Scenarios

Browse every scenario prompt in one place. These scenarios are used in the AI-marked scenario submissions under each job path.

Search scenarios

Arrange by

GRC Core Job Path Scenarios

grc-analyst

Open scenario room

Scenario 1Draft an enterprise risk statement and identify the top three business drivers.
Scenario 2Build a control map linking key risks to preventive and detective controls.
Scenario 3Create a short evidence checklist for a monthly control health review.
Scenario 4Run a mock issue triage and assign owners with due dates.
Scenario 5Prepare a one-page leadership summary of risk posture and control gaps.
Scenario 6Design a control testing calendar using risk-weighted prioritization criteria.
Scenario 7Define testing procedures with objective evidence requirements and pass/fail rules.
Scenario 8Review sample quality and identify where sample expansion is warranted.
Scenario 9Create a QA checklist for consistency, traceability, and reviewer sign-off.
Scenario 10Summarize recurring control failure themes and preventive action proposals.

Compliance Analyst / Regulatory Compliance Analyst Job Path Scenarios

regulatory-compliance-analyst

Open scenario room

Scenario 1Triage an incoming regulation and map impacted obligations to business functions.
Scenario 2Estimate implementation complexity, deadlines, and dependency risks for each obligation.
Scenario 3Define control and policy changes needed to satisfy new regulatory requirements.
Scenario 4Create stakeholder governance for legal interpretation, implementation, and validation.
Scenario 5Deliver an executive readiness update with risks, blockers, and decision requests.
Scenario 6Map recurring compliance obligations to owner teams and operating cadence.
Scenario 7Design control self-assessment workflows and evidence retention standards.
Scenario 8Evaluate control exceptions and determine compensating control requirements.
Scenario 9Develop a centralized obligations tracker with status and due-date governance.
Scenario 10Prepare an annual compliance effectiveness review with improvement priorities.

Risk Manager / Operational Risk Analyst Job Path Scenarios

risk-manager

Open scenario room

Scenario 1Draft an enterprise risk statement and identify the top three business drivers.
Scenario 2Build a control map linking key risks to preventive and detective controls.
Scenario 3Define a measurable loss event scenario using threat, asset, and effect.
Scenario 4Estimate frequency and probable loss magnitude ranges with assumptions.
Scenario 5Compare treatment options using expected risk reduction and cost.
Scenario 6Classify findings by severity, systemic impact, and regulatory sensitivity.
Scenario 7Define remediation plans with milestones, dependencies, and acceptance criteria.
Scenario 8Assess overdue issues and determine escalation based on residual risk.
Scenario 9Design verification testing to confirm sustainable closure of issues.
Scenario 10Create portfolio reporting on remediation velocity and repeat issue drivers.

GRC Core Scenario Path

grc-core

🔒 Locked for free

Scenario 1Draft an enterprise risk statement and identify the top three business drivers.
Scenario 2Build a control map linking key risks to preventive and detective controls.
Scenario 3Create a short evidence checklist for a monthly control health review.
Scenario 4Run a mock issue triage and assign owners with due dates.
Scenario 5Prepare a one-page leadership summary of risk posture and control gaps.

Upgrade required →

Audit & Assurance Scenario Path

audit-assurance

🔒 Locked for free

Scenario 1Define an audit scope for a high-risk business process.
Scenario 2Select a sample strategy and justify why it is risk-based.
Scenario 3Document one control test with clear pass/fail criteria.
Scenario 4Write a finding with condition, criteria, cause, and impact.
Scenario 5Build a remediation tracker with owner, date, and verification step.

Upgrade required →

Privacy & Data Protection Scenario Path

privacy-data

🔒 Locked for free

Scenario 1Map a data flow and identify controller/processor roles.
Scenario 2Evaluate lawful basis and notice requirements for one processing activity.
Scenario 3Create a DSAR handling checklist with SLA milestones.
Scenario 4Assess vendor transfer risk and define required safeguards.
Scenario 5Draft a privacy incident escalation note with required stakeholders.

Upgrade required →

Security & Resilience Scenario Path

security-resilience

🔒 Locked for free

Scenario 1Prioritize attack scenarios by impact and likelihood.
Scenario 2Map detection coverage to a chosen threat scenario.
Scenario 3Define incident command roles for a simulated outage.
Scenario 4Document business continuity dependencies for one critical service.
Scenario 5Create a post-incident improvement plan with measurable outcomes.

