
100+ Free PRMIA ORM Practice Questions

Pass your PRMIA Operational Risk Manager Certificate exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Pass rate: not published. 100+ questions. 100% free.

Key Facts: PRMIA ORM Exam

  • Exam questions: 70 (source: PRMIA)
  • Exam time: 2.5 hrs (source: PRMIA)
  • Passing score (scaled): 60% (source: PRMIA)
  • Exam fee: $1,250 (source: PRMIA, non-member rate)
  • Basel Level 1 event types: 7 (source: Basel II Annex 9)
  • DORA applicable date: 17 Jan 2025 (source: Regulation (EU) 2022/2554)

The PRMIA ORM Certificate is a 70-question, 2.5-hour online-proctored exam from PRMIA, with a passing standard around 60% (scaled). It covers the seven Basel operational risk event types, the three lines of defence, RCSA, KRIs/KCIs, loss data and ORX consortium data, scenario analysis, the Basel III Standardised Approach for Operational Risk (BIC × ILM), DORA's five pillars, BCBS Principles for Operational Resilience (March 2021), and emerging risks including cyber (NIST CSF 2.0), conduct, model risk (SR 11-7) and climate. There are no prerequisites and the credential is global.

Sample PRMIA ORM Practice Questions

Try these sample questions to test your PRMIA ORM exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Under the Basel framework, which of the following is the standard definition of operational risk?
A. The risk of loss arising from adverse market price movements
B. The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events
C. The risk that a counterparty will fail to meet its contractual obligations
D. The risk that the bank cannot meet its short-term funding obligations
Explanation: Basel defines operational risk as 'the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.' This definition explicitly includes legal risk but excludes strategic and reputational risk. It is the foundation for the Basel II/III/IV operational risk capital frameworks.
2. How many Level 1 (Basel) operational risk event-type categories are there?
A. 5
B. 6
C. 7
D. 8
Explanation: Basel II Annex 9 (carried into Basel III) defines seven Level 1 operational risk event types: Internal Fraud; External Fraud; Employment Practices and Workplace Safety; Clients, Products and Business Practices; Damage to Physical Assets; Business Disruption and System Failures; and Execution, Delivery and Process Management.
3. An employee colludes with a customer to misappropriate funds and falsify records. Under Basel's Level 1 event-type taxonomy, this is BEST classified as:
A. External Fraud
B. Internal Fraud
C. Clients, Products and Business Practices
D. Execution, Delivery and Process Management
Explanation: Internal Fraud covers losses due to acts intended to defraud, misappropriate property or circumvent regulations, the law or company policy that involve at least one internal party. Even if a customer is also involved, the participation of an internal party makes it Internal Fraud rather than External Fraud.
4. A class-action lawsuit is filed alleging that the bank systematically mis-sold a structured product without adequately disclosing the risks. Under Basel's event-type taxonomy this loss is classified as:
A. Internal Fraud
B. Clients, Products and Business Practices
C. Execution, Delivery and Process Management
D. Business Disruption and System Failures
Explanation: Clients, Products and Business Practices (CPBP) captures losses arising from an unintentional or negligent failure to meet a professional obligation to clients, or from the nature or design of a product. Mis-selling, suitability failures and disclosure breaches fall here. CPBP has historically been the largest loss category by value in industry consortia such as ORX.
5. A flood damages the bank's primary data centre, destroying servers. Under Basel's event-type taxonomy this is:
A. Business Disruption and System Failures
B. Damage to Physical Assets
C. Execution, Delivery and Process Management
D. External Fraud
Explanation: Damage to Physical Assets covers losses arising from loss or damage to physical assets from natural disasters or other events (fire, flood, terrorism, vandalism). The cause of the loss is the physical destruction of the asset, even if it also leads to a system outage as a downstream effect.
6. Which of the following is EXCLUDED from the Basel definition of operational risk?
A. Legal risk
B. Strategic and reputational risk
C. Internal fraud risk
D. Process execution risk
Explanation: The Basel definition explicitly INCLUDES legal risk but EXCLUDES strategic and reputational risk. Strategic risk relates to business decisions and market positioning; reputational risk often arises as a consequence of operational events but is not itself in scope of Pillar 1 OR capital.
7. Which Basel Level 1 event type captures discrimination claims, workers' compensation losses and harassment settlements?
A. Clients, Products and Business Practices
B. Internal Fraud
C. Employment Practices and Workplace Safety
D. Execution, Delivery and Process Management
Explanation: Employment Practices and Workplace Safety (EPWS) covers losses from acts inconsistent with employment, health or safety laws or agreements; from payment of personal injury claims; or from diversity/discrimination events. EPWS is typically lower-frequency in banking but can produce sizeable settlements.
8. A back-office team books a trade with the wrong notional, causing a settlement break and a loss when the position is reversed. Under Basel this is:
A. Internal Fraud
B. Execution, Delivery and Process Management
C. Business Disruption and System Failures
D. Clients, Products and Business Practices
Explanation: Execution, Delivery and Process Management (EDPM) captures losses from failed transaction processing or process management, including data entry errors, missed deadlines, incorrect reference data, and reconciliation breaks. It is typically the highest-frequency event type in banks.
9. An external hacker breaches the bank and exfiltrates customer data. Under Basel Level 1 this is BEST classified as:
A. External Fraud
B. Business Disruption and System Failures
C. Internal Fraud
D. Damage to Physical Assets
Explanation: External Fraud includes losses due to acts by a third party of a type intended to defraud, misappropriate property, or circumvent the law. Basel II Annex 9 lists 'hacking damage' and 'theft of information (with monetary loss)' as the activity examples under External Fraud, Level 2 category 'Systems Security', so an external intrusion that exfiltrates data is mapped there rather than to Business Disruption and System Failures, even though systems were compromised.
10. Which of the following BEST distinguishes operational risk from market and credit risk?
A. Operational risk is always low frequency, high severity
B. Operational risk is generally taken intentionally to earn return; market and credit risk are not
C. Operational risk is generally NOT taken intentionally to earn return; it is a by-product of doing business
D. Operational risk losses are bounded; market and credit losses are unbounded
Explanation: A core conceptual distinction is that market and credit risk are intentionally taken to generate return: banks earn spread for bearing them. Operational risk is generally a by-product of operating the business; there is no upside, only loss potential. This shapes how appetite, controls and incentives are designed.

About the PRMIA ORM Exam

The PRMIA Operational Risk Manager (ORM) Certificate is a stand-alone credential — not a section of the full PRM exam — for risk professionals working in operational risk, ICT/cyber risk, resilience and second-line oversight. It tests fundamentals of OR (Basel definition and seven event types), governance (three lines, RCSA, KRIs, KCIs), loss data and external data (ORX), scenario analysis, OR capital under Basel III SA-OR (BIC and ILM), operational resilience (BCBS POR, DORA, ISO 22301/27001), and emerging topics including cyber, conduct, model and climate risk.

  • Questions: 70 scored questions
  • Time limit: 2.5 hours
  • Passing score: 60% (scaled)
  • Exam fee: $1,250 (PRMIA)

PRMIA ORM Exam Content Outline

  • 15% Operational Risk Fundamentals: Basel OR definition, seven Level 1 event types, OR taxonomy, OR vs market/credit risk
  • 15% Operational Risk Governance: Three lines of defence, risk appetite, RCSA basics, KRIs vs KCIs, BCBS PSMOR (2021)
  • 10% Loss Data Collection and External Data: Internal LDC, ORX consortium, near misses, boundary events, scaling external data
  • 15% RCSA and Scenario Analysis: Inherent vs residual risk, control design vs operating effectiveness, scenario workshops, biases, heat maps
  • 15% Capital Modeling for Operational Risk: Basel II BIA/TSA/AMA legacy, Basel III SA-OR formula (BIC × ILM), Pillar 2/3, EU CRR3 fixing ILM = 1
  • 15% Operational Resilience: BCBS POR, impact tolerances, DORA five pillars, ICT third-party risk, ISO 22301/27001/31000, COSO ERM
  • 15% Emerging Topics: Cyber risk and NIST CSF 2.0, conduct risk, model risk (SR 11-7), climate-related OR

How to Pass the PRMIA ORM Exam

What You Need to Know

  • Passing score: 60% (scaled)
  • Exam length: 70 questions
  • Time limit: 2.5 hours
  • Exam fee: $1,250

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

PRMIA ORM Study Tips from Top Performers

1. Memorise the Basel definition word-for-word: 'inadequate or failed internal processes, people and systems or from external events' — and remember it INCLUDES legal but EXCLUDES strategic and reputational
2. Drill the seven Level 1 event types and be able to map any scenario to one — especially boundary cases like cyber (External Fraud), mis-selling (CPBP), and data centre flood (Damage to Physical Assets)
3. Know SA-OR cold: BI = ILDC + SC + FC (each a three-year average); BIC applies marginal coefficients of 12%, 15% and 18% to the tranches of BI up to EUR 1bn, from EUR 1bn to EUR 30bn, and above EUR 30bn (not a flat rate on the whole BI); ILM = ln(e - 1 + (LC/BIC)^0.8), where LC is 15 times the average annual loss over a 10-year lookback; EU CRR3 sets ILM = 1
4. Distinguish KRIs (forward-looking, predictive) from KCIs (control performance) — the exam tests this directly
5. Know DORA's five pillars and the 17 January 2025 application date; understand TLPT and the CTPP designation
6. Understand the difference between control DESIGN and control OPERATING EFFECTIVENESS — RCSA and audit terminology
7. Be ready for SR 11-7 model-risk fundamentals and the NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover)

Frequently Asked Questions

Is the PRMIA ORM Certificate the same as the PRM exam?

No. The PRMIA Operational Risk Manager (ORM) Certificate is a stand-alone PRMIA credential focused on operational risk. The PRM is a separate, broader risk-management designation that PRMIA also offers. Candidates often pursue ORM independently for operational risk roles in banks, insurers, asset managers and FMIs without taking the full PRM.

What is the format of the PRMIA ORM exam?

The PRMIA ORM exam is delivered as an online-proctored, multiple-choice exam — 70 questions in 2.5 hours, with a passing standard around 60% (scaled). The exam is global and is offered on a flexible schedule throughout the year. There are no formal prerequisites, though working knowledge of operational risk concepts is strongly recommended.

What does the PRMIA ORM exam cover?

The ORM curriculum covers operational risk fundamentals (the Basel definition and seven Level 1 event types), governance (three lines of defence, risk appetite, RCSA, KRIs and KCIs), loss data and external data (including ORX), scenario analysis, capital under Basel III SA-OR (BIC × ILM), operational resilience (BCBS POR, DORA, ISO 22301/27001), and emerging topics — cyber, conduct, model risk (SR 11-7) and climate.

What is the BIC × ILM formula in Basel III SA-OR?

Under Basel III's Standardised Approach for Operational Risk (BCBS d424, December 2017, with a Basel Committee implementation date of 1 January 2023; national adoption dates vary, and the EU applies it through CRR3 from 1 January 2025), Pillar 1 OR capital = Business Indicator Component (BIC) × Internal Loss Multiplier (ILM). The Business Indicator (BI) is the sum of three-year averages of the interest, leases and dividend component (ILDC), the services component (SC) and the financial component (FC). The BIC applies marginal coefficients of 12%, 15% and 18% to the tranches of BI up to EUR 1bn, between EUR 1bn and EUR 30bn, and above EUR 30bn. The ILM is ln(e - 1 + (LC/BIC)^0.8), where the Loss Component LC is 15 times the average annual internal operational loss over the preceding 10 years; ILM equals exactly 1 when LC equals BIC, is below 1 for a bank whose losses are low relative to its BIC, and above 1 otherwise. The EU's CRR3 sets ILM = 1 for all institutions, so EU capital is simply the BIC.
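The calculation in this answer and in study tip 3, carried through in code. This is an added worked example, not PRMIA's or the Basel Committee's own code: the bucket thresholds, marginal coefficients, the 15x loss-component multiplier and the ILM formula are taken from BCBS d424, while the bank's BI components and ten-year loss history are constructed figures (EUR bn). It ignores loss data quality requirements, the RWA conversion and any Pillar 2 add-on.

```python
"""Basel III SA-OR worked example: BIC, ILM and Pillar 1 operational risk capital.

Added illustration, not PRMIA's or the Basel Committee's own code. Formulae follow
BCBS d424 (December 2017):
  BI  = ILDC + SC + FC, each component a three-year average
  BIC = 12% of BI up to EUR 1bn + 15% of BI between EUR 1bn and EUR 30bn
        + 18% of BI above EUR 30bn
  LC  = 15 x the average annual net operational loss over the last 10 years
  ILM = ln(e - 1 + (LC / BIC) ** 0.8)
  Capital = BIC x ILM
All amounts are in EUR billions. The bank figures below are constructed.
"""
import math

# (upper bound of the BI bucket in EUR bn, marginal coefficient applied to that tranche)
BI_BUCKETS = [(1.0, 0.12), (30.0, 0.15), (math.inf, 0.18)]


def three_year_average(values):
    """Three-year average used for each BI component."""
    if len(values) != 3:
        raise ValueError("each BI component needs exactly three annual values")
    return sum(values) / 3


def business_indicator(ildc, sc, fc):
    """BI = ILDC + SC + FC, each a three-year average of annual figures."""
    return three_year_average(ildc) + three_year_average(sc) + three_year_average(fc)


def business_indicator_component(bi):
    """Apply the marginal coefficients tranche by tranche (not a flat rate on BI)."""
    bic, lower = 0.0, 0.0
    for upper, coefficient in BI_BUCKETS:
        tranche = max(0.0, min(bi, upper) - lower)
        bic += coefficient * tranche
        lower = upper
    return bic


def loss_component(annual_losses):
    """LC = 15 x average annual loss over a ten-year lookback."""
    if len(annual_losses) != 10:
        raise ValueError("LC needs ten years of annual loss data")
    return 15 * sum(annual_losses) / 10


def internal_loss_multiplier(lc, bic):
    """ILM = ln(e - 1 + (LC/BIC)^0.8); equals 1 exactly when LC == BIC."""
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def sa_or_capital(ildc, sc, fc, annual_losses, ilm_fixed_to_one=False):
    """Return the SA-OR building blocks and Pillar 1 capital.

    ilm_fixed_to_one models a jurisdiction that sets ILM = 1 regardless of the
    bank's loss history, as the EU does under CRR3.
    """
    bi = business_indicator(ildc, sc, fc)
    bic = business_indicator_component(bi)
    lc = loss_component(annual_losses)
    ilm = 1.0 if ilm_fixed_to_one else internal_loss_multiplier(lc, bic)
    return {"BI": bi, "BIC": bic, "LC": lc, "ILM": ilm, "capital": bic * ilm}


# Constructed example bank (EUR bn): BI averages to 5.0, so it sits in bucket 2.
EXAMPLE_ILDC = [2.8, 3.0, 3.2]
EXAMPLE_SC = [1.4, 1.5, 1.6]
EXAMPLE_FC = [0.4, 0.5, 0.6]
# Ten years of net operational losses, averaging EUR 0.04bn a year (constructed).
EXAMPLE_LOSSES = [0.02, 0.03, 0.05, 0.04, 0.06, 0.03, 0.04, 0.05, 0.03, 0.05]


def example():
    """Run the constructed bank under the Basel formula and under CRR3 (ILM = 1)."""
    basel = sa_or_capital(EXAMPLE_ILDC, EXAMPLE_SC, EXAMPLE_FC, EXAMPLE_LOSSES)
    crr3 = sa_or_capital(EXAMPLE_ILDC, EXAMPLE_SC, EXAMPLE_FC, EXAMPLE_LOSSES,
                         ilm_fixed_to_one=True)
    return basel, crr3


if __name__ == "__main__":
    basel, crr3 = example()
    for label, r in (("Basel III SA-OR", basel), ("EU CRR3 (ILM = 1)", crr3)):
        print(f"{label}: BI={r['BI']:.3f} BIC={r['BIC']:.4f} LC={r['LC']:.3f} "
              f"ILM={r['ILM']:.4f} capital={r['capital']:.4f} (EUR bn)")
```

For the constructed bank the BIC is 0.12 x 1 + 0.15 x 4 = 0.72, LC is 15 x 0.04 = 0.60, and because LC is below BIC the ILM comes out just under 1 (about 0.949), so Basel capital is about 0.683 against 0.72 under CRR3. Two checks worth keeping in mind: a bank with BI of 40 pays 18% only on the 10 above the EUR 30bn threshold (BIC 6.27, not 7.2), and ILM is exactly 1 when LC equals BIC, which is the hinge between a loss history that reduces capital and one that adds to it.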

What are the seven Basel Level 1 operational risk event types?

The seven Basel L1 event types (Annex 9) are: Internal Fraud; External Fraud; Employment Practices and Workplace Safety; Clients, Products and Business Practices; Damage to Physical Assets; Business Disruption and System Failures; and Execution, Delivery and Process Management. Industry data (e.g. ORX) typically shows EDPM highest by frequency and CPBP highest by total value.

What is the difference between a KRI and a KCI?

A Key Risk Indicator (KRI) is a forward-looking, predictive metric that signals changes in RISK exposure (e.g. patches overdue, staff turnover, transaction volume vs capacity). A Key Control Indicator (KCI) measures CONTROL performance and effectiveness (e.g. percentage of access reviews completed within SLA, reconciliation breaks cleared on time). KRIs answer 'is risk rising?'; KCIs answer 'is the control working?'.

When did DORA become applicable in the EU?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) entered into force on 16 January 2023 and became applicable from 17 January 2025 to a wide range of EU financial entities and to designated Critical ICT Third-Party Providers (CTPPs). Its five pillars are ICT risk management, ICT incident reporting, digital operational resilience testing (including TLPT), ICT third-party risk management, and information sharing.