KRI Development Process
Thilak Pathirage
MBA(Sri j) BCOM(spl) CISSP CISA CISM CGEIT CRISC CBCP ITIL ISO27K(LA) FIB
AGM-OpRisk & Info.Risk Mgt.
Seylan Bank PLC
• Definition
• Example
• Roles and responsibilities for KRIs
• Major steps necessary to generate KRIs
• Tool
• Generic operational risk KRIs
Key risk indicators (KRI) are measurements that are used by management to show how risky an activity is—a project or an investment, for example.
They are called key because they warn of the most obvious areas where problems may arise.
KRI help to flag up early warnings of a possible adverse impact arising from an activity in the future.
Developing operational risk indicators is not easy.
• highlight current risk levels by providing a measure of the status of an identified risk and the effectiveness of its control. Risk indicators can provide information which gives a useful ongoing view of the underlying behavior of the risk profile;
• highlight trends and changes in risk level by monitoring changes in risk between formal risk and control assessments;
• provide early warning signals through predictive risk indicators which highlight changes in the risk environment, control effectiveness and potential risk issues before they crystallise and result in loss
Another type of indicator is a key control indicator (KCI), which is a measure of the effectiveness (e.g. design and performance) of a specific control. Deterioration in KCIs can show an increase in residual risk impact or likelihood. KCIs are relevant to a particular control activity(s).
• enable actions that prevent or minimise material loss or incident by prompting timely action on early warning signals; and
• express escalation criteria for risk management by using thresholds to convert raw indicator data into meaningful risk ratings to aid effective decision making.
Key risk indicators can be classified into two categories, namely:
• specific indicators, which relate to particular processes within a franchisee, such as the number of reconciling items in a given area; and
• environmental indicators, which impact the franchisee as a whole, for example, business volume.
KRI can provide early warning of future losses or other problems.
They are useful in supporting management decisions and actions.
They can be benchmarked both internally and externally.
Mastering KRI has proven difficult to date. The company has to believe in them, even though past history may not fully support their value.
RCSA Fundamentals: Impact vs. Probability
ORM is the management of the frequency AND severity of operational losses.
[Figure: impact vs. probability diagram; labels: Share, Mitigate & Control, Control, Accept; COSO Framework, COBIT Framework]
We established norms of Impact and Probability
[Figure: 5 x 5 risk matrix of Impact against Likelihood, with business functions (OPS, PWN, CFU, FIN, SCC, EXP, LEG, MKT, IMP, ABC) plotted Pre Control and Post Control]
Impact 5:    5  10  15  20  25
Impact 4:    4   8  12  16  20
Impact 3:    3   6   9  12  15
Impact 2:    2   4   6   8  10
Impact 1:    1   2   3   4   5
Likelihood:  1   2   3   4   5
PWN Criteria (Category: Tolerability, Risk Level)
• Very Low (VL): Acceptable, 1-2
• Low (LO): Acceptable, 3-4
• Medium (ME): Tolerable, 5-7
• High (HI): Tolerable, 8-14
• Very High (VH): Unacceptable, 15 and Above
[Figure: The Most Risky Business Functions: Rating Summary by Business Function. Bar chart of Percentage (0% to 100%, High / Medium / Low) for the Business Functions OPS, PWN, MKT, SLI, LEG, SCC, IMP, FCC, ACT, ABC, EXP]
Some of the following resources can be useful in helping create your own KRI list.
• Policies and regulations, particularly those that are aimed at regulating the business activities of the company. Such KRI may include risk exposures relating to compliance with regulatory requirements and standards.
• Strategies and objectives. Corporate and business strategies, as established by senior management, are a good source.
• Previous losses and incidents. Databases containing historical losses and incidents can provide useful input on what processes or events can cause losses.
Do
• Make your KRI quantifiable.
• Base KRI on consistent methodologies and standards.
• Track them along a timeline against standards or limits.
• Link KRI to objectives, risk owners, and standard risk categories.
• Run regular overviews to check that your formulae are still relevant and accurate in assessing risk.
Don’t
• Don’t complicate risk.
• Don’t be too simplistic.
• Don’t put 100% faith in your initial KRI.
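The points above about using thresholds to convert raw indicator data into risk ratings, and tracking a KRI along a timeline against limits, can be sketched as follows. This is an added example, not part of the original slides: the amber/red limits, the owner name, the three-period horizon and the sample readings are all assumptions, and it assumes a KRI where a higher value means more risk.

```python
import math
from dataclasses import dataclass

@dataclass
class Kri:
    name: str      # what is measured
    owner: str     # risk owner the KRI is linked to
    amber: float   # assumed warning limit
    red: float     # assumed escalation limit

    def rating(self, value: float) -> str:
        """Threshold step: raw reading -> risk rating."""
        if value >= self.red:
            return "RED"
        return "AMBER" if value >= self.amber else "GREEN"

def trend_slope(readings):
    """Least-squares slope of the readings per period (oldest first)."""
    n = len(readings)
    if n < 2:
        return 0.0
    x_mean = (n - 1) / 2
    y_mean = sum(readings) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(readings))
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    return sxy / sxx

def assess(kri, readings, horizon=3):
    """Rate the latest reading and project when the next limit is reached."""
    current = readings[-1]
    rating = kri.rating(current)
    slope = trend_slope(readings)
    # Next limit above the current rating; None once the KRI is already RED.
    next_limit = {"GREEN": kri.amber, "AMBER": kri.red}.get(rating)
    periods = None
    if next_limit is not None and slope > 0:
        periods = math.ceil((next_limit - current) / slope)
    return {
        "kri": kri.name, "owner": kri.owner, "rating": rating,
        "slope": slope, "periods_to_next_limit": periods,
        "early_warning": periods is not None and periods <= horizon,
        "escalate": rating == "RED",
    }

# Constructed sample: month-end counts of open reconciling items.
RECON = Kri("open reconciling items", "Head of Operations", amber=30, red=45)
SAMPLE = [12, 14, 15, 19, 22, 26]

if __name__ == "__main__":
    print(assess(RECON, SAMPLE))
```

The sample series is still rated GREEN, but its trend raises an early warning before the amber limit is reached, which is the predictive use of a KRI described earlier.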