Which of the following is NOT true for risk management capability maturity level 1?
A . There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
B . Decisions involving risk lack credible information
C . Risk appetite and tolerance are applied only during episodic risk assessments
D . Risk management skills exist on an ad hoc basis, but are not actively developed
Answer: B
Explanation:
An enterprise at risk management capability maturity level 0 makes decisions without credible risk information. At level 1, the enterprise makes decisions on the basis of credible risk information, so option B describes level 0, not level 1.
Incorrect Answers:
A, C, D: An enterprise’s risk management capability maturity level is 1 when:
– There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
– Any risk identification criteria vary widely across the enterprise.
– Risk appetite and tolerance are applied only during episodic risk assessments.
– Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
– Risk management skills exist on an ad hoc basis, but are not actively developed.
– Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.