








































The CORM Certified Operational Risk Manager Exam certifies professionals in managing operational risks in businesses and organizations. The exam evaluates knowledge in risk management frameworks, assessment techniques, and mitigation strategies. Candidates will demonstrate their ability to identify, evaluate, and manage operational risks to safeguard business operations. This certification is ideal for professionals working in risk management, compliance, and operational roles.
Typology: Exams

1. What is the best definition of operational risk?
A) The risk of market fluctuations
B) The risk of credit defaults
C) The risk of loss from inadequate or failed internal processes, people, and systems
D) The risk of liquidity issues
Answer: C
Explanation: Operational risk specifically refers to losses from inadequate or failed internal processes, people, and systems rather than market or credit risks.

2. Which of the following is a primary source of operational risk?
A) Interest rate changes
B) IT system failures
C) Foreign exchange fluctuations
D) Economic downturns
Answer: B
Explanation: IT system failures are a typical source of operational risk as they stem from internal process issues.

3. How does operational risk differ from credit risk?
A) It focuses on external market factors
B) It deals with internal process failures
C) It is solely related to economic cycles
D) It involves only regulatory issues
Answer: B
Explanation: Operational risk is linked to internal failures and process issues, while credit risk deals with counterpart defaults.

4. Which regulatory framework emphasizes operational risk management?
A) IFRS
B) Basel III
C) GAAP
D) FASB
Answer: B
Explanation: Basel III includes strict guidelines on managing operational risk within financial institutions.

5. What does risk appetite refer to in an organization?
A) The maximum amount of losses the board can tolerate
B) The strategic approach to risk avoidance
C) The amount and type of risk an organization is willing to pursue
D) The internal process for risk reporting
Answer: C
Explanation: Risk appetite defines the level and type of risk an organization is willing to take in pursuit of its objectives.

6. Which of the following best describes risk tolerance?
A) The willingness to exceed regulatory requirements
B) The acceptable deviation from the organization’s risk appetite
C) The overall risk capacity of the organization
D) The complete avoidance of risk
Answer: B
Explanation: Risk tolerance is the acceptable range of deviation from the established risk appetite.

7. In risk management, what is a risk register?
A) A log of all market risks
B) A detailed list of identified risks and their assessments
C) A record of financial transactions
D) A compliance checklist for audits
Answer: B
Explanation: A risk register documents identified risks, their ratings, and action plans for mitigation.

8. What is the main goal of risk assessment?
A) To eliminate all risks
B) To identify, analyze, and prioritize risks for management
C) To increase the risk exposure
D) To meet only regulatory requirements
Answer: B
Explanation: Risk assessment helps organizations identify, analyze, and prioritize risks, not to completely eliminate them.

9. Which technique is commonly used for risk identification?
A) Dividend analysis
B) Scenario analysis
C) Portfolio optimization
D) Asset allocation
Answer: B
Explanation: Scenario analysis is an effective method for identifying potential operational risks.

10. What is the difference between qualitative and quantitative risk assessments?
A) Qualitative assessments use numbers only
B) Quantitative assessments rely solely on expert opinions
C) Qualitative assessments use subjective measures, while quantitative assessments use numerical data
D) Both are identical in methodology
Answer: C
Explanation: Qualitative methods rely on subjective judgments, while quantitative methods use measurable data.

11. Which risk rating system factors are most commonly evaluated?
A) Sales volume and market share
B) Likelihood and impact
C) Profit margins and expenses
D) Regulatory compliance and audits

17. How do business continuity plans (BCPs) contribute to risk mitigation?
A) By increasing operational risks
B) By ensuring operations can continue during disruptions
C) By avoiding regulatory audits
D) By reducing market competition
Answer: B
Explanation: BCPs ensure that essential functions continue during disruptions, minimizing the impact of operational risks.

18. Which of the following is a key element in incident management?
A) Profit forecasting
B) Root cause analysis
C) Market expansion strategies
D) Employee recruitment
Answer: B
Explanation: Root cause analysis helps identify the underlying reasons for an incident, aiding in corrective actions.

19. What is the purpose of key risk indicators (KRIs)?
A) To measure financial performance exclusively
B) To signal potential risk issues before they become critical
C) To replace risk matrices
D) To enforce market regulations
Answer: B
Explanation: KRIs are metrics that help detect emerging risks, enabling early intervention.

20. What does a risk dashboard typically include?
A) Employee satisfaction scores
B) Visual representations of key risk metrics and trends
C) Annual sales figures
D) Market share statistics
Answer: B
Explanation: Risk dashboards present key metrics and trends to support informed risk management decisions.