Upgrade required →

Third-Party & Regulatory Scenario Path

third-party-regulatory

🔒 Locked for free

Scenario 1Triage a high-risk vendor onboarding request and identify required due diligence evidence.
Scenario 2Assess anti-bribery red flags and document escalation rationale.
Scenario 3Evaluate an ITGC deficiency and classify impact to financial reporting.
Scenario 4Draft a remediation plan with control owner, due date, and retest criteria.
Scenario 5Prepare a regulator-ready summary with supporting evidence references.

Upgrade required →

Program Leadership Scenario Path

program-leadership

🔒 Locked for free

Scenario 1Define governance forum cadence and decision rights for a new GRC program.
Scenario 2Create KPI/KRI metrics for executive reporting and board visibility.
Scenario 3Prioritize competing remediation initiatives under constrained capacity.
Scenario 4Resolve a cross-functional ownership conflict using a RACI approach.
Scenario 5Write a quarterly GRC update with top risks, actions, and blockers.

Upgrade required →

Quantitative Risk Scenario Path

quant-risk

🔒 Locked for free

Scenario 1Define a measurable loss event scenario using threat, asset, and effect.
Scenario 2Estimate frequency and probable loss magnitude ranges with assumptions.
Scenario 3Compare treatment options using expected risk reduction and cost.
Scenario 4Document uncertainty drivers and sensitivity to key assumptions.
Scenario 5Present a decision recommendation in business terms for leadership.

Upgrade required →

Insider Threat Governance Scenario Path

insider-threat

🔒 Locked for free

Scenario 1Draft insider threat program scope, objective, and governance charter language.
Scenario 2Design intake and triage criteria for suspicious insider activity referrals.
Scenario 3Define privacy guardrails for monitoring and investigations.
Scenario 4Create escalation pathways for legal, HR, and security coordination.
Scenario 5Build monthly oversight metrics and assurance checks.

Upgrade required →

ISO 27001 Implementation Scenario Path

iso-27001

🔒 Locked for free

Scenario 1Define ISMS scope boundaries, exclusions, and ownership for a realistic organization.
Scenario 2Draft a risk assessment approach and treatment decision model aligned to business context.
Scenario 3Build a practical control selection rationale and Statement of Applicability structure.
Scenario 4Design evidence requirements for policy operation, control execution, and monitoring.
Scenario 5Prepare an internal audit and management review agenda with clear outputs.

Upgrade required →

SOC 2 Program Scenario Path

soc-2

🔒 Locked for free

Scenario 1Define system boundaries and trust services criteria priorities for a SaaS environment.
Scenario 2Create a control and evidence plan for access, change, and incident processes.
Scenario 3Evaluate vendor risk dependencies and define monitoring and exception handling controls.
Scenario 4Draft internal and external communication expectations for security events and commitments.
Scenario 5Design a readiness review checklist for evidence quality and control consistency.

Upgrade required →

NIST CSF 2.0 Scenario Path

nist-csf

🔒 Locked for free

Scenario 1Map business context and critical assets to CSF Govern and Identify outcomes.
Scenario 2Define risk governance roles, accountability, and policy integration decisions.
Scenario 3Design protection and detection priorities with measurable assurance indicators.
Scenario 4Draft incident response and recovery coordination expectations across stakeholders.
Scenario 5Build an executive reporting view showing maturity, gaps, and prioritized actions.

Upgrade required →

PCI DSS Compliance Scenario Path

pci-dss

🔒 Locked for free

Scenario 1Define cardholder data environment boundaries and identify connected systems in scope.
Scenario 2Evaluate network segmentation controls and document residual exposure assumptions.
Scenario 3Draft evidence requirements for vulnerability scans, penetration testing, and remediation.
Scenario 4Create a shared responsibility matrix for service providers handling payment data.
Scenario 5Prepare an assessor-ready narrative linking controls to PCI DSS requirements and testing.

Upgrade required →

ESG Governance & Disclosure Scenario Path

esg-governance

🔒 Locked for free

Scenario 1Identify material ESG topics and map accountable executive owners for each topic.
Scenario 2Design controls for source data quality, versioning, and disclosure approvals.
Scenario 3Evaluate a climate-risk scenario and define decision triggers for adaptation planning.
Scenario 4Build an issue log for disclosure gaps with remediation owner and due date.
Scenario 5Draft an audit committee briefing summarizing ESG reporting readiness and residual risks.

