KRI (Key Risk Indicators) & IT


Upload: max-neira-schliemann

Post on 07-Nov-2014

10.926 views

Category:

Business


0 download

DESCRIPTION

July 31

TRANSCRIPT

Page 1: KRI (Key Risk Indicators) & IT

© 2012 MetricStream, Inc. All Rights Reserved.

Establishing Key Risk Indicators for IT

July 31, 2012

Maximo Neira Schliemann, Founder & Partner at Beyond Economics; Former CIO, Ros Casares Corporation in Spain; Member of the CIO office at Baxter

Ravi Mishra, Manager Product Marketing - IT GRC Solutions, MetricStream

Page 2: KRI (Key Risk Indicators) & IT


Agenda

• What are KRIs and how do they differ from KPIs and KCIs?

• Why are KRIs important to your IT?

• Selecting the right set of KRIs for your IT organization

• Leveraging KRIs for effective IT Risk Management and improving business performance

Page 3: KRI (Key Risk Indicators) & IT

THE ENDLESS POSSIBILITIES OF REPUTATION, RISK & DESIGN IN BUSINESS.

KRIs, KPIs & IT

Maximo Neira Schliemann, [email protected], @neiraschliemann, July 31st, 2012

Page 4: KRI (Key Risk Indicators) & IT

THE ENDLESS POSSIBILITIES OF RISK IN BUSINESS. KRIs & IT

“Your life will prosper only if you see and acknowledge your faults, and work to reduce them...”

Whether you love or hate them, it is hard to dispute the popularity and mystique of fortune cookies in their reputed ability to predict the future…

Page 5: KRI (Key Risk Indicators) & IT

What are KRIs?

How do they differ from KPIs?

Why are KRIs important for IT?

How to select the right KRIs?

How to leverage KRIs?

Page 6: KRI (Key Risk Indicators) & IT


“key risk indicators (KRIs) are metrics or pieces of data serving as ‘early warning indicators’ of increased risk exposure in various areas of the enterprise.”

COSO, 2010

Algorithmic & Heuristic

Page 7: KRI (Key Risk Indicators) & IT


“Key Performance Indicators (KPIs) are designed to provide a high-level overview of the past performance of the organization and its major operating units, often focused almost exclusively on historical data.”

COSO, 2010

Algorithmic

Page 8: KRI (Key Risk Indicators) & IT

[Diagram: KPIs and KRIs; labels: External Social, External Geopolitical]

Page 9: KRI (Key Risk Indicators) & IT

Algorithmic, simple

COSO, 2010

Page 10: KRI (Key Risk Indicators) & IT

“Not everything that can be counted counts, and not everything that counts can be counted.”

Albert Einstein


Heuristic & Inferred

Page 11: KRI (Key Risk Indicators) & IT

[Diagram: reputation model. Inputs: corporate actions, supporting attitudes, third-party opinion, personal experiences. Layers: 7 domains, 6 attitudes, 4 feelings, results, reputation, prospects.]

Reputation. A construct with more than 35 observable variables across 7 domains with proven impact on Performance.

Heuristic & Inferred

Page 12: KRI (Key Risk Indicators) & IT

Reputation. A process with more than 35 observable variables across 7 domains with impact on Performance.

[Diagram: domains: Products, Innovation, Workplace, Governance, Citizenship, Leadership, Performance; feelings: Trust, Esteem, Admiration, Reputation; attitudes: Purchase, Recommend, Anti-crisis, Word of Mouth, Invest in, Work at; results.]

Page 13: KRI (Key Risk Indicators) & IT

Cronbach's alpha

Causal analysis and constructs: a construct can't be directly observed, but it can be inferred.

Source: Reputation Institute

Page 14: KRI (Key Risk Indicators) & IT


Reputation KRI and Market Value KPI have a causal relationship.

Source: Reputation Institute.

Page 15: KRI (Key Risk Indicators) & IT

“There is a prospect of a thrilling time ahead for you.”

Developing effective KRIs is crucial to the success of any management program. Because they assist in predicting potential adverse events, they are mostly useful, as noted above, in identifying key areas where additional controls or mitigation plans might be needed, or in exploring market opportunities.

Page 16: KRI (Key Risk Indicators) & IT

A goal of developing an effective set of KRIs is to identify relevant metrics that provide useful insights about potential risks that have an impact on the achievement of the organization’s short & long term performance & goals. The selection and/or design of effective KRIs starts with a firm grasp of organizational objectives and risk-related events - uncertainties that might affect the achievement of those objectives.

Risk-related event categories:

• extended enterprise risks

• reputational risks

• competitor actions risks

• market dynamics risks

• regulatory compliance risks

• contract risks

• business interruption risks

• geopolitical risks

• fraud or corruption risks

• security risks

• reporting risks

• talent related risks

Page 17: KRI (Key Risk Indicators) & IT

Linking Objectives to Strategies to KRIs. Mapping key risks to core strategic initiatives puts management in a position to begin identifying the most critical metrics that can serve as leading key risk indicators to help them oversee the execution of core or strategic initiatives.

Page 18: KRI (Key Risk Indicators) & IT

Opportunities for Proactive Strategic Risk Management. This strategic use of KRIs increases the likelihood that objectives set by management are achieved. Proactively monitoring relevant KRIs helps minimize uncertainty and identify opportunities for strategy or operational adjustments.

Page 19: KRI (Key Risk Indicators) & IT

Why are KRIs important for IT?

How to select the “right” KRIs for IT?

Page 20: KRI (Key Risk Indicators) & IT

IT continues to emerge as a significant source of strategic risk. The selection and/or design of effective KRIs starts with a firm grasp of organizational objectives and risk-related events - uncertainties that might affect the achievement of those objectives.

Source: Corporate Executive Board

Page 21: KRI (Key Risk Indicators) & IT

*Illustrative

[Diagram: Traditional IT Risk Areas. Are they linked?]

Page 22: KRI (Key Risk Indicators) & IT


*Illustrative

Emerging IT-related Risk Areas

On top of the traditional IT risk areas, embedded within the enterprise risk “heat map” lie an array of business risks that, upon further consideration, reveal a significant IT component.

Page 23: KRI (Key Risk Indicators) & IT


“By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.” (ISO 31000, p. 15)

Page 24: KRI (Key Risk Indicators) & IT

KRIs should be associated with corresponding KPIs, measured as preceding events with a causal relationship affecting desired outcomes.

[Diagram: Data Privacy events, Reputation KRI, Revenue KPI]

Page 25: KRI (Key Risk Indicators) & IT

KRIs should be associated with corresponding KPIs, measured as preceding events with a causal relationship affecting desired outcomes.

*Illustrative

[Diagram: IT Strategic Initiatives & Risks aligned with Company’s core Pillars, Initiatives & Goals; labels: Customer Satisfaction, Operational Excellence, Systems Availability, Data Privacy, KPI]

Page 26: KRI (Key Risk Indicators) & IT

Start with credible & discrete KRIs directly impacting business KPIs.

*Illustrative. Source: Gartner

[Diagram: IT Strategic Initiatives aligned with Company’s core Pillars & Initiatives; KPI and KRI columns]

Page 27: KRI (Key Risk Indicators) & IT

Real-world KRI and KPI mappings

*Illustrative. Source: Gartner

[Table: KRIs mapped to KPIs]

Page 28: KRI (Key Risk Indicators) & IT


How to leverage KRIs and improve Business performance?

Page 29: KRI (Key Risk Indicators) & IT

Business case example for a shipping company…

*Illustrative

A cross-country shipping company with a fleet of 100 trucks.

KPI: On-time delivery has reputation, sales and customer service implications.

KRI: Lorry breakdown rates have a causal relationship with on-time delivery.

KPI: Failure to change oil has a causal relationship with, and a negative impact on, breakdowns.

Control: Maintenance SLA with an oil change every 5k mi.

KPI and KRI:

Changing oil every 3k mi raises costs but does not significantly lower breakdown rates.

Changing oil every 10k mi lowers costs but significantly raises breakdown rates.

Risk management

Business outcomes:

• Alignment of risk-related activities to execution.

• Risk visibility drives better business decisions with a KRI.

Page 30: KRI (Key Risk Indicators) & IT

Risk adjusted KPIs improve decisions and increase business value.

*Illustrative

On-time delivery KPI and oil-change KRI:

on-time delivery = orders delivered on-time / total orders received

on-time delivery KPI = 912/1,000 = 91%

KPI target = 90%

oil-change KRI = lorries w/o oil change within last 5,000 mi / total fleet

oil-change KRI = 75/100 = 75%

Risk adjusted on-time delivery KPI = KPI – (4 * KRI) = 91% - 3% = 88%

Page 31: KRI (Key Risk Indicators) & IT

The Risk Adjusted Value Model and the KRI Catalog

[Table: Business aspect, Outcomes, Key Risk Indicators]

*Illustrative. Source: Gartner

Page 32: KRI (Key Risk Indicators) & IT

The Risk Adjusted Value Model and the KRI Catalog

Business aspect: Support Services; Finance and Regulatory

Outcomes / Impacted KPI: Time to Market

KRI: Audit Exception Index

Category: Compliance

KRI Description: Audit findings are a measure of Compliance failures. The Audit Exception Index is a KRI indicating that a company is accepting more risk than it is addressing.

KRI Metric: The Audit Exception Index measures the % of audit exceptions granted over the total number of audit findings. Audit Exception Index = Granted Exceptions / Total Audit Findings

KRI Example: The ABC Co. granted 10 critical audit exceptions in the past 12 months. During the same period, the total number of findings was 40. Audit Exception Index = (10/40) = 25%

Risk Adjusted KPI example: ABC Co. is in the heavily regulated pharma industry. Poor compliance increases regulatory scrutiny, which increases new drug development costs while delaying product launch. RA New Product Index = New Product Index – (4 x Audit Exception Index)

Alternative Measures: Compliance Program Maturity. Average days out of date for Critical Mandates.
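An added worked example, not code from the slides, MetricStream or Gartner, that implements the risk-adjusted KPI convention used in the shipping case (Page 30) and the Audit Exception Index catalog entry (Page 32); the class and function names and the 80% New Product Index value are assumptions, since the slide gives no value for it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """A KPI or KRI expressed as a ratio of two counts, as on the slides."""
    name: str
    numerator: int    # e.g. orders delivered on time, or audit exceptions granted
    denominator: int  # e.g. total orders received, or total audit findings

    @property
    def ratio(self) -> float:
        # A zero denominator (no orders, no findings) means the indicator is
        # undefined for the period: fail loudly instead of reporting 0%.
        if self.denominator <= 0:
            raise ValueError(f"{self.name}: denominator must be positive")
        return self.numerator / self.denominator

    @property
    def percent(self) -> int:
        # The slides round to whole percent (912/1,000 is shown as 91%).
        return round(100 * self.ratio)


def risk_adjusted(kpi_percent: float, kri: Indicator, weight: float = 4.0) -> float:
    """Slide convention: adjusted KPI = KPI - (weight * KRI), with weight times the
    KRI ratio subtracted as percentage points (91 - 4 * 0.75 = 88)."""
    return round(kpi_percent - weight * kri.ratio, 2)


def assess(kpi: Indicator, kri: Indicator, target_percent: float,
           weight: float = 4.0) -> dict:
    """Compare the raw and the risk-adjusted KPI against target: the verdict can flip."""
    raw = kpi.percent
    adjusted = risk_adjusted(raw, kri, weight)
    return {
        "kpi": kpi.name, "kri": kri.name,
        "raw_percent": raw, "kri_percent": kri.percent,
        "adjusted_percent": adjusted,
        "raw_meets_target": raw >= target_percent,
        "adjusted_meets_target": adjusted >= target_percent,
    }


# Shipping case from the slides: 912 of 1,000 orders on time, 75 of 100 lorries
# without an oil change in the last 5,000 mi, KPI target 90%.
SHIPPING = assess(Indicator("on-time delivery", 912, 1_000),
                  Indicator("oil-change KRI", 75, 100), target_percent=90)

# Audit case from the slides: 10 exceptions granted over 40 findings. The slide gives
# no New Product Index value, so 80% here is a constructed placeholder.
AUDIT_EXCEPTION_INDEX = Indicator("audit exception index", 10, 40)
RA_NEW_PRODUCT_INDEX = risk_adjusted(80, AUDIT_EXCEPTION_INDEX)
```

The shipping case shows the point of the slide: the raw KPI (91%) meets the 90% target while the risk-adjusted KPI (88%) does not.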

Page 33: KRI (Key Risk Indicators) & IT

How to go about developing a Strategy-KRI-KPI mapping exercise? The “Vertical-Horizontal” analysis

[Diagram: function critical perspective analysis (Security, I&O; CEO, COO, CIO) and dependency links perspective analysis; Core Competence Execution]

Page 34: KRI (Key Risk Indicators) & IT

Three Takeaways

• Management processes need to consider Risk explicitly.

• Risk Adjusted KPIs improve business decisions and increase business value.

• A Risk Adjusted/Aware Value Model represents the activities and events that affect the expected or planned outcomes of your Co.

Page 35: KRI (Key Risk Indicators) & IT


Communicating & Engaging through KRIs

Organizing, monitoring, reviewing and communicating KRI progress and their impact on KPIs can be greatly facilitated by having a centralized, automated system for the company’s Risk Adjusted KPI program, with flexible, audience oriented, reporting & dashboarding functionality.

Page 36: KRI (Key Risk Indicators) & IT

Governance, Risk Management and Compliance are nuisances without a holistic strategy and proper tooling.

Page 37: KRI (Key Risk Indicators) & IT

IT GRC needs are often more complicated than those of their enterprise colleagues.

With PCI, HIPAA, ISO certification, and privacy laws, IT Pros are typically looking for more sophisticated control mapping, asset management, vulnerability and event data and product integration functionality.

As we mentioned, KRIs can and need to be linked to multiple KPIs and controls, across various enterprise key processes. On top of the KRI-KPI linkage and its management complexity, creating risk intelligence requires embracing all risk-related information such as policies, procedures, losses, incidents, source legal and regulatory content, compliance control actions taken, auditing, etc. All this requires proper systems support to help risk owners and senior management develop a common language and a clearer vision of the future.

As of today, IT risk and compliance issues don’t usually get the executive visibility they deserve. Although many firms may list one or two IT risks among their corporate top 10, most IT & Risk heads struggle to get visibility with their corporate executives and boards (until there’s a breach, that is).

Page 38: KRI (Key Risk Indicators) & IT

“The wise man expects to prepare for the unexpected.”

Even as concerns grow over mounting regulations, cyberwarfare, privacy, reputation and fraud, it will be a proper KRI to KPI mapping and the existing large and successful list of deployments and success stories, as much as anything else, that will pave the way for your IT GRC program. So buckle up, leverage both of them and turn your IT into the domain expert your Co. needs.

Page 39: KRI (Key Risk Indicators) & IT

THE ENDLESS POSSIBILITIES OF REPUTATION, RISK & DESIGN IN BUSINESS.

KRIs, KPIs & IT

Maximo Neira Schliemann, [email protected], @neiraschliemann, July 31st, 2012