Scribd
Upload
13 views4 pages

KRIs

The document outlines Key Risk Indicators (KRI) and Key Performance Indicators (KPI) used to measure and manage risks within an organization. It defines various metrics for assessing risk exposure, mitigation progress, compliance, and stakeholder awareness, along with specific thresholds and targets for effective risk management. The document emphasizes the importance of regular updates and accountability in maintaining a robust risk management framework.

Uploaded by

arvindchauhan.infosec
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
13 views4 pages

KRIs

The document outlines Key Risk Indicators (KRI) and Key Performance Indicators (KPI) used to measure and manage risks within an organization. It defines various metrics for assessing risk exposure, mitigation progress, compliance, and stakeholder awareness, along with specific thresholds and targets for effective risk management. The document emphasizes the importance of regular updates and accountability in maintaining a robust risk management framework.

Uploaded by

arvindchauhan.infosec
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as XLSX, PDF, TXT or read online on Scribd
You are on page 1/ 4

Key Risk Indicators (KRI)

Key Risk Indicators (KRI) Definition


Measure the overall exposure to risk based on
Risk Exposure
the severity of identified risks in the register.

Track the number of risks in the register that


Number of High/Severe Risks
are rated as high or severe (i.e., critical risks).

The level of progress in addressing identified


Risk Mitigation Progress
risks.

Measures how often the risk register is


Frequency of Risk Register
reviewed and updated with new or changed
Updates
risks.
The appearance of new risks in the register,
Emerging Risks which could indicate a shift in the business or
operational environment.

Risk Ownership Tracks how well risks are assigned to


Accountability responsible owners for mitigation.

Key Performance
Indicators (KPI)
Key Performance
Definition
Indicators (KPI)
Risk Mitigation Action Measures the percentage of risk mitigation
Completion Rate actions completed on time
Effectiveness of Risk Measures how well the mitigation plans are
Mitigation Plans working in reducing risk impact.
Compliance with Risk Tracks adherence to internal policies and
Management Policies procedures for risk management.
Frequency of Risk Review Ensures regular discussions regarding the risk
Meetings register to maintain oversight and review.
Measures how quickly new risks are added to
Response Time to New Risks the register and how quickly risk mitigation
strategies are initiated

Measures the reduction in high or severe risks


Reduction in High Risks
in the risk register over a period of time

Risk Register Accessibility Tracks the ease with which stakeholders can
and Transparency access and understand the risk register.

Indicator Type Name


KRI Risk Exposure Level
KRI Incident Frequency
KRI Unmitigated Risk Percentage
KRI Risk Trend (Severity)
KRI Compliance Breaches
KRI Risk Mitigation Effectiveness
KRI Risk Register Update Frequency
KPI Risk Management Completion Rate
KPI Risk Reduction Percentage
KPI Audit and Review Frequency
KPI Stakeholder Risk Awareness
KPI Response Time to Emerging Risks
KPI Budget Adherence for Mitigation

KPI Employee Training on Risk Management

KPI Risk Register Completeness


KRI Metric Threshold
Average risk score (severity x likelihood) Any risk score above a certain value (e.g., 12
across all risks in the register out of 25) indicates high exposure.

Percentage of risks rated as high or severe If more than 20% of the risks are rated as
compared to the total number of risks in the high/severe, additional mitigation strategies
register. need to be developed.
If more than 10% of risks are without
Percentage of risks that have no mitigation
mitigation strategies or are inactive for more
strategy or are not actively monitored.
than 6 months, it’s a red flag
Risk register must be reviewed at least once a
Time since last update quarter. If updates are delayed beyond 90
days, it can indicate poor risk management
If the number of emerging risks increases
Number of new risks identified over a specific
significantly within a quarter, this indicates a
period
need for immediate attention

Percentage of risks in the register with clearly If less than 80% of risks have owners
defined risk owners assigned, it reflects a gap in risk accountability

KPI Metric Target


Percentage of completed risk mitigation 90% or above completion rate within the
actions versus planned actions expected timeframe
Post-mitigation risk score or change in risk A reduction in risk severity by at least 30%
severity (before vs. after mitigation) after mitigation
Percentage of risk management processes 100% compliance with internal risk
and policies that are being followed correctly. management procedures
Number of risk management meetings held At least one meeting per quarter to review and
per quarter. update the risk register
Average time (in days) taken from the
identification of a risk to its entry in the register Less than 5 days for high-impact risks
and mitigation action initiation.
Percentage decrease in the number of high or
A 10% reduction in high-risk entries every
severe risks from one review period to the
quarter
next.
Percentage of stakeholders who report that
At least 90% of stakeholders should confirm
the risk register is accessible, up-to-date, and
ease of access and clarity
transparent

Description Threshold/Target
Percentage of high risks being mitigated ≥90% actively monitored
Number of risk-related incidents in a given
≤ 5 incidents per month
time period
Percentage of risks without mitigation actions ≤10% of risks unmitigated
Change in severity of risks over time No major trend toward higher risk
Number of compliance breaches ≤ 2 breaches per quarter
Percentage of risk mitigations successfully
≥85% success rate
implemented
Frequency of updates to the risk register Monthly updates
Percentage of completed mitigation actions ≥95% completion
Percentage reduction in risk after mitigation ≥50% reduction
Number of risk audits conducted At least quarterly
Percentage of stakeholders aware of top risks ≥90% awareness
Average time to respond to new risks <1 week response time
Percentage of budget spent on mitigation
±10% of the allocated budget
actions
Percentage of employees trained on risk
≥80% trained annually
management
Percentage of risks with complete information ≥95% completeness

You might also like