Explanation/Reference:
Explanation:
The enterprise with risk management capability maturity level 0 makes decisions without having much knowledge about the risk credible information. In level 1, enterprise takes decisions on the basis of risk credible information.
Incorrect Answers:
A, C, D: An enterprise's risk management capability maturity level is 1 when:
There is an understanding that risk is important and needs to be managed, but it is viewed as a

technical issue and the business primarily considers the downside of IT risk.
Any risk identification criteria vary widely across the enterprise.

Risk appetite and tolerance are applied only during episodic risk assessments.

Enterprise risk policies and standards are incomplete and/or reflect only external requirements and lack

defensible rationale and enforcement mechanisms.
Risk management skills exist on an ad hoc basis, but are not actively developed.

Ad hoc inventories of controls that are unrelated to risk are dispersed across desktop applications.

The best way to ensure the continued effectiveness of the IT risk management function within an organization experiencing high employee turnover is to have well documented policies and procedures. Policies and procedures are the formal documents that define the roles, responsibilities, processes, and standards for the IT risk management function. They provide guidance, consistency, and continuity for the IT risk management activities and outcomes. They also facilitate the knowledge transfer, training, and performance evaluation of the IT risk management staff. The other options are not as helpful as well documented policies and procedures, as they are related to the tools, mechanisms, or structures that support the IT risk management function, not the foundation and direction of the IT risk management function. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.1: IT Risk Management Process, page 15.

The most important concern when assigning multiple risk owners for an identified risk is that accountability may not be clearly defined. Accountability is the obligation of an individual or group to take responsibility for the risk and its associated actions and outcomes. If multiple risk owners are assigned for the same risk, there may be confusion, conflict, or overlap in their roles and responsibilities, and they may not be held accountable for the risk management performance. Risk ratings being inconsistently applied, different risk taxonomies being used, and mitigation efforts being duplicated are other possible concerns, but they are not as important as accountability not being clearly defined. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, question 12; CRISC Review Manual, 6th Edition, page 215.

Section: Volume D

Explanation/Reference:
Explanation:
0 nonexistent: An enterprise's risk management capability maturity level is 0 when:
The enterprise does not recognize the need to consider the risk management or the business impact

from IT risk.
Decisions involving risk lack credible information.

Awareness of external requirements for risk management and integration with enterprise risk

management (ERM) do not exists.
Incorrect Answers:
A, C, D: These all are higher levels of capability maturity model and in this enterprise is mature enough to recognize the importance of risk management.