What risk analysts do and what interviewers assess
Risk analysts identify, measure, and monitor risks within an organisation. In financial services: credit risk, market risk, liquidity risk, and operational risk. In insurance: actuarial and underwriting risk. In corporate settings: operational risk, supply chain risk, project risk, and enterprise risk management. Interviewers assess: understanding of risk frameworks and methodologies, quantitative skills (particularly in financial risk roles), ability to communicate risk findings clearly to non-specialists, and judgment about risk significance and priority.
Technical and quantitative questions
"What is Value at Risk (VaR) and what are its limitations?" VaR measures the maximum expected loss on a portfolio over a specified time horizon at a given confidence level (e.g., a 1-day 99% VaR of £1m means there is a 1% probability the daily loss will exceed £1m). Limitations: VaR says nothing about the severity of losses beyond the confidence threshold (tail risk), it assumes normal distributions which underestimate fat-tail events, it can encourage false precision, and it can become a self-defeating measure when widely used by similar institutions simultaneously (common exposure risk). The 2008 financial crisis exposed the limitations of VaR models that failed to capture correlated tail risks. "What is the difference between expected loss and unexpected loss in credit risk?" Expected loss (EL) is the average loss a lender expects to incur on a portfolio over a given period: EL = PD x LGD x EAD. It is provisioned for in accounting terms. Unexpected loss (UL) is the variability of losses around the expected loss: it is absorbed by capital, not provisions. Regulatory capital requirements (Basel framework) are primarily designed to cover unexpected losses.
Risk framework questions
"What is an RCSA (Risk and Control Self-Assessment) and how does it work?" RCSA is a structured process used in operational risk management: business units identify their key risks, assess the inherent risk level (before controls), assess the effectiveness of their existing controls, calculate the residual risk level (after controls), and identify any control gaps requiring remediation. The RCSA is typically facilitated by the operational risk function (second line) and signed off by the business unit management (first line). It feeds into the organisation's risk register and operational risk reporting. "What is the Three Lines of Defence model?" First line: business operations that own and manage risks. Second line: risk and compliance functions that provide oversight and challenge. Third line: internal audit that provides independent assurance over the adequacy of both the first and second lines.
Behavioral questions
"Tell me about a risk you identified that others had not noticed and what you did about it." Strong answer: how you found it (data analysis, process review, industry news, escalation from a colleague), how you assessed its significance, how you communicated it (risk register, formal report, conversation with management), and what was done as a result. Show you are proactive about risk rather than waiting for the risk event to materialise. "Describe a time you had to explain a complex risk concept to a non-specialist." Risk analysts must communicate clearly across the organisation: to business heads, board members, and regulators. Show you can translate technical risk concepts into business language without losing important nuance.