This is the third and final article in a three-part series entitled “How and Why to Add Key Risk Indicators to Your ERM Program.” This article provides a practical 6-step process to quickly and easily add indicators to your ERM program. It builds on the information and concepts discussed in the two earlier articles.
The first article provided a background explanation of indicators, along with examples and benefits of using indicators in ERM programs. The second article discussed three different types of indicators and provided a perspective on quantitative versus qualitative methods.
This article uses example screenshots from our Essential ERM software system, but everything described here can be performed manually without software (albeit with much more effort!).
Step 1 - Start with Your Strategic Objectives
When it comes to implementing KRIs and KPIs, the single most important best practice we can share is to keep your efforts laser-focused on generating business value and avoid unnecessary complexity. This will help you to secure and maintain the buy-in you will need from your organization to keep your KRI process functioning properly. In practice, this means starting with a small number of indicators that are mapped to your most critical risks. You can then continue to selectively add indicators over time as you demonstrate value through your program.
How do you determine your most critical risks to create indicators for? Simple - start with your strategic objectives.
Ideally, your strategic objectives are documented and already form the foundation of your ERM program. Risks that would interfere with the achievement of objectives are identified, assessed, managed and monitored to aid with your strategy execution.
Fig. 3. The Strategy Explorer screen from the Essential ERM software system. Strategic categories and strategic objectives are documented first, and then risks that would affect execution are identified and mapped to each objective.
Using strategic objectives as a central organizing principle will help to ensure that your ERM program stays focused on delivering business value. It will make it easy to identify your most important risks, as they will be the risks that have the greatest potential to affect your most important objectives. This approach will help you to identify highest ranked risks that you should start with when identifying potential KRIs and KPIs.
A word on this - if your ERM program is not already aligned with strategic objectives, all is not lost. It is not hard to create these linkages after the fact. Our team would be happy to share pointers and this is an area where the right software tools can help. There are also other considerations for prioritizing risks, as the next two steps describe.
Step 2 - Consider Your Organization’s Risk Appetite
Just as strategic objectives provide important business context to prioritize your risks for use with KRIs and KPIs, so does consideration of your organization’s risk appetite.
Risk appetite is an extremely valuable tool to help identify and document the types and amounts of risk that your organization is prepared to assume in different situations. If you have not implemented a risk appetite framework yet, we recommend you review our two articles entitled “Understanding Risk Appetite” and “Implementing Risk Appetite Frameworks.”
Fig. 4. The Risk Appetite screen from the Essential ERM software system. Grey dots represent individual risks plotted by their residual scores, with blue bars representing the upper and lower thresholds set and approved by the board during the risk appetite documentation process. While dozens of risks are plotted, the risks that exceed thresholds can be easily and identified (by hovering over them or clicking through into their details).
Risks which exceed upper and lower risk appetite thresholds are additional candidates for use with KRI and KPI monitoring, because these represent risks which are currently out of alignment with the limits that the Board of Direcors has authorized the leadership team to operate within. These risks will likely have action plans associated with them to bring them into appetite alignment, warranting closer oversight. This will be especially true if these risks are also associated with important or sensitive strategic objectives.
Step 3 - Consider Your Risk Register
Other important clues for prioritizing your indicators can be obtained from a review of your risk register. Most registers already have a ranking system that reflects your organization’s consensus of your most important risks. Registers can also be filtered to identify risks with the highest risk ratings and to highlight the risks where the difference between inherent risk and residual risk are the greatest. These differences represent the extent to which the organization is depending on its controls to help avoid risk events. Risks with high differences in inherent and residual risks may be good candidates for control effectiveness indicators (see article 2)
Fig. 5. The Enterprise Risk Console from the Essential ERM software system with risks filtered by rank and risk owner.
The above diagram shows an example risk explorer where additional risk attributes are displayed, which may be useful in identifying risks that would be good candidates for KRIs and KPIs. For example, risks with high risk velocity are subject to rapid changes in risk profile and may benefit from indicators that serve as an early warning system. Also, the register shows the areas of the business likely to be affected by each risk. This can serve as a proxy for business value (especially when objectives are not mapped to risks), or as a way to identify business units which may be more open-minded to indicators and supportive of the KRI maintenance process (i.e. good places to pilot your program and show early value).
Step 4 - Complete Risk Bow Tie Diagrams for Your Top Risks
Once you have used steps 1 to 3 above to identify the top priority risks that you want to create indicators for, the final key preparatory step is to complete risk bow tie diagrams for each risk. This is an optional step, but highly recommended.
Fig. 6. The Risk Details screen from the Essential ERM software system, showing the details of an individual risk, including the risk assessment ratings and thresholds, risk bow tie diagram, associated business areas and strategic objectives, and open action plans.
If you are not familiar with risk bow tie diagrams and the many benefits they can bring to ERM programs, we recommend you read our article “Bow Tie Method of Risk Assessment”, which provides an overview and a step-by-step guide for building risk bow ties in your ERM program.
What makes risk bow ties so useful for creating and mapping indicators, is that they allow you to consider where the greatest uncertainties lie and where your organization would benefit most from a closer monitoring and early warning system. For example, some root causes may have a high likelihood of occurrence and/or be associated with several important risks in your register. Similarly, there may be selected pre-event or post-event mitigation steps that are vital to your ability to manage a risk. Certain action plans may be critical to lowering residual risk. Finally, there may be certain consequences that warrant close tracking with KPIs, especially when they have a strong association with key business objectives.
