8020 ORM Certificate - 2023 Update Questions and Answers

Definition of DORA

The Digital Operational Resilience Act (DORA) is a regulation by the European Union (EU) aimed at strengthening the digital resilience of financial institutions.

It establishes a regulatory framework for managing information and communication technology (ICT) risks in the financial sector.

Key Objectives of DORA

Ensures that financial institutions can withstand, respond to, and recover from cyber threats and ICT-related disruptions .

Introduces standards for risk management, incident reporting, and third-party ICT risk oversight .

Why Other Answers Are Incorrect

Option

Explanation

A. Domain for Operational Risk Act.

Incorrect – No such regulation exists under this name.

B. Digital Operational Risk Act.

Incorrect – The official name is Digital Operational Resilience Act (DORA).

C. Daily Operational Resilience Act.

Incorrect – DORA is not focused on daily operations but rather long-term digital resilience .

PRMIA Risk Governance & Digital Resilience Standards

European Commission’s Official DORA Regulation

PRMIA References for Verification

The Three Lines of Defense (3LoD) model ensures that risk management responsibilities are properly segregated :

First Line : Business units (own and manage risk).

Second Line : Compliance and risk management (independent oversight).

Third Line : Internal audit (provides assurance).

PRMIA and Basel Compliance Principles state that compliance should not report to business units , as this creates a conflict of interest .

Compliance must be independent to ensure objective oversight of regulatory adherence.

Option A ("Report to the business") → Incorrect because compliance must provide independent oversight , not report to business units.

Option C ("Outsource compliance if risk function exists") → Incorrect because compliance and risk functions have distinct roles .

Option D ("Outsource risk if compliance exists") → Incorrect because risk management is a core function, not an outsourcing candidate .

Step 1: Compliance Function and the Three Lines of Defense Model Step 2: Why Compliance Must Be Independent Step 3: Why the Other Options Are Incorrect

PRMIA Compliance Risk Governance – States compliance must be independent under the Three Lines of Defense model.

Basel Compliance Principles – Recommends separate reporting structures for compliance and business units.

PRMIA Risk References Used:

Final Conclusion: Compliance must be independent from the business to avoid conflicts of interest , making Option B the correct answer .

Definition of Bottom-Up Key Risk Indicators (KRIs)

Bottom-up KRIs are generated from operational-level data rather than high-level strategic indicators.

They are useful for monitoring localized risks but may fail to capture broad risk drivers .

Key Deficiencies of Bottom-Up KRIs

Lack of clarity on causal relationships – These indicators may detect risk trends but fail to explain root causes .

Focus on micro-level risks – They may miss systemic or enterprise-wide risk interactions .

Why Answer B is Correct

Bottom-up KRIs may indicate changes in risk levels but lack insight into the underlying causes , leading to reactive rather than proactive risk management .

Why Other Answers Are Incorrect

Option

Explanation

A. Mandates from a board that are too restrictive to implement.

Incorrect – Board mandates apply to top-down governance, not bottom-up KRIs.

C. Not reported frequently enough.

Incorrect – Reporting frequency is an issue but not the primary deficiency ; rather, it’s the lack of causal insight.

D. Lack of granularity.

Incorrect – Bottom-up KRIs tend to be highly detailed (granular) , making this answer incorrect.

PRMIA Key Risk Indicator Best Practices

Basel Committee’s Risk Measurement and Reporting Framework

PRMIA References for Verification

Impact Tolerance is a key concept in Operational Resilience , defined as the ability of a firm to withstand, respond to, and recover from disruptions. According to PRMIA and global regulatory frameworks (such as the Bank of England's Operational Resilience Framework ), impact tolerance is specifically tied to business services rather than processes .

Impact tolerance is the maximum acceptable level of disruption to an important business service , beyond which there would be intolerable harm to customers, financial markets, or regulatory obligations.

It is not the same as risk appetite or risk capacity , as those deal with broader organizational risk exposure.

PRMIA defines business services as end-to-end services delivered to clients and stakeholders , such as payments processing, trade execution, or loan approvals.

Disruptions to these services directly impact customers and financial stability , making business service resilience the core focus of impact tolerance.

Option A ("tolerance for disruption to a particular business process")

Incorrect because impact tolerance applies to services , not just internal processes.

Option C ("a firm's risk appetite statement")

Incorrect because risk appetite focuses on how much risk a firm is willing to take, while impact tolerance is about surviving disruptions .

