Certified in Risk and Information Systems Control (CRISC) — Question 482
Which of the following is NOT true for risk management capability maturity level 1?
Answer options
- A. There is an understanding that risk is important and needs to be managed, but it is viewed as a technical issue and the business primarily considers the downside of IT risk
- B. Decisions involving risk lack credible information
- C. Risk appetite and tolerance are applied only during episodic risk assessments
- D. Risk management skills exist on an ad hoc basis, but are not actively developed
Correct answer: C
Explanation
Option C is the correct answer because it is the statement that does not describe maturity level 1: at that level, risk appetite and tolerance are not consistently applied, which indicates a lack of systematic processes. Options A, B, and D accurately reflect characteristics of maturity level 1, highlighting the limited understanding and development of risk management practices.