
PRMIA 8020試験問題集で[2025年最新] 有効な試験練習問題集解答
8020問題集で掴み取れ![最新2025]PRMIA試験合格させます
PRMIA 8020 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
| トピック 5 |
|
| トピック 6 |
|
質問 # 19
When a single operational risk event leads to losses in multiple business lines or impacts across several event types, how should these linked losses be treated?
- A. Each business line should take it's own discretion as to how the losses are treated.
- B. Pro-rate the loss across the affected business line.
- C. Allocate entire loss to the business line for which the loss is greatest.
- D. Either allocate entire loss to the business line for which the loss is greatest or pro-rate the loss across the affected business line.
正解:D
解説:
Step 1: Understanding Linked Losses in Operational Risk
In operational risk events, a single event can impact multiple business lines or event types (e.g., IT failure affecting retail banking and wealth management).
Proper loss attribution is important for accurate risk reporting and regulatory compliance under Basel III.
Step 2: Why Option C is Correct
Basel III and PRMIA guidance allow institutions flexibility in how to allocate linked losses:
Entire loss can be allocated to the business line with the largest loss impact for simplified reporting.
Loss can be pro-rated across affected business lines for more accurate attribution.
Step 3: Why the Other Options Are Incorrect
Option A ("Allocate entire loss to the business line with the greatest loss") → Partially correct, but not always required-some firms prefer pro-rating.
Option B ("Pro-rate the loss") → Partially correct, but allocating to the largest impacted business line is also acceptable.
Option D ("Each business line decides how to treat losses") → Incorrect because loss allocation should follow a defined policy, not business line discretion.
PRMIA Risk Reference Used:
Basel III Operational Risk Framework - Discusses loss attribution for multi-line impact events.
PRMIA Loss Event Management Guidelines - Supports both full allocation and pro-rating.
Final Conclusion:
Firms can either allocate the full loss to the most impacted business line or pro-rate it across affected lines, making Option C the correct answer.
質問 # 20
In relation to financial crime. OFAC is a definition for which organization?
- A. Office of Foreign Asset Control.
- B. Office of Foreigner and other Control.
- C. Office for Asset Control.
- D. Office of Financial Asset Control.
正解:A
解説:
Step 1: Understanding OFAC
OFAC (Office of Foreign Assets Control) is a U.S. Treasury Department agency responsible for enforcing economic and trade sanctions based on U.S. foreign policy and national security goals.
It prevents financial crime by restricting transactions with sanctioned individuals, entities, and countries.
Step 2: Role of OFAC in Financial Crime Prevention
OFAC administers sanctions to prevent money laundering, terrorism financing, and other illicit activities.
Financial institutions must comply with OFAC regulations to avoid heavy fines and reputational damage.
PRMIA's Financial Crime Risk Guidelines emphasize the importance of OFAC compliance in risk management.
Step 3: Why the Other Options Are Incorrect
Option A ("Office of Financial Asset Control") - Incorrect wording; OFAC deals with foreign assets, not just financial assets.
Option B ("Office of Foreigner and Other Control") - OFAC does not regulate foreigners broadly; it targets specific foreign assets and transactions.
Option C ("Office for Asset Control") - Missing "Foreign", which is critical to OFAC's function.
PRMIA Risk Reference Used:
PRMIA Financial Crime Risk Management Guidelines - Emphasizes regulatory compliance with OFAC.
PRMIA Compliance and Sanctions Risk Standards - Stresses the role of OFAC in preventing illicit financial activities.
Final Conclusion:
OFAC stands for the Office of Foreign Assets Control, making Option D the correct answer.
質問 # 21
What are some of the deficiencies associated with bottom-up Key Risk Indicators?
- A. Mandates from a board that are too restrictive to implement.
- B. Causal affects that are not adequately understood.
- C. Not reported frequently enough.
- D. Lack of granularity.
正解:B
解説:
Definition of Bottom-Up Key Risk Indicators (KRIs)
Bottom-up KRIs are generated from operational-level data rather than high-level strategic indicators.
They are useful for monitoring localized risks but may fail to capture broad risk drivers.
