How To Write Effective KRIs Part II

Summarise on:
Charu Pel

Charu Pel

6 min Read

LinkedInTwitterEmail

How To Write Effective KRIs Part II

Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues has noted that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs).

In Part I of the series, we discussed KPI and KRI basics to help new leaders understand their importance. The measured value of KRI should be able to reflect the negative impact it would have on the organization's KPI. KRIs are like an early warning system that alerts management when risk exposure exceeds tolerable limits.

While KPIs as performance indicators help identify the performing and underperforming aspects of the enterprise and provide further guidance on resource allocation, KPIs are better explained by events that have happened (for example, number of breaches or system failures). KRIs indicate future risk or likely chance of an event happening so management can act proactively.

What guidance helps in writing effective KRIs?

The next step is how to write effective KRIs. The COSO paper “Developing Key Risk Indicators to Strengthen Enterprise Management” is very useful guidance on the subject. The risk management experience and consideration of the following points will help in developing effective KRIs.

What risk management considerations help develop effective KRIs?

  1. The understanding of the organization's objectives is very important to identify events that could impact achievement of those objectives.
  2. The linkage between top risk and objectives will be an effective indicator of risk.
  3. The best way to identify KRIs is to start with events that happened in the past or near present. Analysis of intermediate events leading to the main event and root of those intermediate events helps identify risk.
  4. The goal is to develop KRIs close to the root cause so they serve as an early warning and provide enough time to respond.
  5. KRIs could be developed close to intermediate events, but they provide less time to react.
  6. KRI development starts with people in the organization, especially subject matter experts with a better understanding of intermediate events or failure points and root causes. Their input is very important to ensure key risks are considered.

How To Write Effective KRIs Part II

What data and measurement practices strengthen KRIs?

  • As an early-warning indicator, KRIs should be quantitative. Attempts should be made to quantify qualitative information rather than ignore it.
  • Relevant data must be easily accessible, and data mining and analysis should not involve excessive additional cost and resources.
  • Measuring KRIs involves data analysis. Teams must agree in advance on data points, data collection, aggregation and correlation methods.
  • A consistent and acceptable method for measuring KRIs must be agreed in advance.
  • An important element of any KRI is the data quality used in measurement. Data points and external/internal sources must be agreed to provide quality data.
  • External sources are useful in developing KRIs for risks never faced before.
  • When internal data is unavailable for emerging risks, KRI data can be sourced from independent external third parties.
  • Considering certain external data in KRI development helps from an objectivity perspective and addresses biased opinion.
  • Aggregating certain KRIs helps improve understanding of monitored risk compared to individual KRIs.
  • It is important not to confuse KRIs and KPIs. Risk indicators are different from performance indicators.
Cybersecurity

GRC Insights That Matter

Exclusive updates on governance, risk, compliance, privacy, and audits — straight from industry experts.

Related Resources

Related Posts

Information Security KRI & KPI - Relevant To CISO, CIO And Board Part I
Cybersecurity
Information Security KRI & KPI - Relevant To CISO, CIO And Board Part I

Part I covers practical KRI/KPI guidance for security leaders, including measurable KRI traits and an impact-to-KPI-to-KRI mapping approach.

Read More
Key Risk indicator & Key Performance Indicators Part I
Cybersecurity
Key Risk indicator & Key Performance Indicators Part I

An introduction to KRIs and KPIs with practical framing for leadership reporting, risk visibility, and performance measurement.

Read More
Examples Of Effective KRIs Part III
Cybersecurity
Examples Of Effective KRIs Part III

Explore effective KRI examples across leading and lagging indicators with practical implementation guidance.

Read More
background-line