Key Risk and Performance Indicators
Oversight
Control Statement
Key risk and performance indicators as well as thresholds have been established for the organization's key cyber risk and controls. The risk indicators should align with the cyber risk appetite as stated in the cyber risk framework.
Description
Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) provide quantitative and qualitative measures that enable the organization to monitor its cyber risk posture and control effectiveness. KRIs serve as early warning signals that risk levels are approaching or exceeding the defined risk appetite, while KPIs measure whether security controls and processes are performing as intended. Establishing thresholds linked to the risk appetite creates trigger points for escalation, investigation, and corrective action, transforming risk management from a periodic exercise into a continuous monitoring capability.
Key Implementation Activities
1. Define KRIs that measure exposure to key cyber risks and align threshold levels with the approved risk appetite statement
2. Define KPIs that measure the effectiveness of critical security controls and processes against target performance levels
3. Establish thresholds (green/amber/red or equivalent) that trigger escalation, investigation, and remediation activities
4. Implement automated collection and reporting of indicator data to enable timely visibility into risk and control status
5. Review and recalibrate indicators and thresholds periodically to ensure they remain relevant as the risk landscape and risk appetite evolve
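The activities above can be exercised end to end with a small evaluator that reads a KRI/KPI register, rates each indicator green/amber/red against its thresholds, and emits the escalation record a threshold breach must produce. The example below is added here to illustrate the control; it is not part of the original page or of any framework's tooling. The indicator names, owners, thresholds, observed values and escalation actions are constructed for the illustration, and the convention that a missing data feed is itself escalated ("NO DATA") is an assumption of this example. It handles the edge case the register must get right: indicators where a higher value is worse (open vulnerabilities) versus indicators where a lower value is worse (control coverage percentages), and it validates that the amber/red ordering is consistent with that direction.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Rating bands. "NO DATA" is treated as a breach because a silent feed hides
# the indicator entirely (a convention assumed for this example).
GREEN, AMBER, RED, NO_DATA = "GREEN", "AMBER", "RED", "NO DATA"

# Escalation action per band (constructed; a real register would reference the
# organisation's own escalation procedure).
ACTIONS = {
    AMBER: "Owner investigates and reports trend and remediation plan",
    RED: "Escalate to cyber risk committee; remediation required",
    NO_DATA: "Check data feed; indicator cannot be assessed",
}


@dataclass(frozen=True)
class Indicator:
    name: str
    kind: str              # "KRI" (risk exposure) or "KPI" (control performance)
    owner: str
    data_source: str
    higher_is_worse: bool  # True for counts of bad things, False for coverage %
    amber: float           # first threshold crossed as the value worsens
    red: float             # second threshold, aligned to the risk appetite limit


def validate_register(register: List[Indicator]) -> List[str]:
    """Return definition problems; an empty list means the register is consistent."""
    problems = []
    for ind in register:
        if ind.higher_is_worse and not ind.amber < ind.red:
            problems.append(f"{ind.name}: amber must be below red when higher is worse")
        if not ind.higher_is_worse and not ind.amber > ind.red:
            problems.append(f"{ind.name}: amber must be above red when lower is worse")
    return problems


def rate(ind: Indicator, value: Optional[float]) -> str:
    """Map an observed value onto a band, honouring the indicator's direction."""
    if value is None:
        return NO_DATA
    if ind.higher_is_worse:
        if value >= ind.red:
            return RED
        return AMBER if value >= ind.amber else GREEN
    if value <= ind.red:
        return RED
    return AMBER if value <= ind.amber else GREEN


@dataclass(frozen=True)
class Escalation:
    indicator: str
    owner: str
    value: Optional[float]
    rating: str
    action: str
    recorded_on: date


def evaluate(register: List[Indicator], observations: Dict[str, float],
             observed_on: date) -> Tuple[Dict[str, str], List[Escalation]]:
    """Rate every indicator and produce one escalation record per breach."""
    ratings: Dict[str, str] = {}
    escalations: List[Escalation] = []
    for ind in register:
        value = observations.get(ind.name)   # None when the feed delivered nothing
        rating = rate(ind, value)
        ratings[ind.name] = rating
        if rating in ACTIONS:
            escalations.append(Escalation(ind.name, ind.owner, value, rating,
                                          ACTIONS[rating], observed_on))
    return ratings, escalations


# Constructed sample register: two KRIs (higher is worse) and two KPIs (lower is worse).
REGISTER = [
    Indicator("Critical vulnerabilities open > 30 days", "KRI", "Head of Vulnerability Mgmt",
              "vulnerability scanner export", True, amber=5, red=10),
    Indicator("Phishing simulation click rate %", "KRI", "Security Awareness Lead",
              "awareness platform report", True, amber=5.0, red=10.0),
    Indicator("Patch SLA compliance %", "KPI", "IT Operations Manager",
              "patch management console", False, amber=95.0, red=90.0),
    Indicator("MFA coverage for privileged accounts %", "KPI", "IAM Lead",
              "identity provider report", False, amber=99.0, red=95.0),
]

# Constructed month-end observations; the MFA feed is deliberately absent.
OBSERVATIONS = {
    "Critical vulnerabilities open > 30 days": 7,
    "Phishing simulation click rate %": 12.0,
    "Patch SLA compliance %": 96.5,
}

if __name__ == "__main__":
    assert not validate_register(REGISTER)
    ratings, escalations = evaluate(REGISTER, OBSERVATIONS, date(2024, 1, 31))
    for name, band in ratings.items():
        print(f"{band:7} {name}")
    for e in escalations:
        print(f"ESCALATION [{e.rating}] {e.indicator} -> {e.owner}: {e.action}")
```

Running it rates the vulnerability KRI amber, the phishing KRI red, patch compliance green and MFA coverage "NO DATA", and produces three escalation records; those records, kept with their date and owner, are the evidence the "Escalation records" row in the table below asks for. Recalibrating a threshold is a one-line change to the register entry, which keeps the recalibration itself reviewable.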
Evidence Examples
- KRI and KPI register documenting each indicator, its definition, data source, owner, threshold levels, and alignment to risk appetite
- Dashboards or reports showing current indicator values against established thresholds
- Escalation records demonstrating that threshold breaches triggered the defined response actions
- Evidence of periodic indicator review and recalibration (meeting minutes, updated indicator definitions)
- Risk appetite statement with explicit linkage to KRI thresholds
Maturity Levels
Limited or no formal KRIs/KPIs exist for cyber risk. Metrics are collected ad hoc and are not tied to a risk appetite. Thresholds are not defined.
A defined set of KRIs and KPIs is established, aligned with the risk appetite, and reported to management on a regular basis. Thresholds trigger documented escalation and response actions.
Indicators are comprehensive, automated, and provide near-real-time visibility. Predictive analytics and trending are used to anticipate threshold breaches. Indicators are continuously refined based on effectiveness analysis and changes in risk appetite.
Document Templates
Evidence Requirements
| Type | Evidence Item | Frequency | Level |
|---|---|---|---|
| Document | KRI/KPI Register with definitions, data sources, thresholds, and risk appetite alignment | Reviewed semi-annually | Required |
| Document | Risk Appetite Statement showing explicit linkage to KRI thresholds | Reviewed annually | Required |
| Record | Dashboards or reports showing current indicator values against thresholds | Monthly/Quarterly | Required |
| Record | Escalation records demonstrating threshold breach response actions | Per breach event | Required |
| Record | Indicator review and recalibration records | Semi-annually | Expected |
| Record | Trend analysis reports showing indicator movement over time | Quarterly | Expected |