Domain 1 Capstone Review: Governance Integration
If you can think through this review, you're thinking the way CRISC expects.
This is not a Section A or Section B recap.
These scenarios blend:
- Strategy
- Structure
- ERM
- Three Lines
- Risk Profile
- Appetite & Tolerance
- Compliance
- Ethics
Every question forces you to ask:
- Is this structural?
- Is this escalation?
- Is this ownership?
- Is this aggregation?
- Is this alignment?
- Is this independence?
Take your time.
Scenario questions (20)
Question 1
An organization launches a strategic expansion into a new region. Risk assessments are conducted separately by each department using different scoring methods. Executive leadership cannot determine overall exposure.
What is the MOST appropriate action?
A. Mitigate the highest individual risk
B. Standardize reporting templates
C. Implement an enterprise-wide risk management framework
D. Delay expansion
Answer & reasoning
Correct: C
The issue is structural inconsistency. ERM provides standardized methodology and enterprise visibility.
Question 2
A high-impact operational risk exceeds defined tolerance levels. Management believes the business benefits justify proceeding and chooses not to escalate.
What governance principle is being violated?
A. Asset classification
B. Risk aggregation
C. Escalation aligned to appetite
D. Control monitoring
Answer & reasoning
Correct: C
Tolerance breaches require formal escalation to leadership.
Question 3
Internal audit identifies repeated control failures but also assists in redesigning the control framework.
What is the PRIMARY governance concern?
A. Weak ERM
B. Excessive risk appetite
C. Compromised independence
D. Poor asset inventory
Answer & reasoning
Correct: C
Audit must remain independent to provide objective assurance.
Question 4
A cloud vendor fails to meet contractual security obligations. Management assumes liability is transferred to the vendor.
What is the MOST significant governance misunderstanding?
A. Risk profile aggregation
B. Organizational accountability remains
C. Risk tolerance definition
D. Encryption standards
Answer & reasoning
Correct: B
Outsourcing does not transfer governance accountability.
Question 5
Each department maintains a risk register. Executive reporting shows no major risks, but multiple medium risks collectively exceed appetite.
What is missing?
A. Additional mitigation
B. Asset reclassification
C. Risk aggregation and enterprise visibility
D. Stronger controls
Answer & reasoning
Correct: C
Risk profile must aggregate exposure across the enterprise.
Question 6
Leadership pressures the risk team to reduce exposure ratings before a board presentation.
What is the MOST appropriate response?
A. Adjust methodology
B. Delay reporting
C. Escalate governance integrity concerns
D. Increase monitoring
Answer & reasoning
Correct: C
Transparency and independence must be preserved.
Question 7
A new regulation is introduced. Without assessing impact, technical teams deploy new controls across all systems.
What governance weakness exists?
A. Over-control
B. Lack of structured compliance impact assessment
C. Weak encryption
D. Excessive tolerance
Answer & reasoning
Correct: B
Impact assessment precedes control implementation.
Question 8
The risk management function formally accepts risk on behalf of the business.
What structural issue exists?
A. Inadequate ERM
B. Improper risk ownership
C. Weak asset classification
D. Insufficient compliance
Answer & reasoning
Correct: B
Risk ownership belongs to business management (first line).
Question 9
Repeated policy violations occur despite documented standards. Leadership rarely enforces corrective action.
What is the MOST appropriate focus?
A. Increase monitoring
B. Strengthen tone at the top and accountability
C. Conduct more audits
D. Add technical safeguards
Answer & reasoning
Correct: B
The issue is cultural and governance-driven, not technical.
Question 10
A high-severity vulnerability is discovered on a low-impact internal system.
What should guide prioritization?
A. CVSS score
B. Industry benchmarks
C. Business impact and asset value
D. Technical complexity
Answer & reasoning
Correct: C
Risk decisions must align with business impact and asset value, not with technical severity alone.
Question 11
Risk reporting occurs only within IT and is not presented to executive leadership.
What governance maturity issue exists?
A. Weak controls
B. Lack of enterprise integration
C. Poor encryption
D. Asset misclassification
Answer & reasoning
Correct: B
ERM requires enterprise visibility and leadership engagement.
Question 12
Tolerance thresholds for system downtime are undefined, but leadership states they have “low appetite for downtime.”
What governance weakness exists?
A. Poor ERM
B. Lack of measurable tolerance
C. Weak compliance
D. Excessive risk appetite
Answer & reasoning
Correct: B
Appetite must be operationalized through measurable tolerance.
Question 13
A department independently interprets regulatory requirements without coordination with compliance.
What is the PRIMARY governance issue?
A. Weak encryption
B. Lack of centralized oversight
C. Poor asset classification
D. Weak monitoring
Answer & reasoning
Correct: B
Compliance requires structured governance oversight.
Question 14
Audit findings are delayed until after a product launch to avoid reputational harm.
What governance principle is MOST compromised?
A. Risk appetite
B. Transparency
C. Asset ownership
D. Risk scoring
Answer & reasoning
Correct: B
Governance requires timely, transparent reporting.
Question 15
Risk exposure trends upward across multiple business units but remains within individual tolerance thresholds.
What should be evaluated FIRST?
A. Immediate mitigation
B. Aggregated exposure against appetite
C. Asset encryption
D. Control automation
Answer & reasoning
Correct: B
Aggregate exposure may exceed appetite even if individual risks do not.
Question 16
The risk function implements remediation controls directly due to resource constraints.
What governance weakness does this indicate?
A. Poor ERM
B. Blurred separation of oversight and execution
C. Weak compliance
D. Asset mismanagement
Answer & reasoning
Correct: B
The second line (the risk function) provides oversight and should not execute controls; execution belongs to the first line.
Question 17
A merger introduces multiple compliance exposures across jurisdictions. Leadership is unaware of combined regulatory risk.
What is the MOST appropriate action?
A. Mitigate highest risk first
B. Perform enterprise-wide regulatory impact assessment
C. Conduct vulnerability scanning
D. Increase monitoring
Answer & reasoning
Correct: B
Impact must be evaluated enterprise-wide before mitigation decisions.
Question 18
A business unit consistently accepts risk without formal documentation.
What governance principle is weakened?
A. Asset classification
B. Structured risk acceptance process
C. Encryption standards
D. Incident response
Answer & reasoning
Correct: B
Risk acceptance must follow formal governance procedures.
Question 19
A risk practitioner is responsible for evaluating a system they designed.
What is the PRIMARY ethical concern?
A. Weak tolerance
B. Conflict of interest
C. Poor compliance
D. Asset misclassification
Answer & reasoning
Correct: B
Independence and objectivity are compromised.
Question 20
Risk management processes differ significantly between subsidiaries with no centralized oversight.
What governance maturity gap is MOST evident?
A. Weak encryption
B. Lack of enterprise-wide ERM framework
C. Poor asset classification
D. Inadequate tolerance definition
Answer & reasoning
Correct: B
ERM ensures consistency across the enterprise.
Domain 1 master pattern
If you struggled with any question, revisit this checklist:
- Did you jump to controls instead of governance?
- Did you ignore escalation?
- Did you miss ownership?
- Did you forget aggregation?
- Did you skip appetite alignment?
- Did you overlook independence?
Domain 1 rewards structural thinking.
If you can do this, you're ready
If you consistently:
- Fix structure before controls
- Escalate tolerance breaches
- Preserve independence
- Align risk to business impact
- Think enterprise-wide
You are thinking the way CRISC expects.