In simple terms, a Key Risk Indicator (KRI) is a metric used to measure the level of exposure to risk. KRIs are indicators of unfavourable situations or trouble ahead that could have a negative impact on the enterprise.
KRIs are important because they:
- Help highlight a trend and predict potential high-risk areas.
- Highlight weaknesses in the controls.
- Enable corrective action, such as strengthening the controls or proactively implementing a remediation plan.
Key features of a good KRI include the following:
- KRIs should be mapped to each major risk faced by the enterprise. For example, if Technology Risk is one of the major risks faced by the enterprise, then a KRI should be defined to address this specific risk.
- KRIs should be well defined and relevant, so that they provide meaningful insight into the risk.
- KRIs should be measurable and should not be based on subjective judgement.
- It should be possible to define multiple levels for a KRI, viz. acceptable level, warning level, and danger level (Green, Amber, and Red zones).
- The business team should have absolute clarity on the rationale of the KRI.
Risk teams should ensure that the definition of a KRI includes the following details:
|Risk Sub Classification|Technology – Development Risk|
|Percentage of Scheduled Maintenance Activities Missed
|The number of scheduled maintenance activities related to company devices (workstations, network equipment, servers) that did not take place on or before their scheduled date as a percentage of all maintenance activities scheduled to occur over the same period of time.
|This metric measures the IT function’s adherence to preventative and scheduled maintenance plans. Missed scheduled maintenance activities increase the likelihood of service interruptions, productivity losses, and security incidents. Instances of missed scheduled maintenance activities should be traced back to the responsible party to identify and correct the root cause.
|(Number of Scheduled Maintenance Activities Carried Out On-Time / Total Number of Scheduled Maintenance Activities to be Carried Out) * 100
|Acceptable level – above 75%, Warning level – 60% to 75%, Danger level – below 60%
Although the importance of defining a KRI was explained earlier, it is equally important to make team members aware of it. There needs to be a clear-cut alert and notification mechanism to ensure that the responsible officer is alerted, and the remediation plans need to be well documented.
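The sample KRI above can be computed directly from maintenance records. The following is an added example, not part of the original article: it applies the formula and thresholds exactly as given, counts missed activities per responsible party for root-cause follow-up, and reports a period with nothing scheduled as undefined. The record fields, the zone labels `GREEN`/`AMBER`/`RED`/`NO_DATA`, and the sample data are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Activity:
    device: str
    owner: str                 # responsible party (assumed field name)
    due: date
    completed: Optional[date]  # None = never carried out

def zone(pct: float) -> str:
    # Thresholds from the KRI definition: above 75 / 60 to 75 / below 60.
    if pct > 75:
        return "GREEN"
    return "AMBER" if pct >= 60 else "RED"

def evaluate(activities, start: date, end: date) -> dict:
    """On-time percentage for activities due within [start, end]."""
    due = [a for a in activities if start <= a.due <= end]
    if not due:
        # Nothing scheduled: the ratio is undefined, so report it as such
        # instead of dividing by zero or defaulting to a healthy 100%.
        return {"pct": None, "zone": "NO_DATA", "missed_by_owner": {}}
    # "On time" means completed on or before the scheduled date.
    missed = [a for a in due if a.completed is None or a.completed > a.due]
    pct = (len(due) - len(missed)) / len(due) * 100
    return {"pct": round(pct, 1), "zone": zone(pct),
            "missed_by_owner": dict(Counter(a.owner for a in missed))}

# Constructed sample records (not real data).
SAMPLE = [
    Activity("srv-db-01", "infra-team", date(2024, 3, 5), date(2024, 3, 4)),
    Activity("srv-web-02", "infra-team", date(2024, 3, 10), date(2024, 3, 10)),
    Activity("sw-core-01", "network-team", date(2024, 3, 12), date(2024, 3, 20)),
    Activity("fw-edge-01", "network-team", date(2024, 3, 15), None),
    Activity("ws-fin-114", "desktop-team", date(2024, 3, 18), date(2024, 3, 18)),
    Activity("ws-hr-027", "desktop-team", date(2024, 3, 22), date(2024, 3, 21)),
    Activity("srv-app-03", "infra-team", date(2024, 3, 25), date(2024, 4, 2)),
    Activity("rtr-br-02", "network-team", date(2024, 3, 28), date(2024, 3, 27)),
    Activity("srv-bkp-01", "infra-team", date(2024, 4, 3), None),  # outside period
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, date(2024, 3, 1), date(2024, 3, 31)))
```

A result in the amber or red zone, together with the per-owner counts, is what the alert to the responsible officer would carry.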