Key Risk Indicator (KRI)

A Key Risk Indicator (KRI) is a metric used to measure and monitor the level of risk associated with a particular process, activity, or system within an organization. KRIs are typically used in risk management to provide early warning signs of potential risks and to help organizations take proactive steps to mitigate those risks.

KRIs are designed to be quantitative and measurable, allowing organizations to track changes in risk levels over time and to identify trends and patterns that may indicate an increased likelihood of risk. Examples of KRIs may include the number of security breaches, the frequency of customer complaints, or the percentage of on-time project completions.

KRIs are often used in conjunction with other risk management tools, such as risk assessments and risk registers, to provide a comprehensive view of the organization's risk profile. They can be customized to the specific needs of an organization and can be used to monitor risks at both a strategic and operational level.

The use of KRIs can help organizations to better understand and manage their risk exposure. By monitoring key risk indicators, organizations can identify potential issues before they become major problems and take proactive steps to mitigate those risks. This can help to improve overall risk management and to minimize the potential impact of risks on the organization.

KRIs are used to answer the question: “How is our risk profile changing, and is it within our desired tolerance levels?” Within the Risk-based performance methodology, KRIs are (or should be) defined for all Key Risks, included on the risk scorecard, and scored on a 0-3 scale (see the earlier post on the Risk-based performance scoring methodology).[1]

Key Risk Indicators (KRIs) are useful tools for business line managers, senior management, and Boards to help monitor the level of risk-taking in an activity or an organization. To business line managers, they may help to signal a change in the level of risk exposure associated with specific processes and activities. To senior management, they reflect the level of risk exposure, use or stretch of resources, and the effectiveness of key controls. To the Board, KRIs can indicate whether the firm operates within the set risk appetite. Finally, for modelers, key risk indicators are a natural way of including the fourth element of AMA (Advanced Measurement Approach), the BEICF (Business Environment and Internal Control Factors), into operational risk capital.[2]

Characteristics of Key Risk Indicators (KRI)[3]

A good KRI should have at least the following characteristics:

  • KRIs should be based on established Standards
  • KRIs should be developed using a consistent methodology
  • KRIs should provide a clear understanding of the risk variables:
    • Potentiality (Can it occur?)
    • Probability (If it can occur, what is the likelihood?)
    • Timing (When is it most likely to occur? / How much time do we have before it occurs?)
    • Severity of the Risk (When it occurs, what is the $ / % / # loss?)
  • KRIs must be quantifiable (number, dollars, or percentages)
  • KRIs must be easily applied and understood by the end users
  • KRIs must provide trending analysis of the risk variables
  • KRIs should validate or invalidate management decisions and actions
  • KRIs should be timely, provide a simplified but complete view of the risk, and cost-effective

Lifecycle of Key Risk Indicators (KRI) (Figure 1.)[4]

The key steps of a leading KRI program are represented in Figure 1. The cycle starts with the identification of the key risks to the organization: the risks that are significant enough to warrant active monitoring. In order to play a role in the prevention of risk, indicators must signal a rise in the level of risk factors rather than count the number of incidents that have already happened. Just as a KRI for car accidents is not the number of collisions but rather speed, alcohol, or fog, preventive KRIs capture elevated levels of what causes risks rather than the incidents that have already occurred. Understanding the causes of the risks (step 2) is thus an essential prerequisite to the identification of leading key risk indicators. However, chances are that several existing performance and control metrics already used in the organization can be reused and looked at from the perspective of leading KRIs (step 3). Deficient controls (red KCIs) are, by definition, indicators of elevated levels of risk. Similarly, poor performance (red KPIs) is, more often than not, a sign of trouble ahead. Once the existing metrics have been reviewed to assess whether they also qualify as KRIs, only the gaps need to be filled with new KRIs (step 4). KRI design (step 5) covers the structure of this particular form of reporting: data source and capture, frequency of reporting and thresholds, the stakeholders in the process of collecting, reporting, and acting on possible breaches, and the governance rules that apply in case of breaches. Finally, after some time (1 – 2 years) of KRI usage, it is advisable to test their effectiveness: have they helped to prevent any incidents? (step 6).

Figure 1. Key Risk Indicators (source: Chapelle Consulting)

KRI Processes[5]

  • KRI Identification
    • Identify existing metrics.
    • Assess gaps and improve metrics.
    • Identify KRIs via risk control self-assessment (RCSA)—interview business units.
    • Don’t over-rely on them; focus on indicators that track changes in the risk profile or the effectiveness of the control environment.
    • Concentrate on the significant risks and their causes and consider forward-looking and historical indicators.
    • Consider absolute values and numbers, ratios, percentages, aging, etc.
    • Data on KRIs should be collated on a systematic and consistent basis in order to be meaningful, e.g., on a monthly basis.
  • KRI selection
    • Select the KRIs that are measurable, meaningful, and predictive (leading indicators).
    • Gather a good mix of leading and lagging indicators for effective risk management.
    • Don’t select too many KRIs that:
      • Are too difficult to manage (track).
      • Might become unmanageable.
    • Select only the ones that provide useful information.
  • Setting thresholds
    • Determine and validate trigger levels or thresholds.
    • Based on industry tolerance or internal acceptance.
    • Board of directors should approve thresholds.
    • Should coincide with risk appetite statement.
  • KRI Tracking & Reporting
    • Periodic tracking of KRIs (monthly, weekly, depending on what the KRI represents).
    • KRIs should be reported regularly, and escalation procedures should be in place (as part of the KRI framework) to ensure timely reporting to management and the board.
    • Various KRIs will have different levels of escalation. When in doubt, escalate higher, but don’t dump too much information on management/board because they will get overwhelmed.
    • Reporting of KRIs to head of business units by KRI owners. The head of business units then reports to risk management. Risk management reports to the risk board and, when applicable, the full board.
    • This can help improve corporate governance structure.
  • Risk Mitigation Plans
    • Risk mitigation plans (RMPs) should be set for high-risk items.
    • Items with high severity or high frequency of occurrence need to have RMPs to mitigate risk and enhance controls.
    • Determine what high risk is by assessing control levels.
    • Track RMPs to ensure that controls are enhanced, and risk is mitigated. Report on RMPs to management/board and set target completion dates.

Methodology of Identification of Key Risk Indicators (KRI)[6]

The approach for operational KRI identification consists of five steps:

Step 1: Definition of the perimeter of risks to manage

For efficient operational risk management, the enterprise should focus on major risks. A major risk is one with a real and/or significant potential impact on the company’s financial statements. The significance level used to decide whether a risk is major or not depends on each company (revenues, results, total assets, degree of sensitivity to risks, etc.) and should be set by top management. Thus, the major risks to be followed are those whose annual impact exceeds the thresholds set by management. The operational risk mapping serves as a guide to which managers can refer throughout the process of identifying the company’s major risks.

Step 2: Identification of KRI dashboard recipients

The second step of the KRI definition process consists of the identification of the future receivers of dashboards. Indeed, appropriate indicators should be made available to the recipients according to their functions. Relevant good practices recommend sending to each operational manager the key indicators related to risks within his scope of intervention. These indicators must be aggregated on the basis of the hierarchy level. Furthermore, they need to be available for the risk manager, if there is one in the company, and for internal controllers and auditors to target their checks.

Step 3: Identification of actors that would participate in the indicators’ definition workshop

For a successful exercise of KRI identification, it is important to involve the managers who would exploit the indicators in the identification workshops. All operational managers responsible for managing and tracking major risks must be identified and invited to attend training sessions. The main goal of those sessions is to explain the objectives of the KRI system, the methodology for the identification of the indicators, and the threshold setup. The risk manager should also attend this training session in view of the important role he will play in the definition of the indicators and thresholds.

Step 4: Training of actors (designated in step 3) in the KRI identification methodology

Designated actors need to go through a training session dealing with the process of identifying risk indicators. This session should focus on the following:

  • Definition of basic concepts: risk, major risk, key risk indicator, exposure indicator, proven risk indicator, environment indicator, specific indicator;
  • Presentation of the objectives regarding the set-up of the operational key risk indicators system;
  • Presentation of the methodology for identification of key risk indicators and their thresholds (see step 5 below);
  • Identification of people that would exploit these indicators but also those that would set up and control the KRI system;
  • Presentation of the templates for KRI dashboards to produce.

Once the training session is completed, a plan for holding an indicators identification workshop should be put in place.

Step 5: Holding the KRI identification and threshold definition workshops in accordance with the predefined planning

As said above, there are two types of indicators, namely exposure indicators and proven risk indicators, calculated prior to or after risk occurrence. In order to identify exposure indicators, it is recommended to proceed as follows:

  • Identify potential sources of each selected major risk;
  • Determine the indicator that would quantify each identified source of risk.

As far as proven risk indicators are concerned, the approach for indicators identification is as follows:

  • Identify the consequences of each selected major risk;
  • Define indicators that would quantify each identified consequence of risk.

However, it is possible to combine the two types of indicators for one risk in order to ensure effective monitoring before and after the occurrence of risk.

Mapping Risks to KRI (Figure 2.)[7]

Managing risks is about managing the chain of:

  • Detecting/predicting threats/opportunities
  • Estimating the chance that they will happen (their probability)
  • Controlling the impact/outcomes

Normally, we cannot map all these aspects of the risk in one KRI, so we will normally need 3 indicators:

  • Indicator that would measure the probability
  • Indicator that would measure the impact
  • Indicator that would measure action plan

For example, for such a KRI as “Poor mentoring of employees,” we would have:

  • Time spent on mentoring per week, hours. This indicator estimates risk probability; the fewer hours one spends mentoring others, the more likely the company will face this risk.
  • Employee engagement index, %. This indicator helps to understand the impact of poor communication. Less mentoring means less engagement on the part of employees.
  • Action plan: improve mentoring procedures; relevant indicators might be something like “Leadership training passed, hours.” We need to teach managers a proper leadership paradigm that would include mentoring.

Figure 2. Mapping Risks to KRI (source: BSC Designer)

Role of Technology in Effectively Measuring and Managing KRIs[8]

Given the advances made by technology today, it is imperative to leverage it to look at different indicators in the context of the risk data being collated for an organization. If the organization is already using a risk management system, then it has its risk and control assessment data and issue data and can combine existing KRIs effectively.

  • Technology enables the measurement of different risk categories, metrics, and even occurrences. The system is not only for risks; it can also be used for asset classes, objectives, controls, processes, business entities, etc. Once these are established, one can define thresholds (such as green, amber, and red) – which represent rising and dropping indicators, both critical and non-critical. Reporting and dashboards make it easy to see critical areas for analyses, thresholds – breached or otherwise.
  • Technology can be used to create a comprehensive story when KRI thresholds escalate. Automating KRIs to give them longer lives, tracking remedial action when KRIs are escalated, and tracking follow-ups are some of the options available when technology is harnessed. Using technology also makes it easier to explain to regulators the actions performed and the situations that mandated them, since it leaves an audit trail that reveals these details clearly.
  • Risk management strategies can also be realized for specific, measurable, relevant, and timely actions and responsibilities. Toward this objective, it is essential to understand KRI standards and measurement specifications. Furthermore, it is essential to determine the organization’s analytics providers and the metrics consumers through various tools and resources.
  • One of the biggest benefits of leveraging technology to manage KRIs is that it does away with manual efforts, which can be time-consuming and cumbersome. Technology supports manual and automated data collation methods, enables the easy definition of thresholds, and tracks issues and actions for breaches. It provides a single interface to define KRI, KPIs, KCI (Key Control Indicators), and risk appetites. It is possible to track metrics for causes, consequences, and risks, which are easily accessible to personnel studying these within the organization. It is also easy to relate KRIs, KPIs, and KCIs to anything in the organization’s GRC library of content.

Benefits of Key Risk Indicators (KRI)[9]

The constant measure of KRI can bring the following benefits to the organization:

  • Provide an early warning: a proactive action can take place
  • Provide a backward-looking view on risk events, so lessons can be learned from the past
  • Provide an indication that the risk appetite and tolerance are reached
  • Provide real-time actionable intelligence to decision-makers and risk managers

Management Challenges in the Development of KRI Library[10]

  • Lack of standards and best practices—For better or for worse, the SMSIs look at the many operating methods and controls used successfully by other institutions. The SMSI often scales the more advanced management techniques of larger institutions to fit its own environment. Until KRI practices mature and become time-tested, each institution will have to continue experimenting with different risk indicators to determine which are effective and manageable.
  • Management Awareness—The control measures that get the most attention and support are those that senior management understands and expects. Because the concept of an enterprise-wide KRI library is still very new to the industry, many senior managers are unaware of its value, let alone its design, so they are hesitant to allocate scarce resources to develop such a program.
  • Speed of change—Technology changes at an extremely rapid pace, so risks that may be embedded or inherent within a given technology today may increase or decrease with successive versions or developments. KRIs that are linked to a specific technology or even a technology-centric process need to be routinely reevaluated any time that the underlying technology goes through a major revision.
  • Control measures—Before effective KRIs can be designed and implemented, the institution must be able to clearly establish its internal control measures. An organization that is not confident in its control measures cannot build “status” measures around them. Fortunately, many institutions have gone through extensive exercises to document key control measures as a part of their compliance programs, particularly those subject to the Sarbanes-Oxley Act. These controls often serve as the foundation for determining active risk indicators.
  • Lack of a process “decay” period—Some aspects of technology can be effectively monitored for subtle changes or degradation. Others defy monitoring. They can move very quickly from a stable state where nothing is happening to one of dramatic change. For example, the lack of any computer viruses on the internal network can be routinely monitored, but a virulent computer virus that suddenly penetrates the network’s defenses can’t be measured by a KRI since the environment would go immediately from “stable” to “bad,” completely bypassing “trending toward bad.”
  • Technology versus risk focus—People charged with implementing and maintaining the bank’s technology are, for the most part, focused on the technology itself and not necessarily the business risk associated with a potential failure of the technology. The development of technology-based KRIs is probably going to require the development of more mature communication channels between the subject matter experts regarding what could go wrong with the technology and what that would mean to the business.
  • Technology versus process risk—Processes dependent on technology must include the potential failure of the technology as a risk. In failure scenarios, there is a gray area because the failure could be due to the technology itself or how it is used. For instance, if the misconfiguration of an externally facing router exposes the bank’s network to the public Internet, is that a technology risk or a process risk? Many technology-centric KRIs may only make sense within the context of a full KRI library to cover all operational risk areas.
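The threshold, trend, and escalation mechanics described in the KRI Processes and Role of Technology sections, and the “no decay period” failure mode described just above, can be made concrete in a few lines of code. The following Python module is an added example and is not code from the original article or from any of the cited sources. The escalation chain (KRI owner to head of business unit to risk management to risk board) follows the reporting line the article gives; the KRI names, thresholds, window size, tolerance, and sample monthly values are all constructed for the example.

```python
"""Added example (not from the original article): a small KRI evaluator.

It applies green/amber/red thresholds to a KRI observation, works out the
trend from recent history, maps the status onto the escalation chain the
article describes, and shows why a metric with no "decay period" gives no
early warning. All KRIs, thresholds and sample values are constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float                  # first warning threshold
    red: float                    # breach threshold
    higher_is_worse: bool = True  # direction in which risk rises


def status(kri: KRI, value: float) -> str:
    """Return 'green', 'amber' or 'red' for one observation, direction-aware."""
    if kri.higher_is_worse:
        breached_red, breached_amber = value >= kri.red, value >= kri.amber
    else:
        breached_red, breached_amber = value <= kri.red, value <= kri.amber
    if breached_red:
        return "red"
    if breached_amber:
        return "amber"
    return "green"


def trend(kri: KRI, history: list[float], window: int = 3, tolerance: float = 0.10) -> str:
    """Compare the latest value with the mean of the preceding `window` values.

    Returns 'worsening', 'improving' or 'stable'. A falling value on a
    lower-is-worse KRI counts as worsening.
    """
    if len(history) < 2:
        return "stable"
    baseline = mean(history[-(window + 1):-1])
    latest = history[-1]
    if baseline == 0:
        change = 0.0 if latest == 0 else (float("inf") if latest > 0 else float("-inf"))
    else:
        change = (latest - baseline) / abs(baseline)
    if not kri.higher_is_worse:
        change = -change
    if change > tolerance:
        return "worsening"
    if change < -tolerance:
        return "improving"
    return "stable"


# Assumed escalation chain, following the reporting line in the article:
# KRI owner -> head of business unit -> risk management -> risk board.
ESCALATION = {
    ("green", False): "kri_owner",
    ("amber", False): "head_of_business_unit",
    ("red", False): "risk_management",
    ("red", True): "risk_board",   # red in two consecutive periods
}


def evaluate(kri: KRI, history: list[float], window: int = 3) -> dict:
    """Evaluate the latest reporting period of a KRI series."""
    latest = history[-1]
    st = status(kri, latest)
    repeat_red = st == "red" and len(history) >= 2 and status(kri, history[-2]) == "red"
    return {
        "kri": kri.name,
        "value": latest,
        "status": st,
        "trend": trend(kri, history, window),
        "escalate_to": ESCALATION[(st, repeat_red)],
    }


def gave_early_warning(kri: KRI, history: list[float]) -> bool:
    """True if an amber period was observed before the first red period."""
    statuses = [status(kri, v) for v in history]
    if "red" not in statuses:
        return False
    return "amber" in statuses[: statuses.index("red")]


# Constructed sample series, one value per monthly reporting period.
PATCH_BACKLOG = KRI("Servers missing critical patches > 30 days (%)", amber=5.0, red=10.0)
PATCH_HISTORY = [2.0, 2.5, 3.0, 6.0, 11.0]        # drifts through amber into red

MENTORING = KRI("Time spent on mentoring per week (hours)", amber=4.0, red=2.0,
                higher_is_worse=False)
MENTORING_HISTORY = [6.0, 6.0, 5.5, 3.5]          # fewer hours = rising risk

MALWARE = KRI("Active malware infections on internal network (#)", amber=1, red=5)
MALWARE_HISTORY = [0, 0, 0, 0, 40]                # no decay period: stable, then bad

if __name__ == "__main__":
    for kri, hist in ((PATCH_BACKLOG, PATCH_HISTORY), (MENTORING, MENTORING_HISTORY),
                      (MALWARE, MALWARE_HISTORY)):
        print(evaluate(kri, hist), "early warning:", gave_early_warning(kri, hist))
```

The patch-backlog series passes through amber before breaching red, so the trend and status together give management time to act; the malware series jumps straight from green to red, and `gave_early_warning` returns False, which is exactly the “stable to bad, bypassing trending toward bad” case described above. Making `higher_is_worse` explicit matters in practice: a KRI such as mentoring hours is worsening as it falls, and a threshold engine that assumes higher is always worse would silently report it as improving.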

See Also

Risk Management
Enterprise Risk Management (ERM)
IT Governance
