Risk management

69 KPIs

% of controls directly related to maintaining defined risk tolerance
% of core ERM activities that consider IT risk
% of core ERM activities with embedded IT risk considerations
% of critical business services not covered by risk analysis
% of employees whose performance metrics and rewards reflect risk management objectives
% of escalated risk vulnerabilities
% of highly ranked assets, targets and resources reviewed
% of neglected risk vulnerabilities
% of overdue risk vulnerabilities
% of parallel risk assessments with same results
% of re-opened risk vulnerabilities
% of risk analyses performed by trained risk analysts
% of risk analyses that are substantiated by later experience or testing
% of risk analysis reports accepted on initial delivery
% of risk analyses undergoing peer review
% of risk incident response plans past their next required review date
% of risk incident response plans with one or more open issues
% of risk incidents with business impact not subject to post-mortem review
% of risk issues exceeding defined risk tolerance without action plans
% of risk issues inappropriately distributed in the organisational hierarchy
% of risk management expenditures with traceability to business risk strategy
% of risk mitigation plans executed on time
% of risk vulnerabilities handled first time correctly
% of risk vulnerabilities worked on
% of risks with probable frequency of occurrence and probable magnitude of impact measured
% of staff trained in critical risk management techniques
% of unaccepted risk issues with action plan developed
% of unaccepted risk issues without mitigation plans developed
% of unassessed risks
[Unassessed identified risks] as a percentage of [Total identified risks]
Accuracy of risk assessments
Amount of investment spent on cancelled risk mitigation efforts
Average closure duration of risk vulnerabilities
Average number of days open of risk vulnerabilities
Average overdue time of risk vulnerabilities
Backlog of risk vulnerabilities
Closure duration rate of risk vulnerabilities
Consistency of risk assessment
Cumulative business impact from events not identified by risk evaluation processes
Cycle time from discovery of a control deficiency to risk acceptance decision
Cycle time from reported policy exceptions to decision on their disposition
Extent of overlap of risk management activities
Extent to which budgets are allocated based on risk significance
Frequency of risk management activity reporting
Number of different issue functions and platforms
Number of different risk reports provided to the board
Number of key management decisions without availability of relevant risk analysis report
Number of open positions in the risk management staff
Number of policies in force with statements contradicting related risk tolerance
Number of prioritised risk response activities