Integrating KRIs and KPIs for Effective Technology Risk Management

Performance evaluation is a key element of any management system and a good governance practice. It involves six key activities: monitoring, measurement, analysis, evaluation, internal audit and management review. Performance evaluation of an organization’s risk management system ensures the risk management process remains continually relevant to the organization’s business strategies and objectives. Organizations should adopt a metrics program to formally carry out performance evaluation. An effective metrics program helps in measuring security and risk management from a governance perspective.¹

Simply stated, metrics are measurable indicators of performance. The two key metrics that are used are key risk indicators (KRIs) and key performance indicators (KPIs). COBIT 5 for Risk defines KRIs as metrics capable of showing that the enterprise is, or has a high probability of being, subject to a risk that exceeds the defined risk appetite.² They are critical to the measurement and monitoring of risk and performance optimization. These metrics help in effectively reporting the risk management performance results (risk communication) to stakeholders and enable management in taking informed risk management decisions. While KPIs focus on business performance, KRIs focus on risk management performance.

This article highlights how a risk metrics program can be used to integrate KRIs and KPIs for effective technology risk management.

Risk Metrics Program

An effective risk metrics program yields several benefits, including:

• Enabling regular review of risk trends and better visibility of technology risk and vulnerabilities
• Enabling increased accountability and improved technology risk management effectiveness
• Assisting in management review and providing decision indicators for continual improvement of technology risk management
• Providing inputs for prioritizing resource allocation decisions
• Assisting in streamlining risk communications
• Contributing to overall cost savings and increased risk management efficiency

The key steps in the risk metrics program are:

• Selection and development of metrics
• Collection of metrics data
• Analysis of metrics data
• Reporting of metrics results

The set of risk metrics selected for initial implementation should be based on the organization’s current risk management maturity level and should contribute to improvement of high-priority risk management focus areas. The metrics should also cover various categories of stakeholders in the organization. The collection and analysis of metrics data and reporting of metrics results can be automated (see the section of this article titled “Automation—The Role of GRC Tools in a Metrics Program”). The three-lines-of-defense model³ is suggested to establish risk ownership and ensure accountability.

Risk Ownership and the Three-Lines-of-Defense Model Against Risk

Business managers tend to think that technology risk is owned and managed by IT or the risk function within the organization. COBIT 5 for Risk defines IT risk as business risk, specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.⁴

The three-lines-of-defense model can be used as a primary means to structure the roles and responsibilities for risk-related decision-making and control to achieve effective risk governance, management and assurance:

1. The first line of defense is the management teams of individual lines of business (LoBs), who are responsible for identifying and managing the risk inherent in the products, services, processes and systems within their LoBs.
2. The second line of defense is an independent corporate risk function, responsible for designing the risk management framework; defining roles and responsibilities; and providing oversight, support, monitoring and reporting.
3. The third line of defense is the internal audit function and is responsible for an independent review of the organization’s risk management controls, processes and systems.

Figure 1 provides an overview of the roles and responsibilities of the three lines of defense, with example KRIs.

The Need for Linking KRIs to KPIs

Linking KRIs to KPIs enables business managers to appreciate the relationship between risk and business performance, and relevance of KRIs to the organization’s business objectives and risk appetite. This helps in cross-functional collaboration and embedding risk considerations into business decisions. Linking KRIs to KPIs also helps in getting business buy-in for investment in risk mitigation measures. Figure 2 shows some examples of KRIs linked to KPIs and the business impact of the KRIs.

COBIT 5 for Risk and KRIs

COBIT 5 for Risk is a COBIT 5 professional guide that discusses IT-related risk and provides detailed and practical guidance for risk professionals. Specific to KRIs, it defines KRIs, lists the parameters and criteria for KRI selection, describes the three-lines-of-defense model, lists the benefits KRIs provide to an enterprise, and outlines common challenges encountered during successful implementation of KRIs.

COBIT 5 for Risk lists some possible KRIs for different stakeholders—the chief information officer (CIO), the risk function and the chief executive officer (CEO)/board of directors (BoD). Some of these KRIs are shown in figure 3.

Automation—The Role of GRC Tools in a Metrics Program

A governance, risk and compliance (GRC) risk management solution provides an organization with a consolidated view of its risk. The solution allows for risk assessment and gives authorized personnel the ability to assign metrics to risk, collect changes in the organization’s risk profile, and monitor risk and metrics against targets and tolerance thresholds.

Corporate objectives and policies defined by senior management, together with other authoritative sources and standards, contribute to the development of a risk register. The risk register is used to generate risk assessment questionnaires that are used for conducting risk assessments. Risk assessment results drive the development and implementation of risk remediation or mitigation plans. These plans, as well as the outcomes, are communicated to senior management.

Corporate objectives and the risk register are used to develop the metrics—KPIs and KRIs, respectively. The metrics dashboard or results are communicated to senior management on a regular basis. Figure 4 provides an overview of a risk metrics automation workflow in a typical GRC solution.

Conclusion

Risk communication is a key element of the risk management process. Communication and consultation with stakeholders are important as they make judgments about risk based on their perceptions of risk.⁵ An effective risk metrics program brings objectivity into stakeholders’ risk perception by providing a shared language to measure the effectiveness of security and risk mitigation measures within the organization. Integration of KRIs with KPIs helps in strengthening organizations’ risk culture by enabling business managers to recognize the business benefits of effective technology risk management.

Endnotes

¹ For examples of operational efficiency metrics and metrics in a security balanced scorecard, see Volchkov, A.; “How to Measure Security From a Governance Perspective,” ISACA Journal, vol. 5, 2013, https://www.isaca.org/resources/isaca-journal/issues
² ISACA, COBIT 5 for Risk, USA, 2013
³ For a detailed description of the three-lines-of-defense model and its role within the enterprise’s wider governance framework, see COBIT 5 for Risk.
⁴ Op cit ISACA
⁵ For a detailed description of the importance of communication and consultation in risk management, see International Organization for Standardization, ISO 31000:2018, Risk management—Guidelines.