Successful third party risk management programs are driven by Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Strong KPIs and KRIs are meaningful for leadership and the board: these metrics paint a picture of an organization’s overall third party risk estate and give compelling reasons for the actions already taken (or still to be taken) by risk management programs.
Shared Assessments recently hosted a webinar on the best KPIs and KRIs for risk management. In this session, Tom Garrubba, VP, Shared Assessments and Alastair Parr, SVP, Global Products & Risk, Prevalent discussed:
A Key Risk Indicator (KRI) for third party risk management programs gauges the potential risk posed to an organization by a downstream third party. KRIs can be considered for each third party individually. KRIs can also be an aggregate of risk across an organization’s entire third party estate. KRIs should be based on the required output and audience. A KRI becomes particularly useful when it helps drive decision-making on risk tolerance and the allocation of remediation resources.
A Key Performance Indicator (KPI) for third party risk management programs is a measurement of the progress and success of a program against its tasks and functions. KPIs can reflect information gathering progress, team performance metrics, improvements to risk management progress, or even individual third party performance. A KPI is most useful when it helps drive improvements and awareness of where resources or progress are insufficient relative to the organization’s broader risk appetite. Having good data and tools at the ready is key!
Both sets of metrics are equally critical to business performance. KRIs and KPIs work in tandem to drive a healthy third party program. They allow for efficiencies, true risk appetite and exception management, and expectation setting.
Distributing and monitoring KRIs and KPIs introduces benefits across the organization. Vested parties include:
Across all audiences, the content delivered in KPIs and KRIs needs to be tailored in a way that serves the respective audience. Each audience has a specific need that must be addressed – if each audience member gets the data in a succinct and clear way, they can apply reasonable measures to drive their part of the risk management program. Good, meaningful metrics pay dividends in an efficient program.
Boards and executives are interested in overarching risk and the decisions necessary to apportion resources. As boards and executives are considered ultimately accountable, here is what they need to know:
Business function leads are interested in outputs that impact their specific focus area. Functions can include audit, privacy, legal, procurement, and operations. Here is what they need to know:
Responsible for the operating performance of the third party program, program managers are concerned with their responsibility to scope and deliver the program. Program managers need to know:
Focused on their own local performance, potentially relative to peers, practitioners need to drive scale and quality and to directly manage risk reduction. Practitioners need to know:
Third parties need a targeted lens to demonstrate their individual progress and attainment. Third parties need to know:
As a risk manager, it is imperative to talk to the business and see what your stakeholders want you to monitor. You can then focus on your leading and lagging indicators and know when to recalibrate your metrics for changes in the risk and business environments. Proportionate metrics must be driven by the audience so they can take appropriate actions. Remember that good metrics come from structured data and program management.