SECTION 1: RISK GOVERNANCE

Board and Senior Management Oversight (8%)

Provide relevant, timely, and accurate information to the board, risk committees, and senior management.
Knowledge of:
- Organizational structures and committees and their roles and responsibilities (e.g., governance, credible challenge)
- Processes to manage and report the status of risk identification, measurement, and control activities
- The concepts and components of risk appetite and risk culture and how they link to corporate strategy and operations

Champion policies, risk appetite, and risk culture across the organization.
Knowledge of:
- Practices to drive organizational, process, and cultural change (e.g., communicating expectations, defining roles) in alignment with business objectives and strategy
- The concepts and components of risk appetite and risk culture
- How risk appetite and risk culture link to corporate strategy and operations
- Practices to educate and increase awareness of risk policies, appetite, and culture within and across all three lines of defense

Policies, Procedures and Limits (12%)

Establish and maintain risk management policies, procedures, and a risk appetite framework in alignment with enterprise objectives.
Knowledge of:
- Elements of an effective control environment (e.g., policy review/governance)
- Regulatory expectations around policies (e.g., proper authority, breadth of coverage, approval)
- Methods to implement and communicate risk management policies
- The concepts of organizational control structure and escalation channels
- Risk management policies' purpose, roles, and responsibilities
- The components of risk appetite (e.g., qualitative, quantitative) and how they link to corporate strategy
- Assessment of risk appetite levels and monitoring thresholds
- Regulator expectations of procedures to execute in alignment with risk management policies

Establish a governance process to create and maintain policy limits for measuring business performance.
Knowledge of:
- Development and maintenance of policy limits (e.g., setting appropriate limits, periodic review expectations)
- Calculation of risk metrics/quantitative methods
- Typical sources of risk concentration (e.g., portfolio concentration, uninsured deposits, counterparty)

Manage policy exceptions (e.g., LTV exception) and policy breaches (e.g., data privacy breach).
Knowledge of:
- Documentation of policy exceptions
- Appropriate approval authority used for exceptions
- Establishing timelines and processes for decision-making on noncompliance with policy (e.g., exceptions, risk mitigation, dispensation)
- Process and requirements for a breach in policy (e.g., escalate, document, track)

Management Information Systems (11%)

Develop and maintain management information systems (i.e., reporting tools) to systematically track and evaluate the effectiveness of the risk management program.
Knowledge of:
- Risk aggregation analysis tools and processes
- System limitations (e.g., access restrictions, manual versus automated reporting)
- Information systems and data required for risk reporting (e.g., asset liability systems)
- Information collection, retention, and sharing (e.g., completeness, quality, accessibility)
- Design elements in MIS reports to aid in effective decision-making

Assess the quality and capabilities of the systems used to support decision-making activities.
Knowledge of:
- Industry standards, sound practices, and regulatory expectations regarding information systems related to enterprise risk management
- Investigative approaches to ensure systems function as expected (e.g., inquire, observe, request documentation, challenge)

Develop and implement a data governance program to ensure completeness and accuracy of reporting.
Knowledge of:
- Fundamental system requirements (e.g., asset liability system, modeling, Credit Risk, risk assessment)
- Methodologies for confirming and challenging the integrity of inputs and outputs (e.g., model validation, reconciliation)
- Investigative approaches to ensure data is accurate and complete (e.g., inquire, observe, request documentation, challenge)
- Controls for information systems providing data required for risk reporting (e.g., asset liability systems)
- Quality control processes and accountability

Control Framework (7%)

Determine if the internal control framework aligns with the size, complexity, and risk appetite of the organization.
Knowledge of:
- Three lines of defense (e.g., roles, responsibilities, independence)
- Internal control system (e.g., control environment, risk assessment, control activities)
- Internal control framework (e.g., COSO Integrated Control Framework)
- Regulatory requirements (e.g., Sarbanes-Oxley Act [SOX], Heightened Standards)
- Control types (e.g., preventative/detective, manual/automated)
- Effective challenge by risk management staff
- Quality control and quality assurance
- Effective controls for all risk categories (e.g., model risk, fraud, external financial reporting, Sarbanes-Oxley Act [SOX])

Coordinate timing, coverage, and scope of risk management reviews with those of other control partners (e.g., independent risk, compliance) and prepare for regulatory exams.
Knowledge of:
- The roles and responsibilities of the three lines of defense
- Principles for effective exam management

SECTION 2: RISK MANAGEMENT

Risk Identification (15%)

Monitor and survey the internal and external environment to identify emerging risks.
Knowledge of:
- Risk categories (e.g., Operational Risk, Credit Risk) and types of risk events (e.g., processing errors, loan default)
- Potential upstream and downstream impact of risk events
- Risk presented by third parties (e.g., concentration, financial health)
- Criteria for materiality
- Regulatory environment and industry trends

Identify current risks through the development of risk and control self-assessments (RCSAs).
Knowledge of:
- Risk categories (e.g., Operational Risk, Credit Risk) and types of risk events (e.g., processing errors, loan default)
- Potential upstream and downstream impact of risk events
- Risk presented by third parties (e.g., concentration, financial health)
- Risk and control self-assessment (RCSA) fundamentals (e.g., inherent risk, residual risk, business processes)
- Regulatory environment and applicable requirements

Identify idiosyncratic risks (e.g., unique product lines, third-party relationships, customer concentration).
Knowledge of:
- Risk categories (e.g., Operational Risk, Credit Risk) and types of risk events (e.g., processing errors, loan default)
- Potential upstream and downstream impact of risk events
- Criteria for materiality
- Regulatory environment and applicable requirements

