200+ Free CERP Practice Questions

Pass your Certified Enterprise Risk Professional (CERP) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

200+ Questions

100% Free

1 / 200

Question 1

Score: 0/0

A newly created KRI has no documented owner. What is the main governance problem?

The metric will appear too often in board reporting

No one is clearly accountable for its definition, quality, and remediation when issues arise

KRIs do not require owners

Ownership belongs automatically to internal audit

to track

2026 Statistics

Key Facts: CERP Exam

200 Qs

Delivered Questions

ABA CERP exam application

4 hrs

Time Limit

ABA CERP exam application

500

Passing Score

ABA Certification Exams FAQs

$815

Initial Exam Fee

ABA CERP exam application

$500

Retake Fee

ABA CERP exam application

8 Domains

Blueprint Areas

ABA CERP outline

As of March 11, 2026, ABA's official CERP outline uses eight weighted domains: Board and Senior Management Oversight (8%), Policies, Procedures, and Limits (12%), Management Information Systems (11%), Control Framework (7%), Risk Identification (15%), Risk Measurement and Evaluation (13%), Risk Responses (18%), and Risk Monitoring (16%). The delivered exam is 200 multiple-choice questions in 4 hours, uses ABA's 200-800 scaled score reporting, and requires a passing score of 500. For 2026 preparation, candidates should also understand the current U.S. banking risk environment, including capital, liquidity, data-governance, third-party, fraud, and supervisory-prioritization developments.

Sample CERP Practice Questions

Try these sample questions to test your CERP exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1A newly created KRI has no documented owner. What is the main governance problem?

A.The metric will appear too often in board reporting

B.No one is clearly accountable for its definition, quality, and remediation when issues arise

C.KRIs do not require owners

D.Ownership belongs automatically to internal audit

Explanation: A metric without an owner lacks accountability for quality, interpretation, and action. Ownership is essential because someone must be responsible when thresholds change, anomalies appear, or data quality degrades.

2Why might a high-velocity operational risk require near-real-time escalation rather than monthly committee reporting?

A.Because monthly reporting is always weak governance

B.Because the risk can materialize and cause harm faster than the normal reporting cycle allows

C.Because committees should never review operational risk

D.Because high velocity means the risk is already low severity

Explanation: Some risks move too quickly for normal committee cycles to be sufficient. High-velocity monitoring should ensure material problems are escalated while management still has time to respond effectively.

3Management proposes a mitigation plan, but residual risk would still remain above appetite for several quarters. What is the main governance implication?

A.The issue can be treated as closed because a plan exists

B.The remaining exposure may require formal escalation, additional action, or documented acceptance by the proper authority

C.Residual risk matters only after external audit review

D.Appetite is irrelevant once remediation starts

Explanation: A remediation plan does not by itself make the resulting exposure acceptable. If residual risk remains above appetite, governance should consider escalation, stronger treatment, or formal acceptance by the right authority if permitted.

4Model risk is growing because the same scoring model is now being reused across lending, collections, and marketing, but each team identifies risk separately. What is the key identification weakness?

A.Separate identification can miss enterprise-wide dependence on one model

B.Model reuse always reduces risk through standardization

C.Only the collections team needs to identify model risk

D.Marketing use of a model is never a risk concern

Explanation: When one model is reused across multiple activities, the exposure may become more concentrated than each team recognizes individually. Enterprise identification should capture shared dependencies and common-failure risk.

5A board packet combines numbers extracted from different systems at different cut-off times. What is the main reporting weakness?

A.The packet contains too many colors

B.The packet may not present a coherent point-in-time view of risk

C.The packet is automatically a regulatory violation

D.The packet should exclude all historical information

Explanation: Management and the board need a consistent view of risk as of a defined point in time. Mixed extraction times can produce misleading relationships between metrics and make apparent movements look like real changes when they are not.

6After acquiring a bank with a very different deposit mix, what should management identify first?

A.Whether the acquired bank uses the same slide template

B.How the new funding profile changes liquidity, operational, and concentration risks

C.Whether branch signage should be updated immediately

D.Whether risk identification can wait until integration is complete

Explanation: A changed deposit mix can affect liquidity stability, pricing pressure, servicing needs, and concentration exposure. Those risks should be identified early so strategy and controls can adjust before assumptions become outdated.

7Why is a board report based on stale quarter-old data a governance weakness?

A.Directors prefer narrative reports over metrics

B.Timeliness is not important if the information is accurate

C.Outdated data can prevent directors from identifying and challenging current material risks

D.Board reports should never include any historical information

Explanation: Effective board oversight depends on timely information. Even accurate data can be insufficient if it arrives too late to support escalation, challenge, or corrective action on emerging or worsening risks.

8A long-term system fix will take nine months. What is the best immediate response to reduce risk in the meantime?

A.Do nothing until the system project is complete

B.Implement an interim compensating control and monitor it until the permanent fix is in place

C.Close the issue because remediation has started

D.Transfer the issue to another committee

Explanation: When a permanent fix takes time, interim mitigants help reduce exposure while the institution works toward closure. The bank should also monitor the compensating control to ensure it is actually functioning during the interim period.

9Why is third-party risk identification important before onboarding a critical vendor?

A.Because vendor risks disappear after contract signature

B.Because the bank needs to understand dependency, control gaps, and resilience exposure before relying on the vendor

C.Because only procurement is affected by vendors

D.Because third-party risk applies only to cloud providers

Explanation: Third-party risk identification should happen before dependency is created. The bank needs to understand what could fail, how severe the dependency is, and what controls or contingency plans are needed before the service becomes critical.

