The best thing to include when communicating changes in the IT risk profile is the gaps between the current and desired states of the control environment, as this shows the stakeholders the extent and impact of the changes, and the actions and resources needed to address them. The control environment is the set of policies, processes, and systems that provide reasonableassurance that the IT risks are identified, assessed, and treated effectively and efficiently. The current state of the control environment reflects the existing level and performance of the controls, and the residual risk that remains after the controls are applied. The desired state of the control environment reflects the target level and performance of the controls, and the risk appetite and tolerance of the organization. The gaps between the current and desired states of the control environment indicate the areas of improvement or enhancement for the IT risk management process, and the priorities and strategies for risk response. The other options are not the best things to include when communicating changes in the IT risk profile, although they may be useful or relevant information. A list of recent incidents affecting industry peers can provide some context and comparison for the IT risk profile, but it does not measure or explain the changes in the IT risk level or the control environment. Results of external attacks and related compensating controls can demonstrate the security and resilience of the IT systems and networks, but they do not cover the entire scope or spectrum of the IT risk profile or the control environment. A review of leading IT risk management practices within the industry can provide some insights and benchmarks for the IT risk management process, but it does not reflect thespecific situation or needs of the organization or the stakeholders. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 181.