Unit 4: Risk Indicators and Registers Flashcards
What are risk indicators?
Metrics that help monitor and control identified risks over time.
They are a ‘health check’ of the performance of the business and can be used by all functions to ensure that risk is controlled satisfactorily.
How do risk indicators usually measure risk?
They usually measure the effects of risk at set control points in the business and act as early warning signals to alert management to problem areas.
What 3 things must a metric be able to measure to be considered a key risk indicator (KRI)?
- Exposure levels (to risks).
- Control effectiveness.
- Effectiveness of the management of risk exposure.
What four things should a KRI be, to be effective?
- Measurable (number, count, %, $)
- Predictable (provide early warning signs)
- Comparable (tracked over time; trends)
- Informational (measures status of risk and control)
Example: if we want to measure the risk of process errors, what would a good KRI be?
The number of customer complaints.
What are three KRIs we could track for our people?
- High training fail rates
- High turnover rates
- Low employee engagement scores
What are two KRIs we could track for our tech?
- System drop-outs
- User complaints
What are three KRIs we could track for our performance?
- Failure to meet targets
- Reduction in customer service scores
- Reduction in customer retention
What KRIs could we track for our regulatory compliance?
Incidents and breaches
When does an indicator become ‘key’?
When it tracks a particularly important risk exposure (a key risk) or does so particularly well (a key indicator).
Ideally, it does both.
How are tolerances/limits usually tied to risk indicators?
By defining threshold levels or changes which, when exceeded, alert management to areas of potential problems.
What is a risk register?
A management tool that can be used to monitor and report on a risk.
It’s a log of key risks associated with a project or business unit and also includes details of the control measures that have been identified to mitigate the risks.
What three pieces of information will a risk register generally contain?
- An individual event
- Estimate of potential loss
- Probability of occurrence