CRA Cheat Sheet 2026
The 30 highest-yield CRA facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
50 questions
90 min time limit
70.00% to pass
- What is the primary role of senior management in a business continuity program? → To provide strategic direction, resources, and accountability for the BCP program
- Why is it important to assess both internal and external risks? → It helps identify all possible risk sources
- What is the recommended review frequency for high-risk vendor relationships according to leading TPRM practices? → At least annually, with more frequent reviews based on elevated risk or material changes
- What does supply chain resilience mean in an enterprise risk context? → The capacity to maintain operations when key supply chain disruptions occur
- How does regulatory compliance impact risk management? → Regulatory compliance helps mitigate legal risks and align with industry standards
- Which of the following is the PRIMARY purpose of establishing Key Risk Indicators (KRIs) as part of a risk control system? → To provide an early warning that a risk is more likely to occur.
- Which of the following best describes 'fourth-party risk' in vendor risk management? → Risk posed by the subcontractors or suppliers used by your direct vendors
- What is the role of stakeholders in the risk management process? → Stakeholders provide insights and help prioritize risks
- What is the importance of analyzing the likelihood and impact of risks? → It helps prioritize risk mitigation efforts
- What is the main goal of enterprise risk management (ERM)? → To identify and manage risks to achieve business goals
- What is the significance of aligning risk management with business strategy? → It ensures that risk management is integrated into business goals
- Why is training employees on compliance important? → To ensure employees understand their roles and responsibilities
- How does an ERM framework contribute to strategic decision-making? → It helps identify opportunities and threats, enabling better decision-making
- What is the primary purpose of a Business Impact Analysis (BIA)? → To identify critical business functions and quantify the impact of their disruption
- Why is it important to continuously monitor risks? → To identify new risks and evaluate mitigation strategies
- Which risk category is most directly associated with a critical vendor experiencing financial insolvency? → Vendor exit and service continuity risk
- What is the primary challenge of unstructured data in risk management analytics? → It is difficult to analyze using traditional risk modeling tools
- What is the primary purpose of a vendor scorecard in ongoing vendor relationship management? → To continuously measure vendor performance against defined KPIs and risk metrics
- Why is communication important in the ERM process? → It fosters transparency and collaboration in managing risks
- Which U.S. regulatory guidance specifically requires financial institutions to conduct comprehensive due diligence on critical third-party service providers? → OCC Bulletin 2013-29 on Third-Party Relationships
- What does 'inherent risk' represent in a third-party risk assessment? → The level of risk that exists before any controls or mitigations are in place
- What is 'model risk' in the context of risk management systems? → The risk of loss resulting from inaccurate or misused quantitative models
- What is the primary purpose of a Risk Information System (RIS)? → To centralize and manage risk data for reporting and analysis
- What is a key component of an ERM framework? → Defining risk tolerance levels
- What is the primary purpose of regulatory compliance in risk management? → To avoid fines and legal consequences
- How can you evaluate the effectiveness of a risk mitigation strategy? → By tracking performance and making necessary adjustments
- What is cyber resilience in the context of business continuity management? → The ability to continuously deliver intended outcomes despite cyber attacks or incidents
- What is a common method used to assess risks in an organization? → Risk mapping and scenario analysis
- What is the significance of transparency in compliance? → It promotes trust and accountability
- Which of the following items is typically included in a vendor due diligence questionnaire (DDQ)? → Information on security controls, financial stability, and regulatory compliance posture
Turn these facts into recall: