8020 PRMIA ORM Certificate - 2023 Update Free Practice Exam Questions (2025 Updated)

TheThree Lines of Defense (3LoD) modelensures thatrisk management responsibilities are properly segregated:

First Line: Business units (own and manage risk).

Second Line: Compliance and risk management (independent oversight).

Third Line: Internal audit (provides assurance).

PRMIA andBasel Compliance Principlesstate that compliance shouldnot report to business units, as this creates aconflict of interest.

Compliance must beindependent to ensure objective oversightof regulatory adherence.

Option A ("Report to the business")→ Incorrect becausecompliance must provide independent oversight, not report to business units.

Option C ("Outsource compliance if risk function exists")→ Incorrect becausecompliance and risk functions have distinct roles.

Option D ("Outsource risk if compliance exists")→ Incorrect becauserisk management is a core function, not an outsourcing candidate.

Step 1: Compliance Function and the Three Lines of Defense ModelStep 2: Why Compliance Must Be IndependentStep 3: Why the Other Options Are Incorrect

PRMIA Compliance Risk Governance– States compliance must beindependentunder the Three Lines of Defense model.

Basel Compliance Principles– Recommends separate reporting structures for compliance and business units.

PRMIA Risk References Used:

Final Conclusion:Compliance must be independent from the business to avoid conflicts of interest, makingOption B the correct answer.

Near Misses in Operational Risk

Anear missis an event that could have led to a loss but wasavoided or mitigatedbefore actual financial impact occurred.

PRMIA emphasizes that near misses should bereported, recorded, and analyzedbecause they provide valuable insights intopotential vulnerabilitiesin risk controls.

However, since they did not result in actual financial losses,they are not included in the calculation of Operational Risk Capital.

Opportunity Costs in Operational Risk

Opportunity costsrefer to theloss of potential gainsdue to missed strategic opportunities.

These arenot directly quantifiable as operational risk lossesand are not included in Operational Risk Capital calculations.

PRMIA’sOperational Risk Frameworkstates thatoperational risk is about actual lossesrather than theoretical costs.

Why Other Answers Are Incorrect

Option

Explanation

A. Ignored.

Incorrect– Near misses and opportunity costs provide valuable insights into operational risk, so they should never be ignored.

B. Recorded and Analyzed. Used in calculation of Operational Risk Capital.

Incorrect– While they should be recorded and analyzed, they arenot included in Operational Risk Capital calculationsbecause they do not result in actual losses.

D. Reported, Recorded, and Analyzed, Used in calculation of Operational Risk Capital.

Incorrect– Reporting, recording, and analysis are correct, but theyshould not be included in capital calculations.

PRMIA Operational Risk Management Standards– Defines near misses and opportunity costs.

Basel II & III Operational Risk Framework– Outlines the principles of operational risk capital calculations.

PRMIA References for Verification

TheTSB outagein 2018 was caused by afailed IT migrationfrom its old banking system to a new one.

The transitionlocked millions of customers out of their accounts for weeks, resulting infinancial losses and reputational damage.

TSB attempted tomove customer data to a new banking platform, butserious defects in the migration processled to service failures.

PRMIA andUK Financial Conduct Authority (FCA) reportsconfirmed thatpoor IT risk managementwas a key failure.

Option A ("Liquidity squeeze by hedge-fund")

Incorrect because TSB's failure was due toIT migration issues, not a liquidity crisis.

Option B ("Sub-standard risk pricing and risk management")

Incorrect becausepricing models were not the cause—it was anIT system failure.

Option D ("IT models did not work if prices were discontinuous")

Incorrect as this issue ismore common in high-frequency trading failures, not banking system outages.

Step 1: Understanding the TSB CaseStep 2: Why Option C Is CorrectStep 3: Why the Other Options Are Incorrect

UK FCA Investigation on TSB Incident– Confirms IT migration failure as root cause.

PRMIA IT Risk Management Framework– Highlights risks of major IT transitions.

PRMIA Risk References Used:

Final Conclusion:TheTSB outage was caused by a failed IT migration, makingOption C the correct answer.

Definition of Key Risk Indicators (KRIs)

KRIs arequantitative metricsused to monitor risk levels and detect early warning signs of potential risk events.

Top-down KRIsare identified at thesenior management leveland focus onenterprise-wide risk exposure.

