RIMS · RIMS-CRMP
The RIMS-CRMP is the only ANSI-accredited, competency-based risk management credential in the world, validating a professional's ability to analyze organizational models, design risk strategies, and implement risk processes. It demonstrates achievement of risk management knowledge, performance ability, and commitment to ethical standards.
Questions
807
Duration
120 minutes
Passing Score
71%
Difficulty
ProfessionalLast Updated
Jun 2026
This RIMS CRMP practice exam helps you review enterprise risk management concepts including risk governance, assessment, analysis, response, communication, monitoring, and integration with strategic decision-making. The questions mirror how the real exam is weighted, with implementing the risk process (32%) and designing organizational risk strategies (26%) carrying the most marks, so your practice time goes where the exam actually rewards it.
Use explanations to connect each scenario to risk appetite, stakeholder communication, controls, and organizational objectives. The certification rewards applied judgment, so repeated practice should focus on why a response supports the broader risk management process. The exam itself is 120 multiple-choice questions (100 scored) in two hours, with a 71% pass mark, so steady accuracy matters more than speed.
The RIMS-Certified Risk Management Professional (RIMS-CRMP) is the world's only ANSI National Accreditation Board (ANAB)-accredited, competency-based risk management credential, holding accreditation under ISO/IEC 17024:2012. Administered by RIMS (the Risk and Insurance Management Society), this certification validates a professional's demonstrated ability to analyze organizational models, design enterprise risk strategies, implement risk processes, build organizational risk competency, and support strategic decision-making. Its ISO/IEC 17024 accreditation means the credential meets rigorous international standards for personnel certification, setting it apart from every other risk management designation worldwide.
The RIMS-CRMP is a performance-based credential that goes beyond knowledge testing to assess a candidate's practical ability to apply risk management concepts within real organizational contexts. The exam spans five domains drawn from a comprehensive job task analysis, covering the full lifecycle of enterprise risk management. With more than 1,300 credential holders across 60 countries, RIMS-CRMP is recognized internationally across industries including financial services, insurance, healthcare, government, and technology.
The RIMS-CRMP is designed for mid-to-senior-level risk management professionals who are actively working in or transitioning into enterprise risk management roles. Ideal candidates include Risk Managers, Chief Risk Officers, Risk Analysts, Compliance Officers, Internal Auditors, and operational managers with significant risk oversight responsibilities. Professionals working in industries with complex risk environments — such as banking, insurance, healthcare, government, and energy — will find this credential particularly relevant.
Candidates who benefit most are those seeking to formalize their risk management expertise, move into leadership positions, or differentiate themselves in a competitive job market. The credential is also pursued by professionals advising boards and executives on risk strategy, as the exam directly tests the skills required to design and champion risk frameworks at the organizational level.
RIMS-CRMP candidates must meet one of two educational and experience pathways: a bachelor's degree or higher in risk management combined with at least one year of full-time professional experience in risk management, or a bachelor's degree or higher in any non-risk management field combined with at least three years of full-time risk management work experience. Relevant internship experience may count toward the required work experience hours. RIMS membership is not required to apply or sit for the exam.
While there are no mandatory preparatory courses, candidates are strongly encouraged to review the official RIMS-CRMP Examination Blueprint (particularly page 9), download the RIMS-CRMP Study Guide, and familiarize themselves with the ten recommended reference materials. These include ISO 31000:2018 (Risk Management — Guidelines), foundational enterprise risk management frameworks, and RIMS Executive Reports on risk committee governance. A working knowledge of ERM principles, organizational strategy, and risk process implementation is assumed.
The RIMS-CRMP exam consists of 120 multiple-choice questions, of which 100 are scored and 20 are unscored pretest questions embedded throughout. Candidates cannot distinguish pretest from scored questions during the exam. The total time allotted is 120 minutes (2 hours), making pacing critical. The exam is delivered as a computer-based test (CBT) and is available year-round either at Pearson VUE testing centers located globally or remotely via the OnVUE online proctoring platform from a candidate's home or office.
Candidates are monitored by a certified proctor via webcam and microphone when testing remotely. Once an application is approved, candidates have a four-month window to schedule and sit for the exam. Results are reported on a pass/fail basis, with a minimum passing score of 71% on the 100 scored questions. Candidates who do not pass may retake the exam upon payment of a retest fee. The resulting credential is valid for two years and requires continuing education for recertification.
According to RIMS, full-time risk professionals who hold the RIMS-CRMP credential earn $16,000 more annually than their non-certified peers, making it one of the most financially impactful credentials in the risk management field. The certification prepares holders for senior roles including Risk Manager, Enterprise Risk Director, Vice President of Risk, and Chief Risk Officer, as well as advisory roles supporting C-suite and board-level risk governance. Industries with the highest demand for RIMS-CRMP holders include financial services, insurance, healthcare, energy, and government.
As the only ISO/IEC 17024-accredited risk management credential in the world, the RIMS-CRMP carries a level of international recognition and credibility that distinguishes it from non-accredited designations such as the PMI-RMP or CRISC, which are scoped to project or IT risk rather than enterprise-wide risk strategy. With a global community of over 1,300 certified professionals across 60 countries, the credential is recognized by multinational employers and government agencies alike, including the U.S. Department of Defense through the Navy COOL program.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 807 questions.
Preview — answers shown1. Contoso Energy is building a decision tree analysis to evaluate whether to invest in a new renewable energy project. The risk analyst has constructed the tree with square nodes and circular nodes. A junior analyst asks about the interpretation of these symbols. Which statement correctly describes the components of a decision tree? (Select one!)