Key Deficiencies of Bottom-Up KRIs
Lack of clarity on causal relationships - These indicators may detect risk trends but fail to explain root causes.
Focus on micro-level risks - They may miss systemic or enterprise-wide risk interactions.
Why Answer B is Correct
Bottom-up KRIs may indicate changes in risk levels but lack insight into the underlying causes, leading to reactive rather than proactive risk management.
Why Other Answers Are Incorrect
Option
Explanation:
A . Mandates from a board that are too restrictive to implement.
Incorrect - Board mandates apply to top-down governance, not bottom-up KRIs.
C . Not reported frequently enough.
Incorrect - Reporting frequency is an issue but not the primary deficiency; rather, it's the lack of causal insight.
D . Lack of granularity.
Incorrect - Bottom-up KRIs tend to be highly detailed (granular), making this answer incorrect.
PRMIA Reference for Verification
PRMIA Key Risk Indicator Best Practices
Basel Committee's Risk Measurement and Reporting Framework
質問 # 22
Which of the below is a definition of climate risk?
- A. Climate risk has been moved out of all risk taxonomies due to international agreement.
- B. Climate risk refers to the growing impacts that businesses and our overall society may face due to climate change.
- C. Climate risk refers to change in the business climate during a recession.
- D. Climate risk refers to the growing impacts of credit risk on the business environment.
正解:B
解説:
Step 1: Definition of Climate Risk
PRMIA and global financial regulators define climate risk as the financial, operational, and societal risks arising from climate change.
Climate risks impact businesses through physical risks (e.g., floods, wildfires) and transition risks (e.g., regulatory changes, carbon pricing).
Step 2: Why the Other Options Are Incorrect
Option A ("Climate risk has been moved out of all risk taxonomies due to international agreement") Incorrect because climate risk is now a central part of risk taxonomies, as emphasized by PRMIA, Basel III, and TCFD.
Option B ("Climate risk refers to the growing impacts of credit risk on the business environment") Incorrect because credit risk is just one aspect of climate risk, not the full definition.
Option C ("Climate risk refers to change in the business climate during a recession") Incorrect because climate risk is about environmental change, not economic cycles.
PRMIA Risk Reference Used:
PRMIA Climate Risk Guidelines - Defines climate risk as a financial and societal risk due to climate change.
TCFD (Task Force on Climate-Related Financial Disclosures) - Outlines regulatory expectations for climate risk management.
Final Conclusion:
Climate risk involves physical and transition risks from climate change, making Option D the correct answer.
質問 # 23
For the FTX case study, what was the "backdoor" used for?
- A. It allowed a rapid pace of acquisitions but poor integration of acquired companies.
- B. It allowed currency traders to smooth profits and conceal losses for over two years.
- C. It allowed a stable coin to be removed from the ledger and added to the balance sheet.
- D. It allowed trading firm Alameda to borrow S65 billion of clients' money from the exchange without their permission.
正解:D
解説:
The FTX collapse involved fraudulent fund mismanagement, where FTX executives created a "backdoor" to allow Alameda Research (FTX's sister trading firm) to borrow client funds without their consent.
Step 1: The "Backdoor" in FTX
The backdoor was a hidden code in FTX's system, allegedly created by Sam Bankman-Fried, which allowed Alameda to access customer deposits without triggering alerts to auditors or compliance teams.
Alameda used these funds for risky trading strategies and investments, leading to the eventual collapse of FTX when a liquidity crunch exposed the missing funds.
Step 2: Why the Other Options Are Incorrect
Option A ("allowed a stablecoin to be removed from the ledger and added to the balance sheet") Incorrect because FTX's fraud involved misuse of customer funds, not just a stablecoin misclassification.
Option C ("allowed currency traders to smooth profits and conceal losses for over two years") Incorrect because this sounds more like LIBOR-rigging scandals, whereas FTX misappropriated client funds.
Option D ("allowed a rapid pace of acquisitions but poor integration of acquired companies") Incorrect because FTX's collapse was due to financial fraud, not poor acquisition strategy.
PRMIA Risk Reference Used:
PRMIA Financial Crime Risk Management - Discusses insider risk and fraudulent misappropriation of funds.
