Domain 1 Capstone Review: Governance Integration
If you can think through this review, you're thinking the way CRISC expects.
This is not a Section A or Section B recap.
These scenarios blend:
- Strategy
- Structure
- ERM
- Three Lines
- Risk Profile
- Appetite & Tolerance
- Compliance
- Ethics
Every question forces you to ask:
- Is this structural?
- Is this escalation?
- Is this ownership?
- Is this aggregation?
- Is this alignment?
- Is this independence?
Take your time.
Scenario questions (20)
Question 1
A. Mitigate the highest individual risk
B. Standardize reporting templates
C. Implement an enterprise-wide risk management framework
D. Delay expansion
Answer & reasoning
Correct: C
The issue is structural inconsistency. ERM provides standardized methodology and enterprise visibility.
Question 2
A high-impact operational risk exceeds defined tolerance levels. Management believes the business benefits justify proceeding and chooses not to escalate.
What governance principle is being violated?
A. Asset classification
B. Escalation aligned to appetite
C. Risk aggregation
D. Control monitoring
Answer & reasoning
Correct: B
Tolerance breaches require formal escalation to leadership.
Question 3
A. Compromised independence
B. Weak ERM
C. Excessive risk appetite
D. Poor asset inventory
Answer & reasoning
Correct: A
Audit must remain independent to provide objective assurance.
Question 4
A. Risk profile aggregation
B. Risk tolerance definition
C. Encryption standards
D. Organizational accountability remains
Answer & reasoning
Correct: D
Outsourcing does not transfer governance accountability.
Question 5
A. Risk aggregation and enterprise visibility
B. Additional mitigation
C. Asset reclassification
D. Stronger controls
Answer & reasoning
Correct: A
The risk profile must aggregate exposure across the enterprise.
Question 6
A. Adjust methodology
B. Delay reporting
C. Escalate governance integrity concerns
D. Increase monitoring
Answer & reasoning
Correct: C
Transparency and independence must be preserved.
Question 7
A. Over-control
B. Weak encryption
C. Excessive tolerance
D. Lack of structured compliance impact assessment
Answer & reasoning
Correct: D
Impact assessment precedes control implementation.
Question 8
The risk management function formally accepts risk on behalf of the business.
What structural issue exists?
A. Inadequate ERM
B. Improper risk ownership
C. Weak asset classification
D. Insufficient compliance
Answer & reasoning
Correct: B
Risk ownership belongs to business management (first line).
Question 9
A. Increase monitoring
B. Conduct more audits
C. Add technical safeguards
D. Strengthen tone at the top and accountability
Answer & reasoning
Correct: D
The issue is cultural and governance-driven, not technical.
Question 10
A. CVSS score
B. Business impact and asset value
C. Industry benchmarks
D. Technical complexity
Answer & reasoning
Correct: B
Risk decisions must align with business impact.
Question 11
Risk reporting occurs only within IT and is not presented to executive leadership.
What governance maturity issue exists?
A. Lack of enterprise integration
B. Weak controls
C. Poor encryption
D. Asset misclassification
Answer & reasoning
Correct: A
ERM requires enterprise visibility and leadership engagement.
Question 12
A. Poor ERM
B. Weak compliance
C. Lack of measurable tolerance
D. Excessive risk appetite
Answer & reasoning
Correct: C
Appetite must be operationalized through measurable tolerance.
Question 13
A. Weak encryption
B. Lack of centralized oversight
C. Poor asset classification
D. Weak monitoring
Answer & reasoning
Correct: B
Compliance requires structured governance oversight.
Question 14
A. Risk appetite
B. Asset ownership
C. Risk scoring
D. Transparency
Answer & reasoning
Correct: D
Governance requires timely, transparent reporting.
Question 15
A. Immediate mitigation
B. Asset encryption
C. Aggregated exposure against appetite
D. Control automation
Answer & reasoning
Correct: C
Aggregate exposure may exceed appetite even if individual risks do not.
Question 16
The risk function implements remediation controls directly due to resource constraints.
What governance weakness does this indicate?
A. Blurred separation of oversight and execution
B. Poor ERM
C. Weak compliance
D. Asset mismanagement
Answer & reasoning
Correct: A
The second line should not execute controls.
Question 17
A merger introduces multiple compliance exposures across jurisdictions. Leadership is unaware of combined regulatory risk.
What is the MOST appropriate action?
A. Mitigate highest risk first
B. Conduct vulnerability scanning
C. Perform enterprise-wide regulatory impact assessment
D. Increase monitoring
Answer & reasoning
Correct: C
Impact must be evaluated enterprise-wide before mitigation decisions.
Question 18
A. Structured risk acceptance process
B. Asset classification
C. Encryption standards
D. Incident response
Answer & reasoning
Correct: A
Risk acceptance must follow formal governance procedures.
Question 19
A. Weak tolerance
B. Conflict of interest
C. Poor compliance
D. Asset misclassification
Answer & reasoning
Correct: B
Independence and objectivity are compromised.
Question 20
A. Weak encryption
B. Poor asset classification
C. Inadequate tolerance definition
D. Lack of enterprise-wide ERM framework
Answer & reasoning
Correct: D
ERM ensures consistency across the enterprise.
Domain 1 master pattern
If you struggled with any question, revisit this checklist:
- Did you jump to controls instead of governance?
- Did you ignore escalation?
- Did you miss ownership?
- Did you forget aggregation?
- Did you skip appetite alignment?
- Did you overlook independence?
Domain 1 rewards structural thinking.
If you can do this, you're ready
If you consistently:
- Fix structure before controls
- Escalate tolerance breaches
- Preserve independence
- Align risk to business impact
- Think enterprise-wide
You are thinking the way CRISC expects.