduces a fixed-rate bond price. Longer modified duration means greater sensitivity.
PV01 / DV01 approximation
\[ \text{PV01} \approx D_{\text{mod}} \times P \times 0.0001 \]
PV01 estimates the price change for a one basis point yield move.
VaR, stress testing, and scenarios
| Tool | Purpose | Strength | Limitation |
|---|---|---|---|
| VaR | Estimates loss not expected to be exceeded at a confidence level over a time horizon | Useful common market-risk metric | Does not show size of losses beyond the confidence level |
| Expected shortfall | Average loss beyond VaR threshold | Better tail-risk view | More model-dependent |
| Sensitivity analysis | Changes one variable or factor | Easy to interpret | Ignores multi-factor interactions |
| Scenario analysis | Applies a coherent set of assumptions | Captures plausible narratives | Scenario selection is subjective |
| Stress testing | Tests extreme but plausible conditions | Highlights vulnerabilities | Not a forecast |
| Reverse stress testing | Starts with failure outcome and asks what could cause it | Identifies existential vulnerabilities | Can be uncomfortable and judgment-heavy |
| Backtesting | Compares model predictions with actual outcomes | Tests model performance | Past data may not represent future stress |
| Benchmarking | Compares against alternatives or peers | Helps challenge assumptions | Benchmark may not fit portfolio |
VaR traps
- A 99% VaR is not the maximum possible loss.
- VaR depends on horizon, confidence level, data, model, and assumptions.
- Diversification benefits may disappear when correlations rise in stress.
- VaR may understate illiquid positions, basis risk, jump risk, and model risk.
- Backtesting exceptions do not automatically prove fraud or misconduct; they may indicate model weakness, volatility change, or data issues.
Controls and assurance
| Control type | Purpose | Examples | Exam clue |
|---|---|---|---|
| Preventive | Stop error or breach before it occurs | Pre-trade limits, approvals, access restrictions | Best when loss prevention is critical |
| Detective | Identify errors or breaches after occurrence | Reconciliations, exception reports, surveillance | Useful where prevention cannot be complete |
| Corrective | Fix issue and reduce recurrence | Root-cause remediation, system patch, process redesign | Not just compensation or apology |
| Directive | Guide expected behavior | Policies, procedures, training | Weak if not monitored |
| Automated | System-enforced control | Hard limits, mandatory fields | Strong consistency but needs change control |
| Manual | Human-operated control | Review sign-off, call-back confirmation | Flexible but prone to error |
| Compensating | Alternative control when primary control is weak/unavailable | Extra review during system outage | Usually temporary or risk-based |
Control effectiveness
| Assessment | Question to ask | Evidence |
|---|---|---|
| Design effectiveness | Would the control address the risk if performed correctly? | Policy, process map, control description |
| Operating effectiveness | Did the control operate as intended over time? | Samples, logs, approvals, reconciliations |
| Coverage | Does it cover all relevant products/entities/processes? | Scope, population testing |
| Timeliness | Is the control performed soon enough? | Timestamps, escalation records |
| Independence | Is review performed by someone sufficiently independent? | Role segregation, reporting lines |
Risk responses
| Response | Meaning | Best for | Trap |
|---|---|---|---|
| Avoid | Stop the activity | Risk outside appetite | May sacrifice return or strategic opportunity |
| Reduce | Lower likelihood or impact | Most controllable operational and credit risks | Requires control evidence |
| Transfer | Shift some financial impact | Insurance, guarantees, hedging, outsourcing | Does not remove all risk; creates counterparty/legal/basis risk |
| Accept | Retain risk knowingly | Low risk or cost of control exceeds benefit | Must be within appetite and documented |
| Exploit / pursue | Take risk for reward | Market, credit, strategic opportunities | Needs pricing, limits, and governance |
Reporting and escalation
| Report element | Why it matters |
|---|---|
| Current exposure vs limit | Shows whether activity is within approved boundaries |
| Trend | Deterioration may matter before a breach occurs |
| Appetite status | Links metrics to board-approved risk stance |
| Breaches and exceptions | Requires ownership, root cause, remediation date |
| Losses and near misses | Indicates control weakness and emerging risk |
| Top and emerging risks | Helps governance focus on material risks |
| Stress/scenario results | Shows vulnerability under adverse conditions |
| Action tracking | Ensures reporting leads to remediation |
| Owner and due date | Creates accountability |
Good risk reporting is accurate, timely, relevant, escalated, and action-oriented.
