Domain 1 – Section B Review: Risk Governance
Section A was about structure.
Section B is about enterprise discipline.
Risk Governance tests whether risk management is:
- Structured
- Consistent
- Aggregated
- Aligned to appetite
- Legally compliant
- Ethically transparent
If you find yourself jumping to technical controls, pause.
Section B favors governance-level thinking.
The Risk Governance pattern
Across ERM, Three Lines, Risk Profile, Appetite & Tolerance, Compliance, and Ethics, CRISC consistently prefers:
- Framework over improvisation
- Enterprise visibility over isolated fixes
- Escalation over silent tolerance breaches
- Independence over convenience
- Structured impact assessment over reactive control deployment
When unsure, ask:
Is this a structural governance issue?
Often, it is.
10 exam-style scenario questions
Question 1
A. Increase control monitoring
B. Conduct additional risk assessments
C. Escalate to regulators
D. Implement an enterprise-wide risk management framework
Answer & reasoning
Correct: D
The issue is structural inconsistency. ERM provides standardization across departments.
Question 2
Internal audit assists management in implementing remediation after identifying control weaknesses.
What governance principle is MOST at risk?
A. Risk appetite alignment
B. Asset ownership
C. Independence
D. Risk aggregation
Answer & reasoning
Correct: C
Audit must remain independent to provide objective assurance.
Question 3
A. Mitigate the highest individual risk
B. Escalate aggregated exposure to leadership
C. Ignore if no single risk exceeds threshold
D. Conduct vulnerability scanning
Answer & reasoning
Correct: B
Aggregated exposure must be evaluated against appetite and tolerance, even when no single risk exceeds its threshold.
Question 4
A. Improper risk ownership
B. Weak compliance monitoring
C. Poor asset classification
D. Inadequate encryption
Answer & reasoning
Correct: A
Risk ownership belongs to business management, not the second line.
Question 5
A. Delayed mitigation
B. Excessive risk appetite
C. Lack of structured compliance evaluation
D. Poor vulnerability management
Answer & reasoning
Correct: C
Impact assessment should precede implementation to ensure governance alignment.
Question 6
A. Control automation
B. Centralized risk aggregation and reporting
C. Asset encryption
D. Additional audits
Answer & reasoning
Correct: B
An accurate risk profile requires enterprise-level aggregation and visibility.
Question 7
A. Failure to follow escalation protocol
B. Weak asset inventory
C. Excessive risk appetite
D. Poor control testing
Answer & reasoning
Correct: A
Tolerance breaches require structured escalation regardless of perceived impact.
Question 8
A. Risk aggregation
B. Risk appetite
C. Asset ownership
D. Organizational accountability
Answer & reasoning
Correct: D
Contractual outsourcing does not eliminate governance accountability.
Question 9
A. Adjust the scoring methodology
B. Delay reporting
C. Escalate through formal governance channels
D. Increase monitoring frequency
Answer & reasoning
Correct: C
Transparency and independence must be preserved.
Question 10
A. Weak encryption
B. Lack of enterprise risk integration
C. Insufficient vulnerability scanning
D. Poor compliance auditing
Answer & reasoning
Correct: B
ERM must align risk management to enterprise objectives.
Section B master rule
When answering Risk Governance questions:
- Think enterprise.
- Think framework.
- Think aggregation.
- Think escalation.
- Think independence.
- Think structured compliance.
Section B is rarely about the tool.
It's about whether governance discipline exists.
Domain 1 complete
You now have:
- ✓ Organizational Governance
- ✓ Risk Governance
The consistent decision pattern across Domain 1:
- Governance before controls
- Structure before reaction
- Alignment before mitigation
- Escalation before silent acceptance
- Transparency before convenience