Domain 3: Risk Response and Reporting Capstone Review — 47 of 61

CRISC Domain 3 — Risk Response and Reporting Capstone Review (30–40 min)

Domain 3 tests judgment.
Not technical depth — governance discipline.

These 25 questions are integrated and scenario-heavy.

Slow down.
Think in governance terms.


Questions


1

A residual risk falls within tolerance, but mitigation costs are significant. What is MOST appropriate?

A. Accept formally
B. Mitigate anyway
C. Avoid
D. Transfer entirely

Answer

A — Acceptance within tolerance and cost-benefit alignment.


2

Security implements a control without business approval because risk is “obvious.”

What principle is violated?

A. Control classification
B. Threat modeling
C. Risk ownership discipline
D. Inherent risk scoring

Answer

C — Business owns risk decisions.


3

A vendor breach occurs. Leadership states liability is fully transferred via contract.

What is the most significant misunderstanding?

A. SLA weakness
B. Poor KPI
C. Weak KRI
D. Accountability remains internal

Answer

D — Accountability cannot be outsourced.


4

Access reviews are completed (100% KPI), but review quality errors increase.

What does this indicate?

A. Strong governance
B. KPI masks control degradation
C. Weak inherent risk
D. Excessive mitigation

Answer

B — A KCI issue (review quality) despite KPI strength (completion rate).


5

Control testing reveals encryption applies only to stored data, not transmitted data.

This is:

A. Operating deficiency
B. Design deficiency
C. Risk acceptance
D. Mitigation

Answer

B — Control design incomplete.


6

Multiple moderate risks are accepted individually. Aggregated exposure approaches enterprise tolerance.

What is the first action?

A. Avoid all risks
B. Close risks
C. Increase mitigation spending
D. Evaluate aggregated risk profile

Answer

D — Aggregation matters.


7

A mitigation project is delayed. Residual risk exceeds tolerance. No escalation occurs.

What is the primary governance failure?

A. Escalation discipline
B. Weak KPI
C. Poor BIA
D. Control redundancy

Answer

A — Threshold breach requires escalation.


8

A dashboard shows green status, but underlying data is manually entered without validation.

What is the concern?

A. Weak inherent risk
B. Excessive appetite
C. Data integrity risk
D. Poor control design

Answer

C — Reporting must be validated.


9

A compensating control replaces a primary control. What must occur next?

A. Close risk
B. Transfer risk
C. Document and reassess residual risk
D. Ignore

Answer

C — Compensating controls require validation.


10

Control passes annual testing but interim monitoring shows increasing failures.

This indicates:

A. Emerging operating degradation
B. Monitoring weakness
C. Strong effectiveness
D. Excessive mitigation

Answer

A — Drift in operating effectiveness between annual tests.


11

The board receives raw technical logs without aggregated exposure.

What is the primary issue?

A. KPI design
B. Audience misalignment
C. Weak KRI
D. Excessive control

Answer

B — Reporting must match audience.


12

An exception is granted with no expiration date.

What is the governance weakness?

A. Weak inherent risk
B. Poor KCI
C. Strong mitigation
D. Uncontrolled residual exposure

Answer

D — Exceptions must be time-bound.


13

A KRI shows increasing patch backlog beyond threshold. No action is taken.

This represents:

A. Strong monitoring
B. Proper aggregation
C. Effective mitigation
D. Informational reporting only

Answer

D — Monitoring without action is informational reporting only.


14

A risk manager directly implements operational controls.

This is a violation of:

A. Risk aggregation
B. Three Lines separation
C. KPI structure
D. BIA alignment

Answer

B — The second line should not execute controls.


15

A high-cost preventive control reduces low-impact risk already within tolerance.

This reflects:

A. Excessive appetite
B. Weak threat modeling
C. Cost-benefit misalignment
D. Poor aggregation

Answer

C — Over-control relative to the risk.


16

A risk treatment plan lacks defined metrics.

What is the missing component?

A. Performance measurement
B. Avoidance strategy
C. Risk transfer clause
D. Inherent risk rating

Answer

A — Treatment plans require measurable outcomes.


17

Control failure rates increase across multiple business units simultaneously.

What should be evaluated first?

A. Enterprise systemic exposure
B. Individual issue review
C. Close control
D. Increase inherent risk

Answer

A — An aggregated, systemic trend rather than isolated issues.


18

A new AI platform is deployed without structured assessment.

What is the primary governance issue?

A. Strong innovation
B. Excessive mitigation
C. Failure to evaluate emerging risk
D. Weak KPI

Answer

C — Emerging risk discipline required.


19

An issue is closed once remediation begins, without validation.

What failed?

A. Root cause analysis
B. Escalation
C. Risk identification
D. Closure validation

Answer

D — Effectiveness must be verified.


20

A KCI shows increasing access review execution errors.

This most likely impacts:

A. KPI only
B. KRI over time
C. Inherent risk only
D. Risk avoidance

Answer

B — Control degradation may increase exposure.


21

Vendor assessments are completed (KPI), but vendor SLA breaches are increasing.

This indicates:

A. Strong TPRM
B. Exposure rising despite activity completion
C. Weak inherent risk
D. Excessive mitigation

Answer

B — KPI does not equal exposure control.


22

Residual risk is assumed reduced after implementation without reassessment.

What is the primary issue?

A. Weak threat modeling
B. Proper mitigation
C. Strong control
D. Failure to validate residual risk

Answer

D — Residual risk must be recalculated.


23

Different departments use inconsistent risk scoring scales.

What is the impact?

A. Weak enterprise visibility
B. Strong aggregation
C. Excessive mitigation
D. Control redundancy

Answer

A — Standardization required for aggregation.


24

KRIs are defined but leadership routinely overrides threshold breaches.

This undermines:

A. Design effectiveness
B. KPI discipline
C. Escalation integrity
D. Risk identification

Answer

C — Governance depends on consistent enforcement.


25

An organization tracks the number of incidents (lagging), but not patch backlog trends (leading).

What is the primary weakness?

A. Over-reliance on lagging indicators
B. Strong monitoring
C. Excessive mitigation
D. Poor control design

Answer

A — Leading indicators are necessary for proactive governance.


Domain 3 master pattern

If you remember nothing else:

  • Business owns risk.
  • Controls must be proportionate.
  • Design ≠ implementation ≠ effectiveness.
  • Monitoring must be continuous.
  • KPIs measure performance.
  • KRIs measure exposure.
  • KCIs measure control health.
  • Threshold breaches require escalation.
  • Aggregation matters.
  • Reporting must match audience.
  • Acceptance must be formal.
  • Exceptions must be time-bound.
  • Emerging risk must be evaluated.
  • Validation matters.

Domain 3 rewards governance thinkers — not tool operators.
