100+ Free CISI Operational Risk Practice Questions

CISI Operational Risk (Investment Operations Certificate unit) practice questions are available now; exam metadata is being verified.

Pass Rate: Not published by CISI
Key Facts: CISI Operational Risk Exam

Pass Mark: 70% (CISI IOC)
Exam Format: CBE, Computer-Based MCQ (CISI IOC)
Exam Availability: On-demand (CISI IOC)
To Achieve the IOC: 3 units (CISI IOC)
Formal Requirements: No entry (CISI IOC)
Basel Event Types: 7 (Basel Committee)

The CISI Operational Risk unit is an on-demand, computer-based multiple-choice examination forming part of the Investment Operations Certificate (IOC), with a 70% pass mark. The syllabus covers operational risk concepts and the Basel definition, risk appetite and the three lines of defence, identifying and assessing risk, risk and control self-assessment (RCSA), key risk indicators (KRIs), loss data and event management including the Basel operational risk event types, process, people, systems and external-event risk, and governance and reporting. CISI sets no formal entry requirements, and three IOC units are needed to earn the certificate.

Sample CISI Operational Risk Practice Questions

Try these sample questions to test your CISI Operational Risk exam readiness. Each question includes a detailed explanation.

1. Which definition of operational risk is used in the Basel framework and adopted across financial services?
A. The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events
B. The risk that a counterparty fails to meet its contractual obligations
C. The risk of loss arising from movements in market prices
D. The risk that an institution cannot meet payment obligations as they fall due
Explanation: The Basel Committee defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition explicitly includes legal risk but excludes strategic and reputational risk.

2. Under the Basel definition of operational risk, which risk type is explicitly INCLUDED?
A. Strategic risk
B. Legal risk
C. Reputational risk
D. Systemic risk
Explanation: The Basel definition of operational risk explicitly includes legal risk but specifically excludes strategic and reputational risk. Legal risk covers exposure to fines, penalties and damages from supervisory actions and private settlements.

3. Operational risk is often described as which type of risk in relation to potential reward?
A. A speculative risk offering balanced upside and downside
B. A market risk that can be hedged with derivatives
C. A pure (downside-only) risk with no upside reward
D. A diversifiable risk that disappears in a large portfolio
Explanation: Operational risk is generally a pure or downside risk: a firm gains no reward for taking it, only the prospect of loss. This contrasts with market or credit risk, which are accepted in exchange for expected return.

4. The four primary causal categories of operational risk under the Basel definition are people, systems, external events and which other?
A. Markets
B. Counterparties
C. Liquidity
D. Processes
Explanation: The Basel definition identifies four root-cause categories: inadequate or failed internal processes, people, systems, and external events. These four causal buckets underpin most operational risk taxonomies.

5. What is the term for the level and type of risk a firm is willing to accept in pursuit of its objectives?
A. Risk appetite
B. Risk velocity
C. Risk inventory
D. Risk transfer
Explanation: Risk appetite is the amount and type of risk an organisation is prepared to seek, accept or tolerate to achieve its strategic objectives. It is typically expressed in a board-approved risk appetite statement with supporting tolerances.

6. Within a risk management framework, what does 'risk tolerance' most accurately describe?
A. The total elimination of all operational risk exposures
B. The acceptable variation around the risk appetite, often expressed as specific limits or thresholds
C. The historical average of realised operational losses
D. The capital held against unexpected losses
Explanation: Risk tolerance defines the acceptable level of variation relative to the achievement of objectives, typically translated into quantitative thresholds and limits that operationalise the broader risk appetite statement.

7. Which sequence correctly represents the core stages of the operational risk management cycle?
A. Report, assess, transfer, ignore
B. Monitor, eliminate, capitalise, audit
C. Identify, assess, control/mitigate, monitor and report
D. Assess, accept, terminate, restate
Explanation: A typical operational risk management cycle is: identify risks, assess their likelihood and impact, control or mitigate them, then monitor and report on an ongoing basis. The cycle is iterative rather than one-off.

8. The 'three lines of defence' model assigns ownership of day-to-day risk and controls primarily to which line?
A. The second line: the risk and compliance functions
B. The third line: internal audit
C. The external auditors as a fourth line
D. The first line: business and operational management who own and manage risk
Explanation: In the three lines of defence model, the first line comprises business and operational management who own risks and operate controls. The second line (risk and compliance) provides oversight and challenge, and the third line (internal audit) gives independent assurance.

9. In the three lines of defence model, which function provides independent assurance to the board and audit committee?
A. Internal audit
B. The trading desk
C. The compliance department
D. The finance team
Explanation: Internal audit forms the third line of defence, providing independent and objective assurance over the effectiveness of governance, risk management and internal controls to the board and audit committee.

10. What distinguishes 'inherent risk' from 'residual risk'?
A. Inherent risk is always lower than residual risk
B. Inherent risk is the exposure before controls; residual risk is the exposure remaining after controls are applied
C. Inherent risk applies only to credit risk; residual risk only to market risk
D. They are identical terms used interchangeably
Explanation: Inherent (gross) risk is the level of risk before any mitigating controls are applied. Residual (net) risk is what remains after controls operate. The difference reflects the effectiveness of the control environment.

About the CISI Operational Risk Practice Questions

Verified exam format metadata for CISI Operational Risk (Investment Operations Certificate unit) is pending. The practice questions above remain available while official exam length, timing, passing score, fee, and administrator details are reviewed.