
Domain 2 Capstone Review: Risk Identification & Evaluation

CRISC Domain 2 — IT Risk Assessment Capstone Review (35–45 min)
If you misidentify the risk, you assess it incorrectly.
If you assess it incorrectly, you govern it poorly.

This review blends all Domain 2 concepts.

Every question tests structure:

  • Threat vs vulnerability vs event vs loss
  • Inherent vs residual
  • Methodology consistency
  • BIA alignment
  • Escalation discipline
  • Root cause vs symptom

Take your time.


20 scenario-based questions


Question 1

A. Outdated authentication
B. Identity theft claims
C. Unauthorized access to payroll data
D. Weak monitoring

Answer & reasoning

Correct: C

A = vulnerability (the weakness, not the risk itself)
B = loss result (the consequence, not the risk itself)
C = exposure event (the risk: unauthorized access to the asset)
D = contributing condition (weak monitoring enables the event, but is not the risk)


Question 2

A. Operating deficiency
B. Design deficiency
C. Threat event
D. Residual risk

Answer & reasoning

Correct: A

The control exists and is designed correctly but fails in operation, so this is an operating deficiency rather than a design deficiency.


Question 3

A. Likelihood only
B. Combined evaluation
C. Impact only
D. Industry frequency

Answer & reasoning

Correct: B

Risk evaluation requires both likelihood and impact.


Question 4

A. Close the risk
B. Ignore because controls exist
C. Recalculate inherent risk
D. Escalate for evaluation

Answer & reasoning

Correct: D

Residual exceeds tolerance → escalate.


Question 5

A. Lack of standardized methodology
B. Weak BIA
C. Poor threat modeling
D. Excessive appetite

Answer & reasoning

Correct: A

A standardized methodology makes individual results comparable, which is what enables aggregation.


Question 6

What is the PRIMARY issue?

A. Weak threat modeling
B. High inherent risk
C. Weak encryption
D. Incomplete dependency mapping in BIA

Answer & reasoning

Correct: D

BIA must account for third-party dependencies.


Question 7

A. Excessive tolerance
B. False precision
C. Weak ERM
D. Inaccurate inherent risk

Answer & reasoning

Correct: B

Unreliable inputs create misleading outputs.


Question 8

A. Weak firewall
B. External attacker
C. External attacker exploits weak firewall to access sensitive financial records, resulting in reporting delays
D. Reporting delays

Answer & reasoning

Correct: C

Complete scenario: threat + vulnerability + event + impact.


Question 9

A. Inherent risk
B. Residual risk
C. Risk appetite
D. Risk aggregation

Answer & reasoning

Correct: B

Residual risk depends on control effectiveness.


Question 10

A. Acceptable recovery objective
B. Misalignment
C. Excessive mitigation
D. High inherent risk

Answer & reasoning

Correct: A

RTO must be ≤ MTD.


Question 11

Repeated unpatched vulnerabilities persist due to unclear remediation ownership.

What is the MOST significant root cause?

A. Weak scanning
B. High appetite
C. Weak BIA
D. Lack of accountability

Answer & reasoning

Correct: D

Recurring issues usually indicate accountability gaps.


Question 12

A. Deploy endpoint tools
B. Escalate to regulators
C. Reassess threat landscape exposure
D. Delay migration

Answer & reasoning

Correct: C

Threat landscape change → reassessment.


Question 13

A. Excessive mitigation
B. Poor inherent scoring
C. Weak threat modeling
D. Weak residual tracking

Answer & reasoning

Correct: D

Risks should remain documented so that residual exposure continues to be tracked.


Question 14

An organization prioritizes risk mitigation based only on financial loss, ignoring regulatory exposure.

What analytical weakness exists?

A. Weak likelihood scoring
B. Excessive tolerance
C. Incomplete impact analysis
D. Poor methodology

Answer & reasoning

Correct: C

Impact must include regulatory and reputational dimensions.


Question 15

A. Likelihood estimate
B. Impact scoring
C. Inherent risk
D. Threat identification

Answer & reasoning

Correct: B

Impact scoring must align with BIA.


Question 16

Threat modeling excludes insider threats while focusing only on external attackers.

What weakness exists?

A. Narrow threat modeling scope
B. Poor inherent risk
C. Excessive tolerance
D. Weak asset classification

Answer & reasoning

Correct: A

Threat modeling must consider internal and external threats.


Question 17

A. Elimination of risk
B. Risk transfer
C. Governance decision aligned to tolerance
D. Inherent risk miscalculation

Answer & reasoning

Correct: C

Acceptance must be formal and aligned to tolerance.


Question 18

A. Weak inherent scoring
B. Inability to aggregate risk consistently
C. Excessive mitigation
D. Threat landscape error

Answer & reasoning

Correct: B

Inconsistent criteria prevent meaningful aggregation.


Question 19

A. Impact component
B. Threat source
C. Risk event
D. Control deficiency

Answer & reasoning

Correct: A

Impact must be defined to support assessment.


Question 20

A. Immediate mitigation of one risk
B. Individual inherent scores only
C. Control elimination
D. Aggregated exposure

Answer & reasoning

Correct: D

Aggregation may exceed appetite even if individual risks do not.


Domain 2 master pattern

If you struggled with any question, revisit:

  • Threat vs vulnerability vs event vs loss
  • Inherent vs residual distinction
  • Control effectiveness validation
  • BIA alignment
  • Standardized methodology
  • Aggregation discipline
  • Escalation rules

Domain 2 is about structured clarity.


If you can pass this

You:

  • Identify risk cleanly.
  • Analyze risk consistently.
  • Evaluate risk against governance standards.
  • Escalate appropriately.
  • Think structurally — not emotionally.

That's CRISC thinking.

Next module: Module 22: Risk Treatment / Risk Response Options