Risk Management Metrics – Cooking Down The Acronym Soup

by | Nov 10, 2020 | Third Party Risk Management

As in most industries, acronyms abound in Risk Management. Let’s sort through the acronym soup to understand the most important KRIs (Key Risk Indicators) and KPIs (Key Performance Indicators) for TPRM (Third Party Risk Management) or VRM (Vendor Risk Management). We asked risk experts:

What is the one metric that is essential for TPRM programs?

In this post, experts in risk offer their views on key Risk Management Metrics. These concepts are sorted into two categories – Key Risk Indicators, which pertain to risk itself, and Key Performance Indicators, which pertain to the TPRM program overall.

Key Risk Indicators (KRIs) 

Financial Viability

Charlie Miller, Senior Advisor, Shared Assessments, points to “financial viability of high risk and critical vendors” as being the KRI to keep an eye on. (Shared Assessments’ Vertical Strategy Groups and Continuous Monitoring Working Groups collaborated to discuss the financial health of third parties in this blog post.)

Risk Score

Phil Bennet, Manager of Information Security Governance at Navy Federal Credit Union, recommends getting an understanding of overall risk with “A holistic third party ecosystem risk score measured against a standardized framework.”

External Threat Intelligence

Alpa Inamdar, Head of TPG Advisory, BNY Mellon, suggests that understanding the “combination of Security Incidents & Losses as well as External Threat Intelligence” will put TPRM programs in good stead.

Supplier Risk Ranking

Risk Ranking

Finally, Marcus Rose, Senior Analyst, Cyber Risk Management, Trane Technologies, offers “a metric that supplies a trend based on risk levels of third party vendors. Being able to report on third-parties by risk ranking can lead to KPIs that in turn help improve vendor relationships and improve processes.”

Key Performance Indicators (KPIs) 

Measuring Resources

Vendor Onboarding

Nasser Fattah, Executive Advisor at RiskLogix LLC, says that for TPRM programs an important indicator of performance concerns supplier onboarding or supplier relationship management (SRM): “the average time to onboard a vendor in a secure and sound manner by tier. For the business, percent of vendors removed due to overlaps and cost-savings due to consolidating contracts under the same vendor.”

In conclusion, Catherine Allen, Founder and Chairman of The Santa Fe Group/Shared Assessments, weighs in with advice somewhere between a KRI and a KPI. Allen recommends “passing an assessment and mediating what needs work.” Hungry for more? This blogpost gives an extensive list of KRIs and Mitigants to keep on your radar.


Sabine Zimmer
