Key risk indicator explained

A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is. Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. It differs from a key performance indicator (KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact. KRI give an early warning to identify potential events that may harm continuity of the activity/project.

KRIs are a mainstay of operational risk analysis.

Definitions

According to OECD[1]

A risk indicator is an indicator that estimates the potential for some form of resource degradation using mathematical formulas or models.

Risk management

Security risk management

According to Risk IT framework by ISACA,[2] key risk indicators are metrics capable of showing that the organization is subject or has a high probability of being subject to a risk that exceed the defined risk appetite.

Organizations have different sizes and environment. So every enterprise should choose its own KRI, taking into account the following steps:

The constant measure of KRI can bring the following benefits to the organization:

Advances in hosted cloud data storage, data federation, and data aggregation have enabled data supply chains for real time calculation of key risk indicators across heretofore unlinked or disconnected data sources. Risk level dashboards can be supplemented with real time push notifications of risk. Systems methods and tools addressing triggering of notifications when targets are attained for key risk indicators have been evolving. Calculating and enabling notifications of key risk indicators used to be a unique benefit of enterprise software packages. With the evolution of API's to calculate trigger values for key risk indicators across various data sources, the potential for risk managers to include data external to an enterprise or external to an enterprise database has changed the risk management landscape.

Qualities of good key risk indicators

Some qualities of a good key risk indicator include:[3]

See also

Notes and References

  1. http://stats.oecd.org/glossary/detail.asp?ID=2360 OECD Glossary of statistical terms
  2. Web site: ISACA THE RISK IT FRAMEWORK (registration required) . 2010-12-13 . 2010-07-05 . https://web.archive.org/web/20100705110913/http://www.isaca.org/Knowledge-Center/Research/Documents/RiskIT-FW-18Nov09-Research.pdf . dead .
  3. Book: Sheldon, Abercrombie, & Mili. 2009 42nd Hawaii International Conference on System Sciences. Methodology for Evaluating Security Controls Based on Key Performance Indicators and Stakeholder Mission. 2009. 42nd Hawaii International Conference on, Big Island, HI. 1–10. 10.1109/HICSS.2009.308. 978-0-7695-3450-3. 10.1.1.502.6181.