Foundation of all CRISC risk management activity: 26% of the 150-question exam
Enterprise governance: The system of rules, practices, and processes directing and controlling an enterprise; includes strategy alignment, structure, culture, policies, and asset management.
Risk governance: The framework for overseeing risk management enterprise-wide: ERM program, lines of defense, risk appetite/tolerance thresholds, and compliance with legal/regulatory requirements.
Risk Appetite: the amount of risk the organization is willing to accept in pursuit of objectives (strategic, board-set). Risk Tolerance: the acceptable variation from the risk appetite (operational boundary, set by management).
Three Lines of Defense: 1st: Business units (own and manage risk); 2nd: Risk/compliance functions (oversight, policy); 3rd: Internal audit (independent assurance). Ensures segregation of risk ownership from oversight.
Deep-dive into every subtopic tested in Domain 1
| Concept | Who Sets It | Level | Description |
|---|---|---|---|
| Risk Capacity | Board (bounded by the enterprise's resources and regulatory obligations) | Absolute limit | The objective maximum loss the org can absorb without threatening its viability; appetite must be set inside it |
| Risk Appetite | Board of Directors | Strategic | How much risk the org is willing to accept in pursuit of objectives |
| Risk Tolerance | Management | Operational | Acceptable deviation from the risk appetite threshold in day-to-day operations |
| Framework / Regulation | Owner | Primary Focus |
|---|---|---|
| ISACA Risk IT | ISACA | IT risk governance, evaluation, and response lifecycle |
| COSO ERM 2017 | COSO | Enterprise risk management tied to strategy and performance |
| NIST RMF | NIST (US Gov) | Security and privacy risk management for federal/IT systems |
| ISO 31000 | ISO | General risk management principles and guidelines |
| COBIT 2019 | ISACA | Governance and management of enterprise IT |
| GDPR | European Union (Parliament and Council) | Personal data protection for EU residents |
| HIPAA | US Congress (enforced by HHS Office for Civil Rights) | Health information privacy and security |
| PCI DSS | PCI SSC | Payment card data security standards |
| SOX | US Congress | Financial reporting IT controls for public companies |
Six mnemonics to lock in Domain 1 concepts before exam day
Risk appetite is the strategic threshold set by the board: "how much risk will we take?" Tolerance is the operational boundary set by management: "how much deviation can we live with?" Capacity = the absolute maximum before viability is threatened. Hierarchy: Capacity > Appetite > Tolerance.
1st line owns and manages risk. 2nd line oversees and sets policy. 3rd line (internal audit) provides independent assurance. Never let the 1st line audit itself; that destroys the model. External auditors are sometimes called a "4th line" but are not formally part of the Three Lines model.
The governance hierarchy flows downward: policies state intent (mandatory), standards define specific requirements (mandatory), guidelines recommend (optional), procedures give step-by-step instructions (mandatory wherever they apply). CRISC candidates must know which documents are enforceable: only guidelines are non-mandatory.
You cannot write a BCP or DRP without first doing a BIA. The BIA identifies critical processes, their RTOs and RPOs, and dependencies. BCP keeps the business running (people and processes); DRP restores the IT systems. BIA → BCP (process) → DRP (technology).
The COSO ERM 2017 framework explicitly connects risk management to strategy and performance. IT risk is not standalone; it feeds into the enterprise risk profile and affects strategic objectives. When you see ERM questions, think: strategy first, compliance second.
The risk profile aggregates all identified IT risks into an executive-level picture. It's used to communicate with the board, inform risk appetite decisions, and prioritize resources. It must be kept current: a stale risk profile is a governance failure. It is compiled from the risk register.
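As an added example (not code from the original page or from ISACA), the following Python applies the capacity > appetite > tolerance hierarchy to a constructed risk register and rolls the result up into a risk profile, enforcing along the way that a 1st-line risk owner is not also the 2nd-line reviewer. The 5x5 exposure scale, the threshold numbers, the field names and the sample register entries are all assumptions made for illustration, not ISACA-defined values.

```python
"""Risk register roll-up against appetite / tolerance / capacity thresholds.
Added example: scoring scale, thresholds and entries are constructed."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Band(str, Enum):
    """Where an exposure sits relative to the governance thresholds."""
    WITHIN_APPETITE = "within appetite"
    WITHIN_TOLERANCE = "above appetite, within tolerance (management action)"
    EXCEEDS_TOLERANCE = "exceeds tolerance (escalate to board)"
    EXCEEDS_CAPACITY = "exceeds capacity (viability threatened)"


@dataclass(frozen=True)
class Thresholds:
    appetite: int   # board-set strategic limit on exposure score
    tolerance: int  # management-set acceptable deviation above appetite
    capacity: int   # absolute maximum the enterprise can absorb

    def __post_init__(self) -> None:
        # Capacity must bound appetite plus the tolerated deviation.
        if self.appetite < 0 or self.tolerance < 0:
            raise ValueError("thresholds must be non-negative")
        if self.appetite + self.tolerance > self.capacity:
            raise ValueError("appetite + tolerance must not exceed capacity")


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    category: str
    owner: str       # 1st line: owns and manages the risk
    reviewer: str    # 2nd line: oversight; must not be the owner
    likelihood: int  # assumed 1..5 scale
    impact: int      # assumed 1..5 scale

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


def validate_entry(entry: RiskEntry) -> None:
    """Reject entries that break the model: bad scores or self-oversight."""
    for name in ("likelihood", "impact"):
        if not 1 <= getattr(entry, name) <= 5:
            raise ValueError(f"{entry.risk_id}: {name} must be 1..5")
    if entry.owner == entry.reviewer:
        raise ValueError(f"{entry.risk_id}: 1st-line owner cannot review own risk")


def classify(exposure: int, t: Thresholds) -> Band:
    """Apply the hierarchy: capacity > appetite + tolerance > appetite."""
    if exposure > t.capacity:
        return Band.EXCEEDS_CAPACITY
    if exposure > t.appetite + t.tolerance:
        return Band.EXCEEDS_TOLERANCE
    if exposure > t.appetite:
        return Band.WITHIN_TOLERANCE
    return Band.WITHIN_APPETITE


def build_profile(register: list[RiskEntry], t: Thresholds) -> dict:
    """Roll the register up into the executive-level risk profile."""
    for e in register:
        validate_entry(e)
    bands = {e.risk_id: classify(e.exposure, t) for e in register}
    by_category: dict = {}
    for e in register:
        cat = by_category.setdefault(e.category, {"count": 0, "max_exposure": 0})
        cat["count"] += 1
        cat["max_exposure"] = max(cat["max_exposure"], e.exposure)
    escalate = sorted(rid for rid, b in bands.items()
                      if b in (Band.EXCEEDS_TOLERANCE, Band.EXCEEDS_CAPACITY))
    return {
        "band_counts": dict(Counter(b.name for b in bands.values())),
        "by_category": by_category,
        "board_escalations": escalate,
    }


# Constructed sample register and thresholds (not real data).
THRESHOLDS = Thresholds(appetite=8, tolerance=4, capacity=20)
REGISTER = [
    RiskEntry("R1", "availability", "ops-lead", "risk-office", 2, 3),    # exposure 6
    RiskEntry("R2", "third-party", "procurement", "risk-office", 3, 4),  # exposure 12
    RiskEntry("R3", "data-privacy", "app-owner", "compliance", 4, 4),    # exposure 16
    RiskEntry("R4", "availability", "ops-lead", "risk-office", 5, 5),    # exposure 25
]

if __name__ == "__main__":
    print(build_profile(REGISTER, THRESHOLDS))
```

With these constructed numbers, R1 sits within appetite, R2 is above appetite but inside the tolerated deviation (management action only), and R3 and R4 appear on the board escalation list because they exceed tolerance and capacity respectively. The `Thresholds` constructor refuses an appetite-plus-tolerance band wider than capacity, which is the hierarchy violation exam questions probe for.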
8 key concepts for Domain 1
Appetite: how much risk we're WILLING to take (board-set, strategic).
Tolerance: how much DEVIATION from appetite is acceptable (management-set, operational).
Capacity: the MAXIMUM risk before threatening viability.
Capacity > Appetite > Tolerance.
1st Line: Business/operational management: owns risk, implements controls.
2nd Line: Risk management & compliance: oversight, policy, monitoring.
3rd Line: Internal audit: independent assurance.
Key rule: 1st line cannot self-audit.
BCP: keeps critical business PROCESSES running during a disruption (people, workarounds, manual processes).
DRP: restores IT SYSTEMS after a disaster.
BIA must precede both โ identifies critical processes, RTOs, and RPOs.
RTO: maximum TIME to restore a system/process after disruption.
RPO: maximum acceptable DATA LOSS measured in time (e.g., 4-hour RPO = lose up to 4 hours of data).
Lower RTO/RPO = more expensive controls.
COSO ERM 2017: five components
1. Governance & Culture
2. Strategy & Objective-Setting
3. Performance (identify, assess, prioritize)
4. Review & Revision (monitor, improve)
5. Information, Communication & Reporting
Key: ERM is tied to strategy, not just compliance.
Policy → Standard → Guideline → Procedure
Policy: intent (MANDATORY)
Standard: specific requirements (MANDATORY)
Guideline: recommended (OPTIONAL)
Procedure: step-by-step (MANDATORY wherever it applies)
Policies approved at executive/board level.
Risk profile: The aggregated view of ALL identified risks facing the organization at a point in time.
Compiled from the risk register. Communicated to the board and senior management.
Must be dynamic โ updated as risks emerge, change, or are resolved.
Input to risk appetite decisions.
NIST RMF: Categorize → Select → Implement → Assess → Authorize → Monitor
Lifecycle approach to managing security and privacy risk for federal systems. NIST SP 800-37 Rev. 2 adds a Prepare step ahead of Categorize, so current NIST material lists seven steps; the six above are the ones exam questions most often test.
Categorize (impact level), Select (controls), Implement, Assess (test), Authorize (ATO decision), Monitor (ongoing).
Targeted guidance for Domain 1 exam success
Domain 1 is 26% of the exam. Expect scenario questions asking "who is responsible for X?" and "which framework applies?" Know the Three Lines of Defense cold; it appears in multiple domains. Distinguish risk appetite, tolerance and capacity without hesitation. Most questions are scenario-based, so practice applying concepts to realistic organizational situations rather than memorizing definitions alone.
Governance feeds directly into IT Risk Assessment (Domain 2): risk identification must align with organizational strategy and risk appetite. The risk register (Domain 2) reports up to the risk profile (Domain 1). KRIs (Domain 3, Risk Response & Reporting) must trace back to the appetite/tolerance thresholds set in Domain 1. Understanding the Lines of Defense is also essential for Domain 4 (Information Technology and Security).
| Exam detail | Value |
|---|---|
| Questions | 150 multiple-choice |
| Duration | 4 hours |
| Domains | 4 (Governance 26%, IT Risk Assessment 20%, Risk Response & Reporting 32%, Information Technology & Security 22%) |
| Experience Required | 3+ years of cumulative work experience in IT risk management or IS control, covering at least two CRISC domains, one of which must be Domain 1 or Domain 2 |
| Exam Fee (Member) | $760 |
| Exam Fee (Non-Member) | $960 |
| Credential Term | 3 years (CPE required for renewal) |
| Passing Score | 450 out of 800 (scaled) |