Successful third party risk management programs are driven by Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs). Strong KPIs and KRIs are meaningful for leadership and the board: these metrics paint a picture of an organization’s overall third party risk estate and give compelling reasons for actions implemented (or to be made) by risk management programs.
Shared Assessments recently hosted a webinar on the best KPIs and KRIs for risk management. In this session, Tom Garrubba, VP, Shared Assessments and Alastair Parr, SVP, Global Products & Risk, Prevalent discussed:
- The difference between KPIs and KRIs
- Tailoring KPIs and KRIs for different audiences
- Collecting meaningful KPIs and KRIs
What are KRIs?
A Key Risk Indicator (KRI) for third party risk management programs gauges the potential risk posed to organization by a downstream third party. KRIs can be considered for each third party individually. KRIs can also be an aggregate of risk across an organization’s entire third party estate. KRIs should be based on the required output and audience. A KRI becomes particularly useful when it helps drive decision-making in risk tolerance and allocation of remediation resources.
What are KPIs?
A Key Performance Indicator (KPI) for third party risk management programs is a measurement of the progress and success of a program against tasks and functions. KPIs can reflect the information gathering progress, team performance metrics, improvements to risk management progress, or even individual third party performance. A KPI is most useful when it helps drive improvements and awareness of where resource or progress is insufficient based on the organization’s broader risk appetite. Having good data and tools at your ready is key!
Should I care more about KRIs or KPIs?
Both sets of metrics are equally critical to business performance. KRIs and KPIs work in tandem to drive a healthy third party program. They allow for efficiencies, true risk appetite and exception management, and expectation setting.
What audiences are in scope?
Distributing and monitoring KRIs and KPIs introduce benefits across the organization. Vested parties include:
- Board/Executive Level
- Business Function Leads
- Program Managers
- Third Parties
Across all audiences, the content delivered in KPIs and KRIs needs to be tailored in a way serves the respective audience. Each audience has a specific need that needs addressing – if each audience member gets the data in a succinct and clear way, they can apply reasonable measures to drive their part of the risk management program. Good, meaningful metrics pay dividends in an efficient program.
1. Board Executive Levels
Boards and executives are interested in overarching risk and the decisions necessary to apportion resources. As boards and executives are considered ultimately accountable, here is what they need to know:
- Are we regulatory compliant?
- Do we have a disproportionate amount of risk?
- Is the program suitably funded?
- Is the program suitably performing?
2. Business Function Leads
Business function leads are interested in outputs that impact their specific focus area. Functions can include audit, privacy, legal, procurement, operations. Here is what they need to know:
- Do third parties detrimentally impact my focus area?
- Can I leverage third party progress to support my agenda?
- Does the third party program suitably meet my needs?
3. Program Managers
Responsible for the operating performance of the third party program, program managers are concerned with responsibility to scope and deliver. Program managers need to know:
- Is the team performing as expected?
- Is the quality of output sufficient?
- Is the scope sufficient?
- Are third parties presenting an acceptable risk level?
Focused on their own local performance potentially relative to peers, practitioners need to drive scale, quality, and directly manage risk reduction. Practitioners need to know:
- Am I meeting my personal activity targets and tasks?
- Is a third party under my remit underperforming?
- Is a third party under my remit disproportionally a risk?
5. Third Parties
Third parties need a targeted lens to demonstrate their individual progress and attainment. Third parties need to know:
- How much risk am I presenting?
- What timescales for resolution have been agreed?
- Am I performing in line with agreements?
As a risk manager, it is imperative to talk to the business and see what your stakeholders want you to monitor. You can then focus on your leading and lagging indicators and know when to recalibrate your metrics for changes in the risk and business environments. Proportionate metrics must be driven by the audience so they can take appropriate actions. Remember that good metrics come from structured data and program management.