21. Which component is essential in the integration of operational risk management with organizational strategy?
A) Increasing advertising budgets
B) Aligning risk management objectives with overall business goals
C) Outsourcing all risk functions
D) Sole focus on regulatory compliance
Answer: B
Explanation: Aligning risk management with business objectives ensures that risk mitigation supports the organization’s strategy.

22. What does the COSO framework primarily address?
A) International trade regulations
B) Enterprise risk management including operational risks
C) Investment portfolio optimization
D) Currency exchange risks
Answer: B
Explanation: COSO is widely used for enterprise risk management, covering various risk types including operational risk.

23. How does a decentralized risk management model differ from a centralized one?
A) It uses a single risk framework for all branches
B) It delegates risk responsibilities to individual units
C) It focuses only on financial risks
D) It is less flexible in implementation
Answer: B
Explanation: A decentralized model gives individual business units the authority to manage their own risks.

24. Which of the following is a key component of a risk management framework?
A) Governance, policies, and procedures
B) Only financial reporting
C) Exclusive IT management
D) Sole reliance on market data
Answer: A
Explanation: A robust risk management framework includes governance, well-defined policies, and procedures.

25. What is the primary role of the board of directors in operational risk management?
A) To implement IT solutions
B) To set risk appetite and oversee risk policies
C) To perform daily risk assessments
D) To manage customer relationships
Answer: B
Explanation: The board is responsible for setting the risk appetite and ensuring that effective risk policies are in place.

26. How can risk management policies be aligned with business goals?
A) By ignoring risk exposure
B) By integrating risk objectives with strategic business initiatives
C) By solely focusing on regulatory demands
D) By minimizing stakeholder involvement
Answer: B
Explanation: Risk management policies that align with business objectives help ensure that risk-taking supports overall strategy.

27. What is a typical role of internal auditors in operational risk management?
A) To generate profits
B) To evaluate and improve risk management controls
C) To market the company

33. How does scenario analysis benefit operational risk assessment?
A) It guarantees risk elimination
B) It evaluates potential outcomes under different hypothetical situations
C) It increases risk exposure
D) It replaces the need for internal controls
Answer: B
Explanation: Scenario analysis helps organizations prepare for various possible events by modeling different risk outcomes.

34. What is stress testing in the context of operational risk?
A) A method to determine employee stress levels
B) A technique to assess the impact of extreme conditions on risk exposure
C) A process for evaluating marketing strategies
D) A regulatory reporting requirement only
Answer: B
Explanation: Stress testing examines how extreme conditions can impact an organization’s operational risk profile.

35. Why is sensitivity analysis important in risk management?
A) It increases market share
B) It determines how changes in variables affect risk outcomes
C) It minimizes employee training needs
D) It solely focuses on IT risks
Answer: B
Explanation: Sensitivity analysis identifies which variables most influence risk outcomes, allowing for better management strategies.

36. What is the primary goal of corrective controls?
A) To detect issues before they occur
B) To fix problems after a risk event has occurred
C) To expand market operations
D) To increase operational complexity
Answer: B
Explanation: Corrective controls are implemented after an event to remedy and prevent recurrence of the issue.

37. Which of the following is an example of an automation tool used in risk control?
A) Manual data entry
B) Real-time monitoring software
C) Handwritten logs
D) Paper-based filing systems
Answer: B
Explanation: Real-time monitoring software automates the detection of anomalies and risk indicators.

38. What is the role of business continuity planning (BCP) in risk mitigation?
A) To focus solely on profit growth
B) To ensure critical operations continue during disruptions
C) To avoid all risks
D) To manage employee performance
Answer: B
Explanation: BCPs are designed to maintain essential functions during and after an operational disruption.

39. How does disaster recovery (DR) differ from business continuity planning?
A) DR focuses on IT systems recovery; BCP addresses overall operational continuity
B) They are the same
C) DR is for marketing while BCP is for finance
D) BCP is used only after disasters occur
Answer: A
Explanation: Disaster recovery specifically targets the restoration of IT and technical systems, whereas BCP ensures overall business operations continue.

40. What is the importance of documenting incident management processes?
A) It increases the cost of operations
B) It facilitates learning and improvement after incidents
C) It solely satisfies external auditors
D) It is only used for public relations
Answer: B
Explanation: Documentation of incident management allows organizations to analyze events, learn lessons, and improve future responses.

