Which of the following is the MOST important reason to maintain key risk indicators (KRIs)?
A.
In order to avoid risk
B.
Complex metrics require fine-tuning
C.
Risk reports need to be timely
D.
Threats and vulnerabilities change over time
Explanation:
Threats and vulnerabilities change over time and KRI maintenance ensures that KRIs continue to
effectively capture these changes.
The risk environment is highly dynamic as the enterprise’s internal and external environments are
constantly changing. Therefore, the set of KRIs needs to be changed over time, so that they can
capture the changes in threat and vulnerability.
Answer B is incorrect. While most key risk indicator (KRI) metrics need to be optimized in respect
to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs
continue to effectively capture the changes in threats and vulnerabilities over time. Hence the most
important reason is that because of change of threat and vulnerability overtime.
Answer C is incorrect. Risk reporting timeliness is a business requirement, but is not a reason for
KRI maintenance.
Answer A is incorrect. Risk avoidance is one possible risk response. Risk responses are based
on KRI reporting, but is not the reason for maintenance of KRIs.