CRISC: Risk Response & Control Ownership

Domain 3A

Risk Response & Control Ownership

Risk response translates risk assessment findings into decisions and action — choosing how to treat each risk, assigning clear ownership, managing third-party risk, and handling exceptions when ideal controls aren't in place.

🎯

4 Risk Response Options

Accept (acknowledge and monitor), Avoid (eliminate the activity), Mitigate (apply controls to reduce likelihood/impact), Transfer (shift financial impact via insurance/contracts).

👤

Risk & Control Ownership

Risk owners are accountable for the risk within their business domain. Control owners are responsible for designing, implementing, and maintaining specific controls. These roles may differ.

🔗

Vendor/Supply Chain Risk

Third-party relationships extend the organization's risk boundary. Vendor risk management includes due diligence, contractual controls, ongoing monitoring, and exit strategies.

📋

Issues, Findings & Exceptions

Audit findings, security issues, and control gaps must be tracked, prioritized, and remediated. Exceptions (approved deviations) and exemptions (permanent exclusions) must be formally documented and time-bounded.

What This Sub-domain Covers

Risk Response Options — The four treatment strategies (AAMT) and when to apply each
Risk and Control Ownership — Defining accountability vs. responsibility; RACI applied to risk
Vendor/Supply Chain Risk Management — Due diligence, tiering, 4th-party risk, SBOM
Issues, Findings, Exceptions and Exemptions Management — Tracking, remediation, formal exception processes

In-Depth Study

Core Concepts

Risk Response Options

Accept

Acknowledge the risk exists and consciously decide to take no additional action
Appropriate when risk is within risk appetite/tolerance, cost of mitigation exceeds potential loss, or risk cannot be realistically reduced
Requirements: formal documentation, risk owner sign-off, periodic review
Active acceptance: documented decision; Passive acceptance: no action taken (less desirable — avoid in CRISC context)
Acceptance does NOT mean ignoring the risk — it must still be monitored via KRIs

Avoid

Eliminate the risk by discontinuing the activity, process, or technology that creates it
Appropriate when inherent risk is too high, regulatory prohibition applies, or business activity is not worth the risk
Examples: not entering a high-risk market, decommissioning a vulnerable legacy system, not storing certain data types
Trade-off: avoiding risk often means forgoing potential business opportunity or benefit

Mitigate (Reduce)

Implement controls to reduce the likelihood of the risk occurring and/or reduce its impact if it does
Most common risk response in IT risk management
Likelihood reduction: preventive controls (firewalls, access controls, patching, training)
Impact reduction: detective/corrective controls (backups, incident response, business continuity plans)
Mitigation reduces risk to residual level; must compare residual risk vs target residual risk
Control cost-benefit: cost of control should be justified by reduction in ALE

Transfer (Share)

Shift the financial consequence of a risk to a third party
Methods: cyber insurance, contractual transfer (SLAs with penalties, indemnification), outsourcing (transfers operational risk, not legal liability)
Critical: Transfer does NOT eliminate the risk — it only shifts financial consequence
Residual risk remains after transfer (e.g., reputational damage cannot be insured away)
Regulatory/legal liability CANNOT be transferred — the organization remains accountable

Selecting the Appropriate Response

Selection criteria: residual risk vs. risk appetite, cost-benefit analysis, regulatory requirements, organizational risk tolerance
Multiple responses may be combined: e.g., mitigate + transfer (implement controls AND buy cyber insurance)
Response must be approved by risk owner and documented in the risk register
Risk treatment plan: documents selected response, owner, timeline, expected residual risk, and KRIs

Response	When to Use	Example	Limitation
Accept	Risk within tolerance; cost of controls exceeds loss	Accept the risk of a minor UI defect in a low-criticality app	Must still be monitored; passive acceptance is problematic
Avoid	Risk too high; activity not worth it; regulatory prohibition	Decommission a vulnerable legacy system	Forfeits potential business benefit or opportunity
Mitigate	Risk exceeds appetite but is reducible; controls are cost-justified	Implement MFA to reduce unauthorized access risk	Only reduces, never eliminates risk; residual risk remains
Transfer	Financial impact is insurable; operational risk can be outsourced	Purchase cyber liability insurance for breach costs	Legal and regulatory liability stay with the organization

Risk and Control Ownership

Risk Ownership

Risk owner: the individual/role accountable for a specific risk within their business domain
Must have authority and resources to address the risk
Responsible for: accepting residual risk, approving treatment plans, reviewing KRIs
Risk owners are typically business unit managers or process owners — not IT staff
CRISC professionals support risk owners; they don't own the risk themselves