41. How does real-time risk monitoring differ from periodic reviews?
A) Real-time monitoring provides continuous updates, while periodic reviews are scheduled audits
B) Both methods are identical
C) Periodic reviews are more frequent than real-time monitoring
D) Real-time monitoring is only used for compliance reporting
Answer: A
Explanation: Real-time monitoring continuously tracks risks, whereas periodic reviews occur on a set schedule.

42. What is the primary function of key performance indicators (KPIs) in risk management?
A) To evaluate marketing success
B) To measure performance against risk management objectives
C) To calculate salaries
D) To track customer satisfaction
Answer: B
Explanation: KPIs help determine whether risk management initiatives are effective in achieving desired outcomes.

43. Which of the following best describes risk reporting?
A) A process to communicate risk information to stakeholders
B) A method to hide risks from management
C) An annual financial audit
D) A customer feedback tool

49. Which aspect of risk management is enhanced by using data analytics?
A) Employee recruitment
B) Identification of trends and anomalies in risk exposure
C) Setting sales targets
D) Conducting market research
Answer: B
Explanation: Data analytics help identify patterns and anomalies that can signal emerging risks.

50. What is the primary aim of developing KRIs?
A) To confuse management
B) To provide early warning signals of increasing risk
C) To replace all other risk metrics
D) To determine marketing strategies
Answer: B
Explanation: KRIs are designed to alert organizations about potential risk escalations before they become critical.

51. What is a key element in fostering a risk-aware culture?
A) Eliminating all risks
B) Training and educating employees on risk issues
C) Centralizing all decision-making
D) Outsourcing risk management entirely
Answer: B
Explanation: Employee training and education help build a culture where everyone is aware of and proactive about risk.

52. How can leadership influence an organization’s risk culture?
A) By ignoring risk management frameworks
B) By demonstrating commitment to risk management practices
C) By focusing solely on short-term profits
D) By delegating all responsibilities without oversight
Answer: B
Explanation: Leadership commitment sets the tone for risk awareness and encourages proactive risk management across the organization.

53. Which factor can negatively affect organizational risk behavior?
A) Transparent communication
B) Incentive structures that reward risk-taking without controls
C) Comprehensive training programs
D) Robust internal controls
Answer: B
Explanation: Incentives that reward excessive risk-taking can lead to behaviors that increase overall risk exposure.

54. What is one way to mitigate cognitive biases in risk decision-making?
A) Rely solely on intuition
B) Implement structured decision-making frameworks
C) Avoid external consultation
D) Focus only on past successes
Answer: B
Explanation: Structured frameworks help minimize biases by standardizing the assessment process.

55. Which of the following is an example of managing change in risk management?
A) Ignoring new market trends
B) Conducting risk assessments during mergers and acquisitions
C) Eliminating all organizational changes
D) Reducing training budgets during restructuring
Answer: B
Explanation: Assessing risks during organizational changes ensures that potential disruptions are managed effectively.

56. How does organizational change affect operational risk?
A) It always reduces risk
B) It can introduce new risks and increase complexity
C) It is unrelated to risk management
D) It solely impacts financial performance
Answer: B
Explanation: Change often brings new processes and challenges that may introduce additional risks.

57. Which legal framework is often associated with operational risk management?
A) HIPAA
B) SOX (Sarbanes-Oxley Act)
C) COPPA
D) DMCA
Answer: B
Explanation: The Sarbanes-Oxley Act (SOX) has significant implications for operational risk management in financial reporting and internal controls.

58. What role does insurance play in mitigating operational risk?
A) It guarantees the elimination of risk
B) It transfers certain risk exposures to a third party
C) It increases operational risk exposure
D) It solely focuses on regulatory compliance
Answer: B
Explanation: Insurance can transfer some risk exposures, reducing the financial impact of potential losses.

59. Why are regulatory stress tests important?
A) They are used only for marketing purposes
B) They assess an institution’s resilience against adverse scenarios
C) They replace internal risk assessments
D) They are conducted solely by external auditors
Answer: B

65. What is a compliance framework?
A) A system for managing sales pipelines
B) A set of guidelines and standards that ensure adherence to laws and regulations
C) A marketing strategy tool
D) A technology platform for employee engagement
Answer: B
Explanation: Compliance frameworks outline the standards and procedures organizations must follow to comply with legal and regulatory requirements.

66. What is the primary focus of technology risk management?
A) Managing market risks
B) Addressing risks related to IT systems, cybersecurity, and data breaches
C) Overseeing employee benefits
D) Enhancing customer service
Answer: B
Explanation: Technology risk management deals with challenges in IT systems, cybersecurity threats, and potential data breaches.

