Try 10 focused CISI Risk questions on Risk Oversight and Corporate Governance, with answers and explanations, then continue with Securities Prep.
| Field | Detail |
|---|---|
| Exam route | CISI Risk |
| Issuer | CISI |
| Topic area | Risk Oversight and Corporate Governance |
| Blueprint weight | 5% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Risk Oversight and Corporate Governance for CISI Risk. Work through the 10 questions first, then review the explanations and return to mixed practice in Securities Prep.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 5% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original Securities Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Risk Oversight and Corporate Governance
A bank reviews its monthly payments control report:
Under the three lines of defence, which statement is correct?
Best answer: C
What this tests: Risk Oversight and Corporate Governance
Explanation: The payments unit remains the first line because it runs the process and its daily checks identified most of the exceptions. Operational risk is the second line because it independently reviews and challenges the business, while internal audit is the third line because it provides separate assurance on control effectiveness.
The three lines of defence separate ownership, oversight and assurance. In this report, payments operations is clearly the first line because it operates the payments process and performs the daily checks that detected 24 of the 30 exceptions. That means it owns the controls and the remediation of weaknesses. The independent operational risk team is the second line: it sets expectations, monitors, reviews and challenges the first line, as shown by its separate review finding the remaining 6 exceptions. Internal audit is the third line: its later review should provide independent assurance to senior management or the board on whether the framework is designed and working effectively. Finding some issues does not transfer control ownership away from the business.
The business running the process is first line, risk oversight is second line, and internal audit is the independent third line.
Topic: Risk Oversight and Corporate Governance
An investment firm’s structured products desk has expanded rapidly. The market risk team reports to the head of trading, and the desk head may defer escalation of limit breaches until the weekly risk meeting. During a recent volatility spike, several intraday breaches were not escalated promptly. Which action would most strengthen the firm’s risk-governance framework?
Best answer: C
What this tests: Risk Oversight and Corporate Governance
Explanation: The main problem is that the risk function is not sufficiently independent from the business it is meant to challenge. Moving market risk to the CRO and allowing direct escalation of breaches is the strongest way to restore authority, autonomy, and segregation of duties.
This scenario tests risk-governance design rather than the risk limit itself. A market risk team that reports to the head of trading lacks independence because the first line can influence the second line’s challenge. That weakness becomes more serious when the desk head can delay escalation of repeated breaches during a volatility shock.
The best governance response is to place market risk in an independent reporting line, typically to the CRO, and give it clear authority to escalate breaches directly to senior management or the board risk committee. This strengthens:
Better information or closer desk interaction can help, but not if trading still controls objectives, reporting, or breach handling.
Independent reporting to the CRO with direct escalation authority fixes the autonomy and segregation weaknesses shown by the delayed breach reporting.
Topic: Risk Oversight and Corporate Governance
A firm’s written risk policies have not changed. However, senior leaders now openly discuss losses and near misses, challenge front-office staff who push past agreed tolerances, and praise employees who escalate concerns early. Which risk-management concept does this most directly match?
Best answer: D
What this tests: Risk Oversight and Corporate Governance
Explanation: The key facts are behavioural, not documentary. Senior leaders are signalling what conduct is expected, rewarding escalation, and challenging excessive risk-taking, which are core features of risk culture driven by tone from the top.
Risk culture is shown by what leaders consistently emphasise, reward, challenge, and tolerate in day-to-day decisions. In this scenario, the firm has not rewritten policy documents, but senior leaders are changing behaviours by openly discussing near misses, confronting boundary-pushing, and supporting early escalation. That directly strengthens tone from the top and a speak-up culture.
A formal policy refresh would mainly change wording, ownership, or documentation. A risk appetite redesign would change board-approved limits, metrics, or tolerances. Internal audit provides independent assurance and review rather than setting daily behavioural expectations. The deciding clue is that leadership behaviour has changed while formal policy has not.
The scenario is about leadership behaviours shaping attitudes to challenge and escalation, which is the essence of risk culture.
Topic: Risk Oversight and Corporate Governance
A bank’s control-function remuneration policy states: “No more than 25% of a risk manager’s annual variable pay may be linked to the profit of the business unit they oversee.”
Exhibit:
For a senior market risk manager assigned to the rates desk, which conclusion is most accurate?
