Skip to main content

4.1 Key Risk Indicators

4.1 Key Risk Indicators


  • Risk indicator is a measure used by an organization to determine the level of current risk for an activity. This helps the organization to monitor the risk level and receives an alert when a risk level approaches an unacceptable level.


  • Thus, the objective of key risk indicators is to flag the exception as and when it occurs. This provides an opportunity for the organization to respond to the risk before damage is done.


  • Examples of key risk indicators are:


  • Number of unauthorized software detected in audit.

  • Hours of system downtime

  • Number of systems without antivirus


  • Let us take one example of system downtime. Risk indicator can be set as follow:



Description

Risk Indicator  

System downtime less than 5 hours

Acceptable    

System downtime between 5 to 10 hours    

Close Monitoring

System downtime more than 10 hours

Unacceptable


 


  • Number of workstations vis-à-vis the count of employees can be considered as a key risk indicator for configuration management. High amount of excess inventory as compared to actual employees indicates poor configuration as the same is not mapped correctly with actual business requirements. Similarly, a high level of shortage of workstation also indicates poor configuration mapping.


Advantage of KRI


 Following are the advantages of KRIs:


  • It helps to validate the risk appetite and risk tolerance level of the organization.

  • It helps to identify the risk in an objective way.

  • It helps in quantification of the risk

  • It helps in continuous risk monitoring

  • It helps in triggering risk mitigation action

  • It helps in monitoring and managing regulatory compliance


KRI Selection


  • Selection of the right kind of KRI is utmost important for the success of a risk management program.


  • Following are the some of the characteristics of a good metrics also termed as SMART:


  • Specific: KRI should be clear, concise and easily understandable


  • Measurable: KRI should be able to quantified and there should not be any subjectivity


  • Attainable: KRI should be something realistic


  • Relevant: KRI should be relevant to the goals and objective of the organization


  • Time: KRI should be achievable in a given time frame


  • Risk indicator should include and cover:


  • Lag indicators i.e. occurrence of risk events

  • Lead indicators i.e. preventive controls

  • Trends over a period of time


  • For the effectiveness of KRI, the organization must ensure that data used to measure the KRI is complete, correct and accurate.


  • KRI threshold should be aligned with risk appetite and risk tolerance of the organization. KRIs need to be evaluated on a regular basis to verify that each KRI remains properly related to the risk appetite and tolerance levels of the organization.


Design of Key Risk Indicator (KRI)


  • Following are some of the key aspect for design of KRI in order of their priority:


  • KRI should be linked to specific risk

  • KRI should be capable to predict a risk event

  • KRI should be complete and accurate

  • KRI should be easily measurable and comparable


  • Linking to a specific risk is the most important criterion when selecting a KRI.


  • To ensure the KRI are effective and linked to specific risk, a risk manager must understand the end-to-end operational flow of the business processes. This will help to understand various aspects of the business such as detailed processes, data flows, decision-making processes, risk appetite and tolerance. On the basis of this information, risk practitioners can design relevant and specific KRI along with measurement criteria.


Identification of Key Risk Indicators (KRI)


Key risk indicators are generally identified during the risk response stage (i.e. before the risk monitoring stage). During the risk response stage, controls for mitigation of the risks are selected and implemented. Once the controls are implemented, some KRI is to be identified and developed. These KRIs will help to determine the effectiveness of the control. If KRI is within the threshold, it indicates that controls are effective. In case KRI crosses the threshold, then additional controls may be required.


Responsibility of monitoring of Key Risk indicators (KRI)


KRI should be measured and monitored by an independent team to ensure unbiasedness. If the same is measured by line managers, the same should be reviewed by independent authority. It is equally important that his efforts are reviewed and validated by a senior official. Most effective method to validate the efforts of a line manager is to review the reported results by an independent person. This helps to determine the efficiency and effectiveness of line managers in monitoring the key risk indicators.


Reporting of KRI results


  • When KRI reaches its threshold, it should be first reported to the business process owner who owns the risk and determines the risk response. Process owners should evaluate the effectiveness of existing control and to determine whether additional controls are required.


  • Results of key risk indicators are to be placed to senior management at periodic intervals. KRIs are the most useful data for management to determine current state of risk.


Key aspects from CRISC exam perspective


CRISC Question

Possible Answer

Who should measure and monitor the KRI? ·         

Independent team to ensure unbiased review. 

(If the same is measured by line managers, the same should be reviewed by independent authority.)

During which stage KRI is generally identified?

Risk Response stage    


Best monitoring capability to identify whether controls that are in place remain effective in mitigating their intended risk?

Measuring key risk indicators    


Which is the most important factor to be considered while implementing a KRI?

KRI is linked with specific risks    


Which is the most useful data for communicating to management about the current state of risk?    

Measurement of key risk indicator

Which is the best method for proper design of an effective KRI?    

Understand the end-to-end operational flow

of the business

Who should be alerted first for KRI reaching the thresholds?

Business Process Owner



Flashcards - 4.1 Key Risk Indicators


Practice Questions - 4.1 Key Risk Indicators





Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: A...
Read more

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical backgrou...
Read more

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statist...
Read more