100+ Free IRM International Certificate Practice Questions

Pass your IRM International Certificate in Enterprise Risk Management (Module 1 MCQ Exam) on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
100+ Questions
100% Free
Question 1

An organisation's ERM programme identifies an emerging risk: 'Generative AI tools used by employees without IT approval could result in data leakage.' At this early stage, which risk register entry is MOST appropriate?

2026 Statistics

Key Facts: IRM International Certificate Exam

  • 60: multiple-choice questions on the Module 1 MCQ exam. Source: IRM International Certificate official page and Pearson VUE exam listing
  • 90 minutes: exam duration for the Module 1 MCQ exam. Source: Pearson VUE IRM exam information page
  • ~60%: approximate pass mark (exact mark set per session by standard-setting). Source: IRM published guidance; exact threshold varies by sitting
  • 6: units covered in the Module 1 syllabus. Source: IRM International Certificate course syllabus page
  • 3: maximum exam attempts permitted. Source: Pearson VUE IRM exam information and IRM certificate FAQs

The IRM International Certificate Module 1 MCQ exam is a 60-question, 90-minute computer-based test delivered at Pearson VUE centres worldwide. It covers six units: key ERM concepts and frameworks (ISO 31000, COSO ERM 2017), strategic planning and governance (RASP, Three Lines Model), risk context and assessment (PESTLE, bow-tie, risk matrices), risk management and monitoring (four Ts, KRIs, risk registers), risk culture and appetite (LILAC, risk capacity/appetite/tolerance), and corporate governance and assurance (UK governance codes, combined assurance). The pass mark is set by standard-setting after each session.

Sample IRM International Certificate Practice Questions

Try these sample questions to test your IRM International Certificate exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. According to ISO 31000:2018, which of the following best describes 'risk'?
A. The effect of uncertainty on objectives
B. The probability that a hazard will cause harm to an organisation
C. Any event that could lead to a financial loss
D. A negative deviation from expected outcomes
Explanation: ISO 31000:2018 defines risk as 'the effect of uncertainty on objectives.' This definition is deliberately neutral — it encompasses both upside (opportunity) and downside (threat) effects, recognising that uncertainty can influence objectives positively or negatively.

2. Which of the following correctly distinguishes risk from uncertainty?
A. Risk involves known probabilities; uncertainty involves unknown probabilities
B. Risk is always negative; uncertainty is always positive
C. Risk applies only to financial matters; uncertainty applies to all business decisions
D. Risk is managed by insurance; uncertainty is managed by diversification
Explanation: In risk management theory (originating with Frank Knight), risk refers to situations where probabilities can be estimated or measured, whereas uncertainty refers to situations where probabilities are unknown. IRM syllabus material draws on this distinction when explaining why qualitative judgement is needed alongside quantitative tools.

3. An organisation classifies its risks as strategic, operational, financial, and hazard/reputational. Which classification model is this most consistent with?
A. A risk universe or risk taxonomy approach
B. COSO ERM 2017 objective categories
C. ISO 31000:2018 risk treatment categories
D. The Three Lines Model assurance mapping
Explanation: Grouping risks into strategic, operational, financial, hazard, and reputational categories reflects a risk universe or risk taxonomy, which helps organisations ensure comprehensive risk identification across all domains. The IRM syllabus specifically uses the risk universe concept in Unit 1.

4. ISO 31000:2018 is best described as which of the following?
A. A principles-based guidance standard for risk management applicable to any organisation
B. A certifiable international standard with mandatory compliance requirements
C. A sector-specific standard developed for financial services organisations
D. A prescriptive framework defining the exact risk management processes organisations must follow
Explanation: ISO 31000:2018 is a principles-based guidance standard. It is not certifiable, not sector-specific, and not prescriptive — it provides principles, a framework, and a process that organisations can adapt to their context. The IRM contrasts this with COSO, which is more process-oriented.

5. COSO ERM 2017 organises its framework around five components. Which of the following is the FIRST component in the COSO ERM 2017 structure?
A. Governance and Culture
B. Risk Assessment
C. Strategy and Objective-Setting
D. Information, Communication, and Reporting
Explanation: The COSO ERM 2017 framework has five components in order: (1) Governance and Culture, (2) Strategy and Objective-Setting, (3) Performance, (4) Review and Revision, and (5) Information, Communication, and Reporting. Governance and Culture is positioned first because leadership and tone set the foundation for all other components.

