PROFESSIONAL EXAM 2026/2027 | Complete Study Guide |
Questions & Verified Answers | Pass Guaranteed - A+ Graded
Section 1: Risk Governance & Culture (Q1-20)
Q1. According to ISO 31000:2018, how many core principles underpin the risk
management framework?
A. Five principles: integration, structured and comprehensive, customized, inclusive, and
dynamic.
B. Seven principles: integration, structured and comprehensive, customized, inclusive,
dynamic, best available information, and human and cultural factors. [CORRECT]
C. Three principles: identify, assess, and treat.
D. Ten principles covering governance, process, and performance metrics.
Rationale: ISO 31000:2018 establishes seven principles for risk management:
integration, structured and comprehensive, customized, inclusive, dynamic, best
available information, and human and cultural factors. Option A undercounts, C
confuses principles with process steps, and D invents principles.
Correct Answer: B
Q2. A mid-sized manufacturing firm establishes plant-level safety committees that
report operational hazards to regional managers. According to the Three Lines of
Defense model, these committees represent which line?
A. Second line of defense because they perform risk monitoring functions.
B. First line of defense because they own and manage operational risks as part of core
business activities. [CORRECT]
C. Third line of defense because they provide independent assurance.
D. External audit function because they are not part of corporate headquarters.
Rationale: The first line of defense consists of operational management and staff who
own and manage risks as part of their daily activities. Plant-level safety committees
managing operational hazards are first line. Option A incorrectly assigns them to
risk/compliance oversight; C confuses them with independent audit; D mischaracterizes
their role.
Correct Answer: B
Q3. A board approves a statement that the organization will accept up to $50 million in
aggregate trading losses annually. The chief risk officer establishes desk-level limits of
$5 million. The $5 million limit best represents:
A. Risk appetite, as it reflects the board's aggregate risk-taking desire.
B. Risk tolerance, as it represents the acceptable variation at the trading desk level.
[CORRECT]
C. Risk capacity, as it reflects the maximum available capital.
D. Risk limit, which is unrelated to either appetite or tolerance.
Rationale: The $5 million desk-level limit represents risk tolerance—the acceptable
variation relative to a specific objective or unit—while the $50 million aggregate reflects
risk appetite. Option A incorrectly labels the sub-limit as appetite; C confuses tolerance
with absolute capacity; D incorrectly denies the relationship to tolerance.
Correct Answer: B
Q4. Under COSO ERM 2024 (updated framework), which component addresses the
organization's risk culture, ethical values, and governance structure?
A. Strategy and Objective-Setting.
B. Governance and Culture. [CORRECT]
C. Performance.
D. Review and Revision.
Rationale: The COSO ERM 2024 framework includes five components, with "Governance
and Culture" addressing the board's oversight role, organizational culture, and ethical
values. Option A addresses strategic planning; C addresses risk management in
operations; D addresses continuous improvement.
Correct Answer: B
Q5. A risk manager surveys employees and finds that 40% believe risk is solely the risk
department's responsibility and that reporting near-misses is discouraged. Which risk
culture indicator is most deficient?
A. Risk governance structure.
B. Risk awareness and ownership. [CORRECT]
C. Risk quantification capability.
D. External stakeholder communication.
Rationale: The belief that risk is not everyone's responsibility and reluctance to report
near-misses indicates poor risk awareness and ownership culture. Option A relates to
governance architecture; C relates to analytical capability; D relates to external
communication, none of which are indicated by the survey findings.
Correct Answer: B
Q6. A board of directors reviews the organization's ERM framework and finds that risk
considerations are not integrated into strategic planning sessions. Under COSO ERM
2024, which component is deficient, and what is the likely consequence?
A. Governance and Culture; the consequence is poor ethical decision-making.
B. Strategy and Objective-Setting; the consequence is misaligned risk-taking that may
jeopardize strategic goals. [CORRECT]
C. Information, Communication, and Reporting; the consequence is inadequate risk
disclosures.
D. Review and Revision; the consequence is failure to update the risk register.
Rationale: COSO ERM 2024's "Strategy and Objective-Setting" component requires
integrating risk into strategy formulation. Failure to do so leads to strategies that do not
account for risk capacity and may jeopardize objectives. Option A addresses culture,
not strategic integration; C addresses reporting; D addresses framework updates.
Correct Answer: B
Q7. In the Three Lines of Defense model, which functions typically comprise the second
line?
A. Operational management and front-line staff.
B. Risk management, compliance, legal, and quality assurance functions. [CORRECT]
C. Internal audit and external audit.
D. Board of directors and executive management.
Rationale: The second line of defense includes risk management, compliance, legal, and
other oversight functions that monitor and facilitate risk management. Option A
describes the first line; C describes the third line and external assurance; D describes
governance.
Correct Answer: B
Q8. A global bank's board approves a risk appetite statement allowing up to $500
million in aggregate trading losses annually. The chief risk officer establishes sub-limits
of $50 million per trading desk. The $50 million limit best represents:
A. Risk appetite, as it reflects the board's aggregate risk-taking desire.
B. Risk tolerance, as it represents the acceptable variation at the trading desk level.
[CORRECT]
C. Risk capacity, as it reflects the maximum available capital.
D. Risk limit, which is unrelated to either appetite or tolerance.
Rationale: The $50 million desk-level limit represents risk tolerance—the acceptable
variation relative to a specific objective or unit—while the $500 million aggregate
reflects risk appetite. Option A incorrectly labels the sub-limit as appetite; C confuses
tolerance with absolute capacity; D incorrectly denies the relationship to tolerance.
Correct Answer: B
Q9. A hospital's compliance department conducts quarterly reviews of patient privacy
procedures and reports findings to the C-suite. According to the Three Lines of Defense
model, this compliance function operates as:
A. First line, because it is embedded within operational units.
B. Second line, because it monitors compliance and provides oversight without being
directly involved in patient care operations. [CORRECT]
C. Third line, because it reports independently to the board.
D. External line, because it reports to regulators.
Rationale: Compliance functions that monitor and facilitate risk management without
directly delivering core services represent the second line of defense. Option A
incorrectly assigns them to operations; C would require independence and board
reporting typical of internal audit; D mischaracterizes the reporting relationship.
Correct Answer: B
Q10. Which of the following is NOT one of the five components of the COSO ERM 2024
framework?
A. Governance and Culture.
B. Strategy and Objective-Setting.
C. Risk Assessment and Quantification. [CORRECT]
D. Review and Revision.
Rationale: COSO ERM 2024 comprises five components: Governance and Culture;
Strategy and Objective-Setting; Performance; Information, Communication, and
Reporting; and Review and Revision. "Risk Assessment and Quantification" is not a