Identify risks resulting from failure to meet internal and external stakeholder requirements.
Knowledge of:
- Potential upstream and downstream impact of risk events
- Criteria for materiality
- Potential regulatory actions and penalties (e.g., Matters Requiring Attention [MRA], Civil Money Penalties [CMP])

Risk Measurement and Evaluation (13%)

Estimate the likelihood of risk event(s) and the potential impact(s).
Knowledge of:
- Risk assessment factors including likelihood, impact, direction, and velocity
- Key indicators (e.g., KRI, KPI) across all risk categories
- Evaluation of inherent risk, control environment, and residual risk
- Development and calculation of risk metrics/quantitative methods
- External factors (e.g., economic, regulatory, environmental)
- Potential upstream and downstream impact of risk events
- Effects of aggregated risks

Conduct scenario analysis (e.g., stress test).
Knowledge of:
- Scenario analysis fundamentals (e.g., scenario selection, triggers)
- Regulator expectations for conducting scenario analysis (e.g., asset size, complexity)
- Key indicators (e.g., KRI, KPI) across all risk categories
- Calculation of risk metrics
- Application and limitations of stress testing and scenario analysis
- External factors (e.g., economic, regulatory, environmental)

Complete risk and control self-assessments (RCSAs).
Knowledge of:
- Risk assessment factors including likelihood, impact, direction, and velocity
- Evaluation of inherent risk, control environment, and residual risk
- Risk scoring and prioritization

Evaluate risk relative to risk appetite and risk tolerance.
Knowledge of:
- Key indicators (e.g., KRI, KPI) across all risk categories
- Risk appetite and tolerance

Risk Responses (18%)

Evaluate the alignment of management's risk response and documentation with risk appetite.
Knowledge of:
- Types and examples of risk responses (i.e., accept, mitigate, transfer, avoid), and when each is appropriate
- Maintenance of Risk and Control Self-Assessment (RCSA)

Develop and recommend risk responses (i.e., accept, mitigate, transfer, avoid).
Knowledge of:
- Types and examples of risk responses (i.e., accept, mitigate, transfer, avoid) and when each is appropriate
- Types of risk mitigation activity (e.g., preventative, detective, corrective)
- Root cause analysis principles and techniques
- Impact from internal and external risks (e.g., third-party service providers, shared services)
- Risk appetite and tolerance

Manage issues identified by the first line and second line.
Knowledge of:
- Issues Management identification and tracking
- Types and examples of risk responses (i.e., accept, mitigate, transfer, avoid) and when each is appropriate relative to risk appetite
- Root cause analysis principles and techniques
- Impact from internal and external risks (e.g., third-party service providers, shared services)
- Issues Management resolution (e.g., validation, closure)

Respond to findings from regulators, independent third parties, and audits.
Knowledge of:
- Root cause analysis principles and techniques
- Methods to address findings (e.g., rating criticality, action plan, documentation, disposition)

Determine the residual risk of an event post-risk response.
Knowledge of:
- Evaluation of inherent risk, control environment, and residual risk
- Maintenance of Risk and Control Self-Assessment (RCSA)

Risk Monitoring (16%)

Identify and define key indicators (e.g., KRI, KPI).
Knowledge of:
- Key credit measures (e.g., debt-to-income ratio, net credit losses, percentage of nonperforming assets)
- Key financial measures (e.g., net interest income, tier 1 capital ratio, current ratio)
- Key non-financial measures (e.g., operational losses, system downtime, employee turnover, efficiency ratio)
- Risk appetite and tolerance
- Distinction between key indicators (i.e., performance vs. risk)
- Indicators of economic trends (e.g., unemployment, bankruptcy rate)
- Elements of effective risk measures (e.g., limit, trigger)

Design and produce standardized and ad hoc reporting.
Knowledge of:
- Report monitoring and distribution components (e.g., timeline, scoping, time horizon, level of aggregation, segmentation)
- Techniques for analyzing risk information (i.e., quantitative, qualitative)
- Methods to summarize and communicate risk information (e.g., color coding, heat mapping, dashboard)
- The proper level to distribute and make information available, including escalation
- Reporting requirements

Monitor indicators and reports to identify emerging risks.
Knowledge of:
- Report monitoring and distribution components (e.g., timeline, scoping, time horizon, level of aggregation, segmentation)
- Techniques for analyzing risk information (i.e., quantitative, qualitative)
- The proper level to distribute and make information available, including escalation
- Key credit measures (e.g., debt-to-income ratio, net credit losses, percentage of nonperforming assets)
- Key financial measures (e.g., net interest income, tier 1 capital ratio, current ratio)
- Key non-financial measures (e.g., operational losses, system downtime, employee turnover, efficiency ratio)

Evaluate the quality of first line performance through control monitoring.
Knowledge of:
- Report monitoring and distribution components (e.g., timeline, scoping, time horizon, level of aggregation, segmentation)
- Control design and operating effectiveness
- Techniques for analyzing risk information (i.e., quantitative, qualitative)
- The proper level to distribute and make information available, including escalation
- Reporting requirements

Analyze report output and make risk-based recommendations.
Knowledge of:
- Methods to summarize and communicate risk information (e.g., color coding, heat mapping, dashboard)
- Techniques for analyzing risk information (i.e., quantitative, qualitative)
- The proper level to distribute and make information available, including escalation