11/14/22, 10:01 AM What is a Key Risk Indicator (KRI) and Why is it Important?

key risk indicator (KRI)

Paul Kirvan
Linda Tucci, Industry Editor -- CIO/IT Strategy

What is a key risk indictor (KRI)?

A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the
organization's risk appetite and have a profoundly negative impact on an organization's ability to be successful.

Key risk indicators play an important role in enterprise risk management programs. Benefits of KRIs include the following:

advance notice of potential risks that could damage the organization;

insight into possible weaknesses in an organization's monitoring and control tools; and
ongoing risk monitoring between risk assessments.

Characteristics of good KRIs

When developing a KRI, knowledge of the organization and how it operates -- plus knowledge of the potential risks, threats and vulnerabilities it faces -
- are the essential starting points. Without an understanding of the company, it is difficult to identify where it may be at risk.

Internal and external risks are then mapped to key operational aspects of the firm to identify how those key attributes could be disrupted. Thus,
characteristics of a good -- and measurable -- KRI include the following:

details on the people, processes, technologies, facilities and other corporate attributes most important to the organization's continued operation and
success;
identification of risks, threats and vulnerabilities the organization faces, based on their likelihood of occurring, their operational and financial impact
to the firm, and the firm's ability to mitigate the event;
ranking the business attributes in terms of their criticality to the firm;
ranking of risks, threats and vulnerabilities in terms of their potential harm to the firm;
linking of the key business attributes to the most significant risks to identify those issues of greatest concern to the organization;
metrics to identify when and how an identified risk becomes a serious threat to critical attributes of the organization;
ongoing process of reviewing KRIs and their metrics to identify any changes that require management review and possible action; and
approval of KRIs by senior management.

Examples of KRIs
KRIs are developed in relation to an organization's people, processes, technology, facilities and other elements critical to its operations. KRIs also
provide the measurement points that, if exceeded, could disrupt the business.

THIS ARTICLE IS PART OF

What is risk management and why is it important?

Which also includes:

governance, risk management and compliance (GRC)

risk avoidance

risk map (risk heat map)

Table 1 provides examples of KRIs for different aspects of a business and sample measurement points.

https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 1/4
11/14/22, 10:01 AM What is a Key Risk Indicator (KRI) and Why is it Important?

Table 1 -- KRI examples

Risk Situation Suggested KRI Measurement

People

Loss of staff Identify when employee absenteeism exceeds Total head count declines by 20% or more
a certain level

Employee dissatisfaction Identify situations indicating employee Number of employee complaints increases
dissatisfaction by 15% or more on a month-to-month basis

Process

Production of important product is unable to keep up Identify when production levels reach a certain Number of units produced per day declines
with demand point, based on product demand by 20% or more

Existing product designs are increasingly outdated Identify a risk point, based on sales and Sales of the product have declined 20% and
and could result in declining sales market research, when existing designs must more from previous levels
be changed

Technology

Disruption to IT systems from cyber attacks Identify the optimum patch level for Cybersecurity system patching is two
cybersecurity systems patches behind scheduled and
recommended levels

Inability to recover systems, data files and databases Metric demonstrating that IT assets are at their Backup systems send an alert when backup
to current state following a disaster due to failed most current backup levels levels fall below minimum acceptable time
backups frames

Why are KRIs important?

Without KRIs, an organization increases the likelihood of its being subject to events or situations that could significantly damage its business. KRIs are
the red flags that ensure these risks are identified in advance and mitigated.

Let's take a closer look.

If an organization specializes in retail sales, for example, a key risk indicator might be the number of customer complaints. An increase in this KRI
could be an early indication that an operational problem needs to be addressed.

The challenge for an organization is not only to identify which risk indicators should be identified as being key -- i.e., most important -- but also to
ensure internal acceptance of its KRIs. Organizations must communicate the risk warning in such a way that everyone in the organization clearly
understands its significance and can respond accordingly.

https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 2/4
11/14/22, 10:01 AM What is a Key Risk Indicator (KRI) and Why is it Important?

KRIs and KPIs: What's the difference?

Key risk indicators are often confused with key performance indicators (KPIs), which are metrics that help an organization assess progress toward
declared goals.

The two terms are functionally the inverse of each other. While they may be separate and distinct for some issues, the creation of one often results in
the creation of the other as its complement.

As stated above, KRIs provide metrics regarding risks and their potential impact on business performance. They function as an early warning capability
for monitoring, analyzing, managing and mitigating key risks.

By contrast, KPIs demonstrate how well the organization is performing against its goals and objectives -- e.g., sales, revenues and customer
satisfaction. Like KRIs, key performance indicators can be applied to the people, processes and technologies that are critical to an organization's
success.

Table 2 provides examples of key performance indicators and their corresponding KRIs.

Table 2 -- KPI examples and complementary KRIs

Key Performance Indicator Key Risk Indicator

People

Full employment needed for optimum company performance Metric that identifies when employee absenteeism exceeds a certain level

Employee satisfaction with the company and their work is essential for Metrics showing employee dissatisfaction and when it reaches a specific
successful performance level

Process

Production of an important product is maintained at levels sufficient to Metrics showing when production levels fall below unacceptable levels
keep up with the demand

Existing product designs are satisfactory and providing expected value Metric -- e.g., based on declining sales and competitive market research --
and results to customers that indicates existing designs should be examined and possibly changed

Technology

Disruption to IT systems from cyber attacks is minimized by regular Metrics that identify when optimum patch levels for cybersecurity systems
patching of cybersecurity systems are not being achieved

Disruptions to the business are minimized because systems, data files Metric demonstrating when IT assets are not at their most current backup
and databases are being backed up to their most current recovery point levels

Challenges of creating and measuring new KRIs

It is not enough to simply create KRIs and walk away. They must be regularly monitored and reviewed to both identify any situational changes that
indicate a possible change in the business, as well as risk/threat levels, and identify and initiate remedial action that may be needed.

Challenges associated with developing KRIs typically stem from an organization's inability to do the following:

obtain accurate information about the organization that can be used to pinpoint mission-critical activities;
identify risks, threats and vulnerabilities and then quantify them by likelihood, severity and impact;

https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 3/4
11/14/22, 10:01 AM What is a Key Risk Indicator (KRI) and Why is it Important?
secure senior management support for the use of KRIs as part of an enterprise risk management program;
realistically link critical business attributes to the most likely risk scenarios;
create metrics that are both measurable and understandable to senior management -- e.g., presenting KRIs using a dashboard;
establish an ongoing activity to monitor, measure and analyze any changes in metrics;
establish response actions to take if deviations to KRI metrics occur.

https://www.techtarget.com/searchcio/definition/key-risk-indicator-KRI#:~:text=A key risk indicator (KRI) is a metric for measuring,organization's ability … 4/4