Use this as your “executive next step” playbook for PDO scenarios. Pair it with the Syllabus for coverage and Practice for speed and judgment.
## PDO in 60 seconds (what the exam rewards)

PDO tends to reward candidates who can do three things quickly:
- Name the risk theme (regulatory, conduct, operational, capital, cyber, AML, governance).
- Choose the first correct action (document, supervise, escalate, remediate, restrict activity).
- Justify defensibility (clear rationale + evidence of oversight + controls).
## The executive’s three questions (high-scoring habit)

When you’re unsure, pressure-test decisions with:
- Do we have permission? (mandate, policy, restrictions, regulator expectations)
- Is it defensible? (client protection, conflicts managed, fair dealing, documentation)
- Can we run it safely? (controls, supervision, reporting, operational capacity)
## Regulation vs civil vs criminal (quick sorting)

| If the fact pattern is… | Think… | Typical executive move |
|---|---|---|
| Rule breach / supervision failure | regulatory/compliance | contain + escalate to compliance + document + remediate controls |
| Client harm / misrepresentation / negligence | civil exposure | preserve evidence + investigate + communicate carefully + remediate + involve legal |
| Fraud / theft / deliberate misconduct | criminal exposure | stop activity + preserve evidence + escalate (compliance/legal) + cooperate appropriately |
Exam cue: the “best” answer often improves documentation quality and escalation discipline.
## Business model map (what risks show up where)

### Private client brokerage (Ch. 3)

#### Common risk hot spots

- unsuitable recommendations and KYC staleness
- conflicts from compensation/incentives
- supervision gaps (exceptions not reviewed, documentation weak)
#### Executive controls that matter

- supervision dashboards (exceptions, concentration, trading patterns, complaints)
- documented suitability standards and QA
- clear escalation and remediation process
### Online investing / digital advice (Ch. 4)

#### Common risk hot spots

- cybersecurity and account takeover
- privacy and data governance
- model risk (portfolio algorithm/assumptions) and suitability drift
#### Executive controls that matter

- third‑party/vendor oversight and incident playbooks
- model governance (testing, changes, approvals, monitoring)
- clear disclosure and recordkeeping for digital journeys
### Investment banking (Ch. 5)

#### Common risk hot spots

- conflicts of interest and information barriers
- due diligence and disclosure quality
- approvals for higher‑risk transactions
#### Executive controls that matter

- clear approval gates and documentation
- restricted lists / information controls (conceptually)
- monitoring of conduct and reputational risk
### Distribution of securities (Ch. 6) — the “red flag” list

High-yield cues that often appear in questions:
- unclear or missing risk disclosure
- pressure selling or unsuitable concentration into a new issue
- weak documentation for exempt distributions
- conflicts around allocations and fairness
Best answers often involve: suitability + disclosure + documentation + supervision.
## Ethics + governance (Ch. 7–8)

### Ethical decision framework (use in scenarios)

- Gather facts (what happened, who is impacted, what rules apply).
- Identify conflicts and incentives.
- List options and consequences (client, firm, market).
- Choose the most defensible action (client protection + integrity).
- Document and escalate appropriately.
### Governance “red flags” (memorize)

- unclear accountability (“nobody owns it”)
- weak reporting or inconsistent methodology
- unmanaged conflicts of interest
- controls exist on paper but aren’t tested
## Director/officer liability (Ch. 9) — defensibility checklist

What often makes an executive decision defensible:
- clear policy basis and documented rationale
- evidence of oversight (reports reviewed, exceptions acted on)
- escalation when uncertainty or severity is high
- remediation plan with follow‑up testing
### Due diligence defence (how it appears in questions)

If asked “what reduces liability most?”, look for answers that show:
- reasonable process, not perfect outcomes
- documentation and approvals
- supervision and controls that are actually used
## Risk management framework (Ch. 10–11)

### Risk cycle (the simplest mental model)

```mermaid
flowchart TD
A["Identify risks"] --> B["Assess (likelihood/impact)"]
B --> C["Mitigate (controls)"]
C --> D["Monitor + report"]
D --> A
```
### Simple risk scoring (concept)

\[
\text{Risk score} = \text{Likelihood} \times \text{Impact}
\]
What it tells you: A fast way to prioritize remediation and monitoring effort (higher score → higher urgency).
Common pitfall: scoring without evidence (use incidents, exceptions, and control test results).
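As an added example (not part of the PDO materials or this guide), a small Python risk register that applies Likelihood × Impact but derives likelihood from evidence counts (incidents, open exceptions, failed control tests), ranks the register, and flags any score at or above an assumed risk limit for escalation; the thresholds, weights, limit and sample items are all constructed assumptions.

```python
# Added example: evidence-based Likelihood x Impact scoring for a risk register.
# Thresholds, weights, the risk limit and the sample data are constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: int                # 1 (low) .. 5 (severe), set by the risk owner
    incidents: int             # incidents logged in the review period
    open_exceptions: int       # out-of-policy events still awaiting review
    failed_control_tests: int  # control tests that failed in the period


def likelihood_from_evidence(r: Risk) -> int:
    """Map evidence counts to a 1..5 likelihood (assumed thresholds).
    Failed control tests are weighted double: a control that does not work
    is stronger evidence than a single exception that was caught."""
    points = r.incidents + r.open_exceptions + 2 * r.failed_control_tests
    if points == 0:
        return 1
    if points <= 2:
        return 2
    if points <= 5:
        return 3
    if points <= 9:
        return 4
    return 5


def risk_score(r: Risk) -> int:
    return likelihood_from_evidence(r) * r.impact


RISK_LIMIT = 15  # assumed: scores at or above this breach the limit and escalate


def prioritize(register):
    """Return (name, score, escalate) tuples ranked by score, highest first."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(r.name, risk_score(r), risk_score(r) >= RISK_LIMIT) for r in ranked]


# Constructed sample register (names echo this guide's risk areas)
SAMPLE = [
    Risk("KYC staleness", impact=4, incidents=3, open_exceptions=4, failed_control_tests=1),
    Risk("Account takeover", impact=5, incidents=1, open_exceptions=0, failed_control_tests=0),
    Risk("Exempt distribution docs", impact=3, incidents=0, open_exceptions=0, failed_control_tests=0),
]

if __name__ == "__main__":
    for name, score, escalate in prioritize(SAMPLE):
        print(f"{name:26} score={score:2} {'ESCALATE' if escalate else ''}")
```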
### Significant risk areas PDO expects you to recognize

- onboarding/KYC completeness
- account supervision and exception handling
- recordkeeping and auditability
- AML/ATF red flags and escalation
- privacy and cybersecurity incident response
## Capital + financial compliance (Ch. 12)

PDO doesn’t require you to compute capital, but it does expect you to recognize:
- minimum capital is a constraint on business activity
- early warning systems exist to trigger oversight and corrective action
- failure to maintain adequate capital has serious consequences (restrictions, supervision, potential wind‑down)
High-scoring answers typically include: escalate early + implement a plan + reduce risk exposure + document decisions.
## Consequences of non-compliance (Ch. 13)

### Complaint handling workflow (what PDO wants you to do)

```mermaid
flowchart LR
A["Complaint received"] --> B["Intake + log + acknowledge"]
B --> C["Escalate (severity check)"]
C --> D["Investigate (preserve evidence)"]
D --> E["Resolve + communicate"]
E --> F["Remediate controls + training"]
F --> G["Monitor for recurrence"]
```
### Investigation mindset

- preserve evidence (don’t “fix” logs)
- scope first, then test hypotheses
- communicate carefully (accuracy + confidentiality)
- convert the root cause into a control improvement
## Glossary (PDO terminology)

### Executive + governance

- Executive registration category: registration category covering senior executives (partner, director, senior officer) as required by rules.
- Tone at the top: leadership behaviours that shape compliance culture and risk-taking.
- Governance: structures and processes that ensure accountability and oversight (board, committees, controls, reporting).
- Oversight: supervision and monitoring by executives/board to ensure policies are followed and risks are managed.
- Due diligence defence (concept): demonstrating a reasonable process, oversight, and documentation to reduce liability exposure.
### Regulation + legal exposure

- Regulatory enforcement: sanctions/remedies imposed for rule breaches (conceptually).
- Civil liability: private legal exposure for harm or loss (conceptually).
- Criminal exposure: law-enforcement matters involving fraud/theft or serious misconduct (conceptually).
- Recordkeeping: maintaining accurate, complete, retrievable records to support supervision and investigations.
### Risk management

- Risk appetite: overall level and types of risk a firm is willing to accept.
- Risk limit: a measurable constraint on risk-taking that triggers escalation when breached.
- Control: a policy/process/technology that prevents or detects problems.
- Exception: an out-of-policy event (e.g., concentration breach, missing documentation) requiring review.
- Escalation: raising an issue to the appropriate authority (supervision/compliance/legal/board).
### Conduct + client protection

- KYC (Know Your Client): collecting and maintaining client facts used for suitability decisions.
- Suitability: ensuring recommendations/transactions fit client objectives and constraints.
- Conflict of interest: incentive or relationship that could impair client-first judgment.
- Complaint handling: structured intake, investigation, resolution, and remediation process for client issues.
### AML, privacy, cyber (high-level)

- AML/ATF: anti-money laundering and anti-terrorist financing controls and reporting (conceptually).
- Red flag: unusual pattern suggesting elevated risk requiring review/escalation.
- Privacy breach: unauthorized access/use/disclosure of personal information.
- Cyber incident: event affecting confidentiality, integrity, or availability of systems/data (phishing, takeover, breach).
Sources: https://www.csi.ca/en/learning/courses/pdo/curriculum and https://www.csi.ca/en/learning/courses/pdo/exam-credits