CGEIT Question #635: Real Exam Question with Answer & Explanation

The correct answer is A: The enterprise risk appetite. To establish Key Risk Indicators (KRIs) effectively, the enterprise risk appetite must be identified first, as it defines the acceptable level of risk and sets the context for monitoring.

Submitted by dimitri_ru· Apr 18, 2026Governance of Enterprise IT

Question

An enterprise wants to establish key risk indicators (KRIs) in an effort to better manage IT risk. Which of the following should be identified FIRST?

Options

AThe enterprise risk appetite
BKey performance metrics
CRisk mitigation strategies
DEnterprise architecture (EA) components

Explanation

To establish Key Risk Indicators (KRIs) effectively, the enterprise risk appetite must be identified first, as it defines the acceptable level of risk and sets the context for monitoring.

Common mistakes.

B. Key performance metrics (KPMs or KPIs) measure performance, not risk, and are therefore not the primary starting point for defining KRIs.
C. Risk mitigation strategies are developed to address identified risks, but the decision to mitigate and the acceptable residual risk level depend on the defined risk appetite.
D. Enterprise architecture components define the structure of IT systems, which is relevant for identifying where risks might exist, but not for defining the organization's tolerance for those risks.

Concept tested. KRI establishment prerequisites

Topics

#Key Risk Indicators (KRIs)#IT Risk Management#Risk Appetite#Governance

Community Discussion

No community discussion yet for this question.

Full CGEIT Practice Browse All CGEIT Questions