
We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

FRM Part II Exam

By AnalystPrep

Questions with Answers - Operational Risk and Resiliency

Last Updated: Mar 13, 2023

©2023 AnalystPrep “This document is protected by International copyright laws. Reproduction and/or distribution of this document is prohibited. Infringers will be prosecuted in their local jurisdictions.”



Table of Contents

99 - Introduction to Operational Risk and Resilience
100 - Risk Governance
101 - Risk Identification
102 - Risk Measurement and Assessment
103 - Risk Mitigation
104 - Risk Reporting
105 - Integrated Risk Management
106 - Cyber-resilience: Range of Practices
107 - Case Study: Cyberthreats and Information Security Risks
108 - Sound Management of Risks related to Money Laundering and Financing of Terrorism
109 - Case Study: Financial Crime and Fraud
110 - Guidance on Managing Outsourcing Risk
111 - Case Study: Third-Party Risk Management
112 - Case Study: Investor Protection and Compliance Risks in Investment Activities
113 - Supervisory Guidance on Model Risk Management
114 - Case Study: Model Risk and Model Validation
115 - Stress Testing Banks
116 - Risk Capital Attribution and Risk-Adjusted Performance Measurement
117 - Range of Practices and Issues in Economic Capital Frameworks
118 - Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice
119 - Capital Regulation Before the Global Financial Crisis
120 - Solvency, Liquidity and Other Regulation After the Global Financial Crisis
121 - High-level Summary of Basel III Reforms
122 - Basel III: Finalising Post-Crisis Reforms


Reading 99: Introduction to Operational Risk and Resilience

Q.5044 A risk manager at the Bank of India is presenting a holistic overview of operational risk and
resilience to a group of employees. Which of the following statements made by the manager about the
operational risk management (ORM) framework is least likely correct?

A. Operational risk is the risk of loss resulting from inadequate or failed internal processes,
people, systems, or external events

B. ORM is a relatively new discipline in the financial sector

C. ORM was inspired by the failure of Barings Bank

D. Market and credit risks with their bases in operational risk events are called boundary
events.

The correct answer is D.

Market and credit losses, and not market and credit risks, with their bases in operational risk events such as errors and frauds are called boundary events.

A is incorrect. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. It includes events such as fraud, employee errors, criminal activity, and security breaches.

B is incorrect. ORM is a relatively new discipline in the financial sector. Financial management has long been based on credit, market, and actuarial risk. Moreover, since the 15th century, banks have been lending money and managing credit risk. For a long time, banks did not require external regulations to manage risk since banks were mainly exposed to fraud which could easily be detected and managed. However, the evolution of the financial industry led to increased risk exposure.

C is incorrect. Following the Barings Bank incident, the Basel Committee on Banking Supervision (BCBS) developed requirements for banks to manage risks that arise from their general operations (operational risk) beyond the risks due to credit exposure and market transactions.


Q.5045 Mr. Jonathan Howard, FRM, is presenting on the ORM framework. Jonathan highlights
several points regarding the ORM framework. Which of the following statements made by Jonathan
is least likely correct?

A. Companies should develop a holistic picture of their risk management practices to
understand the relationships between actions, tools, and techniques

B. A good ORM framework should include governance and conduct risk as the umbrella of all
other risk management actions

C. Regulated financial service companies are required to define their risk appetite and
tolerance as a means of achieving their objectives

D. Risk monitoring focuses on the definition, discovery, selection, and categorization, of the
risks faced by a business or in a given activity

The correct answer is D.

Risk identification focuses on the definition, discovery, selection, and categorization, as exhaustively as possible, of the risks faced by a business or in a given activity while risk monitoring indicates whether risk management has been effective.

A is incorrect. It is crucial for companies to develop a holistic picture of their risk management practices to understand the relationships between actions, tools, and techniques.

B is incorrect. A good ORM framework should include governance and conduct risk as the umbrella of all other risk management actions. These management actions include risk identification, risk appetite definition, risk assessment, risk mitigation, and risk monitoring.

C is incorrect. Regulated financial service companies are required to define their risk appetite and tolerance as a means of achieving their objectives. Risk appetite drives risk exposure and mitigation priorities, making it a key component of an ORM approach.


Q.5046 A risk analyst analyzes the types of risks that fall within the ORM framework. Which of the
following statements made by the analyst is least likely correct?

A. According to BCBS, the definition of operational risk includes legal risk and strategic risk
but excludes reputational risk

B. Recently, BCBS clarified that reputation and strategic risks should be considered by banks
where appropriate.

C. Compliance risks occur when an institution incurs fines due to knowingly or unknowingly
ignoring the industry's set of rules and regulations.

D. We can argue that strategic risk forms part of the operational risk of an organization.

The correct answer is A.

According to BCBS, the definition of operational risk includes legal risk but excludes strategic and reputational risk.

B is incorrect: The inclusion of legal risk and the exclusion of strategic and reputation risk have been discussed and postulated among professionals. BCBS, however, recently changed its stand by pointing out, in its latest Revisions to the Principles for the Sound Management of Operational Risk (2021), "Where appropriate, strategic and reputational risks should be considered by banks' operational risk management."

C is incorrect: Compliance risks occur when an institution incurs fines for knowingly or unknowingly ignoring the industry's set of rules and regulations, internal policies, or best practices. Some examples of compliance risks include money laundering, financing terrorism activities, and helping clients to evade taxes.

D is incorrect: It can be argued that people are not only the main cause but also the mitigant of operational risk and that strategic performance depends largely on the competence of senior management. We can therefore argue that strategic risk forms part of the operational risk of an organization.


Q.5047 Bank ABC has identified weaknesses in its operational risk management framework and has
invited a risk consultant to enlighten them more about operational risk. Which of the following types
of risk did the consultant define correctly within the scope of the ORM framework?

A. Legal risk refers to the possibility that a contract will be enforced or breached, the
relevance of the contract, the laws and legislation, and the risk of loss in the event of a
breach or error

B. Compliance risks occur when an institution incurs fines due to knowingly or unknowingly
ignoring the industry's set of rules and regulations

C. Strategic risk is the risk that the strategy is not executed in the way it is intended or the
risk that the strategy fails as a result of making the wrong strategic choices

D. Reputational risk is the potential for a company or organization to suffer harm to its
reputation, public image, or brand due to the negative impacts of an operational event.

The correct answer is D.

Reputational risk is the potential for a company or organization to suffer harm to its reputation, public image, or brand due to the negative impacts of an operational event.

A is incorrect. Legal risk refers to the possibility that a contract will be enforced or breached, the relevance of the contract, the laws and legislation, and the risk of loss in the event of a breach or error.

B is incorrect. Compliance risks occur when an institution incurs fines due to knowingly or unknowingly ignoring the industry's set of rules and regulations, internal policies, or best practices.

C is incorrect: Strategic risk can be nuanced between the risk that the strategy is not executed in the way it is intended and the risk that the strategy fails as a result of making wrong strategic choices.


Q.5048 BCBS categorizes operational risk into seven broad categories, commonly known as "Basel
types level 1." These types are further divided into regulatory types (level 2) and examples (level 3).
An FRM Part II candidate highlights several points regarding the Basel event risk type categories.
Which of the following statements is correct?

A. Internal fraud and external fraud are under the same event risk category

B. Acts that go against laws put in place to safeguard the health, safety, and general well-being
of employees and customers fall under clients, products, and business practices

C. Issues such as data entry errors and unfinished legal documents fall under execution,
delivery, and process management

D. Losses due to theft and hacking are examples of event risks under the damage to physical
assets category

The correct answer is C.

Issues such as data entry errors and unfinished legal documents relate to the failure to execute transactions and manage processes correctly. This falls under the category of execution, delivery, and process management.

A is incorrect. Internal fraud and external fraud are actually two different event risk categories.

B is incorrect. Acts that go against laws put in place to safeguard the health, safety, and general well-being of both employees and customers fall under employment practices and work safety.

D is incorrect. Losses due to theft and hacking are examples of event risks under external fraud.


Q.5049 Which of the following is most likely an example of execution, delivery, and process
management (EDPM) type of operational risk of the “Basel types level 1”?

A. Destruction of equipment

B. Contract termination issues

C. Vendor disputes

D. Unauthorized activities by employees

The correct answer is C.

Examples of execution, delivery, and process management (EDPM) event types include processing errors, missing documentation, and vendor disputes.

A is incorrect. Destruction of equipment is an example of damage to physical assets. Other examples include natural disasters and losses.

B is incorrect. Contract termination issues are an example of employment practices and workplace safety (EPWS). Other examples include discrimination and employer’s liability.

D is incorrect. Unauthorized activities by employees are an example of internal fraud. Another example is fraud by employees.


Q.5050 A number of unique characteristics influence the management and measurement of
operational risk. These characteristics make operational risk particularly challenging to manage and
complex to model. Which of the following is correct regarding the characteristics of operational
risk exposure?

A. Operational risk can only arise from risk managers within a firm

B. Losses due to operational risk materialize in a symmetric way

C. The range of operational risk can only arise within one business line

D. Operational risk is dynamic and evolving in nature

The correct answer is D.

Operational risk is dynamic and evolving in nature. For example, the evolution of operational risk in the financial sector follows the development of the financial sector itself. The need for operational risk management was inspired by the massive losses reported by institutions resulting from fraudulent trading and excessive exposure in the new derivative markets in the late 1990s. A good example is the failure of Barings Bank in 1996. With time, operational risk has been evolving to reflect the changing industry and environment.

A is incorrect. Operational risk is idiosyncratic and diffuse in nature, meaning that it arises from each person and process within the firm; therefore, everyone has to take part in managing operational risk.

B is incorrect. Losses due to operational risk materialize in a highly asymmetric way. The distribution of operational risk is highly skewed, with a higher concentration of the density being in the lowest part of the distribution. On the other hand, a heavy tail stretches to a small number of very large events.

C is incorrect. The range of operational risk is complex and can arise in every business line. Most operational risks arise from weaknesses in controls, biases, failing human behavior, and changes in operating environments.


Q.5051 An investment firm has contracted a risk professional and wishes to discuss the
characteristics of operational loss events and challenges that may arise in managing operational risk.
Which of the following characteristics correctly matches its description?

A. Heterogeneous – Operational risk is highly heterogeneous because it encompasses diverse
risks, such as fraud in retail transactions

B. Idiosyncratic and diffuse – The distribution of operational risk is highly skewed, with a
higher concentration of the density being in the lowest part of the distribution

C. Interconnected – Operational risk arises from each person and process within the firm;
therefore, everyone has to take part in managing operational risk

D. Heavy-Tailed – Operational risk is evolving in nature

The correct answer is A.

Different causes, consequences, and distributions of losses are associated with operational risk. Operational risk events can vary greatly even within the same risk category. Operational risk is highly heterogeneous because it encompasses diverse risks such as fraud in retail transactions.

B is incorrect. Operational risk is idiosyncratic and diffuse in nature since it arises from each person and process within the firm; therefore, everyone has to take part in managing operational risk. Back office clerks should carefully handle transactions before validating them to avoid fraud and errors. On the other hand, IT managers should test any IT applications to avoid bugs and disruptions. Credit managers should carefully record credit collateral to avoid further losses in case of defaults.

C is incorrect. Operational risks are interconnected in a way that the range of operational risks is complex and can arise in every business line. Most operational risks arise from weaknesses in controls, biases, failing human behavior, and changes in operating environments. These factors largely contribute to the multiplicity of operational, credit, and market risks.

D is incorrect. Operational losses are heavy-tailed in that losses due to operational risk materialize in a highly asymmetric way. The distribution of operational risk is highly skewed, with a higher concentration of the density being in the lowest part of the distribution. On the other hand, a heavy tail stretches to a small number of very large events.


Q.5052 Bank ABC wishes to strengthen its operational resilience. The bank invites a consultant to
give more insights into this area. In his definition of resilience, the consultant clarifies that according
to BCBS, resilience cannot be defined in a single sentence but rather comprises four components.
Which of the following components is correctly defined?

A. Continuity of business services: To contribute to the stability of the system, firms should
respond to disruptions, maintain trust among key stakeholders, and provide clarity of
communication during a crisis

B. Important business services: From a process-based view of continuity, the regulator
moved to a service-based view to ensure continuity

C. Management of disruption: It protects vital business services from disruption

D. Lessons learned: Firms should learn from past events and cover predictable shocks only

The correct answer is B.

Important business services: To ensure continuity, the regulator moved from a process-based view of continuity to a service-based view.

A is incorrect. Continuity of business services: It is the closest element to the classic business continuity planning and prevention approach. It protects vital business services from disruption.

C is incorrect. Management of disruption: To contribute to the stability of the system, firms should respond to disruptions, maintain trust among key stakeholders, and provide clarity of communication during a crisis.

D is incorrect. Lessons learned: Firms should learn from past events and improve their resilience to encompass unexpected extreme shocks.


Q.5053 The Federal Reserve's Sound Practices for Strengthening Operational Resilience, published
in 2020 along similar business lines and tolerance levels, illustrates that operational resilience is an
important element in an Operational Risk Management Framework. Which of the following is not a
regulatory expectation for operational resilience in line with the BCBS?

A. Effective coordination of ORM relies on a solid foundation of governance and assigning
roles and responsibilities to each party

B. Firms are required to monitor and report the coordination and maintenance of Business
Continuity Management (BCM) and IT systems resilience

C. A strong ORM framework is necessary in order to achieve operational resilience

D. Firms are required to reduce their reliance on third parties

The correct answer is D.

The Federal Reserve's Sound Practices for Strengthening Operational Resilience does not encourage firms to reduce their use of third parties. It encourages firms to properly manage third parties as they are among typical areas that can expose firms to huge risks.

A is incorrect. The Fed document on operational resilience shows that operational resilience is a holistic outcome of different components of ORM in the organization. Effective coordination of ORM relies on a solid foundation of governance and assigning roles and responsibilities to each party, and resilience is the necessary starting point.

B is incorrect. Business Continuity Management (BCM) and IT systems resilience are the two essential pillars supporting operational resilience. Firms are required to monitor and report the coordination and maintenance of these activities.

C is incorrect. The ORM is the central component of operational resilience because resilience cannot be achieved without a proper ORM and two of its specializations: third-party risk management, which ensures supply chain resilience, and scenario analysis, which ensures that tail events can be dealt with.


Reading 100: Risk Governance

Q.5054 Mr. Rihan, a risk specialist at Bank ABC, is presenting to the board of directors on the Basel
regulatory expectations for the governance of an operational risk management framework. What is
the purpose of supervisory risk management in the ORM framework of banks in this context?

A. To create a paper trail of compliance activities.

B. To only identify material risks per the firm's risk appetite.

C. To develop robust governance policies and processes and manage material risks per the
firm's risk appetite.

D. To oversee all the activities of banks.

The correct answer is C.

Supervisory risk management in the ORM framework of banks involves assessing the risk profile in a forward-looking manner, developing robust governance policies and processes to facilitate the establishment of a robust risk management framework, identifying and managing all material risks per the firm's risk appetite, and ensuring an effective control environment. This comprehensive approach is aimed at creating a sound and effective risk management system, not just creating a paper trail of compliance activities.

A is incorrect. Creating a paper trail of compliance activities is not the sole purpose of supervisory risk management.

B is incorrect. Identifying material risks per the firm's risk appetite is just one part of the supervisory risk management process.

D is incorrect. Overseeing the activities of banks is not the main objective of supervisory risk management in the ORM framework of banks.


Q.5055 In an FRM presentation on the Basel regulatory expectations for the governance of an
operational risk management framework, an FRM candidate wishes to know how one can examine
whether the ORM framework is being implemented at a firm. Which of the following questions
should least likely be used to examine the above case?

A. Is there evidence that all material events are captured in event reports? Do reports
provide lessons and root-cause analysis? Does this include near misses?

B. Does the value of each risk indicator come from an independent source?

C. Are the presented data sufficient for decision-making?

D. Does the information pertain to the senior management?

The correct answer is D.

To examine whether an ORM framework is being implemented in a firm, the following questions should be asked:

I. Is there evidence that all material events are captured in event reports? Do reports provide lessons and root-cause analysis? Does this include near misses?
II. Is the basis for risk and control assessments robust and consistent? Are the right people involved? Are the assessments challenged and peer-reviewed to ensure consistency across the organization?
III. Does the value of each risk indicator come from an independent source? Do line managers (the risk owners) approve of the indicators as being the best? How often are they refreshed?
IV. Scenarios: Are they sufficient enough? Do they remain realistic while being sufficiently extreme? Is the assessment objective, documented, and repeatable?
V. Coverage: Do the reports sufficiently cover the ORM scope?
VI. Risk reporting: Are the presented data sufficient for decision-making? Does the information pertain to the level of management it is intended for?


Q.5056 A company's operational risk is managed through several committees that make collegial
decisions based on information provided by different levels of the firm's decision-making hierarchy
and information escalated by those committees. Which of the following is the correct function of the
operational risk committee?

A. Overseeing, managing, and reporting a comprehensive picture to the executive risk
committee, management committee, and board risk committee

B. Overseeing the activities of a specific business line or function

C. Overseeing all operational risks

D. Reviewing and monitoring the investigation of large incidents

The correct answer is A.

The Operational Risk Committee is responsible for overseeing, managing, and reporting a comprehensive picture to the executive risk committee, management committee, and board risk committee.

B is incorrect. Overseeing the activities of a specific business line or function is the responsibility of the business line operational risk committee.

C is incorrect. Overseeing all operational risks is the responsibility of the Risk Committee of the board.

D is incorrect. Reviewing and monitoring the investigation of large incidents is also a responsibility of the board's risk committee.


Q.5057 The 3rd principle of operational risk management outlines the roles of the board of directors
in operational risk governance. Which of the following roles of the board is in line with principle 3?

A. Identify the types and levels of operational risks the bank is willing to assume, as well as
approve risk appetite and risk tolerance statements

B. Regularly review the bank's risk appetite and tolerance statements' appropriateness

C. Ensure the ORM framework is subject to independent review by sufficiently skilled
personnel

D. Ensure that they consider all risks when approving the bank's risk appetite and tolerance
statements which provide details on risk limits and thresholds.

The correct answer is C.

With respect to Principle 3, the board of directors should:

- Establish a culture and processes that help everyone – including board members, managers, and employees – understand the nature and scope of operational risks.
- Regularly review the ORM Framework to ensure that it considers emerging/evolving risks.
- Provide senior management with guidance regarding operational risk management and approve policies developed by senior management to manage operational risk.
- Ensure that the bank has identified and is managing operational risks arising from external market changes and other environmental factors by reviewing, evaluating, and approving the ORM Framework on a regular basis.
- Ensure the ORM framework is subject to independent review by sufficiently skilled personnel.
- Ensure that management follows the evolution of best practices and avails themselves of these changes.

A, B and D are incorrect. The options fall under principle 4 for risk appetite and tolerance.


Q.5058 The Bank of India wishes to get a deeper understanding of the three lines of defense. To
achieve this, the bank has invited an operational risk specialist to shed more light on this topic.
Which of the following roles did the specialist highlight under the first line of defense?

A. Keeping track of the operational risk profiles of the business units and reporting them

B. The development and maintenance of operational risk management and measurement
policies, standards, and guidelines, as well as the design and delivery of operational risk

C. Reviewing other lines of business

D. Reviewing and taking part in the monitoring and reporting of the operational risk profile

The correct answer is A.

The front-line risk management involves all commercial and front-office operational functions or simply business functions. An effective first line of defense consists of the following responsibilities:

- Evaluating and identifying operational risks inherent in the business.
- Developing appropriate controls.
- Evaluating the effectiveness and design of these controls.
- Keeping track of the operational risk profiles of the business units and reporting them.

B is incorrect. The development and maintenance of operational risk management and measurement policies, standards, and guidelines, as well as the design and delivery of operational risk, falls under the second line of defense.

C is incorrect. The third line of defense is the one responsible for reviewing both the first and the second line of business.

D is incorrect. The second line of defense is the one responsible for reviewing, monitoring, and reporting the operational risk profile.


Q.5059 The second line of defense, also referred to as the independent corporate operational risk
function, is involved in policy setting and provides assurance over first-line activities. The CORF
generally complements the operational risk management activities of individual business lines. The
following are the responsibilities of the second line of defense except?

A. Establishing an independent view of the business units' risk management activity

B. Evaluating and identifying operational risks inherent in the business

C. Reviewing and taking part in the monitoring and reporting of the operational risk profile

D. Assessing the relevance and consistency of the department's implementation of
operational risk management tools, measurement activities, and reporting systems

The correct answer is B.

Evaluating and identifying operational risks inherent in the business is the role of the first line of defense.

The second line of defense is responsible for:

- The development and maintenance of operational risk management and measurement policies, standards, and guidelines, as well as the design and delivery of operational risk training to promote awareness and competency concerning operational risk.
- Establishing an independent view of the business units' risk management activity, including the identification of material operational risks, the design and effectiveness of key controls, and the respect of risk appetites and tolerances.
- Assessing the relevance and consistency of the department's implementation of operational risk management tools, measurement activities, and reporting systems and providing evidence that this is an effective approach.
- Reviewing and taking part in the monitoring and reporting of the operational risk profile.


Q.5060 The third line of defense consists of the bank's audit function, which performs independent oversight of the first two lines. Everyone involved in the auditing process must not be a participant in the process under review. According to the Institute of Internal Auditors (IIA, 2017), in which of the following ways should the internal audit least likely interact with risk management, compliance, board of directors and finance?

A. Corporate governance structures must include effective risk management, compliance, and finance functions

B. A company's internal audit should never rely exclusively on risk management, compliance, or finance to evaluate the effectiveness of internal controls

C. The internal audit should make informed decisions regarding the appropriateness of incorporating relevant work handled by others, such as risk management, compliance, or finance

D. The internal audit should assess the effectiveness and adequacy of risk management, compliance, board of directors and finance functions.

The correct answer is D.

According to the Institute of Internal Auditors (IIA, 2017), the internal audit should interact with the risk management, compliance, and finance functions in the following ways:

Corporate governance structures must include effective risk management, compliance, and finance functions. This should not be the responsibility of, or a part of, an internal audit.

An internal audit should assess the effectiveness and adequacy of risk management, compliance, and finance functions. A company's internal audit should never rely exclusively on risk management, compliance, or finance to evaluate the effectiveness of internal controls. The internal audit itself should always assess a sample of the activities under review. Internal audit does not assess the board of directors.

As part of its risk assessment, internal audit should make informed decisions regarding the appropriateness of incorporating relevant work handled by others, such as risk management, compliance, or finance.


Q.5061 According to the 4th principle of operational risk management, the board must identify the
types and levels of operational risks the bank is willing to assume, as well as approve risk appetite
and risk tolerance statements. Which of the following is least likely a correct feature of these
statements?

A. Be easy to communicate and understand

B. Provide reasons for taking or avoiding certain operational risks

C. Be forward-looking and subject to scenario and stress testing

D. Perform scenario analysis retrospectively

The correct answer is D.

According to principle 4, the risk appetite and risk tolerance statements should:

be easy to communicate and understand;

provide the assumptions and information used by the bank to prepare its business plan;

provide reasons for taking or avoiding certain operational risks;

ensure risk limits align with the bank-wide risk appetite statement; and

be forward-looking and subject to scenario and stress testing.


Q.5062 Mr. Ibrahim Rashid is a lecturer at Oxford University. In one of his lectures on risk appetite
and tolerance, Rashid states several points regarding risk appetite and risk tolerance. Which of the
following statements made by Rashid is least likely correct?

A. As a good practice of risk appetite, a risk owner should be assigned to each risk type;
control owners to design, implement, and evaluate controls

B. Risk appetite should be consistent with the firm's objectives and the firm's risk
management strategy

C. To demonstrate their risk appetite and tolerance for disruptions, firms must set maximum
impact tolerances for critical business services

D. Risk Appetite and tolerance statement for operational risk to be approved and periodically
reviewed by senior management

The correct answer is D.

The risk appetite and tolerance statement for operational risk is to be approved and periodically reviewed by the board, not senior management.

A is incorrect. As a good practice of risk appetite, a risk owner should be assigned to each risk type; control owners to design, implement, and evaluate controls. Metrics owners are responsible for collecting, reporting, and monitoring metrics that measure the organization's risk appetite. Owners of risk are managers who manage, maintain, and monitor risk within defined appetite and tolerance limits.

B is incorrect. Risk appetite should be consistent with the firm's objectives and the firm's risk management strategy. Such a well-articulated risk appetite that is strategically aligned with the firm's objectives can be used as guidance for making important business decisions.

C is incorrect. To demonstrate their risk appetite and tolerance for disruptions, firms must set maximum impact tolerances for critical business services.


Q.5063 According to the 1st principle of operational risk management, the bank should maintain a strong risk management culture spearheaded by the bank's board of directors and senior managers. The bank should strive to propagate a culture of operational risk resilience where everyone understands the need to manage risk. With respect to principle 1, the board of directors and/or senior management should least likely perform which of the following?

A. Provide a sound foundation for a strong risk management culture within the bank

B. Establish a code of conduct (or ethics policy) for all employees that outline expectations
for ethical behavior

C. Provide risk training throughout all levels of the bank

D. Senior management should receive assurance of operational resilience and timely reporting from the board of directors

The correct answer is D.

The board should receive assurance of ongoing operational resilience through timely reporting from senior management, particularly when significant deficiencies could affect the delivery of the firm's critical operations. It's the board that receives assurances and reports from senior management.

A is incorrect. The board should provide a sound foundation for a strong risk management culture within the bank. With a strong risk management culture and ethical business practices, the bank is less likely to experience potentially damaging operational risk events. If the bank ends up experiencing such an event, it would be better placed to deal effectively with the outcome.

B is incorrect. Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical behavior. The code of conduct should identify acceptable business practices and prohibited conflicts.

C is incorrect. Provide risk training throughout all levels of the bank. Training should consider the level of seniority, roles, and responsibilities of the trainee.


Q.5064 In an FRM Exam discussion forum on risk culture, which of the following statements stated
by one candidate is least likely correct?

A. Banks with a strong risk culture are less likely to be affected by damaging operational risk
events

B. It is easy to implement an effective risk appetite framework where there is already a strong risk culture

C. Firms should organize training and compensation structures to reinforce the codes of conduct to promote a strong risk culture

D. To promote a strong risk culture, a firm must have well-documented policies and codes
that apply to the senior management of the firm

The correct answer is D.

To promote a strong risk culture, a firm must have well-documented policies and codes that apply to everyone in the firm. Creating awareness and alerting people of the firm's policies and rules contributes towards a strong risk culture.

A is incorrect. Banks with a strong risk culture are less likely to be affected by damaging operational risk events and are better positioned to deal with such events when they occur.

B is incorrect. It is easy to implement an effective risk appetite framework where there is already a strong risk culture. Success on the risk appetite journey is extremely difficult without a strong risk culture.

C is incorrect. Firms should organize training and compensation structures to reinforce the codes of conduct to promote a strong risk culture. Educating all participants about operational risks embedded in activities and processes is another critical component of creating a sound risk culture.


Reading 101: Risk Identification

Q.5065 Which of the following is most likely a document that includes all operational risks of a firm,
the likelihood of the risks and the controls applied to each risk?

A. Risk universe

B. Top-ten risks

C. Risk register

D. Shock scenarios

The correct answer is C.

The risk register is the central repository of all operational risks in financial firms. It is a document that includes all operational risks of a firm, the likelihood of the risks and the controls applied to each risk.

A is incorrect. The risk universe is a list of all the risks a firm believes it is exposed to. It is a comprehensive risk inventory.

B is incorrect. The top-ten risks are the most important risks for the organization in terms of both likelihood and impact.

D is incorrect. Shock scenarios are events that would be extremely impactful but highly unlikely to occur.


Q.5066 Which of the following four main categories of controls is implemented to reduce the likelihood of risks materializing by mitigating their possible causes?

A. Detective controls

B. Corrective controls

C. Preventative controls

D. Directive controls

The correct answer is C.

Preventative controls are implemented to reduce the likelihood of risks materializing by mitigating their possible causes.

A is incorrect. Detective controls take place during the event or soon after, with the objective of early detection to reduce the impact.

B is incorrect. Corrective controls are implemented to reduce or correct the negative impacts generated by incidents.

D is incorrect. Directive controls include the set guidelines, procedures, and training that structure the conduct of operations to reduce risks.


Q.5067 Which of the following risk identification processes begins at the executive level, then moves to the business units, and finally to individual business processes?

A. Bottom-up risk identification

B. Event and loss data analysis

C. Top-down risk identification

D. Risk and control self-assessment

The correct answer is C.

The process of top-down risk identification begins at the board/executive level of the company, moves down through the departments of the business units, and ends with the individual business processes. The goal of top-down risk identification is to identify the most significant corporate dangers that could compromise strategic goals.

A is incorrect. Bottom-up risk identification is the process carried out at the local company level, in a department, or at the level of a specific process. It is a complement to the top-down risk identification.

B is incorrect. Event and loss data analysis is a bottom-up risk identification tool that uses the analysis of internal losses, external losses and near misses to identify risk.

D is incorrect. A risk and control self-assessment (RCSA) exercise is a risk identification tool where an organization or a business line evaluates the likelihood and the impact of its operational risks.


Q.5068 Which of the following most likely describes risks that a firm has identified as being on the horizon, relatively small but on the rise with the potential for significant impact in the future?

A. Emerging risks

B. Risk universe

C. Taxonomies

D. Risk register

The correct answer is A.

Emerging risks are risks that a firm has identified as being on the horizon, relatively small but on the rise with the potential for significant impact in the future and not well understood yet.

B is incorrect. The risk universe is a list of all the risks a firm believes it is exposed to. It is a comprehensive risk inventory.

C is incorrect. Taxonomies are a range of impacts that are a result of risks from the possible combinations of causes, control failures and change in environment.

D is incorrect. The risk register is the central repository of all operational risks in financial firms. It is a document that includes all operational risks of a firm, the likelihood of the risks and the controls applied to each risk.


Q.5069 Which of the following is not a top-down risk identification tool?

A. Exposures and vulnerabilities

B. Risk wheel

C. Process mapping

D. Horizon scanning

The correct answer is C.

Process mapping is a bottom-up risk identification technique. It entails outlining the steps of a process step by step, considering the risks associated with a particular set of actions, and asking what could go wrong at each stage.

Exposures and vulnerabilities, risk wheel and horizon scanning are all top-down risk identification techniques.


Q.5070 Which of the following is least likely classified as an exposure under top-down risk
identification tools?

A. Critical third parties

B. Key distribution channels

C. Systems overdue for updates

D. Main drivers of revenues

The correct answer is C.

Exposures and vulnerabilities are top-down risk identification tools. Business risk exposure is inherent in every financial firm while vulnerabilities are the weakest links in business activities.

The key benefit of using a list of exposures and vulnerabilities as a brainstorming technique for risk identification is that it is business specific.

Examples of exposures are critical third parties, key persons, key distribution channels, main drivers of revenue, sources of goodwill among others.

Examples of vulnerabilities are issues in control systems, systems overdue for updates, overdue resolutions of issues, stand-alone systems, unmonitored operations or people, blind spots among others.


Q.5071 Which of the following bottom-up risk identification tools relates to incidents that could have
resulted in operational losses but did not due to interventions outside normal controls?

A. Internal losses

B. External losses

C. Near misses

D. Process mapping

The correct answer is C.

Near misses are incidents that could have resulted in an operational loss but did not because of good luck or intervention outside of the normal course of controls. An example would be sending funds to the wrong person but having the funds reversed before the funds could be withdrawn.

A is incorrect. Internal losses are losses resulting from fraud, misappropriation of assets, or actions that violate the law, corporate policy, or regulations that involve at least one internal party.

B is incorrect. External losses are losses brought on by third-party fraud, property theft, or law-breaking actions with the intent to deceive.

D is incorrect. Process mapping, that is, laying out the tasks of a process step by step and asking what can go wrong in each step, is a structured way of reflecting on the risks attached to a set of activities.


Q.5072 Which of the following is not one of the six components of PESTLE that are used for scanning horizon risks?

A. Political component

B. Economic component

C. Labor market component

D. Environmental component

The correct answer is C.

A structured way of scanning horizon risks is the PESTLE analysis, an acronym that encapsulates the various components of an operating environment:

Political

Economic

Social

Technological

Legal

Environmental


Q.5073 Which of the following is most likely a bias that an external expert can help mitigate during
scenario analysis?

A. An excessive focus on scenarios driven by internal causes

B. Myopia

C. Initiation of discussions

D. External loss data

The correct answer is B.

Myopia is the over-estimation of recent events. It is one of the biases that an external expert can help mitigate during scenario analysis. The involvement of additional external experts is advisable but not overly common in practice.

A is incorrect. Another bias that an external expert can help mitigate during scenario analysis is an excessive focus on scenarios driven by external causes.

C is incorrect. Initiation of discussions is a task for the facilitators of workshops for operational risk scenario analysis. They are also tasked with coordinating debates and reaching consensus based on the input of participants.

D is incorrect. External loss data is a preparation document for scenario identification.


Q.5074 Which of the following Basel Category level 1 events relates to losses arising from acts inconsistent with employment, health, or safety laws or from diversity/discrimination events?

A. Client, products & business practices

B. Employment practices and workplace safety

C. Damage to physical assets

D. Business disruption and system failures

The correct answer is B.

Employment practices and workplace safety are losses resulting from violations of employment, health, or safety regulations or agreements, from having to pay for personal damage claims, or from incidents involving diversity or prejudice.

A is incorrect. Clients, products & business practices are losses brought about by an inadvertent or negligent failure to fulfill a professional duty to a particular client or by the structure or design of a product.

C is incorrect. Damage to physical assets are losses caused by natural disasters or other occurrences that result in the loss of or damage to physical assets.

D is incorrect. Business disruption and system failures are losses brought on by system breakdowns or business interruption.


Reading 102: Risk Measurement and Assessment

Q.5156 In the context of incident data collection recommendations by the Basel Committee, which of
the following statements is incorrect?

A. When reporting operational incidents, banks should use as many data fields as possible to
maximize the documentation of important information.

B. Companies should strive to utilize the same data fields when reporting operational
incidents.

C. While market and credit risks usually follow easily identifiable external conditions, operational events change more subtly and their effects are harder to predict.

D. In addition to collecting internal incident data, it is also beneficial for organizations to analyze external loss data from other firms.

The correct answer is A.

Although the inclusion of more data fields can add to a comprehensive understanding of any given incident, it also poses several risks. Too much information can lead to reporting and analysis overload as well as excessive use of resources. As such, it is best practice to include only the most essential data points and avoid overcomplicating the intake process.

B is incorrect. It is virtually universal that companies across all sectors utilize the same set of core data fields whenever operational incidents are reported. This allows for better internal and external benchmarking and visibility, helping the business to increase its efficiency on many levels.

C is incorrect. While market and credit risks usually follow easily identifiable external conditions, operational events change more subtly and their effects are harder to predict. For example, imagine a bug in a digital banking app that results in delays in payment transfer for clients. Such an occurrence could have wide-reaching repercussions beyond those immediately present at the time of failure. These delayed payments can lead to customer complaints, demands for compensation from the bank, and negative reviews on social media - all of which damage the reputation of the bank's services and mean extra costs in terms of management attention and IT resources. Identification and quantification of the impacts of such an event is less straightforward than recording a credit loss on a corporate loan or a market loss on a derivatives portfolio.


D is incorrect. In addition to collecting internal incident data, it is also beneficial for organizations to analyze external loss data from other firms. Doing so provides rich insights into the risk exposure for other companies; these insights can be used by organizations to compare their own operations against those of their peers or competitors - which helps them identify any areas needing improvement - and then design appropriate strategies accordingly.


Q.5157 Joel and Mark, FRM Part II candidates, are discussing BCBS’ guidelines on the need to report
comprehensive data regarding operational risk events. During the discussion, the following
statements are made. Which statement is most likely correct?

A. While the Basel Committee has set a minimum threshold for loss reporting at €20,000
($22,000), setting reporting thresholds at zero is considered best practice so as to capture
every operational loss or simplify instructions to the business units that do not need to
estimate a loss before deciding to report incidents.

B. Regulatory guidelines dictate that firms must report any incidents causing them both
financial losses and non-financial impacts.

C. Both direct and indirect losses must be reported.

D. Grouped losses are distinct operational risk events connected through a common loss
amount.

The correct answer is C.

It is important to remember that both direct and indirect losses must be reported. Direct losses are the ones incurred immediately after the event: for example, the cost of remediation, any financial outcomes due to wrongful transactions, or compensation to clients. Indirect losses are much trickier to identify as they are results of further consequences from an operational risk event.

A is incorrect. Even though some banks do set a threshold of zero for operational risk events, this strategy is fading away among large banking institutions because of the sheer number of small incidents that must be reported with little information value gained in return. Instead, most banks and insurance companies are preferring a threshold slightly lower than the regulatory limit. Thresholds of €20,000, €10,000, or €5,000 are common.

B is incorrect. Banks are only required to report any incidents causing them financial losses. But from a management perspective, it's also good practice to record the non-financial impacts associated with any material operational risk events.

D is incorrect. Grouped losses are defined as distinct operational risks connected to a single core event or cause. For example, if an IT failure occurs impacting various departments in different ways, this sequence of events would likely constitute one grouped loss.


Q.5158 During an RCSA workshop, a bank executive makes the following statement: “At the moment, our research shows that a large-scale cyber attack in the banking industry is a one-in-ten-year event.” The statement implies that:

A. there’s a 1% chance of a cyber attack over the next 10 years.

B. there’s a 1% chance of a cyber attack over the next 10 years.

C. there’s a 10% chance of a cyber attack over the next 10 years.

D. there’s a 10% chance of a cyber attack over the next 1 year.

The correct answer is D.

Risk Control Self Assessment (or RCSA) exercises typically have a time horizon of one year or less and may even be shorter depending on the organization's preferences. For example, when discussing a one-in-ten-year event, this description actually refers to an event that has a 10% chance of happening in the next year - not once every ten years. Similarly, a one-in-twenty-year event has a 5% chance of happening in the next year.


Q.5159 What is the primary use of the Swiss Cheese model?

A. A method to assess the impact of an attack on an asset.

B. A tool for generating scenarios with FAIR methodology

C. A framework for analyzing and identifying security

D. A concept that uses layers of defense to prevent hazards

The correct answer is D.

The Swiss Cheese model is a concept that describes how multiple defenses (or "layers of cheese") are necessary to create effective safety systems. Each layer serves as a defense against hazards, and each has its own weaknesses, creating holes in the protective barrier. The idea is that all defenses need to be in place and working properly in order to protect against potential hazards. The model was first proposed by James Reason, and it has become widely used in risk management as a way to identify vulnerabilities and increase safety protocols.

Option A is incorrect because the Swiss Cheese Model does not assess the impact of an attack, but rather operates as a way to identify vulnerabilities and increase safety protocols.

Option B is incorrect because the Swiss Cheese Model does not generate scenarios (as does the FAIR model), but rather operates as a way to identify vulnerabilities and increase safety protocols.

Option C is incorrect because while the Swiss Cheese Model can be used for analyzing security risks, its primary purpose is as a way to identify vulnerabilities and increase safety protocols.


Q.5160 What is the purpose of Monte Carlo simulations in the FAIR model of managing operational
risk?

A. To estimate the frequency and magnitude of a potential loss event.

B. To generate scenarios with an asset at risk, a threat community, a threat type and an
effect.

C. To provide the distribution of simulated scenario losses as output.

D. To determine the best course of action to prevent a potential loss event.

The correct answer is C.

Monte Carlo simulations are used in the FAIR model to provide the distribution of simulated scenario losses based on factor estimates expressed as distributions. The factor estimates come from business experts who estimate the frequency and probable loss magnitude for each scenario. The Monte Carlo simulations then use these factor estimates as inputs to generate outputs in the form of distributions of simulated scenario losses.

Option A is incorrect because Monte Carlo simulations do not estimate the frequency and magnitude - this is done by business experts.

Option B is incorrect because Monte Carlo simulations do not generate scenarios with an asset at risk, a threat community, a threat type and an effect - this is done through risk assessment and analysis.

Option D is incorrect because Monte Carlo simulations are not used to determine the best course of action to prevent a potential loss event - this is determined through other methods such as cost/benefit analysis or decision trees.


Q.5161 Which of the following statements best describes the purpose of Root Cause Analysis?

A. To identify an immediate cause of a significant operational risk event.

B. To compare the results of multiple investigations and identify patterns leading to operational risk events.

C. To evaluate the impact of a near miss or incident on operational performance.

D. To support or challenge the initiatives proposed by the second line of defense.

The correct answer is B.

Root Cause Analysis is designed to investigate incidents or near misses that led or could have led to operational impacts above the materiality threshold. It is more valuable to compare the results of previous investigations and look for links and commonalities in the causes and failures leading to significant operational risk events, in order to identify patterns within an organization that can help create action plans across it. A key purpose of RCA is thus not only identifying an immediate cause, but also recognizing underlying trends that can lead to greater understanding and preventative measures.

A is incorrect. Though this statement is partially true, it does not encompass all elements of root cause analysis. Identifying immediate causes is just one part; recognizing underlying trends in order to formulate preventive action plans is another.

C is incorrect. While RCA certainly includes evaluation, its main purpose is not solely limited to assessment; rather, it involves systematic investigation into why an incident has happened in order to build greater understanding and develop preventative measures.

D is incorrect. The statement does not accurately reflect RCA's true purpose. Root cause analysis involves assessing incidents and near misses in order to recognize underlying trends which can then be used for preventative measures, as opposed to supporting or challenging particular initiatives.


Reading 103: Risk Mitigation

Q.5075 According to the international standards of enterprise risk management ISO 31000, there are
four ways to address risks. Which of the following is correct in this context?

A. All risks can be transferred to a third party

B. Termination should be the first response action in case of an operational risk event

C. Risk can be transferred through external insurance and outsourcing

D. Tolerance involves all types of risk mitigations, especially internal controls aimed at
reducing the probability

The correct answer is C.

Risk transfer entails moving the risk to another party. Risk can be transferred through external insurance and outsourcing.

A is incorrect. Some risks, such as reputational risks and the risk of accountability, cannot be transferred.

B is incorrect. Termination involves the removal of all risk exposure. This should be the last response action when all other options are not applicable. Removing all the risk exposure also removes the revenues attached to the risk-taking.

D is incorrect. Tolerance is about accepting the risk as it is without reactions. This is an acceptable option for either low inherent risks or residual risk exposure already controlled.


Q.5076 Christian Grey, an FRM Part II candidate, wishes to present on different types of internal
controls, the process of internal control design, and control testing in operational risk management.
Which of the following statements made by Grey is correct?

A. According to the Institute of Internal Auditors, controls can be of four types, i.e.,
preventive, detective, corrective, and directive controls

B. Directive controls aim to alert the firm if an incident occurs to accelerate its resolution
and limit the impact of the incident on the firm or its stakeholders

C. Examples of preventive controls include smoke alarms and credit card notifications of
potentially fraudulent transactions

D. Directive controls are always part of control taxonomies

The correct answer is A.

Controls can be of different classes. However, according to the Institute of Internal Auditors, controls can be of four types, i.e., preventive, detective, corrective, and directive controls.

B is incorrect. This is the function of detective controls but not directive controls.

C is incorrect. Examples of preventive controls include: segregation of duties – different parties perform different functions in a firm, access controls, level of authorization, and process automation.

D is incorrect. Directive controls are not always part of control taxonomies, but they exist in every firm.


Q.5077 Among the four ways to address risk, treatment is the most common risk response, which
involves risk mitigation through various control plans. Controls can be of different classes. In this
chapter, however, we have adopted the classification used by the Institute of Internal Auditors.
Which of the following types of control fall under this classification?

A. Preventive controls

B. Key controls

C. Manual controls

D. Automated controls

The correct answer is A.

According to the Institute of Internal Auditors, controls can be of four types, i.e., preventive, detective, corrective, and directive controls.

Preventive controls reduce the likelihood of an incident occurring.

Detective controls aim to alert the firm if an incident occurs to accelerate its resolution and limit the impact of the incident on the firm or its stakeholders.

Corrective controls are intended to mitigate the impact of adverse events on an institution.

Directive controls include all the prescriptions and rules for executing a process: policies and procedures, training and guidance, governance structure, and roles and responsibilities.

B, C, and D are incorrect. They do not fall under the said classification.


Q.5078 David Hans, FRM, works as the risk manager at ABC bank. In one of his presentations, David
states that a firm's internal controls are its foundation for risk mitigation. He further goes ahead to
state several issues concerning internal controls. Which of the following statements is least likely
correct in this regard?

A. A key control is a control that can sufficiently mitigate risk on its own

B. Controls can either be manual or automated in nature

C. Control automation is prone to human errors, which can transform into technology and
model risk

D. Automated data back-up is an essential component of control testing.

The correct answer is D.

Automated data back-up is a component of control automation and not control testing.

A is incorrect. A key (primary) control is a control that can sufficiently mitigate risk on its own. Key controls can be corrective if they neutralize the impact of adverse events on an institution. A non-key control, on the other hand, cannot sufficiently prevent the risk from materializing. This control complements the key controls.

B is incorrect. Controls can either be manual or automated in nature. Automation greatly increases the reliability of a control, contributing to an effective mitigation process.

C is incorrect. With the advancement in modern technology, banks no longer find it reasonable to rely on manual controls. However, control automation is prone to human errors, which can transform into technology and model risk.


Q.5079 An FRM candidate is preparing for the May 2023 exam. In one of the open discussion forums, the
candidate states that a control should be effectively designed so as to be applied effectively and
hence be able to mitigate risk effectively. Ineffectively designed controls waste resources and may
give unrealistic expectations resulting in vulnerabilities. He goes ahead to state the types of weakly
designed controls. Which of the following is least likely a type of weakly designed control
highlighted by the candidate?

A. "Optimistic control."

B. "More of the same."

C. "Collective controls."

D. "System-based data validation."

The correct answer is D.

System-based data validation checks in data collection tools are an example of automated controls.

A is incorrect. "Optimistic controls" - Since they are cursory rather than comprehensive, these controls are commonly called "tick-boxes." For these controls to be effective, the controller must have either exceptional skill or experience.

B is incorrect. "More of the same." This refers to adding more controls of the same design as the ones that failed after an operational incident caused by a control failure. For example, adding more controllers doesn't help resolve a failure of collective controls, nor does it reinforce an onboarding process that managers already bypass due to its disproportionate and cumbersome nature.

C is incorrect. "Collective controls." These reduce individual accountability by distributing the responsibility for verification and quality control among several people.

Q.5080 The Bank of India is in the process of implementing an effective control system. Its risk
management unit has clarified that control designs should be assessed, and if satisfactory, they can be
tested to check whether they are operationally effective. Which of the following is least likely a
type of control testing?

A. Examination

B. Observation

C. Self-certification

D. Independence

The correct answer is D.

Independence of the testing party is one of the factors that influence the effectiveness of control testing.

We have four primary types of control testing, presented in their level of scrutiny. The greater the inherent risk, the more rigorous the control testing must be.

The following are the main types of control testing:

Self-certification or inquiry. Given the lack of evidence, it is reasonable to limit this assessment to secondary controls or controls related to environments with low inherent risk.

Examination. Written documentation of the process, as well as written evidence of the results, is needed to support this claim. The quality and relevance of documentation determine the effectiveness of this testing method. In addition, it is more suitable for automated checks and sampling of manual checks since it provides moderate assurance.

Observation. It involves observing the execution of the control process in real time so that its design and effectiveness can be judged. This testing control is suitable for key controls.

Reperformance (reproduction or parallel testing). This is the strongest form of testing, which involves the tester reproducing the control process on a sample of transactions and comparing the results with those previously obtained by the process.


Q.5081 Joseph Bolts, FRM, is a risk manager at the Bank of Baroda. In his recent presentation to the
board of directors, Joseph highlights that while the firm strives to establish effective control testing,
we have several factors that determine the level of this effectiveness. Which of the following
factors least likely influence the effectiveness of control testing?

A. The independence of the testing party

B. The frequency of testing

C. Scope and sample

D. Reperformance

The correct answer is D.

Reperformance is one of the four types of control testing.

A is incorrect. The independence of the testing party – To avoid conflict of interest and bias, the testing party should be independent of the owner of the control process (except in the case of self-certification).

B is incorrect. The frequency of testing. Control assessments should be performed more frequently for higher risks or unstable risk environments in proportion to the severity of the risk.

C is incorrect. Scope and sample. The results of a test depend on the scope of testing, and the size of the sample tested. To adequately represent the population, the sample should be large enough.


Q.5082 To effectively mitigate human errors, we should first categorize these errors accordingly.
Identifying slips and mistakes is the first step in categorizing human error. Which of the following
categories of human errors is correctly described?

A. Slips – These are wrong choices made when someone faces a new situation due to a lack
of familiarity with a process

B. Rule-based mistakes – The perpetrator understands the right thing to do but decides to act
against the rules

C. Knowledge-based mistakes – These are the wrong choices made when someone faces a
new situation due to a lack of familiarity with a process or a lack of training and guidance

D. Violation – These are involuntary errors caused by inattention, distraction, and fatigue

The correct answer is C.

Knowledge-based mistakes are the wrong choices made when someone faces a new situation due to a lack of familiarity with a process or training and guidance.

A is incorrect. Slips are involuntary errors caused by inattention, distraction, and fatigue. There are many ways to respond to slips, including improving the work environment, speeding up work appropriately, reducing noise levels, clarifying accountabilities, and explaining the consequences of every action.

B is incorrect. Rule-based mistakes refer to a result of voluntary action. In other words, it is "strong but wrong." Mis-selling to customers due to commercial incentives is a good example of such mistakes.

D is incorrect. A violation is an act of voluntary misconduct rather than an error. The perpetrator understands the right thing to do but decides to act against the rules.

Q.5083 To improve the quality of an operational process and reduce the potential for human error,
the risk management unit should first identify these errors and then apply several methods to assess
and mitigate risks related to these errors. Which of the following statements is incorrect in light of
this statement?

A. The Lean Six Sigma is applied to remove and reduce waste and variation by analyzing
processes and collaborative tasks hence minimizing variations

B. Six Sigma improves quality by identifying and eliminating causes of errors or defects and
minimizing variability in industrial processes

C. Quality improvement follows the plan, do, study, act (PDSA) cycle or "Dr. Deming cycle."

D. Under the "Dr. Deming cycle", Do refers to analyzing the collected data, comparing the
set targets, and evaluating opportunities for improvement.

The correct answer is D.

Under the "Dr. Deming cycle":

Plan is about setting goals, determining expectations, and deciding what, where, when, and who will implement the plan.

Do means to execute the plan and record its progress.

Study refers to analyzing the collected data, comparing the set targets, and evaluating opportunities for improvement.

Act is about understanding lessons learned and adjusting our expectations for the coming cycle.

A is incorrect. In Lean Six Sigma, waste and variation are systematically removed and reduced by analyzing processes and collaborative tasks hence minimizing variations. Lean Six Sigma combines Lean and Six Sigma techniques which aim at eliminating eight kinds of "waste."

B is incorrect. Six Sigma improves quality by identifying and eliminating causes of errors or defects and minimizing variability in industrial processes. Both methods apply the define, measure, analyze, improve, and control (DMAIC) cycle.

C is incorrect. Quality improvement follows the plan, do, study, act (PDSA) cycle or "Dr. Deming cycle."

The following questions are key to addressing quality improvement:

What is the goal?

What makes a change an improvement?

What changes will result in improvement?

Q.5084 Businesses face significant operational risks when they embark on new projects, products,
and initiatives that are unfamiliar to them. Which of the following statements is
correct in this context?

A. As a best practice, the owner of each new initiative should present a business case to
show the allocation of resources

B. When acquiring new assets, it is easier to assess operational risk than credit risk

C. The acquired firm should not provide any information as this makes operational risk
assessment even more difficult

D. When projects are merged, the risks of the acquired assets remain with the original firm

The correct answer is A.

As a best practice, the owner of each new initiative should present a business case to show the allocation of resources. A good business case covers at least five topics, namely: objective, alternatives, expected benefits, commercial aspects, and risks.

B is incorrect. Credit risk can easily be assessed provided the data of collateral, obligors, and terms and conditions are available. On the other hand, operational risk is very difficult to assess since it is the risk related to the results of people, systems, and processes over time. Therefore, it may take time before the inherited operational risk is discovered. Banks should therefore be very keen to assess operational risks, especially when acquiring new assets.

C is incorrect. If a firm is acquired, it should be integrated to provide its own set of additional operational risks. The acquired firm should present customer and account platforms, payroll and management systems, and its communications with other companies.

D is incorrect. When projects are merged, the acquiring firm inherits the risks of the acquired assets. When a firm acquires assets, a portfolio, or the entire entity, it inherits all risks associated with those assets, necessitating a more comprehensive risk management.


Q.5085 Bank A wishes to acquire all the assets of Bank B. The risk unit of Bank B is therefore
concerned about the possible operational risks that may arise if they go ahead to acquire assets of
Bank A. Which of the following is least likely a correct way in which the risk function of Bank B will
be involved in the acquisition of assets of Bank A?

A. Doing a thorough assessment of the operational risk related to the assets of Bank B

B. The risk unit should ask Bank B to present information on payrolls, customers, payroll and
management systems, and its communication with other companies

C. The board of directors can create a risk profile to familiarize the management with
potential operational risks related to these new business initiatives.

D. Bank B should provide Bank A with data on collateral, obligors, and terms and conditions in
order for them to assess credit risk

The correct answer is C.

The ORM function is what should create a risk profile to familiarize the management with potential operational risks related to these new business initiatives and not the board of directors.

A is incorrect. It may take time before the inherited operational risk is discovered. The acquiring firm (in this case, Bank A) should therefore be very keen to assess operational risks when acquiring new assets. The ORM function can support these new initiatives by creating a risk profile to familiarize the management with potential operational risks related to these new business initiatives.

B is incorrect. Bank B should be requested to present customer and account platforms, payroll and management systems, and its communications with other companies. The ORM of Bank A can help the firm identify these risks through risk identification workshops and work with the integrating teams to set mitigation measures to address potential risks related to a complex acquisition.

D is incorrect. Bank B should provide Bank A with data on collateral, obligors, and terms and conditions in order for them to assess credit risk. Credit risk can easily be assessed provided the data of collateral, obligors, and terms and conditions are available.


Q.5086 Paul Schering, FRM, works as a risk manager at ABC Bank. Paul wishes to present to the
bank approaches firms should use to mitigate the impact of operational risk events. Which of the
following statements highlighted by Paul is correct?

A. A contingency plan is simply a "Plan B" or an alternative action if the result of a future
event does not go as expected

B. The first step in business continuity management (BCM) is identifying threats and risks
and linking these risks to the firm's key operational risks

C. In case of a crisis, a firm should have at least two response teams: a technical team, a
media team, and a communications team

D. A communications team assesses the risk event and restores normal processes

The correct answer is A.

A contingency plan is simply a "Plan B" or an alternative action if the result of a future event does not go as expected. Contingency planning is part of business continuity management (BCM), disaster recovery plans (DRP), and corrective risk management. Contingency planning should clearly state who does what and when in case of an event. In broader terms, contingency planning involves providing alternatives in systems, people, and processes.

B is incorrect. The first step in BCM is to ensure senior-level commitment. The next step is to initiate the management process. After this, threats and risks should also be identified and linked to the firm's key operational risks. Once these risks have been identified, actions should be taken to manage these risks as part of risk management. A business impact analysis is carried out to determine the terms of risk mitigation. Strategies and plans for mitigating these risks are developed and implemented accordingly. The plan is then tested and maintained.

C is incorrect. In case of a crisis, firms should have at least two response teams:

The technical team assesses the risk event and restores normal processes as soon as possible.

A communications team (external or internal) to handle media and stakeholder groups.

Q.5087 The risk management team of the ABC Bank is presenting the results of event and crisis
management to the operational risk committee of the bank. In its presentation, the team highlights
the following: Which of the above statements highlighted by the team is incorrect?

A. A firm should demonstrate three qualities when managing a crisis or major operational
event, which include speed, competence, and transparency.

B. We have four phases of a major operational risk event: crisis, emergency response,
recovery, and restoration

C. We have two traditional recovery measures: a Recovery Point Objective (RPO) and
Recovery Time Objective (RTO)

D. In the event of a crisis, each recovery job should be handled by senior management.

The correct answer is D.

A is incorrect. In the event of disruptions, the business continuity plan (BCP) will be activated. A firm should demonstrate three qualities when managing a crisis or major operational event:

Speed: A crisis can spread very fast (e.g., cyberattacks). It is, therefore, crucial to respond swiftly, decisively, and appropriately to crises.

Competence: In the event of a crisis, each recovery job should be handled by a suitable specialist.

Transparency: Trust of key stakeholders should be maintained by always telling the truth and being open and honest even in the face of a large operational loss.

B is incorrect. There are four typical phases of a major operational risk event:

Crisis: After an incident, the type and scale of the problem become apparent.

Emergency response: Experts must assess the situation and quickly decide how to proceed.

Recovery: If the plan goes as planned, essential operations will resume in recovery format within the expected time frame.

Restoration is simply bringing things back to normal.

C is incorrect. There are two traditional recovery measures:

i. A Recovery Point Objective indicates how much data will be lost or have to be re-entered
after an outage.
ii. Recovery Time Objective measures how much downtime a business can tolerate.


Q.5088 Operational risk can be transferred through external insurance and outsourcing. Which of
the following statements is incorrect regarding risk transfer?

A. There is a trade-off decision between the insurance premium versus the volatility

B. In external insurance, the risk is not necessarily fully transferred, as the amount of
compensation depends on the premiums paid

C. Outsourcing may result in third-party risk

D. It is hard to transfer both risk exposure and consequences

The correct answer is D.

External insurance policies for operational risk are suitable for operational risks where:

They are fairly predictable, allowing for proper underwriting and pricing for the insurer, and

It is easy to transfer both risk exposure and consequences, so risk mitigation is effective for insurance takers.

A is incorrect. There is a trade-off decision between the insurance premium versus the volatility. Many firms will tend to self-insure small losses or absorb the volatility and only seek external insurance to cover losses from extreme operational events. Any large potential operational risk event, therefore, necessitates external insurance.

B is incorrect. In external insurance, the risk is not necessarily fully transferred, as the amount of compensation depends on the premiums paid. In some cases, the firm may experience delays from the insurer, which may expose the firm to liquidity risks.

C is incorrect. Outsourcing may result in third-party risk since the firm is exposed to the risk of failure of third-party controls. Furthermore, not all risks are transferable. The risk of accountability, for example, is not transferred through this process. Increasingly, outsourcing is perceived as a risk-sharing and not a risk-transfer method. Reputational damage is another risk that cannot be outsourced or transferred through insurance.


Q.5089 In the definition of operational risk, reputational risk has been left out intentionally. This is
because reputational risk is not necessarily caused by operational risk. Both internal and external
operational events can cause reputational risk. Operational risk controls and mitigation strategies can
be implemented to protect a company's reputation. Which of the following is least likely a correct
way to prevent reputational risk?

A. The use of detective controls to identify operational failures and reduce their reputational
effects

B. Carefully choosing business partners and third parties

C. Considering stakeholder differentiation when designing a specific remedy for a
reputational risk event

D. Transferring responsibility from one party to another in order to limit exposure.

The correct answer is D.

Transferring responsibility from one party to another in order to limit exposure is one of the four ways firms address their operational risk exposures.

A is incorrect. One way to prevent reputational risk is to build and maintain customer confidence. The use of detective controls to identify operational failures and reduce their reputational effects is among the methods used to protect against them. Detective controls include monitoring customer complaints on social media and tracking refund requests or system downtimes.

B is incorrect. Firms should be careful when contracting third parties to avoid the wrong type of people with reputation issues.

C is incorrect. In addition to image and relationship building, stakeholder analysis contributes to an effective reputational management process. An organization's stakeholders are not all equally important or affected by operational events. Stakeholder differentiation is essential when designing a specific remedy for a reputational risk event.


Reading 104: Risk Reporting

Q.5090 Which of the following events will least likely trigger the requirement to notify regulators of
operational risk events?

A. The significance of the events relative to a materiality threshold

B. Any event affecting the firm’s management

C. Any event that could affect the firm’s ability to continue to provide adequate services

D. Any event that could result in serious consequences to the financial system

The correct answer is B.

Any event affecting the firm’s management does not trigger the requirement to notify regulators unless it affects the firm materially above a certain threshold, its reputation, its resilience, or its stability.

The requirement to notify regulators of operational risk events may be triggered by any of the following criteria:

The significance of the events, relative to a loss or materiality threshold.

Any event significantly affecting the firm’s reputation.

Any event that could affect the firm’s ability to continue to provide adequate services to its customers, and that could result in serious detriment to a customer of the firm.

Any event that could result in serious.


Q.5091 Which of the following is least likely a type of information critical in the operational risk
requirements?

A. Qualitative information on operational risk management

B. Historical losses

C. Business indicator and subcomponents

D. Risk appetite metrics

The correct answer is D.

The risk appetite metrics is one of the main components of operational risk and not a type of information in the operational risk requirements.

Operational risk disclosure requirements include three types of information:

Qualitative information on operational risk management.

Historical losses.

Business indicator and subcomponents.


Q.5092 Which of the following types of information required relates to presenting the governance
and risk management structures that an entity has established to manage and mitigate risk?

A. Qualitative information on operational risk management

B. Historical losses

C. Business indicators and subcomponents

D. Incidents and near misses

The correct answer is A.

Qualitative information on operational risk management relates to ensuring companies present the governance and risk management structures that they have established to manage and mitigate risk.

B is incorrect. Historical losses requires regulated entities to provide appropriate details on the total operational losses accumulated during the previous ten years.

C is incorrect. Business indicator and subcomponents entails disclosing the business indicator and its necessary components, which serve as the basis for the computations of operational risk capital.

D is incorrect. Incidents and near misses is one of the main components of operational risk reporting.


Q.5093 Which of the following is not one of the main components of operational risk?

A. Risk appetite metrics

B. Incidents and near misses

C. Frequency and severity

D. Action plans and follow-up

The correct answer is C.

The frequency and severity per period is one of the areas that need to be reported when reporting in risk events and near misses. It is not one of the main components of operational risk.

There are seven main components of operational risk reporting:

i. Top-10 risks and risk outlook
ii. Heatmap and risk register
iii. Risk appetite metrics
iv. KRIs and issue monitoring
v. Incidents and near misses
vi. Action plans and follow-up
vii. Emerging risks and horizon scan findings


Q.5094 Which of the following components of operational risk reporting involves reporting a list of
the top overall risks?

A. Heatmap and Risk Register

B. Risk Appetite Metrics

C. Top-10 risks and risk outlook

D. Incidents and Near Misses

The correct answer is C.

The top-10 risks and risk outlook is one of the components of operational risk reporting that involves reporting a list of the top overall risks or the 10 most significant risks from the risk register or risk inventory.

A is incorrect. The heatmap and risk register provides a two-dimensional visual depiction of the risk register without forcing the audience to read fine print.

B is incorrect. Risk appetite metrics is the tracking of risk appetite and the monitoring metrics that go along with it. It enables the board to assess if the company is functioning within its risk appetite and choose the best course of action.

D is incorrect. Incidents and near misses is one of the most important components of ORM reporting that involves reporting of risk occurrences, losses, and near misses.


Q.5095 Why are near-miss occurrences included in the reporting of incidents in organizations with
strong risk cultures?

A. To assess the cost of close calls.

B. To determine the importance of close calls.

C. To analyze the potential consequence that was unintentionally avoided.

D. To evaluate the frequency of close calls.

The correct answer is C.

Organizations with strong risk cultures include near-miss occurrences in the reporting of incidents to analyze the potential consequence that was unintentionally avoided.

A is incorrect because the cost of close calls is not the reason for including near-miss occurrences in the reporting of incidents in organizations with strong risk cultures.

B is incorrect because importance is not the specific reason for including near-miss occurrences, but rather to assess the significance of close calls based on the potential consequence that was unintentionally avoided.

D is incorrect because the frequency of close calls is not the reason for including near-miss occurrences in the reporting of incidents in organizations with strong risk cultures.


Q.5096 Which of the following is not one of the three options worth considering when aggregating
qualitative data?

A. Conversion and addition

B. Categorization

C. Horizon scanning

D. Worst-case reporting

The correct answer is C.

Horizon scanning is one of the main components of operational risk reporting that involves finding new trends and potential risks. It is not one of the three options that need to be considered when aggregating qualitative data.

The three options are:

Conversion and addition

Categorization

Worst-case reporting


Q.5097 Which of the following stakeholder groups is authorized by the board to monitor the
effectiveness of the firm’s risk management framework?

A. The audit committee

B. The risk committee

C. Executive committee

D. Business line managers

The correct answer is B.

The board risk committee is authorized by the board to monitor the effectiveness of the firm’s risk management framework.

A is incorrect. The audit committee is a subcommittee of the board and is responsible for a third level of operational risk oversight managed by the firm’s internal audit activities.

C is incorrect. The executive committee is a subcommittee of the board, composed of elected board members and senior executives, that prioritizes issues for the full board to address, is responsible for overseeing board policies, and ensures good governance practices.

D is incorrect. Business-line managers typically monitor the status of their KRIs, the progress of their action plans, and the nature and severity of operational risk events experienced by their business lines.


Q.5098 Which of the following stakeholder groups is responsible for collecting all relevant
operational risk information from the business lines to produce aggregated, synthesized reporting and
provide feedback to the business lines?

A. The risk champions

B. The operational risk committee

C. The audit committee

D. The executive committee

The correct answer is B.

The operational risk committee collects all relevant operational risk information from the business lines to produce aggregated, synthesized reporting for the operational risk committee and provide feedback to the business lines.

A is incorrect. The risk champions typically monitor the status of their KRIs, the progress of their action plans, and the nature and severity of operational risk events experienced by their business lines.

C is incorrect. The audit committee is a subcommittee of the board and is responsible for a third level of operational risk oversight managed by the firm’s internal audit activities.

D is incorrect. The executive committee is a subcommittee of the board, facilitates decision-making between board meetings and/or during times of crisis, prioritizes issues for the full board to address, is responsible for overseeing board policies, and ensures good governance practices.


Q.5099 Which of the following is a challenge of non-financial risk data reporting?

A. Risk appetite metrics

B. Action plans and follow up

C. Asymmetry of operational risk event data

D. Incidents and near misses

The correct answer is C.

Addressing the asymmetry of operational risk event data is one of the challenges of non-financial risk data reporting, i.e., a relatively small number of low-frequency, high-severity loss occurrences frequently account for the majority of operational loss severity.

A is incorrect. Risk appetite metrics is one of the main components of operational risk reporting. It involves tracking of risk appetite and the monitoring metrics that go along with it.

B is incorrect. Action plans and follow-up is one of the main components of operational risk reporting. These are risk-reduction strategies created to strengthen the regulatory environment and reactive measures used to address an unexpected operational loss event.

D is incorrect. Incidents and near misses is one of the main components of operational risk reporting. It involves outlining what incidents involving operational risk occurred and how much each incident cost the company.


Reading 105: Integrated Risk Management

Q.5100 Ibrahim Asman, FRM, is the operational risk manager at the Bank of India. In one of his
presentations to the board of directors, Mr. Asman says that a bank should have a wider view of risk
assessment frameworks and capital assessment in addition to its operational risk framework. Which
of the following points highlighted by Asman on risk governance is least likely correct in the context
of ERM?

A. The first line of defense comprises the staff and management of business lines. It is responsible for making decisions for managing risks

B. The second line of defense comprises banks' credit risk management, market risk management, and operational risk management departments

C. The board risk committee is responsible for overseeing all risks across a firm

D. The board risk committee reports independently to the board of directors.

The correct answer is D.

The board risk committee is responsible for overseeing all risks across a firm and is independent of the board of directors. It recommends risk-based decisions, risk exposure, and risk management to the full board.

The three lines of defense define the roles and responsibilities for the overall risk management of a firm.

A is incorrect. The first line of defense consists of staff and the management of risk. The first line makes risk management decisions. Risk owners identify, measure, mitigate, and report risks. It is the responsibility of risk owners to make decisions to ensure an appropriate balance between risk and reward for the firm. Risk owners have the authority to expose the firm to risk within the firm's risk appetite limits.

B is incorrect. From an ERM view, the second line of defense comprises banks' credit risk management, market risk management, and operational risk management departments. Also included are other oversight functions, such as compliance or information security, and parts of hybrid functions, such as legal, finance, and IT.

C is incorrect. The board risk committee is responsible for overseeing all risks across a firm. This committee is independent of the board of directors and recommends risk-based decisions, risk exposure, and risk management to the full board. The term of reference or a committee charter governs the operations of this committee.

Q.5101 Risk culture is inseparable from corporate culture and goes beyond the culture of alertness
and reporting of operational risk incidents, as well as the sharing of lessons learned. Which of the
following statements is least likely correct regarding risk culture from an ERM view?

A. Corporate culture is "what happens when no one is looking"

B. Risk culture influences the effectiveness of an ERM framework

C. A robust and independent risk management function can reduce tail risk exposures at
banks

D. A risk culture is a structure that is put in place to outline a firm's approach to the
management, and control of risk.

The correct answer is D.

A structure that is put in place to outline a firm's approach to the management, measurement, and control of risk is referred to as a risk appetite framework and not a risk culture.

A is incorrect. Risk culture is inseparable from corporate culture and goes beyond the culture of alertness and reporting of operational risk incidents, as well as the sharing of lessons learned. From an enterprise-wide perspective, corporate culture is "what happens when no one is looking."

B is incorrect. Risk culture influences the effectiveness of an ERM framework. The absence of a risk culture leads to dire consequences, emphasizing the need for firms to establish and maintain a risk culture.

C is incorrect. Post-financial crisis reports emphasized that a lack of risk culture led to risk management failure in large financial institutions. According to the seminal paper issued by the Journal of Finance in 2013, bank holding companies with a higher lagged risk management index have lower tail risk and higher return on assets. This aligns with the hypothesis that a robust and independent risk management function can reduce tail risk exposures at banks.


Q.5102 Which of the following is most likely a role and responsibility of the second line of defense
for the overall risk management of a firm under risk governance?

A. making decisions for managing risks.

B. establishing risk management methods, and measurement methods.

C. overseeing the risk management activities.

D. reports independently to the board of directors.

The correct answer is B.

The second line of defense is responsible for establishing risk management methods, tools, models, and measurement methods, training the first line of defense, raising risk awareness, developing risk management policies, and ensuring effective risk management.

A is incorrect. Making decisions for managing risks is a role of the first line of defense. It comprises the staff and management of business lines.

C is incorrect. Overseeing the risk management activities is a role of the third line of defense.

D is incorrect. Reporting independently to the board of directors is a role of the third line of defense.


Q.5103 A newly hired risk manager is preparing to present to the risk committee on the role of ERM
in financial services in ensuring the solvency and sustainability of an institution through appropriate
capital funding that covers any unexpected losses relating to any of the main risk classes. Which of
the following points highlighted by the risk manager is correct?

A. An enterprise risk management framework and activities consist of regulatory capital and
economic capital only

B. Regulatory capital is the internal capital that firms estimate, reflecting both their risk
profile and potential needs to cover unexpected losses

C. Pillar 2, introduced under Basel II, is about market discipline

D. Basel regulations bear no legal grounds

The correct answer is D.

Basel regulations bear no legal ground, but rather countries choose to include the Basel standard through domestic laws and regulations.

A is incorrect. An enterprise risk management framework and activities consist of, but are not limited to, regulatory capital and supervision, economic capital, risk-adjusted return on capital (RAROC) thresholds, and capital aggregation and diversification.

B is incorrect. Regulatory capital is the mandatory minimum level of capital required by banks to cover credit, market, and operational risks and the minimum liquidity ratio.

C is incorrect. Pillar 2: Supervisory Review Process – is about additional capital requirements ("add-ons") depending on a regulated entity's risk profile.


Q.5104 The CEO of a bank has recommended that the bank should calculate RAROC in order to
determine the risk-return trade-off of their products and services. Which of the following is correct
with respect to RAROC?

A. RAROC can be used to provide a quantitative estimate of the bank's funding costs for each
transaction product and type of client

B. RAROC is given by expected after-tax risk-adjusted net income divided by regulatory capital

C. RAROC is estimated using historical data

D. RAROC is used to measure operational risk

The correct answer is A.

RAROC is used to provide a quantitative estimate of the bank's funding costs for each transaction product and type of client, manage scarce capital and expensive resource, and manage commercial agents of the bank using objectives.

B is incorrect. RAROC is given by expected after-tax risk-adjusted net income divided by economic capital. Mathematically, RAROC = (Expected after-tax risk-adjusted net income)/(Economic Capital).

C is incorrect. RAROC is more straightforward for credit activities, while EL can be estimated using historical data. In contrast, market risk EL is less straightforward and is often set to 0.

D is incorrect. Operational risk is generally not measured with RAROC since it is difficult to attribute explicit revenues to operational risk, and economic capital is uncertain.


Q.5105 A risk manager of a large bank recommends that the bank should consider not only regulatory
and economic capital requirements but also assess aggregate capital needs. Which of the following
statements is correct regarding capital aggregation and diversification in the ERM context?

A. Diversification can only be achieved across different risk classes

B. To determine the risk capital for a particular business unit within a larger firm, the units
are viewed together

C. We have diversification benefits whenever we have a correlation of exactly +1

D. We can have large diversification benefits when operational risk is aggregated with other
risks

The correct answer is D.

It can be observed that credit and market risk correlations tend to increase during a crisis; operational risk, on the other hand, moves independently. This implies that we can have large diversification benefits when operational risk is aggregated with other risks.

A is incorrect. Diversification can be of two types: intra-risk diversification – diversification within each risk class and inter-risk diversification – diversification that involves different risk classes.

B is incorrect. To determine the risk capital for a particular business unit within a larger firm, each unit is typically viewed on a stand-alone basis.

C is incorrect. To achieve diversification, the correlation between different risks should be less than +1.


Q.5106 A risk manager at a bank proposes that the bank should stress test its activities in order to
determine its stability and resilience. The manager, however, stated that a number of issues led to
the failure of stress testing during the great financial crisis. Which of the following factors
highlighted by the manager is least likely correct?

A. Scenario selection

B. Stress testing of specific risks and products

C. Stress testing methodologies

D. Including stress tests in a global risk framework

The correct answer is D.

Use of stress testing and integration in risk governance is one of the factors why stress testing failed during the great financial crisis. Stress tests were not included in a global risk framework as other businesses doubted the credibility of the analysis. Senior management was not involved enough, implying the non-existence of a worldwide aggregation of stress test results.

A is incorrect. Scenario selection: Minor severity and missing correlations between scenarios affected results as they could not comprehensively represent the aggregate risks across the bank. Scenarios were undertaken at a business level and were unrelated to capital adequacy and liquidity.

B is incorrect. Stress testing of specific risks and products: New complex products or strategies, such as complex hedging strategies, were not covered under credit risk, liquidity, and contingent risk. Furthermore, funding and reputational constraints were not tested.

C is incorrect. Stress testing methodologies: Several risk management tools employed historical statistical relationships to assess risks. Similarly, the banking sector lacked a firm-wide approach and focused so much on models calibrated on historical data. Historical information revealed that the method did not consider future risk exposures.


Q.5107 The operational risk manager of a bank wishes to establish a robust operational risk stress-
testing framework. Which of the following is least likely a component of a robust operational risk
stress-testing framework?

A. Expected non-legal loss forecast module

B. Legal loss module

C. Idiosyncratic scenario add-on module

D. Regression models

The correct answer is D.

Regression models is one of two methodologies used by banks to model the frequency and severity of operational risk losses. The other is the loss distribution approach (LDA).

A robust operational risk stress-testing framework consists of three elements to facilitate an operational risk loss forecast based on quantitative and qualitative techniques.

A is incorrect. Expected non-legal loss forecast module: This module consists of a quantitative model that projects and refines a loss forecast for each risk category depending on expert judgment.

B is incorrect. Legal loss module: This module forecasts immaterial "bulk" litigation losses, conditional litigation losses, and incremental litigation losses (the unknown unknowns).

C is incorrect. Idiosyncratic scenario add-on module: This module is developed to cover a bank's idiosyncratic operational risk profile and bank-specific risk exposures derived from storylines.


Q.5108 The operational risk manager of a bank has asked a junior analyst to model total operational
risk losses and the frequency and severity of operational risk losses. Which of the following methods
would the junior analyst apply?

A. Reverse stress testing

B. Loss distribution approach

C. Monte Carlo simulation

D. AMA approach

The correct answer is B.

Generally, banks prefer modeling the frequency and severity of operational risk losses using two methodologies:

Regression models – capture the dependency between operational losses and macroeconomic conditions. Here, frequency and severity are modeled separately and brought together through multiplication.

Loss distribution approach (LDA) – some LDA models, e.g., frequency and severity models, project losses based on Monte Carlo simulations.

A is incorrect. Reverse stress testing is not used for modeling but seeks to analyze immeasurable risks by starting from the opposite end and trying to identify circumstances that might cause a firm to fail.

C is incorrect. Monte Carlo simulation is an approach applied under LDA to project losses.

D is incorrect. AMA approach is used for modeling regulatory and economic capital.


Q.5109 A newly hired risk manager of a bank wishes to implement a robust operational risk stress
testing framework at the bank. Which of the following is a potential challenge the manager is least
likely to face when developing and implementing models used in stress testing operational risk?

A. Legal risk is characterized by the delay between adverse macroeconomic conditions and
legal losses suffered by banks

B. It is challenging for Conditional LDA to justify the severity percentile choice

C. Some LDA assumptions do not align with stress testing objectives

D. Quantitative – Qualitative Approach Dimension

The correct answer is D.

Quantitative–Qualitative Approach Dimension is one of the two stress testing dimensions. A stress testing taxonomy helps to understand the evolution of stress testing and the range of stress testing practices.

A is incorrect. There is a challenge associated with legal risk – Legal risk is characterized by the delay between adverse macroeconomic conditions and legal losses suffered by banks. It may take years for business practices that result in litigation to materialize in actual settlement losses. Consequently, forecasts developed under this module must take into account lags between factors leading to the estimate and actual losses.

B is incorrect. To stress severity, a higher percentile of the distribution reflecting the firm's expectations for average losses per event under stressed conditions is selected based on expert judgment. The selected losses are then combined with frequency forecasts through Monte Carlo simulation. Expert judgment and data can also be combined with conditional LDA. However, it is challenging for Conditional LDA to justify the severity percentile choice.

C is incorrect. LDAs lack risk drivers; thus, they assume that a firm's risk exposure remains the same over time. This assumption does not align with the stress testing objectives, which is to understand how an organization's risk exposure changes with time to reflect the changing microeconomic environment and the broader operating environment.


Reading 106: Cyber-resilience: Range of Practices

Q.4263 Assume you are the chief systems manager at your local bank. How best would you approach
the issue of cyber security in line with the Basel Committee Report on cyber-resilience among
regulated institutions?

A. To identify all instances of cyber warfare and establish the severity and potential damage
of attacks, and ensure that findings are publicized and acted upon immediately.

B. To single out all potentially crippling cyber-related vulnerabilities that expose the bank to
large-scale monetary or nonmonetary loss

C. Accept that there can be no absolute security and instead work on developing a robust IT
system and build local and international cooperation and information exchange in order to
reduce threat and build resilience

D. To identify all instances of cyber warfare and potential vulnerabilities with an eye on
complete eradication of threats

The correct answer is C.

There’s growing acceptance that there can be no “absolute security” against cyber weapons. Each passing day, new data anti-theft and anti-malware software is being developed, but cyber threats are growing as fast. In reality, it is nearly impossible to prohibit the weapons and avenues that may be used to propagate cyber warfare. It is not possible to identify all potential “attack points.” In fact, attempts to “root out” and eradicate all potential vulnerabilities may be counterproductive. This explains why A and B are incorrect.

Cyber threats can never be truly eliminated; instead, the ultimate goal for institutions should be the development of a robust, cyber-resilient IT system and building of local and international cooperation and information exchange in order to reduce threat and protect critical information infrastructures.


Q.4264 In response to the increasing number of threats in the cyber space, the Basel committee has
come up with a report aimed at inculcating cyber resilience across the banking industry. The cyber
risk resilience framework encompasses all of the following EXCEPT:

A. Threat anticipation

B. Adapting to changes in the cyber space

C. Rapid recovery from cyber incidents

D. None - All of the above form part of the cyber risk resilience framework

The correct answer is D.

According to the Financial Stability Board (FSB), cyber resilience is the “ability of an organization to continue to carry out its mission by anticipating and adapting to cyber threats and other relevant changes in the environment and by withstanding, containing and rapidly recovering from cyber incidents.”

As such, the report encompasses all of the above.


Q.4265 Capital Bank just went through a serious system breach that resulted in massive loss of
sensitive customer data. The information security department is attempting to restore the system as
well as locate critical data backups. Unfortunately, it appears no one knows exactly what they are
supposed to do. The bank also has a rapid recovery plan in place but the relevant personnel do not
know what protocol to follow in the execution process. What’s more, the recovery team is
struggling to put in a well-coordinated effort to carry out specific tasks. Which of the following
vulnerabilities is most likely to blame for this scenario?

A. Lack of a business impact analysis

B. Failure to back up sensitive data adequately

C. Failure to set up an alternate system

D. Failure to test the disaster recovery strategy

The correct answer is D.

One of the issues raised in the Basel Committee Report on Cyber-Resilience Practices has much to do with insufficient business continuity testing, and this appears to be the main culprit that has led to the situation at the bank.

The report notes that although most regulated entities do have a contingency and recovery plan in readiness for a serious attack, there’s a general lack of testing to determine if the plan indeed works. A disaster recovery test would ensure that everyone in the team knows exactly what they are supposed to do and familiarize everyone with the steps to follow throughout the recovery period.

Option A is incorrect. That the bank has a recovery plan means it must have conducted a business impact analysis, which is essentially an exercise aimed at identifying the most important parts of the business that should be protected and restored immediately after an attack.

Option B is incorrect. The bank does have a back-up system; it is only that the recovery team is not familiar with the recovery process.

Option C is incorrect. Even with a good and working alternate system, it would be very difficult to use it if the bank has not conducted tests to make sure that everyone knows how the system works.


Q.4266 Considering commerce and marketing, which of the following is a significant obstacle to
developing cyber resilience among regulated institutions around the globe?

A. Use of technology, including high-level automation and integration with third parties

B. Large-scale use of third party services

C. Cloud computing and related services

D. All of the above

The correct answer is D.

The biggest stumbling block toward inculcating cyber resilience among regulated institutions has been high-level automation and use of systems that are heavily integrated with third-party service providers and customers. This has resulted in an attack surface that is growing by the day and has only served to increase accessibility from potential adversaries. Increased third-party integration implies that the perimeter of interest to financial sector regulators has gotten bigger, and cloud computing means the perimeter is shared.

Options B and C come up as a result of high-level automation and integration.


Q.4267 According to the Basel Committee report on cyber resiliency among institutions, which of
the following jurisdictions tend to have the least robust regulatory information sharing frameworks?

A. Those with minimum freewill information sharing arrangements

B. Those with observable practices for information-sharing among banks

C. Jurisdictions that have recorded the smallest number of cyber-related incidences

D. Jurisdictions with the highest number of systematically important banks

The correct answer is B.

The Basel committee observes that jurisdictions with observable, well-established information-sharing mechanisms among banks tend to have less robust policies that have been developed by the relevant regulators. This means that the regulators do not feel the need to enforce tough information-sharing if (voluntary) peer sharing practice is well established and effective.

C and D are incorrect. There’s no clear and observable link between the regulatory robustness and cyber frequency or the number of banks in a region.


Q.4268 The Basel Committee notes that most jurisdictions have adopted some information-sharing
mechanism between banks and regulators. According to the committee’s report, the following are
potential sources of concern EXCEPT?

A. The absence of a common standard

B. Sharing of information only when it is mandatory to do so

C. Absence of bank to bank information sharing

D. Reactive reporting of threats

The correct answer is C.

According to the Basel Committee report on Cyber-Resilience Practices, various cybersecurity information-sharing mechanisms are in force, key among them being communications among banks, mostly on a voluntary basis, and communications between banks and regulators. In other words, bank-to-bank information sharing does exist and is not a real concern at the moment.

Option A presents a potential source of concern. The committee notes that there is no common standard. This could lead to withholding of crucial information on possible threats or indicators of compromise.

Option B presents a potential source of concern. The report notes that information-sharing by banks with regulators is typically focused on sharing of cyber-incidents based on mandatory reporting requirements. Institutions should be encouraged to provide information on a voluntary basis, which will in turn lead to positive discourse on matters of risk and increase threat awareness.

The report also notes that most banks favor reactive reporting rather than a more proactive approach. This could bring about delays in the time taken to develop robust protection infrastructures.


Q.4269 With respect to cyber security strategy as outlined in the Basel Committee report on cyber-
resilience, all of the following statements are correct EXCEPT?

A. All regulators expect regulated entities to have a board approved information security
strategy

B. Most jurisdictions have included cyber-risk within their broader risk management
frameworks

C. Most supervisors review regulated entities' information security strategies, but very few
require or evaluate those entities' standalone cyber-security strategies.

D. In most jurisdictions the development of a cyber-security strategy is a mandatory
requirement anchored in law

The correct answer is D.

The committee notes that most regulators do not require regulated entities to have a functional cyber security strategy, but they do expect them to have a board-approved information security strategy, policy and procedures under the broad remit of effective oversight of technology (hence option A is correct).

B is also correct. Many jurisdictions expect that cyber-risk should be covered by the organization-wide risk management framework and/or information security framework, which should be monitored and reviewed by senior managers.

C is also correct. Although most supervisors do review regulated entities’ information security frameworks, most of them do not review or evaluate those entities’ standalone cyber-security strategies.


Q.4270 Which of the following regulatory approaches has been adopted by jurisdictions as a way of
enforcing cyber-security strategy requirements among regulated entities?

I. Mandatory sector specific or cross-sector cyber-security requirements
II. A requirement to develop internal cyber-security strategies by financial institutions
III. Examining whether institutions have an active IT strategy and accompanying security provisions

A. I and II only

B. II only

C. III only

D. All three

The correct answer is D.

The Basel Committee report on Cyber-resilience notes that jurisdictions enforce cyber-security strategy requirements using one or a combination of the following:

I. Regulator-developed cyber security strategy requirements that must be observed by all financial institutions. This is by far the most common approach, especially among emerging market economies.
II. Financial institutions may be required to develop their own cyber-security strategies that are in compliance with existing risk management principles.
III. The regulators actively examine whether financial entities have an IT strategy and security provisions. This is especially common in Europe.


Q.4271 John Henderson, FRM, is the newly appointed chief officer in charge of information systems
and security at Capital Bank. Upon scrutinizing the bank’s cyber-security strategy, he has found that
the bank lacks a well thought out business continuity plan that can be adopted in the event of an
exceptional event or crisis. With the help of other executives, he proceeds to conduct a business
impact assessment and singles out the most critical activities, resources, and services that would be
in need of rapid restoration in the event of a cyber-attack. Which of the following activities would be
most critical before finalizing and implementing the newly developed plan?

A. Consultations with other banks in the same jurisdiction

B. Continuity tests

C. A detailed review of past cyber-related incidences

D. Data recovery tests

The correct answer is B.

Although all four choices present possible procedures that should form part of any business continuity plan, the Basel Committee singles out the business continuity test as a key activity that should be undertaken before implementation begins. The test is meant to confirm the validity of the outlined business continuity and crisis response plans. For example, the test can evaluate whether it is indeed possible to restore services within the specified timelines.


Q.4272 According to the Basel Committee Report on Cyber-Resilience Practices, which of the
following is the “least observed practice across jurisdictions” with respect to information sharing?

A. Information sharing among banks

B. Information sharing among regulators

C. Information sharing by banks with regulators

D. Information sharing by banks with security agencies

The correct answer is B.

The committee notes that the least observed information-sharing practice occurs among regulators. This is a worrying situation, especially when we consider that cyber-fraud is becoming increasingly sophisticated and global. There’s a need to increase information sharing among regulators, not only to increase awareness of emerging risks but also to develop a comprehensive, well-coordinated response that does not leave some industry sectors exposed.


Q.4273 Exim Bank has just completed a risk assessment and business impact analysis (BIA) with
respect to cyber-attacks and the latest emerging threats and vulnerabilities in the cyber space.
However, the bank’s information security manager and business department manager don’t seem to
agree on who will ultimately be responsible for detailed evaluation of the results and risk analysis.
Which of the following would be the best course of action in these circumstances?

A. Acceptance and implementation of the information security manager’s decision on the risk
to the bank

B. Acceptance and implementation of the business department manager’s decision on the risk
to the bank

C. Creation of a new risk assessment and BIA plan to iron out the differences

D. Review the report with senior management for final input

The correct answer is D.

Senior management and executives have a critical role to play in the evaluation and management of cyber risk, and the Basel Committee Report on Cyber Resilience notes as much. Just as with other risks, senior management is ultimately responsible for propagating and maintaining cyber resilience in their institutions. Senior management has a role to streamline and resolve any issues that might come up in the process of putting in place a working solution against cyber risk.


Q.4478 In the context of cyber-resilience practices, which of the following is/are considered (a)
third-party(ies)?

A. Cloud computing services

B. Computer hardware

C. Trading platforms

D. All of the above

The correct answer is D.

To establish a clear understanding of the practices associated with cyber-resilience, third-parties are
taken as:

All forms of outsourcing such as cloud computing services;

Standardized and non-standardized services and products (not considered outsourcing) such as power supply and computer hardware; and

Interlinked counterparties such as trading platforms and central securities depositories.

Q.4479 Assume that you are a human resource manager at a reputable bank. Your bank has advertised
the supply chain manager post, and you are entrusted with shortlisting the candidates based on their
qualifications. Based on the Basel Committee report on regulated institutions, what are the required
qualifications you should look for in the candidates?

A. Certified by Certified Information Systems Security Professionals

B. Certified by an institution which is compliant to ISO 9001 Quality Management System

C. Should have considerable skills in risk management

D. All of the above

The correct answer is D.

Personnel who are certified by Certified Information Systems Security Professionals, or by any
other institution that complies with the ISO 9001 Quality Management System, provide extra
assurance that they have the required qualifications to manage third-party connections. The
personnel should be able to manage the associated risks beyond compliance.


Q.4480 According to the Basel Committee report on regulated institutions, information sharing from
the banks to regulators has some advantages, which include:

I. The regulator can systematically monitor the financial industry.
II. The financial institutions can effectively oversee the incident resolution.
III. Excessive information between the regulator and industries weakens the cyber-risk response framework.
IV. Through the information collected by the regulators, they can give recommendations or requirements to the industries, which can lead to an adjustment of the policies and strategies.

Which of the above advantages are CORRECT ?

A. I and II

B. I and III

C. II and III

D. I and IV

The correct answer is D.

Bank-regulator information sharing is essential because:

It enables the systematic monitoring of the financial industry by the regulators.

The regulatory requirements or recommendations by the regulators can be enhanced to adjust the policies and strategies given the information collected.

The regulators can effectively oversee the incident resolution.

A robust cyber-risk response framework can be developed through the active sharing of information between industries and the regulators.


Q.4481 What is cyber resilience?

A. The ability of an entity to continue to execute its purpose by anticipating and adapting to
cyber threats

B. T he ability of an entity to rapidly recover from the cyber occurrence

C. All of the above

D. None of the above

The correct answer is C.

Cyber resilience is the ability of an organization to continue to carry out its mission by anticipating
and adapting to cyber threats and other relevant changes in the environment and by withstanding,
containing and rapidly recovering from cyber incidents.

Q.4482 Assume that you are a cyber risk manager for a regulated company in a country where
cybersecurity regulations are absent. What is the best course of action you should take to ensure
that your company is secured against cyber threats?

A. Implement the international standard and use prescribed guidance and supervisory
practices

B. Develop new regulations to govern cyber risk in your organization

C. Develop a sound cybersecurity regulation according to regulations

D. Develop cyber risk awareness culture in your company according to regulations

The correct answer is A.

In areas where specific cybersecurity regulations are absent, the supervisors encourage the
regulated organizations to implement the international standard and use prescribed guidance and
supervisory practices according to hierarchical initiatives of national cyber agencies.

Option B is incorrect: It contradicts option A.

Options C and D are incorrect: The question suggests that there are no cyber regulations in this country, but these options suggest otherwise.


Q.4483 In the context of cyber governance, as described in the Basel Committee report on regulated
institutions, which one of the following statements about cyber-security strategy is INCORRECT?

A. Most of the regulators require institutions to develop a cyber-security strategy

B. The organizations are expected to have a board-approved information security strategy,
policy, and procedures based on the rule of effective oversight of technology

C. The regulator or an authority enforces the cybersecurity strategy requirements in
sector-specific or across multiple industries with which financial institutions must comply

D. The financial institutions might develop their own cybersecurity strategies, but they
should comply with the principle-based risk management practices

The correct answer is A.

Most of the regulators do not require organizations to develop a cyber-security strategy.

Option B is true: The organizations are expected to have a board-approved information security strategy, policy, and procedures based on the rule of effective oversight of technology.

Options C and D are true: They are among the three non-mutually exclusive types of regulatory cyber-security strategy requirements.


Q.4484 According to the Basel Committee’s report on the regulated institutions, cyber risk
awareness and risk culture is enhanced through:

A. Cyber training incorporated in all phases of employment, from recruitment to termination,
in a regulated institution

B. Having effective processes and controls that ensure that employees, contractors, and
third-party dealers understand their roles and responsibilities in the quest to reduce the risk
of theft, fraud, or misuse of the institution’s facilities

C. Establishing a common risk culture to ensure effective cyber-risk management

D. All of the above

The correct answer is D.

Regulators require that cyber training be incorporated in all phases of employment, from
recruitment to termination. In some jurisdictions, regulators determine whether the banks have
effective processes and controls that ensure that employees, contractors, and third-party dealers
understand their roles and responsibilities in the quest to reduce the risk of theft, fraud, or misuse of
the institution’s facilities.

Lastly, most of the regulators advocate for the establishment of a common risk culture to ensure effective cyber-risk management.


Reading 107: Case Study: Cyberthreats and Information Security Risks

Q.5110 Which of the following is not an example of an involuntary disclosure under the taxonomy of
information security risks?

A. Database loss

B. Virus infection

C. System disruptions

D. Loss of printed documents

The correct answer is B.

Virus infection is an example of data theft/corruption under external causes. Other examples of theft/corruption include hacking and phishing, theft and transfer of digital/physical information, and departing employees taking proprietary information.

Examples of loss/involuntary disclosure include disaster, systems disruptions, database loss, loss of devices by staff members, loss of printed documents, and errors or accidental mentions of confidential information when communicating with outsiders.


Q.5111 Which of the following is not one of the five guidelines offered by the National Institute of
Standards and Technology (NIST) on cybersecurity standards?

A. Identify

B. Protect

C. Mitigate

D. Recover

The correct answer is C.

Mitigate is not one of the five guidelines offered by the National Institute of Standards and Technology (NIST) on cybersecurity standards. It is one of the information security risks.

The National Institute of Standards and Technology (NIST) provides a framework for cybersecurity, which includes the following five guidelines:

Identify: This step involves identifying and understanding the risks, threats, and vulnerabilities that could impact the organization's information and systems.

Protect: This step involves implementing appropriate safeguards to ensure the confidentiality, integrity, and availability of information and systems.

Detect: This step involves continuously monitoring the organization's information and systems to detect any potential cybersecurity events.

Respond: This step involves having a plan in place to respond to any detected cybersecurity events, including containing the impact and recovering from the event.

Recover: This step involves repairing and restoring damaged equipment and network components after an attack and informing staff and clients of your response and recovery efforts.


Q.5112 Which of the following is an external cause of information security risk?

A. Database loss

B. Loss of printed documents

C. Systems disruptions

D. Departing employees taking proprietary information

The correct answer is C.

External causes of information security risks are factors that originate outside of the organization but can still impact the confidentiality, integrity, and availability of information and systems. Examples of external causes include system disruptions, hacking, phishing, theft, or transfer of digital/physical information.

Options A, B, and D are examples of internal causes of information security risks. These are factors that originate within the organization and can impact the confidentiality, integrity, and availability of information and systems. Examples of internal causes include database loss, loss of printed documents, departing employees taking proprietary information, and errors or accidental mentions of confidential information when communicating with outsiders.


Q.5113 Which of the following five guidelines offered by the National Institute of Standards and
Technology (NIST) on cybersecurity standards is related to reporting an attack to law enforcement
and other authorities?

A. Recover

B. Respond

C. Protect

D. Detect

The correct answer is B.

The respond guideline involves creating and regularly testing a plan for reporting an attack to law enforcement and other authorities.

A is incorrect. The recover guideline aims to ensure that, after an attack, the equipment and parts of your network that were affected are repaired and restored, and that employees and customers are kept informed of your response and recovery activities.

C is incorrect. The protect guideline aims to ensure that there are controls on who logs into networks, encryption of sensitive data, regular security updates, and formal policies for safely disposing of electronic files.

D is incorrect. The detect guideline ensures there is monitoring of computers for any unauthorized personnel access, devices, and software.


Q.5114 Which of the following is not one of the actions under the respond guideline of the National
Institute of Standards and Technology (NIST) on cybersecurity standards?

A. Notifying customers, employees, and others whose data may be at risk

B. Keeping business operations up and running

C. Investigating any unusual activities on your network or by your staff

D. Reporting the attack to law enforcement and other authorities

The correct answer is C.

Investigating any unusual activities on your network or by your staff is an action under the ‘detect’ guideline of the National Institute of Standards and Technology (NIST) on cybersecurity standards.

There are six actions under the respond guideline of the National Institute of Standards and Technology (NIST) on cybersecurity standards:

Notifying customers, employees, and others whose data may be at risk.

Keeping business operations up and running.

Reporting the attack to law enforcement and other authorities.

Investigating and containing an attack.

Updating your cybersecurity policy and plan with lessons learned.

Preparing for inadvertent events (like weather emergencies) that may put data at risk.


Q.5115 Which of the following is a category of informational controls that address actions taken by
people when it comes to handling and protecting information?

A. Technical controls

B. Behavioral controls

C. Prevention controls

D. Detection controls

The correct answer is B.

There are two broad categories of informational controls: behavioral and technical controls.

Behavioral controls are a category of informational controls that address actions taken by people when it comes to handling and protecting information. Behavioral controls are a type of administrative control that focuses on influencing the behavior of people within an organization to reduce information security risks. Examples of behavioral controls include security awareness training, policies and procedures, background checks, and security clearances.

A is incorrect. Technical controls are controls that use technology to manage information security risks, such as firewalls, intrusion detection systems, and encryption.

C is incorrect. Prevention controls are controls that aim to prevent security incidents from occurring, such as access control policies, and change.

D is incorrect. Detection controls are controls that aim to detect and respond to security incidents, such as intrusion detection systems, security monitoring, and incident response plans.

Options C and D are actually subcategories under technical controls.

Q.5116 Which of the following is not a requirement for a company to be certified as ISO27001
compliant?

A. Have an Information Security Management System (ISMS) that manages its information
security risks

B. Design and implement information security, including effective and comprehensive
controls

C. Adopt an ongoing risk management process

D. Guidance in response and recovery from cybersecurity incidents

The correct answer is D.

The NIST Framework for Improving Critical Infrastructure Cybersecurity provides guidance in response and recovery from cybersecurity incidents. This is not a requirement for a company to be certified as ISO27001 compliant.

For a company to be certified as ISO27001 compliant, it needs to:

Create and implement an Information Security Management System (ISMS) that manages information security risks and ensures information confidentiality, integrity, and availability.

Perform a risk assessment to identify and evaluate the threats to information confidentiality, integrity, and availability.

Create and implement a risk management strategy to address the identified risks.

Establish and enforce information security controls to keep risks to a manageable level.

Create a process for monitoring, measuring, analyzing, and evaluating the ISMS's performance.

Improve the ISMS on a continuous basis based on the results of the monitoring and evaluation process.

Train employees and make them aware of the risks to information security and the importance of adhering to the ISMS.

Conduct regular internal audits to ensure that the ISMS is working properly and efficiently.

Undergo external audits by an accredited certification body to ensure compliance with the ISO 27001 standard.

Create a procedure for responding to and managing information security incidents, as well as conducting post-incident reviews.

Q.5117 A risk manager at a large bank claims that when talking about information control, it is
important to consider the different types or categories of control that exist. These categories can
provide a framework for understanding how information is being controlled, who has control over it,
and what the implications of that control may be. Which of the following is a correct category of
information control?

A. Protect

B. Recover

C. Behavioral

D. Detect

The correct answer is C.

Information control can be grouped into two broad categories:

Behavioral controls: These involve putting policies, procedures, and training programs in place to influence the behavior of people who handle sensitive information. This information control category seeks to minimize the possibility of human error or intentional wrongdoing that could jeopardize the confidentiality, integrity, or availability of information by addressing human behaviors related to information handling and protection.

Technical controls: These are a type of information control in which technology-based solutions are used to manage access to information and protect it from various threats. To secure information systems and applications, technical controls may be set up at various levels, including hardware, software, and network layers. Firewalls, intrusion detection and prevention systems, encryption, access controls, and monitoring tools are examples of technical controls.

Options A, B, and D are incorrect. These are guidelines offered by the National Institute of Standards and Technology (NIST) on cybersecurity standards.


Q.5118 Which of the following five guidelines offered by the National Institute of Standards and
Technology (NIST) on cybersecurity standards involves creating and sharing a company
cybersecurity policy that covers roles and responsibilities of employees?

A. Recover

B. Protect

C. Identify

D. Detect

The correct answer is C.

The identify guideline involves making a list of all equipment, software, and data used by the company, as well as creating and sharing a company cybersecurity policy that covers roles and responsibilities of employees.

A is incorrect. The recover guideline aims to ensure that, after an attack, the equipment and parts of your network that were affected are repaired and restored, and that employees and customers are kept informed of your response and recovery activities.

B is incorrect. The protect guideline aims to ensure that there are controls on who logs into networks, encryption of sensitive data, regular security updates, and formal policies for safely disposing of electronic files.

D is incorrect. The detect guideline ensures there is monitoring of computers for any unauthorized personnel access, devices, and software.


Q.5119 Which of the following actions does not fall under the ‘protect’ step of the National Institute
of Standards and Technology (NIST) guidelines?

A. Controlling who logs onto a company’s network

B. Updating security software regularly

C. Creating a company cybersecurity policy that covers roles and responsibilities of
employees

D. Having formal policies for safely disposing of electronic files

The correct answer is C.

Creating a company cybersecurity policy that covers roles and responsibilities of employees is a step under 'identify' in the National Institute of Standards and Technology (NIST) guidelines.

Under the ‘protect’ step of the National Institute of Standards and Technology (NIST) guidelines, a company should:

control who logs on to its network and uses its computers and other devices;

use security software to protect data;

encrypt sensitive data;

conduct regular backups of data;

update security software regularly;

have formal policies for safely disposing of electronic files and old devices; and

train everyone who uses its computers, devices, and network about cybersecurity.


Reading 108: Sound Management of Risks related to Money Laundering and Financing of Terrorism


Q.2986 A Russian money launderer sends corruption proceeds to a foreign bank account of a
corporation X. A new Russian investment company Y is incorporated where he is appointed a
director. To invest in real estate in Russia, the new company borrows from corporation X. The
estate is rented out to members of the public and the funds used to repay the loan. What is the
common name given to this method of laundering?

A. Manipulation of loan

B. Real estate transactions offsetting

C. Loan back

D. Layering

The correct answer is C.

"Loan back" refers to a money laundering technique in which illicit funds are routed through a front company before being transferred back to the launderer via a loan or other financial transaction. This gives the appearance of a legitimate loan or investment, and the funds can be used for additional illegal activities or to appear as legitimate profits.

A is incorrect. Loan manipulation is a type of loan fraud in which a borrower provides misleading or inaccurate information in order to obtain a loan or changes the terms of an existing loan without the lender's knowledge or consent.

B is incorrect. Real estate transactions offsetting refers to a legal practice in the real estate industry in which profits from one real estate transaction are used to offset losses from another. However, in this case, it refers to using real estate transactions to launder money by drastically increasing the value of a property, buying and selling properties quickly to generate large profits, or using real estate transactions to conceal the true source of funds.

D is incorrect. Layering is a type of money laundering in which illicit funds are moved through a complex series of transactions or accounts to conceal their origin and make tracing them difficult. There is evidence of funds being moved through multiple accounts in the scenario described, but there is no evidence of complex transactions or accounts being used to conceal the origin of the funds.


Q.2987 Which of the following is the main driver behind the Know Your Customer (KYC) programs
outlined in the Basel Committee's papers on customer due diligence for banks?

A. Protecting the integrity of the banking systems.

B. The Financial Action Task Force's (FATF) recommendations.

C. Protecting the integrity of the capital markets.

D. Customer protection.

The correct answer is A.

The primary motivation for the KYC programs outlined in the Basel Committee's papers on customer due diligence for banks is to prevent money laundering, terrorist financing, and other financial crimes that can jeopardize the banking system's integrity. KYC programs assist banks in identifying and verifying their customers' identities, assessing the risks associated with their activities, and monitoring their transactions for suspicious activity.

B is incorrect. The FATF establishes international standards for anti-money laundering and counter-terrorism financing, but the Basel Committee develops guidelines for banks to use in their KYC programs.

C is incorrect. Protecting the integrity of the capital markets is an important consideration for KYC programs. However, it is not a primary motivation behind the KYC programs outlined in the papers of the Basel Committee.

D is incorrect. Customer protection is not a primary motivation. KYC programs help banks to identify and verify the identity of their customers, assess the risks associated with their activities, and monitor their transactions for suspicious activity.


Q.2988 What is the most useful report to be used by a bank’s anti-money laundering representative
to inform the senior management concerning the progress of the anti-money laundering program in
the organization?

A. Law enforcement inquiry details

B. Credit exposure report

C. Management changes notification

D. Report on audits and examinations results

The correct answer is D.

Reports on audit and examination results would be the most useful report for informing senior management about the organization's anti-money laundering program's progress. This report would provide an in-depth look at the organization's anti-money laundering program, highlighting its strengths and weaknesses. It would contain information on any audits or examinations that have taken place, as well as any findings or recommendations made by auditors or examiners. The report would also detail any actions taken in response to these findings, as well as any improvements or enhancements made to the program over time.

A is incorrect. These details are typically related to specific cases and investigations, rather than the overall progress of the program.

B is incorrect. A credit exposure report provides information about the amount of credit risk the bank is exposed to, but it is not necessarily related to the progress of the anti-money laundering program.

C is incorrect. While changes in management can impact the program's effectiveness, this information does not provide an overview of the program's progress or its strengths and weaknesses.


Q.2989 A suspected individual in a bank is being investigated for money laundering. Three of the
following are important financial records the anti-money laundering team should provide to the legal
representatives. Which one is NOT?

A. All wire transfers for the individual for the said period of time.

B. Signature cards for the accounts opened by the individual.

C. Security trading activities for the individual during the time provided.

D. The individual’s monthly statement and transaction activities over the period involved.

The correct answer is B.

Signature cards let banks identify the rightful signatories for personal or business accounts and are
therefore not a sufficient record for investigating money launderers.

Q.2990 The misuse of non-profit organizations for the financing of terrorism is coming to be
recognized as a crucial weak point in the global struggle to stop such funding at its source. The
following are characteristics that can facilitate the misuse. Which one is NOT?

A. The public trust gained

B. The listing as government non-profit organization

C. Global presence enabling national and international operations and financial transactions

D. Many sources of funds

The correct answer is B.

The listing as a government non-profit organization is NOT a feature that can facilitate the misuse of non-profit organizations for terrorist financing.

Terrorists may be drawn to non-profit organizations (NPOs) because they can provide a legitimate-appearing cover for the transfer of funds. There are several characteristics that can facilitate the misuse of NPOs for terrorist financing, but being listed as a government non-profit organization is not one of them. Indeed, being government-listed may subject an NPO to more stringent regulations and oversight, making it more difficult to misuse.

The other options are characteristics that can facilitate the misuse of NPOs for financing terrorism.


Q.2991 Blackest Bank wants to promote an anti-money laundering culture. Which of the following is
an appropriate action by the senior management to enable them to achieve the said task?

A. As an employment condition, compliance with anti-money laundering procedures should be
included.

B. The management should have close ties with the anti-money laundering program’s
independent auditors.

C. Employees’ compensation should be based on how many suspicious activities they
engage in.

D. Back-end employees must attend training sessions with frontline employees.

The correct answer is A.

By signing a pact to comply with anti-money laundering procedures, employees are legally liable
for any misconduct regarding corruption and laundering.


Q.3121 A new customer walks into a bank and requests to open a commercial account. In the
process, the customer provides an address for the account located across the city. He reveals that
he is also interested in opening a personal stocks trading account. He goes ahead to ask how deposits
can be made into his account and if there are any additional identification documents required, and
how to go about moving balances out of the account using wire transfers. He does not ask any
questions regarding the fees associated with these transactions. What red flags should the account
representative look out for during the onboarding process for this new customer?

A. The customer provides an address for the account located across the city from the
branch.

B. The customer expresses interest in opening a personal stocks trading account.

C. The customer asks questions about how to make deposits and move balances out of the
account using wire transfers.

D. The customer does not ask any questions regarding the fees associated with transactions.

The correct answer is B.

The customer expressing interest in opening a personal stocks trading account should be a red flag for the account representative during the onboarding process for this new customer. This could be an indication that the customer is looking to move funds around or engage in other suspicious activities.

A is incorrect. The customer providing an address for the account that is across town from the branch is not necessarily a red flag, as many customers live or work far away from the bank branch where they open their account.

C is incorrect. The customer inquiring about how to make deposits and transfer balances out of the account via wire transfers is not necessarily a red flag, as these are legitimate questions that any new customer would have.

D is incorrect. A customer who does not ask questions about transaction fees is not necessarily a red flag, as some customers may be more concerned with other aspects of their account and are less interested in the fees. However, the account representative should still make sure that the customer is informed of any account fees and charges.


Q.3122 Under what circumstances may a bank rely on a third party for customer due diligence
(CDD)?

A. When the third party has an established business relationship with the customer.

B. When the third party is a bank or financial institution, regardless of the nature of the
relationship with the customer.

C. When the third party is subject to different levels of supervision and regulation than the
bank, but is able to demonstrate a strict AML/CFT program.

D. When the bank conducts periodic checks to ensure the third party's CDD process is more
comprehensive than its own.

The correct answer is A.

A bank may rely on a third party for customer due diligence when the third party has an established
business relationship with the customer and the bank establishes a written document acknowledging
the reliance on the other party's CDD processes.

B is incorrect. In some jurisdictions, banks can only rely on CDD from fellow banks and financial institutions.

C is incorrect. The third party should be subject to the same level of supervision and regulation as the bank.

D is incorrect. The bank should conduct periodic checks to ensure that the third party's CDD process is as comprehensive as its own, but not more comprehensive.


Q.3123 A bank in Italy holds a business account for an Italian company that sells suits throughout
Europe and North America. Information provided during the account opening process states that the
purpose of this account is to receive payment for sales. A year-long review of the account shows a
pattern of wire transfers coming from pass-through accounts. There are also significant transactions
involving purchases of garments and cotton from China and India. The MOST important factor in
assessing whether money laundering is a threat is that:

A. The account is apparently used for both sales and purchases.

B. Payments originate from third party accounts.

C. Account holder maintains raw materials rather than finished pieces of clothing.

D. Most transactions involve wire transfers rather than cash deposits.

The correct answer is B.

That the money comes from third parties through pass-through accounts raises the toughest
questions about the integrity of the account. Pass-through (payable-through) accounts are accounts
through which banking agencies extend money transfer privileges to the customers of other
institutions, often foreign banks. PTAs may be prone to higher risk because banks do not subject the
foreign customers to the same level of due diligence as domestic customers who want to open
checking and other accounts. It’s possible that the money wired into the account comes from illicit
activity.


Q.3124 Which of the following is the main role of supervisors in banks under the Anti-Money
Laundering (AML) and Countering Financing of Terrorism (CFT) framework put forth by the Basel
Committee?

A. Approval and oversight of AML/CFT risk management policies and procedures.

B. Advising banks on the best risk management strategies.

C. Evaluating whether the reporting entity has an appropriate and reasonable risk
assessment, and an AML/CFT programme that reflects inherent risks.

D. Helping banks to develop a sound AML/CFT risk management system that can keep track
of all customer transactions.

The correct answer is C.

The role of supervisors is to independently scrutinize and verify AML/CFT policies and procedures.
They have a mandate to ensure that banks in their jurisdiction maintain sound ML/FT risk
management to protect the integrity of both the banks and the financial system as a whole.

A is incorrect. Approval and oversight is the responsibility of the board.

B and D are duties of the chief AML/CFT officer.


Q.3125 What is the role of the AML/CFT chief officer in the second layer of defense in anti-money
laundering and countering the financing of terrorism?

A. Conducting customer due diligence checks.

B. Continuously monitoring the bank's compliance with AML/CFT duties.

C. Conducting forensic investigations into suspicious transactions.

D. Reviewing and approving high-risk transactions.

The correct answer is B.

The AML/CFT chief officer is responsible for continuously monitoring the bank's compliance with AML/CFT duties as part of the second layer of defense in anti-money laundering and countering the financing of terrorism. This includes conducting sample testing to ensure compliance and reviewing exception reports to alert senior management or the board of directors if there are concerns that AML/CFT procedures are not being addressed in a responsible manner.

A is incorrect. Customer due diligence checks are typically conducted by the first line of defense, which includes customer-facing employees such as relationship managers.

C is incorrect. Forensic investigations into suspicious transactions are typically conducted by specialized units within the bank's compliance function.

D is incorrect. Reviewing and approving high-risk transactions is typically the responsibility of the bank's compliance function or risk management function.


Q.3126 Paul Khan, a risk manager at the bank of India, is presenting to the board of directors on
important AML/CFT considerations including responsibilities of various components of AML/CFT
governance. What is the responsibility of internal audit in the bank's AML/CFT policies and
procedures?

A. Monitoring customer transactions.

B. Approving new customer accounts.

C. Evaluating the effectiveness of risk management and controls.

D. Developing AML/CFT policies and procedures.

The correct answer is C.

The internal audit is responsible for evaluating the effectiveness of risk management and controls in the bank's AML/CFT policies and procedures. They report their findings to the board of directors' audit committee or a similar oversight body.

A is incorrect. Monitoring customer transactions is typically the responsibility of the first line of defense, such as front-line staff.

B is incorrect. Approving new customer accounts is typically the responsibility of the second line of defense, such as compliance staff.

D is incorrect. Developing AML/CFT policies and procedures is typically the responsibility of the second line of defense, such as compliance staff.


Q.3127 The following are lines of defense in the context of AML/CFT EXCEPT:

A. The supervisor

B. The internal audit function

C. The chief AML/CFT officer and the compliance department

D. Customer-facing activities

The correct answer is A.

The three lines of defense are:

Line 1: Business units/customer-facing activity charged with identifying, assessing, and controlling
the ML/FT risks inherent in their business.

Line 2: Chief Officer in charge of AML/CFT, the compliance function, and human resources or
technology. The chief AML/CFT officer should be in charge of continuous monitoring of all ML/FT
objectives.

Line 3: Internal audit office: The office should regularly perform an independent assessment of the
AML/CFT policies and procedures and seek to find out whether such policies are being followed to
the letter.

Q.3128 What is the reasoning behind implementing a “risk-based anti-money laundering and combating
financial terrorism approach”?

A. It allows banks to focus on selling products that surpass a specified “hurdle” rate of
return.

B. A qualitative approach would yield better results than a quantitative approach.

C. Banks can best detect instances of money laundering by customers where the money
laundering risks are high.

D. It allows banks to best monitor their profits.

The correct answer is C.

A bank should consider all the relevant inherent and residual risk factors at the country, sectoral,
bank, and business relationship level, among others, to determine its risk profile. A risk-based
AML/CFT approach ensures that the bank comes up with customers' risk profiles as guided by the
nature and amount of their transactions. The bank can even place accounts in distinct groups
depending on the level of risk posed, making it easier to identify and flag suspicious activity.


Q.3129 Simon works as the chief risk officer at XYZ Bank. He is looking at the transactions of one of
the bank’s customers, Mr. Lincoln, a commercial account holder and owner of a check cashing
company. Over the last eight months, Mr. Lincoln has made multiple check deposits but not a single
withdrawal of cash against those deposits. Mr. Lincoln also deposited two checks for US$10,000 each
that were issued by an infamous casino in town. When checking the account’s details, Simon finds
out that during account opening, Mr. Lincoln went to great lengths to establish the various fees and
commissions attached to his account. Mr. Lincoln also has a savings account at the bank, but it has had
little activity over the same period. What should arouse Simon’s suspicion the most? Mr. Lincoln:

A. Showed an untypical level of curiosity about fees.

B. Made significant deposits from casinos.

C. Has multiple accounts at the institution.

D. Did not make withdrawals of cash against check deposits.

The correct answer is D.

Check cashing companies, also known as money services businesses, provide customers with an
easy way to turn their checks into cash without having to rely on a bank account. As such, one would
expect to see deposit activity that’s commensurate with cash withdrawals as the money is released
to the relevant persons. That this did not happen for a prolonged period raises questions as to the
source of the check deposits.


Q.3130 A large banking group has an AML compliance program that addresses procedures for filing
Suspicious Transaction Reports and includes policies, procedures and internal controls for customer
identification, information sharing, account monitoring, and identifying money laundering red flags.
Each of the bank’s 12 branches undergoes mandatory AML/CFT trainings in April and November
each year, all conducted as online conferences via a video link. The board does not take the Internet
training. Instead, the chief risk officer organizes a luncheon at the head office where an outsider
comes in and trains them. The program provides for the appointment of a chief AML/CFT officer,
and twice a year the chief AML/CFT officer conducts an audit of the AML/CFT framework. In what
respect does the program need improvement?

A. The AML program should be tested more than twice per year.

B. Employees should be trained in a classroom, not via the internet because physical training
is better.

C. The group should consolidate the training sessions across its subsidiaries into a single
event.

D. The AML/CFT program should be tested by an independent party, not the chief AML/CFT
officer.

The correct answer is D.

Internal audit, the third line of defense, plays an important role in independently evaluating a bank’s
risk management and controls. The office should be sufficiently independent so that adherence to the
various policies and procedures is assessed without compromise. Since the chief risk officer doubles
up as the developer and advisor on matters AML and FT, there could be a conflict of interest if they
were to assess the same policies and procedures that they have developed.


Reading 109: Case Study: Financial Crime and Fraud

Q.5120 An operational risk manager at the bank is presenting on financial crimes and fraud. He starts
his presentation by defining financial crime. Which of the following is the correct definition of a
financial crime?

A. Any criminal conduct relating to money or to financial services or markets

B. Losses due to acts intended to defraud, misappropriate property or circumvent
regulations, the law, or company policy excluding diversity/discrimination events involving at
least one internal party

C. Losses due to acts of a type intended to defraud, misappropriate property or circumvent
the law by a third party

D. Misappropriation of assets, such as extortion, embezzlement, malicious destruction of
assets, bribery, and tax evasion

The correct answer is A.

According to the Financial Conduct Authority's (FCA) Handbook of the UK, financial crime refers to "any kind of criminal conduct relating to money or to financial services or markets, including any offence involving: fraud or dishonesty; or misconduct in, or misuse of information relating to, a financial market; or handling the proceeds of crime; or the financing of terrorism."

B is incorrect. This is the definition of internal fraud.

C is incorrect. This is the definition of external fraud.

D is incorrect. This refers to a sub-category of internal fraud, i.e., "theft and fraud."

Q.5121 Different countries may have different laws against money laundering and terrorism
financing. On 20 May 2015, the European Parliament and Council issued a directive to prevent the
use of the financial system for money laundering or terrorist financing. According to the European
Union, which of the following activities are considered money laundering?

A. Knowingly converting or transferring property derived from criminal activity in order to
disguise the illicit origin of the property or to assist someone involved in such an activity to
evade the legal consequences of his actions

B. The provision or collection of funds to be used, partly or in full, to facilitate any offense
considered by the authorities as a terrorism act


C. Any intentional violation of the law or of internal policies perpetrated by the firm's
employees

D. Getting the money out to use while evading taxes and law enforcement through activities
such as fake payments to employees, fake loans, or dividends to accomplices

The correct answer is A.

On 20 May 2015, the European Parliament and Council issued a directive to prevent the use of the financial system for money laundering or terrorist financing. According to article 1 of this directive, money laundering involves any of the following:

i. Knowingly converting or transferring property derived from criminal activity in order to disguise the illicit origin of the property or to assist someone involved in such an activity to evade the legal consequences of his actions;
ii. The disguise of the true nature, source, location, disposition, movement, or ownership rights of property derived from criminal activity or participation in criminal activity knowingly;
iii. Acquiring, possessing, or using property, knowing, at the time of ownership, that the property had been obtained through criminal activity;
iv. Associating with, participating in, committing, attempting to commit, as well as aiding, assisting, facilitating, and counseling the commission of any of the actions listed in points (i), (ii), and (iii).

B is incorrect. This is the IMF definition of terrorism financing.

C is incorrect. This is just a sub-category of internal fraud. Internal fraud can be of two types: "unauthorized activities" and "theft and fraud." "Unauthorized activities" may lead to loss of money for the organization, and it also includes any intentional violation of the law or of internal policies perpetrated by the firm's employees.

D is incorrect. This is among the phases of money laundering, i.e., integration or extraction. Other phases of money laundering include placement and layering.


Q.5122 A risk manager at a large bank states that the bank has zero tolerance for internal fraud. He
goes ahead to highlight that the bank has a robust framework of controls and measures to mitigate
internal fraud risks. Which of the following is a component of such a framework?

A. Inspections

B. Selection

C. Placement

D. Layering

The correct answer is B.

The following are the components of a framework of controls and measures to mitigate internal fraud risks:

i. Selection: Involves screening of employees and associated third parties. The organization's culture is also considered in this step. When firms employ people who share the same values and ethical standards, it is easier for the firms to manage such employees. Selection is also an important mitigation mechanism in AML and third-party risk management.
ii. Prevention: The key controls for fraud prevention are found in this step. The rights, authority, and access of each function must be clearly defined in order to manage fraud risk effectively.
iii. Detection: Time to detection is critical in limiting the effects of an operational risk event. Detective controls are essential in internal fraud management and act as a deterrent as well: Fraud is least likely to happen if the consequences are severe. Effective supervision and monitoring help to limit internal fraud.
iv. Deterrents: These are sanctions and actions announced following any act of fraud. Deterrents also disincentivize employees to commit fraud, thus promoting the risk-reward balance.

A is incorrect. Historically, the internal audit department was responsible for managing internal and external fraud for banks. Some banks used to have "inspections," which was a subdivision of the internal audit responsible for detecting, monitoring, and reporting fraud.

C is incorrect. This is a phase of money laundering.

D is incorrect. This is also a phase of money laundering.


Q.5123 An operational risk manager at a bank has asked a junior analyst to prepare a presentation on
AML risk management to be presented to the board's risk committee. Which of the following
controls falls under the "deterrents" step of AML controls?

A. Transaction monitoring system.

B. Staff information and training.

C. Ethos and values.

D. Legal pursuits.

The correct answer is D.

Deterrents are sanctions and actions announced following any act of fraud. Deterrents also disincentivize employees to commit fraud, thus promoting the risk-reward balance. Deterrents include escalation to the relevant financial intelligence unit (FIU), legal pursuits, and closure of accounts.

A is incorrect. Transaction monitoring system falls under "detection."

B is incorrect. Staff information and training fall under "prevention."

C is incorrect. Ethos and values fall under "selection."


Q.5124 A newly hired money laundering risk officer is presenting on AML risk management. He
highlights that it is common for criminals to disguise the proceeds of their criminal activities into
legitimate sources of funds in two or three phases. Which of the following is a phase of money
laundering?

A. Placement

B. Deterrent

C. Detection

D. Protection

The correct answer is A.

It is common for criminals to disguise the proceeds of their criminal activities into legitimate sources of funds in two or three phases. The following are the three phases of money laundering:

1. Placement: involves all methods intended to disguise the origins of the funds: cash transfer to business, false invoicing, use of trusts and offshore companies, "smurfing" (keeping a bank account or credit card under the AML reporting threshold by making a series of small transactions rather than a single large transaction), using foreign bank accounts, etc.
2. Layering: involves different placement and extraction strategies to make tracking transactions as difficult as possible and circumvent AML controls.
3. Integration or extraction: involves getting the money out to use while evading taxes and law enforcement through activities such as fake payments to employees, fake loans, or dividends to accomplices.

B, C and D are incorrect. These are control measures for AML.


Q.5125 The CEO of a bank highlights that the bank is practicing comprehensive AML risk
management. Which of the following statements would justify the CEO's claim that the bank is
practicing comprehensive Anti-Money Laundering (AML) risk management?

A. The bank has established robust customer due diligence (CDD) procedures.

B. The bank has never had a customer involved in a money laundering scheme.

C. The bank has hired a new CEO with extensive experience in AML risk management.

D. The bank has reported suspicious transactions to the relevant authorities.

The correct answer is A.

Comprehensive AML risk management entails developing and putting in place strong policies, procedures, and controls to prevent money laundering and terrorism financing. Customer due diligence (CDD) is an important component of AML risk management that requires the bank to perform background checks and verify customers' identities. The bank is taking a proactive approach to mitigating AML risks and complying with regulatory requirements by establishing robust CDD procedures.

B is incorrect. The fact that the bank has never had a customer involved in a money laundering scheme is not sufficient evidence to support the claim that the bank is practicing comprehensive AML risk management. The bank may simply have been lucky and not yet detected any such activity.

C is incorrect. The fact that the bank has hired a new CEO with extensive experience in AML risk management is not enough to justify the claim that the bank is practicing comprehensive AML risk management. While having a knowledgeable CEO is important, the bank's policies and procedures must be in place and followed to ensure comprehensive AML risk management.

D is incorrect. Reporting suspicious transactions to the relevant authorities is a critical aspect of AML risk management. However, it alone is not sufficient evidence to justify the claim that the bank is practicing comprehensive AML risk management. The bank must have a robust AML program in place, including customer due diligence, transaction monitoring, and training for employees.


Q.5126 In its 2022 report, the FCA examines financial crime controls at challenger banks, which are
fully digital and offer customers the ability to open accounts very quickly. Which of the following is a
key finding highlighted by UK regulators in their examination of financial crime controls at challenger
banks in their 2022 report?

A. Challenger banks tend to perform better than traditional banks in identifying higher-risk
customers.

B. Challenger banks need to improve their systems for identifying and verifying customer
information.

C. Challenger banks are not required to follow AML regulations because they operate fully
digitally.

D. Traditional banks are more susceptible to financial crime than challenger banks.

The correct answer is B.

The key finding highlighted by the UK regulators in their examination of financial crime controls at
challenger banks in their 2022 report is that challenger banks need to improve their systems for
identifying and verifying customer information. The report highlights the risk that account opening
information may be insufficient to identify higher-risk customers, which makes it difficult for
challenger banks to effectively manage their AML risks. Therefore, the regulators are
recommending that challenger banks improve their systems for identifying and verifying customer
information.

A is incorrect. The claim that challenger banks tend to perform better than traditional banks in
identifying higher-risk customers is not highlighted in the report. In fact, the report highlights the
risk that account opening information may be insufficient to identify higher-risk customers.

C is incorrect. Just like traditional banks, challenger banks are subject to AML regulations and must
have robust AML programs in place to prevent financial crime.

D is incorrect. The claim that traditional banks are more susceptible to financial crime than
challenger banks is not highlighted in the report. While the report does not directly compare the
susceptibility of traditional banks and challenger banks to financial crime, it highlights the need for
challenger banks to improve their systems for identifying and verifying customer information to
effectively manage their AML risks.


Q.5127 Which of the following is a lesson learned from the USAA Federal Savings Bank (FSB) case
study, where it was fined $140 million by the Financial Crimes Enforcement Network (FinCEN) and
the Office of the Comptroller of the Currency (OCC) for failing to implement and maintain a
BSA/AML compliance program?

A. Banks should prioritize customer service over compliance to remain competitive.

B. Banks should implement robust BSA/AML compliance programs to avoid penalties.

C. Banks should minimize their reporting of suspicious activities to avoid regulatory scrutiny.

D. Banks should shift their compliance focus away from AML to other areas such as
cybersecurity.

The correct answer is B.

The USAA FSB case study highlights the importance of implementing and maintaining a robust Bank
Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program to avoid penalties. The bank
was fined $140 million for failing to implement and maintain a BSA/AML compliance program, which
put the bank at risk for money laundering and terrorist financing activities. Therefore, the lesson
learned from this case is that banks should prioritize BSA/AML compliance to avoid penalties and
regulatory scrutiny.

A is incorrect. Compliance is a fundamental aspect of banking and is critical to maintaining
customer trust and protecting the integrity of the financial system.

C is incorrect. Banks are required by law to report suspicious activities to regulatory authorities,
and failure to do so can result in severe penalties.

D is incorrect. While cybersecurity is a critical area of concern for banks, AML compliance is also
essential for preventing money laundering and terrorist financing activities. Banks must have robust
programs in place for both areas to effectively manage their risks.


Q.5128 A junior analyst is analyzing the USAA Federal Savings Bank (FSB) case in which FinCEN and
OCC charged USAA FSB $140 million. Which of the following is the main reason why USAA FSB was
fined $140 million?

A. USAA FSB failed to offer competitive interest rates to its customers.

B. USAA FSB failed to provide adequate customer service to its customers.

C. USAA FSB failed to implement and maintain a BSA/AML compliance program.

D. USAA FSB failed to invest in innovative financial technology.

The correct answer is C.

The main reason why USAA FSB was fined $140 million by FinCEN and OCC was for failing to
implement and maintain a Bank Secrecy Act/Anti-Money Laundering (BSA/AML) compliance program.
Deficiencies pointed out include inadequate internal controls; detection, evaluation, and reporting of
suspicious activity; staffing; training, and third-party risk management, as well as significantly
understaffed BSA/AML compliance departments. The bank's failure to comply with BSA/AML
requirements put it at risk for money laundering and terrorist financing activities.

A is incorrect. Interest rates are not related to the bank's BSA/AML compliance program.

B is incorrect. Customer service is not related to the bank's BSA/AML compliance program.

D is incorrect. While technology can assist with compliance, the failure to invest in innovative
financial technology is not related to the bank's failure to implement and maintain a BSA/AML
compliance program.


Reading 110: Guidance on Managing Outsourcing Risk

Q.2318 Tummers Bank from New York, USA, is considering outsourcing some of its activities to a
third party. Which of the following risks (among others) should the bank consider before making a
final decision?

A. Credit, market, and operational risks

B. Reputational, operational, and compliance risks

C. Portfolio, counterparty, and market risks

D. Country, legal, and counterparty risks

The correct answer is B.

Financial institutions should consider the following risks before entering into (and also during)
outsourcing arrangements:

Compliance risks

Concentration risks

Reputational risks

Country risks

Operational risks

Legal risks


Q.2319 A bank based in Texas, USA, is considering outsourcing its human resource activities to an
HR agency. Its risk management team is considering all potential risks that could arise from this
arrangement, particularly compliance risks. Which of the following would qualify as a compliance
risk?

A. Advertising jobs without regard to existing labor laws.

B. Negative public opinion because of poor performance of outsourced activities.

C. Acceptance of fake academic documents.

D. Delays in service delivery.

The correct answer is A.

Compliance risk arises when a service provider fails to comply with existing laws and regulations.
Advertising jobs without regard to existing labor laws could be interpreted as an act of condoning
integrity and can expose the bank to lawsuits sponsored by the government or some other regulatory
body.

Q.2321 LAB Bank from Los Angeles, USA, is considering outsourcing its IT activities to East IT India,
an Indian company. East IT India would provide the bank with IT services such as database hosting,
software development and maintenance, problem-solving, etc. Which risk should be specially taken
into consideration while making the final decision about this arrangement?

A. Outsourcing risk

B. Operational risk

C. Country risk

D. Competency risk

The correct answer is C.

Country risks arise when a financial institution engages a foreign-based service provider, exposing
the institution to possible economic, social, and political conditions and events from the country
where the provider is located. In this scenario, the bank would be exposing itself to possible
economic/political/infrastructural risks in India.


Q.2322 New Savings Bank from Texas, USA, recently outsourced its IT services to Novel IT
Service company (NIS) from Los Angeles, USA. NIS has a rich history spanning several decades but
has recently been the subject of public criticism for various legal violations, as well as poor service
delivery, punctuated by costly delays. NIS has most likely exposed the bank to:

A. Outsourcing risk

B. Credit risk

C. Reputational risk

D. Concentration risk

The correct answer is C.

Reputational risks arise when actions or poor performance of a service provider cause the
public to form a negative opinion about a financial institution.

Q.2323 Which of the following statements is correct?

A. After the outsourcing of an activity, all responsibility with regard to outsourced activities
is transferred to the third party.

B. After the outsourcing of an activity, the third party and senior management have partial
responsibility.

C. After the outsourcing of an activity, senior management is still responsible for normal
functioning of the bank.

D. It is not possible to outsource accounting services.

The correct answer is C.

The use of service providers does not relieve a financial institution's board of directors and senior
management of their responsibility to ensure that outsourced activities are conducted in a
safe-and-sound manner and in compliance with applicable laws and regulations. Policies governing
the use of service providers should be established and approved by the board of directors, or an
executive committee of the board. Note that option B is incorrect. There's nothing like “partial”
responsibility in the context of outsourcing.


Q.2324 WPC performs an audit on financial statements of Anderson Bank. After performing really
well, the bank decides to offer the company an internal audit role in addition to the existing role. The
move exposes the bank to:

A. Country risk

B. Operational risk

C. Reputational risk

D. Compliance risk

The correct answer is D.

Compliance risks arise when the services, products, or activities of a service provider fail to comply
with applicable U.S. laws and regulations.
The Sarbanes-Oxley Act of 2002 specifically prohibits a registered public accounting firm from
performing certain non-audit services for a public company client for whom it performs financial
statement audits.

Q.2325 An American bank is considering outsourcing its IT operations to an Indian IT provider. Is it
in order for the bank’s risk management team to analyze the provider’s financial condition before
making a final decision?

A. No, because the bank should only be concerned with country risk.

B. No, because it’s illegal to outsource IT services in the first place.

C. Yes, in order to assess the financial stability and integrity of the service provider.

D. Yes, because it’s a requirement under Basel II regulation.

The correct answer is C.

Financial institutions should review the financial condition of the service provider and its
closely-related affiliates. A poor financial condition may be an indicator of potential problems in the
future, which could result in interruption of service, etc.


Q.2326 Sandero Bank from Carrington, North Dakota, is considering outsourcing part of its IT
services to a third party. Such a move will most likely involve sharing of some nonpublic personal
information about the bank's customers with the third party. Should the bank go ahead with its plan?

A. No, all outsourcing activities that can reasonably be expected to expose nonpublic
personal information are forbidden.

B. Yes, but the bank should refrain from sharing all nonpublic personal information.

C. Yes, the bank could outsource an activity which requires usage of nonpublic personal
information, but the service provider must comply with applicable privacy laws and
regulation.

D. No, because such a move would open doors to possible lawsuits by aggrieved customers.

The correct answer is C.

If service providers handle any of the financial institution's customers' Nonpublic Personal
Information (NPPI), the service providers must comply with applicable privacy laws and regulations.


Q.2327 Fort Worth Bank from Texas, USA, is considering outsourcing its retail loans collection
process to ICAP, a service provider from Mexico. What should its risk management team do?

A. Carry out a risk assessment of the move.

B. Analyze contract provisions and considerations.

C. Perform a due diligence of the service provider.

D. All of the above.

The correct answer is D.

While the activities necessary to implement an effective service provider risk management program
can vary based on the scope and nature of a financial institution's outsourced activities, effective
programs usually include the following core elements:

a. Risk assessments;
b. Due diligence and selection of service providers;
c. Contract provisions and considerations;
d. Incentive compensation review;
e. Oversight and monitoring of service providers; and
f. Business continuity and contingency plans.


Q.2328 A certain bank based in the United States has developed a sound, effective program for
assessment of all outsourcing activities. Some of the elements of the program have a lot to do with
due diligence analyses and the selection of providers. According to good industry practice, due
diligence analyses and selection of providers should include:

A. Financial analyses, assessment of internal controls, and limits of liabilities.

B. A review of technical abilities, employee backgrounds, and facilities.

C. A review of business background, strategy and reputation, financial performance and
condition, operations, and internal controls.

D. All of the above.

The correct answer is C.

The overall due diligence process includes a review of the service provider with regard to:

1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.


Q.2329 A bank based in Palermo, Italy, is considering outsourcing its IT services and is preparing a
review of the financial condition of IAM Systems – the most popular service provider in town. Which of
the following would not form part of the financial review process?

A. The adequacy of the service provider's insurance coverage.

B. The adequacy of the service provider's review of the financial condition of any
subcontractors.

C. The potential financial impact of the bank’s business on the provider.

D. The potential impact of the provider’s past clients on the bank’s financial condition.

The correct answer is D.

Financial institutions should review the financial condition of the service provider and its
closely-related affiliates. The financial review may include:

The service provider's most recent financial statements and annual report with regard to
outstanding commitments, capital strength, liquidity and operating results

The service provider's sustainability, including factors such as the length of time that the
service provider has been in business and the service provider's growth of market share
for a given service

The potential impact of the financial institution's business relationship on the
service provider's financial condition

The service provider's commitment (both in terms of financial and staff resources) to
provide the contracted services to the financial institution for the duration of the contract

The adequacy of the service provider's insurance coverage

The adequacy of the service provider's review of the financial condition of any
subcontractors

Other current issues the service provider may be facing that could affect future financial
performance


Q.2330 Stroud Bank from Gloucester, UK, is in the process of executing a major merger. The bank
will be outsourcing the activities related to the relocation of facilities, as required by the merger,
which should take considerable effort. The bank is reviewing the operations and internal controls of
several service providers in order to make an informed decision. Which of the following should not
be included in the review?

A. Training, including compliance training for staff.

B. Compliance with the environmental sustainability of the business.

C. Business resumption and contingency planning.

D. Service support and delivery.

The correct answer is B.

Financial institutions should evaluate the adequacy of standards, policies, and procedures (of service
providers). Depending on the characteristics of the outsourced activity, some or all of the following
may need to be reviewed:

Internal controls;

Facilities management (such as access requirements or sharing of facilities);

Training, including compliance training for staff;

Security of systems (for example, data and equipment);

Privacy protection of the financial institution's confidential information;

Maintenance and retention of records;

Business resumption and contingency planning;

Systems development and maintenance;

Service support and delivery;

Employee background checks; and

Adherence to applicable laws, regulations, and supervisory guidance.


Q.2331 Coulomb Bank from Montpellier, France, is preparing a contract for outsourcing of several
of its activities. The bank’s legal staff is describing the scope of contract defining the relationship
between the bank and service provider. Which of the following (among other rights and
responsibilities of each party) should be included in the contract?

A. Terms governing the use of the bank’s property, equipment, and staff.

B. Training of the bank’s employees.

C. Both of the above.

D. None of the above.

The correct answer is C.

Scope: Contracts should clearly define the rights and responsibilities of each party, including:

maintenance, and customer service;

Contract timeframes;

Compliance with applicable laws, regulations, and regulatory guidance;

Training of financial institution employees;

The ability to subcontract services;

The distribution of any required statements or disclosures to the financial institution's
customers;

Insurance coverage requirements; and

Terms governing the use of the financial institution's property, equipment, and
staff.


Q.2993 Which of the following tasks is NOT necessarily executed by the financial institution in the
course of preparing contingency plans?

A. Ensuring the existence of a disaster recovery and business continuity plan
regarding the services and products contracted.

B. The service provider’s disaster recovery and business continuity plan should be assessed
by the financial institution, to ensure they align with that of their own.

C. The business continuity and contingency plan of the service provider should be tested on
a periodic basis by the financial institution to ensure they are adequate and effective.

D. The financial institution should ensure that the foreign-based service providers are
complying with their country’s regulations and regulatory guidance.

The correct answer is D.

Ensuring compliance with the rules, regulations, and regulatory guidance of the country in which the
financial institution is located, despite being important and done by the financial institution, is not
necessarily executed by the financial institution when preparing contingency plans.


Q.5257 Which of the following best describes the key elements of contracts and agreements related
to the cost and compensation of service providers?

A. Contracts and agreements should only describe the compensation to be paid to the service
provider without addressing any other related expenses.

B. Contracts and agreements should only address the payment of legal, audit, and examination
fees related to the activity performed by the service provider.

C. Contracts and agreements should only address the responsibility for the maintenance of
equipment, hardware, and software related to the activity performed by the service
provider.

D. Contracts and agreements should describe the compensation, variable charges, and any
fees to be paid for non-recurring items and special requests.

The correct answer is D.

Contracts and agreements should describe the compensation, variable charges, and any fees to be
paid for non-recurring items and special requests, address which party is responsible for the
payment of legal, audit, and examination fees, and address the responsibility for the expense,
purchasing, and maintenance of any related equipment, hardware, or software. This is according to
the information presented, which states that agreements should describe compensation and fees,
address payment responsibilities, and address equipment responsibilities.

A is incorrect. Agreements should describe not only the compensation but also variable charges,
fees for non-recurring items, and responsibilities for the payment of related fees and the
maintenance of related equipment.

B is incorrect. Agreements should address not only payment responsibilities for legal, audit, and
examination fees but also compensation and responsibilities for the maintenance of related
equipment.

C is incorrect. Agreements should address not only responsibilities for the maintenance of
equipment but also compensation, fees, and payment responsibilities for legal, audit, and examination
fees.


Reading 111: Case Study: Third-Party Risk Management

Q.5129 Which of the following is not a step in the Third-Party Risk Management life cycle?

A. Remediation

B. Risk rating & Evaluation

C. Shared Assessments

D. Continuous monitoring

The correct answer is C.

Shared Assessments is a US-based certifying organization specializing in Third-Party Risk Management
and delivering the professional certification of third-party risk management professionals.

The five stages of the professional certification of third-party risk management professionals are:

i. Business model decision
ii. Evaluation, risk rating, due diligence
iii. RFPs (requests for proposal) and contracts
iv. Monitoring (continuous and ongoing)
v. Remediation or termination


Q.5130 Which of the five steps in the Third-Party Risk Management cycle involves choosing a
third-party service provider after evaluating the risk appetite of the firm?

A. Evaluation, risk rating, due diligence

B. Business model decision

C. Contracts and contract management

D. Continuous Monitoring

The correct answer is B.

The Business model decision step involves making the decision to outsource some activities or keep
them in-house, and the choice about a provider's quality and price are important strategic decisions
that also relate to the risk appetite of the firm.

A is incorrect. Evaluation, risk rating, and due diligence involves performing due diligence on and
evaluating who you will be doing business with.

C is incorrect. Contracts, service level agreements (SLAs) and contract management involves
clearly defining the responsibilities and expectations of both parties, as well as establishing quality
and timing in the provision of services.

D is incorrect. Continuous monitoring involves monitoring of service provision, quality SLAs, and
compliance with regulation as well as with the terms of the contract. It also involves setting trigger
events for reassessment, not just at the end-of-contract.


Q.5131 Which of the following is a good risk management practice of the remediation or termination
step of the Third-Party Risk Management life cycle?

A. Defining trigger events for reassessment

B. Establish limits on the outsourcing by third parties

C. Having an exit strategy

D. Use of standard assessment questionnaires

The correct answer is C.

It is good risk management practice under the remediation and termination step of the Third-Party
Risk Management life cycle to have a grievance procedure as well as an exit strategy or termination
clause if the situation deteriorates beyond repair.

A is incorrect. Defining trigger events for assessment is a good practice under the continuous
monitoring step of the Third-Party Risk Management life cycle.

B is incorrect. Establishing limits on the outsourcing by third parties is a good practice under the
Contracts, SLAs, and Contract Management step of the Third-Party Risk Management life cycle.

D is incorrect. Use of standard assessment questionnaires is a good practice under the
evaluation, risk rating and due diligence step of the Third-Party Risk Management life cycle.


Q.5132 Which of the following is not an example of an event that can trigger the reassessment of
contracts with third parties?

A. Data breaches

B. A merger or acquisition

C. Regulatory change

D. Risk appetite

The correct answer is D.

Risk appetite is not an example of an event that can trigger the assessment of contracts with third
parties. A company’s risk appetite will determine a company’s decision whether to outsource some
activities or keep them in house.

Events that could trigger contract reassessment include data breaches or incidents, a change in the
business circumstances of either firm, such as a merger or an acquisition, a legal or regulatory
change, changes in services provided, an act of God, a breach of contract or performance failure.


Q.5133 Which of the five steps in the Third-Party Risk Management cycle requires sound due
diligence and verification of third-party service providers?

A. Remediation or termination

B. Continuous monitoring

C. Evaluation and risk rating

D. Business model decision

The correct answer is C.

Evaluation, risk rating, and due diligence is the second stage of the Third-Party Risk Management
cycle. It requires sound due diligence and verification of third-party service providers.
Proportionality of approach is a good risk management practice: third parties that will have access
to sensitive information need more extensive due diligence than those that will not.

A is incorrect. Remediation or termination is the fifth step in the Third-Party Risk Management
cycle, and it is the ending of contracts either due to them coming to an end or due to termination
because of the deterioration of situations beyond repair.

B is incorrect. Continuous monitoring involves monitoring of service provision, quality SLAs, and
compliance with regulation as well as with the terms of the contract. It also involves setting trigger
events for reassessment, not just at the end-of-contract.

D is incorrect. The Business model decision step involves making the decision to outsource some
activities or keep them in-house, and the choice about a provider's quality and price are important
strategic decisions that also relate to the risk appetite of the firm.


Q.5134 Which of the following is not a common third-party risk?

A. Service disruption

B. Third parties

C. Accidental data privacy breach

D. Compliance breaches

The correct answer is B.

Third parties are not necessarily a common third-party risk. It is the use of third parties that
increases a firm’s exposure to third-party risks. Third parties are providers of goods and services
that are not internal to the firm.

Common third-party risks include service disruption, failings in service quality, fraud, accidental data
privacy breach or intentional information leak, compliance breaches, espionage and IP theft, and
reputational damage.


Q.5135 Which of the following is a good practice when addressing fourth-party risk?

A. Establish standards on outsourcing

B. Define trigger events for reassessment

C. Have an exit strategy

D. Having a termination clause

The correct answer is A.

Good practice under SLA and contract management is for the contract to establish standards or limits on the outsourcing that is done by third-party vendors. The standards for vendor outsourcing can be a replication of the rules that the firm applies to its own vendors, so the vendors can apply them to their own vendors and contractors.

B is incorrect. Defining trigger events for contract assessment is a good practice under the continuous monitoring of contracts step of the Third-Party Risk Management cycle.

C is incorrect. Having an exit strategy is a good strategy under the remediation or termination step of the Third-Party Risk Management cycle.

D is incorrect. Having a termination clause in case the relationship deteriorates beyond repair is a good practice under the termination or remediation step of the Third-Party Risk Management cycle.


Q.5136 Which of the following is not an action that should be undertaken during the wind-down
process of contracts?

A. The transmission of intellectual property

B. Plan to transition to in-house services

C. Have audit rights on their vendors

D. Provide evidence of data transfer or destruction

The correct answer is C.

Having audit rights on vendors is a necessity for firms whose third parties also outsource services to other parties. It is necessary for firms to verify for themselves the application of the rules the vendors use.

Relationships can be terminated for a number of reasons, and firms should plan for a wind-down process that includes the transmission of intellectual property (IP), a plan to transition to in-house services or to transfer to another provider, and the provision of evidence of data transfer or destruction, if any sensitive data was held by the third-party vendor.


Q.5137 Which of the following steps of the Third-Party Risk Management life cycle involves keeping
track of service provision, quality SLAs, and compliance with regulation?

A. Remediation or termination

B. Business model decision

C. Evaluation and risk rating

D. Contract monitoring

The correct answer is D.

Continuous monitoring involves keeping track of service provision, quality SLAs, and compliance with regulation as well as with the terms of the contract. It also involves setting trigger events for reassessment, not just at the end of the contract.

A is incorrect. Remediation or termination involves having a grievance procedure as well as an exit strategy or termination clause if the relationship deteriorates beyond repair.

B is incorrect. The Business model decision step involves deciding whether to outsource some activities or keep them in-house. The choices about a provider’s quality and price are important strategic decisions that also relate to the risk appetite of the firm.

C is incorrect. Evaluation, risk rating, and due diligence involves sound due diligence and verification of third-party service providers. Proportionality of approach is a good risk management practice: third parties that will have access to sensitive information need more extensive due diligence than those that will not.


Reading 112: Case Study: Investor Protection and Compliance Risks in Investment Activities

Q.5138 Which of the following is not a mechanism used by regulators for investor protection?

A. preventing misrepresentation by institutions and intermediaries

B. establishing responsibility in cases of fraud or insider trading

C. requiring firms that buy and sell derivatives to do so through clearinghouses

D. facilitate cross-jurisdictional regulatory and law enforcement cooperation

The correct answer is C.

Mechanisms used by regulators for investor protection include:

helping to prevent misrepresentation by institutions and intermediaries,

establishing responsibility in cases of fraud or insider trading, and

facilitating cross-jurisdictional regulatory and law enforcement cooperation.

Requiring firms that buy and sell derivatives to do so through clearinghouses is a regulation established by the Investor Protection Act – Dodd-Frank as a regulatory response to the 2007 financial crisis.


Q.5139 Which of the following is not one of the activities addressed by the Markets in Financial
Instruments Regulation (MIFIR)?

A. Investment advisory definition and objectivity

B. Best deal execution for the clients

C. Protections for whistleblowers

D. Transactions with qualified counterparties

The correct answer is C.

Enhanced protection for whistleblowers is an issue addressed by the Investor Protection Act – Dodd-Frank.

The MIFIR regulation addresses the incentive systems as well as other facets of financial corporations' investing activities, such as:

Pay for traders, advisors, and potential conflicts of interest

Fair and non-misleading communication with customers

Investment advisory definition and objectivity

Sales procedure and product management

Best deal execution for the clients

Transactions with qualified counterparties


Q.5140 Which of the following is not a protection provided to investors by the Investor Protection
Act – Dodd-Frank?

A. enhanced protections for whistleblowers under the act

B. requires firms that buy and sell derivatives without using clearinghouses

C. establishes the Volcker Rule

D. the establishment of a council to oversee financial stability

The correct answer is B.

The Investor Protection Act – Dodd-Frank required firms that buy and sell derivatives to do so through clearinghouses.

Other protections provided to investors by the act are:

enhanced protections for whistleblowers under the act,

the formation of a committee to engage with the Securities and Exchange Commission (SEC) regarding regulatory priorities surrounding new financial products, fee structures, and trading methods,

the restructuring of financial regulation and the establishment of a council to oversee financial stability,

the establishment of the Volcker Rule, which seeks to stop commercial banks from profit-driven speculation and proprietary trading, and

the establishment of the Consumer Financial Protection Bureau (CFPB) as an independent financial regulator to regulate consumer finance markets.


Q.5141 Which regulations resulted in the formation of the Consumer Financial Protection Bureau
(CFPB), as an independent financial regulator to regulate consumer finance markets?

A. The Markets in Financial Instruments Directive (MIFID)

B. The Investor Protection Act – Dodd-Frank

C. The Financial Industry Regulatory Authority (FINRA)

D. The Volcker Rule

The correct answer is B.

The Investor Protection Act – Dodd-Frank established the Consumer Financial Protection Bureau (CFPB) as an independent financial regulator to regulate consumer finance markets.

A is incorrect. The Markets in Financial Instruments Directive (MIFID) is a 2004 EU directive that has been in effect throughout the EU since November 2007. It establishes the requirements for regulatory reporting and transaction transparency as well as the guidelines for the admission of financial instruments for public trading.

C is incorrect. The Financial Industry Regulatory Authority (FINRA), a US-based regulatory organization, is under the SEC's supervision and controls brokerage firms. It is committed to maintaining market integrity and protecting investors.

D is incorrect. The Volcker Rule was established under the Investor Protection Act – Dodd-Frank, and it seeks to stop commercial banks from profit-driven speculation and proprietary trading.


Q.5142 Which of the following factors does not contribute to both internal fraud and market abuse
risk?

A. Low levels of employee involvement within the company

B. Employee education

C. Inadequate resource allocation to corporate units or activities

D. Weak culture of ethics

The correct answer is B.

Employee education is an effective measure that ensures that investment activities are carried out properly. It is not a contributing factor to either internal fraud or market abuse risk.

The factors that contribute to internal fraud and to market abuse risk include:

low levels of employee involvement within the company

stress or employee dissatisfaction

inadequate resource allocation to corporate units or activities

weak culture of ethics


Q.5143 Which of the following factors does not contribute to compliance risk in market activity?

A. The asymmetry in information between buyers and sellers

B. Traders' conflicts of interest

C. Volatility boosts the volume of transactions

D. Inadequate resource allocation to corporate units or activities

The correct answer is D.

Inadequate resource allocation to corporate units or activities is a factor that contributes to internal fraud and market abuse risk.

Factors that contribute to compliance risk in market activity include:

The asymmetry in information between buyers and sellers. Compared to banks and asset management firms, retail investors typically have significantly less knowledge.

Traders' conflicts of interest when they trade for the company and for their clients' books.

Economic factors like spikes in market volatility boost the volume of transactions, which increases the incidence of errors.


Q.5144 Which of the following is an effect of the Volcker rule?

A. Enhanced witness protection

B. Buying and selling of securities through clearing houses

C. Stopping commercial banks from speculation and proprietary trading

D. Establish the Consumer Financial Protection Bureau

The correct answer is C.

The Volcker rule intends to prevent commercial banks from engaging in speculative activities and proprietary trading for profit. It specifically limits banks’ investments in hedge funds and private equity funds.

All of the above choices resulted from the establishment of the Investor Protection Act – Dodd-Frank; however, the Volcker rule itself was intended to prevent commercial banks’ risky speculative activities.


Q.5145 Which of the following is not an effective measure for ensuring that investment activities
are carried out properly?

A. The oversight and supervision of workers and trades

B. Robust back-office and middle-office operations

C. Sufficient rules and regulations

D. Fair and non-misleading communication with customers

The correct answer is D.

Fair and non-misleading communication with customers is one of the activities that the Markets in Financial Instruments Regulation (MIFIR) seeks to address.

Effective measures for ensuring that investment activities are carried out properly include:

the oversight and supervision of workers and trades

robust back-office and middle-office operations

sufficient rules and regulations

employee education

a culture of ethics that is robust and is maintained by regular onboarding and training


Q.5146 Which of the following is the key issue addressed by the creation of the Markets in Financial
Instruments Directive II (MIFID II)?

A. The requirements for regulatory reporting and transaction transparency

B. The disclosure of transaction data to supervisors and regulators

C. The asymmetry in information between buyers and sellers

D. The oversight and supervision of workers and trades

The correct answer is B.

MIFID II added new requirements for the public disclosure of trading activity data as well as for the disclosure of transaction data to supervisors and regulators.

A is incorrect. The requirements for regulatory reporting and transaction transparency are addressed by the original Markets in Financial Instruments Directive (MIFID) established in 2004.

C is incorrect. The asymmetry in information between buyers and sellers is a factor contributing to compliance risk in market activity.

D is incorrect. The oversight and supervision of workers and trades is an effective measure that ensures that investment activities are carried out properly.


Q.5147 Which of the following is a protection provided to investors through the Investor Protection
Act – Dodd-Frank?

A. Employee education

B. Best deal execution for the clients

C. Establishes the Volcker Rule

D. Fair and non-misleading communication with customers

The correct answer is C.

The Investor Protection Act – Dodd-Frank established the Volcker rule, which seeks to stop commercial banks from profit-driven speculation and proprietary trading and limits banks’ investments in hedge funds and private equity funds.

A is incorrect. Employee education is an effective measure for ensuring that investment activities are carried out properly.

B is incorrect. Best deal execution for the clients is one of the issues that the Markets in Financial Instruments Regulation sought to regulate.

D is incorrect. Fair and non-misleading communication with customers is another issue that the Markets in Financial Instruments Regulation sought to regulate.


Reading 113: Supervisory Guidance on Model Risk Management

Q.4297 Which of the following is a primary way in which models can pose a significant risk to
financial service firms?

A. Models are costly

B. Models can give inaccurate results

C. Models are not time-sensitive

D. Models take too long to be implemented

The correct answer is B.

Models that produce inaccurate results may lead to unexpected losses. The two primary ways in which models can pose a significant risk to financial services firms are:

Models can be manipulated, misunderstood, or misused; this leads to unexpected losses to the firm.

Models can give inaccurate results, which leads to unexpected losses to the firm.

A is incorrect: A model's cost does not pose a significant risk to a financial institution.

C is incorrect: A model's time consumption does not pose any significant risk.

D is incorrect: Time of implementation does not pose a significant risk to a firm.


Q.4298 The following are activities carried out during the data preparation stage of a model
development process, EXCEPT:

A. Data acquisition

B. Data cleaning

C. Data exploration

D. Sample selection

The correct answer is C.

Data exploration belongs to the data understanding stage. It involves the study of the relationship between the dependent variable and the independent variables, and of the correlation between different features.

A is incorrect: Data acquisition: Involves acquiring data from the source, which may include a file, database, or website, among others.

B is incorrect: Data cleaning: Data differs in quality, mainly due to the different sources. Some of the values may need to be cleaned, and errors spotted.

D is incorrect: Sample selection: A useful model requires a carefully selected data set. Outliers should be handled.


Q.4299 Which of the following gives a reason why a firm should invest in model risk management?

A. To give incentives to model developers to work faster

B. To cater for losses brought about by a model

C. To provide incentives to management

D. To ensure that the model is used as required

The correct answer is D.

Strong model risk management relies on considerable investment in supporting systems to guarantee data and reporting integrity, as well as testing to ensure:

Proper implementation of models

Effective systems integration

Appropriate use.

A is incorrect: Model developers don't get incentives to work faster; model development takes some time, and thus the firm should plan for it in good time to avoid a last-minute rush.

B is incorrect: Model risk management is set up to prevent these losses; however, losses resulting from the model will be a responsibility of the firm as a whole.

C is incorrect: Management does not need incentives.


Q.4303 TCC bank has developed a set of models to analyze liquidity risk, market risk, as well as the
credit risk of borrowers. Which of the following model risk management functions is least likely to
be handled by the developers of these models?

A. Coming up with a clear statement of purpose to ensure that model development is aligned
with the intended use

B. Rigorous assessment of data quality and relevance

C. Model testing

D. Model validation

The correct answer is D.

An important aspect of validation is independence from model development and usage. It is generally recommended that validation be carried out by people who are not responsible for the development or use of the model and do not have an interest in its validity. Independence is not an end in itself, but rather ensures incentives are aligned with the goals of model validation.

Options A, B, and C all describe the roles of model developers. Here's a brief explanation of each role:

Effective model development begins with a clearly defined objective (statement of purpose) to ensure that model development is aligned with the intended use. Model design, theory, and logic need to be well documented, supported by literature and industry practice, and generally supported by published research.

In addition, in developing a model, data and other information are of critical importance. Both the quality and relevance of the data should be evaluated rigorously and adequately documented. It is imperative that developers show that such data and information are suitable for the model, and that they are consistent with the theory behind the approach and the chosen methodology.

As part of model development, testing is necessary to determine whether the model is functioning as intended and whether its various components are working properly. The test involves checking the model's accuracy, demonstrating its robustness and stability, assessing its potential limitations, and examining its behavior given a range of input values.


Q.4304 Model development and implementation in risk management requires various best practices
to ensure that the models are aligned to their intended use. Which of the following alternatives about
these best practices is MOST ACCURATE?

A. The merits and limitations of the model methodologies and processing components should
be well explained.

B. Developers should compare their models with alternative approaches and theories.

C. The quality of data used to develop a model should be assessed and documented.

D. All of the above

The correct answer is D.

It is the most appropriate option, as all the other options are best practices for model development and implementation.

A is correct: The model methodologies and processing components that implement the theory, including the mathematical specification and the numerical techniques and approximations, should be explained in detail with particular attention to merits and limitations.

B is correct: Comparison with alternative theories and approaches is a fundamental component of a sound modeling process.

C is correct: It is of critical importance to rigorously assess the relevance and quality of the data used to develop a model, and to document that assessment appropriately. Developers should be able to demonstrate that such data are suitable for the model and that they are consistent with the theory behind the approach and with the chosen methodology.


Q.4305 Which of the following gives a common error in model use and management across all
industries?

A. Spending more than anticipated

B. Sample bias in model data

C. Users failing to keep documentation

D. Model invalidation

The correct answer is B.

Sample bias occurs when a nonrepresentative set of data is used during model development. This leads to wrong model outcomes. Other common errors include:

Application of a model outside its area of validity

Sample bias in model data

Flawed model design

A, C, and D are incorrect: They are not errors in model management or usage.


Q.4306 Which of the given options identifies one challenge faced by model risk managers while
designing and delivering effective model risk reporting?

A. Lack of funds to fully implement the model

B. Implementing the required infrastructure to deliver reporting

C. Implementing the model

D. Lack of personnel to test the model

The correct answer is B.

There is a need for the appropriate infrastructure to enable the organization, management, and updating of data, e.g., workflow tools and databases. Model risk reporting is the link to the model risk limit that the organization can take. Reporting should give an insight into model risk. The challenges include:

Determining how to measure the impact of models in a way that allows comparison and ranking of the risks posed by potentially very different models;

How to define metrics, for example, linked to model risk appetite;

Determining an appropriate frequency of reporting;

Implementing the required infrastructure to deliver reporting;

How to aggregate reporting on individual models to provide a comprehensive and consistent view of model risk at a defined level of aggregation.

A is incorrect: Reporting doesn't require any extra money, as it is part of the job description of model risk managers.

C is incorrect: Implementation of the model is independent of model risk reporting.

D is incorrect: The personnel to test the model are mostly the firm's staff who are available at no extra cost.


Q.4443 The following are some of the regulatory requirements of the model validation process,
EXCEPT:

A. Ensure that the model is used for decision making

B. Ensure that documentation indicates where the internal model does not work effectively

C. Model developers must also be involved in the model validation team

D. None of the above.

The correct answer is C.

As per SR 11-7, only an independent team should be included in the model validation process.

A is incorrect: According to SR 11-7, models should be used for the decision-making process.

B is incorrect: Model documentation should indicate situations where the model might not work accurately.

D is incorrect.


Q.4444 Which of the following best describes a model?

A. A spreadsheet that aggregates groups’ trading positions for reporting

B. A spreadsheet with what-if calculations for potential buyers

C. A spreadsheet with coded probabilistic risk calculation that enables what-if scenarios to be
run each day

D. Both B and C

The correct answer is C.

Option C describes a model that provides useful outputs to a firm given a set of inputs and can be reused day by day.

A is incorrect: ‘A spreadsheet that aggregates groups’ trading positions for reporting’ is a tool of a model that aggregates groups’ trading positions for reporting, and is not complete enough to be a model.

B is incorrect: ‘A spreadsheet with what-if calculations for potential buyers’ is also a tool of a model, and is not complete enough to be a model.

D is incorrect.


Q.4445 The following are some key areas where model risk can arise from, EXCEPT:

A. Data

B. Interpretation

C. Validation

D. Inventory

The correct answer is C.

Validation is performed to address the risk; it is not a source of model risk.

Data: Risk may result from using data that is incomplete, corrupt, or erroneous.

Interpretation: Model results may be incorrectly interpreted.

Inventory: Risk due to incomplete or inaccurate model inventories, the use of non-validated models, or models that have been retired.


Q.4446 Which of the following best describes the importance of an independent validation?

A. It reduces the cost of the validation process

B. It ensures that the bank doesn’t spend much on incentives that model developers may
require to validate the model

C. It provides comfort to the CRO, and regulators

D. All of the above

The correct answer is C.

Regulation requires that banks use independent validators. Besides being a requirement, it helps eradicate the risks as validators are experts; thus, the CRO is comfortable using an independent team of validators.

A is incorrect: Use of an independent validation does not reduce any cost that was meant for validation.

B is incorrect: Developers are not required to validate a model.

D is incorrect.


Q.4447 The following are key components of the model development process, EXCEPT:

A. Model lifecycle

B. Data preparation

C. Model audit

D. Model assembly

The correct answer is A.

Model lifecycle is not a component of the model development process; however, model development is a component of the model lifecycle.

Data preparation: This is the first component of the model development process. It entails data acquisition, data cleaning, and sample selection.

Model audit: This is the last component and entails all the activities required for monitoring the model performance.

Model assembly: Model assembly is composed of all activities that are required to construct the model.


Q.4448 Which of the following should be found in the model documentation?

A. Model validation team

B. Data sources

C. Individual model users

D. None of the above

The correct answer is B.

Model documentation must contain the data sources, the data quality, and the justification for using such data, among other important things pertaining to the model development.

A is incorrect: Model documentation does not contain the model validation team; however, the team should be guided in their validation process mainly by the documentation.

C is incorrect: Model users are not listed in the model documentation.

D is incorrect.


Q.4449 Which one of the following is a challenge faced by banks in the model validation process?

A. Use of model users for validation

B. Model developers requiring incentives to validate the model

C. Use of vendor models

D. All of the above

The correct answer is C.

As per SR 11-7, all models, whether internally developed or purchased, should be validated with the same rigor. However, vendors lack transparency regarding their intellectual property. This concern may require banks to relax their rigor in the validation process and just rely on benchmarking, outcome analysis, among other methods.

A is incorrect: Model users are not used to validate a model.

B is incorrect: Model developers are not a part of the model validation team. The team should be independent.

D is incorrect.


Q.4450 Which of the following is an important element of the model risk management framework?

A. Model lifecycle management

B. Model risks

C. Third-party models

D. None of the above

The correct answer is A.

Managing the lifecycle of a model requires consideration of various factors to maintain its quality. This component involves understanding the model development, documentation, validation, inventory, among other things.

B is incorrect: Model risk is not a component of the model risk framework.

C is incorrect: Third-party models are also not elements of the model risk management framework.

D is incorrect.


Q.4451 The following are the essential components of a model, EXCEPT:

A. A data input component

B. A data processing component

C. A data understanding component

D. A reporting component

The correct answer is C.

Data understanding is a component of the model development process. There are three key
components of a model: a data input component, a data processing component, and a
reporting component.

A data input component: A model must obtain data from the user, which is input to the system
through this component.

A processing component: After the data is input, the model processes the data using this
component, which contains the statistical or numerical computations.

A reporting component: This is the component responsible for giving the outcome or the results
after processing.

Q.4742 The following are considered by initial model validation to establish the appropriateness of a
proposed model, EXCEPT:

A. Model implementation

B. Model revalidation

C. Model documentation

D. Model testing

The correct answer is B.

Model revalidation comes in the last step of model validation. Initial model validation should consider:

Conceptual soundness

Quality of model design and construction

Model implementation

The model control environment

Model assumptions

Internal and external model data inputs

Testing of model performance and constraints

Model documentation

A, C, and D are not correct: They are considered in the initial model validation process.

Q.4743 Which of the following is a primary element of a strong model validation framework?

A. Good investment

B. Ongoing monitoring

C. Technology advancement

D. Time efficiency

The correct answer is B.

Ongoing monitoring is a critical element of a reliable model validation framework. The main aim of
this element is to confirm the appropriate implementation of the model, in addition to its usage and
performance as intended.

Other key elements of comprehensive validation include:

Evaluation of conceptual soundness: It entails the assessment of the quality of model design
and its construction. There should always be documented evidence to provide support for
all model choices.

Outcomes analysis: This element highly relies on statistical tests and other quantitative
measures. It involves a comparison of outcomes. The actual outcomes are compared with
the model's outcomes.

A, C, and D are incorrect: They are not elements of the validation process.

Reading 114: Case Study: Model Risk and Model Validation

Q.5148 A risk manager at a bank is presenting to the board of directors about model risk
management. He starts his presentation by defining a model. Which one of the following is the
correct definition of a model in the context of risk management today?

A. A tool used for forecasting based on complex statistical techniques

B. A tool used for forecasting based on qualitative techniques

C. A tool that applies quantitative approaches to forecast results

D. A tool used for forecasting based on both quantitative and qualitative methods

The correct answer is D.

According to the Fed, "the term model refers to a quantitative method, system, or approach that
applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to
process input data into quantitative estimates. The definition of a model also covers quantitative
approaches whose inputs are partially or wholly qualitative or based on expert judgment, provided
that the outputs are quantitative in nature."

A is incorrect. This is the definition used in the early days of model risk management.

B is incorrect. The definition of a model must include both quantitative and qualitative approaches.

C is incorrect. The explanation for B also applies here.

Q.5149 A newly hired risk manager analyzes the types of risk and also wishes to explain different
ways that financial institutions can become exposed to model risk. Which of the following options
best describes the ways that financial institutions can become exposed to model risk?

A. By investing in low-risk assets.

B. By avoiding complex financial instruments.

C. By relying too heavily on a single model or failing to consider alternative models.

D. By conducting regular stress tests and scenario analysis.

The correct answer is C.

Financial institutions can become exposed to model risk by relying too heavily on a single model or
failing to consider alternative models. This can result in inaccurate or incomplete assessments of
risk, which can have serious consequences for the institution.

A is incorrect. Investing in low-risk assets may help to minimize some types of risk, but it is not
directly related to model risk.

B is incorrect. Avoiding complex financial instruments may help to reduce some types of risk, but
it does not address the issue of model risk specifically.

D is incorrect. Conducting regular stress tests and scenario analysis is an important risk
management practice, but it is not directly related to the ways that financial institutions can become
exposed to model risk.

Q.5150 A junior analyst at a bank wishes to understand more about the role of the model risk
management function and best practices in model risk management. What is the role of the model risk
management (MRM) function in financial institutions, and how does it determine the frequency of
model validation?

A. MRM function validates models every year, regardless of their tier, to minimize risks.

B. MRM function specifies the frequency of model validation, but the tier of the model is not
taken into consideration.

C. MRM function is responsible for reviewing and challenging models to minimize risks, and
models are assigned to different tiers based on their risk level.

D. MRM function monitors the performance of models through reports produced by model
owners, but they do not conduct validations.

The correct answer is C.

The MRM function is responsible for reviewing and challenging models to minimize risks, and models are
assigned to different tiers based on their risk level. The MRM function in financial institutions is
responsible for identifying, assessing, and mitigating model risk, which includes assigning models to
different tiers based on the risk they pose to the firm. The frequency of model validation is
determined by the tier of the model, with high-tier models undergoing more frequent and detailed
validation than lower-tier models.

A is incorrect. Not all models are validated every year, and the frequency of validation depends on
the tier of the model.

B is incorrect. The tier of the model is an important factor in determining the frequency of model
validation.

D is incorrect. The MRM function not only monitors the performance of models through reports
but also conducts validations to ensure model risk is sufficiently addressed.

Q.5151 What is the role of the first line of defense in the three lines of defense model in model risk
management, and how do first-line QA/QC teams help mitigate model risk?

A. The first line of defense is responsible for independently assessing the risk and risk
management practices of the second line, while the first-line QA/QC teams monitor the
performance of models.

B. The first line of defense abdicates its own responsibilities to the second line, while the
first-line QA/QC teams ensure models are validated at the appropriate frequency.

C. The first line of defense generates the risk to which the organization is exposed and owns
the risk. The first-line QA/QC teams play a pivotal role in mitigating model risk, especially
execution risk.

D. The first line of defense is responsible for validating models, while the first-line QA/QC
teams conduct comprehensive backtesting.

The correct answer is C.

The three lines of defense model applies in model risk management, with the first line of defense
comprising model developers and model owners who generate the risk to which the organization is
exposed. The first-line QA/QC teams play a pivotal role in mitigating model risk, especially execution
risk, by ensuring that models are developed and implemented according to best practices.

A is incorrect. The second line is responsible for independently assessing the risk and risk
management practices of the first line, not the other way around.

B is incorrect. The first line of defense should not abdicate its own responsibilities to the second
line, and the first-line QA/QC teams do not ensure models are validated at the appropriate frequency.

D is incorrect. The first line of defense is not responsible for validating models, and the first-line
QA/QC teams do not conduct comprehensive backtesting either.

Q.5152 The risk committee of a large bank has prepared a report on its model risk management
framework. The report states that, just like operational risk management (ORM), MRM
applies the three lines of defense model. Which of the following is correct regarding the three lines
of defense in the MRM framework?

A. Model developers and model owners form the first line of defense

B. The second line of defense works with the first line to assess all the activities of the first
line of defense

C. The second line of defense owns the risk

D. The first line of defense oversees all the activities of the second line of defense

The correct answer is A.

In the context of model risk, model developers and model owners form the first line of defense.
Hence, they generate the risk to which the organization is exposed.

B is incorrect. The first line owns the risk and should take all necessary steps to mitigate it, while
the second line independently assesses the first line's risk and risk management practices.

C is incorrect. The first line owns the risk.

D is incorrect. It should be the other way round, i.e., the second line of defense oversees the
activities of the first line of defense.

Q.5153 A bank's risk manager presents to the risk committee various case studies in which small
errors and ignorance cost, or nearly cost, the firm huge losses. What lesson related to the collapse
of the CDO market in 2008 did the bank's risk manager present to the risk committee?

A. The importance of diversification in investments.

B. The significance of credit ratings in selecting securities.

C. The risk of relying solely on quantitative models in investment decisions.

D. The necessity of hedging against market downturns.

The correct answer is C.

The collapse of the CDO market in 2008 was mainly attributed to the over-reliance on quantitative
models to evaluate and price the securities. This led to the underestimation of risks and the creation
of overly complex securities that were ultimately unsustainable. Therefore, the lesson related to
this collapse is the risk of relying solely on quantitative models in investment decisions.

A is incorrect. The importance of diversification in investments is a general lesson that applies to
investment management and is not specific to the CDO market collapse in 2008.

B is incorrect. The significance of credit ratings in selecting securities was also a factor in the
CDO market collapse, but this is not the main lesson in this case.

D is incorrect. The necessity of hedging against market downturns is a general lesson in risk
management and is not specific to the CDO market collapse in 2008.

Q.5154 A large bank has hired an expert to look into its newly developed model as good MRM
practice. Which of the following options presents a case study in which banks and model users
suffered huge losses because they failed to assess a newly developed model before fully
adopting it?

A. Gaussian Copula and CDO pricing

B. Barclays' acquisition of Lehman Brothers and the Excel spreadsheet error

C. NASA Mars Orbiter

D. Lehman Brothers scandal

The correct answer is A.

This case study focuses on the collapse of CDO markets in 2008. In the early 2000s, David X. Li
published a paper on pricing CDOs and how to price pools of assets without considering their
correlations. Li's approach was based on the Gaussian copula and the use of CDS prices to infer the
correlation of assets. Li's pricing model was widely adopted, despite its associated limitations. Both
banks and model users did not care to assess the related limitations before fully adopting the model.
When signs of weaknesses started to materialize in 2008, the correlation implied by the CDSs and the
CDO prices increased dramatically, leading to the collapse of the CDO market.

B is incorrect. In September 2008, Lehman Brothers collapsed, sparking the 2008 global financial
crisis. In one incident not known to many, Barclays Capital almost bought 179 trading contracts from
Lehman Brothers. A junior law associate was asked to convert the Excel files into a PDF for
uploading on the court's website. Unaware of hidden rows, including those listing the 179 trading
contracts that Barclays did not want to buy, he directly converted the files to PDF files. The mistake
was identified later, after the deal had already been approved.

C is incorrect. This case study relates to the use of inconsistent or wrong units, which cost
NASA $125 million.

D is incorrect. The failure of Lehman Brothers was mainly caused by unethical management
practices.

Q.5155 In September 2008, Lehman Brothers collapsed, sparking the 2008 global financial crisis. In
one incident not known to many, Barclays Capital almost bought 179 trading contracts from Lehman
Brothers by accident. Which of the following lessons can be learned from this incident?

A. MRM should challenge the assumptions and ensure users understand related limitations

B. Even tools and models that seem so simple should be challenged and reviewed properly

C. Even small errors, such as the use of wrong units, can lead to massive losses

D. A good MRM should help minimize the misuse of models by helping users understand the
limitations accompanying a model

The correct answer is B.

A simple mistake, forgetting to delete the hidden rows, almost cost Barclays millions of dollars.
Even though the loss did not materialize in this case, it could materialize in some other cases. Thus,
even tools and models that seem so simple should be challenged and reviewed properly.

A is incorrect. This is a lesson associated with the collapse of CDO markets in 2008, where users
widely adopted Li's model without assessing it.

C is incorrect. This lesson relates to the NASA Mars Orbiter incident, where the use of
inconsistent or wrong units cost NASA $125 million.

D is incorrect. This lesson is drawn from the collapse of CDO markets in 2008, in which users
blindly adopted Li's pricing model.

Reading 115: Stress Testing Banks

Q.2306 Jim Scott, a risk manager, has been tasked with creating a presentation on capital and liquidity
for students at a high school. His introduction begins with a broad definition of the different types of
capital and liquidity. In this regard, which of the following is not a type of capital/liquidity?

A. The capital/liquidity you have.

B. The capital/liquidity the regulators think that you have.

C. The capital/liquidity you need.

D. The capital/liquidity the regulators think that you need.

The correct answer is B.

There are three kinds of capital and liquidity: 1) the capital/liquidity you have; 2) the capital/liquidity
you need (to support your business activities); and 3) the capital/liquidity the regulators think that
you need.

Q.2307 Which of the following does not represent a stress test exercise by a valid authority?

A. SCAP 2009 – Supervisory Capital Assessment Program

B. CEBS 2010 – Committee of European Bank Supervisors

C. TCAP 2009 – Treasury’s Capital Assistance Program

D. CCAR 2011/2012 – Comprehensive Capital Analysis and Review

The correct answer is C.

Answer C is the only one which is not a stress test exercise, but a mechanism to supply capital to
banks in need. It is also not connected to a particular year, and the correct full name is “U.S.
Treasury’s CAP”.

Q.2308 When modeling a bank’s revenues, losses, and balance sheet, there are some vital measures
to be taken into account. Which of the following is an important measure to the modelers?

A. Asset values

B. Accounting and economic profits and losses

C. Cash inflows and cash outflows

D. All of the above

The correct answer is D.

Modeling a bank’s revenues, losses, and balance sheet makes use of asset values for modeling balance
sheets, accounting and economic profits and losses for modeling losses, and cash inflows and cash
outflows for modeling revenues.

Q.2309 What is a Credit Value Adjustment (CVA)?

A. A function of the expected default likelihood of the counterparty during normal operation.

B. A function of the expected default likelihood of the counterparty under a stress scenario.

C. A function of the expected default likelihood of the counterparty according to historical
data.

D. A function of the expected default likelihood of the counterparty according to other
variables.

The correct answer is B.

Counterparty credit risk arises when, in a derivative transaction revalued to the stress scenario, the
bank finds itself in the money (i.e., enjoys a derivative receivable) yet cannot be sure that the
counterparty to the transaction will be solvent to make good on the payment. Thus, the value is
discounted, where the discount is a function of the expected default likelihood of the counterparty
under the stress scenario, which presumably is higher than today. This adjustment is called a
credit value adjustment (CVA), and banks with significant derivative activities manage CVA as a
matter of course.

Q.2311 Regulatory and economic capital models are important instruments for measuring the amount
of capital needed. One of the following statements is not true about regulatory and economic capital
models. Which one?
Regulatory and economic capital models:

A. Evolve very slowly.

B. Evolve dynamically and quickly.

C. Have difficulty adapting to financial innovation and rapidly changing macro conditions.

D. Motivate some innovation in modeling due to their “one-size-fits-all” rules.

The correct answer is B.

Both regulatory and economic capital models (and especially the former) evolve very slowly and thus
have difficulty adapting to financial innovation and rapidly changing macro conditions. Indeed, some of
the innovation is motivated by those slowly evolving, one-size-fits-all regulatory capital rules.

Reading 116: Risk Capital Attribution and Risk-Adjusted Performance Measurement

Q.2207 A Catalonian bank is looking to expand its business lines. The management decides that the
primary condition for investment will be the highest RAROC (risk-adjusted return on capital). The
possibilities being discussed are:

I. Tarragona Construcciones, with an expected net profit of EUR 3,000,000 per year and
economic capital of EUR 50,000,000; and
II. Valencia Bonos, with an expected net profit of EUR 1,500,000 per year and economic capital
of EUR 22,000,000.

Assuming the cost of equity is 0.062, based on RAROC, the bank would most likely invest in:

A. Tarragona Construcciones

B. Valencia Bonos

C. Both projects

D. None – neither of the two would be economically viable

The correct answer is B.

$$\text{RAROC} = \frac{\text{After-tax expected risk-adjusted net income}}{\text{Economic capital}}$$

| Project | Expected profit | Economic capital | Calculation |
|---|---|---|---|
| Tarragona Construcciones | 3,000,000 | 50,000,000 | 3,000,000 / 50,000,000 = 0.06 |
| Valencia Bonos | 1,500,000 | 22,000,000 | 1,500,000 / 22,000,000 = 0.068 |

The RAROC for Valencia Bonos (0.068) is greater than the cost of equity (0.062), thus it is most
likely the next investment opportunity for the bank.

Q.2208 During a meeting at a certain bank, manager A reports a RORAC (Return on Risk-Adjusted
Capital) of USD 30, manager B a ROC (Return on Capital) of USD 30, and manager C a RoCaR (Return
on Capital at Risk) of USD 30. The best manager in terms of performance relative to the risk it is
taking is?

A. Manager A

B. Manager B

C. Manager C

D. All the three have performed equally

The correct answer is C.

RoCaR is a risk management metric that measures the return a company earns on the capital it has
put at risk. RoCaR is useful for evaluating a company's risk management practices and determining
whether it is adequately compensating investors for the risks it is taking.

A is incorrect. RORAC adjusts for the risks associated with a company's operations, and is
therefore a more sophisticated measure of profitability. RORAC is particularly useful for evaluating
the performance of financial institutions, which typically have complex risk profiles.

B is incorrect. ROC is a basic measure of a company's profitability and capital efficiency, and is
useful for comparing companies in the same industry or sector. However, it does not take into
account the risks that a company faces.

There is no single "better" metric among return on capital (ROC), return on risk-adjusted capital
(RORAC), and return on capital at risk (RoCaR). Each of these metrics serves a different purpose
and can provide valuable insights into a company's financial performance and risk management.

Q.2210 A bank in Vermont is considering investing in one of four regional factories producing maple
syrup. The bank intends to make a decision based on RAROC (risk-adjusted return on capital). The
following information is available:

Factory A: expected revenues of USD 150,000; expected losses of USD 8,000;
economic capital of $1,400,000.
Factory B: expected revenues of USD 175,000; expected losses of USD 15,000;
economic capital of $1,500,000.
Factory C: expected revenues of USD 200,000; expected losses of USD 15,000;
economic capital of $1,800,000.
Factory D: expected revenues of USD 250,000; expected losses of USD 10,000;
economic capital of $2,000,000.

On the basis of the risk-adjusted return on capital for each factory, the bank will most likely pick:

A. Factory A

B. Factory B

C. Factory C

D. Factory D

The correct answer is D.

$$\text{RAROC} = \frac{\text{expected revenues} - \text{costs} - \text{expected losses} - \text{taxes} + \text{return on risk capital} \pm \text{transfers}}{\text{economic capital}}$$

| Factory | Revenues | Expected losses | Economic capital | Calculation |
|---|---|---|---|---|
| Factory A | 150,000 | 8,000 | 1,400,000 | (150,000 − 8,000) / 1,400,000 = 0.10143 |
| Factory B | 175,000 | 15,000 | 1,500,000 | (175,000 − 15,000) / 1,500,000 = 0.10667 |
| Factory C | 200,000 | 15,000 | 1,800,000 | (200,000 − 15,000) / 1,800,000 = 0.10278 |
| Factory D | 250,000 | 10,000 | 2,000,000 | (250,000 − 10,000) / 2,000,000 = 0.12000 |

Q.2211 The difference between risk capital and regulatory capital is that:

A. Regulatory capital only applies to a few closely monitored industries like banking and
insurance.

B. While risk capital depends on an institution’s individual characteristics and investment
choices, regulatory capital is calculated based on industry-wide rules.

C. Aggregate risk capital and regulatory capital may be equal at firm level, but different at
business lines level.

D. All of the above.

The correct answer is D.

Risk capital is necessary across all risk-taking businesses but regulatory capital only applies to a few
industries where protection of the interests of investors/depositors is paramount. In addition, risk
capital is determined by the nature of a firm’s investments but regulatory capital is based on a
standardized, industry-wide formula. Furthermore, even though risk capital and regulatory capital can
have similar aggregate figures as viewed at the firm level, you will most likely come across
significant differences at the department level. Some departments or business lines may be subject
to more regulatory measures than others.

Q.2212 Kimberley Excavations, a diamond-mining company from South Africa, has implemented a
RAROC (risk-adjusted return on capital) system for future strategic investments. Kimberley
Excavations owns several diamond mines which have been showing signs of a decrease in yield, with
sharp rises and drops. Management of the mines is deeply dissatisfied with the new system,
complaining that RAROC is lacking fairness in attributing economic capital (EC) to their businesses –
namely that the EC is too high. What is the correct course of action for senior management in this
case?

A. Neglect dissatisfaction in the local management and enforce the RAROC system at all
costs.

B. Display commitment to RAROC, expand in-house communication and education regarding
the system.

C. Disregard RAROC and return to the old, tried and proven risk management system.

D. Allocate resources to each of the businesses for purpose of stricter employee
monitoring.

The correct answer is B.

Answer B, being part of the recommendations for implementing the RAROC system, is the only
acceptable answer in this instance. Answer A is wrong because good communication should always
be placed above forceful implementation. Answer C is wrong because RAROC is not just a common
language of risk, but a quantitative technique. We can also think of a RAROC-based capital budgeting
process as akin to an internal capital market in which businesses are competing with one another for
scarce balance sheet resources - all with the objective of maximizing shareholder value. This makes
RAROC a useful tool for capital allocation, both for banks and for nonbank corporations. Answer D is
outside the scope of this course.

Q.2213 An Indian bank is in the process of calculating its risk capital. The main purpose of risk
capital calculation is:

A. To show the level of expected losses that the bank could absorb.

B. To find differences between regulatory and risk capital.

C. To show the level of unexpected losses the bank could absorb.

D. All of the above.

The correct answer is C.

Risk capital should be calculated in such a way that the institution can absorb unexpected losses up
to a level of confidence in line with the requirements of the firm's various stakeholders.

Q.2214 A certain bank is calculating RAROC for some of its business lines. The available data gives
information on: expected revenues, costs, taxes, return on risk capital, transfers, and economic
capital. What type of data is missing?

A. Sharpe ratio

B. Expected losses

C. Net present value

D. VaR (Value-at-risk)

The correct answer is B.

The RAROC equation for capital budgeting is as follows:

$$\text{RAROC} = \frac{\text{expected revenues} - \text{costs} - \text{expected losses} - \text{taxes} + \text{return on risk capital} \pm \text{transfers}}{\text{economic capital}}$$

Clearly, the bank has yet to gather data on expected losses.

Q.2215 A certain bank is in the process of developing a differentiated mortgage product targeting a
market segment that has previously been overlooked because it's in a different geographical location
from where the bank operates. Which method should the bank adopt to estimate default probabilities
with regard to the new business line? The point-in-time approach or the through-the-cycle approach?

A. Point-in-time approach

B. Through-the-cycle approach

C. Both are equally reasonable

D. Neither of the two

The correct answer is B.

A point-in-time (PIT) probability of default is reasonable for calculating near-term expected losses
(EL) and for pricing financial instruments that are subject to credit risk.
A through-the-cycle (TTC) PD, which is largely the approach taken by the rating agencies, is more
reasonable for calculating economic capital, current profitability, and strategic decisions regarding
products, geographies, and new business ventures.

Further explanation: A “through the cycle” process requires assessment of the borrower’s riskiness
based on a worst-case, “bottom of the cycle scenario” (i.e., its condition under stress). This makes a
lot more sense for a new business line since this business line is likely to go through a “bottom of the
cycle scenario” at some point.

Q.2734 Determine the RAROC using the following information about a loan.

| Item | Value |
|---|---|
| Loan Value | $2 million |
| Gross Revenue | $250,000 |
| Expected Loss | 300 bps |
| Interest Expense | $100,000 |
| Operating Costs | $60,000 |
| Return on invested economic capital | $10,000 |
| Economic capital required | $400,000 |

A. 10.00%

B. 10.50%

C. 11.00%

D. 12.50%

The correct answer is A.

$$\text{RAROC} = \frac{\text{Revenues} - \text{Expected loss} - \text{Expenses} + \text{Return on capital} \pm \text{Transfer price}}{\text{Economic capital}}$$

$$\text{Expected loss} = 0.0300 \times 2{,}000{,}000 = 60{,}000$$

$$\text{RAROC} = \frac{250{,}000 - 60{,}000 - 60{,}000 + 10{,}000 - 100{,}000}{400{,}000} = 10\%$$

Q.2735 Given that the RAROC on a project is 12%, the risk-free rate is 4%, the return on the
market portfolio is 10%, and the firm’s equity beta is 1.25, calculate the adjusted RAROC for the
project and determine whether it should be accepted or rejected.

A. 6.4%; rejected

B. 4.5%; accepted

C. 6.0%; accepted

D. 6.0%; rejected

The correct answer is B.


RAROC is a profitability measure for analyzing risk-adjusted financial performance. For acceptance, a
project must earn a return that's higher than the firm's hurdle rate, a benchmark rate of return set
taking into account the firm's cost of both common and preferred equity. However, exclusively
accepting only the projects whose RAROC > hurdle rate can result in a portfolio of high-risk
projects that could ultimately result in losses and reduce the value of the firm. What's more, lower-
return projects that have a RAROC < hurdle rate (rejected projects) also come with low risk that
could provide steady returns and increase the value of the firm.

For these reasons, we adjust RAROC for systematic risk, giving rise to ARAROC, where:

$$\text{Adjusted RAROC} = \text{RAROC} - \beta_e (R_m - R_f)$$

Where:

$R_m$ = expected return on the market

$R_f$ = risk-free rate

$\beta_e$ = firm's equity beta

$$\text{Adjusted RAROC} = 0.12 - 1.25(0.10 - 0.04) = 0.045$$

The project can be accepted if ARAROC > risk-free rate.

Since 4.5% > 4%, this particular project can be accepted.


Q.2964 Supposing we are given the following information for a loan:

$89.5 million is the expected revenue

$8.89 million is the operating cost

$50.98 million is the tax expense

$10 million is the expected loss

$24.01 million is the return on risk capital

$69.5 million is the economic capital

What is the RAROC for the loan?

A. 0.7867

B. 0.4537

C. 0.6279

D. 0.8794

The correct answer is C.

$$\text{RAROC} = \frac{\text{Revenues} - \text{Expected loss} - \text{Expenses} + \text{Return on capital} \pm \text{Transfer price}}{\text{Economic capital}}$$

Therefore:

$$\text{RAROC} = \frac{89.5 - 8.89 - 50.98 - 10 + 24.01}{69.5} = 0.6279$$


Q.3136 Sigma Inc. has an equity beta of 1.18. In addition, the risk-free rate is 2%, the expected
market return is 7.932% and the RAROC on the proposed project is 10%. If the beta of the proposed
project is the same as that of Sigma Inc, then, in order to increase the shareholders' wealth,
ARAROC should increase by more than?

A. 1.446%

B. 1.592%

C. 0.0000%

D. 2.000%

The correct answer is C.

Shareholders’ wealth increases when ARAROC is greater than the risk-free rate.
ARAROC can be computed using the following formula:

$$\text{ARAROC} = \text{RAROC} - \beta (R_M - r_f) = 10\% - 1.18(7.932\% - 2\%) = 3\%$$

In order for shareholders to increase the value of their wealth, ARAROC should be greater than the
risk-free rate. Clearly, this condition has been met and, therefore, there is no need to increase it.


Q.3206 Samar Vance is an equity strategist at Jumbo Capital. She has been given the following
information about an investee banking company:

Gross revenue: $12 million

Economic capital: 80 million

Return on invested economic capital: 700,000

Operating costs associated with making the loan: $2.3 million

Expected loss on the loan: 1,600,000

Based on the above information, the RAROC is closest to?

A. 30%.

B. 23%.

C. 12%.

D. 11%.

The correct answer is D.

$$\text{RAROC} = \frac{\text{Expected revenues} - \text{Costs} - \text{Expected losses} - \text{Taxes} + \text{Return on risk capital} \pm \text{Transfers}}{\text{Economic capital}}$$

$$= \frac{12 - 2.3 - 1.6 - 0 + 0.7 \pm 0}{80} = 0.11 \text{ or } 11\%$$


Q.3207 Larry Sing is considering investing in the stock of an oil marketing company named Hudson
Petroleum. If its RAROC is 17%, the company's beta is 1.2, the return on the market is 12%, and the
risk-free rate is 8%, what will be the adjusted RAROC for Hudson?

A. 13.2%.

B. 16%.

C. 12.2%.

D. 5.9%.

The correct answer is C.

$$\text{ARAROC} = \text{RAROC} - \text{Beta}\,(R_m - R_f) = 17 - 1.2(12 - 8) = 12.2\%$$


Q.3209 Henry Campbell is an equity analyst at Four Brothers Financials. He is currently analyzing a
new project for expanding into new markets. His calculated RAROC is 13%, the risk-free rate is 6%,
the market return is 14%, the firm's required return on equity is 12%, and the firm's beta is 1.5.
What is the ARAROC and should the project be accepted?

A. 11%; accept.

B. 5.5%; reject.

C. 6.2%; accept.

D. 1.0%; reject.

The correct answer is D.

Adj RAROC = RAROC - Beta (Rm - Rf)

Decision rule: Accept (reject) projects whose adjusted RAROC is greater (smaller) than Rf.
Adjusted RAROC = 13% - 1.5(14% - 6%) = 1%
Since 1% < 6%, the project should be rejected.

A note on the formula used

Old mock exams and study material used a slightly different formula, i.e.
ARAROC = (RAROC - Rf) / Beta
In fact, both formulas will lead to the same decision, but there are conditions.

First case: ARAROC = (RAROC - Rf) / Beta => to be compared with Rm - Rf

Accept (reject) projects whose adjusted RAROC is greater (smaller) than (Rm - Rf).

Second case: ARAROC = RAROC - Beta (Rm - Rf) => to be compared with Rf

Accept (reject) projects whose adjusted RAROC is greater (smaller) than Rf.

Applying the second (newer) approach is recommended.


Reading 117: Range of Practices and Issues in Economic Capital Frameworks

Q.2216 The main challenge faced by financial institutions while choosing the risk measure to use for
economic capital purposes is that:

A. There are no generally accepted properties of a good risk measure.

B. Most risk measures are too complex, which means implementation and eventual
communication to stakeholders can be quite difficult.

C. There is a general lack of relevant and reliable data that can be used to assess risks.

D. There is no singularly preferred risk measure for economic capital purposes.

The correct answer is D.

Although there seems to be some kind of a general agreement on the properties that should guide
institutions while choosing a risk measure for economic capital assessment, there is no single
measure that could be considered ideal for every firm. None is ‘head and shoulders’ above the others.
Every institution, therefore, has to choose its risk measure in light of specific circumstances.

Q.2217 While developing an economic capital framework, it is important to come up with the
aggregate risk facing the institution as a whole. However, aggregate risk can be erroneous and
inaccurate in light of certain circumstances. These include:

A. Presence of too many autonomous business units.

B. Use of different risk assessment models by different business units.

C. Recognition of benefits of diversification across the organization.

D. Failure to recognize correlations between different risks.

The correct answer is D.

In most organizations, most risks are evaluated on a standalone basis without regard to possible
interactions between them, which indeed exist in real life, e.g. interaction between market risk and
credit risk. Failure to recognize this correlation during aggregation can result in gross
underestimation of the total risk facing the organization. Too many autonomous units or the use of
different modeling methodologies would not by themselves introduce errors as long as the models
have been validated and tested for suitability. Recognizing diversification would actually improve risk
aggregation.


Q.2218 Which of the following statements is (are) true?

I. Validation serves to increase confidence among users that modeling assumptions are
consistent with market conditions
II. Validation techniques are equally powerful in sensitivity testing and overall absolute
accuracy
III. Only one validation technique should be applied to a given model; combining techniques is
always counterproductive

A. All of the above

B. I only

C. I and III

D. II only

The correct answer is B.

Validation provides a degree of confidence that modeling assumptions are appropriate, hence
increases the confidence of users dependent on the model’s outcome. Moreover, a range of
validation techniques – as opposed to just one – can provide more substantial evidence for or against
the use of a particular model. However, validation techniques are more powerful in some areas such
as risk sensitivity but not in other areas such as absolute accuracy.

Q.2219 When examining a firm’s capital adequacy, it’s always important to establish the dependency
(correlation) between obligors. However, correlation estimates provided by current models are
usually inaccurate and unstable – mainly because of:

A. A lack of well-developed computer algorithms.

B. Scarcity of skilled personnel to do the calculations.

C. Overdependence on model assumptions.

D. The use of irrelevant input data.

The correct answer is C.

To determine appropriate levels of economic capital for a bank, it’s absolutely necessary to estimate
the correlation between obligors. Unfortunately, most models currently in use do not provide
accurate/stable correlation estimates mainly because they still depend heavily on explicit/implicit
model assumptions.


Q.2220 A bank-wide view of counterparty credit risk for economic capital purposes can be a
challenge mainly because:

A. It involves large-scale gathering of data and transactions monitoring, which can easily
strain human resources.

B. It requires the use of expensive software to track transactions.

C. It relies heavily on independent opinions of credit rating agencies, some of which can be
compromised.

D. It requires cooperation among all business divisions, some of which could be autonomous.

The correct answer is A.

Measurement of counterparty credit risk presents a complex exercise as it involves the gathering of
data across multiple systems and continuous monitoring of multiple risk exposures, sometimes
numbering millions. Moreover, while some transactions conclude overnight, some might run for tens
of years. Such exercises can easily strain resources.

Q.2221 One of the main challenges in the calculation of economic capital for interest rate risk in the
banking book relates to:

A. The long holding period of balance sheet assets and liabilities.

B. Varying market forces of supply and demand.

C. The unpredictable nature of regulatory action by central banks.

D. The presence of a large bouquet of products, all priced differently.

The correct answer is A.

It’s difficult to determine the level of economic capital required to mitigate interest rate risk
because most assets and liabilities have long holding periods, and interest rate projections 10-20
years into the future are, at best, speculative.


Q.2222 Which of the following financial products would pose the greatest challenge to the
determination of the economic capital of a bank?

A. Ordinary stocks

B. Preference shares

C. Bonds with embedded options

D. Fixed-rate interest rate loans

The correct answer is C.

Embedded optionality in banking brings about indeterminate cash flows on both the asset and liability
sides. It’s normally not easy to predict whether or not outstanding options will be exercised. Such
products pose risks that are significantly greater than most measures suggest.

Q.2223 Economic capital is best defined as:

A. The amount of money invested in various risk-taking activities.

B. The amount of reserve cash held by a bank, which is used to absorb losses resulting from
credit risk.

C. Practices that allow institutions to assess risk and attribute capital to the economic
effects of risk-taking activities.

D. Practices that allow institutions to set aside sufficient funds to mitigate risks emanating
from future uncertainties.

The correct answer is C.

Economic capital can be defined as the method or practices that allow financial institutions to
consistently assess risk and to financially prepare for the economic effects of risk-taking activities.


Q.2965 Fidelity Bank uses models based on the asymptotic single risk factor (ASRF) model for credit
risk. In particular, the model is based on Basel II risk weights. What is the effect on the capital charge
for an exposure based on this ASRF model?

A. The capital charge depends on the composition of the portfolio to which the exposure is
added.

B. The capital charge for an exposure depends on risk characteristics of the exposure only.

C. The capital charge captures general types of tendencies as opposed to the Gaussian copula
models.

D. All the above answers are correct.

The correct answer is B.

ASRF models are derived from “ordinary” credit portfolio models by the law of large numbers. When
a portfolio consists of a large number of relatively small exposures, idiosyncratic risks associated
with individual exposures tend to cancel one another out, and only systematic risks that affect many
exposures have a material effect on portfolio losses. In the ASRF model, all systematic (or system-
wide) risks that affect all borrowers to a certain degree, like industry or regional risks, are modeled
with only one (the “single”) systematic risk factor.
This modeling approach permits the use of banks’ correlation estimates or multiple systematic risk
factors for correlations to be addressed.

Q.2967 Copulas combine the marginal probability distributions into a joint distribution. Which of the
following is an advantage of copulas as a form of risk aggregation methodology?

A. The effect of fixed diversification is sensitive to underlying interactions between the
different components.

B. T he method is easy to use as it easily estimates inter-risk correlations and does not
capture nonlinearities.

C. Simulation of common drivers provides for calculating the distribution of outcomes and
economic capital risk measure.

D. Is more flexible than a covariance matrix and allows for nonlinearities and higher-order
dependencies.

The correct answer is D.

As a means of combining marginal probability distributions into a joint distribution, copulas are
more flexible than a covariance matrix and allow for nonlinearities and higher-order dependencies.


Q.2968 Broadways Bank uses the unit of account as a component of risk aggregation methodology.
Which of the following is NOT a characteristic of the unit of risk accounting?

A. Risk metric

B. Confidence level

C. Complex simulation

D. Time horizon

The correct answer is C.

The following are crucial characteristics of the unit of risk accounting:

- Risk metric (the metrics used for quantifying different components)
- Differences in confidence levels (assumption as a result of the loss distribution arising from different types of risks)
- The measured risk’s horizon (in risk aggregation, its selection is of crucial importance)


Q.2969 Which of the following risk measures is the least commonly used measure in the practice of
risk management?

A. Standard deviation

B. Spectral risk measures

C. Value at risk

D. Expected shortfall

The correct answer is B.

Spectral risk measures are a newer class of risk measures that allow for different weights to be
assigned to the quantiles of a loss distribution, rather than assuming equal weights for all
observations, as is the case for Expected shortfall. However, spectral and distorted risk measures
are not widely used in practice and are currently largely of academic interest.

Q.3211 Which of the following categories of BIS recommendations specifically refers to the need to
consider using additional methods, such as stress testing, to help cover all exposures?

A. Risk aggregation.

B. Interest rate risk in the banking book.

C. Netting

D. Counterparty credit risk.

The correct answer is D.

When deciding between the available methods of measuring counterparty credit risk, there are trade-
offs to be considered. Additional methods, such as stress testing, need to be adopted to help cover all
exposures.


Reading 118: Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice

Q.2224 Oak Creek bank, part of a Bank Holding Company (BHC), is preparing for its annual CCAR
(Comprehensive Capital Analysis and Review). After careful consideration, analysts have identified a
wrongly implemented principle of capital adequacy process in the bank. Which of the following
principles is not part of the CCAR?

A. Effective loss-estimation methodologies

B. Sufficient capital adequacy impact assessment

C. Adequate IT resources

D. Robust internal controls

The correct answer is C.

The seven principles of an effective capital adequacy process are:

1. Sound foundational risk management
2. Effective loss-estimation methodologies
3. Solid resource-estimation methodologies
4. Sufficient capital adequacy impact assessment
5. Comprehensive capital policy and capital planning
6. Robust internal controls
7. Effective governance


Q.2225 The Great Falls Bank of Montana, USA, part of a Bank Holding Company (BHC), is performing
an annual CCAR (Comprehensive Capital Analysis and Review). During the process, it is revealed that
one of the existing models has not been appropriately validated nor independently reviewed. Which
principle of effective capital adequacy has been violated?

A. Robust internal controls

B. Sufficient capital adequacy impact assessment

C. Effective loss-estimation methodologies

D. Effective governance

The correct answer is A.

Principle 6 of an effective capital adequacy process has much to do with robust internal controls,
including change control; model validation and independent review; comprehensive
documentation; and review by internal audit.

Q.2226 Minnetonka Bank, part of a Bank Holding Company (BHC), is involved in comprehensive
capital analysis and review. During the process, it is confirmed that one of their processes for
translating risk measures into estimates of potential losses does not encompass a satisfactory range
of stressful scenarios and environments. Which principle of an effective capital adequacy process
has been violated?

A. Sound foundational risk management

B. Sufficient capital adequacy impact assessment

C. Effective governance

D. Effective loss-estimation methodologies

The correct answer is D.

Principle 2 of an effective capital adequacy process has much to do with effective loss-estimation
methodologies. It states that the BHC should have effective processes for translating risk measures
into estimates of potential losses over a range of stressful scenarios and environments and for
aggregating those estimated losses across the BHC.


Q.2227 A certain bank based in New York is assessing risks as part of its preparation for the annual
CCAR (Comprehensive Capital Analysis and Review). During the process of stress-testing, several
risk categories are defined, particularly those that are difficult to quantify or not directly attributable
to any of the specific integrated firm-wide risk categories. Which of the following risks would not fall
under such a category?

A. Compliance risk

B. Credit risk

C. Reputational risk

D. Strategic risk

The correct answer is B.

Given the scope of operations and the associated breadth of risks facing large, complex BHCs –
including the risk of losses from exposures and of reduced revenue generation – they are often
exposed to risks, other than credit or market risk, that are either difficult to quantify or not directly
attributable to any of the specific integrated firm-wide scenarios that are evaluated as part of the
BHC's scenario-based stress testing ("other risks"). Examples of these other risks include
reputational risk, strategic risk, and compliance risk.

Q.2228 Cloverdale Bank in Idaho, USA, forms part of a Bank Holding Company (BHC). It has just
ventured into a new business line that requires the proper estimation of losses, revenues and
expenses as part of scenario analysis. Bearing this in mind, what would be the most appropriate data
for modeling purposes?

A. Internal data

B. External data

C. Both internal and external data

D. None - the new models should take into account only future data generated by the
business line

The correct answer is B.

Generally, BHCs should develop and use internal data to estimate losses, revenues, and expenses as
part of an enterprise-wide scenario analysis. However, in certain instances, it may be more
appropriate for BHCs to use external data to make their models more robust. In this case, the BHC
lacks sufficient, relevant historical data.


Q.2229 Fairgrounds Bank forms part of a Bank Holding Company (BHC). The bank has been very
successful in a business line that was established about 6 months ago. The bank intends to stress test
models for the business line for a longer period. As part of best practice during stress testing, the
bank should:

A. Ensure minimal variation from established internal data patterns.

B. Test a wide range of adverse effects reaching outside the established data patterns.

C. Only use the data which reflects the most positive outcomes.

D. Only use the data which reflects the most negative outcomes.

The correct answer is B.

Given the uncertainty inherent in a forward-looking capital planning exercise, the Federal Reserve
expects BHCs to apply generally conservative assumptions throughout the stress testing process to
ensure appropriate tests of the BHCs' resilience to stressful conditions. In particular, BHCs should
ensure that models are developed using data that contain sufficiently adverse outcomes. If a BHC
experienced better-than-average performance during previous periods of stress, it should not assume
that those prior patterns will remain unchanged in the stress scenario. BHCs should carefully review
the applicability of key assumptions and critically assess how historically observed patterns may
change in unfavorable ways during a period of severe stress for the economy, the financial markets,
and the BHC.


Q.2230 Clayton bank forms part of a Bank Holding Company (BHC) and has been requested, by the
Federal Reserve, to compile documentation regarding its estimation practices. What are the main
guidelines that should be followed by the bank while documenting its estimates?

A. Extremely detailed explanations of key methodologies with every bit of data available
being presented.

B. Limited documentation emphasizing the importance of management’s judgments in
estimates.

C. Limited documentation encompassing theoretical assumptions and quantitative estimates.

D. Concisely explained key methodologies and assumptions presented in a well-organized
manner.

The correct answer is D.

The Federal Reserve expects BHCs to clearly document their key methodologies and assumptions
used to estimate losses, revenues, and expenses. BHCs with stronger practices provided
documentation that concisely explained methodologies, with relevant macroeconomic or other risk
drivers, and demonstrated relationships between these drivers and estimates. Documentation should
clearly delineate among model outputs, qualitative overlays to model outputs, and purely qualitative
estimates. BHCs with weaker practices often had limited documentation that was poorly organized
and that relied heavily on subjective management judgment for key model inputs with limited
empirical support for and documentation of these adjustments.

Q.2231 Highlands Bank forms part of a Bank Holding Company (BHC). The bank is computing loss
estimates on a number of its business lines. What are the components that the bank should take into
account when estimating losses?

A. Probability of default (PD), time value of money (TM), and loss given default (LGD).

B. Probability of default (PD), loss given default (LGD), and exposure at default (EAD).

C. Probability of default (PD), time value of money (TM), and exposure at default (EAD).

D. Loss given default (LGD), exposure at default (EAD), and credit rating (CR).

The correct answer is B.

Under the expected loss approach, losses are estimated as a function of three components:
probability of default (PD), loss given default (LGD), and exposure at default (EAD). PD, LGD, and
EAD can be estimated at a segment level or at an individual loan level, and using different models or
assumptions.


Q.2232 Fetterman Bank is in the process of estimating revenue and expenses for the following time
period. What is the length of time required for the estimation of revenue and expenses by the
Federal Reserve’s Capital Plan Rule?

A. Nine quarters

B. Eight quarters

C. Twelve quarters

D. There is no explicit length of time defined by the Federal Reserve

The correct answer is A.

The Capital Plan Rule requires BHCs to estimate revenue and expenses over the nine-quarter
planning horizon.

Q.2233 What are the internal control methods included in an internal capital planning process?

A. Robust and independent model review and validation.

B. Comprehensive documentation, including policies and procedures.

C. Regular and comprehensive review by internal audit.

D. All of the mentioned above, as well as change controls.

The correct answer is D.

As with other aspects of key risk-management and finance area functions, a BHC should have a
strong internal control framework that helps govern its internal capital planning processes. These
controls should include (1) regular and comprehensive review by internal audit; (2) robust and
independent model review and validation practices; (3) comprehensive documentation, including
policies and procedures; and (4) change controls.


Q.2234 Bank of Elmwood, part of a Bank Holding Company (BHC), is preparing for independent model
review and validation. What’s included in such a process?

A. An evaluation of conceptual soundness

B. Ongoing monitoring that includes verification of processes and benchmarking

C. An “outcome analysis”

D. All of the above

The correct answer is D.

The model review and validation process should include:

- an evaluation of conceptual soundness;
- ongoing monitoring that includes verification of processes and benchmarking; and
- an "outcomes analysis"

Q.2235 A BHC is having a supervisory review performed on its modeling practices for capital
planning. Following the review, the company receives very positive feedback regarding its model
documentation as part of risk management. What could be the reason for the positive feedback?

A. Large-scale collection of relevant historical data for use as input data.

B. Presence of an updated inventory of all models used in the process.

C. Presence of qualified modeling staff.

D. Adoption of large-scale sensitivity testing and stress testing.

The correct answer is B.

Maintaining an updated inventory of all models used in the modeling process is one of the
(documentation) practices that are exhibited by well-performing and financially stable BHCs.


Q.2236 Campbell bank, part of a Bank Holding Company (BHC), has not had its risk infrastructure,
nor its loss-estimation methodologies reviewed for more than a year. Which principle of an effective
capital adequacy process does this violate?

A. Robust internal controls

B. Sound foundational risk management

C. Effective governance

D. Sufficient capital adequacy impact assessment

The correct answer is C.

In order for a BHC to be considered to have effective governance, there should be effective
oversight of the capital adequacy process by the board and senior management, including periodic
review of the BHC's risk infrastructure and loss- and resource-estimation
methodologies; evaluation of capital goals; assessment of the appropriateness of stressful
scenarios considered; regular review of any limitations and uncertainties in all aspects of the CAP;
and approval of capital decisions.

Q.2237 What do you understand by “feeder models” as used in modeling by BHCs?

A. Models outsourced from external sources for the purpose of performance comparison
with internal models.

B. Models used to produce projections or estimates that can then be used in another model to
generate final figures for expected losses, expenses and revenue.

C. Models whose outcome has been disputed by experts and analysts at firm level.

D. Models used to generate the final projected figures for losses, expenses, and revenues.

The correct answer is B.

BHCs should maintain an inventory of all models used in the capital planning process, including all
input or “feeder” models that produce projections or estimates used by the models that generate the
final loss, revenue or expense projections.


Q.2238 A BHC in Mississippi, USA, was recently subjected to a supervisory review of its model risk
management. Following the exercise, the company received negative feedback. Which of the
following could have led to such an outcome?

A. Using models without validation or models that had identified weaknesses.

B. Using benchmark or challenger models to help assess the reasonableness of the primary
model output.

C. Employing independent validation staff to critically evaluate the models.

D. Being too transparent about the validation status of all models used for capital planning.

The correct answer is A.

Recommended practices in BHCs' capital planning include: being transparent about the validation
status of all models used for capital planning and appropriately addressing any models that
have not been validated (or those that have identified weaknesses) by restricting their
use, or using benchmark or challenger models to help assess the reasonableness of the primary
model output. Also, there should be independent validation staff mandated with critical review of
models to assess their suitability.

Q.2970 Bank Holding Company (BHC) models review and validation process should include all the
following, EXCEPT:

A. An evaluation of the conceptual soundness

B. Ongoing monitoring that includes verification processes and benchmarking

C. Policies and procedures

D. An outcomes analysis

The correct answer is C.

The process of reviewing and validating a BHC model must have an evaluation of conceptual
soundness. In addition, there should be an ongoing monitoring that includes verification processes and
benchmarking. Furthermore, an outcomes analysis needs to be done. However, there are no policies
and procedures in the model review and validation processes.

Q.2971 Internal controls in bank holding companies (BHCs) should ensure that there is integrity of
reported results and the documentation, review, and approval of all material changes to the capital
planning process and its components. Such controls as ensured by BHCs should exist at all levels of
the capital planning process, with specific control measures to perform all the following roles apart
from:

A. Making sure that there is sufficient robustness in MIS for capital analysis and decision
making to be supported, with sufficient flexibility to run ad-hoc analysis whenever
necessary.

B. Provide for reconciliation and data integrity process for all key reports.

C. Enable the addressing of presentation of aggregate, enterprise-wide capital planning results
that gives the description of manual adjustments created in the aggregation process and
identified weaknesses are compensated by these adjustments.

D. Ensure that the documentation provides evidence that results and recommendations can
be challenged by the Board.

The correct answer is D.

Options A, B, and C are all specific control measures for performing the aforementioned roles.
However, for option D, there is no direct link to the specific control measures by ensuring that
evidence provided by documents resulting from recommendations can be challenged by the Board.

Reading 119: Capital Regulation Before the Global Financial Crisis

Q.2334 In 1992, Germany was under Basel I regulations. Eintracht Bank from Frankfurt has had the
following portfolio structure (in USD):

Loans to corporations – $1 billion ($600 million in uninsured residential real estate)
OECD countries government’s exposures – $500 million
Cash, balance with a central bank – $200 million

Risk weights were as follows:

| Risk Weight (%) | Asset category |
|---|---|
| 0 | Cash, gold bullion, claims on OECD governments such as Treasury bonds or insured residential mortgages |
| 20 | Claims on OECD banks and OECD public sector entities such as securities issued by U.S. government agencies or claims on municipalities |
| 50 | Uninsured residential mortgage loans |
| 100 | All other claims such as corporate bonds and less-developed country debt, claims on non-OECD banks |

The risk-weighted assets of Eintracht Bank were closest to which of the following?

A. $700 million

B. $1 billion

C. $500 million

D. $1.2 billion

The correct answer is A.

Risk-weighted assets should be calculated as follows:

Loans to corporate with uninsured residential real-estate as collateral = 600m * 50%
Loans to corporate without collateral = 400m * 100%
OECD countries government’s exposures = 500m * 0%
Cash, balance with a central bank = 200m * 0%
Total risk-weighted assets = 700m

Q.2335 In 1992, Italy was under Basel I regulations. Scala Bank from Milan had the following portfolio
structure (in USD):
Loans to corporations: $1.5 billion ($600 million in commercial real estate)
OECD countries government’s exposures: $300 million
Cash, balance with a central bank: $500 million

Risk weights were as follows:

| Risk Weight (%) | Asset category |
|---|---|
| 0 | Cash, gold bullion, claims on OECD governments such as Treasury bonds or insured residential mortgages |
| 20 | Claims on OECD banks and OECD public sector entities such as securities issued by U.S. government agencies or claims on municipalities |
| 50 | Uninsured residential mortgage loans |
| 100 | All other claims such as corporate bonds and less-developed country debt, claims on non-OECD banks |

The risk-weighted assets of Scala Bank were closest to which of the following?

A. $1.2 billion

B. $1.5 billion

C. $2.3 billion

D. $1.65 billion

The correct answer is B.

Risk-weighted assets should be calculated as follows:

Loans to corporate = 1.5b * 100%
OECD countries government’s exposures = 300m * 0%
Cash, balance with a central bank = 500m * 0%
Total risk-weighted assets = 1.5b

Q.2336 Arrenberg bank from Rotterdam, Netherlands, has to calculate its RWA under Basel I for its
exposure in an over-the-counter FX swap agreement. The data on the swap exposure is as follows:
Add-on factor – 1%
Notional amount – EUR 500 million
Current value – EUR 1 million
Risk-weighted factor for counterparty – 100%

The RWA is equal to:

A. EUR 501 million

B. EUR 6 million

C. EUR 5.01 million

D. EUR 1 million

The correct answer is B.

The RWA should be calculated as follows:

RWA = (notional amount × add-on factor + current value) × risk-weighted factor
= (500m × 1% + 1m) × 100% = EUR 6 million

Q.2337 Calc Bank from Frankfurt, Germany, had to calculate its risk-weighted assets (RWA) under
Basel I for its exposure in an over-the-counter interest rate swap agreement. The data on the swap
exposure is as follows:
Add-on factor: 1.5%
Notional amount: EUR 1 billion
Current value: EUR -2 million
Risk-weighted factor for counterparty: 100%

The RWA is equal to:

A. EUR 13 million

B. EUR 0

C. EUR 15 million

D. EUR 1 billion

The correct answer is C.

RWA should be calculated as follows:

RWA = (notional amount × add-on factor + max(current value; 0)) × risk-weighted factor
= (1b × 1.5% + 0) × 100% = EUR 15 million

Q.2338 Kediray Bank from Izmir, Turkey is calculating its regulatory capital under Basel I
regulations. It has the following capital instruments: equity, noncumulative perpetual preferred
stocks, and subordinated debt with a maturity of over 5 years. What is the structure of its regulatory
capital?

A. Tier 1 capital includes equity, noncumulative perpetual preferred stocks, and subordinated
debt.

B. Tier 1 capital includes equity, and Tier 2 capital includes noncumulative perpetual
preferred stocks and subordinated debt.

C. Tier 1 capital includes equity, and Tier 2 includes noncumulative perpetual preferred
stocks; subordinated debt is not included in regulatory capital.

D. Tier 1 capital includes equity, noncumulative perpetual preferred stocks, and Tier 2
includes subordinated debt.

The correct answer is D.

Capital has two components:

1. Tier 1 – This consists of items such as equity and noncumulative perpetual preferred stock.
(Goodwill is subtracted from equity.)
2. Tier 2 – This is sometimes referred to as Supplementary Capital. It includes instruments
such as cumulative perpetual preferred stock, certain types of 99-year debenture issues, and
subordinated debt (i.e. debt subordinated to depositors) with an original life of more than five
years.

Q.2339 Banat Bank from Timisoara, Romania, is calculating its regulatory capital under Basel I
regulations. It has the following structure of capital instruments (in EUR):

Equity: 150m
Subordinated debt (over 5 years maturity): 50m
Cumulative preferred stocks: 20m

What is the structure of its Tier 1 and Tier 2 capital?

A. Tier 1: 170m; Tier 2: 50m

B. Tier 1: 150m, Tier 2: 70m

C. Tier 1: 150m, Tier 2: 20m

D. Tier 1: 170m

The correct answer is B.

The capital has two components:

1. Tier 1: This consists of items such as equity and noncumulative perpetual preferred stock.
(Goodwill is subtracted from equity.)
2. Tier 2: This is sometimes referred to as Supplementary Capital. It includes instruments such
as cumulative perpetual preferred stock, certain types of 99-year debenture issues, and
subordinated debt (i.e. debt subordinated to depositors) with an original life of more than five
years.

In this example, Tier 1 = Equity (150m); and Tier 2 = Subordinated debt (50m) + Cumulative
preferred stocks (20m) = 70m

Q.2340 Osijek Commercial Bank from Croatia has to calculate its Tier 1 and Tier 2 capital under
Basel I regulations. It has the following capital structure (in EUR):

Equity: 50m
Subordinated debt (over 5 years maturity): 30m
Cumulative preferred stocks: 5m
Noncumulative preferred stocks: 10m

What is the structure of the bank’s Tier 1 and Tier 2 capital?

A. Tier 1 capital: 60m; Tier 2: 35m

B. Tier 1 capital: 55m; Tier 2: 40m

C. Tier 1 capital: 55m; Tier 2: 10m

D. Tier 1 capital: 60m; Tier 2: 5m

The correct answer is A.

Tier 1 = Equity (50m) + Noncumulative preferred stocks (10m) = 60m

Tier 2 = Subordinated debt (30m) + Cumulative preferred stocks (5m) = 35m

Q.2341 Basel II introduced a capital requirement for one “new” risk in Pillar 1. Which one?

A. Interest rate risk in banking book

B. Market risk in trading book

C. Operational risk

D. Credit risk

The correct answer is C.

Capital requirement for credit risk was introduced in the Basel I Capital Accord (which is the reason
why D is not the correct answer). The capital requirement for market risk was introduced in the Basel I
Amendment from 1996 (which is the reason why B is not the correct answer). The capital
requirement for operational risk was introduced in Pillar 1 of Basel II.

Q.2342 NYC Bank from New York, USA, is one of the largest banks in the USA. At the moment of
the introduction of Basel II standards in the USA, it was free to choose the approach to use so as to
meet credit risk capital requirements. What options did the bank have in this regard?

A. Standardized approach, Internal rating based approach, and Advanced IRB approach.

B. None, because the USA chose not to apply Basel II.

C. NYC Bank could only use standardized approach.

D. NYC Bank could only use the Foundation IRB approach.

The correct answer is D.

The United States chose to apply Basel II only to large banks and decided that only the Foundation
IRB approach could be used since only the probability of default data was required from the banks as
compared to the advanced IRB approach that required all the three values, i.e., the probability of
default, the exposure at default and loss given default data.

Q.2343 PSV Bank, a small regional bank from Eindhoven, Holland, is in the process of calculating its
capital requirements. Which of the following statements is true?

A. The bank must use the standardized approach because of its size.

B. The bank can choose between standardized, IRB, and advanced IRB approaches under EU
regulation.

C. The bank is under Basel I regulations.

D. The bank is under both Basel I and Basel II regulations.

The correct answer is B.

The Basel II capital requirements applied to "internationally active" banks. In the United States,
there are many small regional banks and the U.S. regulatory authorities decided that Basel II would
not apply to them. (These banks are regulated under what is termed Basel IA, which is similar to
Basel I.) In Europe, all banks, large or small, were regulated under Basel II. Furthermore, the
European Union required the Basel II rules to be applied to securities companies as well as banks.

Q.2345 Bethlenbank from Kecskemet, Hungary, has to calculate its capital requirement for credit
risk. The bank has decided to use the standardized approach and has managed to gather data on:
exposure, collateral, probability of default, and credit rating of the debtor. Which piece of data is
missing so as to proceed with the required calculations smoothly?

A. Loss given default (LGD)

B. Exposure at default (EAD)

C. None

D. Maturity

The correct answer is C.

Under the standardized approach (Basel II), risk-weighted assets are calculated as the product of
exposure and a weighted factor which depends on credit rating of the debtor. LGD and maturity are
used for the calculation of capital requirement for credit risk under the IRB approach.

Q.2346 Astoria Bank from Marseille, France, has chosen the IRB approach to calculate its capital
requirement for credit risk. In line with standard practice, the bank should calculate its:

A. Value at risk with a time horizon of 1 year and a confidence interval of 99.9%.

B. Value at risk with a time horizon of 1 year and a confidence interval of 99%.

C. Value at risk with a time horizon of 1 month and a confidence interval of 99.9%.

D. Value at risk with a time horizon of 10 days and a confidence interval of 99%.

The correct answer is A.

Regulators base the capital requirement on the value at risk calculated using a one-year time horizon
and a 99.9% confidence level. They recognize that expected losses are usually covered by the way a
financial institution prices its products. (For example, the interest charged by a bank on a loan is
designed to recover expected loan losses.) The capital required is, therefore, the value at risk minus
the expected loss.

Q.2737 A bank’s annual financial statements showed the following assets:

| Asset | Amount (in $ million) |
|---|---|
| Cash | 50 |
| Treasury bills | 100 |
| Loans to corporations | 750 |
| Uninsured residential mortgages | 100 |

Calculate the bank’s risk-weighted assets based on the Basel I guidelines.

A. $850 million

B. $700 million

C. $750 million

D. $800 million

The correct answer is D.

According to Basel I, the risk weights for different assets are:

| Asset | Risk weight |
|---|---|
| Cash and Treasury bills | 0% |
| Uninsured residential mortgages | 50% |
| Loans to corporations | 100% |

The risk-weighted assets for the bank can be calculated as:

50 × 0% + 100 × 0% + 750 × 100% + 100 × 50% = 800 million

Q.2738 Which of the following approaches is NOT appropriate for calculating credit risk capital
under Basel II?

A. Standardized Approach

B. Foundation IRB Approach

C. Advanced IRB Approach

D. Advanced Measurement Approach

The correct answer is D.

Basel II provides three approaches for calculating the credit risk capital of a bank. These include the
standardized approach, the foundation IRB approach, and the advanced IRB approach. The advanced
measurement approach is used for calculating the operational risk of a bank.

Q.2739 Under the Foundation IRB approach for measuring credit risk under Basel II, all of these are
provided by the supervisor, except:

A. PD

B. EAD

C. LGD

D. M

The correct answer is A.

In the Foundation IRB approach for the measurement of credit risk, the bank only calculates the
probability of default. All other measures for the calculation of capital charge (LGD, EAD, and M) are
prescribed by the supervisor.

Q.2740 All of these are pillars of sound bank management under the Basel II framework, except:

A. Minimum capital requirements

B. Sound corporate governance

C. Supervisory review

D. Market discipline

The correct answer is B.

The three pillars of sound bank management under the Basel II framework include Minimum Capital
Requirements, Supervisory Review, and Market Discipline.

Q.2994 Suppose that G&R Bank’s assets are made up of $267 million of corporate loans, $17 million
of OECD government bonds, and $79 million of residential mortgages. We are also given that
corporate loans have a risk weight of 100%, loans to government agencies and banks in OECD
countries carry a risk weight of 20%, and mortgages have a risk weight of 50%. Compute the total
risk-weighted assets.

A. $520.7 million

B. $306.5 million

C. $267.4 million

D. $487.6 million

The correct answer is B.

Recall that the total risk-weighted assets for N on-balance-sheet items is given by the following
expression:

$$\sum_{i=1}^{N} L_i W_i$$

Therefore:

The total risk-weighted assets = 267 × 1 + 79 × 0.5 = $306.5 million

Note: Cash and securities issued by governments of OECD countries (members of the Organisation
of Economic Co-operation and Development) are considered to have virtually zero risk and have a
risk weight of zero. It is loans to banks and government agencies in OECD countries that have a risk
weight of 20%.

Q.2995 The following table shows a portfolio of three derivatives (in EUR million) held by a
bank with a particular counterparty:

| Transaction | Principal $L_i$ | Current Value $V_i$ |
|---|---|---|
| 2-year interest rate swap | 1000 | 95 |
| 5-year foreign exchange forward | 1000 | −35 |
| 8-month option on a stock | 700 | 80 |

Calculate the net replacement ratio.

A. 0.74

B. 0.63

C. 0.80

D. 1.31

The correct answer is C.

Recall that:

$$NRR = \frac{\max\left(\sum_{i=1}^{N} V_i,\ 0\right)}{\sum_{i=1}^{N} \max(V_i,\ 0)}$$

The current exposure with netting (the numerator) is computed as:

95 + 80 − 35 = 140

The current exposure without netting (the denominator) is computed as:

95 + 0 + 80 = 175

Therefore:

$$NRR = \frac{140}{175} = 0.8$$

Q.3232 Jinshi & Houshi Corporation is a large commercial bank operating in mainland China. It has
adopted the Basel I framework and makes use of the following add-on factors for derivatives:

Add-On Factors as a Percent of Principal for Derivatives

| Remaining Maturity (yr) | Interest Rate | Exchange Rate and Gold | Equity | Precious Metals Except Gold | Other Commodities |
|---|---|---|---|---|---|
| <1 | 0.0 | 1.0 | 6.0 | 7.0 | 0.0 |
| 1 to 5 | 0.5 | 5.0 | 8.0 | 7.0 | 1.2 |
| >5 | 1.5 | 7.5 | 10.0 | 8.0 | 1.5 |

The bank made the following transactions during a one-year period:

(a) A seven-year interest rate swap with a notional principal of $400 million and a current market
value of -$3 million.

(b) A three-year interest rate swap with a notional principal of $170 million and a current value of $7
million.

(c) A four-month derivative on a commodity with a principal of $80 million that is currently worth $4
million.

Using this information, estimate the risk-weighted assets for the bank under Basel I if the
counterparty is a corporation (the risk weight for corporations is 0.5). Assume no netting.

A. $7.9825 million

B. $12.925 million

C. $25.850 million

D. $8.925 million

The correct answer is D.

To calculate the risk-weighted assets for an off-balance sheet item, we must first establish the item’s
credit equivalent amount (CEA). The credit equivalent amount is then multiplied by the risk weight
for the counterparty to calculate risk-weighted assets.

For interest rate swaps and other over-the-counter (OTC) derivatives, the credit equivalent amount
is calculated as:

CEA = max(V, 0) + a × L

where:

V = current value of the derivative to the bank
a = add-on factor
L = principal amount

Following are CEAs for each transaction:

CEA(a) = 0 + 1.5% × $400m = $6 million
CEA(b) = 7 + 0.5% × $170m = $7.85 million
CEA(c) = 4 + 0% × $80m = $4 million

The bank is transacting with a corporation and as per Basel guidelines (as pointed out in the question)
the risk weight for corporations is 0.5.

Thus,

Risk-weighted assets = 0.5[6 + 7.85 + 4] = $8.925 million

Q.3233 Jinshi & Houshi Corporation is a large commercial bank operating in mainland China. It has
adopted the Basel I framework and must maintain at least 8% capital to risk-weighted assets. The
bank makes use of the following add-on factors for derivatives:

Add-On Factors as a Percent of Principal for Derivatives

| Remaining Maturity (yr) | Interest Rate | Exchange Rate and Gold | Equity | Precious Metals Except Gold | Other Commodities |
|---|---|---|---|---|---|
| <1 | 0.0 | 1.0 | 6.0 | 7.0 | 10.0 |
| 1 to 5 | 0.5 | 5.0 | 8.0 | 7.0 | 12.0 |
| >5 | 1.5 | 7.5 | 10.0 | 8.0 | 15.0 |

The bank made the following transactions during a one-year period:

(a) A seven-year interest rate swap with a notional principal of $400 million and a current market
value of -$3 million.

(b) A three-year interest rate swap with a notional principal of $170 million and a current value of $7
million.

(c) A four-month derivative on a commodity with a principal of $80 million that is currently worth $4
million.

Using this information, estimate the capital requirement for the bank under Basel I if the
counterparty is a corporation (the risk weight for corporations is 0.5). Assume no netting.

A. $1.034 million

B. $2.068 million

C. $0.517 million

D. $1.535 million

The correct answer is A.

Capital required must be 8% of risk-weighted assets.

To calculate the risk-weighted assets for an off-balance sheet item, we must first establish the item’s
credit equivalent amount (CEA). The credit equivalent amount is then multiplied by the risk weight
for the counterparty to calculate risk-weighted assets.

For interest rate swaps and other over-the-counter (OTC) derivatives, the credit equivalent amount
is calculated as:

CEA = max(V, 0) + a × L

where:

V = current value of the derivative to the bank
a = add-on factor
L = principal amount

Following are CEAs for each transaction:

CEA(a) = 0 + 1.5% × $400m = $6 million
CEA(b) = 7 + 0.5% × $170m = $7.85 million
CEA(c) = 4 + 10% × $80m = $12 million

The bank is transacting with a corporation and as per Basel guidelines (as pointed out in the question)
the risk weight for corporations is 0.5.

Thus,

Risk-weighted assets = 0.5[6 + 7.85 + 12] = $12.925 million

Capital required = 0.08 × 12.925 = $1.034 million

Q.3234 Jinshi & Houshi Corporation is a large commercial bank operating in mainland China. It has
adopted the Basel I framework and had made the following transactions during the year:

(a) A seven-year interest rate swap with a notional principal of $400 million and a current market
value of -$3 million.

(b) A three-year interest rate swap with a notional principal of $170 million and a current value of $7
million.

(c) A four-month derivative on a commodity with a principal of $80 million that is currently worth $4
million.

Given the above information, what is the net replacement ratio (NRR) under Basel I assuming that
the 1995 netting amendment applies?

A. 1.375

B. 1.000

C. 0.727

D. 0.636

The correct answer is C.

The current exposure with netting is −3 + 7 + 4 = 8

The current exposure without netting is 0 + 7 + 4 = 11

The net replacement ratio is given by:

$$NRR = \frac{\max\left(\sum_{i=1}^{N} V_i,\ 0\right)}{\sum_{i=1}^{N} \max(V_i,\ 0)} = \frac{8}{11} = 0.727$$

Q.3235 Jinshi & Houshi Corporation is a large commercial bank operating in mainland China. It has
adopted the Basel I framework and had made the following transactions during the year:

(a) A seven-year interest rate swap with a notional principal of $400 million and a current market
value of -$3 million.

(b) A three-year interest rate swap with a notional principal of $170 million and a current value of $7
million.

(c) A four-month derivative on a commodity with a principal of $80 million that is currently worth $4
million.

Based on this information, what’s the credit equivalent amount with netting agreements and without
netting respectively under Basel I assuming that the 1995 netting amendment applies?

A. $14.85 million and $25.85 million

B. $14.82 million and $25.85 million

C. $22.85 million and $14.82 million

D. $20.42 million and $25.85 million

The correct answer is D.

The total of the add-on amounts is 1.5% × 400 + 0.5% × 170 + 10% × 80 = $14.85 million

The credit equivalent amount when netting agreements are in place is:

$$\sum_{i=1}^{N} \max(V_i,\ 0) + (0.4 + 0.6 \times NRR) \sum_{i=1}^{N} a_i L_i$$

= 8 + (0.4 + 0.6 × 0.727) × 14.85 = $20.42 million

Without netting, the credit equivalent amount is 11 + 14.85 = $25.85 million

Q.3236 Jinshi & Houshi Corporation is a large commercial bank operating in mainland China. It has
adopted the Basel I framework and had made the following transactions during the year:

(a) A seven-year interest rate swap with a notional principal of $400 million and a current market
value of -$3 million.

(b) A three-year interest rate swap with a notional principal of $170 million and a current value of $7
million.

(c) A four-month derivative on a commodity with a principal of $80 million that is currently worth $4
million.

Given this information, what is the risk-weighted asset amount under Basel I if the counterparty is an
OECD Bank assuming that the 1995 netting amendment applies and also in the case that the
amendment does not apply?

A. $4.084 million and $10.21 million

B. $4.084 million and $5.170 million

C. $10.21 million and $12.93 million

D. $12.93 million and $10.21 million

The correct answer is B.

The total of the add-on amounts is:

1.5% × 400 + 0.5% × 170 + 10% × 80 = $14.85 million

The credit equivalent amount when netting agreements are in place is given by:

$$\sum_{i=1}^{N} \max(V_i,\ 0) + (0.4 + 0.6 \times NRR) \sum_{i=1}^{N} a_i L_i$$

= 8 + (0.4 + 0.6 × 0.727) × 14.85
= $20.42 million

Without netting, the credit equivalent amount is:

11 + 14.85 = $25.85 million

Since the counterparty is an OECD bank, the risk weight is 0.2.
RWA with netting is 0.2 × 20.42 = $4.084 million.

Without netting, it is 0.2 × 25.85 = $5.17 million.

Q.3238 Paul Hales is a risk consultant at Kimpala Leasing Bank. The assets of the bank consist of
$690 million retail loans (not mortgages), mostly fleets of multinational companies financed by
Kimpala. The bank’s actuary has projected that the probability of default (PD) is 1% and the loss
given default (LGD) is 40%.
Based on this information, what is the worst-case default rate at 99.9% certainty and the expected
loss under the Basel II IRB approach? (Note: In this case, correlation ρ = 0.1216.)

A. 0.1190 and $2.76 million

B. 0.1216 and $44.15 million

C. 0.8784 and $4.83 million

D. 0.9086 and $44.15 million

The correct answer is A.

WCDR(T, X) or WCDR(X, T) indicates the Xth percentile of the default rate distribution during a
period of length T. Its components are as follows:

$$WCDR = N\left[N^{-1}(PD) + \frac{\sqrt{\rho}\,N^{-1}(X)}{\sqrt{1-\rho}}\right]$$

$PD$ = probability of default
$\rho$ = correlation parameter
$N^{-1}$ is the inverse of the standard normal CDF

For a problem like this, you would likely be provided with the values for $N^{-1}(PD)$ and $N^{-1}(X)$, but it
is still useful to understand how they can be retrieved.

So in this case we have $N^{-1}(0.01)$ and $N^{-1}(0.999)$.

To interpret this, we want to find values of $z$ such that $P(Z < z) = 0.01$ and $P(Z < z) = 0.999$.

Using a table that only shows the right-hand side of the standard normal Z-lookup, we would be able to
see that:

$N^{-1}(0.01) \cong -2.33$ because 0.9901, which is nearest to 0.9900, is found at $z = 2.33$; if
$P(Z < 2.33) = 99\%$, then $P(Z < -2.33) = 1 - 99\% = 1\%$ [a consequence of symmetry, i.e., equal
halves].

$N^{-1}(0.999)$: $P(Z < z) = 0.999$ gives $z = 3.09$.

Thus,

$$WCDR = N\left[-2.33 + \frac{\sqrt{0.1216} \times 3.09}{\sqrt{1 - 0.1216}}\right] = N(-1.18031)$$

$$N(-1.1803) = 1 - N(1.1803) = 1 - P(Z < 1.1803) = 1 - 0.88100 = 0.1190$$

$$EL = \sum EAD_i \times LGD_i \times PD_i = 690 \times 0.4 \times 0.01 = 2.76$$

Q.3239 Paul Hales is a risk consultant at Kimpala Leasing Bank. The assets of the bank consist of
$690 million retail loans (not mortgages), mostly fleets of multinational companies financed by
Kimpala. The bank’s actuary has projected that the probability of default (PD) is 1% and the loss
given default (LGD) is 40%. The correlation parameter is 0.1216. Based on the Basel II accord, what
is the default rate at the 99.9th percentile for the bank?

A. 0.9547

B. 0.0453

C. 0.9531

D. 0.1190

The correct answer is D.

$DR_{99.9}$ is the 99.9th percentile of the default rate for a large portfolio of assets of type $i$:

$$DR_{99.9} = N\left[N^{-1}(PD_i) + \frac{\sqrt{\rho}\,N^{-1}(0.999)}{\sqrt{1-\rho}}\right]$$

$PD$ = probability of default
$\rho$ = correlation parameter
$N^{-1}$ is the inverse of the standard normal CDF

For a problem like this, you would likely be provided with the values for $N^{-1}(PD)$ and $N^{-1}(X)$, but it
is still useful to understand how they can be retrieved.

So in this case we have $N^{-1}(0.01)$ and $N^{-1}(0.999)$.

To interpret this, we want to find values of $z$ such that $P(Z < z) = 0.01$ and $P(Z < z) = 0.999$.

Using a table that only shows the right-hand side of the standard normal Z-lookup, we would be able to
see that:

$N^{-1}(0.01) \cong -2.33$ because 0.9901, which is nearest to 0.9900, is found at $z = 2.33$; if
$P(Z < 2.33) = 99\%$, then $P(Z < -2.33) = 1 - 99\% = 1\%$ [a consequence of symmetry, i.e., equal
halves].

$N^{-1}(0.999)$: $P(Z < z) = 0.999 \Rightarrow z = 3.09$

Thus,

$$DR_{99.9} = N\left[-2.33 + \frac{\sqrt{0.1216} \times 3.09}{\sqrt{1 - 0.1216}}\right] = N(-1.18031)$$

$$N(-1.1803) = 1 - N(1.1803) = 1 - P(Z < 1.1803) = 1 - 0.88100 = 0.1190$$


Q.3240 Python Commercial Bank uses the standardized approach to arrive at an estimate of total risk-
weighted credit risk exposure. An external credit rating agency assigned the following weights to the
bank's risk exposures.

Risk Exposure    Weight
$24 million      80%
$12 million      120%
$18 million      70%
$17 million      30%
$3 million       10%

According to the Basel II Accord, as a rough approximation, the bank is mandated to maintain a
minimum capital of:

A. $51.6 million.

B. $1.792 million.

C. $4.128 million.

D. $5.920 million.

The correct answer is C.

Minimum capital required = 0.08 × (0.80 × $24 million + 1.20 × $12 million + 0.70 × $18 million + 0.30 × $17 million + 0.10 × $3 million)
= 0.08 × $51.6 million
= $4.128 million.

According to the Basel II Accord, the bank is mandated to maintain a capital of at least 8% of total risk-weighted assets.


Q.4216 Which of the following statements gives one of the reasons for the introduction of the Basel I accord?

A. The continuity of international financial transactions even after the Herstatt Bank failure

B. The growing competition between the banks in different countries due to the varied level of capital requirements

C. All of the above

D. None of the above

The correct answer is C.

The Basel Committee on Banking Supervision (BCBS) developed a specification of capital regulation due to growing cross-border financial transactions after the failure of Herstatt Bank, and the G10 countries had a common objective that banks should possess enough equity to cover extreme losses.

Moreover, there was growing competition between banks in different countries due to the difference in capital requirements. For instance, the banks with the lowest capital requirements created a perception that they had a competitive advantage. Therefore, BCBS developed a level playing field for all banks.


Q.4217 What was the main goal of the Basel I accord?

A. Develop a common currency for all the banks

B. Maintenance of sufficient capital for the banks to remain solvent in time of distress

C. Raising the solvency level of small banks to match that of a big bank

D. None of the above

The correct answer is B.

Basel I was created to ensure that financial institutions would possess enough assets to maintain their solvency in times of distress. The sufficiency of the capital required was computed using risk-adjusted capital ratios to establish a level playing field for global financial institutions.

Option A is incorrect: Basel I ensured that sufficient capital is maintained in the currency of the country in which a particular bank is located.

Option C is incorrect: The Basel I accord was aimed at establishing a level playing field for the financial institutions.


Q.4218 Which of the following ratios did Basel I use to establish the capital sufficiency of the banks?

A. Leverage ratio

B. Risk-based capital ratio

C. All of the above

D. None of the above

The correct answer is B.

The Basel I accord used a risk-based ratio, which is the ratio of capital to risk-weighted assets (RWA). This ratio included the assets on the balance sheet (based on accounting conventions) and off-balance-sheet exposures such as loan commitments and derivatives exposures.

Option A is incorrect: The leverage ratio (ratio of capital to book value of assets) disadvantaged the banks with low-risk portfolios and advantaged those with high-risk portfolios, since banks vary in terms of the components and sizes of their balance sheets.

Q.4219 Under the Basel I framework, what is the required value of the ratio of Tier 1 capital to risk-weighted assets (RWA)?

A. Greater than 4%

B. Less than 4%

C. Greater than 8%

D. Less than 8%

The correct answer is A.

Basel I required a financial institution to maintain the ratio of Tier 1 capital to RWA greater than 4%. Mathematically stated as:

\[\frac{\text{Tier 1 Capital}}{\text{RWA}} > 4\%\]


Q.4220 Based on the Basel I framework, which of the following expressions is incorrect?

A. Tier 1 capital > 4%(RWA)

B. Total capital > 8%(RWA)

C. Tier 1 capital + Tier 2 capital = Total capital

D. Tier 1 capital + Tier 2 capital > Total capital

The correct answer is D.

Option A is correct: Basel I required that

\[\frac{\text{Tier 1 Capital}}{\text{RWA}} > 4\% \Rightarrow \text{Tier 1 capital} > 4\%\,(\text{RWA})\]

Option B is correct: Basel I required that

\[\frac{\text{Total Capital}}{\text{RWA}} > 8\% \Rightarrow \text{Total capital} > 8\%\,(\text{RWA})\]

Option C is correct: Under the Basel I framework, total capital is equivalent to the sum of Tier 1 capital and Tier 2 capital.

Option D is not true because it contradicts Option C.


Q.4221 According to the Basel I classification of capital, which of the following is NOT a constituent of Tier 2 capital?

A. Undisclosed reserves

B. Common equity

C. Hybrid instruments

D. Loan loss reserves not allocated to non-performing assets

The correct answer is B.

According to the Basel I framework, Tier 1 capital includes common equity and disclosed reserves minus goodwill.

Options A, C, and D are the constituents of Tier 2 capital.


Q.4222 According to Basel I, to create a risk-sensitive ratio, the risk-weighted assets are used as the
denominator. Which of the following is assigned a risk weight of 0%?

A. Uninsured residential mortgages

B. Commercial and consumer loans

C. Claims on Organization for Economic Cooperation and Development (OECD) government bonds

D. Claims on OECD banks and public sector entities

The correct answer is C.

A 0% weight was assigned to claims on OECD governments, such as bonds, since it was assumed that no OECD government would default on its obligations.

Option A is incorrect: Uninsured residential mortgages were assigned a risk weight of 50%.

Option B is incorrect: Exposures such as commercial and consumer loans were assigned a risk weight of 100%.

Option D is incorrect: Claims on OECD banks and public sector entities were assigned a risk weight of 20%.


Q.4223 The constituents of an American bank are $200 million of American government bonds, $500 million of loans to corporations, $300 million of uninsured residential mortgages, and $250 million of residential mortgages issued by the public sector. What is the value of risk-weighted assets (RWA) based on the Basel I accord?

A. $1250 million

B. $600 million

C. $700 million

D. $850 million

The correct answer is C.

Using the weight ratios under the Basel I accord, the RWA is given by:

RWA = 0% × 200 + 100% × 500 + 50% × 300 + 20% × 250 = $700 million


Q.4224 According to Basel I, conventional off-balance-sheet exposures were converted to an on-balance-sheet equivalent using credit conversion factors. Which of the following off-balance-sheet categories was assigned a credit conversion factor of 100%?

A. Loan commitments with an original maturity of 6 months

B. Loan commitments with an original maturity of one year

C. Guarantees on loans and bonds

D. Standby letters of credit of transactions related to credit transactions

The correct answer is C.

Guarantees on loans and bonds, banker's acceptances, and equivalents were assigned a credit conversion factor of 100%.

Option A is incorrect: Loan commitments with an original maturity of less than one year were assigned a credit conversion factor of 0%.

Option B is incorrect: Loan commitments with an original maturity greater than or equal to 1 year were assigned a credit conversion factor of 20%.

Option D is incorrect: Standby letters of credit of transactions related to credit transactions were assigned a credit conversion factor of 50%.


Q.4225 The derivatives book of a Canadian bank consists of C$500 million notional value of interest rate swaps, with C$200 million having a maturity of 6 months, C$100 million having a maturity of one and a half years, and the rest having a maturity of 3 years. The market value of the derivatives book is C$50 million. According to the Basel I accord, what is the credit equivalent amount of the derivatives book using the current exposure method?

A. C$40.90 million

B. C$49.90 million

C. C$52.30 million

D. C$51.50 million

The correct answer is D.

According to the current exposure method, the credit equivalent amount is obtained by adding an add-on for changes in the contract's future value to the market value of the contract. For an interest rate swap, the add-on depends on the maturity of the swap: zero for maturities of less than one year, 0.5% for remaining maturities of five years or less, and 1.5% for more than five years.

So, in this case, the credit equivalent amount is given by:

CE = 50 + 0% × 200 + 0.5% × 100 + 0.5% × 200 = C$51.50 million


Q.4226 The constituents of an American bank are $200 million of American government bonds, $500 million of loans to corporations, $300 million of uninsured residential mortgages, and $250 million of residential mortgages issued by the public sector. If the Tier 1 capital of the bank is $42 million, does the bank have sufficient capital under the Basel I accord?

A. Yes; the ratio of Tier 1 capital to RWA is 6%

B. No; the ratio of Tier 1 capital to RWA is 4%

C. No; the ratio of Tier 1 capital to RWA is 6%

D. Yes; the ratio of Tier 1 capital to RWA is 4%

The correct answer is A.

Under the Basel I accord, for a bank to maintain sufficient capital, the following condition must be met:

\[\frac{\text{Tier 1 Capital}}{\text{RWA}} > 4\%\]

Given the information, RWA for this case is given by:

RWA = 0% × 200 + 100% × 500 + 50% × 300 + 20% × 250 = $700 million

So that:

\[\frac{\text{Tier 1 Capital}}{\text{RWA}} = \frac{42}{700} = 0.06 = 6\% > 4\%\]


Q.4227 Under the Basel I framework, which of the following is one of the methods of measuring
market risk?

A. Current exposure method

B. Original exposure method

C. Standardized approach methods

D. The foundations of internal ratings-based

The correct answer is C.

The 1996 amendment of Basel I provided two methodologies for market risk measurement: a standardized approach and an internal model-based approach.

Options A and B are incorrect because they are methods of calculating credit equivalent amounts of off-balance-sheet assets.

Option D is incorrect because it is one of the methods for calculating the minimum capital requirements for credit risk under the Basel II accord.


Q.4400 Which one of the following statements is true concerning the Solvency II capital framework
for insurance companies?

A. The internal models-based approaches are used to calculate the solvency capital requirement (SCR)

B. When an insurance company breaches Solvency II's minimum requirements, the company is still allowed to take up new policies.

C. When an insurance company breaches Solvency II's minimum requirements, supervisors may bar the company from selling/writing new policies or put it into resolution

D. None of the above

The correct answer is C.

If an insurance company breaches the Solvency II minimum capital requirement (MCR), the supervisors may decide to stop the stressed firm from writing new policies or put the insurer into resolution.

Option A is incorrect: Solvency II uses both standardized and internal model-based approaches to compute SCR.

Option B is incorrect: It contradicts option C.

Things to Remember:


Q.4401 Solvency II uses both standardized and internal model-based approaches to compute SCR. However, if an insurance company decides to use internal models, the models must satisfy certain conditions. Which of the following is one of the conditions?

A. The size of the data used should be small

B. The model used must be applicable to real business decision making

C. All of the above

D. None of the above

The correct answer is B.

The internal models used must take into consideration the following factors:

I. The data and methods used should be efficient.
II. The model employed must be utilized in real business decision making.
III. The risk assessment must be calibrated based on the target criteria set by the regulator.

Option A is incorrect: The data and methods used should be efficient.


Q.4403 A bank majors in four business lines whose corresponding multipliers and gross income (in
millions) for three years are given in the table below:

Business Line        Multiplier   Annual Gross Income
                                  Year 1   Year 2   Year 3
Retail Banking       13%          6        18       8
Asset Management     14%          8        10       18
Trading and Sales    19%          9        18       28
Corporate Finance    18%          42       25       20

Based on the Basel II accord, what is the value of the required capital for operational risk under the
Basic Indicator approach?

A. 7.2

B. 4.0

C. 10.2

D. 10.5

The correct answer is D.

This method computes the capital for operational risk as 15% of the bank’s average annual gross income over the past three years, while ignoring years that resulted in negative gross income.

So,

Business Line        Annual Gross Income
                     Year 1   Year 2   Year 3
Retail Banking       6        18       8
Asset Management     8        10       18
Trading and Sales    9        18       28
Corporate Finance    42       25       20
Sum                  65       71       74

Note that the multiplier column has been excluded since we do not need it here. Therefore, the required capital for operational risk is given by:

\[0.15 \left[\frac{65 + 71 + 74}{3}\right] = 10.5 \text{ million}\]


Q.4404 The Basel Committee defined operational risk as the risk that occurs due to inadequate or failed internal processes, people and systems or from external events. Which of the following methods of determining capital required for operational risk is incorrectly described as per the Basel II accord?

A. Basic Indicator Approach: computes the capital for the operational risk as 15% of the
bank’s average annual gross income over the past three years while ignoring years that
resulted in negative gross income

B. Standardized approach: computes bank’s average annual gross income over the past three
years while ignoring years that resulted in negative gross income using the same multiplier
across assets

C. Advanced Measurement Approach (AMA): computes the required capital for operational
risk as 99.9% VaR measured using internal models less expected operational losses

D. None of the above

The correct answer is B.

The standardized approach computes the bank’s average annual gross income over the past three years, while ignoring years that resulted in negative gross income, using different multipliers in each asset.

Options A and C are incorrect: The methods are correctly described.


Q.4405 A Canadian bank has assets consisting of CAD 300 million BB-rated drawn loans. The probability of default (PD) is estimated to be 0.01, the LGD is 30%, and DR is estimated to be 0.10. What is the RWA for the bank with regard to the Basel II accord?

A. CAD 100.34 million

B. CAD 125.53 million

C. CAD 125.43 million

D. CAD 101.25 million

The correct answer is D.

Recall that retail exposures were calculated similarly to the advanced IRB approach, except that there is no maturity adjustment. So,

RWA = 12.5 × EAD × LGD × (DR − PD)
= 12.5 × 300 × 0.30 × (0.10 − 0.01)
= CAD 101.25 million

Note:

Under Basel II, banks are required to maintain a total capital ratio (Tier 1 + 2 + 3) of minimum 8%. 12.5 is the inverse of 8%. The multiplier has the effect of turning a capital requirement into an RWA measure.

EAD = Exposure at Default

LGD = Loss Given Default

DR = The default rate at the 99.9th percentile for a large portfolio of assets of type i

PD = The bank's own probability of default


Q.4406 The bank’s probability of default (PD) is estimated to be 0.01. What is the approximated value of the asset correlation in the context of the Basel II framework?

A. 0.1562

B. 0.1453

C. 0.1928

D. 0.2341

The correct answer is C.

The Basel II model assumes Lopez’s model, given by:

\[\rho = 0.12\left[\frac{1 - e^{-50 PD}}{1 - e^{-50}}\right] + 0.24\left[1 - \frac{1 - e^{-50 PD}}{1 - e^{-50}}\right]\]

Since we are given PD = 0.01, the asset correlation is given by:

\[\rho = 0.12\left[\frac{1 - e^{-50 \times 0.01}}{1 - e^{-50}}\right] + 0.24\left[1 - \frac{1 - e^{-50 \times 0.01}}{1 - e^{-50}}\right] = 0.1928\]

Q.4408 Assume that a bank has a portfolio of four derivatives with two counterparties, as shown in
the table below:

Counterparty   Derivative Type   Maturity Period   Notional Amount   Market Value   Add-on Factor
1              Interest rate     2                 200               −5             0.5%
1              Interest rate     2                 100               15             0.5%
2              Equity Option     4                 100               0              10%
2              Wheat Option      6                 200               −10            10%

What is the value of the credit equivalent of the derivative portfolio based on the 1995 netting
amendment?

A. 60.23

B. 62.45

C. 42.54

D. 35.2


The correct answer is D.

According to the 1995 amendment of Basel I, the credit equivalent amount (CEA) is given by:

\[CEA = \max\left(\sum_{i=1}^{N} V_i,\ 0\right) + \sum_j \left(0.4 \times D_j + 0.6 \times D_j \times NRR\right)\]

where NRR (Net Replacement Ratio) is defined as:

\[NRR = \frac{\max\left(\sum_{i=1}^{N} V_i,\ 0\right)}{\sum_{i=1}^{N} \max\left(V_i,\ 0\right)}\]

Now,

\[\max\left(\sum_{i=1}^{N} V_i,\ 0\right) = \max(0,\ 10) = 10\]

Note that the current exposure portion of the credit equivalent is 10 for counterparty 1 because the −5 exposure on the first interest rate derivative is netted against 15 on the second interest rate derivative. Moreover, the current exposure for counterparty 2 is 0, since current exposure cannot be negative (−10).

Now,

\[NRR = \frac{\max\left(\sum_{i=1}^{N} V_i,\ 0\right)}{\sum_{i=1}^{N} \max\left(V_i,\ 0\right)} = \frac{\text{Current exposure}}{\text{Sum of positive exposures}} = \frac{10}{15} = 0.6667\]

The add-on for the potential future exposure is calculated for each derivative:

Interest rate = 0.5% × (100 + 200) = 1.5
Equity Option = 10% × 100 = 10
Wheat Option = 10% × 200 = 20

So,


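\[\sum_j \left(0.4 \times D_j + 0.6 \times D_j \times NRR\right) = [0.4 \times 1.5 + 0.6 \times 1.5 \times 0.6667] + [0.4 \times 10 + 0.6 \times 10 \times 0.6667] + [0.4 \times 20 + 0.6 \times 20 \times 0.6667] = 1.20 + 8 + 16 = 25.2\]

Therefore:

\[CEA = \max\left(\sum_{i=1}^{N} V_i,\ 0\right) + \sum_j \left(0.4 \times D_j + 0.6 \times D_j \times NRR\right) = 10 + 25.2 = 35.2\]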


Reading 120: Solvency, Liquidity and Other Regulation After the Global Financial Crisis

Q.2347 BastaBank from Bari, Italy, has just adopted Basel II.5 regulations after years of Basel II compliance. The bank’s risk management team wants to bring the directors up to speed, particularly with regard to the new requirements under Basel II.5. The team has prepared a report highlighting the main changes. These most likely have a lot to do with:

A. Calculation of capital requirement for liquidity risk, calculation of stressed VaR, and a new
methodology of capital calculation.

B. Calculation of stressed VaR, a new incremental risk charge, and a comprehensive risk
measure for instruments dependent on credit correlation.

C. A new incremental risk charge, a comprehensive risk measure for instruments dependent
on credit correlation, and a new methodology of capital calculation.

D. A new incremental risk charge, new requirements for IRB parameters calculation, and
new requirements for liquidity measurement.

The correct answer is B.

The three changes from Basel II to II.5 are:

1. The calculation of a stressed VaR;
2. A new incremental risk charge; and
3. A comprehensive risk measure for instruments dependent on credit correlation.

Q.2348 Cosomora Bank from Eindhoven, Holland, is one of the largest European banks with a large trading book. The bank has been under Basel II and is currently in the later stages of Basel II.5 implementation. What will be the main effect of shifting from Basel II to Basel II.5?

A. Capital charges for credit risk will increase.

B. Capital charges for credit risk will be reduced.

C. Capital charges for market risk will increase.

D. Sweeping changes in liquidity measurement techniques.

The correct answer is C.

The main effect of the implementation of Basel II.5 (from Basel II) is greatly increasing the market risk capital that large banks are required to hold.


Q.2349 With the introduction of Basel II.5, the Basel Committee requires banks to calculate the so-
called stressed VaR. Stressed VaR was introduced mainly because of:

A. Very high capital requirements because of high volatility of market variables.

B. Too low VaR as a result of low volatility of market variables.

C. Increased capital charges for credit risk.

D. None of the above.

The correct answer is B.

The 2003-2006 period was one where the volatilities of most market variables were low. As a result, the market risk VaRs calculated during this period for regulatory capital purposes were also low. Furthermore, the VaRs continued to be too low for a period of time after the onset of the crisis, because much of the data used to calculate them continued to come from a low-volatility period.

Q.2353 Katerini Bank from Greece is in the process of implementing Basel III regulations. One of the
first assignments of its risk management team is to calculate the required regulatory capital. In line
with Basel III, the bank should have the following categories of capital, except:

A. Tier 1 capital

B. Tier 2 capital

C. Tier 3 capital

D. Additional Tier 1 capital

The correct answer is C.

Under Basel III, a bank's total capital consists of:

1. Tier 1 equity capital
2. Additional Tier 1 capital
3. Tier 2 capital

There is no Tier 3 capital.


Q.2354 Which of the following presents a component of Tier 1 capital?

A. Changes in retained earnings arising from securitized transactions

B. Share capital

C. Goodwill

D. Changes in retained earnings arising from a bank's own credit risk

The correct answer is B.

Tier 1 equity capital (also referred to as core Tier 1 capital) includes share capital, retained earnings, and a limited amount of minority interest and unrealized gains and losses. Goodwill or deferred tax assets are deducted. It must be adjusted downward to reflect defined benefit pension plan deficits but is not adjusted upward to reflect defined benefit plan surpluses. Changes in retained earnings arising from a bank's own credit risk or securitized transactions are not counted as part of the capital for regulatory purposes.

Q.2356 In Basel III, the Basel Committee introduced, among others, a new requirement named leverage ratio. The main reason for its introduction was that:

A. Capital adequacy ratio was too high for many banks.

B. Banks had too much discretion in the way risk-weighted assets were calculated.

C. Banks were too undercapitalized.

D. Banks would have unlimited discretion while calculating their regulatory capital.

The correct answer is B.

The Basel Committee introduced the leverage ratio because regulators thought that banks had too much discretion in the way risk-weighted assets were calculated. They have far less discretion in the way “total exposure” is calculated.


Q.2358 Berthold Bruhne, a risk manager for the bank of Salzburg, was attending a board meeting
where he presented the results of the liquidity coverage ratio (LCR) calculation. According to him,
the bank’s LCR stood at 152% as of December 31st, 2016, safely above the required minimum. His
conclusion was that the bank could survive liquidity disruptions in the next:

A. 1 year

B. 60 days

C. 30 days

D. 15 days

The correct answer is C.

The liquidity coverage ratio is an important part of the Basel Accords, as it defines how much in liquid assets has to be held by financial institutions. Because banks are required to hold a certain level of highly liquid assets, they are less able to lend out short-term debt. The LCR focuses on a bank's ability to survive a 30-day period of liquidity disruptions.

Q.2359 In line with Basel III, the LCR is calculated as the:

A. Ratio between stable funding and high-quality liquid assets.

B. Ratio between high-quality liquid assets and total assets.

C. Ratio between high-quality liquid assets and net cash outflows in a 30-day period.

D. Ratio between stable funding and net cash outflows in a 30-day period.

The correct answer is C.

The LCR focuses on a bank's ability to survive a 30-day period of liquidity disruptions. It is defined as:

\[LCR = \frac{\text{High-quality liquid assets}}{\text{Net cash outflows in a 30-day period}}\]


Q.2360 CIB Bank from Oklahoma City, USA, is a G-SIB, as classified by the Financial Stability Board. This implies that:

A. The bank is recognized globally as a “Solid Investment Bank”.

B. The bank’s failure could lead to a global economic crisis.

C. The bank has a global reach and has been successful for an extended period.

D. The bank’s “Sustained International Business” ratio is high in all operational countries.

The correct answer is B.

The term G-SIB stands for global systemically important bank. Their failure could be nearly catastrophic, triggering a market-wide disruption that could lead to a financial crisis. The systemic importance of a bank or other financial institution depends on the effect that its failure could have on the global financial system. This, in turn, depends on the nature of its activities and the contracts it has entered into with other financial institutions globally.

Q.2361 Catalina Insurance from Tucson, Arizona, is identified as a SIFI. It is, however, not a D-SIB. Why is that so?

A. Catalina Insurance is operating in the USA only.

B. Catalina Insurance is involved in global activities.

C. Catalina Insurance is not a bank.

D. Catalina Insurance is above the capital threshold designated by the Basel Committee.

The correct answer is C.

The term SIFI (systemically important financial institution) is used to describe both banks and nonbanks that are considered to be systemically important. The popular view of SIFIs is that they are "too big to fail," and have been identified as the financial institutions that will have to be bailed out if they run into financial difficulties. National regulators designate some banks that have not been classified as G-SIBs as domestic systemically important banks (D-SIBs).


Q.2741 All of these are changes that were implemented through Basel 2.5, except:

A. Calculation of a stressed VaR.

B. Implementation of a new incremental risk charge (IRC).

C. A comprehensive risk measure (CRM) for instruments sensitive to correlations between default risks of various instruments.

D. Calculation of the net stable funding ratio (NSFR) and the liquidity coverage ratio (LCR).

The correct answer is D.

Basel 2.5 introduced three major changes; these include stressed VaR, incremental risk charge, and a comprehensive risk measure for instruments dependent on credit correlation.

Basel III contains two entirely new liquidity requirements: the net stable funding ratio (NSFR) and the liquidity coverage ratio (LCR).


Q.2743 Which of the following correctly describes the time horizon considered by the Liquidity
Coverage Ratio (LCR) and the Net Stable Funding Ratio (NSFR)?

A. LCR: Focuses on a 30-day period; NSFR: Focuses on a 2-year period.

B. LCR: Focuses on a 1-year period; NSFR: Focuses on a 30-day period.

C. LCR: Focuses on a 2-year period; NSFR: Focuses on a 30-day period.

D. LCR: Focuses on a 30-day period; NSFR: Focuses on a 1-year period.

The correct answer is D.

The Liquidity Coverage Ratio (LCR) focuses on the ability of a bank to survive a 30-day period of liquidity disruptions. On the contrary, the NSFR focuses on the long-term liquidity management of the bank, considering a period of one year.

Things to Remember

LCR is an obligation under Basel III for banks to maintain liquid assets sufficient to fund cash outflows for 30 days. LCRs aim to anticipate market-wide shocks and ensure financial institutions have the capital necessary to withstand short-term liquidity disruptions. As part of the rule, banks must have enough high-quality liquid assets (HQLA) on hand to match net cash outflows over 30 days in a scenario of market stress in which creditors withdraw funds. As a rule of thumb, an asset can be considered as HQLA if it is low risk, has a high likelihood of remaining liquid during a crisis, is actively traded on secondary markets, is not subject to excessive price volatility, is easily valued, and is accepted as collateral by the Fed.

In contrast, the NSFR takes a longer-term perspective and aims to create “additional incentives for a bank to fund its activities with more stable sources of funding on an ongoing structural basis.” Banks are required to maintain a minimum amount of stable funding backing their assets for a year or longer. Various types of funding and assets are given different weights to reflect their stability and liquidity under stressed conditions. A stable funding source is defined as one that can be relied upon under stress. It is classified by type, counterparty, and maturity date. The NSFR requires the highest level of stable funding for assets that do not qualify for HQLA under the LCR.

Q.2997 Goodwill Bank’s balance sheet contains the following items. The available stable funding
(ASF) and required stable funding (RSF) factors for each category of funding capital are also
provided:

| Funding item | Amount | ASF factor |
|---|---|---|
| Retail Deposits | 35 | 90% |
| Wholesale Deposits | 50 | 50% |
| Tier 2 Capital | 5 | 100% |
| Tier 1 Capital | 10 | 100% |

| Asset item | Amount | RSF factor |
|---|---|---|
| Cash | 7 | 0% |
| Mortgages | 38 | 65% |
| Treasury Bonds | 6.5 | 5% |
| Small Business Loans | 54 | 85% |
| Fixed Assets | 12 | 100% |

Which of the following is closest to the net stable funding ratio?

A. 84.9%

B. 86.2%

C. 83.1%

D. 88.0%

The correct answer is B.

Recall that:

\[ \text{NSFR} = \frac{\text{Amount of stable funding}}{\text{Required amount of stable funding}} \]

Amount of stable funding = 35 × 0.9 + 50 × 0.5 + 5 × 1 + 10 × 1 = 71.5

And:

RSF = 7 × 0 + 38 × 0.65 + 6.5 × 0.05 + 54 × 0.85 + 12 × 1 = 82.925

Therefore:

\[ \text{NSFR} = \frac{71.500}{82.925} = 0.862 = 86.2\% \]

Q.3237 Exim Bank estimates its stable funding to be $100 million. Further, net cash outflows over
the coming 30 days are estimated to hit $155 million. Exim bank has capital of $10 million and its total
exposure stands at $150 million. The bank's high-quality liquid assets are valued at $140 million.
Determine the bank’s liquidity coverage ratio (LCR) as stipulated in Basel III.

A. 0.9032

B. 0.875

C. 1.1

D. 1.4

The correct answer is A.

According to Basel III rules, the bank needs a minimum liquidity coverage ratio (LCR) of 100%. The
LCR focuses on the bank’s ability to see it through a 30-day period of disrupted liquidity. The LCR
formula is as follows:

\[ \text{LCR} = \frac{\text{high-quality liquid assets}}{\text{net cash outflows in a 30-day period}} \]

In this case,

\[ \text{LCR} = \frac{\$140 \text{ million}}{\$155 \text{ million}} = 0.9032 = 90.3\% \]

It's evident that Exim bank has not met the minimum 100% requirement and is in violation of the
rule.

Q.3242 A bank has a previous-period stressed VAR of $20 million, a multiplication factor (M) of 4, and
a stressed VAR average over the previous 60 trading days of $7 million. Which of the following values
is the correct stressed VAR amount for this bank?

A. $28 million

B. $20 million

C. $48 million

D. $8 million

The correct answer is A.

The calculation of SVAR is defined as follows:

\[ \text{SVAR} = \max(\text{previous SVAR},\ M \times \text{average SVAR}) = \max(\$20 \text{ million},\ 4 \times \$7 \text{ million}) = \max(\$20 \text{ million},\ \$28 \text{ million}) \]

Therefore, the max amount is $28 million.

Q.3244 Zombie Commercial Bank has the following balance sheet:

| Assets | Amount | Liabilities and capital | Amount |
|---|---|---|---|
| Cash | 6 | Retail Deposits (stable) | 15 |
| Treasury Bonds (>1 yr) | 8 | Retail Deposits (less stable) | 20 |
| Corporate Bonds Rated A | 9 | Wholesale Deposits | 34 |
| Mortgages | 12 | Preferred Stock (>1 yr) | 19 |
| Small Business Loans (< 1 year) | 55 | Tier 2 Capital | 5 |
| Fixed Assets | 10 | Tier 1 Capital | 7 |
| Total | 100 | Total | 100 |

The RSF for the assets are 0%, 5%, 50%, 65%, 85% and 100% respectively. The ASF for the
liabilities are 90%, 80%, 50%, 100%, 100% and 100% respectively. Given the balance sheet
information, what is the net stable funding ratio?

A. 0.81

B. 1.23

C. 0.89

D. 1.12

The correct answer is D.

\[ \text{NSFR} = \frac{\text{Amount of stable funding}}{\text{Required amount of stable funding}} \]

Amount of stable funding = 15 × 0.9 + 20 × 0.8 + 34 × 0.5 + 19 × 1 + 5 × 1 + 7 × 1 = 77.5

Required amount of stable funding = 6 × 0 + 8 × 0.05 + 9 × 0.5 + 12 × 0.65 + 55 × 0.85 + 10 × 1 = 69.45

\[ \text{NSFR} = \frac{77.5}{69.45} = 1.12 \]

Note that:

RSF Factors for Net Stable Funding Ratio

| RSF Factor | Category |
|---|---|
| 0% | Cash. Short-term instruments, securities, loans to financial entities if they have a residual maturity of less than one year. |
| 5% | Marketable securities with a residual maturity greater than one year if they are claims on sovereign governments or similar bodies with a 0% risk weight. |
| 20% | Corporate bonds with a rating of AA- or higher and a residual maturity greater than one year. Claims on sovereign governments or similar bodies with a risk weight of 20%. |
| 50% | Gold, equity securities, bonds rated A+ to A-. |
| 65% | Residential mortgages. |
| 85% | Loans to retail and small business customers with a remaining maturity less than one year. |
| 100% | All other assets. |

ASF Factors for Net Stable Funding Ratio

| ASF Factor | Category |
|---|---|
| 100% | Tier 1 and Tier 2 capital. Preferred stock and borrowing with a remaining maturity greater than one year. |
| 90% | “Stable” demand deposits and term deposits with remaining maturity less than one year provided by retail or small business customers. |
| 80% | “Less Stable” demand deposits and term deposits with remaining maturity less than one year provided by retail or small business customers. |
| 50% | Wholesale demand deposits and term deposits with remaining maturity less than one year provided by non-financial corporates, sovereigns, central banks, multilateral development banks, and public sector entities. |
| 0% | All other liability and equity. |

Q.3245 The Royal Bank of Neptune has average capital and total exposure for the period ended June
30, 2018 as follows:

| Regulatory capital | In $ billions |
|---|---|
| Total Common Equity Tier 1 Capital | 2.4 |
| + Additional Tier 1 Capital | +1.3 |
| = Total Tier 1 Capital | = 3.7 |
| + Tier 2 Capital | +0.8 |
| = Total Capital | = 4.5 |

For the period ended June 30, 2018, the average Exposure for Neptune Bank is $78 Billion.
Using the Basel III framework, which of the following is the best estimate of the bank’s current
leverage ratio?

A. 5.77%

B. 4.74%

C. 3.08%

D. 4.10%

The correct answer is C.

For Basel III purposes,

\[ \text{leverage ratio} = \frac{\text{Core Tier 1 Capital}}{\text{Total Exposure}} = \frac{2.4}{78} = 0.03076 \approx 3.08\% \]

Note that Tier 1 Equity Capital is also known as Core Tier 1 Capital.

Q.3246 Consider a bank balance sheet with

1. Common stock of $730,000,000;
2. Unrealized long-term marketable equity securities gain: $33,000,000;
3. Five-year subordinated debt: $28,000,000;
4. Goodwill: $92,000,000.

Based on Basel III capital requirements and solely on the above information, the tier 1 and tier 2 capital
numbers are, respectively:

A. $730,000,000 and $0

B. $730,000,000 and $61,000,000

C. $822,000,000 and $33,000,000

D. $671,000,000 and $28,000,000

The correct answer is D.

Tier 1 capital consists of equity plus unrealized gains/losses less goodwill = 730+33-92 = $671
million.

Tier 2 capital includes five-year subordinated debt of $28 million.

Q.3247 As a result of the credit crisis, the Basel Committee revised the market risk framework and
introduced a stressed VaR requirement. A bank uses the internal models approach for market risk
and has generated the following risk measures for the current trading book positions at 99%
confidence level:

Latest Available 10-day VaR = $289

Latest Available 10-day Stressed VaR = $408

Average 10-day VaR of Previous 60 Days = $1467

Average 10-day Stressed VaR of Previous 60 Days = $367

The supervisory authority has set the multiplication factors for both the VaR and stressed VaR
values to 3. What is the capital requirement for general market risk?

A. $5,502

B. $1,390

C. $1,756

D. $4,987

The correct answer is A.

The revised market risk capital requirement is:

\[ \max(\text{VaR}_{t-1},\ m_c \times \text{VaR}_{avg}) + \max(\text{sVaR}_{t-1},\ m_s \times \text{sVaR}_{avg}) \]

\[ \begin{aligned} \text{Market Risk Capital} &= \max(289,\ 3 \times 1467) + \max(408,\ 3 \times 367) \\ &= \max(289,\ 4401) + \max(408,\ 1101) \\ &= 4{,}401 + 1{,}101 = \$5{,}502 \end{aligned} \]

Q.3250 Steve Warne is an advisor at a local bank which is attempting to transition to the new Basel
III standards. Specifically, they are wondering if their liquidity and funding ratios meet the updated
requirements as specified by the Basel Committee. Given the following information, what is the
bank's current liquidity coverage ratio?

High-quality liquid assets = $236

Marketable securities = $107

Required amount of stable funding (RSF) = $320

Cash inflows over the next 30 days = $214

Cash outflows over the next 30 days = $487

Long-term economic capital = $640

Available amount of stable funding (ASF) = $305

A. 48.46%

B. 86.45%

C. 206.3%

D. 115.67%

The correct answer is B.

\[ \text{The 30-day liquidity coverage ratio (LCR)} = \frac{\text{the stock of high-quality liquid assets}}{\text{the net cash outflow over a 30-day period}} \]

Under Basel III, this ratio must equal or exceed 100%.

Net cash outflow = 487 − 214 = $273

\[ \text{Bank's liquidity coverage ratio} = \frac{\$236}{\$273} = 0.8645 = 86.45\% \]

Q.4285 After the global financial crisis, it was realized that the minimum capital charges under the
market risk amendment were not sufficient to address trading book risks. Which of the following is
one of the significant changes implemented in 2011 to address these trading book risks, which was
later known as Basel 2.5?

A. VaR computation was tailored to include a stressed VaR component

B. A portion of operational risk was required on top of credit and market risk

C. The risk weights in credit risk formulas were to be based on modern credit risk and banks’
internal measures

D. It was ruled out that the Tier 1 capital was necessary for the preservation of
maintenance, while Tier 2 capital was to be used for the recapitalization of a financial
institution in resolution and decrease the level of failures on the depositors

The correct answer is A.

After the global financial crisis of 2007-2009, the minimum capital charges for market risk
proved insufficient to cover the underlying trading-book risks. As a result, the Basel Committee
instituted changes: VaR calculations were to include a stressed VaR component, capital was added for
incremental risk, and comprehensive risk requirements were introduced for securitizations and related
instruments. This came to be known as Basel 2.5.

Options B and C are incorrect: These are the extra innovations that Basel II made on top of the
Basel I requirements.

Option D is incorrect: It is one of the assumptions made while defining the components of capital
in the context of the Basel I accord.

Q.4286 Which of the following statements is correct about the stressed VaR in Basel 2.5?

A. Stressed VaR is calculated by multiplying 1-day VaR from the recent daily variation in
values by √10

B. Stressed VaR is drawn from one year from the most recent seven years that exhibited
stress in its current portfolio

C. Stressed VaR is drawn from one year from the most recent ten years that exhibited stress
in its current portfolio

D. None of the above

The correct answer is B.

A bank was required to identify a one-year (that is, 250 trading days) period from the latest seven
years that was most stressful for its current portfolios.

Option A is incorrect: This was the method of calculating the market risk amendment using the
historical simulation in the Basel I accord.

Option C is incorrect: Basel 2.5 required banks to identify one year from the latest seven years
(not ten years) that was most stressful for its current portfolios.

Q.4287 The 99% 10-day VaR for ABC Bank is $800. The average 99% VaR for the recent 60 days is
$360. Over the past seven years, the most stressful 10-day 99% VaR is $950 and the most stressful
60-day average 99% VaR is $370. The multiplier on the average 99% VaR for the recent 60 days is
2.5, and that of the most stressful average 99% VaR for the recent 60 days over the past seven years
is 2.2. What is the estimated market risk capital charge for this bank under Basel 2.5?

A. $1,850

B. $1,160

C. $1,320

D. $2,460

The correct answer is A.

As per Basel 2.5, the market risk capital is given by:

\[ \text{MR}_{2.5} = \max(\text{VaR}_{t-1},\ m_r \text{VaR}_{avg}) + \max(\text{SVaR}_{t-1},\ m_s \text{SVaR}_{avg}) \]

Where:

\(\text{VaR}_{t-1}\) = traditional 10-day, 99% VaR drawn from the previous day

\(\text{VaR}_{avg}\) = 99% average VaR of the most recent days

\(\text{SVaR}_{t-1}\) = over the past seven years

\(\text{SVaR}_{avg}\) = over a period of seven years

\(m_r\) and \(m_s\) are the multipliers of \(\text{VaR}_{avg}\) and \(\text{SVaR}_{avg}\) respectively

So, in this case, we have:

\(\text{VaR}_{t-1}\) = $800

\(\text{VaR}_{avg}\) = $360

\(\text{SVaR}_{t-1}\) = $950

\(\text{SVaR}_{avg}\) = $370

\(m_r\) = 2.5 and \(m_s\) = 2.2

\[ \begin{aligned} \text{MR}_{2.5} &= \max(\$800,\ 2.5 \times \$360) + \max(\$950,\ 2.2 \times \$370) \\ &= \max(\$800,\ \$900) + \max(\$950,\ \$814) \\ &= \$900 + \$950 = \$1{,}850 \end{aligned} \]

Q.4288 Which of the following is one of the variants of calculating incremental default risk charge
(IDRC) as proposed by Basel 2.5?

A. A standardized approach similar to that of Basel I

B. Current exposure similar to that of Basel I

C. Internal rating-based (IRB) based on a one-year time horizon

D. All of the above

The correct answer is D.

The Basel Committee proposed adding the IDRC to specific risk through two forms:

- An internal model of default risk tailored to the 99.9th percentile at a one-year time horizon,
  similar to the IRB approach.
- When the internal model is unavailable, either the standardized or the current exposure approach
  of calculating specific risk, similar to that of Basel I.

Q.4289 Which of the following are the components of Tier 1 capital in the context of Basel III
capital definition?

A. Tier 1 equity capital and Additional Tier 1 capital

B. Common equity and Retained earnings

C. Unrealized gains and losses

D. Goodwill and Common equity

The correct answer is A.

In the context of Basel III, Tier 3 capital was eliminated, and the Tier 1 capital divided into Tier 1
equity capital and Additional Tier 1 capital.

Options B and C are incorrect: Common equity, Retained earnings, Unrealized gains and losses
are components of Tier 1 equity capital.

Option D is incorrect: Goodwill is usually subtracted from the Tier 1 equity capital.

Q.4290 Assume that a bank has common equity of $100 million, retained earnings of $80 million,
minority interest and unrealized gains and losses of $20 million, and goodwill and other intangibles of
$5 million. What is the value of Tier 1 equity capital in the context of the Basel III accord?

A. $190 million

B. $195 million

C. $205 million

D. $100 million

The correct answer is B.

In the context of Basel III, Tier 1 equity capital consists of common equity, retained earnings, and a
limited amount of minority interest and unrealized gains and losses less goodwill and other intangibles.
So, in this case:

Tier 1 equity capital = 100 + 80 + 20 – 5 = $195

Q.4291 The estimated risk-weighted assets of a bank are $200 million. In the context of Basel III, the
Core Tier 1 (Tier 1 Equity Capital) of the bank is at least:

A. $10 million

B. $4.5 million

C. $9 million

D. $12 million

The correct answer is C.

Basel III changed the minimum capital requirements such that the Core Tier 1 capital must be at
least 4.5% of the risk-weighted assets (RWA). So, in this case, the Core Tier 1 must be at least:

4.5% × $200 million = $9 million

Q.4292 The estimated risk-weighted assets of a bank stand at $400 million. In the context of Basel III,
what is the bank's minimum Tier 1 capital?

A. $18 million

B. $12 million

C. $16 million

D. $24 million

The correct answer is D.

The minimum Tier 1 capital increases from 4% in Basel II to 6%, applicable in 2015, over RWAs.
This 6% is composed of 4.5% of CET1, plus an extra 1.5% of Additional Tier 1 (AT1). So in this case,
Tier I capital must be at least $24 million:

0.06% × $400 million = $24 million

Q.4293 In the context of Basel III, the Tier 2 capital is designed to address the losses after failure and
thus protects the depositors and other creditors of the bank. Which of the following is NOT a
component of Tier 2 capital?

A. Subordinated debt

B. General loan loss reserves

C. All of the above

D. None of the above

The correct answer is D.

According to Basel III, Tier 2 capital was structured to cover the losses after a failure, thus
protecting the depositors and other creditors. Tier 2 consisted of: (I). Subordinated debt, which
included unsecured, unguaranteed, debt instruments subordinated to depositors and subordinated
debt, with five or more years maturity, and callable only after five or more years. (II). General loan
loss reserves. These were not allocated to absorb losses on specific positions. They included capital
limited at 1.25% of standardized approach RWAs or 0.6% of IRB RWAs.

Q.4295 Which of the following statements correctly describes Systemically Important Financial
Institutions (SIFIs)?

A. They are the entities subject to less supervision and regulation

B. They are entities whose failure or distress will affect the whole market or the whole
economy.

C. They are the entities whose failure affects only its stakeholder but not the broader
market system or the economy

D. They are the market entities whose failure can be reversed by government financing
without affecting its stakeholders

The correct answer is B.

SIFIs are entities whose failure impacts the whole financial market or the whole real economy.

Option A is incorrect: SIFIs are usually subject to numerous supervisions and regulations.

Option C is incorrect: The failure of a SIFI is usually felt first by the stakeholders and then by the
whole financial system or the real economy.

Option D is incorrect: The goal of a SIFI is to operate and be recapitalized without government
support continuously.

Q.4296 The liquidity coverage ratio (LCR) of a bank is approximated to be 1.30. Under Basel III
liquidity requirements, does the bank fulfill the required LCR?

A. No, because LCR > 1

B. Yes, because LCR > 1

C. No, because LCR < 2

D. Yes, because LCR < 2

The correct answer is B.

The requirement as per Basel III is that:

\[ \text{LCR} = \frac{\text{High quality liquid assets}}{\text{Net cash outflows in 30 day period}} > 1 \]

Since the LCR for this bank is 1.30, it meets the requirements.

Reading 121: High-level Summary of Basel III Reforms

Q.3092 The following are motivations for revising the Basel III framework EXCEPT:

A. To align definitions with the internal ratings-based approach (IRB) by introducing a new
definition for default.

B. To expand banks’ borrowing powers to enable them to mitigate market risk in periods of
stress.

C. To improve liquidity by requiring banks to hold liquid assets sufficient to run the bank for
30 days during times of stress.

D. To limit procyclicality by requiring banks to hold sufficient retained earnings that can be
drawn down during periods of economic stress.

The correct answer is B.

A focal point in the revised Basel III framework has much to do with banks’ use of leverage. Market
analysis has revealed that banks have had tendencies to borrow high amounts of money that only
exacerbate financial pressure in times of stress. As a result, the revised requirements further
restrict the use of debt among banks.

Q.3093 Which of the following changes have been set forth by Basel III with reference to
credit risk?

I. New exposure classes and evaluation tools have been introduced
II. Definitions within the internal ratings-based approach (IRB) have been aligned with those
under the standardized approach
III. Retail exposures have been aggregated to simplify the analytical process
IV. Introduction of further due diligence requirements to limit reliance on external credit
ratings

A. All of the above

B. I, III, and IV

C. II and III

D. I, II, and IV

The correct answer is D.

III is incorrect. For retail exposures, a more granular treatment applies, which distinguishes
between different types of retail exposures.

Q.3094 Which of the following is not an approach for calculating credit risk capital?

A. Standardized approach

B. Internal ratings based approach – Foundation

C. Internal ratings based approach – Advanced

D. Standardized approach- advanced

The correct answer is D.

Banks are required to adopt the following methods while calculating credit risk capital.

Under the IRB approach, banks are allowed to use their internal rating systems conditional on
approval by their supervisors. Banks can use:

- The advanced IRB approach (i.e., use their internal estimates of risk parameters such as
  probability of default (PD), exposure-at-default (EAD), and the loss-given-default (LGD)), or
- The foundation IRB approach (i.e., use only their internal estimates of PD).

In addition, banks can use the standardized approach to credit risk.

Q.3095 Capital Bank, a hypothetical global systemically important bank (G-SIB) based in Europe, is
subject to a 5% risk-weighted higher-loss absorbency requirement. In line with Basel III reforms,
the bank would be subject to a leverage ratio buffer requirement of:

A. 5%

B. 10%

C. 2.5%

D. Zero: the bank has already surpassed the required 3% risk-weighted higher-loss
absorbency requirement

The correct answer is C.

To mitigate the externalities, or rather the ripple effect, associated with the failure of G-SIBs,
the leverage ratio is set at 50% of a G-SIB’s risk-weighted higher-loss absorbency requirements.
Therefore, a G-SIB with a 5% risk-weighted higher-loss absorbency requirement would be subject to
a leverage ratio buffer of 2.5%.

Q.3096 Prime Bank’s risk-weighted assets stood at $200 million as of December 2018. What is this
bank’s common equity requirement plus the capital conservation buffer, according to Basel III?

A. $9,000,000

B. $14,000,000

C. $12,000,000

D. $16,000,000

The correct answer is B.

Under Basel III, Common Equity Tier I (CET I) risk-weighted requirements consist of a capital ratio
of 4.5% plus an additional capital conservation buffer of 2.5%, making up a CET ratio of 7%. With
risk-weighted assets of $200 million, therefore, the bank’s CET I requirement will be $14 million (=
7% × $200m).

Q.3097 The Basel III reforms announced in 2017 require banks to calculate Credit Value adjustment
risk using all of the following methods EXCEPT:

A. The internal modeled approach

B. The standardized approach

C. The simpler basic approach

D. All of the above

The correct answer is A.

The updated guidelines remove the use of an internally modeled approach and instead emphasize the
use of two main methods: (I) the standardized approach (SA-CVA), and (II) the simpler basic approach
(BA-CVA).

Q.3098 The new standardized approach for determining a bank’s operational risk capital
requirements assumes that:

I. Operational risk increases at a decreasing rate with a bank's income
II. Banks which have experienced greater operational risk losses historically are more likely to
experience operational risk losses in the future

A. I only

B. II only

C. Both I and II

D. Neither I nor II

The correct answer is B.

As per the new standardized approach, operational risk capital requirements are based on two
components: (i) a measure of a bank's income; and (ii) a measure of a bank's historical losses.
Furthermore, it assumes: (i) that operational risk increases at an increasing rate with a bank's
income; and (ii) that banks which have a history of operational risk losses are more likely to
experience operational risk losses in the future.

Q.3099 An American bank has the following exposure:

| Business line | BI coefficient | Business line relevant indicator |
|---|---|---|
| A | 8% | 48 |
| B | 10% | 44 |
| C | 12% | 20 |

The bank’s supervisor has set an internal loss multiplier of 1. The capital requirement for
operational risk for the bank, using the standardized approach, is equal to:

A. 10.00

B. 10.64

C. 5.76

D. 12.00

The correct answer is B.

The operational risk capital requirement can be summarized as follows:

\[ \text{Operational risk capital} = \text{BIC} \times \text{ILM} \]

where:

\[ \text{Business Indicator Component (BIC)} = \sum_i (\alpha_i \times \text{BI}_i) \]

\(\alpha_i\) is the BI coefficient for business line \(i\), and \(\text{BI}_i\) is the business line indicator

ILM = internal loss multiplier = 1

Thus, value of the capital requirement = (48 × 0.08) + (44 × 0.10) + (20 × 0.12) = 10.64

Q.3100 Basel III reforms replace the existing Basel II floor with a floor based on the revised Basel III
standardized approaches. The revised floor sets the minimum level of:

A. leverage

B. equity

C. capital

D. none of the above

The correct answer is C.

Consistent with the original floor as outlined in Basel II, the revised floor places a lower bound/limit
on the regulatory capital benefits that banks using internal models can derive relative to the
standardized approaches. In effect, the output floor acts as a risk-based backstop that attempts to
level the playing field by limiting the extent to which banks using internal models can lower their
capital requirements relative to the standardized approaches.

Q.3101 A hypothetical global systemically important bank (G-SIB) based in Europe is subject to a
$200 million risk-weighted higher-loss absorbency requirement. In line with Basel III reforms, the
bank would be subject to a leverage ratio buffer requirement of:

A. $100 million

B. $50 million

C. $200 million

D. $400 million

The correct answer is A.

The leverage ratio among G-SIBs is set at 50% of the bank’s risk-weighted higher-loss absorbency
requirement. Therefore, a G-SIB with a $200m risk-weighted higher-loss absorbency requirement
would be subject to a leverage ratio buffer of $100m.

Q.3102 Bank A has $200 million in tier 1 capital and $100 million in tier 2 capital. Bank A loaned $50
million to XYZ Corporation, which has 30% riskiness, and $100 million to Brighter World, Inc., which
has 50% riskiness. The bank’s capital adequacy ratio is equal to:

A. 3.52

B. 1.51

C. 2.20

D. 4.61

The correct answer is D.

\[ \text{Capital adequacy ratio} = \frac{\text{Tier I capital} + \text{Tier II capital}}{\text{Risk weighted assets}} \]

Bank A has risk-weighted assets of $65 million ($50 million × 0.3 + $100 million × 0.50).

It also has capital of $300 million ($200 million + $100 million).

Its resulting capital adequacy ratio is 4.61 ($300 million / $65 million).

Q.3103 Four European banks, A, B, C, and D have the following capital amounts and risk weighted
assets (in $m):

| Bank | A | B | C | D |
|---|---|---|---|---|
| Tier I capital | 5 | 8 | 15 | 25 |
| Tier II capital | 3 | 3 | 5 | 10 |
| Risk-weighted assets | 30 | 40 | 240 | 230 |

Which of the four banks is in violation of the capital adequacy requirements as set out in the Basel
III reforms announced in 2017?

A. Bank A

B. Bank B

C. Bank C

D. Bank D

The correct answer is C.

According to the revised Basel III guidelines, the minimum capital adequacy ratio, including the
capital conservation buffer, is 10.5%. As can be seen from the calculations below, only bank C has
failed to attain the minimum ratio.

\[ \text{Capital adequacy ratio} = \frac{\text{Tier I capital} + \text{Tier II capital}}{\text{Risk weighted assets}} \]

| Bank | A | B | C | D |
|---|---|---|---|---|
| Tier I capital | 5 | 8 | 15 | 25 |
| Tier II capital | 3 | 3 | 5 | 10 |
| Risk-weighted assets | 30 | 40 | 240 | 230 |
| CAR (Capital adequacy ratio) | 26.7% | 27.5% | 8.3% | 15.2% |

Q.3104 A French bank has the following exposure:

| Business line | BI coefficient | Business line relevant indicator |
|---|---|---|
| Consumer banking | 12% | 100 |
| Global banking | 15% | 200 |
| Wealth management | 18% | 50 |

The bank’s supervisor has set an internal loss multiplier of 1. The capital requirement for
operational risk for the bank, using the standardized approach, is equal to:

A. 67

B. 80

C. 51

D. 45

The correct answer is C.

The operational risk capital requirement can be summarized as follows:

\[ \text{Operational risk capital} = \text{BIC} \times \text{ILM} \]

where:

\[ \text{Business Indicator Component (BIC)} = \sum_i (\alpha_i \times \text{BI}_i) \]

\(\alpha_i\) is the BI coefficient for business line \(i\), and \(\text{BI}_i\) is the business line indicator

ILM = internal loss multiplier = 1

Thus, value of the capital requirement = (100 × 0.12) + (200 × 0.15) + (50 × 0.18) = 51

Q.3105 In the most recent global financial crisis (2007/2008), banks suffered huge losses resulting
from CVA risk – losses related to the deterioration of a counterparty’s creditworthiness in derivative
contracts. In the aftermath of the crisis, the Basel Committee has enhanced the CVA framework with
a view to:

A. Keep losses associated with CVA risk at less than 10% of the total value of the derivatives.

B. Totally eliminate CVA losses by conducting due diligence on all counterparties before a
contract comes into force.

C. Enhance the risk sensitivity of the framework by recognizing more risk drivers.

D. Limit derivative contracts at not more than 20% of the total capital for a bank.

The correct answer is C.

The enhanced CVA framework has 3 main objectives:

To enhance risk sensitivity

The revised CVA framework takes into account the exposure component of CVA risk as well as the risk of associated hedges.

To enhance robustness of the CVA framework

The updated guidelines remove the use of an internally modeled approach and instead emphasize the use of two main methods: (I) the standardized approach (SA-CVA), and (II) the simpler basic approach (BA-CVA). In addition, banks with minimal engagement activities in derivative transactions can use their credit counterparty risk (CCR) capital requirements as a proxy for their CVA charge.

To improve consistency of the CVA framework

The standardized and basic approaches of the revised CVA framework have been revised to be consistent with the approaches used in the revised market risk framework.


Q.3106 The Basel Committee has agreed on various additional enhancements to the IRB approaches
to further reduce unwarranted RWA variability. Which of the following correctly outlines a measure
that has been put forth for adoption by banks?

A. Secured exposures: increasing the haircuts that apply to the collateral; Unsecured
exposures: reducing the LGD parameter from 45% to 40% for exposures to non-financial
corporates.

B. Secured exposures: reducing the LGD parameters; Unsecured exposures: reducing the
LGD parameter from 25% to 20% for exposures to non-financial corporates.

C. Secured exposures: decreasing the haircuts that apply to the collateral; Unsecured
exposures: reducing the LGD parameter from 45% to 40% for exposures to non-financial
corporates.

D. Secured exposures: increasing the LGD parameters; Unsecured exposures: increasing the
LGD parameter from 40% to 50% for exposures to non-financial corporates.

The correct answer is A.

Adjustments have been made to the supervisory specified parameters in the Foundation Internal
Ratings-Based approach (F-IRB), including: (i) for exposures secured by nonfinancial collateral,
increasing the haircuts that apply to the collateral and reducing the LGD parameters; and (ii) for
exposures that are unsecured, reducing the LGD parameter from 45% to 40% for exposures to
non-financial corporates.

Q.3107 The initial phase of the Basel III framework focused, in part, on increasing the quality of
bank regulatory capital to cover unexpected losses. As such, the Minimum Tier I capital:

A. Rose from 4% to 6%.

B. Rose from 5% to 6%.

C. Rose from 5% to 7%.

D. Rose from 4% to 7%.

The correct answer is A.

The initial phase of the Basel III framework focused, in part, on increasing the quality of bank
regulatory capital to cover unexpected losses. Minimum Tier I capital rose from 4% to 6%.


Q.3108 The initial phase of the Basel III framework was announced in 2010. Which of the following
is not one of the objectives it focused on?

A. To constrain banks’ borrowing rate (leverage) and hence avoid a build-up of debt which would
exacerbate financial pressure during a downturn.

B. To improve liquidity by requiring banks to hold liquid assets sufficient to run the bank for
180 days during times of stress.

C. To increase capital requirement to mitigate market risk in times of stress.

D. To limit procyclicality by requiring banks to hold sufficient retained earnings that can be
drawn down during periods of economic stress.

The correct answer is B.

One of the objectives Basel III focused on is to improve liquidity by requiring banks to hold liquid
assets sufficient to run the bank for 30 days during times of stress.

Q.3109 When were the Basel III reforms announced?

A. In 2010

B. In 2014

C. In 2015

D. In 2017

The correct answer is D.

The initial phase of the Basel III framework was announced in 2010. However, the Basel III reforms
were announced in 2017.


Reading 122: Basel III: Finalising Post-Crisis Reforms

Q.3111 A bank holding company based in Germany has two subsidiaries, A and B. The business
indicator values of each are given in the table below:

| Bank | A | B |
| --- | --- | --- |
| BI | €800 million | €1.2 billion |

In light of this information, which of the following statements is correct?

A. Bank A would be expected to calculate operational risk capital based on the Advanced
Measurement Approach while Bank B would employ the standardized measurement
approach.

B. Only Bank B would be expected to set aside capital for operational risk.

C. Bank B would be expected to use loss experience in the standardized approach
calculations.

D. Neither Bank A nor Bank B would be expected to set aside some capital for operational
risk.

The correct answer is C.

For firms with BI levels less than €1bn, the ILM is set to 1, and therefore internal loss data does not
affect the capital calculation. However, for banks with BIs of more than €1bn (bucket 2-3), internal
loss experience must be taken into account while calculating operational risk capital.
Options A, B, and D are all incorrect. As per the Basel III reforms announced in 2017, all banks are
required to use the standardized approach in operational risk capital calculations.

Q.3112 In light of Basel III reforms, which of the following items must be excluded from gross loss
calculations following an operational risk event?

A. System upgrades following an operational risk event.

B. Fees paid in exchange for legal counsel following a breach of client data.

C. Losses resulting from a failure to execute a stop loss.

D. Cost of replacing office furniture.

The correct answer is A.

Internal or external expenditures used to enhance the business after an operational risk event must
be excluded from gross loss calculations. System upgrades fall under that category.


Q.3113 The following information has been extracted from the P&L of a European bank over a 3-year period:

| Year (ended) | 20X6 | 20X7 | 20X8 |
| --- | --- | --- | --- |
| Interest, leases and dividends | €950 million | €1.3 billion | €1.8 billion |
| Services | €1.6 billion | €2.2 billion | €2.6 billion |
| Financial (Net Profit/Loss on the trading book) | €500 million | €1.1 billion | €1.3 billion |

Using the Standardized Measurement Approach, the bank’s Business Indicator (BI) for the year ended
31 Dec 20X8 is closest to:

A. €4.45 billion

B. €1.9 billion

C. €2.6 billion

D. €500 million

The correct answer is A.

Under the standardized measurement approach (SMA), a bank’s BI has three components: the
interest, leases and dividends component (ILDC), the services component (SC), and the financial
component (FC). To determine the value of BI, we must sum up the 3-year average of each of these
components:

Thus,

$$BI = \frac{0.95 + 1.3 + 1.8}{3} + \frac{1.6 + 2.2 + 2.6}{3} + \frac{0.5 + 1.1 + 1.3}{3} = 4.45$$

Q.3114 The chief risk officer at an international bank would like to determine the bank’s operational
risk capital in line with Basel III reforms under the Standardized Measurement Approach. The
following information is available:
Business Indicator, BI: €36 billion
Loss Component, LC: €5.8 billion

Calculate the bank’s operational risk capital (ORC) required:

A. €4.35 billion

B. €5.62 billion


C. €5.55 billion

D. €1.01 billion

The correct answer is B.

To answer this question, it’s important to have the BI ranges and the marginal BI coefficients – as
outlined in Basel III reforms – at your fingertips.

Recall that

$$ORC = BIC \times ILM$$

Where

$$BIC = \sum (\alpha_i \times BI_i)$$

And,

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

Calculating the BIC of a bank with a BI of €36bn:

| BI Bucket | 1 | 2 | 3 |
| --- | --- | --- | --- |
| BI Range | ≤ 1 bn | €1 bn < BI ≤ €30 bn | > €30 bn |
| Marginal BI Coefficient | 0.12 | 0.15 | 0.18 |
| BI of €40 | €1bn × 12% = €0.12bn | €(30 − 1) × 15% = €4.35bn | €(36 − 30) × 18% = €1.08bn |

BIC = sum of Buckets 1-3 = €5.55bn

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{5.8}{5.55}\right)^{0.8}\right] = 1.0131$$

ORC = BIC × ILM = 5.55 × 1.0131 = €5.62 billion


Q.3115 The following are verified historical loss data for an international bank over a 10-year period
(in billions of Euros):
[3.8, 2.9, 2.8, 2.8, 0.6, 0.4, 0.1, 0.2, 0.1, 0.2]

Determine the bank’s Internal Loss Multiplier as computed under the Standardized Measurement
Approach. (The bank’s Business Indicator Component is €18 billion.)

A. 1.39

B. 0.9288

C. 1.0

D. 1.0449

The correct answer is D.

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

Where LC = 15 times a bank's average historical losses over the preceding 10 years.

Thus,

$$LC = \left(\frac{3.8 + 2.9 + 2.8 + 2.8 + \cdots + 0.1 + 0.2}{10}\right) \times 15 = 20.85$$

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{20.85}{18}\right)^{0.8}\right] = 1.0449$$

Q.3116 The following are verified historical loss data for a large established bank over a 10-year
period (in billions of Euros):
[0.8, 0.9, 0.7, 0.8, 0.06, 0.04, 0.10, 0.09, 0.03, 0.0]

The bank has a Business Indicator of €960 million.

Determine the bank’s operational risk capital, ORC, as computed under the Standardized
Measurement Approach.

A. €115 million

B. €3.52 million


C. €361 million

D. €100 million

The correct answer is A.

Recall that

$$ORC = BIC \times ILM$$

Where

$$BIC = \sum (\alpha_i \times BI_i)$$

And,

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

Also recall that for firms with BI levels less than €1bn, the ILM is set to 1, and therefore internal loss data does not affect the capital calculation.

Thus, the operational risk capital in this case is a function of the Business Indicator Component only.

With a BI of €960 million, the bank falls under bucket 1 of the Basel guidelines and therefore the relevant BI coefficient is 0.12.

BIC = 0.12 × 960 = €115.2 million

So,

ORC = 115.2 × 1 = 115.2

Q.3117 The following information has been extracted from the P&L of a European bank over a 3-year period:


| Year (ended) | 20X6 | 20X7 | 20X8 |
| --- | --- | --- | --- |
| Interest, leases and dividends | €950 million | €1.3 billion | €1.8 billion |
| Services | €1.6 billion | €2.2 billion | €2.6 billion |
| Financial (Net Profit/Loss on the trading book) | €500 million | €1.1 billion | €1.3 billion |

The bank’s Loss Component, LC, is €0.9 billion. Using the Standardized Measurement Approach,
calculate the bank’s operational risk capital:

A. €0.11 billion

B. €0.6375 billion

C. €0.708 billion

D. €4.5 billion

The correct answer is C.

Recall that

$$ORC = BIC \times ILM$$

Where

$$BIC = \sum (\alpha_i \times BI_i)$$

And,

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

Under the standardized measurement approach (SMA), a bank’s BI has three components: the interest, leases and dividends component (ILDC), the services component (SC), and the financial component (FC). To determine the value of BI, we must sum up the 3-year average of each of these components:

Thus,

$$BI = \frac{0.95 + 1.3 + 1.8}{3} + \frac{1.6 + 2.2 + 2.6}{3} + \frac{0.5 + 1.1 + 1.3}{3} = 4.45$$


Next, determine the bank’s BIC:

| BI Bucket | 1 | 2 | 3 |
| --- | --- | --- | --- |
| BI Range | ≤ 1 bn | €1 bn < BI ≤ €30 bn | > €30 bn |
| Marginal BI Coefficient | 0.12 | 0.15 | 0.18 |
| BI of €4.45bn | €1bn × 12% = €0.12bn | €(4.45 − 1) × 15% = €0.5175bn | |

BIC = Sum of buckets = €0.6375

Next, calculate ILM:

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{0.9}{0.6375}\right)^{0.8}\right] = 1.1105$$

ORC = 0.6375 × 1.1105 = 0.7079


Q.3118 The following information has been extracted from the P&L of a European bank over a 3-year period:

| Year (ended) | 2007 | 2008 | 2009 | 2010 |
| --- | --- | --- | --- | --- |
| Interest, leases and dividends | €565 million | €1.6 billion | €2.4 billion | €2.2 billion |
| Services | €1.8 billion | €2.2 billion | €2.8 billion | €2.6 billion |
| Financial (Net Profit/Loss on the trading book) | €625 million | €1.1 billion | €1.7 billion | €2.9 billion |

Using the Standardized Measurement Approach, the bank’s Business Indicator (BI) for the year ended
31 Dec 2010 is closest to:

A. €3.9 billion

B. €6.5 billion

C. €3.0 billion

D. €5.6 million

The correct answer is B.

Under the standardized measurement approach (SMA), a bank’s BI has three components: the interest, leases and dividends component (ILDC), the services component (SC), and the financial component (FC). To determine the value of BI, we must sum the average over three years: $t$, $t-1$ and $t-2$.

Thus,

$$BI = \frac{1.6 + 2.4 + 2.2}{3} + \frac{2.2 + 2.8 + 2.6}{3} + \frac{1.1 + 1.7 + 2.9}{3} = 6.5$$


Q.3119 An international lender based in Dubai has a Business Indicator of €34.5 billion. Determine
the Business Indicator Component for the bank.

A. €0.12bn.

B. €4.35bn.

C. €35bn.

D. €5.28bn.

The correct answer is D.

To answer the question, it’s important to have the BI bucket divisions and corresponding marginal
coefficients as outlined in Basel III reforms.

| BI Bucket | 1 | 2 | 3 |
| --- | --- | --- | --- |
| BI Range | ≤ 1 bn | €1 bn < BI ≤ €30 bn | > €30 bn |
| Marginal BI Coefficient | 0.12 | 0.15 | 0.18 |
| BI of €40 | €1bn × 12% = €0.12bn | €(30 − 1) × 15% = €4.35bn | €(34.5 − 30) × 18% = €0.81bn |

BIC = Sum of buckets 1 to 3 = €5.28bn


Q.3120 A hypothetical European Bank has a business indicator (BI) of EUR 40 billion. The bank’s loss
component is EUR 1.2 billion. Using the information in the following table, calculate the bank’s
operational risk capital.

| BI Bucket | 1 | 2 | 3 |
| --- | --- | --- | --- |
| BI Range | ≤ 1 bn | 1 bn < BI ≤ 30 bn | > 30 bn |
| Marginal BI Coefficient | 12% | 15% | 18% |

A. €0.63 billion

B. €0.55 billion

C. €4.30 billion

D. €4.5 billion

The correct answer is C.

The operational risk capital requirement (ORC) can be calculated as follows:

$$ORC = BIC \times ILM$$

Where the Business indicator component (BIC) is given by:

$$BIC = \sum (\alpha_i \times BI_i)$$

BIC = (12% × €1) + (15% × (€30 − €1)) + (18% × (€40 − €30)) = €6.27

And, the Internal losses multiplier (ILM) is expressed as:

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

$$ILM = \ln\left[\exp(1) - 1 + \left(\frac{1.2}{6.27}\right)^{0.8}\right] = \ln 1.98 = 0.6855$$

Finally,

ORC = €6.27 × 0.6855 = €4.30


Q.3204 Florence Charles is an operational risk analyst at Namibian National Bank. In the notes to the
financial statements specifically focused on the P&L, Namibian Bank reveals the following amounts
associated with several line item components:

Impairments: $16.7 million.

Fixed asset expenses: $29.4 million.

Depreciation tied to non-operating leases: $13.6 million.

Depreciation tied to operating leases: $11.7 million.

Income from reinsurance businesses: $2.1 million.

Premiums paid for insurance policies: $17.3 million.

Corporate income tax: $10.9 million.

Provisions related to operational loss events: $6.4 million.

When examining the standardized measurement approach (SMA) for operational risk, the total
amount that should be excluded from the business indicator (BI) component calculation will be
closest to:

A. $108.1 million

B. $79.7 million

C. $101.7 million

D. $90 million

The correct answer is D.

The BI component calculation will exclude each of the following: impairments ($16.7 million), fixed
asset expenses ($29.4 million), depreciation tied to non-operating leases ($13.6 million), premiums
paid for insurance policies ($17.3 million), corporate income tax ($10.9 million) and income from
reinsurance businesses ($2.1 million) = $16.7 + $29.4 + $13.6 + $17.3 + $10.9 + $2.1 = $90 million.
