4. Performance and risk indicators are essential business measurements
that make a significant difference to how organizations are governed.
Measurements provide insight into the way an organizational system
operates, using metrics that are translated into KPIs (Key Performance
Indicators) and KRIs (Key Risk Indicators).
They are critical to the measurement and monitoring of risk and to
performance optimization.
When metrics measure the achievement of a desired state, they
become performance indicators.
These metrics help in effectively reporting risk management
performance results.
When they provide early warning of increased risk exposure in
certain areas, they become key risk indicators.
5. Benefits of Effective Risk Metrics
Enable regular review of risk trends and better visibility of
technology risk and vulnerabilities
Enable increased accountability and improved technology risk
management effectiveness
Assist in management review and provide decision indicators
for continual improvement of technology risk management
Provide inputs for prioritizing resource allocation decisions
Assist in streamlining risk communications
Contribute to overall cost savings and increased risk
management efficiency
6. A KPI measures the performance of any operational
function, cybersecurity or otherwise.
KPIs establish and demonstrate how effectively an
organizational function is performing.
Did the organization achieve its established goals,
exceed them, or miss them? If missed or exceeded,
the KPI also shows by how much.
One needs to identify a few critical KPIs for a specific
project, task, or process.
A KPI expresses the achievement of the desired level of
results.
KPIs are quantitative measures highlighting the success or failure of target goal achievement.
7. KRIs are predictors of unfavorable events that can negatively affect the
organization.
They monitor changes in the level of risk exposure and contribute to
the early warning signs that enable organizations to report risks,
prevent crises and mitigate them in time.
A KRI measures the risk associated with the accomplishment of a specific
project, task, or process.
They are established to quantify and proactively monitor the level of
risk.
They highlight when the risk of a project, task, or process has stepped
outside the comfort zone; in technical terms this is referred to as crossing
the risk-appetite boundary.
They act as metrics of changes in an organization's risk profile and are
critical to the measurement and monitoring of risk and to performance
optimization.
8. KRIs ensure that risks are identified,
monitored, and remediated before
they escalate.
They play an influential role in risk
management.
They provide visibility into the
organization's risk and control
environment and processes.
9. KRIs are typically measurable:
they can be quantified in terms of percentages or counts.
They are predictive and are often used as early warning signals.
They bear on organizational achievements and objectives.
KRIs are informative and act as a catalyst for decision making.
10. Example KRIs:
Number of system backup failures – upgraded
software can result in backup failures.
Number of active database administrator accounts –
shared default admin accounts mean that if an event occurs, it isn't
possible to attribute the action to an individual.
Number of applications in the organization without a
service level agreement (SLA) – you may be engaging
a high-risk vendor if there is no SLA; they aren't
obligated to adhere to your requirements, which can
interrupt your business.
Number of concurrent sessions using the same
login – a sign that the employee has shared their
login credentials with unauthorized individuals.
11. Early warning sensors – signal changes in risk (an increase in
probability or in impact) before the risk materializes.
Must address risks, not events – KRIs are metrics capturing risk
drivers, or proxies for those risk drivers.
Specific to each activity – specific to each risk, and to the particular
weaknesses and culture of different institutions.
Best identified via data analysis and experience – business
experience compensates for a lack of data.
Data analysis confirms business intuition and uncovers
other effects.
May need heavy data collection – a trade-off to operate
between the value of the information collected and its cost of
collection. Better if automated.
12. Must be easy to use and timely – should match the cycle of
the activity.
Must help business decisions – the rules of reporting apply to
KRIs: only keep reports that actually influence business decisions.
Thresholds linked to risk appetite – typically a lower threshold
for core business (where risk tolerance is low), but not always. A target of
(about) 100% reliability does not mean 100% for every indicator, but
only for the indicators collectively.
Must be back-tested for validity – how do you know it works?
An essential question in risk management.
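The example KRIs on slide 10 and the threshold and back-testing features on slides 11 and 12 can be exercised in a few lines of code. The block below is an added illustration, not part of the original deck: it computes three of the slide 10 indicators (users with concurrent logins from different hosts, backup job failures, active default DBA accounts) from constructed sample records, rates each against amber/red thresholds standing in for a risk-appetite boundary, and back-tests one threshold against a constructed history of values and subsequent incidents. The session log, backup results, account list, history and threshold values are all assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Kri:
    """A key risk indicator with amber/red thresholds expressing risk appetite.

    Values at or above `amber` are outside the comfort zone; values at or
    above `red` are outside the risk-appetite boundary. Lower is better for
    every indicator modelled here. Threshold values are assumptions.
    """
    name: str
    amber: int
    red: int

    def status(self, value: int) -> str:
        if value >= self.red:
            return "red"
        if value >= self.amber:
            return "amber"
        return "green"


# Constructed sample inputs (not from the original slides).
# Session log rows: (user, source_ip, login_time, logout_time), times in seconds.
SESSION_LOG = [
    ("alice", "10.0.0.5", 100, 500),
    ("alice", "10.0.0.9", 200, 600),   # overlaps the first session from another host
    ("bob",   "10.0.1.2", 100, 300),
    ("bob",   "10.0.1.2", 400, 700),   # sequential, same host: not a shared login
    ("carol", "10.0.2.2", 100, 200),
    ("carol", "10.0.2.7", 150, 250),   # overlaps from a second host
    ("dave",  "10.0.3.1", 100, 300),
    ("dave",  "10.0.3.1", 150, 250),   # overlap, but same host (e.g. two browser tabs)
]
# Backup job results: (job, result)
BACKUP_JOBS = [("db1", "ok"), ("db2", "failed"), ("fs1", "ok"), ("fs2", "failed")]
# DBA accounts: (name, enabled, kind) where kind is "default" or "named"
DBA_ACCOUNTS = [("sa", True, "default"), ("root", True, "default"),
                ("dba_alice", True, "named"), ("dba_retired", False, "named")]
# Constructed monthly history for the backup-failure KRI: (failures, incident_followed)
BACKUP_HISTORY = [(0, False), (0, False), (1, False), (3, True),
                  (0, False), (2, True), (1, True), (0, False)]


def users_with_concurrent_logins(log) -> list[str]:
    """Users who had overlapping sessions from different source IPs.

    Overlap from a different host is the signal that a credential was shared;
    overlapping sessions from one host (several tabs) are ignored.
    """
    by_user = defaultdict(list)
    for user, ip, start, end in log:
        by_user[user].append((ip, start, end))
    flagged = []
    for user, sessions in by_user.items():
        if any(ip_a != ip_b and s_a < e_b and s_b < e_a
               for i, (ip_a, s_a, e_a) in enumerate(sessions)
               for ip_b, s_b, e_b in sessions[i + 1:]):
            flagged.append(user)
    return sorted(flagged)


def backup_failures(jobs) -> int:
    """Count backup jobs whose result is anything other than ok."""
    return sum(1 for _, result in jobs if result != "ok")


def active_default_admin_accounts(accounts) -> int:
    """Count enabled default (non-attributable) administrator accounts."""
    return sum(1 for _, enabled, kind in accounts if enabled and kind == "default")


# Assumed thresholds: default admin accounts get zero tolerance (amber == red).
KRIS = {
    "shared_logins": Kri("Users with concurrent logins from different hosts", amber=1, red=3),
    "backup_failures": Kri("Backup job failures in the period", amber=1, red=2),
    "default_admins": Kri("Active default DBA accounts", amber=1, red=1),
}


def kri_report(log=SESSION_LOG, jobs=BACKUP_JOBS, accounts=DBA_ACCOUNTS) -> dict:
    """Return {kri_key: (value, status)} for the three indicators."""
    values = {
        "shared_logins": len(users_with_concurrent_logins(log)),
        "backup_failures": backup_failures(jobs),
        "default_admins": active_default_admin_accounts(accounts),
    }
    return {key: (value, KRIS[key].status(value)) for key, value in values.items()}


def backtest(kri: Kri, history) -> dict:
    """Back-test a threshold against (value, incident_followed) history.

    Treats any non-green status as an alarm and reports how many incidents the
    alarm caught (recall) and how many alarms were followed by an incident
    (precision). A KRI that scores poorly here is not a valid early warning.
    """
    rows = [(kri.status(value) != "green", incident) for value, incident in history]
    hits = sum(1 for alarm, incident in rows if alarm and incident)
    misses = sum(1 for alarm, incident in rows if not alarm and incident)
    false_alarms = sum(1 for alarm, incident in rows if alarm and not incident)
    recall = hits / (hits + misses) if hits + misses else 0.0
    precision = hits / (hits + false_alarms) if hits + false_alarms else 0.0
    return {"recall": recall, "precision": precision}


if __name__ == "__main__":
    for key, (value, status) in kri_report().items():
        print(f"{KRIS[key].name}: {value} -> {status}")
    print("backup_failures back-test:", backtest(KRIS["backup_failures"], BACKUP_HISTORY))
```

The only judgement in the code is in the thresholds and in what counts as a signal: `users_with_concurrent_logins` deliberately ignores overlap from a single host so that two browser tabs do not trip the shared-credential indicator, and `backtest` is the "how do you know it works?" check from slide 12 expressed as recall and precision over past values.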
13. Features to Identify, Select and Design Effective KRIs
14. Breakout Session
1. What is a KRI?
2. Kindly state what a KPI is.
3. Kindly state the characteristic features of KRIs.
4. What is the purpose of a KRI?
1 minute:
Welcome to the Governance Risk and Compliance course. I’m Akin (give credentials) and I’ll be your instructor for this course.
-Describe purpose & benefits of course
Ok, let’s get started.