Governance structures specify the policies, principles and procedures for making decisions about corporate direction. They distribute rights and responsibiliies among stakeholders that typically include executive management, employees, the board etc. Statement I is therefore correct.

'Cybernetics is a transdisciplinary approach for exploring regulatory systems, their structures, constraints, and possibilities. In the 21st century, the term is often used in a rather loose way to imply 'control of any system using technology' (Wikipedia). Governance literature has been affected by cybernetics, which is not the same thing as information security or cyber security. Statement II is incorrect.

Corporate governance includes risk governance, and not the other way round. Therefore statement III is incorrect.

The Cadbury Report, titled Financial Aspects of Corporate Governance, was a report issued in the UK in December 1992 by 'The Committee on the Financial Aspects of Corporate Governance'. The report is eponymous with the chair of the committee, and set out recommendations on the arrangement of company boards and accounting systems to mitigate corporate governance risks and failures. Statement IV is therefore correct.

This is a tricky question in the sense no risk management professional can be expected to know the answer to this one unless they have read Chapter 2 of the PRMIA handbook. So this question appears purely for the sake of something you would need to know purely for the sake of the exam.

PRMIA's handbook classifies governance sructures as reactive, preventative and active. Reactive structures involve monitoring signals after the event leading to corrective actions. Preventative structures are forward looking and anticipate issues before they arise. Active structures include considerations of operational efficiency and not just governance. All other answers are made up phrases and are incorrect.

In reality, corporations employ all structures together without worrying about the boundary between the three, and these distinctions do not exist except in textbooks.

Statutory financial reporting is the responsibility of the Chief Financial Officer, not the Chief Risk Officer. The head of internal audit reports to the audit committee of the board, not the CRO. Therefore statements I and II are incorect.

The CRO is generally expected to drive risk and compliance with related regulatory standards. Market risk, credit risk and operational risk groups report into the CRO, so statements III and IV are correct.

In statistics, which is relevant to risk management, a distinction is often drawn between 'frequentists' and 'Bayesians'. Frequentists rely upon data to draw conclusions as to probabilities. Bayesians consider conditional probabilities, ie, take into account what things are already known, and inject sometimes subjective a-priori probabilities into the calculations. Statement I describes Bayesians, and not frequentists. In reality however, the difference is merely academic. Risk managers use whichever technique best applies to the given situation without making it about ideology.

The difference between 'Knightian uncertainty' and 'Risk' is similarly academic. Knightian uncertainty refers to risk that cannot be measured or calculated. 'Risk' on the other hand refers to things for which past data exists and calculations of exposure can be made. To give an example in the context of the financial world, the risk from a pandemic creating systemic failures from a failure of payment and settlement systems and the like is 'Knightian uncertainty', but the market risk from equity price movements can be modeled (albeit with limitations) and is calculable. Statement II is therefore correct.

Once a risk is identified, it can be mitigated, accepted, avoided or eliminated, or transferred by way of insurance. Therefore statement III is correct.

Confidence accounting is a conceptual idea that suggests that accounting statements make reference to ranges as opposed to point estimates in financial statements. For example, instead of saying that the pension obligation is $xx million, the company should say the pension obligation is in a range of $xx m - $yy m with a certain confidence level. Statement IV is therefore inaccurate.

Statement I is correct. The financial system proved to be stable against small shocks and disturbances, or shocks of a particular type (eg, the dotcom crash, the wars in the Persian Gulf); but rather fragile against other types of shocks, including disturbances to key market participants caused by a worsening of mortgage defaults. Statement II is incorrect. Financial innovation, in particular the slicing and dicing of 'risk' through securitization, significantly increased interrelationships, dependence on the same risk factors, and the complexity of the system as a whole. Statement III is incorrect. A distinction is sometimes made between risk that is knowable, measureable, and quantifiable through parameters; and uncertainty, where the parameters are not known at all. The latter is called 'Knightian uncertainty' after the name of the scholar who came up with the distinction between the two. Statement IV is correct. Feedback effects had the greatest impact on liquidity which was tended to be hoarded, and on asset prices that tumbled as market participants tried to sell assets to become more liquid. Thus, choice is a the correct answer.