CRISC · topic practice

Risk Response and Mitigation practice questions

Practise Certified in Risk and Information Systems Control (CRISC) Risk Response and Mitigation questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Risk Response and Mitigation

What the exam tests

What to know about Risk Response and Mitigation

Risk Response and Mitigation questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Risk Response and Mitigation exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint stated in the scenario, such as cost, availability, security or scope.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Risk Response and Mitigation questions

20 questions · select your answer, then reveal the explanation

After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?


A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

An organization decides to outsource its data center operations to a third party. This is an example of which risk response?

During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?

A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?

Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?

Which THREE of the following are key components of an effective risk treatment plan?


Refer to the exhibit. A risk practitioner is reviewing the access control list for a critical server. The ACL is applied inbound on the interface connecting to the internet. Which of the following is the MOST significant risk?

Exhibit

Refer to the exhibit.

```
Access List: ACL-01
10 deny ip host 10.1.1.10 any
20 permit tcp 10.1.1.0 0.0.0.255 any eq 443
30 permit udp 10.1.1.0 0.0.0.255 any eq 53
40 deny ip any any
```
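To see what the exhibit's ACL actually does before reasoning about the risk, the following added example (not code from this page or from any exam material) parses the four entries in Cisco IOS access-list syntax and evaluates constructed sample packets in first-match order, the way an IOS ACL is processed. It also lists which source ranges the permit entries accept and flags permit entries whose source range is RFC 1918 private space; on an ACL applied inbound on the internet-facing interface such sources can only be matched by spoofed or mis-routed traffic. That check is a general sanity check a practitioner would run, not the page's answer to the question. The parser is an assumption in that it handles only the address and port forms used in the exhibit (`any`, `host A`, `A WILDCARD`, `eq PORT`), and all packet samples are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed: the ACL exactly as it appears in the exhibit above.
ACL_TEXT = """\
10 deny ip host 10.1.1.10 any
20 permit tcp 10.1.1.0 0.0.0.255 any eq 443
30 permit udp 10.1.1.0 0.0.0.255 any eq 53
40 deny ip any any
"""


@dataclass
class AclEntry:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None means any destination port


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec (any | host A | A WILDCARD); return (network, tokens consumed).
    Assumption: only these three forms occur, which is all the exhibit uses."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    addr, wildcard = tokens[0], tokens[1]
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse numbered IOS-style entries: SEQ ACTION PROTO SRC DST [eq PORT]."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action, proto = int(tok[0]), tok[1], tok[2]
        rest = tok[3:]
        src, n = _parse_addr(rest)
        rest = rest[n:]
        dst, n = _parse_addr(rest)
        rest = rest[n:]
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append(AclEntry(seq, action, proto, src, dst, dport))
    return entries


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str,
             proto: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First-match evaluation. Returns (action, sequence number of the matching entry);
    a sequence number of None means the implicit deny at the end of every IOS ACL fired."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in acl:
        if e.proto != "ip" and e.proto != proto:      # "ip" matches every protocol
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.seq
    return "deny", None


def permitted_sources(acl: List[AclEntry]) -> List[str]:
    """Every source range that some permit entry accepts."""
    return sorted({str(e.src) for e in acl if e.action == "permit"})


def private_source_permits(acl: List[AclEntry]) -> List[int]:
    """Sequence numbers of permit entries whose source range is RFC 1918 private space.
    Inbound on an internet-facing interface, only spoofed or mis-routed packets carry such sources."""
    return [e.seq for e in acl if e.action == "permit" and e.src.is_private]


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed packets: 203.0.113.5 is a documentation-range "internet" client,
    # 198.51.100.10 stands in for the critical server.
    samples = [
        ("203.0.113.5", "198.51.100.10", "tcp", 443),   # ordinary internet client to HTTPS
        ("10.1.1.50", "198.51.100.10", "tcp", 443),     # private source arriving from the internet side
        ("10.1.1.10", "198.51.100.10", "tcp", 443),     # the host singled out by line 10
        ("10.1.1.50", "198.51.100.10", "udp", 53),
        ("10.1.1.50", "198.51.100.10", "tcp", 80),
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(acl, *pkt))
    print("permit sources:", permitted_sources(acl))
    print("permit entries with private sources:", private_source_permits(acl))
```

Running it shows that every packet with a genuine internet source falls through to line 40 and is denied, and that the only traffic lines 20 and 30 ever admit must claim a 10.1.1.0/24 source. Whether that makes the ACL merely ineffective or actively dangerous is exactly the judgement the question asks for; the script only establishes the behaviour.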

You are a risk practitioner at a financial institution that is migrating its core banking system to a cloud provider. The migration plan includes a phased approach, with the first phase moving non-critical applications. However, during the second phase (moving customer-facing applications), the cloud provider experiences a major outage that lasts 6 hours. The outage was caused by a misconfiguration in the provider's network. The institution had conducted a risk assessment and identified cloud provider downtime as a risk, but the treatment plan only included a service level agreement (SLA) with financial penalties. The SLA does not cover the reputational damage and loss of customer trust. The risk register shows that the residual risk level was marked as 'low' before the incident. After the incident, senior management is demanding a review. Which of the following is the MOST appropriate action for the risk practitioner to take?

A risk assessment for a financial trading platform has identified a high-risk vulnerability in the order matching engine. The risk owner has recommended implementing compensating controls rather than fixing the underlying code. Which TWO of the following are valid compensating controls? (Choose two.)

Based on the risk register exhibit, which of the following is the MOST appropriate risk response for R-0042?

Exhibit

Refer to the exhibit.

```
[Risk Register Excerpt]
Risk ID: R-0042
Risk Description: Unauthorized access to customer PII due to weak database encryption
Inherent Risk Score: 16 (Likelihood: 4, Impact: 4)
Control: AES-256 encryption at rest (implemented)
Residual Risk Score: 8 (Likelihood: 2, Impact: 4)
Risk Appetite Threshold: 10
```

A global manufacturing company is implementing a new ERP system across multiple regions. The project manager has identified a risk that data migration from legacy systems may cause data corruption, leading to production delays. The risk owner proposes conducting a full data reconciliation after migration. However, the IT director argues that this would be too time-consuming and suggests only sampling data for verification. The risk manager must decide on the risk response. The project timeline is tight, and the company has a low tolerance for data integrity issues. Which of the following is the BEST course of action?

Order the steps for implementing a risk treatment plan.


Sequence the steps for implementing a new control based on risk assessment findings.


Put the steps for performing a control self-assessment (CSA) in order.


Match each risk response strategy to its definition.


  • Eliminate the activity that causes the risk
  • Reduce the likelihood or impact of the risk
  • Shift the risk to a third party, e.g., insurance
  • Acknowledge the risk and take no further action

Match each risk management term to its definition.


  • Risk level before controls are applied
  • Risk level after controls are applied
  • Amount of risk the organization is willing to accept
  • Acceptable deviation from risk appetite

Match each risk management process step to its activity.


  • Find and list potential risks
  • Determine likelihood and impact
  • Compare risk levels to risk criteria
  • Select and implement controls


A company has identified a critical vulnerability in a legacy application that cannot be patched immediately. The application is used by a small number of users and supports a non-critical business process. Which of the following is the MOST appropriate risk response strategy?

During a risk assessment, the risk owner identifies that the residual risk level is higher than the risk appetite. Which of the following actions should the risk owner take FIRST?


Focused Risk Response and Mitigation sessions

Start a Risk Response and Mitigation only practice session

Every question in these sessions is drawn from the Risk Response and Mitigation domain — nothing else.


Frequently asked questions

What does the CRISC exam test about Risk Response and Mitigation?
Risk Response and Mitigation questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Risk Response and Mitigation questions in a focused session?
Yes — the session launcher on this page draws every question from the Risk Response and Mitigation domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CRISC topics?
Use the topic links above to move to related areas, or go back to the CRISC question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CRISC exam covers. They are not copied from any real exam or dump site.