Board and Senior Management Oversight (8%)

Provide relevant, timely, and accurate information to board and senior management.
Knowledge of:
- Procedures to manage and report the status of risk identification, measurement, and control activities
- The concepts and components of risk appetite and risk culture and how they link to corporate strategy and operations
- The concept of credible challenge by the board

Champion policies, risk appetite, and risk culture across the organization.
Knowledge of:
- Methods to manage organizational, process, and cultural change
- The concepts and components of risk appetite and risk culture and how they link to corporate strategy and operations
- Practices to educate and increase awareness of risk policies, appetite, and culture within and across all three lines of defense

Direct information to the appropriate board and/or management risk committees.
Knowledge of:
- Organizational structures and committees, and their roles and responsibilities
- The concepts and components of risk appetite and risk culture and how they link to corporate strategy and operations
- The concept of credible challenge by the board
Policies, Procedures, and Limits (15%)

Establish and maintain enterprise risk management policies in alignment with enterprise goals and objectives.
Knowledge of:
- Elements of a good control environment
- Business performance relative to policy limits and the implications this has for the effectiveness of the limits themselves
- Regulatory expectations around policy constraints
- How to identify current and emerging expectations in the regulatory environment
- Methods to implement and communicate enterprise risk management policies, standards, procedures, and guidelines
- The importance of idiosyncratic risks to the business
- The concepts of organizational control structure and escalation channels
- The relationship between risk appetite and enterprise goals and objectives
- Purpose of policies and guiding principles that policies should follow
- The concepts and components of risk appetite and risk culture and how they link to corporate strategy and operations

Define and maintain enterprise risk management standards, guidelines, and procedures to guide and enforce compliance.
Knowledge of:
- Elements of a good control environment
- Regulatory expectations around policy constraints
- How to identify current and emerging expectations in the regulatory environment
- The importance of idiosyncratic risks to the business
- The concepts of organizational control structure and escalation channels
- Elements of risk appetite and the relationship between risk appetite and enterprise goals and objectives
- Purpose of procedures and principles the procedures should follow
- Expectations for policy, procedure, and limit review

Develop and maintain policy limits.
Knowledge of:
- Business performance relative to policy limits and the implications this has for the effectiveness of the limits themselves
- Regulatory expectations around policy constraints
- How to identify current and emerging expectations in the regulatory environment
- The importance of idiosyncratic risks to the business
- Concept of risk appetite and its relationship to limit-setting
- Purpose of, methodologies for establishing, and sound governance principles for limits
- Calculation of risk metrics/quantitative methods
- Typical sources of risk concentration

Establish risk appetite framework.
Knowledge of:
- Elements of a good control environment
- The importance of idiosyncratic risks to the business
- Elements of risk appetite and the relationship between risk appetite and enterprise goals and objectives

Administer and handle policy and standard exceptions.
Knowledge of:
- Organizational structures, committees and their roles and responsibilities, and the concept of escalation
- Documentation of policy and standard exceptions, including that the appropriate approval authority was used for the exception

Escalate risk to the appropriate governing body.
Knowledge of:
- Corporate governance, organizational structures, committees, and their roles and responsibilities
- Communication channels and techniques
- Business writing and communication techniques
- Documentation techniques and best practices
Management Information Systems (9%)

Develop and maintain management information systems (reporting tools) to systematically track and evaluate the performance of risk mitigation actions.
Knowledge of:
- Risk aggregation analysis tools and processes
- How to manage risk effectively with existing system limitations and access restrictions (e.g., manual vs. automated reporting)
- Methodologies for confirming and challenging the integrity of entries in the system
- Information systems likely to be able to provide data required for risk reporting (e.g., asset liability systems)
- Collection, preservation, and presentation of evidence (completeness, quality, etc.)
- Design elements in MIS reports to board and senior management that escalate attention to important risk mitigation actions

Assess the quality and capabilities of the MIS systems used to support the decision-making activities of the institution.
Knowledge of:
- Risk aggregation analysis tools and processes
- Industry standards, sound practices, and regulatory expectations regarding enterprise risk management
- How to manage risk effectively with existing system limitations and access restrictions (e.g., manual vs. automated reporting)
- Information systems likely to be able to provide data required for risk reporting (e.g., asset liability systems)
- Investigative techniques (inquire, observe, request documentation, challenge)

Ensure accuracy of data used for board and senior management reporting.
Knowledge of:
- Risk aggregation analysis tools and processes
- Investigative techniques (inquire, observe, request documentation, challenge)
- Fundamental system requirements knowledge (e.g., asset liability system, modeling, credit risk, risk assessment)

