CRISC Certified in Risk and Information Systems Control – Question330

In which of the following risk management capability maturity levels are risk appetite and tolerance applied only during episodic risk assessments?

A. Level 3
B. Level 2
C. Level 4
D. Level 1

Correct Answer: D

Explanation:

An enterprise's risk management capability maturity level is 1 when:

  • There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
  • Any risk identification criteria vary widely across the enterprise.
  • Risk appetite and tolerance are applied only during episodic risk assessments.
  • Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
  • Risk management skills exist on an ad hoc basis, but are not actively developed.
  • Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.

Incorrect Answers:
A: In level 3 of the risk management capability maturity model, local tolerances drive the enterprise risk tolerance.
B: In level 2 of the risk management capability maturity model, risk tolerance is set locally and may be difficult to aggregate.
C: In level 4 of the risk management capability maturity model, business risk tolerance is reflected by enterprise policies and standards.