Comprehensive and Detailed Explanation:
The CGEIT Review Manual 8th Edition, in its Risk Optimization domain, stresses the importance of proactive risk monitoring to ensure the board is aware of material changes to the IT risk profile. Key risk indicators (KRIs) are metrics that provide early warnings of potential risks, such as increased cyber threats or system failures. Regular KRI reviews enable the board to detect shifts in the risk profile (e.g., a spike in unauthorized access attempts) and take timely action. The manual likely references COBIT 2019’s APO12-Managed Risk, which emphasizes KRIs for risk oversight.
Option A: A comprehensive list of risks is static and less effective for ongoing monitoring.
Option B: A SIEM tool is operational and supports detection but doesn’t directly provide board-level risk insights.
Option D: KPIs focus on performance, not risk, and are less relevant for risk profile changes.
Double Verification: The answer aligns with COBIT’s APO12 and the CGEIT domain’s focus on risk monitoring. KRIs are a standard ISACA tool for board-level risk oversight.
ISACA CGEIT Review Manual 8th Edition, Domain 4: Risk Optimization (focus on risk monitoring).
COBIT 2019, APO12-Managed Risk.
ISACA Glossary (for definitions of KRIs), available at https://www.isaca.org/resources/glossary.