{
  "question_text": "When a risk dimension is rated residual-high after controls are applied, what does the assessment framework require?",
  "options": [
    "A documented remediation commitment with a target completion date",
    "Immediate discontinuation of the product or service associated with that dimension",
    "Escalation to the state regulator within 30 days",
    "Reclassification of the dimension as inherent-high pending further review"
  ],
  "correct_answer": "A documented remediation commitment with a target completion date",
  "correct_response": "Correct. Any dimension rated residual-high must be accompanied by a documented remediation commitment that includes a target completion date. This creates an auditable record and drives timely corrective action.",
  "incorrect_response": "A residual-high rating requires a documented remediation commitment with a target completion date — not suspension of operations, regulatory escalation, or reclassification. The documented commitment creates an auditable record and ensures corrective action is completed on a defined schedule.",
  "unsure_response": null,
  "question_bank": [
    {
      "question_text": "How often must you review transaction volume trends as part of the ongoing risk management process?",
      "options": [
        "Quarterly",
        "Annually, as part of the formal assessment",
        "Monthly, aligned with SAR filing cycles",
        "Only when an out-of-cycle assessment is triggered"
      ],
      "correct_answer": "Quarterly",
      "correct_response": "Correct. Transaction volume trends are reviewed quarterly. A sustained shift of 20% or more in volume, product mix, or customer segment triggers an out-of-cycle assessment.",
      "incorrect_response": "Transaction volume trends must be reviewed quarterly — not only at the annual assessment or only when a trigger occurs. Quarterly review ensures monitoring thresholds stay calibrated to current activity and that a 20% sustained shift is caught before it goes unaddressed.",
      "unsure_response": null
    },
    {
      "question_text": "Before launching a new product, service, delivery channel, or location, which assessment methodology applies?",
      "options": [
        "The same five-step methodology used for the annual assessment",
        "A simplified two-step review covering scope and inherent risk only",
        "An informal checklist review without formal documentation",
        "A post-launch review completed within 90 days of the launch date"
      ],
      "correct_answer": "The same five-step methodology used for the annual assessment",
      "correct_response": "Correct. Pre-launch risk assessments follow the same five-step methodology: define scope, assess inherent risk, evaluate controls, calculate residual risk, and document and recommend.",
      "incorrect_response": "Pre-launch assessments use the full five-step methodology — not a simplified checklist or a post-launch review. This ensures new risk is fully identified and controlled before it becomes operational exposure.",
      "unsure_response": null
    }
  ],
  "enrichment_content": "<p><strong>Residual risk ratings:</strong> Each risk dimension receives two ratings — an inherent risk rating (before controls) and a residual risk rating (after controls). If any dimension is rated residual-high, a documented remediation commitment with a target completion date is required.</p><p><strong>Control ratings scale:</strong> Each mitigating control is rated as <strong>strong</strong>, <strong>adequate</strong>, or <strong>needs improvement</strong>. Controls include CIP procedures, OFAC screening, monitoring thresholds, SAR/CTR filing, EDD protocols, and staff training.</p><p><strong>Transaction volume:</strong> Review trends quarterly. A sustained shift of 20% or more in volume, product mix, or customer segment triggers an out-of-cycle assessment.</p>"
}