Explanation/Reference:
Explanation:
An enterprise's risk management capability maturity level is 3 when:
Risk management is viewed as a business issue, and both the drawbacks and benefits of risk are

recognized.
There is a selected leader for risk management, engaged with the enterprise risk committee, across the

enterprise.
The business knows how IT fits in the enterprise risk universe and the risk portfolio view.

Local tolerances drive the enterprise risk tolerance.

Risk management activities are being aligned across the enterprise.

Formal risk categories are identified and described in clear terms.

Situations and scenarios are included in risk awareness training beyond specific policy and structures

and promote a common language for communicating risk.
Defined requirements exist for a centralized inventory of risk issues.

Workflow tools are used to accelerate risk issues and track decisions.

Incorrect Answers:
C: Enterprise having risk management capability maturity level 5 requires continuous improvement of risk management skills, based on clearly defined personal and enterprise goals.

The most important factor for an organization to consider when developing its IT strategy is the organizational goals and objectives. The organizational goals and objectives are the statements that define the purpose, direction, and desired outcomes of the organization. The organizational goals and objectives help to align the IT strategy with the organization's mission, vision, values, and strategy, and to ensure that the IT strategy supports and enables the organization's performance and improvement. The organizational goals and objectives also help to communicate and coordinate the IT strategy with the organization's stakeholders, such as the board, management, business units, and IT functions, and to facilitate the IT decision-making and reporting processes. The other options are not as important as the organizational goals and objectives, although they may be related to the IT strategy. IT goals and objectives, the organization's risk appetite statement, and legal and regulatory requirements are all factors that could affect the feasibility and sustainability of the IT strategy, but they do not necessarily reflect or influence the organization's purpose, direction, and desired outcomes. References = Risk and Information Systems Control Study Manual, Chapter 1, Section 1.2.1, page
1-9.

Section: Volume D

Section: Volume D