Domain 3 Capstone: Risk Response & Reporting
Domain 3 tests judgment.
Not technical depth — governance discipline.
These 25 questions are integrated and scenario-heavy.
Slow down.
Think in governance terms.
Questions
1. A residual risk falls within tolerance, but mitigation costs are significant. What is MOST appropriate?
A. Avoid
B. Mitigate anyway
C. Accept formally
D. Transfer entirely
Answer
C — Acceptance within tolerance and cost-benefit alignment.
2. Security implements a control without business approval because the risk is "obvious."
What principle is violated?
A. Control classification
B. Risk ownership discipline
C. Threat modeling
D. Inherent risk scoring
Answer
B — Business owns risk decisions.
3. A vendor breach occurs. Leadership states liability is fully transferred via contract.
What is the most significant misunderstanding?
A. SLA weakness
B. Accountability remains internal
C. Weak KRI
D. Poor KPI
Answer
B — Accountability cannot be outsourced.
4. Access reviews are completed (100% KPI), but review quality errors increase.
What does this indicate?
A. Strong governance
B. KPI masks control degradation
C. Weak inherent risk
D. Excessive mitigation
Answer
B — KCI issue despite KPI strength.
5. Control testing reveals encryption applies only to stored data, not transmitted data.
This is:
A. Operating deficiency
B. Design deficiency
C. Risk acceptance
D. Mitigation
Answer
B — Control design incomplete.
6. Multiple moderate risks are accepted individually. Aggregated exposure approaches enterprise tolerance.
What is the first action?
A. Avoid all risks
B. Evaluate aggregated risk profile
C. Increase mitigation spending
D. Close risks
Answer
B — Aggregation matters.
7. A mitigation project is delayed. Residual risk exceeds tolerance. No escalation occurs.
What is the primary governance failure?
A. Weak KPI
B. Escalation discipline
C. Poor BIA
D. Control redundancy
Answer
B — Threshold breach requires escalation.
8. A dashboard shows green status, but the underlying data is manually entered without validation.
What is the concern?
A. Weak inherent risk
B. Data integrity risk
C. Excessive appetite
D. Poor control design
Answer
B — Reporting must be validated.
9. A compensating control replaces a primary control. What must occur next?
A. Close risk
B. Document and reassess residual risk
C. Transfer risk
D. Ignore
Answer
B — Compensating controls require validation.
10. A control passes annual testing, but interim monitoring shows increasing failures.
This indicates:
A. Strong effectiveness
B. Monitoring weakness
C. Emerging operating degradation
D. Excessive mitigation
Answer
C — Drift between tests.
11. The board receives raw technical logs without aggregated exposure.
What is the primary issue?
A. KPI design
B. Audience misalignment
C. Weak KRI
D. Excessive control
Answer
B — Reporting must match audience.
12. An exception is granted with no expiration date.
What is the governance weakness?
A. Weak inherent risk
B. Uncontrolled residual exposure
C. Strong mitigation
D. Poor KCI
Answer
B — Exceptions must be time-bound.
13. A KRI shows the patch backlog increasing beyond threshold. No action is taken.
This represents:
A. Strong monitoring
B. Informational reporting only
C. Effective mitigation
D. Proper aggregation
Answer
B — Monitoring without action.
14. The risk manager directly implements operational controls.
This is a violation of:
A. Risk aggregation
B. Three Lines separation
C. KPI structure
D. BIA alignment
Answer
B — Second line should not execute.
15. A high-cost preventive control reduces a low-impact risk that is already within tolerance.
This reflects:
A. Excessive appetite
B. Cost-benefit misalignment
C. Weak threat modeling
D. Poor aggregation
Answer
B — Over-control.
16. A risk treatment plan lacks defined metrics.
What component is missing?
A. Avoidance strategy
B. Performance measurement
C. Risk transfer clause
D. Inherent risk rating
Answer
B — Treatment plans require measurable outcomes.
17. Control failure rates increase across multiple business units simultaneously.
What should be evaluated first?
A. Individual issue review
B. Enterprise systemic exposure
C. Close control
D. Increase inherent risk
Answer
B — Aggregated systemic trend.
18. A new AI platform is deployed without a structured assessment.
What is the primary governance issue?
A. Strong innovation
B. Failure to evaluate emerging risk
C. Excessive mitigation
D. Weak KPI
Answer
B — Emerging risk discipline required.
19. An issue is closed once remediation begins, without validation.
What failed?
A. Root cause analysis
B. Closure validation
C. Risk identification
D. Escalation
Answer
B — Effectiveness must be verified.
20. A KCI shows increasing access review execution errors.
This most likely impacts:
A. KPI only
B. KRI over time
C. Inherent risk only
D. Risk avoidance
Answer
B — Control degradation may increase exposure.
21. Vendor assessments are completed (KPI), but vendor SLA breaches are increasing.
This indicates:
A. Strong TPRM
B. Exposure rising despite activity completion
C. Weak inherent risk
D. Excessive mitigation
Answer
B — KPI does not equal exposure control.
22. Residual risk is assumed to be reduced after implementation, without reassessment.
What is the primary issue?
A. Weak threat modeling
B. Failure to validate residual risk
C. Strong control
D. Proper mitigation
Answer
B — Residual risk must be recalculated.
23. Different departments use inconsistent risk scoring scales.
What is the impact?
A. Strong aggregation
B. Weak enterprise visibility
C. Excessive mitigation
D. Control redundancy
Answer
B — Standardization required for aggregation.
24. KRIs are defined, but leadership routinely overrides threshold breaches.
This undermines:
A. Design effectiveness
B. Escalation integrity
C. KPI discipline
D. Risk identification
Answer
B — Governance depends on consistent enforcement.
25. An organization tracks the number of incidents (lagging), but not patch backlog trends (leading).
What is the primary weakness?
A. Strong monitoring
B. Over-reliance on lagging indicators
C. Excessive mitigation
D. Poor control design
Answer
B — Leading indicators are necessary for proactive governance.
Domain 3 master pattern
If you remember nothing else:
- Business owns risk.
- Controls must be proportionate.
- Design ≠ implementation ≠ effectiveness.
- Monitoring must be continuous.
- KPIs measure performance.
- KRIs measure exposure.
- KCIs measure control health.
- Threshold breaches require escalation.
- Aggregation matters.
- Reporting must match audience.
- Acceptance must be formal.
- Exceptions must be time-bound.
- Emerging risk must be evaluated.
- Validation matters.
Domain 3 rewards governance thinkers — not tool operators.