Domain 2: Risk Assessment

Risk Identification and Analysis.

Covers Risk Identification (Events, Threats, Vulnerabilities, Scenarios) and Risk Analysis (Concepts, BIA, Register, Methodologies, Inherent/Residual Risk).

5 minutes 5 Questions

Domain 2 of the CRISC certification, titled 'IT Risk Assessment,' focuses on the crucial processes involved in analyzing and evaluating IT-related risks to determine their potential impact on an organization's operations and strategic objectives. This domain forms the bridge between risk identifica…

Concepts covered: Risk Events, Threat Modeling and Threat Landscape, Vulnerability Management, Risk Scenario Development and Evaluation, Risk Assessment Concepts and Standards, Business Impact Analysis (BIA), Risk Register, Risk Analysis Methodologies, Inherent and Residual Risk

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

CRISC - Domain 2: Risk Assessment Example Questions

Test your knowledge of Domain 2: Risk Assessment

Question 1

During a scheduled risk profile review for a core banking application, a risk practitioner notes two simultaneous changes: the integration of a complex new currency exchange module and the deployment of an automated database encryption suite. The external threat environment remains static. Which structural modification must the practitioner apply to the risk register to adhere to standard risk calculation principles?

Apply the risk reduction coefficients of the encryption technical controls directly against the inherent volatility metric to establish a modernized gross risk baseline. Maintain the existing inherent risk definition while adjusting the residual risk factors to capture the net impact of both operational changes. Recalculate the inherent risk score based on the heightened operational processing variables prior to assessing the control mitigation effects. Offset the increased module complexity with the enhanced security posture to preserve the historical continuity of the risk trend analysis.

Correct Answer: Recalculate the inherent risk score based on the heightened operational processing variables prior to assessing the control mitigation effects.

The correct approach involves recognizing the fundamental difference between inherent risk and residual risk within standard risk calculation methodologies.

Recalculate the inherent risk score based on the heightened operational processing variables prior to assessing the control mitigation effects.

This is the best answer because Risk Management principles dictate that risk must first be assessed in its raw, natural state (Inherent Risk) before applying any mitigating factors. The introduction of a complex new currency exchange module represents a significant change in business process, logic complexity, and potential error surfaces. This fundamentally alters the gross risk profile of the application. Therefore, the practitioner must primarily recalculate the inherent risk score to reflect this deeper operational complexity. Only after establishing this new baseline should the mitigating effects of the new encryption suite be applied to determine the residual risk.

Why the other answers are incorrect:

Applying risk reduction coefficients directly against the inherent volatility metric is structurally incorrect because controls (like encryption) act upon the inherent risk to produce residual risk. They do not define the inherent risk itself. Treating controls as part of the 'gross risk baseline' conflates the risk with the mitigation.
Maintaining the existing inherent risk definition is flawed because it ignores the change introduced by the new currency module. Added complexity and functionality inherently increase the probability and/or impact of failure, regardless of threat environment stability. Fulfilling the review requires acknowledging that the 'gross' risk has changed.
Offsetting increased complexity with enhanced security to preserve historical continuity is a dangerous practice known as 'smoothing' or improperly netting risks. It hides the true exposure of the system. A more complex system with better security is not structurally identical to a simpler system with weaker security; the failure modes differ, and the risk register must reflect the specific changes in both magnitude and mitigation rather than just balancing them out to maintain a trend.

Question 2

A risk practitioner reviewing the risk register notes that several distinct risks, currently rated as low residual impact, would disastrously disrupt business operations if they materialized simultaneously. The current register structure evaluates each risk in isolation, failing to signal this potential aggregate exposure. Which specific structural enhancement should be applied to the risk register to best reveal this concealed vulnerability?

Consolidation of discrete risk scenarios into broad enterprise-level risk categories Inclusion of correlation parameters to map interdependencies among risk entries Recalibration of qualitative scoring scales to emphasize all high-velocity threats Application of stringent impact criteria to elevate low-probability risk scores

Correct Answer: Inclusion of correlation parameters to map interdependencies among risk entries

The correct approach is the inclusion of correlation parameters to map interdependencies among risk entries.

