Certified Information Security Manager (CISM) — Question 901
Which of the following would be the GREATEST concern with the implementation of key risk indicators (KRIs)?
Answer options
- A. Inability to measure KRIs
- B. Poorly defined risk appetite
- C. Overly specific KRI definitions
- D. Complex organizational structure
Correct answer: B
Explanation
A poorly defined risk appetite can lead to misalignment in the organization's understanding of risk and its tolerance levels, making KRIs ineffective. While the other options present challenges, they do not compromise the framework for understanding and responding to risk as fundamentally as a vague risk appetite does.