FTX Collapse Reports - SEC, CFTC, and DOJ filings confirm that Alameda had unauthorized access to client funds.
Final Conclusion:
FTX's backdoor enabled Alameda to take $65 billion in client funds without permission, making Option B the correct answer.
質問 # 24
In operational resilience, what is impact tolerance?
- A. Impact tolerance is a firm's risk appetite statement.
- B. Impact tolerance is a firm's tolerance for disruption to a particular business process.
- C. Impact tolerance is a firm's risk capacity statement.
- D. Impact tolerance is a firm's tolerance for disruption to a particular business service.
正解:D
解説:
Impact Tolerance is a key concept in Operational Resilience, defined as the ability of a firm to withstand, respond to, and recover from disruptions. According to PRMIA and global regulatory frameworks (such as the Bank of England's Operational Resilience Framework), impact tolerance is specifically tied to business services rather than processes.
Step 1: Defining Impact Tolerance
Impact tolerance is the maximum acceptable level of disruption to an important business service, beyond which there would be intolerable harm to customers, financial markets, or regulatory obligations.
It is not the same as risk appetite or risk capacity, as those deal with broader organizational risk exposure.
Step 2: Why Business Services Matter
PRMIA defines business services as end-to-end services delivered to clients and stakeholders, such as payments processing, trade execution, or loan approvals.
Disruptions to these services directly impact customers and financial stability, making business service resilience the core focus of impact tolerance.
Step 3: Why the Other Options Are Incorrect
Option A ("tolerance for disruption to a particular business process")
Incorrect because impact tolerance applies to services, not just internal processes.
Option C ("a firm's risk appetite statement")
Incorrect because risk appetite focuses on how much risk a firm is willing to take, while impact tolerance is about surviving disruptions.
Option D ("a firm's risk capacity statement")
Incorrect because risk capacity is the maximum level of risk a firm can bear, which is broader than business service disruptions.
PRMIA Risk Reference Used:
PRMIA Operational Resilience Guidelines - Defines impact tolerance as a service-based metric.
Bank of England's Operational Resilience Framework - Establishes impact tolerance as a limit on business service disruption.
Final Conclusion:
Impact tolerance focuses on business services, not just internal processes or risk appetite, making Option B the correct answer.
質問 # 25
Which of the following is not an action available to management and the governing body to align the strategy with Risk Capacity.
- A. Reduce retained earning - by increasing dividends in order to return funds to investors and improve reputation.
- B. Improve quality of risks - pursue lower rewarding risks with better prospects.
- C. Improve retained earnings - by increasing net income or reducing dividends in order to increase risk capacity.
- D. Reduce scale of risks - shrink balance sheet or activity levels.
正解:A
解説:
Step 1: Aligning Strategy with Risk Capacity
Risk capacity is the maximum level of risk a firm can bear based on financial resources, earnings, and capital structure.
Management can adjust risk capacity by modifying risk exposure, balance sheet size, or earnings retention.
Step 2: Why Option C Is Incorrect
Increasing dividends reduces retained earnings, which lowers capital reserves and reduces risk capacity.
Firms seeking to improve risk capacity should retain earnings, not distribute them.
Step 3: Why the Other Options Are Correct
Option A ("Reduce scale of risks") → Correct as reducing balance sheet size lowers risk exposure.
Option B ("Improve quality of risks") → Correct as taking on lower-risk assets improves stability.
Option D ("Improve retained earnings") → Correct as more capital increases risk capacity.
PRMIA Risk Reference Used:
PRMIA Capital Management Framework - Defines risk capacity and earnings retention strategies.
Basel III Capital Standards - Stresses retained earnings as a key factor in risk capacity.
Final Conclusion:
Reducing retained earnings through dividends weakens risk capacity, making Option C the correct answer.
質問 # 26
Which of the following statements best defines the properties of top-down key risk indicators?
- A. Selected by senior management, used to manage changes in the business environment especially under periods of stress, and reported on a daily basis.
- B. Selected by junior management, used to manage changes in the business environment especially under periods of stress, and reported on an annual basis
- C. Can only be selected by the board in line with risk ratings.
