📚

RIMS • RIMS-CRMP

RIMS-Certified Risk Management Professional (RIMS-CRMP) Practice Test

The RIMS-CRMP is the only ANSI-accredited, competency-based risk management credential in the world, validating a professional's ability to analyze organizational models, design risk strategies, and implement risk processes. It demonstrates achievement of risk management knowledge, performance ability, and commitment to ethical standards.

Exam Details

Questions

807

Duration

120 minutes

Passing Score

71%

Difficulty

Professional

Last Updated

Feb 2026

Topics Covered

Analyzing the Organizational ModelDesigning Organizational Risk StrategiesImplementing Risk ProcessDeveloping Organizational Risk CompetencySupporting Decision Making

Exam Domain Breakdown

Implementing Risk Process32%

Designing Organizational Risk Strategies26%

Analyzing the Organizational Model16%

Developing Organizational Risk Competency16%

Supporting Decision Making10%

Exam Overview

The RIMS-Certified Risk Management Professional (RIMS-CRMP) is the world's only ANSI National Accreditation Board (ANAB)-accredited, competency-based risk management credential, holding accreditation under ISO/IEC 17024:2012. Administered by RIMS (the Risk and Insurance Management Society), this certification validates a professional's demonstrated ability to analyze organizational models, design enterprise risk strategies, implement risk processes, build organizational risk competency, and support strategic decision-making. Its ISO/IEC 17024 accreditation means the credential meets rigorous international standards for personnel certification, setting it apart from every other risk management designation worldwide.

The RIMS-CRMP is a performance-based credential that goes beyond knowledge testing to assess a candidate's practical ability to apply risk management concepts within real organizational contexts. The exam spans five domains drawn from a comprehensive job task analysis, covering the full lifecycle of enterprise risk management. With more than 1,300 credential holders across 60 countries, RIMS-CRMP is recognized internationally across industries including financial services, insurance, healthcare, government, and technology.

Official exam page

Who Should Take This Exam

The RIMS-CRMP is designed for mid-to-senior-level risk management professionals who are actively working in or transitioning into enterprise risk management roles. Ideal candidates include Risk Managers, Chief Risk Officers, Risk Analysts, Compliance Officers, Internal Auditors, and operational managers with significant risk oversight responsibilities. Professionals working in industries with complex risk environments — such as banking, insurance, healthcare, government, and energy — will find this credential particularly relevant.

Candidates who benefit most are those seeking to formalize their risk management expertise, move into leadership positions, or differentiate themselves in a competitive job market. The credential is also pursued by professionals advising boards and executives on risk strategy, as the exam directly tests the skills required to design and champion risk frameworks at the organizational level.

Prerequisites

RIMS-CRMP candidates must meet one of two educational and experience pathways: a bachelor's degree or higher in risk management combined with at least one year of full-time professional experience in risk management, or a bachelor's degree or higher in any non-risk management field combined with at least three years of full-time risk management work experience. Relevant internship experience may count toward the required work experience hours. RIMS membership is not required to apply or sit for the exam.

While there are no mandatory preparatory courses, candidates are strongly encouraged to review the official RIMS-CRMP Examination Blueprint (particularly page 9), download the RIMS-CRMP Study Guide, and familiarize themselves with the ten recommended reference materials. These include ISO 31000:2018 (Risk Management — Guidelines), foundational enterprise risk management frameworks, and RIMS Executive Reports on risk committee governance. A working knowledge of ERM principles, organizational strategy, and risk process implementation is assumed.

Exam Format

The RIMS-CRMP exam consists of 120 multiple-choice questions, of which 100 are scored and 20 are unscored pretest questions embedded throughout. Candidates cannot distinguish pretest from scored questions during the exam. The total time allotted is 120 minutes (2 hours), making pacing critical. The exam is delivered as a computer-based test (CBT) and is available year-round either at Pearson VUE testing centers located globally or remotely via the OnVUE online proctoring platform from a candidate's home or office.

Candidates are monitored by a certified proctor via webcam and microphone when testing remotely. Once an application is approved, candidates have a four-month window to schedule and sit for the exam. Results are reported on a pass/fail basis, with a minimum passing score of 71% on the 100 scored questions. Candidates who do not pass may retake the exam upon payment of a retest fee. The resulting credential is valid for two years and requires continuing education for recertification.