Key Properties of Top-Down KRIs

Selected by senior managementto ensure alignment with strategic objectives.

Tied to material external and internal loss exposuresto capture critical financial, operational, and strategic risks.

Used to manage changes in the business environmentto ensure proactive risk response, especially under stress conditions.

Why Other Answers Are Incorrect

Option

Explanation

B. Selected by senior management, used to manage changes in the business environment, especially under periods of stress, and reported on a daily basis.

Incorrect– Top-down KRIs arenot reported daily; they are monitored periodically (e.g., quarterly).

C. Selected by junior management, used to manage changes in the business environment, especially under periods of stress, and reported on an annual basis.

Incorrect– Junior management does not definetop-down KRIs; senior management does. Also, annual reporting is too infrequent.

D. Can only be selected by the board in line with risk ratings.

Incorrect– The board provides oversight, butsenior risk management selects KRIs, not just the board.

PRMIA Risk Indicator Guidelines

Basel Committee on Banking Supervision (BCBS) Principles for Effective Risk Data Aggregation

PRMIA References for Verification

PRMIA and global financial regulators defineclimate riskas the financial, operational, and societal risks arising fromclimate change.

Climate risks impact businesses throughphysical risks(e.g., floods, wildfires) andtransition risks(e.g., regulatory changes, carbon pricing).

Option A ("Climate risk has been moved out of all risk taxonomies due to international agreement")

Incorrect becauseclimate risk is now a central part of risk taxonomies, as emphasized by PRMIA, Basel III, and TCFD.

Option B ("Climate risk refers to the growing impacts of credit risk on the business environment")

Incorrect because credit risk is justone aspectof climate risk, not the full definition.

Option C ("Climate risk refers to change in the business climate during a recession")

Incorrect becauseclimate risk is about environmental change, not economic cycles.

Step 1: Definition of Climate RiskStep 2: Why the Other Options Are Incorrect

PRMIA Climate Risk Guidelines– Defines climate risk as a financial and societal risk due to climate change.

TCFD (Task Force on Climate-Related Financial Disclosures)– Outlines regulatory expectations for climate risk management.

PRMIA Risk References Used:

Final Conclusion:Climate risk involvesphysical and transition risks from climate change, makingOption D the correct answer.

A well-designed policy should include:

Scope– Who the policy applies to.

Exception Handling– How and where exceptions should be requested.

Accountability– Who is responsible for enforcement.

A policy must clearly define exceptions and the process for requesting them.

It should also define areas where the policy does not applyto avoid confusion.

Option A ("List of exceptions for board members' families")→ Incorrect because policies should applyconsistently to all stakeholders.

Option B ("List of acceptable fonts and margin types")→ Incorrect becauseformatting is secondary to content clarity.

Option D ("To whom the policy applies and an additional management report")→ Incorrect becausepolicy scope should not include unnecessary reports.

Step 1: Key Elements of a Well-Designed Policy DocumentStep 2: Why Option C is CorrectStep 3: Why the Other Options Are Incorrect

PRMIA Policy Writing Guidelines– Defines policy structure and exception handling.

ISO 19600 Compliance Management Standard– Supports clear, well-documented policies.

PRMIA Risk References Used:

Final Conclusion:A well-designed policy clearly defines exceptions and their handling process, makingOption C the correct answer.

Risk Appetiteis theamount of risk an organization is willing to take to achieve its objectives.

ARisk Appetite Statement(RAS) communicatesrisk tolerance levels and management expectations.

Risk Capacity(not Risk Appetite)defines the maximum risk the firm can withstand.

Risk Appetite is about willingness to take risk, not the absolute limit.

Option A ("Improves risk management standards")→Correct, as RAShelps define better risk management.

Option B ("Governing body articulates expectations")→Correct, as RAS isapproved by the board.

Option D ("Assists strategic discussions")→Correct, as RASguides decision-making.

Step 1: Understanding a Risk Appetite StatementStep 2: Why Option C is IncorrectStep 3: Why the Other Options Are Correct

PRMIA Risk Appetite Framework– Differentiates between Risk Appetite and Risk Capacity.

Basel III Governance Principles– Encourages organizations to establish clear risk appetite statements.

PRMIA Risk References Used:

Final Conclusion:Risk Appetite does not establish the maximum risk the firm can withstand—that isRisk Capacity, makingOption C the correct answer.