Upgrade required →

ITGC & SOX Financial Controls Scenario Path

itgc-sox

🔒 Locked for free

Scenario 1Define in-scope applications and key reports supporting financial statement assertions.
Scenario 2Test one access management control and document exceptions with root-cause analysis.
Scenario 3Assess change management evidence for emergency fixes impacting financial systems.
Scenario 4Create deficiency severity criteria and determine likely impact to control reliance.
Scenario 5Build a management action plan with milestones through quarter-end certification.

Upgrade required →

DORA ICT Third-Party Oversight Scenario Path

dora-third-party

🔒 Locked for free

Scenario 1Classify an ICT provider's criticality and document rationale against DORA expectations.
Scenario 2Draft minimum contract clauses for resilience testing, incident notification, and exit rights.
Scenario 3Evaluate concentration risk across key ICT providers and propose mitigation options.
Scenario 4Design a third-party resilience monitoring dashboard with threshold-based escalation rules.
Scenario 5Prepare a supervisory briefing on ICT third-party risk posture and planned improvements.

Upgrade required →

Vulnerability Management Operations Scenario Path

vulnerability-management

🔒 Locked for free

Scenario 1Define a risk-based triage model for critical, high, and medium vulnerabilities.
Scenario 2Assess patching SLA performance and identify bottlenecks by system owner.
Scenario 3Create an exception workflow for compensating controls and formal risk acceptance.
Scenario 4Design a validation approach to confirm remediation effectiveness across environments.
Scenario 5Build a monthly report linking exposure reduction to business-critical assets.

Upgrade required →

Incident Response Operations Scenario Path

incident-response

🔒 Locked for free

Scenario 1Classify a security event and determine escalation based on impact and confidence.
Scenario 2Draft an incident timeline capturing detection, containment, eradication, and recovery.
Scenario 3Define communications for legal, executive, customer, and regulator stakeholders.
Scenario 4Evaluate evidence preservation and chain-of-custody requirements for investigation.
Scenario 5Write a post-incident review with root cause, lessons learned, and prioritized actions.

Upgrade required →

Zero Trust Implementation Scenario Path

zero-trust

🔒 Locked for free

Scenario 1Map identity, device, network, and application trust decisions for a sensitive workflow.
Scenario 2Prioritize policy controls for least privilege and continuous access verification.
Scenario 3Evaluate telemetry gaps that limit adaptive authentication and policy enforcement.
Scenario 4Design a phased rollout plan balancing user friction, security gains, and cost.
Scenario 5Present success metrics for access risk reduction and operational stability.

Upgrade required →

Cloud Governance, FinOps & Risk Scenario Path

cloud-governance-finops

🔒 Locked for free

Scenario 1Identify cloud account governance gaps and define ownership guardrails by business unit.
Scenario 2Assess cost anomalies and map optimization options without weakening control coverage.
Scenario 3Design policy-as-code checks for tagging, encryption, and network exposure controls.
Scenario 4Create a risk register for cloud misconfiguration trends and unresolved exceptions.
Scenario 5Prepare an executive update on cloud spend, risk posture, and remediation progress.

Upgrade required →

Intermediate Vendor Assurance Scenario Path

vendor-assurance

🔒 Locked for free

Scenario 1Build a tiering model to align due diligence depth with vendor criticality.
Scenario 2Evaluate SOC, ISO, and questionnaire evidence for control design and operating effectiveness.
Scenario 3Define trigger events for reassessment, continuous monitoring, and contract review.
Scenario 4Draft a remediation plan for material findings with accountability and verification steps.
Scenario 5Create a governance summary of vendor risk trends and concentration exposures.

Upgrade required →

Audit Analytics & Control Assurance Scenario Path

audit-analytics

🔒 Locked for free

Scenario 1Select key risk indicators and data sources to test control performance at scale.
Scenario 2Design an analytic test to detect segregation-of-duties conflicts in transactional data.
Scenario 3Evaluate false positives and tune thresholds while preserving assurance quality.
Scenario 4Document reproducibility requirements for scripts, queries, and evidence snapshots.
Scenario 5Present actionable findings that connect analytic results to remediation priorities.

