Certified Risk And Compliance
Management Professional (CRCMP)
Exam Question And Correct Answers
(Verified Answers) Plus Rationales 2026
Q&A Instant Download Pdf
1. The primary objective of enterprise risk management (ERM) is to:
A. Eliminate all risks
B. Reduce compliance costs
C. Increase audit frequency
D. Align risk management with organizational strategy
ERM focuses on identifying, assessing, and managing risks in alignment
with strategic objectives rather than eliminating all risks.
2. Which risk category arises from failures in internal processes, people, or systems?
A. Strategic risk
B. Financial risk
C. Operational risk
D. Reputational risk
Operational risk stems from internal process breakdowns, system failures,
or human error.
3. Compliance risk is best defined as the risk of:
A. Market volatility
B. Business competition
C. Legal or regulatory sanctions and financial loss
D. Technology obsolescence
Compliance risk relates to failure to adhere to laws, regulations, or standards.
4. The COSO ERM framework emphasizes which of the following components?
A. Risk avoidance
B. Governance and culture
C. External audits
D. Budget controls
COSO ERM highlights governance, culture, strategy, and performance as
core elements.
5. A risk appetite statement primarily communicates:
A. Audit procedures
B. Risk mitigation costs
C. The level of risk an organization is willing to accept
D. Regulatory thresholds
Risk appetite defines acceptable risk levels in pursuit of objectives.
6. Which document outlines an organization’s commitment to compliance?
A. Risk register
B. Audit charter
C. Compliance policy
D. Business plan
A compliance policy formally states management’s expectations and
commitment.
7. In the “three lines model,” risk management responsibility primarily lies with:
A. External auditors
B. Regulators
C. Management (first and second lines)
D. Board committees only
Management owns and manages risk, while assurance is provided by
internal audit.
8. Which is an example of inherent risk?
A. Residual risk after controls
B. Risk before controls are applied
C. Risk transferred through insurance
D. Risk accepted by management
Inherent risk exists in the absence of controls.
9. A risk register is mainly used to:
A. Record audit findings
B. Track employee performance
C. Document identified risks and controls
D. Store financial data
Risk registers consolidate risks, impacts, likelihoods, and mitigation
actions.
10. Which regulation focuses on internal controls over financial reporting in the US?
A. Basel III
B. GDPR
C. Sarbanes-Oxley Act (SOX)
D. FATF Recommendations
SOX emphasizes internal control and corporate governance.
11. Residual risk refers to:
A. Risk before mitigation
B. Risk remaining after controls are applied
C. Risk transferred externally
D. Unknown risks
Residual risk is what remains after mitigation efforts.
12. Which approach avoids risk entirely?
A. Risk transfer
B. Risk reduction