Which of the following is NOT true for risk management capability maturity level 1?

Which of the following is NOT true for risk management capability maturity level 1?
A . There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
B . Decisions involving risk lack credible information
C . Risk appetite and tolerance are applied only during episodic risk assessments
D . Risk management skills exist on an ad hoc basis, but are not actively developed

View Answer

Answer: B

Explanation:

The enterprise with risk management capability maturity level 0 makes decisions without having much knowledge about the risk credible information. In level 1, enterprise takes decisions on the basis of risk credible information.

Incorrect Answers:

A, C, D: An enterprise’s risk management capability maturity level is 1 when:

– There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.

– Any risk identification criteria vary widely across the enterprise.

– Risk appetite and tolerance are applied only during episodic risk assessments.

– Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.

– Risk management skills exist on an ad hoc basis, but are not actively developed.

– Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.