Domain 3 – Section C Review: Risk Monitoring & Reporting
Controls reduce risk.
Monitoring proves it.
Reporting governs it.
Section C tests whether you can:
- Track risk treatment plans
- Monitor risk exposure
- Distinguish KPIs, KRIs, and KCIs
- Aggregate enterprise risk
- Validate monitoring data
- Escalate threshold breaches
- Communicate to the right audience
This review blends all of those.
10 scenario-based questions
Question 1
A mitigation plan is approved but no owner or target date is assigned.
What is the PRIMARY governance weakness?
A. Weak inherent risk
B. Incomplete risk treatment plan
C. Excessive appetite
D. Poor threat modeling
Answer & reasoning
Correct: B
Risk treatment requires ownership and defined timelines.
Question 2
An organization reports the number of access reviews completed on time.
This metric is best classified as:
A. KRI
B. KCI
C. KPI
D. Heatmap metric
Answer & reasoning
Correct: C
This measures process performance.
Question 3
The percentage of critical vulnerabilities past SLA exceeds the defined threshold, but leadership delays escalation because of operational pressure.
What governance principle is MOST compromised?
A. Control design
B. Escalation discipline
C. Threat modeling
D. Risk identification
Answer & reasoning
Correct: B
Threshold breaches must trigger structured escalation.
Question 4
A dashboard shows declining incidents, but the rate of control execution errors is increasing.
What is the MOST likely concern?
A. Strong governance
B. Lagging indicators masking control degradation
C. Excessive mitigation
D. Weak inherent risk
Answer & reasoning
Correct: B
Incident counts are a lagging indicator of exposure; the rising control execution error rate is a KCI, and KCIs typically signal degradation before the KRIs they protect worsen.
Question 5
Different business units use inconsistent definitions of “high risk,” making enterprise reporting difficult.
What is the PRIMARY issue?
A. Weak monitoring
B. Lack of metric standardization for aggregation
C. Excessive appetite
D. Poor control testing
Answer & reasoning
Correct: B
Standardization enables reliable aggregation.
Question 6
A control passes annual testing but interim monitoring shows increasing exceptions.
This MOST likely indicates:
A. Strong operating effectiveness
B. Emerging control degradation
C. Excessive mitigation
D. Lower inherent risk
Answer & reasoning
Correct: B
Ongoing monitoring detects drift between testing cycles.
Question 7
A board report contains detailed technical logs but no aggregated risk exposure summary.
What is the PRIMARY weakness?
A. Weak KRI design
B. Audience misalignment in reporting
C. Poor inherent risk scoring
D. Excessive mitigation
Answer & reasoning
Correct: B
Board reporting must be aggregated and strategic; detailed technical logs belong at the operational level.
Question 8
Residual risk exceeds tolerance due to delayed control implementation. Monitoring identifies the breach, but no action is taken.
What governance failure exists?
A. Weak threat modeling
B. Failure to act on monitoring insight
C. Poor KPI selection
D. Control redundancy
Answer & reasoning
Correct: B
Monitoring must trigger corrective governance action.
Question 9
An organization measures the number of control tests performed but not the number of failures identified.
What is the MOST significant gap?
A. Strong KPI
B. Missing KCI or exposure insight
C. Excessive appetite
D. Poor BIA
Answer & reasoning
Correct: B
Counting tests measures activity; only the failures and exceptions they surface reveal control health.
Question 10
A KRI threshold breach is observed in multiple departments simultaneously.
What should be evaluated FIRST?
A. Individual department performance only
B. Aggregated enterprise risk concentration
C. Increase inherent risk score
D. Close risk
Answer & reasoning
Correct: B
Simultaneous breaches across departments may indicate a systemic, concentrated exposure rather than isolated local problems, so the aggregate view is evaluated first.
Section C master pattern
When answering Domain 3 Section C questions:
- Treatment plans require ownership and timelines.
- KPIs measure performance.
- KRIs measure exposure.
- KCIs measure control health.
- Monitoring must be continuous.
- Data must be validated.
- Aggregation enables enterprise visibility.
- Threshold breaches require escalation.
- Reporting must match audience.
- Trend analysis matters more than raw numbers.
If monitoring does not trigger action, governance is weak.
CRISC rewards disciplined oversight — not colorful dashboards.
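The master pattern above can be expressed as monitoring logic. The Python below is an added example, not part of the original review material, and every metric name, threshold, escalation audience and per-department value in it is assumed for illustration. It applies one enterprise-wide threshold per metric so units are comparable (Q5), looks at the trend rather than the latest raw number (Q4, Q6), escalates a breach that persists unacted into the next cycle (Q3, Q8), treats the same KRI breached in several units at once as an enterprise concentration (Q10), and reduces the findings to an aggregated summary suitable for a board (Q7).

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (invented for this example): one value per monthly monitoring
# cycle, oldest -> newest. KRI = exposure (critical vulns past SLA, %), KCI = control
# health (control execution error rate, %).
SAMPLE: Dict[str, Dict[str, List[float]]] = {
    "finance":    {"kri_vulns_past_sla_pct": [9.0, 11.0, 12.0, 13.0],
                   "kci_control_error_pct": [0.5, 0.6, 0.7, 0.9]},
    "operations": {"kri_vulns_past_sla_pct": [3.0, 5.0, 8.0, 11.0],
                   "kci_control_error_pct": [0.4, 0.4, 0.5, 0.5]},
    "hr":         {"kri_vulns_past_sla_pct": [2.0, 2.0, 1.5, 1.0],
                   "kci_control_error_pct": [0.3, 0.6, 1.1, 1.8]},
}
# One enterprise-standard threshold per metric (assumed values): every unit is measured
# on the same scale, which is what makes aggregation meaningful (Q5).
THRESHOLDS = {"kri_vulns_past_sla_pct": 10.0, "kci_control_error_pct": 1.0}


@dataclass
class Finding:
    unit: str
    metric: str
    kind: str          # THRESHOLD_BREACH, MASKED_DEGRADATION or CONCENTRATION
    escalate_to: str   # audience the finding is routed to (assumed names)
    detail: str


def slope(series: List[float]) -> float:
    """Least-squares slope per cycle; the rules below act on trend, not a single value."""
    n = len(series)
    if n < 2:
        return 0.0
    x_mean, y_mean = (n - 1) / 2, sum(series) / n
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(series))
    den = sum((x - x_mean) ** 2 for x in range(n))
    return num / den


def consecutive_breaches(metric: str, series: List[float]) -> int:
    """Most recent cycles in a row above threshold. More than one cycle means
    monitoring saw the breach and nobody acted on it (Q8)."""
    count = 0
    for value in reversed(series):
        if value <= THRESHOLDS[metric]:
            break
        count += 1
    return count


def masked_degradation(kri: List[float], kci: List[float]) -> bool:
    """Q4: lagging exposure indicator improving while the control-health indicator worsens."""
    return slope(kri) < 0 and slope(kci) > 0


def evaluate(data: Dict[str, Dict[str, List[float]]]) -> List[Finding]:
    findings: List[Finding] = []
    breached_units: Dict[str, List[str]] = {}
    for unit, metrics in data.items():
        for metric, series in metrics.items():
            cycles = consecutive_breaches(metric, series)
            if cycles == 0:
                continue
            breached_units.setdefault(metric, []).append(unit)
            # First breach goes to the risk owner; a breach still open after a full
            # cycle is an escalation failure and goes up a level (Q3, Q8).
            audience = "risk owner" if cycles == 1 else "executive risk committee"
            findings.append(Finding(unit, metric, "THRESHOLD_BREACH", audience,
                                    f"{series[-1]} > {THRESHOLDS[metric]} for {cycles} cycle(s)"))
        if masked_degradation(metrics["kri_vulns_past_sla_pct"], metrics["kci_control_error_pct"]):
            findings.append(Finding(unit, "kci_control_error_pct", "MASKED_DEGRADATION",
                                    "control owner", "KRI improving while KCI deteriorates"))
    # Q10: the same metric breached in several units at once is assessed as enterprise
    # concentration before any single unit's performance is judged.
    for metric, units in breached_units.items():
        if len(units) >= 2:
            findings.append(Finding("enterprise", metric, "CONCENTRATION", "enterprise risk committee",
                                    "breached concurrently in: " + ", ".join(sorted(units))))
    return findings


def board_summary(findings: List[Finding]) -> Dict[str, int]:
    """Q7: the board receives aggregated exposure, not per-cycle series or logs."""
    summary = {"units_over_threshold": 0, "persistent_breaches": 0,
               "control_degradation_signals": 0, "enterprise_concentrations": 0}
    for f in findings:
        if f.kind == "THRESHOLD_BREACH":
            summary["units_over_threshold"] += 1
            summary["persistent_breaches"] += f.escalate_to == "executive risk committee"
        elif f.kind == "MASKED_DEGRADATION":
            summary["control_degradation_signals"] += 1
        elif f.kind == "CONCENTRATION":
            summary["enterprise_concentrations"] += 1
    return summary


if __name__ == "__main__":
    results = evaluate(SAMPLE)
    for f in results:
        print(f"[{f.kind}] {f.unit}/{f.metric} -> {f.escalate_to}: {f.detail}")
    print(board_summary(results))
```

On the sample data, finance has breached its KRI for three cycles and is routed upward, operations breached this cycle only and goes to its risk owner, hr shows the Q4 pattern (falling KRI, rising KCI) plus a two-cycle KCI breach, and the concurrent finance/operations KRI breach produces an enterprise concentration finding. The board summary carries only counts of those findings.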