GV.OV-03.064

Does your organization regularly review key risk indicators (KRIs) to identify, assess, and prioritize cybersecurity risks based on their likelihood and potential impact?

Explanation

Key Risk Indicators (KRIs) are measurable signals that a particular risk exposure is rising, for example the number of critical vulnerabilities open past their remediation deadline, the proportion of privileged accounts without multi-factor authentication, or the time taken to detect and contain incidents. Reviewing KRIs on a fixed cadence helps organizations identify emerging threats early, understand their potential business impact, and allocate security resources where they are needed. Each KRI should have a defined threshold that triggers escalation and a named owner, so that monitoring leads to data-driven risk management decisions rather than intuition or outdated assessments. Evidence of fulfillment could include a documented risk register or dashboard showing the tracked KRIs with their threshold values, assessment dates, risk ratings (likelihood and impact scores), trend analysis, and assigned risk owners. This might be a spreadsheet, an export from a risk management tool, or board or executive presentation materials showing that KRI reviews take place regularly.

Implementation Example

Review key risk indicators (KRIs) to identify risks the organization faces, including likelihood and potential impact

ID: GV.OV-03.064

Context

Function
GV: GOVERN
Category
GV.OV: Oversight
Sub-Category
Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub