A. Capability maturity level The Capability Maturity Model (often used in its Integrated form, CMMI) provides a structured approach for assessing and improving processes within an organization. By evaluating the maturity level of the processes, the organization can get a clear view of the current state, effectiveness, and maturity of its IT risk management program. Option B, "Balanced scorecard," is a strategic performance management tool that looks at a variety of indicators across different organizational perspectives, but it may not provide a detailed view of the IT risk management program's maturity and effectiveness. Option C, "Control self-assessment (CSA)," provides a way for organizations to assess the effectiveness of their controls, but it doesn't provide a comprehensive view of the IT risk management program's maturity. Option D, "Internal audit plan," provides a schedule and scope for internal audits but doesn't provide a comprehensive assessment of the maturity and effectiveness of the IT risk management program. Thus, assessing the capability maturity level would be the most useful method for regularly reporting on the overall status and effectiveness of the IT risk management program.

B. Balanced scorecard The balanced scorecard is MOST useful for regularly reporting on the overall status and effectiveness of the IT risk management program. The balanced scorecard is a strategic performance management framework that provides a balanced view of an organization's performance across multiple dimensions, including financial, customer, internal processes, and learning and growth.

Agree with B.

I will go with Balanced score card. The language in the stupid ISACA manual is intentionally made convoluted.

From the self-assessment questions (7th CRISC manual, chapter 3), 'a scorecard allows management to measure strategy implementation and assist management in translating it into action'.

In the CRISC manual have never came across scorecard, is it something being used to asses risk assessment process or framework?

also agree with this answer. scorecard is most suitable in this situation

I think scorecard is right here. CMM generally used when compare with peer organization or gap analysis. Scorecard is kind academic report of individual in different areas of company like finance, process, customers etc.

I think the correct answer is A. Capability maturity level