Upgrade required →

Business Continuity & Crisis Management Scenario Path

business-continuity

🔒 Locked for free

Scenario 1Define critical business services and map maximum tolerable downtime for each.
Scenario 2Document dependency chains across people, process, technology, and third parties.
Scenario 3Design crisis command roles and decision thresholds for service disruption events.
Scenario 4Run a tabletop exercise scenario and capture response timeline strengths and gaps.
Scenario 5Build a continuity improvement backlog with ownership, due dates, and validation tests.
Scenario 6Classify a security event and determine escalation based on impact and confidence.
Scenario 7Draft an incident timeline capturing detection, containment, eradication, and recovery.
Scenario 8Define communications for legal, executive, customer, and regulator stakeholders.
Scenario 9Identify critical outsourced services and map recovery requirements for each.
Scenario 10Evaluate supplier resiliency evidence and define minimum assurance thresholds.

Upgrade required →

Data Governance & Quality Controls Scenario Path

data-governance

🔒 Locked for free

Scenario 1Define data ownership roles for critical datasets used in risk and compliance reporting.
Scenario 2Create quality rules for completeness, accuracy, timeliness, and consistency checks.
Scenario 3Design exception handling workflows for failed data controls and unresolved defects.
Scenario 4Assess lineage documentation gaps and prioritize remediation for audit-relevant flows.
Scenario 5Prepare a governance dashboard for quality trend monitoring and accountability.
Scenario 6Map a data flow and identify controller/processor roles for a business-critical system.
Scenario 7Design control self-assessment workflows and evidence retention standards for data assets.
Scenario 8Classify findings by severity, systemic impact, and regulatory sensitivity for data quality issues.
Scenario 9Define risk screening criteria for data migration and system change requests.
Scenario 10Build a policy taxonomy aligned to data governance obligations and retention requirements.

Upgrade required →

AI Governance & Model Risk Scenario Path

ai-governance

🔒 Locked for free

Scenario 1Classify an AI use case by risk tier and define required governance checkpoints.
Scenario 2Document model inventory fields including owner, purpose, data sources, and controls.
Scenario 3Evaluate bias, explainability, and performance monitoring requirements for deployment.
Scenario 4Draft incident response procedures for harmful output, drift, or control failure events.
Scenario 5Prepare board-level reporting on model risk exposure and mitigation status.
Scenario 6Build a control map linking AI-specific risks to preventive and detective controls.
Scenario 7Define approval workflows, review cadence, and exception governance for model deployments.
Scenario 8Define risk screening criteria for AI use cases entering production environments.
Scenario 9Map recurring AI compliance obligations to owner teams and operating cadence.
Scenario 10Resolve a cross-functional ownership conflict for shared AI models using a RACI approach.

Upgrade required →

Fraud Risk & Internal Controls Scenario Path

fraud-controls

🔒 Locked for free

Scenario 1Map high-risk fraud schemes to preventive and detective controls across the process.
Scenario 2Define red-flag indicators and escalation logic for suspicious activity monitoring.
Scenario 3Assess effectiveness of approval controls and segregation-of-duties boundaries.
Scenario 4Create an investigation case template with evidence standards and documentation fields.
Scenario 5Recommend control enhancements and quantify expected fraud-loss reduction impact.

Upgrade required →

Policy Lifecycle Management Scenario Path

policy-management

🔒 Locked for free

Scenario 1Build a policy taxonomy aligned to regulatory obligations and internal risk themes.
Scenario 2Define approval workflows, review cadence, and exception governance requirements.
Scenario 3Assess policy-to-control traceability and identify implementation coverage gaps.
Scenario 4Design employee attestation and targeted training requirements by role risk level.
Scenario 5Prepare a policy health report with overdue reviews and remediation actions.

Upgrade required →

Regulatory Change Management Scenario Path

regulatory-change

🔒 Locked for free

Scenario 1Triage an incoming regulation and map impacted obligations to business functions.
Scenario 2Estimate implementation complexity, deadlines, and dependency risks for each obligation.
Scenario 3Define control and policy changes needed to satisfy new regulatory requirements.
Scenario 4Create stakeholder governance for legal interpretation, implementation, and validation.
Scenario 5Deliver an executive readiness update with risks, blockers, and decision requests.

Upgrade required →

Access Governance & IAM Assurance Scenario Path

access-governance

🔒 Locked for free

Scenario 1Define joiner-mover-leaver control objectives and required evidence artifacts.
Scenario 2Test privileged access reviews for timeliness, completeness, and revocation quality.
Scenario 3Design role mining criteria to reduce entitlement sprawl and toxic combinations.
Scenario 4Assess MFA and conditional access coverage across high-risk user populations.
Scenario 5Build a quarterly IAM assurance report with exceptions and remediation tracking.

