Reporting, specifically third-party risk management reporting, seems to be one area that challenges many of my clients… and rightfully so! Even figuring out where to start can be difficult. Common questions I hear about reporting include: What data should we track on third parties? What metrics are most meaningful? How do we present the data?
Answering questions like these takes some careful planning and a good understanding of the relationship between metrics and business objectives. Metrics, alone, can only tell us so much. They quantify or summarize information (e.g. number of high-risk vendors, or number of contracts approaching expiration). Metrics paired with measurable business objectives are where indicators come into play.
Indicators help you keep your objectives on track and can inform management (or your Board) so important business decisions can be made. In the world of third-party risk management (TPRM), Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) are commonly used. Let’s take a look at key indicators, specifically at KRIs, and see how you might be able to incorporate them into your TPRM reporting.
Lagging vs Leading Indicators
As mentioned above, indicators are more than just simple metrics; they are metrics that tell a story. They help indicate whether or not certain business goals/objectives are being met. Before we dive into Key Risk Indicators, let’s first take a look at the difference between two terms known as “lagging” and “leading” indicators:
- Lagging indicators tell you about something that has already occurred. They are used to make reactive business decisions.
- Example: Your organization has no tolerance for severe third-party issues (like a data breach/security incident). Your business goal is to keep the number of incidents at zero. A lagging indicator may be “number of severe incidents per quarter.” If an incident were to occur with one of your vendors, you’d simply be reporting on it (i.e. “one incident last quarter”).
- Leading indicators help you predict something before it occurs, and enable you to make proactive business decisions.
- Example: As part of your ongoing vendor monitoring activities, your organization uses a third-party security monitoring tool to score the security posture of your vendors (i.e. a low score might indicate that vendor has major security vulnerabilities/flaws). A leading indicator may be the “number of vendors with a low-risk score.” If, quarter after quarter, you see that more of your vendors have poor security scores, that may be a predictive indicator that a severe third-party issue could occur (tying things back to our lagging indicator example above).
There is no right or wrong with regard to how many leading or lagging indicators you use. As you can see from the examples above, they can work hand in hand. As a best practice, aim to use a well-balanced mix of leading and lagging indicators in your TPRM reporting.
KPI vs KRI
Now that we understand the difference between leading and lagging indicators, let’s talk about two types of indicators that sound similar but are in fact used for very different purposes in TPRM reporting – KPIs and KRIs.
- A Key Performance Indicator (KPI) is a way to measure the performance of your vendors (e.g. compliance with contractual SLAs) or even the operational performance of your third-party risk management program (e.g. average number of days to complete due diligence assessments).
- A Key Risk Indicator (KRI) is a way to measure your organization’s exposure to risk, either in a proactive (leading) or reactive (lagging) way. KRIs help your organization understand how likely, or unlikely, a certain risk event may be.
Using KRIs in Third Party Risk Management Reporting
Just as there is no right or wrong with regard to how many leading/lagging indicators you use, there is no rule of thumb for the proper mix of KPIs and KRIs.
You may find that KPIs and KRIs are geared towards certain audiences. For example, your Business Units and operational staff may be more interested in KPIs (e.g. time it takes to conduct due diligence, # of vendors not in compliance with SLAs, etc.) whereas senior management and executives would likely be more interested in KRIs and potential risk exposure to your organization (e.g. level of residual risk, # overdue risk remediations, etc.).
With so many dimensions of risk that your organization could be exposed to simply by working with vendors and other third parties, using KRIs will keep you and your stakeholders informed about risk trends. They can even help you take preventative action before risks elevate past your organization’s risk appetite.
As with any type of reporting, starting with the end in mind and working your way backwards is always a good idea. Identify objectives related to risk mitigation, determine which metrics would be helpful in achieving and monitoring progress towards those objectives, and identify the source of data that will allow you to obtain such metrics. As an example:
- Objective: Reduce the risk of an adverse data security incident with our third parties
- Metric/KRI: % of Critical third parties who scored high in our third-party security monitoring tool (i.e. a high score could indicate that your third party has a strong information security posture and the likelihood of a data security incident is low). If the percentage starts to fall, that may be an indicator of an increasing risk of a data security incident.
- Data Source: Your third-party risk management system
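To make the objective/metric/data-source chain concrete, here is an added example (not from the original article or any particular TPRM product) that computes the leading KRI above from constructed monitoring-tool exports and flags it when it drops below an assumed risk-appetite floor or declines for two quarters in a row. The "high score" cut-off, the appetite floor and the vendor records are all assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample export: one row per (quarter, vendor) from a security-monitoring tool.
# Scores are 0-100; the "critical" flag is the tier assigned by the TPRM program.
SAMPLE_SCORES = [
    ("2023Q1", "vendor-a", True, 92), ("2023Q1", "vendor-b", True, 88),
    ("2023Q1", "vendor-c", True, 85), ("2023Q1", "vendor-d", False, 40),
    ("2023Q2", "vendor-a", True, 90), ("2023Q2", "vendor-b", True, 70),
    ("2023Q2", "vendor-c", True, 84), ("2023Q2", "vendor-d", False, 45),
    ("2023Q3", "vendor-a", True, 79), ("2023Q3", "vendor-b", True, 68),
    ("2023Q3", "vendor-c", True, 83), ("2023Q3", "vendor-d", False, 50),
]

HIGH_SCORE = 80  # assumed cut-off: a score at or above this counts as "scored high"


def pct_critical_high(rows, high_score=HIGH_SCORE):
    """Return {quarter: % of critical third parties scoring high}, ordered by quarter.

    Non-critical vendors are ignored because the KRI is scoped to critical third parties.
    A quarter with no critical vendors maps to None rather than dividing by zero.
    """
    total, high = defaultdict(int), defaultdict(int)
    for quarter, _vendor, critical, score in rows:
        if not critical:
            continue
        total[quarter] += 1
        if score >= high_score:
            high[quarter] += 1
    return {q: (round(100.0 * high[q] / total[q], 1) if total[q] else None)
            for q in sorted(total)}


def evaluate_kri(series, appetite_floor, decline_quarters=2):
    """Turn the KRI series into an early-warning signal.

    Alerts when the latest value is below the risk-appetite floor (assumed threshold)
    or when the percentage has fallen for `decline_quarters` consecutive quarters.
    """
    values = [v for v in series.values() if v is not None]
    n = len(values)
    below = values[-1] < appetite_floor
    declining = n > decline_quarters and all(
        values[i] < values[i - 1] for i in range(n - decline_quarters, n))
    return {"latest": values[-1], "below_appetite": below,
            "declining": declining, "alert": below or declining}


if __name__ == "__main__":
    series = pct_critical_high(SAMPLE_SCORES)
    print(series, evaluate_kri(series, appetite_floor=75))
```

In the sample the percentage falls from 100% to 66.7% to 33.3%, so both the trend rule and the appetite floor fire; in a real program the floor would be set by the risk appetite statement and the rows would come from the TPRM system.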
The practice of third-party risk management is about getting the most value from your vendors, but it’s also about reducing the risk those vendors expose your organization to. Use KRIs as a way to track meaningful objectives that can produce early warning signals for your organization.