Certified in the Governance of Enterprise IT (CGEIT) — Question 352

An enterprise wishes to establish key risk indicators (KRIs) in an effort to better manage IT risk. Which of the following should be identified FIRST?

Answer options

• A. Risk mitigation strategies
• B. Key performance metrics
• C. Enterprise architecture (EA) components
• D. The enterprise risk appetite

Correct answer: D

Explanation

Identifying the enterprise risk appetite is crucial as it sets the threshold for acceptable risk levels, guiding the establishment of KRIs. Without understanding the risk appetite, the organization cannot effectively determine which risks are significant and how to prioritize them. The other options, while important, are secondary to establishing a clear risk appetite.