Upgrade required →

Third-Party Resilience & Exit Planning Scenario Path

third-party-resilience

🔒 Locked for free

Scenario 1Identify critical outsourced services and map recovery requirements for each.
Scenario 2Evaluate supplier resiliency evidence and define minimum assurance thresholds.
Scenario 3Design exit playbooks for high-impact suppliers with transition milestones.
Scenario 4Assess substitutability risk and identify concentration hotspots by service type.
Scenario 5Prepare leadership decisions on resilience investments and contractual improvements.

Upgrade required →

Board Risk Reporting Scenario Path

board-reporting

🔒 Locked for free

Scenario 1Define board-level risk appetite indicators and threshold breach triggers.
Scenario 2Create a concise risk dashboard balancing trend clarity with decision relevance.
Scenario 3Translate technical control findings into strategic business impact statements.
Scenario 4Draft decision memos for top risk tradeoffs and funding implications.
Scenario 5Build a quarterly board pack with accountability, status, and escalation items.

Upgrade required →

Control Testing & QA Scenario Path

control-testing

🔒 Locked for free

Scenario 1Design a control testing calendar using risk-weighted prioritization criteria.
Scenario 2Define testing procedures with objective evidence requirements and pass/fail rules.
Scenario 3Review sample quality and identify where sample expansion is warranted.
Scenario 4Create a QA checklist for consistency, traceability, and reviewer sign-off.
Scenario 5Summarize recurring control failure themes and preventive action proposals.

Upgrade required →

KRI & Metrics Design Scenario Path

kris-metrics

🔒 Locked for free

Scenario 1Select KRIs linked to top enterprise risks and owner accountability.
Scenario 2Define metric calculation logic, data lineage, and refresh cadence.
Scenario 3Set tolerance bands and escalation triggers with management response actions.
Scenario 4Validate metric quality through back-testing and anomaly review.
Scenario 5Present metric insights that drive concrete risk treatment decisions.

Upgrade required →

Issue Management & Remediation Scenario Path

issue-management

🔒 Locked for free

Scenario 1Classify findings by severity, systemic impact, and regulatory sensitivity.
Scenario 2Define remediation plans with milestones, dependencies, and acceptance criteria.
Scenario 3Assess overdue issues and determine escalation based on residual risk.
Scenario 4Design verification testing to confirm sustainable closure of issues.
Scenario 5Create portfolio reporting on remediation velocity and repeat issue drivers.

Upgrade required →

Compliance Operations Scenario Path

compliance-operations

🔒 Locked for free

Scenario 1Map recurring compliance obligations to owner teams and operating cadence.
Scenario 2Design control self-assessment workflows and evidence retention standards.
Scenario 3Evaluate control exceptions and determine compensating control requirements.
Scenario 4Develop a centralized obligations tracker with status and due-date governance.
Scenario 5Prepare an annual compliance effectiveness review with improvement priorities.

Upgrade required →

Change Risk Assessment Scenario Path

change-risk

🔒 Locked for free

Scenario 1Define risk screening criteria for business and technology change requests.
Scenario 2Assess control impacts from major releases and process redesign initiatives.
Scenario 3Design pre-implementation assurance checks for high-risk changes.
Scenario 4Create post-implementation monitoring to detect unintended control degradation.
Scenario 5Document change governance lessons and optimize approval decision paths.

Upgrade required →

Audit & Assurance Job Path Scenarios

it-audit-assurance

🔒 Locked for free

Scenario 1Define an audit scope for a high-risk business process.
Scenario 2Select a sample strategy and justify why it is risk-based.
Scenario 3Document one control test with clear pass/fail criteria.
Scenario 4Write a finding with condition, criteria, cause, and impact.
Scenario 5Build a remediation tracker with owner, date, and verification step.
Scenario 6Select key risk indicators and data sources to test control performance at scale.
Scenario 7Design an analytic test to detect segregation-of-duties conflicts in transactional data.
Scenario 8Evaluate false positives and tune thresholds while preserving assurance quality.
Scenario 9Document reproducibility requirements for scripts, queries, and evidence snapshots.
Scenario 10Present actionable findings that connect analytic results to remediation priorities.

