Blog

The Significance of Key Risk Indicators in Organisations

Feb 24, 2023

By Vivek Soni, CCSP

Key Risk Indicators (KRIs) are critical predictors/indicators of undesirable events that can adversely impact the organisation. These are the kind of metrics which are forward looking and contribute to the early warning sign that facilitates enterprise to report risks, prevent calamity and remediate them promptly.

Risks to an organisation may vary based on their business environment and the respective business unit. For example, an IT service management team might worry about changes going into production without approvals, an Information Security Team might focus on preventing data compromise, a bank might be concerned with fraudulent bank accounts being opened, etc.

KRIs measure the potential risk related to specific decision that an organisation is considering as well as the risk inherent in the organisation’s day-to-day operations. It can be used by any organisation irrespective of their sizes and can be a foundation for security reporting to the executive level. The organisations can set targets and monitor these indicators for continuous improvement.

KRIs independently or in combination with other risk environment pertinent data, such as, loss events, assessment outcomes, and issues, offer considerable insights into the weaknesses within the risk and control environments.

Benefits of KRIs

  • Early notice of potential risks that could harm the organisation.
  • Quantifying each risk and its potential impact.
  • Developing appropriate risk responses.
  • Give insights into possible vulnerabilities in the organisation’s monitoring and control tools.
  • Ongoing risk monitoring.
  • Assurance to the senior management and shareholders on the security posture of the organisation.
  • Greater trust levels from regulatory bodies perspective.

Differences Between KRIs and KPIs

Even though enterprises use the terms Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) interchangeably, they are two different tools with different purposes:

KPI

KRI

The measurement an organisation leverages to understand how well individuals, business units, projects and companies are performing against their strategic goals.

The measurement an organisation leverages to determine how much risk they are exposed to or how risky a particular venture or activity is.

These are backward Looking.

These are forward Looking.

Once an organisation has identified its strategic goals, KPIs serve as monitoring and decision-making tools   that help answer your organisation’s key performance questions .

By measuring the risks and their potential impact on business performance beforehand, organisations can create early warning systems that allow them to monitor, manage and mitigate key risks.

Answers the question:

How are we doing against our goals?

Answers the question:

What prevents us from achieving our goals?

Typical KRI Flow

Traits of Effective KRIs

When developing KRIs, the business context of the organisation plays a critical role. Some important questions to ask before the organisation begins its KRI journey:

  • What kind of industry the organisation operates in?
  • What different regulations/laws are applicable?
  • What kind of risks the industry faces?
  • What locations the business operates in?
  • What external parties the organisation deals with and their requirements?

The characteristics of good KRIs include:

  • Business Aligned: Linking key business attributes to the risks and identifying serious threats.
  • Context Rich: Details about the people, processes, technologies, resources, and other aspects important to the success of the
  • Risk Based: Identifying the risks and threats that the organization faces and how they will impact its day-to-day operations and
  • Measurable: Metrics should be The data can be number, count, quantity, percentage, amount etc. but NOT texts, Yes/No questions, or reports.
  • Management Buy-In: Approval of the KRIs by
  • Repeatable: They should be easy to collect, parse, and report
  • Standardised: Must be benchmarkable both internally and to industry

Challenges in developing KRIs

Many organizations encounter challenges when developing KRIs because they don’t tie to the business objective or do not address the risks associated with their development.

  • Lack of accurate information or insufficient requirement
  • Lack of risk-based approach in developing
  • Lack of Management buy-in/approval.
  • Lack of alignment with industry standards/benchmarks.
  • Complex and Legacy System integration act as a blocker for the data which is required to develop metrics
  • Failure to automate the collection of KRI values

Key Risk Indicators Examples

Risk

Metric Definition

Frequency

Reasoning

Data Loss

Percentage of Servers/Workstations backup Failure in a given Period.

Monthly

Change in server configuration or any upgrades in software can result in backup failure.

Data Loss

Percentage of Servers   using weak authentication protocols.

Monthly

Servers using weak authentication protocols can be a pathway for attackers to penetrate resulting into Information Leakage and Lateral Movement.

Compromised Systems/Data

Percentage of Critical Servers hosting sensitive/highly sensitive /Business Critical information where Logging is not Enabled.

Monthly

If logging is not enabled on Critical servers, the organisation will be unaware of any malicious activity/attacks.

Compromised Systems/Data

Percentage of Critical Servers missing patches.

Monthly

Missing critical patches may result into newly identified vulnerabilities being exploited by attackers.

Unauthorised Access

Percentage of Users whose access rights have not been reviewed within the last 90 days.

Monthly, Quarterly

Access rights if not reviewed timely can lead to unauthorised access by those who do not have business need to have that access.

Unauthorised Access

Number of Failed Attempts to Access User Accounts with Access to Sensitive Data.

Monthly

Access to sensitive information may be controlled and limited to those who have business need. If not it can cause serious harm to the organisation.

Unauthorised Access

Percentage of Network Devices not meeting the configuration standards.

Monthly

The Network devices not meeting the configuration standard can act as a pathway for threat actors to attack the weak configuration.

Malware/Virus Attacks

Percentage of Critical Servers that have not received a full malware scan within last 24 hours.

Daily, Weekly

Critical servers not undergoing a full malware scan with last 24 hours can be vulnerable and can be exploited by attackers.

 

Malware/Virus Attacks

Percentage of Critical Servers not running updated antivirus software.

Daily, Weekly

Critical servers without updated virus/malware signatures can be exploited by attackers.

Data Exfiltration

Average Time elapsed between formal reviews of Firewall Rules.

Monthly, Quarterly

Firewall rule reviews may help in discovering the need for additional rules and reveal unused rules – both outcomes improve overall security & firewall performance and ensures that unused rules cannot be used by external attackers for data exfiltration.

Service Interruptions

Percentage of Requests not resolved with the SLA (Service Level Agreement).

Monthly, Quarterly

A large percentage of issues that are not resolved within the desired time frame may increase the likelihood of productivity/capacity issues, service interruptions and potential customer service issues.

Service Interruptions

Percentage of IT Assets (Devices) Impacted by End-of- Life or Support.

Quarterly

A high percentage of devices with impending EoL dates may indicate that the company is using relatively outdated devices, and/or that it will be a large undertaking to procure and implement replacement devices soon.

Conclusion

To wrap it up, key risk indicators plays a crucial part in an organisation’s strategic risk management activities and day to day operations. To carve out an effective KRI library is one of the most vital steps for getting a proactive approach to risk management. Effectively designed KRI’s should act as an enabler to drive decisive action to manage risks, improve financial performance and provide the right level of board assurance that risks are under control.

To gain a holistic vision of key risk indicators, business people, risk professionals, Data Specialists, Software Engineers, UX Engineers and digital transformation experts must collaborate. Otherwise, an organisation may have tons of KRI’s with zero automation or highly automated alerts that nobody monitors.

 

References