Establishing Key Risk Indicators for IT
July 31, 2012
Maximo Neira Schliemann, Founder & Partner at Beyond Economics; former CIO, Ros Casares Corporation (Spain); member of the CIO office at Baxter
Ravi Mishra, Manager Product Marketing - IT GRC Solutions, MetricStream
Agenda
What are KRIs, and how do they differ from KPIs and KCIs?
Why are KRIs important to your IT?
Selecting the right set of KRIs for your IT organization
Leveraging KRIs for effective IT risk management and improved business performance
THE ENDLESS POSSIBILITIES OF REPUTATION, RISK & DESIGN IN BUSINESS. KRIs, KPIs & IT
Maximo Neira Schliemann, [email protected], @neiraschliemann
July 31st, 2012
THE ENDLESS POSSIBILITIES OF RISK IN BUSINESS. KRIs & IT
"Your life will prosper only if you see and acknowledge your faults, and work to reduce them..." Whether you love or hate them, it is hard to dispute the popularity and mystique of fortune cookies and their reputed ability to predict the future...
What are KRIs? How do they differ from KPIs? Why are KRIs important for IT? How to select the right KRIs? How to leverage KRIs?
"Key risk indicators (KRIs) are metrics or pieces of data serving as 'early warning indicators' of increased risk exposure in various areas of the enterprise." COSO, 2010. Algorithmic & heuristic.
"Key performance indicators (KPIs) are designed to provide a high-level overview of the past performance of the organization and its major operating units, often focused almost exclusively on historical data." COSO, 2010. Algorithmic.
[Figure: External Social, External GeoPolitical; KPIs, KRIs. Algorithmic (simple). Source: COSO, 2010.]
"Not everything that can be counted counts, and not everything that counts can be counted." Albert Einstein. Heuristic & inferred.
Reputation: a construct with more than 35 observable variables across 7 domains with proven impact on performance. Heuristic & inferred.
[Figure: inputs (corporate actions, third-party opinion, personal experiences); domains (Products, Innovation, Workplace, Governance, Citizenship, Leadership, Performance); feelings (Trust, Esteem, Admiration, summed up as Reputation); supporting attitudes (Purchase, Recommend, Anti-crisis support, Word of Mouth, Invest in, Work at); results and prospects.]
Constructs and causal analysis (Cronbach's alpha). A construct such as reputation can't be directly observed, but it can be inferred from its observable variables. Source: Reputation Institute.
The reputation KRI and the market value KPI have a causal relationship. Source: Reputation Institute.
"There is a prospect of a thrilling time ahead for you." Developing effective KRIs is crucial to the success of any management program. First, because they help predict potential adverse events, they are most useful, as noted above, in identifying key areas where additional controls or mitigation plans might be needed, or in exploring market opportunities.
A goal of developing an effective set of KRIs is to identify relevant metrics that provide useful insights about potential risks that have an impact on the achievement of the organization's short- and long-term performance and goals. The selection and/or design of effective KRIs starts with a firm grasp of organizational objectives and of risk-related events: the uncertainties that might affect the achievement of those objectives. Typical risk areas:
- extended enterprise risks
- reputational risks
- competitor action risks
- market dynamics risks
- regulatory compliance risks
- contract risks
- business interruption risks
- geopolitical risks
- fraud or corruption risks
- security risks
- reporting risks
- talent-related risks
Linking objectives to strategies to KRIs. Mapping key risks to core strategic initiatives puts management in a position to begin identifying the most critical metrics that can serve as leading key risk indicators, helping them oversee the execution of core or strategic initiatives.
Opportunities for proactive strategic risk management. This strategic use of KRIs increases the likelihood that objectives set by management are achieved. Proactively monitoring relevant KRIs helps minimize uncertainty and identify opportunities for strategy or operational adjustments.
Why are KRIs important for IT? How to select the "right" KRIs for IT?
IT continues to emerge as a significant source of strategic risk. The selection and/or design of effective KRIs starts with a firm grasp of organizational objectives and of risk-related events: the uncertainties that might affect the achievement of those objectives. Source: Corporate Executive Board.
[Figure: traditional IT risk areas (illustrative). Are they linked?]
Emerging IT-related risk areas (illustrative). On top of the traditional IT risk areas, embedded within the enterprise risk "heat map" lies an array of business risks that, on closer consideration, reveal a significant IT component.
"By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process." (ISO 31000, p. 15)
KRIs should be associated with corresponding KPIs, measured as preceding events with a causal relationship to the desired outcomes. Example chain: data privacy events -> reputation KRI -> revenue KPI.
[Figure (illustrative): IT strategic initiatives and risks aligned with the company's core pillars, initiatives and goals. KPIs: Customer Satisfaction, Operational Excellence. Linked IT indicators: Systems Availability, Data Privacy.]
Start with credible and discrete KRIs directly impacting business KPIs.
[Figure (illustrative; source: Gartner): IT strategic initiatives aligned with the company's core pillars and initiatives, with each KRI mapped to the KPI it affects.]
[Figure (illustrative; source: Gartner): real-world KRI-to-KPI mappings.]
How to leverage KRIs and improve business performance?
Business case example for a shipping company (illustrative).
A cross-country shipping company with a fleet of 100 trucks.
KPI: on-time delivery, which has reputation, sales and customer service implications.
KRI: lorry breakdown rate, which has a causal relationship with on-time delivery.
Leading KRI: failure to change oil has a causal relationship with, and a negative impact on, breakdowns.
Control: maintenance SLA with an oil change every 5k mi.
KPI and KRI trade-off: changing oil every 3k mi raises costs but does not significantly lower breakdown rates; changing oil every 10k mi lowers costs but significantly raises breakdown rates.
Risk management business outcomes: alignment of risk-related activities to execution. Risk visibility drives better business decisions with a KRI.
Risk-adjusted KPIs improve decisions and increase business value (illustrative).
On-time delivery KPI = orders delivered on time / total orders received = 912 / 1,000 = 91.2% (rounded to 91%). KPI target = 90%.
Oil-change KRI = lorries without an oil change within the last 5,000 mi / total fleet = 75 / 100 = 75%.
Risk-adjusted on-time delivery KPI = KPI - (4 x KRI), with the KRI taken as a fraction and the weighting factor 4 expressed in percentage points: 91% - (4 x 0.75) = 91% - 3% = 88%.
Read against the 90% target, the raw KPI is on track while the risk-adjusted KPI is below target: the overdue maintenance has not yet shown up in deliveries, which is exactly what a KRI is there to flag.
The Risk Adjusted Value Model and the KRI Catalog (illustrative; source: Gartner). Each catalog entry records the business aspect, the outcomes affected and the key risk indicator, as in this example:
KRI: Audit Exception Index
Business aspect: Support Services
Outcomes: Finance and Regulatory
Impacted KPI: Time to Market
Category: Compliance
KRI description: audit findings are a measure of compliance failures. A rising Audit Exception Index signals that a company is accepting more risk than it is addressing.
KRI metric: the Audit Exception Index measures the percentage of audit exceptions granted over the total number of audit findings. Audit Exception Index = Granted Exceptions / Total Audit Findings.
KRI example: ABC Co. granted 10 critical audit exceptions in the past 12 months. During the same period, the total number of findings was 40. Audit Exception Index = 10 / 40 = 25%.
Risk-adjusted KPI example: ABC Co. is in the heavily regulated pharma industry. Poor compliance increases regulatory scrutiny, which increases new drug development costs while delaying product launch. RA New Product Index = New Product Index - (4 x Audit Exception Index).
Alternative measures: compliance program maturity; average days out of date for critical mandates.
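The shipping-company oil-change KRI and the Audit Exception Index above, carried through in code as an added example (this is not code from the deck, from Gartner or from MetricStream). It applies the deck's formula, risk-adjusted KPI = KPI - (weight x KRI), with the KPI in percent, the KRI as a fraction and the weight in percentage points per unit of KRI, and adds the check a practitioner actually wants from a KRI: the periods where the raw KPI still meets target but the risk-adjusted one does not. The fleet data, the order counts and the monthly history are constructed to match the deck's figures; the weight of 4, the "amber" status name and all function names are assumptions made here.

```python
"""Risk-adjusted KPI helpers for the KRI examples on this page (added example)."""
from dataclasses import dataclass
from typing import Iterable, Sequence


def ratio(numerator: int, denominator: int) -> float:
    """Fraction in [0, 1]; an empty population yields 0.0 instead of an error."""
    if denominator <= 0:
        return 0.0
    return numerator / denominator


def risk_adjusted_kpi(kpi_pct: float, kri: float, weight: float = 4.0) -> float:
    """Deck formula: risk-adjusted KPI = KPI - (weight * KRI).

    kpi_pct is in percent, kri is a fraction in [0, 1] and weight is in
    percentage points per unit of KRI (the deck uses 4 in both examples, so a
    KRI of 0.75 costs 3 points)."""
    if not 0.0 <= kri <= 1.0:
        raise ValueError(f"KRI must be a fraction in [0, 1], got {kri}")
    return kpi_pct - weight * kri


def status(kpi_pct: float, adjusted_pct: float, target_pct: float) -> str:
    """'green' if raw and adjusted KPI both meet target, 'amber' if only the raw
    KPI does (the early-warning case a KRI exists for), 'red' if the raw KPI
    misses as well. Status names are an assumption of this example."""
    if kpi_pct < target_pct:
        return "red"
    return "green" if adjusted_pct >= target_pct else "amber"


@dataclass(frozen=True)
class Truck:
    truck_id: str
    odometer_mi: int
    last_oil_change_mi: int  # odometer reading at the last oil change


def oil_change_kri(fleet: Iterable[Truck], interval_mi: int = 5_000) -> float:
    """Share of the fleet past the maintenance SLA: no oil change within interval_mi."""
    fleet = list(fleet)
    overdue = sum(1 for t in fleet if t.odometer_mi - t.last_oil_change_mi > interval_mi)
    return ratio(overdue, len(fleet))


def constructed_fleet(size: int = 100, overdue: int = 75) -> list:
    """Constructed data matching the deck: 75 of 100 lorries overdue for an oil change."""
    fleet = []
    for i in range(size):
        odometer = 120_000 + 10 * i
        miles_since_change = 6_500 if i < overdue else 2_000
        fleet.append(Truck(f"LRY-{i:03d}", odometer, odometer - miles_since_change))
    return fleet


def on_time_delivery_kpi(delivered_on_time: int, orders: int) -> float:
    """Deck KPI: orders delivered on time / total orders received, in percent."""
    return 100.0 * ratio(delivered_on_time, orders)


def audit_exception_index(granted_exceptions: int, total_findings: int) -> float:
    """Deck KRI: granted audit exceptions / total audit findings, as a fraction."""
    return ratio(granted_exceptions, total_findings)


def amber_periods(history: Sequence, target_pct: float, weight: float = 4.0) -> list:
    """Periods (label, kpi_pct, kri) where the KRI flags trouble before the KPI shows it."""
    return [
        label
        for label, kpi_pct, kri in history
        if status(kpi_pct, risk_adjusted_kpi(kpi_pct, kri, weight), target_pct) == "amber"
    ]


if __name__ == "__main__":
    kri = oil_change_kri(constructed_fleet())          # 0.75
    kpi = on_time_delivery_kpi(912, 1_000)             # 91.2 (the deck rounds to 91)
    adjusted = risk_adjusted_kpi(kpi, kri)             # 88.2 (the deck shows 88)
    print(f"oil-change KRI {kri:.0%}, KPI {kpi:.1f}%, risk-adjusted {adjusted:.1f}%, "
          f"status {status(kpi, adjusted, 90.0)}")
    print(f"audit exception index {audit_exception_index(10, 40):.0%}")
    # Constructed monthly history: deliveries hold up while overdue maintenance climbs,
    # so the KRI goes amber two months before the raw KPI finally misses target.
    history = [("Jan", 92.0, 0.20), ("Feb", 91.5, 0.45), ("Mar", 91.2, 0.75), ("Apr", 87.0, 0.80)]
    print("early-warning months:", amber_periods(history, target_pct=90.0))
```

The weight is the part to treat with care: the deck's 4 is a judgement about how strongly overdue maintenance (or granted audit exceptions) translates into lost KPI, and the same formula with a weight of 1 would leave the oil-change example comfortably above target. Whatever weight is chosen should be written down in the KRI catalog entry next to the metric, because it is what turns a KRI into a risk-adjusted KPI.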
How to go about developing a Strategy-KRI-KPI mapping exercise? The "Vertical-Horizontal" analysis.
[Figure: vertical, function-critical perspective analysis across Security, I&O, CEO, COO and CIO; horizontal, core competence and execution dependency links perspective analysis.]
Three takeaways
Management processes need to consider risk explicitly.
Risk-adjusted KPIs improve business decisions and increase business value.
A risk-adjusted (risk-aware) value model represents the activities and events that affect the expected or planned outcomes of your Co.
Communicating and engaging through KRIs. Organizing, monitoring, reviewing and communicating KRI progress and its impact on KPIs is greatly facilitated by a centralized, automated system for the company's risk-adjusted KPI program, with flexible, audience-oriented reporting and dashboarding functionality.
Governance, risk management and compliance are nuisances without a holistic strategy and proper tooling.
IT GRC needs are often more complicated than those of their enterprise colleagues. With PCI, HIPAA, ISO certification and privacy laws, IT pros are typically looking for more sophisticated control mapping, asset management, vulnerability and event data, and product integration functionality.
As we mentioned, KRIs can and need to be linked to multiple KPIs and controls across various key enterprise processes. On top of the KRI-KPI linkage and its management complexity, creating risk intelligence requires embracing all risk-related information: policies, procedures, losses, incidents, source legal and regulatory content, compliance control actions taken, auditing, etc. All this requires proper systems support to help risk owners and senior management develop a common language and a clearer vision of the future.
As of today, IT risk and compliance issues don't usually get the executive visibility they deserve. Although many firms may list one or two IT risks among their corporate top 10, most IT and risk heads struggle to get visibility with their corporate executives and boards (until there's a breach, that is).
"The wise man expects to prepare for the unexpected." Even as concerns grow over mounting regulations, cyberwarfare, privacy, reputation and fraud, it will be a proper KRI-to-KPI mapping, together with the existing long list of successful deployments and success stories, as much as anything else, that will pave the way for your IT GRC program. So buckle up, leverage both of them and turn your IT into the domain expert your Co. needs.