Which capability BEST identifies the effectiveness of controls in mitigating risk?

The identification of the effectiveness of controls in mitigating risk is best accomplished through a key risk indicator (KRI). A KRI serves as a measurable value that indicates the level of risk facing an organization. By monitoring KRIs, organizations can gain insights into how well their controls are performing in relation to specific risks. A KRI provides early warning signals that help in assessing whether the controls in place are adequate or if adjustments are necessary to better manage risk.

This ongoing monitoring of risk indicators allows management to make informed decisions regarding risk management strategies, effectively ensuring that the organization's risk exposure is minimized. KRIs help in establishing a proactive approach to risk management, enabling organizations to detect potential issues before they escalate.

While other options like key performance indicators (KPIs) and audits are valuable in assessing performance and compliance, they do not specifically focus on the effectiveness of controls in the context of mitigating risk. KPIs measure the success of operational activities but are not risk-specific, and audits evaluate compliance and effectiveness but may not provide real-time insights into risk management effectiveness. Hence, KRIs stand out as the most relevant capability for this purpose.