Effectively manage data governance.
Knowledge of:
- Risk aggregation analysis tools and processes
- Investigative techniques (inquire, observe, request documentation, challenge)
- Information systems likely to be able to provide data required for risk reporting (e.g., asset liability systems)
- Techniques for establishing quality control processes and accountability
Control Framework (10%)

Determine if the internal control framework aligns with the size, complexity, and risk appetite of the organization.
Knowledge of:
- Three lines of defense: roles, responsibilities, and the importance of an independent ERM function
- System of internal controls, including control types and techniques
- Control frameworks (e.g., COSO)
- Effective challenge by risk management staff
- Principles for conducting effective risk and control self-assessments (RCSAs)
- Model risk management practices

Coordinate timing, coverage, and scope of risk management reviews with those of other control partners.
Knowledge of:
- Three lines of defense: roles, responsibilities, and the importance of an independent ERM function
- System of internal controls, including control types and techniques
- Quality control and quality assurance

Support effective exam management for regulators, independent third parties, and audit.
Knowledge of:
- Three lines of defense: roles, responsibilities, and the importance of an independent ERM function
- System of internal controls, including control types and techniques
- Principles for effective exam management (e.g., regulatory and audit)

Assess the adequacy of controls around external financial reporting and disclosures.
Knowledge of:
- Three lines of defense: roles, responsibilities, and the importance of an independent ERM function
- System of internal controls, including control types and techniques
- Sarbanes-Oxley Act and financial review committees
- Financial and regulatory reports and appropriate interpretation
- Control frameworks (e.g., COSO)
- Effective challenge by risk management staff
Risk Identification (12%)

Monitor and survey the internal and external environment for emerging risks and, where necessary, identify and execute appropriate risk mitigating strategies.
Knowledge of:
- Likelihood, impact, direction, and velocity for assessing risks
- Types of risk events (across risk taxonomies)
- Potential upstream/downstream impact of risk events
- Criteria for criticality
- Regulatory environment and applicable requirements
- Internal risk appetite and tolerance
- Basic processes and principles of banking

Aid the first line in properly identifying, scoping, and conducting comprehensive risk and control self-assessments (RCSAs).
Knowledge of:
- Likelihood, impact, direction, and velocity for assessing risks
- Types of risk events (across risk taxonomies)
- Potential upstream/downstream impact of risk events
- Criteria for business criticality
- Risk and control self-assessment (RCSA) scoping
- Regulatory environment and applicable requirements
- Risk appetite and tolerance
- Basic processes and principles of banking

Identify key risks associated with non-compliance with internal and external expectations.
Knowledge of:
- Likelihood, impact, direction, and velocity for assessing risks
- Types of risk events (across risk taxonomies)
- Potential upstream/downstream impact of risk events
- Criteria for business criticality
- Regulatory environment and applicable requirements
- Risk appetite and tolerance
- Basic processes and principles of banking

Identify key idiosyncratic risks.
Knowledge of:
- Likelihood, impact, direction, and velocity for assessing risks
- Types of risk events (across risk taxonomies)
- Potential upstream/downstream impact of risk events
- Criteria for business criticality
- Regulatory environment and applicable requirements
- Risk appetite and tolerance
- Basic processes and principles of banking

Identify risk scenarios that could lead to business loss.
Knowledge of:
- Likelihood, impact, direction, and velocity for assessing risks
- Types of risk events (across risk taxonomies)
- Potential upstream/downstream impact of risk events
- Criteria for business criticality
- Regulatory environment and applicable requirements
- Risk appetite and tolerance
- Basic processes and principles of banking
Risk Measurement and Evaluation (17%)

Estimate the likelihood that an event will occur and the impact of an event if it occurs.
Knowledge of:
- Key credit, financial, and non-financial risk measures (see Appendix for risk measures)
- Evaluation of inherent risk, control environment, and residual risk
- Calculation of risk metrics/quantitative methods
- Key indicators of economic trends (e.g., unemployment, bankruptcy rate, etc.)
- Typical sources of risk concentration

Effectively challenge risk metric calculations by others.
Knowledge of:
- Key credit, financial, and non-financial risk measures (see Appendix for risk measures)
- Calculation of risk metrics

Conduct scenario analysis stress tests.
Knowledge of:
- Key credit, financial, and non-financial risk measures (see Appendix for risk measures)
- Calculation of risk metrics
- Types of events that should be used in stress testing and the limitations of these scenario analyses
- Key indicators of economic trends (e.g., unemployment, bankruptcy rate, etc.)

