The growing importance of risk management has led senior management to take an interest in understanding the risk environment. To begin, third party risk management programs must examine the risk metrics from their key performance indicators (KPIs) and key risk indicators (KRIs). Those metrics then reveal the health of your vendor risk management program and show how to build a risk-aware culture from it.
Shared Assessments recently hosted a webinar on setting the right KPIs and KRIs for your program where panelists discussed the difference between KPIs and KRIs and reporting considerations. The full KPI/KRI webinar recording and the slide deck from the event are available here. Speakers included:
- Phil Bennett, Manager, Information Security Governance, Horizontal Services, Navy Federal Credit Union
- Rudy Patel, Head of Third Party Risk Management, Mizuho
- Ron Bradley, VP, Shared Assessments
What are the differences between Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs)?
KPIs inform TPRM of business customers’ performance against expected service level agreements (SLAs).
- Key Takeaway: Am I sufficiently staffed? Are there operational process matters to resolve?
- Action: Hire more staff, or augment staff, to meet SLAs; fix operational issues impacting SLAs.
- Example: “Average days TPRM took to perform assessment exceeded our business commitment of 60 days.”
KRIs inform executive risk owners of aggregated third party risk.
- Key Takeaway: Should be structured to alert on matters above organizational risk tolerance:
  - A defined “acceptable risk tolerance” (green)
  - A defined “threshold” to denote “caution” (yellow)
  - A defined “limit” to denote “unacceptable risk, take immediate action” (red)
- Action: Understand organizational objectives and align them with your key risks.
- Example: “Past due Critical or High risks that have passed the required mitigation due date.”
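The two example indicators above, worked through in code as an added illustration (not material from the webinar or its speakers): the KPI compares average assessment turnaround against the 60-day commitment, and the KRI counts open Critical/High findings past their mitigation due date and rates the count against a caution threshold and an escalation limit. The threshold and limit values, the sample findings and the turnaround times are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

# Constructed tolerance bands: set these from your own organizational risk tolerance.
KRI_THRESHOLD = 3   # "caution" (yellow) at or above this many past-due Critical/High findings
KRI_LIMIT = 6       # "unacceptable, act now" (red) at or above this many
SLA_DAYS = 60       # business commitment for assessment turnaround (the page's KPI example)

@dataclass
class Finding:
    vendor: str
    severity: str            # "Critical", "High", "Medium" or "Low"
    due: date                # required mitigation due date
    closed: Optional[date] = None

def past_due_critical_high(findings: List[Finding], as_of: date) -> List[Finding]:
    """KRI input: open Critical/High findings whose mitigation due date has passed."""
    return [f for f in findings
            if f.severity in ("Critical", "High") and f.closed is None and f.due < as_of]

def rate(value: int, threshold: int, limit: int) -> str:
    """Map a KRI value onto the green / yellow / red bands described above."""
    if value >= limit:
        return "red"
    if value >= threshold:
        return "yellow"
    return "green"

def assessment_kpi(turnaround_days: List[int]) -> dict:
    """KPI: average days to perform an assessment versus the SLA commitment."""
    avg = mean(turnaround_days)
    return {"average_days": avg, "sla_days": SLA_DAYS, "breached": avg > SLA_DAYS}

# Constructed sample data for one reporting period.
FINDINGS = [
    Finding("VendorA", "Critical", date(2024, 3, 1)),
    Finding("VendorA", "High", date(2024, 3, 15)),
    Finding("VendorB", "High", date(2024, 2, 10), closed=date(2024, 2, 20)),
    Finding("VendorB", "Medium", date(2024, 1, 5)),
    Finding("VendorC", "High", date(2024, 5, 30)),
    Finding("VendorD", "Critical", date(2024, 3, 20)),
]
TURNAROUND_DAYS = [45, 70, 82, 55]

def report(as_of: date = date(2024, 4, 1)) -> dict:
    overdue = past_due_critical_high(FINDINGS, as_of)
    return {"kri_past_due": len(overdue),
            "kri_rating": rate(len(overdue), KRI_THRESHOLD, KRI_LIMIT),
            "kpi": assessment_kpi(TURNAROUND_DAYS)}
```

Running `report()` on the sample data yields three past-due Critical/High findings (yellow) and a 63-day average turnaround, which breaches the 60-day commitment.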
Rudy Patel shares that other notable differences between KPIs and KRIs are that KPIs convey operational efficiency and KRIs convey risks, but both are equally important.
When reporting on the success of my risk management program, what should I consider?
- Data Stability: Data can be produced accurately in the same way monthly or quarterly.
- Has a Message: Conveys a meaningful operational performance or risk message.
- Actionable Data: Actionable data is critical; if you cannot act on it, do not report on it.
Reporting Best Practices
- Include Trends: Minimum every quarter, maximum 12 months of operational data.
- Key Takeaway: What message should the reader take away from the data or trend?
- Action: Who owns action to improve?
- Thresholds (caution) and limits (escalate): Set thresholds and limits to define escalation points.
- Coverage: Identifies what is not covered in the reported data.
Risk managers should remember to measure what matters. Determine whether your indicators are leading or lagging, and make them actionable. Finally, deliver a WIIFM Report (What’s In It For Me).