Domain 2 – Section B Review: IT Risk Analysis & Evaluation
Identification describes risk.
Analysis disciplines it.
Evaluation governs it.
Section B tests whether risk is:
- Measured consistently
- Compared against appetite
- Properly documented
- Escalated appropriately
- Aligned to business impact
This review blends methodologies, inherent vs residual risk, BIA, prioritization, and governance discipline.
10 scenario-based questions
Question 1
A. Inherent risk
B. Residual risk
C. Accepted risk
D. Aggregated risk
Answer & reasoning
Correct: B
Controls have been applied. Remaining exposure is residual risk.
Question 2
A. Weak BIA
B. Excessive risk appetite
C. Poor asset classification
D. Lack of standardized methodology
Answer & reasoning
Correct: D
Methodologies must be standardized to support aggregation and comparison.
Question 3
A system has an MTD of 24 hours. The recovery team defines an RTO of 36 hours.
What does this indicate?
A. Acceptable residual risk
B. Weak threat modeling
C. RTO exceeds business tolerance
D. Excessive mitigation
Answer & reasoning
Correct: C
RTO must not exceed MTD. A 36-hour recovery target against a 24-hour maximum tolerable downtime means the system would be unavailable longer than the business can absorb, so the recovery objective itself is out of tolerance.
Question 4
A. Escalation requirement for residual risk
B. Asset classification
C. Quantitative modeling
D. Threat landscape reassessment
Answer & reasoning
Correct: A
Residual risk exceeding tolerance requires escalation regardless of perceived likelihood.
Question 5
A. Poor inherent risk calculation
B. Incomplete threat modeling
C. Weak residual risk tracking
D. Excessive risk appetite
Answer & reasoning
Correct: C
Risks should remain documented for monitoring and aggregation even when within tolerance.
Question 6
A. False precision due to unreliable inputs
B. Excessive risk tolerance
C. Weak ERM
D. Poor BIA
Answer & reasoning
Correct: A
Quantitative analysis depends on reliable data. Weak inputs undermine credibility.
Question 7
A. Weak threat modeling
B. Incomplete risk evaluation
C. Excessive mitigation
D. Asset misclassification
Answer & reasoning
Correct: B
Risk level requires evaluation of both likelihood and impact.
Question 8
A control exists but has not been tested for effectiveness. Residual risk is assumed to be low.
What is the MOST significant concern?
A. High inherent risk
B. Weak asset inventory
C. Poor risk appetite definition
D. Inaccurate residual risk estimation
Answer & reasoning
Correct: D
Residual risk depends on validated control effectiveness.
Question 9
A. Weak threat landscape
B. Misalignment between BIA and impact scoring
C. Excessive mitigation
D. Poor methodology selection
Answer & reasoning
Correct: B
Impact scoring must align with BIA findings.
Question 10
A. Weak inherent risk evaluation
B. Poor BIA execution
C. Lack of standardized risk analysis framework
D. Inadequate threat modeling
Answer & reasoning
Correct: C
Standardized methodology enables comparison and aggregation across the enterprise.
Section B master pattern
When answering Domain 2 Section B questions:
- Separate inherent from residual risk.
- Validate control effectiveness before estimating residual.
- Align impact scoring with BIA findings.
- Standardize methodologies for aggregation.
- Escalate when residual risk exceeds tolerance.
- Keep risks documented — even within tolerance.
If you ignore evaluation against appetite, you will miss the governance layer.
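To make the master pattern concrete, the following is an added example (not part of this review or any CRISC material) of a small residual-risk evaluation check that encodes the six rules above: it credits only tested controls toward residual risk, compares impact scoring with the BIA rating, flags an RTO that exceeds MTD, escalates when residual exceeds tolerance, and keeps every risk documented whether or not it escalates. The 1-5 likelihood and impact scale, the multiplicative scoring, the tolerance threshold, the class and field names, and the three sample register entries are all constructed assumptions for illustration.

```python
"""Added example: a minimal risk-register evaluator encoding the Domain 2
Section B pattern. Scale, scoring rule, names and sample data are assumed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Control:
    name: str
    tested: bool        # has effectiveness been validated? (Q8)
    reduction: int      # likelihood reduction on the 1-5 scale, credited only if tested


@dataclass
class Risk:
    rid: str
    likelihood: int     # inherent likelihood, 1-5 (assumed scale)
    impact: int         # impact score used by the risk analyst, 1-5
    bia_impact: int     # impact rating taken from the BIA (Q9)
    controls: List[Control] = field(default_factory=list)
    rto_hours: Optional[float] = None   # recovery time objective (Q3)
    mtd_hours: Optional[float] = None   # maximum tolerable downtime (Q3)


def inherent_score(r: Risk) -> int:
    # Inherent risk: exposure before any control is credited (Q1).
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    # Residual risk: only validated (tested) controls reduce likelihood;
    # an untested control earns no credit, so residual stays at inherent.
    reduction = sum(c.reduction for c in r.controls if c.tested)
    return max(1, r.likelihood - reduction) * r.impact


def evaluate(r: Risk, tolerance: int) -> dict:
    """Apply the Section B checks to one register entry and return the record."""
    findings = []
    if r.impact != r.bia_impact:
        findings.append("impact scoring misaligned with BIA")
    if any(not c.tested for c in r.controls):
        findings.append("untested control: residual estimate unvalidated")
    if r.rto_hours is not None and r.mtd_hours is not None and r.rto_hours > r.mtd_hours:
        findings.append("RTO exceeds MTD")
    resid = residual_score(r)
    escalate = resid > tolerance          # Q4: escalate regardless of perceived likelihood
    if escalate:
        findings.append("residual exceeds tolerance: escalate")
    return {
        "id": r.rid,
        "inherent": inherent_score(r),
        "residual": resid,
        "escalate": escalate,
        "keep_documented": True,          # Q5: never drop a risk because it is in tolerance
        "findings": findings,
    }


def evaluate_register(register: List[Risk], tolerance: int) -> List[dict]:
    # One standardized method across the whole register supports aggregation (Q2, Q10).
    return [evaluate(r, tolerance) for r in register]


# Constructed sample register (assumed values, not from any real assessment).
SAMPLE_REGISTER = [
    Risk("R1", likelihood=4, impact=3, bia_impact=3,
         controls=[Control("MFA on admin portal", tested=True, reduction=2)]),
    Risk("R2", likelihood=5, impact=5, bia_impact=5,
         controls=[Control("nightly backup", tested=False, reduction=3)],
         rto_hours=36, mtd_hours=24),
    Risk("R3", likelihood=3, impact=2, bia_impact=4),
]
TOLERANCE = 12  # assumed enterprise tolerance on the 1-25 product scale


if __name__ == "__main__":
    for record in evaluate_register(SAMPLE_REGISTER, TOLERANCE):
        print(record)
```

Running the block prints one record per risk: R1 sits within tolerance with no findings but is still retained in the output, R2 escalates with three findings (its only control is untested, its RTO exceeds MTD, and its residual remains at inherent), and R3 is flagged only for the mismatch between its impact score and the BIA rating.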