Domain 3 – Section A Review: Risk Response
Identifying risk is analysis.
Responding to risk is leadership.
Section A tests whether you can:
- Select the appropriate response option
- Preserve ownership boundaries
- Govern exceptions properly
- Manage third-party risk
- Escalate when required
- Address emerging risk proactively
This review blends all of those.
Take your time.
10 scenario-based questions
Question 1
A residual risk falls within defined tolerance. Mitigation costs exceed projected financial impact.
What is the MOST appropriate response?
A. Accept formally
B. Mitigate further
C. Transfer
D. Avoid
Answer & reasoning
Correct: A
If residual risk is within tolerance and further mitigation would cost more than the exposure it removes, formal acceptance by the risk owner, documented with a review date, is the appropriate response.
Question 2
The security team identifies a high residual risk and unilaterally blocks a strategic business initiative without executive involvement.
What governance principle may be violated?
A. Risk avoidance
B. Threat modeling
C. Escalation discipline
D. Control design
Answer & reasoning
Correct: C
Stopping a strategic initiative is a business decision. When residual risk is high, security's role is to escalate to the business owner and executive governance, who decide whether to accept, mitigate, or halt; deciding unilaterally bypasses that escalation discipline.
Question 3
A vendor experiences a data breach affecting customer information. The organization claims responsibility lies solely with the vendor.
What is the MOST significant misunderstanding?
A. Inherent risk
B. Poor mitigation
C. Weak BIA
D. Risk transfer eliminates accountability
Answer & reasoning
Correct: D
Outsourcing transfers operational tasks and, contractually, some financial liability; it does not transfer governance accountability to regulators and customers, which stays with the organization.
Question 4
An audit finding identifies a recurring control failure. The remediation plan corrects the issue temporarily but does not address underlying process gaps.
What governance weakness exists?
A. Weak threat modeling
B. Failure to address root cause
C. Excessive appetite
D. Weak inherent risk calculation
Answer & reasoning
Correct: B
A recurring finding shows that remediation treated the symptom; the underlying process gap was never identified or fixed, so the failure returns.
Question 5
A business unit requests a permanent exception to bypass encryption controls for operational efficiency.
What is the MOST appropriate action?
A. Approve indefinitely
B. Require documented, time-bound exception with defined compensating controls
C. Reject immediately
D. Transfer risk to vendor
Answer & reasoning
Correct: B
Exceptions must be documented, justified, time-bound, paired with compensating controls, and re-approved at expiry. A permanent exception is really a policy change and should be handled as one.
Question 6
A new AI platform is introduced without structured risk assessment because “industry peers are already using it.”
What governance weakness exists?
A. Excessive mitigation
B. Weak BIA
C. High inherent risk
D. Failure to evaluate emerging risk
Answer & reasoning
Correct: D
Peer adoption is not a risk assessment. Emerging technologies require structured assessment before deployment.
Question 7
A risk management team directly implements operational controls to speed remediation.
What governance boundary may be blurred?
A. Separation of duties (Three Lines model)
B. Inherent risk evaluation
C. Residual risk tracking
D. Risk appetite
Answer & reasoning
Correct: A
In the Three Lines model the first line (management) owns and operates controls, the second line (risk and compliance) advises and monitors, and the third line (audit) assures. A second-line team that implements controls ends up monitoring its own work.
Question 8
A third-party vendor was properly assessed during onboarding but has not been reviewed in three years despite expanded services.
What is the PRIMARY concern?
A. High inherent risk
B. Weak risk appetite
C. Failure of ongoing monitoring
D. Excessive mitigation
Answer & reasoning
Correct: C
Third-party risk management (TPRM) requires ongoing monitoring and periodic reassessment. An expansion of services is itself a reassessment trigger, since the onboarding review no longer covers the actual exposure.
Question 9
An issue is marked “closed” once remediation begins, but no validation of control effectiveness is performed.
What governance gap exists?
A. Lack of closure validation
B. Weak threat modeling
C. High inherent risk
D. Excessive acceptance
Answer & reasoning
Correct: A
An issue is closed only after the implemented control has been tested and shown effective; starting remediation is a status update, not closure.
Question 10
Multiple moderate risks are individually accepted. Collectively, they begin approaching enterprise appetite limits.
What should be evaluated FIRST?
A. Avoid all moderate risks
B. Increase mitigation spending immediately
C. Transfer remaining risks
D. Aggregated exposure and escalation need
Answer & reasoning
Correct: D
Individually acceptable risks can aggregate into exposure that exceeds enterprise appetite. The first step is to quantify the aggregated exposure and determine whether it must be escalated for governance-level review.
Section A master pattern
When answering Domain 3 Section A questions:
- Business owns risk.
- Security advises.
- Audit assures.
- Escalate when residual exceeds tolerance.
- Exceptions must be documented and time-bound.
- Vendors do not remove accountability.
- Emerging risk requires structured evaluation.
- Root cause > symptom fix.
- Validate remediation before closure.
- Aggregate risk at the enterprise level.
If you default to “add more controls,” you may miss the governance layer.