Posted on: December 11, 2019
Risk management functions today, regardless of size and complexity, tend to focus substantial time and energy on point-in-time assessments. While these exercises are necessary and do provide a robust view of an enterprise’s risk posture for a given period, risk management professionals should also put ample resources towards developing and maintaining ongoing risk monitoring techniques, such as key risk indicators (“KRIs”).
KRIs are quantitative metrics defined by an organization to provide an early signal of increasing risk exposure, which may indicate the need for action. Such indicators can be used to identify the trends related to increasing (negative) levels of risk and provide the proper context to proactively initiate remedial action plans or revisit a related risk assessment. KRIs can provide an organization with the necessary data to make timely, effective responses.
KRIs can be created using a variety of information available to an organization, but a risk function should ask itself: “Will this KRI facilitate informed decision making?” Collecting metrics for the sake of collecting metrics may distract from the real risk affecting business processes and can lead to misinformation and uninformed decisions. It is best practice to leverage the knowledge of the individuals closest to the risk and the professionals executing the business processes influenced by the risk in order to build and sustain relevant and meaningful KRIs. Directly relating KRIs to entities such as business units, functional areas, processes and risk categories helps ensure that those indicators have an appropriate purpose and a specific audience in a risk management function.
Risk management professionals should also consider the following questions when developing a KRI:
- Is the measurement data easily accessible?
- Can the data be consistently collected?
- At what level would the KRI warrant action?
As measurements are logged, trend analysis of a KRI determines whether the risk indicator has degraded, is stable or has improved, alerting the KRI owner and risk manager to where they should focus. Additionally, for a KRI to have real influence, a tolerance threshold should be established, which, if exceeded, would require additional investigation and potentially an action plan.
As the red tolerance line in the above chart shows, our current rating has landed the KRI below the threshold, so no corrective action is immediately necessary.
Keeping a continuous pulse on key metrics enables informed decisions that increase the resilience of an organization and its ability to make proactive decisions with a risk-based context. As an example, an organization could develop a KRI to monitor the volume of hazardous waste released on a weekly basis by all critical manufacturing sites. This KRI has been established with the intention of monitoring the enterprise’s risk in terms of noncompliance with laws and regulations governing hazardous waste material. The trend analysis obtained would inform necessary action plans to address rising levels of waste material to avoid fines and negative press due to environmental safety issues. KRIs provide a clear and forward-thinking lens to an organization working to be resilient and take proactive steps rather than reactive measures when addressing risk.