Certified in Risk and Information Systems Control (CRISC) — Question 4
Which of the following statements are true for an enterprise's risk management capability at maturity level 3?
Answer options
- A. Workflow tools are used to accelerate risk issues and track decisions
- B. The business knows how IT fits in the enterprise risk universe and the risk portfolio view
- C. The enterprise formally requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals
- D. Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are recognized
Correct answer: A, B, D
Explanation
Statements A, B, and D reflect the characteristics of maturity level 3, where workflow tools are implemented for efficiency, IT's role in risk is acknowledged, and risk management is recognized as a business concern. Option C is incorrect because at this level continuous improvement is a best practice and is not necessarily mandated as a formal requirement.