A key risk indicator (KRI) is a metric that measures the level of risk exposure or the likelihood of a risk event1. A KRI threshold is a predefined value or range that triggers an alert or action when the KRI reaches or exceeds it2. A data leakage incident is an unauthorized or accidental exposure of sensitive or confidential data to external parties3.

When a KRI threshold reaches the alert level, indicating that data leakage incidents are highly probable, the risk practitioner’s first course of action should be to review the incident handling procedures. Incident handling procedures are the plans and actions to be taken in the event of a data breach or security incident, such as data leakage4. Reviewing the incident handling procedures can help the risk practitioner to:

Verify the roles and responsibilities of the incident response team and other stakeholders

Confirm the communication and escalation channels and protocols

Identify the tools and resources available for incident detection, containment, analysis, eradication, recovery, and reporting

Evaluate the readiness and preparedness of the organization to respond to a data leakage incident

Update or revise the procedures as needed to reflect the current situation and risk level

Reviewing the incident handling procedures can help the risk practitioner to ensure that the organization can respond to a data leakage incident effectively and efficiently, minimizing the potential or expected impact on the organization’s operations, reputation, or objectives.

The other options are not the first course of action for the risk practitioner, although they may be relevant or necessary at later stages of the risk management process. Updating the KRI threshold, which means adjusting the value or range that triggers an alert or action, may be appropriate if the KRI threshold is too high or too low, but it does not address the imminent risk of data leakage or the response plan. Recommending additional controls, which means suggesting new or improved measures to prevent, detect, or mitigate data leakage, may be useful for reducing the risk exposure or impact, but it does not ensure that the organization is ready or capable to handle a data leakage incident. Performing a root cause analysis, which means finding and identifying the underlying factors that contributed to the risk event, may be helpful for learning from the incident and improving the risk management strategy, but it is usually done after the incident has occurred and resolved, not before.

References = Key Risk Indicators: Definition, Examples, and Best Practices, KRI Framework for Operational Risk Management | Workiva, What is Data Leakage? Definition, Causes, and Prevention, Incident Response Planning: Best Practices for Businesses