Module 2: Organizational Structure, Roles & Responsibilities

CRISC Domain 1 — Governance, Section A (5–8 min read)
CRISC is obsessed with clarity of accountability.
If ownership is unclear, governance is weak.

Why this module matters

This is one of the easiest areas to overthink — and one of the easiest to get wrong.

CRISC does not care whether you can describe an org chart.

It cares whether you understand:

Who owns risk.
Who manages risk.
Who monitors risk.
Who provides independent assurance.

If those lines blur in your answer, you lose points.


What the exam is really testing

CRISC is testing whether governance responsibilities are:

  • Clearly defined
  • Properly separated
  • Aligned with authority
  • Free from conflicts of interest

The exam assumes mature organizations separate:

  • Decision-making
  • Oversight
  • Execution
  • Assurance

If a scenario shows blurred lines, that's usually the problem.


The mindset shift

Technical professionals often think:

"If I can fix it, I should fix it."

CRISC thinking is different:

"Before fixing it, who is accountable for it?"

In Domain 1, governance comes before action.

Ownership clarity beats technical competence.


The most important rule

Risk is owned by the business.

Read that again.

Not IT.
Not security.
Not the risk department.

The business owns risk because the business makes strategic decisions.

IT implements controls.
Risk practitioners advise and report.
Audit provides independent assurance.

If your answer makes IT the risk owner, it's probably wrong.


Understanding role separation

CRISC expects you to recognize proper structural boundaries.

Here's how to think about it:

  • Board / Executive Management
    Set strategy, define risk appetite, accept risk.
  • Business Management (First Line)
    Own and manage risk.
  • Risk / Compliance Functions (Second Line)
    Provide oversight, guidance, and monitoring.
  • Internal Audit (Third Line)
    Provide independent assurance.

If one role starts performing another's function, governance maturity declines.


Common question pattern

You may see a scenario like:

  • Risk is identified, but no one is acting.
  • IT is accepting risk without executive input.
  • Audit is implementing controls.
  • The risk function is making operational decisions.

The question often asks:

What is the MOST appropriate action?

The answer is frequently about clarifying or enforcing accountability — not implementing controls.


Trap answers to watch for

These are common Domain 1 traps:

  • The IT department assumes ownership of enterprise risk
  • The risk manager implements corrective technical controls
  • Internal audit assists with operational risk mitigation
  • Security accepts risk on behalf of the business

These answers blur governance lines.

CRISC favors structural correction over tactical correction.


Example scenario (walk through the logic)

Scenario:
An IT security team identifies a significant control gap. Due to time constraints, the IT director decides to formally accept the risk without consulting executive management.

Question: What is the MOST appropriate action?

Tempting answer:
"Implement compensating controls immediately."

Better CRISC logic:

  • Who owns risk? The business.
  • Does the IT director have authority to accept enterprise risk?
  • Has risk appetite been considered?
  • Has executive leadership been involved?

The most appropriate action is likely:

Escalate the risk acceptance decision to the appropriate business authority aligned with governance structure.

The issue is not the control gap.

The issue is improper authority.


How to eliminate wrong answers

When reviewing answer choices, ask:

  1. Does this answer respect role boundaries?
  2. Is the risk owner properly identified?
  3. Is governance structure being reinforced?
  4. Is independence being maintained?

If the answer combines ownership + implementation + oversight in one function, it's probably incorrect.

CRISC likes clean separation.


Independence matters (especially for audit)

Internal audit must remain independent.

If a question shows audit:

  • Designing controls
  • Implementing mitigation
  • Making operational decisions

That's almost always wrong.

Audit evaluates. It does not execute.


The governance pattern to remember

When organizational structure appears in the question:

  • Clarify ownership.
  • Ensure proper escalation.
  • Maintain independence.
  • Separate oversight from execution.

Domain 1 rewards structural thinking.


Quick knowledge check

1) Who owns enterprise risk in a mature governance structure?

A. IT security
B. Risk management function
C. Business management
D. Internal audit

Answer & reasoning

Correct: C

The business owns risk because it makes strategic decisions and accepts consequences. Risk management advises. IT implements. Audit assures.


2) A risk practitioner directly implements corrective controls after identifying a control gap. What governance issue does this most likely indicate?

A. Lack of technical maturity
B. Ineffective risk quantification
C. Blurred separation between oversight and execution
D. Excessive risk tolerance

Answer & reasoning

Correct: C

The risk function provides oversight and guidance. Implementation belongs to management (first line). Role separation is being violated.


3) Internal audit is assisting management in designing and deploying risk controls. What is the primary concern?

A. Increased cost
B. Loss of independence
C. Delayed remediation
D. Overly complex controls

Answer & reasoning

Correct: B

Audit must remain independent to provide objective assurance. Designing and deploying controls compromises that independence.
