which of the following risk management capability maturity levels risk appetite and tolerance are applied only during episodic risk assessments?

In which of the following risk management capability maturity levels risk appetite and tolerance are
applied only during episodic risk assessments?

In which of the following risk management capability maturity levels risk appetite and tolerance are
applied only during episodic risk assessments?

A.
Level 3

B.
Level 2

C.
Level 4

D.
Level 1

Explanation:

An enterprise’s risk management capability maturity level is 1 when:
There is an understanding that risk is important and needs to be managed, but it is viewed as a
technical issue and the business primarily considers the downside of IT risk.
Any risk identification criteria vary widely across the enterprise.
Risk appetite and tolerance are applied only during episodic risk assessments.
Enterprise risk policies and standards are incomplete and/or reflect only external requirements and
lack defensible rationale and enforcement mechanisms.
Risk management skills exist on an ad hoc basis, but are not actively developed.
Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.
Answer A is incorrect. In level 3 of risk management capability maturity model, local tolerances
drive the enterprise risk tolerance.

Answer B is incorrect. In level 2 of risk management capability maturity model, risk tolerance is set
locally and may be difficult to aggregate.
Answer C is incorrect. In level 4 of risk management capability maturity model, business risk
tolerance is reflected by enterprise policies and standards reflect.



Leave a Reply 0

Your email address will not be published. Required fields are marked *