Domain 1 – Section B Review: Risk Governance
Section A was about structure.
Section B is about enterprise discipline.
Risk Governance tests whether risk management is:
- Structured
- Consistent
- Aggregated
- Aligned to appetite
- Legally compliant
- Ethically transparent
If you find yourself jumping to technical controls, pause.
Section B favors governance-level thinking.
The Risk Governance pattern
Across ERM, Three Lines, Risk Profile, Appetite & Tolerance, Compliance, and Ethics, CRISC consistently prefers:
- Framework over improvisation
- Enterprise visibility over isolated fixes
- Escalation over silent tolerance breaches
- Independence over convenience
- Structured impact assessment over reactive control deployment
When unsure, ask:
Is this a structural governance issue?
Often, it is.
10 exam-style scenario questions
Question 1
Different departments use unique methodologies for scoring risk, resulting in inconsistent exposure ratings.
What is the MOST effective corrective action?
A. Increase control monitoring
B. Conduct additional risk assessments
C. Implement an enterprise-wide risk management framework
D. Escalate to regulators
Answer & reasoning
Correct: C
The issue is structural inconsistency, not a shortage of assessments or monitoring. An enterprise-wide framework standardizes scoring methodology so exposure ratings are comparable across departments and can be aggregated.
Question 2
Internal audit assists management in implementing remediation after identifying control weaknesses.
What governance principle is MOST at risk?
A. Risk appetite alignment
B. Asset ownership
C. Independence
D. Risk aggregation
Answer & reasoning
Correct: C
Implementing remediation is a first-line (management) responsibility. If internal audit implements the fix, it cannot later provide objective assurance over its own work; audit must remain independent.
Question 3
Multiple medium-level risks across departments collectively exceed defined tolerance thresholds.
What should occur NEXT?
A. Mitigate the highest individual risk
B. Ignore if no single risk exceeds threshold
C. Escalate aggregated exposure to leadership
D. Conduct vulnerability scanning
Answer & reasoning
Correct: C
Exposure is evaluated in aggregate against appetite and tolerance. A combined breach must be escalated even when no single risk crosses the threshold on its own.
Question 4
Risk management accepts a high-impact operational risk to avoid project delay without involving business leadership.
What governance weakness exists?
A. Weak compliance monitoring
B. Improper risk ownership
C. Poor asset classification
D. Inadequate encryption
Answer & reasoning
Correct: B
Accepting risk is a business decision. Risk ownership belongs to business management; the second-line risk function advises and facilitates but cannot accept risk on the business's behalf.
Question 5
A new regulation is enacted affecting data handling. The organization immediately deploys new technical controls without performing a formal impact assessment.
What governance weakness is MOST significant?
A. Delayed mitigation
B. Lack of structured compliance evaluation
C. Excessive risk appetite
D. Poor vulnerability management
Answer & reasoning
Correct: B
A structured impact assessment should precede implementation so the response is scoped to what the regulation actually requires and remains aligned with governance; deploying controls first is reaction, not compliance evaluation.
Question 6
Executive leadership receives individual departmental risk reports but cannot determine total enterprise exposure.
What is missing?
A. Control automation
B. Centralized risk aggregation and reporting
C. Asset encryption
D. Additional audits
Answer & reasoning
Correct: B
Risk profile requires enterprise-level aggregation and visibility.
Question 7
A defined tolerance for system downtime is exceeded, but management chooses not to escalate because business impact appears minimal.
What governance issue exists?
A. Weak asset inventory
B. Failure to follow escalation protocol
C. Excessive risk appetite
D. Poor control testing
Answer & reasoning
Correct: B
Tolerance breaches require structured escalation regardless of perceived impact.
Question 8
A vendor fails to meet contractual security requirements. Management assumes liability rests solely with the vendor.
What governance principle is being misunderstood?
A. Risk aggregation
B. Risk appetite
C. Organizational accountability
D. Asset ownership
Answer & reasoning
Correct: C
Activities can be outsourced; accountability cannot. The organization remains accountable to its customers and regulators for the outcome, regardless of contractual recourse against the vendor.
Question 9
Leadership pressures the risk function to reduce reported exposure to avoid investor concern.
What is the MOST appropriate response?
A. Adjust the scoring methodology
B. Delay reporting
C. Escalate through formal governance channels
D. Increase monitoring frequency
Answer & reasoning
Correct: C
Transparency and independence must be preserved. Adjusting the methodology or delaying the report to suppress exposure misrepresents the risk profile; the correct response is to escalate the pressure through formal governance channels.
Question 10
Risk management operates exclusively within the IT department and is not integrated with enterprise strategy.
What governance weakness is MOST significant?
A. Weak encryption
B. Lack of enterprise risk integration
C. Insufficient vulnerability scanning
D. Poor compliance auditing
Answer & reasoning
Correct: B
ERM must align risk management to enterprise objectives.
Section B master rule
When answering Risk Governance questions:
- Think enterprise.
- Think framework.
- Think aggregation.
- Think escalation.
- Think independence.
- Think structured compliance.
Section B is rarely about the tool.
It's about whether governance discipline exists.
Domain 1 complete
You now have:
- ✓ Organizational Governance
- ✓ Risk Governance
The consistent decision pattern across Domain 1:
- Governance before controls
- Structure before reaction
- Alignment before mitigation
- Escalation before silent acceptance
- Transparency before convenience