The accuracy of a key risk indicator (KRI) is the degree to which the indicator reflects the true level and trend of the risk. It is most important that the indicator is correlated to risk and tracks variances in the risk, as this ensures that the indicator is relevant, reliable, and responsive to the risk situation. A correlated indicator has astrong and consistent relationship with the risk, meaning that changes in the indicator reflect changes in the risk. A variance-tracking indicator measures the difference between the actual and expected risk level, meaning that the indicator can detect and report deviations from the risk appetite or threshold. According to the CRISC Review Manual 2022, correlation and variance tracking are two of the key characteristics of an effective KRI1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, correlation and variance tracking are the correct answer to this question2.

Assigning the indicator to IT processes and projects with a low level of risk, having a high correlation with the process outcome, and triggering response based on risk thresholds are not the most important factors for determining the accuracy of a KRI. These factors may be useful or desirable, but they do not directly affect the accuracy of the indicator. Assigning the indicator to IT processes and projects with a low level of risk may reduce the complexity and uncertainty ofthe indicator, but it may also limit the scope and value of the indicator. Having a high correlation with the process outcome may indicate that the indicator is aligned with the business objectives, but it may not capture the risk factors or drivers that affect the outcome. Triggering response based on risk thresholds may indicate that the indicator is actionable and timely, but it may not reflect the actual or potential changes in the risk level.