Key risk indicator

Last updated May 26, 2024

A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is. Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. It differs from a key performance indicator (KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact. KRI give an early warning to identify potential events that may harm continuity of the activity/project.

Definitions

According to OECD ^[1]

A risk indicator is an indicator that estimates the potential for some form of resource degradation using mathematical formulas or models.

Risk management

Security risk management

According to Risk IT framework by ISACA,^[2] key risk indicators are metrics capable of showing that the organization is subject or has a high probability of being subject to a risk that exceed the defined risk appetite.

Organizations have different sizes and environment. So every enterprise should choose its own KRI, taking into account the following steps:

Consider the different stakeholders of the organization
Make a balanced selection of risk indicators, covering performance indicators, lead indicators and trends
Ensure that the selected indicators drill down to the root cause of the events
Choose high relevant and high probability of predicting important risks:
- High business impact
- Easy to measure
- With high correlation with the risk
- Sensitivity
Determine thresholds and triggers for the set of KRI's
Locate and fold in data sources that contribute or feed data into KRI triggers
Determine notification methods, recipients, and action or response sequences

The constant measure of KRI can bring the following benefits to the organization:

Provide an early warning: a proactive action can take place
Provide a backward looking view on risk events, so lesson can be learned by the past
Provide an indication that the risk appetite and tolerance are reached
Provide real time actionable intelligence to decision makers and risk managers

Advances in hosted cloud data storage, data federation, and data aggregation have enabled data supply chains for real time calculation of key risk indicators across heretofore unlinked or disconnected data sources. Risk level dashboards can be supplemented with real time push notifications of risk. Systems methods and tools addressing triggering of notifications when targets are attained for key risk indicators have been evolving. Calculating and enabling notifications of key risk indicators used to be a unique benefit of enterprise software packages. With the evolution of API's to calculate trigger values for key risk indicators across various data sources, the potential for risk managers to include data external to an enterprise or external to an enterprise database has changed the risk management landscape.

Qualities of good key risk indicators

Some qualities of a good key risk indicator include:^[3]

Ability to measure the right thing (e.g., supports the decisions that need to be made)
Quantifiable (e.g., damages in dollars of profit loss)
Capability to be measured precisely and accurately
Ability to be validated against ground truth, and confidence level one has in the assertions made within the framework of the metric
Comparability Over Time and Business Units
Assessment of Risk Owners’ Performance

Related Research Articles

Risk management is the identification, evaluation, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.

Information technology (IT)governance is a subset discipline of corporate governance, focused on information technology (IT) and its performance and risk management. The interest in IT governance is due to the ongoing need within organizations to focus value creation efforts on an organization's strategic objectives and to better manage the performance of those responsible for creating this value in the best interest of all stakeholders. It has evolved from The Principles of Scientific Management, Total Quality Management and ISO 9001 Quality management system.

A performance indicator or key performance indicator (KPI) is a type of performance measurement. KPIs evaluate the success of an organization or of a particular activity in which it engages. KPIs provide a focus for strategic and operational improvement, create an analytical basis for decision making and help focus attention on what matters most.

COBIT is a framework created by ISACA for information technology (IT) management and IT governance.

The chief risk officer (CRO), chief risk management officer (CRMO), or chief risk and compliance officer (CRCO) of a firm or corporation is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments. Risks are commonly categorized as strategic, reputational, operational, financial, or compliance-related. CROs are accountable to the Executive Committee and The Board for enabling the business to balance risk and reward. In more complex organizations, they are generally responsible for coordinating the organization's Enterprise Risk Management (ERM) approach. The CRO is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings. The CRO roles and responsibilities vary depending on the size of the organization and industry. The CRO works to ensure that the firm is compliant with government regulations, such as Sarbanes–Oxley, and reviews factors that could negatively affect investments. Typically, the CRO is responsible for the firm's risk management operations, including managing, identifying, evaluating, reporting and overseeing the firm's risks externally and internally to the organization and works diligently with senior management such as chief executive officer and chief financial officer.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992, COSO published the Internal Control – Integrated Framework, commonly used by businesses in the United States to design, implement, and conduct systems of internal control over financial reporting and assessing their effectiveness.

Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives, assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring process. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

A federal enterprise architecture framework (FEAF) is the U.S. reference enterprise architecture of a federal government. It provides a common approach for the integration of strategic, business and technology management as part of organization design and performance improvement.

Sustainability reporting refers to the disclosure, whether voluntary, solicited, or required, of non-financial performance information to outsiders of the organization. Sustainability reporting deals with qualitative and quantitative information concerning environmental, social, economic and governance issues. These are the criteria often gathered under the acronym ESG.

Performance measurement is the process of collecting, analyzing and/or reporting information regarding the performance of an individual, group, organization, system or component.

Val IT is a governance framework that can be used to create business value from IT investments. It consists of a set of guiding principles and a number of processes and best practices that are further defined as a set of key management practices to support and help executive management and boards at an enterprise level. The latest release of the framework, published by IT Governance Institute (ITGI), based on the experience of global practitioners and academics, practices and methodologies was named Enterprise Value: Governance of IT Investments, The Val IT Framework 2.0. It covers processes and key management practices for three specific domains and goes beyond new investments to include IT services, assets, other resources and principles and processes for IT portfolio management.

Value measuring methodology (VMM) is a tool that helps financial planners balance both tangible and intangible values when making investment decisions, and monitor benefits.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Sustainability accounting originated in the 1970s and is considered a subcategory of financial accounting that focuses on the disclosure of non-financial information about a firm's performance to external stakeholders, such as capital holders, creditors, and other authorities. Sustainability accounting represents the activities that have a direct impact on society, environment, and economic performance of an organisation. Sustainability accounting in managerial accounting contrasts with financial accounting in that managerial accounting is used for internal decision making and the creation of new policies that will have an effect on the organisation's performance at economic, ecological, and social level. Sustainability accounting is often used to generate value creation within an organisation.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

Factor analysis of information risk (FAIR) is a taxonomy of the factors that contribute to risk and how they affect each other. It is primarily concerned with establishing accurate probabilities for the frequency and magnitude of data loss events. It is not a methodology for performing an enterprise risk assessment.

Risk IT Framework, published in 2009 by ISACA, provides an end-to-end, comprehensive view of all risks related to the use of information technology (IT) and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues. It is the result of a work group composed of industry experts and academics from different nations, from organizations such as Ernst & Young, IBM, PricewaterhouseCoopers, Risk Management Insight, Swiss Life, and KPMG.

In information security, risk factor is a collective name for circumstances affecting the likelihood or impact of a security risk.

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

Objectives and key results is a goal-setting framework used by individuals, teams, and organizations to define measurable goals and track their outcomes. The development of OKR is generally attributed to Andrew Grove who introduced the approach to Intel in the 1970s and documented the framework in his 1983 book High Output Management.

References

↑ OECD Glossary of statistical terms
↑ "ISACA THE RISK IT FRAMEWORK (registration required)" (PDF). Archived from the original (PDF) on 2010-07-05. Retrieved 2010-12-13.
↑ Sheldon, Abercrombie, & Mili (2009). "Methodology for Evaluating Security Controls Based on Key Performance Indicators and Stakeholder Mission". 2009 42nd Hawaii International Conference on System Sciences. Vol. 42nd Hawaii International Conference on, Big Island, HI. pp. 1–10. CiteSeerX 10.1.1.502.6181 . doi:10.1109/HICSS.2009.308. ISBN 978-0-7695-3450-3.{{cite book}}: CS1 maint: multiple names: authors list (link)

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] OECD Glossary of statistical terms

[2] "ISACA THE RISK IT FRAMEWORK (registration required)" (PDF). Archived from the original (PDF) on 2010-07-05. Retrieved 2010-12-13.

[3] Sheldon, Abercrombie, & Mili (2009). "Methodology for Evaluating Security Controls Based on Key Performance Indicators and Stakeholder Mission". 2009 42nd Hawaii International Conference on System Sciences. Vol. 42nd Hawaii International Conference on, Big Island, HI. pp. 1–10. CiteSeerX 10.1.1.502.6181 . doi:10.1109/HICSS.2009.308. ISBN 978-0-7695-3450-3.{{cite book}}: CS1 maint: multiple names: authors list (link)

[1]

[2]

[3]