Contract Management


What techniques, tools, and tech were used for the KPI/KRI's there

  • 1.  What techniques, tools, and tech were used for the KPI/KRI's there

    Posted 02-15-2023 10:33 AM

    Hi All,

    Hoping this finds everyone healthy and well!

    As I begin a new engagement with a Large/National Bank, I have a "multifold", lingering/outstanding question:

    1. From an Enterprise GRC, Enterprise Risk Management (ERM), and Third-Party Risk Management (TPRM) perspective, what techniques, tools, and tech are or would be used in the development and maturation of KPIs and KRIs?

    Looking forward to hearing from you, receiving your feedback, and getting confirmation of receipt of the above.

    Sincerely,

    Wes

    Semper Fi



  • 2.  RE: What techniques, tools, and tech were used for the KPI/KRI's there

    Posted 02-20-2023 10:52 AM

    Hi Wesley,

    I hope I understand your question correctly. If not, please let me know.

    When developing KRIs and KPIs for your third-party risk management program, it's important to start with the organization's objectives for having the program in the first place. Since you are joining a bank, regulatory compliance, protecting organizational and customer data, and preserving the brand and reputation are likely at the top of the list. Once you identify your objectives, I suggest identifying 3-5 KPIs for each objective. So for regulatory compliance, it might look like this.

    Regulatory Compliance KPIs

    • % of vendors with regulatory compliance risk with a current risk assessment and due diligence

    • % of vendors with regulatory compliance risk with internal compliance training

    • % of vendors with regulatory compliance risk with contracts obliging regulatory compliance

    • % of internal vendor owners who have completed TPRM training within 30 days of onboarding

    • % of vendors with past-due compliance issues

    For each of those, I would set an appropriate target. Remember that for every KPI/KRI, you need readily accessible and reliable data. That data may come from your TPRM system or other sources. Still, if it is too difficult to obtain and interpret, selecting another KPI/KRI that can be substantiated with available data is best.

    Each KPI should have an associated key risk indicator (KRI), but with a lower-limit threshold to alert you when the risk is not within your stated tolerance and action is necessary.

    Let's look at an example: % of vendors with regulatory compliance risk with a current risk assessment and due diligence. The KPI target is 95-98%, but the KRI is 95%, which means that if the % of vendors with current risk assessments and due diligence falls at or below 95%, specific action must be taken. That action might be in the form of outsourcing due diligence document collection and SME reviews until you are caught up, or hiring additional FTEs to manage the workload.

    Remember that KPIs are lagging indicators, meaning we are looking at something that has already happened. And KRIs are leading indicators that can tell us what might happen. It is important to have both.

    As for maturing these KPIs and KRIs, a natural development process typically occurs when managing these indicators over time. It may be that your initial KPIs aren't aligned with the biggest risks, the data is unreliable, or maybe you need more, fewer, or different KPIs altogether. Collaborating with your ERM team on your TPRM program KPIs and KRIs can help the organization get a holistic picture of all risks to be managed.

    I hope that helps, but I would love to hear from other members.