What's new

P2.T7.701. Operational risk governance

Nicole Seaman

Director of FRM Operations
Staff member
Concept: These on-line quiz questions are not specifically linked to learning objectives, but are instead based on recent sample questions. The difficulty level is a notch, or two notches, easier than bionicturtle.com's typical question such that the intended difficulty level is nearer to an actual exam question. As these represent "easier than our usual" practice questions, they are well-suited to online simulation.


701.1. Whitestreet Bank is merging with another bank and the newly merged international financial services firm is developing its executive organizational chart. There is an important question about the location of operational risk. Put another way, "who will own" operational risk; or, to which executive or committee will the operational risk report?

Each of the above is plausible but which is the LEAST LIKELY?

a. Operational risk reports to the Chief Risk Officer (CRO)
b. Operational risk reports to Internal Audit (IA)
c. Operational risk reports to Compliance who reports to the COO/CFO
d. Operational risk reports directly to the COO or CFO

701.2. Peter is developing an operational risk taxonomy (i.e., classification of operational risk categories) for his firm's operational risk system. His manager says to Peter, "The most important criteria for your classification framework is that it identifies operational risk losses by their CAUSE(S) rather than their effect or some other event-type categorization, because we want to use this to proactively MANAGE operational risk and, in order to manage risk, we need to act on root causes." In this case, which of the following classifications does the BEST job of classifying by CAUSES of operational risk rather than effects or some other factor?

a. People; Processes; Systems and technology; and External events
b. Fraud; Employment practices; Workplace safety; Clients; and Products
c. Damage to physical assets; Business disruption, Systems failures; Execution; and Delivery
d. High-frequency/high-impact (HFHI); High-frequency/Low-impact (HFLI); Low-frequency/high-impact (LFHI); Low-frequency/Low-impact (LFLI)

701.3. In an effort to re-establish trust with stakeholders in the wake of a public scandal that exposed key deficiencies in its culture and governance, Alphaholding International Bank has re-designed and re-staffed its risk management function. In particular, the bank's new operational risk framework endeavors to reflect "sound practices" and/or "best practices" with respect to operational risk. Consequently, each of the following is an advisable (or at least plausible) practice EXCEPT which is the LEAST LIKELY to be a component of the new operational risk management framework?

a. Senior management develops (for approval by the Board of Directors, BOD) a governance structure with well-defined, transparent, and consistent lines of responsibility, and this responsibility entails "three lines of defense:" the business line, the corporate operational risk function, and the internal audit function
b. The Board (BOD) approves and reviews the bank's Risk Appetite and Tolerance statement for operational risk; where “risk appetite” reflects the level of aggregate risk the bank's Board is willing to assume and manage in the pursuit of the bank's business objectives, and this risk appetite include both quantitative and qualitative elements
c. The bank maps each operational risk loss sub-type to its own general ledger account so operational risk trends and exposures can be evaluated via historical profit and loss statements (P&Ls); and so the Board (BOD) can budget quantitative dollar exposure limits (akin to position limits in market risk) to each operational risk type and sub-type
d. The bank conducts Risk Control Self-assessments (RCSA) which evaluate inherent risks (i.e., the risk before controls are considered), the effectiveness of the control environment, and residual risks (i.e., the risk exposure after controls are considered); scorecards build on the RCSAs by weighting residual risks in order to translate the the RCSA output into metrics

Answers here:
Last edited by a moderator:

Nicole Seaman

Director of FRM Operations
Staff member
Excellent Questions...Answers D, A and C.

Hello @Hermz29 and @meenalbaheti

The answers to our daily practice questions are only available to our paid members, as these questions are part of our practice question sets in the study planner. Here are the study packages that we offer if you are interested in gaining access to the answers and explanations: https://www.bionicturtle.com/features-pricing/ :)

Thank you,


David Harper CFA FRM

David Harper CFA FRM
Staff member
@Hermz29 Thank you for appreciating this question set! These operational risk review questions are tough (time-consuming) to write by the time I polish, cross-check and calibrate them, but there's always some fresh insights to mine from the material it seems :)