Section: Volume B
Explanation:
Monitoring tools that focuses on transaction data generally correlate information from one system to another, such as employee data from the human resources (HR) system with spending information from the expense system or the payroll system.
Incorrect Answers:
B: Process integrity is confirmed within the system, it does not need monitoring.
C: Configuration settings are generally compared against predefined values and not based on the correlation between multiple sources.
D: System changes are compared from a previous state to the current state, it does not correlate information from multiple sources.

A standardized risk taxonomy is a common language and structure for identifying, analyzing, and reporting risks across the enterprise. It enables consistent and comparable risk assessment and aggregation, as well as clear communication and coordination among different divisions. A list of control deficiencies, an enterprise risk ownership policy, and an updated risk tolerance metric are not sufficient to enable management of risk at the enterprise level, as they do not address the issue of risk alignment and integration among divisions.
References = [CRISC Review Manual (Digital Version)], page 42; CRISC by Isaca Actual Free Exam Q&As, question 197.

Risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives.
Risk appetite provides the most important information to facilitate a risk response decision, as it defines the boundaries and expectations for the risk management process. Risk appetite helps to determine the acceptable level of variation around the objectives, and to prioritize and allocate resources for the risk responses. Risk appetite also helps to align the risk management program with the enterprise's strategy, culture, and values.
The other options are not as important as risk appetite, as they provide different types of information for the risk management process:
* Audit findings are the results of the independent and objective examination of the risk management program, such as by internal or external auditors. Audit findings provide assurance and feedback on the effectiveness and efficiency of the risk management program, and may identify gaps or weaknesses that need to be addressed. Audit findings may influence the risk response decision, but they are not as essential as risk appetite, as they are based on the existing or past performance of the risk management program, and may not reflect the future or potential risks or opportunities.
* Key risk indicators are the metrics that measure the changes in the level of risk exposure, such as by monitoring the risk drivers, triggers, or events. Key risk indicators provide information on the current or emerging risks, and may alert the enterprise to take action or adjust the risk response. Key risk indicators may influence the risk response decision, but they are not as essential as risk appetite, as they are based on the observed or estimated data or trends, and may not account for the uncertainties or complexities of the risks.
* Industry best practices are the methods or techniques that have been proven to be effective or efficient in managing risks, such as by benchmarking or adopting standards or frameworks. Industry best practices provide guidance and direction on how to implement the risk management program, and may improve the quality or consistency of the risk response. Industry best practices may influence the risk response decision, but they are not as essential as risk appetite, as they are based on the experiences or
* recommendations of other enterprises, and may not be suitable or applicable for the specific context or objectives of the enterprise. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.1.1, pp. 18-19.

Section: Volume A
Explanation:
Threats and vulnerabilities change over time and KRI maintenance ensures that KRIs continue to effectively capture these changes.
The risk environment is highly dynamic as the enterprise's internal and external environments are constantly changing. Therefore, the set of KRIs needs to be changed over time, so that they can capture the changes in threat and vulnerability.
Incorrect Answers:
A: Risk avoidance is one possible risk response. Risk responses are based on KRI reporting, but is not the reason for maintenance of KRIs.
B: While most key risk indicator (KRI) metrics need to be optimized in respect to their sensitivity, the most important objective of KRI maintenance is to ensure that KRIs continue to effectively capture the changes in threats and vulnerabilities over time. Hence the most important reason is that because of change of threat and vulnerability overtime.
C: Risk reporting timeliness is a business requirement, but is not a reason for KRI maintenance.