6. A company's board adopts a formal policy that defines the risk management mandate, risk appetite, roles, and reporting lines. In IRM terminology, this is known as the organisation's:
A. Risk architecture, strategy, and protocols (RASP)
B. Risk register
C. Risk treatment plan
D. Combined assurance framework
Explanation: IRM uses the term Risk Architecture, Strategy, and Protocols (RASP) to describe the structural and governance elements of an ERM programme: the architecture (governance structure, roles, committees), the strategy (risk policy and appetite), and the protocols (procedures, tools, and reporting requirements). This is a core Unit 2 concept.

7. The Three Lines Model (IIA, 2020) replaced the earlier Three Lines of Defence model. Which of the following best describes the role of the SECOND line?
A. Risk and compliance functions providing oversight, expertise, and challenge to the first line
B. Operational management owning and managing risks day-to-day
C. Internal audit providing independent assurance to the board
D. External audit providing regulatory assurance to shareholders
Explanation: In the Three Lines Model, the second line comprises risk management, compliance, and control functions. They support the first line by setting frameworks, providing expertise, developing policies, and challenging whether risks are being managed appropriately — without taking operational risk ownership away from the first line.

8. A Chief Risk Officer (CRO) reports directly to the CEO and attends board risk committee meetings. In the Three Lines Model, the CRO's function sits in which line?
A. Second line
B. First line
C. Third line
D. Outside the model as an executive function
Explanation: The CRO and the corporate risk function are second-line roles. The second line provides risk oversight, expertise, frameworks, and challenge to the operational (first-line) risk owners without directly owning the day-to-day risks themselves.

9. A risk manager uses PESTLE analysis to identify risks arising from changes in data privacy regulation, increasing energy costs, and a new competitor entering the market. Which PESTLE categories do these correspond to, in order?
A. Legal, Economic, Technological
B. Political, Economic, Social
C. Legal, Economic, Competitive
D. Regulatory, Environmental, Social
Explanation: Data privacy regulation is a Legal factor. Increasing energy costs are an Economic factor. A new competitor entering the market is a Technological or Competitive factor — in standard PESTLE, 'competitive landscape' is captured under Economic or Technological. However, among the given options, L-E-T is the closest correct match for regulation/cost/competitor.

10. During a risk identification workshop, the facilitator asks participants to consider 'what could prevent us achieving each of our strategic objectives?' This technique is best described as:
A. Objective-based risk identification
B. Scenario analysis
C. Cause-and-effect mapping
D. Bow-tie analysis
Explanation: Objective-based risk identification starts from stated objectives and asks what events or uncertainties could prevent their achievement. The IRM syllabus lists this as one of the primary risk identification methods in Unit 3, alongside environment-based, scenario-based, and taxonomy-based approaches.

About the IRM International Certificate Exam

The IRM International Certificate in Enterprise Risk Management is a globally recognised qualification awarded by the Institute of Risk Management. The qualification comprises two modules: Module 1 (assessed by this 60-question MCQ exam) covering principles, frameworks, assessment, culture, and governance; and Module 2 (assessed by assignment) covering organisational resilience and sustainability. This practice bank covers the Module 1 MCQ exam only.

Assessment

60 compulsory multiple-choice questions with four answer options per question; one correct answer per question

Time Limit

90 minutes (plus 5-minute NDA agreement before the exam starts)

Passing Score

Pass mark is set by standard-setting after each session; approximately 60% (36 of 60 correct) based on published IRM guidance, but the exact threshold varies per sitting

Exam Fee

Tiered pricing based on World Bank country classification; IRM members receive a 10% discount; resit fee approximately GBP 175. Contact IRM for the current fee schedule. (Institute of Risk Management (IRM), UK; exam delivered by Pearson VUE)

IRM International Certificate Exam Content Outline

Unit 1

Key Concepts in Risk Management

Risk definition (ISO 31000:2018), risk vs uncertainty, types of risk and risk taxonomies, the risk universe concept, ERM benefits, and a comparative overview of ISO 31000, COSO ERM 2017, and the Orange Book.

Unit 2

Strategic Planning for Enterprise Risk Management

Risk Architecture, Strategy, and Protocols (RASP); governance structures and committees; the Three Lines Model (IIA 2020); roles including the CRO; risk policy and its place in the strategy element of RASP.