67. Which risk is most associated with cybersecurity?
A) Liquidity risk
B) Data breach
C) Interest rate risk
D) Reputational risk only
Answer: B
Explanation: Cybersecurity risks primarily involve data breaches and cyberattacks that compromise information security.

68. What is one of the best practices in cybersecurity risk management?
A) Ignoring regular updates
B) Implementing defense-in-depth strategies
C) Outsourcing all IT functions without oversight
D) Relying solely on antivirus software
Answer: B
Explanation: Defense-in-depth provides multiple layers of security, reducing the likelihood of a successful cyberattack.

69. How do emerging technologies like blockchain influence operational risk management?
A) They eliminate all operational risks
B) They introduce new challenges and opportunities for risk control
C) They are irrelevant to operational risk
D) They solely focus on financial risk
Answer: B
Explanation: While emerging technologies can streamline operations, they also introduce unique risks that must be managed.

70. Which of the following is a benefit of using AI in risk management?
A) Reduced decision-making accuracy
B) Enhanced data analytics and predictive capabilities
C) Increased manual workload
D) Complete removal of risk
Answer: B
Explanation: AI improves risk management by analyzing large datasets to predict and identify potential risks.

71. What does the term “third-party risk” refer to in technology risk management?
A) Risks only associated with internal teams
B) Risks arising from external vendors and service providers
C) Risks related to competitors
D) Risks solely related to market trends
Answer: B
Explanation: Third-party risk involves potential vulnerabilities from external partners, such as outsourced IT services.

72. What is the primary objective of a disaster recovery (DR) plan?
A) To expand business operations
B) To restore IT systems and operations after a disruption
C) To increase risk appetite
D) To evaluate employee performance
Answer: B
Explanation: A DR plan is designed to quickly restore critical IT functions following a disruptive event.

73. Which term best describes the process of ensuring that essential business functions continue during a crisis?
A) Crisis marketing
B) Business Continuity Management (BCM)
C) Risk outsourcing
D) Operational scaling
Answer: B
Explanation: BCM ensures that critical business processes continue even during crises.

74. What is a critical aspect of crisis communication plans in operational risk management?
A) Ignoring stakeholder concerns
B) Timely and accurate dissemination of information
C) Focusing solely on financial details
D) Delaying communication until full resolution
Answer: B
Explanation: Effective crisis communication involves promptly informing stakeholders with accurate information.

75. Which of the following is a key benefit of post-crisis reviews?
A) Increasing operational downtime
B) Identifying lessons learned and improving future responses
C) Avoiding regulatory audits
D) Reducing employee morale

Explanation: A risk-return matrix helps balance potential risks against anticipated rewards in strategic initiatives.

81. How can companies build long-term resilience against emerging risks?
A) By ignoring market changes
B) Through forward-looking risk management practices and scenario planning
C) By solely relying on past performance
D) By increasing short-term risk exposure
Answer: B
Explanation: Proactive risk management and scenario planning enable organizations to anticipate and prepare for emerging risks.

82. What is one common lesson from past operational risk failures?
A) Risk management is unnecessary
B) Inadequate internal controls can lead to significant losses
C) External factors are always to blame
D) Technology investments eliminate all risks
Answer: B
Explanation: Many failures have occurred due to weak internal controls, emphasizing the need for robust risk management.

83. Which method is often used to evaluate operational risk management strategies in case studies?
A) Qualitative analysis of historical events
B) Analysis of employee uniforms
C) Sales revenue comparisons
D) Customer loyalty studies
Answer: A
Explanation: Qualitative analyses of historical failures help extract lessons and best practices for future risk management.

84. What is the purpose of group discussions in practical risk management exercises?
A) To delay decision-making
B) To share diverse perspectives and collectively solve complex risk challenges
C) To increase meeting durations unnecessarily
D) To avoid risk assessments
Answer: B
Explanation: Group discussions foster collaboration and allow teams to pool insights for more effective risk solutions.

85. In case studies, why is it important to examine root causes of operational failures?
A) To assign blame only
B) To identify underlying issues and prevent future occurrences
C) To justify increased budgets
D) To confirm that failures are unavoidable
Answer: B
Explanation: Understanding root causes is critical for developing strategies to mitigate similar risks in the future.

86. Which of the following best describes a real-life application exercise in risk management?
A) Memorizing definitions only
B) Simulating risk scenarios to apply mitigation strategies
C) Solely reading risk manuals
D) Avoiding group interactions
Answer: B
Explanation: Practical exercises simulate real-world scenarios, enabling participants to apply risk management techniques in a controlled environment.

