CORES Cheat Sheet 2026
The 30 highest-yield CORES facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
100 questions
90 min time limit
70.00% to pass
- Which governance principle ensures that individuals cannot both authorize and execute a transaction without a separate review? → Segregation of duties
- Which document outlines steps to recover operations after a disaster? → Business Continuity Plan (BCP)
- In the context of CORES certification, what is the most important consideration when implementing vendor & third-party risk oversight? → Ensuring alignment with established standards, stakeholder needs, and best practices
- Which of the following is an example of an operational risk event? → IT system outage
- Which body is primarily responsible for approving a firm's operational risk appetite statement? → The Board of Directors
- Which of the following is a compliance-related law in finance? → Sarbanes-Oxley Act (SOX)
- Which approach is used when a risk cannot be eliminated? → Risk transfer
- Why is it important to test the business continuity plan regularly? → To ensure the plan works during an actual event
- Under U.S. banking regulation, which guidance specifically articulates supervisory expectations for internal audit functions at large financial institutions? → SR 03-5: Amended Interagency Guidance on the Internal Audit Function
- What is the primary purpose of a Risk Appetite Statement (RAS) in an operational risk framework? → To define the amount and type of risk the organization is willing to accept
- Which of the following best describes a key competency required for scenario analysis & stress testing in CORES practice? → Strong analytical skills combined with effective communication and ethical judgment
- In the Three Lines of Defense model, which line is primarily responsible for owning and managing operational risks on a day-to-day basis? → Business units and operational management
- In the context of CORES certification, what is the most important consideration when implementing loss data collection & analysis? → Ensuring alignment with established standards, stakeholder needs, and best practices
- Under sound operational risk governance, how often should the risk appetite statement typically be reviewed? → At least annually and after significant business or risk profile changes
- What is the role of compliance audits? → To check compliance and mitigate risks
- Which technique is commonly used to prioritize risks? → Heat maps
- What is the primary purpose of risk mitigation planning? → To reduce the impact or likelihood of risks
- Which of the following best describes a key competency required for risk culture & awareness training in CORES practice? → Strong analytical skills combined with effective communication and ethical judgment
- Which quantitative method is commonly used in operational risk to estimate potential losses at a given confidence level over a specified time horizon? → Value at Risk (VaR)
- Which governance document formally defines the scope, objectives, and methodology of an organization's operational risk management program? → Operational risk management policy
- Which element is essential for making operational risk reports 'actionable'? → Recommendations or suggested actions tied to each identified risk or control gap
- A heat map in operational risk reporting typically displays risks according to which two dimensions? → Likelihood (probability) and impact (severity)
- The 'audit universe' in internal audit planning refers to: → A comprehensive inventory of all auditable entities, processes, and systems
- Which document typically outlines specific risk mitigation steps? → Risk mitigation plan
- Under the IIA's Three Lines Model (2020 update), which body is positioned OUTSIDE the three lines and provides governing oversight? → Governing body (Board)
- What is the function of a communication plan during a crisis? → To ensure timely and accurate communication
- The concept of 'risk ownership' in operational risk governance means: → Business unit managers are accountable for managing the risks within their areas
- A risk-based internal audit approach prioritizes audit resources based on: → The relative risk exposure and significance of auditable entities
- Which operational risk framework component ensures that risk management policies are consistently applied across all business lines? → Risk governance structure
- What is the purpose of a risk assessment in continuity planning? → To identify potential risks to operations
Turn these facts into recall: