⋆ ⋆ ⋆
RSK2602: Fundamentals of
Operational & Financial Risk
OCT/NOV Examination 2026
Comprehensive Revision Pack — Covering Past Papers: 2023, 2024 & 2025
⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆
Risk Management — Economic & Management Sciences
Exam Revision Guide
RSK2602
Module Code:
Fundamentals of Operational & Financial Risk
Module Name:
OCT/NOV 2023, OCT/NOV 2024, OCT/NOV
Papers Covered: 2025
2026
Revision Year:
100 marks (typical exam)
Total Marks:
2 hours
Duration:
This revision document covers all examinable topics across the 2023–2025 exami-
nation period. Work through each question and answer carefully. Focus on under-
standing the reasoning, not memorisation.
Exam Revision Notes | RSK2602 | 2026
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
Question 1 — Risk Management Fundamentals [20 marks]
(a) [5 marks]
Question: Evaluate the accuracy of the following statement and provide a full motivation
for your answer: “Risk management should be focused exclusively on preventing losses,
and risk should always be viewed as a negative event.” (5)
Answer:
This statement is FALSE. Risk management must address both the downside (loss preven-
tion) and the upside (opportunity exploitation) of potential risk events.
• Dual nature of risk: Risk has two dimensions. One side seeks to prevent or minimise
losses when adverse events occur. The other side deliberately takes on risk with the objec-
tive of generating profit or competitive advantage.
• Positive vs negative view: A purely negative view of risk ignores the reality that or-
ganisations must take calculated risks to grow. Modern enterprise risk management (ERM)
explicitly requires that risk be viewed from both a positive and negative perspective.
• Risk as opportunity: Opportunities such as entering new markets, launching new prod-
ucts, or adopting new technology all carry risk, yet they also carry potential reward. Re-
fusing all risk would prevent an organisation from advancing.
• Balanced approach: Risk management should therefore be focused on both risk avoid-
ance (downside management) and risk-taking (upside exploitation), within the boundaries
of the organisation’s risk appetite.
Key Concept
Risk is defined as the possibility that an event will occur and adversely affect the
achievement of objectives — but equally, risk management encompasses identifying and
exploiting opportunities. ERM integrates both dimensions into a single, coordinated
framework.
Page 2 of 32
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
(b) [5 marks]
Question: Identify and discuss five key drivers that have increased the risk profiles of
organisations. (5)
Answer:
The following drivers have substantially increased the risk exposure of modern organisations:
• More vigilant regulatory environment: Regulators globally have tightened compli-
ance requirements (Basel III/IV, King IV, GDPR), forcing organisations to manage a far
wider range of compliance risks. Non-compliance now carries severe financial and reputa-
tional penalties.
• Increased focus on governance: Shareholders, boards, and regulators demand greater
accountability and transparency, which means failures in governance structures are imme-
diately visible and costly.
• Globalisation: Operating across borders exposes organisations to currency risk, political
risk, cultural risk, and supply chain vulnerabilities that did not exist for domestic-only
businesses.
• More sophisticated consumers: Customers are better informed and more demanding.
Product failures, service disruptions, or ethical lapses quickly translate into reputational
damage and revenue loss.
• Technological advances: The rise of digital systems, cloud computing, and artificial
intelligence has introduced new technology and cyber risks while also creating dependence
on interconnected infrastructure.
Watch Out
A common exam error is listing “less vigilant regulatory environment” as a driver. The
correct driver is a more vigilant (stricter) regulatory environment, which increases
compliance risk exposure.
Page 3 of 32
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
(c) [5 marks]
Question: Distinguish between financial risk and non-financial risk by providing
relevant examples of each. (5)
Answer:
Table 1: Financial Risk vs Non-Financial Risk
Financial Risk Non-Financial Risk
Aspect
Risk of financial loss arising from Risk arising from operational
Definition adverse movements in market failures, strategic missteps, or
variables or counterparty failure reputational damage
Credit risk, market risk, liquidity Operational risk, strategic risk,
Examples risk, exchange rate risk, country reputational risk, technology risk,
risk, interest rate risk legal risk
Typically quantifiable in mone- Often difficult to quantify; mea-
Nature tary terms sured qualitatively
Derivatives, hedging, diversifica- Controls, policies, business conti-
Primary tools tion, capital adequacy nuity plans
• Country risk is classified as a financial risk because it relates to the failure of a sovereign
government to service its debt obligations.
• Strategic, reputational, and operational risks are non-financial risks.
(d) [5 marks]
Question: Explain the concept of risk appetite and distinguish it from risk tolerance.
How does an organisation’s attitude towards risk influence its risk management strategy?
(5)
Answer:
Risk appetite is the maximum amount of risk (expressed financially) that an organisation
is prepared to accept and tolerate in pursuit of its objectives within a given time period. It re-
flects a deliberate, board-approved stance on how much uncertainty the organisation is willing
to live with.
