The correct answer is B because a process maturity model is primarily used to determine the gap between the actual state and the desired state of the risk management process. This is its main value in CRISC: it helps the organization understand current capability, compare it with target capability, and identify where improvement is needed.
The other options are less accurate:
A. determine the cost of control improvements may be done separately through cost-benefit analysis, but it is not the main purpose of a maturity model.
C. benchmark maturity against industry standards can be a secondary use, but the primary value is internal gap identification.
D. reduce audit and regulatory findings may occur as an indirect benefit, but it is not the principal purpose.
Exact Extracts supporting the answer:
“Improving an enterprise’s risk management process is most effectively achieved through the use of a maturity model.”
“The most insightful tool for understanding an enterprise’s risk management capabilities is a capability maturity model review.”
“A capability maturity model assists risk practitioners in measuring the existing level of development of risk management processes against the desired state.”
“The PRIMARY benefit of using a maturity model to assess the enterprise’s data management process is that it helps identify gaps.”
“Measuring the gap between actual and desired states is the primary use of capability models in assessing risk management processes.”
These extracts directly support that the most useful purpose of a process maturity model is to identify the gap between current and target maturity.