• There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk.
• Any risk identification criteria vary widely across the enterprise.
• Risk appetite and tolerance are applied only during episodic risk assessments.
• Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack defensible rationale and enforcement mechanisms.
• Risk management skills exist on an ad hoc basis, but are not actively developed.
• Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.

Incorrect Answers:
A: In level 3 of risk management capability maturity model, local tolerances drive the enterprise risk tolerance.
B: In level 2 of risk management capability maturity model, risk tolerance is set locally and may be difficult to aggregate.
C: In level 4 of risk management capability maturity model, business risk tolerance is reflected by enterprise policies and standards reflect.