Skills Measured

1.Implementing Risk Process (32%): The largest domain, covering the execution of risk identification, assessment, treatment, monitoring, and reporting activities within an organization. Candidates must demonstrate the ability to operationalize a risk process aligned with organizational objectives and governance structures.
2.Designing Organizational Risk Strategies (26%): Focuses on developing and structuring enterprise risk management frameworks, risk appetite statements, and risk policies. Candidates are assessed on their ability to align risk strategy with organizational goals and design governance models that support risk oversight.
3.Analyzing the Organizational Model (16%): Tests the ability to assess an organization's structure, culture, stakeholder landscape, and operating environment to understand how these factors influence risk management design and effectiveness.
4.Developing Organizational Risk Competency (16%): Covers building risk awareness, fostering risk culture, training stakeholders, and advancing the organization's overall capability to manage risk as an integrated business function.
5.Supporting Decision Making (10%): Evaluates skills in communicating risk information to executives, boards, and other decision-makers, including the use of risk data, dashboards, and reporting to support strategic and operational decisions.

Study Tips

Download and structure your study plan around the official RIMS-CRMP Examination Blueprint (page 9 of the candidate handbook), which maps all tested duties and tasks within each domain — this is the most authoritative guide to what will be assessed.
Prioritize study time proportional to domain weights: allocate the most time to 'Implementing Risk Process' (32%) and 'Designing Organizational Risk Strategies' (26%), as together they make up nearly 60% of the scored questions.
Study ISO 31000:2018 (Risk Management — Guidelines) thoroughly, as it is the primary international standard referenced throughout the exam content and is listed as a core recommended reference by RIMS.
Use the RIMS-CRMP Overview Course (self-paced online) to reinforce foundational concepts, especially if you have gaps in any domain; this official course is specifically designed to refresh knowledge aligned with the exam blueprint.
Enroll in a RIMS Virtual Workshop if you prefer structured, instructor-led preparation — these are offered multiple times per year and provide guided review of all five exam domains with subject matter experts.
Practice applying risk concepts to scenario-based questions rather than memorizing definitions; the competency-based nature of the exam means questions are framed around real organizational situations requiring judgment, not just recall.
Review the ten RIMS-recommended reference materials listed in the study guide, paying particular attention to ERM frameworks and RIMS Executive Reports on risk committee governance, which directly inform the strategy and decision-making domains.

Career Benefits

According to RIMS, full-time risk professionals who hold the RIMS-CRMP credential earn $16,000 more annually than their non-certified peers, making it one of the most financially impactful credentials in the risk management field. The certification prepares holders for senior roles including Risk Manager, Enterprise Risk Director, Vice President of Risk, and Chief Risk Officer, as well as advisory roles supporting C-suite and board-level risk governance. Industries with the highest demand for RIMS-CRMP holders include financial services, insurance, healthcare, energy, and government.

As the only ISO/IEC 17024-accredited risk management credential in the world, the RIMS-CRMP carries a level of international recognition and credibility that distinguishes it from non-accredited designations such as the PMI-RMP or CRISC, which are scoped to project or IT risk rather than enterprise-wide risk strategy. With a global community of over 1,300 certified professionals across 60 countries, the credential is recognized by multinational employers and government agencies alike, including the U.S. Department of Defense through the Navy COOL program.

Sample Questions

Preview — answers shown

5 sample questions with correct answers and explanations. Start a practice session to test yourself across all 807 questions.

1. Northwind Construction is implementing a risk treatment plan for a high-profile infrastructure project. After analyzing the risk of foundation failure due to unstable soil conditions, the project manager decides to relocate the building to an area with stable geological conditions, effectively eliminating the risk entirely. Which ISO 31000:2018 risk treatment option does this represent? (Select one!)

ARetaining the risk by informed decision

BAvoiding the risk by not starting or continuing the activity that gives rise to the risk

CChanging the likelihood of the risk occurring

DSharing the risk through contractual agreements

Explanation

Relocating the building to eliminate the foundation failure risk represents risk avoidance under ISO 31000:2018. Avoidance involves not starting or not continuing the activity that gives rise to the risk. By moving to stable geological conditions, the organization removes the risk source entirely rather than attempting to mitigate or transfer it. Sharing the risk through contracts would transfer some financial consequences to another party but would not eliminate the physical risk. Changing the likelihood would involve implementing controls such as soil stabilization while proceeding with the original location. Retaining the risk would mean accepting the foundation failure possibility and proceeding with the original plan. The key distinction is that avoidance completely eliminates exposure to the specific risk.

2. Fabrikam Construction Group is using Failure Mode and Effects Analysis to evaluate risks in its crane operation procedures. The team has assessed one failure mode with a Severity rating of 8, an Occurrence rating of 4, and a Detection rating of 7. After implementing a new automated inspection system, the Detection rating improves to 3 while Severity and Occurrence remain unchanged. What is the Risk Priority Number before and after the control improvement, and does the failure mode still require action based on a typical action threshold? (Select one!)