- D. Selected by senior management, tied to material external and internal loss exposures and scenarios, and used to manage changes in the business environment, especially under periods of stress.
正解:D
解説:
Definition of Key Risk Indicators (KRIs)
KRIs are quantitative metrics used to monitor risk levels and detect early warning signs of potential risk events.
Top-down KRIs are identified at the senior management level and focus on enterprise-wide risk exposure.
Key Properties of Top-Down KRIs
Selected by senior management to ensure alignment with strategic objectives.
Tied to material external and internal loss exposures to capture critical financial, operational, and strategic risks.
Used to manage changes in the business environment to ensure proactive risk response, especially under stress conditions.
Why Other Answers Are Incorrect
Option
Explanation:
B . Selected by senior management, used to manage changes in the business environment, especially under periods of stress, and reported on a daily basis.
Incorrect - Top-down KRIs are not reported daily; they are monitored periodically (e.g., quarterly).
C . Selected by junior management, used to manage changes in the business environment, especially under periods of stress, and reported on an annual basis.
Incorrect - Junior management does not define top-down KRIs; senior management does. Also, annual reporting is too infrequent.
D . Can only be selected by the board in line with risk ratings.
Incorrect - The board provides oversight, but senior risk management selects KRIs, not just the board.
PRMIA Reference for Verification
PRMIA Risk Indicator Guidelines
Basel Committee on Banking Supervision (BCBS) Principles for Effective Risk Data Aggregation
質問 # 27
Internal loss data (ILD) consists of what kind of data?
- A. It consists of near miss operational loss incidents of a bank.
- B. It consists of historical operational loss incidents of a bank.
- C. It consists of the Key Risk Indicators of a bank.
- D. It consists of scenario data develeloped to calcuate the future operational loss incidents of a bank.
正解:B
解説:
Definition of Internal Loss Data (ILD)
Internal Loss Data (ILD) refers to historical records of actual operational losses incurred by a bank.
These losses are used for risk assessment, capital calculations, and trend analysis under Basel III's Operational Risk Framework.
Key Characteristics of ILD
Captures actual past loss events, such as fraud, system failures, and compliance breaches.
Supports the identification of risk trends and weak control areas.
Used for operational risk capital modeling, along with external loss data and scenario analysis.
Why Other Answers Are Incorrect
Option
Explanation:
A . It consists of near miss operational loss incidents of a bank.
Incorrect - ILD captures actual losses, while near misses are reported separately.
C . It consists of the Key Risk Indicators of a bank.
Incorrect - KRIs are forward-looking risk metrics, while ILD focuses on historical data.
D . It consists of scenario data developed to calculate the future operational loss incidents of a bank.
Incorrect - ILD is historical, whereas scenario data is used for predictive analysis.
PRMIA Reference for Verification
Basel III & PRMIA Operational Risk Data Framework
PRMIA Risk Management Standards for ILD
質問 # 28
For the Northern Rock case study, what was the low-probability-high-impact event that was most responsible for the loss event?
- A. The acquisition of Merrill Lynch by Bank of America.
- B. Liquidity dried up in the inter-bank and commercial paper markets.
- C. The Bank of England's withdrawal of Deposit Protection.
- D. An exposure to real estate funds, heavily concentrated in Berlin.
正解:B
解説:
Step 1: Understanding the Northern Rock Case Study
Northern Rock was a UK bank that collapsed in 2007 due to its heavy reliance on short-term wholesale funding rather than customer deposits.
When the 2007 financial crisis hit, the inter-bank lending market and commercial paper market froze, cutting off Northern Rock's access to liquidity.
Step 2: Why Option C Is Correct
Northern Rock depended on short-term borrowing to fund long-term mortgage lending.
When the liquidity crisis hit, it couldn't refinance its debt, leading to a bank run and collapse.
The Bank of England had to intervene, and the UK government nationalized Northern Rock in 2008.
Step 3: Why the Other Options Are Incorrect
Option A ("Acquisition of Merrill Lynch") → Incorrect because this happened in 2008, after Northern Rock's failure.
Option B ("Withdrawal of Deposit Protection") → Incorrect because UK deposit protection remained in place.