Option D ("a firm's risk capacity statement")

Incorrect because risk capacity is the maximum level of risk a firm can bear , which is broader than business service disruptions.

Step 1: Defining Impact Tolerance Step 2: Why Business Services Matter Step 3: Why the Other Options Are Incorrect

PRMIA Operational Resilience Guidelines – Defines impact tolerance as a service-based metric.

Bank of England’s Operational Resilience Framework – Establishes impact tolerance as a limit on business service disruption.

PRMIA Risk References Used:

Final Conclusion: Impact tolerance focuses on business services, not just internal processes or risk appetite , making Option B the correct answer .

Definition of Key Risk Indicators (KRIs)

KRIs are quantitative metrics used to monitor risk levels and detect early warning signs of potential risk events.

Top-down KRIs are identified at the senior management level and focus on enterprise-wide risk exposure .

Key Properties of Top-Down KRIs

Selected by senior management to ensure alignment with strategic objectives.

Tied to material external and internal loss exposures to capture critical financial, operational, and strategic risks.

Used to manage changes in the business environment to ensure proactive risk response, especially under stress conditions.

Why Other Answers Are Incorrect

Option

Explanation

B. Selected by senior management, used to manage changes in the business environment, especially under periods of stress, and reported on a daily basis.

Incorrect – Top-down KRIs are not reported daily ; they are monitored periodically (e.g., quarterly).

C. Selected by junior management, used to manage changes in the business environment, especially under periods of stress, and reported on an annual basis.

Incorrect – Junior management does not define top-down KRIs ; senior management does. Also, annual reporting is too infrequent.

D. Can only be selected by the board in line with risk ratings.

Incorrect – The board provides oversight, but senior risk management selects KRIs , not just the board.

PRMIA Risk Indicator Guidelines

Basel Committee on Banking Supervision (BCBS) Principles for Effective Risk Data Aggregation

PRMIA References for Verification

ISO 27000 is a global standard for information security management systems (ISMS) , issued by the International Organization for Standardization (ISO) .

It provides a framework for protecting sensitive information through policies, controls, and risk management practices.

ISO 27001 (part of ISO 27000 series) is one of the most widely recognized certifications for information security governance .

It sets guidelines on risk assessment, incident response, and data protection .

Option A ("ESG investing")

Incorrect because ISO 27000 deals with cybersecurity, not environmental, social, and governance (ESG) issues .

Option C ("International Risk Management")

Incorrect because ISO 27000 focuses on information security , not general risk management .

Option D ("Auditing of financial controls")

Incorrect because financial auditing standards (e.g., SOX, COSO) are separate from information security standards .

Step 1: Definition of ISO 27000 Step 2: Why Option B Is Correct Step 3: Why the Other Options Are Incorrect

ISO 27000 Series Documentation – Defines cybersecurity risk management practices.

PRMIA IT Risk Governance Framework – References ISO 27001 as a cybersecurity standard.

PRMIA Risk References Used:

A Risk Function ensures that an organization follows best practices in risk governance, assessment, and control implementation .

It should be aligned with the board’s risk strategy and ensure independent oversight .

The board sets the overall risk strategy , and the risk function implements risk controls accordingly .

PRMIA emphasizes board oversight as the guiding force behind risk management .

Option A ("Implement management’s direction") → Incorrect because risk oversight should be board-driven, not solely management-driven .

Option C ("Ensure opinions are listened to") → Incorrect because risk functions enforce policies, not just share opinions .

Option D ("Lower risk-taking to zero") → Incorrect because risk-taking is necessary for growth—excessive risk aversion harms business .

Step 1: Role of a Risk Function Step 2: Why Option B is Correct Step 3: Why the Other Options Are Incorrect

PRMIA Risk Governance Framework – Highlights board oversight in risk management.

Basel III Risk Management Standards – Emphasizes board-driven risk controls.

PRMIA Risk References Used:

Final Conclusion: The Risk Function must follow the board’s direction in implementing risk controls , making Option B the correct answer .

Definition of Internal Loss Data (ILD)

Internal Loss Data (ILD) refers to historical records of actual operational losses incurred by a bank.

These losses are used for risk assessment, capital calculations, and trend analysis under Basel III’s Operational Risk Framework .

Key Characteristics of ILD

Captures actual past loss events , such as fraud, system failures, and compliance breaches.

Supports the identification of risk trends and weak control areas.

Used for operational risk capital modeling , along with external loss data and scenario analysis.

