Академический Документы
Профессиональный Документы
Культура Документы
The model helps in aligning risk strategy, governance, management and assurance.
The Need for Linking KRIs to KPIs for KRI selection, describes the three-lines-of-defense
model, lists the benefits KRIs provide to an enterprise,
Linking KRIs to KPIs enables business managers and outlines common challenges encountered during
to appreciate the relationship between risk and successful implementation of KRIs.
business performance, and relevance of KRIs to
the organization’s business objectives and risk COBIT 5 for Risk lists some possible KRIs for
appetite. This helps in cross-functional collaboration different stakeholders—the chief information officer
and embedding risk considerations into business (CIO), the risk function and the chief executive
decisions. Linking KRIs to KPIs also helps in getting officer (CEO)/board of directors (BoD). Some of
business buy-in for investment in risk mitigation these KRIs are shown in figure 3.
measures. Figure 2 shows some examples of KRIs
linked to KPIs and the business impact of the KRIs.
Automation—The Role of GRC Tools in a
COBIT 5 for Risk and KRIs Metrics Program
A governance, risk and compliance (GRC) risk
COBIT 5 for Risk is a COBIT® 5 professional guide that
management solution provides an organization with
discusses IT-related risk and provides detailed and
a consolidated view of its risk. The solution allows
practical guidance for risk professionals. Specific to
for risk assessment and gives authorized personnel
KRIs, it defines KRIs, lists the parameters and criteria
the ability to assign metrics to risk, collect changes provides an overview of a risk metrics automation
in the organization’s risk profile, and monitor risk and workflow in a typical GRC solution.
metrics against targets and tolerance thresholds.
Conclusion
Corporate objectives and policies defined by senior
Risk communication is a key element of the
management, together with other authoritative
risk management process. Communication and
sources and standards, contribute to the
consultation with stakeholders are important as
development of a risk register. The risk register is
they make judgments about risk based on their
used to generate risk assessment questionnaires
perceptions of risk.5 An effective risk metrics
that are used for conducting risk assessments.
program brings objectivity into stakeholders’ risk
Risk assessment results drive the development and
perception by providing a shared language to
implementation of risk remediation or mitigation
measure the effectiveness of security and risk
plans. These plans, as well as the outcomes, are
mitigation measures within the organization.
communicated to senior management.
Integration of KRIs with KPIs helps in strengthening
organizations’ risk culture by enabling business
Corporate objectives and the risk register are used
managers to recognize the business benefits of
to develop the metrics—KPIs and KRIs, respectively.
effective technology risk management.
The metrics dashboard or results are communicated
to senior management on a regular basis. Figure 4
Senior Management
Corporate Objectives
and Policies
Risk Register
Risk Remediation
Plans Risk Assessment