
Risk Management – It’s a bit like a hungry baby!


First things first – I am no parenting expert! Up until very recently, I thought that when a baby cries, they need one of four things…cuddles, feeding, a nappy change or medical attention. Now it is still true that when a baby cries they most likely need one [or more] of those things. It is also true that before they start bawling their eyes out they have already given you subtle clues about what they need. Whilst I am no parenting expert, I do know a fair bit about risk management. As I sat in the NCT lesson on infant feeding techniques last week, it became apparent that there were many parallels with risk management. The main parallel is that babies give out different types of key risk indicator when hungry…you just need to know what to look for…

Why KRI?

As many reading this article will know, a Key Risk Indicator (KRI) is “an indicator that estimates the potential for some form of resource degradation using mathematical formulas or models.” (Source: OECD). A KRI should always be linked to one or more Key Performance Indicators (KPIs). Basically, if you structure your KRIs correctly, linking them effectively to your organisation’s KPIs, then you should be less likely to miss your KPIs – or at least be in a good position to put mitigating measures in place for those unavoidable situations that are out of your control!

The thing is, there are different types of KRIs. Just like the signals babies give off when they are hungry, KRIs can be split into three different categories: late, mid & early warning cues. The key is to make sure when you’re picking KRIs, that you pick those with early cues – and take action at that stage…because no one wants to be doing the business equivalent of calming a screaming, hungry baby at 3:30am!

Late cues

Late cue KRIs are those where some impact has already occurred. They are usually events that are low-to-medium impact, but ultimately someone has to fix something that has already gone wrong. In a technology environment, a KRI could be established to count incidents, the logic being that the more incidents there are, the higher the risk that a catastrophic failure will occur in the near future. The downside to this approach is that the organisation is still dealing with all those incidents – and that costs money.

Another example of a late cue KRI is the number of vendor contracts signed without a due-diligence review. Sure, there is little you can now do about that future impact, but at least you know you’re exposed – even if you don’t know by how much.

Mid cues

Mid cue KRIs are those that force your hand. No impact has occurred yet, but if you don’t do something immediately then it is likely that impact will be felt in the short term. A good example of this could be KRIs related to capacity management, e.g. file servers at 90% of their storage capacity. The KRI has clearly given you a warning before an impact occurs, but now you are going to have to divert resources away from one piece of work to deal with this unexpected surge in storage usage. It would have been nice if someone had told IT that the marketing department are now editing all the corporate videos in Ultra HD!

Other examples of mid cue KRIs are

Early cues

Early cue KRIs are those that give an organisation the most optimal chance to plan for potential issues. Early cue KRIs allow organisations to take measured steps when faced with an event which hasn’t happened yet. These are the KRIs organisations want to measure.

Some examples of early cue KRIs are:

Get to know your organisation’s risk cues…

Just like a baby, the KRIs chosen will depend a lot on how your organisation functions. Those tasked with developing KRIs should know their organisation’s KPIs intimately. Work back from these KPIs and keep going, past the late and mid-level cues, until you get to the early cues. Monitor these and you’ll have fewer sleepless nights!
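To make the three categories concrete, here is a small worked example (added here; it is not code from the original article or from Fox Red Risk) that evaluates the two KRIs the article mentions, file-server storage and incident counts, and labels each as a late, mid or early cue. The 90% storage threshold comes from the mid cue example above. The 30-day forecast horizon for an early cue, the three-incident threshold for a late cue, and the usage samples are assumptions constructed for the illustration; the early cue is derived from the storage growth trend, which is one way an organisation might get a warning before the 90% line is crossed.

```python
"""Classify capacity and incident KRIs into late, mid and early cues.

Added example, not from the original article. Thresholds other than the
90% storage figure are assumptions chosen for the illustration.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

MID_CUE_UTILISATION = 0.90        # from the article: file servers at 90% capacity
EARLY_CUE_HORIZON_DAYS = 30       # assumption: flag if the trend fills the server within 30 days
LATE_CUE_INCIDENT_THRESHOLD = 3   # assumption: three or more incidents in the period is a late cue


@dataclass(frozen=True)
class UsageSample:
    """One daily reading of storage used on a file server (samples are ordered by day)."""
    day: int
    used_gb: float


def utilisation(samples: Sequence[UsageSample], capacity_gb: float) -> float:
    """Fraction of capacity in use at the most recent sample."""
    return samples[-1].used_gb / capacity_gb


def daily_growth_gb(samples: Sequence[UsageSample]) -> float:
    """Least-squares slope of used_gb against day, i.e. GB consumed per day."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x = sum(s.day for s in samples) / n
    mean_y = sum(s.used_gb for s in samples) / n
    sxx = sum((s.day - mean_x) ** 2 for s in samples)
    sxy = sum((s.day - mean_x) * (s.used_gb - mean_y) for s in samples)
    return sxy / sxx if sxx else 0.0


def days_until_full(samples: Sequence[UsageSample], capacity_gb: float) -> Optional[float]:
    """Projected days until the server is full, or None if usage is flat or shrinking."""
    growth = daily_growth_gb(samples)
    if growth <= 0:
        return None
    return (capacity_gb - samples[-1].used_gb) / growth


def classify_capacity_kri(samples: Sequence[UsageSample], capacity_gb: float) -> str:
    """'mid' once the 90% line is crossed; 'early' if the trend will cross it soon; else 'none'."""
    if utilisation(samples, capacity_gb) >= MID_CUE_UTILISATION:
        return "mid"          # impact is imminent; resources must be diverted now
    eta = days_until_full(samples, capacity_gb)
    if eta is not None and eta <= EARLY_CUE_HORIZON_DAYS:
        return "early"        # nothing has happened yet; there is still time to plan
    return "none"


def classify_incident_kri(incident_count: int) -> str:
    """Incident counts only ever tell you about impact that has already occurred."""
    return "late" if incident_count >= LATE_CUE_INCIDENT_THRESHOLD else "none"


# Constructed sample data: a 10 TB file server under three different usage patterns.
CAPACITY_GB = 10_000
EARLY_SAMPLES = [UsageSample(d, 5000 + 150 * d) for d in range(7)]   # 59% used, growing 150 GB/day
MID_SAMPLES = [UsageSample(d, 9000 + 100 * d) for d in range(3)]     # already at 92%
FLAT_SAMPLES = [UsageSample(d, 5000) for d in range(3)]              # 50% used, no growth

if __name__ == "__main__":
    for name, samples in (("early", EARLY_SAMPLES), ("mid", MID_SAMPLES), ("flat", FLAT_SAMPLES)):
        print(name, classify_capacity_kri(samples, CAPACITY_GB), days_until_full(samples, CAPACITY_GB))
    print("incidents", classify_incident_kri(4))
```

The design point is the ordering of the checks: the same storage metric yields a mid cue once the threshold is breached, but the growth trend turns it into an early cue weeks beforehand, which is the cue the article says organisations should be measuring. The incident count can only ever be a late cue, however it is thresholded.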

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