Why Other Answers Are Incorrect

Option

Explanation

A. It consists of near miss operational loss incidents of a bank.

Incorrect – ILD captures actual losses, while near misses are reported separately.

C. It consists of the Key Risk Indicators of a bank.

Incorrect – KRIs are forward-looking risk metrics , while ILD focuses on historical data .

D. It consists of scenario data developed to calculate the future operational loss incidents of a bank.

Incorrect – ILD is historical , whereas scenario data is used for predictive analysis .

Basel III & PRMIA Operational Risk Data Framework

PRMIA Risk Management Standards for ILD

PRMIA References for Verification

Definition of Governance

Governance refers to the framework of policies, principles, and processes used to guide corporate decision-making and strategic direction.

It ensures accountability, transparency, and risk oversight within an organization.

Key Elements of Governance

Risk oversight – Ensuring risks are properly identified and managed.

Accountability structures – Defining roles and responsibilities.

Decision-making frameworks – Establishing policies for long-term corporate success.

Why Other Answers Are Incorrect

Option

Explanation

A. Governance is a structure specifying the daily operation of a firm.

Incorrect – Governance focuses on high-level corporate oversight , not day-to-day operations.

B. Governance is a structure specifying the ways in which reporting is made to the primary regulator.

Incorrect – Governance is broader than just regulatory reporting.

C. Governance is being replaced by management in all firms that are regulated.

Incorrect – Governance and management are separate but complementary ; governance provides oversight, while management executes strategy.

PRMIA 10 Principles of Good Governance

PRMIA References for Verification

Three Lines of Defense Model

The compliance department functions as the second line of defense , ensuring oversight over the first line’s compliance controls .

It does not directly implement controls but monitors and advises on compliance risk management.

Responsibilities of the Compliance Department

Ensures regulatory compliance with laws, policies, and industry standards.

Monitors and enforces risk management controls within business operations.

Provides advisory and training on compliance risks.

Why Answer D is Correct

The first line of defense (business operations) is responsible for executing compliance controls.

The compliance department (second line) provides oversight and governance to ensure compliance adherence.

Why Other Answers Are Incorrect

Option

Explanation

A. The compliance department is responsible for implementing the first line's compliance risk management controls.

Incorrect – The first line (business units) implement compliance controls, while compliance oversees.

B. The compliance department is responsible for providing oversight over the auditor's implementation of compliance risk management controls.

Incorrect – Internal audit is part of the third line of defense , not directly overseen by compliance.

C. The compliance department is responsible for providing oversight over the board's implementation of compliance risk management controls.

Incorrect – The board provides high-level governance ; compliance ensures business adherence to regulations.

PRMIA Governance & Compliance Oversight Framework

Basel Committee’s Guidelines on Compliance Risk Management

PRMIA References for Verification

Background of the Barings Case Study

Nick Leeson , a trader at Barings Bank , caused the collapse of the institution due to unauthorized trading in derivatives.

A critical failure was the lack of segregation of duties , allowing Leeson to both execute trades (front-office) and oversee trade settlement (back-office) .

How Segregation of Duties Failed

Proper segregation of duties ensures that no single individual has unchecked control over trading and settlement.

Leeson was responsible for both trading (front-office) and settlement (back-office) , meaning he could hide losses without detection.

Why Answer A is Correct

A trader (Leeson) should never have been managing back-office functions.

His dual role allowed him to manipulate records and bypass controls , leading to $1.3 billion in losses and the bank’s collapse.

Why Other Answers Are Incorrect

Option

Explanation

B. A trader was responsible for managing the front-office.

Incorrect – Traders are supposed to manage the front-office; the issue was their involvement in back-office functions .

C. A risk manager was responsible for managing the back-office.

Incorrect – The issue was lack of oversight on the trader , not risk managers handling back-office duties.

D. A trader was responsible for managing the expense account.

Incorrect – The main issue was the trader’s control over trade settlement , not expense accounts.

PRMIA Case Study on Barings Bank Collapse

Basel Principles on Segregation of Duties in Risk Management

PRMIA References for Verification

Role of the Risk Function

The risk function is responsible for documenting, monitoring, and overseeing risk policies and frameworks .

It ensures the organization maintains structured risk governance, reporting, and compliance .

Key Responsibilities

Developing Risk Management Manuals to define risk appetite, risk frameworks, and risk governance structures .

Creating Risk Policies that align with regulatory standards and internal controls .

Why Answer B is Correct

The risk function primarily develops, implements, and maintains risk management frameworks , which include formal manuals and policies .

