CIMA Strategic Level, Unit 02
P3: Risk Management
P3 covers the identification, assessment, and management of risk at a strategic level. You will study enterprise risk management frameworks, strategic and cyber risk, internal control systems, and risk management processes and tools. This is the Performance pillar subject at Strategic level, examined through a 90-minute objective test.
What's in it
Five topics:
- Topic 01: Risk Management Process and Tools (53 questions)
- Topic 02: Enterprise Risk (43 questions)
- Topic 03: Strategic Risk (45 questions)
- Topic 04: Cyber Risk (41 questions)
- Topic 05: Internal Controls (68 questions)
Sample questions
Three of many. A few questions from this unit, with the answer and a full explanation. The complete bank is available when you start practising.
A manufacturing company discovers that one of its suppliers has been using child labour in violation of international labour standards. The company's code of conduct prohibits such practices, but there is no immediate legal liability under the company's home jurisdiction. The supplier provides 40% of a critical component and switching suppliers would take 9-12 months. Which risk classification and response strategy is most appropriate?
- This is primarily a compliance risk (an ethical and reputational breach) requiring immediate risk avoidance, i.e. ending the supplier relationship despite the operational disruption, because it violates the company's stated ethical standards [Correct answer]
- This is primarily an operational risk requiring a reduce strategy by diversifying suppliers over the 9-12 month transition period
- This is a strategic risk that should be accepted temporarily while maintaining the supplier relationship and implementing monitoring controls
- This is a reputational risk only, requiring a communications strategy rather than operational changes
Explanation: Although there is no immediate legal liability in the home jurisdiction, this situation represents compliance risk because it violates the company's own ethical code of conduct and international labour standards (such as ILO conventions). Modern enterprise risk management recognises that compliance extends beyond legal requirements to include ethical obligations and ESG commitments.
The appropriate response is risk avoidance: terminating the supplier relationship despite significant operational disruption. The reputational damage and stakeholder consequences of continuing the relationship would far exceed the operational costs of switching suppliers. The company's stated commitment creates a binding ethical obligation that must be upheld.
This question tests understanding of:
- Compliance risk extending beyond legal requirements to ethical and ESG commitments
- Risk response prioritisation when competing risks conflict (operational vs. compliance)
- The board's duty to uphold stated values even at operational cost
A company has identified three risks: Risk A (high probability, low impact), Risk B (medium probability, medium impact), and Risk C (low probability, high impact). Using a probability-impact matrix, which risk(s) should be prioritised first?
- Risk A only, because prevention is better than cure
- Risk A only, because it is most likely to occur
- Only Risk C, because high impact always takes priority
- Risk B and Risk C, as they both fall in or near the red zone requiring immediate attention [Correct answer]
Explanation: On a probability-impact matrix, risks are prioritised by their position on the grid, not by probability or impact alone. Risk B (medium/medium) and Risk C (low/high) typically fall in the red or yellow zones requiring attention, while Risk A (high/low) usually falls in the green or yellow zone. High-impact risks like Risk C must be managed even if probability is low, because the consequences could be catastrophic; a matrix weighted towards impact captures this where a simple probability-times-impact score would not (it scores Risk A and Risk C identically). Risk B represents a balanced threat requiring action. The matrix makes this prioritisation visible at a glance.
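The matrix logic behind this question, as an added Python example that is not part of the course material. It contrasts a bare probability-times-impact score with an impact-weighted zone map; the zone map itself, the three-point scale and the three sample risks are assumptions constructed to match the question, and a real organisation calibrates its own map.

```python
"""Probability-impact matrix prioritisation (added example, not course material).

Each risk is rated on an assumed three-point probability and impact scale.
Two ways of turning the ratings into a priority are compared:
  * a bare product score (probability x impact), which is symmetric and so
    cannot separate low-probability/high-impact from high-probability/low-impact;
  * an impact-weighted zone map, where any high-impact risk is red whatever
    its probability. The map below is an assumed calibration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Risk:
    name: str
    probability: Level
    impact: Level


# Assumed zone map, indexed ZONE_MAP[impact][probability]. Impact dominates:
# high impact is red at any probability; low impact stays green at any probability.
ZONE_MAP = {
    Level.HIGH:   {Level.LOW: "red",   Level.MEDIUM: "red",    Level.HIGH: "red"},
    Level.MEDIUM: {Level.LOW: "green", Level.MEDIUM: "yellow", Level.HIGH: "red"},
    Level.LOW:    {Level.LOW: "green", Level.MEDIUM: "green",  Level.HIGH: "green"},
}
ZONE_RANK = {"green": 0, "yellow": 1, "red": 2}


def product_score(risk: Risk) -> int:
    """Naive score: probability x impact (ties Risk A with Risk C)."""
    return int(risk.probability) * int(risk.impact)


def zone(risk: Risk) -> str:
    """Zone from the impact-weighted matrix."""
    return ZONE_MAP[risk.impact][risk.probability]


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order for attention: zone first, then impact, then probability."""
    return sorted(
        risks,
        key=lambda r: (ZONE_RANK[zone(r)], int(r.impact), int(r.probability)),
        reverse=True,
    )


def needs_attention(risks: list[Risk]) -> list[str]:
    """Names of risks in the red or yellow zone, highest priority first."""
    return [r.name for r in prioritize(risks) if zone(r) != "green"]


# Constructed sample matching the question above.
SAMPLE_RISKS = [
    Risk("Risk A", Level.HIGH, Level.LOW),
    Risk("Risk B", Level.MEDIUM, Level.MEDIUM),
    Risk("Risk C", Level.LOW, Level.HIGH),
]


if __name__ == "__main__":
    by_product = [r.name for r in sorted(SAMPLE_RISKS, key=product_score, reverse=True)]
    print("product-score ranking:", by_product)
    print("matrix ranking:       ", [r.name for r in prioritize(SAMPLE_RISKS)])
    print("needs attention:      ", needs_attention(SAMPLE_RISKS))
    for r in SAMPLE_RISKS:
        print(f"{r.name}: score={product_score(r)} zone={zone(r)}")
```

Run it and the product score ranks Risk B first with Risk A and Risk C tied, while the matrix ranks Risk C, then Risk B, with Risk A left in the green zone, which is the ordering the correct answer relies on.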
A manufacturing company has established a mature risk management process with quarterly risk assessments, detailed risk registers, and board-level reporting. However, a major supply chain disruption recently occurred that was not on any risk register. The board is reviewing why this risk was missed. Which aspect of risk identification MOST likely failed?
- The systematic risk identification process was not comprehensive enough to capture emerging external environment risks [Correct answer]
- The risk response planning failed to establish adequate contingency arrangements
- The risk assessment methodology used incorrect probability calculations for supply chain events
- The risk reporting format did not effectively communicate supply chain risks to the board
Explanation: This scenario highlights a failure in the risk identification step itself; the risk was never identified and therefore never appeared on the risk register. While the company had mature processes for assessing, responding to, monitoring, and reporting risks, those steps can only address risks that have already been identified. The supply chain disruption represents an emerging external risk that should have been captured through comprehensive identification techniques such as horizon scanning, external environment analysis, or scenario planning. This demonstrates why risk identification must be both systematic and comprehensive, covering internal operations, external environment changes, and strategic initiatives.
Frequently asked questions
What topics are covered in CIMA P3?
P3 covers five areas: the risk management process and tools, enterprise risk management (ERM), strategic risk including reputational and political risk, cyber risk and data security, and internal controls including audit and assurance.
How is the P3 exam structured?
P3 is a 90-minute computer-based objective test containing 60 questions. Question types include multiple choice, multiple response, drag and drop, and number entry. It is available on demand at Pearson VUE test centres.
What is the pass mark for P3?
You need to score at least 70% to pass the P3 objective test. Results are available immediately after completing the exam.
Does P3 cover cyber security?
Yes, cyber risk is a dedicated topic within P3 covering threats, vulnerabilities, data protection, business continuity, and the role of management accountants in managing cyber risk. This reflects the growing importance of digital risk in modern organisations.