Domain 2 – Section B Review: IT Risk Analysis & Evaluation

CRISC Domain 2 — IT Risk Assessment, Section B Review (20–25 min)
Identification describes risk.
Analysis disciplines it.
Evaluation governs it.

Section B tests whether risk is:

  • Measured consistently
  • Compared against appetite
  • Properly documented
  • Escalated appropriately
  • Aligned to business impact

This review blends methodologies, inherent vs residual risk, BIA, prioritization, and governance discipline.


10 scenario-based questions


Question 1

A high inherent risk is identified. Strong controls are implemented, reducing likelihood significantly. The remaining exposure is moderate and within tolerance.

What level of risk is now being evaluated?

A. Inherent risk
B. Residual risk
C. Accepted risk
D. Aggregated risk

Answer & reasoning

Correct: B

Controls have been applied. Remaining exposure is residual risk.


Question 2

An organization uses a qualitative “High/Medium/Low” rating scale. Different departments interpret “High” differently, resulting in inconsistent prioritization.

What is the MOST significant governance issue?

A. Weak BIA
B. Lack of standardized methodology
C. Excessive risk appetite
D. Poor asset classification

Answer & reasoning

Correct: B

Methodologies must be standardized to support aggregation and comparison.


Question 3

A system has an MTD of 24 hours. The recovery team defines an RTO of 36 hours.

What does this indicate?

A. Acceptable residual risk
B. RTO exceeds business tolerance
C. Weak threat modeling
D. Excessive mitigation

Answer & reasoning

Correct: B

RTO must not exceed MTD.


Question 4

A risk remains above tolerance after mitigation efforts. Management chooses not to escalate because likelihood is low.

What governance principle is being violated?

A. Asset classification
B. Escalation requirement for residual risk
C. Quantitative modeling
D. Threat landscape reassessment

Answer & reasoning

Correct: B

Residual risk exceeding tolerance requires escalation regardless of perceived likelihood.


Question 5

An organization removes a documented risk from the risk register because mitigation controls reduced it to within tolerance.

What governance weakness exists?

A. Poor inherent risk calculation
B. Weak residual risk tracking
C. Incomplete threat modeling
D. Excessive risk appetite

Answer & reasoning

Correct: B

Risks should remain documented for monitoring and aggregation even when within tolerance.


Question 6

A quantitative model produces precise financial loss estimates based on limited historical data and unverified assumptions.

What is the PRIMARY concern?

A. Excessive risk tolerance
B. False precision due to unreliable inputs
C. Weak ERM
D. Poor BIA

Answer & reasoning

Correct: B

Quantitative analysis depends on reliable data. Weak inputs undermine credibility.


Question 7

An organization prioritizes mitigation based solely on likelihood, ignoring potential business impact.

What analytical weakness exists?

A. Weak threat modeling
B. Incomplete risk evaluation
C. Excessive mitigation
D. Asset misclassification

Answer & reasoning

Correct: B

Risk level requires evaluation of both likelihood and impact.


Question 8

A control exists but has not been tested for effectiveness. Residual risk is assumed to be low.

What is the MOST significant concern?

A. High inherent risk
B. Inaccurate residual risk estimation
C. Weak asset inventory
D. Poor risk appetite definition

Answer & reasoning

Correct: B

Residual risk depends on validated control effectiveness.


Question 9

A BIA identifies a process as critical due to regulatory reporting deadlines. Risk assessment rates associated system disruption as low impact.

What is the MOST likely issue?

A. Weak threat landscape
B. Misalignment between BIA and impact scoring
C. Excessive mitigation
D. Poor methodology selection

Answer & reasoning

Correct: B

Impact scoring must align with BIA findings.


Question 10

Risk analysis methods vary significantly between subsidiaries, preventing meaningful enterprise aggregation.

What governance maturity gap is MOST evident?

A. Weak inherent risk evaluation
B. Lack of standardized risk analysis framework
C. Poor BIA execution
D. Inadequate threat modeling

Answer & reasoning

Correct: B

Standardized methodology enables comparison and aggregation across the enterprise.


Section B master pattern

When answering Domain 2 Section B questions:

  • Separate inherent from residual risk.
  • Validate control effectiveness before estimating residual.
  • Align impact scoring with BIA findings.
  • Standardize methodologies for aggregation.
  • Escalate when residual risk exceeds tolerance.
  • Keep risks documented — even within tolerance.

If you ignore evaluation against appetite, you will miss the governance layer.
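The master pattern above can be expressed as checks over a risk register. The following is an added example, not part of the original review: it assumes a constructed 1–5 likelihood and impact scale, a per-risk tolerance expressed as a maximum residual score, and an impact of 4 or higher as the expected rating for a BIA-critical process; every finding string maps to one of the questions above.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RiskEntry:
    """One risk-register row (constructed schema; scores use a 1-5 likelihood x impact scale)."""
    name: str
    likelihood: int
    impact: int
    tolerance: int                      # maximum residual score accepted for this risk
    control_effectiveness: float = 0.0  # fraction of the score the control removes
    control_validated: bool = False     # has the control been tested? (Question 8)
    escalated: bool = False             # has residual above tolerance been escalated? (Question 4)
    in_register: bool = True            # risk still documented? (Question 5)
    bia_critical: bool = False          # BIA flagged the supporting process as critical (Question 9)
    mtd_hours: Optional[int] = None     # maximum tolerable downtime (Question 3)
    rto_hours: Optional[int] = None     # recovery time objective (Question 3)

def inherent_score(e: RiskEntry) -> int:
    # Risk level needs both likelihood and impact (Question 7).
    return e.likelihood * e.impact

def residual_score(e: RiskEntry) -> int:
    # Credit only validated controls; an untested control leaves residual at inherent (Question 8).
    if not e.control_validated:
        return inherent_score(e)
    return round(inherent_score(e) * (1 - e.control_effectiveness))

def evaluate(e: RiskEntry) -> List[str]:
    """Return governance findings for one register entry; an empty list means the row is clean."""
    findings = []
    if e.control_effectiveness > 0 and not e.control_validated:
        findings.append("control effectiveness not validated")
    if residual_score(e) > e.tolerance and not e.escalated:
        findings.append("residual above tolerance without escalation")
    if not e.in_register:
        findings.append("risk removed from register")
    if e.bia_critical and e.impact < 4:
        findings.append("impact scoring misaligned with BIA")
    if e.mtd_hours is not None and e.rto_hours is not None and e.rto_hours > e.mtd_hours:
        findings.append("RTO exceeds MTD")
    return findings

# Constructed sample rows mirroring the scenarios in Questions 1, 3, 4 and 8.
SAMPLE_REGISTER = [
    RiskEntry("q1 validated strong control", 5, 4, tolerance=8, control_effectiveness=0.7, control_validated=True),
    RiskEntry("q3 recovery gap", 2, 5, tolerance=15, mtd_hours=24, rto_hours=36),
    RiskEntry("q4 unescalated residual", 2, 5, tolerance=6),
    RiskEntry("q8 untested control", 4, 4, tolerance=8, control_effectiveness=0.8),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        print(entry.name, inherent_score(entry), residual_score(entry), evaluate(entry))
```

The Question 8 row shows the key point: an untested control claiming 80% effectiveness still leaves residual at the inherent score, which in turn triggers the escalation finding.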
