Domain 2 Capstone Review: Risk Identification & Evaluation

CRISC Domain 2 — IT Risk Assessment | Capstone Review | 35–45 min
If you misidentify the risk, you assess it incorrectly.
If you assess it incorrectly, you govern it poorly.

This review blends all Domain 2 concepts.

Every question tests structure:

  • Threat vs vulnerability vs event vs loss
  • Inherent vs residual
  • Methodology consistency
  • BIA alignment
  • Escalation discipline
  • Root cause vs symptom

Take your time.


20 scenario-based questions


Question 1

An outdated authentication system allows unauthorized access to payroll data, resulting in employee identity theft claims.

What is the risk event?

A. Outdated authentication
B. Identity theft claims
C. Unauthorized access to payroll data
D. Weak monitoring

Answer & reasoning

Correct: C

A = vulnerability (the weakness being exploited)
B = loss result (the consequence, not the event)
C = exposure event (the risk event itself)
D = contributing condition (not stated in the scenario)


Question 2

A control exists but is not performed consistently, resulting in repeated compliance violations.

This represents:

A. Design deficiency
B. Operating deficiency
C. Threat event
D. Residual risk

Answer & reasoning

Correct: B

The control is designed but not operated consistently: an operating deficiency, not a design deficiency.


Question 3

A rare but catastrophic event is identified. Likelihood is low, impact is extreme.

What is MOST important for prioritization?

A. Likelihood only
B. Impact only
C. Combined evaluation
D. Industry frequency

Answer & reasoning

Correct: C

Risk evaluation requires both likelihood and impact.


Question 4

A risk rated as high inherent risk is reduced to moderate residual risk after mitigation. Tolerance threshold is “low.”

What should occur?

A. Close the risk
B. Escalate for evaluation
C. Ignore because controls exist
D. Recalculate inherent risk

Answer & reasoning

Correct: B

Residual exceeds tolerance → escalate.


Question 5

Departments use different scoring scales for risk analysis, preventing enterprise comparison.

What governance weakness exists?

A. Weak BIA
B. Lack of standardized methodology
C. Poor threat modeling
D. Excessive appetite

Answer & reasoning

Correct: B

Standardization enables aggregation.


Question 6

A vendor outage causes payroll delays. The organization did not evaluate vendor dependency in its BIA.

What is the PRIMARY issue?

A. Weak threat modeling
B. Incomplete dependency mapping in BIA
C. High inherent risk
D. Weak encryption

Answer & reasoning

Correct: B

BIA must account for third-party dependencies.


Question 7

A quantitative risk model produces exact financial loss values based on limited historical data.

What is the PRIMARY concern?

A. Excessive tolerance
B. False precision
C. Weak ERM
D. Inaccurate inherent risk

Answer & reasoning

Correct: B

Unreliable inputs create misleading outputs.


Question 8

Which is the BEST risk scenario?

A. Weak firewall
B. External attacker
C. External attacker exploits weak firewall to access sensitive financial records, resulting in reporting delays
D. Reporting delays

Answer & reasoning

Correct: C

Complete scenario: threat + vulnerability + event + impact.


Question 9

Residual risk is assumed low without validating control effectiveness.

What is MOST likely inaccurate?

A. Inherent risk
B. Residual risk
C. Risk appetite
D. Risk aggregation

Answer & reasoning

Correct: B

Residual risk depends on control effectiveness.


Question 10

A system has an MTD of 12 hours and an RTO of 10 hours.

What does this indicate?

A. Misalignment
B. Acceptable recovery objective
C. Excessive mitigation
D. High inherent risk

Answer & reasoning

Correct: B

RTO must be ≤ MTD.


Question 11

Repeated unpatched vulnerabilities persist due to unclear remediation ownership.

What is the MOST significant root cause?

A. Weak scanning
B. Lack of accountability
C. High appetite
D. Weak BIA

Answer & reasoning

Correct: B

Recurring issues usually indicate accountability gaps.


Question 12

A rise in ransomware attacks in the industry occurs prior to cloud migration.

What should occur FIRST?

A. Deploy endpoint tools
B. Reassess threat landscape exposure
C. Escalate to regulators
D. Delay migration

Answer & reasoning

Correct: B

Threat landscape change → reassessment.


Question 13

A risk register removes risks once they fall within tolerance.

What governance weakness exists?

A. Excessive mitigation
B. Weak residual tracking
C. Poor inherent scoring
D. Weak threat modeling

Answer & reasoning

Correct: B

Risks should remain documented.


Question 14

An organization prioritizes risk mitigation based only on financial loss, ignoring regulatory exposure.

What analytical weakness exists?

A. Incomplete impact analysis
B. Weak likelihood scoring
C. Excessive tolerance
D. Poor methodology

Answer & reasoning

Correct: A

Impact must include regulatory and reputational dimensions.


Question 15

A system disruption risk is rated low impact despite BIA identifying the process as critical.

What is MOST likely wrong?

A. Likelihood estimate
B. Impact scoring
C. Inherent risk
D. Threat identification

Answer & reasoning

Correct: B

Impact scoring must align with BIA.


Question 16

Threat modeling excludes insider threats while focusing only on external attackers.

What weakness exists?

A. Poor inherent risk
B. Narrow threat modeling scope
C. Excessive tolerance
D. Weak asset classification

Answer & reasoning

Correct: B

Threat modeling must consider internal and external threats.


Question 17

A risk rated as moderate residual risk is accepted formally and documented.

This represents:

A. Elimination of risk
B. Risk transfer
C. Governance decision aligned to tolerance
D. Inherent risk miscalculation

Answer & reasoning

Correct: C

Acceptance must be formal and aligned to tolerance.


Question 18

An organization uses different criteria for defining “High” impact across subsidiaries.

What governance risk does this create?

A. Weak inherent scoring
B. Inability to aggregate risk consistently
C. Excessive mitigation
D. Threat landscape error

Answer & reasoning

Correct: B

Inconsistent criteria prevent meaningful aggregation.


Question 19

A vulnerability is identified but no corresponding business impact is documented.

What is missing?

A. Threat source
B. Risk event
C. Impact component
D. Control deficiency

Answer & reasoning

Correct: C

Impact must be defined to support assessment.


Question 20

Multiple moderate risks individually fall within tolerance but collectively approach appetite limits.

What should be evaluated?

A. Immediate mitigation of one risk
B. Aggregated exposure
C. Individual inherent scores only
D. Control elimination

Answer & reasoning

Correct: B

Aggregation may exceed appetite even if individual risks do not.


Domain 2 master pattern

If you struggled with any question, revisit:

  • Threat vs vulnerability vs event vs loss
  • Inherent vs residual distinction
  • Control effectiveness validation
  • BIA alignment
  • Standardized methodology
  • Aggregation discipline
  • Escalation rules

Domain 2 is about structured clarity.


If you can pass this

You:

  • Identify risk cleanly.
  • Analyze risk consistently.
  • Evaluate risk against governance standards.
  • Escalate appropriately.
  • Think structurally — not emotionally.

That's CRISC thinking.