Option D ("Real estate exposure in Berlin") → Incorrect because Northern Rock's problem was funding liquidity, not real estate losses.
PRMIA Risk Reference Used:
PRMIA Liquidity Risk Management Framework - Describes how liquidity shocks impact banks like Northern Rock.
Basel III Liquidity Coverage Ratio (LCR) Standards - Created after Northern Rock to prevent similar liquidity crises.
Final Conclusion:
The collapse of the inter-bank and commercial paper markets was the key low-probability-high-impact event that led to Northern Rock's failure, making Option C the correct answer.
質問 # 29
Which of the following best describes the role of the compliance department?
- A. The compliance department is responsible for providing oversight over the board's implementation of compliance risk management controls.
- B. The compliance department is responsible for providing oversight over the first line's implementation of compliance risk management controls.
- C. The compliance department is responsible for providing oversight over the auditor's implementation of compliance risk management controls.
- D. The compliance department is responsible for implementing the first line's compliance risk management controls.
正解:B
解説:
Three Lines of Defense Model
The compliance department functions as the second line of defense, ensuring oversight over the first line's compliance controls.
It does not directly implement controls but monitors and advises on compliance risk management.
Responsibilities of the Compliance Department
Ensures regulatory compliance with laws, policies, and industry standards.
Monitors and enforces risk management controls within business operations.
Provides advisory and training on compliance risks.
Why Answer D is Correct
The first line of defense (business operations) is responsible for executing compliance controls.
The compliance department (second line) provides oversight and governance to ensure compliance adherence.
Why Other Answers Are Incorrect
Option
Explanation:
A . The compliance department is responsible for implementing the first line's compliance risk management controls.
Incorrect - The first line (business units) implement compliance controls, while compliance oversees.
B . The compliance department is responsible for providing oversight over the auditor's implementation of compliance risk management controls.
Incorrect - Internal audit is part of the third line of defense, not directly overseen by compliance.
C . The compliance department is responsible for providing oversight over the board's implementation of compliance risk management controls.
Incorrect - The board provides high-level governance; compliance ensures business adherence to regulations.
PRMIA Reference for Verification
PRMIA Governance & Compliance Oversight Framework
Basel Committee's Guidelines on Compliance Risk Management
質問 # 30
Which of the following principles is critical when creating the optimum policy range and content'?
- A. Policies should be divided into a large number of short topics to enhance accessibility.
- B. Policy owners must ensure that policies are read by the regulator and then the shareholders.
- C. New policies should be accompanied by Citable training for the target audience and added to the content of new employee training.
- D. Hard copies of a new policy should be placed in a central library of governance documents at the CRO's home.
正解:C
解説:
Best Practices for Policy Development
Policies should be clearly written, well-structured, and accompanied by training to ensure employees understand their responsibilities.
PRMIA governance principles emphasize the need for training to enhance compliance and operational effectiveness.
Why Answer D is Correct
Training ensures policy adoption and understanding across the organization.
Integrating policies into new employee training helps embed governance and compliance culture.
Why Other Answers Are Incorrect
Option
Explanation:
A . Policies should be divided into a large number of short topics to enhance accessibility.
Incorrect - While policies should be structured for readability, excessive fragmentation can lead to confusion and inefficiency.
B . Policy owners must ensure that policies are read by the regulator and then the shareholders.
Incorrect - Policies are internal governance tools, not primarily for regulators or shareholders.
C . Hard copies of a new policy should be placed in a central library of governance documents at the CRO's home.
Incorrect - Policies should be centrally available within the organization, not at a personal location.
PRMIA Reference for Verification
PRMIA Governance Best Practices
ISO 31000 Risk Management Standards
質問 # 31
Which of the following principles best applies to a compliance function?
- A. The compliance function should be independent of the business (following a three lines of defense model).
- B. The compliance function should report to the business (even when following a three lines of defense model).
- C. The risk function should be outsourced if there is a compliance function.
- D. The compliance function should be outsourced if there is a risk function.
正解:A
解説:
Step 1: Compliance Function and the Three Lines of Defense Model
The Three Lines of Defense (3LoD) model ensures that risk management responsibilities are properly segregated:
First Line: Business units (own and manage risk).
