Actions

Key Risk Indicator (KRI)

A key risk indicator (KRI) is a metric for measuring the likelihood of if an event and its consequence will exceed the organization’s risk appetite. They can be quantified in terms of percentages, numbers, Rand values, time frames etc. The primary role of a KRI is to track trends over a period of time, these trends are then converted into early warning signals. Through the association of KRI’s to risks contained within a risk register, the data gathered in a KRI’s assists decision making process for the risk team by providing incite and actual measurable to based their risk management decisions on.[1]


KRIs are used to answer the question: “How is our risk profile changing and is it within our desired tolerance levels?” Within the Risk-based performance methodology, KRIs are/should be defined for all Key Risks, and included on the risk scorecard and scored on a 0-3 scale – see previous post on the Risk-based performance scoring methodology.[2]


Key Risk Indicators (KRIs) are useful tools for business lines managers, senior management and Boards to help monitor the level of risk taking in an activity or an organisation. To business lines managers, they may help to signal a change in the level of risk exposure associated with specific processes and activities. To senior management, they reflect the level of risk exposure, use or stretch of resources and the effectiveness of key controls. To the Board, they can indicate whether the firm operates within the set risk appetite. Finally, for modellers, key risk indicators are a natural way of including the fourth element of AMA (Advanced Measurement Approach), the BEICF (Business Environment and Internal Control Factors), into operational risk capital.[3]


Characteristics of Key Risk Indicators (KRI)[4]
A good KRI should have at least the following characteristics:

  • KRIs should be based on established Standards
  • KRIs should be developed using consistent methodology
  • KRIs should provide a clear understanding of the risk variables:
    • Potentiality (Can it occur?)
    • Probability (If it can occur, what is the likelihood?)
    • Timing (When is it most likely to occur? / How much time do we have before it occurs?)
    • Severity of the Risk (When it occurs, what is the $ / % / # loss?)
  • KRIs must be quantifiable (number, dollars, or percentages)
  • KRIs must be easily applied and understood by the end users
  • KRIs must provide trending analysis of the risk variables
  • KRIs should validate or invalidate management decisions and actions
  • KRIs should be timely, provide a simplified but complete view of the risk, and cost effective


Lifecycle of Key Risk Indicators (KRI) (Figure 1.)[5]
The key steps of a leading KRI program are represented in Figure 1. The cycle starts with the identification of key risks to the organisation, the risk that are significant enough to warrant active monitoring. In order to play a role in the prevention of risk, indicators must signal a rise in the level risk factors rather than counting the number of incidents that has happened. Like a KRI for car accidents is not the number of collisions (but it is rather speed, alcohol or fog), preventive KRIs capture elevated levels of what cause risks, rather than the incidents that have already occured. Understanding the causes of the risks (step 2) is thus an essential prerequisite to the identification of leading key risk indicators. However, chances are the several existing performance and controls metrics already used in the organisation can be reused and looked at in the perspective of leading KRIs (step 3). Defficient controls (red KCIs) are, by definition, indicators of elevated levels of risks. Similarly, poor performance (red KPIs) are, more often than not, announcing trouble. Once the existing metrics have be reviewed to assess whether they qualify also as KRIs, only the missing metrics need to be completed with new KRIs (step 4). KRI Desing (step 5) relate to the structure of this particular form of reporting that are the risk indicators: data source and capture, frequency of reporting and threholds, stakeholders to the process of collecting, reporting and acting on possible breaches, and governance rules in case of breaches (step 5). Finally, after a some time (1 – 2 years) of using KRIs usage, it is advisable to test their effectiveness: have they helped to prevent any incidents? (step 6).


