Section: Volume D

The best course of action for the risk practitioner is to follow the incident reporting procedures established by the organization. This will ensure that the incident is properly documented, escalated, and resolved in a timely and consistent manner. Reporting the incident to the chief risk officer, advising the employee to forward the email to the phishing team, or advising the employee to permanently delete the email are not the best courses of action, as they may not comply with the organization's policies and standards, and may not address the root cause and impact of the incident. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 4, Section 4.2.2.1, page 193.

The business owner should own the risk if the ERP and payroll system fail to operate as expected, because the business owner is ultimately responsible for the business processes and objectives that depend on the systems.
The other options are not the risk owners, because:
* Option B: The ERP administrator is responsible for the technical aspects of the ERP system, but not the payroll system or the business outcomes.
* Option C: The project steering committee is responsible for overseeing the project of replacing the ERP system, but not the ongoing operation and maintenance of the systems or the business risks.
* Option D: The IT project manager is responsible for managing the project of replacing the ERP system, but not the payroll system or the business risks. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 90.

Section: Volume A
Explanation:
0 nonexistent: An enterprise's risk management capability maturity level is 0 when:
* The enterprise does not recognize the need to consider the risk management or the business impact from IT risk.
* Decisions involving risk lack credible information.
* Awareness of external requirements for risk management and integration with enterprise risk management (ERM) do not exists.
Incorrect Answers:
A, C, D: These all are much higher levels of the risk management capability maturity model and in all these enterprises do take decisions considering the risk credential information. Moreover, in these levels enterprise is aware of external requirements for risk management and integrate with ERM.