Bill Pankey
Tunitas Group
CRISC
Risk Monitoring Domain (Job Practice)
Agenda
- Key Risk Indicators
- Data Aggregation
- Benchmarking
- No distinct RiskIT monitoring process
KRI Uses
- Operational risk management
- Strategy
- Normalization
- Risk Communication
- Compliance ???
KRI Selection
- Unlimited # of risk indicators in logs, alarms, reports
- Effectiveness
- Comparability
- Efficiency
ISACA Best Practice
1. Data access
2. Data validation
3. Data analysis
   - Statistical computations
   - Conclusions / inference
4. Reporting
5. Optimization criteria
KPI Optimization
- Sensitivity
- Timing
- Frequency
- Corrective action
- Regression analysis
KPI Timing
Early indication gives greater opportunity for correction.
- Failed IT project
- Loss of key IT personnel; KRI: Mid-level Staff retention rate
- Clinger-Cohen Act of 1996: new demand for certified IT professionals; KRI: Industry Salary Index (annual)
Pro-Active Risk Management
Aggregation
Address management concern regarding overall risk:
- Specific business objectives
- Strategic | Operational
- Customer
- Product
- Regulation
- Business Unit
- arbitrary level of specificity
Aggregation
Diversity Problem: for different risk domains (say IT, Legal, Finance ...), KRIs
- are specialized
- have different time periods
- have different granularity
- have varying sensitivity
- have varying relevance, reliability and validity
Aggregation Heuristic
- Report risk as dimensionless quantity (counts, %)
- Report risk as % red, yellow, green
- Loss data
Management Report
Visual display of risk based on risk indicators. With thanks to Excel, easy to produce:
- Dashboards: red light / green light gauges
- Heat Maps
- Spider Diagrams
Industry Risk Benchmarks
Collection & summarization of risk data:
- Loss data
- KRI
Source for:
Bottom Line
- Express organizational 'risk appetite' in terms of a KPI threshold value
- Alert management to trends that may affect achievement of objectives
- Use KPI to initiate mitigation activity
- Provides measurable data conducive to aggregation
- Assists in demonstrating compliance
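As an added illustration (not from the slides) of the aggregation heuristic and the Bottom Line above: hypothetical KRIs with different units, reporting periods and directions are normalized against hypothetical risk-appetite thresholds into red/yellow/green, aggregated as percentages comparable across domains, and checked for an adverse trend so mitigation can start before the threshold is breached. All KRI names, thresholds and readings are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample KRIs for one business unit (not from the slides). Each has
# its own unit, reporting period and direction, the "diversity problem" above;
# the yellow/red thresholds are hypothetical risk-appetite values.
@dataclass
class KRI:
    name: str
    period: str               # reporting cadence differs per indicator
    higher_is_worse: bool     # direction in which the metric signals risk
    yellow: float             # threshold at which status turns yellow
    red: float                # threshold at which risk appetite is breached
    history: list = field(default_factory=list)   # oldest -> newest readings

    def status(self) -> str:
        """Normalize the latest reading to a dimensionless red/yellow/green rating."""
        latest = self.history[-1]
        if self.higher_is_worse:
            if latest >= self.red:
                return "red"
            return "yellow" if latest >= self.yellow else "green"
        if latest <= self.red:
            return "red"
        return "yellow" if latest <= self.yellow else "green"

    def trending_worse(self, periods: int = 3) -> bool:
        """Early indication: the last `periods` changes all moved toward red."""
        recent = self.history[-(periods + 1):]
        if len(recent) < periods + 1:
            return False
        return all((b > a) if self.higher_is_worse else (b < a)
                   for a, b in zip(recent, recent[1:]))

def aggregate(kris: list) -> dict:
    """Report the unit's risk as % red / yellow / green, comparable across domains."""
    counts = {"red": 0, "yellow": 0, "green": 0}
    for k in kris:
        counts[k.status()] += 1
    return {c: round(100.0 * v / len(kris), 1) for c, v in counts.items()}

def early_warnings(kris: list) -> list:
    """KRIs not yet red but moving toward the threshold: time to start mitigation."""
    return [k.name for k in kris if k.status() != "red" and k.trending_worse()]

SAMPLE_KRIS = [  # constructed values
    KRI("Mid-level staff retention rate (%)", "quarterly", False, 85.0, 75.0, [92, 90, 87, 84]),
    KRI("Industry salary index gap (%)", "annual", True, 5.0, 10.0, [2, 4, 6]),
    KRI("Critical patches overdue (count)", "monthly", True, 5, 15, [3, 2, 4, 2]),
    KRI("Projects over budget (%)", "quarterly", True, 10.0, 25.0, [20, 28, 30]),
]
```

On the sample set the retention KRI is still yellow but has fallen for three straight quarters, so it is flagged before the red threshold is reached.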
Next Week
CRISC Domain #4: Control Design & Implementation