Key Risk Indicator reporting and governance for a FTSE 50 European Fund Manager

We were called in by a FTSE 50 European Fund Manager whose management reports on Cyber Key Risk Indicators (KRIs) had two problems: they were so technically dense that senior management could not understand them, and they showed "a sea of green" that suggested there were no issues at all. As a result, the leadership team could not tell whether there was a problem or not.

The reports had been curated by technical IT staff who were comfortable with technical language and who also stood to be negatively affected by "poor" scores. In other words, the people being measured were the same people compiling the measurements, and the resulting reports and metrics were not understood by a non-technical audience.

We worked with the client to adopt a standard industry framework, the SANS Critical Security Controls, which prescribes a prioritised list of controls to deploy and recommends how to measure their effectiveness. We then helped to design a reporting and governance model in which the KRIs were reported independently of the risk owners, so that the scores could not be "adjusted" by those they measured.

Given the critical nature of the project, rapid deployment was essential, and the "top 5" controls were deployed within a year.

At the end of the project we developed reporting dashboards that gave senior management the key, accurate data they needed to make sound decisions.