Control Ownership

Control owner: the individual responsible for designing, implementing, operating, and maintaining a specific control
May differ from risk owner (e.g., IT team owns firewall control; business process owner owns the risk)
Control owner responsibilities: ensure control is operating effectively, report exceptions, update control design when environment changes
Control owner accountability extends to maintaining evidence for auditors

Establishing Accountability

RACI applied to risk/control ownership: Responsible (does the work), Accountable (owns the outcome), Consulted, Informed
Clear ownership prevents "nobody owns it" failure mode — one of the most common risk management failures
CRISC Task: "Establish accountability by assigning and validating appropriate levels of risk and control ownership"

Vendor/Supply Chain Risk Management

Third-Party Risk Lifecycle

Pre-engagement: due diligence (SOC 2 reports, security questionnaires, reference checks, site visits)
Contracting: SLAs (uptime, incident response time), right-to-audit clauses, data processing agreements, indemnification
Ongoing monitoring: periodic reassessment, continuous compliance monitoring, incident notification requirements
Offboarding: data return/destruction, access revocation, transition planning

Vendor Categorization

Tier 1 (Critical): access to sensitive data or critical systems — most rigorous due diligence
Tier 2 (Significant): moderate access or dependency — standard due diligence
Tier 3 (Low Risk): minimal access — basic review
Categorization drives the level of oversight and contractual controls required

Supply Chain Risks

Software supply chain: malicious code in open-source components, compromised software updates (e.g., SolarWinds attack pattern)
Hardware supply chain: counterfeit components, firmware tampering
4th-party risk: vendors' vendors — organization may inherit risk from suppliers it has no direct relationship with
Mitigation: vendor inventory, SBOM (Software Bill of Materials), contractual flow-down requirements

Key Vendor Assurance Documents

SOC 2 Type I: controls are designed adequately at a point in time
SOC 2 Type II: controls operated effectively over a period (6–12 months) — stronger assurance
ISO 27001 certification: third-party audit of information security management system
Penetration test reports, vulnerability assessments, security questionnaires (SIG, CAIQ)

Issues, Findings, Exceptions and Exemptions

Issues and Findings

Finding: identified control gap or deficiency from an audit, assessment, or incident
Issue: a broader operational or risk concern that may or may not stem from an audit
Findings must be: documented, risk-rated (criticality), assigned an owner, given a remediation deadline
Tracking: findings tracker / issue log (separate from or linked to the risk register)
Aging findings: unresolved findings beyond their deadline signal governance failure

Exceptions and Exemptions

Exception: a temporary, approved deviation from a policy or standard
- Must be: formally requested, risk-assessed, approved by appropriate authority, time-bounded
- Example: "Legacy system cannot meet password complexity standard — exception approved for 6 months while migration proceeds"
Exemption: a permanent exclusion from a policy requirement
- Higher bar for approval — requires senior sign-off and compensating controls
- Must be reviewed periodically to determine if still valid
Both require: documentation, compensating controls, expiration/review date, owner

Attribute	Exception	Exemption
Duration	Temporary — must have an expiry date	Permanent — indefinite exclusion
Approval Level	Manager / risk owner level	Senior leadership / board level
Compensating Controls	Required during the exception period	Required; reviewed periodically
Review Frequency	At expiry; may be renewed	Periodic review to confirm ongoing validity
Typical Trigger	Migration, upgrade, temporary gap	Unique business/operational characteristic

Risk Treatment Plan Management

After selecting a response, a risk treatment plan documents: specific actions, responsible owners, timelines, expected residual risk after treatment, KRIs to monitor
CRISC Task: "Validate that risk responses have been executed according to risk action plans"
Progress must be tracked and reported to risk owners and senior management
Incomplete treatment plans represent unmitigated residual risk

Retention Strategies

Memory Hooks

Six high-impact mnemonics and mental models to anchor Domain 3A concepts in long-term memory before exam day.

"AAMT — Accept, Avoid, Mitigate, Transfer"

The four CRISC risk response options. Accept = live with it (document it). Avoid = stop doing the thing. Mitigate = add controls to reduce likelihood/impact. Transfer = shift financial consequence (insurance/contracts). Transfer doesn't eliminate risk — you still own the liability.

"Risk Owner ≠ Control Owner"

Risk owner = business unit manager accountable for the risk. Control owner = person responsible for operating the control. A CFO may own the financial fraud risk; the IT team owns the access control that mitigates it. CRISC professionals support both but own neither.