ARisk Functionensures that an organization followsbest practices in risk governance, assessment, and control implementation.

It should bealigned with the board’s risk strategyand ensureindependent oversight.

Theboard sets the overall risk strategy, and therisk function implements risk controls accordingly.

PRMIA emphasizesboard oversight as the guiding force behind risk management.

Option A ("Implement management’s direction")→ Incorrect becauserisk oversight should be board-driven, not solely management-driven.

Option C ("Ensure opinions are listened to")→ Incorrect becauserisk functions enforce policies, not just share opinions.

Option D ("Lower risk-taking to zero")→ Incorrect becauserisk-taking is necessary for growth—excessive risk aversion harms business.

Step 1: Role of a Risk FunctionStep 2: Why Option B is CorrectStep 3: Why the Other Options Are Incorrect

PRMIA Risk Governance Framework– Highlights board oversight in risk management.

Basel III Risk Management Standards– Emphasizes board-driven risk controls.

PRMIA Risk References Used:

Final Conclusion:The Risk Function must follow the board’s direction in implementing risk controls, makingOption B the correct answer.

TheNational Australia Bank (NAB) FX Options Case Studyis a well-known example ofoperational risk, fraud, and governance failure.

What Happened?

Traders engaged inunauthorized foreign exchange (FX) options trading, usingdeep-in-the-money optionsand other complex instruments.

They manipulated profits and losses tosmooth earningsand mislead risk managers and auditors.

Why Answer C is Correct

The traderssmoothed both profits and lossesto avoid detection and ensure continued trading bonuses.

This aligns with PRMIA’sOperational Risk Management Guidelines, which highlight thathidden trading losses and smoothing techniques increase financial crime risk.

Why Other Answers Are Incorrect

Option

Explanation

A. Complex structured transactions aided in the smoothing of losses.

Incorrect– Smoothing occurred with bothprofits and losses, not just losses.

B. Deep-in-the-money options and other complex structured transactions aided in the smoothing of losses.

Incorrect– Profits were also manipulated, making this answer incomplete.

D. Deep-in-the-money options aided in the smoothing of losses.

Incorrect– This focuses only on deep-in-the-money options and ignores other structured transactions involved in the fraud.

PRMIA Fraud and Risk Management Case Studies

Basel Principles on Market Risk and Internal Control Failures

PRMIA References for Verification

Risk-sensitive pricing ensures that financial institutions and businesses properlyaccount for risk in their pricing strategiesto maintain stability and sustainability. PRMIA’sRisk Pricing and Capital Adequacy Guidelinesdefine the importance of risk-sensitive pricing in ensuringfair compensation for risk exposureand avoidingrisk concentration issues.

Aligns risk with return: Pricing should be designed to reflect the underlying risk and return trade-off.

Protects investors: Investors expect compensation forcapital at risk(Option Ais correct).

Reinforces risk-aware culture: PRMIA promoteslinking incentives to risk-adjusted returns(Option Bis correct).

Prevents adverse selection: Proper risk pricing preventslow-quality assets from accumulating(Option Cis correct).

Income targets are business-driven, not risk-driven.

Risk-sensitive pricing aims tobalance risk and reward, not just maximize revenue.

PRMIA discouragesprofit-seeking behavior at the expense of risk considerations.

Step 1: Why Risk-Sensitive Pricing Is ImportantStep 2: Why Option D Is Incorrect

PRMIA Risk Pricing Guidelines– Defines the principles of risk-sensitive pricing.

PRMIA Risk-Adjusted Return Standards– Stresses linking incentives to risk-aware decisions.

PRMIA Capital Adequacy Framework– Highlights the role of risk-sensitive pricing in portfolio management.

PRMIA Risk References Used:

Final Conclusion:Risk-sensitive pricing is designed to alignreturns with risk exposure, not simply tomeet or exceed income targets, makingOption D the correct answer.

Material customer detrimentrefers to service disruptions thatcause financial loss, inability to access essential services, or significant hardship.

PRMIA andUK FCA Operational Resilience Standardsdefine"significant harm" as going beyond inconvenienceto includemonetary or operational distress.

Significant harm occurs when customers face tangible financial or service losses, not just reputational inconvenience.

Regulatory frameworks (e.g.,Basel, FCA, PRMIA) require banks toprotect customers from material disruptions.