ABefore: 224, After: 96. The failure mode still requires action because the Severity rating of 8 indicates a critical risk regardless of the RPN

BBefore: 224, After: 96. The failure mode no longer requires action as both values fall below the typical threshold of 100-200

CBefore: 128, After: 64. The failure mode no longer requires action as both values fall below the typical threshold of 100-200

DBefore: 19, After: 15. The failure mode does not require action as both values are well below the typical threshold

Explanation

The Risk Priority Number is calculated as Severity multiplied by Occurrence multiplied by Detection. Before improvement: 8 times 4 times 7 equals 224. After improvement: 8 times 4 times 3 equals 96. While the RPN dropped below the typical action threshold of 100-200, the failure mode still requires attention because the Severity rating of 8 out of 10 indicates a critical failure mode. In FMEA best practice, high severity ratings warrant continued monitoring and action regardless of the overall RPN, because even low-probability, hard-to-detect failures with severe consequences should not be dismissed based solely on a composite score. The RPN maximum is 1,000 (10 times 10 times 10). The calculation of 19 and 15 incorrectly adds the ratings instead of multiplying them. The calculation of 128 and 64 uses incorrect initial values.

3. Adatum Software Corporation is preparing for a SOX compliance audit. The internal audit team needs to understand the specific requirements of different SOX sections related to internal controls over financial reporting. Which two statements correctly describe SOX compliance requirements? (Select two!)

Multiple correct answers

ASection 302 requires the CEO and CFO to personally certify the accuracy of financial statements

BSection 404(a) requires external auditors to design and implement internal controls over financial reporting

CSection 404(b) requires external auditor attestation of the effectiveness of internal controls over financial reporting

DSection 302 requires the board of directors to conduct quarterly risk assessments of all operational risks

ESection 404(a) eliminates the need for management to assess internal control effectiveness

Explanation

SOX Section 302 requires the CEO and CFO to personally certify the accuracy of financial statements, taking responsibility for establishing and maintaining internal controls and disclosing any deficiencies. Section 404(b) requires external auditor attestation of the effectiveness of internal controls over financial reporting, providing independent verification. Section 404(a) requires management assessment of ICFR effectiveness, not external auditors designing controls. Section 302 addresses CEO and CFO certification of financial statements, not board-level operational risk assessments. Section 404(a) specifically mandates management assessment of internal control effectiveness rather than eliminating that requirement.

4. Litware Healthcare is establishing its risk governance structure using the Three Lines Model. The board has asked the risk manager to clarify which organizational function should provide independent, objective assurance on the effectiveness of risk management activities. Which organizational function fulfills this role in the Three Lines Model? (Select one!)

AInternal audit that provides independent and objective assurance

BExternal consultants hired to perform annual risk assessments

COperational management who owns and manages risk on a day-to-day basis

DRisk management and compliance functions that monitor, support, and challenge the first line

Explanation

In the Three Lines Model, the third line is internal audit, which provides independent, objective assurance on the effectiveness of governance, risk management, and internal controls. Internal audit reports directly to the governing body and is independent from management, allowing it to provide unbiased assessments. The first line consists of operational management who owns and manages risk in day-to-day activities. The second line includes risk management and compliance functions that provide expertise, support, monitoring, and challenge to the first line. External consultants are not part of the Three Lines Model structure. The 2020 update to this model removed the word defense to emphasize value creation alongside risk protection.

5. Tailspin Biotech Corporation wants to assess the severity of risks in its drug development pipeline. The risk team needs to evaluate both the frequency of potential loss events and the magnitude of potential losses to prioritize risk responses. Which quantitative model decomposes risk into Loss Event Frequency and Loss Magnitude as its primary components? (Select one!)

AFAIR (Factor Analysis of Information Risk) Model

BCOSO ERM Performance Component

CISO 31000 Risk Evaluation Matrix

DBasel II Standardized Approach

Explanation

The FAIR (Factor Analysis of Information Risk) model specifically decomposes risk into two primary components: Loss Event Frequency and Loss Magnitude. This taxonomy provides a structured quantitative approach to analyzing risk by breaking down frequency into Threat Event Frequency and Vulnerability, and magnitude into Primary Loss and Secondary Loss factors. The COSO ERM Performance Component addresses risk identification, assessment, prioritization, and response but does not use this specific decomposition. The Basel II Standardized Approach uses business-line-specific multipliers applied to gross income for calculating operational risk capital. ISO 31000 does not prescribe a specific risk evaluation matrix; it provides guidelines and principles while leaving technique selection to the organization.

One-time access to this exam

Full access to all 807 questions

Or $15/mo for all 201 exams

Detailed explanations

Free preview stays available