
How To Write Effective KRIs Part II

The Information Security Forum (ISF), a nonprofit association that researches and analyzes security and risk management issues, has noted that many CISOs are reporting the wrong key performance indicators (KPIs) and key risk indicators (KRIs).

In Part I of the series, we discussed the basics of KPIs and KRIs to help new leaders understand their importance. The measured value of a KRI should reflect the negative impact the risk would have on the organization’s KPI. KRIs act as an early warning system that alerts management when risk exposure exceeds tolerable limits.

KPIs, as performance indicators, help identify the performing and underperforming aspects of the enterprise and guide the allocation of resources to the areas that merit more attention. A KPI is best explained by an event that has already happened, e.g. the number of breaches or system failures, whereas a KRI indicates future risk, or the likelihood of an event happening, so that management can act proactively.

The next step is writing effective KRIs. The COSO paper “Developing Key Risk Indicators to Strengthen Enterprise Management” is very useful guidance on the subject. Risk management experience, together with consideration of the following points, will help in developing effective KRIs.

  1. Understanding the organization’s objectives is essential to identifying the events that could impact the achievement of those objectives.
  2. The linkage between top risks and objectives will be an effective indicator of risk.
  3. The best way to identify KRIs is to start with an event that happened in the past or recently. Analyzing the intermediate events that led to the main event, and the root causes of those intermediate events, will help identify the risk.
  4. The goal is to develop KRIs close to the root cause so that they serve as an early warning and provide enough time to respond.
  5. KRIs could be developed close to the intermediate event, but they will provide less time to react.
  6. The KRI development process starts with people in the organization, especially subject matter experts who have a better understanding of intermediate events, failure points and root causes. Their input will be very important to ensure the key risks are considered.