The CIO in a large enterprise is seeking assurance that significant IT risk is being proactively monitored and does not exceed agreed risk tolerance levels. The BEST way to provide this ongoing assurance is to require the development of:

A. key risk indicators (KRIs).
B. an IT risk appetite statement.
C. a risk management policy.
D. a risk register.