Best answer: C
What this tests: Risk Oversight and Corporate Governance
Explanation: The key governance issue is the autonomy of the risk manager from the business they oversee. Here, total variable pay is £50,000 and £18,000 is tied to the rates desk P&L, so 36% is desk-linked, which breaches the 25% policy limit.
This tests control-function independence within a risk-governance framework. A risk manager should be able to challenge the business without having too much of their own reward depend on that business unit’s profit. In the exhibit, total variable pay is £50,000 and the amount linked specifically to the rates desk is £18,000, so the relevant proportion is 36%.
That exceeds the stated 25% limit, so the remuneration structure weakens autonomy from the first line. Bank-wide profit linkage does not change that calculation, because the policy refers to the business unit the manager oversees. The main issue is independence of the risk function, not market-risk measurement or a compensating effect from other bonus components.
£18,000 out of £50,000 variable pay is 36%, which exceeds the 25% cap and undermines the risk manager’s autonomy from the business unit overseen.
Topic: Risk Oversight and Corporate Governance
A financial-services firm’s board has approved growth targets but has not stated the amount and types of risk it is willing to accept in pursuing them. Which oversight response best addresses this governance gap?
Best answer: D
What this tests: Risk Oversight and Corporate Governance
Explanation: The missing governance element is risk appetite: the board has set strategy but not defined the risks it is willing to accept to achieve it. The best response is therefore to approve a risk appetite statement and turn it into measurable limits, thresholds and escalation rules.
Risk appetite is the board-approved expression of the amount and types of risk a firm is willing to take in pursuit of its objectives. When growth targets exist without clear risk boundaries, the governance weakness is not a lack of capital or reporting detail; it is the absence of a formal risk appetite framework. Good oversight means setting that appetite at board level and cascading it into business-line limits, KRIs and escalation triggers so management decisions stay within agreed boundaries.
Risk capacity is different: it is the maximum risk the firm could absorb, not the level it chooses to take. Internal audit provides independent assurance as a third-line function and should not own or set first-line risk limits.
This sets board-level boundaries for risk-taking and translates them into practical controls and escalation points.
Topic: Risk Oversight and Corporate Governance
A financial-services firm uses risk and control self-assessments in each business unit. Internal audit found that managers rate their own controls, no central risk function independently challenges the results, and breaches of the board’s risk appetite are not formally escalated. Which oversight response best matches this control gap?
Best answer: D
What this tests: Risk Oversight and Corporate Governance
Explanation: The weakness is a governance gap in independent challenge and escalation, not a shortage of capital or assurance. A second-line risk function should review self-assessments, test whether residual risks are within appetite, and escalate breaches through the governance framework.
This item tests the role of second-line oversight within the three-lines model. The first line owns risks and operates controls, so business managers may complete self-assessments, but those assessments should be subject to independent challenge by the risk function. That second-line role also monitors alignment with the board’s risk appetite and ensures breaches are escalated to the appropriate committee or senior management body. In the stem, both missing elements are oversight functions: challenge of management’s ratings and formal escalation of appetite breaches. Strengthening second-line risk therefore fits the control gap most directly. Internal audit should provide independent assurance over whether the framework works, but it should not own controls or replace management responsibility.
Independent challenge and formal escalation are core second-line oversight activities that directly address the weakness described.
Topic: Risk Oversight and Corporate Governance
A bank’s treasury desk has exceeded its approved interest-rate risk limit three times in one month. Each time, the desk head granted a temporary waiver. The second-line market risk team receives breach reports only weekly, and the policy does not state who may approve waivers or when the board risk committee must be informed. Which action best addresses the governance-structure issue?
Best answer: D
What this tests: Risk Oversight and Corporate Governance
Explanation: The main weakness is not simply poor desk discipline; it is unclear decision rights and escalation. Sound risk governance requires independent oversight of limit waivers and a defined route for escalating repeated breaches to senior management and the risk committee.
This scenario points to a governance-structure problem because the firm has not set clear authority for approving limit waivers or defined when breaches must be escalated. Under a sound three-lines-of-defence approach, the treasury desk is the first line and manages positions, but it should not be the sole authority for waiving its own limits. The second line should receive timely information, and repeated or material breaches should have a formal escalation path to the CRO and, where appropriate, the board risk committee. Training, extra desk reviews, or faster report circulation may improve day-to-day execution, but they do not correct the underlying weakness in accountability and oversight. The key fix is to redesign approval and escalation, not just improve desk routines.