Option A ("Low threshold, any complaint")→ Incorrect becausenot all complaints indicate material detriment.

Option B ("Inconvenience and reputational damage")→ Incorrect becausetrue material harm is more than just inconvenience.

Option C ("Financial system resilience")→ Incorrect because thisdescribes systemic financial stability, not customer impact.

Step 1: Definition of Material Customer DetrimentStep 2: Why Option D is CorrectStep 3: Why the Other Options Are Incorrect

PRMIA Operational Resilience Framework– Defines material customer detriment.

UK FCA Operational Resilience Guidelines– Requires firms to minimize severe harm to customers.

PRMIA Risk References Used:

Final Conclusion:Material customer detriment involves actual financial hardship, not just inconvenience, makingOption D the correct answer.

Definition of Control Rating Scales

Control rating scalesmeasure the effectiveness and performance of risk management controls.

They help organizationsevaluate control strength and identify weaknesses.

Key Components

Control effectiveness→ Measureshow well the control mitigates risks.

Control performance→ Assesseswhether the control operates as designed in practice.

Why Answer C is Correct

Botheffectivenessandperformancearecrucial for assessing control reliability.

A control may bedesigned effectively but fail in execution, makingboth factors essential.

Why Other Answers Are Incorrect

Option

Explanation

A. They are enhanced by the use of software that includes inherent risk.

Incorrect– Software can improve ratings, but control scales arebased on evaluation criteria, not just software tools.

B. A control rating scale should consider control effectiveness but not control performance.

Incorrect– Ignoring performance could lead tomisjudging actual control reliability.

D. A control rating scale should consider neither control effectiveness nor control performance.

Incorrect– This wouldrender the control rating scale useless.

PRMIA Governance and Control Framework

Basel Operational Risk Management Guidelines

PRMIA References for Verification

TheTurnbull Report (1999)was a UK corporate governance report thatset risk management expectations for boards.

Itrequired companies to assess and manage risks effectivelyas part of corporate governance.

Turnbull was the first report to mandate that boards must consider risk management in corporate governance.

This reportestablished risk assessment as a board-level responsibility.

Option A ("Defined risk governance for insurance")→ Incorrect becauseTurnbull applied to all sectors, not just insurance.

Option B ("First report to propose board structure")→ Incorrect becausecorporate boards existed long before Turnbull.

Option D ("Led to the US Federal Reserve")→ Incorrect becausethe Federal Reserve was established in 1913, long before Turnbull.

Step 1: What Is the Turnbull Report?Step 2: Why Option C is CorrectStep 3: Why the Other Options Are Incorrect

PRMIA Corporate Governance Guidelines– Highlights Turnbull's role in board-level risk oversight.

UK Corporate Governance Code– Turnbull contributed to defining board risk responsibilities.

PRMIA Risk References Used:

Final Conclusion:The Turnbull Report was the first to require boards to consider risks in corporate governance, makingOption C the correct answer.

Overview of the National Australia Bank (NAB) FX Options Case Study

Traders atNational Australia Bank (NAB)engaged inunauthorized foreign exchange (FX) options trading.

Theysmoothed profits and concealed lossesusingfictitious transactions and manipulated reporting.

This led toa major financial scandal and loss of investor confidence.

Key Findings of the Investigation

Tradersartificially smoothed profitsto avoid drawing attention to large fluctuations.

Losses wereconcealed from internal risk controlsby manipulating trade records.

The bank’srisk management and governance controls failedto detect and prevent these activities.

Why Other Answers Are Incorrect

Option

Explanation

A. Currency traders were allowed access to the risk system by the CEO.

Incorrect– No evidence suggests CEO involvement in granting system access.

B. Currency traders concealed losses using back-office knowledge.

Incorrect– While they concealed losses, they alsosmoothed profitsto manipulate earnings trends.

D. Currency traders were able to complete a Management Buy Out (MBO).

Incorrect– This event wasnot related to a Management Buyout (MBO); it was atrading scandal.

PRMIA Fraud and Risk Management Case Studies

Basel Principles on Market Risk and Internal Control Failures

PRMIA References for Verification

ESG (Environmental, Social, and Corporate Governance)refers to the three core factors used to evaluate a company's sustainability and ethical impact.