Unit 3

Risk Context, Objectives, and Assessment

Internal and external context; PESTLE and SWOT analysis; objective-based, taxonomy-based, scenario, pre-mortem, and Delphi risk identification techniques; qualitative, semi-quantitative, and quantitative risk analysis; likelihood–impact matrices; bow-tie analysis; risk evaluation against criteria.

Unit 4

Managing, Monitoring, and Reporting Risks

Risk treatment using the four Ts (Tolerate, Treat, Transfer, Terminate); preventive and detective controls; inherent, residual, and target residual risk; risk registers; KRIs vs KPIs vs KCIs; monitoring, reviewing, escalation, and board-level risk reporting.

Unit 5

Risk Culture and Appetite

Risk appetite, tolerance, and capacity — their definitions and distinctions; qualitative and quantitative appetite statements; the LILAC risk culture model (Leadership, Involvement, Learning, Accountability, Communication); psychological safety; cultural maturity levels; tone from the top.

Unit 6

Corporate Governance and Risk Assurance

UK Corporate Governance Code requirements; board responsibilities for internal control and risk; going concern and viability statements; internal audit independence and Three Lines accountability; combined assurance and assurance mapping; external audit scope.

How to Pass the IRM International Certificate Exam

What You Need to Know

  • Passing score: Pass mark is set by standard-setting after each session; approximately 60% (36 of 60 correct) based on published IRM guidance, but the exact threshold varies per sitting
  • Assessment: 60 compulsory multiple-choice questions with four answer options per question; one correct answer per question
  • Time limit: 90 minutes (plus 5-minute NDA agreement before the exam starts)
  • Exam fee: Tiered pricing based on World Bank country classification; IRM members receive a 10% discount; resit fee approximately GBP 175. Contact IRM for the current fee schedule.

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

IRM International Certificate Study Tips from Top Performers

1. Memorise the eight ISO 31000:2018 principles and the five COSO ERM 2017 components in order — they are frequently tested on definitions, comparisons, and application scenarios.
2. Practise distinguishing risk appetite, risk tolerance, and risk capacity using concrete examples: appetite is the chosen level, tolerance is the acceptable variation, and capacity is the absolute maximum the organisation can absorb.
3. Know the five LILAC elements by name and be able to explain a real scenario where each element is absent or weak, as the exam tests application of the culture model.
4. Learn the four Ts (Tolerate, Treat, Transfer, Terminate) and map each to the ISO 31000 treatment options (retain, reduce, share, avoid); scenario questions will test which T is most appropriate given specific risk characteristics.
5. Review the Three Lines Model clearly: first line owns risks operationally, second line (risk/compliance function) provides oversight and challenge, third line (internal audit) provides independent assurance to the board — and know which line the CRO and Audit Committee each belong to.

Frequently Asked Questions

How many questions are on the IRM International Certificate Module 1 MCQ exam?

The Module 1 MCQ exam has 60 compulsory multiple-choice questions. Each question offers four possible answers and candidates select one. The exam is delivered by Pearson VUE.

How long is the IRM International Certificate MCQ exam?

The exam is 90 minutes long, plus a 5-minute non-disclosure agreement (NDA) before the exam begins, making the total appointment approximately 95–105 minutes.

What is the pass mark for the IRM International Certificate exam?

IRM uses standard-setting to determine the pass mark after each exam session, meaning the exact threshold varies. IRM guidance indicates the pass mark is approximately 60% (around 36 of 60 correct), but candidates should not rely on a fixed percentage.

Where can I sit the IRM International Certificate Module 1 MCQ exam?

The exam is delivered by Pearson VUE at its worldwide network of test centres. An online proctored option (OnVUE) is also available. Candidates must enrol with IRM before booking through Pearson VUE.

What frameworks and standards does the IRM International Certificate exam cover?

The Module 1 exam covers ISO 31000:2018, COSO ERM 2017, and the UK Orange Book as the three key risk management frameworks. It also covers the IIA Three Lines Model (2020), the IRM LILAC risk culture model, and UK Corporate Governance Code principles.

Does this question bank cover Module 2 of the IRM International Certificate?

No. Module 2 is assessed by assignment (long-form case study), not by MCQ. This question bank covers the Module 1 MCQ exam only — the six units on risk concepts, strategic planning, risk assessment, managing and monitoring, risk culture and appetite, and corporate governance.