The fact that many organizations have little or no IT governance program is quite surprising—especially when there’s a steady flow of daily data breaches making the news.

We looked to the Global Cyber Risk Perception Survey by Marsh and Microsoft to figure out what cyber risks are top of mind with IT execs. The data showed that the risks which have the highest potential impacts on the business include (in order):

  1. Business interruption.
  2. Reputational damage.
  3. Breach of customer information.
  4. Data or software damage.
  5. Extortion or ransomware.
  6. Third-party liability resulting from systems breaches.
  7. Disruption/interruption of industrial systems or other operational technology.
  8. Loss/theft of intellectual property.
  9. Contingent business interruption (supply chain).
  10. Physical property damage and/or bodily injury.

These cyber risks are all very significant and could damage an organization—possibly to the point of collapse. So it was surprising to learn that one-third of IT execs surveyed by Deloitte admit they have little or no IT governance process in place.

So, the risks have been determined. Now what?

Identifying associated risks

The next step is to identify the associated risks for each cyber risk. These are possible events that would increase the likelihood of the cyber risk occurring.

For example, a cyber risk from our list is business interruption. Associated risks could include things like:

  • Vendor service interruption
  • ISP failures
  • Loss of data
  • Lack or misappropriation of IT budget
  • Lack or misappropriation of IT personnel

If any or all of these associated risks happen, the likelihood of experiencing business interruption increases significantly. So how do we prevent these associated risks, or at least monitor their likelihood?

Using KRIs to monitor associated risks

Key risk indicators (KRIs) help monitor and control risks—like the ones we’ve listed above.

A risk indicator can be any metric used to identify a change in risk exposure over time. They become KRIs when they track a critical risk, or do so especially well because of their predictive value. It’s ideal if they do both.

A few characteristics make up a good KRI. The indicator (and the data behind it) should be:

  • Relevant: the indicator helps identify, quantify, monitor, or manage risks and/or risk consequences that are directly associated with key business objectives or KPIs.
  • Measurable: the indicator can be quantified (a number, a percentage, etc.), is reasonably precise, is comparable over time, and is meaningful without interpretation.
  • Predictive: the indicator can predict future problems that management can act on preemptively.
  • Easy to monitor: the indicator should be simple and cost-effective to collect, parse, and report on.
  • Auditable: you should be able to verify the indicator, the way you sourced it, how you aggregated it, and how you reported on it.
  • Comparable: you should be able to benchmark the indicator, both internally and against industry standards, so you can validate the indicator's thresholds.

It’s important to note that each organization will have its own unique enterprise or organizational risks, just as each IT department will have its own set of priority risks. Consequently, no two IT teams will have the same KRIs.

Using the example of business interruption, some KRIs we’d recommend include:

Soon we’ll be releasing a full white paper with more information on how to create your own KRIs, including 10 more examples of KRIs related to these top cyber risks. In the meantime, read up on Information technology governance: best practices to prevent data breaches.

eBook: 9 steps to IT audit readiness


In this 22-page eBook, you’ll learn how to:

  • Identify and assess IT risks and map them to controls
  • Plan, scope, and stress test micro risks
  • Assess the effectiveness of existing controls
  • Capture, track, and report deficiencies
  • Create a continuous cycle of testing, monitoring controls, and addressing exceptions.
