CRISC domain - 32% of the exam

Risk Response and Reporting

Risk Response and Reporting is 32% of the Certified in Risk and Information Systems Control (CRISC) exam. These are the objectives it covers, each with practice questions and worked explanations.

Sample question from this domain

Free sample · Risk Response and Reporting · medium

A residual risk sits just above the organisation's stated risk appetite, and the cost of further controls would clearly exceed the potential loss. The business owner is willing to live with the exposure. Which risk treatment should the practitioner recommend?

  • A. Accept the residual risk with documented, informed sign-off from the business owner. (Correct)
  • B. Transfer the exposure to an insurer so the financial impact falls on a third party.
  • C. Avoid the risk by retiring the underlying activity that generates the exposure.
  • D. Mitigate further by adding controls until the residual sits below appetite.
Objective tested: recognise that informed risk acceptance is appropriate when the cost of further treatment exceeds the potential loss and the owner accepts the exposure. Risk acceptance is justified when the marginal cost of additional controls would exceed the value at risk; the practitioner records the decision with informed business-owner sign-off so the residual exposure is owned and accountable rather than ignored.

Why A is correct: When treatment cost exceeds the potential loss and the owner accepts the exposure, formal informed acceptance is the economically rational and accountable choice.

Why B is wrong: Transfer through insurance shifts financial impact but adds premium cost, which is hard to justify when the residual loss is already smaller than further treatment spend.

Why C is wrong: Avoidance removes the activity entirely, an extreme response that sacrifices business value when the exposure is only marginally above appetite.

Why D is wrong: Adding controls feels safe, but spending more than the loss is worth destroys value and is not warranted for a marginal breach of appetite.

See also the CRISC cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by ISACA. Original, blueprint-aligned practice material only.