Posted: 07-Nov-2014 | Category: Business | Uploaded by: max-neira-schliemann
© 2012 MetricStream, Inc. All Rights Reserved.
Establishing Key Risk Indicators for IT
July 31, 2012
Maximo Neira Schliemann, Founder & Partner at Beyond Economics; former CIO, Ros Casares Corporation (Spain); member of the CIO office at Baxter
Ravi Mishra, Manager Product Marketing, IT GRC Solutions, MetricStream
Agenda
• What are KRIs, and how do they differ from KPIs and KCIs?
• Why are KRIs important to your IT?
• Selecting the right set of KRIs for your IT organization
• Leveraging KRIs for effective IT risk management and improved business performance
THE ENDLESS POSSIBILITIES OF REPUTATION, RISK &DESIGN IN BUSINESS.
KRIs, KPIs & IT
Maximo Neira Schliemann | [email protected] | @neiraschliemann | July 31st, 2012
THE ENDLESS POSSIBILITIES OF RISK IN BUSINESS. KRIs & IT
“Your life will prosper only if you see and acknowledge your faults, and work to reduce them...”
Whether you love or hate them, it is hard to dispute the popularity and mystique of fortune cookies in their reputed ability to predict the future…
What are KRIs?
How do they differ from KPIs?
Why are KRIs important for IT?
How to select the right KRIs?
How to leverage KRIs?
“key risk indicators (KRIs) are metrics or pieces of data serving as ‘early warning indicators’ of increased risk exposure in various areas of the enterprise.”
COSO, 2010
(KRIs: algorithmic and heuristic)
“Key Performance Indicators (KPIs) are designed to provide a high-level overview of the past performance of the organization and its major operating units, often focused almost exclusively on historical data.”
COSO, 2010
(KPIs: algorithmic)
[Chart: KPIs versus KRIs across external social and external geopolitical risk areas; KPIs are algorithmic and simple. Source: COSO, 2010]
“Not everything that can be counted counts, and not everything that counts can be counted.”
Albert Einstein
Heuristic & Inferred
Reputation. A construct with more than 35 observable variables across 7 domains, with proven impact on performance.
[Figure: reputation model. Inputs: corporate actions, supporting attitudes, third-party opinion, personal experiences. Domains (7): Products, Innovation, Workplace, Governance, Citizenship, Leadership, Performance. Attitudes: Trust, Esteem, Admiration, Reputation. Feelings lead to results: Purchase, Recommend, Anti-crisis, Word of Mouth, Invest in, Work at. Outcomes: reputation, prospects.]
Cronbach's alpha
Causal analysis and constructs: a construct cannot be directly observed, but it can be inferred from its observable variables.
Source: Reputation Institute
Reputation KRI and Market Value KPI have a causal relationship.
Source: Reputation Institute.
“There is a prospect of a thrilling time ahead for you.”
Developing effective KRIs is crucial to the success of any management program. Because they help predict potential adverse events, they are mostly useful, as noted above, for identifying key areas where additional controls or mitigation plans might be needed, or for exploring market opportunities.
A goal of developing an effective set of KRIs is to identify relevant metrics that provide useful insights about potential risks that have an impact on the achievement of the organization's short and long term performance and goals. The selection and/or design of effective KRIs starts with a firm grasp of organizational objectives and risk-related events, the uncertainties that might affect the achievement of those objectives.
extended enterprise risks
reputational risks
competitor actions risks
market dynamics risks
regulatory compliance risks
contract risks
business interruption risks
geopolitical risks
fraud or corruption risks
security risks
reporting risks
talent related risks
Linking objectives to strategies to KRIs. Mapping key risks to core strategic initiatives puts management in a position to begin identifying the most critical metrics that can serve as leading key risk indicators to help them oversee the execution of core or strategic initiatives.
Opportunities for Proactive Strategic Risk Management.This strategic use of KRIs increases the likelihood that objectives set by management are achieved. Proactively monitoring relevant KRIs helps minimize uncertainty and identify opportunities for strategy or operational adjustments.
Why are KRIs important for IT? How to select the "right" KRIs for IT?
IT continues to emerge as a significant source of strategic risk. The selection and/or design of effective KRIs starts with a firm grasp of organizational objectives and risk-related events, the uncertainties that might affect the achievement of those objectives. (Source: Corporate Executive Board)
Traditional IT Risk Areas (*illustrative). Are they linked?
*Illustrative
Emerging IT-related Risk Areas
On top of the traditional IT risk areas, embedded within the enterprise risk “heat map” lie an array of business risks that, upon further consideration, reveal a significant IT component.
“By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.” (ISO 31000, p. 15)
KRIs should be associated with corresponding KPIs, measured as preceding events with a causal relationship affecting desired outcomes.
[Figure: Data Privacy events feed a Reputation KRI, which leads the Revenue KPI]
[Figure (*illustrative): IT strategic initiatives and risks aligned with the company's core pillars, initiatives and goals. Pillars: Customer Satisfaction, Operational Excellence, Systems Availability, Data Privacy; each pillar carries its KPI.]
Start with credible and discrete KRIs directly impacting business KPIs.
[Figure (*illustrative, source: Gartner): IT strategic initiatives aligned with the company's core pillars and initiatives, with each KPI paired to its KRI]
Real-world KRI and KPI mappings
[Figure (*illustrative, source: Gartner): table of KRIs mapped to the KPIs they lead]
How to leverage KRIs and improve Business performance?
Business case example for a shipping company...
*Illustrative
A cross-country shipping company with a fleet of 100 trucks.
KPI: On-time delivery has reputation, sales and customer service implications.
KRI: Lorry breakdown rates have a causal relationship with on-time delivery.
KRI: Failure to change oil has a causal relationship with, and a negative impact on, breakdowns.
Control: Maintenance SLA with an oil change every 5k mi.
KPI and KRI trade-off: Changing oil every 3k mi raises costs but does not significantly lower breakdown rates. Changing oil every 10k mi lowers costs but significantly raises breakdown rates.
Risk management business outcomes: • Alignment of risk-related activities to execution. • Risk visibility drives better business decisions with a KRI.
Risk adjusted KPIs improve decisions and increase business value.
*Illustrative: on-time delivery KPI and oil change KRI
on-time delivery = orders delivered on time / total orders received
on-time delivery KPI = 912/1,000 = 91.2% ≈ 91%
KPI target = 90%
oil-change KRI = lorries without an oil change within the last 5,000 mi / total fleet
oil-change KRI = 75/100 = 75%
Risk adjusted on-time delivery KPI = KPI – (4 × KRI) = 91% – 3% = 88%
(The weight 4 is expressed in percentage points per unit of KRI, so 4 × 0.75 = 3 points. The raw KPI beats the 90% target; the risk adjusted KPI does not, which is the early warning the KRI is meant to give.)
The Risk Adjusted Value Model and the KRI Catalog
[Figure (*illustrative, source: Gartner): business aspect → outcomes → key risk indicators]
The Risk Adjusted Value Model and the KRI Catalog: a sample catalog entry (business aspect → outcomes → KRI)
Business aspect: Support Services; Finance and Regulatory
Impacted KPI: Time to Market
KRI: Audit Exception Index
Category: Compliance
KRI description: Audit findings are a measure of compliance failures. The Audit Exception Index is a KRI showing that a company is accepting more risk than it is addressing.
KRI metric: The Audit Exception Index measures the percentage of audit exceptions granted over the total number of audit findings. Audit Exception Index = Granted Exceptions / Total Audit Findings.
KRI example: ABC Co. granted 10 critical audit exceptions in the past 12 months. During the same period, the total number of findings was 40. Audit Exception Index = 10/40 = 25%.
Risk adjusted KPI example: ABC Co. is in the heavily regulated pharma industry. Poor compliance increases regulatory scrutiny, which increases new drug development costs while delaying product launch. RA New Product Index = New Product Index – (4 × Audit Exception Index).
Alternative measures: Compliance program maturity; average days out of date for critical mandates.
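The risk adjusted value model used in the shipping example and in the Audit Exception Index entry above, as an added example that is not part of the original deck, Gartner's model or MetricStream's product: a small KRI catalog that ties each leading indicator to the KPI it affects, computes the risk adjusted KPI as KPI minus the weighted KRI ratios, and applies early-warning thresholds to the KRI itself. The counts come from the slides; the weight of 4 percentage points per unit of KRI follows the slides' arithmetic, while the amber/red thresholds, the 80% New Product Index and its 78% target are illustrative assumptions.

```python
"""Risk adjusted KPIs from a small KRI catalog.

Added example (not from the slides). Weights are in KPI percentage points per
unit of KRI ratio, matching the slides' "KPI - (4 x KRI)". The amber/red
thresholds, the New Product Index value and its target are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    """A leading indicator measured as risk events over a population."""
    name: str
    events: int        # e.g. lorries overdue for an oil change, exceptions granted
    population: int    # e.g. fleet size, total audit findings
    weight: float      # KPI points lost per unit of KRI ratio (4.0 in the slides)
    amber: float       # early-warning threshold on the ratio (assumed)
    red: float         # escalation threshold on the ratio (assumed)

    def ratio(self) -> float:
        # A KRI over an empty population is a data problem, not a green light.
        if self.population <= 0:
            raise ValueError(f"{self.name}: population must be positive")
        return self.events / self.population

    def status(self) -> str:
        r = self.ratio()
        if r >= self.red:
            return "red"
        if r >= self.amber:
            return "amber"
        return "green"


@dataclass(frozen=True)
class KPI:
    """A lagging outcome with the KRIs that causally precede it."""
    name: str
    achieved: int      # e.g. orders delivered on time
    total: int         # e.g. orders received
    target_pct: float
    kris: List[KRI] = field(default_factory=list)

    def raw_pct(self) -> float:
        return 100.0 * self.achieved / self.total

    def risk_adjusted_pct(self) -> float:
        """KPI minus the weighted sum of its KRI ratios, in percentage points."""
        penalty = sum(k.weight * k.ratio() for k in self.kris)
        return self.raw_pct() - penalty


def evaluate(kpi: KPI) -> Dict[str, object]:
    """Report raw vs. risk adjusted KPI against target, plus each KRI's status."""
    raw, adjusted = kpi.raw_pct(), kpi.risk_adjusted_pct()
    return {
        "kpi": kpi.name,
        "raw_pct": round(raw, 1),
        "risk_adjusted_pct": round(adjusted, 1),
        "meets_target_raw": raw >= kpi.target_pct,
        "meets_target_adjusted": adjusted >= kpi.target_pct,
        "kri_status": {k.name: k.status() for k in kpi.kris},
    }


# Shipping company (slide figures): 912 of 1,000 orders on time, 75 of 100
# lorries without an oil change in the last 5,000 mi, 90% target.
SHIPPING = KPI("on-time delivery", 912, 1000, 90.0,
               [KRI("oil-change KRI", 75, 100, weight=4.0, amber=0.25, red=0.50)])

# ABC Co. (slide figures): 10 exceptions granted over 40 findings. The New
# Product Index of 80% and its 78% target are assumed for illustration.
PHARMA = KPI("New Product Index", 80, 100, 78.0,
             [KRI("Audit Exception Index", 10, 40, weight=4.0, amber=0.10, red=0.30)])

if __name__ == "__main__":
    for kpi in (SHIPPING, PHARMA):
        print(evaluate(kpi))
```

Run as a script it prints one report per KPI. For the shipping fleet the raw KPI (91.2%) clears the 90% target while the risk adjusted KPI (88.2%) does not, and the oil-change KRI sits at red; that divergence between the lagging and leading view is the point of the model, and is what a dashboard should surface before the breakdowns show up in next quarter's delivery figures.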
How to go about developing a Strategy-KRI-KPI mapping exercise? The "Vertical-Horizontal" analysis
[Figure: vertical axis by function (Security, I&O) and executive perspective (CEO, COO, CIO), giving a function-critical perspective analysis; horizontal axis across core competence and execution, giving a dependency-links perspective analysis]
Three Takeaways
• Management processes need to consider risk explicitly.
• Risk adjusted KPIs improve business decisions and increase business value.
• A risk adjusted/aware value model represents the activities and events that affect the expected or planned outcomes of your company.
Communicating & Engaging through KRIs
Organizing, monitoring, reviewing and communicating KRI progress and their impact on KPIs can be greatly facilitated by having a centralized, automated system for the company’s Risk Adjusted KPI program, with flexible, audience oriented, reporting & dashboarding functionality.
Governance, Risk Management and Compliance are nuisances without a holistic strategy and proper tooling.
IT GRC needs are often more complicated than those of their enterprise colleagues.
With PCI, HIPAA, ISO certification and privacy laws, IT professionals are typically looking for more sophisticated control mapping, asset management, vulnerability and event data, and product integration functionality.
As mentioned, KRIs can and need to be linked to multiple KPIs and controls across various key enterprise processes. On top of the KRI-KPI linkage and its management complexity, creating risk intelligence requires embracing all risk-related information: policies, procedures, losses, incidents, source legal and regulatory content, compliance control actions taken, auditing, etc. All of this requires proper systems support to help risk owners and senior management develop a common language and a clearer vision of the future.
As of today, IT risk and compliance issues don't usually get the executive visibility they deserve. Although many firms may list one or two IT risks among their corporate top 10, most IT and risk heads struggle to get visibility with their corporate executives and boards (until there's a breach, that is).
"The wise man expects to prepare for the unexpected."
Even as concerns grow over mounting regulations, cyberwarfare, privacy, reputation and fraud, it will be a proper KRI to KPI mapping, together with the existing large and successful list of deployments and success stories, as much as anything else, that will pave the way for your IT GRC program. So buckle up, leverage both, and turn your IT into the domain expert your company needs.