Domain 1: Governance

Organizational and Risk Governance.

Focuses on Organizational Governance (Strategy, Structure, Culture, Policies, Processes, Assets) and Risk Governance (ERM, Lines of Defense, Risk Profile, Appetite, Frameworks).

5 minutes 5 Questions

CRISC Domain 1, titled "Governance," establishes the structural foundation necessary for effective enterprise risk management. Covering approximately 26% of the exam, this domain focuses on aligning IT risk management practices with the organization's broader business objectives, strategy, and cult…

Concepts covered: Strategy, Goals, and Objectives, Organizational Structure, Roles, and Responsibilities, Organizational Culture and Ethics, Policies and Standards, Business Processes and Resilience (DRP/BCP), Organizational Asset Management, Enterprise Risk Management (ERM), Lines of Defense, Risk Profile, Risk Appetite and Tolerance, Risk Frameworks and Requirements

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

CRISC - Domain 1: Governance Example Questions

Test your knowledge of Domain 1: Governance

Question 1

While an organization’s Risk Management Framework (RMF) clearly states a low risk appetite for cyber threats, business unit leaders continue to unknowingly accept excessive technology risks during rapid digital transformation projects. To bridge this gap between strategic intent and operational decision-making, which element should be integrated into the framework's functional requirements?

Enhanced reporting routines to visualize aggregate risk exposure regarding strategic objectives Specific risk tolerance thresholds that quantify acceptable deviations for operational metrics Centralized review gates requiring risk department approval for significant technology initiatives Mandatory training sessions designed to clarify the intent behind executive risk policy statements

Correct Answer: Specific risk tolerance thresholds that quantify acceptable deviations for operational metrics

The correct answer is the integration of specific risk tolerance thresholds that quantify acceptable deviations for operational metrics.

Reasoning:

Translation of Strategy to Operation: Risk appetite is a high-level, strategic statement (e.g., "low risk appetite"). For this to be useful to business unit leaders operationalizing projects, it must be translated into specific, measurable boundaries. Risk tolerance serves this function by quantifying the level of deviation from the appetite that is permitted.
Clarifying "Unknowing" Acceptance: The scenario states leaders are "unknowingly" accepting excessive risks. This suggests they lack clear criteria to evaluate whether a specific technology risk is too high. By defining tolerance thresholds (e.g., "maximum allowable downtime," "minimum encryption standards"), the framework gives leaders explicit guardrails to align their operational decisions with the strategic intent.

Why other options are incorrect:

Mandatory training sessions: While training improves general awareness, it does not provide the concrete, quantifiable metrics required to make specific decisions in complex digital transformation projects. It addresses the "why" but not the specific "how much."
Centralized review gates: While this adds control, it creates bottlenecks that can hinder the "rapid" nature of digital transformation. Furthermore, it shifts responsibility away from the business unit leaders rather than enabling them to make risk-aware decisions within the framework.
Enhanced reporting routines: Reporting is primarily a monitoring tool that visualizes risk exposure after decisions have been made or risks have materialized. It acts as a detective control rather than a preventative guide to help leaders avoid accepting excessive risk in the first place.

Question 2

A risk practitioner identifies that an organization’s Business Impact Analysis (BIA) assigns a constant Recovery Time Objective (RTO) to all financial reporting systems. However, a stress test reveals that while a three-day outage is acceptable during most months, it results in regulatory non-compliance if it occurs during the year-end close. What does this finding primarily indicate regarding the organization's resilience posture?

The alignment between the recovery point objective and the recovery time objective is insufficient to support critical reporting functions. The recovery strategy prioritizes average availability metrics while underestimating the capacity requirements needed during peak processing intervals. The business continuity plan relies on manual workarounds that are incapable of sustaining the service delivery objective during a crisis. The risk modeling approach fails to capture the temporal variations that alter the maximum tolerable downtime of the process.

Correct Answer: The risk modeling approach fails to capture the temporal variations that alter the maximum tolerable downtime of the process.

The correct answer explains that the risk modeling approach fails to capture the temporal variations that alter the maximum tolerable downtime of the process.

This finding highlights a specific deficiency in the Business Impact Analysis (BIA) process regarding seasonality or critical time windows. Financial reporting is a cyclical process where the impact of a disruption varies significantly depending on the time of year. During a standard month, a three-day delay may be manageable (high Maximum Tolerable Downtime), but during the year-end close, the tolerance for downtime shrinks drastically due to strict regulatory deadlines. By assigning a constant Recovery Time Objective (RTO), the organization failed to account for the temporal variation in process criticality. The RTO must be set based on the worst-case scenario (the year-end close) to ensure compliance at all times, or a dynamic disaster recovery strategy must be adopted.

Why the other answers are incorrect:

The option suggesting the recovery strategy prioritizes average availability metrics while underestimating capacity focuses on processing load and throughput (capacity) rather than the time-sensitivity of the restoration (RTO). The issue is not that the system cannot handle the volume of data, but that it cannot be recovered fast enough to meet the specific year-end deadline.
The option regarding the alignment between the recovery point objective (RPO) and the recovery time objective (RTO) refers to the relationship between data loss tolerance and recovery speed. The scenario does not indicate that data loss (RPO) is the contributing factor to the non-compliance, but rather the duration of the system unavailability.
The option stating the plan relies on manual workarounds is incorrect because the scenario provides no information about the use or failure of manual workarounds. The failure is identified in the metrics (RTO) established by the BIA, not necessarily the execution method.

Question 3

Which attribute is fundamental to the utility of an enterprise risk profile?

Focus on historical data over forward-looking predictive indicators Standardization of all technical controls across the organization Inclusion of every identified vulnerability in the extensive register Alignment with current business objectives and risk tolerance

Correct Answer: Alignment with current business objectives and risk tolerance

The best answer is: Alignment with current business objectives and risk tolerance.

An enterprise risk profile is most useful when it provides a high-level view of risk in the context of what the organization is trying to achieve. By aligning with business objectives and risk tolerance, the profile allows senior management and stakeholders to make informed strategic decisions, prioritizing resources toward risks that threaten key goals or exceed acceptable limits.

The other answers are incorrect because:
- Focusing on historical data over predictive indicators limits the profile's ability to anticipate future threats, reducing its strategic value.
- Standardization of technical controls is a specific management tactic rather than a fundamental attribute of the risk profile's utility itself.
- Including every identified vulnerability belongs in a vulnerability register; an enterprise risk profile should aggregate this data to provide a strategic summary rather than granular operational details.

🎓 Unlock Premium Access

Certified in Risk and Information Systems Control + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
1285 Superior-grade Certified in Risk and Information Systems Control practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
CRISC: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More Domain 1: Governance questions

329 questions (total)

Start 100 question test