Login required to access some wiki spaces. Please register to create your login credentials
|
Key risk indicators (KRIs) are used for monitoring risk treatment actions.
Key risk indicators are metrics used to provide an early warning on increasing risk exposures in different areas within an organization. In some instances, they may represent key ratios that are tracked by management throughout the organization as indicators of evolving risks, and potential opportunities, that alert on the need for actions to be taken. Others may be more complex, and involve aggregation of several individual risk indicators into a multi-dimensional score about emerging events, that may lead to new risks or opportunities.
KRIs are typically derived from specific events or root causes, internally or externally identified, that can prevent performance goals from being achieved. Linkage of top risks to core strategies helps pinpoint the most relevant information that can serve as an effective leading indicator of an emerging risk.
An effective method for developing KRIs begins by analysing a risk-event that has affected the organization in the past (or at present), and then working backwards to pinpoint intermediate and root cause events that led to the ultimate loss or lost opportunity. The closer the KRI is to the root cause of a risk-event, the more likely that the KRI will provide management time to take positive action to respond to such an event.
Effective KRIs often result from being developed by teams including professional risk management staff, and business unit managers with a deep understanding of the operational processes subject to potential risks. Ideally, these KRIs are developed in cooperation with strategic plans for individual business units, and can then embed acceptable deviations from the plan which fall within the overall risk appetite of the organization.
The development of KRIs that can provide relevant and timely information, to both the board and senior management, is a significant component of effective risk oversight. It is also important to consider the frequency of reporting the KRIs. The appropriate time horizon depends on the main user of a specific KRI. For operational managers, real-time reporting may be necessary. For senior management, where a compilation of KRIs that highlight potential deviations from organization-level targets is the likely goal, a less frequent (e.g., weekly) status report may be enough. At the board level, the reporting is often aggregated to allow a broader analysis. Management can then use such analyses to identify information related to the root cause event, or intermediate event that might serve as a key risk indicator related to either event. When KRIs for root cause events and intermediate events are monitored, management is in the best position to identify early mitigation strategies to begin to reduce or eliminate the impact associated with an emerging risk event.
KRIs do not manage or treat risk, and can lead to a false sense of safety if poorly designed. An important feature of any KRI is the quality of the available data used to monitor a specific risk, and attention must be paid to the source of information, either internal to the organization or drawn from an external party. Sources of information to inform decisions about the choice of KRIs may be available; for example, internal data may be available concerning prior risk events which can be informative about potential future exposures. Nevertheless, internal data is often unavailable for many risks — especially if not previously encountered. In addition, risks likely to have a significant impact may often arise from external sources, such as changes in economic conditions, interest rate shifts, or new regulatory requirements/legislation. Therefore, KRIs may be based on external data, given that root cause and intermediate events may arise from outside the organization.
A well-designed KRI should:
1) Be based on established practices or benchmarks;
2) Be consistently developed across the organization;
3) Provide an unambiguous and intuitive view of the highlighted risk;
4) Allow for measurable comparisons across time and business units;
5) Provide opportunities to assess the performance of risk owners on a timely basis;
6) Consume resources efficiently.
In the picture below, identification of a key-risk indicator related to the objective “Enhancing job rotation” is assisted by developing a cause-effect chain between an event that can negatively impact on a particular objective, and its root cause.
Figure 4: Example of Key Risk Indicator: “Enhancing job rotation”
Formula:
Key Risk Indicator (KRI) | Key Performance Indicator (KPI) | Key Performance Indicator (KPI) |
% of vacancies per year | % of staff transfers per year | % of training expenses per year |