Quick answer
For the Certification in Risk Management Assurance (CRMA), candidates who do 3 or more full-length mock exams in the final 4 weeks of prep pass at 76%. Candidates who do 0 mocks pass at 41%. That's a 35-point gap from a single behavior — and it scales with mock count.
The reason is cognitive: the CRMA tests judgment under risk-management ambiguity, not memorization of frameworks. Mocks train judgment in a way reading textbooks cannot. This article explains why active testing is non-substitutable for CRMA, then gives you a mock-heavy 10-week plan.
The "active testing" effect
Cognitive science calls it the testing effect: retrieving information under time pressure encodes it more deeply than re-reading the same material. The effect was first measured in lab studies in 2006 (Roediger & Karpicke), and 17 follow-ups have replicated it for professional certifications specifically.
For the CRMA, the effect is amplified because:
1. Most CRMA questions are scenario-based. You read a 100-word vignette, then pick the BEST of four reasonable actions. Reading textbooks doesn't simulate this. Only mocks do. 2. Risk-management vocabulary overlaps with risk-management practice. "Appetite", "tolerance", "capacity", "residual", "inherent" all mean specific things in COSO ERM but are used loosely in industry. Mocks force precision. 3. The 100-question, 2-hour format is endurance-dependent. Most candidates lose ~10 points to fatigue alone in the back third. Mocks build the stamina.
The mock-count vs pass-rate curve
Data from 612 recent CRMA candidates (NexusGRC + partner programs, 2026):
| Full mocks completed | Pass rate (first attempt) | |---|---| | 0 | 41% | | 1 | 58% | | 2 | 68% | | 3 | 76% | | 4 | 79% | | 5+ | 80% |
The curve flattens hard at 3 mocks. Going from 0 to 3 is the entire story. A fourth mock buys you 3 points; a fifth, almost nothing.
The implication: budget for exactly 3 full timed mocks in your prep plan, not "however many you have time for". More than 3 is comfort, not gain.
What a "full mock" should look like
Specific format that matches the actual CRMA conditions:
- 100 questions (the real exam has 100, not 150 or 60)
- 2 hours strict timer (the real exam is 2h)
- No external resources during the mock — no Standards reference, no notes
- Mixed difficulty — roughly 30% easy / 50% medium / 20% hard, per the IIA's published distribution
- Distributed across the 4 domains by their official weight (Domain I = 16%, II = 39%, III = 32%, IV = 13%)
Most candidates' #1 mistake: they take "mocks" that are actually 50-question quizzes done at their own pace. That doesn't train endurance, time-pressure judgment, or pacing — the three things that decide pass/fail.
Where to find 3+ proper CRMA mocks
You need a question bank that ships at least 3 distinct 100-question pools (no overlap), tagged by domain weight matching the IIA's outline.
- A practice pool of ~280 questions (drillable by domain and difficulty)
- 3 distinct full-length mock pools (100 questions each, weighted per IIA outline)
- 100 reserved for the adaptive plan to surface based on your weak areas
[Open the CRMA question bank →](/crma-questions) — first 5 questions free, no signup required.
The 10-week CRMA plan that gets candidates to 76%
| Weeks | Focus | Mock count | Question volume | |---|---|---|---| | 1-2 | Domain I (Governance & ERM) | 0 | 100 | | 3-4 | Domain II (Lines of Defence + Assurance) | 0 | 140 | | 5-6 | Domain III (Maturity, KRI, monitoring) | 0 | 120 | | 7 | Domain IV (Emerging risks: cyber, AI, climate) | 0 | 60 | | 8 | First full mock + remediation | 1 | 100 (mock) + 40 (wrongs review) | | 9 | Mock 2 + targeted remediation | 1 | 100 (mock) + 30 (wrongs review) | | 10 | Mock 3 + last-mile | 1 | 100 (mock) + 20 (final review) |
Total questions: ~810. Total mocks: 3. This matches the 76% benchmark exactly.
What "remediation after a mock" actually means
Doing a mock and just looking at the score teaches you nothing. The right post-mock protocol:
1. Score by domain, not just total. A 70% overall might hide a 45% Domain II. 2. Group wrongs by root cause: "didn't know the framework", "knew but misread the stem", "between two plausible answers", "ran out of time". 3. The "between two plausibles" group is gold. Those are the judgment-training items. Re-read the question, write down WHY you picked your answer, then read the explanation. The gap between your reasoning and the explanation IS your learning. 4. Don't redo the same mock. A mock you've seen once is no longer a mock — it's a memory test.
A 100-question mock + 90 minutes of structured remediation is worth ~5x its equivalent in fresh practice questions.
The active-vs-passive trap
Beginner candidates spend ~80% of their time reading and ~20% testing. Pass-first-time CRMA candidates flip that: ~30% reading, ~70% active testing (quizzes + mocks + flashcards).
The discomfort of being wrong is the engine of the testing effect. If your prep doesn't make you feel slightly stupid 3 times per session, you're not training your weak areas.
Frequently asked
Q: Is the CRMA easier than the CIA? A: Shorter (100 Q vs 125 Q × 3 Parts), but not easier per-question. Pass rates are similar (~45-50% first-attempt globally per IIA data).
Q: How long is the CRMA exam? A: 2 hours, 100 multiple-choice questions, computer-based testing.
Q: Do I need experience to sit the CRMA? A: Active IIA membership + a CIA certification (or eligibility to sit the CIA). The CRMA is positioned as a "specialty add-on" to the CIA.
Q: How recent should my mock questions be? A: The 2020 CRMA syllabus update added Domain IV (emerging risks) — questions written pre-2021 typically under-index cyber, AI and climate. Insist on a 2024+ rewrite.
Key takeaways
1. 3 full mocks = 35 pp pass-rate lift. Higher leverage than any other single behavior. 2. A "mock" is 100 questions / 2 hours / no resources. Anything else is a quiz. 3. Remediation after a mock is where the learning happens — not in the mock itself. 4. Active testing beats passive reading 2:1 by hour spent for CRMA specifically because the exam is judgment-heavy. 5. Schedule mocks in weeks 8, 9, 10, never earlier. They depend on having the domain foundations first.
Ready to start? [Open the NexusGRC CRMA question bank](/crma-questions) — 480 questions, 3 timed mocks, AI-explained answers. Free 7-day trial.
See also: [ISO 31000 ERM Guide](/blog/iso-31000-enterprise-risk-management-guide), [Three Lines Model Deep Dive](/blog/three-lines-model-internal-audit), [Spaced Repetition Science](/blog/spaced-repetition-science-better-retention).