Upgrade required →

Privacy & Data Protection Job Path Scenarios

privacy-operations

🔒 Locked for free

Scenario 1Map a data flow and identify controller/processor roles.
Scenario 2Evaluate lawful basis and notice requirements for one processing activity.
Scenario 3Create a DSAR handling checklist with SLA milestones.
Scenario 4Assess vendor transfer risk and define required safeguards.
Scenario 5Draft a privacy incident escalation note with required stakeholders.
Scenario 6Define data ownership roles for critical datasets used in risk and compliance reporting.
Scenario 7Create quality rules for completeness, accuracy, timeliness, and consistency checks.
Scenario 8Design exception handling workflows for failed data controls and unresolved defects.
Scenario 9Assess lineage documentation gaps and prioritize remediation for audit-relevant flows.
Scenario 10Prepare a governance dashboard for quality trend monitoring and accountability.

Upgrade required →

Security & Resilience Job Path Scenarios

security-grc-engineer

🔒 Locked for free

Scenario 1Prioritize attack scenarios by impact and likelihood.
Scenario 2Map detection coverage to a chosen threat scenario.
Scenario 3Define incident command roles for a simulated outage.
Scenario 4Document business continuity dependencies for one critical service.
Scenario 5Create a post-incident improvement plan with measurable outcomes.
Scenario 6Classify a security event and determine escalation based on impact and confidence.
Scenario 7Draft an incident timeline capturing detection, containment, eradication, and recovery.
Scenario 8Define communications for legal, executive, customer, and regulator stakeholders.
Scenario 9Evaluate evidence preservation and chain-of-custody requirements for investigation.
Scenario 10Write a post-incident review with root cause, lessons learned, and prioritized actions.

Upgrade required →

Third-Party & Regulatory Job Path Scenarios

third-party-risk

🔒 Locked for free

Scenario 1Triage a high-risk vendor onboarding request and identify required due diligence evidence.
Scenario 2Assess anti-bribery red flags and document escalation rationale.
Scenario 3Evaluate an ITGC deficiency and classify impact to financial reporting.
Scenario 4Draft a remediation plan with control owner, due date, and retest criteria.
Scenario 5Prepare a regulator-ready summary with supporting evidence references.
Scenario 6Build a tiering model to align due diligence depth with vendor criticality.
Scenario 7Evaluate SOC, ISO, and questionnaire evidence for control design and operating effectiveness.
Scenario 8Define trigger events for reassessment, continuous monitoring, and contract review.
Scenario 9Draft a remediation plan for material findings with accountability and verification steps.
Scenario 10Create a governance summary of vendor risk trends and concentration exposures.

Upgrade required →

Program Leadership Job Path Scenarios

grc-program-manager

🔒 Locked for free

Scenario 1Define governance forum cadence and decision rights for a new GRC program.
Scenario 2Create KPI/KRI metrics for executive reporting and board visibility.
Scenario 3Prioritize competing remediation initiatives under constrained capacity.
Scenario 4Resolve a cross-functional ownership conflict using a RACI approach.
Scenario 5Write a quarterly GRC update with top risks, actions, and blockers.
Scenario 6Define a measurable loss event scenario using threat, asset, and effect.
Scenario 7Estimate frequency and probable loss magnitude ranges with assumptions.
Scenario 8Compare treatment options using expected risk reduction and cost.
Scenario 9Document uncertainty drivers and sensitivity to key assumptions.
Scenario 10Present a decision recommendation in business terms for leadership.

Upgrade required →

ISO 27001 / Security Compliance Manager Job Path Scenarios

iso-27001-security-compliance

🔒 Locked for free

Scenario 1Define ISMS scope boundaries, exclusions, and ownership for a realistic organization.
Scenario 2Draft a risk assessment approach and treatment decision model aligned to business context.
Scenario 3Build a practical control selection rationale and Statement of Applicability structure.
Scenario 4Design evidence requirements for policy operation, control execution, and monitoring.
Scenario 5Prepare an internal audit and management review agenda with clear outputs.
Scenario 6Design a control testing calendar using risk-weighted prioritization criteria.
Scenario 7Define testing procedures with objective evidence requirements and pass/fail rules.
Scenario 8Evaluate control exceptions and determine compensating control requirements.
Scenario 9Build a policy taxonomy aligned to regulatory obligations and internal risk themes.
Scenario 10Define approval workflows, review cadence, and exception governance requirements.

