A risk practitioner has implemented a key risk indicator (KRI) that triggers a warning when the number of untreated IT control deficiencies exceeds a given threshold. Which of the following should be the GREATEST concern regarding the design of this KRI?
The greatest concern regarding the design of the key risk indicator (KRI) should be ignoring the significance of the control deficiencies. The purpose of a KRI is to provide meaningful insights into potential risks, and by not considering the significance of the control deficiencies, the KRI could miss critical issues that need immediate attention. Setting unrealistic targets or generating false positives, while problematic, are secondary to ensuring that the warning thresholds are based on the actual risk posed by the deficiencies.
I would pick A cos its important for KRIs to be attainable otherwise its useless