CH 7 Operational Risk and Resiliency K4Y46IJXRZ

Uploaded by Prateek Baldwa

We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

FRM Part II Exam

By AnalystPrep

Questions with Answers - Operational Risk and Resiliency

Last Updated: Feb 24, 2024

©2024 AnalystPrep “This document is protected by International copyright laws. Reproduction and/or distribution of this document is prohibited. Infringers will be prosecuted in their local jurisdictions.”



Table of Contents

103 - Introduction to Operational Risk and Resilience
104 - Risk Governance
105 - Risk Identification
106 - Risk Measurement and Assessment
107 - Risk Mitigation
108 - Risk Reporting
109 - Integrated Risk Management
110 - Cyber-resilience: Range of Practices
111 - Case Study: Cyberthreats and Information Security Risks
112 - Sound Management of Risks related to Money Laundering and Financing of Terrorism
113 - Case Study: Financial Crime and Fraud
114 - Guidance on Managing Outsourcing Risk
115 - Case Study: Third-Party Risk Management
116 - Case Study: Investor Protection and Compliance Risks in Investment Activities
117 - Supervisory Guidance on Model Risk Management
118 - Case Study: Model Risk and Model Validation
119 - Stress Testing Banks
120 - Risk Capital Attribution and Risk-Adjusted Performance Measurement
121 - Range of Practices and Issues in Economic Capital Frameworks
122 - Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice
123 - Capital Regulation Before the Global Financial Crisis
124 - Solvency, Liquidity and Other Regulation After the Global Financial Crisis
125 - High-level Summary of Basel III Reforms
126 - Basel III: Finalising Post-Crisis Reforms


Reading 103: Introduction to Operational Risk and Resilience

Q.5044 Which of the following risks falls within the scope of an operational risk management
(ORM) framework?

A. Credit risk associated with a company's investments in the stock market.

B. Political risk resulting from changes in government policies.

C. Legal risk arising from breach of contracts, laws and legislations.

D. Interest rate risk associated with fluctuations in interest rates.

The correct answer is C.

An operational risk management (ORM) framework encompasses a wide range of risks that can affect an organization's operations. The operational risk definition provided by the BCBS includes legal risk but excludes strategic and reputational risk. Legal risk refers to the potential for losses or liabilities arising from contractual breaches, legal relevance, laws and regulations, and the risk of financial harm in the event of errors or breaches. Legal losses can be associated with various operational event types, but they are particularly linked to event types 3 (Employment practices and workplace safety) and 7 (Execution, delivery, and process management). While credit risk, political risk, and interest rate risk are important risks to manage, they fall outside the scope of operational risk management and are typically managed separately.

A is incorrect. Credit risk, the risk of loss arising from a borrower's failure to repay a debt or meet its obligations, falls under the category of credit risk management, which is a separate type of risk management framework.

B is incorrect. While political risk can affect an organization's operations, it falls outside the scope of operational risk management. Political risk is typically managed through a separate type of risk management framework known as geopolitical risk management.

D is incorrect. Interest rate risk is the risk of loss resulting from fluctuations in interest rates. This type of risk falls under the category of market risk management, which is another type of risk management framework.


Q.5045 Mr. Jonathan Howard, FRM, is presenting on the ORM framework. Jonathan highlights
several points regarding the ORM framework. Which of the following statements made by
Jonathan is incorrect?

A. Companies should develop a holistic picture of their risk management practices to
understand the relationships between actions, tools, and techniques

B. A good ORM framework should include governance and conduct risk as the umbrella
of all other risk management actions

C. Regulated financial service companies are required to define their risk appetite and
tolerance as a means of achieving their objectives

D. Risk monitoring focuses on the definition, discovery, selection, and categorization of
the risks faced by a business or in a given activity

The correct answer is D.

The statement that 'Risk monitoring focuses on the definition, discovery, selection, and categorization of the risks faced by a business or in a given activity' is incorrect. In the context of Operational Risk Management (ORM), risk identification, not risk monitoring, is the process that focuses on the definition, discovery, selection, and categorization of risks. This process aims to identify as many risks as possible that a business or a given activity might face. On the other hand, risk monitoring is a continuous process that tracks and reports on identified risks and the effectiveness of risk mitigation strategies. It involves the regular review of risk management activities and the updating of risk information to ensure that the risk management strategy remains effective.

Choice A is incorrect. This statement is accurate as it emphasizes the importance of a holistic approach in risk management practices. Understanding the relationships between actions, tools, and techniques helps companies to identify potential risks and develop effective strategies to mitigate them.

Choice B is incorrect. This statement correctly highlights that a good ORM framework should include governance and conduct risk as an overarching element of all other risk management actions. Governance ensures that risks are managed according to the company's policies and procedures, while conduct risk relates to the risks associated with unethical or inappropriate behavior by employees.

Choice C is incorrect. The statement accurately reflects that regulated financial service companies are required to define their risk appetite and tolerance as part of their strategic objectives. Risk appetite refers to the level of risk a company is willing to accept in pursuit of its objectives, while risk tolerance refers to the degree of variability in investment returns that an organization can withstand.

Q.5046 A risk analyst analyzes the types of risks that fall within the ORM framework. Which of
the following statements made by the analyst is incorrect?

A. According to BCBS, the definition of operational risk includes legal risk and strategic
risk but excludes reputational risk.

B. Recently, BCBS clarified that reputation and strategic risks should be considered by
banks where appropriate.

C. Compliance risks occur when an institution incurs fines due to knowingly or
unknowingly ignoring the industry's set of rules and regulations.

D. We can argue that strategic risk forms part of the operational risk of an organization.

The correct answer is A.

The Basel Committee on Banking Supervision (BCBS) defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal risk, but excludes strategic and reputational risk. Therefore, the statement in choice A is incorrect because it incorrectly includes strategic risk and excludes reputational risk in the definition of operational risk according to BCBS.

It's important to note that the BCBS's definition of operational risk is widely accepted and used in the banking industry. The inclusion of legal risk in the definition reflects the potential for losses due to legal or regulatory actions, while the exclusion of strategic and reputational risk indicates that these types of risks are considered separate and distinct from operational risk. This distinction is crucial for effective risk management, as it helps organizations to identify, assess, and mitigate different types of risks appropriately.

Choice B is incorrect. The Basel Committee on Banking Supervision (BCBS) has indeed clarified that banks should consider reputational and strategic risks where appropriate. This statement aligns with the principles of ORM, which emphasize the importance of considering all types of risks that can impact an organization's operations.

Choice C is incorrect. Compliance risk does occur when an institution incurs fines due to knowingly or unknowingly ignoring industry rules and regulations. This type of risk falls under operational risk as it directly impacts the day-to-day operations and overall functioning of an organization.

Choice D is incorrect. It can be argued that strategic risk forms part of operational risk, as strategic decisions can have a direct impact on an organization's operations. However, this does not mean that all strategic risks are operational in nature; some may relate more closely to other categories such as market or credit risk.

Q.5047 Which of the following statements best illustrates the evolution of compliance risk
management in the financial industry?

A. Compliance risk has gradually become less significant, as evidenced by the reduced
number of regulatory fines in recent years.

B. Compliance risk was initially captured by event types 3 (EPWS) and 7 (EDPM), but has
since evolved to be managed separately.

C. Regulatory fines for compliance risk breaches have increased over time, prompting
banks to establish dedicated departments for compliance risk management.

D. Operational risk management departments now oversee compliance departments in
most large banks, reflecting the growing importance of operational risk.

The correct answer is C.

The significance of compliance risk in the financial industry has indeed escalated over the years. This is evident from the increasing regulatory fines imposed on financial institutions for breaches in compliance. For instance, HSBC was fined $1.9 billion in 2012, and Lloyds Banking Group was fined £21.9 billion. These hefty penalties have prompted many large banks to establish dedicated departments specifically for managing compliance risk. In some banks, such as JPMC and BNPP, the operational risk management department is situated within the compliance department, indicating the growing importance of compliance risk. Therefore, statement C accurately illustrates the evolution of compliance risk management in the financial industry.

Choice A is incorrect. The significance of compliance risk in the financial industry has not diminished over time. In fact, it has become more prominent due to increased regulatory scrutiny and the potential for significant fines and reputational damage resulting from non-compliance.

Choice B is incorrect. While event types 3 (EPWS) and 7 (EDPM) may have initially captured some aspects of compliance risk, it's not accurate to say that compliance risk management evolved from these categories. Compliance risk has always been a distinct area requiring specialized knowledge and strategies.

Choice D is incorrect. Although operational risk management is an important function within banks, it does not typically oversee the compliance department. These are separate functions with different responsibilities - operational risk focuses on risks arising from failed processes or systems, while compliance ensures adherence to laws and regulations.

Q.5048 BCBS categorizes operational risk into seven broad categories, commonly known as
"Basel types level 1." These types are further divided into regulatory types (level 2) and examples
(level 3). An FRM Part II candidate highlights several points regarding the Basel event risk type
categories. Which of the following statements is correct?

A. Internal fraud and external fraud are under the same event risk category

B. Acts that go against laws put in place to safeguard the health, safety, and general
well-being of employees and customers fall under clients, products, and business practices

C. Issues such as data entry errors and unfinished legal documents fall under execution,
delivery, and process management

D. Losses due to theft and hacking are examples of event risks under the damage to
physical assets category

The correct answer is C.


The category of 'execution, delivery, and process management' under the BCBS's operational risk framework encompasses issues related to the failure to execute transactions and manage processes correctly. This includes data entry errors and unfinished legal documents. These issues can lead to operational losses and are therefore considered as operational risks. The BCBS's framework is designed to help financial institutions identify, assess, monitor, and mitigate these risks. By categorizing these risks, institutions can develop targeted strategies to manage them and reduce potential losses.

Choice A is incorrect. Internal fraud and external fraud are not under the same event risk category. Internal fraud falls under the 'Internal Fraud' category, which includes acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity & discrimination events, involving at least one internal party. On the other hand, external fraud falls under the 'External Fraud' category, which includes acts of a type intended to defraud, misappropriate property or circumvent the law by a third party.

Choice B is incorrect. Acts that go against laws put in place to safeguard health and safety do not fall under clients, products and business practices but rather they fall under 'Employment Practices and Workplace Safety'. This category includes acts inconsistent with employment, health or safety laws or agreements from payment of personal injury claims or diversity & discrimination events.

Choice D is incorrect. Losses due to theft and hacking do not fall under damage to physical assets but rather they are categorized as 'External Fraud'. The damage to physical assets refers more towards natural disaster-induced losses such as those from earthquakes or floods.


Q.5049 Which of the following is most likely an example of execution, delivery, and process
management (EDPM) type of operational risk of the “Basel types level 1”?

A. Destruction of equipment

B. Employment contract termination

C. Vendor disputes

D. Unauthorized activities by employees

The correct answer is C.

Vendor disputes fall under the category of Execution, Delivery, and Process Management (EDPM) type of operational risk according to the Basel types level 1 classification. EDPM risks are associated with failed transaction processing or process management, or from relations with trade counterparties and vendors. Vendor disputes can arise due to disagreements over the terms of contracts, quality of goods or services provided, payment issues, or other aspects of the vendor-client relationship. These disputes can disrupt the normal operations of a business, leading to financial losses and reputational damage. Therefore, managing vendor disputes effectively is a crucial aspect of operational risk management.

Choice A is incorrect. Destruction of equipment falls under the category of Physical Environment and Safety Risks, not Execution, Delivery, and Process Management (EDPM). This type of risk involves damage to physical assets or inability to use them due to natural or man-made disasters.

Choice B is incorrect. Employment contract termination is more likely to be classified as an Employment Practices and Workplace Safety Risk rather than EDPM. This type of risk arises from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.

Choice D is incorrect. Unauthorized activities by employees are typically categorized as Internal Fraud under Basel's classification system for operational risks. These activities involve acts intended to defraud, misappropriate property or circumvent regulations, the law or company policy that are perpetrated by an entity’s own staff.


Q.5051 An investment firm has contracted a risk professional and wishes to discuss the
characteristics of operational loss events and challenges that may arise in managing operational
risk. Which of the following characteristics correctly matches its description?

A. Heterogeneous – Operational risk is highly varied because it encompasses diverse risks,
such as fraud in retail transactions

B. Idiosyncratic and diffuse – The distribution of operational risk is highly skewed, with a
higher concentration of the density being in the lowest part of the distribution

C. Interconnected – Operational risk arises from each person and process within the firm;
therefore, everyone has to take part in managing operational risk

D. Heavy-Tailed – Operational risk is evolving in nature

The correct answer is A.

Operational risk is indeed heterogeneous. This means that it is highly varied and encompasses a wide range of diverse risks. For example, operational risk can include risks such as fraud in retail transactions, system failures, process inefficiencies, and human errors. Each of these risks has different causes, consequences, and distributions of losses. This diversity in operational risk makes it challenging for risk professionals to manage, as they need to understand and mitigate a wide range of potential risks. Therefore, a comprehensive and flexible risk management strategy is required to effectively manage operational risk.

Choice B is incorrect. While operational risk can indeed be idiosyncratic and diffuse, the statement that the distribution of operational risk is highly skewed with a higher concentration of density in the lowest part of the distribution is not necessarily accurate. Operational risks can have severe impacts, and their distribution may not always be skewed towards lower severity events. The severity and frequency of operational risk events can vary greatly depending on numerous factors such as the nature of operations, controls in place, etc.

Choice C is incorrect. Although it's true that everyone within a firm has a role to play in managing operational risk because it arises from each person and process within the firm, this does not accurately describe a characteristic of operational risk events themselves. Rather, it describes an approach to managing such risks.

Choice D is incorrect. The statement that "Operational risk is evolving in nature" does not specifically characterize operational risk events or their implications for managing operational risks. While it's true that these risks evolve over time due to changes in processes, systems or the external environment, this choice doesn't provide specific insight into characteristics or implications for management strategies related to these types of risks.

Q.5052 Bank ABC wishes to strengthen its operational resilience. The bank invites a consultant
to give more insights into this area. In his definition of resilience, the consultant clarifies that
according to BCBS, resilience cannot be defined in a single sentence but rather comprises four
components. Which of the following components is correctly defined?

A. Continuity of business services: To contribute to the stability of the system, firms
should respond to disruptions, maintain trust among key stakeholders, and provide
clarity of communication during a crisis

B. Important business services: From a process-based view of continuity, the regulator
moved to a service-based view to ensure continuity

C. Management of disruption: It protects vital business services from disruption

D. Lessons learned: Firms should learn from past events and cover predictable shocks
only

The correct answer is B.

The term 'Important business services' refers to the shift in focus from a process-based view of continuity to a service-based view. This shift is crucial to ensure the continuity of operations. In the process-based view, the emphasis is on maintaining the continuity of specific processes within the organization. However, this approach may not necessarily ensure the continuity of the overall business services that the organization provides. Therefore, the regulator moved to a service-based view. In this approach, the focus is on ensuring the continuity of the services that the organization provides, regardless of the specific processes involved. This approach is more holistic and is better suited to ensuring operational resilience in the face of disruptions.

Choice A is incorrect. While continuity of business services does involve responding to disruptions and maintaining trust among key stakeholders, it does not necessarily provide clarity of communication during a crisis. This component primarily focuses on ensuring that critical operations continue to function during a disruption, rather than on communication strategies.

Choice C is incorrect. The management of disruption involves more than just protecting vital business services from disruption. It also includes identifying potential sources of disruption, assessing their impact, and developing strategies to mitigate their effects.

Choice D is incorrect. Lessons learned should not only cover predictable shocks but also unpredictable ones. Firms should learn from all past events and use this knowledge to improve their resilience against future disruptions, regardless of whether these disruptions are predictable or not.

Q.5053 The Federal Reserve's Sound Practices for Strengthening Operational Resilience,
published in 2020 along similar business lines and tolerance levels, illustrates that operational
resilience is an important element in an Operational Risk Management Framework. Which of the
following is not a regulatory expectation for operational resilience in line with the BCBS?

A. Effective coordination of ORM relies on a solid foundation of governance and assigning
roles and responsibilities to each party.

B. Firms are required to monitor and report the coordination and maintenance of
Business Continuity Management (BCM) and IT systems resilience.

C. A strong ORM framework is necessary in order to achieve operational resilience.

D. Firms are required to reduce their reliance on third parties.

The correct answer is D.

The statement that firms are required to reduce their reliance on third parties is not a regulatory expectation for operational resilience in line with the BCBS. The Federal Reserve's Sound Practices for Strengthening Operational Resilience does not encourage firms to reduce their use of third parties. Instead, it encourages firms to properly manage third parties as they are among typical areas that can expose firms to significant risks. This includes ensuring that third parties adhere to the same standards of operational resilience as the firm itself, and that they have robust contingency plans in place to manage potential disruptions. This approach recognizes the interconnected nature of modern financial systems, where third-party service providers often play a critical role in a firm's operations. Reducing reliance on third parties is not a practical or effective strategy for enhancing operational resilience. Instead, firms should focus on managing and mitigating the risks associated with third-party relationships.

Choice A is incorrect. The Basel Committee on Banking Supervision (BCBS) indeed expects effective coordination of ORM to rely on a solid foundation of governance and assigning roles and responsibilities to each party. This is a key aspect of operational resilience as it ensures that all parties involved in the ORM process understand their roles and responsibilities, thereby reducing the risk of errors or oversights.

Choice B is incorrect. According to BCBS, firms are indeed required to monitor and report the coordination and maintenance of Business Continuity Management (BCM) and IT systems resilience. This requirement ensures that firms are actively managing their operational risks, including those related to business continuity and IT systems.

Choice C is incorrect. As per BCBS guidelines, a strong ORM framework is necessary in order to achieve operational resilience. Without an effective ORM framework in place, it would be difficult for a firm to manage its operational risks effectively.


Reading 104: Risk Governance

Q.5054 Mr. Rihan, a risk specialist at Bank ABC, is presenting to the board of directors on the
Basel regulatory expectations for the governance of an operational risk management
framework. What is the purpose of supervisory risk management in the ORM framework of
banks in this context?

A. To create a paper trail of compliance activities.

B. To only identify material risks per the firm's risk appetite.

C. To develop robust governance policies and processes and manage material risks per
the firm's risk appetite.

D. To oversee all the activities of banks.

The correct answer is C.

Supervisory risk management in the ORM framework of banks is a comprehensive process that involves several key steps. These include assessing the risk profile in a forward-looking manner, developing robust governance policies and processes, identifying and managing all material risks in line with the firm's risk appetite, and ensuring an effective control environment. The goal of these activities is to establish a robust risk management framework that can effectively manage the bank's operational risks. This is not merely about creating a paper trail of compliance activities, but rather about creating a sound and effective risk management system that can protect the bank from potential losses and ensure its long-term sustainability.

Choice A is incorrect. While creating a paper trail of compliance activities is part of the supervisory risk management's role, it does not fully define their role within the ORM framework. The supervisory risk management's role extends beyond just documenting compliance activities; it also includes developing robust governance policies and managing material risks in line with the firm's risk appetite.

Choice B is incorrect. Identifying material risks per the firm's risk appetite is indeed a part of supervisory risk management, but this alone does not encompass its entire role within the ORM framework. Supervisory risk management also involves developing and implementing robust governance policies and processes to manage these identified risks.

Choice D is incorrect. Overseeing all activities of banks goes beyond the scope of supervisory risk management within an ORM framework. While they do have oversight responsibilities, these are specifically related to operational risks and associated governance policies rather than all bank activities.


Q.5055 In an FRM presentation on the Basel regulatory expectations for the governance of an
operational risk management framework, an FRM candidate wishes to know how one can
examine whether the ORM framework is being implemented at a firm. Which of the following
questions should not be used to examine the above case?

A. Is there evidence that all material events are captured in event reports?

B. Does the value of each risk indicator come from an independent source?

C. Are the presented data sufficient for decision-making?

D. Does the information pertain to the senior management?

The correct answer is D.

'Does the information pertain to the senior management?' is not an appropriate question to evaluate the implementation of an ORM framework. The question is not relevant because the information should pertain to the level of management it is intended for, not specifically to the senior management. The ORM framework is a comprehensive approach that involves all levels of management, not just the senior management. Therefore, the information should be relevant and useful to all involved parties, not just the senior management. The focus should be on whether the information is sufficient for decision-making at all levels, not just at the senior level.

Choice A is incorrect. Asking for evidence that all material events are captured in event reports is a valid inquiry. This helps to ensure that the ORM framework is comprehensive and captures all significant operational risks.

Choice B is incorrect. Checking if the value of each risk indicator comes from an independent source is also a relevant question. Independent sources can provide unbiased data, which contributes to the accuracy and reliability of risk indicators.

Choice C is incorrect. Assessing whether the presented data are sufficient for decision-making forms an integral part of evaluating an ORM framework's effectiveness. If the data provided are not adequate or relevant, it could lead to poor decision-making and ineffective risk management.

Q.5056 A company's operational risk is managed through several committees that make collegial
decisions based on information provided by different levels of the firm's decision-making
hierarchy and information escalated by those committees. Which of the following is the correct
function of the operational risk committee?

A. Overseeing, managing, and reporting to the executive risk committee

B. Overseeing the activities of a specific business line or function

C. Overseeing all operational risks

D. Reviewing and monitoring the investigation of large incidents

The correct answer is A.

The primary function of an operational risk committee is to oversee, manage, and report a

comprehensive picture of the company's operational risks to the executive risk committee,

management committee, and board risk committee. This involves coordinating with various

levels of the firm's decision-making hierarchy and ensuring that relevant information is escalated

to the appropriate committees. The operational risk committee plays a crucial role in the

company's risk management structure by providing a holistic view of operational risks, which

enables the executive risk committee and the board risk committee to make informed decisions

about risk mitigation strategies and policies.

Choice B is incorrect. While an operational risk committee may oversee the activities of a

specific business line or function, this is not its primary function. The main role of the

operational risk committee is to oversee, manage and report on all operational risks to the

executive risk committee.

Choice C is incorrect. Although overseeing all operational risks might seem like a plausible

answer, it's not entirely accurate. The primary responsibility of an operational risk committee

isn't just oversight but also managing and reporting these risks to the executive risk committee.

Choice D is incorrect. Reviewing and monitoring investigations of large incidents are part of

the responsibilities of an operational risk committee but it does not constitute its primary

function. Its main role involves overseeing, managing and reporting on all aspects related to

operational risks.

Q.5057 The 3rd principle of operational risk management outlines the roles of the board of
directors in operational risk governance. Which of the following roles of the board is in line with
principle 3?

A. Identify the types and levels of operational risks the bank is willing to assume, as well
as approve risk appetite and risk tolerance statements

B. Regularly review the bank's risk appetite and tolerance statements' appropriateness

C. Ensure the ORM framework is subject to independent review by sufficiently skilled
personnel

D. Ensure that they consider all risks when approving the bank's risk appetite and
tolerance statements which provide details on risk limits and thresholds.

The correct answer is C.

The third principle of operational risk management (ORM) emphasizes the board of directors'

responsibility to ensure that the ORM framework is subject to independent review by sufficiently

skilled personnel. This principle underscores the importance of independent review in identifying

potential weaknesses in the ORM framework and ensuring its effectiveness. The board of

directors, as the governing body of the bank, is responsible for ensuring that the ORM

framework is robust and capable of managing operational risks effectively. This includes

ensuring that the framework is reviewed independently by personnel with the necessary skills

and expertise. Independent review provides an unbiased assessment of the ORM framework,

which can help identify areas for improvement and ensure that the framework is aligned with the

bank's operational risk profile.

Choice A is incorrect. While the board of directors plays a crucial role in operational risk

management, it is not their responsibility to identify the types and levels of operational risks the

bank is willing to assume. This task typically falls under the purview of risk management

professionals within the organization who have specialized knowledge and expertise in

identifying and assessing various types of risks.

Choice B is incorrect. Although reviewing the appropriateness of risk appetite and tolerance

statements regularly is an important aspect of ORM, this responsibility does not specifically fall

under the third principle which addresses the board's role in governing operational risk. The

third principle primarily focuses on ensuring that ORM framework undergoes independent

review by sufficiently skilled personnel.

Choice D is incorrect. Ensuring consideration for all risks when approving risk appetite and

tolerance statements, which provide details on risk limits and thresholds, does not fall under the

third principle's purview concerning governing operational risk by board members. This aspect

may be part of other principles but not specifically addressed in Principle 3.

Q.5058 The Bank of India wishes to get a deeper understanding of the three lines of defense. To
achieve this, the bank has invited an operational risk specialist to shed more light on this topic.
Which of the following roles did the specialist highlight under the first line of defense?

A. Monitoring and reporting the operational risk profiles of business units

B. The development and maintenance of operational risk management and measurement
policies, standards, and guidelines, as well as the design and delivery of operational risk

C. Reviewing other lines of business

D. Reviewing and taking part in the monitoring and reporting of the operational risk
profile

The correct answer is A.

The first line of defense in the three lines of defense model in operational risk management is

primarily responsible for managing operational risk on a day-to-day basis. This includes

identifying, assessing, controlling, and mitigating operational risks. One of the key

responsibilities of the first line of defense is to keep track of the operational risk profiles of the

business units and report them. This involves monitoring the operational risks inherent in the

business, developing appropriate controls to manage these risks, and evaluating the

effectiveness and design of these controls. By keeping track of the operational risk profiles, the

first line of defense can provide timely and accurate information to the second line of defense,

which is responsible for overseeing the operational risk management framework and policies.

Choice B is incorrect. The development and maintenance of operational risk management and

measurement policies, standards, and guidelines, as well as the design and delivery of

operational risk, are typically responsibilities associated with the second line of defense. The first

line of defense primarily involves managing risks on a day-to-day basis.

Choice C is incorrect. Reviewing other lines of business is not a primary responsibility

associated with any specific line of defense in the three-line model. Each line has its own set of

responsibilities related to risk management.

Choice D is incorrect. This task falls under both the second and third lines, which provide

oversight functions.

Q.5059 The second line of defense, also referred to as the independent corporate operational risk
function (CORF), is involved in policy setting and provides assurance over first-line activities.
The CORF generally complements the operational risk management activities of individual
business lines. The following are the responsibilities of the second line of defense, except:

A. Establishing an independent view of the business units' risk management activity

B. Evaluating and identifying operational risks inherent in the business

C. Reviewing and taking part in the monitoring and reporting of the operational risk
profile

D. Assessing the relevance and consistency of the department's implementation of
operational risk management tools, measurement activities, and reporting systems

The correct answer is B.

Evaluating and identifying operational risks inherent in the business is not a responsibility of the

second line of defense, but rather, it is a role of the first line of defense. The first line of defense,

which includes business units and process owners, is directly responsible for managing and

mitigating operational risks. They are the ones who are in the best position to identify and

evaluate the risks inherent in their respective business operations. The second line of defense,

on the other hand, is more focused on providing oversight, developing and maintaining

operational risk management policies, and ensuring the effectiveness of the first line's risk

management activities.

Choice A is incorrect. The second line of defense, or the CORF, is indeed responsible for

establishing an independent view of the business units' risk management activity. This involves

independently assessing and challenging the first line's activities to ensure that they are in line

with the organization's risk appetite and policies.

Choice C is incorrect. The CORF does play a role in reviewing and participating in monitoring

and reporting on operational risk profiles. This helps to provide assurance over first-line

activities by ensuring that they are accurately reported and monitored.

Choice D is incorrect. The second line also assesses how relevantly and consistently

departments implement operational risk management tools, measurement activities, and

reporting systems to ensure compliance with organizational policies.

Q.5060 The third line of defense consists of the bank's audit function, which performs
independent oversight of the first two lines. Everyone involved in the auditing process must not
be a participant in the process under review. According to the Institute of Internal Auditors (IIA,
2017), in which of the following ways should the internal audit not interact with risk
management, compliance, board of directors and finance?

A. Corporate governance structures must include effective risk management, compliance,
and finance functions.

B. A company's internal audit should never rely exclusively on risk management,
compliance, or finance to evaluate the effectiveness of internal controls.

C. The internal audit should make informed decisions regarding the appropriateness of
incorporating relevant work handled by others, such as risk management, compliance, or
finance.

D. The internal audit should ensure that a company's operations follow the laws,
regulations, and industry standards.

The correct answer is D.

The statement that 'The internal audit should ensure that a company's operations follow the

laws, regulations, and industry standards' is incorrect in the context of the internal audit's

interaction with risk management, compliance, board of directors, and finance. This is because

ensuring that a company follows the laws, regulations, and industry standards is primarily a role

of the compliance function, not the internal audit. The internal audit's role is to provide

independent oversight and assessment of the effectiveness of these functions, not to perform

their duties. Therefore, this statement does not accurately represent the way the internal audit

should interact with these functions according to the Institute of Internal Auditors (IIA, 2017).

Choice A is incorrect. The IIA does indeed state that corporate governance structures must

include effective risk management, compliance, and finance functions. This is a crucial part of

ensuring the overall health and effectiveness of an organization's internal controls.

Choice B is incorrect. According to the IIA, an internal audit should not rely solely on other

functions such as risk management, compliance or finance to evaluate the effectiveness of

internal controls. It should independently assess these controls to ensure their adequacy and

effectiveness.

Choice C is incorrect. The IIA also recommends that the internal audit make informed

decisions about whether or not to incorporate relevant work done by others in its own

assessments. This means it can consider information from risk management, compliance or

finance but it must still conduct its own independent evaluation.

Q.5061 According to the 4th principle of operational risk management, the board must identify
the types and levels of operational risks the bank is willing to assume, as well as approve risk
appetite and risk tolerance statements. Which of the following is not a correct feature of these
statements?

A. Be easy to communicate and understand

B. Provide reasons for taking or avoiding certain operational risks

C. Be forward-looking and subject to scenario and stress testing

D. Perform scenario analysis retrospectively

The correct answer is D.

'Perform scenario analysis retrospectively' is not a correct feature of risk appetite and risk

tolerance statements according to the 4th principle of operational risk management. These

statements are meant to be forward-looking and subject to scenario and stress testing. This

means they should anticipate future scenarios and risks, rather than analyzing past scenarios

retrospectively. The purpose of these statements is to guide the bank's future actions and

decisions regarding operational risks, so they need to be proactive and forward-thinking, not

retrospective.

Choice A is incorrect. The risk appetite and tolerance statements should indeed be easy to

communicate and understand. This ensures that all stakeholders, including the board,

management, employees, and even external parties such as regulators or investors have a clear

understanding of the bank's approach to operational risk.

Choice B is incorrect. Providing reasons for taking or avoiding certain operational risks is an

important feature of these statements. It helps in aligning the bank's strategic objectives with its

operational risk management framework.

Choice C is incorrect. Being forward-looking and subject to scenario and stress testing are key

characteristics of these statements according to the 4th principle of operational risk

management. This allows banks to anticipate potential future risks and prepare accordingly.

Q.5062 Mr. Ibrahim Rashid is a lecturer at Oxford University. In one of his lectures on risk
appetite and tolerance, Rashid states several points regarding risk appetite and risk tolerance.
Which of the following statements made by Rashid is incorrect?

A. As a good practice of risk appetite, a risk owner should be assigned to each risk type;
control owners to design, implement, and evaluate controls

B. Risk appetite should be consistent with the firm's objectives and the firm's risk
management strategy

C. To demonstrate their risk appetite and tolerance for disruptions, firms must set
maximum impact tolerances for critical business services

D. Risk appetite and tolerance statement for operational risk to be approved and
periodically reviewed by senior management

The correct answer is D.

The statement that the risk appetite and tolerance statement for operational risk should be

approved and periodically reviewed by senior management is incorrect. In reality, the

responsibility for approving and periodically reviewing the risk appetite and tolerance statement

for operational risk lies with the board, not senior management. The board, as the highest

governing body of an organization, has the ultimate responsibility for setting the organization's

risk appetite and ensuring that it aligns with the organization's overall strategy and objectives.

Senior management, on the other hand, is responsible for implementing the risk appetite set by

the board and ensuring that it is adhered to throughout the organization. Therefore, while senior

management plays a crucial role in risk management, the approval and review of the risk

appetite and tolerance statement is a responsibility that falls to the board.

Choice A is incorrect. Assigning a risk owner to each risk type and control owners to design,

implement, and evaluate controls is indeed a good practice of risk appetite. This ensures that

there are individuals who are responsible for managing specific risks and implementing

necessary controls.

Choice B is incorrect. Risk appetite should indeed be consistent with the firm's objectives and

the firm's risk management strategy. This ensures that the level of risk taken by the organization

aligns with its strategic goals.

Choice C is incorrect. Firms do need to set maximum impact tolerances for critical business

services to demonstrate their risk appetite and tolerance for disruptions. This helps in managing

potential losses from unexpected events.

Reading 105: Risk Identification

Q.5065 Which of the following is most likely a document that includes all operational risks of a
firm, the likelihood of the risks and the controls applied to each risk?

A. Risk universe

B. Top-ten risks

C. Risk register

D. Shock scenarios

The correct answer is C.

The risk register is the central repository of all operational risks in financial firms. It is a

document that includes all operational risks of a firm, the likelihood of the risks and the controls

applied to each risk. The risk register is a critical tool in risk management as it provides a

comprehensive view of all the risks a firm is exposed to, their potential impact, and the measures

taken to mitigate them. It is a dynamic document that is updated regularly to reflect changes in

the risk landscape. The risk register helps in prioritizing risks based on their likelihood and

impact, and in developing appropriate risk response strategies. It also serves as a

communication tool to inform all stakeholders about the risks and the actions taken to manage

them.

Choice A is incorrect. A Risk universe is a tool used to identify potential risks in different areas

of an organization. While it does list out all possible risks, it does not necessarily include their

respective likelihoods or the specific controls implemented to mitigate each risk.

Choice B is incorrect. The Top-ten risks document typically lists only the most significant risks

faced by an organization, rather than a comprehensive list of all operational risks. Furthermore,

this document may not always detail the likelihoods of these risks or the specific controls

implemented for mitigation.

Choice D is incorrect. Shock scenarios are hypothetical extreme events used for stress testing

and do not provide a comprehensive list of all operational risks, their respective likelihoods, and

mitigation strategies.

Q.5066 Which of the following four main categories of controls are implemented to reduce the
likelihood of risks materializing by mitigating their possible causes?

A. Detective controls

B. Corrective controls

C. Preventative controls

D. Directive controls

The correct answer is C.

Preventative controls are designed to reduce the likelihood of risks materializing by mitigating

their possible causes. These controls are proactive measures that are put in place to prevent an

undesirable event from occurring. They are designed to manage risks before they have an impact

on the organization. Preventative controls may include a wide range of activities such as system

and process design, training, and supervision. The goal of these controls is to identify potential

risks and take action to eliminate or reduce them before they can affect the organization. This is

achieved by identifying the potential causes of risks and implementing measures to mitigate

these causes. Examples of preventative controls include access controls, segregation of duties,

and approval authorities.

Choice A is incorrect. Detective controls are not designed to mitigate the possible causes of

risks, but rather to identify and react to instances where a risk has materialized. They are

reactive in nature and come into play after a risk event has occurred.

Choice B is incorrect. Corrective controls, similar to detective controls, are also reactive in

nature. They aim at correcting or rectifying the situation after a risk event has occurred rather

than mitigating the possible causes of risks.

Choice D is incorrect. Directive controls guide actions towards compliance with policies and

procedures but they do not specifically target the mitigation of potential causes of risks.

Q.5067 Which of the following risk identification processes begins at the executive level, then to
the business units and finally to individual business processes?

A. Bottom-up risk identification

B. Event and loss data analysis

C. Top-down risk identification

D. Risk and control self-assessment

The correct answer is C.

This process begins at the highest level of the organization, typically the board or executive

level. The purpose of this approach is to identify risks that could potentially impact the strategic

objectives of the organization. From the executive level, the process moves down to the various

business units, where risks related to specific operational activities are identified. Finally, the

process reaches the individual business processes, where risks associated with specific tasks or

procedures are identified. This approach ensures that risks are identified and assessed in the

context of the organization's overall strategic objectives, and that risk management activities are

aligned with these objectives.

Choice A is incorrect. Bottom-up risk identification starts at the individual business processes

and moves up to the various business units, and finally reaches the executive or board level. This

is opposite to what is described in the question.

Choice B is incorrect. Event and loss data analysis involves studying past events and losses to

identify potential risks. It does not necessarily follow a hierarchical process from top (executive

or board level) to bottom (individual business processes).

Choice D is incorrect. Risk and control self-assessment (RCSA) involves individuals assessing

their own risks within their respective roles or departments, rather than a process that initiates

at the executive or board level.

Q.5068 Which of the following most likely describes risks that a firm has identified as being on the
horizon, relatively small but on the rise with the potential for significant impact in the future?

A. Emerging risks

B. Risk universe

C. Taxonomies

D. Risk register

The correct answer is A.

Emerging risks are risks that a firm has identified as being on the horizon, relatively small but on

the rise with the potential for significant impact in the future. These risks are not yet fully

understood, making them difficult to quantify and manage. They could be related to a variety of

factors, including changes in the market, technological advancements, regulatory changes, or

societal shifts. The identification and management of emerging risks is a critical aspect of a

firm's overall risk management strategy, as it allows the firm to anticipate and prepare for

potential future threats.

Choice B is incorrect. The term "Risk Universe" refers to the set of all possible risks that a firm

might face. It does not specifically refer to risks that are currently small but have the potential to

significantly impact the firm in the future.

Choice C is incorrect. Taxonomies in risk management are used for classification of risks into

different categories or levels; they do not represent a type of risk that is small now but could

have significant impact in future.

Choice D is incorrect. A Risk Register is a document used by firms to identify, assess and track

risks over time; it does not denote a specific type of risk like emerging ones which are currently

small but can potentially have significant impacts.

Q.5069 Which of the following is not a top-down risk identification tool?

A. Exposures and vulnerabilities

B. Risk wheel

C. Process mapping

D. Horizon scanning

The correct answer is C.

Process mapping is not a top-down risk identification tool. Instead, it is a bottom-up risk

identification technique. This method involves outlining the steps of a process in a detailed

manner, considering the risks associated with each specific set of actions, and asking what could

potentially go wrong at each stage. The focus here is on individual tasks or processes, and the

risks are identified at this granular level. These identified risks are then aggregated to form the

overall risk profile. This approach is in contrast to the top-down approach, where the focus is on

the overall risk profile, and then specific risks are identified by drilling down into this profile.

Choice A is incorrect. Exposures and vulnerabilities are indeed a part of top-down risk

identification tools. They involve identifying the overall risk profile by examining the potential

exposures and vulnerabilities that an organization might face.

Choice B is incorrect. The Risk wheel is also a top-down approach to risk identification. It

starts with the overall risk profile, then drills down into specific risks by considering various

factors such as external environment, internal environment, strategy and operations.

Choice D is incorrect. Horizon scanning falls under the category of top-down risk identification

tools as well. It involves looking at the broader picture or horizon to identify potential risks that

could impact an organization's overall risk profile.

Q.5070 Which of the following is not classified as an exposure under top-down risk identification
tools?

A. Critical third parties

B. Key distribution channels

C. Systems overdue for updates

D. Main drivers of revenues

The correct answer is C.

Exposures and vulnerabilities are top-down risk identification tools. Business risk exposure is

inherent in every financial firm while vulnerabilities are the weakest links in business activities.

The key benefit of using a list of exposures and vulnerabilities as a brainstorming technique for

risk identification is that it is business specific.

Examples of vulnerabilities are issues in control systems, systems overdue for updates, overdue

resolutions of issues, stand-alone systems, unmonitored operations or people, blind spots among

others.

A, B & D are incorrect. Examples of exposures are critical third parties, key persons, key

distribution channels, main drivers of revenue, sources of goodwill among others.

Q.5071 Which of the following bottom-up risk identification tools relates to incidents that could
have resulted in operational losses but did not due to interventions outside normal controls?

A. Internal losses

B. External losses

C. Near misses

D. Process mapping

The correct answer is C.

Near misses are incidents that could have resulted in an operational loss but did not because of

good luck or intervention outside of the normal course of controls. An example would be sending

funds to the wrong person but having the funds reversed before the funds could be withdrawn.

This concept is crucial in operational risk management as it helps organizations identify potential

risks and take preventive measures. By analyzing near misses, organizations can understand the

weaknesses in their operational processes and controls, and take corrective actions to prevent

actual losses in the future. This proactive approach to risk management can significantly

enhance an organization's resilience to operational risks.

Choice A is incorrect. Internal losses refer to the actual losses that a firm incurs due to

operational risk events within the organization. They do not account for incidents that did not

result in losses due to external interventions.

Choice B is incorrect. External losses are those incurred by other firms in the same industry

and are used as a benchmark or reference point for assessing potential operational risks. They

do not specifically relate to incidents that were prevented from causing loss through

interventions outside of normal controls.

Choice D is incorrect. Process mapping is a tool used in operational risk management to

identify potential risks by visually representing the steps involved in a process, their sequence,

and decision points. It does not directly deal with incidents that had the potential for loss but

were prevented due to external interventions.

Q.5072 Which of the following is not one of the six components of PESTLE that are used for
scanning horizon risks?

A. Political component

B. Economic component

C. Labor market component

D. Environmental component

The correct answer is C.

PESTLE is an acronym that stands for Political, Economic, Social, Technological, Legal, and

Environmental. These are the six components of the PESTLE analysis, a tool used by

organizations to scan their external macro-environment. Each component represents a type of

factor that can influence an organization's operations and performance.

The Labor market component is not a part of the PESTLE analysis. While labor market conditions

can certainly impact an organization, they are typically considered under the Economic or Social

components of the PESTLE analysis. Economic factors include economic growth, exchange rates,

inflation rate, and labor market conditions. Social factors include health consciousness,

population growth rate, age distribution, career attitudes, and emphasis on safety.

Therefore, the Labor market component is not one of the six components of the PESTLE analysis

used for scanning horizon risks.

Choice A is incorrect. The Political component is a part of the PESTLE analysis. It involves

understanding the impact of government policies, regulations, and political stability on an

organization's operations.

Choice B is incorrect. The Economic component is also a part of the PESTLE analysis. It

examines economic factors such as inflation rates, interest rates, foreign exchange rates,

economic growth patterns, etc., that affect an organization's operations and decision-making

process.

Choice D is incorrect. The Environmental component forms a part of the PESTLE analysis too.

This aspect looks at environmental considerations that might affect an organization like climate

change policies or natural disaster risks.

Q.5073 Which of the following is most likely a bias that an external expert can help mitigate
during scenario analysis?

A. An excessive focus on scenarios driven by internal causes

B. Myopia

C. Initiation of discussions

D. External loss data

The correct answer is B.

Myopia, also known as nearsightedness, is a cognitive bias that causes individuals to place too

much emphasis on recent events while underestimating the likelihood or impact of events in the

distant future. This bias can significantly impact the results of scenario analysis, as it may lead to

an overestimation of the likelihood or impact of recent events and an underestimation of the

likelihood or impact of future events. An external expert can help mitigate this bias by providing

an objective perspective and helping to ensure that the analysis takes into account a broad range

of potential future scenarios, not just those that are influenced by recent events.

Choice A is incorrect. An excessive focus on scenarios driven by internal causes is a bias that

can occur during scenario analysis, but it's not necessarily mitigated by an external expert. This

bias refers to the tendency of individuals within an organization to focus more on scenarios that

are driven by factors within the organization, rather than considering external factors or events.

While an external expert may provide a fresh perspective and help broaden the scope of the

analysis, they may not necessarily mitigate this particular bias.

Choice C is incorrect. Initiation of discussions is not a recognized bias in risk management or

scenario analysis. It refers to starting conversations or debates about potential risks or

scenarios, which is generally considered a positive action in risk management as it encourages

open communication and collaboration.

Choice D is incorrect. External loss data isn't a type of bias; instead, it's a source of

information used in risk management and scenario analysis to understand potential losses from

past events that have occurred outside the organization. An external expert might bring

additional insights into interpreting this data but wouldn't mitigate any biases associated with it.

Q.5074 Which of the following Basel Category level 1 events relates to losses arising from acts
inconsistent with employment, health, or safety laws or from diversity/discrimination events?

A. Client, products & business practices

B. Employment practices and workplace safety

C. Damage to physical assets

D. Business disruption and system failures

The correct answer is B.

Employment practices and workplace safety encompasses losses that arise from violations of

employment, health, or safety regulations or agreements. It also includes losses that result from

having to pay for personal injury claims, or from incidents involving diversity or discrimination.

These losses can occur in a variety of ways, such as through lawsuits, fines, or settlements. The

category is designed to capture a wide range of potential losses that can occur in the workplace,

and is a critical component of the Basel framework's approach to risk management.

Choice A is incorrect. The category of "Client, products & business practices" is associated

with losses that occur due to the failure of fiduciary responsibilities, improper business or

market practices, product flaws, and advisory activities. It does not cover losses related to

employment regulations or diversity/discrimination incidents.

Choice C is incorrect. "Damage to physical assets" refers to losses resulting from the damage

or destruction of a company's physical assets due to natural disasters or other events such as

vandalism. This category does not include losses related to non-compliance with employment,

health and safety regulations.

Choice D is incorrect. "Business disruption and system failures" pertains to losses caused by

hardware/software failures, power outages or other disruptions in normal business operations. It

does not encompass incidents related to violations of employment laws or discrimination issues.

Reading 106: Risk Measurement and Assessment

Q.5156 In the context of incident data collection recommendations by the Basel Committee,
which of the following statements is incorrect?

A. When reporting operational incidents, banks should use as many data fields as
possible to maximize the documentation of important information.

B. Companies should strive to utilize the same data fields when reporting operational
incidents.

C. While markets and credit risks usually follow easily identifiable external conditions,
operational events change more subtly and their effects are harder to predict.

D. In addition to collecting internal incident data, it is also beneficial for organizations to
analyze external loss data from other firms.

The correct answer is A.

The statement that banks should use as many data fields as possible to maximize the

documentation of important information is incorrect. While it might seem logical to include as

much information as possible, this approach can lead to several issues. For instance, it can result

in information overload, making it difficult to analyze and interpret the data. Additionally, it can

lead to excessive use of resources, as more data fields require more time and effort to fill out and

manage. Therefore, the Basel Committee recommends that banks only include the most essential

data points in their incident reports. This approach ensures that the data collected is

manageable and useful, rather than overwhelming and potentially confusing.

Choice B is incorrect. The Basel Committee guidelines do not discourage the use of the same

data fields when reporting operational incidents. In fact, consistency in data fields can help in

better comparison and analysis of incident data.

Choice C is incorrect. This statement aligns with the Basel Committee's guidelines as it

correctly identifies that operational risks are more subtle and harder to predict compared to

market and credit risks, which usually follow easily identifiable external conditions.

Choice D is incorrect. As per the Basel Committee's guidelines, analyzing external loss data

from other firms can indeed be beneficial for organizations as it provides additional insights into

potential operational risks and their impacts.

Q.5157 Joel and Mark, FRM Part II candidates, are discussing BCBS’ guidelines on the need to
report comprehensive data regarding operational risk events. During the discussion, the
following statements are made. Which statement is most likely correct?

A. While the Basel Committee has set a minimum threshold for loss reporting at €20,000
($22,000), setting reporting thresholds at zero is considered best practice so as to
capture every operational loss or simplify instructions to the business units that do not
need to estimate a loss before deciding to report incidents.

B. Regulatory guidelines dictate that firms must report any incidents causing them both
financial losses and non-financial impacts.

C. Both direct and indirect losses must be reported.

D. Grouped losses are distinct operational risk events connected through a common loss
amount.

The correct answer is C.

Both direct and indirect losses must be reported. Direct losses refer to the immediate financial

impact following an operational risk event. This could include costs associated with remediation

efforts, financial consequences arising from erroneous transactions, or compensation paid to

clients. On the other hand, indirect losses are more challenging to identify as they represent the

subsequent consequences stemming from an operational risk event. These could include

reputational damage, loss of business, or increased regulatory scrutiny, which may not have

immediate financial implications but can significantly affect the firm's operations and

profitability in the long run. Therefore, both types of losses are crucial to capture a

comprehensive picture of the operational risk landscape and inform effective risk management

strategies.

Choice A is incorrect. While it is true that the Basel Committee has set a minimum threshold

for loss reporting at €20,000 ($22,000), setting reporting thresholds at zero is not considered

best practice. This could lead to an overload of information and make it difficult for firms to

identify significant operational risk events. Furthermore, business units do need to estimate a

loss before deciding to report incidents as this helps in prioritizing and managing risks

effectively.

Choice B is incorrect. The BCBS guidelines do not dictate that firms must report any incidents

causing them both financial losses and non-financial impacts. While both types of impacts are

important, the guidelines primarily focus on financial losses as these can be quantified and

measured more accurately.

Choice D is incorrect. Grouped losses are not distinct operational risk events connected

through a common loss amount. Instead, they refer to multiple losses arising from the same root

cause or event type which are grouped together for reporting purposes.

Q.5159 What is the primary use of the Swiss Cheese model?

A. A method to assess the impact of an attack on an asset.

B. A tool for generating scenarios with FAIR methodology.

C. A framework for analyzing and identifying security.

D. A concept that uses layers of defense to prevent hazards.

The correct answer is D.

The Swiss Cheese model is primarily used as a concept that employs layers of defense to prevent

hazards. This model metaphorically represents how multiple defenses, or 'layers of cheese,' are

necessary to create effective safety systems. Each layer serves as a defense against hazards, and

each has its own weaknesses, creating holes in the protective barrier. The idea is that all

defenses need to be in place and working properly in order to protect against potential hazards.

The model was first proposed by James Reason, and it has become widely used in risk

management as a way to identify vulnerabilities and increase safety protocols.

Choice A is incorrect. The Swiss Cheese model is not primarily used to assess the impact of an

attack on an asset. While it can be used to understand how different layers of defense might

mitigate the impact of a potential hazard, its primary use is not in assessing the impact itself.

Choice B is incorrect. The Swiss Cheese model does not directly relate to FAIR (Factor

Analysis of Information Risk) methodology, which focuses on quantifying risk and uncertainty in

digital environments. The Swiss Cheese model instead provides a visual representation for

understanding how multiple layers of defense work together to prevent hazards.

Choice C is incorrect. Although the Swiss Cheese model can be used as part of a broader

security analysis framework, its primary purpose isn't for analyzing and identifying security

measures but rather illustrating how multiple defenses work together to prevent hazards from

materializing.

Q.5160 What is the purpose of Monte Carlo simulations in the FAIR model of managing
operational risk?

A. To estimate the frequency and magnitude of a potential loss event.

B. To generate scenarios with an asset at risk, a threat community, a threat type and an
effect.

C. To provide the distribution of simulated scenario losses as output.

D. To determine the best course of action to prevent a potential loss event.

The correct answer is C.

Monte Carlo simulations are used in the FAIR model to provide the distribution of simulated

scenario losses based on factor estimates expressed as distributions. The factor estimates come

from business experts who estimate the frequency and probable loss magnitude for each

scenario. The Monte Carlo simulations then use these factor estimates as inputs to generate

outputs in the form of distributions of simulated scenario losses.

Option A is incorrect because Monte Carlo simulations do not estimate the frequency and

magnitude - this is done by business experts.

Option B is incorrect because Monte Carlo simulations do not generate scenarios with an asset

at risk, a threat community, a threat type and an effect - this is done through risk assessment and

analysis.

Option D is incorrect because Monte Carlo simulations are not used to determine the best

course of action to prevent a potential loss event - this is determined through other methods

such as cost/benefit analysis or decision trees.

Q.5161 Which of the following statements best describes the purpose of Root Cause Analysis?

A. To identify an immediate cause of a significant operational risk event.

B. To compare the results of multiple investigations and identify patterns leading to
operational risk events.

C. To evaluate the impact of a near miss or incident on operational performance.

D. To support or challenge the initiatives proposed by the second line of defense.

The correct answer is B.

Root Cause Analysis is designed to investigate incidents or near misses that led or could have led

to operational impacts above the materiality threshold. It is more valuable to compare the results

of previous investigations and look for links and commonalities in the causes and failures leading

to significant operational risk events, in order to identify patterns within an organization that can

help create action plans across it. A key purpose of RCA is thus not only identifying an immediate

cause, but also recognizing underlying trends that can lead to greater understanding and

preventative measures.

A is incorrect. Though this statement is partially true, it does not encompass all elements of
root cause analysis. Identifying immediate causes is just one part; recognizing underlying trends
in order to formulate preventive action plans is another.

C is incorrect. While RCA certainly includes evaluation, its main purpose is not solely limited to

assessment; rather, it involves systematic investigation into why an incident has happened in

order to build greater understanding and develop preventative measures.

D is incorrect. The statement does not accurately reflect RCA’s true purpose. Root cause

analysis involves assessing incidents and near misses in order to recognize underlying trends

which can then be used for preventative measures, as opposed to supporting or challenging

particular initiatives.

Reading 107: Risk Mitigation

Q.5075 According to the international standards of enterprise risk management ISO 31000,
there are four ways to address risks. Which of the following is correct in this context?

A. All risks can be transferred to a third party

B. Termination should be the first response action in case of an operational risk event

C. Risk can be transferred through external insurance and outsourcing

D. Tolerance involves all types of risk mitigations, especially internal controls aimed at
reducing the probability

The correct answer is C.

Risk transfer is one of the ways to address risks according to the ISO 31000 standards. This

method involves shifting the risk to another party. This can be achieved through various means,

including external insurance and outsourcing. External insurance allows an organization to

transfer the financial risk associated with a particular event to an insurance company. On the

other hand, outsourcing involves delegating certain business operations to third-party entities,

thereby transferring the associated risks as well. This method is particularly useful when the

third party has better capabilities or resources to manage the risk. However, it's important to

note that risk transfer doesn't eliminate the risk entirely; it merely shifts the responsibility of

managing the risk.

Choice A is incorrect. While risk transfer is a valid method of addressing risks, it's not

accurate to say that all risks can be transferred to a third party. Some risks are inherent and

cannot be completely transferred.

Choice B is incorrect. Termination should not necessarily be the first response action in case of

an operational risk event according to ISO 31000 standards. The response should depend on the

nature and severity of the risk, and could involve other strategies such as mitigation or

acceptance.

Choice D is incorrect. Tolerance does not involve all types of risk mitigations, especially

internal controls aimed at reducing the probability. Tolerance refers to accepting the existence of

a particular risk and deciding to live with it rather than taking actions to remove or mitigate it.

Q.5076 Christian Grey, an FRM Part II candidate, wishes to present on different types of internal
controls, the process of internal control design, and control testing in operational risk
management. Which of the following statements made by Grey is correct?

A. According to the Institute of Internal Auditors, controls can be of four types, i.e.,
preventive, detective, corrective, and directive controls

B. Directive controls aim to alert the firm if an incident occurs to accelerate its resolution
and limit the impact of the incident on the firm or its stakeholders

C. Examples of preventive controls include smoke alarms and credit card notifications of
potentially fraudulent transactions

D. Directive controls are always part of control taxonomies

The correct answer is A.

The Institute of Internal Auditors (IIA) classifies internal controls into four types: preventive,

detective, corrective, and directive. Preventive controls are designed to prevent errors or

irregularities from occurring. They are proactive controls that help to ensure departmental

directives are carried out and that the organization's objectives are achieved. Detective controls,

on the other hand, are designed to find errors or irregularities that have already occurred.

Corrective controls aim to correct errors that have been detected, while directive controls guide

operations towards achieving the organization's objectives. Grey's statement accurately reflects

this classification.

Choice B is incorrect. Directive controls do not aim to alert the firm if an incident occurs.

Instead, they are designed to guide operations towards achieving set objectives and ensuring

compliance with laws and regulations. Alerting the firm of incidents is typically a function of

detective controls, which identify and report on incidents that have already occurred.

Choice C is incorrect. The examples provided are not preventive controls but rather detective

controls. Preventive controls aim to prevent an incident from occurring in the first place, such as

segregation of duties or authorization requirements for certain transactions. Smoke alarms and

credit card notifications of potentially fraudulent transactions are examples of detective controls

as they identify and report on incidents after they have occurred.

Choice D is incorrect. While directive controls can be part of control taxonomies, it's not

always the case as it depends on how a particular organization structures its internal control

framework. Some organizations may choose to include directive controls in their taxonomy while

others may not.

Q.5077 Among the four ways to address risk, treatment is the most common risk response, which
involves risk mitigation through various control plans. Controls can be of different classes. In this
chapter, however, we have adopted the classification used by the Institute of Internal Auditors.
Which of the following types of control fall under this classification?

A. Preventive controls

B. Key controls

C. Manual controls

D. Automated controls

The correct answer is A.

Preventive controls are one of the four types of controls classified by the Institute of Internal

Auditors (IIA). These controls are designed to reduce the likelihood of an incident occurring.

They are proactive measures taken to prevent a risk from materializing. This could include

actions such as implementing security measures to prevent unauthorized access to data, or

establishing procedures and policies that ensure compliance with regulations. The goal of

preventive controls is to deter undesirable events from happening in the first place. They are

considered the most effective type of control as they help in avoiding potential risks altogether.

Choice B is incorrect. Key controls are not a type of control as per the classification provided

by the Institute of Internal Auditors (IIA). They are rather an important subset of controls that

are crucial for the effective functioning of a system or process, but they do not form a separate

category in themselves.

Choice C is incorrect. Manual controls refer to those risk management procedures that require

human intervention and oversight. While they are indeed a form of control, they do not constitute

a distinct category according to IIA's classification.

Choice D is incorrect. Automated controls, similar to manual ones, involve mechanisms that

operate without human intervention. However, like manual controls, they too do not represent a

separate class within IIA's categorization scheme.

Q.5078 David Hans, FRM, works as the risk manager at ABC Bank. In one of his presentations,
David states that a firm's internal controls are its foundation for risk mitigation. He goes on
to state several points concerning internal controls. Which of the following statements is
incorrect in this regard?

A. A key control is a control that can sufficiently mitigate risk on its own.

B. Controls can either be manual or automated in nature.

C. Control automation can transform human error risk into technology and model risk.

D. Automated data back-up is an essential component of control testing.

The correct answer is D.

The statement that 'Automated data back-up is an essential component of control testing' is

incorrect. Control testing is a process that involves assessing the effectiveness of a control

system in mitigating risks. It does not necessarily involve automated data backup. Automated

data backup, on the other hand, is a component of control automation. Control automation refers

to the use of technology to automate certain control processes, thereby reducing the risk of

human error. Automated data backup is a part of this process as it ensures that data is

automatically saved and can be recovered in case of any data loss. Therefore, it is a component

of control automation and not control testing.

Choice A is incorrect. A key control is indeed a control that can sufficiently mitigate risk on its

own. It is a critical part of the internal control system and has a significant impact on the

achievement of an entity's objectives.

Choice B is incorrect. Controls can either be manual or automated in nature. Manual controls

are performed by individuals, while automated controls are performed by systems or

applications.

Choice C is incorrect. Control automation can transform human error risk into technology and

model risk, as it reduces the chance of human errors but introduces risks associated with

technology failures or model inaccuracies.

Q.5079 An FRM candidate is preparing for the May exam. In one of the open discussion forums, the
candidate states that a control should be effectively designed so as to be applied effectively and
hence be able to mitigate risk effectively. Ineffectively designed controls waste resources and
may give unrealistic expectations resulting in vulnerabilities. He goes on to state the types of
weakly designed controls. Which of the following is least likely a type of weakly designed
control highlighted by the candidate?

A. "Optimistic control."

B. "More of the same."

C. "Collective controls."

D. "System-based data validation."

The correct answer is D.

'System-based data validation.' This type of control is an example of automated controls.

Automated controls, such as system-based data validation checks in data collection tools, are

designed to ensure the accuracy and reliability of data. These controls are typically embedded in

the systems and processes of an organization and operate automatically, without the need for

human intervention. They are designed to prevent errors and fraud, ensure compliance with

regulations, and enhance the overall effectiveness and efficiency of operations. Automated

controls like system-based data validation are generally considered to be well-designed controls

as they are effective, efficient, and reliable. They do not waste resources and do not create

unrealistic expectations or vulnerabilities. Therefore, 'System-based data validation' is least

likely to represent a type of poorly designed control.

Choice A is incorrect. "Optimistic control" refers to a type of control that assumes the best-

case scenario and does not adequately prepare for potential risks or adverse events. This type of

control can be poorly designed as it may not provide sufficient protection against risks.

Choice B is incorrect. "More of the same" refers to a situation where an organization continues

to implement the same controls, even when they have proven ineffective in mitigating risk. This

approach can lead to resource wastage and does not address underlying vulnerabilities, making

it a representation of poor design.

Choice C is incorrect. "Collective controls" refer to controls that are implemented across an

entire organization or system, without considering specific risk profiles or needs of different

departments or units. While collective controls can be effective in some cases, they may also

overlook unique risks associated with specific areas within an organization, leading to potential

vulnerabilities.

Q.5080 The Bank of India is in the process of implementing an effective control system. Its risk
management unit has clarified that control designs should be assessed, and if satisfactory, they
can be tested to check whether they are operationally effective. Which of the following is not a
type of control testing?

A. Examination

B. Observation

C. Self-certification

D. Independence

The correct answer is D.

Independence of the testing party is one of the factors that influence the effectiveness of control

testing.

There are four primary types of control testing, presented in order of increasing scrutiny. The greater

the inherent risk, the more rigorous the control testing must be.

The following are the main types of control testing:

Self-certification or inquiry. Given the lack of evidence, it is reasonable to limit this

assessment to secondary controls or controls related to environments with low inherent

risk.

Examination. Written documentation of the process, as well as written evidence of the

results, is needed to support this claim. The quality and relevance of documentation

determine the effectiveness of this testing method. In addition, it is more suitable for

automated checks and sampling of manual checks since it provides moderate

assurance.

Observation. It involves observing the execution of the control process in real time so

that its design and effectiveness can be judged. This testing method is suitable for key

controls.

Reperformance (reproduction or parallel testing). This is the strongest form of testing,

which involves the tester reproducing the control process on a sample of transactions

and comparing the results with those previously obtained by the process.

Q.5081 Joseph Bolts, FRM, is a risk manager at the Bank of Baroda. In his recent presentation to
the board of directors, Joseph highlights that while the firm strives to establish effective control
testing, several factors determine the level of this effectiveness. Which of the
following factors does not influence the effectiveness of control testing?

A. The independence of the testing party

B. The frequency of testing

C. Scope and sample

D. Reperformance

The correct answer is D.

Reperformance is not a factor that influences the effectiveness of control testing. Instead, it is

one of the four types of control testing. Reperformance involves independently executing the

controls to verify whether they are functioning as intended. While it is a method of control

testing, it does not influence the effectiveness of the testing process itself. The effectiveness of

control testing is determined by factors such as the independence of the testing party, the

frequency of testing, and the scope and sample size of the test. Therefore, reperformance does

not influence the effectiveness of control testing.

Choice A is incorrect. The independence of the testing party can significantly impact the

effectiveness of control testing. If the party conducting the test has a vested interest in the

outcome, it may lead to biased results and thus affect its effectiveness.

Choice B is incorrect. The frequency of testing also plays a crucial role in determining its

effectiveness. Infrequent tests may not capture all potential risks or control failures, thereby

reducing their efficacy.

Choice C is incorrect. The scope and sample size used for control testing can greatly influence

its effectiveness as well. A narrow scope or small sample size might not provide an accurate

representation of all possible scenarios, leading to ineffective controls.


Q.5082 To effectively mitigate human errors, we should first categorize these errors accordingly.
Identifying slips and mistakes is the first step in categorizing human error. Which of the
following categories of human errors is correctly described?

A. Slips – These are wrong choices made when someone faces a new situation due to a
lack of familiarity with a process

B. Rule-based mistakes – The perpetrator understands the right thing to do but decides
to act against the rules

C. Knowledge-based mistakes – These are the wrong choices made when someone faces a
new situation due to a lack of familiarity with a process or a lack of training and guidance

D. Violation – These are involuntary errors caused by inattention, distraction, and fatigue

The correct answer is C.

Knowledge-based mistakes refer to incorrect decisions made when an individual encounters a

new situation and lacks familiarity with the process or lacks adequate training and guidance.

These mistakes occur when a person does not have the necessary knowledge to handle a

situation correctly. For instance, a new employee might make a knowledge-based mistake when

faced with a task they have not been trained to perform. This type of error can be mitigated

through proper training and guidance, ensuring that individuals are adequately prepared to

handle new situations. It's also important to create an environment where individuals feel

comfortable asking for help when they encounter unfamiliar situations.

Choice A is incorrect. Slips are not wrong choices made when someone faces a new situation

due to a lack of familiarity with a process. Instead, slips are typically associated with automatic

behavior and occur when attention is diverted from the task at hand.

Choice B is incorrect. Rule-based mistakes do not involve an individual deciding to act against

the rules. Rather, they occur when an individual makes an error in the application or

interpretation of a rule that they understand correctly.

Choice D is incorrect. Violations are not involuntary errors caused by inattention, distraction,

and fatigue. They are deliberate deviations from procedures, rules or standards and often result

from conscious decisions by individuals who believe their actions will achieve a desired outcome.


Q.5083 To improve the quality of an operational process and reduce the potential for human
error, the risk management unit should first identify these errors and then apply several methods
to assess and mitigate risks related to these errors. Which of the following statements is
incorrect in light of this statement?

A. The Lean Six Sigma is applied to remove and reduce waste and variation by analyzing
processes and collaborative tasks hence minimizing variations

B. Six Sigma improves quality by identifying and eliminating causes of errors or defects
and minimizing variability in industrial processes

C. Quality improvement follows the 'plan', 'do', 'study', 'act' (PDSA) cycle.

D. Under the "Dr. Deming cycle", 'do' refers to analyzing the collected data, comparing
the set targets, and evaluating opportunities for improvement.

The correct answer is D.

The statement in choice D is incorrect because it misrepresents the 'Do' phase of the 'Plan', 'Do',

'Study', 'Act' (PDSA) cycle, also known as the 'Dr. Deming cycle'. In this cycle, 'Do' refers to the

implementation of the plan and the recording of its progress. It does not involve the analysis of

collected data, comparison of set targets, or evaluation of opportunities for improvement. These

activities are part of the 'Study' phase. Therefore, the statement in choice D is incorrect, making

it the correct answer to the question.

Choice A is incorrect. The Lean Six Sigma methodology indeed focuses on reducing waste and

variation in processes. It does this by identifying and removing the causes of defects, minimizing

variability, and improving the quality of process outputs.

Choice B is incorrect. Six Sigma is a set of techniques used for process improvement by

eliminating defects and ensuring quality. It aims to reduce process variability, thereby enhancing

product or service consistency.

Choice C is incorrect. The 'plan', 'do', 'study', 'act' (PDSA) cycle accurately describes a

common approach to continuous quality improvement in operational risk management

methodologies.

Q.5084 Businesses face significant operational risks when they embark on new projects,


products, and initiatives that are unfamiliar to them. Which of the following
statements is correct in this context?

A. As a best practice, the owner of each new initiative should present a business case to
show the allocation of resources

B. When acquiring new assets, it is easier to assess operational risk than credit risk

C. The acquired firm should not provide any information as this makes operational risk
assessment even more difficult

D. When projects are merged, the risks of the acquired assets remain with the original
firm

The correct answer is A.

The owner of each new initiative should present a business case to show the allocation of

resources. This is considered a best practice in business operations. A well-structured business

case provides a comprehensive overview of the initiative, including its objectives, alternatives,

expected benefits, commercial aspects, and risks. By presenting a business case, the owner of

the initiative can effectively communicate the potential value and risks of the initiative to

stakeholders. This can facilitate informed decision-making and ensure that resources are

allocated appropriately. Furthermore, a business case can serve as a reference point for

monitoring and controlling the initiative as it progresses.

Choice B is incorrect. Operational risk assessment can be more complex than credit risk

assessment when acquiring new assets. This is because operational risks involve a wide range of

uncertainties, including those related to the integration of new assets into existing operations,

changes in market conditions, and potential regulatory issues.

Choice C is incorrect. The acquired firm should provide as much information as possible to

facilitate the operational risk assessment process. Withholding information can lead to

incomplete or inaccurate risk assessments, which could potentially expose the business to

unforeseen risks and liabilities.

Choice D is incorrect. When projects are merged, the risks associated with the acquired assets

do not necessarily remain with the original firm. Instead, these risks are typically transferred to

or shared with the acquiring entity depending on the terms of the acquisition agreement.


Q.5085 Bank A wishes to acquire all the assets of Bank B. The risk unit of Bank A is therefore
concerned about the possible operational risks that may arise if they go ahead to acquire assets
of Bank B. Which of the following is not a correct way in which the risk function of Bank A will
be involved in the acquisition of assets of Bank B?

A. Doing a thorough assessment of the operational risk related to the assets of Bank B

B. The risk unit of Bank A should ask Bank B to present information on payrolls,
customers, payroll and management systems, and its communication with other
companies

C. The board of directors can create a risk profile to familiarize the management with
potential operational risks related to these new business initiatives.

D. Bank B should provide Bank A with data on collateral, obligors, and terms and
conditions in order for them to assess credit risk

The correct answer is C.

The statement that the board of directors can create a risk profile to familiarize the management

with potential operational risks related to these new business initiatives is incorrect. In the

context of risk management, it is the Operational Risk Management (ORM) function that is

responsible for creating a risk profile. The ORM function is designed to identify, assess, monitor,

and control operational risk. It is not the responsibility of the board of directors to create a risk

profile. The board of directors is responsible for overseeing the risk management framework and

ensuring that it is effectively implemented. However, the day-to-day management of risk,

including the creation of risk profiles, is typically delegated to the ORM function or other risk

management professionals within the organization.

Choice A is incorrect. The risk unit of Bank A should indeed conduct a thorough assessment of

the operational risks related to the assets of Bank B. This is an integral part of their role in the

asset acquisition process.

Choice B is incorrect. It's not wrong for the risk unit of Bank A to ask for information on

payrolls, customers, payroll and management systems, and its communication with other

companies from Bank B. This information can help them understand potential operational risks

better.


Choice D is incorrect. While it's true that data on collateral, obligors, and terms and conditions

are important for assessing credit risk, this doesn't negate the fact that it's also part of the role

of Bank A's risk function in an asset acquisition process.

Q.5086 Paul Schering, FRM, works as a risk manager at ABC Bank. Paul wishes to present to the
bank approaches firms should use to mitigate the impact of operational risk events. Which of the
following statements highlighted by Paul is correct?

A. A contingency plan is simply a "Plan B" or an alternative action if the result of a future
event does not go as expected

B. The first step in business continuity management (BCM) is identifying threats and
risks and linking these risks to the firm's key operational risks

C. In case of a crisis, a firm should have at least one response team: the technical team

D. In case of a crisis, a communications team assesses the risk event and restores normal
processes

The correct answer is A.

A contingency plan is indeed a 'Plan B' or an alternative course of action if the outcome of a

future event does not proceed as anticipated. Contingency planning is a component of business

continuity management (BCM), disaster recovery plans (DRP), and corrective risk management.

It should clearly specify who is responsible for what and when in the event of a crisis. In broader

terms, contingency planning involves providing alternatives in systems, people, and processes.

This ensures that the organization can continue to function and recover quickly in the event of a

disruption or crisis.

Choice B is incorrect. The first step in business continuity management (BCM) is not

identifying threats and risks and linking these risks to the firm's key operational risks. Rather, it

involves understanding the organization, which includes identifying critical products and

services, defining the organization's risk appetite, and understanding legal and regulatory

requirements.

Choice C is incorrect. While having a technical team in place during a crisis can be beneficial,


it should not be the only response team a firm has. A comprehensive crisis management plan

should include multiple teams with different areas of expertise such as operations,

communications, legal etc., each tasked with specific responsibilities to ensure an effective

response.

Choice D is incorrect. A communications team alone cannot assess the risk event and restore

normal processes during a crisis situation. This requires a coordinated effort from various teams

including a risk assessment team for evaluating the severity of the risk event, an operations team for

restoring normal processes, and a communications team for managing internal and external

communication.

Q.5087 In the event of disruptions, the business continuity plan (BCP) will be activated. Which of
the following qualities should a firm demonstrate when managing a crisis or major operational
event?

A. Emergency response

B. Recovery

C. Transparency

D. Restoration

The correct answer is C.

Transparency is a crucial quality that a firm should demonstrate when managing a crisis or

major operational event. It involves maintaining the trust of key stakeholders by always telling

the truth and being open and honest, even in the face of a large operational loss. This quality is

essential as it helps in building trust and confidence among stakeholders, which is critical during

crisis management. It ensures that stakeholders are well-informed about the situation, which can

help in reducing panic and confusion. Moreover, transparency can also aid in the decision-

making process as it provides a clear picture of the situation, enabling stakeholders to make

informed decisions.

Choice A is incorrect. While emergency response is an important aspect of crisis management,


it does not represent a quality that a firm should demonstrate during the management of a crisis

or major operational event. Emergency response refers to the immediate actions taken to

mitigate the impact of an event, but it does not necessarily reflect how well the firm manages the

situation overall.

Choice B is incorrect. Recovery refers to restoring operations back to normal after a crisis or

major operational event has occurred. Although recovery is an essential part of business

continuity planning, it does not represent a quality that a firm should exhibit during the

management of such events.

Choice D is incorrect. Restoration, similar to recovery, involves returning operations back to

their pre-crisis state following an incident. However, this action alone does not embody a quality

that firms should display while managing crises or significant operational events.


Q.5088 Operational risk can be transferred through external insurance and outsourcing. Which
of the following statements is incorrect regarding risk transfer?

A. There is a trade-off decision between the insurance premium versus the volatility

B. In external insurance, the risk is not necessarily fully transferred, as the amount of
compensation depends on the premiums paid

C. Outsourcing may result in third-party risk

D. It is hard to transfer both risk exposure and consequences

The correct answer is D.

The statement 'It is hard to transfer both risk exposure and consequences' is incorrect. In the

context of operational risk, external insurance policies are particularly suitable for risks that are

predictable and easy to transfer in terms of both risk exposure and consequences. This makes

risk mitigation effective for those who take out insurance. The predictability of the risk allows for

proper underwriting and pricing by the insurer, ensuring that the risk transfer is beneficial for

both parties. Therefore, it is not necessarily hard to transfer both risk exposure and

consequences, as the statement suggests.

Choice A is incorrect. The statement accurately represents a consideration in risk transfer.

There is indeed a trade-off decision between the insurance premium and the volatility of the risk

being insured. Higher volatility risks would typically require higher premiums for coverage.

Choice B is incorrect. This statement correctly highlights that in external insurance, the risk

isn't necessarily fully transferred as the amount of compensation depends on the premiums paid.

If an event occurs that exceeds the coverage limit set by the premium, then some of that risk

remains with the company.

Choice C is incorrect. This statement correctly identifies another potential issue with

outsourcing as a strategy for operational risk mitigation - it may result in third-party risks such

as vendor or supply chain disruptions, which are outside of direct control by your company.


Reading 108: Risk Reporting

Q.5090 Which of the following events will least likely trigger the requirement to notify regulators
of operational risk events?

A. The significance of the events relative to a materiality threshold

B. Any event affecting the firm’s management

C. Any event that could affect the firm’s ability to continue to provide adequate services

D. Any event that could result in serious consequences to the financial system

The correct answer is B.

Any event affecting the firm’s management does not necessarily trigger the requirement to notify

regulators of operational risk events. While changes in management can have implications for a

firm's operations, they do not inherently pose an operational risk unless they affect the firm

materially above a certain threshold, its reputation, its resilience, or its stability. Therefore,

unless the event involving the firm's management meets these criteria, it is not likely to

necessitate a notification to the regulators. This is because regulators are primarily concerned

with events that could potentially disrupt the firm's operations or pose a significant risk to its

stability, reputation, or resilience.

Choice A is incorrect. The significance of events relative to a materiality threshold is indeed a

factor that would necessitate reporting to regulatory bodies. If an event crosses the materiality

threshold, it indicates that the event could potentially have a significant impact on the firm's

operations and hence, should be reported.

Choice C is incorrect. Any event that could affect the firm’s ability to continue providing

adequate services would certainly require notification to regulators. This is because such an

event can disrupt the normal functioning of the firm and may lead to customer dissatisfaction or

loss, which in turn can affect its reputation and financial stability.

Choice D is incorrect. Any event that could result in serious consequences to the financial

system definitely needs reporting as it not only affects one firm but has wider implications for

other firms and stakeholders within the financial system as well.


Q.5091 Which of the following is not a type of information critical in the operational risk
requirements?

A. Qualitative information on operational risk management

B. Historical losses

C. Business indicator and subcomponents

D. Risk appetite metrics

The correct answer is D.

Risk appetite metrics, while important in the broader context of risk management, are not

considered a type of information that is critical in operational risk requirements. Risk appetite

metrics are used to measure the level of risk that an organization is willing to accept in pursuit

of its objectives. They are typically defined by the organization's board of directors and senior

management and are used to guide the organization's risk-taking activities. However, in the

context of operational risk requirements, the focus is more on specific types of information that

can help identify, assess, and manage operational risks. These include qualitative information on

operational risk management, historical losses, and business indicator and subcomponents.

Therefore, risk appetite metrics do not fall into this category.

Choice A is incorrect. Qualitative information on operational risk management is indeed

considered critical in operational risk requirements. This type of information provides insights

into the organization's culture, governance, and other non-quantifiable aspects that can

significantly impact the level of operational risks.

Choice B is incorrect. Historical losses are also deemed critical in operational risk

requirements as they provide a historical perspective on the frequency and severity of losses due

to operational risks. They serve as a basis for estimating potential future losses.

Choice C is incorrect. Business indicators and subcomponents are crucial pieces of information

in understanding and managing operational risks. They help identify areas within an

organization that may be vulnerable to significant operational risks.


Q.5092 Which of the following types of information pertains to the presentation of an entity's
governance and risk management structures that are established to manage and mitigate risk?

A. Qualitative information on operational risk management

B. Historical losses

C. Business indicators and subcomponents

D. Incidents and near misses

The correct answer is A.

Qualitative information is crucial for presenting an organization's governance and risk

management structures. Operational risk management involves the identification, assessment,

monitoring, and mitigation of risks that arise from operational failures such as system failures,

procedural errors, or disruptions. Qualitative information in this context could include details

about the organization's risk appetite, risk management strategies, risk mitigation measures, and

the roles and responsibilities of different entities within the organization in managing risk. This

information provides a comprehensive view of the organization's approach to managing

operational risk, thereby helping stakeholders understand how the organization is structured to

manage and mitigate risk.

Choice B is incorrect. Historical losses are important for understanding the past performance

of an organization and can be used to predict future risks. However, they do not specifically

relate to the presentation of governance and risk management structures.

Choice C is incorrect. Business indicators and subcomponents can provide insights into the

operational efficiency and financial health of an organization, but they do not directly depict the

governance and risk management structures.

Choice D is incorrect. Incidents and near misses are crucial for identifying potential risks in an

organization's operations, but they do not specifically represent the governance or risk

management structures in place.


Q.5093 Which of the following is not one of the main components of operational risk reporting?

A. Risk appetite metrics

B. Incidents and near misses

C. Frequency and severity

D. Action plans and follow-up

The correct answer is C.

The frequency and severity per period is one of the areas that need to be reported when

reporting on risk events and near misses. It is not one of the main components of operational risk reporting.

There are seven main components of operational risk reporting:

i. Top-10 risks and risk outlook
ii. Heatmap and risk register
iii. Risk appetite metrics
iv. KRIs and issue monitoring
v. Incidents and near misses
vi. Action plans and follow-up
vii. Emerging risks and horizon scan findings


Q.5094 Which of the following components of operational risk reporting involves reporting a list
of the top overall risks?

A. Heatmap and risk register.

B. Risk appetite metrics.

C. Top-10 risks and risk outlook.

D. Incidents and near misses.

The correct answer is C.

The 'Top-10 risks and risk outlook' is indeed the component of operational risk reporting that

involves reporting a list of the top overall risks. This component is crucial as it provides a

snapshot of the most significant risks that an organization faces at a given point in time. It is

often derived from the risk register or risk inventory, which is a comprehensive list of all the

risks identified by the organization. The 'Top-10 risks and risk outlook' not only lists these risks

but also provides an outlook on how these risks might evolve in the future. This information is

invaluable for decision-makers as it helps them prioritize their risk mitigation efforts and allocate

resources effectively.

Choice A is incorrect. While a heatmap and risk register are components of operational risk

reporting, they do not specifically report the top-10 overall risks. A heatmap visually represents

the severity and likelihood of risks, while a risk register records details about identified risks.

Choice B is incorrect. Risk appetite metrics are used to measure an organization's willingness

to take on risk, but they do not provide a list of the top-10 overall risks.

Choice D is incorrect. 'Incidents and near misses' refers to actual events or situations that

almost led to an undesired outcome such as financial loss or legal issues. This component does

not necessarily report on the top-10 overall risks in an organization.


Q.5095 Why are near-miss occurrences included in the reporting of incidents in organizations
with strong risk cultures?

A. To assess the cost of close calls.

B. To determine the importance of close calls.

C. To analyze the potential consequence that was unintentionally avoided.

D. To evaluate the frequency of close calls.

The correct answer is C.

Organizations with strong risk cultures include near-miss occurrences in the reporting of

incidents primarily to analyze the potential consequence that was unintentionally avoided. This

practice allows them to understand the severity of the risk that was narrowly missed and to take

necessary precautions to prevent such incidents in the future. It helps in identifying the

vulnerabilities in the system and provides an opportunity to improve the risk management

strategies. By analyzing the potential consequences, organizations can learn from these near-

miss incidents without having to experience the actual loss or damage. This proactive approach

to risk management is a hallmark of organizations with strong risk cultures.

Choice A is incorrect. While assessing the cost of close calls can be a part of risk management,

it is not the primary reason for including near-miss occurrences in incident reports. The main

purpose is to analyze what could have happened had the event not been avoided, which helps in

understanding and mitigating future risks.

Choice B is incorrect. Determining the importance of close calls may be a part of risk analysis

but it's not the primary reason for their inclusion in incident reports. The key objective is to

understand potential consequences that were unintentionally avoided, thereby helping

organizations prepare better for similar situations in future.

Choice D is incorrect. Evaluating the frequency of close calls can provide insights into how

often such incidents occur, but this does not directly contribute to understanding or mitigating

potential risks that were unintentionally avoided - which remains as the main purpose behind

including near-miss occurrences in incident reports.


Q.5096 Which of the following is not one of the three options worth considering when
aggregating qualitative data?

A. Conversion and addition

B. Categorization

C. Horizon scanning

D. Worst-case reporting

The correct answer is C.

Choice A is incorrect. Conversion and addition is indeed a method used for aggregating

qualitative data. This method involves converting the qualitative data into numerical form and

then adding it up to get a total score or value.

Choice B is incorrect. Categorization is also a common method used in the aggregation of

qualitative data. It involves grouping similar types of data together into categories, which can

then be analyzed collectively.

Choice D is incorrect. Worst-case reporting, while not as commonly used as the other methods,

can still be considered a form of aggregating qualitative data. This approach focuses on

identifying and presenting the worst possible outcomes or scenarios based on the available data.

Q.5097 Which of the following stakeholder groups is authorized by the board to monitor the
effectiveness of the firm’s risk management framework?

A. The audit committee

B. The risk committee

C. Executive committee

D. Business line managers

The correct answer is B.

The risk committee is a specialized group within the board of directors that is specifically


authorized to monitor the effectiveness of the firm's risk management framework. This

committee is typically composed of members who have a deep understanding of the various risks

that the firm might face, including operational, financial, and strategic risks. The risk

committee's primary role is to ensure that the firm has robust risk management policies and

procedures in place and that these are being effectively implemented. The committee also

reviews and assesses the firm's risk profile and risk appetite, and ensures that the firm's risk

management activities align with its strategic objectives. The risk committee plays a crucial role

in promoting a strong risk culture within the firm, and in ensuring that risk considerations are

integrated into decision-making processes at all levels of the firm.

Choice A is incorrect. The audit committee is primarily responsible for overseeing the integrity

of the company's financial statements, internal controls over financial reporting, and the

performance of internal and external audits. While they may review risk management policies

and procedures as part of their duties, they are not specifically authorized to oversee and

evaluate the effectiveness of the firm's risk management framework.

Choice C is incorrect. The executive committee typically handles a range of issues including

strategic planning, resource allocation, and operational decisions. Although they might be

involved in discussions about risk management strategies or initiatives, their primary role does

not include overseeing or evaluating the effectiveness of these frameworks.

Choice D is incorrect. Business line managers are responsible for managing risks within their

specific business units or departments but do not have a firm-wide oversight role in evaluating

the effectiveness of overall risk management framework.


Q.5098 Which of the following stakeholder groups is responsible for collecting all relevant
operational risk information from the business lines to produce aggregated, synthesized
reporting and provide feedback to the business lines?

A. The risk champions

B. The operational risk committee

C. The audit committee

D. The executive committee

The correct answer is B.

The operational risk committee is the group responsible for collecting all relevant operational

risk information from the business lines. This committee is tasked with producing aggregated,

synthesized reporting based on the collected data. The operational risk committee plays a crucial

role in operational risk management as it provides a holistic view of the operational risks faced

by the organization. By aggregating and synthesizing the risk information, the committee can

identify patterns, trends, and areas of concern that may not be apparent at the individual

business line level. This comprehensive view allows the committee to provide valuable feedback

to the business lines, helping them to manage their operational risks more effectively.

Choice A is incorrect. The risk champions are typically responsible for promoting a risk-aware

culture within their respective business lines, not for the collection and consolidation of

operational risk data.

Choice C is incorrect. The audit committee's role primarily involves overseeing the

organization's internal control systems, financial reporting processes, and audits of financial

statements. They do not typically handle the collection and consolidation of operational risk data.

Choice D is incorrect. The executive committee usually focuses on strategic decision-making

based on the information provided by other groups such as the operational risk committee. They

do not directly involve themselves in collecting or consolidating operational risk data.


Q.5099 Which of the following is a challenge of non-financial risk data reporting?

A. Risk appetite metrics

B. Action plans and follow up

C. Asymmetry of operational risk event data

D. Incidents and near misses

The correct answer is C.

Asymmetry of operational risk event data is indeed a challenge in non-financial risk data

reporting. This is because operational risk event data is often characterized by a small number of

low-frequency, high-severity loss occurrences that account for the majority of operational loss

severity. This asymmetry can make it difficult to accurately assess and manage operational risk,

as the majority of losses are caused by relatively rare events. Therefore, addressing this

asymmetry is a key challenge in non-financial risk data reporting.

Choice A is incorrect. Risk appetite metrics are not a challenge in non-financial risk data

reporting but rather a tool used to measure and manage the level of risk an organization is

willing to accept. They help in decision-making and strategic planning, but do not pose a

challenge in the reporting process itself.

Choice B is incorrect. Action plans and follow-ups are part of the risk management process,

which includes identifying risks, assessing their potential impact, developing strategies to

mitigate them, and monitoring progress. While they may present challenges in terms of

execution or compliance, they do not represent a specific challenge related to non-financial risk

data reporting.

Choice D is incorrect. Incidents and near misses are sources of operational risk data that need

to be reported for effective management of non-financial risks. However, they themselves do not

constitute a challenge in the reporting process; instead, how these incidents are recorded,

analyzed and communicated could potentially pose challenges.


Reading 109: Integrated Risk Management

Q.5100 Which of the following statements is correct regarding Integrated Risk Management?

A. It is a framework that focuses on identifying and managing individual risks separately

B. It involves the centralization of risk management activities within a single department

C. It considers the potential impact of multiple risks occurring simultaneously

D. It is primarily focused on compliance and regulatory requirements

The correct answer is C.

Integrated Risk Management (IRM) indeed considers the potential impact of multiple risks

occurring simultaneously. This is a key characteristic of the IRM approach. Rather than treating

risks as isolated events, IRM recognizes that risks are often interconnected and that the

occurrence of one risk can trigger or exacerbate other risks. This understanding of the

interrelationships between risks allows organizations to better anticipate and prepare for

potential risk events. By considering the potential impact of multiple risks occurring

simultaneously, organizations can develop more robust risk management strategies that take into

account the complexity and interconnectedness of risks.

Choice A is incorrect. Integrated Risk Management (IRM) does not focus on identifying and

managing individual risks separately. Instead, it takes a comprehensive view of all risks across

an organization, considering their potential interrelationships and the possibility of multiple risks

occurring simultaneously.

Choice B is incorrect. While IRM may involve some degree of centralization in risk

management activities, its primary characteristic is not the centralization within a single

department. Rather, it emphasizes a holistic approach to risk management that spans across

different departments and functions within an organization.

Choice D is incorrect. Although compliance and regulatory requirements are important

aspects of any risk management strategy, they are not the primary focus of Integrated Risk

Management. The main aim of IRM is to identify, prioritize, and manage risks in a way that

considers their potential interrelationships and simultaneous occurrence.


Q.5101 Risk culture is inseparable from corporate culture and goes beyond the culture of
alertness and reporting of operational risk incidents, as well as the sharing of lessons learned.
Which of the following statements is incorrect regarding risk culture from an ERM view?

A. Corporate culture is "what happens when no one is looking"

B. Risk culture influences the effectiveness of an ERM framework

C. A robust and independent risk management function can reduce tail risk exposures at
banks

D. A risk culture is a structure that is put in place to outline a firm's approach to the
management and control of risk

The correct answer is D.

The statement that a risk culture is a structure that is put in place to outline a firm's approach to

the management, measurement, and control of risk is incorrect. This description is more apt for

a 'risk appetite framework', not a risk culture. A risk appetite framework is a tool used by

organizations to define the level and type of risk they are willing to accept in pursuit of their

objectives. It provides a structured approach to identify, assess, and manage risk. On the other

hand, risk culture refers to the norms, attitudes, and behaviors related to risk awareness, risk

taking, and risk management within an organization. It is about how people at all levels in the

organization understand and manage risk in their day-to-day activities and how they make

decisions about risk. A strong risk culture supports effective risk management and thus, the

achievement of organizational objectives.

Choice A is incorrect. The statement "Corporate culture is 'what happens when no one is

looking'" accurately reflects the concept of risk culture from an ERM perspective. This statement

emphasizes the importance of ingrained behaviors and attitudes towards risk, which are crucial

elements of a strong risk culture.

Choice B is incorrect. Risk culture indeed influences the effectiveness of an ERM framework. A

strong risk culture can enhance the implementation and effectiveness of ERM practices within

an organization.


Choice C is incorrect. A robust and independent risk management function can indeed reduce

tail risk exposures at banks, but this does not contradict or misrepresent the concept of a risk

culture in ERM. It's part of a comprehensive approach to managing all risks in a coordinated

way.


Q.5102 Which of the following is most likely a role and responsibility of the second line of
defense for the overall risk management of a firm under risk governance?

A. Making decisions for managing risks.

B. Establishing risk management methods and measurement methods.

C. Overseeing the risk management activities.

D. Reports independently to the board of directors.

The correct answer is B.

The second line of defense in a firm's risk governance structure is primarily responsible for

establishing risk management methods, tools, models, and measurement methods. This line of

defense plays a crucial role in training the first line of defense, raising risk awareness,

developing risk management policies, and ensuring effective risk management. The second line

of defense acts as a bridge between the first line of defense, which is directly involved in

managing risks, and the third line of defense, which oversees the risk management activities.

Therefore, the second line of defense is instrumental in establishing the methods and

measurements that are used to manage risks within the firm.

Choice A is incorrect. The second line of defense does not make decisions for managing risks.

This responsibility typically lies with the first line of defense, which includes business units and

operational management who directly manage risks.

Choice C is incorrect. Overseeing risk management activities is generally the role of the third

line of defense, which includes internal audit functions that provide independent assurance to

the board on the effectiveness of governance, risk management, and control processes.

Choice D is incorrect. While it's true that some elements within a firm's second line of defense

may report to the board (such as compliance or risk management), this isn't their primary role or

responsibility within a firm's risk governance structure. Their main function involves establishing

and monitoring risk management methods and measurement methods.


Q.5103 A newly hired risk manager is preparing to present to the risk committee on the role of
ERM in financial services in ensuring the solvency and sustainability of an institution through
appropriate capital funding that covers any unexpected losses relating to any of the main risk
classes. Which of the following points highlighted by the risk manager is correct?

A. An enterprise risk management framework and activities consist of regulatory capital
and economic capital only

B. Regulatory capital is the internal capital that firms estimate, reflecting both their risk
profile and potential needs to cover unexpected losses

C. Pillar 2, introduced under Basel II, is about market discipline

D. Basel regulations bear no legal grounds

The correct answer is D.

Basel regulations do not have any legal standing. Instead, individual countries decide whether to

incorporate the Basel standards into their domestic laws and regulations. The Basel Accords,

developed by the Basel Committee on Banking Supervision (BCBS), are a set of

recommendations for regulations in the banking industry. While these accords are not legally

binding, they have been widely adopted worldwide due to their comprehensive approach to

banking supervision. The accords aim to ensure that financial institutions have enough capital on

account to meet obligations and absorb unexpected losses. However, the implementation of these

standards is at the discretion of individual countries, and they are not legally enforceable unless

enacted into law by the respective governments.

Choice A is incorrect. An enterprise risk management framework and activities do not consist

of regulatory capital and economic capital only. It also includes operational risk, credit risk,

market risk, liquidity risk, and strategic risk, among others.

Choice B is incorrect. Regulatory capital is not the internal capital that firms estimate to cover

unexpected losses. Instead, it is the minimum amount of equity, set by banking regulators, that a

bank must hold to reduce the risk of insolvency.

Choice C is incorrect. Pillar 2 under Basel II does not pertain to market discipline; rather, it

deals with the supervisory review process, which allows regulators to review an institution's internal

assessment process and ensure that it holds sufficient capital for its level of risk.


Q.5104 The CEO of a bank has recommended that the bank should calculate RAROC in order to
determine the risk-return trade-off of their products and services. Which of the following is
correct with respect to RAROC?

A. RAROC can be used to provide a quantitative estimate of the bank's funding costs for
each transaction, product, and type of client

B. RAROC is given by expected after-tax risk-adjusted net income divided by regulatory
capital

C. RAROC relies heavily on historical data

D. RAROC is used to measure operational risk

The correct answer is A.

Risk-Adjusted Return on Capital (RAROC) is a risk-based profitability measurement framework

for analysing risk-return trade-off for a business. This metric is used to provide a quantitative

estimate of a bank's funding costs for each transaction, product, and type of client. It is a

comprehensive system for performance measurement and capital allocation based on risk.

RAROC allows banks to manage scarce capital and expensive resources effectively. It also

enables the management of commercial agents of the bank using objectives. The use of RAROC

in banking helps in making risk-adjusted investment decisions, thereby improving the overall

performance and profitability of the bank.

Choice B is incorrect. RAROC is not calculated by dividing the expected after-tax risk-adjusted

net income by regulatory capital. Instead, it is typically calculated as the ratio of expected return

to economic capital, which takes into account all types of risks including credit risk, market risk

and operational risk.

Choice C is incorrect. While historical data can be used in the calculation of RAROC, it does

not rely heavily on it. RAROC uses a forward-looking approach that incorporates both current

and future potential risks.

Choice D is incorrect. RAROC measures all types of risks including credit risk, market risk and

operational risk rather than just focusing on operational risk.


Q.5105 A risk manager of a large bank recommends that the bank should consider not only
regulatory and economic capital requirements but also assess aggregate capital needs. Which of
the following statements is correct regarding capital aggregation and diversification in the ERM
context?

A. Diversification can only be achieved across different risk classes

B. To determine the risk capital for a particular business unit within a larger firm, the
units are viewed together

C. We have diversification benefits whenever we have a correlation of exactly +1

D. We can have large diversification benefits when operational risk is aggregated with
other risks

The correct answer is D.

The statement that we can have large diversification benefits when operational risk is

aggregated with other risks is accurate. This is because operational risk tends to behave

independently, unlike credit and market risks, which often show increased correlations during a

crisis. Therefore, by aggregating operational risk with other types of risks, a firm can achieve

significant diversification benefits. This is a key principle in Enterprise Risk Management (ERM),

where the goal is to manage and mitigate various types of risks within a firm in a holistic

manner.

Choice A is incorrect. Diversification can be achieved not only across different risk classes but

also within the same risk class. For example, a bank can diversify its credit risk by lending to

borrowers in different industries or geographical locations.

Choice B is incorrect. While it's true that the overall capital needs of a firm are determined by

viewing all business units together, this statement does not accurately reflect the principles of

capital aggregation and diversification. Capital aggregation involves summing up individual risks

to get a total risk measure, while diversification involves spreading risks across various assets or

business units to reduce exposure.

Choice C is incorrect. Diversification benefits do not occur when we have a correlation of

exactly +1 between two risks. In fact, if two risks are perfectly positively correlated (+1), there

would be no diversification benefit at all because both risks would move in the same direction at


the same time.

Q.5107 The operational risk manager of a bank wishes to establish a robust operational risk
stress-testing framework. Which of the following is not a component of a robust operational risk
stress-testing framework?

A. Expected non-legal loss forecast module

B. Legal loss module

C. Idiosyncratic scenario add-on module

D. Regression models

The correct answer is D.

Regression modeling is one of two methodologies used by banks to model the frequency and

severity of operational risk losses. The other is the loss distribution approach (LDA).

A robust operational risk stress-testing framework consists of three elements to facilitate an

operational risk loss forecast based on quantitative and qualitative techniques.

A is incorrect. Expected non-legal loss forecast module: this module consists of a quantitative

model that projects and refines a loss forecast for each risk category depending on expert

judgment.

B is incorrect. Legal loss module: This module forecasts immaterial "bulk" litigation losses,

conditional litigation losses, and incremental litigation losses (the unknown unknowns).

C is incorrect. Idiosyncratic scenario add-on module: the module is developed to cover a bank's

idiosyncratic operational risk profile and bank-specific risk exposures derived from storylines.


Q.5108 The operational risk manager of a bank has asked a junior analyst to model total
operational risk losses and the frequency and severity of operational risk losses. Which of the
following methods would the junior analyst apply?

A. Reverse stress testing

B. Loss distribution approach

C. Monte Carlo simulation

D. AMA approach

The correct answer is B.

The loss distribution approach (LDA) is a commonly used method for modeling operational risk losses in banks. It involves

the use of statistical techniques to estimate the distribution of losses that could arise from

operational risk. The LDA models the frequency and severity of losses separately and then

combines them to estimate the total loss distribution. Some LDA models, such as frequency and

severity models, project losses based on Monte Carlo simulations. This approach allows for a

comprehensive analysis of potential losses, taking into account both the likelihood and impact of

operational risk events. Therefore, the LDA would be the most appropriate method for the junior

analyst to use in this scenario.

Choice A is incorrect. Reverse stress testing is a risk management tool used to evaluate the

potential impact of severe events or market conditions on a bank's financial condition. It does not

specifically model the total operational risk losses, nor the frequency and severity of these

losses.

Choice C is incorrect. Monte Carlo simulation is a computational algorithm that relies on

repeated random sampling to obtain numerical results; however, it does not specifically focus on

modeling operational risk losses in banking.

Choice D is incorrect. The Advanced Measurement Approach (AMA) for operational risk allows

banks to develop their own empirical model to quantify required capital for operational risk, but

it doesn't directly involve modeling the total operational risk losses as well as their frequency

and severity.
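The frequency-and-severity combination described in the Q.5108 explanation, as an added example that is not part of the original question bank. The Poisson frequency, the lognormal severity and every parameter value are assumptions chosen for illustration; the top-1% share it reports also illustrates the asymmetry of loss data discussed under Q.5099.

```python
"""Loss distribution approach (LDA) sketch: model frequency and severity
separately, then combine them by Monte Carlo into an annual loss distribution.
Distribution choices and parameters are constructed for illustration only."""
import math
import random


def draw_poisson(rng, lam):
    """Number of loss events in one year (Knuth's multiplication method).

    Adequate for the small annual frequencies used here.
    """
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, mu, sigma, years, seed=0):
    """Return (annual totals, individual event losses) over simulated years."""
    rng = random.Random(seed)
    annual, events = [], []
    for _ in range(years):
        n_events = draw_poisson(rng, lam)            # frequency model
        losses = [rng.lognormvariate(mu, sigma)      # severity model
                  for _ in range(n_events)]
        events.extend(losses)
        annual.append(sum(losses))                   # compound annual loss
    return annual, events


def quantile(values, q):
    """Empirical quantile: smallest value with at least q of the mass below."""
    ordered = sorted(values)
    index = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[index]


def tail_share(events, top_fraction):
    """Share of the total loss amount contributed by the largest events."""
    ordered = sorted(events, reverse=True)
    k = max(1, int(len(ordered) * top_fraction))
    return sum(ordered[:k]) / sum(ordered)


def summarize(lam=12.0, mu=10.0, sigma=1.2, years=20000, seed=7):
    """Run the simulation and report the usual LDA outputs."""
    annual, events = simulate_annual_losses(lam, mu, sigma, years, seed)
    expected = sum(annual) / len(annual)
    var_999 = quantile(annual, 0.999)
    return {
        # Closed form for a compound Poisson-lognormal mean, as a sanity check.
        "analytic_expected_loss": lam * math.exp(mu + sigma ** 2 / 2),
        "simulated_expected_loss": expected,
        "var_99_9": var_999,
        # Loss beyond the expected level at the 99.9% confidence level.
        "unexpected_loss": var_999 - expected,
        "top_1pct_event_share": tail_share(events, 0.01),
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name:>26}: {value:,.4f}")
```
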


Q.5109 A newly hired risk manager of a bank wishes to implement a robust operational risk
stress testing framework at the bank. Which of the following is a potential challenge the
manager is unlikely to face when developing and implementing models used in stress testing
operational risk?

A. Legal risk is characterized by the delay between adverse macroeconomic conditions
and legal losses suffered by banks

B. It is challenging for Conditional LDA to justify the severity percentile choice

C. Some LDA assumptions do not align with stress testing objectives

D. Quantitative-Qualitative Approach Dimension

The correct answer is D.

Quantitative-Qualitative Approach Dimension is not a challenge that the risk manager is likely to

face when developing and implementing models used in stress testing operational risk. This

term refers to one of the two dimensions of stress testing. A stress testing taxonomy, which

includes the Quantitative-Qualitative Approach Dimension, is a tool that aids in understanding

the evolution of stress testing and the variety of stress testing practices. Therefore, it is not a

challenge but rather a methodological approach that can be used in the process of stress testing.

Choice A is incorrect. Legal risk is indeed characterized by the delay between adverse

macroeconomic conditions and legal losses suffered by banks. This delay can make it difficult to

accurately model and predict future legal risks, which can be a significant challenge in stress

testing operational risk.

Choice B is incorrect. Justifying the severity percentile choice in Conditional Loss Distribution

Approach (LDA) can indeed be challenging. The choice of severity percentile has a significant

impact on the results of the stress test, making it a critical decision that requires careful

consideration and justification.

Choice C is incorrect. Some assumptions made in Loss Distribution Approach (LDA) may not

align with stress testing objectives, posing another challenge for operational risk stress testing.

For example, LDA assumes that loss events are independent and identically distributed, which

may not hold true under stressed conditions.


Reading 110: Cyber-resilience: Range of Practices

Q.4263 Assume you are the chief systems manager at your local bank. How best would you
approach the issue of cyber security in line with the Basel Committee Report on cyber-resilience
among regulated institutions?

A. To identify all instances of cyber warfare and establish the severity and potential
damage of attacks, and ensure that findings are publicized and acted upon immediately.

B. To single out all potentially crippling cyber-related vulnerabilities that expose the bank
to large-scale monetary or nonmonetary loss

C. Accept that there can be no absolute security and instead work on developing a robust
IT system and build local and international cooperation and information exchange in
order to reduce threat and build resilience

D. To identify all instances of cyber warfare and potential vulnerabilities with an eye on
complete eradication of threats

The correct answer is C.

The reality of cyber security is that there is no such thing as 'absolute security'. Cyber threats

are constantly evolving and new ones are emerging every day. It is virtually impossible to identify

and eliminate all potential attack points. Therefore, the most effective approach is to accept this

reality and focus on developing a robust IT system that is resilient to these threats. This involves

building both local and international cooperation and information exchange networks to reduce

the threat and protect critical information infrastructures. This approach aligns with the Basel

Committee's emphasis on cyber-resilience among regulated institutions.

Choice A is incorrect. While identifying instances of cyber warfare and assessing their severity

and potential damage is important, publicizing these findings immediately may not be the best

approach. This could potentially expose the bank to further attacks by revealing its

vulnerabilities. Moreover, this option does not consider building resilience or cooperation which

are key aspects of a comprehensive cybersecurity strategy.

Choice B is incorrect. Singling out all potentially crippling cyber-related vulnerabilities that

expose the bank to large-scale monetary or nonmonetary loss is a part of addressing

cybersecurity issues but it's not sufficient on its own. It lacks consideration for developing robust

IT systems and fostering local and international cooperation for information exchange, which are


crucial in reducing threats and building resilience.

Choice D is incorrect. Identifying all instances of cyber warfare and potential vulnerabilities

with an aim towards complete eradication of threats might be unrealistic as new threats can

emerge constantly due to technological advancements. Instead, focusing on reducing threat

levels through robust IT systems development and local and international cooperation for

information exchange would be more effective in enhancing cyber-resilience.


Q.4264 In response to the increasing number of threats in the cyber space, the Basel committee
has come up with a report aimed at inculcating cyber resilience across the banking industry. The
cyber risk resilience framework encompasses all of the following EXCEPT:

A. Threat anticipation

B. Adapting to changes in the cyber space

C. Rapid recovery from cyber incidents

D. None - All of the above form part of the cyber risk resilience framework

The correct answer is D.

The Basel Committee's report on cyber resilience includes all of the elements listed in the

options. The Financial Stability Board (FSB) defines cyber resilience as the 'ability of an

organization to continue to carry out its mission by anticipating and adapting to cyber threats

and other relevant changes in the environment and by withstanding, containing and rapidly

recovering from cyber incidents.' Therefore, all the options - threat anticipation, adapting to

changes in the cyber space, and rapid recovery from cyber incidents - are part of the cyber risk

resilience framework.

Choice A is incorrect. Threat anticipation is indeed a part of the cyber risk resilience

framework. It involves identifying potential cyber threats and preparing for them in advance to

minimize their impact.

Choice B is incorrect. Adapting to changes in the cyber space is also included in the

framework. This element emphasizes the need for banks to continuously update and adapt

their cybersecurity measures in line with evolving cyber threats.

Choice C is incorrect. Rapid recovery from cyber incidents forms an integral part of the

framework as well, highlighting the importance of quick response and recovery mechanisms after

a cybersecurity breach.

Q.4265 Capital Bank just went through a serious system breach that resulted in massive loss of
sensitive customer data. The information security department is attempting to restore the system
as well as locate critical data backups. Unfortunately, it appears no one knows exactly what


they are supposed to do. The bank also has a rapid recovery plan in place but the relevant
personnel do not know what protocol to follow in the execution process. What’s more, the
recovery team is struggling to put in a well-coordinated effort to carry out specific tasks. Which
of the following vulnerabilities is most likely to blame for this scenario?

A. Lack of a business impact analysis

B. Failure to back up sensitive data adequately

C. Failure to set up an alternate system

D. Failure to test the disaster recovery strategy

The correct answer is D.

The primary issue in this scenario is the failure to test the disaster recovery strategy. This is

highlighted in the Basel Committee Report on Cyber-Resilience Practices, which emphasizes the

importance of sufficient business continuity testing. Despite having a contingency and recovery

plan in place, many regulated entities do not conduct adequate testing to ensure the

effectiveness of these plans. A disaster recovery test is crucial as it ensures that all team

members are aware of their roles and responsibilities and are familiar with the steps to be

followed during the recovery period. In the case of Capital Bank, the lack of such testing has

resulted in confusion and inefficiency among the recovery team, thereby exacerbating the impact

of the system breach.

Choice A is incorrect. While a business impact analysis is crucial for understanding the

potential effects of system interruptions, it does not directly address the issues of role confusion

and lack of protocol understanding among the recovery team. These problems are more related

to disaster recovery strategy testing, which ensures that all personnel understand their roles and

responsibilities during a crisis.

Choice B is incorrect. The failure to back up sensitive data adequately could indeed result in

data loss during a system breach. However, this issue does not explain the confusion about roles

and responsibilities or the ineffective execution of the rapid recovery plan among relevant

personnel.

Choice C is incorrect. Setting up an alternate system can be part of a disaster recovery


strategy, but it doesn't necessarily ensure that team members understand their roles or how to

execute recovery plans effectively. This choice doesn't address the main problem described in

this scenario - lack of clarity on roles and ineffective execution due to misunderstanding

protocols.

Q.4266 Considering commerce and marketing, which of the following is a significant obstacle to
developing cyber resilience among regulated institutions around the globe?

A. Use of technology, including high-level automation and integration with third parties

B. Large-scale use of third party services

C. Cloud computing and related services

D. All of the above

The correct answer is D.

The biggest stumbling block toward inculcating cyber resilience among regulated institutions

has been high-level automation and use of systems that are heavily integrated with third-party

service providers and customers. This has resulted in an attack surface that is growing by the

day and has only served to increase accessibility from potential adversaries. Increased third

party integration implies that the perimeter of interest to financial sector regulators has gotten

bigger, and cloud computing means the perimeter is shared.

Options B and C both arise as a result of high-level automation and integration.

Q.4267 According to the Basel Committee report on cyber resiliency among institutions, which of
the following jurisdictions tend to have the least robust regulatory information sharing
frameworks?

A. Those with minimum freewill information sharing arrangements

B. Those with observable practices for information-sharing among banks

C. Jurisdictions that have recorded the smallest number of cyber-related incidents

D. Jurisdictions with the highest number of systemically important banks


The correct answer is B.

The Basel Committee's report indicates that jurisdictions with observable practices for

information-sharing among banks tend to have less robust regulatory information sharing

frameworks. This is because the regulators in these jurisdictions may not feel the need to

enforce stringent information-sharing policies if voluntary peer sharing practices are well

established and effective. Therefore, these jurisdictions may rely more on the voluntary

information-sharing practices among banks rather than on robust regulatory frameworks.

Choice A is incorrect. While it might seem intuitive that jurisdictions with minimum freewill

information sharing arrangements would have the least robust regulatory information sharing

frameworks, this is not necessarily the case. The term "freewill" implies that these jurisdictions

allow banks to decide whether or not to share information, which could potentially lead to more

robust frameworks if banks choose to share extensively. Therefore, this choice does not

definitively indicate a lack of robustness in regulatory information sharing frameworks.

Choice C is incorrect. The number of cyber-related incidents recorded in a jurisdiction does

not directly correlate with the robustness of its regulatory information sharing framework. A low

number of incidents could be due to effective cybersecurity measures rather than a strong

framework for sharing regulatory information.

Choice D is incorrect. The presence of systemically important banks within a jurisdiction

does not necessarily imply weak or strong regulatory information-sharing frameworks. These

banks may have advanced internal systems for managing cyber risk but it doesn't provide any

direct indication about the quality or effectiveness of their external communication and

cooperation with regulators and other institutions.


Q.4268 The Basel committee notes that most jurisdictions have adopted some information-
sharing mechanism between banks and regulators. According to the committee’s report, the
following are potential sources of concern EXCEPT?

A. The absence of a common standard

B. Sharing of information only when it is mandatory to do so

C. Absence of bank to bank information sharing

D. Reactive reporting of threats

The correct answer is C.

The Basel Committee's report on Cyber-Resilience Practices acknowledges that various

cybersecurity information-sharing mechanisms are currently in place. One of these mechanisms

is communication between banks, which typically occurs on a voluntary basis. Therefore, the

absence of bank-to-bank information sharing is not identified as a concern in the report. This is

because such sharing does occur, and it is not seen as a significant issue at present.

Choice A is incorrect. The absence of a common standard is indeed identified as a potential

issue in the committee's report. Without a common standard, there can be inconsistencies and

misunderstandings in the information shared between banks and regulators.

Choice B is incorrect. Sharing of information only when it is mandatory to do so is also

highlighted as a potential problem by the Basel Committee on Banking Supervision. This could

lead to important information not being shared in time or at all, if it's not deemed mandatory.

Choice D is incorrect. Reactive reporting of threats was also identified as an issue by the

committee. If banks only report threats after they have occurred, this limits the ability for

proactive measures to be taken to prevent such threats from materializing.


Q.4269 With respect to cyber security strategy as outlined in the Basel Committee report on
cyber-resilience, all of the following statements are correct EXCEPT?

A. All regulators expect regulated entities to have a board approved information security
strategy

B. Most jurisdictions have included cyber-risk within their broader risk management
frameworks

C. Most supervisors review regulated entities' information security strategies, but very
few require or evaluate those entities' standalone cyber-security strategies.

D. In most jurisdictions the development of a cyber-security strategy is a mandatory
requirement anchored in law

The correct answer is D.

The Basel Committee report on cyber-resilience does not mandate the development of a cyber-

security strategy in most jurisdictions. While it is true that cyber-security is a critical aspect of

information security, the report does not require regulated entities to have a standalone cyber-

security strategy. Instead, the focus is on having a board-approved information security strategy,

policy, and procedures that effectively oversee technology. This includes, but is not limited to,

cyber-security. Therefore, the statement that 'In most jurisdictions the development of a cyber-

security strategy is a mandatory requirement anchored in law' is incorrect.

Choice A is incorrect. The Basel Committee report does indeed state that all regulators expect

regulated entities to have a board approved information security strategy. This is part of the

broader framework for managing cyber risk and ensuring cyber resilience.

Choice B is incorrect. According to the Basel Committee report, most jurisdictions have

included cyber-risk within their broader risk management frameworks. This integration allows

for a more comprehensive approach to managing and mitigating risks associated with

cybersecurity.

Choice C is incorrect. It's true that most supervisors review regulated entities' information

security strategies, but very few require or evaluate those entities' standalone cyber-security

strategies as per the Basel Committee report.


Q.4270 Which of the following regulatory approaches has been adopted by jurisdictions as a way
of enforcing cyber-security strategy requirements among regulated entities?

I. Mandatory sector specific or cross-sector cyber-security requirements
II. A requirement to develop internal cyber-security strategies by financial institutions
III. Examining whether institutions have an active IT strategy and accompanying security
provisions

A. I and II only

B. II only

C. III only

D. All three

The correct answer is D.

The Basel Committee report on Cyber-resilience notes that jurisdictions enforce cyber-security

strategy requirements using one or a combination of the following:

I. Regulator-developed cyber security strategy requirements that must be observed by all
financial institutions. This is by far the most common approach, especially among
emerging market economies
II. Financial institutions may be required to develop their own cyber-security strategies
that are in compliance with existing risk management principles
III. The regulators actively examine whether financial entities have an IT strategy and
security provisions. This is especially common in Europe

Q.4271 John Henderson, FRM, is the newly appointed chief officer in charge of information
systems and security at Capital Bank. Upon scrutinizing the bank’s cyber-security strategy, he
has found that the bank lacks a well thought out business continuity plan that can be adopted in
the event of an exceptional event or crisis. With the help of other executives, he proceeds to
conduct a business impact assessment and singles out the most critical activities, resources, and
services that would be in need of rapid restoration in the event of a cyber-attack. Which of the
following activities would be most critical before finalizing and implementing the newly
developed plan?

A. Consultations with other banks in the same jurisdiction

B. Continuity tests


C. A detailed review of past cyber-related incidents

D. Data recovery tests

The correct answer is B.

Continuity tests are the most critical activity before finalizing and implementing a newly

developed business continuity plan. The Basel committee, a global standard setter for the

prudential regulation of banks, emphasizes the importance of business continuity tests. These

tests are designed to validate the effectiveness of the business continuity and crisis response

plans. For instance, the tests can assess whether it is feasible to restore services within the

stipulated timelines. This is crucial because, in the event of a cyber-attack or any other crisis, the

ability to quickly restore critical services can significantly mitigate the impact on the bank's

operations and reputation. Therefore, conducting continuity tests is a key step in ensuring that

the business continuity plan is robust and effective.

Choice A is incorrect. While consultations with other banks in the same jurisdiction can

provide valuable insights and best practices, it is not the most critical activity before finalizing

and implementing a business continuity plan. The primary focus should be on ensuring that the

plan works effectively within the specific context of Capital Bank.

Choice C is incorrect. A detailed review of past cyber-related incidents can help to identify

potential vulnerabilities and threats, but it does not directly test or validate the effectiveness of a

business continuity plan. Therefore, while useful, this activity is not as critical as conducting

continuity tests.

Choice D is incorrect. Data recovery tests are an important part of any business continuity

plan, especially in relation to cyber-attacks where data loss can occur. However, these tests are

only one component of a comprehensive business continuity strategy which also includes aspects

like restoring operations and services, communication plans etc., hence they do not hold

precedence over overall continuity tests.


Q.4272 According to the Basel Committee Report on Cyber-Resilience Practices, which of the
following is the “least observed practice across jurisdictions” with respect to information
sharing?

A. Information sharing among banks

B. Information sharing among regulators

C. Information sharing by banks with regulators

D. Information sharing by banks with security agencies

The correct answer is B.

The Basel Committee Report on Cyber-Resilience Practices has identified that the least observed

practice in terms of information sharing is among regulators. This is a concerning situation,

particularly considering the increasing sophistication and global nature of cyber-fraud. The lack

of information sharing among regulators can lead to a lack of awareness about emerging risks

and can hinder the development of a comprehensive, coordinated response. This could

potentially leave certain industry sectors vulnerable to cyber threats. Therefore, there is a

pressing need to enhance information sharing among regulators to ensure a robust and effective

response to cyber threats.

Choice A is incorrect. Information sharing among banks is not the least prevalent practice.

Banks often share information with each other to mitigate risks and enhance their cyber-

resilience practices. This collaboration allows them to learn from each other's experiences and

implement effective strategies.

Choice C is incorrect. Information sharing by banks with regulators is also not the least

prevalent practice. Banks are required to report certain types of information to regulators, such

as incidents of cyber-attacks or breaches, as part of their regulatory obligations.

Choice D is incorrect. Information sharing by banks with security agencies isn't the least

prevalent either. In fact, it's quite common for banks to collaborate with security agencies in

order to strengthen their defenses against potential cyber threats.


Q.4273 Exim Bank has just completed a risk assessment and business impact analysis (BIA) with
respect to cyber-attacks and the latest emerging threats and vulnerabilities in the cyber space.
However, the bank’s information security manager and business department manager don’t seem
to agree on who will ultimately be responsible for detailed evaluation of the results and risk
analysis. Which of the following would be the best course of action in these circumstances?

A. Acceptance and implementation of the information security manager’s decision on the
risk to the bank

B. Acceptance and implementation of the business department manager’s decision on the
risk to the bank

C. Creation of a new risk assessment and BIA plan to iron out the differences

D. Review the report with senior management for final input

The correct answer is D.

The senior management and executives of an organization play a pivotal role in the evaluation

and management of cyber risk. This is highlighted in the Basel Committee Report on Cyber

Resilience. Just like with other types of risks, the senior management is ultimately responsible

for promoting and maintaining cyber resilience within their institutions. They have the authority

and responsibility to streamline and resolve any issues that might arise during the process of

implementing a solution against cyber risk. In the given scenario, the disagreement between the

information security manager and the business department manager can be resolved by

involving the senior management. They can review the report, provide their inputs, and make the

final decision. This approach ensures that the decision is made at the highest level, taking into

consideration the overall strategic objectives and risk appetite of the organization.

Choice A is incorrect. While the information security manager's decision on the risk to the

bank is important, it should not be accepted and implemented without considering other

perspectives. The information security manager may have a deep understanding of cyber threats

and vulnerabilities, but they might lack a comprehensive view of business operations and

strategic objectives.

Choice B is incorrect. Similarly, accepting and implementing the business department

manager’s decision on the risk to the bank would also be inappropriate. Although this individual

likely has a strong understanding of business operations, they may not fully comprehend or


appreciate all aspects of cyber risks.

Choice C is incorrect. Creating a new risk assessment and BIA plan to iron out differences

could be time-consuming and costly without necessarily resolving disagreements between

different stakeholders in an organization. It would be more efficient to review existing

assessments with senior management who can provide balanced input based on their overall

understanding of both business operations and potential risks.


Q.4478 In the context of cyber-resilience practices, which of the following is/are considered (a)
third-party(ies)?

A. Cloud computing services

B. Computer hardware

C. Trading platforms

D. All of the above

The correct answer is D.

All of the options listed, i.e., cloud computing services, computer hardware, and trading

platforms, are considered third-parties in the context of cyber-resilience practices. Cloud

computing services are often outsourced by organizations to manage and store their data.

Computer hardware, such as servers and workstations, is typically purchased from external

suppliers. Trading platforms, which are used to conduct financial transactions, are also

considered third-parties as they are usually operated by external entities. Therefore, all of these

entities fall under the category of third-parties as they are external to the organization and play a

crucial role in its operations.

Choice A is incorrect. While cloud computing services are indeed a third-party entity, this

choice alone does not encompass all the possible third-party entities that an organization might

rely on for its operations in cyber-resilience.

Choice B is incorrect. Computer hardware can be considered as a third-party entity if it's

provided by an external vendor. However, similar to Choice A, this option alone does not cover all

the potential third-party entities involved in cyber-resilience.

Choice C is incorrect. Trading platforms can also be classified as a third-party entity if they are

externally provided and managed. But again, this choice doesn't include all other possible

external entities that contribute to an organization's cyber-resilience.

Q.4479 Assume that you are a human resource manager at a reputable bank. Your bank has
advertised the supply chain manager post, and you are entrusted with shortlisting the candidates
based on their qualifications. Based on the Basel committee report on regulated institutions,


what are the required qualifications for the candidates you should look for?

A. Certified by Certified Information Systems Security Professionals

B. Certified by an institution which is compliant to ISO 9001 Quality Management System

C. Should have considerable skills in risk management

D. All of the above

The correct answer is D.

The Basel Committee's report on regulated institutions suggests that a candidate for a

managerial position in a banking institution should ideally possess all the qualifications listed in

the options. This includes certification by Certified Information Systems Security Professionals

(CISSP), certification by an institution compliant with ISO 9001 Quality Management System,

and considerable skills in risk management. The CISSP certification ensures that the candidate

has a deep knowledge and understanding of new threats, technologies, regulations, standards,

and practices in the field of information security. ISO 9001 certification, on the other hand,

demonstrates that the candidate is familiar with quality management principles including a

strong customer focus, the involvement of top management, a process approach, and continual

improvement. Lastly, skills in risk management are crucial as they enable the candidate to

identify, assess, and prioritize risks followed by coordinated and economical application of

resources to minimize, monitor, and control the probability or impact of unfortunate events.

Choice A is incorrect. While certification by Certified Information Systems Security

Professionals (CISSP) can be beneficial for certain roles within a banking institution, it is not the

primary qualification to prioritize for a Supply Chain Manager position. The CISSP certification

focuses on information security, which, although important in every role, is not directly related to

supply chain management.

Choice B is incorrect. ISO 9001 Quality Management System compliance certification

indicates that an institution adheres to international standards of quality management. However,

this does not necessarily mean that an individual certified by such an institution would have the

specific skills required for managing a supply chain in a banking environment.


Choice C is incorrect. While risk management skills are crucial in many roles within a bank

due to the nature of the financial services industry, they are not the only qualifications needed for a

Supply Chain Manager position. Other skills and qualifications such as strategic planning and

operational efficiency are also essential.

Q.4480 According to the Basel Committee report on regulated institutions, information sharing
from the banks to regulators has some advantages, which include:

I. The regulator can systematically monitor the financial industry
II. The regulators can effectively oversee the incident resolution
III. Excessive information between the regulator and industries weakens the cyber-risk
response framework.
IV. Through the information collected by the regulators, they can give recommendations or
requirements to the industries, which can lead to an adjustment of the policies and
strategies.

Which of the above advantages are CORRECT?

A. I and II

B. I and III

C. I, II and III

D. I, II and IV

The correct answer is D.

Bank-regulator information sharing is essential because:

It enables the systematic monitoring of the financial industry by the regulators

The regulatory requirements or recommendations by the regulators can be enhanced to adjust the policies and strategies given the information collected

The regulators can effectively oversee the incident resolution

A robust cyber-risk response framework can be developed through the active sharing of information with industries and the regulators.


Q.4481 What is cyber resilience?

A. The ability of an entity to continue to execute its purpose by anticipating and adapting
to cyber threats

B. The ability of an entity to rapidly recover from the cyber occurrence

C. All of the above

D. None of the above

The correct answer is C.

Cyber resilience encompasses both the ability of an entity to continue to execute its purpose by

anticipating and adapting to cyber threats (Choice A) and the ability of an entity to rapidly

recover from the cyber occurrence (Choice B). Cyber resilience is not just about being able to

resist and withstand cyber threats, but also about being able to quickly recover and adapt in the

face of these threats. This involves having robust security measures in place, as well as effective

incident response and recovery plans. It's about being prepared for any potential cyber threats,

and being able to respond and adapt quickly when they occur.

Choice A is incorrect. While it is true that cyber resilience involves the ability of an entity to

continue its operations by anticipating and adapting to cyber threats, this definition alone does

not fully encompass the concept of cyber resilience. Cyber resilience also includes the ability to

rapidly recover from a cyber occurrence, which is not mentioned in this option.

Choice B is incorrect. This choice only focuses on one aspect of cyber resilience - the ability to

rapidly recover from a cyber occurrence. However, it misses out on another crucial aspect - the

ability to anticipate and adapt to potential threats, which makes this choice incomplete in

describing the full concept of cyber resilience.

Choice D is incorrect. The statement that none of these options describe the concept of cyber

resilience is false as both choices A and B partially describe aspects of it but neither fully

encapsulates all elements involved in achieving complete cybersecurity resiliency.

Q.4482 Assume that you are a cyber risk manager for a regulated company in a country where


cybersecurity regulations are absent. What is the best course of action you should take to ensure
that your company is secured against cyber threats?

A. Implement the international standard and use prescribed guidance and supervisory
practices

B. Develop new regulations to govern cyber risk in your organization

C. Develop a sound cybersecurity regulation according to regulations

D. Develop cyber risk awareness culture in your company according to regulations

The correct answer is A.

In the absence of specific cybersecurity regulations in a country, the best course of action for a

cyber risk manager would be to adhere to international standards and utilize the guidance and

supervisory practices prescribed by these standards. These international standards are

developed by experts in the field and are widely recognized and accepted. They provide a

comprehensive framework for managing cyber risks and include best practices for identifying,

assessing, and mitigating these risks. Implementing these standards would ensure that the

company is adequately protected against potential cyber threats, even in the absence of local

regulations. Furthermore, these standards are often used as a benchmark by regulators and

stakeholders to assess a company's cybersecurity posture. Therefore, adhering to these

standards would not only ensure the company's security but also enhance its reputation and

credibility in the eyes of stakeholders.

Choice B is incorrect. While developing new regulations to govern cyber risk in your

organization might seem like a good idea, it may not be the most effective strategy. This is

because creating new regulations can be time-consuming and costly, and there's no guarantee

that these regulations will cover all potential cyber threats. Furthermore, without expertise in

cybersecurity, the developed regulations may not be comprehensive or up-to-date with current

threats.

Choice C is incorrect. Developing a sound cybersecurity regulation according to existing

regulations would not be possible in this scenario as it was stated that the company operates in a

country where there are no specific regulations governing cybersecurity.


Choice D is incorrect. While developing a cyber risk awareness culture according to existing

regulations could potentially help mitigate some risks, it would not ensure adequate protection

against all potential cyber threats. This approach relies heavily on individual employees'

understanding and adherence to security practices which can vary greatly and leave gaps in

protection.

Q.4483 In the context of cyber governance, as described in the Basel Committee report on
regulated institutions, which one of the following statements about cyber-security strategy is
INCORRECT?

A. Most of the regulators require institutions to develop a cyber-security strategy

B. The organizations are expected to have a board-approved information security
strategy, policy, and procedures based on the rule of effective oversight of technology

C. The regulator or an authority enforces the cybersecurity strategy requirements in
sector-specific or across multiple industries with which financial institutions must comply

D. The financial institutions might develop their own cybersecurity strategies, but they
should comply with the principle-based risk management practices

The correct answer is A.

The statement that 'most of the regulators require institutions to develop a cyber-security strategy' is incorrect. While it is true that regulators emphasize the importance of cyber-security, it is not accurate to say that most regulators mandate the development of a specific cyber-security strategy. The Basel Committee's report does not state that most regulators require institutions to develop a cyber-security strategy. Instead, it suggests that institutions should have a robust and comprehensive cyber-security framework in place, which may include a strategy, but it does not explicitly require one. The report emphasizes the importance of a risk-based approach to cyber-security, which includes identifying, assessing, and managing cyber risks, rather than prescribing a specific strategy.

Choice B is incorrect. The Basel Committee indeed expects organizations to have a board-approved information security strategy, policy, and procedures. This is in line with the principle of effective oversight of technology which emphasizes that senior management should be responsible for overseeing the firm's IT framework.

Choice C is incorrect. The statement accurately represents the Committee's stance on cyber-security strategy. Regulators or authorities do enforce cybersecurity strategy requirements either sector-specific or across multiple industries with which financial institutions must comply.

Choice D is incorrect. Financial institutions are allowed to develop their own cybersecurity strategies as long as they comply with principles-based risk management practices. This allows for flexibility while ensuring that key risk management principles are adhered to.

Q.4484 According to the Basel Committee’s report on the regulated institutions, cyber risk awareness and risk culture is enhanced through:

A. Cyber training, incorporated in all phases of employment, from recruitment to termination, in a regulated institution

B. Having effective processes and controls that ensure that employees, contractors, and third-party dealers understand their roles and responsibilities in the quest to reduce the risk of theft, fraud, or misuse of the institution’s facilities

C. Establishing a common risk culture to ensure effective cyber-risk management

D. All of the above

The correct answer is D.

The Basel Committee's report on regulated institutions emphasizes the importance of cyber risk awareness and a robust risk culture. It suggests several methods to enhance these aspects, all of which are represented in the choices provided. Choice A refers to the incorporation of cyber training in all phases of employment, from recruitment to termination. This is a crucial aspect of creating a culture of cyber risk awareness as it ensures that all employees, regardless of their role or tenure, are equipped with the necessary knowledge and skills to identify and mitigate cyber risks. Choice B refers to the establishment of effective processes and controls that ensure that all stakeholders, including employees, contractors, and third-party dealers, understand their roles and responsibilities in reducing the risk of theft, fraud, or misuse of the institution's facilities. This is an essential component of a robust risk culture as it ensures that everyone involved in the institution's operations is accountable for managing cyber risks. Finally, Choice C refers to the establishment of a common risk culture to ensure effective cyber-risk management. This is a fundamental aspect of a robust risk culture as it ensures that all stakeholders share the same understanding and approach to managing cyber risks.

Choice A is incorrect. While cyber training is indeed a crucial part of enhancing cyber risk awareness, it is not the only method recommended by the Basel Committee. The report also emphasizes having effective processes and controls in place and establishing a common risk culture.

Choice B is incorrect. Although having effective processes and controls that ensure employees, contractors, and third-party dealers understand their roles in reducing risks of theft, fraud or misuse of facilities is important, this alone does not fully represent the recommendations made in the Basel Committee's report. Other methods such as cyber training and establishing a common risk culture are also suggested.

Choice C is incorrect. Establishing a common risk culture to ensure effective cyber-risk management is one of the recommendations made by the Basel Committee but it does not encompass all suggestions made in the report. Cyber training for all phases of employment and having effective processes are also recommended.

Reading 111: Case Study: Cyberthreats and Information Security Risks

Q.5110 Which of the following is not an example of an involuntary disclosure under the taxonomy of information security risks?

A. Database loss

B. Virus infection

C. System disruptions

D. Loss of printed documents

The correct answer is B.

Virus infection is not an example of an involuntary disclosure under the taxonomy of information security risks. Instead, it falls under the category of data theft or corruption caused by external factors. In this scenario, the disclosure of information is not unintentional or involuntary. Rather, it is a deliberate act by an external entity (the virus) to access, steal, or corrupt the data. This is different from involuntary disclosure, where the information is unintentionally exposed due to various reasons such as system disruptions, database loss, loss of devices by staff members, or accidental mentions of confidential information when communicating to outsiders.

Choice A is incorrect. Database loss can be considered as an 'involuntary disclosure' because it involves the unintentional exposure of sensitive information. This could occur due to various reasons such as system failures, human errors, or cyber attacks.

Choice C is incorrect. System disruptions can also lead to 'involuntary disclosure'. For instance, during a system disruption, sensitive data might become accessible to unauthorized individuals or entities.

Choice D is incorrect. Loss of printed documents falls under the category of 'involuntary disclosure'. If these documents contain sensitive information and are lost or misplaced, they could potentially be found and accessed by unauthorized individuals.

Q.5111 Which of the following is not one of the five guidelines offered by The National Institute of Standards and Technology (NIST) on cybersecurity standards?

A. Identify

B. Protect

C. Mitigate

D. Recover

The correct answer is C.

Mitigate is not one of the five guidelines offered by The National Institute of Standards and Technology (NIST) on cybersecurity standards. While mitigation is a common term used in risk management and information security, it is not specifically listed as one of the five key steps in the NIST's cybersecurity framework. Mitigation generally refers to the process of reducing the severity, seriousness, or painfulness of something. In the context of cybersecurity, this could involve actions taken to reduce the impact of a security breach or to prevent future breaches. However, the NIST's framework focuses on the steps of Identify, Protect, Detect, Respond, and Recover.

Choice A is incorrect. "Identify" is indeed one of the five key guidelines established by NIST for cybersecurity standards. It involves understanding the business context, resources that support critical functions, and related cybersecurity risks to an organization's information systems.

Choice B is incorrect. "Protect" is also a part of NIST's five guidelines for cybersecurity standards. This guideline focuses on developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services.

Choice D is incorrect. "Recover" too falls under the NIST's five guidelines for cybersecurity standards. It emphasizes developing and implementing activities necessary to restore any capabilities or services that were impaired due to a cybersecurity event.

Q.5112 Which of the following is an external cause of information security risk?

A. Database loss

B. Loss of printed documents

C. Systems disruptions

D. Departing employees taking proprietary information

The correct answer is C.

Systems disruptions are an example of an external cause of information security risk. External causes of information security risks are factors that originate outside of the organization but can still impact the confidentiality, integrity, and availability of information and systems. Examples of external causes include system disruptions, hacking, phishing, theft, or transfer of digital/physical information. System disruptions can occur due to various reasons such as natural disasters, power outages, or cyber-attacks. These disruptions can lead to downtime, loss of data, and can severely impact the operations of an organization. Therefore, it is crucial for organizations to have robust disaster recovery and business continuity plans in place to mitigate the impact of such disruptions.

Choice A is incorrect. Database loss is typically an internal risk, often resulting from technical failures or human errors within the organization. It could be due to hardware failure, software bugs, or even accidental deletion by an employee.

Choice B is incorrect. Loss of printed documents is also an internal risk as it usually occurs due to mishandling of physical documents within the organization's premises. This could be due to negligence, lack of proper storage facilities or inadequate document management procedures.

Choice D is incorrect. Departing employees taking proprietary information represents an internal threat rather than external. This can occur when employees who have access to sensitive information leave the company and take this information with them for personal gain or use at a new employer.

Q.5113 Which of the following five guidelines offered by The National Institute of Standards and Technology (NIST) on cybersecurity standards is related to reporting an attack to law enforcement and other authorities?

A. Recover

B. Respond

C. Protect

D. Detect

The correct answer is B.

The 'Respond' guideline provided by the National Institute of Standards and Technology (NIST) is specifically designed to address the process of reporting a cyber attack to law enforcement and other relevant authorities. This guideline emphasizes the importance of creating and regularly testing a plan for reporting such incidents. The goal is to ensure that organizations are prepared to take immediate and effective action in the event of a cyber attack. This includes not only identifying and mitigating the attack but also communicating the incident to the appropriate authorities. This is crucial for several reasons. Firstly, it allows law enforcement agencies to investigate the incident and potentially take action against the perpetrators. Secondly, it can help other organizations to be aware of the threat and take necessary precautions. Lastly, it contributes to the overall body of knowledge about cyber threats, helping to improve cybersecurity measures and strategies.

Choice A is incorrect. The "Recover" guideline from NIST focuses on developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. It does not specifically address the process of reporting a cyber attack.

Choice C is incorrect. The "Protect" guideline from NIST involves developing and implementing the appropriate safeguards to ensure delivery of critical infrastructure services. This includes access control, awareness and training, data security, information protection processes and procedures, maintenance, protective technology, etc., but it does not involve reporting a cyber attack.

Choice D is incorrect. The "Detect" guideline from NIST refers to developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event in a timely manner, which includes anomalies detection, security continuous monitoring, etc., but it doesn't cover reporting an incident.

Q.5114 Which of the following is not one of the actions under the respond guideline of the National Institute of Standards and Technology (NIST) on cybersecurity standards?

A. Notifying customers, employees, and others whose data may be at risk

B. Keeping business operations up and running

C. Investigating any unusual activities on your network or by your staff

D. Reporting the attack to law enforcement and other authorities

The correct answer is C.

The action of 'Investigating any unusual activities on your network or by your staff' is not part of the 'respond' guideline of the NIST cybersecurity standards. Instead, this action falls under the 'detect' guideline. The 'detect' guideline focuses on the identification of potential cybersecurity events and the subsequent assessment of their impact. This includes monitoring and analyzing the organization's networks and systems to identify any unusual or suspicious activities that could indicate a cybersecurity threat. Therefore, investigating unusual activities is a proactive measure aimed at detecting potential threats before they can cause significant damage, rather than a reactive measure in response to a confirmed cybersecurity incident.

Choice A is incorrect. Notifying customers, employees, and others whose data may be at risk is indeed a part of the 'respond' guideline of the NIST cybersecurity standards. This action ensures that those potentially affected by a cyber attack are aware of the situation and can take necessary precautions to protect their information.

Choice B is incorrect. Keeping business operations up and running during a cyber attack is also included in the 'respond' guideline. The aim here is to minimize disruption to services while dealing with the incident.

Choice D is incorrect. Reporting an attack to law enforcement and other authorities falls under the 'respond' guideline as well. This step helps in investigating the incident further and possibly preventing similar attacks in future.

Q.5115 Which of the following is a category of informational controls that address actions taken by people when it comes to handling and protecting information?

A. Technical controls

B. Behavioral controls

C. Prevention controls

D. Detection controls

The correct answer is B.

Behavioral controls are a category of informational controls that address actions taken by people when it comes to handling and protecting information. They are a type of administrative control that focuses on influencing the behavior of people within an organization to reduce information security risks. Examples of behavioral controls include security awareness training, policies and procedures, background checks, and security clearances. These controls are designed to ensure that individuals within an organization are aware of the potential risks associated with information handling and are equipped with the necessary knowledge and skills to mitigate these risks. They are crucial in creating a security-conscious culture within an organization, thereby enhancing the overall effectiveness of information security management.

Choice A is incorrect. Technical controls, also known as logical controls, primarily involve the use of software and hardware to protect information systems. They do not directly influence the behavior of individuals within an organization.

Choice C is incorrect. Prevention controls are measures taken to prevent security incidents from occurring in the first place. While they may indirectly influence behavior by setting up barriers or restrictions, their primary focus is not on influencing individual behavior.

Choice D is incorrect. Detection controls are designed to identify and respond to security incidents after they have occurred. They do not primarily focus on influencing individual behavior but rather on identifying breaches in security.

Q.5116 Which of the following is not a requirement for a company to be certified as ISO27001 compliant?

A. Have an Information Security Management System (ISMS) that manages its information security risks

B. Design and implement information security, including effective and comprehensive controls

C. Adopt an ongoing risk management process

D. Guidance in response and recovery from cybersecurity incidents

The correct answer is D.

The requirement for guidance in response and recovery from cybersecurity incidents is not a part of ISO27001 compliance. This is a guideline provided by the NIST Framework for Improving Critical Infrastructure Cybersecurity. ISO27001 focuses on the establishment and maintenance of an Information Security Management System (ISMS), risk management, and the implementation of effective controls. While it does require a procedure for responding to and managing information security incidents, it does not specifically require guidance in response and recovery from cybersecurity incidents. Therefore, this is not a requirement for a company to be certified as ISO27001 compliant.

Choice A is incorrect. Having an Information Security Management System (ISMS) that manages its information security risks is indeed a requirement for ISO27001 certification. The ISMS should be designed to ensure the selection of adequate and proportionate security controls that protect information assets and give assurance to interested parties.

Choice B is incorrect. Designing and implementing effective and comprehensive controls for information security is also a requirement for ISO27001 certification. These controls are necessary to manage or reduce the risks identified through the risk assessment process.

Choice C is incorrect. Adopting an ongoing risk management process is another requirement for ISO27001 certification. This involves conducting regular reviews and audits of the ISMS to ensure its continual improvement in line with changes in the threat environment, business circumstances, legal requirements, etc.

Q.5117 A risk manager at a large bank claims that when talking about information control, it is important to consider the different types or categories of control that exist. These categories can provide a framework for understanding how information is being controlled, who has control over it, and what the implications of that control may be. Which of the following is a correct category of information control?

A. Protect

B. Recover

C. Behavioral

D. Detect

The correct answer is C.

Information control can be broadly classified into two categories: Behavioral controls and Technical controls. Behavioral controls involve the implementation of policies, procedures, and training programs that aim to influence the behavior of individuals who handle sensitive information. The primary objective of this category of information control is to minimize the potential for human error or deliberate misconduct that could compromise the confidentiality, integrity, or availability of information. This is achieved by addressing human behaviors related to the handling and protection of information. Behavioral controls are crucial in any information security framework as they directly deal with the human element, which is often considered the weakest link in the security chain.

Choice A is incorrect. "Protect" is not a category of information control but rather an action or measure taken within the framework of information control. It refers to the steps taken to safeguard sensitive data from unauthorized access, use, disclosure, disruption, modification, or destruction.

Choice B is incorrect. "Recover" also does not represent a category of information control. Instead, it's a part of disaster recovery planning which involves restoring operations critical for the resumption of business after a disaster or disruption in services.

Choice D is incorrect. "Detect", like protect and recover, does not represent a category but rather an action within the framework of information control. It refers to identifying potential threats and vulnerabilities that could compromise data security.

Q.5118 Which of the following five guidelines offered by The National Institute of Standards and Technology (NIST) on cybersecurity standards involves creating and sharing a company cybersecurity policy that covers roles and responsibilities of employees?

A. Recover

B. Protect

C. Identify

D. Detect

The correct answer is C.

The 'Identify' guideline provided by NIST is primarily concerned with the identification of all the resources that a company uses. This includes equipment, software, and data. In addition to this, the 'Identify' guideline also involves the creation and sharing of a company's cybersecurity policy. This policy is crucial as it outlines the roles and responsibilities of the employees in relation to cybersecurity. It helps in ensuring that all employees are aware of their duties and responsibilities in maintaining the security of the company's digital assets. This guideline is the first step in a company's cybersecurity strategy as it helps in identifying the resources that need to be protected and the roles that employees will play in this protection.

Choice A is incorrect. The 'Recover' guideline by NIST refers to the development and implementation of appropriate activities necessary to restore any capabilities or services that were impaired due to a cybersecurity event. It does not involve the creation and dissemination of a company's cybersecurity policy.

Choice B is incorrect. The 'Protect' guideline by NIST involves developing and implementing safeguards to ensure delivery of critical infrastructure services, rather than outlining roles and responsibilities in a cybersecurity policy.

Choice D is incorrect. The 'Detect' guideline by NIST refers to the development and implementation of appropriate activities that identify the occurrence of a cybersecurity event, not about creating or disseminating a company's cybersecurity policy.

Q.5119 Which of the following actions does not fall under the ‘protect’ step of the National Institute of Standards and Technology (NIST) guidelines?

A. Controlling who logs onto a company’s network

B. Updating security software regularly

C. Creating a company cybersecurity policy that covers roles and responsibilities of employees

D. Having formal policies for safely disposing of electronic files

The correct answer is C.

Creating a company cybersecurity policy that covers roles and responsibilities of employees does not fall under the 'protect' step of the National Institute of Standards and Technology (NIST) guidelines. This action is actually a part of the 'identify' step of the NIST framework. The 'identify' step involves understanding the business context, the resources that support critical functions, and the related cybersecurity risks. This enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. The creation of a cybersecurity policy that outlines the roles and responsibilities of employees is a crucial part of this step as it helps to clearly define who is responsible for what in the context of cybersecurity.

Choice A is incorrect. Controlling who logs onto a company’s network is indeed part of the 'protect' step in the NIST guidelines. This action helps to ensure that only authorized individuals have access to sensitive information, thereby reducing the risk of cyber threats.

Choice B is incorrect. Regularly updating security software aligns with the 'protect' step as it helps to safeguard digital assets by ensuring that any potential vulnerabilities are addressed promptly and effectively.

Choice D is incorrect. Having formal policies for safely disposing of electronic files also falls under the 'protect' step in NIST's cybersecurity framework. Proper disposal prevents unauthorized access or recovery of sensitive data from discarded devices or files.

Reading 112: Sound Management of Risks related to Money Laundering and Financing of Terrorism

Q.2987 Which of the following is the main driver behind the Know Your Customer (KYC) programs outlined in the Basel Committee's papers on customer due diligence for banks?

A. Protecting the integrity of the banking systems.

B. The Financial Action Task Force's (FATF) recommendations.

C. Protecting the integrity of the capital markets.

D. Customer protection.

The correct answer is A.

The main driver behind the Know Your Customer (KYC) programs, as outlined in the Basel Committee's papers on customer due diligence for banks, is to protect the integrity of the banking systems. The primary motivation for these KYC programs is to prevent financial crimes such as money laundering, terrorist financing, and other activities that can jeopardize the banking system's integrity. KYC programs assist banks in identifying and verifying their customers' identities, assessing the risks associated with their activities, and monitoring their transactions for suspicious activity. This helps in maintaining the integrity of the banking systems by ensuring that the banks are not used as a medium for illegal activities.

Choice B is incorrect. While the Financial Action Task Force's (FATF) recommendations do play a significant role in shaping global financial regulations, they are not the primary driver for implementing KYC programs as per the Basel Committee's guidelines. The main aim of these programs is to protect the integrity of banking systems rather than adhering to FATF recommendations.

Choice C is incorrect. Protecting the integrity of capital markets, although important, is not the primary reason for implementing KYC programs according to Basel Committee's guidelines. These programs are primarily designed to safeguard banking systems from various financial crimes and not specifically targeted towards capital markets.

Choice D is incorrect. Customer protection, while an essential aspect of any banking operation, isn't the primary factor driving KYC implementation as per Basel Committee's guidelines. The main objective here is protecting banking system integrity rather than individual customer protection.

Q.2988 In the context of a banking institution, the anti-money laundering representative plays a crucial role in ensuring the organization's compliance with anti-money laundering regulations. This representative is responsible for regularly updating the senior management about the progress and effectiveness of the anti-money laundering program. Which report would be the most beneficial for the representative to use in order to provide a comprehensive update to the senior management about the progress of the anti-money laundering program?

A. Law enforcement inquiry details

B. Credit exposure report

C. Management changes notification

D. Report on audits and examinations results

The correct answer is D.

Reports on audit and examination results would be the most useful report for informing senior management about the organization's anti-money laundering program's progress. This report would provide an in-depth look at the organization's anti-money laundering program, highlighting its strengths and weaknesses. It would contain information on any audits or examinations that have taken place, as well as any findings or recommendations made by auditors or examiners. The report would also detail any actions taken in response to these findings, as well as any improvements or enhancements made to the program over time.

A is incorrect. These details are typically related to specific cases and investigations, rather than the overall progress of the program.

B is incorrect. A credit exposure report provides information about the amount of credit risk the bank is exposed to, but it is not necessarily related to the progress of the anti-money laundering program.

C is incorrect. While changes in management can impact the program's effectiveness, this information does not provide an overview of the program's progress or its strengths and weaknesses.

Q.2991 Blackest Bank wants to promote an anti-money laundering culture. Which of the following is an appropriate action by the senior management to enable them to achieve the said task?

A. As an employment condition, compliance with anti-money laundering procedures should be included.

B. The management should have close ties with the anti-money laundering program’s independent auditors.

C. Employee’s compensation should be based on how many suspicious activities they engage in.

D. Back-end employees must attend training sessions with frontline employees.

The correct answer is A.

Things to Remember

1. Anti-money laundering measures are crucial for financial institutions to prevent and detect the use of their services for money laundering or terrorist financing activities.

2. Effective anti-money laundering measures include establishing robust internal controls, providing regular training to employees, conducting regular audits and reviews, and ensuring compliance with all relevant laws and regulations.

3. It is important for organizations to foster a culture of compliance where all employees understand their roles and responsibilities in relation to anti-money laundering procedures and are committed to adhering to these procedures.

4. Any measure that could potentially incentivize suspicious activities or compromise the independence and objectivity of audits and reviews should be avoided as it could undermine the effectiveness of the anti-money laundering program.

Q.3122 Under what circumstances may a bank rely on a third party for customer due diligence (CDD)?

A. When the third party has an established business relationship with the customer.

B. When the third party is a bank or financial institution, regardless of the nature of the
relationship with the customer.


C. When the third party is subject to different levels of supervision and regulation than
the bank, but is able to demonstrate a strict AML/CFT program.

D. When the bank conducts periodic checks to ensure the third party's CDD process is
more comprehensive than its own.

The correct answer is A.

A bank may rely on a third party for customer due diligence (CDD) when the third party has an

established business relationship with the customer. This is because the third party, having an

established relationship, would have a better understanding of the customer's financial behavior

and risk profile. The bank can leverage this understanding to conduct a more effective CDD.

However, the bank must establish a written document acknowledging the reliance on the other

party's CDD processes. This is to ensure that the bank has a clear understanding of the third

party's CDD processes and can hold them accountable for any lapses in the CDD.

Choice B is incorrect. While it might seem logical for a bank to rely on another financial

institution for CDD, the nature of the relationship with the customer is crucial. Simply being a

bank or financial institution does not automatically qualify a third party to conduct CDD on

behalf of another bank.

Choice C is incorrect. The level of supervision and regulation that a third party is subject to,

even if different from that of the bank, does not necessarily make them suitable for conducting

CDD. They must also have an established business relationship with the customer and be able to

demonstrate strict adherence to AML/CFT programs.

Choice D is incorrect. Conducting periodic checks on the third party's CDD process does not

justify relying on them for this task unless they have an established business relationship with

the customer. The comprehensiveness of their process alone cannot be used as a criterion for

selection.


Q.3123 A bank in Italy holds a business account for an Italian company that sells suits
throughout Europe and North America. Information provided during the account opening
process states that the purpose of this account is to receive payment for sales. A year-long
review of the account shows a pattern of wire transfers coming from pass-through accounts.
There are also significant transactions involving purchases of garment and cotton from China
and India. The MOST important factor in assessing whether money laundering is a threat is that:

A. The account is apparently used for both sales and purchases.

B. Payments originate from third party accounts.

C. Account holder maintains raw materials rather than finished pieces of clothing.

D. Most transactions involve wire transfers rather than cash deposits.

The correct answer is B.

The fact that payments are originating from third-party accounts, specifically pass-through

accounts, is the most significant factor when assessing the threat of money laundering.

Pass-through accounts are those through which banking institutions extend money transfer privileges

to the customers of other institutions, often foreign banks. These accounts can be more

susceptible to higher risk because banks do not subject the foreign customers to the same level

of due diligence as domestic customers who want to open checking and other accounts.

Therefore, there is a possibility that the money wired into the account comes from illicit

activities. This makes it a critical factor in assessing the potential threat of money laundering.

Choice A is incorrect. The account being used for both sales and purchases is a normal

business practice and does not necessarily indicate money laundering. It's common for

businesses to have accounts that handle both inflows (sales) and outflows (purchases).

Choice C is incorrect. The fact that the account holder maintains raw materials rather than

finished pieces of clothing doesn't necessarily suggest money laundering. This could simply be

indicative of the nature of their business operations, which involves manufacturing suits.

Choice D is incorrect. While cash transactions can often be a red flag in terms of potential

money laundering, the use of wire transfers isn't inherently suspicious or indicative of illicit

activity. Many legitimate businesses prefer wire transfers due to their speed, convenience, and

security.


Q.3124 Which of the following is the main role of supervisors in banks under the Anti-Money
Laundering (AML) and Countering Financing of Terrorism (CFT) framework put forth by the
Basel Committee?

A. Approval and oversight of AML/CFT risk management policies and procedures.

B. Advising banks on the best risk management strategies.

C. Evaluating whether the reporting entity has an appropriate and reasonable risk
assessment, and an AML/CFT programme that reflects inherent risks.

D. Helping banks to develop a sound AML/CFT risk management system that can keep
track of all customer transactions.

The correct answer is C.

The role of supervisors is to independently scrutinize and verify AML/CFT policies and
procedures. They have a mandate to ensure that banks in their jurisdiction maintain sound
ML/FT risk management to protect the integrity of both the banks and the financial system as a
whole.

A is incorrect. Approval and oversight is the responsibility of the board.

B and D are duties of the chief AML/CFT officer.


Q.3125 What is the role of the AML/CFT chief officer in the second layer of defense in anti-money
laundering and countering the financing of terrorism?

A. Conducting customer due diligence checks.

B. Continuously monitoring the bank's compliance with AML/CFT duties.

C. Conducting forensic investigations into suspicious transactions.

D. Reviewing and approving high-risk transactions.

The correct answer is B.

The AML/CFT chief officer is responsible for continuously monitoring the bank's compliance with

AML/CFT duties as part of the second layer of defense in anti-money laundering and countering

the financing of terrorism. This includes conducting sample testing to ensure compliance and

reviewing exception reports to alert senior management or the board of directors if there are

concerns that AML/CFT procedures are not being addressed in a responsible manner.

A is incorrect. Customer due diligence checks are typically conducted by the first line of

defense, which includes customer-facing employees such as relationship managers.

C is incorrect. Forensic investigations into suspicious transactions are typically conducted by

specialized units within the bank's compliance function.

D is incorrect. Reviewing and approving high-risk transactions is typically the responsibility of

the bank's compliance function or risk management function.

Q.3126 Paul Khan, a risk manager at the bank of India, is presenting to the board of directors on
important AML/CFT considerations including responsibilities of various components of AML/CFT
governance. What is the responsibility of internal audit in the bank's AML/CFT policies and
procedures?

A. Monitoring customer transactions.

B. Approving new customer accounts.

C. Evaluating the effectiveness of risk management and controls.

D. Developing AML/CFT policies and procedures.


The correct answer is C.

The primary responsibility of the internal audit department in a bank's AML/CFT policies and

procedures is to evaluate the effectiveness of risk management and controls. The internal audit

department is considered the third line of defense in a bank's risk management structure. They

are responsible for providing an independent and objective review of the bank's operations and

controls, including those related to AML/CFT. They assess the adequacy and effectiveness of the

bank's risk management system and internal controls, identify areas of risk and non-compliance,

and recommend improvements. Their findings are reported to the board of directors' audit

committee or a similar oversight body, which then takes appropriate action based on these

findings.

Choice A is incorrect. Monitoring customer transactions is not the primary responsibility of the

internal audit department. This task typically falls under the purview of the compliance or

operations department, which has direct access to transaction data and can monitor for

suspicious activity on a real-time basis.

Choice B is incorrect. Approving new customer accounts is also not a primary function of the

internal audit department. This responsibility usually lies with the client relationship

management or business development teams, who are in charge of onboarding new clients and

ensuring they meet all necessary regulatory requirements.

Choice D is incorrect. Developing AML/CFT policies and procedures isn't primarily done by the

internal audit department but rather by a specialized team within compliance or risk

management departments that have expertise in regulatory requirements and best practices for

AML/CFT governance.

Q.3127 The following are lines of defense in the context of AML/CFT EXCEPT:

A. The supervisor

B. The internal audit function

C. The chief AML/CFT officer and the compliance department


D. Customer-facing activities

The correct answer is A.

The supervisor is not considered a line of defense in the context of AML/CFT. The lines of

defense in AML/CFT are typically internal mechanisms within an organization designed to

prevent, detect, and mitigate money laundering and terrorist financing risks. These include the

business units or customer-facing activities, the Chief AML/CFT Officer and the compliance

department, and the internal audit function. The supervisor, while playing a crucial role in

overseeing and enforcing compliance with AML/CFT regulations, is not a line of defense in the

same sense as these internal mechanisms. The supervisor's role is more of an external oversight

function, ensuring that the organization's internal lines of defense are functioning effectively and

in compliance with relevant regulations.

Choice B is incorrect. The internal audit function is indeed a line of defense in the AML/CFT

context. It provides an independent, objective assurance and consulting activity designed to add

value and improve an organization's operations. It helps an organization accomplish its

objectives by bringing a systematic, disciplined approach to evaluate and improve the

effectiveness of risk management, control, and governance processes.

Choice C is incorrect. The chief AML/CFT officer and the compliance department are also

considered as a line of defense in the AML/CFT context. They are responsible for developing

policies and procedures to detect, prevent, monitor, report on money laundering/terrorist

financing activities.

Choice D is incorrect. Customer-facing activities are also considered as a line of defense in the

AML/CFT context because they involve direct interaction with customers which can help identify

suspicious transactions or behaviors that may indicate money laundering or terrorist financing

activities.

Q.3128 What is the reasoning behind implementing a “risk-based anti-money laundering and
combating financial terrorism approach”?


A. It allows banks to focus on selling products that surpass a specified “hurdle” rate of
return.

B. A qualitative approach would yield better results than a quantitative approach.

C. Banks can best detect instances of money laundering by customers where the money
laundering risks are high.

D. It allows banks to best monitor their profits.

The correct answer is C.

The primary reason for implementing a 'risk-based anti-money laundering and combating

financial terrorism approach' is to enable banks to better detect instances of money laundering

by customers where the money laundering risks are high. This approach allows banks to

consider all relevant inherent and residual risk factors at various levels, including country,

sector, bank, and business relationship. By doing so, banks can determine their risk profile and

create customer risk profiles based on the nature and amount of their transactions. This enables

them to group accounts based on the level of risk posed, making it easier to identify and flag

suspicious activity.

Choice A is incorrect because the 'risk-based anti-money laundering and combating financial

terrorism approach' is not primarily designed to allow banks to focus on selling products that

surpass a specified 'hurdle' rate of return. While banks do aim to sell products that yield high

returns, the primary purpose of this approach is to detect and prevent money laundering and

financial terrorism, not to maximize profits.

Choice B is incorrect because the 'risk-based anti-money laundering and combating financial

terrorism approach' is not about choosing a qualitative approach over a quantitative one. Both

qualitative and quantitative methods can be used in this approach, depending on the specific

circumstances and requirements. The main objective of this approach is to identify and manage

money laundering risks effectively, regardless of the methods used.

Choice D is incorrect because the 'risk-based anti-money laundering and combating financial

terrorism approach' is not primarily aimed at allowing banks to monitor their profits. While profit

monitoring is an important aspect of banking operations, the main purpose of this approach is to


detect and prevent money laundering and financial terrorism. Profit monitoring and risk

management are two distinct aspects of banking operations.

Q.3129 Simon works as the chief risk officer at XYZ Bank. He is looking at the transactions of
one of the bank’s customers, Mr. Lincoln, a commercial account holder and owner of a check
cashing company. Over the last eight months, Mr. Lincoln has made multiple check deposits but
not a single withdrawal of cash against those deposits. Mr. Lincoln also deposited two checks for
US$10,000 each that were issued by an infamous casino in town. When checking the account’s
details, Simon finds out that during account opening, Mr. Lincoln went to great lengths to
establish the various fees and commissions attached to his account. Mr. Lincoln also has a savings
account at the bank, but it has had little activity over the same period. What should arouse
Simon’s suspicion the most? Mr. Lincoln:

A. Showed an untypical level of curiosity about fees.

B. Made significant deposits from casinos.

C. Has multiple accounts at the institution.

D. Did not make withdrawals of cash against check deposits.

The correct answer is D.

Check cashing companies, also known as money services businesses, provide customers with an

easy way to turn their checks into cash without having to rely on a bank account. As such, one

would expect to see deposit activity that’s commensurate with cash withdrawals as the money is

released to the relevant persons. That this did not happen for a prolonged period raises

questions as to the source of the check deposits. This is unusual and suspicious behavior,

especially for a check cashing company. The lack of cash withdrawals against check deposits

could indicate potential money laundering or other illicit activities. Therefore, this should arouse

Simon's suspicion the most.

Choice A is incorrect. While it may be unusual for a customer to show an atypical level of

curiosity about fees, this behavior alone does not necessarily indicate suspicious activity. It could

simply mean that Mr. Lincoln is a cautious and informed customer who wants to understand all

the costs associated with his account.


Choice B is incorrect. Although the source of funds can sometimes be a red flag for potential

money laundering or other illicit activities, depositing checks from casinos in itself isn't

necessarily suspicious. Casinos are legitimate businesses and it's possible that Mr. Lincoln

received these checks as winnings or payments for services rendered.

Choice C is incorrect. Having multiple accounts at the same institution isn't inherently

suspicious either, especially if one account is used for business transactions (like check cashing)

and another for personal savings.

Q.3130 A large banking group has an AML compliance program that addresses procedures for
filing Suspicious Transaction Reports and includes policies, procedures and internal controls for
customer identification, information sharing, account monitoring, and identifying money
laundering red flags. Each of the bank’s 12 branches undergoes mandatory AML/CFT trainings
in April and November each year, all conducted as online conferences via a video link. The board
does not take the Internet training. Instead, the chief risk officer organizes a luncheon at the
head office where an outsider comes in and trains them. The program provides for the
appointment of a chief AML/CFT officer, and twice a year the chief AML/CFT officer conducts an
audit of the AML/CFT framework. In what respect does the program need improvement?

A. The AML program should be tested more than twice per year.

B. Employees should be trained in a classroom, not via the internet because physical
training is better.

C. The group should consolidate the training sessions across its subsidiaries into a single
event.

D. The AML/CFT program should be tested by an independent party, not the chief
AML/CFT officer.

The correct answer is D.

The AML/CFT program should be tested by an independent party, not the chief AML/CFT officer.

The role of internal audit, which is considered the third line of defense, is crucial in

independently evaluating a bank's risk management and controls. The office conducting the

audit should have sufficient independence to assess adherence to various policies and

procedures without any compromise. In this case, since the chief risk officer, who also serves as

the developer and advisor on AML and CFT matters, conducts the audit, there could be a


potential conflict of interest. This is because they are assessing the same policies and procedures

that they have developed. Therefore, to ensure the effectiveness and integrity of the audit, it

should be conducted by an independent party.

Choice A is incorrect. The frequency of testing the AML program twice a year is generally

considered adequate in most banking institutions. Increasing the frequency may not necessarily

lead to improved compliance or detection of money laundering activities.

Choice B is incorrect. The mode of training, whether online or in-person, does not inherently

determine its effectiveness. As long as the content and delivery are effective and comprehensive,

online training can be just as beneficial as classroom training.

Choice C is incorrect. Consolidating all training sessions into a single event may not be

practical due to logistical constraints and could potentially overwhelm employees with

information overload. Spreading out the trainings allows for better absorption and

understanding of the material.

The AML/CFT program should indeed be tested by an independent party rather than by someone
who has been involved in its implementation (the chief AML/CFT officer). This ensures objectivity
and impartiality in assessing the effectiveness of the program.


Q.5452 Global Bank, a leading financial institution, is in the process of reviewing its risk
management procedures. The bank's Chief Risk Officer, Mr. Anderson, has been appointed to
lead this initiative. As part of the review, he is keen on incorporating the best practices as
recommended by the Basel committee for the assessment, management, mitigation, and
monitoring of money laundering and financing of terrorism (ML/FT) risks. Mr. Anderson
convened a meeting with his team to discuss key aspects that should be emphasized in the
revised policies and procedures. Which of the following actions, based on the Basel committee's
best practices, should Mr. Anderson incorporate for effective management of ML/FT risks?

A. Integrate international risk assessments and country reports to augment the bank's
internal monitoring process.

B. Prioritize customer due diligence (CDD) rules as the primary tool for risk
identification.

C. Mainly focus on the bank's own risk assessment of ML/FT risks.

D. Delegate the responsibility of ML/FT risk management to the board of directors.

The correct answer is A.

To ensure a thorough understanding and monitoring of ML/FT risks, banks should utilize both

internal and external sources. By incorporating international risk assessments and country

reports, banks can have a more comprehensive view of potential risks, especially in a global

context.

B is incorrect. Although CDD rules are crucial, they shouldn't be the sole focus. It's vital to

adopt a comprehensive approach by incorporating other measures and tools in addition to CDD.

C is incorrect. Relying mainly on the bank's own risk assessment might miss out on global

trends and evolving risks. External guidelines and international standards can offer insights that

the bank's internal assessment might overlook.

D is incorrect. While the board of directors should oversee the risk management process,

day-to-day management and operational decision-making should involve specialized officers, such as

a qualified chief AML/CFT officer. This ensures that the bank has dedicated expertise managing

and mitigating ML/FT risks.

Q.5453 Global Trust Bank is a rapidly growing financial institution with an expanding
international clientele. To ensure its continued growth and maintain its reputation, the bank's
senior management has stressed the importance of strict adherence to global best practices in
managing risks. As part of this strategy, they are revising their guidelines on combating money
laundering and financing of terrorism (ML/FT). Ms. Carter, the bank's Head of Risk and
Compliance, is overseeing the revision process and has sought input from her team on how best
to align their strategies with the Basel committee's recommendations. Which of the following
strategies, based on the Basel committee's best practices, would best enhance Global Trust
Bank's approach to ML/FT risk management?

A. Regularly update bank protocols based on core principles for effective banking
supervision.

B. Limit the bank's reliance on external sources, focusing on internal transaction data for
ML/FT risk assessment.

C. Develop a singular mitigation strategy for all ML/FT risks, ensuring uniformity across
all operations.

D. Designate the ML/FT risk management tasks to a specific department without
cross-collaboration with other bank units.

The correct answer is A.

For a bank to stay compliant and mitigate risks effectively, it's essential to be up-to-date with the

core principles for effective banking supervision. Regularly updating the bank's protocols

ensures that they remain relevant and effective as global standards and risks evolve.

B is incorrect. A comprehensive approach to ML/FT risk assessment requires the integration of

both internal transaction data and external sources such as international risk assessments and

country reports. Limiting reliance on external sources may result in an incomplete

understanding of global ML/FT risks.

C is incorrect. ML/FT risks can be diverse and context-specific. Implementing a one-size-fits-all

mitigation strategy can lead to gaps in risk management and may not address specific risks

effectively.

D is incorrect. ML/FT risk management is a multi-faceted challenge that often requires

cross-collaboration between different bank units. Designating tasks to a specific department without

collaboration might limit the bank's ability to gain a comprehensive view and manage risks

holistically.


Q.5454 Regent Bank, a globally renowned financial institution, is aiming to bolster its
Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) protocols. Mrs.
Fernandez, the bank's newly appointed Chief AML/CFT officer, is tasked with evaluating and
improving the existing frameworks in accordance with global best practices. To achieve this,
Mrs. Fernandez considers the importance of the three lines of defense and the role of the chief
AML/CFT officer in effective risk management. Based on global best practices, which of the
following measures should Mrs. Fernandez prioritize to enhance Regent Bank's AML/CFT risk
management?

A. Limit the responsibilities of the Chief AML/CFT officer to solely the operational
aspects, excluding any form of executive oversight.

B. Ensure that the Chief AML/CFT officer has a direct reporting line to senior
management or the board, clarifying the relationship between the chief officer and other
officers.

C. Standardize the AML/CFT training content for all departments to maintain uniformity
in knowledge dissemination across the bank.

D. Allocate the Chief AML/CFT officer as the sole authority to modify and adjust bank
AML/CFT policies without consulting the board or senior management.

The correct answer is B.

Establishing a direct reporting line for the Chief AML/CFT officer to senior management or the

board is pivotal. It not only underscores the significance of the AML/CFT function within the

organization but also ensures that concerns, suggestions, and findings of the officer are

accorded the attention and urgency they deserve at the highest echelons of the bank.

Furthermore, clear reporting lines prevent potential conflicts of interest and facilitate swift

decision-making processes.

A is incorrect. The Chief AML/CFT officer's role should not be limited. Their responsibilities

should encompass both operational and executive oversight to ensure comprehensive risk

management.

C is incorrect. While standardization ensures uniformity, AML/CFT training should be adapted

to the specific roles and potential risks encountered by different departments. Implementing a

blanket training approach may lead to gaps in knowledge where specialized training is


necessary.

D is incorrect. While the Chief AML/CFT officer plays a central role in shaping AML/CFT

policies, it is essential that they collaborate with the board and senior management. This

collective decision-making process ensures holistic policy development that considers multiple

perspectives and expertise.

Q.5455 Falcon International Bank, known for its expansive global operations, is in the process of
overhauling its Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT)
protocols. As a part of this initiative, Mr. Thompson, the bank's Chief Risk Officer, is
collaborating with external consultants to devise a strategy that aligns with international best
practices. Their discussions mainly revolve around the roles of the different lines of defense and
the importance of human resources in this context. Considering global best practices, which of
the following strategies should Mr. Thompson adopt to fortify Falcon International Bank's
AML/CFT risk management procedures?

A. Establish a centralized AML/CFT training program that provides identical content to
all employees to ensure consistent knowledge across departments.

B. Facilitate robust communication channels between the three lines of defense, ensuring
that the first line - business units, are proactive in identifying, assessing, and controlling
AML/CFT risks.

C. Assign the internal audit function as the primary decision-maker for amending
AML/CFT policies, thereby ensuring an unbiased review and implementation process.

D. Empower the compliance function with advanced technology tools, relegating human
intervention to the background, for efficient and error-free monitoring.

The correct answer is B.

Effective AML/CFT risk management necessitates a well-coordinated approach among the three

lines of defense. Particularly, the first line - the business units, must be empowered and educated

to actively identify, assess, and control risks. This proactive stance ensures that potential threats

are mitigated at the onset, reducing the burden on subsequent defense lines and promoting a

risk-aware culture.

A is incorrect. While uniformity in training ensures a consistent baseline of knowledge,

AML/CFT training should be tailored to the specific responsibilities and potential risks faced by


individual departments. A one-size-fits-all approach might lead to knowledge gaps in specialized

areas, making it less effective.

C is incorrect. While the internal audit function plays a pivotal role in reviewing AML/CFT

policies, entrusting them with the sole authority to amend these policies could lead to a lack of

holistic input. Collaborative decision-making, involving various stakeholders, is crucial for

comprehensive and effective policy formulation.

D is incorrect. While technology tools enhance efficiency in monitoring, human judgment

remains indispensable in AML/CFT risk management. Relegating human intervention to the

background could result in overlooking nuanced risks and threats that technology might miss.

The optimal approach combines the strengths of both technology and human expertise.

Q.5456 Global United Bank is conducting an internal review of its governance structures. The
Board of Directors has specifically requested an evaluation of the Internal Audit department's
role in the context of Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT)
compliance. Mr. Kingston, the Senior Internal Auditor, has been given the task to ensure that the
internal audit's capabilities align with industry best practices and regulatory requirements. What
measure should Mr. Kingston prioritize to ensure that the Internal Audit function effectively
contributes to the AML/CFT framework of Global United Bank, in line with best practices?

A. Streamline the Internal Audit function to focus primarily on post-incident reporting to
avoid interfering with the proactive risk management activities of the compliance
department.

B. Delegate the authority to revise AML/CFT policies exclusively to the Internal Audit
department to maintain an element of independence and objectivity in policy formulation.

C. Institute a regular rotation of audit personnel within the AML/CFT function to
different departments to broaden their understanding of various business operations and
risks.

D. Introduce a continuous auditing process for AML/CFT activities, enabling real-time
monitoring and evaluation, thus providing immediate feedback for risk mitigation.

The correct answer is D.

Incorporating a continuous auditing approach allows the Internal Audit function to provide

ongoing assurance and consultative feedback, which is essential in the dynamic field of

AML/CFT. This helps the bank to promptly identify and address risks, ensuring that AML/CFT

measures are effective and updated in real time to align with the ever-changing regulatory

landscape and patterns of financial crime.

A is incorrect. The Internal Audit function should not be limited to post-incident reporting as

this diminishes its role in preventive control and oversight. Best practices suggest a proactive

engagement in reviewing and advising on AML/CFT controls before incidents occur.

B is incorrect. While the Internal Audit function should evaluate and provide recommendations

on AML/CFT policies, the exclusive authority to revise policies should not reside with Internal

Audit. Such responsibilities should involve a collaborative approach with the AML/CFT

compliance team and senior management to ensure balanced and comprehensive policy

development.

C is incorrect. Although rotating personnel can be beneficial for broadening experience,

regularly moving auditors may disrupt the continuity and depth of expertise required for

effective AML/CFT auditing. Auditors need to develop and maintain specialized knowledge in

AML/CFT to conduct thorough and insightful audits.

Q.5457 During the development of its Customer Acceptance Policy (CAP), MetroBank is focusing
on aligning with best practices for the acceptance of new clients while also adhering to the
principles of financial inclusion. Based on the recommendations by the Basel Committee, which
of the following approaches should MetroBank prioritize to ensure both compliance and
inclusivity in its CAP?

A. Implement a universal policy that restricts the opening of accounts to only those
customers who can provide a comprehensive financial profile, thereby minimizing the
risk of money laundering and terrorist financing.

B. Enforce a stringent CAP that mandates enhanced due diligence for all new customers,
irrespective of their risk profile, to maintain a consistent level of scrutiny across all
customer interactions.

C. Develop a CAP that incorporates differentiated due diligence measures, considering
factors such as the customer's geographical location, type of product desired, and the
level of risk associated with their profile, to balance risk management with
non-discrimination.

D. Establish a CAP that exclusively targets high-risk individuals, such as politically
exposed persons (PEPs) and individuals from high-risk countries, with enhanced due
diligence, while simplifying the process for all other customers.

The correct answer is C.

The correct approach for MetroBank is to develop a Customer Acceptance Policy that allows for

the application of risk-based due diligence measures. This means differentiating the level of due

diligence based on various risk factors associated with the customer, such as their geographical

location, the type of products they are interested in, their transactional profiles, and any other

relevant risk indicators. This risk-based approach enables the bank to effectively manage

potential risks without being overly restrictive, thereby promoting financial inclusion and

avoiding discrimination against individuals who may be financially or socially disadvantaged.

A is incorrect. A universal policy that heavily restricts account opening can be overly

prohibitive and could potentially deny access to legitimate customers who are financially or

socially disadvantaged, which goes against the principles of financial inclusion.

B is incorrect. Mandating enhanced due diligence for all new customers would result in an

inefficient allocation of resources and could lead to unnecessary barriers for low-risk individuals,

which is not in line with recommended practices that call for proportionality based on risk.

D is incorrect. While focusing on high-risk individuals for enhanced due diligence is important,

it should not be done to the exclusion of applying a risk-based approach across all customers.

Simplifying the process for all other customers without any due diligence could expose the bank

to unforeseen risks.

Reading 113: Case Study: Financial Crime and Fraud

Q.5120 An operational risk manager at the bank is presenting on financial crimes and fraud. He
starts his presentation by defining financial crime. Which of the following is the correct
definition of a financial crime?

A. Any criminal conduct relating to money or to financial services or markets

B. Losses due to acts intended to defraud, misappropriate property or circumvent
regulations, the law, or company policy excluding diversity/discrimination events
involving at least one internal party

C. Losses due to acts of a type intended to defraud, misappropriate property or
circumvent the law by a third party

D. Misappropriation of assets, such as extortion, embezzlement, malicious destruction of
assets, bribery, and tax evasion

The correct answer is A.

Financial crime, as defined by the Financial Conduct Authority's (FCA) Handbook of the UK,

encompasses any kind of criminal conduct relating to money or to financial services or markets.

This includes any offence involving fraud or dishonesty, misconduct in, or misuse of information

relating to, a financial market, handling the proceeds of crime, or the financing of terrorism. This

definition is broad and encompasses a wide range of activities, reflecting the diverse nature of

financial crimes. Financial crimes can include everything from money laundering and fraud to

bribery and corruption. They can be committed by individuals, organizations, or even states, and

can have serious consequences, including financial loss, reputational damage, and legal

penalties.

Choice B is incorrect. While this option does cover some aspects of financial crime, such as

fraud and misappropriation of property, it unnecessarily excludes diversity/discrimination events.

Financial crimes can involve a wide range of illegal activities, not just those intended to defraud

or misappropriate property. Furthermore, the involvement of an internal party is not a necessary

condition for an act to be considered a financial crime.

Choice C is incorrect. This choice incorrectly limits the definition of financial crimes to acts

committed by third parties only. Financial crimes can be committed by anyone involved in the

handling or management of money or financial services, including employees and executives

within an organization.

Choice D is incorrect. Although this option includes several types of misconduct that could be

classified as financial crimes (e.g., extortion, embezzlement), it fails to capture the full breadth

and complexity of what constitutes a 'financial crime'. For instance, it does not mention

fraudulent activities related to financial markets or services which are also part of 'financial

crime'.

Q.5121 Different countries may have different laws against money laundering and terrorism
financing. On 20 May 2015, the European Parliament and Council issued a directive to prevent
the use of the financial system for money laundering or terrorist financing. According to the
European Union, which of the following activities are considered money laundering?

A. Knowingly converting or transferring property derived from criminal activity in order
to disguise the illicit origin of the property or to assist someone involved in such an
activity to evade the legal consequences of his actions

B. The provision or collection of funds to be used, partly or in full, to facilitate any offense
considered by the authorities as a terrorism act

C. Any intentional violation of the law or of internal policies perpetrated by the firm's
employees

D. Getting the money out to use while evading taxes and law enforcement through
activities such as fake payments to employees, fake loans, or dividends to accomplices

The correct answer is A.

The European Parliament and Council's directive defines money laundering as the process of

making illegally-gained proceeds appear legal. This is typically achieved through three steps:

placement, layering, and integration. Placement refers to the process of introducing the illicit

money into the financial system. Layering is the process of creating complex networks of

transactions to obscure the money's origin. Finally, integration involves merging the laundered

money back into the legitimate economy. Choice A accurately describes the process of converting

or transferring property derived from criminal activity for the purpose of disguising its illicit

origin or assisting someone involved in such activity to evade legal consequences. This activity

falls under the definition of money laundering as per the directive.

Choice B is incorrect. While the provision or collection of funds to facilitate any offense

considered as a terrorism act is indeed a serious crime, it falls under the category of terrorism

financing rather than money laundering according to the directive issued by the European

Parliament and Council.

Choice C is incorrect. Intentional violation of law or internal policies perpetrated by a firm's

employees may constitute fraud or misconduct, but it does not necessarily equate to money

laundering unless it involves activities such as conversion or transfer of property derived from

criminal activity with an intent to disguise its illicit origin.

Choice D is incorrect. Evading taxes and law enforcement through activities such as fake

payments to employees, fake loans, or dividends to accomplices can be part of tax evasion

schemes and fraudulent practices. However, these actions do not meet the specific definition of

money laundering within the European Union unless they involve knowingly converting or

transferring property derived from criminal activity for disguising its illicit origin.

Q.5122 A risk manager at a large bank states that the bank has zero tolerance for internal fraud.
He goes on to highlight that the bank has a robust framework of controls and measures to
mitigate internal fraud risks. Which of the following is a component of such a framework?

A. Inspections

B. Selection

C. Placement

D. Layering

The correct answer is B.

Selection is a crucial component of a framework designed to control and mitigate internal fraud

risks. This process involves the careful screening of employees and associated third parties. The

organization's culture is also taken into account during this step. When firms hire individuals

who align with their values and ethical standards, managing these employees becomes

significantly easier. Selection also plays a vital role in Anti-Money Laundering (AML) and third-

party risk management, serving as an important mitigation mechanism.

Other components of a robust fraud risk management framework include Prevention, Detection,

and Deterrents. Prevention involves clearly defining the rights, authority, and access of each

function to effectively manage fraud risk. Detection is critical in limiting the impact of an

operational risk event, with detective controls acting as a deterrent as well. Fraud is least likely

to occur if the consequences are severe. Effective supervision and monitoring help limit internal

fraud. Deterrents, which are sanctions and actions announced following any act of fraud, also

disincentivize employees to commit fraud, thus promoting the risk-reward balance.

Choice A is incorrect. While inspections can be a part of a comprehensive system to mitigate

risks, they are not specifically targeted towards internal fraud. Inspections are more general in

nature and aim to ensure compliance with all policies and procedures, not just those related to

fraud.

Choice C is incorrect. Placement refers to the process of assigning employees to specific roles

within the organization. Although it's important for risk management, it doesn't directly

contribute to mitigating the risks associated with internal fraud.

Choice D is incorrect. Layering is a term used in money laundering processes where illegal

funds are made difficult to trace back by creating complex layers of financial transactions. It

does not relate directly with measures taken against internal fraud in an organization.

Q.5123 An operational risk manager at a bank has asked a junior analyst to prepare a
presentation on AML risk management to be presented to the board's risk committee. Which of
the following controls falls under the "deterrents" step of AML controls?

A. Transaction monitoring system

B. Staff information and training

C. Ethos and values

D. Legal pursuits

The correct answer is D.

Deterrents are measures taken to discourage or prevent fraudulent activities. They are typically

punitive actions that are announced following any act of fraud. The purpose of deterrents is to

disincentivize employees from committing fraud by promoting a balance between risk and

reward. Examples of deterrents in the context of Anti-Money Laundering (AML) controls include

escalation to the relevant financial intelligence unit (FIU), legal pursuits, and closure of

accounts. Legal pursuits, in particular, serve as a strong deterrent as they involve the potential

for legal action and penalties against those involved in fraudulent activities. This can include

fines, imprisonment, and other legal consequences. Therefore, legal pursuits are an appropriate

control to include under the 'deterrents' step of AML controls.

Choice A is incorrect. A transaction monitoring system is not a deterrent but rather a detection

tool used in the process of Anti-Money Laundering (AML) controls. It helps in identifying

suspicious transactions that may indicate money laundering activities, but it does not deter

individuals from engaging in such activities.

Choice B is incorrect. Staff information and training are crucial for ensuring that employees

understand their roles and responsibilities in preventing money laundering. However, this falls

under the 'prevention' step of AML controls rather than 'deterrents'. While well-informed staff

can help deter money laundering by being vigilant and proactive, this control itself does not

directly act as a deterrent.

Choice C is incorrect. Ethos and values form part of an organization's culture which can

influence behavior towards compliance with laws and regulations including those related to

AML. However, they do not directly serve as deterrents to money laundering activities.

Q.5124 A newly hired money laundering risk officer is presenting on AML risk management. He
highlights that it is common for criminals to disguise the proceeds of their criminal activities into
legitimate sources of funds in two or three phases. Which of the following is a phase of money
laundering?

A. Placement

B. Deterrent

C. Detection

D. Protection

The correct answer is A.

Placement is indeed a phase of money laundering. It involves all methods intended to disguise

the origins of the funds. This could include cash transfer to businesses, false invoicing, use of

trusts and offshore companies, 'smurfing' (keeping a bank account or credit card under the Anti-

Money Laundering (AML) reporting threshold by making a series of small transactions rather

than a single large transaction), using foreign bank accounts, and so on. The goal of this phase is

to introduce the illicit money into the financial system in such a way that it appears to be

legitimate.

Choice B is incorrect. Deterrent is not a stage in the money laundering process. It refers to

measures taken to prevent or discourage certain behaviors, including illegal activities such as

money laundering. However, it does not represent a stage in the process of money laundering

itself.

Choice C is incorrect. Detection is also not a stage in the money laundering process. Detection

refers to identifying and recognizing suspicious activities that may indicate money laundering,

but it does not represent an actual step that criminals undertake when they launder their illicit

funds.

Choice D is incorrect. Protection does not represent a stage in the money laundering process

either. While criminals involved in this illegal activity do seek ways to protect their ill-gotten

gains and avoid detection by authorities, protection itself isn't considered as one of the distinct

stages of converting illicit proceeds into seemingly legitimate funds.

Q.5125 The CEO of a bank highlights that the bank is practicing comprehensive AML risk
management. Which of the following statements would justify the CEO's claim that the bank is
practicing comprehensive Anti-Money Laundering (AML) risk management?

A. The bank has established robust customer due diligence procedures.

B. The bank has never had a customer involved in a money laundering scheme.

C. The bank has hired a new CEO with extensive experience in AML risk management.

D. The bank has reported suspicious transactions to the relevant authorities.

The correct answer is A.

Comprehensive AML risk management involves a proactive approach to mitigating risks

associated with money laundering and terrorism financing. A key component of this approach is

Customer Due Diligence (CDD). CDD procedures require banks to perform background checks

and verify the identities of their customers. This helps to ensure that the bank is not

inadvertently facilitating illicit activities. By establishing robust CDD procedures, the bank is

demonstrating a commitment to preventing money laundering and terrorism financing, which is

a key aspect of comprehensive AML risk management. Therefore, if the bank has indeed

established robust CDD procedures, this would provide strong evidence to support the CEO's

claim that the bank is practicing comprehensive AML risk management.

Choice B is incorrect. The fact that a bank has never had a customer involved in a money

laundering scheme does not necessarily indicate comprehensive AML risk management. It could

simply mean that the bank has been fortunate or unaware of such activities. Effective AML risk

management involves proactive measures, such as robust customer due diligence procedures,

rather than relying on the absence of past incidents.

Choice C is incorrect. Hiring a new CEO with extensive experience in AML risk management

can be beneficial for the bank's overall approach to managing this type of risk, but it does not

provide evidence of comprehensive AML practices currently in place at the bank. The CEO's

experience alone cannot guarantee effective implementation and operation of robust policies,

procedures, and controls.

Choice D is incorrect. Reporting suspicious transactions to relevant authorities is an important

part of AML compliance but it doesn't necessarily indicate comprehensive AML risk management

by itself. A comprehensive approach would involve preventive measures like establishing robust

customer due diligence procedures which can help prevent illicit activities from occurring in the

first place.

Q.5126 In its 2022 report, the FCA examines financial crime controls at challenger banks, which
are fully digital and offer customers the ability to open accounts very quickly. Which of the
following is a key finding highlighted by UK regulators in their examination of financial crime
controls at challenger banks in their 2022 report?

A. Challenger banks tend to perform better than traditional banks in identifying higher-
risk customers.

B. Challenger banks need to improve their systems for identifying and verifying customer
information.

C. Challenger banks are not required to follow AML regulations because they operate
fully digitally.

D. Traditional banks are more susceptible to financial crime than challenger banks.

The correct answer is B.

The 2022 report by the Financial Conduct Authority (FCA) on the examination of financial crime

controls at challenger banks highlighted that these banks need to enhance their systems for

identifying and verifying customer information. The report underscored the risk associated with

the rapid account opening process offered by these banks. The information collected during this

process may not be sufficient to identify customers who pose a higher risk, thereby making it

challenging for these banks to effectively manage their Anti-Money Laundering (AML) risks. As a

result, the regulators have recommended that challenger banks bolster their systems for

identifying and verifying customer information to better manage their AML risks and prevent

financial crimes.

Choice A is incorrect. The report did not conclude that challenger banks perform better than

traditional banks in identifying higher-risk customers. In fact, the FCA's examination found that

these digital banks need to improve their systems for identifying and verifying customer

information, which includes the identification of higher-risk customers.

Choice C is incorrect. Regardless of whether a bank operates digitally or traditionally, it is

required to follow Anti-Money Laundering (AML) regulations. The mode of operation does not

exempt any financial institution from adhering to these regulations.

Choice D is incorrect. The FCA's report did not suggest that traditional banks are more

susceptible to financial crime than challenger banks. The susceptibility to financial crime

depends on the effectiveness of a bank's financial crime controls and not its mode of operation.

Q.5127 Which of the following is a lesson learned from the USAA Federal Savings Bank (FSB)
case study, where it was fined $140 million by the Financial Crimes Enforcement Network
(FinCEN) and the Office of the Comptroller of the Currency (OCC) for failing to implement and
maintain a BSA/AML compliance program?

A. Banks should prioritize customer service over compliance to remain competitive.

B. Banks should implement robust BSA/AML compliance programs to avoid penalties.

C. Banks should minimize their reporting of suspicious activities to avoid regulatory
scrutiny.

D. Banks should shift their compliance focus away from AML to other areas such as
cybersecurity.

The correct answer is B.

The USAA FSB case study underscores the critical importance of having a robust Bank Secrecy

Act/Anti-Money Laundering (BSA/AML) compliance program in place. The bank was penalized

with a hefty fine of $140 million for its failure to implement and maintain such a program,

thereby exposing itself to the risks of money laundering and terrorist financing activities. This

case serves as a stark reminder for all banks about the potential consequences of non-

compliance with BSA/AML regulations. Therefore, the primary lesson to be learned from this

case is the necessity for banks to prioritize BSA/AML compliance in order to avoid penalties and

regulatory scrutiny.

Choice A is incorrect. Prioritizing customer service over compliance can lead to severe

penalties and reputational damage, as seen in the USAA FSB case. Compliance with regulatory

requirements such as BSA/AML should not be compromised for competitiveness.

Choice C is incorrect. Minimizing the reporting of suspicious activities can result in non-

compliance with BSA/AML regulations, leading to hefty fines and sanctions from regulatory

bodies like FinCEN and OCC. Banks are required to report any suspicious activities promptly to

avoid such consequences.

Choice D is incorrect. While cybersecurity is an important area of focus for banks, shifting

compliance focus away from AML could lead to non-compliance with BSA/AML regulations,

resulting in significant penalties as demonstrated by the USAA FSB case study.

Reading 114: Guidance on Managing Outsourcing Risk

Q.2318 Tummers Bank from New York, USA, is considering outsourcing some of its activities to a
third party. Which of the following risks (among others) should the bank consider before making
a final decision?

A. Credit, market, and operational risks

B. Reputational, operational, and compliance risks

C. Portfolio, counterparty, and market risks

D. Country, legal, and counterparty risks

The correct answer is B.

When a financial institution like Tummers Bank considers outsourcing some of its activities, it

must consider a variety of risks. These risks include reputational, operational, and compliance

risks. Reputational risks refer to the potential damage to the bank's reputation that could occur

if the third party fails to meet the bank's standards or if there is a breach of data or security.

Operational risks refer to the potential for loss resulting from inadequate or failed internal

processes, people, and systems, or from external events. This includes the risk that the third

party may not be able to carry out the outsourced activities to the required standard. Compliance

risks involve the potential for legal penalties, financial forfeiture, and material loss an institution

might suffer as a result of its failure to comply with laws, regulations, rules, related self-

regulatory organization standards, and codes of conduct applicable to its banking activities.

Therefore, these three risks are crucial for Tummers Bank to consider before making a final

decision on outsourcing.

Choice A is incorrect. While credit, market, and operational risks are important for any

financial institution to consider, they are not the most relevant in the context of outsourcing.

Credit and market risks primarily relate to investment decisions rather than operational

decisions such as outsourcing.

Choice C is incorrect. Portfolio, counterparty, and market risks are more related to investment

management and trading activities. These types of risk do not directly arise from outsourcing

functions of a bank.

Choice D is incorrect. Country risk could be relevant if the bank was considering outsourcing

functions overseas; however, it's not necessarily a primary concern in all cases of outsourcing.

Legal risk would be a consideration but it's typically addressed through contracts with service

providers rather than being an ongoing risk associated with the decision itself. Counterparty risk

can be considered part of credit risk which as explained above isn't directly related to an

outsourcing decision.

Q.2319 A bank based in Texas, USA, is considering outsourcing its human resource activities
to an HR agency. Its risk management team is considering all potential risks that could arise
from this arrangement, particularly compliance risks. Which of the following would qualify as a
compliance risk?

A. Advertising jobs without regard to existing labor laws.

B. Negative public opinion because of poor performance of outsourced activities.

C. Acceptance of fake academic documents.

D. Delays in service delivery.

The correct answer is A.

Compliance risk is a type of operational risk that arises when an organization fails to adhere to

the laws, regulations, and standards that govern its operations. In the context of this question,

advertising jobs without regard to existing labor laws is a clear violation of the law. This could

potentially lead to legal repercussions, including lawsuits and penalties, which could significantly

impact the bank's reputation and financial stability. Therefore, this scenario represents a

compliance risk. The bank's risk management team must ensure that the HR agency they are

considering for outsourcing is aware of and complies with all relevant labor laws to mitigate this

risk.

Choice B is incorrect. Negative public opinion due to poor performance of outsourced

activities is a reputational risk, not a compliance risk. Compliance risks are associated with the

failure to comply with laws or regulations.

Choice C is incorrect. Acceptance of fake academic documents could be considered as

operational risk, specifically in the area of internal fraud or lack of proper controls and

procedures. It does not directly relate to compliance with laws or regulations.

Choice D is incorrect. Delays in service delivery can be classified as operational risk,

specifically under the category of business process disruptions. This does not fall under

compliance risk which pertains to legal and regulatory obligations.

Q.2321 LAB Bank from Los Angeles, USA, is considering outsourcing its IT activities to East IT
India, an Indian company. East IT India would provide the bank with IT services such as database
hosting, software development and maintenance, problem-solving, etc. Which risk should be
specially taken into consideration while making the final decision about this arrangement?

A. Outsourcing risk

B. Operational risk

C. Country risk

D. Competency risk

The correct answer is C.

Country risk refers to a collection of risks associated with investing in a foreign country. These
risks include political risk, exchange rate risk, economic risk, sovereign risk, and transfer risk,
which is the risk that a foreign government will prohibit capital flows. In the context of the
question, LAB Bank is considering outsourcing its IT operations to East IT India, a company
based in India. By doing so, the bank would expose itself to the country risk associated with
India. This could include potential economic, social, and political conditions and events in India
that could adversely affect the bank's operations. For example, if there were political instability
in India, it could disrupt East IT India's operations, which in turn would disrupt the IT services
provided to LAB Bank. Similarly, if there were significant fluctuations in the exchange rate
between the US dollar and the Indian rupee, it could make the outsourcing arrangement more
expensive for LAB Bank. Therefore, when considering such an outsourcing arrangement, it is
crucial for the bank to assess the country risk.

Choice A is incorrect. While outsourcing risk is a valid concern when considering such an
arrangement, it is not the specific type of risk that should be given particular attention in this
context. Outsourcing risk refers to the potential problems that could arise from relying on
external entities for certain business functions, but it does not specifically address the unique
risks associated with outsourcing IT operations to a company located in another country.

Choice B is incorrect. Operational risk refers to the potential for loss resulting from
inadequate or failed internal processes, people and systems or from external events. Although
operational risks may increase due to outsourcing IT operations, they are not specific to this
scenario as they can occur in any business operation.

Choice D is incorrect. Competency risk refers to the possibility that East IT India may lack the
necessary skills or expertise to effectively manage LAB Bank's IT operations. While competency
risk could be a factor in any outsourcing decision, it does not specifically address the unique
risks associated with outsourcing these services to a company located in another country.

Q.2322 New Savings Bank from Texas, USA, recently outsourced its IT services to Novel IT
Service company (NIS) from Los Angeles, USA. NIS has a rich history spanning several decades
but has recently been the subject of public criticism for various legal violations, as well as poor
service delivery, punctuated by costly delays. NIS has most likely exposed the bank to:

A. Outsourcing risk

B. Credit risk

C. Reputational risk

D. Concentration risk

The correct answer is C.

Reputational risk is the potential for negative publicity, public perception, or uncontrollable
events to adversely impact a company's reputation, thereby affecting its revenue. In the context
of the question, New Savings Bank has outsourced its IT services to Novel IT Service company
(NIS), which has been under public scrutiny for legal violations and poor service delivery. These
issues have the potential to negatively impact the bank's reputation if they become associated
with NIS's negative public image. This could lead to loss of customer trust, which could in turn
lead to loss of customers and revenue. Therefore, the bank is most likely exposed to reputational
risk.

Choice A is incorrect. Outsourcing risk refers to the potential negative impacts that can arise
from an organization's decision to outsource certain tasks or services. While New Savings Bank
is indeed outsourcing its IT services, the question specifically asks about the type of risk
associated with NIS's legal violations and poor service delivery, which falls under reputational
risk rather than outsourcing risk.

Choice B is incorrect. Credit risk pertains to the possibility of a loss resulting from a
borrower's failure to repay a loan or meet contractual obligations. In this scenario, there is no
mention of any loans or credit agreements between New Savings Bank and NIS, hence credit
risk does not apply here.

Choice D is incorrect. Concentration risk refers to the potential for losses to occur due to
heavy investment in a particular asset class, sector, region or other area of exposure without
adequate diversification. In this case scenario, there isn't any indication that New Savings Bank
has heavily invested in one particular area without sufficient diversification; thus concentration
risk does not apply here.

Q.2323 Which of the following statements is correct?

A. After the outsourcing of an activity, all responsibility with regard to outsourced
activities is transferred to the third party.

B. After the outsourcing of an activity, the third party and senior management have
partial responsibility.

C. After the outsourcing of an activity, senior management is still responsible for normal
functioning of the bank.

D. It is not possible to outsource accounting services.

The correct answer is C.

After the outsourcing of an activity, senior management is still responsible for normal functioning
of the bank. This is because the use of service providers does not relieve a financial institution's
board of directors and senior management of their responsibility to ensure that outsourced
activities are conducted in a safe-and-sound manner and in compliance with applicable laws and
regulations. Policies governing the use of service providers should be established and approved
by the board of directors, or an executive committee of the board. This means that even though
the activity has been outsourced, the senior management still has the responsibility to ensure
that the activity is being conducted properly and in accordance with all relevant laws and
regulations.

Choice A is incorrect. Even though an activity is outsourced, the responsibility for ensuring
that the outsourced activities are conducted in a safe-and-sound manner and in compliance with
applicable laws and regulations still lies with the senior management of the financial institution.
The third party does not assume all responsibilities.

Choice B is incorrect. While it's true that both parties have some level of responsibility, it's not
accurate to say they share equal or partial responsibility. The ultimate accountability for
ensuring compliance and safety remains with senior management of the financial institution,
regardless of any outsourcing arrangements.

Choice D is incorrect. It's certainly possible to outsource accounting services within a financial
institution; however, this doesn't change who retains overall responsibility for ensuring these
services are conducted safely and compliantly - which remains with senior management.

Q.2324 WPC performs an audit on the financial statements of Anderson Bank. After WPC performs
really well, the bank decides to offer the company an internal audit role in addition to its
existing role. The move exposes the bank to:

A. Country risk

B. Operational risk

C. Reputational risk

D. Compliance risk

The correct answer is D.

Compliance risk is the potential for losses and legal penalties due to failure to comply with laws
or regulations. In this case, the Sarbanes-Oxley Act of 2002, a U.S. law, specifically prohibits a
registered public accounting firm from performing certain non-audit services for a public
company client for whom it performs financial statement audits. This is to ensure the
independence and objectivity of the audit. If WPC were to accept the offer to perform both
external and internal audits for Anderson Bank, it could potentially violate this law, thereby
exposing the bank to compliance risk. This could result in legal penalties for the bank, and could
also damage its reputation.

Choice A is incorrect. Country risk refers to the potential for losses due to a nation's political,
legal, economic or social conditions. It does not apply in this scenario as the situation described
does not involve any changes in these conditions.

Choice B is incorrect. Operational risk refers to the risk of loss resulting from inadequate or
failed internal processes, people and systems or from external events. While there may be some
operational risks involved in WPC performing both internal and external audits for Anderson
Bank, such as potential conflicts of interest or lack of independence, these are more
appropriately classified under compliance risk.

Choice C is incorrect. Reputational risk involves damage to a company's reputation that could
lead to financial loss or difficulties in maintaining relationships with customers, shareholders and
other stakeholders. Although reputational damage could potentially occur if WPC were found to
be conducting its audits improperly due to its dual role at Anderson Bank, this would be a
consequence rather than a direct type of risk associated with the arrangement.

Q.2325 An American bank is considering outsourcing its IT operations to an Indian IT provider. Is
it in order for the bank’s risk management team to analyze the provider’s financial condition
before making a final decision?

A. No, because the bank should only be concerned with country risk.

B. No, because it’s illegal to outsource IT services in the first place.

C. Yes, in order to assess the financial stability and integrity of the service provider.

D. Yes, because it’s a requirement under Basel II regulation.

The correct answer is C.

Financial institutions should review the financial condition of the service provider and its closely
related affiliates. A weak financial condition may indicate potential future problems, such as an
interruption of service.

Things to Remember

1. Outsourcing IT operations can offer several benefits to banks, including cost savings, access to
specialized expertise, and the ability to focus on core business activities. However, it also comes
with risks, including operational, reputational, and financial risks.

2. To manage these risks, banks should conduct thorough due diligence on potential service
providers. This includes analyzing the provider's financial condition, as well as other factors such
as its technical capabilities, track record, and compliance with relevant laws and regulations.

3. While country risk is an important factor to consider when outsourcing operations to a foreign
service provider, it is not the only factor. Banks should also consider the specific risks associated
with the service provider itself, including its financial stability.

4. Basel II regulation encourages banks to maintain a robust risk management framework, but it
does not specifically mandate that banks analyze the financial condition of their service
providers. Therefore, banks should not rely solely on regulatory requirements when deciding
whether to analyze a service provider's financial condition.

Q.2326 Sandero bank from Carrington, North Dakota, is considering outsourcing part of its IT
services to a third party. Such a move will most likely involve sharing of some nonpublic personal
information about the bank's customers with the third party. Should the bank go ahead with its
plan?

A. No, all outsourcing activities that can reasonably be expected to expose nonpublic
personal information are forbidden.

B. Yes, but the bank should refrain from sharing all nonpublic personal information.

C. Yes, the bank could outsource an activity which requires usage of nonpublic personal
information, but the service provider must comply with applicable privacy laws and
regulation.

D. No, because such a move would open doors to possible lawsuits by aggrieved
customers.

The correct answer is C.

Yes, the bank could outsource an activity which requires usage of nonpublic personal
information, but the service provider must comply with applicable privacy laws and regulation.
This is because the privacy laws and regulations are designed to protect the privacy and security
of nonpublic personal information (NPPI). These laws and regulations apply not only to financial
institutions like Sandero bank, but also to their service providers. Therefore, if Sandero bank
decides to outsource part of its IT services to a third party, the third party must comply with
these laws and regulations. This means that the third party must implement appropriate
measures to protect the NPPI from unauthorized access, use, disclosure, alteration, and
destruction. These measures may include, for example, the use of encryption technologies,
firewalls, intrusion detection systems, and access controls. In addition, the third party must
provide adequate training to its employees about the importance of protecting NPPI and the
consequences of non-compliance. Furthermore, the third party must regularly monitor and audit
its privacy and security practices to ensure their effectiveness and compliance with the laws and
regulations. Finally, the third party must promptly report any privacy or security incidents to
Sandero bank and cooperate with the bank in the investigation and resolution of such incidents.

Choice A is incorrect. While privacy laws and regulations do place restrictions on the sharing
of nonpublic personal information, they do not outright forbid all outsourcing activities that
could potentially expose such information. Instead, these laws typically require that appropriate
safeguards be put in place to protect this information.

Choice B is incorrect. This choice suggests that the bank should refrain from sharing all
nonpublic personal information during outsourcing. However, this may not be practical or even
possible in some cases where the outsourced service requires access to such data for operational
purposes. The key is ensuring that any shared data is protected and used in compliance with
applicable privacy laws and regulations.

Choice D is incorrect. While it's true that mishandling of customer data could potentially lead
to lawsuits, simply outsourcing IT services does not automatically open doors to legal action by
customers. As long as the bank and its service provider comply with relevant privacy laws and
regulations, including those pertaining to data protection and consent for data use, they can
mitigate this risk.

Q.2327 Fort Worth Bank from Texas, USA, is considering outsourcing its retail loans collection
process to ICAP, a service provider from Mexico. What should its risk management team do?

A. Carry out a risk assessment of the move.

B. Analyze contract provisions and considerations.

C. Perform a due diligence of the service provider.

D. All of the above.

The correct answer is D.

The risk management team of Fort Worth Bank should indeed carry out all the actions listed in
the options. When a financial institution is considering outsourcing a significant process such as
retail loans collection, it is crucial to conduct a comprehensive risk assessment. This involves
identifying potential risks and evaluating their potential impact on the bank's operations. The
risk assessment should consider various factors, including the service provider's capabilities, the
regulatory environment in the service provider's country, and the potential impact on the bank's
customers.

Furthermore, the risk management team should also analyze the contract provisions and
considerations. This includes understanding the terms and conditions of the contract, the
responsibilities of each party, and the mechanisms for dispute resolution. The contract should
also include provisions for the bank to monitor the service provider's performance and ensure
compliance with regulatory requirements.

Finally, performing due diligence of the service provider is another critical step. The due
diligence process involves verifying the service provider's credentials, assessing its financial
stability, and evaluating its track record in providing similar services. The due diligence process
also includes reviewing the service provider's internal controls, data security measures, and
business continuity plans.

Choice A is incorrect. While carrying out a risk assessment of the move is an important step, it
alone is not sufficient to mitigate potential risks. The bank's risk management team should also
consider other factors such as contract provisions and due diligence of the service provider.

Choice B is incorrect. Analyzing contract provisions and considerations is crucial, but this
alone does not cover all aspects of risk mitigation. It needs to be complemented with a
comprehensive risk assessment and due diligence process.

Choice C is incorrect. Performing a due diligence of the service provider can help identify
potential issues that might arise in future, but it should be accompanied by a thorough risk
assessment and analysis of contract provisions for complete mitigation of risks.

Q.2328 A certain bank based in the United States has developed a sound, effective program for
assessment of all outsourcing activities. Some of the elements of the program have a lot to do
with due diligence analyses and the selection of providers. According to good industry practice,
due diligence analyses and selection of providers should include:

A. Financial analyses, assessment of internal controls, and limits of liabilities.

B. A review of technical abilities, employee backgrounds, and facilities.

C. A review of business background, strategy and reputation, financial performance and
condition, operations, and internal controls.

D. All of the above.

The correct answer is C.

The due diligence process in the context of outsourcing activities should be comprehensive and
thorough. It should include a review of the service provider's business background, strategy, and
reputation. This is important to understand the provider's market position, competitive
advantage, and overall business direction. The financial performance and condition of the
provider should also be assessed to ensure its financial stability and ability to deliver the
required services over the contract period. The review of operations and internal controls is
crucial to evaluate the provider's operational efficiency, effectiveness, and risk management
practices. This choice correctly encapsulates all these aspects, making it the correct answer.

Choice A is incorrect. While financial analyses, assessment of internal controls, and limits of
liabilities are important aspects to consider during due diligence and selection of service
providers, they do not encompass all the necessary elements. It lacks consideration for business
background, strategy and reputation which are crucial in evaluating a potential service provider.

Choice B is incorrect. Reviewing technical abilities, employee backgrounds, and facilities are
also significant factors but they do not provide a comprehensive view. This choice misses out on
key elements such as financial performance and condition as well as the operations of the
potential service provider.

Choice D is incorrect. Although it might seem like an inclusive option because it states "All of
the above", it's not correct because choices A and B do not cover all necessary aspects for a
comprehensive due diligence analysis and selection process according to best industry practices.

Q.2329 A bank based in Palermo, Italy, is considering outsourcing its IT services and is preparing
a review of financial condition of IAM Systems – the most popular service provider in town.
Which of the following would not form part of the financial review process?

A. The adequacy of the service provider's insurance coverage.

B. The adequacy of the service provider's review of the financial condition of any
subcontractors.

C. The potential financial impact of the bank’s business on the provider.

D. The potential impact of the provider’s past clients on the bank’s financial condition.

The correct answer is D.

Financial institutions should review the financial condition of the service provider and its closely
related affiliates. The financial review may include:

- The service provider's most recent financial statements and annual report with regard
  to outstanding commitments, capital strength, liquidity and operating results
- The service provider's sustainability, including factors such as the length of time that
  the service provider has been in business and the service provider's growth of market
  share for a given service
- The potential impact of the financial institution's business relationship on the
  service provider's financial condition
- The service provider's commitment (both in terms of financial and staff resources) to
  provide the contracted services to the financial institution for the duration of the
  contract
- The adequacy of the service provider's insurance coverage
- The adequacy of the service provider's review of the financial condition of any
  subcontractors
- Other current issues the service provider may be facing that could affect future
  financial performance

Q.2330 Stroud Bank from Gloucester, UK, is in the process of executing a major merger. The
bank will be outsourcing the activities related to the relocation of facilities, as required by the
merger, which should take considerable efforts. The bank is reviewing operations and internal
controls of several service providers in order to make an informed decision. Which of the
following should not be included in the review?

A. Training, including compliance training for staff.

B. Compliance with the environmental sustainability of the business.

C. Business resumption and contingency planning.

D. Service support and delivery.

The correct answer is B.

While environmental sustainability is an important aspect of any business, it is not typically a
factor that a financial institution would consider when reviewing the operations and internal
controls of a service provider for outsourcing activities related to a merger. The primary focus of
such a review would be on the service provider's ability to effectively and efficiently carry out the
tasks required by the merger, including relocation of facilities, staff training, business
resumption and contingency planning, and service support and delivery. Environmental
sustainability, while important, is not directly related to these tasks and therefore would not
typically be included in the review.

Choice A is incorrect. Training, including compliance training for staff, is a crucial element to
consider during the review process. It ensures that the service provider's employees are
well-equipped with the necessary skills and knowledge to perform their tasks effectively and in
accordance with regulatory requirements.

Choice C is incorrect. Business resumption and contingency planning should be considered as
part of this review process. This would provide Stroud Bank with an understanding of how the
service provider plans to resume operations in case of any disruptions or unforeseen
circumstances, ensuring continuity of services.

Choice D is incorrect. Service support and delivery are essential elements to consider during
this review process as they directly impact the quality of services provided by potential
providers. This includes factors such as response times, availability of support personnel, and
efficiency in delivering services.

Q.2331 Coulomb Bank, a financial institution based in Montpellier, France, is in the process of
drafting a contract for the outsourcing of several of its operations. The legal team of the bank is
meticulously outlining the scope of the contract, which will delineate the rights and
responsibilities of both the bank and the service provider. Which among the following elements
should be incorporated into the contract?

A. Terms governing the use of the bank’s property, equipment, and staff.

B. Training of the bank’s employees.

C. Both of the above.

D. None of the above.

The correct answer is C.

Scope: Contracts should clearly define the rights and responsibilities of each party, including:

- maintenance, and customer service;
- Contract timeframes;
- Compliance with applicable laws, regulations, and regulatory guidance;
- Training of financial institution employees;
- The ability to subcontract services;
- The distribution of any required statements or disclosures to the financial institution's
  customers;
- Insurance coverage requirements; and
- Terms governing the use of the financial institution's property, equipment, and
  staff.

Q.2993 In the process of formulating contingency plans, financial institutions undertake a variety
of tasks. These tasks are aimed at ensuring the continuity of business operations in the event of
unforeseen circumstances. Which of the following tasks is not necessarily performed by the
financial institution during the contingency planning process?

A. Ensuring that there is the existence of a disaster recovery and business continuity
plan, regarding the services and products contracted.

B. The service provider’s disaster recovery and business continuity plan should be
assessed by the financial institution, to ensure they align with that of their own.

C. The business continuity and contingency plan of the service provider should be tested
on a periodic basis by the financial institution to ensure they are adequate and effective.

D. The financial institution should ensure that the foreign-based service providers are
complying with their country’s regulations and regulatory guidance.

The correct answer is D.

Ensuring compliance with the rules, regulations, and regulatory guidance of the country in which
the financial institution is located, although important and carried out by the financial institution,
is not necessarily something the financial institution does when preparing contingency plans.

Q.5257 Which of the following best describes the key elements of contracts and agreements
related to the cost and compensation of service providers?

A. Contracts and agreements should only describe the compensation to be paid to the
service provider without addressing any other related expenses.

B. Contracts and agreements should only address the payment of legal, audit, and
examination fees related to the activity performed by the service provider.

C. Contracts and agreements should only address the responsibility for the maintenance
of equipment, hardware, and software related to the activity performed by the service
provider.

D. Contracts and agreements should describe the compensation, variable charges, and
any fees to be paid for non-recurring items and special requests.

The correct answer is D.

Contracts and agreements with service providers should be comprehensive and cover all aspects
related to cost and compensation. This includes the basic compensation to be paid to the service
provider, any variable charges that may arise due to changes in the scope of work or other
factors, and any fees that may be incurred for non-recurring items and special requests. This
ensures that both parties have a clear understanding of the financial obligations involved,
reducing the potential for disputes and misunderstandings. It also allows for better budgeting
and financial planning by both parties. This approach aligns with best practices in contract
management and is recommended by experts in the field.

Choice A is incorrect. While compensation to the service provider is an essential component, it
should not be the only aspect addressed in contracts and agreements. Other related expenses
such as variable charges, fees for non-recurring items and special requests should also be
included to ensure a comprehensive cost structure.

Choice B is incorrect. Although legal, audit, and examination fees are important considerations
in a service provider agreement, they do not encapsulate all the essential components of cost
and compensation. The agreement should also cover aspects like compensation to the service
provider, variable charges and any fees for non-recurring items or special requests.

Choice C is incorrect. Responsibility for maintenance of equipment, hardware, and software
are indeed important considerations but they do not represent all essential components that
need to be addressed in terms of cost and compensation in a service provider agreement. Other
elements such as direct compensation to the service provider along with variable charges or any
other additional costs must also be included.

Reading 115: Case Study: Third-Party Risk Management

Q.5129 Which of the following is not a step in the Third-Party Risk Management life cycle?

A. Remediation

B. Risk rating & evaluation

C. Shared assessments

D. Continuous monitoring

The correct answer is C.

Shared Assessments is a US-based certifying organization specializing in Third-Party Risk
Management and delivering the professional certification of third-party risk management
professionals.

The five stages of the professional certification of third-party risk management professionals are:

i. Business model decision
ii. Evaluation, risk rating, due diligence
iii. RFPs (requests for proposal) and contracts
iv. Monitoring (continuous and ongoing)
v. Remediation or termination

Q.5130 Which of the five steps in the Third-Party Risk Management cycle involves choosing a
third-party service provider after evaluating the risk appetite of the firm?

A. Evaluation, risk rating, due diligence

B. Business model decision

C. Contracts and contract management

D. Continuous monitoring

The correct answer is B.

The 'Business model decision' step in the Third-Party Risk Management cycle is primarily

concerned with the selection of a third-party service provider. This step involves making

strategic decisions about whether to outsource certain activities or keep them in-house. A

provider's quality and price are important considerations in this step. These decisions

are closely related to the risk appetite of the firm, as the firm must balance the potential benefits

of outsourcing with the potential risks. The risk appetite of the firm can influence the level of risk

it is willing to accept in its business model, and therefore, in its choice of third-party service

providers.

Choice A is incorrect. While evaluation, risk rating, and due diligence are important steps in

the third-party risk management cycle, they primarily involve assessing the potential risks

associated with a third-party service provider rather than selecting one based on the firm's risk

appetite. These steps help to identify and quantify the risks but do not directly involve making a

decision about whether or not to engage with a particular service provider.

Choice C is incorrect. Contracts and contract management are concerned with formalizing the

relationship between the firm and its chosen third-party service provider once that selection has

been made. This step involves setting out terms of engagement, responsibilities, performance

metrics etc., but it does not directly deal with selecting a service provider based on risk appetite.

Choice D is incorrect. Continuous monitoring refers to ongoing oversight of the relationship

with a third-party service provider after it has been established. It involves tracking performance

against agreed-upon metrics and managing any emerging risks or issues that arise during

execution of services by third-party providers but does not involve selection of these providers.

Q.5131 Which of the following is a good risk management practice of the remediation or
termination step of the Third-Party Risk Management life cycle?

A. Defining trigger events for reassessment

B. Establish limits on the outsourcing by third parties

C. Having an exit strategy

D. Use of standard assessment questionnaires

The correct answer is C.

Having an exit strategy is a good risk management practice under the remediation and

termination step of the Third-Party Risk Management life cycle. This step involves taking

necessary actions to address identified risks and, if necessary, terminating the relationship with

the third party. An exit strategy or termination clause provides a clear plan for ending the

relationship with the third party if the situation deteriorates beyond repair. This could be due to

a variety of reasons such as the third party's failure to meet contractual obligations, significant

changes in the third party's business condition, or the identification of unacceptable risks during

the continuous monitoring process. Having an exit strategy ensures that the organization is

prepared for such scenarios and can minimize potential losses and disruptions to its operations.

Choice A is incorrect. Defining trigger events for reassessment is an important part of the risk

management process, but it is not specifically associated with the remediation or termination

step. This practice typically falls under the monitoring and review stage of the Third-Party Risk

Management life cycle, where ongoing assessment of third-party performance and risk exposure

takes place.

Choice B is incorrect. Establishing limits on outsourcing by third parties can be a good risk

management practice, but it does not directly relate to the remediation or termination step. This

action usually pertains to the initial stages of third-party relationship establishment where

organizations define their outsourcing policies and set boundaries for third-party involvement.

Choice D is incorrect. The use of standard assessment questionnaires can be a useful tool in

evaluating potential risks associated with third parties; however, this practice generally applies

to earlier stages in the Third-Party Risk Management life cycle such as selection and due

diligence phase rather than the remediation or termination step.

Q.5132 Which of the following is not an example of an event that can trigger the reassessment of
contracts with third parties?

A. Data breaches

B. A merger or acquisition

C. Regulatory change

D. Risk appetite

The correct answer is D.

Risk appetite is not an event that can trigger the reassessment of contracts with third parties.

Risk appetite refers to the level of risk that an organization is willing to accept in pursuit of its

objectives, before action is deemed necessary to reduce the risk. It is a strategic decision made

by the organization and is not an event or incident that would necessitate a reassessment of

contracts. A company's risk appetite will influence its decision-making process, including

whether to outsource certain activities or keep them in-house. However, it does not directly

trigger a reassessment of existing contracts with third parties.

Choice A is incorrect. Data breaches are a significant event that can necessitate the

reassessment of contracts with third parties. If a data breach occurs, it may indicate that the

third party's security measures are inadequate, which could lead to potential legal and financial

risks for the business.

Choice B is incorrect. A merger or acquisition is another event that typically triggers a

reassessment of contracts with third parties. This is because such events often result in changes

to business operations and strategies, which may affect existing contractual relationships.

Choice C is incorrect. Regulatory changes can also trigger a reassessment of contracts with

third parties. Changes in laws or regulations can impact the terms and conditions of existing

contracts, making it necessary for businesses to review these agreements to ensure compliance.

Q.5133 Which of the five steps in the Third-Party Risk Management cycle requires sound due
diligence and verification of third-party service providers?

A. Remediation or termination

B. Continuous monitoring

C. Evaluation and risk rating

D. Business model decision

The correct answer is C.

This is the second stage of the Third-Party Risk Management cycle. It involves a thorough due

diligence process and verification of third-party service providers. The aim of this step is to

assess the potential risks associated with engaging a third-party service provider. The level of

due diligence required may vary depending on the nature of the third-party service provider. For

instance, a third-party service provider that will have access to sensitive information may require

more extensive due diligence compared to one that will not. This approach, known as

proportionality of approach, is considered a good risk management practice.

Choice A is incorrect. Remediation or termination is a step in the Third-Party Risk

Management cycle that occurs after a risk has been identified and evaluated. It involves taking

corrective action to mitigate the risk or terminating the relationship with the third-party service

provider if necessary. This step does not involve the due diligence process and verification of third-party

service providers.

Choice B is incorrect. Continuous monitoring refers to ongoing oversight of third-party

relationships to ensure they continue to meet contractual obligations and compliance

requirements, as well as manage any changes in their risk profile over time. While it's an

important part of managing third-party risks, it doesn't necessitate a thorough due diligence

process and verification which are typically conducted before engaging with a third party.

Choice D is incorrect. The business model decision stage involves deciding whether to

outsource certain functions or processes based on strategic considerations such as cost,

efficiency, expertise, etc., rather than conducting due diligence on potential service providers.

Q.5134 Which of the following is not a common third-party risk?

A. Service disruption

B. Third parties

C. Accidental data privacy breach

D. Compliance breaches

The correct answer is B.

Third parties are not necessarily a common third-party risk. It is the use of third parties that

increases a firm’s exposure to third-party risks. Third parties are providers of goods and services

that are not internal to the firm.

Common third-party risks include service disruption, failings in service quality, fraud, accidental

data privacy breach or intentional information leak, compliance breaches, espionage and IP

theft, and reputational damage.

Q.5135 Which of the following is a good practice when addressing fourth-party risk?

A. Establish standards on outsourcing

B. Define trigger events for reassessment

C. Have an exit strategy

D. Having a termination clause

The correct answer is A.

Establishing standards on outsourcing is a good practice when addressing fourth-party risk. This

is because it allows the firm to set certain standards or limits on the outsourcing activities

carried out by third-party vendors. These standards can be a replication of the rules that the firm

applies to its own vendors, thereby ensuring that the vendors also apply them to their own

vendors and contractors. This practice is beneficial as it helps in maintaining control over the

outsourcing activities and mitigating any potential risks associated with them.

Choice B is incorrect. While defining trigger events for reassessment can be a good practice in

managing third-party risk, it does not directly address the issue of fourth-party risk. Fourth-party

risk arises when a third party outsources some of its tasks or services to another entity (the

fourth party). Therefore, establishing standards on outsourcing would be more beneficial in

managing this specific type of risk.

Choice C is incorrect. Having an exit strategy is indeed important in any contract management

process, but it does not specifically target the management of fourth-party risks. An exit strategy

would come into play when there are significant issues with the third party that cannot be

resolved, and does not necessarily prevent or manage risks associated with the fourth parties

they may engage.

Choice D is incorrect. Similar to choice C, having a termination clause can be beneficial in

general contract management but it doesn't directly help manage fourth-party risks. A

termination clause allows for ending the contract under certain conditions but doesn't set

standards or limits on outsourcing which is crucial for managing fourth-party risks.

Q.5136 Which of the following is not an action that should be undertaken during the wind-down
process of contracts?

A. The transmission of intellectual property

B. Plan to transition to in-house services

C. Have audit rights on their vendors

D. Provide evidence of data transfer or destruction

The correct answer is C.

Having audit rights on vendors is not typically part of the wind-down process. Audit rights are a

necessity for firms whose third parties also outsource services to other parties. It is necessary

for the firms to verify by themselves the application of rules the vendors use. However, this is not

a step that is typically undertaken during the wind-down process. Instead, audit rights are

usually exercised during the course of the relationship with the vendor, to ensure compliance

with contractual obligations and regulatory requirements.

Choice A is incorrect. The transmission of intellectual property is typically part of the wind-

down process. This ensures that any proprietary information or technology that was shared with

the vendor is returned to the company, protecting its intellectual assets.

Choice B is incorrect. Planning to transition to in-house services is also a common step in the

wind-down process. This involves preparing internal resources and personnel to take over the

tasks previously handled by the third-party vendor, ensuring business continuity.

Choice D is incorrect. Providing evidence of data transfer or destruction is another crucial step

in winding down contracts with third-party vendors. This helps confirm that all sensitive data has

been appropriately handled, either transferred back to the company or securely destroyed.

Q.5137 Which of the following steps of the Third-Party Risk Management life cycle involves
keeping track of service provision, quality SLAs, and compliance with regulation?

A. Remediation or termination

B. Business model decision

C. Evaluation and risk rating

D. Continuous monitoring

The correct answer is D.

Continuous monitoring is the step in the Third-Party Risk Management life cycle that involves

keeping track of service provision, quality SLAs, and compliance with regulations. This step is

crucial as it ensures that the third-party service provider is meeting the agreed-upon standards

and adhering to the regulations. Continuous monitoring also involves setting trigger events for

reassessment, not just at the end-of-contract. This means that the performance of the third-party

service provider is constantly being evaluated and any deviations from the agreed-upon

standards or regulations are quickly identified and addressed. This continuous monitoring and

evaluation help in mitigating risks and ensuring that the third-party service provider is delivering

as per the expectations.

Choice A is incorrect. Remediation or termination is a step in the third-party risk management

process, but it typically comes into play when there are significant issues with the service

provision or compliance breaches. It does not primarily focus on continuous monitoring of SLAs

and regulatory compliance.

Choice B is incorrect. The business model decision step involves deciding whether to

outsource a particular function or keep it in-house based on various factors such as cost,

expertise, and strategic importance. This step does not involve continuous monitoring of service

provision and compliance with regulations.

Choice C is incorrect. Evaluation and risk rating involves assessing the potential risks

associated with outsourcing a particular function to a third party. While this step may include

setting trigger events for reassessment, its primary focus is not on ongoing monitoring of service

provision and regulatory compliance.

Reading 116: Case Study: Investor Protection and Compliance Risks in Investment Activities

Q.5139 Which of the following is not one of the activities addressed by the Markets in Financial
Instruments Regulation (MIFIR)?

A. Investment advisory definition and objectivity

B. Best deal execution for the clients

C. Protections for whistleblowers

D. Transactions with qualified counterparties

The correct answer is C.

Protections for whistleblowers is not one of the activities addressed by the Markets in Financial

Instruments Regulation (MIFIR). This is because the protection of whistleblowers is typically

covered under different legislation. In the United States, for example, the Dodd-Frank Wall

Street Reform and Consumer Protection Act provides significant protections for whistleblowers.

These protections include confidentiality, protection from retaliation, and potential financial

rewards for providing information that leads to successful enforcement action. Therefore, while

whistleblower protection is a critical aspect of financial regulation, it is not a focus of MIFIR.

Choice A is incorrect. The Markets in Financial Instruments Regulation (MIFIR) does cover the

definition and objectivity of investment advisory. It provides guidelines on how investment advice

should be given, ensuring that it is objective and in the best interest of the client.

Choice B is incorrect. MIFIR also addresses best deal execution for clients. It mandates that

financial institutions must take all necessary steps to obtain the best possible result for their

clients when executing orders.

Choice D is incorrect. Transactions with qualified counterparties are indeed covered by MIFIR.

The regulation outlines specific rules for these transactions to ensure transparency and fairness

in financial markets.

Q.5141 Which regulations resulted in the formation of the Consumer Financial Protection Bureau
(CFPB) as an independent financial regulator to regulate consumer finance markets?

A. The Markets in Financial Instruments Directive (MIFID)

B. The Investor Protection Act – Dodd-Frank

C. The Financial Industry Regulatory Authority (FINRA)

D. The Volcker Rule

The correct answer is B.

The Investor Protection Act – Dodd-Frank is the regulation that led to the establishment of the

Consumer Financial Protection Bureau (CFPB). The Dodd-Frank Wall Street Reform and

Consumer Protection Act, commonly referred to as Dodd-Frank, was signed into law in 2010 in

response to the 2008 financial crisis. One of its key provisions was the creation of the CFPB, an

independent agency tasked with protecting consumers in the financial sector. The CFPB's

mandate includes enforcing consumer protection laws, conducting financial education,

researching consumer behavior, and monitoring financial markets for risks to consumers.

Choice A is incorrect. The Markets in Financial Instruments Directive (MiFID) is a European

Union law that provides harmonized regulation for investment services across the 31 member

states of the European Economic Area. It does not have any direct relation to the establishment

of the CFPB in the United States.

Choice C is incorrect. The Financial Industry Regulatory Authority (FINRA) is a private, self-

regulatory organization in the United States, which was created to regulate member brokerage

firms and exchange markets. It was not responsible for creating the CFPB.

Choice D is incorrect. The Volcker Rule refers to § 619 of the Dodd–Frank Wall Street

Reform and Consumer Protection Act, originally proposed by American economist and former

United States Federal Reserve Chairman Paul Volcker to restrict United States banks from

making certain kinds of speculative investments that do not benefit their customers. While it is

part of the Dodd-Frank Act, it is not directly related to the formation of the CFPB.

Q.5144 Which of the following is an effect of the Volcker rule?

A. Enhanced witness protection

B. Buying and selling of securities through clearing houses

C. Stopping commercial banks from speculation and proprietary trading

D. Establish the Consumer Financial Protection Bureau

The correct answer is C.

The Volcker Rule was designed to prevent commercial banks from engaging in speculative

activities and proprietary trading for profit. This rule was a response to the 2008 financial crisis,

during which risky trading activities by banks contributed to the collapse of financial markets. By

prohibiting these activities, the Volcker Rule aims to protect depositors' funds and maintain the

stability of the financial system. The rule specifically limits banks' investments in hedge funds

and private equity funds, which are often associated with high levels of risk. Therefore, the

primary effect of the Volcker Rule is to stop commercial banks from speculation and proprietary

trading.

Choice A is incorrect. Enhanced witness protection is not a direct effect of the Volcker Rule.

The Volcker Rule primarily focuses on limiting risky financial activities by banks, such as

proprietary trading and certain investments in hedge funds and private equity funds, rather than

enhancing witness protection.

Choice B is incorrect. While the Dodd-Frank Act does include provisions related to clearing

houses, these are not directly related to the Volcker Rule. The rule's main purpose is to limit

speculative trading activities by commercial banks, not necessarily promoting buying and selling

of securities through clearing houses.

Choice D is incorrect. The establishment of the Consumer Financial Protection Bureau (CFPB)

was indeed a part of the Dodd-Frank Wall Street Reform and Consumer Protection Act but it was

not a direct result of implementing the Volcker Rule. The CFPB was created to protect

consumers from deceptive financial practices whereas the Volcker rule specifically targets risk-

taking activities by banks.

Q.5146 Which of the following is the key issue addressed by the creation of the Markets in
Financial Instruments Directive II (MIFID II)?

A. The requirements for regulatory reporting and transaction transparency

B. The disclosure of transaction data to supervisors and regulators

C. The asymmetry in information between buyers and sellers

D. The oversight and supervision of workers and trades

The correct answer is B.

The Markets in Financial Instruments Directive II (MIFID II) was primarily created to address

the issue of the disclosure of transaction data to supervisors and regulators. This directive was a

significant development in the regulation of financial markets, particularly in the European

Union. It was designed to provide greater transparency and to protect investors. The directive

added new requirements for the public disclosure of trading activity data as well as for the

disclosure of transaction data to supervisors and regulators. This was done to ensure that the

financial markets operate in a fair, efficient, and transparent manner. The directive also aimed to

strengthen investor protection and to improve the functioning of financial markets, making them

more efficient, resilient, and transparent.

Choice A is incorrect. While MIFID II does include requirements for regulatory reporting and

transaction transparency, these are not the primary issues that the directive aimed to address.

The main focus of MIFID II was to increase transparency in financial markets and protect

investors by ensuring they have access to necessary information.

Choice C is incorrect. Although information asymmetry between buyers and sellers can be a

problem in financial markets, it was not the primary issue that MIFID II aimed to address. The

directive's main goal was to enhance market transparency and investor protection, which goes

beyond simply addressing information asymmetry.

Choice D is incorrect. Oversight and supervision of workers and trades are important aspects

of financial regulation, but they were not the key issues that led to the creation of MIFID II. The

directive primarily sought to improve market transparency and protect investors by requiring

disclosure of transaction data.

Q.5147 Which of the following is a protection provided to investors through the Investor
Protection Act – Dodd-Frank?

A. Employee education

B. Best deal execution for the clients

C. Establishing the Volcker Rule

D. Fair and non-misleading communication with customers

The correct answer is C.

The Investor Protection Act – Dodd-Frank established the Volcker Rule, which is named after

former Federal Reserve Chairman Paul Volcker. The rule seeks to stop commercial banks from

engaging in profit-driven speculation and proprietary trading, as well as limiting banks’

investments in hedge funds and private equity funds. The Volcker Rule is designed to reduce the

risks that banks pose to the financial system and to protect depositors. By prohibiting banks from

engaging in certain types of risky activities, the rule aims to prevent the kind of financial

instability that led to the 2008 financial crisis. The Volcker Rule is a key component of the Dodd-

Frank Act's efforts to reform Wall Street and protect investors.

Choice A is incorrect. Employee education is not a protection provided to investors through

the Investor Protection Act – Dodd-Frank. While employee education can be beneficial for

improving the overall quality of service provided by financial institutions, it does not directly

protect investors or their investments.

Choice B is incorrect. Best deal execution for clients, while an important aspect of fiduciary

duty in finance, is not specifically addressed in the Investor Protection Act – Dodd-Frank. This

act primarily focuses on regulatory reforms and consumer protections rather than specific

operational practices within financial institutions.

Choice D is incorrect. Fair and non-misleading communication with customers is a general

principle that all businesses should adhere to, but it's not a specific provision of the Investor

Protection Act – Dodd-Frank. The act does include provisions aimed at increasing transparency

and accountability in financial markets, but these are broader than simply ensuring fair

communication with customers.

Reading 117: Supervisory Guidance on Model Risk Management

Q.4297 Which of the following is a primary way in which models can pose a significant risk to
financial service firms?

A. Models are costly

B. Models can give inaccurate results

C. Models are not time-sensitive

D. Models take too long to be implemented

The correct answer is B.

Models that produce inaccurate results may lead to unexpected losses. The two primary ways in

which models can pose a significant risk to financial services firms are:

Models can be manipulated, misunderstood, or misused; this leads to unexpected

losses to the firm.

Models can give inaccurate results, which leads to unexpected losses to the firm.

A is incorrect: A model's cost does not pose a significant risk to a financial institution.

C is incorrect: A model's time consumption does not pose any significant risk.

D is incorrect: The time of implementation does not pose a significant risk to a firm.

Q.4298 The following are activities carried out during the data preparation stage of a model
development process, EXCEPT:

A. Data acquisition

B. Data cleaning

C. Data exploration

D. Sample selection

The correct answer is C.

Data exploration is not typically carried out during the data preparation stage of a model

development process. Instead, it belongs to the data understanding stage. This stage involves

studying the relationship between the dependent variable and independent variables, as well as

the correlation between different features. It is a crucial step in understanding the structure and

patterns within the data, which can inform the subsequent stages of model development.

Choice A is incorrect. Data acquisition is a crucial part of the data preparation stage in model

development. It involves gathering relevant data from various sources, which will be used to

build and test the model.

Choice B is incorrect. Data cleaning, also known as data cleansing or scrubbing, is another

essential activity during this stage. It involves detecting and correcting (or removing) corrupt or

inaccurate records from a dataset.

Choice D is incorrect. Sample selection refers to the process of choosing a subset of a

population for investigation; it's an integral part of the data preparation stage as it helps in

ensuring that the model can be generalized to apply to broader contexts beyond just the sample

itself.

Q.4299 Which of the following gives a reason why a firm should invest in model risk
management?

A. To give incentives to model developers to work faster

B. To cater for losses brought about by a model

C. To provide incentives to management

D. To ensure that the model is used as required

The correct answer is D.

Ensuring that the model is used as required is a fundamental reason for a firm to invest in model

risk management. A strong model risk management framework relies on significant investment

in supporting systems to guarantee data and reporting integrity and testing to ensure proper

implementation of models, effective systems integration, and appropriate use. This investment is

crucial to ensure that the models are used correctly and effectively, thereby reducing the risk of

financial losses due to model errors or misuse.

Choice A is incorrect. While it may be beneficial for model developers to work faster, this is not

a primary reason for investing in model risk management. The main purpose of model risk

management is to ensure the integrity and effectiveness of financial models, not to speed up

their development.

Choice B is incorrect. Although mitigating potential losses caused by a flawed or misused

model can be an outcome of effective model risk management, it's not the primary reason for

such investment. The main goal is to ensure that the models are used as intended and provide

accurate results.

Choice C is incorrect. Providing incentives to management does not directly relate to the

purpose of investing in model risk management. While good governance and oversight are

important aspects of managing risks associated with financial models, they do not constitute a

primary reason for such investments.

Q.4303 TCC bank has developed a set of models to analyze liquidity risk, market risk, as well as
the credit risk of borrowers. Which of the following model risk management functions is least
likely to be handled by the developers of these models?

A. Coming up with a clear statement of purpose to ensure that model development is
aligned with the intended use

B. Rigorous assessment of data quality and relevance

C. Model testing

D. Model validation

The correct answer is D.

The process of validation is crucial and it requires independence from model development and

usage. It is generally advised that validation should be performed by individuals who are not

involved in the development or usage of the model and do not have a vested interest in its

validity. Independence is not a goal in itself, but it ensures that incentives are aligned with the

objectives of model validation. Therefore, it is least likely to be handled by the developers of the

models.

Choice A is incorrect. The individuals who develop the models are indeed responsible for

coming up with a clear statement of purpose to ensure that model development is aligned with

the intended use. This is because they have a deep understanding of the model's design and its

intended application, making them best suited to define its purpose.

Choice B is incorrect. Rigorous assessment of data quality and relevance is also likely to be

performed by those who developed the models. They need to ensure that the data used in their

models are accurate, reliable, and relevant for their intended use.

Choice C is incorrect. Model testing involves checking if a model works as expected under

different scenarios and conditions. This task would typically be performed by those who

developed it since they understand how it should function in various situations.

Q.4304 Model development and implementation in risk management requires various best
practices to ensure that the models are aligned to their intended use. Which of the following
alternatives about these best practices is MOST ACCURATE?

A. The merits and limitations of the model methodologies and processing components
should be well explained.

B. Developers should compare their models with alternative approaches and theories.

C. The quality of data used to develop a model should be assessed and documented.

D. All of the above

The correct answer is D.

All of the above-mentioned practices are indeed considered best practices in model development

and implementation in risk management. Each of these practices contributes to the overall

effectiveness and accuracy of the model. Choice A emphasizes the importance of understanding

the strengths and weaknesses of the model methodologies and processing components. This

understanding allows for better decision-making and risk assessment. Choice B highlights the

importance of comparing the developed model with alternative approaches and theories. This

comparison can provide insights into potential improvements or modifications that can enhance

the model's performance. Choice C underscores the importance of assessing and documenting

the quality of data used in the model development. High-quality data is crucial for the accuracy

and reliability of the model. Therefore, all these practices are essential and contribute to the

development of a robust and reliable risk management model.

Choice A is incorrect. While it is true that the merits and limitations of the model

methodologies and processing components should be well explained, this alone does not

encompass all the best practices in model development and implementation. Other aspects such

as comparing models with alternative approaches and assessing the quality of data used are also

crucial.

Choice B is incorrect. Comparing models with alternative approaches and theories is indeed a

best practice in risk management modeling. However, this statement does not cover all other

important practices such as explaining the merits and limitations of the model methodologies or

assessing data quality.

Choice C is incorrect. Assessing and documenting the quality of data used to develop a model

is an essential practice but it doesn't represent all best practices in risk management modeling.

Other key aspects like explaining model methodologies' pros & cons or comparing models with

alternatives are also necessary.

Q.4305 Which of the following gives a common error in model use and management across all
industries?

A. Spending more than anticipated

B. Sample bias in model data

C. Users failing to keep documentation

D. Model invalidation

The correct answer is B.

Sample bias in model data is a common error in model use and management across all

industries. This error occurs when a nonrepresentative set of data is used during the

development of a model. The use of such data can lead to incorrect model outcomes. This is

because the model is trained on a biased sample, which does not accurately represent the

population. As a result, the model's predictions or classifications may also be biased and

inaccurate. This can have significant implications, particularly in industries where models are

used to make critical decisions or predictions. Therefore, it is crucial to ensure that the data

used to train a model is representative of the population to avoid sample bias.

Choice A is incorrect. While overspending can be a concern in any business scenario, it does

not specifically pertain to the use and management of models across various industries.

Overspending is more related to budgeting and financial management rather than model use and

management.

Choice C is incorrect. Although maintaining documentation is important for model use and

management, users failing to keep documentation isn't a common mistake that's often

encountered in this context. Documentation issues are more related to organizational practices

rather than inherent issues with model use or management.

Choice D is incorrect. Model invalidation isn't a common mistake encountered in the context of

model use and management across various industries. Invalidation of a model usually occurs

when the assumptions or data upon which it was built change significantly, making the model no

longer applicable or accurate.

Q.4306 Which of the given options identifies one challenge faced by model risk managers while
designing and delivering effective model risk reporting?

A. Lack of funds to fully implement the model

B. Implementing the required infrastructure to deliver reporting

C. Implementing the model

D. Lack of personnel to test the model

The correct answer is B.

Implementing the required infrastructure to deliver reporting is indeed a significant challenge

faced by model risk managers. Model risk reporting is a critical component of an organization's

risk management framework. It provides insights into the model risk limit that the organization

can tolerate. However, to deliver effective reporting, there is a need for appropriate

infrastructure. This includes workflow tools and databases that enable the organization,

management, and updating of data. Without the right infrastructure, it becomes difficult to

measure the impact of models, define metrics linked to model risk appetite, determine an

appropriate frequency of reporting, and aggregate reporting on individual models to provide a

comprehensive and consistent view of model risk at a defined level of aggregation. Therefore,

implementing the required infrastructure to deliver reporting is a significant challenge in model

risk management.

Choice A is incorrect. While lack of funds can be a challenge in implementing the model, it

does not directly relate to the challenges faced by model risk managers in designing and

delivering effective model risk reporting. The question specifically asks about challenges related

to reporting, not implementation.

Choice C is incorrect. Implementing the model itself is a part of the overall process but it

doesn't represent a specific challenge that model risk managers might face while designing and

delivering effective model risk reporting. The focus here is on issues related to reporting, not

implementation.

Choice D is incorrect. Lack of personnel to test the model could be an issue in overall risk

management but it doesn't specifically address the challenges faced by model risk managers in

terms of designing and delivering effective reports on model risks.

Q.4443 The following are part of the supervisory guidance for the model validation process,
EXCEPT:

A. Ensure that the model is used for decision making

B. Ensure that documentation indicates where the internal model does not work
effectively

C. Model developers must also be involved in the model validation team

D. None of the above.

The correct answer is C.

The statement that 'Model developers must also be involved in the model validation team' is

incorrect. According to the supervisory guidance for model validation process, specifically SR 11-7,

the model validation team should be independent. This means that the individuals who

developed the model should not be involved in its validation. The reason for this is to ensure

objectivity in the validation process. If the developers were involved in the validation, there could

be a conflict of interest, as they may be biased towards their own work. Therefore, to maintain

the integrity and reliability of the model, it is crucial that the validation team is independent of

the development team.

Choice A is incorrect. The supervisory guidelines indeed emphasize the importance of using

the model in decision making. This is to ensure that the model is not just a theoretical construct,

but has practical applications and can guide business decisions effectively.

Choice B is incorrect. According to supervisory guidelines, it's crucial that documentation

clearly indicates where the internal model does not work effectively. This helps in identifying

potential areas of improvement and mitigating any risks associated with these limitations.

Choice D is incorrect. As explained above, both choices A and B accurately represent

supervisory guidelines for model validation process, hence 'None of the above' cannot be correct.

Q.4444 Which of the following best describes a model?

A. A spreadsheet that aggregates groups’ trading positions for reporting

B. A spreadsheet with what-if calculations for potential buyers

C. A spreadsheet with coded probabilistic risk calculation that enables what-if scenarios
to be run each day

D. Both B and C

The correct answer is C.

A model is a tool that provides useful outputs to a firm given a set of inputs and can be reused

day by day. A spreadsheet with coded probabilistic risk calculation that enables what-if scenarios

to be run each day fits this definition perfectly. It is not just a simple spreadsheet, but a complex

tool that can process inputs (data entered into the spreadsheet), apply a probabilistic risk

calculation (the model's algorithm), and generate useful outputs (the results of the what-if

scenarios). These outputs can then be used to make informed decisions about risk management.

Furthermore, the fact that this tool can be used day after day, with different inputs, makes it a

reusable model, which is a key characteristic of financial models.

Choice A is incorrect. While a spreadsheet that aggregates groups' trading positions for

reporting can be a useful tool, it does not necessarily constitute a model in the context of

financial risk management. This is because it does not process inputs to generate outputs that

can be used in various scenarios, which is an essential characteristic of a model.

Choice B is incorrect. A spreadsheet with what-if calculations for potential buyers may provide

valuable insights, but it does not necessarily qualify as a model unless it also includes coded

probabilistic risk calculations that enable what-if scenarios to be run each day.

Choice D is incorrect. As explained above, both options B and C do not fully encapsulate the

definition of a model in financial risk management context. Only option C meets all the criteria

required for something to be considered as a model.

Q.4445 The following are some key areas where model risk can arise from, EXCEPT:

A. Data

B. Interpretation

C. Validation

D. Inventory

The correct answer is C.

Validation is not a source of model risk, but rather a process to mitigate it. In the context of

financial modeling, validation is a critical step that involves verifying the accuracy and

appropriateness of a model. This process is designed to identify and rectify any potential errors

or inaccuracies in the model, thereby reducing the likelihood of model risk. Validation involves a

thorough review of the model's assumptions, data inputs, calculations, and outputs. It also

includes stress testing the model under various scenarios to ensure it performs as expected.

Therefore, validation is a risk management tool, not a source of risk.

Choice A is incorrect. Data is indeed a source of model risk. Inaccurate, incomplete, or

outdated data can lead to erroneous results in financial modeling. For instance, if the data used

for modeling does not accurately represent the underlying reality or if it contains errors, the

model's predictions may be off.

Choice B is incorrect. Interpretation is also a source of model risk. Misinterpretation of the

results generated by a financial model can lead to wrong decisions and potential losses. This

could happen due to lack of understanding about how the model works or what its outputs mean.

Choice D is incorrect. Inventory refers to all models being used within an organization and this

too can be a source of risk if not properly managed. If there are too many models in use and they

are not well-documented or understood by users, it could lead to confusion and misuse.

Q.4446 Which of the following best describes the importance of an independent validation?

A. It reduces the cost of the validation process

B. It ensures that the bank doesn’t spend much on incentives that model developers may
require to validate the model

C. It provides comfort to the CRO, and regulators

D. All of the above

The correct answer is C.

Regulation requires that banks use independent validators. Besides being a requirement,
it helps eradicate the risks as validators are experts; thus, the CRO is comfortable using an
independent team of validators.

A is incorrect: Use of independent validation does not reduce any cost that was meant for

validation.

B is incorrect: Developers are not required to validate a model.

D is incorrect.

Q.4447 The following are key components of the model development process, EXCEPT:

A. Model lifecycle

B. Data preparation

C. Model audit

D. Model assembly

The correct answer is A.

Model lifecycle is not a component of the model development process. Instead, the model

development process is a part of the model lifecycle. The model lifecycle encompasses all stages

of a model's existence, from its initial conception and development, through its deployment, use,

and maintenance, to its eventual retirement. The model development process, on the other hand,

is a specific stage within this lifecycle, focusing on the creation and testing of the model.

Choice B is incorrect. Data preparation is a crucial part of the model development process. It

involves cleaning, transforming, and analyzing data to be used in the model. Without proper data

preparation, the model may not accurately represent the situation it's intended to analyze.

Choice C is incorrect. Model audit is also an important component of the model development

process. It ensures that the model has been developed correctly and functions as intended by

checking for errors or inconsistencies in its design or implementation.

Choice D is incorrect. Model assembly refers to putting together all parts of a model including

inputs, calculations and outputs which makes it an integral part of any modeling process.

Q.4448 Which of the following should be found in the model documentation?

A. Model validation team

B. Data sources

C. Individual model users

D. None of the above

The correct answer is B.

Model documentation should include the data sources used in the model. This is crucial because

it provides transparency about the origin of the data, which can affect the model's reliability and

validity. The data sources section in the model documentation should detail the specific

databases, files, or other sources from which the data was obtained. It should also include

information about the data's quality and any issues that might affect its accuracy or reliability.

Justification for using the chosen data should also be provided, explaining why this data is

suitable for the model's purpose. This can include discussions about the data's relevance,

timeliness, completeness, and other attributes that make it appropriate for the model. By

including this information in the model documentation, users and reviewers of the model can

better understand its workings and make informed decisions about its use.

Choice A is incorrect. While the model validation team plays a crucial role in verifying the

accuracy and reliability of a financial model, they are not a component that needs to be included

in the model documentation. The documentation should focus on the development, assumptions,

and data inputs of the model.

Choice C is incorrect. Individual model users are not necessary to be included in the model

documentation. The focus of such documentation should be on providing comprehensive

information about how the model was developed, what assumptions were made during its

creation, and what data sources were used.

Choice D is incorrect. As explained above, there are certain components like data sources that

need to be included in a financial model's documentation.

Q.4449 Which one of the following is a challenge faced by banks in the model validation process?

A. Use of model users for validation

B. Model developers requiring incentives to validate the model

C. Use of vendor models

D. All of the above

The correct answer is C.

The use of vendor models presents a significant challenge in the model validation process for

banks. According to the SR 11-7 guidelines, all models, whether developed internally or

purchased, should undergo the same rigorous validation process. However, vendors often lack

transparency regarding their intellectual property, which can complicate the validation process.

This lack of transparency may force banks to relax their validation standards and instead rely on

methods such as benchmarking and outcome analysis. This approach, while necessary due to the

circumstances, can potentially compromise the thoroughness and accuracy of the validation

process.

Choice A is incorrect. The use of model users for validation does not necessarily present a

challenge in the model validation process. Model users can provide valuable insights and

feedback on the practicality and usability of the models, which can be beneficial for improving

them.

Choice B is incorrect. While incentives might influence the behavior of model developers, it's

not inherently a challenge in the model validation process. Incentives could potentially motivate

developers to ensure their models are accurate and reliable, although they should ideally be

motivated by professional integrity rather than financial gain.

Choice D is incorrect. As explained above, both options A and B do not inherently represent

challenges that banks might encounter during the model validation process.

Q.4450 Which of the following is an important element of the model risk management
framework?

A. Model lifecycle management

B. Model risks

C. Third-party models

D. None of the above

The correct answer is A.

Model lifecycle management is indeed an essential element of the model risk management

framework. It involves the comprehensive management of a model throughout its lifecycle, from

its initial development to its eventual retirement. This process includes several stages such as

model development, validation, deployment, monitoring, and decommissioning. Each stage

requires careful management to ensure the model's effectiveness and reliability. For instance,

during the development stage, the model's design and assumptions are thoroughly evaluated.

Similarly, during the validation stage, the model's performance is rigorously tested against

various scenarios to ensure its robustness. Therefore, model lifecycle management plays a

crucial role in maintaining the quality and reliability of financial models, making it a vital

component of the model risk management framework.

Choice B is incorrect. While model risks are indeed a significant concern in financial risk

management, they are not a component of the model risk management framework itself. Instead,

they are what the framework aims to identify, manage and mitigate.

Choice C is incorrect. Third-party models can be part of an organization's overall financial

modeling strategy, but they do not constitute a key element of the model risk management

framework. The use of third-party models may introduce additional risks that need to be

managed within this framework.

Choice D is incorrect. As explained above, both Model lifecycle management and Third-party

models are related to the model risk management framework but neither constitutes its vital

component.

Q.4451 The following are the essential components of a model, EXCEPT:

A. A data input component

B. A data processing component

C. A data understanding component

D. A reporting component

The correct answer is C.

A data understanding component is not considered an essential component of a model. While

understanding the data is a crucial part of the model development process, it is not a component

of the model itself. The model development process involves understanding the data, but once

the model is developed, it does not require a data understanding component. Instead, the model

requires data input, data processing, and reporting components to function effectively. The data

input component is responsible for obtaining data from the user, the data processing component

processes the data using statistical or numerical computations, and the reporting component

provides the outcome or results after processing.

Choice A is incorrect. The data input component is an essential part of a model as it provides

the raw data that will be processed and analyzed by the model. Without this component, the

model would not have any information to work with.

Choice B is incorrect. The data processing component is also crucial in a model as it

manipulates and processes the raw data into a form that can be easily understood and analyzed.

This component helps in extracting meaningful insights from the raw data.

Choice D is incorrect. The reporting component of a model plays an important role in

presenting the results derived from the processed data in an understandable manner to

stakeholders or decision-makers. It aids in communicating findings effectively, hence it's

considered essential.

Q.4742 The following are considered by initial model validation to establish the appropriateness
of a proposed model, EXCEPT:

A. Model implementation

B. Model revalidation

C. Model documentation

D. Model testing

The correct answer is B.

Model revalidation is not considered during the initial model validation. The process of model

revalidation involves reviewing and updating the model to ensure that it remains effective and

relevant. This process is typically carried out after the model has been implemented and used for

a certain period of time. Therefore, it is not part of the initial model validation, which focuses on

establishing the appropriateness of a proposed model before it is implemented.

Choice A is incorrect. Model implementation is indeed a part of the initial model validation

process. It involves checking whether the model has been implemented correctly in accordance

with its design and specifications.

Choice C is incorrect. Model documentation is also considered during the initial model

validation process. This includes reviewing all relevant documents related to the model, such as

its design, development, testing procedures, and user manuals.

Choice D is incorrect. Model testing forms an integral part of the initial model validation

process as well. It involves conducting various tests to assess if the model performs as expected

under different scenarios and conditions.

Q.4743 Which of the following is a primary element of a strong model validation framework?

A. Good investment

B. Ongoing monitoring

C. Technology advancement

D. Time efficiency

The correct answer is B.

Ongoing monitoring is a critical element of a reliable model validation framework. The main aim

of this element is to confirm the appropriate implementation of the model, in addition to its

usage and performance as intended.

Other key elements of comprehensive validation include:

Evaluation of conceptual soundness: This entails the assessment of the quality of model

design and its construction. There should always be documented evidence to provide

support for all model choices.

Outcomes analysis: This element highly relies on statistical tests and other quantitative

measures. It involves a comparison of outcomes. The actual outcomes are compared

with the model's outcomes.

A, C, D are incorrect: They are not elements of the validation process.

Reading 118: Case Study: Model Risk and Model Validation

Q.5148 A risk manager at a bank is presenting to the board of directors about model risk
management. He starts his presentation by defining a model. Which one of the following is the
correct definition of a model in the context of modern-day risk management?

A. A tool used for forecasting based on complex statistical techniques

B. A tool used for forecasting based on qualitative techniques

C. A tool that applies quantitative approaches to forecast results

D. A tool used for forecasting based on both quantitative and qualitative methods

The correct answer is D.

A model, in the context of risk management, is indeed a tool used for forecasting based on both

quantitative and qualitative methods. The Federal Reserve defines a model as a quantitative

method, system, or approach that applies statistical, economic, financial, or mathematical

theories, techniques, and assumptions to process input data into quantitative estimates. This

definition also encompasses quantitative approaches whose inputs are partially or wholly

qualitative or based on expert judgment, as long as the outputs are quantitative in nature.

Therefore, a model is not limited to either quantitative or qualitative methods but rather

incorporates both to provide a comprehensive forecast.

Choice A is incorrect. While it is true that models often use complex statistical techniques for

forecasting, this definition is too narrow. It excludes models that use qualitative methods or a

combination of both quantitative and qualitative methods.

Choice B is incorrect. This definition also falls short as it only considers models that are based

on qualitative techniques, thereby excluding those that utilize quantitative approaches or a mix

of both.

Choice C is incorrect. Similar to choices A and B, this definition only focuses on one aspect of

modeling - the application of quantitative approaches for forecasting results. It does not account

for models that incorporate qualitative methods or a blend of both types.

Q.5149 A newly hired risk manager analyzes the types of risk and also wishes to explain different
ways that financial institutions can become exposed to model risk. Which of the following options
best describes the ways that financial institutions can become exposed to model risk?

A. By investing in low-risk assets.

B. By avoiding complex financial instruments.

C. By relying too heavily on a single model or failing to consider alternative models.

D. By conducting regular stress tests and scenario analysis.

The correct answer is C.

Financial institutions can become exposed to model risk by relying too heavily on a single model

or failing to consider alternative models. This can result in inaccurate or incomplete assessments

of risk, which can have serious consequences for the institution.

A is incorrect. Investing in low-risk assets may help to minimize some types of risk, but it is not

directly related to model risk.

B is incorrect. Avoiding complex financial instruments may help to reduce some types of risk,

but it does not address the issue of model risk specifically.

D is incorrect. Conducting regular stress tests and scenario analysis is an important risk

management practice, but it is not directly related to the ways that financial institutions can

become exposed to model risk.

Q.5150 A junior analyst at a bank wishes to understand more about the role of the model risk
management function and best practices in model risk management. What is the role of model
risk management (MRM) function in financial institutions, and how do they determine the
frequency of model validation?

A. MRM function validates models every year, regardless of their tier, to minimize risks.

B. MRM function specifies the frequency of model validation, but the tier of the model is
not taken into consideration.

C. MRM function is responsible for reviewing and challenging models to minimize risks,
and models are assigned to different tiers based on their risk level.

D. MRM function monitors the performance of models through reports produced by
model owners, but they do not conduct validations.

The correct answer is C.

The Model Risk Management (MRM) function in financial institutions is primarily responsible for

reviewing and challenging models to minimize risks. This involves a thorough examination of the

models to identify any potential issues or inaccuracies that could lead to significant financial

losses or regulatory penalties. The MRM function also assigns models to different tiers based on

their risk level. This tier-based system is crucial as it helps in prioritizing the models that require

immediate attention and frequent validation. High-risk models, or those belonging to the top tier,

are subjected to more frequent and detailed validation to ensure their accuracy and reliability.

On the other hand, models with lower risk levels undergo less frequent validation. This approach

allows the MRM function to effectively manage model risk by focusing their efforts on the models

that pose the greatest risk to the institution.

Choice A is incorrect. While the MRM function does validate models, it does not do so every

year regardless of their tier. The frequency of model validation is determined based on the risk

level associated with each model, which is indicated by its assigned tier.

Choice B is incorrect. This statement incorrectly suggests that the MRM function does not

consider the tier of a model when specifying the frequency of its validation. In reality, models are

assigned to different tiers based on their risk level and this tier assignment plays a crucial role in

determining how often they should be validated.

Choice D is incorrect. The MRM function's responsibilities extend beyond merely monitoring

reports produced by model owners; they also actively review and challenge models to minimize

risks and conduct validations as necessary based on each model's assigned risk level or tier.

Q.5151 What is the role of the first line of defense in the three lines of defense model in model
risk management, and how do first-line QA/QC teams help mitigate model risk?

A. The first line of defense is responsible for independently assessing the risk and risk
management practices of the second line, while the first-line QA/QC teams monitor the
performance of models.

B. The first line of defense abdicates its own responsibilities to the second line, while the
first-line QA/QC teams ensure models are validated at the appropriate frequency.

C. The first line of defense generates the risk to which the organization is exposed and
owns the risk. The first-line QA/QC teams play a pivotal role in mitigating model risk,
especially execution risk.

D. The first line of defense is responsible for validating models, while the first-line QA/QC
teams conduct comprehensive backtesting.

The correct answer is C.

The first line of defense in the three lines of defense model in model risk management is

responsible for generating the risk to which the organization is exposed. This line of defense is

primarily composed of model developers and model owners. They are the ones who create and

own the risk, and hence, they are in the best position to manage and mitigate it. The first-line

QA/QC teams play a pivotal role in mitigating model risk, especially execution risk. They ensure

that models are developed and implemented according to best practices. By doing so, they help

in reducing the likelihood of errors and inaccuracies in the models, which can lead to significant

risks for the organization. Therefore, the first line of defense and the first-line QA/QC teams are

integral to the effective management of model risk.

Choice A is incorrect. The first line of defense is not responsible for independently assessing

the risk and risk management practices of the second line. Instead, it owns and manages the

risks that are generated by its activities. The first-line QA/QC teams do monitor the performance

of models, but their role extends beyond just monitoring to include mitigating model risk.

Choice B is incorrect. The first line of defense does not abdicate its responsibilities to the

second line; rather, it actively manages and owns its risks. While ensuring models are validated

at an appropriate frequency is important, this task typically falls under the purview of second or

third lines of defense rather than being a responsibility of first-line QA/QC teams.

Choice D is incorrect. Model validation is generally not a responsibility assigned to the first
line of defense; instead, this task usually falls under either the second or third line in order to
maintain independence from those who develop and use these models daily. Similarly, while
comprehensive backtesting can be part of the model risk management process, it's typically
performed by independent validation teams (second or third lines) rather than by first-line
QA/QC teams.

Q.5152 The risk committee of a large bank has prepared a report on model risk management
framework. In the report, it is stated that just like operational risk management (ORM), the
MRM applies the three lines of defense model. Which of the following is correct regarding the
three lines of defense in the MRM framework?

A. Model developers and model owners form the first line of defense

B. The second line of defense works with the first line to assess all the activities of the
first line of defense

C. The second line of defense owns the risk

D. The first line of defense oversees all the activities of the second line of defense

The correct answer is A.

In the context of model risk, model developers and model owners form the first line of defense.

Hence, they generate the risk to which the organization is exposed.

B is incorrect. The first line owns the risk and should take all necessary steps to mitigate it,

while the second line independently assesses the first line's risk and risk management practices.

C is incorrect. The first line owns the risk.

D is incorrect. It should be the other way round, i.e., the second line of defense oversees the

activities of the first line of defense.

Q.5153 A bank's risk manager presents to the risk committee various case studies in which small
errors and ignorance led to, or nearly cost the firm, huge losses. What lesson related to the
collapse of the CDO market in 2008 did the bank's risk manager present to the risk committee?

A. The importance of diversification in investments.

B. The significance of credit ratings in selecting securities.


C. The risk of relying solely on quantitative models in investment decisions.

D. The necessity of hedging against market downturns.

The correct answer is C.

The 2008 financial crisis, particularly the collapse of the CDO market, was largely attributed to

an over-reliance on quantitative models for evaluating and pricing securities. These models,

while sophisticated and complex, failed to accurately capture the inherent risks associated with

these securities. This led to the creation of overly complex and ultimately unsustainable financial

products. The models underestimated the likelihood and potential impact of extreme market

events, leading to a significant mispricing of risk. As a result, when the housing market

collapsed, the models were unable to accurately predict the resulting losses, leading to a

systemic failure of the financial markets. Therefore, the key lesson from the CDO market

collapse is the risk associated with relying solely on quantitative models for investment

decisions. It underscores the need for a more holistic approach to risk management, one that

combines quantitative analysis with qualitative factors such as market conditions, regulatory

environment, and human judgment.

Choice A is incorrect. While diversification is a key principle in investment, it was not the

primary lesson from the CDO market collapse. The crisis occurred despite diversified

investments because of the systemic risk that affected all types of securities.

Choice B is incorrect. The significance of credit ratings was indeed questioned during the

crisis as many high-rated securities defaulted. However, this was not the main lesson emphasized

by the risk manager. The issue lay more with over-reliance on these ratings and lack of

independent assessment.

Choice D is incorrect. Hedging against market downturns is always important, but it wasn't the
key takeaway from this event. Even well-hedged portfolios suffered losses due to the unprecedented
scale and nature of this crisis.


Q.5154 A large bank has hired an expert to look into their newly developed model as a matter of
good MRM practice. Which of the following options presents a case study in which banks and model
users suffered huge losses due to their failure to assess newly developed models before fully
adopting them?

A. Gaussian Copula and CDO pricing

B. Barclays' acquisition of Lehman Brothers and the Excel spreadsheet error

C. NASA Mars Orbiter

D. Lehman Brothers scandal

The correct answer is A.

This case study focuses on the collapse of Collateralized Debt Obligations (CDO) markets in

2008. In the early 2000s, David X. Li published a paper on pricing CDOs and how to price pools

of assets without considering their correlations. Li's approach was based on the Gaussian copula

and the use of Credit Default Swap (CDS) prices to infer the correlation of assets. Despite the

limitations associated with Li's pricing model, it was widely adopted by both banks and model

users. These parties failed to assess the limitations of the model before fully adopting it. When

signs of weaknesses in the model began to emerge in 2008, the correlation implied by the CDSs

and the CDO prices increased dramatically. This led to the collapse of the CDO market, resulting

in substantial losses for banks and model users.

Choice B is incorrect. Barclays' acquisition of Lehman Brothers and the Excel spreadsheet
error is not a case of failure to adequately assess a newly developed model. Instead, it was an
operational error in the use of an Excel spreadsheet that led to significant losses for Barclays.

Choice C is incorrect. NASA's Mars Orbiter loss was due to a unit conversion error, not due to

inadequate assessment of a financial risk management model. This case study does not fit into

the context of financial risk management.

Choice D is incorrect. The Lehman Brothers scandal involved fraudulent activities and

misrepresentation of financial statements rather than issues with inadequately assessed risk

models. Therefore, this choice does not exemplify the situation described in the question.


Q.5155 In September 2008, Lehman Brothers collapsed, sparking the 2008 global financial
crisis. In one incident not known to many, Barclays Capital almost bought 179 trading contracts
from Lehman Brothers by accident. Which of the following lessons can be learned from this
incident?

A. MRM should challenge the assumptions and ensure users understand related
limitations

B. Even tools and models that seem so simple should be challenged and reviewed
properly

C. Even small errors, such as the use of wrong units, can lead to massive losses

D. A good MRM should help minimize the misuse of models by helping users understand
the limitations accompanying a model

The correct answer is B.

The incident involving Barclays Capital and Lehman Brothers underscores the importance of

thorough review and challenge, even for tools and models that may appear simple on the

surface. In this case, a seemingly minor oversight - the failure to delete hidden rows - could have

resulted in a significant financial loss for Barclays Capital. Although the loss did not materialize

in this specific instance, it serves as a stark reminder that potential losses can arise from the

simplest of errors. Therefore, it is crucial to challenge and review all tools and models,

regardless of their perceived simplicity, to prevent such mistakes from occurring.

Choice A is incorrect. While it's true that Model Risk Management (MRM) should challenge

assumptions and ensure users understand related limitations, this choice does not directly relate

to the incident at hand. The Barclays-Lehman Brothers near-miss event was more about the

importance of meticulousness in financial transactions rather than challenging assumptions or

understanding model limitations.

Choice C is incorrect. This statement is generally true in risk management, but it doesn't

encapsulate the lesson from the Barclays-Lehman Brothers incident. The issue wasn't about

using wrong units but rather a lack of thorough review and attention to detail in financial

transactions.

Choice D is incorrect. Although a good MRM should indeed help minimize misuse of models by
helping users understand their limitations, this choice doesn't directly address the key lesson
from the incident, which emphasizes thorough review and challenge even for seemingly
simple tools and models.

Q.5297 What is the primary role of model risk management in dealing with conceptual errors?

A. To identify and correct all conceptual errors.

B. To ensure transparency and clear communication of assumptions to users.

C. To make models always valid in any context.

D. To prevent market conditions from deteriorating.

The correct answer is B.

The primary role of model risk management in dealing with conceptual errors is to ensure

transparency and clear communication of assumptions to users. Conceptual errors in financial

models can arise due to a variety of reasons, including incorrect assumptions, inappropriate use

of models, or lack of understanding of the underlying financial concepts. These errors can lead to

significant financial losses if not identified and addressed promptly. Model risk management

plays a crucial role in mitigating these risks by ensuring that the assumptions used in the models

are clearly communicated to the users. This helps in enhancing the understanding of the users

about the model and its limitations, thereby enabling them to make informed decisions.

Furthermore, transparency in communication also fosters trust among the users, which is

essential for the effective use of financial models.

Choice A is incorrect. While model risk management does involve identifying and correcting

conceptual errors, it is not its primary responsibility. The main focus of model risk management

is to ensure that the risks associated with the use of financial models are properly managed and

mitigated, which includes but is not limited to dealing with conceptual errors.

Choice C is incorrect. It's unrealistic and impractical to expect any financial model to be
always valid in any context. Financial models are simplifications of reality and their validity
depends on the assumptions made during their development. Therefore, ensuring that a model is
always valid in any context goes beyond the scope of model risk management.

Choice D is incorrect. Model risk management cannot prevent market conditions from

deteriorating as it has no control over external factors affecting market conditions such as

economic trends or policy changes. Its role lies in managing risks associated with financial

models rather than controlling market dynamics.


Reading 119: Stress Testing Banks

Q.2306 Jim Scott, a risk manager, has been tasked with creating a presentation on capital and
liquidity for students at a high school. His introduction begins with a broad definition of the
different types of capital and liquidity. In this regard, which of the following is not a type of
capital/liquidity?

A. The capital/liquidity you have.

B. The capital/liquidity the regulators think that you have.

C. The capital/liquidity you need.

D. The capital/liquidity the regulators think that you need.

The correct answer is B.

There are three kinds of capital and liquidity: 1) the capital/liquidity you have; 2) the
capital/liquidity you need (to support your business activities); and 3) the capital/liquidity the
regulators think that you need.

Things to Remember

Capital and liquidity are fundamental concepts in finance and risk management. Capital refers to

the financial resources that are available for use, while liquidity refers to the ease with which

assets can be converted into cash. Understanding the different types of capital and liquidity is

crucial for effective financial planning and risk management. The three primary types of capital

and liquidity are: 1) the capital/liquidity you have, 2) the capital/liquidity you need, and 3) the

capital/liquidity the regulators think that you need. These categories provide a comprehensive

framework for assessing and managing financial resources, and are key to ensuring financial

stability and success.


Q.2307 Stress testing is a simulation technique used in banking to determine the ability of a
given financial instrument or financial institution to deal with an economic crisis. Various
authorities conduct different stress test exercises. Among the following options, which one does
not represent a valid stress test exercise conducted by an authoritative body?

A. SCAP 2009 – Supervisory Capital Assessment Program

B. CEBS 2010 – Committee of European Bank Supervisors

C. TCAP 2009 – Treasury’s Capital Assistance Program

D. CCAR 2011/2012 – Comprehensive Capital Analysis and Review

The correct answer is C.

Answer C is the only one which is not a stress test exercise, but a mechanism to supply capital to
banks in need. It is also not connected to a particular year, and the correct full name is “U.S.
Treasury’s CAP”.

Q.2308 When modeling a bank’s revenues, losses, and balance sheet, there are some vital
measures to be taken into account. Which of the following is an important measure to the
modelers?

A. Asset values

B. Accounting and economic profits and losses

C. Cash inflows and cash outflows

D. All of the above

The correct answer is D.

Modeling a bank’s revenues, losses, and balance sheet makes use of asset values for modeling
balance sheets, accounting and economic profits and losses for modeling losses, and cash inflows
and cash outflows for modeling revenues.

Q.2309 What is a Credit Value Adjustment (CVA) in the context of stress testing?

A. A function of the expected default likelihood of the counterparty during normal
operation.

B. A function of the expected default likelihood of the counterparty under a stress
scenario.

C. A function of the expected default likelihood of the counterparty according to
historical data.

D. A function of the expected default likelihood of the counterparty according to other
variables.

The correct answer is B.

A Credit Value Adjustment (CVA) is indeed a function of the expected default likelihood of the

counterparty under a stress scenario. Counterparty credit risk is a significant concern in

derivative transactions. This risk arises when a bank, upon revaluing a derivative to the stress

scenario, finds itself 'in the money' (i.e., it has a derivative receivable). However, the bank cannot

be certain that the counterparty to the transaction will remain solvent to fulfill the payment. As a

result, the value of the derivative is discounted. This discount is a function of the expected

default likelihood of the counterparty under the stress scenario, which is presumably higher than

the current scenario. This adjustment to the value of the derivative is referred to as a Credit

Value Adjustment (CVA). Banks with substantial derivative activities manage CVA as a standard

practice to mitigate counterparty credit risk.

Choice A is incorrect. While the expected default likelihood of the counterparty during normal

operation is a factor in assessing counterparty credit risk, it does not represent an adjustment to

the value of the derivative. The adjustment in question specifically pertains to a stress scenario,

not normal operations.

Choice C is incorrect. The adjustment to the value of a derivative due to counterparty credit

risk is not solely based on historical data. Although historical data can provide insights into past

behavior and trends, it does not necessarily predict future outcomes or account for potential

stress scenarios.

Choice D is incorrect. While other variables may influence the expected default likelihood of a

counterparty, they do not constitute an adjustment to the value of a derivative in terms of

counterparty credit risk. This adjustment specifically relates to potential default under stress

scenarios.


Q.2311 Regulatory and economic capital models are important instruments for measuring the
amount of capital needed. One of the following statements is not true about regulatory and
economic capital models. Which one?
Regulatory and economic capital models:

A. Evolve very slowly.

B. Evolve dynamically and quickly.

C. Have difficulty adapting to financial innovation and rapidly changing macro conditions.

D. Motivate some innovation in modeling due to their “one-size-fits-all” rules.

The correct answer is B.

Both regulatory and economic capital models (and especially the former) evolve very slowly and
thus have difficulty adapting to financial innovation and rapidly changing macro conditions.
Indeed, some of the innovation is motivated by those slowly evolving, one-size-fits-all regulatory
capital rules.

Things to Remember

Regulatory and economic capital models are critical tools in financial risk management. They

help financial institutions determine the amount of capital they need to hold to cover their risks.

Here are some key points to remember about these models:

- They are designed to be robust and stable, and changes are made cautiously to avoid
  unintended consequences.
- Their slow evolution can be a challenge in a rapidly changing financial environment, as
  they may not be able to adapt quickly to new risks and conditions.
- Financial innovation often introduces new types of risks and opportunities, which may
  not be adequately captured by existing models.
- The 'one-size-fits-all' nature of these models can motivate financial institutions to
  develop their own models that are more tailored to their specific needs and conditions.
- These models also need to meet regulatory standards and requirements, which can be
  a challenge.


Reading 120: Risk Capital Attribution and Risk-Adjusted Performance Measurement

Q.2207 A Catalonian bank is looking to expand its business lines. The management decides that
the primary condition for investment will be the highest RAROC (risk-adjusted return on capital).
The possibilities being discussed are:

I. Tarragona Construcciones, with an expected net profit of EUR 3,000,000 per year and
economic capital of EUR 50,000,000; and
II. Valencia Bonos, with an expected net profit of EUR 1,500,000 per year and economic
capital of EUR 22,000,000.

Assuming the cost of equity is 0.062, based on RAROC, the bank would most likely invest in:

A. Tarragona Construcciones

B. Valencia Bonos

C. Both projects

D. None – neither of the two would be economically viable

The correct answer is B.

$$\text{RAROC} = \frac{\text{After-tax expected risk-adjusted net income}}{\text{Economic capital}}$$

| | Expected Profit | Economic capital | Calculation |
|---|---|---|---|
| Tarragona Construcciones | 3,000,000 | 50,000,000 | 3,000,000 / 50,000,000 = 0.06 |
| Valencia Bonos | 1,500,000 | 22,000,000 | 1,500,000 / 22,000,000 = 0.068 |

The RAROC for Valencia Bonos (0.068) is greater than the cost of equity (0.062), thus it is most
likely the next investment opportunity for the bank.


Q.2210 A bank in Vermont is considering investing in one of four regional factories producing
maple syrup. The bank intends to make a decision based on RAROC (risk-adjusted return on
capital). The following information is available:

Factory A: expected revenues of USD 150,000; expected losses of USD 8,000;
economic capital of $1,400,000.
Factory B: expected revenues of USD 175,000; expected losses of USD 15,000;
economic capital of $1,500,000.
Factory C: expected revenues of USD 200,000; expected losses of USD 15,000;
economic capital of $1,800,000.
Factory D: expected revenues of USD 250,000; expected losses of USD 10,000;
economic capital of $2,000,000.

On the basis of the risk-adjusted return on capital for each factory, the bank will most likely pick:

A. Factory A

B. Factory B

C. Factory C

D. Factory D

The correct answer is D.

$$\text{RAROC} = \frac{\text{expected revenues} - \text{costs} - \text{expected losses} - \text{taxes} + \text{return on risk capital} \pm \text{transfers}}{\text{economic capital}}$$

| | Revenues | Expected losses | Economic capital | Calculation |
|---|---|---|---|---|
| Factory A | 150,000 | 8,000 | 1,400,000 | (150,000 − 8,000) / 1,400,000 = 0.10143 |
| Factory B | 175,000 | 15,000 | 1,500,000 | (175,000 − 15,000) / 1,500,000 = 0.10667 |
| Factory C | 200,000 | 15,000 | 1,800,000 | (200,000 − 15,000) / 1,800,000 = 0.10278 |
| Factory D | 250,000 | 10,000 | 2,000,000 | (250,000 − 10,000) / 2,000,000 = 0.12000 |


Q.2211 The difference between risk capital and regulatory capital is that:

A. Regulatory capital only applies to a few closely monitored industries like banking and
insurance.

B. While risk capital depends on an institution’s individual characteristics and investment
choices, regulatory capital is calculated based on industry-wide rules.

C. Aggregate risk capital and regulatory capital may be equal at firm level, but different
at business lines level.

D. All of the above.

The correct answer is D.

Risk capital and regulatory capital are indeed different in several ways. Firstly, regulatory capital

is a concept that is primarily applicable to certain industries where the protection of investors or

depositors is of utmost importance. These industries, such as banking and insurance, are closely

monitored and regulated, and hence, the concept of regulatory capital is more relevant to them.

On the other hand, risk capital is a broader concept that is applicable across all risk-taking

businesses, irrespective of the industry they operate in. Secondly, the calculation of risk capital

and regulatory capital is based on different parameters. Risk capital is determined by the

specific characteristics of a firm and its investment choices. It is a more individualized measure

that takes into account the unique risk profile of a firm. In contrast, regulatory capital is

calculated based on standardized, industry-wide rules. It is a more uniform measure that is

designed to ensure a minimum level of capital adequacy across all firms in a regulated industry.

Lastly, while the aggregate figures for risk capital and regulatory capital may be similar at the

firm level, there can be significant differences at the business line or department level. Some

departments or business lines may be subject to more regulatory measures than others, and

hence, their regulatory capital requirements may be higher. Therefore, all the statements in the

options are correct, making Choice D the correct answer.

Q.2212 Kimberley Excavations, a diamond-mining company from South Africa, has implemented
a RAROC (risk-adjusted return on capital) system for future strategic investments. Kimberley
Excavations owns several diamond mines which have been showing signs of a decrease in yield,
with sharp rises and drops. Management of the mines is deeply dissatisfied with the new system,
complaining that RAROC is lacking fairness in attributing economic capital (EC) to their
businesses – namely that the EC is too high. What is the correct course of action for senior
management in this case?

A. Neglect dissatisfaction in the local management and enforce the RAROC system at all
costs.

B. Display commitment to RAROC, expand in-house communication and education
regarding the system.

C. Disregard RAROC and return to the old, tried and proven risk management system.

D. Allocate resources to each of the businesses for the purpose of stricter employee
monitoring.

The correct answer is B.

The senior management should display commitment to the RAROC system and expand in-house

communication and education regarding the system. This is because RAROC is not just a

common language of risk, but a quantitative technique that can be used to maximize shareholder

value. It can be thought of as an internal capital market where businesses compete with each

other for scarce balance sheet resources. This makes RAROC a useful tool for capital allocation,

both for banks and nonbank corporations. Therefore, instead of disregarding the concerns of the

local management, the senior management should take steps to educate them about the benefits

and workings of the RAROC system. This would help in ensuring a smooth transition to the new

system and in addressing any misconceptions or misunderstandings about it.

Choice A is incorrect. Neglecting the dissatisfaction of local management and enforcing the

RAROC system at all costs may lead to further discontent and resistance, which could negatively

impact the overall operations of the mines. It's important for senior management to address

concerns and provide clarity on any new systems implemented.

Choice C is incorrect. Disregarding RAROC and returning to an old risk management system

may not be beneficial in the long run as it might not adequately account for risk-adjusted returns

on capital. The adoption of RAROC was likely due to its ability to better manage risks associated

with strategic investments, hence reverting back might expose Kimberley Excavations to higher

risks.

Choice D is incorrect. Allocating resources for stricter employee monitoring does not directly

address the issue at hand - dissatisfaction with RAROC's high economic capital attribution.

Instead, it could potentially create a hostile work environment by implying mistrust towards

employees, which can further exacerbate existing issues.

Q.2213 An Indian bank is in the process of calculating its risk capital. The main purpose of risk
capital calculation is:

A. To show the level of expected losses that the bank could absorb.

B. To find differences between regulatory and risk capital.

C. To show the level of unexpected losses the bank could absorb.

D. All of the above.

The correct answer is C.

The primary purpose of calculating risk capital is to demonstrate the level of unexpected losses

that the bank could absorb. Unexpected losses refer to the losses that exceed what is expected

or predicted. These losses are not anticipated and hence, are not included in the regular loss

provisions. The risk capital is essentially a buffer to protect the bank against these unexpected

losses. It is calculated based on a level of confidence that aligns with the requirements of the

bank's various stakeholders. This level of confidence is typically high to ensure that the bank can

withstand significant unexpected losses. Therefore, the risk capital serves as a safety net for the

bank, providing financial stability and resilience in the face of unexpected adverse events.

Choice A is incorrect. The calculation of risk capital does not primarily aim to show the level of

expected losses that a bank could absorb. Expected losses are typically covered by provisions

and reserves, not risk capital.

Choice B is incorrect. While finding differences between regulatory and risk capital can be

part of the overall financial management process, it is not the primary objective of calculating

risk capital. Risk capital is calculated to measure unexpected losses that may occur due to

extreme events.

Choice D is incorrect. As explained above, choices A and B do not accurately represent the

primary objective of calculating risk capital, therefore an option stating all choices are correct

would also be incorrect.

Q.2214 A certain bank is calculating RAROC for some of its business lines. The available data
gives information on: expected revenues, costs, taxes, return on risk capital, transfers, and
economic capital. What type of data is missing?

A. Sharpe ratio

B. Expected losses

C. Net present value

D. VaR (Value-at-risk)

The correct answer is B.

Risk-Adjusted Return on Capital (RAROC) is a risk-based profitability measurement framework

for analysing risk-adjusted financial performance and providing a consistent view of profitability

across businesses. The basic formula for calculating RAROC is:

$$\text{RAROC} = \frac{\text{expected revenues} - \text{costs} - \text{expected losses} - \text{taxes} + \text{return on risk capital} \pm \text{transfers}}{\text{economic capital}}$$

In the given scenario, the bank has information on expected revenues, costs, taxes, return on

risk capital, transfers, and economic capital. However, the data on expected losses is missing.

Expected losses are an integral part of the RAROC calculation as they represent the losses that

the bank expects to incur as a result of its business activities. These losses could be due to credit

risk, market risk, operational risk, or other types of risk that the bank is exposed to. Therefore,

without this data, the bank cannot accurately calculate its RAROC.

Choice A is incorrect. The Sharpe ratio is not required for the calculation of RAROC. The

Sharpe ratio measures the performance of an investment compared to a risk-free asset, after

adjusting for its risk. It does not provide any information about expected losses or gains which

are necessary for calculating RAROC.

Choice C is incorrect. Net present value (NPV) is also not needed in the calculation of RAROC.

NPV is a method used in capital budgeting to analyze the profitability of an investment or

project, but it does not contribute to determining expected losses or gains which are integral

components in calculating RAROC.

Choice D is incorrect. VaR (Value-at-risk) measures the potential loss that could occur in an

investment portfolio over a specific period with a given confidence level, but it's not directly

involved in computing RAROC as it doesn't provide information on expected losses or gains.

Q.2215 A certain bank is in the process of developing a differentiated mortgage product
targeting a market segment that has previously been overlooked because it's in a different
geographical location from where the bank operates. Which method should the bank adopt to
estimate default probabilities with regard to the new business line? The point-in-time approach
or the through-the-cycle approach?

A. Point-in-time approach

B. Through-the-cycle approach

C. Both are equally reasonable

D. Neither of the two

The correct answer is B.

The through-the-cycle (TTC) approach is the most suitable method for estimating default

probabilities for the new business line. This approach, which is commonly used by rating

agencies, is ideal for calculating economic capital, current profitability, and making strategic

decisions regarding products, geographies, and new business ventures. The TTC approach

assesses the borrower's risk based on a worst-case, 'bottom of the cycle' scenario, i.e., its

condition under stress. This is particularly relevant for a new business line, as it is likely to

experience a 'bottom of the cycle' scenario at some point. Therefore, the TTC approach provides

a more comprehensive and realistic assessment of the potential risks associated with the new

business line, making it the most appropriate choice in this context.

Choice A is incorrect. The point-in-time approach is not suitable in this case because it

estimates default probabilities based on current economic conditions and borrower-specific

information. Since the bank has no prior experience with this new market segment, it lacks the

necessary borrower-specific data to accurately estimate default probabilities using this

approach.

Choice C is incorrect. Both approaches are not equally reasonable in this scenario. The

through-the-cycle approach would be more appropriate as it considers long-term average

economic conditions, which would be more relevant for a new business venture in an unfamiliar

geographical area.

Choice D is incorrect. It's not that neither of the two approaches should be used; rather, one of

them (the through-the-cycle approach) should indeed be employed due to its ability to better

accommodate the uncertainties associated with entering a new market segment.

Q.2734 Determine the RAROC using the following information about a loan.

Loan Value: $2 million
Gross Revenue: $250,000
Expected Loss: 300 bps
Interest Expense: $100,000
Operating Costs: $60,000
Return on invested economic capital: $10,000
Economic capital required: $400,000

A. 10.00%

B. 10.50%

C. 11.00%

D. 12.50%

The correct answer is A.

$$\text{RAROC} = \frac{\text{Revenues} - \text{Expected loss} - \text{Expenses} + \text{Return on capital} \pm \text{Transfer price}}{\text{Economic capital}}$$

$$\text{Expected loss} = 0.0300 \times 2{,}000{,}000 = 60{,}000$$

$$\text{RAROC} = \frac{250{,}000 - 60{,}000 - 60{,}000 + 10{,}000 - 100{,}000}{400{,}000} = 10\%$$

Q.2735 Given that the RAROC on a project is 12%, the risk-free rate is 4%, the return on the
market portfolio is 10%, and the firm’s equity beta is 1.25, calculate the adjusted RAROC for the
project and determine whether it should be accepted or rejected.

A. 6.4%; rejected

B. 4.5%; accepted

C. 6.0%; accepted

D. 6.0%; rejected

The correct answer is B.

RAROC is a profitability measure for analyzing risk-adjusted financial performance. For

acceptance, a project must earn a return that's higher than the firm's hurdle rate - a benchmark

rate of return set taking into account the firm's cost of both common and preferred equity.

However, exclusively accepting only the projects whose RAROC > hurdle rate can result in a

portfolio of high-risk projects that could ultimately result in losses and reduce the value of the

firm. What's more, lower-return projects that have a RAROC < hurdle rate (rejected projects) also

come with low risk that could provide steady returns and increase the value of the firm.

For these reasons, we adjust RAROC for systematic risk, giving rise to ARAROC, where:

$$\text{Adjusted RAROC} = \text{RAROC} - \beta_e (R_m - R_f)$$

Where:

$R_m$ = expected return on the market

$R_f$ = risk-free rate

$\beta_e$ = firm's equity beta

$$\text{Adjusted RAROC} = 0.12 - 1.25(0.10 - 0.04) = 0.045$$

The project can be accepted if ARAROC > risk-free rate.

Since 4.5% > 4%, this particular project can be accepted.

Q.2964 Supposing we are given the following information for a loan:

$89.5 million is the expected revenue

$8.89 million is the operating cost

$50.98 million is the tax expense

$10 million is the expected loss

$24.01 million is the return on risk capital

$69.5 million is the economic capital

What is the RAROC for the loan?

A. 0.7867

B. 0.4537

C. 0.6279

D. 0.8794

The correct answer is C.

$$\text{RAROC} = \frac{\text{Revenues} - \text{Expected loss} - \text{Expenses} + \text{Return on capital} \pm \text{Transfer price}}{\text{Economic capital}}$$

Therefore:

$$\text{RAROC} = \frac{89.5 - 8.89 - 50.98 - 10 + 24.01}{69.5} = 0.6279$$

Q.3136 Sigma Inc. has an equity beta of 1.18. In addition, the risk-free rate is 2%, the expected
market return is 7.932% and the RAROC on the proposed project is 10%. If the beta of the
proposed project is the same as that of Sigma Inc, then, in order to increase the shareholders'
wealth, ARAROC should increase by more than?

A. 1.446%

B. 1.592%

C. 0.0000%

D. 2.000%

The correct answer is C.

Shareholders’ wealth increases when ARAROC is greater than the risk-free rate.
ARAROC can be computed using the following formula:

$$\text{ARAROC} = \text{RAROC} - \beta(R_M - r_f) = 10\% - 1.18(7.932\% - 2\%) = 3\%$$

In order for shareholders to increase the value of their wealth, ARAROC should be greater than
the risk-free rate. Clearly, this condition has been met and, therefore, there is no need to increase
it.

Q.3206 Samar Vance is an equity strategist at Jumbo Capital. She has been given the
following information about an investee banking company:

Gross revenue: $12 million

Economic capital: 80 million

Return on invested economic capital: 700,000

Operating costs associated with making the loan: $2.3 million

Expected loss on the loan: 1,600,000

Based on the above information, the RAROC is closest to?

A. 30%.

B. 23%.

C. 12%.

D. 11%.

The correct answer is D.

$$\text{RAROC} = \frac{\text{Expected revenues} - \text{Costs} - \text{Expected losses} - \text{Taxes} + \text{Return on risk capital} \pm \text{Transfers}}{\text{Economic capital}}$$

$$= \frac{12 - 2.3 - 1.6 - 0 + 0.7 \pm 0}{80} = 0.11 \text{ or } 11\%$$

Q.3207 Larry Sing is considering investing in the stock of an oil marketing company named Hudson
Petroleum. If its RAROC is 17%, the company's beta is 1.2, the return on the market is 12%, and
the risk-free rate is 8%, what will be the adjusted RAROC for Hudson?

A. 13.2%.

B. 16%.

C. 12.2%.

D. 5.9%.

The correct answer is C.

$$\text{ARAROC} = \text{RAROC} - \text{Beta}(R_m - R_f) = 17 - 1.2(12 - 8) = 12.2\%$$

Q.3209 Henry Campbell is an equity analyst at Four Brothers Financials. He is currently analyzing a
new project for expanding into new markets. His calculated RAROC is 13%, the risk-free rate is
6%, the market return is 14%, the firm's required return on equity is 12%, and the firm's beta is
1.5. What is the ARAROC and should the project be accepted?

A. 11%; accept.

B. 5.5%; reject.

C. 6.2%; accept.

D. 1.0%; reject.

The correct answer is D.

Adjusted RAROC = RAROC - Beta (Rm - Rf)

Decision rule: Accept (reject) projects whose adjusted RAROC is greater (smaller) than Rf.
Adjusted RAROC = 13% - 1.5(14% - 6%) = 1%
Since 1% < 6%, the project should be rejected.

A note on the formula used

Old mock exams and study material used a slightly different formula, i.e.
ARAROC = (RAROC - Rf) / Beta
In fact, both formulas will lead to the same decision, but there are conditions.

First case: ARAROC = (RAROC - Rf) / Beta => to be compared with Rm - Rf
Accept (reject) projects whose adjusted RAROC is greater (smaller) than (Rm - Rf).

Second case: ARAROC = RAROC - Beta (Rm - Rf) => to be compared with Rf
Accept (reject) projects whose adjusted RAROC is greater (smaller) than Rf.

Applying the second (newer) approach is recommended.

Q.5388 What correct observations could a quantitative model validator make about ABC Bank's
rating migration matrix model, considering that it is based on data from 2009 to 2024, a period
characterized by economic growth and mild recessions in the country where the bank operates,
but the country is anticipated to face a severe recession in 2025, unlike anything seen since the
1990s?

A. The rating migration matrix adopts a point-in-time approach to data management,
leading to an underestimation of the default probabilities for the year 2025.

B. By utilizing the point-in-time approach to data management, the rating migration
matrix will overstate the default probabilities for the year 2025.

C. The utilization of the through-the-cycle methodology in the rating migration matrix
results in an underestimation of the default probabilities for the year 2025.

D. The rating migration matrix, employing the through-the-cycle approach to data
management, will overstate the default probabilities for the year 2025.

The correct answer is C.

Due to the rating migration matrix employing the “through-the-cycle” data approach, the

observed migration during a recession will be more pronounced compared to an average period

of stability. As a result, the default probabilities for the year 2023 will be underestimated.

A is incorrect. The management of data in the rating migration employs a through-the-cycle

approach rather than a point-in-time approach.

B is incorrect. The management of data in the rating migration employs a through-the-cycle

approach rather than a point-in-time approach.

D is incorrect. In a recession, the rating migration matrix will underestimate, rather than

overestimate, the defaults, considering that the observed migration tends to be more severe.

Reading 121: Range of Practices and Issues in Economic Capital Frameworks

Q.2216 The main challenge faced by financial institutions while choosing the risk measure to use
for economic capital purposes is that:

A. There are no generally accepted properties of a good risk measure.

B. Most risk measures are too complex, which means implementation and eventual
communication to stakeholders can be quite difficult.

C. There is a general lack of relevant and reliable data that can be used to assess risks.

D. There is no singularly preferred risk measure for economic capital purposes.

The correct answer is D.

The primary challenge that financial institutions face when selecting a risk measure for

economic capital purposes is that there is no singularly preferred risk measure. While there are

several risk measures available, none of them can be considered as the ideal choice for every

institution. Each risk measure has its own strengths and weaknesses, and the choice of a risk

measure often depends on the specific circumstances and requirements of the institution.

Therefore, it is not possible to single out one risk measure as the preferred choice for all

institutions. This lack of a universally preferred risk measure makes the selection process

challenging for financial institutions.

Choice A is incorrect. There are indeed generally accepted properties of a good risk measure,

such as sub-additivity, monotonicity, and translation invariance. These properties are widely

recognized and used in the field of risk management.

Choice B is incorrect. While it's true that some risk measures can be complex to implement

and communicate to stakeholders, this does not represent the primary challenge faced by

financial institutions when selecting an appropriate risk measure for economic capital purposes.

The complexity of a risk measure does not necessarily make it inappropriate or unsuitable for

use.

Choice C is incorrect. Although there may be challenges associated with obtaining relevant

and reliable data for assessing risks, this issue doesn't primarily hinder the selection of an

appropriate risk measure for economic capital purposes. In fact, most financial institutions have

systems in place to collect and analyze relevant data.

Q.2217 While developing an economic capital framework, it is important to come up with the
aggregate risk facing the institution as a whole. However, aggregate risk can be erroneous and
inaccurate in light of certain circumstances. These include:

A. Presence of too many autonomous business units.

B. Use of different risk assessment models by different business units.

C. Recognition of benefits of diversification across the organization.

D. Failure to recognize correlations between different risks.

The correct answer is D.

The failure to recognize correlations between different risks can lead to a significant

underestimation of the total risk facing an organization. In reality, risks do not exist in isolation

and there are often interactions between different types of risks. For example, there can be a

correlation between market risk and credit risk. If these correlations are not taken into account

during the aggregation of risks, it can result in a gross underestimation of the total risk.

Therefore, recognizing and accounting for these correlations is crucial for accurate risk

aggregation.

Choice A is incorrect. The presence of too many autonomous business units does not

necessarily lead to inaccuracies in the calculation of aggregate risk. While it may make the

process more complex, as long as each unit accurately assesses and reports its risks, the overall

risk can be correctly aggregated.

Choice B is incorrect. The use of different risk assessment models by different business units

can potentially lead to inconsistencies in risk measurement across the organization. However,

this does not inherently result in inaccuracies in calculating aggregate risk if these models are

properly calibrated and validated.

Choice C is incorrect. Recognizing benefits of diversification across an organization actually

improves accuracy in calculating aggregate risk because it takes into account that some risks

may offset each other due to their negative correlation.

Q.2218 Which of the following statements is (are) true?

I. Validation serves to increase confidence among users that modeling assumptions are
consistent with market conditions
II. Validation techniques are equally powerful in sensitivity testing and overall absolute
accuracy
III. Only one validation technique should be applied to a given model; combining techniques
is always counterproductive

A. All of the above

B. I only

C. I and III

D. II only

The correct answer is B.

Validation in financial modeling serves to increase confidence among users by ensuring that the

modeling assumptions are consistent with the prevailing market conditions. This is because

validation techniques are designed to test the model's assumptions against real-world data and

scenarios. If the model's assumptions are found to be consistent with the market conditions, it

increases the confidence of the users in the model's predictions and outcomes. Therefore,

validation plays a crucial role in financial modeling by enhancing the credibility and reliability of

the models.

Choice A is incorrect. Not all the statements are accurate. While Statement I is correct,

Statements II and III are not.

Choice C is incorrect. Although Statement I is correct, Statement III is not accurate because

using multiple validation techniques can be beneficial in providing a more comprehensive

evaluation of a model's performance and validity.

Choice D is incorrect. Statement II incorrectly suggests that validation techniques have equal

power in sensitivity testing and overall absolute accuracy. In reality, the effectiveness of

validation techniques can vary depending on the specific context or application.

Q.2219 When examining a firm’s capital adequacy, it’s always important to establish the
dependency (correlation) between obligors. However, correlation estimates provided by current
models are usually inaccurate and unstable – mainly because of:

A. A lack of well-developed computer algorithms.

B. Scarcity of skilled personnel to do the calculations.

C. Overdependence on model assumptions.

D. The use of irrelevant input data.

The correct answer is C.

Overdependence on model assumptions is the primary reason for the inaccuracy and instability

in correlation estimates provided by current models. Models used to estimate the correlation

between obligors in the context of a firm's capital adequacy are heavily reliant on both explicit

and implicit assumptions. These assumptions may include factors such as the obligors'

creditworthiness, the economic environment, and the firm's financial health. However, these

assumptions may not always hold true in real-world scenarios, leading to inaccurate and

unstable correlation estimates. Furthermore, the overreliance on these assumptions limits the

model's adaptability to changing market conditions and obligor behaviors, further exacerbating

the inaccuracy and instability of the correlation estimates.

Choice A is incorrect. While well-developed computer algorithms are important for accurate

calculations, their absence does not primarily contribute to the instability and inaccuracy of

correlation estimates. The issue lies more with the assumptions made within these models rather

than the computational tools used.

Choice B is incorrect. Although skilled personnel are necessary for accurate calculations, their

scarcity is not the primary reason for inaccurate and unstable correlation estimates. Even with

highly skilled personnel, if a model's assumptions are flawed or overly simplistic, it will produce

inaccurate results.

Choice D is incorrect. The use of irrelevant input data can indeed lead to inaccurate results;

however, this isn't typically the primary cause of instability in correlation estimates. The main

issue often lies in overdependence on model assumptions which may not hold true under all

circumstances.

Q.2220 A bank-wide view of counterparty credit risk for economic capital purposes can be a
challenge mainly because:

A. It involves large-scale gathering of data and transactions monitoring, which can easily
strain human resources.

B. It requires the use of expensive software to track transactions.

C. It relies heavily on independent opinions of credit rating agencies, some of which can
be compromised.

D. It requires cooperation among all business divisions, some of which could be
autonomous.

The correct answer is A.

The process of assessing counterparty credit risk on a bank-wide scale is indeed a complex and

resource-intensive task. It involves the large-scale gathering of data from multiple systems and

the continuous monitoring of numerous risk exposures, which can sometimes number in the

millions. Furthermore, the duration of these transactions can vary greatly, with some concluding

overnight while others may run for several decades. This extensive and continuous monitoring

and data gathering can easily strain human resources, making it a significant challenge for

banks. Therefore, the assertion that a bank-wide view of counterparty credit risk for economic

capital purposes can be a challenge mainly because it involves large-scale gathering of data and

transactions monitoring, which can easily strain human resources, is accurate.

Choice B is incorrect. While the use of software can indeed be a part of the process, it is not

the primary challenge in assessing counterparty credit risk for economic capital. The main

challenge lies in the large-scale gathering of data and monitoring transactions, which can strain

human resources.

Choice C is incorrect. Although credit rating agencies' opinions can play a role in assessing

counterparty credit risk, they are not heavily relied upon for this purpose. The assessment

primarily involves internal processes such as data collection and transaction monitoring.

Choice D is incorrect. Cooperation among business divisions could be beneficial but it's not the

primary challenge when conducting a comprehensive assessment of counterparty credit risk for

economic capital purposes. The main issue arises from the extensive data gathering and

transaction monitoring required.

Q.2221 One of the main challenges in the calculation of economic capital for interest rate risk in
the banking book relates to:

A. The long holding period of balance sheet assets and liabilities.

B. Varying market forces of supply and demand.

C. The unpredictable nature of regulatory action by central banks.

D. The presence of a large bouquet of products, all priced differently.

The correct answer is A.

The long holding period of balance sheet assets and liabilities indeed poses a significant

challenge in the calculation of economic capital for interest rate risk in the banking book. This is

because most assets and liabilities in a bank's balance sheet have long holding periods.

Predicting interest rates over such extended periods (10-20 years or more) is speculative at best.

Therefore, determining the level of economic capital required to mitigate interest rate risk

becomes a complex task. The economic capital serves as a buffer against potential losses that

could arise from adverse movements in interest rates. However, the uncertainty surrounding

long-term interest rate movements makes it difficult to accurately estimate the amount of

economic capital needed. This uncertainty is further compounded by the fact that the value of

assets and liabilities can significantly change over their long holding periods due to various

factors, including changes in market conditions and the bank's own creditworthiness.

Choice B is incorrect. While varying market forces of supply and demand can influence the

interest rates, they do not directly impact the computation of economic capital for managing

interest rate risk in banking. The calculation process primarily depends on the risk profile of

assets and liabilities, not external market forces.

Choice C is incorrect. The unpredictable nature of regulatory action by central banks can

indeed pose a challenge to banks, but it does not directly affect the computation of economic

capital for managing interest rate risk. Regulatory actions are more related to policy changes

which may indirectly influence interest rates but are not a direct factor in calculating economic

capital.

Choice D is incorrect. Although a large bouquet of products priced differently can add

complexity to asset-liability management, it does not present a direct challenge in computing

economic capital for managing interest rate risk. The diversity in product pricing might affect

profitability or liquidity management but doesn't significantly impact the calculation process for

economic capital related to interest rate risk.

Q.2222 In the context of banking, certain financial products can significantly complicate the
process of determining a bank's economic capital. This complexity arises due to the inherent
risks and uncertainties associated with these products. Among the following options, which
financial product is considered to be the most challenging when it comes to calculating a bank's
economic capital?

A. Ordinary stocks

B. Preference shares

C. Bonds with embedded options

D. Fixed-rate interest rate loans

The correct answer is C.

Embedded optionality in banking brings about indeterminate cash flows on both the asset and
liability sides. It’s normally not easy to predict whether or not outstanding options will be
exercised. Such products pose risks that are significantly greater than most measures suggest.


Q.2223 Economic capital is best defined as:

A. The amount of money invested in various risk-taking activities.

B. The amount of reserve cash held by a bank, which is used to absorb losses resulting
from credit risk.

C. Practices that allow institutions to assess risk and attribute capital to the economic
effects of risk-taking activities.

D. Practices that allow institutions to set aside sufficient funds to mitigate risks
emanating from future uncertainties.

The correct answer is C.

Economic capital refers to the amount of capital that an institution needs to hold in order to cover potential losses resulting from various risk-taking activities. This capital is not just the regulatory capital required by authorities but also includes additional funds based on the institution's internal risk assessment. Economic capital helps institutions to understand and manage their exposure to risks effectively. Option C best defines economic capital as it emphasizes the practices of assessing risk and allocating capital accordingly.

A is incorrect. Economic capital is a measure of the institution's capacity to absorb losses, not the actual amount invested in risky ventures.

B is incorrect. While it is true that economic capital involves setting aside funds to absorb losses from risk, it is not limited to losses resulting from credit risk alone.

D is incorrect. Economic capital takes into account both known and potential risks and is not limited to uncertainties in the future.

Q.2965 Fidelity Bank uses models based on the asymptotic single risk factor (ASRF) model for
credit risk. In particular, the model is based on Basel II risk weights. What is the effect on the
capital charge for an exposure based on this ASRF model?

A. The capital charge depends on the composition of the portfolio to which the exposure
is added.

B. The capital charge for an exposure depends on risk characteristics of the exposure
only.

C. The capital charge captures general types of tendencies as opposed to the Gaussian
copula models.

D. All the above answers are correct.

The correct answer is B.

The ASRF model, which is based on Basel II risk weights, is used by Fidelity Bank for credit risk management. The capital charge for an exposure in this model is determined solely by the risk characteristics of the exposure. This is because the ASRF model is derived from 'ordinary' credit portfolio models through the law of large numbers. When a portfolio comprises a large number of relatively small exposures, the idiosyncratic risks associated with individual exposures tend to cancel each other out. As a result, only systematic risks that affect many exposures have a significant impact on portfolio losses. In the ASRF model, all systematic (or system-wide) risks that affect all borrowers to a certain degree, such as industry or regional risks, are modeled with only one (the 'single') systematic risk factor. This modeling approach allows for the use of banks' correlation estimates or multiple systematic risk factors for correlations to be addressed. Therefore, the capital charge for an exposure depends solely on the risk characteristics of the exposure, not on the composition of the portfolio to which the exposure is added.

Choice A is incorrect. The ASRF model, as per Basel II risk weights, does not consider the composition of the portfolio to which the exposure is added. Instead, it focuses on individual risk characteristics of each exposure.

Choice C is incorrect. The capital charge in an ASRF model does not capture general types of tendencies; rather it depends on specific risk characteristics of the exposure. Gaussian copula models are a different type of credit risk models that capture dependencies between different exposures but are not directly related to how capital charges are calculated in an ASRF model.

Choice D is incorrect. As explained above, both choices A and C do not accurately describe how the capital charge for a specific exposure gets influenced in an ASRF model.


Q.2967 Copulas combine the marginal probability distributions into a joint distribution. Which of
the following is an advantage of copulas as a form of risk aggregation methodology?

A. The effect of fixed diversification is sensitive to underlying interactions between the
different components.

B. The method is easy to use as it easily estimates inter-risk correlations and does not
capture nonlinearities.

C. Simulation of common drivers provides for calculating the distribution of outcomes
and economic capital risk measure.

D. Is more flexible than a covariance matrix and allows for nonlinearities and
higher-order dependencies.

The correct answer is D.

Copulas are more flexible than a covariance matrix and allow for nonlinearities and higher-order dependencies. This flexibility is a significant advantage of copulas. Unlike covariance matrices, which only capture linear dependencies, copulas can capture both linear and nonlinear dependencies. This means they can model complex relationships between different risk factors more accurately. Additionally, copulas can capture higher-order dependencies, which are relationships involving more than two variables. This is particularly useful in risk aggregation, where multiple risk factors need to be considered simultaneously. Therefore, the flexibility of copulas in handling nonlinearities and higher-order dependencies makes them a powerful tool in risk aggregation methodology.

Choice A is incorrect. The statement is not accurate as the effect of fixed diversification is not sensitive to underlying interactions between different components when using copulas. In fact, one of the advantages of copulas is that they can capture the dependence structure independently from the marginal distributions.

Choice B is incorrect. This statement contradicts one of the main advantages of using copulas in risk aggregation methodology. While it's true that estimating inter-risk correlations can be challenging, copulas are actually capable of capturing nonlinearities, which makes them more sophisticated and flexible than traditional correlation matrices.

Choice C is incorrect. Although simulation of common drivers does provide for calculating distribution outcomes and economic capital risk measures, this isn't a unique advantage to copulas nor does it accurately represent their primary function in risk aggregation methodology.

Q.2968 Broadways Bank uses the unit of account as a component of risk aggregation
methodology. Which of the following is NOT a characteristic of the unit of risk accounting?

A. Risk metric

B. Confidence level

C. Complex simulation

D. Time horizon

The correct answer is C.

Complex simulation is not a characteristic of the unit of risk accounting. The unit of risk accounting is a component of risk aggregation methodology, which is used to quantify and manage risk. It includes several defining characteristics such as risk metric, confidence level, and time horizon. However, complex simulation is not one of these characteristics. Complex simulations are often used in risk management to model potential outcomes and scenarios, but they are not a defining characteristic of the unit of risk accounting itself. The unit of risk accounting is more about the metrics and parameters used to quantify and aggregate risk, rather than the methods or simulations used to model or predict risk.

Choice A is incorrect. The risk metric is indeed a characteristic of the unit of account in risk aggregation methodology. It refers to the specific measure used to quantify risk, such as Value at Risk (VaR), Expected Shortfall (ES), etc.

Choice B is incorrect. Confidence level is also a defining characteristic of the unit of account in risk aggregation methodology. It represents the statistical confidence with which we can state that losses will not exceed a certain amount.

Choice D is incorrect. Time horizon forms an integral part of the unit of account in risk aggregation methodology as it defines over what period we are assessing our risks.


Q.2969 Which of the following risk measures is the least commonly used measure in the practice
of risk management?

A. Standard deviation

B. Spectral risk measures

C. Value at risk

D. Expected shortfall

The correct answer is B.

Spectral risk measures are a relatively new class of risk measures that allow for different weights to be assigned to the quantiles of a loss distribution, rather than assuming equal weights for all observations, as is the case for Expected shortfall. This flexibility allows for a more nuanced understanding of risk, as it can account for the fact that different losses may have different impacts on an organization's overall risk profile. However, despite their theoretical appeal, spectral risk measures are not widely used in practice. This is largely due to their complexity and the computational challenges associated with their implementation. As a result, they are currently largely of academic interest, with their practical application being relatively limited.

Choice A is incorrect. Standard deviation is a widely used measure in risk management scenarios. It quantifies the amount of variation or dispersion of a set of values, which helps in understanding the volatility and thus, the risk associated with an investment.

Choice C is incorrect. Value at Risk (VaR) is also commonly used in practical risk management scenarios. VaR measures the potential loss that could happen in an investment portfolio over a specific period for a given confidence interval.

Choice D is incorrect. Expected shortfall (ES), also known as Conditional Value at Risk (CVaR), although more conservative than VaR, is still frequently utilized due to its ability to provide information about tail risks and extreme market conditions.


Q.3211 Which of the following categories of BIS recommendations specifically refers to the need
to consider using additional methods, such as stress testing, to help cover all exposures?

A. Risk aggregation.

B. Interest rate risk in the banking book.

C. Netting

D. Counterparty credit risk.

The correct answer is D.

Counterparty credit risk refers to the risk that a counterparty in a financial contract will not live up to their contractual obligations. In the context of the Basel Committee on Banking Supervision (BCBS) recommendations, counterparty credit risk is the category that specifically refers to the need to consider using additional methods, such as stress testing, to help cover all exposures. Stress testing is a risk management technique used to evaluate the potential impact of an adverse event or market condition. It is a powerful tool that allows financial institutions to assess their risk exposure under extreme scenarios. By incorporating stress testing into their risk management practices, banks can ensure that they are adequately prepared for even the most severe economic shocks. This is why the BCBS recommends the use of stress testing as a supplementary method for measuring counterparty credit risk.

Choice A is incorrect. Risk aggregation is a process of consolidating all risks across an organization to get a holistic view. While it's an important part of risk management, it's not a specific category of BCBS recommendations.

Choice B is incorrect. Interest rate risk in the banking book refers to the potential change in net interest income due to changes in interest rates. Although BCBS has guidelines on this, it's not what the question is referring to.

Choice C is incorrect. Netting refers to offsetting positions or obligations by aggregating multiple positions or obligations with the aim of reducing exposures. This concept, while important in risk management and covered under BCBS guidelines, does not match with what was described in the question.


Reading 122: Capital Planning at Large Bank Holding Companies: Supervisory Expectations and Range of Current Practice

Q.2224 Oak Creek Bank, part of a Bank Holding Company (BHC), is preparing for its annual
CCAR (Comprehensive Capital Analysis and Review). After careful consideration, analysts have
identified a wrongly implemented principle of the capital adequacy process in the bank. Which of
the following principles is not part of the CCAR?

A. Effective loss-estimation methodologies

B. Sufficient capital adequacy impact assessment

C. Adequate IT resources

D. Robust internal controls

The correct answer is C.

Adequate IT resources is not a principle of an effective capital adequacy process. The Comprehensive Capital Analysis and Review (CCAR) is a regulatory framework introduced by the Federal Reserve in the United States to supervise, assess, and regulate the capital adequacy processes of large, complex Bank Holding Companies (BHCs). The CCAR aims to ensure that these institutions have robust, forward-looking capital planning processes that account for their unique risks and sufficient capital to continue operations throughout times of economic and financial stress. The seven principles of an effective capital adequacy process under the CCAR are: sound foundational risk management, effective loss-estimation methodologies, solid resource-estimation methodologies, sufficient capital adequacy impact assessment, comprehensive capital policy and capital planning, robust internal controls, and effective governance. While IT resources are crucial for the operational efficiency of a bank, they do not form a principle of the capital adequacy process under the CCAR.

Choice A is incorrect. Effective loss-estimation methodologies are indeed a component of the CCAR. These methodologies help banks to estimate potential losses under various stress scenarios, which is crucial for assessing capital adequacy.

Choice B is incorrect. Sufficient capital adequacy impact assessment is also a part of the CCAR process. This involves evaluating the impact of different stress scenarios on a bank's capital position and ensuring that it maintains adequate capital even in adverse conditions.

Choice D is incorrect. Robust internal controls are an essential part of the CCAR process as well. These controls ensure that all processes related to risk management and capital planning are functioning effectively and accurately, thereby reducing the likelihood of errors or misjudgments in these critical areas.

Q.2225 The Great Falls Bank of Montana, USA, part of a Bank Holding Company (BHC), is
performing an annual CCAR (Comprehensive Capital Analysis and Review). During the process,
it is revealed that one of the existing models has not been appropriately validated nor
independently reviewed. Which principle of effective capital adequacy has been violated?

A. Robust internal controls

B. Sufficient capital adequacy impact assessment

C. Effective loss-estimation methodologies

D. Effective governance

The correct answer is A.

The principle of robust internal controls is a key component of an effective capital adequacy process. This principle emphasizes the importance of having strong internal controls in place to ensure the accuracy and reliability of the bank's operations and financial reporting. In the context of the Comprehensive Capital Analysis and Review (CCAR), robust internal controls would include procedures for model validation and independent review. In the given scenario, the Great Falls Bank of Montana has violated this principle by failing to appropriately validate one of its existing models and not having it independently reviewed. This lack of robust internal controls could potentially lead to inaccurate risk assessments and financial reporting, which could in turn impact the bank's capital adequacy.

Choice B is incorrect. Sufficient capital adequacy impact assessment refers to the process of evaluating the potential effects of a business decision on a firm's ability to meet its capital requirements. In this scenario, there is no mention of any business decision that could potentially affect the bank's capital adequacy.

Choice C is incorrect. Effective loss-estimation methodologies refer to the techniques used by financial institutions to estimate potential losses from various risks. The scenario does not provide information about any issues with the bank's loss-estimation methodologies.

Choice D is incorrect. While effective governance includes oversight and validation of models, it also encompasses broader aspects such as setting risk appetite, formulating strategy, and ensuring accountability at all levels in an organization. The issue described in this scenario specifically pertains to internal controls related to model validation and independent review, which makes option A more appropriate than option D.

Q.2226 Minnetonka Bank, part of a Bank Holding Company (BHC), is involved in comprehensive
capital analysis and review. During the process, it is confirmed that one of their processes for
translating risk measures into estimates of potential losses does not encompass a satisfactory
range of stressful scenarios and environments. Which principle of an effective capital adequacy
process has been violated?

A. Sound foundational risk management

B. Sufficient capital adequacy impact assessment

C. Effective governance

D. Effective loss-estimation methodologies

The correct answer is D.

The principle of effective loss-estimation methodologies is a crucial component of an effective capital adequacy process. This principle emphasizes that a Bank Holding Company (BHC) should have robust processes in place for converting risk measures into estimates of potential losses. These estimates should cover a wide range of stressful scenarios and environments. Furthermore, the BHC should be capable of aggregating these estimated losses across the entire organization. In the case of Minnetonka Bank, their failure to encompass a satisfactory range of stressful scenarios and environments in their loss-estimation methodology indicates a violation of this principle. Therefore, choice D is the correct answer.

Choice A is incorrect. Sound foundational risk management refers to the basic principles and practices that a bank should follow to manage its risks effectively. It includes identifying, measuring, monitoring, and controlling risk. In this case, the bank has not failed in its foundational risk management but rather in its loss-estimation methodologies.

Choice B is incorrect. Sufficient capital adequacy impact assessment refers to the process of evaluating how different scenarios might affect a bank's capital adequacy ratio (CAR). While it's true that an inadequate loss-estimation methodology could potentially impact this assessment, the question specifically points out a failure in converting risk measures into potential loss estimates which falls under effective loss-estimation methodologies.

Choice C is incorrect. Effective governance refers to the systems and processes used by a bank to make decisions and oversee its operations. This includes setting strategy, managing risks, ensuring compliance with laws and regulations, etc. The problem identified here does not relate directly to governance but rather to specific technical aspects of their capital analysis process, i.e., their loss-estimation methodology.

Q.2227 A certain bank based in New York is assessing risks as part of its preparation for the
annual CCAR (Comprehensive Capital Analysis and Review). During the process of stress-testing,
several risk categories are defined, particularly those that are difficult to quantify or not directly
attributable to any of the specific integrated firm-wide risk categories. Which of the following
risks would not fall under such a category?

A. Compliance risk

B. Credit risk

C. Reputational risk

D. Strategic risk

The correct answer is B.

Credit risk does not fall under the category of risks that are difficult to quantify or not directly attributable to any specific integrated firm-wide risk categories. Credit risk is a well-defined and quantifiable risk that arises from the potential that a borrower or counterparty will fail to meet its obligations in accordance with agreed terms. It is a fundamental risk category that banks face and is directly attributable to their lending and investment activities. Banks have well-established methodologies for quantifying credit risk, including credit scoring systems, credit risk models, and provisions for loan losses. Therefore, credit risk does not fall into the category of 'other risks' that are difficult to quantify or not directly attributable to specific firm-wide risk categories.

Choice A is incorrect. Compliance risk refers to the potential for financial loss, legal penalties, or regulatory sanctions due to non-compliance with laws or regulations. It is a type of risk that is challenging to quantify as it depends on various factors such as changes in regulatory environment, effectiveness of internal controls and so on.

Choice C is incorrect. Reputational risk refers to the potential for negative publicity, public perception, or uncontrollable events that could damage a company's reputation and affect its revenue. This type of risk is also difficult to quantify because it relies heavily on subjective factors like public opinion and media coverage.

Choice D is incorrect. Strategic risk arises from poor business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. This kind of risk can be hard to quantify as it involves assessing the impact of indirect factors such as market competition and strategic positioning which are not directly attributable to any specific integrated firm-wide risk categories.

Q.2228 Cloverdale Bank in Idaho, USA, forms part of a Bank Holding Company (BHC). It has just
ventured into a new business line that requires the proper estimation of losses, revenues and
expenses as part of scenario analysis. Bearing this in mind, what would be the most appropriate
data for modeling purposes?

A. Internal data

B. External data

C. Both internal and external data

D. None - the new models should take into account only future data generated by the
business line

The correct answer is B.

Bank Holding Companies (BHCs) typically rely on internal data to estimate losses, revenues, and expenses as part of an enterprise-wide scenario analysis. Internal data is data that is generated within the organization and includes financial statements, sales reports, customer data, and other operational data. This data is often used because it is specific to the organization and can provide a more accurate estimate of potential losses, revenues, and expenses. However, in certain situations, it may be more appropriate for BHCs to use external data. External data is data that is generated outside the organization and includes market data, industry reports, economic indicators, and other relevant data. In the case of Cloverdale Bank, the new business line is a recent venture, and therefore, the bank lacks sufficient, relevant historical data. As such, it would be more appropriate to use external data to make their models more robust. External data can provide a broader perspective and can help the bank understand the market conditions, industry trends, and economic factors that could impact their new business line. Therefore, external data would be the most appropriate data for modeling purposes in this case.

Choice A is incorrect. While internal data can provide valuable insights into the bank's historical performance, it may not be sufficient for predicting future outcomes in a new line of business. The bank's past experiences may not accurately reflect the potential risks and rewards associated with this new venture.

Choice C is incorrect. Although combining internal and external data could potentially provide a more comprehensive view, it might also introduce unnecessary complexity into the model. Moreover, external data alone would be more suitable in this case as it provides broader industry perspective which is crucial for a new line of business.

Choice D is incorrect. Relying solely on future data generated by the business line would mean ignoring valuable information that could be gleaned from existing external sources. This approach might lead to inaccurate predictions due to lack of historical context and industry benchmarking.

Q.2229 Fairgrounds Bank forms part of a Bank Holding Company (BHC). The bank has been very
successful in a business line that was established about 6 months ago. The bank intends to stress
test models for the business line for a longer period. As part of best practice during stress
testing, the bank should:


A. Ensure minimal variation from established internal data patterns.

B. Test a wide range of adverse effects reaching outside the established data patterns.

C. Only use the data which reflects the most positive outcomes.

D. Only use the data which reflects the most negative outcomes.

The correct answer is B.

The bank should test a wide range of adverse effects reaching outside the established data patterns. Stress testing is a simulation technique used in banking to determine the ability of a financial institution to deal with an economic crisis. Instead of looking at the past performance and expecting the same pattern to continue, the bank should consider a wide range of possible outcomes, including those that are outside of the established data patterns. This is because the future is uncertain and the past performance of the bank may not necessarily indicate its future performance, especially in the event of a crisis. Therefore, it is important for the bank to test a wide range of adverse effects to ensure its resilience to stressful conditions. This approach is in line with the Federal Reserve's expectation for BHCs to apply generally conservative assumptions throughout the stress testing process.

Choice A is incorrect. While it's important to consider established internal data patterns, stress testing should not be limited to these. Stress tests are designed to evaluate the bank's resilience under extreme conditions, which often means going beyond established patterns and considering a wide range of adverse effects.

Choice C is incorrect. Using only the data which reflects the most positive outcomes would not provide a comprehensive view of potential risks and vulnerabilities. Stress testing should include scenarios that reflect a variety of outcomes, including adverse ones.

Choice D is incorrect. Similarly, using only the data which reflects the most negative outcomes could lead to an overly pessimistic view and may not accurately represent all possible scenarios. A balanced approach that includes both positive and negative outcomes would be more appropriate for stress testing.


Q.2230 Clayton Bank forms part of a Bank Holding Company (BHC) and has been requested, by
the Federal Reserve, to compile documentation regarding its estimation practices. What are the
main guidelines that should be followed by the bank while documenting its estimates?

A. Extremely detailed explanations of key methodologies with every bit of data available
being presented.

B. Limited documentation emphasizing the importance of management’s judgments in
estimates.

C. Limited documentation encompassing theoretical assumptions and quantitative
estimates.

D. Concisely explained key methodologies and assumptions presented in a well-organized
manner.

The correct answer is D.

The Federal Reserve expects BHCs to clearly document their key methodologies and
assumptions used to estimate losses, revenues, and expenses. BHCs with stronger practices
provided documentation that concisely explained methodologies, with relevant macroeconomic
or other risk drivers, and demonstrated relationships between these drivers and estimates.
Documentation should clearly delineate among model outputs, qualitative overlays to model
outputs, and purely qualitative estimates. BHCs with weaker practices often had limited
documentation that was poorly organized and that relied heavily on subjective management
judgment for key model inputs with limited empirical support for and documentation of these
adjustments.

Q.2231 Highlands Bank forms part of a Bank Holding Company (BHC). The bank is computing
loss estimates on a number of its business lines. What are the components that the bank should
take into account when estimating losses?

A. Probability of default (PD), time value of money (TM), and loss given default (LGD).

B. Probability of default (PD), loss given default (LGD), and exposure at default (EAD).

C. Probability of default (PD), time value of money (TM), and exposure at default (EAD).

D. Loss given default (LGD), exposure at default (EAD), and credit rating (CR).

The correct answer is B.

The expected loss approach, which is the most appropriate method for estimating losses in the banking sector, involves three key components: Probability of Default (PD), Loss Given Default (LGD), and Exposure at Default (EAD). PD refers to the likelihood that a borrower will default on their loan obligations. LGD is the amount that a bank stands to lose if a default occurs, taking into account any potential recoveries from the sale of collateral or other recovery processes. EAD, on the other hand, is the total value that a bank is exposed to at the time of a default. These three components can be estimated at either a segment level or an individual loan level, using various models or assumptions. Therefore, when Highlands Bank is estimating losses on its business lines, it should take into account PD, LGD, and EAD.

Choice A is incorrect. While Probability of Default (PD) and Loss Given Default (LGD) are key components in loss estimation, Time Value of Money (TM) is not typically used in this context. The time value of money refers to the concept that money available today is worth more than the same amount in the future due to its potential earning capacity. This principle suggests that the value of a unit of currency will decrease over time because it could have earned interest or investment income if it was invested.

Choice C is incorrect. Similar to Choice A, while Probability of Default (PD) and Exposure at Default (EAD) are important factors for loss estimation, Time Value of Money (TM) does not play a direct role in estimating potential losses for a bank's business lines.

Choice D is incorrect. Although Loss Given Default (LGD) and Exposure at Default (EAD) are crucial components for calculating potential losses, Credit Rating (CR), though important for assessing credit risk, does not directly factor into the calculation process for estimating losses.

254
© 2014-2024 AnalystPrep.
We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

Q.2232 Fetterman Bank is currently engaged in the task of projecting its revenue and expenses
for a future period. According to the regulations set forth by the Federal Reserve's Capital Plan
Rule, what is the specified duration for which these financial estimates should be made?

A. Nine quarters

B. Eight quarters

C. Twelve quarters

D. There is no explicit length of time defined by the Federal Reserve

The correct answer is A.

The Capital Plan Rule requires BHCs to estimate revenue and expenses over the nine-quarter
planning horizon.

Q.2233 What are the internal control methods included in an internal capital planning process?

A. Robust and independent model review and validation.

B. Comprehensive documentation, including policies and procedures.

C. Regular and comprehensive review by internal audit.

D. All of the mentioned above, as well as change controls.

The correct answer is D.

The internal control framework of a Bank Holding Company (BHC) should include all the
methods mentioned in the options. This includes a regular and comprehensive review by internal
audit, robust and independent model review and validation practices, comprehensive
documentation, including policies and procedures, and change controls. These controls are
essential for governing the internal capital planning processes of a BHC. They help in managing
key risk-management and finance area functions effectively. Therefore, all the mentioned
methods are included in an internal capital planning process.

Choice A is incorrect. While a robust and independent model review and validation is an
important part of the internal control framework, it alone does not fully encompass all the
necessary methods that should be included in this process. Other elements such as
comprehensive documentation, regular reviews by internal audit, and change controls are also
crucial.

Choice B is incorrect. Comprehensive documentation, including policies and procedures, is
indeed a vital component of the internal control framework. However, it does not cover all
aspects of the process. The inclusion of other methods like robust model review/validation,
regular audits by internal teams, and change controls is equally important.

Choice C is incorrect. Regular and comprehensive review by internal audit forms a key part of
the control framework but it's not sufficient on its own to ensure effective risk management
within a Bank Holding Company (BHC). Other components such as independent model
review/validation, comprehensive documentation (including policies/procedures), along with
change controls need to be incorporated into this process.

Q.2234 Bank of Elmwood, part of a Bank Holding Company (BHC), is preparing for independent
model review and validation. What’s included in such a process?

A. An evaluation of conceptual soundness

B. Ongoing monitoring that includes verification of processes and benchmarking

C. An “outcome analysis”

D. All of the above

The correct answer is D.

The model review and validation process should include:

an evaluation of conceptual soundness;
ongoing monitoring that includes verification of processes and benchmarking; and
an "outcomes analysis".

Things to Remember

Model review and validation is a critical process in financial institutions, particularly for Bank
Holding Companies (BHCs). It is a regulatory requirement and a best practice to ensure that the
models used for decision-making are reliable, accurate, and robust. The process includes several
key components:

Evaluation of Conceptual Soundness: This involves a thorough review of the
model's design and underlying mathematics to ensure that they are theoretically sound
and appropriate for the intended use.

Ongoing Monitoring: This includes verification of processes and benchmarking to
ensure that the model continues to perform as expected and that any changes or
updates to the model are properly implemented and tested.

Outcome Analysis: This is a comparison of the model's predictions with actual
outcomes to assess the model's performance.

Each of these components is crucial for ensuring that the model is reliable and effective.
Neglecting any one of these components could lead to inaccurate predictions and poor
decision-making.

Q.2235 A BHC is having a supervisory review performed on its modeling practices for capital
planning. Following the review, the company receives very positive feedback regarding its model
documentation as part of risk management. What could be the reason for the positive feedback?

A. Large-scale collection of relevant historical data for use as input data.

B. Presence of an updated inventory of all models used in the process.

C. Presence of qualified modeling staff.

D. Adoption of large-scale sensitivity testing and stress testing.

The correct answer is B.

The presence of an updated inventory of all models used in the process is a key factor in the
positive feedback received by the BHC. This is because maintaining an updated inventory of all
models used in the modeling process is a best practice in risk management. It ensures that all
models are accounted for and can be easily accessed when needed. This practice also helps in
tracking the performance of each model and identifying any issues that may arise. Furthermore,
it aids in the decision-making process as it provides a comprehensive overview of all the models
in use. Therefore, the presence of an updated inventory of all models used in the process is a
critical component of effective model documentation and risk management.

Choice A is incorrect. While the collection of relevant historical data is important for model
development and validation, it does not directly relate to model documentation. Model
documentation involves detailing the development process, assumptions, limitations, and
performance of a model which is independent of the volume of data collected.

Choice C is incorrect. Having qualified modeling staff is crucial for developing and maintaining
robust models but it doesn't necessarily mean that their model documentation would be
commendable. The quality of model documentation depends on how well the modeling process,
assumptions, limitations and performance are recorded and communicated rather than just
having qualified staff.

Choice D is incorrect. Large-scale sensitivity testing and stress testing are part of risk
management strategy but they do not directly contribute to the quality of model documentation.
These tests help in understanding how a financial system or a specific portfolio might behave
under different scenarios but do not necessarily improve the clarity or comprehensiveness of
model documentation.

Q.2236 Campbell Bank, part of a Bank Holding Company (BHC), has not had its risk
infrastructure or its loss-estimation methodologies reviewed for more than a year. Which
principle of an effective capital adequacy process does this violate?

A. Robust internal controls

B. Sound foundational risk management

C. Effective governance

D. Sufficient capital adequacy impact assessment

The correct answer is C.

Effective governance is a crucial principle of an effective capital adequacy process. It
necessitates the board and senior management's effective oversight of the capital adequacy
process. This includes periodic reviews of the BHC's risk infrastructure and loss- and
resource-estimation methodologies. It also involves the evaluation of capital goals, the
assessment of the appropriateness of stressful scenarios considered, regular reviews of any
limitations and uncertainties in all aspects of the Capital Adequacy Process (CAP), and the
approval of capital decisions. In the case of Campbell Bank, the lack of review of its risk
infrastructure and loss-estimation methodologies for over a year indicates a violation of the
principle of effective governance.

Choice A is incorrect. Robust internal controls refer to the systems and procedures put in
place to ensure the integrity of financial and accounting information, meet operational and
profitability targets, and achieve compliance with laws, regulations, and policies. While regular
reviews of risk infrastructure could be part of a robust internal control system, it is not directly
related to the scenario described.

Choice B is incorrect. Sound foundational risk management refers to having a solid base for
identifying, assessing, managing, monitoring and reporting risks. Although reviewing risk
infrastructure can be part of this process, it does not necessarily mean that if Campbell Bank has
not undergone a review for over a year its foundational risk management is unsound.

Choice D is incorrect. Sufficient capital adequacy impact assessment refers to evaluating how
different scenarios or decisions will affect an institution's capital adequacy ratios. The scenario
provided does not provide enough information about Campbell Bank's capital adequacy impact
assessments.

Q.2237 What do you understand by “feeder models” as used in modeling by BHCs?

A. Models outsourced from external sources for the purpose of performance comparison
with internal models.

B. Models used to produce projections or estimates that can then be used in another
model to generate final figures for expected losses, expenses and revenue.

C. Models whose outcome has been disputed by experts and analysts at firm level.

D. Models used to generate the final projected figures for losses, expenses, and revenues.

The correct answer is B.

BHCs should maintain an inventory of all models used in the capital planning process, including
all input or “feeder” models that produce projections or estimates used by the models that
generate the final loss, revenue or expense projections.

Things to Remember

1. Feeder models are a crucial part of the capital planning process in Bank Holding Companies
(BHCs). They are used to generate projections or estimates that are then used in another model
to generate the final figures for expected losses, expenses, and revenue.

2. The use of feeder models allows for a more detailed and comprehensive analysis as it breaks
down the overall modeling process into smaller, more manageable parts. This increases the
accuracy and reliability of the overall projections.

3. Feeder models are not used for performance comparison with external models, nor are they
defined by the level of agreement or disagreement regarding their outcomes. They are also not
used to generate the final projected figures for losses, expenses, and revenues directly.

Q.2238 A BHC in Mississippi, USA, was recently subjected to a supervisory review of its model
risk management. Following the exercise, the company received negative feedback. Which of the
following could have led to such an outcome?

A. Using models without validation or models that had identified weaknesses.

B. Using benchmark or challenger models to help assess the reasonableness of the
primary model output.

C. Employing independent validation staff to critically evaluate the models.

D. Being too transparent about the validation status of all models used for capital
planning.

The correct answer is A.

The use of models without validation or models that have identified weaknesses could have led to
the negative feedback received by the BHC. In the context of model risk management, validation
is a critical process that ensures the accuracy and reliability of a model's output. It involves a
thorough examination of the model's conceptual soundness, ongoing monitoring, and outcome
analysis. If a model is used without undergoing this rigorous process, it may produce inaccurate
or misleading results, leading to poor decision-making and potential financial losses.
Furthermore, if a model has identified weaknesses, it indicates that there are known issues that
could affect the model's performance and reliability. Using such a model without addressing
these weaknesses could lead to similar adverse outcomes. Therefore, the use of unvalidated
models or models with known weaknesses is a significant lapse in model risk management,
which could have resulted in the negative feedback received by the BHC.

Choice B is incorrect. Using benchmark or challenger models to assess the reasonableness of
the primary model output is actually a good practice in model risk management. It helps in
identifying any potential errors or biases in the primary model, thereby enhancing its reliability
and accuracy.

Choice C is incorrect. Employing independent validation staff to critically evaluate the models
is also a recommended practice for managing model risk. Independent validation ensures that
there are no conflicts of interest and that the evaluation of the models is unbiased and objective.

Choice D is incorrect. Being transparent about the validation status of all models used for
capital planning cannot be a reason for negative feedback from a supervisory review.
Transparency in this context would mean that all stakeholders are aware of whether each model
has been validated, which can help prevent misuse or over-reliance on unvalidated models.

Q.2970 The Bank Holding Company (BHC) model review and validation process should include all
of the following, EXCEPT:

A. An evaluation of the conceptual soundness

B. Ongoing monitoring that includes verification processes and benchmarking

C. Policies and procedures

D. An outcomes analysis

The correct answer is C.

Policies and procedures are not typically included in the review and validation process of Bank
Holding Company (BHC) models. While policies and procedures are crucial for the overall
governance and operation of a BHC, they do not form part of the technical review and validation
process of the models used by the BHC. The review and validation process is more focused on
the technical and mathematical aspects of the models, such as their conceptual soundness, the
ongoing monitoring of their performance, and an analysis of their outcomes. Therefore, while
policies and procedures play a significant role in the broader context of a BHC's operations, they
are not a component of the model review and validation process.

Choice A is incorrect. An evaluation of the conceptual soundness is indeed a part of the BHC
model review and validation process. This involves assessing the theoretical foundations and
design of the model to ensure it is logically sound and appropriate for its intended use.

Choice B is incorrect. Ongoing monitoring that includes verification processes and
benchmarking is also an integral part of this process. Verification ensures that the model has
been implemented correctly, while benchmarking compares its performance with other similar
models or industry standards.

Choice D is incorrect. An outcomes analysis, which involves comparing model predictions with
actual results to assess performance, is another key component of the BHC model review and
validation process.

Q.2971 Internal controls in bank holding companies (BHCs) should ensure the integrity
of reported results and the documentation, review, and approval of all material changes to the
capital planning process and its components. BHCs should ensure that such controls exist at
all levels of the capital planning process, with specific control measures performing all of the
following roles except:

A. Ensure that MIS is sufficiently robust to support capital analysis and decision
making, with sufficient flexibility to run ad hoc analysis whenever necessary.

B. Provide for reconciliation and data integrity processes for all key reports.

C. Address the presentation of aggregate, enterprise-wide capital planning results,
describing any manual adjustments made in the aggregation process and how those
adjustments compensate for identified weaknesses.

D. Ensure that the documentation provides evidence that results and recommendations
can be challenged by the Board.

The correct answer is D.

The role of ensuring that the documentation provides evidence that results and
recommendations can be challenged by the Board is not typically a function of the specific
control measures in place at Bank Holding Companies (BHCs). While it is important for the
Board to have the ability to challenge results and recommendations, this is not usually achieved
through the specific control measures associated with the capital planning process. Instead, this
is more likely to be a function of the broader governance and oversight mechanisms in place at
the BHC. These might include, for example, the establishment of a robust internal audit function,
the implementation of a strong risk management framework, and the cultivation of a culture of
transparency and accountability.

Choice A is incorrect. The control measures in BHCs are indeed designed to ensure robustness
in the Management Information System (MIS) for capital analysis and decision making. This
includes the ability to run ad hoc analysis whenever necessary, which is crucial for effective
capital planning.

Choice B is incorrect. Reconciliation and data integrity processes for all key reports are also a
part of the control measures implemented by BHCs. These processes ensure that all data used in
capital planning is accurate and reliable, thereby enhancing the credibility of the results.

Choice C is incorrect. The control measures also address the presentation of aggregate,
enterprise-wide capital planning results, including a description of manual adjustments made in
the aggregation process and the identified weaknesses those adjustments compensate for. This
ensures transparency and accountability in the capital planning process.

The role of internal controls at a Bank Holding Company (BHC) does not typically include
ensuring that documentation provides evidence that results and recommendations can be
challenged by the Board. While it's important for a board to have oversight over an
organization's operations, this does not typically fall under internal controls' responsibilities
within a BHC's capital planning process.

Reading 123: Capital Regulation Before the Global Financial Crisis

Q.2334 In 1992, Germany was under Basel I regulations. Eintracht Bank from Frankfurt had
the following portfolio structure (in USD):

Loans to corporations – $1 billion ($600 million in uninsured residential real estate)
Exposures to OECD governments – $500 million
Cash, balance with a central bank – $200 million

Risk weights were as follows:

| Risk Weight (%) | Asset category |
|---|---|
| 0 | Cash, gold bullion, claims on OECD governments such as Treasury bonds or insured residential mortgages |
| 20 | Claims on OECD banks and OECD public sector entities such as securities issued by U.S. government agencies or claims on municipalities |
| 50 | Uninsured residential mortgage loans |
| 100 | All other claims such as corporate bonds and less-developed country debt, claims on non-OECD banks |

The risk-weighted assets of Eintracht Bank were closest to which of the following?

A. $700 million

B. $1 billion

C. $500 million

D. $1.2 billion

The correct answer is A.

Risk-weighted assets should be calculated as follows:

Loans to corporations with uninsured residential real estate as collateral = 600m * 50% = 300m
Loans to corporations without collateral = 400m * 100% = 400m
Exposures to OECD governments = 500m * 0% = 0
Cash, balance with a central bank = 200m * 0% = 0
Total risk-weighted assets = 700m

Q.2335 In 1992, Italy was under Basel I regulations. Scala Bank from Milan had the following
portfolio structure (in USD):

Loans to corporations: $1.5 billion ($600 million in commercial real estate)
Exposures to OECD governments: $300 million
Cash, balance with a central bank: $500 million

Risk weights were as follows:

| Risk Weight (%) | Asset category |
|---|---|
| 0 | Cash, gold bullion, claims on OECD governments such as Treasury bonds or insured residential mortgages |
| 20 | Claims on OECD banks and OECD public sector entities such as securities issued by U.S. government agencies or claims on municipalities |
| 50 | Uninsured residential mortgage loans |
| 100 | All other claims such as corporate bonds and less-developed country debt, claims on non-OECD banks |

The risk-weighted assets of Scala Bank were closest to which of the following?

A. $1.2 billion

B. $1.5 billion

C. $2.3 billion

D. $1.65 billion

The correct answer is B.

Risk-weighted assets should be calculated as follows:

Loans to corporations = 1.5b * 100% = 1.5b
Exposures to OECD governments = 300m * 0% = 0
Cash, balance with a central bank = 500m * 0% = 0
Total risk-weighted assets = 1.5b

Q.2336 Arrenberg bank from Rotterdam, Netherlands, has to calculate its RWA under Basel I for
its exposure in an over-the-counter FX swap agreement. The data on the swap exposure is as
follows:
Add-on factor – 1%
Notional amount – EUR 500 million
Current value – EUR 1 million
Risk-weighted factor for counterparty – 100%

The RWA is equal to:

A. EUR 501 million

B. EUR 6 million

C. EUR 5.01 million

D. EUR 1 million

The correct answer is B.

The RWA should be calculated as follows:

RWA = (notional amount × add-on factor + current value) × risk-weighted factor
= (500m × 1% + 1m) × 100% = EUR 6 million

Q.2337 Calc Bank from Frankfurt, Germany, had to calculate its risk-weighted assets (RWA)
under Basel I for its exposure in an over-the-counter interest rate swap agreement. The data on
the swap exposure is as follows:
Add-on factor: 1.5%
Notional amount: EUR 1 billion
Current value: EUR -2 million
Risk-weighted factor for counterparty: 100%

The RWA is equal to:

A. EUR 13 million

B. EUR 0

C. EUR 15 million

D. EUR 1 billion

The correct answer is C.

RWA should be calculated as follows:

RWA = (notional amount × add-on factor + max(current value, 0)) × risk-weighted factor
= (1b × 1.5% + 0) × 100% = EUR 15 million

Q.2338 Kediray Bank from Izmir, Turkey is calculating its regulatory capital under Basel I
regulations. It has the following capital instruments: equity, noncumulative perpetual preferred
stocks, and subordinated debt with a maturity of over 5 years. What is the structure of its
regulatory capital?

A. Tier 1 capital includes equity, noncumulative perpetual preferred stocks, and
subordinated debt.

B. Tier 1 capital includes equity, and Tier 2 capital includes noncumulative perpetual
preferred stocks and subordinated debt.

C. Tier 1 capital includes equity, and Tier 2 includes noncumulative perpetual preferred
stocks; subordinated debt is not included in regulatory capital.

D. Tier 1 capital includes equity, noncumulative perpetual preferred stocks, and Tier 2
includes subordinated debt.

The correct answer is D.

Under Basel I regulations, the regulatory capital of a bank is divided into two tiers: Tier 1 and
Tier 2. Tier 1 capital, also known as core capital, includes the most liquid forms of capital and is
a key indicator of a bank's financial strength from a regulator's point of view. It primarily
consists of equity and noncumulative perpetual preferred stocks. Equity represents the value of
an ownership interest in the bank, while noncumulative perpetual preferred stocks are a type of
preferred stock where the issuer has the right to withhold dividend payments. When dividends
are withheld, they are not accumulated for future payment. These forms of capital are
considered high-quality because they are readily available to cover losses. On the other hand,
Tier 2 capital, also known as supplementary capital, includes less liquid forms of capital like
subordinated debt with a maturity of over 5 years. Subordinated debt refers to loans or
securities that rank below other loans or securities with regard to claims on assets or earnings.
In the event of a liquidation, subordinated debt is only repaid after other debts have been paid.
Therefore, in the context of Kediray Bank, its equity and noncumulative perpetual preferred
stocks constitute its Tier 1 capital, while its subordinated debt forms part of its Tier 2 capital.

Choice A is incorrect. According to Basel I regulations, subordinated debt with a maturity
period exceeding 5 years is not included in Tier 1 capital but rather in Tier 2 capital. Therefore,
it's incorrect to state that Tier 1 capital includes equity, noncumulative perpetual preferred
stocks, and subordinated debt.

Choice B is incorrect. This choice incorrectly categorizes noncumulative perpetual preferred
stocks as part of Tier 2 capital. Under Basel I regulations, noncumulative perpetual preferred
stocks are considered part of Tier 1 capital along with equity.

Choice C is incorrect. While this choice correctly identifies that equity forms part of the bank's
Tier 1 regulatory capital and that subordinated debt does not form part of the regulatory capital
under Basel I regulations, it incorrectly states that noncumulative perpetual preferred stocks are
included in Tier 2 instead of being a component of the bank's Tier 1 regulatory capital.

Q.2339 Banat Bank from Timisoara, Romania, is calculating its regulatory capital under Basel I
regulations. It has the following structure of capital instruments (in EUR):

Equity: 150m
Subordinated debt (over 5 years maturity): 50m
Cumulative preferred stocks: 20m

What is the structure of its Tier 1 and Tier 2 capital?

A. Tier 1: 170m; Tier 2: 50m

B. Tier 1: 150m, Tier 2: 70m

C. Tier 1: 150m, Tier 2: 20m

D. Tier 1: 170m

The correct answer is B.

The capital has two components:

1. Tier 1: This consists of items such as equity and noncumulative perpetual preferred
stock. (Goodwill is subtracted from equity.)
2. Tier 2: This is sometimes referred to as Supplementary Capital. It includes instruments
such as cumulative perpetual preferred stock, certain types of 99-year debenture issues,
and subordinated debt (i.e. debt subordinated to depositors) with an original life of more
than five years.

In this example, Tier 1 = Equity (150m); and Tier 2 = Subordinated debt (50m) + Cumulative
preferred stocks (20m) = 70m

Q.2340 Osijek Commercial Bank from Croatia has to calculate its Tier 1 and Tier 2 capital under
Basel I regulations. It has the following capital structure (in EUR):

Equity: 50m
Subordinated debt (over 5 years maturity): 30m
Cumulative preferred stocks: 5m
Noncumulative preferred stocks: 10m

What is the structure of the bank’s Tier 1 and Tier 2 capital?

A. Tier 1 capital: 60m; Tier 2: 35m

B. Tier 1 capital: 55m; Tier 2: 40m

C. Tier 1 capital: 55m; Tier 2: 10m

D. Tier 1 capital: 60m; Tier 2: 5m

The correct answer is A.

Tier 1 = Equity (50m) + Noncumulative preferred stocks (10m) = 60m
Tier 2 = Subordinated debt (30m) + Cumulative preferred stocks (5m) = 35m

Q.2341 Basel II introduced a capital requirement for one “new” risk in Pillar 1. Which one?

A. Interest rate risk in banking book

B. Market risk in trading book

C. Operational risk

D. Credit risk

The correct answer is C.

Things to Remember

1. The Basel II framework was developed by the Basel Committee on Banking Supervision to enhance the banking regulatory framework. It consists of three pillars: Pillar 1 - Minimum Capital Requirements, Pillar 2 - Supervisory Review Process, and Pillar 3 - Market Discipline.

2. Under Pillar 1, Basel II introduced a capital requirement for operational risk, recognizing the importance of managing this type of risk in banking institutions.

3. The capital requirement for operational risk is calculated based on three methods: the Basic Indicator Approach (BIA), the Standardized Approach (TSA), and the Advanced Measurement Approach (AMA).

4. The capital requirements for credit risk and market risk were not introduced in Basel II. They were introduced in the Basel I Capital Accord and the Basel I Amendment from 1996, respectively.

5. Interest rate risk in the banking book is typically addressed under Pillar 2 of the Basel framework, which deals with the supervisory review process.


Q.2342 NYC Bank from New York, USA, is one of the largest banks in the USA. At the moment of
the introduction of Basel II standards in the USA, it was free to choose the approach to use so as
to meet credit risk capital requirements. What options did the bank have in this regard?

A. Standardized approach, Internal rating based approach, and Advanced IRB approach.

B. None, because the USA chose not to apply Basel II.

C. NYC Bank could only use standardized approach.

D. NYC Bank could only use the Foundation IRB approach.

The correct answer is A.

When Basel II standards were introduced in the USA, banks had the option to choose from
various approaches to meet credit risk capital requirements. The options available to NYC Bank,
as one of the largest banks in the USA, would typically include:

1. Standardized approach: Under this approach, banks use standardized risk weights assigned by regulators to various asset classes to calculate their capital requirements.

2. Internal rating based (IRB) approach: This approach allows banks to use their internal rating systems to assess credit risk and calculate capital requirements accordingly. There are two variations of the IRB approach:

a. Foundation IRB approach: This allows banks to use their own internal estimates of probability of default (PD) for eligible exposures, while other parameters such as loss given default (LGD) and exposure at default (EAD) are determined by regulators.

b. Advanced IRB approach: This approach permits banks to use their own internal estimates for PD, LGD, and EAD for eligible exposures, subject to approval and oversight by regulators.

Q.2343 PSV Bank, a small regional bank from Eindhoven, in North Brabant, in the Netherlands,
is in the process of calculating its capital requirements. Which of the following statements is true?

A. The bank must use the standardized approach for calculating regulatory capital,
because of its size.

B. The bank can choose between standardized, IRB, and advanced IRB approaches under
EU regulation.

C. The bank is under Basel I regulations which set out specific capital adequacy
requirements for different types of assets.

D. The bank is under both Basel I and Basel II regulations which require banks to hold
capital based on specific risk-weighted assets.

The correct answer is B.

Under the regulations of the European Union, banks, regardless of their size or international activity, have the option to choose between the standardized approach, the Internal Ratings-Based (IRB) approach, and the Advanced IRB (AIRB) approach for calculating their regulatory capital requirements. This choice is not arbitrary but is based on a variety of factors such as the bank's risk profile, its level of sophistication, and other factors that are subject to supervisory approval. The standardized approach is the simplest and least risk-sensitive of the three, while the IRB and AIRB approaches allow for more sophisticated risk management and capital calculation techniques. The IRB approach allows banks to use their own internal models to calculate credit risk, while the AIRB approach allows banks to use their own internal models to calculate both credit risk and operational risk. This flexibility allows banks to align their capital requirements more closely with their actual risk profile, thereby promoting more efficient use of capital.

Choice A is incorrect. The size of the bank does not necessarily determine the approach it

must use for calculating regulatory capital. Under EU regulation, banks have the option to

choose between standardized, IRB (Internal Ratings-Based), and advanced IRB approaches.

Choice C is incorrect. While Basel I regulations do set out specific capital adequacy

requirements for different types of assets, PSV Bank is based in the Netherlands which falls

under EU jurisdiction. Therefore, it follows Basel III regulations which allow banks to choose

between standardized, IRB and advanced IRB approaches for calculating regulatory capital

requirements.

Choice D is incorrect. Although Basel I and II regulations do require banks to hold capital

based on specific risk-weighted assets, this statement does not accurately reflect the current

regulatory environment for PSV Bank as it operates under EU jurisdiction where Basel III

regulations are applicable.


Q.2345 Bethlenbank from Kecskemet, Hungary, has to calculate its capital requirement for credit
risk. The bank has decided to use the standardized approach and has managed to gather data on:
exposure, collateral, probability of default, and credit rating of the debtor. Which piece of data is
missing so as to proceed with the required calculations smoothly?

A. Loss given default (LGD)

B. Exposure at default (EAD)

C. None

D. Maturity

The correct answer is C.

The correct choice is 'None': no additional data is required for the bank to proceed with its calculations. The other options - Loss given default (LGD), Exposure at default (EAD), and Maturity - are not missing from the data gathered by Bethlenbank. Under the standardized approach (Basel II), risk-weighted assets are calculated as the product of exposure and a risk weight which depends on the credit rating of the debtor. LGD and maturity are used for the calculation of capital requirement for credit risk under the IRB approach, not the standardized approach that Bethlenbank is using. Therefore, these are not missing data that the bank needs to collect.

Choice A is incorrect. Loss given default (LGD) is not a required input for the standardized

approach to credit risk. LGD is used in the Internal Ratings-Based (IRB) approach, which allows

banks to estimate their own parameters for risk weight functions.

Choice B is incorrect. Exposure at default (EAD) has already been collected by Bethlenbank as

part of its data gathering process, so it does not represent the missing data that needs to be

collected.

Choice D is incorrect. Maturity of the loan or exposure is also not a required input under the

standardized approach for credit risk calculation. Like LGD, maturity factor plays a role in IRB

approach but not in standardized one.


Q.2346 Astoria Bank from Marseille, France, has chosen the IRB approach to calculate its capital
requirement for credit risk. In line with standard practice, the bank should calculate its:

A. Value at risk with a time horizon of 1 year and a confidence interval of 99.9%.

B. Value at risk with a time horizon of 1 year and a confidence interval of 99%.

C. Value at risk with a time horizon of 1 month and a confidence interval of 99.9%.

D. Value at risk with a time horizon of 10 days and a confidence interval of 99%.

The correct answer is A.

The capital requirement for credit risk under the IRB approach is based on the Value at Risk

(VaR) calculated using a one-year time horizon and a 99.9% confidence level. This is a standard

practice recognized by regulators. The VaR is a statistical technique used to measure and

quantify the level of financial risk within a firm or investment portfolio over a specific time

frame. In this case, the time frame is one year and the confidence level is 99.9%, meaning the

bank is 99.9% confident that its losses will not exceed the VaR over a one-year period. The

capital required is therefore the VaR minus the expected loss. Expected losses are usually

covered by the way a financial institution prices its products. For example, the interest charged

by a bank on a loan is designed to recover expected loan losses. Therefore, the capital

requirement is essentially a buffer against unexpected losses, which are the losses that exceed

the expected losses.

Choice B is incorrect. While the Value at Risk (VaR) model is indeed used in risk management,

the Basel II regulations specify a confidence interval of 99.9% for the IRB approach, not 99%.

Therefore, this choice does not align with the standard procedures outlined by Basel II for banks

using the IRB approach.

Choice C is incorrect. This option suggests a time horizon of 1 month which is not in

accordance with Basel II regulations for banks using the IRB approach. The correct time horizon

as per these regulations should be 1 year and not shorter periods like one month.

Choice D is incorrect. Similar to Choice C, this option also proposes an inappropriate time

horizon - 10 days in this case - which does not comply with Basel II standards for banks that have

opted for the IRB method. The correct time frame should be one year as per these guidelines.


Q.2737 A bank’s annual financial statements showed the following assets:

| Asset | Amount (in $ million) |
|---|---|
| Cash | 50 |
| Treasury bills | 100 |
| Loans to corporations | 750 |
| Uninsured residential mortgages | 100 |

Calculate the bank’s risk-weighted assets based on the Basel I guidelines.

A. $850 million

B. $700 million

C. $750 million

D. $800 million

The correct answer is D.

According to Basel I the risk weights for different assets are:

| Asset | Risk weight |
|---|---|
| Cash and Treasury bills | 0% |
| Uninsured residential mortgages | 50% |
| Loans to corporations | 100% |

The risk-weighted assets for the bank can be calculated as:

50 × 0% + 100 × 0% + 750 × 100% + 100 × 50% = 800 million


Q.2738 Which of the following approaches is NOT appropriate for calculating credit risk capital
under Basel II?

A. Standardized Approach

B. Foundation IRB Approach

C. Advanced IRB Approach

D. Advanced Measurement Approach

The correct answer is D.

The Advanced Measurement Approach (AMA) is not an appropriate method for calculating credit

risk capital under Basel II. The AMA is actually used for calculating the operational risk of a

bank, not credit risk. Operational risk refers to the risk of loss resulting from inadequate or

failed internal processes, people, and systems, or from external events. This includes legal risk,

but excludes strategic and reputational risk. The AMA for operational risk allows banks to

develop their own empirical model to quantify required capital for operational risk, subject to

certain minimum conditions and oversight from their national regulator. Therefore, while the

AMA is a recognized approach under Basel II, it is not used for calculating credit risk capital.

Choice A is incorrect. The Standardized Approach is indeed a method for calculating credit

risk capital as per the Basel II guidelines. Under this approach, banks use ratings from external

credit assessment institutions to quantify required capital for credit risk.

Choice B is incorrect. The Foundation IRB (Internal Ratings-Based) Approach is also a suitable

method under Basel II guidelines. In this approach, banks are allowed to develop their own

empirical model to estimate PD (Probability of Default), but they must use prescribed values for

other parameters such as Loss Given Default (LGD) and Exposure at Default (EAD).

Choice C is incorrect. The Advanced IRB Approach allows banks more flexibility in estimating

the necessary risk parameters including PD, LGD and EAD based on their internal models, which

makes it another suitable method under Basel II guidelines.


Q.2740 All of these are pillars of sound bank management under the Basel II framework, except:

A. Minimum capital requirements

B. Sound corporate governance

C. Supervisory review

D. Market discipline

The correct answer is B.

Sound corporate governance is not one of the three pillars of the Basel II framework. While

sound corporate governance is indeed a crucial aspect of any banking institution's operations, it

is not explicitly listed as one of the three pillars under the Basel II framework. The Basel II

framework is specifically focused on three areas: Minimum Capital Requirements, Supervisory

Review, and Market Discipline. These three pillars are designed to ensure that banks have

adequate capital on hand to absorb losses, that they are subject to effective supervision, and that

they adhere to market discipline through transparency and disclosure. However, it should be

noted that sound corporate governance can indirectly contribute to these three pillars by

promoting responsible and ethical decision-making, effective risk management, and

transparency.

Choice A is incorrect. Minimum capital requirements is indeed one of the three pillars of the

Basel II framework. It sets out the minimum capital requirements that banks must hold to cover

their risk-weighted assets.

Choice C is incorrect. Supervisory review, which encourages banks to develop and use better

risk management techniques in monitoring and managing their risks, is also one of the three

pillars of Basel II.

Choice D is incorrect. Market discipline, which aims to achieve a more stable banking system

by making banks' financial conditions more transparent and thus subjecting them to market

discipline, constitutes the third pillar of Basel II.


Q.2994 Suppose that G&R Bank’s assets are made up of $267 million of corporate loans, $17
million of OECD government bonds, and $79 million of residential mortgages. We are also given
that corporate loans have a risk weight of 100%, loans to government agencies and banks in
OECD countries carry a risk weight of 20%, and mortgages have a risk weight of 50%. Compute
the total risk-weighted assets.

A. $520.7 million

B. $306.5 million

C. $267.4 million

D. $487.6 million

The correct answer is B.

Recall that the total risk-weighted assets for N on-balance-sheet items is given by the following expression:

$$\sum_{i=1}^{N} L_i W_i$$

Therefore:

The total risk weighted assets = 267 × 1 + 79 × 0.5 = $306.5 Million

Note: Cash and securities issued by governments of OECD countries (members of the

Organisation of Economic Co-operation and Development) are considered to have virtually zero

risk and have a risk weight of zero. It is loans to banks and government agencies in OECD

countries that have a risk weight of 20%.


Q.2995 The following table shows a portfolio of three derivatives (in EUR million) possessed by a
bank with a particular counterparty:

| Transaction | Principal $L_i$ | Current Value $V_i$ |
|---|---|---|
| 2-year interest rate swap | 1000 | 95 |
| 5-year foreign exchange forward | 1000 | −35 |
| 8-month option on a stock | 700 | 80 |

Calculate the net replacement ratio.

A. 0.74

B. 0.63

C. 0.80

D. 1.31

The correct answer is C.

Recall that:

$$\text{NRR} = \frac{\max\left(\sum_{i=1}^{N} V_i,\ 0\right)}{\sum_{i=1}^{N} \max(V_i,\ 0)}$$

The current exposure with netting (the numerator) is computed as:

95 + 80 − 35 = 140

The current exposure without netting (the denominator) is computed as:

95 + 0 + 80 = 175

Therefore:

$$\text{NRR} = \frac{140}{175} = 0.8$$

Q.3233 Jinshi&Houshi Corporation is a large commercial bank operating in mainland China. It
has adopted the Basel I framework and must maintain at least 8% capital to risk-weighted assets.
The bank makes use of the following add-on factors for derivatives:

Add-On Factors as a Percent of Principal for Derivatives

| Remaining Maturity (yr) | Interest Rate | Exchange Rate and Gold | Equity | Precious Metals Except Gold | Other Commodities |
|---|---|---|---|---|---|
| <1 | 0.0 | 1.0 | 6.0 | 7.0 | 10.0 |
| 1 to 5 | 0.5 | 5.0 | 8.0 | 7.0 | 12.0 |
| >5 | 1.5 | 7.5 | 10.0 | 8.0 | 15.0 |

The bank made the following transactions during a one-year period:


(a) A seven-year interest rate swap with a notional principal of $400 million and a current market
value of -$3 million.

(b) A three-year interest rate swap with a notional principal of $170 million and a current value
of $7 million.

(c) A four-month derivative on a commodity with a principal of $80 million that is currently worth
$4 million.

Using this information, estimate the capital requirement for the bank under Basel I if the
counterparty is a corporation (the risk weight for corporations is 0.5). Assume no netting.

A. $1.034 million

B. $2.068 million

C. $0.517 million

D. $1.535 million

The correct answer is A.

Capital required must be 8% of risk-weighted assets.


To calculate the risk-weighted assets for an off-balance sheet item, we must first establish the
item’s credit equivalent amount (CEA). The credit equivalent amount is then multiplied by the
risk weight for the counterparty to calculate risk-weighted assets.

For interest rates swaps and other over-the-counter (OTC) derivatives, the credit equivalent

amount is calculated as:

CEA = max(V , 0) + a × L

where:


V = current value of the derivative to the bank

a = add-on factor

L = principal amount

Following are CEAs for each transaction:

CEA(a) = 0 + 1.5% × $400m = $6 million

CEA(b) = 7 + 0.5% × $170m = $7.85 million

CEA(c) = 4 + 10% × $80m = $12 million

The bank is transacting with a corporation and as per Basel guidelines (as pointed out in the

question) the risk weight for corporations is 0.5.

Thus,

Risk weighted assets = 0.5[6 + 7.85 + 12] = $12.925 million


Capital required = 0.08 × 12.925 = $1.034 million


Q.3234 Jinshi&Houshi Corporation is a large commercial bank operating in mainland China. It
has adopted the Basel I framework and had made the following transactions during the year:

(a) A seven-year interest rate swap with a notional principal of $400 million and a current market
value of -$3 million.

(b) A three-year interest rate swap with a notional principal of $170 million and a current value
of $7 million.

(c) A four-month derivative on a commodity with a principal of $80 million that is currently worth
$4 million.

Given the above information, what is the net replacement ratio (NRR) under Basel I assuming
that the 1995 netting amendment applies?

A. 1.375

B. 1.000

C. 0.727

D. 0.636

The correct answer is C.

The current exposure with netting is −3 + 7 + 4 = 8


The current exposure without netting is 0 + 7 + 4 = 11

The net replacement ratio is given by:

$$\text{NRR} = \frac{\max\left(\sum_{i=1}^{N} V_i,\ 0\right)}{\sum_{i=1}^{N} \max(V_i,\ 0)} = \frac{8}{11} = 0.727$$

Q.3238 Paul Hales is a risk consultant at Kimpala Leasing Bank. The assets of the bank consist of
$690 million retail loans (not mortgages), mostly fleets of multinational companies financed by
Kimpala. The bank’s actuary has projected that the probability of default (PD) is 1% and the loss
given default (LGD) is 40%.
Based on this information, what is the worst-case default rate at 99.9% certainty and the
expected loss under the Basel II IRB approach? (Note: In this case, correlation ρ = 0.1216.)

A. 0.1190 and $2.76 million

B. 0.1216 and $44.15 million


C. 0.8784 and $4.83 million

D. 0.9086 and $44.15 million

The correct answer is A.

WCDR(T, X) or WCDR(X, T) indicates the Xth percentile of the default rate distribution during a
period of length T. Its components are as follows:

$$\text{WCDR} = N\left[N^{-1}(PD) + \frac{\sqrt{\rho}\,N^{-1}(X)}{\sqrt{1-\rho}}\right]$$

$PD$ = probability of default

$\rho$ = correlation parameter

$N^{-1}$ is the inverse of the standard normal CDF

For a problem like this, you would likely be provided with the values for $N^{-1}(PD)$ and $N^{-1}(X)$, but it is still useful to understand how they can be retrieved.

So in this case we have $N^{-1}(0.01)$ and $N^{-1}(0.999)$.

To interpret this, we want to find values of $z$ such that $P(Z < z) = 0.01$ and $P(Z < z) = 0.999$.

Using a table that only shows the right-hand side of the standard normal Z-lookup, we would be able to see that:

$N^{-1}(0.01) \approx -2.33$, because 0.9901, which is nearest to 0.9900, is found at $z = 2.33$; if $P(Z < 2.33) = 99\%$, then $P(Z < -2.33) = 1 - 99\% = 1\%$ (a consequence of symmetry, i.e., equal halves).

$N^{-1}(0.999)$: $P(Z < z) = 0.999 \Rightarrow z = 3.09$

Thus,

$$\text{WCDR} = N\left[-2.33 + \frac{\sqrt{0.1216} \times 3.09}{\sqrt{1 - 0.1216}}\right] = N(-1.18031)$$

$$N(-1.1803) = 1 - N(1.1803) = 1 - P(Z < 1.1803) = 1 - 0.88100 = 0.1190$$

286
© 2014-2024 AnalystPrep.
We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

$$EL = \sum EAD_i \times LGD_i \times PD_i = 690 \times 0.4 \times 0.01 = 2.76$$

Q.3239 Paul Hales is a risk consultant at Kimpala Leasing Bank. The assets of the bank consist of
$690 million retail loans (not mortgages), mostly fleets of multinational companies financed by
Kimpala. The bank’s actuary has projected that the probability of default (PD) is 1% and the loss
given default (LGD) is 40%. The correlation parameter is 0.1216. Based on the Basel II accord,
what is the default rate at the 99.9th percentile for the bank?

A. 0.9547

B. 0.0453

C. 0.9531

D. 0.1190

The correct answer is D.

$DR_{99.9}$ is the 99.9th percentile for a large portfolio of assets of type $i$:

$$DR_{99.9} = N\left[N^{-1}(PD_i) + \frac{\sqrt{\rho}\,N^{-1}(0.999)}{\sqrt{1-\rho}}\right]$$

$PD$ = probability of default

$\rho$ = correlation parameter

$N^{-1}$ is the inverse of the standard normal CDF

For a problem like this, you would likely be provided with the values for $N^{-1}(PD)$ and $N^{-1}(X)$, but it is still useful to understand how they can be retrieved.

So in this case we have $N^{-1}(0.01)$ and $N^{-1}(0.999)$.

To interpret this, we want to find values of $z$ such that $P(Z < z) = 0.01$ and $P(Z < z) = 0.999$.

Using a table that only shows the right-hand side of the standard normal Z-lookup, we would be able to see that:

$N^{-1}(0.01) \approx -2.33$, because 0.9901, which is nearest to 0.9900, is found at $z = 2.33$; if $P(Z < 2.33) = 99\%$, then $P(Z < -2.33) = 1 - 99\% = 1\%$ (a consequence of symmetry, i.e., equal halves).

$N^{-1}(0.999)$: $P(Z < z) = 0.999 \Rightarrow z = 3.09$

Thus,

$$DR_{99.9} = N\left[-2.33 + \frac{\sqrt{0.1216} \times 3.09}{\sqrt{1 - 0.1216}}\right] = N(-1.18031)$$

$$N(-1.1803) = 1 - N(1.1803) = 1 - P(Z < 1.1803) = 1 - 0.88100 = 0.1190$$

288
© 2014-2024 AnalystPrep.
We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

Q.3240 Python Commercial Bank uses the standardized approach to arrive at an estimate of total
risk-weighted credit risk exposure. An external credit rating agency assigned the following
weights to the bank's risk exposures.

| Risk Exposure | Weight |
|---|---|
| $24 million | 80% |
| $12 million | 120% |
| $18 million | 70% |
| $17 million | 30% |
| $3 million | 10% |

According to the Basel II Accord, as a rough approximation, the bank is mandated to maintain a
minimum capital of:

A. $51.6 million.

B. $1.792 million.

C. $4.128 million.

D. $5.920 million.

The correct answer is C.

Minimum capital required = 0.08 × (0.80 × $24 million + 1.20 × $12 million + 0.70 × $18 million
+ 0.30 × $17 million + 0.10 × $3 million)
= 0.08 × $51.6 million
= $4.128 million.

According to the Basel II Accord, the bank is mandated to maintain a capital of at least 8% of

total risk-weighted assets.

Q.4216 Which of the following statements gives one of the reasons for the introduction of the Basel I
accord?

A. The continuity of international financial transactions even after the Herstatt Bank
failure

B. The growing competition between the banks in different countries due to the varied
level of capital requirements

C. All of the above


D. None of the above

The correct answer is C.

The Basel I accord was introduced due to a combination of factors. One of the primary reasons

was the continuity of international financial transactions even after the failure of Herstatt Bank.

The bank's failure highlighted the need for a more robust regulatory framework to ensure the

stability of the international banking system. Additionally, there was growing competition

between banks in different countries due to the varied level of capital requirements. This

competition was seen as potentially destabilizing, as banks with lower capital requirements could

take on more risk, potentially leading to financial instability. Therefore, the Basel I accord was

introduced to create a level playing field and ensure that all banks had sufficient capital to cover

potential losses.

Choice A is incorrect. While the failure of Herstatt Bank did highlight the need for better risk

management in international banking, it was not a direct reason for the establishment of Basel I.

The Basel I accord was primarily introduced to address inconsistencies in capital requirements

across different countries, which is not directly related to ensuring continuity of international

financial transactions after a bank failure.

Choice B is incorrect. Although growing competition between banks due to varied levels of

capital requirements was indeed an issue, it was not the sole reason that led to the

establishment of Basel I. The accord aimed at addressing several issues including credit risk and

market risk along with creating a level playing field by standardizing capital adequacy ratios.

Choice D is incorrect. As explained above, both options A and B represent some aspects that

led to the establishment of Basel I but they were not the only reasons. Therefore, saying none of

them were reasons would be inaccurate.

290
© 2014-2024 AnalystPrep.
We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

Q.4217 What was the main goal of the Basel I accord?

A. Develop a common currency for all the banks

B. Maintenance of sufficient capital for the banks to remain solvent in time of distress

C. Raising the solvency level of small banks to match that of a big bank

D. None of the above

The correct answer is B.

The main goal of the Basel I accord was to ensure that banks maintain sufficient capital to

remain solvent in times of distress. This was done to promote the stability of the financial system

and prevent bank failures that could trigger a financial crisis. The accord introduced the concept

of risk-weighted assets, which required banks to hold capital in proportion to the different risk

levels of their assets. This was a significant step towards risk-based regulation, which is now a

fundamental principle in banking supervision. The Basel I accord was the first of three Basel

accords issued by the Basel Committee on Banking Supervision, which provides a forum for

regular cooperation on banking supervisory matters. Its objective is to enhance understanding of

key supervisory issues and improve the quality of banking supervision worldwide.

Choice A is incorrect. The Basel I accord was not designed to develop a common currency for

all the banks. It was primarily focused on ensuring that banks maintain sufficient capital to

remain solvent during times of financial distress.

Choice C is incorrect. While the Basel I accord did aim to improve the solvency of banks, it did

not specifically target raising the solvency level of small banks to match that of big banks. Its

main objective was to ensure overall stability in the banking sector by requiring all banks,

regardless of their size, to maintain adequate capital.

Choice D is incorrect. As explained above, the primary objective of the Basel I accord was indeed related to banking regulation, so the answer is not 'None of the above'. It aimed at maintaining sufficient capital for all types of banks so that they can remain solvent during times of financial distress.

291
© 2014-2024 AnalystPrep.
We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

Q.4218 Which of the following ratios did Basel I use to establish the capital sufficiency of
the banks?

A. Leverage ratio

B. Risk-based capital ratio

C. All of the above

D. None of the above

The correct answer is B.

The Basel I accord primarily used a risk-based capital ratio to determine the capital adequacy of banks. This ratio is the ratio of a bank's capital to its risk-weighted assets (RWA). The risk-weighted assets include both on-balance sheet assets (based on accounting conventions) and off-balance sheet exposures such as loan commitments and derivatives exposures. The risk-based capital ratio is designed to ensure that a bank has sufficient capital to cover the risks associated with its assets. The higher the risk associated with an asset, the higher the capital requirement. This approach encourages banks to manage their risk exposures and maintain a strong capital base, thereby promoting the stability and efficiency of financial systems.

Choice A is incorrect. While the leverage ratio is a financial metric used to evaluate a bank's

financial health by measuring its capital against its consolidated assets, it was not the primary

ratio used by Basel I for determining capital adequacy. The leverage ratio does not take into

account the riskiness of a bank's assets, which was a key focus of Basel I.

Choice C is incorrect. This choice suggests that both the leverage ratio and risk-based capital ratio were primarily used by Basel I to determine capital adequacy. However, as explained above, while both ratios are important in assessing a bank's financial health and stability, only the risk-based capital ratio was primarily used under Basel I.

Choice D is incorrect. This choice implies that neither the leverage nor risk-based capital ratios were utilized by Basel I for determining a bank's capital adequacy. This contradicts the fact that Basel I primarily relied on the risk-based capital ratio for this purpose.

292
© 2014-2024 AnalystPrep.
We provide latest Study Material for CFA, FRM and Financial Modeling. Please drop us an email at guru.ghantal987@gmail.com

Q.4219 Under the Basel I framework, what is the required value of the ratio of Tier 1 capital to
risk-weighted assets (RWA)?

A. Greater than 4%

B. Less than 4%

C. Greater than 8%

D. Less than 8%

The correct answer is A.

The Basel I framework, which was introduced by the Basel Committee on Banking Supervision in

1988, required banks to maintain a minimum ratio of Tier 1 capital to risk-weighted assets (RWA)

of 4%. Tier 1 capital, also known as core capital, includes the highest quality capital a bank

possesses, such as common stock and disclosed reserves. Risk-weighted assets are the total of all

assets held by a bank, adjusted for their associated risks. The higher the risk associated with an

asset, the higher its weight. The purpose of this ratio is to ensure that banks have enough high-

quality capital to absorb losses, thereby reducing the risk of bank failure and protecting

depositors. The ratio is calculated as follows:

$$\frac{\text{Tier 1 Capital}}{\text{RWA}} > 4\%$$

Choice B is incorrect. The Basel I framework does not require the ratio of Tier 1 capital to

RWA to be less than 4%. This would imply a lower level of financial strength, which contradicts

the purpose of the Basel regulations that aim to ensure sufficient capital adequacy in banks.

Choice C is incorrect. While it's true that a higher ratio indicates greater financial strength,

the Basel I framework does not set forth a requirement for this ratio to be greater than 8%. The

standard set by Basel I was actually lower.

Choice D is incorrect. Similar to Choice C, this option misrepresents the standards set by Basel

I. A requirement for this ratio to be less than 8% would suggest a relatively low threshold for

financial strength, which isn't consistent with the objectives of these regulatory standards.


Q.4220 Based on the Basel I framework, which of the following expressions is incorrect?

A. Tier 1 capital > 4%(RWA)

B. Total capital > 8%(RWA)

C. Tier 1 capital + Tier 2 capital = Total capital

D. Tier 1 capital + Tier 2 capital > Total capital

The correct answer is D.

The Basel I framework does not state that the sum of Tier 1 and Tier 2 capital should be greater

than the total capital. In fact, the total capital under the Basel I framework is defined as the sum

of Tier 1 and Tier 2 capital. Therefore, it is not possible for the sum of Tier 1 and Tier 2 capital to

be greater than the total capital. This statement is a contradiction and is therefore incorrect.

Choice A is incorrect. The Basel I framework indeed stipulates that Tier 1 capital should be

greater than 4% of risk-weighted assets (RWA). This requirement ensures that banks maintain a

certain level of high-quality, liquid assets to absorb losses.

Choice B is incorrect. According to the Basel I framework, the total capital (Tier 1 + Tier 2)

should be greater than or equal to 8% of RWA. This rule was established to ensure that banks

have sufficient overall capital reserves relative to their risk exposure.

Choice C is incorrect. Under the Basel I framework, Total Capital does indeed consist of Tier 1

and Tier 2 capital combined. Therefore, it's accurate to say that Tier 1 Capital + Tier 2 Capital

equals Total Capital.


Q.4221 According to Basel I classification of capital, which of the following is NOT a constituent
of Tier 2 capital?

A. Undisclosed reserves

B. Common equity

C. Hybrid instruments

D. Loan loss reserves not allocated to non-performing assets

The correct answer is B.

Under the Basel I framework, Tier 1 Capital, also known as core capital, includes common equity

and disclosed reserves minus goodwill. Common equity is the most fundamental form of capital

and represents the ownership interest in a bank. It includes ordinary shares and retained

earnings. This type of capital is considered the highest quality because it is fully available to

cover losses. Therefore, common equity is not a part of Tier 2 capital, which is supplementary

capital and includes other forms of capital that are less secure and reliable than Tier 1 capital.

Choice A is incorrect. Undisclosed reserves are indeed a part of Tier 2 capital under the Basel

I framework. These reserves are created or increased through appropriations of retained

earnings or other surplus, such as share premiums, general reserves, and legal reserves.

Choice C is incorrect. Hybrid instruments are also included in Tier 2 capital under Basel I

framework. These instruments combine characteristics of both debt and equity and provide a

supplementary source of capital for banks.

Choice D is incorrect. Loan loss reserves not allocated to non-performing assets form part of

Tier 2 Capital as per Basel I norms. They serve as buffers against potential losses from loans that

may default in future.


Q.4222 According to Basel I, to create a risk-sensitive ratio, the risk-weighted assets are used as
the denominator. Which of the following is assigned a risk weight of 0%?

A. Uninsured residential mortgages

B. Commercial and consumer loans

C. Claims on Organization for Economic Cooperation and Development (OECD) government bonds

D. Claims on OECD banks and public sector entities

The correct answer is C.

Under the Basel I framework, claims on Organization for Economic Cooperation and

Development (OECD) government bonds are assigned a risk weight of 0%. This is based on the

assumption that OECD governments are highly unlikely to default on their obligations. The 0%

risk weight reflects the perceived safety and stability of these bonds, which are backed by the

full faith and credit of OECD governments. These governments are typically characterized by

strong and stable economies, robust institutional frameworks, and high levels of public sector

transparency and accountability. Therefore, the risk of default is considered to be extremely low,

justifying the 0% risk weight.

Choice A is incorrect. Uninsured residential mortgages are not assigned a risk weight of 0%

under the Basel I framework. They carry credit risk and hence, are assigned a higher risk

weight.

Choice B is incorrect. Commercial and consumer loans also carry credit risk and therefore,

they are not assigned a 0% risk weight under the Basel I framework.

Choice D is incorrect. Claims on OECD banks and public sector entities do not have a 0% risk

weight under the Basel I framework as they also carry some level of credit risk.


Q.4223 The constituents of an American bank are $200 million of American government bonds,
$500 million of loans to corporations, $300 million of uninsured residential mortgages, and $250
million of residential mortgages issued by the public sector. What is the value of risk-weighted
assets (RWA) based on Basel I accord?

A. $1250 million

B. $600 million

C. $700 million

D. $850 million

The correct answer is C.

Using the weight ratios under the Basel I accord, the RWA is given by:

RWA = 0% × 200 + 100% × 500 + 50% × 300 + 20% × 250 = $700 million


Q.4224 According to Basel I, conventional off-balance sheet exposures were converted to an
on-balance sheet equivalent using credit conversion factors. Which of the following
off-balance-sheet categories was assigned a credit conversion factor of 100%?

A. Loan commitments with an original maturity of 6 months

B. Loan commitments with an original maturity of one year

C. Guarantees on loans and bonds

D. Standby letters of credit of transactions related to credit transactions

The correct answer is C.

Guarantees on loans and bonds were assigned a credit conversion factor of 100% under Basel I.

This means that these types of off-balance sheet exposures were considered to have the same

credit risk as on-balance sheet exposures. Guarantees on loans and bonds are commitments

made by a bank to cover the losses of a borrower in case of their default. Given the high risk

associated with these commitments, they were assigned the highest credit conversion factor.

This ensured that banks held sufficient capital against these exposures, thereby promoting

financial stability.

Choice A is incorrect. According to Basel I, loan commitments with an original maturity of 6

months were assigned a credit conversion factor of 20%, not 100%. This means that only 20% of

the off-balance sheet exposure would be converted into an on-balance sheet equivalent.

Choice B is incorrect. Loan commitments with an original maturity of one year were also

assigned a credit conversion factor lower than 100% under Basel I. The higher the maturity, the

higher the risk and hence, a higher credit conversion factor but it was still less than 100%.

Choice D is incorrect. Standby letters of credit related to trade transactions were not assigned

a credit conversion factor of 100%. These are considered less risky compared to guarantees on

loans and bonds because they are contingent upon certain events or conditions being met.


Q.4227 Under the Basel I framework, which of the following is one of the methods of measuring
market risk?

A. Current exposure method

B. Original exposure method

C. Standardized approach methods

D. The foundations of internal ratings-based

The correct answer is C.

The Basel I framework, which was introduced in 1988, was primarily focused on credit risk.

However, in 1996, the Basel Committee on Banking Supervision amended the Basel I framework

to include market risk. The amendment provided two methodologies for measuring market risk: a

standardized approach and an internal model-based approach. The standardized approach is a

method that uses pre-determined risk weights to calculate the capital requirement for each type

of market risk. This approach is simpler and less resource-intensive than the internal model-

based approach, making it suitable for smaller banks or banks with less complex trading

activities. The standardized approach methods are therefore correctly identified as a method of

measuring market risk under the Basel I framework.

Choice A is incorrect. The Current Exposure Method (CEM) is a measure of counterparty

credit risk in over-the-counter derivatives, not a method for measuring market risk under the

Basel I framework.

Choice B is incorrect. The Original Exposure Method refers to the original amount of exposure

at the time of transaction and it does not pertain to market risk measurement under Basel I.

Choice D is incorrect. The foundations of internal ratings-based approach are part of Basel II

and III frameworks, which focus on credit risk, not market risk measurement under Basel I.

Q.4400 Which one of the following statements is true concerning the Solvency II capital
framework for insurance companies?

A. The internal models-based approaches are used to calculate solvency capital requirement (SCR)

B. When an insurance company breaches Solvency II's minimum requirements, the
company is still allowed to take up new policies.

C. When an insurance company breaches Solvency II's minimum requirements,
supervisors may bar the company from selling/writing new policies or put it into
resolution

D. None of the above

The correct answer is C.

When an insurance company breaches Solvency II's minimum requirements, supervisors may bar

the company from selling/writing new policies or put it into resolution. This is a key provision of

the Solvency II framework. It is designed to protect policyholders and the wider financial system

from the risks associated with insurance companies that are not adequately capitalized. If an

insurance company breaches the minimum capital requirements set out in Solvency II, it is a

clear indication that the company is facing financial difficulties. In such a situation, the

supervisors have the authority to take corrective actions. These actions can include barring the

company from selling or writing new policies. This is done to prevent the company from taking

on additional risks that it may not be able to cover. The supervisors can also put the company

into resolution. This is a process where the company's assets are liquidated to pay off its

liabilities. The aim of this process is to ensure that the company's policyholders and creditors are

paid off to the greatest extent possible.

Choice A is incorrect. While it's true that Solvency II allows for the use of internal models to

calculate the solvency capital requirement (SCR), it's not the only method. Insurance companies

can also use a standard formula approach, which is based on a series of risk modules and sub-

modules, to calculate their SCR.

Choice B is incorrect. This statement contradicts one of the main objectives of Solvency II,

which is to ensure that insurance companies have sufficient capital to cover their risks. If an

insurance company breaches Solvency II's minimum requirements, it indicates that they may not

have enough capital to cover potential losses from underwriting risks. Therefore, allowing such a

company to take up new policies would increase its risk exposure and potentially jeopardize


policyholders' interests.

Choice D is incorrect, as explained in the discussions of Choices A and B above.

Q.4401 The Solvency II uses both standardized and internal model-based approaches to compute
SCR. However, if an insurance company decides to use internal models, the models must satisfy
certain conditions. Which of the following is one of the conditions?

A. The size of the data used should be small

B. The model used must be applicable to real business decision making

C. All of the above

D. None of the above

The correct answer is B.

The internal models used by insurance companies under Solvency II must be applicable to real

business decision making. This means that the models should not only be theoretically sound, but

also practical and useful in the context of the company's operations. They should be able to

accurately represent the company's risk profile, and should be integrated into the company's

decision-making process. This ensures that the models are not just used for regulatory

compliance, but also contribute to the company's risk management and strategic planning. The

models should be regularly updated and tested to ensure their continued relevance and accuracy.

Choice A is incorrect. The size of the data used in internal models should not necessarily be

small. In fact, larger datasets can often provide more accurate and reliable results as they allow

for a more comprehensive analysis of risk factors.

Choice C is incorrect. As explained above, not all the options listed are prerequisites for an

insurance company that opts to use internal models under Solvency II regulations.

Choice D is incorrect. There are indeed certain prerequisites that these models must meet

under Solvency II regulations, so it's not correct to say that none of the options listed are

prerequisites.


Q.4403 A bank majors in four business lines whose corresponding multipliers and gross income
(in millions) for three years are given in the table below:

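| Business Line | Multiplier | Annual Gross Income, Year 1 | Annual Gross Income, Year 2 | Annual Gross Income, Year 3 |
|---|---|---|---|---|
| Retail Banking | 13% | 6 | 18 | 8 |
| Asset Management | 14% | 8 | 10 | 18 |
| Trading and Sales | 19% | 9 | 18 | 28 |
| Corporate Finance | 18% | 42 | 25 | 20 |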

Based on the Basel II accord, what is the value of the required capital for operational risk under
the Basic Indicator approach?

A. 7.2

B. 4.0

C. 10.2

D. 10.5

The correct answer is D.

This method computes the capital for operational risk as 15% of the bank’s average
annual gross income over the past three years while ignoring years that resulted in negative
gross income.

So,

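| Business Line | Annual Gross Income, Year 1 | Annual Gross Income, Year 2 | Annual Gross Income, Year 3 |
|---|---|---|---|
| Retail Banking | 6 | 18 | 8 |
| Asset Management | 8 | 10 | 18 |
| Trading and Sales | 9 | 18 | 28 |
| Corporate Finance | 42 | 25 | 20 |
| Sum | 65 | 71 | 74 |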

Note that the multiplier column has been excluded since we do not need it here. Therefore, the

required capital for the operational risk is given by:

$$0.15 \times \left[\frac{65 + 71 + 74}{3}\right] = 10.5 \text{ million}$$


Q.4404 The Basel Committee defined operational risk as the risk that occurs due to inadequate
or failed internal processes, people and systems or from external events. Which of the following
methods of determining capital required for operational risk is incorrectly described as per Basel
II accord?

A. Basic Indicator Approach: computes the capital for the operational risk as 15% of the
bank’s average annual gross income over the past three years while ignoring years that
resulted in negative gross income

B. Standardized approach: computes bank’s average annual gross income over the past
three years while ignoring years that resulted in negative gross income using the same
multiplier across assets

C. Advanced Measurement Approach (AMA): computes the required capital for
operational risk as 99.9% VaR measured using internal models less expected operational
losses

D. None of the above

The correct answer is B.

The Standardized Approach, as per the Basel II accord, does not use the same multiplier across

all assets. Instead, it uses different multipliers for different types of business lines. The

multipliers are predefined by the Basel Committee and are based on the inherent riskiness of

each business line. The gross income of each business line is multiplied by its respective

multiplier to calculate the capital requirement for operational risk. Therefore, the description in

Choice B is incorrect as it states that the Standardized Approach uses the same multiplier across

all assets.

Choice A is incorrect. The Basic Indicator Approach does indeed calculate the capital for

operational risk as 15% of the bank's average annual gross income over the past three years,

excluding years with negative gross income. This description is accurate and therefore not a

correct answer to this question.

Choice B is the incorrectly described method. The Standardized Approach does not use a single multiplier across all

assets when calculating the bank's average annual gross income over the past three years while

ignoring years that resulted in negative gross income. Instead, it applies different multipliers to

different business lines based on their level of riskiness, making this description inaccurate and

thus the correct answer to this question.


Choice C is incorrect. The Advanced Measurement Approach (AMA) does compute required

capital for operational risk as 99.9% VaR measured using internal models less expected

operational losses, which aligns with Basel II guidelines on AMA usage for operational risk

capital calculation.

Choice D is incorrect. This option suggests that none of the descriptions provided are

inaccurate; however, as explained above, Choice B incorrectly describes how the Standardized

Approach calculates capital requirements for operational risk under Basel II guidelines.


Q.4405 A Canadian bank has assets consisting of CAD 300 million BB-rated drawn loans. The
probability of default (PD) is estimated to be 0.01, the LGD is 30%, and DR is estimated to be
0.10. What is the RWA for the bank with regard to the Basel II accord?

A. CAD 100.34 million

B. CAD 125.53 million

C. CAD 125.43 million

D. CAD 101.25 million

The correct answer is D.

Recall that retail exposures were calculated similarly to the advanced IRB approach, except that
there is no maturity adjustment. So,

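$$\begin{aligned}
\text{RWA} &= 12.5 \times \text{EAD} \times \text{LGD} \times (\text{DR} - \text{PD}) \\
&= 12.5 \times 300 \times 0.30 \times (0.10 - 0.01) \\
&= \text{CAD } 101.25 \text{ million}
\end{aligned}$$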

Note:

Under Basel II, banks are required to maintain a total capital ratio (Tier 1 + 2 + 3) of

minimum 8%. 12.5 is the inverse of 8%. The multiplier has the effect of turning a

capital requirement into a RWA measure.

EAD = Exposure at Default

LGD = Loss Given Default

DR = the default rate at the 99.9th percentile for a large portfolio of assets of type i.

PD = The bank's own probability of default


Q.4406 The bank’s probability of default (PD) is estimated to be 0.01. What is the approximated
value of the asset correlation in the context of the Basel II framework?

A. 0.1562

B. 0.1453

C. 0.1928

D. 0.2341

The correct answer is C.

The Basel II model assumes Lopez’s model, given by:

$$\rho = 0.12\left[\frac{1 - e^{-50\,\text{PD}}}{1 - e^{-50}}\right] + 0.24\left[1 - \frac{1 - e^{-50\,\text{PD}}}{1 - e^{-50}}\right]$$

Since we are given PD=0.01, then the asset correlation is given by:

$$\rho = 0.12\left[\frac{1 - e^{-50 \times 0.01}}{1 - e^{-50}}\right] + 0.24\left[1 - \frac{1 - e^{-50 \times 0.01}}{1 - e^{-50}}\right] = 0.1928$$

Q.4408 Assume that a bank has a portfolio of four derivatives with two counterparties, as shown
in the table below:

| Counterparty | Derivative Type | Maturity Period | Notional Amount | Market Value | Add-on Factor |
|---|---|---|---|---|---|
| 1 | Interest rate | 2 | 200 | −5 | 0.5% |
| 1 | Interest rate | 2 | 100 | 15 | 0.5% |
| 2 | Equity Option | 4 | 100 | 0 | 10% |
| 2 | Wheat Option | 6 | 200 | −10 | 10% |

What is the value of the credit equivalent of the derivative portfolio based on the 1995 netting
amendment?

A. 60.23

B. 62.45

C. 42.54

D. 35.2


The correct answer is D.

According to the 1995 amendment of Basel I, the Credit equivalent amount is given by

$$\text{CEA} = \max\left(\sum_{i=1}^{N} V_i,\, 0\right) + \sum_{j} \left(0.4 \times D_j + 0.6 \times D_j \times \text{NRR}\right)$$

Where NRR (Net Replacement Ratio) is defined as:

$$\text{NRR} = \frac{\max\left(\sum_{i=1}^{N} V_i,\, 0\right)}{\sum_{i=1}^{N} \max\left(V_i,\, 0\right)}$$

Now,

$$\max\left(\sum_{i=1}^{N} V_i,\, 0\right) = \max(0,\, 10) = 10$$

Note that the current exposure portion of the credit equivalent is 10 for counterparty 1 because

-5 exposure on the first interest rate is netted against 15 on the second interest rate. Moreover,

the current exposure for counterparty 2 is 0, since current exposure cannot be negative (-10).

Now,

$$\text{NRR} = \frac{\max\left(\sum_{i=1}^{N} V_i,\, 0\right)}{\sum_{i=1}^{N} \max\left(V_i,\, 0\right)} = \frac{\text{Current exposure}}{\text{Sum of positive exposures}} = \frac{10}{15} = 0.6667$$

The add-on factor for the potential future exposures is calculated for each derivative

Interest rate = 0.5% × (100 + 200) = 1.5

Equity Option = 10% × 100 = 10

Wheat Option = 10% × 200 = 20

So,

$$\begin{aligned}
\sum_{j} \left(0.4 \times D_j + 0.6 \times D_j \times \text{NRR}\right) &= [0.4 \times 1.5 + 0.6 \times 1.5 \times 0.6667] + [0.4 \times 10 + 0.6 \times 10 \times 0.6667] \\
&\quad + [0.4 \times 20 + 0.6 \times 20 \times 0.6667] \\
&= 1.20 + 8 + 16 = 25.2
\end{aligned}$$

Therefore:

$$\text{CEA} = \max\left(\sum_{i=1}^{N} V_i,\, 0\right) + \sum_{j} \left(0.4 \times D_j + 0.6 \times D_j \times \text{NRR}\right) = 10 + 25.2 = 35.2$$


Reading 124: Solvency, Liquidity and Other Regulation After the Global Financial Crisis

Q.2347 BastaBank from Bari, Italy, has just adopted Basel II.5 regulations after years of Basel II
compliance. The bank’s risk management team wants to bring the directors up to speed,
particularly with regard to the new requirements under Basel II.5. The team has prepared a
report highlighting the main changes. These most likely have a lot to do with:

A. Calculation of capital requirement for liquidity risk, calculation of stressed VaR, and a
new methodology of capital calculation.

B. Calculation of stressed VaR, a new incremental risk charge, and a comprehensive risk
measure for instruments dependent on credit correlation.

C. A new incremental risk charge, a comprehensive risk measure for instruments
dependent on credit correlation, and a new methodology of capital calculation.

D. A new incremental risk charge, new requirements for IRB parameters calculation, and
new requirements for liquidity measurement.

The correct answer is B.

The transition from Basel II to Basel II.5 brought about three significant changes. These include

the calculation of a stressed Value at Risk (VaR), the introduction of a new incremental risk

charge, and a comprehensive risk measure for instruments that are dependent on credit

correlation. The stressed VaR is a risk measure that estimates the potential losses a bank could

incur under extreme market conditions. The incremental risk charge is a capital charge that

covers potential losses arising from changes in credit quality. Lastly, the comprehensive risk

measure is a capital requirement that covers potential losses from correlation trading activities.

These changes were introduced to enhance the risk sensitivity of the capital framework and to

address the shortcomings of the Basel II framework that were exposed during the financial

crisis.

Choice A is incorrect. While Basel II.5 does introduce the calculation of stressed VaR, it does

not include a new methodology for capital calculation or a specific capital requirement for

liquidity risk. These aspects are more associated with Basel III regulations.

Choice C is incorrect. Although Basel II.5 introduces an incremental risk charge and a

comprehensive risk measure for instruments dependent on credit correlation, it does not


introduce a new methodology of capital calculation.

Choice D is incorrect. The introduction of an incremental risk charge is indeed part of Basel

II.5, but the new requirements for IRB parameters calculation and liquidity measurement are not

included in this regulatory update.


Q.2348 Cosomora Bank from Eindhoven, in the Netherlands, is one of the largest European
banks with a large trading book. The bank has been under Basel II and is currently in the later
stages of Basel II.5 implementation. What will be the main effect of shifting from Basel II to
Basel II.5?

A. Capital charges for credit risk will increase.

B. Capital charges for credit risk will be reduced.

C. Capital charges for market risk will increase.

D. Sweeping changes in liquidity measurement techniques.

The correct answer is C.

The transition from Basel II to Basel II.5 primarily results in an increase in the capital charges

for market risk. This is because Basel II.5 introduces enhancements to the market risk

framework, which include the incorporation of stressed Value-at-Risk (VaR) and the incremental

risk charge (IRC). These enhancements aim to capture the risk of mark-to-market losses on the

trading book due to changes in market conditions. As a result, banks are required to hold more

capital against market risk to absorb potential losses, leading to an increase in capital charges

for market risk. This is particularly relevant for large banks like Cosomora Bank, which have a

significant trading book.

Choice A is incorrect. The transition from Basel II to Basel II.5 primarily impacts the capital

charges for market risk, not credit risk. While Basel II.5 does introduce some changes in the

calculation of credit risk, it is not the primary focus of this regulatory update.

Choice B is incorrect. Similar to Choice A, this option incorrectly focuses on credit risk instead

of market risk. Furthermore, under Basel II.5 framework, there isn't a general reduction in

capital charges for credit risk; rather it introduces more sophisticated and sensitive measures for

calculating these risks.

Choice D is incorrect. Although Basel III (the next iteration after Basel II and II.5) places

significant emphasis on liquidity measurement techniques, this is not a primary impact of

transitioning from Basel II to Basel II.5 which mainly addresses market risks.


Q.2349 With the introduction of Basel II.5, the Basel Committee requires banks to calculate the
so-called stressed VaR. Stressed VaR was introduced mainly because of:

A. Very high capital requirements because of high volatility of market variables.

B. Too low VaR as a result of low volatility of market variables.

C. Increased capital charges for credit risk.

D. None of the above.

The correct answer is B.

The period from 2003 to 2006 was characterized by low volatilities of most market variables.

Consequently, the market risk Value at Risk (VaR) figures calculated during this period for regulatory

capital purposes were also low. Even after the onset of the financial crisis, the VaRs remained

low for a while because much of the data used to calculate them still came from the low-volatility

period. This led to an underestimation of the actual risk, which could potentially lead to

insufficient capital allocation. Therefore, the Basel Committee introduced the concept of

'stressed VaR' under Basel II.5 to address this issue. The 'stressed VaR' is designed to provide a

more realistic estimate of potential losses in periods of stress, thereby ensuring that banks hold

adequate capital to cover these potential losses.

Choice A is incorrect. The Basel II.5 was not introduced due to very high capital requirements

because of high volatility of market variables. In fact, the stressed VaR was introduced to ensure

that banks have sufficient capital during periods of stress when market variables are highly

volatile.

Choice C is incorrect. The introduction of Basel II.5 and the requirement for 'stressed VaR'

were not primarily related to increased capital charges for credit risk. While Basel II did

introduce more sophisticated approaches for credit risk, the stressed VaR specifically addresses

market risk under stressful conditions.

Choice D is incorrect. There were specific reasons behind the introduction of Basel II.5 and the

requirement for 'stressed VaR', hence 'None of the above' does not provide a correct explanation.


Q.2353 Katerini Bank from Greece is in the process of implementing Basel III regulations. One of
the first assignments of its risk management team is to calculate the required regulatory capital.
In line with Basel III, the bank should have the following categories of capital, except:

A. Tier 1 capital

B. Tier 2 capital

C. Tier 3 capital

D. Additional Tier I capital

The correct answer is C.

Under the Basel III regulations, there is no category known as Tier 3 capital. The Basel III

framework, which was developed by the Basel Committee on Banking Supervision (BCBS) to

strengthen the regulation, supervision, and risk management within the banking sector, outlines

three main categories of capital that banks are required to maintain. These include Tier 1 equity

capital, Additional Tier 1 capital, and Tier 2 capital. Tier 1 capital, which is the highest quality of

capital a bank possesses, is further divided into Common Equity Tier 1 (CET1) and Additional

Tier 1 (AT1) capital. CET1 capital includes ordinary shares and retained earnings, while AT1

capital consists of instruments that are not CET1 but satisfy other criteria. Tier 2 capital, on the

other hand, is a lower form of capital that includes items such as undisclosed reserves,

revaluation reserves, general loan-loss reserves, hybrid (debt/equity) capital instruments, and

subordinated debt. The concept of Tier 3 capital, which was present in the earlier Basel I and

Basel II frameworks, was removed in Basel III. Therefore, the statement that the bank should

have Tier 3 capital is incorrect.

Choice A is incorrect. Tier 1 capital, also known as core capital, is a key component of Basel III

regulations. It includes the highest quality capital that a bank possesses, such as common equity

and disclosed reserves.

Choice B is incorrect. Tier 2 capital, or supplementary capital, is also part of Basel III

requirements. This category includes items like undisclosed reserves, revaluation reserves,

general loan-loss reserves and hybrid (debt/equity) capital instruments.

Choice D is incorrect. Additional Tier I (AT1) Capital forms part of the regulatory framework

under Basel III and comprises securities that are subordinated to most other debts, have no fixed

maturity date and no encumbrances.

Q.2354 Which of the following presents a component of Tier 1 capital?

A. Changes in retained earnings arising from securitized transactions

B. Share capital

C. Goodwill

D. Changes in retained earnings arising from a bank's own credit risk

The correct answer is B.

Share capital is a primary component of Tier 1 capital. It refers to the funds that a company

raises in exchange for shares. It is a key measure of a company's liquidity and overall financial

health. In the context of banking, share capital can be used to absorb losses, thereby protecting

depositors and other creditors. It is considered a high-quality capital because it is fully paid-up

and available to the bank without any obligations. Therefore, it provides a strong buffer against

losses. Share capital is also permanent in nature, meaning it does not have a maturity date and is

available to the bank as long as it is in operation. This permanence further enhances its ability to

absorb losses. In addition, share capital is freely available to cover losses, as it is not

encumbered by contractual or regulatory obligations that could limit its availability in times of

stress.

Choice A is incorrect. Changes in retained earnings arising from securitized transactions are

not considered as a part of Tier 1 capital. These changes are related to the bank's investment

activities and do not reflect the core financial strength of the bank from a regulatory perspective.

Choice C is incorrect. Goodwill, while an asset on a company's balance sheet, is not included in

Tier 1 capital calculations. This is because goodwill can be highly subjective and difficult to

accurately value, making it less reliable as an indicator of financial strength.

Choice D is incorrect. Changes in retained earnings arising from a bank's own credit risk are

also not included in Tier 1 capital. These changes reflect potential losses that could occur if the

bank's creditworthiness deteriorates, rather than its core financial resources.

Q.2356 In Basel III, the Basel Committee introduced, among others, a new requirement named
leverage ratio. The main reason for its introduction was that:

A. Capital adequacy ratio was too high for many banks.

B. Banks had too much discretion in the way risk-weighted assets were calculated.

C. Banks were too undercapitalized.

D. Banks would have unlimited discretion while calculating their regulatory capital.

The correct answer is B.

The Basel Committee introduced the leverage ratio because regulators thought that banks had
too much discretion in the way risk-weighted assets were calculated. They have far less
discretion in the way “total exposure” is calculated.

Things to Remember

1. Basel III is a global regulatory standard on bank capital adequacy, stress testing, and market

liquidity risk. It was introduced by the Basel Committee on Banking Supervision following the

financial crisis of 2007-2008 to strengthen the regulation, supervision, and risk management of

banks.

2. The leverage ratio is a non-risk-based capital adequacy measure introduced under Basel III. It

is calculated by dividing Tier 1 capital by the bank's total exposures, which include on-balance

sheet items, derivative exposures, and off-balance sheet items.

3. The leverage ratio serves as a backstop to the risk-based capital ratios. It helps ensure that

banks have an adequate capital buffer against losses and restricts the level of leverage that

banks can take on.

4. The main reason for the introduction of the leverage ratio was that banks had too much

discretion in the way risk-weighted assets were calculated. This could lead to an underestimation

of risk and lower capital requirements.

5. The calculation of the leverage ratio is more straightforward and leaves less room for

manipulation compared to the calculation of risk-weighted assets.

Q.2358 Berthold Bruhne, a risk manager for the bank of Salzburg, was attending a board
meeting where he presented the results of the liquidity coverage ratio (LCR) calculation.
According to him, the bank’s LCR stood at 152% as of December 31st, 2016, safely above the
required minimum. His conclusion was that the bank could survive liquidity disruptions in the
next:

A. 1 year

B. 60 days

C. 30 days

D. 15 days

The correct answer is C.

The Liquidity Coverage Ratio (LCR) is a regulatory requirement under the Basel III framework,

designed to ensure that banks hold enough high-quality liquid assets to survive a severe liquidity

disruption over a 30-day period. The LCR is calculated as the ratio of a bank's High Quality

Liquid Assets (HQLA) to its total net cash outflows over the next 30 days. A ratio of 100% or

more indicates that the bank has enough liquid assets to meet its short-term obligations, even in

a severe liquidity stress scenario. In this case, the Bank of Salzburg's LCR of 152% suggests that

it has more than enough liquid assets to survive a 30-day liquidity disruption.

Choice A is incorrect. The liquidity coverage ratio (LCR) is a short-term liquidity measure

designed to ensure that banks can withstand a 30-day stress scenario, not a full year. Therefore,

an LCR of 152% does not imply that the bank could withstand liquidity disruptions for one year.

Choice B is incorrect. While the LCR is indeed a measure of short-term liquidity, it specifically

pertains to a 30-day stress scenario as per Basel III regulations. An LCR of 152% does not

indicate that the bank could survive liquidity disruptions for 60 days without additional

measures.

Choice D is incorrect. The LCR's purpose is to ensure that banks have enough high-quality

liquid assets to survive significant cash outflows over a period of 30 days under stressed

conditions, not just for 15 days.

Q.2359 In line with Basel III, the LCR is calculated as the:

A. Ratio between stable funding and high-quality liquid assets.

B. Ratio between high-quality liquid assets and total assets.

C. Ratio between high-quality liquid assets and net cash outflows in a 30-day period.

D. Ratio between stable funding and net cash outflows in a 30-day period.

The correct answer is C.

The Liquidity Coverage Ratio (LCR) is indeed calculated as the ratio between high-quality liquid

assets and net cash outflows over a 30-day period. This ratio is a key component of Basel III, a

set of international banking regulations developed by the Basel Committee on Banking

Supervision. The LCR is designed to ensure that banks have enough high-quality liquid assets on

hand to survive a severe liquidity stress scenario lasting 30 days. High-quality liquid assets are

those that can be easily and immediately converted into cash with little or no loss of value. Net

cash outflows are the total expected cash outflows minus total expected cash inflows occurring

in the next 30 days. The LCR must be greater than or equal to 100%, indicating that a bank has

enough liquid assets to cover its total net cash outflows for 30 days.

Choice A is incorrect. The ratio between stable funding and high-quality liquid assets is not the

Liquidity Coverage Ratio (LCR) according to Basel III. This ratio refers more to the Net Stable

Funding Ratio (NSFR), another standard introduced by Basel III, which aims to promote

resilience over a longer-term structural horizon by requiring banks to fund their activities with

sufficiently stable sources of funding.

Choice B is incorrect. The LCR does not involve a ratio between high-quality liquid assets and

total assets. Total assets include both liquid and illiquid assets, whereas the LCR specifically

focuses on high-quality liquid assets that can be readily converted into cash in times of stress.

Choice D is incorrect. The ratio between stable funding and net cash outflows in a 30-day

period does not define the LCR as per Basel III regulations. This choice seems to mix elements

from both the LCR and NSFR standards but does not accurately represent either.

Q.2360 CIB Bank from Oklahoma City, USA, is a G-SIB, as classified by the Financial Stability
Board. This implies that:

A. The bank is recognized globally as a “Solid Investment Bank”.

B. The bank’s failure could lead to a global economic crisis.

C. The bank has a global reach and has been successful for an extended period.

D. The bank’s “Sustained International Business” ratio is high in all operational countries.

The correct answer is B.

The term G-SIB stands for global systemically important bank. Their failure could be nearly
catastrophic, triggering a market-wide disruption that could lead to a financial crisis. The
systemic importance of a bank or other financial institution depends on the effect that its failure
could have on the global financial system. This, in turn, depends on the nature of its activities
and the contracts it has entered into with other financial institutions globally.

Q.2361 Catalina Insurance from Tucson, Arizona, is identified as a SIFI. It is, however, not a D-
SIB. Why is that so?

A. Catalina Insurance is operating in the USA only.

B. Catalina Insurance is involved in global activities.

C. Catalina Insurance is not a bank.

D. Catalina Insurance is above the capital threshold designated by the Basel Committee.

The correct answer is C.

Catalina Insurance is not a bank. The term SIFI (Systemically Important Financial Institution) is

a broad category that includes both banks and non-banks that are deemed to be systemically

important. These institutions are often considered 'too big to fail' and are likely to be bailed out if

they face financial difficulties to prevent a potential systemic risk. On the other hand, D-SIBs

(Domestic Systemically Important Banks) are a subset of SIFIs that are specifically banks. These

are designated by national regulators and are considered systemically important within the

domestic economy. Therefore, since Catalina Insurance is not a bank, it cannot be classified as a

D-SIB despite being a SIFI.

Choice A is incorrect. The geographical operation of Catalina Insurance, whether it's only in

the USA or globally, does not determine its classification as a SIFI or D-SIB. These classifications

are based on the potential risk that the institution poses to the financial stability of a country or

globally.

Choice B is incorrect. While global activities can contribute to an institution being classified as

a Global Systemically Important Bank (G-SIB), it does not necessarily prevent it from being

designated as a D-SIB. Therefore, Catalina Insurance's involvement in global activities is not a

valid reason for its non-classification as a D-SIB.

Choice D is incorrect. Being above the capital threshold designated by the Basel Committee

might make an institution eligible for SIFI status but doesn't exclude it from being classified as a

D-SIB if it meets other criteria such as size, interconnectedness and complexity of operations

among others.

Q.2741 All of these are changes that were implemented through Basel 2.5, except:

A. Calculation of a stressed VaR.

B. Implementation of a new incremental risk charge (IRC).

C. A comprehensive risk measure (CRM) for instruments sensitive to correlations between default risks of various instruments.

D. Calculation of the net stable funding ratio (NSFR) and the liquidity coverage ratio (LCR).

The correct answer is D.

The calculation of the net stable funding ratio (NSFR) and the liquidity coverage ratio (LCR)

were not changes implemented through Basel 2.5. These are liquidity measures that were

introduced later, under Basel III. Basel III was developed in response to the deficiencies in

financial regulation revealed by the financial crisis of 2007–2008. It is intended to strengthen

bank capital requirements by increasing bank liquidity and decreasing bank leverage. The NSFR

is designed to ensure that long-term assets are funded with at least a minimum amount of stable

liabilities in order to mitigate the risk of future funding stress. The LCR is a requirement that

banks hold an amount of high-quality liquid assets that is enough to cover their total net cash

outflows over 30 days. Both of these measures aim to improve the banking sector's ability to

absorb shocks arising from financial and economic stress, thus reducing the risk of spillover

from the financial sector to the real economy.

Choice A is incorrect. Basel 2.5 did introduce the calculation of a stressed VaR (Value at Risk).

This was done to ensure that banks have enough capital to cover extreme losses during periods

of significant financial stress.

Choice B is incorrect. The implementation of a new incremental risk charge (IRC) was indeed

part of the changes brought about by Basel 2.5. The IRC was designed to capture the default and

migration risks for unsecuritized credit products.

Choice C is incorrect. Basel 2.5 also introduced a comprehensive risk measure (CRM) for

instruments sensitive to correlations between default risks of various instruments, in order to

better manage and mitigate systemic risk.

Q.2743 Which of the following correctly describes the time horizon considered by the Liquidity
Coverage Ratio (LCR) and the Net Stable Funding Ratio (NSFR)?

A. LCR: Focuses on a 30-day period; NSFR: Focuses on a 2-year period.

B. LCR: Focuses on a 1-year period; NSFR: Focuses on a 30-day period.

C. LCR: Focuses on a 2-year period; NSFR: Focuses on a 30-day period.

D. LCR: Focuses on a 30-day period; NSFR: Focuses on a 1-year period.

The correct answer is D.

The Liquidity Coverage Ratio (LCR) focuses on a 30-day period, while the Net Stable Funding

Ratio (NSFR) focuses on a 1-year period. The LCR is designed to ensure that a bank has an

adequate stock of unencumbered high-quality liquid assets (HQLAs) that can be converted into

cash to meet its liquidity needs for a 30-day time horizon under a significantly severe liquidity

stress scenario. On the other hand, the NSFR is a longer-term structural ratio designed to

address liquidity mismatches and provide incentives for banks to use stable sources of funding. It

aims to measure the amount of longer-term, stable sources of funding employed by an institution

relative to the liquidity profiles of the assets funded and the potential for contingent calls on

funding liquidity arising from off-balance sheet commitments and obligations, over a one-year

horizon.

Choice A is incorrect because while it correctly identifies the time horizon for the LCR as a 30-

day period, it incorrectly states that the NSFR focuses on a 2-year period. The NSFR actually

focuses on a 1-year period. The NSFR is designed to ensure that long-term assets are funded

with at least a minimum amount of stable liabilities in relation to their liquidity risk profiles over

a one-year period.

Choice B is incorrect because it incorrectly identifies the time horizons for both the LCR and

the NSFR. The LCR focuses on a 30-day period, not a 1-year period as stated in this choice.

Similarly, the NSFR focuses on a 1-year period, not a 30-day period. The LCR is designed to

ensure that a bank has an adequate stock of unencumbered high-quality liquid assets (HQLAs)

that can be converted into cash to meet its liquidity needs for a 30-day time horizon. The NSFR,

on the other hand, is designed to ensure that long-term assets are funded with at least a

minimum amount of stable liabilities in relation to their liquidity risk profiles over a one-year

period.

Choice C is incorrect because it incorrectly identifies the time horizons for both the LCR and

the NSFR. The LCR focuses on a 30-day period, not a 2-year period as stated in this choice.

Similarly, the NSFR focuses on a 1-year period, not a 30-day period. The LCR is designed to

ensure that a bank has an adequate stock of unencumbered high-quality liquid assets (HQLAs)

that can be converted into cash to meet its liquidity needs for a 30-day time horizon. The NSFR,

on the other hand, is designed to ensure that long-term assets are funded with at least a

minimum amount of stable liabilities in relation to their liquidity risk profiles over a one-year

period.

Q.2997 Goodwill Bank’s balance sheet contains the following items. The available stable funding
(ASF) and required stable funding (RSF) factors for each category of funding capital are also
provided:

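| Funding item | Amount | ASF factor |
|---|---|---|
| Retail Deposits | 35 | 90% |
| Wholesale Deposits | 50 | 50% |
| Tier 2 Capital | 5 | 100% |
| Tier 1 Capital | 10 | 100% |

| Asset item | Amount | RSF factor |
|---|---|---|
| Cash | 7 | 0% |
| Mortgages | 38 | 65% |
| Treasury Bonds | 6.5 | 5% |
| Small Business Loans | 54 | 85% |
| Fixed Assets | 12 | 100% |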

Which of the following is closest to the net stable funding ratio?

A. 84.9%

B. 86.2%

C. 83.1%

D. 88.0%

The correct answer is B.

Recall that:

$$NSFR = \frac{\text{Amount of stable funding}}{\text{Required amount of stable funding}}$$

Amount of stable funding = 35 × 0.9 + 50 × 0.5 + 5 × 1 + 10 × 1 = 71.5

And:

RSF = 7 × 0 + 38 × 0.65 + 6.5 × 0.05 + 54 × 0.85 + 12 × 1 = 82.925

Therefore:

$$NSFR = \frac{71.500}{82.925} = 0.862 = 86.2\%$$

Q.3237 Exim Bank estimates its stable funding to be $100 million. Further, net cash outflows
over the coming 30 days are estimated to hit $155 million. Exim Bank has capital of $10 million
and its total exposure stands at $150 million. The bank's high-quality liquid assets are valued at
$140 million.
Determine the bank’s liquidity coverage ratio (LCR) as stipulated in Basel III.

A. 0.9032

B. 0.875

C. 1.1

D. 1.4

The correct answer is A.

According to Basel III rules, the bank needs a minimum liquidity coverage ratio (LCR) of 100%.

The LCR focuses on the bank’s ability to see it through a 30-day period of disrupted liquidity. The

LCR formula is as follows:

$$LCR = \frac{\text{high-quality liquid assets}}{\text{net cash outflows in a 30-day period}}$$

In this case,

$$LCR = \frac{\$140 \text{ million}}{\$155 \text{ million}} = 0.9032 = 90.3\%$$

It's evident that Exim Bank has not met the minimum 100% requirement and is in violation of the

rule.

Q.3242 A bank has a previous-period stressed VAR of $20 million, a multiplication factor (M) of 4,
and a stressed VAR average over the previous 60 trading days of $7 million. Which of the
following values is the correct stressed VAR amount for this bank?

A. $28 million

B. $20 million

C. $48 million

D. $8 million

The correct answer is A.

The calculation of SVaR is defined as follows:

$$SVaR = \max(\text{previous SVaR},\ M \times \text{average SVaR}) = \max(\$20 \text{ million},\ 4 \times \$7 \text{ million}) = \max(\$20 \text{ million},\ \$28 \text{ million})$$

Therefore, the max amount is $28 million.

Q.3245 Bank ABC is subject to Basel III regulations. The bank has the following
balance sheet information (in millions):

Tier 1 Capital: $250

Tier 2 Capital: $150

Total Assets: $2,000

On-balance-sheet derivative exposures: $100

Off-balance-sheet derivative exposures: $150

Repurchase agreement exposures: $200

Under Basel III, what is the leverage ratio for Bank ABC?

A. 5.77%

B. 10.20%

C. 13.08%

D. 9.10%

The correct answer is B.

Under Basel III, the leverage ratio is calculated as Tier 1 Capital divided by the exposure

measure. The exposure measure includes total assets, off-balance-sheet items, and derivative

exposures.

First, calculate the exposure measure:

Exposure Measure = Total Assets + On-balance-sheet Derivative Exposures + Off-balance-sheet

Derivative Exposures + Repurchase Agreement Exposures

Exposure Measure = $2,000 + $100 + $150 + $200 = $2,450 million

Next, calculate the leverage ratio:

Leverage Ratio = (Tier 1 Capital / Exposure Measure) × 100

Leverage Ratio = ($250 / $2,450) × 100

Leverage Ratio = 0.10204 × 100

Leverage Ratio = 10.204% ≈ 10.20% (rounded to two decimal places)

Q.3246 Consider a bank balance sheet with

1. Common stock of $730,000,000;
2. Unrealized long-term marketable equity securities gain: $33,000,000;
3. Five-year subordinated debt: $28,000,000;
4. Goodwill: $92,000,000.

Based on Basel III capital requirements and solely on the above information, the tier 1 and tier 2
capital numbers are, respectively:

A. $730,000,000 and $0

B. $730,000,000 and $61,000,000

C. $822,000,000 and $33,000,000

D. $671,000,000 and $28,000,000

The correct answer is D.

Tier 1 capital consists of equity plus unrealized gains/losses less goodwill = 730+33-92 = $671

million.

Tier 2 capital includes five-year subordinated debt of $28 million.

Q.3247 A financial institution has a trading portfolio with the following characteristics:

Previous day's VaR (VaRt-1): $1,200,000 (10-day time horizon, 99% confidence level)

Average VaR over the past 60 days (VaRavg): $1,400,000 (10-day time horizon, 99% confidence level)

Previous day's Stressed VaR (SVaRt-1): $2,200,000 (10-day time horizon, 99% confidence level)

Average Stressed VaR over the past 60 days (SVaRavg): $2,000,000 (10-day time horizon, 99% confidence level)

Multiplicative factor for VaR (mr): 3

Stressed VaR multiplicative factor (ms): 3

Calculate the total market risk capital charge based on the Basel 2.5 framework.

A. $10,200,000

B. $9,200,000

C. $5,000,000

D. $4,987,000

The correct answer is A.

To calculate the total market risk capital charge, we must use the given formula:

Total capital charge = max(VaRt-1, mr × VaRavg) + max(SVaRt-1, ms × SVaRavg)

First, we need to calculate the maximum of VaRt-1 and mr × VaRavg:

max(VaRt-1, mr × VaRavg) = max($1,200,000, 3 × $1,400,000) = max($1,200,000, $4,200,000) = $4,200,000

Next, we need to calculate the maximum of SVaRt-1 and ms × SVaRavg:

max(SVaRt-1, ms × SVaRavg) = max($2,200,000, 3 × $2,000,000) = max($2,200,000, $6,000,000) = $6,000,000

Now, we can calculate the total capital charge:

Total capital charge = $4,200,000 + $6,000,000 = $10,200,000

Q.3250 Steve Warne is an advisor at a local bank which is attempting to transition to the new
Basel III standards. Specifically, they are wondering if their liquidity and funding ratios meet the
updated requirements as specified by the Basel Committee. Given the following information,
what is the bank's current liquidity coverage ratio?

High-quality liquid assets = $236

Marketable securities = $107

Required amount of stable funding (RSF) = $320

Cash inflows over the next 30 days = $214

Cash outflows over the next 30 days = $487

Long-term economic capital = $640

Available amount of stable funding (ASF) = $305

A. 48.46%

B. 86.45%

C. 206.3%

D. 115.67%

The correct answer is B.

$$\text{The 30-day liquidity coverage ratio (LCR)} = \frac{\text{the stock of high-quality liquid assets}}{\text{the net cash outflow over a 30-day period}}$$

Under Basel III, this ratio must equal or exceed 100%.

Net cash outflow = 487 − 214 = $273

$$\text{Bank's liquidity coverage ratio} = \frac{\$236}{\$273} = 0.8645 = 86.45\%$$

Q.4285 After the global financial crisis, it was realized that the minimum capital charges under
the market risk amendment were not sufficient to address trading book risks. Which of the
following is one of the significant changes implemented in 2011 to address these trading book
risks, which was later known as Basel 2.5?

A. VaR computation was tailored to include a stressed VaR component

B. A portion of operational risk was required on top of credit and market risk

C. The risk weights in credit risk formulas were to be based on modern credit risk and
banks’ internal measures

D. It was ruled out that the Tier 1 capital was necessary for the preservation of
maintenance, while Tier 2 capital was to be used for the recapitalization of a financial
institution in resolution and decrease the level of failures on the depositors

The correct answer is A.

The global financial crisis of 2007-2009 exposed the inadequacy of the minimum capital charges

under the market risk amendment in addressing the underlying trading-book risks. In response

to this, the Basel Committee introduced several changes, one of which was the inclusion of a

stressed VaR component in the VaR computations. This change was aimed at ensuring that the

VaR calculations took into account extreme market conditions, thereby providing a more

accurate measure of the potential losses that could be incurred in such scenarios. This change

was part of a broader set of reforms known as Basel 2.5, which were designed to strengthen the

resilience of the banking sector and reduce the likelihood of future financial crises.

Choice B is incorrect. Operational risk, while important, was not the primary focus of Basel 2.5

amendments. The changes were primarily aimed at addressing trading book risks and did not

mandate additional operational risk coverage on top of credit and market risk.

Choice C is incorrect. While modernizing credit risk measures and aligning them with banks'

internal measures is a crucial aspect of overall risk management, it was not a specific change

implemented under Basel 2.5 to address trading book risks.

Choice D is incorrect. The classification of Tier 1 and Tier 2 capital for preservation of

maintenance or recapitalization purposes does not directly relate to the changes made in Basel

2.5 for addressing trading book risks.

Q.4286 Which of the following statements is correct about the stressed VaR in Basel 2.5?

A. Stressed VaR is calculated by multiplying 1-day VaR from the recent daily variation in
values by √10

B. Stressed VaR is drawn from one year from the most recent seven years that exhibited
stress in its current portfolio

C. Stressed VaR is drawn from one year from the most recent ten years that exhibited
stress in its current portfolio

D. None of the above

The correct answer is B.

According to Basel 2.5, Stressed VaR is calculated by identifying a one-year period (equivalent to

250 trading days) from the most recent seven years that was most stressful for a bank's current

portfolios. This period is identified based on the bank's current risk profile and the historical

market conditions during that year. The Stressed VaR is then calculated using the risk factors

and market data from this identified stressful period. This approach ensures that the bank's

capital requirement is sufficient to cover potential losses under extreme market conditions

similar to those experienced during the identified stressful year.

Choice A is incorrect. Stressed VaR is not calculated by multiplying 1-day VaR from the recent

daily variation in values by √10. This method does not take into account the stressed market

conditions which are a key aspect of Stressed VaR calculation as per Basel 2.5.

Choice C is incorrect. While it's true that Stressed VaR involves selecting a period of stress,

according to Basel 2.5, this period should be one year from the most recent seven years that

exhibited stress in its current portfolio, not ten years as stated in this option.

Choice D is incorrect. As explained above, option B correctly describes the method of

calculating Stressed VaR as per Basel 2.5, hence 'None of the above' cannot be correct.

Q.4287 The 99% 10-day VaR for ABC Bank is $800. The average 99% VaR for the recent 60 days
is $360. Over the past seven years, the most stressful 10-day 99% VaR is $950 and the most
stressful 60-day average 99% VaR is $370. The multiplier on the average 99% VaR for the recent
60 days is 2.5, and that of the most stressful average 99% VaR for the recent 60 days over the
past seven years is 2.2. What is the estimated market risk capital charge for this bank under
Basel 2.5?

A. $1,850

B. $1,160

C. $1,320

D. $2,460

The correct answer is A.

As per Basel 2.5, the market risk capital charge is given by:

$$MR_{2.5} = \max\left(VaR_{t-1},\ m_r \times VaR_{avg}\right) + \max\left(SVaR_{t-1},\ m_s \times SVaR_{avg}\right)$$

Where:

$VaR_{t-1}$ = traditional 10-day, 99% VaR drawn from the previous day

$VaR_{avg}$ = 99% average VaR of the most recent days

$SVaR_{t-1}$ = over the past seven years

$SVaR_{avg}$ = over a period of seven years

$m_r$ and $m_s$ are the multipliers of $VaR_{avg}$ and $SVaR_{avg}$ respectively

So, in this case, we have:

$VaR_{t-1} = \$800$

$VaR_{avg} = \$360$

$SVaR_{t-1} = \$950$

$SVaR_{avg} = \$370$

$m_r = 2.5$ and $m_s = 2.2$

$$MR_{2.5} = \max(\$800,\ 2.5 \times \$360) + \max(\$950,\ 2.2 \times \$370)$$

$$= \max(\$800,\ \$900) + \max(\$950,\ \$814)$$

$$= \$900 + \$950 = \$1{,}850$$

Q.4288 Which of the following is one of the variants of calculating incremental default risk
charge (IDRC) as proposed by Basel 2.5?

A. A standardized approach similar to that of Basel I

B. Current exposure similar to that of Basel I

C. Internal rating-based (IRB) based on a one-year time horizon

D. All of the above

The correct answer is D.

The Basel Committee proposed adding the IDRC to specific risk, which can take one of two forms:

- An internal model of default risk calibrated to the 99.9th percentile at a one-year time horizon, similar to the IRB approach.
- When the internal model is unavailable, either the standardized or the current exposure approach of calculating specific risk, similar to that of Basel I.

Q.4289 Which of the following are the components of Tier 1 capital in the context of Basel III
capital definition?

A. Common equity and Retained earnings

B. General loan loss reserves

C. Subordinated debt

D. Goodwill and other intangibles

The correct answer is A.

Tier 1 capital is divided into:

- Tier 1 Equity Capital, also called Core Tier 1 capital.
- Additional Tier 1 Capital.

Tier 1 Equity Capital consists of the following:

- Common equity.
- Retained earnings.
- Limited amount of minority interest and unrealized gains and losses.

Additional Tier 1 Capital includes:

- Unguaranteed, unsecured, non-cumulative perpetual preferred equity instruments subordinated to depositors and subordinated debt callable after five or more years.
- Debt with suitable factors that lead to conversion to equity or write-downs.
- Approved minority interest not included in Core Tier 1 capital.

B and C are incorrect. These are components of Tier 2 capital.

D is incorrect. Goodwill and other intangibles are actually deducted when calculating Tier 1 capital.

Q.4290 Assume that a bank has common equity of $100 million, retained earnings of $80 million,
minority interest and unrealized gains and losses of $20 million, and goodwill and other
intangibles of $5 million. What is the value of Tier 1 equity capital in the context of the Basel III
accord?

A. $190 million

B. $195 million

C. $205 million

D. $100 million

The correct answer is B.

In the context of Basel III, Tier 1 equity capital consists of common equity, retained earnings, and

a limited amount of minority interest and unrealized gains and losses less goodwill and other

intangibles. So, in this case:

Tier 1 equity capital = $100 million + $80 million + $20 million − $5 million = $195 million

Q.4291 The estimated risk-weighted assets of a bank is $200 million. In the context of Basel III,
the Core Tier 1 (Tier 1 Equity Capital) of the bank is at least:

A. $10 million

B. $4.5 million

C. $9 million

D. $12 million

The correct answer is C.

Basel III changed the minimum capital requirements such that the Core Tier 1 capital must be at

least 4.5% of the risk-weighted assets (RWA). So, in this case, the Core Tier 1 must be at least:

4.5% × $200 million = $9 million

Q.4292 The estimated risk-weighted assets of a bank stand at $400 million. In the context of
Basel III, what is the bank's minimum Tier 1 capital?

A. $18 million

B. $12 million

C. $16 million

D. $24 million

The correct answer is D.

The minimum Tier 1 capital increases from 4% in Basel II to 6%, applicable in 2015, over RWAs.

This 6% is composed of 4.5% of CET1, plus an extra 1.5% of Additional Tier 1 (AT1).

So, in this case, Tier 1 capital must be at least $24 million:

6% × $400 million = $24 million

Q.4293 In the context of Basel III, the Tier 2 capital is designed to address the losses after failure
and thus protects the depositors and other creditors of the bank. Which of the following is a
component of Tier 2 capital?

A. Common equity

B. General loan loss reserves

C. Retained earnings

D. Approved minority interest not included in Core Tier 1

The correct answer is B.

Components of Tier 2 Capital include subordinated debt and general loan loss reserves.
Subordinated debt refers to unsecured, unguaranteed debt instruments that are
subordinated to depositors and other creditors. These instruments must have a maturity of five
or more years and can only be called after five or more years. On the other hand, general loan
loss reserves are not allocated to absorb losses on specific positions. Their inclusion in capital
is limited to 1.25% of standardized approach Risk-Weighted Assets (RWAs) or 0.6% of Internal
Ratings-Based (IRB) RWAs.

A and C are incorrect. These are components of Tier 1 Capital.

D is incorrect. This is a component of Additional Tier 1 Capital.

Q.4295 Which of the following statements correctly describes Systemically Important Financial
Institutions (SIFIs)?

A. They are the entities subject to less supervision and regulation

B. They are entities whose failure or distress will affect the whole market or the whole
economy.

C. They are the entities whose failure affects only its stakeholder but not the broader
market system or the economy

D. They are the market entities whose failure can be reversed by government financing
without affecting its stakeholders

The correct answer is B.

Systemically Important Financial Institutions (SIFIs) are indeed entities whose failure or distress

can have a significant impact on the entire market or economy. This is because SIFIs are typically

large, interconnected financial institutions that play a critical role in the functioning of the

financial system. Their operations are so integral to the financial system that their failure could

trigger a cascade of failures among other financial institutions, leading to a systemic crisis. This

is why SIFIs are subject to additional regulatory scrutiny and are required to have robust risk

management systems in place to prevent their failure.

Choice A is incorrect. Systemically Important Financial Institutions (SIFIs) are not subject to

less supervision and regulation. In fact, due to their significant role in the financial system and

potential impact on the economy, they are often subject to more stringent regulations and

oversight compared to other financial institutions.

Choice C is incorrect. The failure of a SIFI does not only affect its stakeholders but also has

far-reaching implications for the broader market system or economy. This is because SIFIs play a

crucial role in maintaining financial stability, and their distress or failure can lead to systemic

risks.

Choice D is incorrect. While government financing can sometimes be used as a measure to

prevent the failure of a SIFI from causing widespread economic disruption, it does not mean that

such interventions would have no effect on its stakeholders. Stakeholders may still suffer losses

or face other negative consequences as a result of such interventions.

Q.4296 The liquidity coverage ratio (LCR) of a bank is approximated to be 1.30. Under Basel III
liquidity requirements, does the bank fulfill the required LCR?

A. No, because LCR > 1

B. Yes, because LCR > 1

C. No, because LCR < 2

D. Yes, because LCR < 2

The correct answer is B.

The Basel III regulatory framework was introduced by the Basel Committee on Banking

Supervision to strengthen the regulation, supervision, and risk management within the banking

sector following the 2008 financial crisis. One of the key measures introduced under Basel III is

the Liquidity Coverage Ratio (LCR). The LCR is designed to ensure that banks have an adequate

stock of unencumbered high-quality liquid assets (HQLA) that can be converted into cash to meet

their liquidity needs for a 30-day time horizon under a significantly severe liquidity stress

scenario. The LCR is defined as the ratio of the stock of HQLA to total net cash outflows over the

next 30 calendar days. A bank's LCR must be greater than or equal to 1. This means that the

bank's stock of high-quality liquid assets should be at least equal to its total net cash outflows

over the next 30 days. In this case, the bank's LCR is 1.30, which is greater than 1. Therefore,

the bank is in compliance with the Basel III liquidity requirements.

Choice A is incorrect. The statement that the bank is not in compliance because LCR > 1 is

incorrect. According to Basel III regulations, a bank's LCR should be greater than or equal to 1.

This means that the bank has enough high-quality liquid assets to meet its net cash outflows for

a 30-day period.

Choice C is incorrect. The assertion that the bank isn't compliant because its LCR < 2 isn't

correct either. There's no requirement under Basel III for a bank's LCR to be less than or equal

to 2.

Choice D is incorrect. The claim that the bank complies with Basel III liquidity requirements

because its LCR < 2 doesn't hold true as well. As per Basel III, there's no upper limit on how

high an institution’s LCR can be; it just needs to be at least one.

Reading 125: High-level Summary of Basel III Reforms

Q.3092 The following are motivations for revising the Basel III framework EXCEPT:

A. To align definitions with the internal ratings-based approach (IRB) by introducing a
new definition for default.

B. To expand banks’ borrowing powers to enable them to mitigate market risk in periods of
stress.

C. To improve liquidity by requiring banks to hold liquid assets sufficient to run the bank
for 30 days during times of stress.

D. To limit procyclicality by requiring banks to hold sufficient retained earnings that can
be drawn down during periods of economic stress.

The correct answer is B.

The motivation to expand banks’ borrowing powers to enable them to mitigate market risk in

periods of stress was not a reason for revising the Basel III framework. In fact, the opposite is

true. The revised Basel III framework aimed to limit the use of leverage by banks. This was done

in response to market analysis that revealed that banks often borrowed excessively, which only

exacerbated financial pressure during times of stress. Therefore, the revised requirements

sought to further restrict the use of debt among banks, rather than expand their borrowing

powers.

Choice A is incorrect. The Basel III framework did indeed introduce a new definition for

default to align definitions with the internal ratings-based approach (IRB). This was done to

ensure consistency in risk measurement and management across banks.

Choice C is incorrect. Improving liquidity by requiring banks to hold liquid assets sufficient to

run the bank for 30 days during times of stress was one of the key motivations behind the

revisions in Basel III framework. This requirement, known as Liquidity Coverage Ratio (LCR),

ensures that banks have an adequate stock of unencumbered high-quality liquid assets that can

be converted into cash easily and immediately in private markets.

Choice D is incorrect. The aim to limit procyclicality by requiring banks to hold sufficient

retained earnings that can be drawn down during periods of economic stress was indeed one of

the motivations behind Basel III's revisions. This measure helps ensure that banks have a buffer

during downturns, thereby reducing their vulnerability and enhancing their resilience.

Q.3093 Which of the following changes have been set forth by Basel III with reference to
credit risk?

I. New exposure classes and evaluation tools have been introduced
II. Definitions within the internal ratings-based approach (IRB) have been aligned with
those under the standardized approach
III. Retail exposures have been aggregated to simplify the analytical process
IV. Introduction of further due diligence requirements to limit reliance on external credit
ratings

A. All of the above

B. I, III, and IV

C. II and III

D. I, II, and IV

The correct answer is D.

Basel III has indeed introduced new exposure classes and evaluation tools to better manage and

assess credit risk. This is aimed at ensuring that banks have a more comprehensive and accurate

understanding of their credit risk exposure. Furthermore, Basel III has also aligned the

definitions within the internal ratings-based approach (IRB) with those under the standardized

approach. This is to ensure consistency and comparability across different banks and

jurisdictions. Lastly, Basel III has introduced further due diligence requirements to limit reliance

on external credit ratings. This is to ensure that banks do not overly rely on external ratings and

instead conduct their own due diligence when assessing credit risk.

Choice A is incorrect. Not all of the statements accurately reflect the changes introduced by

Basel III in relation to credit risk management. Specifically, statement III is incorrect as retail

exposures have not been aggregated to simplify the analytical process under Basel III.

Choice B is incorrect. While statements I and IV are correct, statement III is not accurate as

mentioned above.

Choice C is incorrect. Although statement II correctly reflects a change brought about by Basel

III, statement III does not accurately represent these changes.

Q.3094 Which of the following is not an approach for calculating credit risk capital?

A. Standardized approach

B. Internal ratings based approach – Foundation

C. Internal ratings based approach – Advanced

D. Standardized approach- advanced

The correct answer is D.

The 'Standardized approach- advanced' is not a recognized method for calculating credit risk

capital. The Basel II framework, which provides guidelines for banking supervision, does not

include an 'advanced' version of the Standardized approach. The Standardized approach is a

simpler method that uses external credit assessments for determining risk weights. It does not

have an 'advanced' version like the Internal Ratings Based (IRB) approach. The IRB approach, on

the other hand, allows banks to use their internal estimates of risk parameters, and it has two

versions: Foundation and Advanced.

Choice A is incorrect. The Standardized Approach is a recognized method for calculating

credit risk capital. In this approach, banks use external credit ratings to quantify the risk of their

credit exposures.

Choice B is incorrect. The Internal Ratings Based (IRB) – Foundation approach is also a

recognized method for calculating credit risk capital. Under this approach, banks use their own

internal estimates of probability of default (PD) while other parameters like loss given default

(LGD) and exposure at default (EAD) are provided by the regulator.

Choice C is incorrect. The Internal Ratings Based (IRB) – Advanced approach allows banks to

use their own internal estimates for all parameters including PD, LGD and EAD in the calculation

of risk-weighted assets and hence, the regulatory capital.

Q.3095 Capital Bank, a hypothetical global systemically important bank (G-SIB) based in
Europe, is subject to a 5% risk-weighted higher-loss absorbency requirement. In line with Basel
III reforms, the bank would be subject to a leverage ratio buffer requirement of:

A. 5%

B. 10%

C. 2.5%

D. Zero: the bank has already surpassed the required 3% risk-weighted higher-loss
absorbency requirement

The correct answer is C.

The leverage ratio buffer requirement for a G-SIB is set at 50% of its risk-weighted higher-loss

absorbency requirement. This is a measure put in place to mitigate the potential ripple effects

associated with the failure of G-SIBs. Therefore, if a G-SIB has a 5% risk-weighted higher-loss

absorbency requirement, it would be subject to a leverage ratio buffer of 2.5%. This requirement

is part of the Basel III reforms, which aim to improve the banking sector's ability to absorb

shocks arising from financial and economic stress, improve risk management and governance,

and strengthen banks' transparency and disclosures.

Choice A is incorrect. The leverage ratio buffer requirement for a G-SIB like Capital Bank is

not 5%. This percentage refers to the risk-weighted higher-loss absorbency requirement, which

is a different concept from the leverage ratio buffer.

Choice B is incorrect. A 10% leverage ratio buffer requirement would be too high according to

Basel III standards. The Basel III reforms have set the leverage ratio at 3%, with an additional

buffer of 2.5% for G-SIBs, totaling to a maximum of 5.5%, not 10%.

Choice D is incorrect. Even though Capital Bank has surpassed the required 3% risk-weighted

higher-loss absorbency requirement, it does not mean that there would be no leverage ratio

buffer requirement for it under Basel III reforms. The bank still needs to maintain an additional

capital conservation buffer of at least 2.5%. Therefore, stating that there's zero need for any

further buffers because they've already met one standard misinterprets how these regulatory

requirements work in practice.

Q.3096 Prime Bank’s risk-weighted assets stood at $200 million as of December 2018. What is
this bank’s common equity requirement plus the capital conservation buffer, according to Basel
III?

A. $9,000,000

B. $14,000,000

C. $12,000,000

D. $16,000,000

The correct answer is B.

Under Basel III, Common Equity Tier 1 (CET1) risk-weighted requirements consist of a capital
ratio of 4.5% plus an additional capital conservation buffer of 2.5%, making up a CET1 ratio of
7%. With risk-weighted assets of $200 million, therefore, the bank’s CET1 requirement will be
$14 million (= 7% × $200m).

Q.3097 The Basel III reforms announced in 2017 require banks to calculate Credit Value
Adjustment risk using all of the following methods EXCEPT:

A. The internal modeled approach

B. The standardized approach

C. The simpler basic approach

D. All of the above

The correct answer is A.

The internal modeled approach is not included in the Basel III reforms announced in 2017 for

calculating Credit Value Adjustment (CVA) risk. The Basel III reforms were designed to

strengthen the regulation, supervision, and risk management of banks. As part of these reforms,

banks are required to calculate CVA risk using specific methods. However, the internal modeled

approach is not one of these methods. The reforms instead emphasize the use of two main

methods: the standardized approach (SA-CVA) and the simpler basic approach (BA-CVA). The

internal modeled approach was removed from the guidelines, indicating a shift away from

internal models towards more standardized and simpler methods for calculating CVA risk. This

change was made to increase the comparability and consistency of CVA risk calculations across

banks and to reduce the reliance on banks' internal models, which can vary significantly in their

design and assumptions.

Choice B is incorrect. The standardized approach is indeed a part of the Basel III reforms for

calculating CVA risk. This approach uses a set of predefined risk weights and exposure amounts

to calculate the CVA risk, which provides consistency across different banks.

Choice C is incorrect. The simpler basic approach is also included in the Basel III reforms for

calculating CVA risk. This method simplifies the calculation process by using a fixed percentage

for certain types of exposures, making it easier for smaller banks to comply with the regulations.

Choice D is incorrect. All of the above cannot be correct as both The Standardized Approach

and The Simpler Basic Approach are included in Basel III reforms for calculating Credit Value

Adjustment (CVA) Risk.

Q.3098 The new standardized approach for determining a bank’s operational risk capital
requirements assumes that:

I. Operational risk increases at a decreasing rate with a bank's income
II. Banks which have experienced greater operational risk losses historically are more likely
to experience operational risk losses in the future

A. I only

B. II only

C. Both I and II

D. Neither I nor II

The correct answer is B.

The new standardized approach for determining a bank's operational risk capital requirements is

based on two components: a measure of a bank's income and a measure of a bank's historical

losses. It assumes that banks which have a history of operational risk losses are more likely to

experience operational risk losses in the future. This is because past performance is often a good

indicator of future performance, especially when it comes to operational risk. Banks that have

experienced operational risk losses in the past have demonstrated that they have vulnerabilities

in their operations that can lead to losses. These vulnerabilities may be due to a variety of

factors, such as inadequate internal controls, poor risk management practices, or a lack of

effective oversight. Unless these issues are addressed, the bank is likely to continue

experiencing operational risk losses in the future. Therefore, the assumption that banks with a

history of operational risk losses are more likely to experience such losses in the future is a key

component of the new standardized approach for determining operational risk capital

requirements.

Choice A is incorrect. The new standardized approach for calculating a bank's operational risk

capital requirements does not assume that the operational risk escalates at a diminishing rate as

the bank's income increases. Instead, it assumes that the operational risk increases

proportionally with the increase in income.

Choice C is incorrect. As explained above, assumption I is not correct under the new

standardized approach for calculating a bank's operational risk capital requirements. Therefore,

both assumptions I and II cannot be correct.

Choice D is incorrect. Assumption II is indeed correct under this approach as banks with a

history of higher operational risk losses are considered more prone to future operational risk

losses.

Q.3099 An American bank has the following exposure:

| Business line | BI coefficient | Business line relevant indicator |
|---|---|---|
| A | 8% | 48 |
| B | 10% | 44 |
| C | 12% | 20 |

The bank’s supervisor has set an internal loss multiplier of 1. The capital requirement for
operational risk for the bank, using the standardized approach, is equal to:

A. 10.00

B. 10.64

C. 5.76

D. 12.00

The correct answer is B.

The operational risk capital requirement can be summarized as follows:

$$\text{Operational risk capital} = BIC \times ILM$$

where:

$$\text{Business Indicator Component (BIC)} = \sum_i (\alpha_i \times BI_i)$$

$\alpha_i$ is the BI coefficient for business line $i$, and $BI_i$ is the business line indicator

$ILM$ = internal loss multiplier = 1

Thus, value of the capital requirement = (48 × 0.08) + (44 × 0.10) + (20 × 0.12) = 10.64

Q.3100 Basel III reforms replace the existing Basel II floor with a floor based on the revised
Basel III standardized approaches. The revised floor sets the minimum level of:

A. leverage

B. equity

C. capital

D. none of the above

The correct answer is C.

The Basel III reforms were introduced to strengthen the regulation, supervision, and risk

management within the banking sector. One of the key changes was the replacement of the Basel

II floor with a revised floor based on the Basel III standardized approaches. This revised floor

sets a minimum level of capital. The purpose of this floor is to place a lower limit on the

regulatory capital benefits that banks using internal models can derive relative to the

standardized approaches. In essence, the output floor acts as a risk-based backstop that

attempts to level the playing field by limiting the extent to which banks using internal models

can lower their capital requirements relative to the standardized approaches. This ensures that

banks maintain a minimum level of capital to absorb losses and promote stability in the financial

system.

Choice A is incorrect. While leverage is a key component in financial risk management, the

Basel III reforms specifically set a minimum level for capital, not leverage. The purpose of this is

to ensure that banks have enough capital on hand to absorb losses and continue operations

during periods of financial stress.

Choice B is incorrect. Equity, like leverage, plays an important role in the financial health of a

bank. However, the Basel III reforms focus on setting minimum levels for capital rather than

equity. This distinction is crucial because while all equity can be considered as part of a bank's

capital, not all capital consists of equity.

Choice D is incorrect. As explained above, the Basel III reforms do indeed set a minimum level

for a specific financial element - namely capital - making this option incorrect.

Q.3101 A hypothetical global systemically important bank (G-SIB) based in Europe is subject
to a $200 million risk-weighted higher-loss absorbency requirement. In line with Basel III
reforms, the bank would be subject to a leverage ratio buffer requirement of:

A. $100 million

B. $50 million

C. $200 million

D. $400 million

The correct answer is A.

The leverage ratio buffer for G-SIBs is set at 50% of the bank’s risk-weighted higher-loss
absorbency requirement. Therefore, a G-SIB with a $200m risk-weighted higher-loss absorbency
requirement would be subject to a leverage ratio buffer of $100m.

Q.3102 Bank A has $200 million in tier 1 capital and $100 million in tier 2 capital. Bank A loaned
$50 million to XYZ Corporation, which has 30% riskiness, and $100 million to Brighter World,
Inc., which has 50% riskiness. The bank’s capital adequacy ratio is equal to:

A. 3.52

B. 1.51

C. 2.20

D. 4.61

The correct answer is D.

$$\text{Capital adequacy ratio} = \frac{\text{Tier I capital} + \text{Tier II capital}}{\text{Risk-weighted assets}}$$

Bank A has risk-weighted assets of $65 million ($50 million × 0.30 + $100 million × 0.50).

It also has capital of $300 million ($200 million + $100 million).

Its resulting capital adequacy ratio is 4.61 ($300 million / $65 million).

Q.3103 Four European banks, A, B, C, and D have the following capital amounts and
risk-weighted assets (in $m):

| Bank | A | B | C | D |
|---|---|---|---|---|
| Tier I capital | 5 | 8 | 15 | 25 |
| Tier II capital | 3 | 3 | 5 | 10 |
| Risk-weighted assets | 30 | 40 | 240 | 230 |

Which of the four banks is in violation of the capital adequacy requirements as set out in the
Basel III reforms announced in 2017?

A. Bank A

B. Bank B

C. Bank C

D. Bank D

The correct answer is C.

According to the revised Basel III guidelines, the minimum capital adequacy ratio, including the

capital conservation buffer, is 10.5%. As can be seen from the calculations below, only bank C

has failed to attain the minimum ratio.

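$$\text{Capital adequacy ratio} = \frac{\text{Tier I capital} + \text{Tier II capital}}{\text{Risk-weighted assets}}$$

| Bank | A | B | C | D |
|---|---|---|---|---|
| Tier I capital | 5 | 8 | 15 | 25 |
| Tier II capital | 3 | 3 | 5 | 10 |
| Risk-weighted assets | 30 | 40 | 240 | 230 |
| CAR (Capital adequacy ratio) | 26.7% | 27.5% | 8.3% | 15.2% |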

Q.3104 A French bank has the following exposure:

| Business line | BI coefficient | Business line relevant indicator |
|---|---|---|
| Consumer banking | 12% | 100 |
| Global banking | 15% | 200 |
| Wealth management | 18% | 50 |

The bank’s supervisor has set an internal loss multiplier of 1. The capital requirement for
operational risk for the bank, using the standardized approach, is equal to:

A. 67

B. 80

C. 51

D. 45

The correct answer is C.

The operational risk capital requirement can be summarized as follows:

$$\text{Operational risk capital} = BIC \times ILM$$

where:

$$\text{Business Indicator Component (BIC)} = \sum_i (\alpha_i \times BI_i)$$

$\alpha_i$ is the BI coefficient for business line $i$, and $BI_i$ is the business line indicator

$ILM$ = internal loss multiplier = 1

Thus, value of the capital requirement = (100 × 0.12) + (200 × 0.15) + (50 × 0.18) = 51

Q.3105 In the most recent global financial crisis (2007/2008), banks suffered huge losses
resulting from CVA risk – losses related to the deterioration of a counterparty’s creditworthiness
in derivative contracts. In the aftermath of the crisis, the Basel Committee has enhanced the CVA
framework with a view to:

A. Keep losses associated with CVA risk at less than 10% of the total value of the
derivatives.

B. Totally eliminate CVA losses by conducting due diligence on all counterparties before a
contract comes into force.

C. Enhance the risk sensitivity of the framework by recognizing more risk drivers.

D. Limit derivative contracts at not more than 20% of the total capital for a bank.

The correct answer is C.

The enhanced CVA framework has 3 main objectives:

To enhance risk sensitivity

The revised CVA framework takes into account the exposure component of CVA risk as well as the risk of associated hedges.

To enhance robustness of the CVA framework

The updated guidelines remove the use of an internally modeled approach and instead emphasize the use of two main methods: (I) the standardized approach (SA-CVA), and (II) the simpler basic approach (BA-CVA). In addition, banks with minimal engagement in derivative transactions can use their counterparty credit risk (CCR) capital requirements as a proxy for their CVA charge.

To improve consistency of the CVA framework

The standardized and basic approaches of the revised CVA framework have been revised to be consistent with the approaches used in the revised market risk framework.

Q.3106 The Basel Committee has agreed on various additional enhancements to the IRB
approaches to further reduce unwarranted RWA variability. Which of the following correctly
outlines a measure that has been put forth for adoption by banks?


A. Secured exposures: increasing the haircuts that apply to the collateral; Unsecured
exposures: reducing the LGD parameter from 45% to 40% for exposures to non-financial
corporates.

B. Secured exposures: reducing the LGD parameters; Unsecured exposures: reducing the
LGD parameter from 25% to 20% for exposures to non-financial corporates.

C. Secured exposures: decreasing the haircuts that apply to the collateral; Unsecured
exposures: reducing the LGD parameter from 45% to 40% for exposures to non-financial
corporates.

D. Secured exposures: increasing the LGD parameters; Unsecured exposures: increasing
the LGD parameter from 40% to 50% for exposures to non-financial corporates.

The correct answer is A.

The Basel Committee has indeed proposed adjustments to the supervisory specified parameters in the foundation internal ratings-based approach (F-IRB). For exposures that are secured by non-financial collateral, the committee has suggested increasing the haircuts that apply to the collateral. A 'haircut' in this context refers to a reduction applied to the value of an asset that is being used as collateral for a loan. The purpose of this haircut is to provide a cushion for the lender in case the value of the collateral falls. In addition to this, for exposures that are unsecured, the committee has proposed reducing the Loss Given Default (LGD) parameter from 45% to 40% for exposures to non-financial corporates. LGD is a measure of the potential loss to a lender or investor in the event of default by a borrower. By reducing the LGD parameter, the committee aims to reflect a lower potential loss on unsecured exposures to non-financial corporates.

Choice B is incorrect because it incorrectly states that the Basel Committee has proposed reducing the LGD parameters for secured exposures. In fact, the committee has proposed increasing the haircuts that apply to the collateral for secured exposures. Furthermore, the committee has not proposed reducing the LGD parameter from 25% to 20% for exposures to non-financial corporates. The correct proposal is to reduce the LGD parameter from 45% to 40% for such exposures.

Choice C is incorrect because it incorrectly states that the Basel Committee has proposed decreasing the haircuts that apply to the collateral for secured exposures. In fact, the committee has proposed increasing these haircuts. Furthermore, the committee has not proposed reducing the LGD parameter from 45% to 40% for exposures to non-financial corporates.

Choice D is incorrect because it incorrectly states that the Basel Committee has proposed increasing the LGD parameters for secured exposures and increasing the LGD parameter from 40% to 50% for exposures to non-financial corporates. In fact, the committee has proposed increasing the haircuts that apply to the collateral for secured exposures and reducing the LGD parameter from 45% to 40% for unsecured exposures to non-financial corporates.


Q.3107 The initial phase of the Basel III framework focused, in part, on increasing the quality of
bank regulatory capital to cover unexpected losses. As such, the Minimum Tier I capital:

A. Rose from 4% to 6%.

B. Rose from 5% to 6%.

C. Rose from 5% to 7%.

D. Rose from 4% to 7%.

The correct answer is A.

The Basel III framework was introduced in response to the deficiencies in financial regulation revealed by the financial crisis of 2007-08. It aimed to strengthen the banking sector's ability to deal with financial and economic stress, improve risk management and governance, and strengthen banks' transparency and disclosures. One of the key aspects of this framework was the focus on improving the quality of bank regulatory capital to cover unexpected losses. As such, the Minimum Tier I capital requirement was increased from 4% to 6%. This increase was intended to ensure that banks have a sufficient buffer of high-quality capital that can absorb losses during periods of financial and economic stress.

Choice B is incorrect. The Basel III framework did not increase the Minimum Tier I capital requirement from 5% to 6%. The initial phase of Basel III increased the requirement from 4% to 6%, not from 5%.

Choice C is incorrect. This choice incorrectly states that the Minimum Tier I capital requirement rose from 5% to 7%. In reality, under Basel III, it was increased from a lower percentage of 4%, not from a higher percentage of 5%.

Choice D is incorrect. While this option correctly identifies that the final target for the Minimum Tier I capital requirement under Basel III was indeed set at a higher level of around 7%, it incorrectly suggests that this increase was implemented in the initial phase itself. In fact, during its initial phase, Basel III only raised this requirement to an intermediate level of about 6%. The further increase up to approximately 7% was planned for later stages.


Q.3108 The initial phase of the Basel III framework was announced in 2010. Which of the
following is not one of the objectives it focused on?

A. To constrain banks’ borrowing rate (leverage) and hence avoid a build-up of debt which
would exacerbate financial pressure during a downturn.

B. To improve liquidity by requiring banks to hold liquid assets sufficient to run the bank
for 180 days during times of stress.

C. To increase capital requirement to mitigate market risk in times of stress.

D. To limit procyclicality by requiring banks to hold sufficient retained earnings that can
be drawn down during periods of economic stress.

The correct answer is B.

The Basel III framework indeed aimed to improve liquidity in the banking sector. However, the statement in choice B is incorrect because it states that banks are required to hold liquid assets sufficient to run the bank for 180 days during times of stress. In reality, the Basel III framework introduced a liquidity coverage ratio (LCR) that requires banks to hold an amount of high-quality liquid assets that can cover their total net cash outflows over a 30-day stress period, not 180 days. This requirement is designed to ensure that banks have enough cash or assets that can be quickly converted into cash to survive a short-term liquidity crisis.

Choice A is incorrect. Basel III indeed aimed to constrain banks' borrowing rate or leverage to avoid a build-up of debt which could exacerbate financial pressure during a downturn. This was done by introducing the Leverage Ratio, which is a non-risk-based capital adequacy measure that aims to restrict the level of leverage that banks can take on.

Choice C is incorrect. Basel III did aim at increasing capital requirements but not specifically for mitigating market risk in times of stress. It increased both Tier 1 and Tier 2 capital requirements and introduced additional buffers like the Capital Conservation Buffer (CCB) and the Countercyclical Buffer (CCyB). These measures were designed to ensure that banks have an adequate amount of capital at all times, including periods of stress.

Choice D is incorrect. The objective mentioned here aligns with one of the key objectives of Basel III: limiting procyclicality by requiring banks to hold sufficient retained earnings that can be drawn down during periods of economic stress.


Q.3109 When were the Basel III reforms announced?

A. In 2010

B. In 2014

C. In 2015

D. In 2017

The correct answer is D.

The Basel III reforms were officially announced in 2017. The Basel III reforms are a comprehensive set of reform measures designed to improve the regulation, supervision, and risk management within the banking sector. These reforms were developed in response to the financial crisis of 2007-2008. They are intended to strengthen bank capital requirements and introduce new regulatory requirements on bank liquidity and bank leverage. The announcement of these reforms in 2017 marked a significant milestone in banking regulation, with the aim of reducing the risk of future banking crises.

Choice A is incorrect. The Basel III reforms were not announced in 2010. This year marked the publication of the initial version of Basel III, but it was not officially announced as a reform until later.

Choice B is incorrect. The Basel III reforms were not announced in 2014 either. While there were discussions and proposals around banking regulations during this time, the official announcement of the Basel III reforms did not occur in this year.

Choice C is incorrect. Similarly, 2015 is also an incorrect answer as it does not correspond to the official announcement year for Basel III reforms.


Reading 126: Basel III: Finalising Post-Crisis Reforms

Q.3111 A bank holding company based in Germany has two subsidiaries, A and B. The business
indicator values of each are given in the table below:

| Bank | A | B |
|---|---|---|
| BI | €800 million | €1.2 billion |

In light of this information, which of the following statements is correct?

A. Bank A would be expected to calculate operational risk capital based on the Advanced
Measurement Approach while Bank B would employ the standardized measurement
approach.

B. Only Bank B would be expected to set aside capital for operational risk.

C. Bank B would be expected to use loss experience in the standardized approach
calculations.

D. Neither Bank A nor Bank B would be expected to set aside some capital for
operational risk.

The correct answer is C.

Bank B would be expected to use loss experience in the standardized approach calculations. This is because, according to the Basel III reforms announced in 2017, all banks are required to use the standardized approach in operational risk capital calculations. For banks with Business Indicator (BI) values of more than €1 billion (falling into bucket 2-3), internal loss experience must be taken into account while calculating operational risk capital. In this case, Bank B, with a BI value of €1.2 billion, falls into this category and therefore would be expected to incorporate its loss experience into its calculations.

Choice A is incorrect. The Advanced Measurement Approach (AMA) and the Standardized Measurement Approach (SMA) are not determined by the Business Indicator (BI) value of a bank. Both Bank A and Bank B can use either approach depending on their operational risk management capabilities, regulatory approval, and other factors.

Choice B is incorrect. Both banks would be expected to set aside capital for operational risk as it is a requirement under Basel III regulations for all banks, regardless of their BI values.

Choice D is incorrect. As explained above, both Bank A and Bank B would be expected to set aside some capital for operational risk as per Basel III regulations.

Q.3113 The following information has been extracted from the P&L of a European bank over a 3-
year period:

| Year (ended) | 20X6 | 20X7 | 20X8 |
|---|---|---|---|
| Interest, leases and dividends | €950 million | €1.3 billion | €1.8 billion |
| Services | €1.6 billion | €2.2 billion | €2.6 billion |
| Financial (Net Profit/Loss on the trading book) | €500 million | €1.1 billion | €1.3 billion |

Using the Standardized Measurement Approach, the bank’s Business Indicator (BI) for the year
ended 31 Dec 20X8 is closest to:

A. €4.45 billion

B. €1.9 billion

C. €2.6 billion

D. €500 million

The correct answer is A.

Under the standardized measurement approach (SMA), a bank’s BI has three components: the interest, leases and dividends component (ILDC), the services component (SC), and the financial component (FC). To determine the value of BI, we must sum up the 3-year average of each of these components.

Thus, in € billion,

$$BI = \frac{0.95 + 1.3 + 1.8}{3} + \frac{1.6 + 2.2 + 2.6}{3} + \frac{0.5 + 1.1 + 1.3}{3} = 4.45$$

Q.3114 The chief risk officer at an international bank would like to determine the bank’s
operational risk capital in line with Basel III reforms under the Standardized Measurement
Approach. The following information is available:
Business Indicator, BI: €36 billion
Loss Component, LC: €5.8 billion

Calculate the bank’s operational risk capital (ORC) required:


A. €4.35 billion

B. €5.62 billion

C. €5.55 billion

D. €1.01 billion

The correct answer is B.

To answer this question, it’s important to have the BI ranges and the marginal BI coefficients, as outlined in Basel III reforms, at your fingertips.

Recall that

$$\text{ORC} = \text{BIC} \times \text{ILM}$$

where

$$\text{BIC} = \sum_i (\alpha_i \times BI_i)$$

and

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

Calculating the BIC of a bank with a BI of €36bn:

| BI Bucket | 1 | 2 | 3 |
|---|---|---|---|
| BI Range | ≤ €1 bn | €1 bn < BI ≤ €30 bn | > €30 bn |
| Marginal BI Coefficient | 0.12 | 0.15 | 0.18 |
| BI of €36bn | €1bn × 12% = €0.12bn | €(30 − 1)bn × 15% = €4.35bn | €(36 − 30)bn × 18% = €1.08bn |

BIC = sum of buckets 1-3 = €5.55bn

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{5.8}{5.55}\right)^{0.8}\right] = 1.0131$$

ORC = BIC × ILM = 5.55 × 1.0131 = €5.62 billion


Q.3115 The following are verified historical loss data for an international bank over a 10-year
period (in billions of Euros)
[3.8, 2.9, 2.8, 2.8, 0.6, 0.4, 0.1, 0.2, 0.1, 0.2]

Determine the bank’s Internal Loss Multiplier as computed under the Standardized
Measurement Approach (The bank’s Business Indicator Component is €18 billion)

A. 1.39

B. 0.9288

C. 1.0

D. 1.0449

The correct answer is D.

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

where LC = 15 times a bank's average historical losses over the preceding 10 years.

Thus,

$$LC = \left(\frac{3.8 + 2.9 + 2.8 + 2.8 + \cdots + 0.1 + 0.2}{10}\right) \times 15 = 20.85$$

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{20.85}{18}\right)^{0.8}\right] = 1.0449$$

Q.3116 The following are verified historical loss data for a large established bank over a 10-year
period (in billions of Euros)
[0.8, 0.9, 0.7, 0.8, 0.06, 0.04, 0.10, 0.09, 0.03, 0.0]

The bank has a Business indicator of €960 million.

Determine the bank’s operational risk capital, ORC, as computed under the Standardized
Measurement Approach

A. €115 million

B. €3.52 million


C. €361 million

D. €100 million

The correct answer is A.

Recall that

$$\text{ORC} = \text{BIC} \times \text{ILM}$$

where

$$\text{BIC} = \sum_i (\alpha_i \times BI_i)$$

and

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

Also recall that for firms with BI levels less than €1bn, the ILM is set to 1, and therefore internal loss data does not affect the capital calculation.

Thus, the operational risk capital in this case is a function of the Business Indicator Component only.

With a BI of €960 million, the bank falls under bucket 1 of the Basel guidelines and therefore the relevant BI coefficient is 0.12.

BIC = 0.12 × 960 = €115.2 million

So,

ORC = 115.2 × 1 = €115.2 million

Q.3117 The following information has been extracted from the P&L of a European bank over a 3-
year period:


| Year (ended) | 20X6 | 20X7 | 20X8 |
|---|---|---|---|
| Interest, leases and dividends | €950 million | €1.3 billion | €1.8 billion |
| Services | €1.6 billion | €2.2 billion | €2.6 billion |
| Financial (Net Profit/Loss on the trading book) | €500 million | €1.1 billion | €1.3 billion |

The bank’s Loss Component, LC, is €0.9 billion. Using the Standardized Measurement Approach,
calculate the bank’s operational risk capital:

A. €0.11 billion

B. €0.6375 billion

C. €0.708 billion

D. €4.5 billion

The correct answer is C.

Recall that

$$\text{ORC} = \text{BIC} \times \text{ILM}$$

where

$$\text{BIC} = \sum_i (\alpha_i \times BI_i)$$

and

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

Under the standardized measurement approach (SMA), a bank’s BI has three components: the interest, leases and dividends component (ILDC), the services component (SC), and the financial component (FC). To determine the value of BI, we must sum up the 3-year average of each of these components.

Thus, in € billion,

$$BI = \frac{0.95 + 1.3 + 1.8}{3} + \frac{1.6 + 2.2 + 2.6}{3} + \frac{0.5 + 1.1 + 1.3}{3} = 4.45$$

Next, determine the bank’s BIC:

| BI Bucket | 1 | 2 | 3 |
|---|---|---|---|
| BI Range | ≤ €1 bn | €1 bn < BI ≤ €30 bn | > €30 bn |
| Marginal BI Coefficient | 0.12 | 0.15 | 0.18 |
| BI of €4.45bn | €1bn × 12% = €0.12bn | €(4.45 − 1)bn × 15% = €0.5175bn | |

BIC = sum of buckets = €0.6375bn

Next, calculate ILM:

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{0.9}{0.6375}\right)^{0.8}\right] = 1.1105$$

ORC = 0.6375 × 1.1105 = €0.7079 billion


Q.3118 The following information has been extracted from the P&L of a European bank over a 3-
year period:

| Year (ended) | 2007 | 2008 | 2009 | 2010 |
|---|---|---|---|---|
| Interest, leases and dividends | €565 million | €1.6 billion | €2.4 billion | €2.2 billion |
| Services | €1.8 billion | €2.2 billion | €2.8 billion | €2.6 billion |
| Financial (Net Profit/Loss on the trading book) | €625 million | €1.1 billion | €1.7 billion | €2.9 billion |

Using the Standardized Measurement Approach, the bank’s Business Indicator (BI) for the year
ended 31 Dec 2010 is closest to:

A. €3.9 billion

B. €6.5 billion

C. €3.0 billion

D. €5.6 million

The correct answer is B.

Under the standardized measurement approach (SMA), a bank’s BI has three components: the interest, leases and dividends component (ILDC), the services component (SC), and the financial component (FC). To determine the value of BI, we must sum the average over three years: $t$, $t - 1$ and $t - 2$.

Thus, in € billion,

$$BI = \frac{1.6 + 2.4 + 2.2}{3} + \frac{2.2 + 2.8 + 2.6}{3} + \frac{1.1 + 1.7 + 2.9}{3} = 6.5$$


Q.3119 An international lender based in Dubai has a Business Indicator of €34.5 billion.
Determine the Business Indicator Component for the bank.

A. €0.12bn.

B. €4.35bn.

C. €35bn.

D. €5.28bn.

The correct answer is D.

To answer the question, it’s important to have the BI bucket divisions and corresponding
marginal coefficients as outlined in Basel III reforms.

| BI Bucket | 1 | 2 | 3 |
|---|---|---|---|
| BI Range | ≤ €1 bn | €1 bn < BI ≤ €30 bn | > €30 bn |
| Marginal BI Coefficient | 0.12 | 0.15 | 0.18 |
| BI of €34.5bn | €1bn × 12% = €0.12bn | €(30 − 1)bn × 15% = €4.35bn | €(34.5 − 30)bn × 18% = €0.81bn |

BIC = sum of buckets 1 to 3 = €5.28bn


Q.3120 A hypothetical European Bank has a business indicator (BI) of EUR 40 billion. The bank’s
loss component is EUR 1.2 billion. Using the information in the following table, calculate the
bank’s operational risk capital.

| BI Bucket | 1 | 2 | 3 |
|---|---|---|---|
| BI Range | ≤ 1 bn | 1 bn < BI ≤ 30 bn | > 30 bn |
| Marginal BI Coefficient | 12% | 15% | 18% |

A. €0.63 billion

B. €0.55 billion

C. €4.30 billion

D. €4.5 billion

The correct answer is C.

The operational risk capital requirement (ORC) can be calculated as follows:

$$\text{ORC} = \text{BIC} \times \text{ILM}$$

where the Business Indicator Component (BIC), in € billion, is given by:

$$\text{BIC} = \sum_i (\alpha_i \times BI_i)$$

$$\text{BIC} = (12\% \times 1) + (15\% \times (30 - 1)) + (18\% \times (40 - 30)) = 6.27$$

and the internal loss multiplier (ILM) is expressed as:

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right]$$

$$\text{ILM} = \ln\left[\exp(1) - 1 + \left(\frac{1.2}{6.27}\right)^{0.8}\right] = \ln 1.98 = 0.6855$$

Finally,

ORC = €6.27 × 0.6855 = €4.30
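
The SMA arithmetic worked by hand in Q.3113 to Q.3120 above, collected into one added Python example (not part of the original question bank). It follows this page's simplified definitions: BI as the sum of three-year component averages, LC as 15 times the ten-year average loss, and ILM fixed at 1 for bucket 1. Function names are assumptions and amounts are in € billion.

```python
"""SMA operational risk capital, following the formulas used on this page.

Added illustration: function names are assumptions, amounts are EUR billions.
"""
import math

# (lower bound, upper bound, marginal coefficient) per BI bucket, from the page.
BI_BUCKETS = [(0.0, 1.0, 0.12), (1.0, 30.0, 0.15), (30.0, math.inf, 0.18)]


def business_indicator(ildc, sc, fc):
    """BI as the page computes it: sum of the 3-year averages (t, t-1, t-2)
    of the ILDC, SC and FC series. Older years in a longer series are ignored."""
    def avg_last3(series):
        if len(series) < 3:
            raise ValueError("need at least three annual observations")
        return sum(series[-3:]) / 3
    return avg_last3(ildc) + avg_last3(sc) + avg_last3(fc)


def business_indicator_component(bi):
    """BIC: each slice of BI is charged at its own bucket's marginal rate."""
    if bi < 0:
        raise ValueError("BI must be non-negative")
    return sum(alpha * (min(bi, upper) - lower)
               for lower, upper, alpha in BI_BUCKETS if bi > lower)


def loss_component(annual_losses):
    """LC = 15 x average annual operational loss over the preceding 10 years."""
    if len(annual_losses) != 10:
        raise ValueError("expected ten annual loss figures")
    return 15 * sum(annual_losses) / len(annual_losses)


def internal_loss_multiplier(lc, bic):
    """ILM = ln[exp(1) - 1 + (LC / BIC)^0.8]."""
    if bic <= 0 or lc < 0:
        raise ValueError("BIC must be positive and LC non-negative")
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def operational_risk_capital(bi, lc):
    """ORC = BIC x ILM, with ILM fixed at 1 for bucket-1 banks (BI <= 1bn)."""
    bic = business_indicator_component(bi)
    ilm = 1.0 if bi <= 1.0 else internal_loss_multiplier(lc, bic)
    return bic * ilm


if __name__ == "__main__":
    # Inputs taken from Q.3117 and Q.3116 on this page.
    bi = business_indicator([0.95, 1.3, 1.8], [1.6, 2.2, 2.6], [0.5, 1.1, 1.3])
    print(f"Q.3117: BI={bi:.2f}bn ORC={operational_risk_capital(bi, 0.9):.4f}bn")
    lc = loss_component([0.8, 0.9, 0.7, 0.8, 0.06, 0.04, 0.10, 0.09, 0.03, 0.0])
    print(f"Q.3116: LC={lc:.2f}bn ORC={operational_risk_capital(0.96, lc):.4f}bn")
```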