Scenario decision table
| If the question emphasizes… | Think first of… | Strong answer usually includes… |
|---|---|---|
| Customer sold unsuitable product | Conduct risk | Product governance, suitability, training, incentive review |
| Policy exists but staff bypass it | Control operating failure / culture | Monitoring, enforcement, root-cause analysis |
| Unreconciled cash breaks | Operational risk | Daily reconciliation, exception escalation |
| Bond portfolio loses value after yield rise | Market risk, interest-rate risk | Duration/PV01, hedging, limits |
| Client defaults on loan | Credit risk | PD/LGD/EAD, collateral, recovery |
| Derivative counterparty fails before maturity | Counterparty credit risk | Netting, collateral, exposure replacement |
| Cannot sell assets except at large discount | Market liquidity risk | Liquidity buffer, stress haircut, funding plan |
| Cannot roll over short-term funding | Funding liquidity risk | Cash-flow ladder, contingency funding |
| Losses exceed model forecast repeatedly | Model risk | Backtesting, validation, recalibration, governance |
| Outsourced provider outage | Operational / outsourcing risk | SLA, resilience testing, exit plan, incident management |
| Suspicious transaction pattern | Financial crime risk | Monitoring, investigation, escalation |
| Traders share confidential information improperly | Conduct / market abuse / information barrier risk | Surveillance, restricted lists, training, discipline |
| Concentrated exposure to one sector | Concentration risk | Limits, diversification, stress testing |
| Rapid business growth with weak controls | Strategic plus operational risk | Governance, capacity, control investment |
| Regulator criticizes breach reporting | Compliance/governance risk | Breach process, accountability, timely escalation |
Common exam traps checklist
- Do not choose insurance as eliminating operational risk; it only transfers some financial impact.
- Do not call every regulatory issue conduct risk; conduct focuses on customer/market outcomes, compliance on rule adherence.
- Do not call every price movement credit risk; market risk can occur without default.
- Do not treat collateral as risk-free; value, enforceability, liquidity, and concentration matter.
- Do not confuse funding liquidity with market liquidity.
- Do not confuse risk appetite with risk capacity or limits.
- Do not assume diversification removes systemic risk.
- Do not assume outsourcing transfers accountability away from the firm.
- Do not treat VaR as a worst-case loss.
- Do not let a strong KPI hide a worsening KRI.
- Do not confuse root cause remediation with temporary workaround.
- Do not select internal audit as the owner of first-line controls.
- Do not assume high capital fixes poor culture, conduct, or operational control weaknesses.
- Do not ignore correlation and concentration in stress scenarios.
- Do not overlook reputational impact as a secondary consequence.
Fast revision drill
For any practice question, answer in this order:
- Risk type: credit, market, liquidity, operational, conduct, compliance, model, strategic, reputational, financial crime, or legal.
- Risk driver: people, process, system, market factor, counterparty, behavior, governance, external event.
- Exposure metric: PD/LGD/EAD, VaR, duration, cash-flow gap, KRI, loss data, breach count, complaints.
- Control: preventive, detective, corrective, or governance response.
- Owner: first line owns; second line challenges; third line assures.
- Escalation: compare with appetite/limit, report breach, remediate root cause.
- Residual risk: decide whether remaining risk is acceptable.
Practical next step
Use this Quick Reference as a checklist while working mixed CISI Risk in Financial Services practice questions. After each missed question, label the error as risk classification, formula, governance role, control choice, or scenario interpretation, then repeat a focused set of questions in that category.