10An incident occurred because staff re-entered data manually, but the deeper reason was that two systems were never integrated. What should remediation focus on?

A.Punishing the last employee who touched the data

B.Addressing the underlying integration and process design weakness

C.Eliminating incident reporting

D.Waiting to see whether the problem repeats

Explanation: The manual re-entry was part of the immediate chain of events, but the underlying design weakness was the lack of integration. Sustainable remediation targets the structural cause that made the error path possible.

About the CERP Exam

The CERP is ABA's enterprise risk certification for bank risk professionals who must connect governance, data, controls, reporting, and issue management across the full risk lifecycle. The exam measures whether candidates can identify and measure risk, evaluate risk relative to appetite, recommend and document responses, and monitor the resulting exposure in a U.S. banking environment.

Assessment

200 multiple-choice questions with four answer choices each; ABA notes that a few unscored pilot items may be embedded

Time Limit

4 hours

Passing Score

500 scaled score on ABA's 200-800 reporting scale

Exam Fee

$815 initial sitting; $500 retake (American Bankers Association (ABA))

CERP Exam Content Outline

Board and Senior Management Oversight

Board reporting, committees, credible challenge, risk appetite, and the communication of risk culture across the organization.

12%

Policies, Procedures, and Limits

Policy governance, limit structures, risk appetite frameworks, concentration management, and exception or breach handling.

11%

Management Information Systems

Risk aggregation, reporting systems, data quality, system limitations, and governance over inputs, outputs, and retention.

Control Framework

Three lines of defense, internal controls, COSO concepts, quality assurance, independence, and exam-readiness coordination.

15%

Risk Identification

Emerging-risk scans, RCSAs, third-party and idiosyncratic risks, stakeholder expectations, and regulatory or industry change.

13%

Risk Measurement and Evaluation

Likelihood, impact, velocity, scenario analysis, stress testing, risk scoring, and evaluation relative to appetite and tolerance.

18%

Risk Responses

Accept, mitigate, transfer, or avoid decisions; issue management; root-cause analysis; action plans; findings response; and residual risk.

16%

Risk Monitoring

KRIs and KPIs, thresholds, dashboards, escalation, control monitoring, trend analysis, and risk-based recommendations.

How to Pass the CERP Exam

What You Need to Know

Passing score: 500 scaled score on ABA's 200-800 reporting scale
Assessment: 200 multiple-choice questions with four answer choices each; ABA notes that a few unscored pilot items may be embedded
Time limit: 4 hours
Exam fee: $815 initial sitting; $500 retake

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

CERP Study Tips from Top Performers

1Memorize the official domain weights and spend disproportionate time on Risk Responses and Risk Monitoring, because together they represent more than one-third of the blueprint.

2Treat risk appetite as a connective concept rather than a standalone definition. On the exam, appetite appears in governance, policies, measurement, response, and monitoring questions.

3Practice translating qualitative issues into measurable indicators. CERP questions frequently test whether a dashboard, threshold, or escalation path would actually help management act.

4Get comfortable with RCSA language: inherent risk, control environment, residual risk, issue tracking, validation, and closure should feel operational, not theoretical.

5Study scenario analysis and stress testing as decision tools with assumptions and limitations, not just as calculations or annual compliance exercises.

6Use U.S. banking examples when you practice. ABA states that the credential is based on U.S. laws, regulations, and supervisory expectations.

7Review current regulatory and industry trends before test day so your answers reflect the 2026 environment around data quality, fraud, vendor concentration, capital, and liquidity.

Frequently Asked Questions

How many questions are on the CERP exam?

ABA's official CERP exam application page lists a 200-question exam with a four-hour testing window. ABA also notes in its certification FAQ that a few unscored pilot questions may be embedded for statistical research.

What score do I need to pass the CERP exam?

ABA reports all of its certification exams on a scaled score from 200 to 800, with 500 as the passing score. The exam is scored on a pass/fail basis and is not graded on a curve.

Which CERP domains matter most?

Risk Responses is the largest domain at 18%, followed by Risk Monitoring at 16%, Risk Identification at 15%, and Risk Measurement and Evaluation at 13%. In practice, that means successful candidates need more than governance theory; they must be strong at issue handling, escalation, root-cause analysis, metrics, and ongoing monitoring.

What are the CERP eligibility requirements?

ABA currently lists two paths. Option One requires five years of banking experience, including three years working directly in a risk-management or closely related role, plus a bachelor's degree or higher. Option Two requires seven years of banking experience, including five years working directly in a risk-management or closely related role. ABA also states that candidates must have U.S.-based experience because the certification is grounded in U.S. laws and regulations.

What does the CERP exam cost in 2026?

ABA's current CERP exam application page lists the initial exam fee at $815 and the retake fee at $500. If an application is denied, ABA states the refund is reduced by a $100 application fee.

What 2026 updates matter for CERP candidates?

As of March 11, 2026, ABA has not published a new 2026 CERP content-outline revision, so the current official eight-domain blueprint remains the core guide. The most relevant 2026 updates are in the operating environment: ABA's 2026 testing windows and fees, continued Meazure and live remote delivery, and current banking-risk priorities such as third-party oversight, data governance, fraud, supervisory focus on material financial risk, and the April 1, 2026 effective date for the federal agencies' modified leverage-capital rule.