ESG is now akey part of risk management, influencinginvestment decisions, regulatory compliance, and corporate strategy.

Environmental (E): Climate change, carbon emissions, resource management.

Social (S): Diversity & inclusion, labor rights, community engagement.

Governance (G): Board structure, executive pay, corporate ethics.

Option A ("Environmental, Strategy, and Corporate Governance")

Incorrect becauseStrategy is not part of ESG.

Option C ("Enhanced Social Governance")

Incorrect because ESGcovers more than just social governance.

Option D ("Extra Social Governance")

Incorrect as it does not align with the recognized ESG definition.

Step 1: Definition of ESGStep 2: Breakdown of ESG ComponentsStep 3: Why the Other Options Are Incorrect

PRMIA ESG Risk Management Guidelines– Defines ESG factors as Environmental, Social, and Governance.

PRI (Principles for Responsible Investment)– Aligns ESG with financial risk management.

PRMIA Risk References Used:

ThePrinciples for Risk Governance, as established by PRMIA (Professional Risk Managers' International Association), emphasize theThree Lines of Defense (3LoD) Model, which is widely used in risk management and governance frameworks.

Business Line Ownership of Risk (First Line of Defense)

The business units are responsible for identifying, assessing, managing, and monitoring risks within their operations.

Since they generate the risks through their activities, they must own the risk assessment process.

This aligns withPRMIA Governance Principles, which state that risk management should be embedded within business operations to ensure proactive risk identification and control.

Risk Management’s Role (Second Line of Defense)

The risk management function isnot directly responsible for conducting risk assessmentsbut plays a key role in designing and maintaining the risk assessment framework.

This includes setting standards, methodologies, and tools for assessing risks across business functions.

Risk management providessupervision and oversight, ensuring that risk assessments align with organizational policies and regulatory expectations.

Oversight from Senior Management & the Board (Third Line of Defense)

Internal audit (third line of defense) independently reviews and provides assurance that the risk management framework is effective and that risk assessments are conducted properly.

PRMIA’sRisk Governance Standardsemphasize that internal audit should evaluate the effectiveness of the risk assessment framework without being involved in its direct execution.

Why Other Answers Are IncorrectOption

Explanation

A.Risk management, in its role as second line of defense, performs the risk assessment process from beginning to end. There is no business line involvement.

Incorrect– Risk management facilitates and oversees the risk assessment process, but the business must take ownership of the risks it generates.

C.Business owns the risk assessment process so risk management does not play a role in the process.

Incorrect– While the business owns the process, risk management plays a crucial role in developing the framework, setting policies, and providing oversight.

D.Business management's role in the risk assessment process should be confined to oversight.

Incorrect– Business management is actively responsible for executing risk assessments, not just overseeing them.

PRMIA Standards for Risk Governance– Establishes theThree Lines of Defenseand the separation of responsibilities.

PRMIA Risk Management Framework (RMF) Guidelines– Defines the roles of business and risk management in risk assessment.

PRMIA Enterprise Risk Management Best Practices– Outlines how risk management facilitates risk assessments while the business retains ownership.

PRMIA References for Verification

This answer is verified according to PRMIA’sofficial risk governance documents and best practices. Would you like additional clarification or supporting documentation references?

Definition of an Effective Key Risk Indicator (KRI)

AKRIis a metric used toidentify, measure, and monitor emerging risks.

To be effective, KRIs must beboth quantitative and qualitative, allowing for acomprehensive risk view.

Key Characteristics of Effective KRIs

Quantitative– Uses numerical data for trend analysis.

Qualitative– Incorporates expert judgment and scenario-based insights.

Consistent– Maintains uniform definitions across reporting periods.

Efficient & Repeatable– Must be easily measured and consistently reported.

Why Other Answers Are Incorrect

Option

Explanation

B. Qualitative, Consistent, Efficient & Repeatable.

Incorrect– Excludesquantitativeaspects, which are essential for KRIs.

C. Quantitative, Consistent, Comparable, Efficient & Repeatable.

Incorrect– While comparison is useful,qualitative factors are missing, making this answer incomplete.

D. Quantitative, Repeatable and Efficient.

Incorrect– Lacksqualitativeinsights andconsistencyas key factors for KRIs.

PRMIA Risk Indicator Guidelines

Basel Committee’s Principles on Risk Data and KRI

PRMIA References for Verification