GRC: Metrics in Integrated Risk Management

  • Release version: Xanadu
  • Updated August 1, 2024
Risk metrics are defined as a quantifiable measure that is used to track and assess the status of a specific risk. Metrics help in tracking the exposure of a risk over time.

Risk indicators are an important tool within operational risk management. Indicators facilitate the monitoring and control of risk. Therefore, they may be used to support a range of operational risk management activities and processes, such as risk identification, risk and control assessments, the implementation of an effective risk appetite, and the risk management and governance frameworks. Indicators support only one type of result, Pass or Fail, and do not support data types such as number, percentage, or monetary amount. Metrics provide a better escalation and notification mechanism for indicators, allow a specific definition of data owners, and allow the classification of the indicators.

The key benefits of metrics are as follows.
• Provide continuous visibility into risk and control performance.
• Alert the respective owners about changes in risk and control performance.
• Automate metric data collection tasks, saving time for the organization.
• Efficiently monitor and share risk information across the organization.

Uses of GRC: Metrics in ESG Management and IRM

The GRC: Metrics application is used by various applications, such as Integrated Risk Management and ESG Management.

Risk management and Environmental, Social, and Governance (ESG) are concepts that intersect in several ways, with ESG referring to the criteria used by investors to evaluate a company's sustainability. ESG factors consider issues such as climate change, human rights, diversity and inclusion, corporate governance, and supply chain management, among others. Risk management involves identifying, assessing, and mitigating risks that may affect an organization's ability to achieve its objectives, including financial, operational, and reputational risks, among others. The relationship between risk management and ESG is strong, since poorly managed ESG factors can create significant risks for companies. For example, a company with poor environmental practices may face legal and regulatory, reputational, and operational risks. Similarly, a company with weak governance practices may face legal and reputational risks, as well as risks related to conflicts of interest and poor decision-making. By integrating ESG factors into their risk management processes, companies can identify and mitigate these risks, leading to more sustainable and resilient business models. For example, a company that identifies and mitigates its environmental risks may reduce its exposure to future environmental regulations, while a company that improves its governance practices may reduce its exposure to reputational and legal risks. Therefore, companies that effectively manage their ESG risks can improve their overall risk management capabilities, create long-term value, and ensure the sustainability of their business models.

Types of metrics

The following are the types of metrics.
• Key risk indicators (KRIs): These indicators identify the amount of exposure to a given risk or set of risks. Examples of KRIs are staff morale as determined through employee surveys, the number of attempted hacks against IT systems, the number of negative social media posts following a loss event, and so on.
• Key control indicators (KCIs): These indicators identify the effectiveness of the controls that have been implemented to reduce or mitigate a given risk exposure.
• Key performance indicators (KPIs): These indicators show how effectively the risk exposure is managed, that is, the achievement against objectives.
The following image shows the metrics workflow.
Figure 1. Workflow of metrics (image: workflow of metrics in IRM)

Difference between indicators and metrics

Indicators are used as automated control tests or assessments, while metrics are used as a monitoring tool for KRIs and KCIs. The following table lists the differences between an indicator and a metric.

Table 1. Indicators versus metrics

| GRC Indicators | Metrics |
|---|---|
| Used for continuous monitoring of risks and controls and for collecting supporting data. | Used to measure the degree to which a system, component, or process possesses a given attribute. |
| Can be used to monitor a risk or control. | Can be used to measure any GRC object. |
| Can have only binary values such as pass or fail. | Can have any value: quantitative (numbers) or qualitative (text). |