Exam CRISC topic 1 question 464 discussion

A. Loss expectancy information Loss expectancy information is highly valuable for setting KRI thresholds as it provides an estimate of the potential impact (in terms of loss) of specific risk events. This information helps in determining the point at which a risk becomes significant enough to warrant attention or action. By understanding the potential loss associated with different risk levels, organizations can set KRI thresholds that are aligned with their risk appetite and tolerance. These thresholds help in identifying when a risk is approaching a level that could result in unacceptable losses, allowing for timely intervention.

A. Loss expectancy information Loss expectancy information can provide useful guidance in setting thresholds for key risk indicators (KRIs), as it offers insight into the potential impact of risk events. The threshold for a KRI should reflect a point at which the risk becomes unacceptable, and this would naturally be tied to the potential loss that could be incurred. Other options like IT service level agreements, control performance results, or remediation activity progress could be informative in certain contexts but are not as universally applicable as loss expectancy when developing KRI thresholds.

Going with "A", asset value, SLE and ALE determine KRI's thresholds

The question is asking about KRI, so A, with B being more KPI and C being more KCI

'A' KRI measures risk based on a risk threshold and your expectation of loss (upon reaching an unacceptable level). An SLA is a type of KPI.

A for me

B. IT service level agreements is best in my view. A KRI will help act as an early warning indicator if the process is about to breach the SLA. Rest do not seem to be the best answer.