Does your organization regularly review key risk indicators (KRIs) to identify, assess, and prioritize cybersecurity risks based on their likelihood and potential impact?
Explanation
Key Risk Indicators (KRIs) are metrics used to provide early signals of increasing risk exposure in various areas of the enterprise. Regular review of KRIs helps organizations proactively identify emerging threats, understand their potential business impact, and allocate security resources appropriately. Effective KRI monitoring enables data-driven risk management decisions rather than relying on intuition or outdated assessments.
Evidence of fulfillment could include a documented risk register or dashboard showing tracked KRIs with their threshold values, assessment dates, risk ratings (likelihood/impact scores), trend analysis, and assigned risk owners. This might be in the form of a spreadsheet, risk management tool export, or board/executive presentation materials showing regular KRI reviews.
Implementation Example
Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact
ID: GV.OV-03.064
Context
- Function
  - GV: GOVERN
- Category
  - GV.OV: Oversight
- Sub-Category
  - Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed
Related questions
- Has your organization established metrics to evaluate the effectiveness of risk management decisions in achieving business objectives?
- Does your organization regularly review and adjust cybersecurity risk strategies that may be impeding business operations or innovation?
- Has your organization reviewed recent audit findings to verify that your cybersecurity strategy effectively ensures compliance with both internal policies and external regulatory requirements?
- Does your organization regularly evaluate the performance of cybersecurity roles to identify necessary policy improvements?
- Does your organization have a formal process to review and update its cybersecurity strategy following security incidents?
- Does your organization regularly review key performance indicators (KPIs) to verify that security policies and procedures are achieving their intended objectives?