The Power of Key Risk Indicators (KRIs) in Enterprise Risk Management (ERM)

Safeguarding an organization from operational, reputational, and other risks, necessitates periodic and regular reviews of these KRIs. This reviewing process also facilitates timely reporting of key risks to the top management. All of this is possible through an in-depth understanding of risks, which will enable proper identification, establish appropriate risk indicators, and monitor performance consistently via the Key Performance Indicators (KPIs); while leveraging technology to assist this process.
 

Characteristic Features of KRIs

Some of the key characteristic features of KRIs are:
 

Measurable

KRIs are typically measurable, i.e., they can be quantified in terms of percentages, numbers, etc.

Predictive

They are predictable and are often used as early warning signals, while also tracking trends over a period of time

Comparable

They serve as internal points of reference as well as could be aligned to industry standards, enabling effective comparison of metrics

Informative

Since they offer useful insights about potential risks that may impact organizational achievements and objectives, KRIs are informative and act as a catalyst for decision-making
 

KRIs: Types and Examples 

KRIs can be classified into four categories:
 

Financial

These are focused on an organization’s financial risks and posture, which could impact its profits. Examples include mergers and acquisitions, budgetary changes, etc.

Operational

These are focused on risks related to day-to-day business operations and activities. Examples include leadership changes, control gaps or weaknesses, process inefficiencies, etc.

People

These are tied to the “human” element of business – both internal such as employees, and external such as customers. Examples include employee retention rate, employee satisfaction, customer churn, customer satisfaction, etc.

Technological

These help track technology and cybersecurity-related risks. Examples include data breach incidents, system failures, etc.
 

What is the Objective of KRIs?

Well-designed KRIs can enable an organization to:
 

• Improve foresight into evolving and emerging risks and risk trends
• Define metrics that can help the board and top management better understand risk exposure
• Monitor and track changes in risk metrics through threshold limits and benchmarking
• Understand the potential business impact of various risk scenarios
• Enhance risk preparedness including developing effective risk mitigation and response strategies
   

Designing Effective KRIs

Effective KRIs rely on setting thresholds at the acceptable level of risk. Considering their importance, it is crucial that KRIs are designed with care. Developing effective KRIs mandates a thorough understanding of organizational objectives, risk profiles, and risk-related events that might affect the achievement of those objectives. This requires:
 

1. Aligning Key Risks to Business Strategies

Mapping key risks to core strategic initiatives allows the management to identify the most critical metrics and monitor their performance. These metrics can help oversee the implementation of core strategic initiatives and reduce the chances of disruptions.
 

2. Establish a Streamlined KRI Management System 

Create and maintain a well-structured and centralized repository of various KRIs, their definitions, threshold limits, etc. This will make it easy for the chief risk officers (CROs), risk managers, and management to track the risk metrics and proactively take action.
 

3. Driving Continuous Review and Monitoring 

While most organizations monitor KRIs that have developed over time, it is essential for these to be regularly evaluated for efficiency and continuously monitored to highlight potential risks. Over time, they must be augmented with new KRIs to meet the dynamic circumstances as newer risks emerge and the older KRIs may be insufficient. 

Staying current with scope and metrics across the GRC universe of vendors, projects, processes, and business units, enables organizations to accurately analyze KRIs in terms of geographies, customers, suppliers, business lines, high-value processes, policies, assets, and technologies.
 

4. Ensuring SME Oversight

Having subject matter experts vet KRI designs will go a long way in keeping the organization safe. They will be able to shed light on root cause events, stress points, and intermediate events in their units or the processes they supervise. Their supervision may ensure that key risks are not sidelined but are effectively communicated at the right time, rather than after an adverse event has occurred.
 

5. Leveraging High-Quality Data

Effective KRIs are born out of high-quality data used to track a specific risk. To ensure high quality and integrity of data, it is important to have a standardized risk taxonomy across the organization. A common taxonomy facilitates a consistent understanding of risk and streamlines data aggregation and harmonization for further analysis.

The source of this data – internal or external to the organization -- must be reviewed and examined carefully. This will go a long way in determining the KRI to be employed.

Sources like trade publications and; discussions with customers, employees, and members of the supply chain will offer insights into the risks they face that can be harmful to the organization at an enterprise level. Once the data is collated, the approaches taken to measure and standardize KRIs must be uniform for the collated information to be robust and to make the decision process easy.

KRI and KPI: What is the Difference?

One of the other most commonly used indicators in corporate governance is the KPIs or Key Performance Indicators. While the KRI is used to indicate potential risks, KPI measures performance. While many organizations use these interchangeably, it is necessary to distinguish between the two. KPIs are typically designed to offer a high-level overview of organizational performance. So while these metrics may not adequately offer early warning signals of a developing risk, they are important to analyze trends and monitor performance. 

KRIs highlight just the opposite.

KRIs help the management understand increasing risk exposures in various areas of the enterprise. At times, they represent key ratios that the management can track as indicators of evolving risks, and potential opportunities, which signal the need for action. Others may be more elaborate and involve the aggregation of several individual risk indicators into a multi-dimensional score about emerging events that may lead to new risks or opportunities.

For example, in the banking sector, a bank may develop a KPI that will include data about defaulters. This KPI may highlight an event that has already occurred – a case where a client defaulted on his payment to the bank as per his loan contract. However, developing a KRI would be a more proactive way to indicate loan repayment trends before risk events occur.

To balance risks and opportunities appropriately and to obtain the best possible alignment of performance management and risk management, each KRI should be linked to a KPI. KPIs have long played an essential role in performance management. And one of the most effective ways to link performance and risk management is to integrate risk factors into the company’s performance management data. By integrating these, a company can measure and monitor performance and risk at the same time, as part of the same process.

How to Identify and Select KRIs and Set Thresholds

Being proactive and preventing an unfavorable situation from occurring is ossible when the metrics to measure the event are clearly delineated. Here are a few key considerations for identifying and selecting KRIs and setting thresholds: 

• Identifying KRIs

  Every business unit should be tasked with and responsible for identifying their KRIs. The onus, however, falls on the risk management team to ensure that every stakeholder is trained and understands the process. 

• Selecting KRIs

  When selecting KRIs, choose the ones that are measurable, meaningful, and predictive. Ensure that they are not too many, or else managing them becomes difficult. Select only those that offer concrete information. 

• Setting Threshold Limits

  Threshold limits should be set and trigger levels should be validated once the KRIs have been determined. These should be based on the organizational risk appetite and tolerance, or internal acceptance, and implemented after seeking approval from the Board of Directors. 

• Reviewing and Reporting

  Once the KRIs are in place, they must be tracked regularly – the frequency depends on what the KRI represents. These should be reported to the top management and escalation procedures must be established and communicated to personnel handling these metrics. Not all KRIs have the same levels of escalation, so even if the organization escalates higher in a situation, it is imperative to follow the hierarchy of reporting and not overwhelm the management with too much information.
   

Challenges/Limitations of KRIs

While KRIs help organizations combat risks and adversities, there are enough reasons why KRI monitoring also fails to deliver business benefits:

• Difficulty in identifying measurable KRIs for all risks
• Insufficient focus on the causes of the risks
• Failure to automate the collection of KRI values
• Not using existing KPIs in conjunction with KRIs
• Not associating actions with thresholds

But for each of these challenges, there are remedial recommendations: organizations should start with the key risks and then; expand. They should assign KRIs against each cause. And as many KRIs as possible should be automated to prevent them from becoming stale. Existing KPIs should also be mapped with the KRIs and both should be used to forecast risks. Lastly, associating actions with thresholds goes a long way in synchronizing appropriate thinking when defining thresholds.

Role of Technology in Effectively Measuring and Managing KRIs

Given the advances made by technology today, it is imperative to leverage it to look at different indicators in the context of the risk data being collated for an organization. 

Some key benefits of leveraging technology to manage KRIs include

• Better process and operational efficiencies by doing away with manual efforts, which can be time-consuming and cumbersome 
• Simplified creation and maintenance of KRI definitions and threshold limits 
• Single interface to define KRI, KPI, KCI (Key Control Indicators), and risk appetites 
• Ability to track metrics for causes, consequences, and risks and these are easily accessible to personnel studying these within the organization 
• Ability to track issues and actions until their closure 
• Ability to map KRIs, KPIs, and KCIs to anything in the organization’s GRC library of content to get deeper and more comprehensive picture

If an organization is already using a risk management system, then it will have risk and control assessment data and issue data, which can help assess and analyze KRIs effectively. In today’s open API era, integrating data from multiple systems should rather be easy. By collecting and collating data and measuring KRIs, organizations can have a deeper understanding of their risk profiles.

Technology enables the measurement of different risk categories, metrics, and even occurrences. The system is not only for risks, it can also be used for asset classes, objectives, controls, processes, business entities, etc. Once these are established, one can define thresholds (such as green, amber, and red) – which represent rising and dropping indicators, both critical and non-critical. Reporting and dashboards make it easy to see critical areas for analyses, thresholds – breached or otherwise.

Technology can be used to create a comprehensive story when KRI thresholds escalate. Automating KRIs to give them longer lives, tracking remedial action when KRIs are escalated, and tracking follow-ups – are some of the options available when technology is harnessed.

In addition to enabling continuous KRI monitoring to stay on top of risks, technology simplifies the process of collating the data for KRI reports which can be presented to the board and other stakeholders. Using technology also makes it easier to explain to regulators the actions performed, and the situations that mandated them, since it leaves an audit trail that reveals these details clearly.

Conclusion

Designing and setting up KRIs is critical to a successful ERM process. While the potential advantages of creating an effective set of KRIs have been highlighted, it is equally important to set the design elements and protocols for their proper communication and flow within the sphere of corporate governance.

KRIs in conjunction with the KPIs are deemed to be efficient indicators of not just the potential risks to an organization but also how its different units have been performing. Though the difference is simply in perspective, an organization benefits far more when examining KPIs using risk lenses. It is believed that harnessing technology and leveraging it will only enhance organizations’ risk management approach and complement existing risk identification methods so as to yield significant benefits.