Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) have long been viewed as an essential component of operational risk management. Many risk managers are now looking to incorporate these valuable tools into enterprise risk management (ERM) programs as well.
Their goal is to transform their ERM programs from static repositories into dynamic systems that continually monitor risk and performance, and provide up-to-date information that can be used for better decision making and strategy execution.
Unfortunately, however, some ERM managers miss out on the value that indicators can provide because they mistakenly believe that KRIs and KPIs are either too complicated or require detailed mathematical models in order to be effective. We have found through experience that this is not the case, and nearly all ERM programs can benefit from using indicators in the easy and practical manner described in the following sections. Furthermore, this is an area where software tools can help considerably, by providing automation, along with built-in guidance and analysis expertise.
This is the first in a series of three articles that provide an overview of KRIs and KPIs and share best-practice experience on how to incorporate indicators into ERM programs. Together, they will cover the benefits of using indicators, common implementation pitfalls, contrasts with operational risk indicators, and 6 practical steps to quickly and easily add KRIs and KPIs to your ERM program today.
This article provides an overview of indicators, including examples and benefits of using indicators in ERM. The second article discusses different types of indicators and the third article provides a practical 6-step process to add indicators to your ERM program today.
All three articles use example screenshots from our Essential ERM software system, but note that everything described in them can be performed manually without software (albeit with much more effort!).
What are Key Risk Indicators?
In the context of ERM, key risk indicators (KRIs) are activities or outcomes that signal to a risk manager that a particular risk event is becoming more or less likely. They may also indicate that a risk event has already occurred and provide a sense of its impact or severity.
KRIs are usually numerical (although they can be qualitative too) and are tracked against upper and/or lower tolerance bands. Tolerance bands usually represent the expected range of the metric, or the values of the metric that can be “tolerated” by the organization without a material change in risk levels or a serious threat to objectives. When the value of the indicator exceeds a tolerance band, it is viewed as abnormal behavior and as a strong signal that the risk events associated with the indicator are becoming much more likely.
Indicator Explorer screen from the Essential ERM system showing KRIs and KPIs including their trend and status relative to tolerance levels
Real World Example - Sports Endurance Training
A simple real-world example of using KRIs with risks and objectives can be taken from the world of endurance sports. Many endurance athletes are concerned about the risk of overtraining (burnout). Burnout is a critical risk for endurance athletes, as it results in deep fatigue that can last for many months. Once serious burnout sets in, the primary recourse is extended rest and it is not uncommon for an athlete to miss an entire training and competition season.
To guard against this, many endurance athletes monitor their resting heart rates (RHR) each morning when they first wake up. If an athlete’s RHR is rising over several days, exercise physiology research has shown that it is very likely that the athlete is in the early stages of overtraining. In this way, RHR is an indicator that the risk event of overtraining is about to occur, or has begun. Rising RHR also indicates that any important objectives associated with this risk (such as performing well at competition, earning sponsorships, moving up in athletic rankings etc.) are being threatened and are now less likely to be achieved if quick action is not taken.
In the example above, a climbing resting heart rate is an effective indicator because it is both highly correlated to and predictive of burnout risk. It is correlated because elevated RHR is tied to overtraining or illness in a high percentage of situations. It is predictive because elevated RHR often shows up before serious burnout occurs. By monitoring this indicator, athletes can take action (by altering training, rest, diet etc.) to prevent burnout from occurring, or at least limit its duration and severity.
The same analogy holds true for business situations. For example, rising mortgage default rates may be strong predictors of risk event occurrence in certain financial markets. Spikes in influenza cases at local hospitals may precede and predict resource risks unfolding in other hospitals and in entire health systems. Increasing competitive activity and rising bid prices for online ads may foretell risk events that will negatively affect a company’s revenue growth objectives.
Why are Key Risk Indicators Important to ERM?
The key for ERM managers, then, is to find the key metrics and events (i.e. the “RHR indicators”) in their business that are closely tied to their top enterprise risk events and related objectives. By doing so, ERM managers will create an early warning system that lets them know when the corporate risk profile is changing. This is especially valuable in the context of ERM, where strategic objectives and risks may be set and reviewed on an infrequent basis. This infrequency leaves ERM programs vulnerable to new Interval Risks (risks that arise between assessment windows) and high velocity risks (risks whose likelihood and impact can change rapidly).
Furthermore, ERM is closely linked to strategic planning and decision making. All strategic decisions are based on assumptions, which are essentially predictions about uncertain variables, relationships and outcomes. The process of creating and measuring indicators (as will be described in the sections below) leads leadership teams to better identify and consider their strategic assumptions more carefully.
Indicators can then be used to subsequently monitor those assumptions and the factors that affect them. Changes to the assumptions that underpin a strategic plan can and should be an important trigger for leadership teams to revisit their objectives and immediately address emerging risks - rather than simply waiting for the next annual or quarterly risk review. Measuring and collecting indicator data will also generate valuable information to measure prediction accuracy and to develop baselines that will be helpful in future planning and decision making. (In future articles, we will discuss methods to use indicator data and predictive analytics to uncover new insights and correlations between metrics, risks and performance.)
Finally, note that risk managers do not always need to understand how or why indicators are correlated with changing risk profiles for indicators to be effective. Athletes don’t need to know why rising resting heart rates warn of burnout in order to use this indicator to reduce risk. Similarly, indicators do not have to be causally related to be useful. It is highly unlikely that rising heart rates are the cause of burnout (they are both correlated to the same underlying cause), just as infectious outbreaks in one county may not directly lead to resource shortages in other health systems, but can still be a useful early warning to help neighbouring hospital administrators.