Which of the following is the MOST important reason to maintain key risk indicators (KRIs)? 

Answer options:

A. In order to avoid risk
B. Complex metrics require fine-tuning
C. Risk reports need to be timely
D. Threats and vulnerabilities change over time

D

Threats and vulnerabilities change over time and KRI maintenance ensures that KRIs continue to effectively capture these changes. The risk environment is highly dynamic as the enterprise`s internal and external environments are constantly changing. Therefore, the set of KRIs needs to be changed over time, so that they can capture the changes in threat and vulnerability. Incorrect Answers: A: Risk avoidance is one possible risk response. Risk responses are based on KRI reporting, but is not the reason for maintenance of KRIs. B: While most key risk indicator (KRI) metrics need to be optimized in respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time. Hence the most important reason is that because of change of threat and vulnerability overtime. C: Risk reporting timeliness is a business requirement, but is not a reason for KRI maintenance.