Certification Examination Questions
And Correct Answers (Verified Answers)
Plus Rationales 2026 Q&A | Instant
Download Pdf
Question 1
Which of the following best defines enterprise risk management (ERM) as
opposed to traditional risk management?
A. ERM focuses exclusively on financial risks, while traditional risk management
covers operational risks.
B. ERM is a siloed approach that delegates risk ownership to individual
departments.
C. ERM is a holistic, integrated framework that manages risks across the entire
organization in alignment with strategy.
D. ERM eliminates all negative risks and only retains positive uncertainties.
Answer: C. ERM is a holistic, integrated framework that manages risks across
the entire organization in alignment with strategy.
Rationale: ERM differs from traditional risk management by breaking down silos
and considering the aggregate portfolio of risks, including strategic, operational,
financial, and compliance risks, all in the context of organizational objectives.
Question 2
Which component of the COSO ERM framework explicitly addresses the
organization’s mission, vision, and core values?
,A. Governance and Culture
B. Strategy and Objective-Setting
C. Performance
D. Review and Revision
Answer: B. Strategy and Objective-Setting.
Rationale: In the COSO ERM framework, Strategy and Objective-Setting is the
component where the entity defines its mission, vision, and core values, and
establishes risk appetite and tolerances aligned with strategic planning.
Question 3
A risk that arises from the potential failure of internal processes, people, or
systems is classified as:
A. Strategic risk
B. Operational risk
C. Financial risk
D. Hazard risk
Answer: B. Operational risk.
Rationale: Operational risk is defined as the risk of loss resulting from inadequate
or failed internal processes, people, and systems, or from external events, as per
Basel II and standard ERM taxonomies.
Question 4
In the context of risk appetite, which statement is most accurate?
A. Risk appetite is the amount of risk an organization can tolerate, which is always
static.
B. Risk appetite is a broad-based description of the desired level of risk-taking that
an entity is willing to accept in pursuit of its mission.
C. Risk appetite and risk tolerance are identical terms and can be used
interchangeably.
D. Risk appetite is set solely by the chief risk officer without board involvement.
,Answer: B. Risk appetite is a broad-based description of the desired level of risk-
taking that an entity is willing to accept in pursuit of its mission.
Rationale: Risk appetite is a high-level, strategic statement of willingness to accept
risk, while risk tolerance is more granular and quantitative. Risk appetite is set by
the board and senior management, not by one individual.
Question 5
Which of the following is a key benefit of implementing an ERM program?
A. Guaranteed elimination of all downside risks.
B. Enhanced ability to identify, assess, and respond to interconnected risks across
the enterprise.
C. Reduced need for internal audits and compliance functions.
D. Complete certainty in achieving strategic objectives.
Answer: B. Enhanced ability to identify, assess, and respond to interconnected
risks across the enterprise.
Rationale: ERM provides a portfolio view of risks, highlighting correlations and
dependencies, which improves decision-making. It does not eliminate all risks nor
guarantee certainty.
Question 6
Under the ISO 31000:2018 standard, which principle is foundational for effective
risk management?
A. Risk management is separate from organizational activities.
B. Risk management is integrated and structured.
C. Risk management focuses only on negative consequences.
D. Risk management is a one-time project.
Answer: B. Risk management is integrated and structured.
Rationale: ISO 31000 emphasizes that risk management should be an integral part
of all organizational activities, structured, comprehensive, and customized, rather
than a standalone or periodic exercise.
, Question 7
Which risk response strategy involves reducing the likelihood or impact of a risk to
an acceptable level?
A. Avoidance
B. Mitigation
C. Transfer
D. Acceptance
Answer: B. Mitigation.
Rationale: Mitigation (or reduction) involves actions to decrease the probability
and/or severity of a risk. Avoidance eliminates the risk, transfer shifts it to a third
party, and acceptance acknowledges it without action.
Question 8
A company decides to purchase insurance for its manufacturing plant against fire
damage. This is an example of which risk response?
A. Avoidance
B. Mitigation
C. Transfer
D. Exploitation
Answer: C. Transfer.
Rationale: Insurance is a classic risk transfer mechanism where the financial
consequences of a loss are shifted to an insurer, though some residual risk may
remain.
Question 9
Which of the following is a forward-looking key risk indicator (KRI) for credit risk in
a bank?
A. Historical loan default rate
B. Current non-performing loan ratio