Upgrade required →

Operational Resilience Analyst Job Path Scenarios

operational-resilience

🔒 Locked for free

Scenario 1Define critical business services and map maximum tolerable downtime for each.
Scenario 2Document dependency chains across people, process, technology, and third parties.
Scenario 3Design crisis command roles and decision thresholds for service disruption events.
Scenario 4Run a tabletop exercise scenario and capture response timeline strengths and gaps.
Scenario 5Build a continuity improvement backlog with ownership, due dates, and validation tests.
Scenario 6Classify a security event and determine escalation based on impact and confidence.
Scenario 7Draft an incident timeline capturing detection, containment, eradication, and recovery.
Scenario 8Define communications for legal, executive, customer, and regulator stakeholders.
Scenario 9Classify an ICT provider's criticality and document rationale against DORA expectations.
Scenario 10Evaluate concentration risk across key ICT providers and propose mitigation options.

Upgrade required →

Executive & Board Reporting Job Path Scenarios

executive-board-reporting

🔒 Locked for free

Scenario 1Define board-level risk appetite indicators and threshold breach triggers.
Scenario 2Create a concise risk dashboard balancing trend clarity with decision relevance.
Scenario 3Translate technical control findings into strategic business impact statements.
Scenario 4Draft decision memos for top risk tradeoffs and funding implications.
Scenario 5Build a quarterly board pack with accountability, status, and escalation items.
Scenario 6Create KPI/KRI metrics for executive reporting and board visibility.
Scenario 7Select KRIs linked to top enterprise risks and owner accountability.
Scenario 8Set tolerance bands and escalation triggers with management response actions.
Scenario 9Validate metric quality through back-testing and anomaly review.
Scenario 10Present metric insights that drive concrete risk treatment decisions.

Upgrade required →

Cloud Governance & Asset Lifecycle Job Path Scenarios

cloud-governance-asset-lifecycle

🔒 Locked for free

Scenario 1Identify cloud account governance gaps and define ownership guardrails by business unit.
Scenario 2Assess cost anomalies and map optimization options without weakening control coverage.
Scenario 3Design policy-as-code checks for tagging, encryption, and network exposure controls.
Scenario 4Create a risk register for cloud misconfiguration trends and unresolved exceptions.
Scenario 5Prepare an executive update on cloud spend, risk posture, and remediation progress.
Scenario 6Define joiner-mover-leaver control objectives and required evidence artifacts.
Scenario 7Test privileged access reviews for timeliness, completeness, and revocation quality.
Scenario 8Define risk screening criteria for business and technology change requests.
Scenario 9Assess control impacts from major releases and process redesign initiatives.
Scenario 10Design pre-implementation assurance checks for high-risk changes.

Upgrade required →

Quantitative Risk & Insider Threat Job Path Scenarios

quant-risk-insider-threat

🔒 Locked for free

Scenario 1Define a measurable loss event scenario using threat, asset, and effect.
Scenario 2Estimate frequency and probable loss magnitude ranges with assumptions.
Scenario 3Compare treatment options using expected risk reduction and cost.
Scenario 4Document uncertainty drivers and sensitivity to key assumptions.
Scenario 5Present a decision recommendation in business terms for leadership.
Scenario 6Draft insider threat program scope, objective, and governance charter language.
Scenario 7Design intake and triage criteria for suspicious insider activity referrals.
Scenario 8Define privacy guardrails for monitoring and investigations.
Scenario 9Create escalation pathways for legal, HR, and security coordination.
Scenario 10Build monthly oversight metrics and assurance checks.

Upgrade required →

ESG Governance & Disclosure Job Path Scenarios

esg-governance-disclosure

🔒 Locked for free

Scenario 1Identify material ESG topics and map accountable executive owners for each topic.
Scenario 2Design controls for source data quality, versioning, and disclosure approvals.
Scenario 3Evaluate a climate-risk scenario and define decision triggers for adaptation planning.
Scenario 4Build an issue log for disclosure gaps with remediation owner and due date.
Scenario 5Draft an audit committee briefing summarizing ESG reporting readiness and residual risks.
Scenario 6Triage an incoming regulation and map impacted obligations to business functions.
Scenario 7Define control and policy changes needed to satisfy new regulatory requirements.
Scenario 8Create stakeholder governance for legal interpretation, implementation, and validation.
Scenario 9Deliver an executive readiness update with risks, blockers, and decision requests.
Scenario 10Prepare an annual compliance effectiveness review with improvement priorities.

Upgrade required →