Sources for Selecting KRIs:
Historical Enterprise Risk Metrics: These provide data-driven insights into past risk events, helping to
identify patterns and potential future risks.
Risk Workshop Brainstorming: While valuable, this approach relies on subjective input and may not
be as reliable as historical data.
External Threat Reporting Services: Useful for understanding external risks, but may not provide
comprehensive insights specific to the enterprise.
Importance of Historical Data:
Using historical risk metrics ensures that KRIs are based on actual risk occurrences and trends within
the enterprise.
This approach allows for more accurate and relevant KRIs that reflect the enterprise's specific risk
profile.
Reference:
ISA 315 (Revised 2019), Anlage 6 highlights the importance of using reliable and relevant data
sources for risk management, ensuring that KRIs are effective in predicting and monitoring risks.
