Metrics & KPIsRisk IT Make risk-aware decisions
11 KPIs
% of (in)decisions leading to IT-related loss revisited for lessons learned
% of accepted IT risks with complete set of documentation
% of business decisions that should have considered IT risk but did not
% of IT risk issues with tracking of expected reduction in frequency and magnitude
Cycle time from discovery of a control deficiency to risk acceptance decision
Cycle time from reported policy exceptions to decision on their disposition
Number of adverse events arising out of risk acceptance decision
Number of key management decisions without availability of relevant risk analysis report
Number of prioritised risk response activities
Size of adverse events arising out of risk acceptance decision
Value of failed projects due to risk issues not identified