"SOC 2 Type I = Design, Type II = Operation"

SOC 2 Type I: controls are suitably designed at a point in time. SOC 2 Type II: controls operated effectively over a period (6–12 months). Always prefer Type II for vendor assurance — it proves controls actually work.

"Exception = Temporary, Exemption = Permanent"

Exception: approved deviation for a limited time (must have expiry date + compensating controls). Exemption: permanent exclusion (higher approval bar, still needs review). Both must be formally documented — informal workarounds are compliance failures.

"4th-Party Risk = Your Vendor's Vendor"

Your due diligence only reaches your direct vendors (3rd parties). Their vendors are 4th parties — and you inherit their risk too. Contractual flow-down clauses require your vendors to apply equivalent standards to their own supply chain.

"Transfer ≠ Eliminate — Liability Stays"

Cyber insurance transfers the financial loss but NOT the regulatory liability or reputational damage. The organization remains legally accountable even when a vendor causes the breach. This is a favorite CRISC exam distractor.

Knowledge Check

Practice Quiz

10 scenario-based questions, one at a time. Select your answer to see instant feedback, then advance.

Question 1 of 10Score: 0

1. An organization decides to stop offering a high-risk online service because the risk cannot be reduced to an acceptable level. This is an example of which risk response?

2. Purchasing cyber liability insurance PRIMARILY represents which risk response strategy?

3. Which of the following CANNOT be transferred to a third party through insurance or contracts?

4. A risk owner is BEST described as:

5. SOC 2 Type II provides stronger vendor assurance than Type I because it:

6. A policy exception differs from a policy exemption in that an exception is:

7. An organization discovers that a critical vendor's subcontractor (4th party) suffered a data breach exposing the organization's data. This illustrates the risk of:

8. Which vendor assurance document provides evidence that security controls were suitably DESIGNED at a specific point in time?

9. A risk treatment plan should include all of the following EXCEPT:

10. When residual risk after applying controls still exceeds the target residual risk level, the BEST next step is to:

🎯

0/10

Calculating...

Targeted guidance for Domain 3A — what to prioritize, where candidates go wrong, and how to connect this domain to the rest of the exam.

🎯 Exam Strategy

Domain 3A focuses heavily on scenario questions: "what response is appropriate given this situation?" Know AAMT cold with the trade-offs of each. Expect a question about what transfer doesn't cover (legal liability stays). Exception vs Exemption is a reliable CRISC topic — memorize the distinction precisely.

📚 Core Resources

ISACA CRISC Review Manual — Domain 3 section
ISACA vendor risk management guidance
AICPA SOC 2 framework overview
NIST SP 800-161 (supply chain risk management)
ISACA's Third-Party Risk Management publication

💻 Hands-On Practice

For 5 risk scenarios, choose the appropriate response and justify it in writing
Draft a one-page risk treatment plan for a fictional risk
Write a sample vendor risk tiering policy distinguishing Tier 1/2/3 criteria
Compare a SOC 2 Type I and Type II report side by side

⚠️ Common Mistakes

Thinking transfer eliminates risk — it only shifts financial consequence
Confusing risk owner (accountable, business) with control owner (responsible, operational)
Treating exceptions as permanent without expiry dates
Forgetting that 4th-party risk is inherited even without a direct relationship
Choosing passive acceptance over active acceptance — document everything

🔗 Related Exam Topics

Risk Response connects backward to Risk Assessment (Domain 2) — response options are chosen based on risk scores. It connects forward to Control Design (Domain 3B) — a mitigate response triggers control selection. Vendor risk connects to Technology & Security (Domain 4) — vendor systems create IT risk exposure.

Official Links

Resources

Authoritative sources for CRISC exam preparation and Domain 3A subject matter.

🏛️

ISACA CRISC Certification Page

Official credential overview, eligibility requirements, exam scheduling, and pricing ($760 member / $960 non-member)

📄

CRISC Exam Content Outline

Official blueprint showing all four domains and their percentage weightings — the authoritative guide to what will be tested

🔗

NIST SP 800-161 Rev. 1 — Supply Chain Risk Management

Foundational guidance on managing cybersecurity risks in supply chains, including 4th-party risk and SBOM practices

📊

AICPA SOC 2 Framework

Official AICPA resource explaining SOC 2 Type I vs Type II engagements and trust service criteria

📰

ISACA Journal — Third-Party Risk Guidance

ISACA's published research and practitioner articles on vendor and supply chain risk management