Second Line: Compliance and risk management (independent oversight).
Third Line: Internal audit (provides assurance).
Step 2: Why Compliance Must Be Independent
PRMIA and Basel Compliance Principles state that compliance should not report to business units, as this creates a conflict of interest.
Compliance must be independent to ensure objective oversight of regulatory adherence.
Step 3: Why the Other Options Are Incorrect
Option A ("Report to the business") → Incorrect because compliance must provide independent oversight, not report to business units.
Option C ("Outsource compliance if risk function exists") → Incorrect because compliance and risk functions have distinct roles.
Option D ("Outsource risk if compliance exists") → Incorrect because risk management is a core function, not an outsourcing candidate.
PRMIA Risk Reference Used:
PRMIA Compliance Risk Governance - States compliance must be independent under the Three Lines of Defense model.
Basel Compliance Principles - Recommends separate reporting structures for compliance and business units.
Final Conclusion:
Compliance must be independent from the business to avoid conflicts of interest, making Option B the correct answer.
質問 # 32
In order for a KRI to be effective it must be:
- A. Qualitative, Consistent Efficient & Repeatable.
- B. Quantitative, Repeatable and Efficient.
- C. Quantitative and Qualitative. Consistent. Efficient & Repeatable.
- D. Quantitative, Consistent and Comparable. Efficient & Repeatable
正解:C
解説:
Definition of an Effective Key Risk Indicator (KRI)
A KRI is a metric used to identify, measure, and monitor emerging risks.
To be effective, KRIs must be both quantitative and qualitative, allowing for a comprehensive risk view.
Key Characteristics of Effective KRIs
Quantitative - Uses numerical data for trend analysis.
Qualitative - Incorporates expert judgment and scenario-based insights.
Consistent - Maintains uniform definitions across reporting periods.
Efficient & Repeatable - Must be easily measured and consistently reported.
Why Other Answers Are Incorrect
Option
Explanation:
B . Qualitative, Consistent, Efficient & Repeatable.
Incorrect - Excludes quantitative aspects, which are essential for KRIs.
C . Quantitative, Consistent, Comparable, Efficient & Repeatable.
Incorrect - While comparison is useful, qualitative factors are missing, making this answer incomplete.
D . Quantitative, Repeatable and Efficient.
Incorrect - Lacks qualitative insights and consistency as key factors for KRIs.
PRMIA Reference for Verification
PRMIA Risk Indicator Guidelines
Basel Committee's Principles on Risk Data and KRI
質問 # 33
Ideally, which of the following should be completed as part of the risk assessments of service providers?
- A. Onsite visits are not advantageous for understanding the third party's risks and control environment.
- B. An assessment of a third party should not include its compliance and risk infrastructure, financials, business strategy and operating history.
- C. An assessment of a third party should include its compliance and risk infrastructure, financials, business strategy and operating history.
- D. A review of the pay levels of the staff supporting the service.
正解:C
解説:
Third-Party Risk Management (TPRM)
PRMIA highlights the importance of conducting thorough due diligence on third-party vendors and service providers.
This includes evaluating compliance programs, risk management frameworks, financial stability, strategic objectives, and operational history.
Key Areas of Third-Party Risk Assessment
Compliance and Risk Infrastructure → Ensures that the provider meets regulatory and security requirements.
Financial Health → Determines whether the provider has the financial stability to support long-term service delivery.
Business Strategy → Helps assess alignment with the organization's risk appetite and goals.
Operating History → Evaluates experience and reliability in delivering services.
Why Other Answers Are Incorrect
Option
Explanation:
B . An assessment of a third party should not include its compliance and risk infrastructure, financials, business strategy, and operating history.
Incorrect - Ignoring these critical factors increases the risk of working with an unreliable vendor.
C . Onsite visits are not advantageous for understanding the third party's risks and control environment.
Incorrect - Onsite visits are highly valuable as they provide first-hand insights into operational controls. PRMIA encourages risk managers to conduct site visits.
D . A review of the pay levels of the staff supporting the service.