In risk management, particularly when adhering to CRISC standards, evaluating risks solely in isolation often masks the true potential impact of 'risk aggregation.' When multiple distinct risks share underlying causes or have the potential to trigger one another, they are correlated. If these correlated risks materialize simultaneously, their combined impact can be far greater than the sum of their individual impacts. By explicitly mapping these interdependencies within the risk register, the organization can see where 'low' individual risks cluster together to form a 'high' aggregate exposure, thereby revealing the concealed vulnerability described in the scenario.

Here is why the other options are incorrect:

Recalibration of qualitative scoring scales to emphasize all high-velocity threats is incorrect because the issue is not the speed (velocity) of the threats or the scale itself, but rather the lack of visibility into how distinct risks interact. Changing the scale globally does not establish the necessary links between specific risks.

Consolidation of discrete risk scenarios into broad enterprise-level risk categories is incorrect because grouping risks into broad categories (bucketing) often obscures specific operational details and relationships rather than highlighting how specific simultaneous events cause disruption. It simplifies the view rather than analyzing the complexity of interaction.

Application of stringent impact criteria to elevate low-probability risk scores is incorrect because artificially inflating scores for all low-probability or low-impact risks invalidates the risk assessment process. It creates noise by making everything look critical, rather than specifically identifying the group of risks that are dangerous only when combined.

Question 3

A risk practitioner conducting a structural audit of the risk register encounters an anomaly where the quantitative Residual Risk score for a legacy system exceeds its Inherent Risk score. The Risk Owner justifies this by stating the implemented security controls are operationally brittle and induce system instability. Which structural error in the risk register does this specific condition indicate?

The record invalidly combines secondary risks generated by the controls with the original risk instead of listing them independently. The residual calculation logic erroneously applies a positive coefficient to the control variable resulting in an inflated final score. The inherent risk scoring model relies on static historical baselines that underestimate the volatility of the current threat environment. The assessment methodology updates the residual perspective to a worst-case scenario while maintaining an average-case inherent baseline.

Correct Answer: The record invalidly combines secondary risks generated by the controls with the original risk instead of listing them independently.

The correct answer is that the record invalidly combines secondary risks generated by the controls with the original risk instead of listing them independently.

Here is the step-by-step reasoning:

Definition of Values: Inherent Risk is the risk level before controls are applied. Residual Risk is the risk remaining after controls are applied. Generally, controls are implemented to reduce risk, meaning Residual Risk should be lower than Inherent Risk.
The Anomaly: The scenario presents a Residual Risk score that is higher than the Inherent Risk score, which is mathematically illogical in standard risk formulas (Risk - Control = Residual) unless the control adds negative value.
The Justification: The Risk Owner states the controls result in 'system instability.' Use of a control that introduces a new problem is the definition of a Secondary Risk (a risk that arises as a direct result of implementing a risk response).
The Structural Error: The anomaly occurs because the negative impact of the secondary risk (instability) is being aggregated into the residual score of the original risk. In a properly structured risk register, secondary risks should be logged as independent risk entries with their own inherent and residual scores. Combining them creates a distorted view where the treatment appears to amplify the original risk rather than mitigating it and creating a separate, distinct issue.

Why other options are incorrect:

Static historical baselines: While underestimating inherent risk is a problem, the Risk Owner specifically blamed the controls for the issue, not the threat landscape or baseline data.
Positive coefficient calculation logic: This suggests a mere formula or software bug. The scenario provides a qualitative reason regarding the nature of the controls (brittleness/instability), indicating a methodological error in how the risk is classified (secondary risk) rather than just a math error.
Mismatched perspectives (Worst-case vs. Average-case): While comparing different baselines can cause scoring errors, the prompt specifically links the high score to the consequences of the controls, which points to the existence of a secondary risk rather than a change in assessment perspective.

🎓 Unlock Premium Access

Certified in Risk and Information Systems Control + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
1285 Superior-grade Certified in Risk and Information Systems Control practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
CRISC: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial

More Domain 2: Risk Assessment questions

269 questions (total)

Start 100 question test