Once you have identified these key points in the various scenarios displayed in the bow tie diagram, you have a useful roadmap to show you where to create and associate indicators.
If you still don’t plan to use bow tie diagrams anytime soon, you can simply proceed by going to the next step and mapping your indicators directly to your risks and objectives.
Step 5 - Identify, Set Up and Map Indicators
Now that you have prioritized your risks through steps 1 to 3 and identified your critical dependencies and uncertainties in step 4, you are ready to set up indicators.
Start simple, focusing on your priority risks and dependencies. Work with your business subject matter experts in small workshops to identify a small number of indicators that will be most useful to give you the feedback you require. As discussed in article 1 and article 2, good indicators are metrics or ratings that are highly correlated with and predictive of events and outcomes. (if you have not read those articles yet, we highly recommend you do so before completing this process).
Once you have identified an indicator you plan to use, you will set the upper and lower tolerance values that it will get tracked against. As discussed in the earlier articles, your tolerance bands will represent the indicator values above and below which your risk ratings are likely to change in a material way. Don’t worry too much about getting them perfect - it is better to get started and then monitor and tune the tolerance settings as real-world data starts to come in.
Finally, you must determine how and how often your indicator data will be updated. While it is natural to first think of automated data feeds, there can be a great deal of utility from indicators that get updated manually by subject matter specialists on a recurring basis. This, however, is an area where software tools will help considerably, by automating these workflows (including reminders and escalations) and collating responses. It is possible to complete these processes manually with emails and spreadsheets but will take considerable effort.
Fig. 7. The Indicator Details screen from the Essential ERM software system. While KRIs and KPIs can be incorporated and tracked in ERM without software, an easy-to-use automated software package will dramatically reduce the effort involved for risk managers and subject matter specialists.
Step 6 - Activate and Monitor Indicators
Once you have set up and activated your KRI and KPI data gathering processes, we recommend you use the initial 2-3 data gathering periods to “tune” your tolerance settings. This means risk managers should be closely reviewing the KRI/KPI data coming back, while holding off on automated escalation processes when tolerance limits are breached. Risk managers can use this period to adjust tolerance settings so that future alerts will be sent in the appropriate situations (when risk profiles are changing).
Once data gathering has been initiated and tolerance limits have been tuned, it is important to incorporate indicators into ongoing risk management and reporting processes. This includes a protocol to alert appropriate risk managers, business unit managers and leadership team members and business unit objectives when indicator tolerance levels are exceeded.
This is where the effort you put into mapping indicators to the appropriate business objectives and risks will pay off. The example report below shows strategic objectives with KRI and KPI alerts activated against them. Depending on the importance of these objectives, an immediate review of the underlying risks and indicators may make sense (along with potential corrective action), rather than waiting for the next scheduled quarterly or annual review.
Fig. 8. The Strategy Explorer from the Essential ERM software system showing yellow alert symbols for objectives affected by KRIs and KPIs that have exceeded their tolerance levels. Alert status for the objectives has been inherited from the indicators associated with the attached risks.
Continuing the example above, risk and business managers can examine the individually affected risks to see exactly where and how KRIs and KPIs are potentially affecting the risk profile.
Fig. 9. A sample Risk Details screen from the Essential ERM software system showing yellow alert symbols showing linkages to KRIs and KPIs. In some cases indicators are directly associated with this risk. In other cases, the risk is inheriting the alert status from its link to other sub-risks, causes, mitigations (controls) and/or consequences that have alerting KRIs and KPIs associated with them. A risk manager can continue to click through to see the source of the underlying alert.
Start Small and Grow
The brainstorming and workshopping process that is used to identify potential indicators will usually generate many good ideas for indicators and it is tempting to want to implement them all at once. Don’t confuse initial receptiveness and enthusiasm for long-term sustainability. The subject matter specialists that you will be relying on for KRI/KPI data updates may tire of the activity if they do not see results from their efforts (as will their management).
Our advice instead, is to start with a small number of indicators, such 2-3 indicators for 2-3 top risks. You may also wish to focus on indicators and risks that are related to one department or area of your organization that is supportive of the program and has meaningful risks to track. This will give you one group of subject matter specialists to work with to collect indicator data and a single management team consuming the output. This approach will allow you to tune your processes and demonstrate early success that will make it easier to roll your indicator program out more broadly.
Please share any feedback or experiences that you think would help us make this article better - we would love to hear from you.
Please also note that we offer a free, no-obligation trial of our Essential ERM software system. Setup only takes a few minutes and one of our risk advisors would be happy to quickly demonstrate KRI and KPI configuration if you would like. This way you can experiment with KRIs and KPIs on your own, with a little help and some easy automation!
The above overview of indicator types is provided for background purposes and to stimulate thought. Our advice, however, is to not get too hung up on categorizing indicators. Whether you label an indicator as a KRI or a KPI is much less important than whether or not the indicator has a strong predictive correlation to the events and outcomes that you are most concerned about. In other words, an indicator that works is useful, regardless of what you call it.
Furthermore, as discussed in the accompanying article on the 6 steps to implement indicators, we find that indicators can be useful at all stages of a risk event scenario. In this article, we recommend the risk bow tie model as an excellent framework to identify and map useful indicators. For example, indicators can be mapped to the risk event itself, or can be mapped and used to monitor root causes, pre-event mitigations (controls), post-event mitigations and consequences.
Screenshot from the Essential ERM software system showing the year-long trend of a sample performance indicator trend, along with its acceptable tolerance bands.