Professional Documents
Culture Documents
What Is A Key Risk Indicator (KRI) and Why Is It Important
What Is A Key Risk Indicator (KRI) and Why Is It Important
Key risk indicators play an important role in enterprise risk management programs. Benefits of KRIs include the following:
Internal and external risks are then mapped to key operational aspects of the firm to identify how those key attributes could be disrupted. Thus,
characteristics of a good -- and measurable -- KRI include the following:
details on the people, processes, technologies, facilities and other corporate attributes most important to the organization's continued operation and
success;
identification of risks, threats and vulnerabilities the organization faces, based on their likelihood of occurring, their operational and financial impact
to the firm, and the firm's ability to mitigate the event;
ranking the business attributes in terms of their criticality to the firm;
ranking of risks, threats and vulnerabilities in terms of their potential harm to the firm;
linking of the key business attributes to the most significant risks to identify those issues of greatest concern to the organization;
metrics to identify when and how an identified risk becomes a serious threat to critical attributes of the organization;
ongoing process of reviewing KRIs and their metrics to identify any changes that require management review and possible action; and
approval of KRIs by senior management.
Examples of KRIs
KRIs are developed in relation to an organization's people, processes, technology, facilities and other elements critical to its operations. KRIs also
provide the measurement points that, if exceeded, could disrupt the business.
risk avoidance
Table 1 provides examples of KRIs for different aspects of a business and sample measurement points.
https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 1/4
11/14/22, 10:01 AM What is a Key Risk Indicator (KRI) and Why is it Important?
People
Loss of staff Identify when employee absenteeism exceeds Total head count declines by 20% or more
a certain level
Employee dissatisfaction Identify situations indicating employee Number of employee complaints increases
dissatisfaction by 15% or more on a month-to-month basis
Process
Production of important product is unable to keep up Identify when production levels reach a certain Number of units produced per day declines
with demand point, based on product demand by 20% or more
Existing product designs are increasingly outdated Identify a risk point, based on sales and Sales of the product have declined 20% and
and could result in declining sales market research, when existing designs must more from previous levels
be changed
Technology
Disruption to IT systems from cyber attacks Identify the optimum patch level for Cybersecurity system patching is two
cybersecurity systems patches behind scheduled and
recommended levels
Inability to recover systems, data files and databases Metric demonstrating that IT assets are at their Backup systems send an alert when backup
to current state following a disaster due to failed most current backup levels levels fall below minimum acceptable time
backups frames
If an organization specializes in retail sales, for example, a key risk indicator might be the number of customer complaints. An increase in this KRI
could be an early indication that an operational problem needs to be addressed.
The challenge for an organization is not only to identify which risk indicators should be identified as being key -- i.e., most important -- but also to
ensure internal acceptance of its KRIs. Organizations must communicate the risk warning in such a way that everyone in the organization clearly
understands its significance and can respond accordingly.
https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 2/4
11/14/22, 10:01 AM What is a Key Risk Indicator (KRI) and Why is it Important?
The two terms are functionally the inverse of each other. While they may be separate and distinct for some issues, the creation of one often results in
the creation of the other as its complement.
As stated above, KRIs provide metrics regarding risks and their potential impact on business performance. They function as an early warning capability
for monitoring, analyzing, managing and mitigating key risks.
By contrast, KPIs demonstrate how well the organization is performing against its goals and objectives -- e.g., sales, revenues and customer
satisfaction. Like KRIs, key performance indicators can be applied to the people, processes and technologies that are critical to an organization's
success.
Table 2 provides examples of key performance indicators and their corresponding KRIs.
People
Full employment needed for optimum company performance Metric that identifies when employee absenteeism exceeds a certain level
Employee satisfaction with the company and their work is essential for Metrics showing employee dissatisfaction and when it reaches a specific
successful performance level
Process
Production of an important product is maintained at levels sufficient to Metrics showing when production levels fall below unacceptable levels
keep up with the demand
Existing product designs are satisfactory and providing expected value Metric -- e.g., based on declining sales and competitive market research --
and results to customers that indicates existing designs should be examined and possibly changed
Technology
Disruption to IT systems from cyber attacks is minimized by regular Metrics that identify when optimum patch levels for cybersecurity systems
patching of cybersecurity systems are not being achieved
Disruptions to the business are minimized because systems, data files Metric demonstrating when IT assets are not at their most current backup
and databases are being backed up to their most current recovery point levels
Challenges associated with developing KRIs typically stem from an organization's inability to do the following:
obtain accurate information about the organization that can be used to pinpoint mission-critical activities;
identify risks, threats and vulnerabilities and then quantify them by likelihood, severity and impact;
https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 3/4
11/14/22, 10:01 AM What is a Key Risk Indicator (KRI) and Why is it Important?
secure senior management support for the use of KRIs as part of an enterprise risk management program;
realistically link critical business attributes to the most likely risk scenarios;
create metrics that are both measurable and understandable to senior management -- e.g., presenting KRIs using a dashboard;
establish an ongoing activity to monitor, measure and analyze any changes in metrics;
establish response actions to take if deviations to KRI metrics occur.
https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 4/4