Risk tolerance is narrower — it refers to the acceptable deviation from the risk appetite for
Page 4 of 32
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
specific objectives or activities.
Attitude towards risk influences strategy in three ways:
• Risk-averse organisations (conservative approach) require a significant increase in re-
turn to justify accepting additional risk. They prefer low-risk, stable strategies and are
unlikely to enter highly volatile markets.
• Risk-neutral organisations are indifferent to risk; they make decisions based purely on
expected return without adjusting for variability.
• Risk-seeking organisations are willing to accept lower expected returns in exchange for
the chance of a high payoff. This attitude is often associated with speculative behaviour.
Exam Tip
The exam frequently tests the distinction between risk appetite (what the board is
prepared to accept) and the common misconception that it is the maximum financial
amount a business is capable of accepting. Capability and preparedness are different
things — always write “prepared to accept and tolerate.”
Page 5 of 32
, RSK2602 | Exam Revision 2026 Operational & Financial Risk
Question 2 — Operational Risk Management [25 marks]
(a) [6 marks]
Question: With reference to the Basel Committee on Banking Supervision (2003), define
operational risk and identify and discuss the four primary operational risk factors
that business organisations face. Use examples to illustrate your answer. (6)
Answer:
Key Concept
The Basel Committee (2003) defines operational risk as: “the risk of loss resulting
from inadequate or failed internal processes, people and systems, or from
external events.” This definition excludes strategic and reputational risk.
The four primary operational risk factors are:
1. People risk: Losses arising from human error, fraud, misconduct, skills shortages, or key
person dependency. Example: A bank teller processes a transaction incorrectly, leading to
client funds being credited to the wrong account. Internal fraud by an employee manipu-
lating the payroll system is another major people-risk event.
2. Process risk: Losses from failed or inadequate internal processes, procedures, or controls.
Example: A financial institution fails to implement a daily reconciliation procedure, al-
lowing errors to accumulate over months before detection, resulting in a material financial
loss.
3. Systems/Technology risk: Losses from IT system failures, software bugs, cyberattacks,
or data breaches. Example: A bank’s core banking system goes offline for several hours
due to a server failure, preventing customers from accessing their accounts and causing
significant reputational damage.
4. External events risk: Losses from events outside the organisation’s control, including
natural disasters, criminal activities, regulatory changes, or terrorism. Example: Flooding
destroys a company’s data centre, disrupting operations for days.
Page 6 of 32
RSK2602: Fundamentals of
Operational & Financial Risk
OCT/NOV Examination 2026
Comprehensive Revision Pack — Covering Past Papers: 2023, 2024 & 2025
⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆ ⋄ ⋆
Risk Management — Economic & Management Sciences
Exam Revision Guide
RSK2602
Module Code:
Fundamentals of Operational & Financial Risk
Module Name:
OCT/NOV 2023, OCT/NOV 2024, OCT/NOV
Papers Covered: 2025
2026
Revision Year:
100 marks (typical exam)
Total Marks:
2 hours
Duration:
This revision document covers all examinable topics across the 2023–2025 exami-
nation period. Work through each question and answer carefully. Focus on under-
standing the reasoning, not memorisation.
Exam Revision Notes | RSK2602 | 2026
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
Question 1 — Risk Management Fundamentals [20 marks]
(a) [5 marks]
Question: Evaluate the accuracy of the following statement and provide a full motivation
for your answer: “Risk management should be focused exclusively on preventing losses,
and risk should always be viewed as a negative event.” (5)
Answer:
This statement is FALSE. Risk management must address both the downside (loss preven-
tion) and the upside (opportunity exploitation) of potential risk events.
• Dual nature of risk: Risk has two dimensions. One side seeks to prevent or minimise
losses when adverse events occur. The other side deliberately takes on risk with the objec-
tive of generating profit or competitive advantage.
• Positive vs negative view: A purely negative view of risk ignores the reality that or-
ganisations must take calculated risks to grow. Modern enterprise risk management (ERM)
explicitly requires that risk be viewed from both a positive and negative perspective.
• Risk as opportunity: Opportunities such as entering new markets, launching new prod-
ucts, or adopting new technology all carry risk, yet they also carry potential reward. Re-
fusing all risk would prevent an organisation from advancing.
• Balanced approach: Risk management should therefore be focused on both risk avoid-
ance (downside management) and risk-taking (upside exploitation), within the boundaries
of the organisation’s risk appetite.
Key Concept
Risk is defined as the possibility that an event will occur and adversely affect the
achievement of objectives — but equally, risk management encompasses identifying and
exploiting opportunities. ERM integrates both dimensions into a single, coordinated
framework.
Page 2 of 32
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
(b) [5 marks]
Question: Identify and discuss five key drivers that have increased the risk profiles of
organisations. (5)
Answer:
The following drivers have substantially increased the risk exposure of modern organisations:
• More vigilant regulatory environment: Regulators globally have tightened compli-
ance requirements (Basel III/IV, King IV, GDPR), forcing organisations to manage a far
wider range of compliance risks. Non-compliance now carries severe financial and reputa-
tional penalties.