Why Other Answers Are Incorrect

Option

Explanation

A. Documenting its activities, typically by operating and then recording the daily operation of controls.

Incorrect – The first line of defense (business units) handles daily operational controls, not the risk function.

C. Putting in place the servers, firewalls, and software to ensure cybersecurity.

Incorrect – Cybersecurity is an IT responsibility , while the risk function oversees cyber risk frameworks .

D. Creating a trial balance, balance sheet statement, and cash flow statement.

Incorrect – These are financial accounting responsibilities , not risk management duties.

PRMIA Governance Framework for Risk Management

Basel Risk Management Principles

PRMIA References for Verification

PRMIA and global financial regulators define climate risk as the financial, operational, and societal risks arising from climate change .

Climate risks impact businesses through physical risks (e.g., floods, wildfires) and transition risks (e.g., regulatory changes, carbon pricing).

Option A ("Climate risk has been moved out of all risk taxonomies due to international agreement")

Incorrect because climate risk is now a central part of risk taxonomies , as emphasized by PRMIA, Basel III, and TCFD.

Option B ("Climate risk refers to the growing impacts of credit risk on the business environment")

Incorrect because credit risk is just one aspect of climate risk, not the full definition.

Option C ("Climate risk refers to change in the business climate during a recession")

Incorrect because climate risk is about environmental change, not economic cycles .

Step 1: Definition of Climate Risk Step 2: Why the Other Options Are Incorrect

PRMIA Climate Risk Guidelines – Defines climate risk as a financial and societal risk due to climate change.

TCFD (Task Force on Climate-Related Financial Disclosures) – Outlines regulatory expectations for climate risk management.

PRMIA Risk References Used:

Final Conclusion: Climate risk involves physical and transition risks from climate change , making Option D the correct answer .

Risk-sensitive pricing ensures that financial institutions and businesses properly account for risk in their pricing strategies to maintain stability and sustainability. PRMIA’s Risk Pricing and Capital Adequacy Guidelines define the importance of risk-sensitive pricing in ensuring fair compensation for risk exposure and avoiding risk concentration issues .

Aligns risk with return : Pricing should be designed to reflect the underlying risk and return trade-off.

Protects investors : Investors expect compensation for capital at risk ( Option A is correct).

Reinforces risk-aware culture : PRMIA promotes linking incentives to risk-adjusted returns ( Option B is correct).

Prevents adverse selection : Proper risk pricing prevents low-quality assets from accumulating ( Option C is correct).

Income targets are business-driven, not risk-driven .

Risk-sensitive pricing aims to balance risk and reward , not just maximize revenue.

PRMIA discourages profit-seeking behavior at the expense of risk considerations .

Step 1: Why Risk-Sensitive Pricing Is Important Step 2: Why Option D Is Incorrect

PRMIA Risk Pricing Guidelines – Defines the principles of risk-sensitive pricing.

PRMIA Risk-Adjusted Return Standards – Stresses linking incentives to risk-aware decisions.

PRMIA Capital Adequacy Framework – Highlights the role of risk-sensitive pricing in portfolio management.

PRMIA Risk References Used:

Final Conclusion: Risk-sensitive pricing is designed to align returns with risk exposure , not simply to meet or exceed income targets , making Option D the correct answer .

Financial Crime Risk Management

Managing financial crime requires implementing controls, monitoring, and reporting systems to detect and prevent illegal activities.

Developing red flags and monitoring scenarios allows firms to detect suspicious transactions related to money laundering, fraud, and terrorist financing.

Why Answer C is Correct

PRMIA emphasizes that effective risk management requires proactive monitoring of transactions using red flags, transaction patterns, and anomaly detection systems.

This is aligned with Anti-Money Laundering (AML) and Counter-Terrorism Financing (CTF) regulatory requirements.

Why Other Answers Are Incorrect

Option

Explanation

A. Having the business be a cash-only business and not report any transactions.

Incorrect – Cash-only businesses with no reporting are high-risk for financial crime.

B. The requirements to trace all transactions when they are entered into spreadsheets.

Incorrect – While transaction tracing is important, spreadsheets alone are not an effective control mechanism for financial crime.

D. Local regulations that allow a bank to not report transactions by family members of the board.

Incorrect – This would violate AML and financial crime regulations , increasing corruption risk.

PRMIA Financial Crime and AML Risk Guidelines

Basel Committee on Financial Crime and Money Laundering

PRMIA References for Verification