The correct answer is C because the best way to incorporate continuous monitoring in IT risk policies is to define how risk thresholds are aligned with organizational objectives. Continuous monitoring is effective only when it is tied to measurable thresholds that indicate when risk is moving outside acceptable limits. Those thresholds must be aligned with business objectives, risk appetite, and risk tolerance for monitoring to be meaningful.
The other options are less appropriate as the best policy-level approach:
A. Implement a governance, risk, and compliance (GRC) tool: a tool may support monitoring, but a tool is an enabler, not the policy foundation.
B. Establish a cross-functional risk steering committee: this improves governance oversight, but it does not define how continuous monitoring should operate.
D. Standardize IT risk mitigation: this helps consistency of response, but continuous monitoring depends on thresholds and escalation criteria, which standardized mitigation does not supply.
Exact Extracts supporting the answer:
“The main purpose of continuous monitoring is detecting changes to the enterprise’s risk environment.”
“The main purpose of risk monitoring is to provide timely information on the actual status of the enterprise with regard to risk with the risk profile offering an overall risk status.”
“Including thresholds that identify when controls no longer provide the intended value is essential when developing metrics to monitor the control life cycle.”
“The most important consideration when implementing key risk indicators is linking the metric to a specific risk.”
“The best approach for creating key risk indicators for quarterly reporting to senior leadership is identifying the enterprise risk appetite and metrics and measures of current risk.”
These extracts show that continuous monitoring must rest on defined thresholds linked to enterprise objectives, risk appetite, and current risk levels, so that a deviation from the expected risk status is detected and escalated in a timely manner. Therefore, the best answer is to define how risk thresholds are aligned with organizational objectives.