Isaca Certified in Risk and Information Systems Control CRISC Question # 423 Topic 43 Discussion

CRISC Exam Topic 43 Question 423 Discussion:

Question #: 423

Topic #: 43

A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Recommend a re-evaluation of the current threshold of the KRI.

Notify management that KRIs are being effectively managed.

Update the risk rating associated with the KRI In the risk register.

Update the risk tolerance and risk appetite to better align to the KRI.

Get Premium CRISC Questions

Explanation

The FIRST thing that should be done when a KRI has remained below its established trigger point for an extended period of time is to recommend a re-evaluation of the current threshold of the KRI, because it may indicate that the trigger point is set too high or too low, or that the KRI is not relevant or effective in measuring the risk exposure. A re-evaluation of the current threshold of the KRI may result in adjusting the trigger point, changing the KRI, or removing the KRI. The other options are not the first thing that should be done, because:

Option B: Notifying management that KRIs are being effectively managed is not the first thing that should be done, because it may not reflect the true risk status and performance. A KRI that remains below its trigger point for a long time may not be a valid or reliable indicator of the risk exposure, and it may not capture the changes or trends in the risk environment.

Option C: Updating the risk rating associated with the KRI in the risk register is not the first thing that should be done, because it may not be accurate or consistent. A risk rating is based on the likelihood and impact of the risk, and it should be derived from a comprehensive risk analysis, not just from a single KRI. A KRI that remains below its trigger point for a long time may not reflect the actual likelihood and impact of the risk, and it may not be aligned with the other risk indicators and assessments.

Option D: Updating the risk tolerance and risk appetite to better align to the KRI is not the first thing that should be done, because it may not be appropriate or feasible. Risk tolerance and risk appetite are the acceptable level of risk exposure and variation that the enterprise is willing to accept in pursuit of its objectives, and they are determined by the executive management and the board of directors, based on the enterprise’s strategy and goals. A KRI that remains below its trigger point for a long time may not represent the desired or optimal level of risk exposure and variation, and it may not be aligned with the enterprise’s strategy and goals. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 121.

Actual exam question for Isaca CRISC exam by Hale81354 at Aug 3, 2025, 11:27:11 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 423 Topic 43 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 423 Topic 43 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 423 Topic 43 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 423 Topic 43 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval