Certified in Risk and Information Systems Control (CRISC) — Question 1335

In which of the following risk management capability maturity levels risk appetite and tolerance are applied only during episodic risk assessments?

Answer options

• A. Level 3
• B. Level 2
• C. Level 4
• D. Level 1

Correct answer: B

Explanation

The correct answer is B, Level 2, where risk appetite and tolerance are not consistently integrated into the overall framework and are instead only considered during specific assessments. In contrast, Levels 1, 3, and 4 have more structured approaches to risk appetite and tolerance, making them applicable beyond just episodic evaluations.