The PRIMARY objective of the board of directors periodically reviewing the risk profile is to help ensure that the risk strategy is appropriate, because the risk strategy defines the enterprise’s risk appetite, tolerance, and objectives, and guides the risk management process and activities. The board of directors should review the risk profile to ensure that it reflects the current internal and external environment, and that it aligns with the enterprise’s strategy and goals. The other options are not the primary objective, because:

Option B: KRIs and KPIs are aligned is a desirable outcome of the risk strategy, but not the primary objective of the board of directors reviewing the risk profile. KRIs and KPIs are indicators that measure and monitor the risk exposure and performance of the enterprise, respectively, and they should be consistent with the risk strategy and objectives.

Option C: Performance of controls is adequate is a result of the risk response, but not the primary objective of the board of directors reviewing the risk profile. Performance of controls is the degree to which the controls are effective and efficient in mitigating the risks, and it should be evaluated and reported by the risk management function and the internal audit function.

Option D: The risk monitoring process has been established is a prerequisite for the risk profile, but not the primary objective of the board of directors reviewing the risk profile. The risk monitoring process is the process of tracking and reporting the risk status and performance, and it should be implemented and executed by the risk management function and the business process owners. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 119.