Certified in Risk and Information Systems Control (CRISC) — Question 1392
A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?
Answer options
- A. The underlying data source for the KRI is using inaccurate data and needs to be corrected.
- B. The KRI threshold needs to be revised to better align with the organization's risk appetite.
- C. Senior management does not understand the KRI and should undergo risk training.
- D. The KRI is not providing useful information and should be removed from the KRI inventory.
Correct answer: B
Explanation
The correct answer is B: the thresholds set for the KRI may not reflect the organization's actual risk tolerance, which leads management to dismiss the reported risks. Option A addresses data accuracy, which is not the issue here; option C implies a knowledge gap, and option D suggests the KRI is irrelevant, neither of which explains the inaction despite the thresholds being exceeded.