Incorrect - Employee salaries are not a primary risk factor in vendor assessments. The focus should be on the vendor's security, compliance, and operational risks.
PRMIA Reference for Verification
PRMIA Third-Party Risk Management (TPRM) Guidelines - Details best practices for vendor risk assessments.
Basel Principles on Outsourcing and Third-Party Risk - Provides regulatory guidance on evaluating third-party service providers.
質問 # 34
In relation to the template for writing policy documents, which one of the following pairings of requirements is correct? A well designed policy will include:
- A. To whom the policy applies to and how an additional management report should be allocated to.
- B. A list of acceptable fonts and margin types.
- C. A list of exceptions for the family of board members.
- D. To whom and in what form exceptions should be sought and the general exemptions e.g. areas to which the policy does not apply
正解:D
解説:
Step 1: Key Elements of a Well-Designed Policy Document
A well-designed policy should include:
Scope - Who the policy applies to.
Exception Handling - How and where exceptions should be requested.
Accountability - Who is responsible for enforcement.
Step 2: Why Option C is Correct
A policy must clearly define exceptions and the process for requesting them.
It should also define areas where the policy does not apply to avoid confusion.
Step 3: Why the Other Options Are Incorrect
Option A ("List of exceptions for board members' families") → Incorrect because policies should apply consistently to all stakeholders.
Option B ("List of acceptable fonts and margin types") → Incorrect because formatting is secondary to content clarity.
Option D ("To whom the policy applies and an additional management report") → Incorrect because policy scope should not include unnecessary reports.
PRMIA Risk Reference Used:
PRMIA Policy Writing Guidelines - Defines policy structure and exception handling.
ISO 19600 Compliance Management Standard - Supports clear, well-documented policies.
Final Conclusion:
A well-designed policy clearly defines exceptions and their handling process, making Option C the correct answer.
質問 # 35
The The Task Force on Climate-related Financial Disclosures (TCFD) was founded by which body?
- A. The World Bank (WB).
- B. The European Commission (EC).
- C. The Financial Stability Board (FSB).
- D. The United Nations (UN).
正解:C
解説:
Step 1: What is the TCFD?
The Task Force on Climate-related Financial Disclosures (TCFD) was established to develop climate-related financial risk disclosure recommendations to help investors, lenders, and regulators make informed decisions.
Step 2: Who Founded the TCFD?
The Financial Stability Board (FSB), an international organization that monitors and makes recommendations about the global financial system, founded the TCFD in 2015.
The FSB recognized climate risk as a financial stability issue and launched the TCFD to standardize reporting.
Step 3: Why the Other Options Are Incorrect
Option A ("World Bank") → Incorrect because the World Bank supports climate initiatives but did not create the TCFD.
Option B ("United Nations") → Incorrect because the UN has climate programs like the UNFCCC, but not the TCFD.
Option D ("European Commission") → Incorrect because the EC develops its own sustainability regulations (e.g., SFDR, CSRD), separate from the TCFD.
PRMIA Risk Reference Used:
PRMIA Climate Risk Guidelines - Cites FSB's role in founding the TCFD.
FSB Official Reports (2015) - Confirms that the FSB established the TCFD.
Final Conclusion:
The FSB founded the TCFD in 2015, making Option C the correct answer.
質問 # 36
Confidence Accounting can be defined as:
- A. An approach that encourages companies and audit firms to stop using figures and maths.
- B. An approach that encourages companies and audit firms to use regular statements in their Al software.
- C. An approach that encourages companies and audit firms to have diverse boards.
- D. An approach that encourages companies and audit firms to use ranges, rather than discrete numbers, for major accounting entries.
正解:D
解説:
Definition of Confidence Accounting
Confidence Accounting challenges traditional accounting by introducing probability distributions and ranges rather than fixed numbers for financial reporting.
This approach improves transparency and risk awareness by acknowledging uncertainty in financial figures.
Why Answer B is Correct
Encourages using ranges (confidence intervals) instead of discrete values to better reflect uncertainty.
Used in risk-sensitive industries where financial estimates vary due to external factors (e.g., credit risk, market fluctuations).
Why Other Answers Are Incorrect
Option
Explanation:
A . An approach that encourages companies and audit firms to have diverse boards.
