C-SUITE: USE KEY RISK INDICATORS!
IT HAS NEVER BEEN MORE IMPORTANT FOR THE C-SUITE TO KNOW AND UNDERSTAND THE COMPANY'S CYBER RISK LEVEL
● 29% of CEOs list cyber as the issue that has the biggest impact on their company today.
● 86% of CEOs indicated that information security/cybersecurity is the risk they are most concerned about.
● 19%: Less than a fifth of companies have developed a formal risk appetite statement.
ISACA defines KRIs as “metrics capable of showing that the enterprise is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.” A KRI is a specific, measurable, quantitative or qualitative metric that is tied to a process, procedure, or control. The indicator should clearly characterize the point-in-time risk associated with the process, procedure, or control to which it is tied. The value of a KRI depends on the security standard chosen.
After the KRI metrics have been identified, each risk indicator should be categorized so that a threshold can be established for it. Each KRI can then be measured and should accurately reflect the negative impact it would have on the organization’s key performance indicators.
Companies have to prioritize IT risk management to show the risk level to the C-Suite.
Classifying KRIs allows the IT risk management function to better monitor compliance. These monitoring capabilities allow the C-Suite to identify and understand the IT risks that will have a direct impact on business activities.