Explanation
In decision tree analysis, square nodes represent decision points where management must choose between alternatives, and circular nodes represent chance events where outcomes are determined by probability rather than choice. Triangle nodes typically represent terminal outcomes or endpoints. The analysis proceeds by folding back the tree from right to left, calculating expected monetary values at chance nodes by multiplying probabilities by outcomes, and selecting the optimal choice at decision nodes. Reversing the node definitions would fundamentally misrepresent the model. Decision trees are specifically designed to distinguish between controllable decisions and uncontrollable chance events, which is central to their value in risk-informed decision-making.
2. Adatum Global Services is evaluating its risk management program and wants to strengthen the organization's ability to thrive amid uncertainty. The chief risk officer presents a proposal to the board describing organizational resilience as a strategic priority. Which statement best describes organizational resilience in the context of enterprise risk management? (Select one!)
Explanation
Organizational resilience encompasses the broad capability to anticipate, prepare for, respond to, and adapt to both incremental change and sudden disruptions while continuing to deliver the organization's mission and enabling it to prosper. This definition, aligned with ISO 22316 and enterprise risk management principles, reflects that resilience goes far beyond any single discipline. Focusing exclusively on IT recovery addresses only one narrow component of a much broader resilience strategy. Maintaining identical operations regardless of change represents organizational rigidity, which is the opposite of resilience since adaptation is a core element. While business continuity planning is an important contributor to resilience, true organizational resilience extends beyond documented plans to encompass organizational culture, leadership commitment, adaptive capacity, strategic flexibility, coordination across management disciplines, and the ability to thrive amid uncertainty rather than merely survive disruptions.
3. Contoso Global is evaluating alternative risk transfer mechanisms for catastrophic natural disaster exposure at its coastal manufacturing facilities. Traditional insurance markets have become prohibitively expensive. Which two alternative risk transfer mechanisms would be MOST appropriate for transferring catastrophic natural disaster risk? (Select two!)
Multiple correct answersExplanation
Catastrophe bonds are specifically designed to transfer catastrophic risk to capital market investors, making them ideal for large-scale natural disaster exposures. Investors receive regular premium payments but lose their principal if a qualifying catastrophic event occurs, providing the issuing company with immediate post-event funding. Contingent capital arrangements provide pre-negotiated access to debt or equity financing following a qualifying event, ensuring liquidity is available when traditional financing may be difficult to obtain after a disaster. A single-parent captive retains risk internally rather than transferring it, which does not address the need to transfer catastrophic exposure. Finite risk programs primarily smooth losses over time rather than transfer catastrophic risk. Weather derivatives for minor temperature fluctuations do not address catastrophic natural disaster exposure.
4. A healthcare organization is implementing Domain C5 (Collaborate with Stakeholders) for a new patient data analytics initiative. Key stakeholders include physicians (concerned about clinical workflow disruption), IT department (concerned about system integration), compliance officer (concerned about HIPAA requirements), patients (concerned about privacy), and board members (focused on ROI). Which stakeholder engagement approach BEST supports effective risk management? (Select one!)
Explanation
Conducting separate risk assessments with each stakeholder group and integrating findings creates a comprehensive risk profile that addresses diverse perspectives and identifies interdependencies between concerns. Domain C5 emphasizes inclusive stakeholder collaboration to uncover risks that might be missed by limited perspectives. Each stakeholder group has valid risk insights based on their expertise and affected interests. Prioritizing only board ROI concerns ignores critical clinical, technical, compliance, and patient privacy risks that could derail the initiative or create significant liabilities. Assigning compliance to evaluate which concerns are legitimate creates hierarchy among stakeholder perspectives and misses valuable risk insights from clinical and technical experts. Focusing exclusively on legal obligations while dismissing operational concerns ignores that workflow disruption and integration failures can lead to clinical errors, system abandonment, or data breaches that violate the very compliance requirements being prioritized.
5. Fabrikam Manufacturing has completed a comprehensive risk assessment and identified 15 high-priority risks. The risk manager is now developing risk treatment plans and needs to select appropriate treatment options. Under ISO 31000:2018, which of the following is a valid risk treatment option that involves deliberately increasing exposure to achieve a potential benefit? (Select one!)
Explanation
ISO 31000:2018 explicitly recognizes taking or increasing risk as a valid risk treatment option when an organization identifies an opportunity that aligns with its objectives and risk appetite. This treatment acknowledges that risk is not solely negative and that organizations may deliberately increase exposure to capture potential benefits. Retaining the risk is a passive acceptance decision rather than actively increasing exposure. Sharing the risk through insurance or partnerships reduces the organization's exposure rather than increasing it. Removing the risk source eliminates the risk entirely, which is the opposite of increasing exposure to pursue opportunities.
You qualify with a risk management bachelor degree plus 1 year of experience, a non-risk bachelor degree plus 3 years, or 6 years of risk management experience with no degree. Final-year students can test but are certified only after finishing the degree and gaining 1 year of experience.
It is $375 for RIMS members and $525 for non-members, each including a $100 non-refundable application fee. Student rates are lower.
There are 120 multiple-choice questions (100 scored plus 20 unscored pretest) in a 2-hour computer-based test, taken at a Pearson VUE center or online via OnVUE.
You need 71% or higher. Only the 100 scored questions count toward your result.
Analyzing the organizational model (16%), designing organizational risk strategies (26%), implementing the risk process (32%), developing organizational risk competency (16%), and supporting decision making (10%).
Recertify every 2 years by earning 50 recertification points, 35 of which must be in professional development, and paying $150 for members or $200 for non-members.
No. Membership is not required, but non-members pay a higher exam fee.
It is a vendor-neutral, ANAB/ISO 17024-accredited enterprise risk management credential recognized internationally, which supports its value for ERM career advancement.
$17.99
One-time access to this exam