PRMIA ORM Certificate - 2023 Update 8020 Exam Questions

Page: 1 / 14
Total 60 questions

Want more questions? Get Premium Access.
()

Question 1

Which of the following are the most relevant ways a firm can ensure they are in line with consumer protection?

AEngage with consumers once there are enough complaints.

BAdd a consumer protection section to all reports.

CTreat customers fairly, place customer interests ahead of its own and keep promises to customers

DThis risk cannot be managed.

Answer : C

Definition of Consumer Protection in Risk Management

Consumer protection ensures ethical business practices, transparency, and regulatory compliance.

It builds trust with customers and reduces legal and reputational risks.

Key Principles of Consumer Protection

Treating customers fairly Ensures honest and ethical financial services.

Prioritizing customer interests Prevents conflicts of interest and unfair treatment.

Honoring commitments Strengthens customer confidence and regulatory trust.

Why Answer C is Correct

Following these principles ensures regulatory compliance, customer satisfaction, and risk mitigation.

Why Other Answers Are Incorrect

Option

Explanation

A . Engage with consumers once there are enough complaints.

Incorrect -- Proactive engagement is essential; waiting for complaints is a reactive and poor risk management approach.

B . Add a consumer protection section to all reports.

Incorrect -- Documentation alone does not ensure fair treatment; actions matter more.

D . This risk cannot be managed.

Incorrect -- Consumer protection risks can and should be actively managed.

PRMIA Reference for Verification

PRMIA Consumer Protection & Fair Treatment Standards

Financial Conduct Authority (FCA) Consumer Duty Guidelines

Question 2

In operational resilience, what is impact tolerance?

AImpact tolerance is a firm's tolerance for disruption to a particular business process.

BImpact tolerance is a firm's tolerance for disruption to a particular business service.

CImpact tolerance is a firm's risk appetite statement.

DImpact tolerance is a firm's risk capacity statement.

Answer : B

Impact Tolerance is a key concept in Operational Resilience, defined as the ability of a firm to withstand, respond to, and recover from disruptions. According to PRMIA and global regulatory frameworks (such as the Bank of England's Operational Resilience Framework), impact tolerance is specifically tied to business services rather than processes.

Step 1: Defining Impact Tolerance

Impact tolerance is the maximum acceptable level of disruption to an important business service, beyond which there would be intolerable harm to customers, financial markets, or regulatory obligations.

It is not the same as risk appetite or risk capacity, as those deal with broader organizational risk exposure.

Step 2: Why Business Services Matter

PRMIA defines business services as end-to-end services delivered to clients and stakeholders, such as payments processing, trade execution, or loan approvals.

Disruptions to these services directly impact customers and financial stability, making business service resilience the core focus of impact tolerance.

Step 3: Why the Other Options Are Incorrect

Option A ('tolerance for disruption to a particular business process')

Incorrect because impact tolerance applies to services, not just internal processes.

Option C ('a firm's risk appetite statement')

Incorrect because risk appetite focuses on how much risk a firm is willing to take, while impact tolerance is about surviving disruptions.

Option D ('a firm's risk capacity statement')

Incorrect because risk capacity is the maximum level of risk a firm can bear, which is broader than business service disruptions.

PRMIA Risk Reference Used:

PRMIA Operational Resilience Guidelines -- Defines impact tolerance as a service-based metric.

Bank of England's Operational Resilience Framework -- Establishes impact tolerance as a limit on business service disruption.

Final Conclusion:

Impact tolerance focuses on business services, not just internal processes or risk appetite, making Option B the correct answer.

Question 3

When a single operational risk event leads to losses in multiple business lines or impacts across several event types, how should these linked losses be treated?

AAllocate entire loss to the business line for which the loss is greatest.

BPro-rate the loss across the affected business line.

CEither allocate entire loss to the business line for which the loss is greatest or pro-rate the loss across the affected business line.

DEach business line should take it's own discretion as to how the losses are treated.

Answer : C

Step 1: Understanding Linked Losses in Operational Risk

In operational risk events, a single event can impact multiple business lines or event types (e.g., IT failure affecting retail banking and wealth management).

Proper loss attribution is important for accurate risk reporting and regulatory compliance under Basel III.

Step 2: Why Option C is Correct

Basel III and PRMIA guidance allow institutions flexibility in how to allocate linked losses:

Entire loss can be allocated to the business line with the largest loss impact for simplified reporting.

Loss can be pro-rated across affected business lines for more accurate attribution.

Step 3: Why the Other Options Are Incorrect

Option A ('Allocate entire loss to the business line with the greatest loss') Partially correct, but not always required---some firms prefer pro-rating.

Option B ('Pro-rate the loss') Partially correct, but allocating to the largest impacted business line is also acceptable.

Option D ('Each business line decides how to treat losses') Incorrect because loss allocation should follow a defined policy, not business line discretion.

PRMIA Risk Reference Used:

Basel III Operational Risk Framework -- Discusses loss attribution for multi-line impact events.

PRMIA Loss Event Management Guidelines -- Supports both full allocation and pro-rating.

Final Conclusion:

Firms can either allocate the full loss to the most impacted business line or pro-rate it across affected lines, making Option C the correct answer.

Question 4

In Operational Resilience, which of the following is not an important measure of whether a Business Service can be considered Critical?

AWhether a disruption to the provision of the service could cause material customer detriment.

BWhether a disruption to the provision of the service could harm market integrity.

CWhether a disruption to the provision of the service could exceed risk appetite.

DWhether a disruption to the provision of the service could threaten a firm's viability.

