Capability maturity models are the models that are used by the enterprise to rate itself in terms of the least mature level to the most mature level.
Which of the following capability maturity levels shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
0 nonexistent: An enterprise's risk management capability maturity level is 0 when: -> The enterprise does not recognize the need to consider the risk management or the business impact from IT risk.
-> Decisions involving risk lack credible information.
-> Awareness of external requirements for risk management and integration with enterprise risk management (ERM) do not exists.
Incorrect Answers: A, C, D: These all are higher levels of capability maturity model and in this enterprise is mature enough to recognize the importance of risk management.
Capability Maturity Model (CMM) is a model that assesses the capability and maturity of an organization's processes. It is used to measure and improve the ability of an organization to deliver high-quality products and services. The CMM has five maturity levels, ranging from Level 0 to Level 5.
Level 0: The organization has no processes in place, and work is performed on an ad-hoc basis.
Level 1: The organization has basic processes in place, but they are not well defined, and their effectiveness is not measured.
Level 2: The organization has defined processes that are repeatable, and their effectiveness is measured.
Level 3: The organization has defined processes that are both repeatable and documented, and their effectiveness is regularly measured and evaluated.
Level 4: The organization has established a quantitative process management system that uses metrics to improve process performance.
Level 5: The organization has optimized its processes to achieve continuous process improvement.
Based on the given options, the capability maturity level that shows that the enterprise does not recognize the need to consider the risk management or the business impact from IT risk is Level 0.
At Level 0, the organization has no processes in place, and work is performed on an ad-hoc basis. Therefore, it is highly unlikely that the organization recognizes the need to consider risk management or the business impact from IT risk.
The other levels, Level 1 through Level 3, indicate that the organization has at least basic processes in place, and in Level 3, the processes are documented and regularly measured and evaluated. At these levels, it is more likely that the organization recognizes the need to consider risk management or the business impact from IT risk.
In conclusion, the answer is B. Level 0.