Incorrect - Board diversity is unrelated to Confidence Accounting.
C . An approach that encourages companies and audit firms to use regular statements in their AI software.
Incorrect - AI may use probability models, but Confidence Accounting is an accounting methodology, not an AI approach.
D . An approach that encourages companies and audit firms to stop using figures and maths.
Incorrect - Confidence Accounting still relies on mathematical models; it does not eliminate numerical analysis.
PRMIA Reference for Verification
PRMIA Financial Risk Reporting Standards
IFRS (International Financial Reporting Standards) Guidelines on Probability-Based Accounting
質問 # 37
When a control is found to be ineffective, which of the following steps should be take next?
- A. An action plan should be designed to close the gap.
- B. The controls should be re-assessed during the next cycle to determine if they are still ineffective.
- C. Risks should be re-assessed to determine if there is the appropriate level of control assessment.
- D. Risks should be re-assessed to determine if there can be an exception for the level of control assessment.
正解:A
解説:
When a control is found to be ineffective, the primary objective is to remediate the deficiency by implementing corrective measures. PRMIA (Professional Risk Managers' International Association) guidance, aligned with best practices in risk governance, emphasizes a structured approach to handling control deficiencies. Below is a detailed breakdown based on PRMIA risk management principles:
Step 1: Identify and Assess the Ineffective Control
A control is deemed ineffective when it fails to mitigate the identified risks to an acceptable level.
The root cause of the failure must be determined through a Control Effectiveness Review (CER).
PRMIA recommends control testing and incident analysis to assess the severity of the control failure.
Step 2: Develop an Action Plan to Address the Control Deficiency
PRMIA best practices state that risk management should prioritize corrective actions rather than delaying remediation.
The organization must define an action plan to close the gap, which includes:
Revising or strengthening the control mechanisms.
Implementing new controls, if necessary.
Assigning responsibility for remediation to control owners.
Setting deadlines for resolution.
This step aligns with PRMIA's Risk Governance Framework, which emphasizes proactive risk management.
Step 3: Implement Corrective Measures and Monitor Progress
Once an action plan is designed, the organization should execute the corrective actions.
PRMIA's Risk Monitoring Guidelines require regular follow-ups and testing to ensure the control is functioning correctly.
The effectiveness of the remediation should be validated through post-implementation review and ongoing control testing.
Step 4: Re-Assess Risks and Control Effectiveness
Once corrective measures are in place, the organization should re-evaluate risks to confirm that the issue is resolved.
The risk assessment process should be updated to reflect the changes in the control environment.
Why the Other Options Are Incorrect?
Option A: "Risks should be re-assessed to determine if there is the appropriate level of control assessment." While risk re-assessment is a good practice, it does not directly address the ineffective control.
PRMIA guidelines prioritize closing the control gap first before reassessing risks.
Option C: "The controls should be re-assessed during the next cycle to determine if they are still ineffective." Waiting until the next assessment cycle delays remediation, which could expose the organization to unmitigated risks.
PRMIA risk frameworks recommend immediate corrective action when a control is found to be ineffective.
Option D: "Risks should be re-assessed to determine if there can be an exception for the level of control assessment." PRMIA does not support exceptions for ineffective controls unless there is a well-documented risk acceptance process.
A control failure should be remediated rather than seeking exceptions.
PRMIA Risk Reference Used:
PRMIA Risk Governance Framework - Defines the importance of immediate corrective actions for control failures.
PRMIA Risk Monitoring Guidelines - Stresses continuous monitoring and validation of controls.
PRMIA Risk Management Standards - Recommends a structured action plan for ineffective controls.
PRMIA Operational Risk Framework - Emphasizes the need to close control gaps to maintain a strong risk posture.
Final Conclusion:
According to PRMIA risk management best practices, when a control is found to be ineffective, the best course of action is to design and implement an action plan to remediate the issue (Option B). This approach ensures that the organization mitigates risk promptly and maintains a strong control environment.
質問 # 38
......
8020試験問題集PDF正確率保証と更新された問題:https://jp.fast2test.com/8020-premium-file.html