Complete risk and control self-assessments (RCSAs).
Knowledge of:
- Key credit, financial, and non-financial risk measures (see Appendix for risk measures)
- Evaluation of inherent risk, control environment, and residual risk
- Calculation of risk metrics

Evaluate risk relative to risk appetite and risk tolerance.
Knowledge of:
- Key credit, financial, and non-financial risk measures (see Appendix for risk measures)
- Risk appetite and tolerance
- Calculation of risk metrics
- Typical sources of risk concentration

Perform root cause analysis.
Knowledge of:
- Effects of diversification or amplification on aggregated risks
- Typical sources of risk concentration
- How risk appetite is quantified by risk types (for aggregation purposes)
- Root cause analysis principles and techniques

Aggregate like risks.
Knowledge of:
- Effects of diversification or amplification on aggregated risks
- How risk appetite is quantified by risk types (for aggregation purposes)

Aggregate across multiple risk types.
Knowledge of:
- Effects of correlation on diversification and aggregated risks
Risk Mitigation (17%)

Evaluate the appropriateness of management's risk response and documentation.
Knowledge of:
- Types of risk responses (accept, mitigate, transfer, avoid)
- Basic classes of risk transfer instruments, including insurance and securitized assets, and when they are appropriate to use
- Practices for mitigating counterparty risk in risk transfer
- Root cause analysis and after action reviews
- Documentation expectations

Prepare proper action plans for possible events.
Knowledge of:
- Types and examples of risk responses (accept, mitigate, transfer, avoid), and when each is appropriate
- Root cause analysis and after action reviews
- Third-party risk management practices
- Risk appetite and tolerance

Select or recommend appropriate types of risk mitigation activity.
Knowledge of:
- Types of risk responses (accept, mitigate, transfer, avoid)
- Basic classes of risk transfer instruments, including insurance and securitized assets, and when they are appropriate to use
- Practices for mitigating counterparty risk in risk transfer
- Root cause analysis and after action reviews
- Third-party risk management practices
- Risk appetite and tolerance

Respond to incidents with timely and appropriate mitigation.
Knowledge of:
- Types of risk responses (accept, mitigate, transfer, avoid)
- Root cause analysis and after action reviews

Perform issue management, including identification and tracking, to ensure effective and timely resolution.
Knowledge of:
- Types of risk responses (accept, mitigate, transfer, avoid)
- Root cause analysis and after action reviews
- Effective issue management

Respond to findings from regulators, independent third parties, and audit.
Knowledge of:
- Types of risk responses (accept, mitigate, transfer, avoid)
- Root cause analysis and after action reviews
- Effective finding management

Estimate the residual risk of an event post-mitigation.
Knowledge of:
- Evaluation of inherent risk, control environment, and residual risk
- Calculation of risk metrics
Risk Monitoring (12%)

Design and produce standardized and ad hoc reporting.
Knowledge of:
- Required frequency and granularity for monitoring and distribution, including timeline, scoping, periodicity, time horizon, level of aggregation, and segmentation
- Techniques for effectively summarizing and communicating risk information (e.g., color coding, heat mapping)
- Techniques for effectively deconstructing risk information
- The proper level to distribute and make information available, including escalation
- Reporting requirements

Monitor internal and external indicators and reports to identify key environmental changes.
Knowledge of:
- Required frequency and granularity for monitoring and distribution, including timeline, scoping, periodicity, time horizon, level of aggregation, and segmentation
- Techniques for effectively deconstructing risk information
- The proper level to distribute and make information available, including escalation
- Key credit, financial, and non-financial risk measures (see Appendix for risk measures)

Identify and define key risk indicators.
Knowledge of:
- Key credit, financial, and non-financial risk measures (see Appendix for risk measures)
- Risk appetite and tolerance
- Calculation of risk metrics
- Distinction between key indicators (i.e., performance vs. risk vs. control)
- Key indicators of economic trends (e.g., unemployment, bankruptcy rate, etc.)
- Elements of effective risk measures

Analyze report output.
Knowledge of:
- Techniques for effectively summarizing and communicating risk information (e.g., color coding, heat mapping)
- Techniques for effectively deconstructing risk information
- The proper level to distribute and make information available, including escalation

Evaluate the controls for design and operating effectiveness.
Knowledge of:
- Required frequency and granularity for monitoring and distribution, including timeline, scoping, periodicity, time horizon, level of aggregation, and segmentation
- Control effectiveness evaluation
- Techniques for effectively deconstructing risk information

Evaluate the quality of first-line performance/control monitoring.
Knowledge of:
- Required frequency and granularity for monitoring and distribution, including timeline, scoping, periodicity, time horizon, level of aggregation, and segmentation
- Control effectiveness evaluation
- Techniques for effectively deconstructing risk information
- The proper level to distribute and make information available, including escalation
- Best practices for first-line monitoring
- Reporting requirements