Independent waiver authority and formal escalation fix the governance design weakness rather than just tightening first-line execution.
Topic: Risk Oversight and Corporate Governance
A bank’s corporate lending team has a documented sector-concentration policy and a formal approval process. To hit quarterly revenue targets, the desk head tells staff to book deals first and obtain limit approval later. Risk analysts have flagged repeated overrides, but senior management praises growth and does not challenge the pattern. Which response best addresses the root cause?
Best answer: B
What this tests: Risk Oversight and Corporate Governance
Explanation: This scenario is mainly about risk culture and leadership, not missing policy wording. The key facts are that leaders encourage staff to bypass approvals and senior management rewards the outcome, so the root cause is behaviour and incentives that undermine risk appetite.
The core concept is risk culture: how leaders’ actions, incentives, and tolerance of behaviour affect whether formal controls are actually followed. Here, the bank already has a documented concentration policy, a formal approval process, and risk analysts who have identified the overrides. That means the framework exists and the issue is not simply a drafting gap.
The decisive facts are that the desk head tells staff to ignore the approval sequence to meet revenue targets, and senior management praises growth without challenging the repeated breaches. This shows weak tone from the top, poor accountability, and ineffective challenge.
A clearer policy, a different model, or faster reporting would not fix a culture in which managers tolerate or reward non-compliance.
The policy already exists; the real failure is leadership behaviour rewarding breaches and weakening effective challenge.
Topic: Risk Oversight and Corporate Governance
At a bank’s fixed-income trading desk, several small limit breaches were reported late because the desk head told staff to avoid escalating issues before quarter-end. The desk is under pressure after a weak revenue quarter, and traders’ bonuses are driven mainly by short-term P&L. Which leadership action would best support a sound control environment?
Best answer: D
What this tests: Risk Oversight and Corporate Governance
Explanation: A sound control environment depends on leadership setting clear expectations, encouraging timely escalation, and aligning incentives with good risk behaviour. In this scenario, staff are discouraged from speaking up and rewarded mainly for P&L, so the best action is to reset both escalation culture and remuneration signals.
The core concept is that leadership shapes the control environment through tone from the top, accountability, and incentives. Here, the late reporting did not arise mainly from a technical failure; it arose because the desk head discouraged escalation and staff were paid chiefly for short-term revenue. The strongest response is therefore to require prompt escalation, make it safe to challenge, and reflect control behaviour in pay decisions. That supports a healthier risk culture and makes first-line control ownership more credible. A sound control environment is not created just by more reporting or reminders if leaders’ messages and reward structures still push staff to stay silent. The key takeaway is that culture improves when expected behaviours and consequences are aligned.
This directly addresses the two root culture weaknesses in the scenario: suppressed escalation and incentives that favour short-term revenue over controls.
Topic: Risk Oversight and Corporate Governance
A firm’s board states a low risk appetite, but remuneration rewards aggressive growth and staff avoid escalating limit breaches. Which concept most directly explains the gap between the stated appetite and day-to-day behaviour?
Best answer: D
What this tests: Risk Oversight and Corporate Governance
Explanation: The key clue is the mismatch between the board’s formal statement and the behaviour encouraged in practice. That gap is about risk culture, because culture shapes incentives, challenge and escalation, while risk appetite is only the stated level of risk the firm intends to accept.
Risk culture is the shared behaviours, incentives and norms that shape how people identify, discuss, escalate and take risk. In the stem, the firm says it has a low risk appetite, but pay structures and weak escalation encourage the opposite. That means the lived behaviour is inconsistent with the approved appetite, which points to a weakness in risk culture.
A strong risk culture supports challenge, transparent escalation and decisions aligned with board-approved limits. When incentives reward short-term growth over control discipline, actual risk-taking can drift above the firm’s stated appetite. The key distinction is simple: risk appetite is what the firm says it is willing to accept; risk culture is what employees actually do.
Risk culture is the set of behaviours, incentives and escalation norms that shows how risk is actually taken in practice.