Building risk indicators
Look back at Chapter 2, Managing a Defense Security Team, for a definition of Key Risk Indicators (KRIs).
When developing a KRI, two kinds of knowledge are key starting points: knowledge of the organization and how it operates, and knowledge of the possible risks, threats, and vulnerabilities it faces. Without understanding an organization, it is tough to identify where it may be at risk.
Afterward, key operational aspects of the organization are mapped to internal and external risks to identify how those key aspects could be disrupted.
Therefore, features of a good and measurable KRI include the following:
- Details on who is affected; which processes and technologies are at risk; where the risk takes place (that is, which facilities are affected); and other organizational characteristics most important to the organization’s continued operation and success
- Recognition of the risks, threats, and vulnerabilities the organization faces...