87. What is a common challenge when applying risk management techniques in practice?
A) Too much available data
B) Complexity and uncertainty in real-world situations
C) Lack of regulatory requirements
D) Over-simplified processes
Answer: B
Explanation: The dynamic nature of real-world operations often makes risk assessment and mitigation complex and uncertain.

88. How can lessons from case studies influence future risk management strategies?
A) By eliminating the need for audits
B) By providing insights that drive continuous improvement
C) By proving that risks cannot be controlled
D) By solely focusing on historical data
Answer: B
Explanation: Case studies offer valuable insights that help organizations refine and improve their risk management approaches.

89. Which of the following is a future trend in operational risk management?
A) Relying only on manual controls
B) Greater use of AI and machine learning for risk analytics
C) Eliminating all risk assessments
D) Ignoring emerging technologies
Answer: B
Explanation: Emerging technologies such as AI are increasingly used to enhance the accuracy and efficiency of risk analytics.

90. What does ESG stand for in risk management contexts?
A) Economic, Sales, and Growth
B) Environmental, Social, and Governance
C) Efficiency, Security, and Governance
D) Energy, Strategy, and Globalization
Answer: B
Explanation: ESG stands for Environmental, Social, and Governance, important factors in modern risk assessment.

91. How does climate change represent an emerging operational risk?
A) It solely affects marketing strategies

D) It replaces the need for controls entirely
Answer: B
Explanation: While automation minimizes human error, it may also introduce risks such as system vulnerabilities if not properly managed.

97. What is the primary goal of operational resilience planning?
A) To maximize profits regardless of risk
B) To ensure the organization can adapt and recover from disruptions
C) To eliminate all risks
D) To reduce employee training
Answer: B
Explanation: Operational resilience focuses on the ability to quickly adapt to and recover from unexpected events.

98. How can scenario planning contribute to strategic risk management?
A) By predicting exact future events
B) By preparing organizations for a range of possible outcomes
C) By ignoring market trends
D) By reducing stakeholder involvement
Answer: B
Explanation: Scenario planning enables organizations to envision multiple futures and develop flexible strategies.

99. Which of the following is a benefit of aligning operational risk management with corporate strategy?
A) Increased operational silos
B) Enhanced decision-making and long-term planning
C) Complete risk elimination
D) Reduced need for training
Answer: B
Explanation: Aligning risk management with strategy supports proactive decision-making and resilience.

100. How can organizations ensure continuous improvement in their risk management practices?
A) By setting fixed processes without review
B) By establishing feedback loops and regular risk audits
C) By focusing only on past incidents
D) By ignoring technological advancements
Answer: B
Explanation: Continuous improvement is achieved through systematic reviews, audits, and adjustments based on feedback.

101. What is a primary characteristic of an effective operational risk framework?
A) It is static and unchanging
B) It integrates governance, policies, and continuous monitoring
C) It ignores regulatory changes
D) It is developed solely by IT departments
Answer: B
Explanation: An effective framework combines clear governance, policies, and continuous monitoring to adapt to evolving risks.

102. What does the term “risk capacity” refer to?
A) The maximum amount of risk an organization can absorb without impairing operations
B) The total market share of the organization
C) The number of risks identified
D) The speed of decision-making
Answer: A
Explanation: Risk capacity indicates the maximum loss an organization can sustain before its core operations are affected.

103. Which of the following is a direct benefit of conducting regular risk assessments?
A) Reduced regulatory oversight
B) Early identification of emerging risks
C) Increased market volatility
D) Higher operational costs
Answer: B
Explanation: Regular risk assessments help organizations identify new threats early, enabling proactive management.

104. What is a key characteristic of an effective risk management lifecycle?
A) One-time identification and resolution
B) Continuous monitoring, assessment, and response
C) Sole reliance on external audits
D) Ignoring past incidents
Answer: B
Explanation: An effective lifecycle involves ongoing identification, evaluation, mitigation, and monitoring of risks.

105. What is the relationship between risk exposure and risk capacity?
A) They are unrelated
B) Risk exposure should remain within the organization’s risk capacity
C) Risk capacity is always greater than risk exposure
D) Risk exposure is determined solely by market conditions
Answer: B
Explanation: It is critical for an organization to keep its risk exposure within its overall risk capacity to avoid operational distress.

106. Which of the following best describes the term “loss data analysis”?
A) A process to determine sales trends
B) A method of reviewing historical loss events to identify risk patterns
C) A marketing analysis tool
D) A strategy to predict future profits
Answer: B
Explanation: Loss data analysis reviews past incidents to identify recurring issues and improve risk mitigation strategies.