Domain 3 – Section A Review: Risk Response
Identifying risk is analysis.
Responding to risk is leadership.
Section A tests whether you can:
- Select the appropriate response option
- Preserve ownership boundaries
- Govern exceptions properly
- Manage third-party risk
- Escalate when required
- Address emerging risk proactively
This review blends all of those.
Take your time.
10 scenario-based questions
Question 1
A residual risk falls within defined tolerance. Mitigation costs exceed projected financial impact.
What is the MOST appropriate response?
A. Avoid
B. Mitigate further
C. Transfer
D. Accept formally
Answer & reasoning
Correct: D
If residual risk is within appetite and mitigation is not cost-effective, formal acceptance is appropriate.
Question 2
The security team identifies a high residual risk and unilaterally blocks a strategic business initiative without executive involvement.
What governance principle may be violated?
A. Risk avoidance
B. Escalation discipline
C. Threat modeling
D. Control design
Answer & reasoning
Correct: B
Escalation and risk acceptance decisions require business and governance involvement.
Question 3
A vendor experiences a data breach affecting customer information. The organization claims responsibility lies solely with the vendor.
What is the MOST significant misunderstanding?
A. Inherent risk
B. Risk transfer eliminates accountability
C. Weak BIA
D. Poor mitigation
Answer & reasoning
Correct: B
Outsourcing does not remove governance accountability.
Question 4
An audit finding identifies a recurring control failure. The remediation plan corrects the issue temporarily but does not address underlying process gaps.
What governance weakness exists?
A. Weak threat modeling
B. Failure to address root cause
C. Excessive appetite
D. Weak inherent risk calculation
Answer & reasoning
Correct: B
Recurring issues suggest structural weaknesses that have not been addressed.
Question 5
A business unit requests a permanent exception to bypass encryption controls for operational efficiency.
What is the MOST appropriate action?
A. Approve indefinitely
B. Reject immediately
C. Require documented, time-bound exception with defined compensating controls
D. Transfer risk to vendor
Answer & reasoning
Correct: C
Exceptions must be documented, justified, and time-limited.
Question 6
A new AI platform is introduced without structured risk assessment because “industry peers are already using it.”
What governance weakness exists?
A. Excessive mitigation
B. Failure to evaluate emerging risk
C. High inherent risk
D. Weak BIA
Answer & reasoning
Correct: B
Emerging technologies require structured assessment before deployment.
Question 7
A risk management team directly implements operational controls to speed remediation.
What governance boundary may be blurred?
A. Inherent risk evaluation
B. Separation of duties (Three Lines model)
C. Residual risk tracking
D. Risk appetite
Answer & reasoning
Correct: B
The second line should advise and monitor, not execute controls.
Question 8
A third-party vendor was properly assessed during onboarding but has not been reviewed in three years despite expanded services.
What is the PRIMARY concern?
A. High inherent risk
B. Failure of ongoing monitoring
C. Weak risk appetite
D. Excessive mitigation
Answer & reasoning
Correct: B
Third-party risk management (TPRM) requires continuous reassessment.
Question 9
An issue is marked “closed” once remediation begins, but no validation of control effectiveness is performed.
What governance gap exists?
A. Weak threat modeling
B. Lack of closure validation
C. High inherent risk
D. Excessive acceptance
Answer & reasoning
Correct: B
Closure requires validation of effectiveness.
Question 10
Multiple moderate risks are individually accepted. Collectively, they begin approaching enterprise appetite limits.
What should be evaluated FIRST?
A. Avoid all moderate risks
B. Aggregated exposure and escalation need
C. Transfer remaining risks
D. Increase mitigation spending immediately
Answer & reasoning
Correct: B
Risk aggregation may require governance-level review even if individual risks are acceptable.
Section A master pattern
When answering Domain 3 Section A questions:
- Business owns risk.
- Security advises.
- Audit assures.
- Escalate when residual exceeds tolerance.
- Exceptions must be documented and time-bound.
- Vendors do not remove accountability.
- Emerging risk requires structured evaluation.
- Root cause > symptom fix.
- Validate remediation before closure.
- Aggregate risk at the enterprise level.
If you default to “add more controls,” you may miss the governance layer.