Exploring GRC: Metrics
A metric is used to measure and evaluate the effectiveness of your organizational processes. A metric or a combination of metrics can provide an insight into a system, component, or process.
GRC: Metrics overview
The GRC: Metrics application enables other applications to assess, compare, and track the performance of the processes.
The user role that is responsible to read, create, and update the metric definitions and metrics is the GRC: Metrics manager (sn_grc_metric.manager).
You define metrics by using the Metrics form. A metric combines a metric definition with an entity. When you apply a metric definition to an entity, the GRC: Metrics application creates a metric. After you define metrics, the application collects data to show how well each process works. For example, a metric can measure an incident resolution process by tracking the time needed to resolve an incident.
Every organization has a range of data sources for building and structuring their own metric analysis. To establish a useful metric, the metrics manager must first assess and set the goals. Next, the manager sets the targets for the metrics that are integrated with their business decisions.
Qualitative and quantitative metrics
You can classify your metrics into qualitative and quantitative measurements.
Qualitative metrics in Risk Management are derived from the subjective opinion that you form based on other information. Some examples of qualitative metrics in the Risk Management are categorizing risk severity as Low, Medium, or High, or assessing control effectiveness using descriptive scales.
Quantitative metrics in Risk Management are the metrics that you can measure in a specific number through certain formulas. Some examples of quantitative metrics for an organization include the number of overdue risk assessments, number of failed controls, and so on.
Examples of metrics
Rising system downtime indicates infrastructure instability or maintenance gaps, which may lead to productivity loss and operational disruption. For example, a downtime exceeding 5 hours per month triggers a technical infrastructure audit.
GRC: Metrics workflow in Integrated Risk Management
The metrics workflow defines how organizations design, operationalize, and monitor Key Risk Indicators (KRIs) and Key Control Indicators (KCIs) to gain visibility into enterprise risk exposure.
- An operational risk manager defines the overall metrics framework. This establishes the foundation for measuring risk performance and verifies that KRIs and KCIs are consistently applied across the organization.
- The operational risk manager trains business stakeholders on how the metrics framework works, including how KRIs and KCIs are identified, measured, and used to monitor risk.
- Relevant risks and controls that require ongoing monitoring are identified.
- For each selected risk and control, appropriate KRIs and KCIs are identified.
- The operational risk manager defines the threshold values for KRIs and KCIs. It serves as a limit that triggers alerts or remediation if exceeded.
- The operational risk manager identifies data owners for each indicator. These owners are responsible for providing and validating the data used to calculate the metrics, either by manually submitting the required data or by configuring automated metrics that collect the data on an ongoing, automated basis.
- A business operational risk manager reviews the defined KRIs, KCIs, and thresholds to confirm that they align with business requirements.
- The business operational risk manager can refine the thresholds to align them with business needs.
- Employees provide the required data to calculate KRIs and KCIs at the defined frequency.
-
The operational risk manager and the business operational risk manager continuously monitor the indicators and generate reports. Leadership and risk managers use dashboards and reports to view trends, threshold breaches, and the overall risk posture.