Types of KRIs & KPIs
A look at different types of indicators and a perspective on quantitative versus qualitative approaches.
This is the second article in a three-part series entitled “How and Why to Add Key Risk Indicators to Your ERM Program.” This article discusses the different types of indicators and provides a perspective on quantitative versus qualitative approaches.
The first article provided a background explanation of indicators, along with examples and benefits of using indicators in ERM programs. The third article, which follows this piece, provides a practical 6-step process to add indicators to your ERM program today.
All three articles use example screenshots from our Essential ERM software system, but note that everything described within them can be performed manually without software (albeit with much more effort!).
KRIs Versus KPIs: Three Common Types of Indicators
Risk practitioners often consider three primary types of indicators:
- Risk Indicators - these are metrics that indicate that an unwanted event is becoming more likely or potentially more impactful. They can be causally related (i.e. related to a triggering event that precipitates the risk event) or simply correlated with the risk event. They are typically predictive indicators, providing a warning prior to risk events unfolding, although they can be post-event indicators, signaling when risks have occurred and the magnitude of their impact.
- Control Effectiveness Indicators - these are a form of risk indicator that measure and monitor the health of the organization’s risk controls. Controls are put in place to reduce the likelihood that root causes will trigger and lead to risk events (and their subsequent impacts or consequences). If these controls are not functioning as expected, then likelihood and impact may change. As such, these indicators are usually predictive and causally related. Their correlation to the risk event may be lower (poor controls create the potential for a risk event to occur but may not directly or immediately cause it to materialize), but they can serve as an effective early warning system. For example, continuing on the earlier endurance athlete scenario, a coach monitoring the athlete’s weekly training logs may be able to identify a heightened risk of overtraining long before the athlete’s resting heart rate actually starts to rise.
- Performance Indicators - these are metrics that indicate success or progress towards achieving a desired outcome. They are related to factors inside the organization (versus external market factors) and are usually linked to outcomes and consequences. They can be used in an affirmative way to demonstrate the achievement of objectives, or as a warning to show when risk events are in the early stages of unfolding. For example, sticking with the performance athlete scenario, a slower than expected time in a short race (a small milestone on the way to a larger strategic objective) may be an indicator that burnout is in the early stages and is threatening the athlete’s larger strategic objective (an important long race at the end of the season). In addition to providing useful immediate feedback on risks and objectives, collecting KPI data in concert with risk ratings and KRI data will build a helpful dataset for future strategic planning and predictive analytics (to be covered in a future article).
The above overview of indicator types is provided for background purposes and to stimulate thought. Our advice, however, is to not get too hung up on categorizing indicators. Whether you label an indicator as a KRI or a KPI is much less important than whether or not the indicator has a strong predictive correlation to the events and outcomes that you are most concerned about. In other words, an indicator that works is useful, regardless of what you call it.
Furthermore, as discussed in the accompanying article on the 6 steps to implement indicators, we find that indicators can be useful at all stages of a risk event scenario. In this article, we recommend the risk bow tie model as an excellent framework to identify and map useful indicators. For example, indicators can be mapped to the risk event itself, or can be mapped and used to monitor root causes, pre-event mitigations (controls), post-event mitigations and consequences.
Screenshot from the Essential ERM software system showing the year-long trend of a sample performance indicator, along with its acceptable tolerance bands.
Quantitative Versus Qualitative KRIs and KPIs:
KRIs and KPIs are typically thought of as going hand-in-hand with quantitative risk. Quantitative risk is an approach to risk management that focuses on factual and numerical data, along with mathematical models and analysis methods, in order to reduce bias. A risk practitioner would first build a mathematical model that approximates the various scenarios in which root causes map to each other, precipitate risk events and affect desired objectives. An example might be the way in which changing interest rates are managed by hedging strategies and ultimately affect investment returns.
Quantitative models can be computerized and simulated repeatedly (e.g. Monte Carlo simulation) to predict probability-based outcomes, such as the probability of achieving different levels of investment returns. The power of these models is their ability to support sensitivity analysis, as different inputs and extremes are modelled. Numerically-based KRIs and KPIs can play a valuable role in these models, adjusting them based on real-time values for assumptions and outcomes. As a result, KRIs and KPIs have become a core component of operational risk programs, which are typically quantitative-based.
Does this mean, however, that you must build detailed mathematical models to use and get value from KRIs and KPIs in your enterprise risk program?
No, not in our experience.
In fact, we believe that this misconception (that complex quantitative models are needed to use KRIs and KPIs) is one of the reasons that some organizations overlook them and miss out on the value that KRIs and KPIs could bring to their enterprise risk programs.
One of the main differences between ERM and operational risk is that ERM programs track higher-level (or summary-level) risks that have been rolled up for consumption by the senior leadership team and board of directors. In many cases, attempting to build detailed mathematical models for enterprise risk would involve so many levels of aggregation and assumptions that it would undermine the reliability of the analysis in the eyes of the report consumers. As a result, many ERM programs rely on qualitative risk analysis methods.
We are not saying that mathematical models are not useful in ERM, but rather that they are not essential to get immediate value from KRIs and KPIs. There are easy steps that almost all ERM program managers can take now to start getting value from indicators, while accumulating data that will be useful later in data analysis and possibly the development of mathematical models where appropriate.
One insight from quantitative risk that is, however, helpful for considering KRIs and KPIs in ERM is that indicators do not need to be thought of as binary or unidirectional. For example, decreasing values for certain KRIs do not only mean that risk events are becoming less likely or less impactful. They can also mean that key objectives associated with those risk events are now more likely to be achieved. In this way, KRIs and KPIs can be an important part of strategy execution and performance management. It is an important shift in thinking to move beyond simply preventing risk events (i.e. “make everything green”) to focus on maximizing positive outcomes based on available resources and your organization’s risk appetite.
And finally, we have found that your KRIs and KPIs themselves do not need to be quantitative to be useful. Qualitative inputs are valid forms of data and can be easily converted to numerical values for future analysis if needed. For example, an indicator can still have a strong predictive correlation with risk events, causes, mitigations (controls) and consequences, even if subject matter experts are simply asked to rate an indicator as “high”, “medium” or “low”.
This is also demonstrated through a common everyday example. Asking people to answer if the morning sky colour is “red”, “blue” or “grey” is a valid way to predict the likelihood of rain in many locations. It turns out that the old proverb about “red sky at morn, sailors take warn” (meaning there will be stormy seas when the morning sky is red) actually has a basis in science.