Answer : C

Step 1: Definition of a Critical Business Service in Operational Resilience

A Critical Business Service is one whose failure could result in severe harm to customers, financial markets, or the firm's viability.

Regulators (e.g., Bank of England, Basel Committee, PRMIA) define three primary factors for identifying critical services:

Customer impact

Market integrity impact

Firm viability impact

Step 2: Why Option C Is Incorrect

Risk appetite is an internal business decision, not an external measure of criticality.

A service can be critical even if its disruption stays within risk appetite.

Criticality is based on external impacts, not just internal risk limits.

Step 3: Why the Other Options Are Correct

Option A ('Material customer detriment') Correct as customer harm defines critical services.

Option B ('Harm to market integrity') Correct as market stability is a regulatory priority.

Option D ('Threaten firm viability') Correct as critical services often determine business survival.

PRMIA Risk Reference Used:

PRMIA Operational Resilience Framework -- Defines criteria for critical business services.

Basel Committee Operational Risk Guidelines -- Highlights customer, market, and firm viability as resilience factors.

Final Conclusion:

Risk appetite is an internal benchmark, not a measure of critical service designation, making Option C the correct answer.

Question 5

For the Barings case study, what external event may have accelerated the discovery of the loss event?

AThe collapse of Lehman Brothers into bankruptcy in 2002.

BThe Singapore earthquake of January 17th 1995.

CThe collapse of Lehman Brothers into bankruptcy m 2008.

DThe Kobe earthquake of January 17th 1995.

Answer : D

Background of the Barings Case Study

The Barings Bank collapse occurred due to unauthorized derivatives trading by Nick Leeson in Singapore.

Leeson concealed losses, and his trading positions became unmanageable.

How the Kobe Earthquake Affected Barings

On January 17, 1995, the Kobe earthquake caused extreme market volatility.

Leeson's unauthorized trades were highly exposed to the Nikkei 225 index, and the earthquake triggered heavy losses.

The event accelerated the exposure of Leeson's fraudulent activities, leading to Barings' collapse.

Why Answer D is Correct

The Kobe earthquake created market turmoil, forcing Barings to confront its financial position, ultimately revealing the hidden losses.

Why Other Answers Are Incorrect

Option

Explanation

A . The collapse of Lehman Brothers into bankruptcy in 2002.

Incorrect -- Lehman Brothers collapsed in 2008, not 2002.

B . The Singapore earthquake of January 17th, 1995.

Incorrect -- No significant earthquake occurred in Singapore on that date.

C . The collapse of Lehman Brothers into bankruptcy in 2008.

Incorrect -- Barings collapsed in 1995, not related to Lehman Brothers' 2008 failure.

PRMIA Reference for Verification

PRMIA Case Study on Barings Bank Collapse

Basel Committee Principles on Risk Oversight and Fraud Prevention

Question 6

In the Basel III standardized approach for operational risk, what is the Business Indicator?

AIt is a proxy for operational risks that relate to near-miss events.

BIt is a non-financial-statement-based proxy for operational risk.

CIt is a scaling factor that is based on a bank's average historical losses.

DIt is a financial-statement-based proxy for operational risk.

Answer : D

Step 1: Definition of the Business Indicator (BI) in Basel III

The Business Indicator (BI) is a financial-statement-based metric used in Basel III's Standardized Approach for Operational Risk.

It replaces previous approaches by using financial figures (e.g., revenue, fees, interest income) to estimate operational risk exposure.

Step 2: Why Option D Is Correct

The BI uses financial-statement data to calculate operational risk capital requirements.

It acts as a proxy for a bank's operational risk exposure by linking operational risk to its financial size and complexity.

Step 3: Why the Other Options Are Incorrect

Option A ('Proxy for near-miss events') Incorrect because BI is based on financial data, not near-miss risk events.

Option B ('Non-financial-statement-based proxy') Incorrect because BI is explicitly derived from financial statements.

Option C ('Scaling factor based on historical losses') Incorrect because BI does not use historical losses directly---it relies on financial-statement inputs.

PRMIA Risk Reference Used:

Basel III Operational Risk Framework -- Defines the Business Indicator as a financial-statement-based metric.

PRMIA Operational Risk Guidelines -- Explains the BI's role in capital calculations.

Question 7

ISO 27000 relates to what topic / area?

AEnvironmental, social, and governance (ESG) investing.

BInformation Security Systems.

CInternational Risk Management.

DAuditing of financial controls.
Step 1: Definition of ISO 27000
ISO 27000 is a global standard for information security management systems (ISMS), issued by the International Organization for Standardization (ISO).
It provides a framework for protecting sensitive information through policies, controls, and risk management practices.
Step 2: Why Option B Is Correct
ISO 27001 (part of ISO 27000 series) is one of the most widely recognized certifications for information security governance.
It sets guidelines on risk assessment, incident response, and data protection.
Step 3: Why the Other Options Are Incorrect
Option A ('ESG investing')
Incorrect because ISO 27000 deals with cybersecurity, not environmental, social, and governance (ESG) issues.
Option C ('International Risk Management')
Incorrect because ISO 27000 focuses on information security, not general risk management.
Option D ('Auditing of financial controls')
Incorrect because financial auditing standards (e.g., SOX, COSO) are separate from information security standards.
PRMIA Risk Reference Used:
ISO 27000 Series Documentation -- Defines cybersecurity risk management practices.
PRMIA IT Risk Governance Framework -- Reference ISO 27001 as a cybersecurity standard.

Answer : B