• Increased focus on governance: Shareholders, boards, and regulators demand greater
accountability and transparency, which means failures in governance structures are imme-
diately visible and costly.
• Globalisation: Operating across borders exposes organisations to currency risk, political
risk, cultural risk, and supply chain vulnerabilities that did not exist for domestic-only
businesses.
• More sophisticated consumers: Customers are better informed and more demanding.
Product failures, service disruptions, or ethical lapses quickly translate into reputational
damage and revenue loss.
• Technological advances: The rise of digital systems, cloud computing, and artificial
intelligence has introduced new technology and cyber risks while also creating dependence
on interconnected infrastructure.
Watch Out
A common exam error is listing “less vigilant regulatory environment” as a driver. The
correct driver is a more vigilant (stricter) regulatory environment, which increases
compliance risk exposure.
Page 3 of 32
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
(c) [5 marks]
Question: Distinguish between financial risk and non-financial risk by providing
relevant examples of each. (5)
Answer:
Table 1: Financial Risk vs Non-Financial Risk
Financial Risk Non-Financial Risk
Aspect
Risk of financial loss arising from Risk arising from operational
Definition adverse movements in market failures, strategic missteps, or
variables or counterparty failure reputational damage
Credit risk, market risk, liquidity Operational risk, strategic risk,
Examples risk, exchange rate risk, country reputational risk, technology risk,
risk, interest rate risk legal risk
Typically quantifiable in mone- Often difficult to quantify; mea-
Nature tary terms sured qualitatively
Derivatives, hedging, diversifica- Controls, policies, business conti-
Primary tools tion, capital adequacy nuity plans
• Country risk is classified as a financial risk because it relates to the failure of a sovereign
government to service its debt obligations.
• Strategic, reputational, and operational risks are non-financial risks.
(d) [5 marks]
Question: Explain the concept of risk appetite and distinguish it from risk tolerance.
How does an organisation’s attitude towards risk influence its risk management strategy?
(5)
Answer:
Risk appetite is the maximum amount of risk (expressed financially) that an organisation
is prepared to accept and tolerate in pursuit of its objectives within a given time period. It re-
flects a deliberate, board-approved stance on how much uncertainty the organisation is willing
to live with.
Risk tolerance is narrower — it refers to the acceptable deviation from the risk appetite for
Page 4 of 32
,RSK2602 | Exam Revision 2026 Operational & Financial Risk
specific objectives or activities.
Attitude towards risk influences strategy in three ways:
• Risk-averse organisations (conservative approach) require a significant increase in re-
turn to justify accepting additional risk. They prefer low-risk, stable strategies and are
unlikely to enter highly volatile markets.
• Risk-neutral organisations are indifferent to risk; they make decisions based purely on
expected return without adjusting for variability.
• Risk-seeking organisations are willing to accept lower expected returns in exchange for
the chance of a high payoff. This attitude is often associated with speculative behaviour.
Exam Tip
The exam frequently tests the distinction between risk appetite (what the board is
prepared to accept) and the common misconception that it is the maximum financial
amount a business is capable of accepting. Capability and preparedness are different
things — always write “prepared to accept and tolerate.”
Page 5 of 32
, RSK2602 | Exam Revision 2026 Operational & Financial Risk
Question 2 — Operational Risk Management [25 marks]
(a) [6 marks]
Question: With reference to the Basel Committee on Banking Supervision (2003), define
operational risk and identify and discuss the four primary operational risk factors
that business organisations face. Use examples to illustrate your answer. (6)
Answer:
Key Concept
The Basel Committee (2003) defines operational risk as: “the risk of loss resulting
from inadequate or failed internal processes, people and systems, or from
external events.” This definition excludes strategic and reputational risk.
The four primary operational risk factors are:
1. People risk: Losses arising from human error, fraud, misconduct, skills shortages, or key
person dependency. Example: A bank teller processes a transaction incorrectly, leading to
client funds being credited to the wrong account. Internal fraud by an employee manipu-
lating the payroll system is another major people-risk event.
2. Process risk: Losses from failed or inadequate internal processes, procedures, or controls.
Example: A financial institution fails to implement a daily reconciliation procedure, al-
lowing errors to accumulate over months before detection, resulting in a material financial
loss.
3. Systems/Technology risk: Losses from IT system failures, software bugs, cyberattacks,
or data breaches. Example: A bank’s core banking system goes offline for several hours
due to a server failure, preventing customers from accessing their accounts and causing
significant reputational damage.
4. External events risk: Losses from events outside the organisation’s control, including
natural disasters, criminal activities, regulatory changes, or terrorism. Example: Flooding
destroys a company’s data centre, disrupting operations for days.
Page 6 of 32
