Denis would like to adopt an industry-standard approach for assessing the processes his organization uses to manage risk. What maturity model would be most appropriate for his use?

The Risk Maturity Model (RMM) is specifically designed for the purpose of assessing enterprise risk management programs. Denis could conceivably use the more generic capability maturity model (CMM), but this would not be as good of a fit. The software capability maturity model (SW-CMM) is designed for assessing development projects, not risk management efforts. The Control Objectives for Information Technology (COBIT) are a set of security control objectives and not a maturity model.