Reviewing Risk and Performance
This week, I’ll be talking about the 2nd point under the COSO guiding principle of Review and Revision, which is Reviews Risk and Performance.
Review and Revision has 3 points:
Assesses Substantial Change
Reviews Risk and Performance
Pursues Improvement in Enterprise Risk Management
Key risk indicators (KRIs) are the tactical application of a risk appetite statement. They are used in conjunction with key performance indicators (KPIs) to provide an early indication that a risk is increasing and approaching a risk tolerance threshold.
Many organizations focus heavily on KPIs rather than KRIs, but the reality is that you need to develop and measure both. KPIs describe the “risk altitude” (where you are today), while KRIs, as the leading indicators described above, describe the “risk trajectory” (where you are heading). KRIs and KPIs need to be considered in conjunction, because they complement each other.
A useful set of KRIs pinpoints the metrics that call out potential risks to the organization's ability to achieve its goals.
Risks must be tied to strategic initiatives so that the KRIs capture the most relevant information and can inform you, the ERM function, and executive leadership when a risk may exceed the organization's risk appetite.
Here are some key things to keep in mind when developing KRIs:
Identify your organization's strategic goals.
Map risks from the risk register that directly impact the ability of your organization to meet those goals.
Define metrics that can serve as leading indicators, showing when a risk is approaching its risk threshold. These metrics will be unique to your organization.
Link KRIs to specific risk scenarios.
Ensure they are complete, accurate, and specific.
Do not have too many KRIs. Select a handful that are specific and applicable for your organization.
Measuring KRIs is challenging. Ensure you have the appropriate measurement mechanisms in place for each KRI you develop; a KRI you cannot actually measure on a regular cadence provides no early warning.
Aggregate, compare, and systematically interpret KRIs at an enterprise level.
Linking KRIs and KPIs helps bring clarity to the fog of complex and conflicting metrics. Doing so elevates the cybersecurity team's profile by showing that you can engage executives in substantive conversations about which cyber risks are within tolerance, which are not, and why.
Next time I’ll talk about pursuing improvement in enterprise risk management.
As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.
Have a great week!