Which of the following is NOT true for risk management capability maturity level 1?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
The enterprise with risk management capability maturity level 0 makes decisions without having much knowledge about the risk credible information.
In level 1, enterprise takes decisions on the basis of risk credible information.
Incorrect Answers: A, C, D: An enterprise's risk management capability maturity level is 1 when: -> There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
-> Any risk identification criteria vary widely across the enterprise.
-> Risk appetite and tolerance are applied only during episodic risk assessments.
-> Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
-> Risk management skills exist on an ad hoc basis, but are not actively developed.
-> Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.
The Capability Maturity Model Integration (CMMI) is a framework that is used to assess the maturity level of an organization's risk management capabilities. The CMMI model defines five levels of maturity, with level 1 being the least mature and level 5 being the most mature.
At maturity level 1, risk management is typically viewed as a technical issue and not as a strategic business concern. This means that there is an understanding that risk is important and needs to be managed, but the business primarily considers the downside of IT risk. Additionally, decisions involving risk lack credible information, as there is a lack of formalized processes and procedures for identifying, assessing, and managing risk.
Risk appetite and tolerance are applied only during episodic risk assessments, meaning that they are not integrated into day-to-day decision-making processes. At this level of maturity, risk management skills exist on an ad hoc basis, but are not actively developed. This can result in a lack of consistency and reliability in risk management practices across the organization.
To summarize, the answer to the question is C: Risk appetite and tolerance are applied only during episodic risk assessments. This means that risk management is not integrated into day-to-day decision-making processes and is not a strategic business concern. Decisions involving risk lack credible information, and risk management skills exist on an ad hoc basis but are not actively developed.