Certified in Risk and Information Systems Control (CRISC) — Question 1299

A risk practitioner has implemented a key risk indicator (KRI) that triggers a warning when the number of untreated IT control deficiencies exceeds a given threshold. Which of the following should be the GREATEST concern regarding the design of this KRI?

Answer options

• A. Setting unrealistic targets for compliance
• B. Ignoring the significance of the control deficiencies
• C. Generating a large number of false-positive warnings
• D. Failing to attract sufficient management support

Correct answer: C

Explanation

The greatest concern with this KRI's design is generating a large number of false-positive warnings (option C), as this can lead to alarm fatigue and undermine the effectiveness of risk management efforts. Setting unrealistic targets (option A) and ignoring the significance of deficiencies (option B) are also issues, but they do not directly lead to confusion and inaction like false positives do. Failing to attract sufficient management support (option D) is important, but it is secondary to the operational issues caused by false positives.