Key Risk Indicator

From Wikipedia, the free encyclopedia
Jump to: navigation, search
This article is about the measure used in management. For the Ruby Implementation, see YARV. For other uses, see KRI.

A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is. It differs from a Key Performance Indicator (KPI) in that the latter is meant as a measure of how well something is being done while the former is an indicator of the possibility of future adverse impact. KRI give us an early warning to identify potential event that may harm continuity of the activity/project.

KRIs are a mainstay of Operational Risk analysis.

Definitions[edit]

According to OECD [1]

A risk indicator is an indicator that estimates the potential for some form of resource degradation using mathematical formulas or models.

Risk management[edit]

Security risk management[edit]

According to Risk IT framework by ISACA,.[2] Key risk indicators are metrics capable of showing that the organization is subject or has a high probability of being subject to a risk that exceed the defined risk appetite.

Organizations have different sizes and environment. So every enterprise should choose its own KRI, taking into account the following steps:

  • Consider the different stakeholders of the organization
  • Make a balanced selection of risk indicators, covering performance indicators, lead indicators and trends
  • Ensure that the selected indicators drill down to the root cause of the events
  • Choose high relevant and high probability of predicting important risks:
    • High business impact
    • Easy to measure
    • With high correlation with the risk
    • Sensitivity

The constant measure of KRI can bring the following benefits to the organization:

  • Provide an early warning: a proactive action can take place
  • Provide a backward looking view on risk events, so lesson can be learned by the past
  • Provide an indication that the risk appetite and tolerance are reached

See also[edit]

References[edit]

  1. ^ OECD Glossary of statistical terms
  2. ^ ISACA THE RISK IT FRAMEWORK (registration required)