Key risk indicator
   HOME

TheInfoList



OR:

A key risk indicator (KRI) is a measure used in management to indicate how risky an activity is. Key risk indicators are metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise. It differs from a
key performance indicator A performance indicator or key performance indicator (KPI) is a type of performance measurement. KPIs evaluate the success of an organization or of a particular activity (such as projects, programs, products and other initiatives) in which it eng ...
(KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact. KRI give an early warning to identify potential events that may harm continuity of the activity/project. KRIs are a mainstay of operational risk analysis.


Definitions

According to
OECD The Organisation for Economic Co-operation and Development (OECD; french: Organisation de coopération et de développement économiques, ''OCDE'') is an intergovernmental organisation with 38 member countries, founded in 1961 to stimulate ...
:''A risk indicator is an indicator that estimates the potential for some form of resource degradation using mathematical formulas or models.''


Risk management


Security risk management

According to
Risk IT Risk IT, published in 2009 by ISACA,ISACA THE RISK IT FR ...
framework by
ISACA ISACA is an international professional association focused on IT (information technology) governance. On its IRS filings, it is known as the Information Systems Audit and Control Association, although ISACA now goes by its acronym only.
, key risk indicators are metrics capable of showing that the organization is subject or has a high probability of being subject to a risk that exceed the defined
risk appetite Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, ...
. Organizations have different sizes and environment. So every enterprise should choose its own KRI, taking into account the following steps: * Consider the different stakeholders of the organization * Make a balanced selection of risk indicators, covering
performance indicator A performance indicator or key performance indicator (KPI) is a type of performance measurement. KPIs evaluate the success of an organization or of a particular activity (such as projects, programs, products and other initiatives) in which it en ...
s, lead indicators and trends * Ensure that the selected indicators drill down to the root cause of the events * Choose high relevant and high probability of predicting important risks: ** High business impact ** Easy to measure ** With high correlation with the risk ** Sensitivity * Determine thresholds and triggers for the set of KRI's * Locate and fold in data sources that contribute or feed data into KRI triggers * Determine notification methods, recipients, and action or response sequences The constant measure of KRI can bring the following benefits to the organization: * Provide an early warning: a proactive action can take place * Provide a backward looking view on risk events, so lesson can be learned by the past * Provide an indication that the
risk appetite Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk. It represents a balance between the potential benefits of innovation and the threats, ...
and tolerance are reached * Provide real time actionable intelligence to decision makers and risk managers Advances in hosted cloud data storage, data federation, and data aggregation have enabled data supply chains for real time calculation of key risk indicators across heretofore unlinked or disconnected data sources. Risk level dashboards can be supplemented with real time push notifications of risk. Systems methods and tools addressing triggering of notifications when targets are attained for key risk indicators have been evolving. Calculating and enabling notifications of key risk indicators used to be a unique benefit of enterprise software packages. With the evolution of API's to calculate trigger values for key risk indicators across various data sources, the potential for risk managers to include data external to an enterprise or external to an enterprise database has changed the risk management landscape.


Qualities of good key risk indicators

Some qualities of a good key risk indicator include: * Ability to measure the right thing (e.g., supports the decisions that need to be made) * Quantifiable (e.g., damages in dollars of profit loss) * Capability to be measured precisely and accurately * Ability to be validated against ground truth, and
confidence level In frequentist statistics, a confidence interval (CI) is a range of estimates for an unknown parameter. A confidence interval is computed at a designated ''confidence level''; the 95% confidence level is most common, but other levels, such as ...
one has in the assertions made within the framework of the metric


See also

*
Committee of Sponsoring Organizations of the Treadway Commission The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is an organization that develops guidelines for businesses to evaluate internal controls, risk management, and fraud deterrence. In 1992 (and subsequently re-released in 20 ...
*
Enterprise risk management Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. ERM provides a framework for risk management, which typic ...
*
ISO 31000 ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization. ISO 31000:2018 provides principles and generic guidelines on managing risks that could be negative faced by organizati ...


References

{{Reflist Metrics Operational risk