Definition of an Effective Key Risk Indicator (KRI)
A KRI is a metric used to identify, measure, and monitor emerging risks. To be effective, KRIs must be both quantitative and qualitative, allowing for a comprehensive risk view.

Key Characteristics of Effective KRIs
Quantitative - Uses numerical data for trend analysis.
Qualitative - Incorporates expert judgment and scenario-based insights.
Consistent - Maintains uniform definitions across reporting periods.
Efficient & Repeatable - Must be easily measured and consistently reported.

Why Other Answers Are Incorrect
B. Qualitative, Consistent, Efficient & Repeatable. Incorrect - Excludes the quantitative aspect, which is essential for KRIs.
C. Quantitative, Consistent, Comparable, Efficient & Repeatable. Incorrect - While comparability is useful, qualitative factors are missing, making this answer incomplete.
D. Quantitative, Repeatable and Efficient. Incorrect - Lacks qualitative insights and consistency as key factors for KRIs.

PRMIA Reference for Verification
PRMIA Risk Indicator Guidelines
Basel Committee's Principles on Risk Data and KRI
Question 2
Compliance departments traditionally provide policy, oversight, and set the standards for monitoring personal dealing. Which control below would assist in implementing such policies?
Correct Answer: C
Definition of DORA
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation aimed at strengthening the digital operational resilience of financial institutions. It establishes a regulatory framework for managing information and communication technology (ICT) risk in the financial sector.

Key Objectives of DORA
Ensures that financial institutions can withstand, respond to, and recover from cyber threats and ICT-related disruptions.
Introduces standards for ICT risk management, incident reporting, resilience testing, and oversight of third-party ICT providers.

Why Other Answers Are Incorrect
A. Domain for Operational Risk Act. Incorrect - No regulation exists under this name.
B. Digital Operational Risk Act. Incorrect - The official name is the Digital Operational Resilience Act (DORA).
C. Daily Operational Resilience Act. Incorrect - DORA addresses ongoing digital operational resilience, not a "daily" operations regime.

PRMIA Reference for Verification
PRMIA Risk Governance & Digital Resilience Standards
European Commission's Official DORA Regulation
Question 3
What are the objectives of conducting an internal loss investigation?
Correct Answer: A
Step 1: Purpose of Internal Loss Investigations
Internal loss investigations analyze past loss events to identify root causes, improve controls, and enhance risk assessments.

Step 2: Why Option A Is Correct
Root Cause Analysis: Identifying why the loss occurred.
Focus on Remediation: Implementing corrective measures to prevent recurrence.
Scenario Analysis Improvement: Using lessons learned to enhance risk scenario modeling.

Step 3: Why the Other Options Are Incorrect
Option B ("Focus on who caused the issue") - Incorrect because loss investigations address systemic issues, not the assignment of blame.
Option C ("Ascertain responsibility for the loss event") - Incorrect because the focus is on process improvement, not individual accountability.
Option D ("Determined by HR on a case-by-case basis") - Incorrect because HR does not dictate risk investigations; the risk and compliance functions do.

PRMIA Risk Reference Used:
PRMIA Operational Risk Framework - Emphasizes loss investigations for systemic risk management.
Basel III Risk Governance Standards - Defines loss event analysis as a key risk management tool.
Question 4
ISO 27000 relates to what topic / area?
Correct Answer: B
Step 1: Definition of ISO 27000
ISO/IEC 27000 is the overview and vocabulary standard of the ISO/IEC 27000 series, the family of international standards for information security management systems (ISMS) published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides a framework for protecting sensitive information through policies, controls, and risk management practices.

Step 2: Why Option B Is Correct
ISO/IEC 27001 (the certifiable requirements standard of the 27000 series) is one of the most widely recognized certifications for information security governance. It specifies requirements for establishing, operating, and continually improving an ISMS, including risk assessment, control selection, and management of security incidents.

Step 3: Why the Other Options Are Incorrect
Option A ("ESG investing") - Incorrect because ISO 27000 deals with information security, not environmental, social, and governance (ESG) issues.
Option C ("International Risk Management") - Incorrect because ISO 27000 focuses on information security risk, not general enterprise risk management (which is the subject of ISO 31000).
Option D ("Auditing of financial controls") - Incorrect because financial-control laws and frameworks (e.g., SOX, COSO) are separate from information security standards.

PRMIA Risk Reference Used:
ISO 27000 Series Documentation - Defines information security risk management practices.
PRMIA IT Risk Governance Framework - References ISO 27001 as a cybersecurity standard.
Question 5
How should Near Misses and Opportunity Costs be treated within Operational Risk?
Correct Answer: C
Near Misses in Operational Risk
A near miss is an event that could have led to a loss but was avoided or mitigated before any actual financial impact occurred. PRMIA emphasizes that near misses should be reported, recorded, and analyzed because they provide valuable insights into potential weaknesses in risk controls. However, since they did not result in actual financial losses, they are not included in the calculation of Operational Risk Capital.

Opportunity Costs in Operational Risk
Opportunity costs refer to the loss of potential gains due to missed strategic opportunities. These are not directly quantifiable as operational risk losses and are not included in Operational Risk Capital calculations. PRMIA's Operational Risk Framework states that operational risk is about actual losses rather than theoretical costs.

Why Other Answers Are Incorrect
A. Ignored. Incorrect - Near misses and opportunity costs provide valuable insights into operational risk, so they should never be ignored.
B. Recorded and Analyzed. Used in calculation of Operational Risk Capital. Incorrect - While they should be recorded and analyzed, they are not included in Operational Risk Capital calculations because they do not result in actual losses.
D. Reported, Recorded, and Analyzed. Used in calculation of Operational Risk Capital. Incorrect - Reporting, recording, and analysis are correct, but they should not be included in capital calculations.

PRMIA Reference for Verification
PRMIA Operational Risk Management Standards - Defines near misses and opportunity costs.
Basel II & III Operational Risk Framework - Outlines the principles of operational risk capital calculations.