Key Risk Indicators
Figure 1. source: Chapelle Consulting


KRI Processes[6]

  • KRI Identification
    • Identify existing metrics.
    • Assess gaps and improve metrics.
    • Identify KRIs via risk control self-assessment (RCSA)—interview business units.
    • Don’t over rely on them; focus on indicators which track changes in the risk profile or the effectiveness of the control environment.
    • Concentrate on the significant risks and their causes and consider forward looking and historical indicators.
    • Consider absolute values and numbers, ratios, percentages, ageing, etc.
    • Data on KRIs should be collated on a systematic and consistent basis in order to be meaningful, e.g., on a monthly basis.
  • KRI selection
    • Select the KRIs that are measurable, meaningful and predictive (leading indicators).
    • Gather a good mix of leading and lagging indicators for effective risk management.
    • Don’t select too many KRIs that:
    • Are too difficult to manage (track).
    • Might become unmanageable.
    • Select only the ones that provide useful information.
  • Setting thresholds
    • Determine and validate trigger levels or thresholds.
    • Based on industry tolerance or internal acceptance.
    • Board of directors should approve thresholds.
    • Should coincide with risk appetite statement.
  • KRI Tracking & Reporting
    • Periodic tracking of KRIs (monthly, weekly, depends on what the KRI represents).
    • KRIs should be reported regularly and escalation procedures should be in place (as part of the KRI framework) to ensure timely reporting to management and board.
    • Various KRIs will have different levels of escalation. When in doubt, escalate higher but don’t dump too much information on management/board because they will get overwhelmed.
    • Reporting of KRIs to head of business units by KRI owners. Head of business units then reports into risk management. Risk management reports to risk board and when applicable, the full board.
    • This can help improve corporate governance structure.
  • Risk Mitigation Plans
    • Risk mitigation plans (RMPs) should be set for High risk items.
    • Items with high severity or high frequency of occurrence need to have RMPs to mitigate risk and enhance controls.
    • Determine what is high risk by assessing control levels.
    • Track RMPs to ensure that controls are enhanced and risk is mitigated. Report on RMPs to management/board, and set target completion dates.


Methodology of Identification of Key Risk Indicators (KRI)[7]

The approach for operational KRI identification consists of five steps:

Step 1: Definition of the perimeter of risks to manage For an efficient operational risk management, the enterprise should focus on major risks. This kind of risk has a real and/or a significant potential impact on a company’s financial statements. The significance level to decide whether a risk is major or not depends on each company (revenues, results, total asset, degree of sensitivity to risks, etc.). It should be set by the top management. Thus, major risks to be followed are those whose annual impact exceeds thresholds set in fact by management. The operational risk mapping serves as a guide to which managers can refer throughout the process of identifying company’s major risks.

Step 2: Identification of KRI dashboard recipients The second step of the KRI definition process consists of the identification of the future receivers of dashboards. Indeed, appropriate indicators should be made available to the recipients according to their functions. Relevant good practices recommend sending to each operational manager key indicators related to risks within his scope of intervention. These indicators must be aggregated on the basis of the hierarchy level. Furthermore, they need to be available for risk manager, if there is one in the company, for internal controllers and auditors to target their checks.

Step 3: Identification of actors that would participate in indicators’ definition workshop For a successful exercise of KRI identification, it is important to involve managers who would exploit indicators in the identification workshops. All operational managers who are responsible for managing and tracking major risks must be identified and invited to attend training sessions. The main goal of those sessions is to explain the objectives of the KRI system, the methodology for the indicators identification and thresholds setting up. The risk manager should also attend this training session in view of the important role he will play in the indicators and thresholds definition.

Step 4: Training of actors (designated in step 3) in KRIs identification methodology Designated actors need to go through a training session dealing with identification of risk indicators process. This session should focus on:

  • Definition of basic concepts: risk, major risk, key risk indicator, exposure indicator, proven risk indicator, environment indicator, specific indicator;
  • Presentation of the objectives regarding the set-up of operational key risk indicators system;
  • Presentation of the methodology for identification of key risk indicators and their thresholds (see step 5 below);
  • Identification of people that would exploit these indicators but also those that would set up and control the KRI system;
  • Presentation of the templates for KRI dashboards to produce.

Once the training session completed, a planning for holding indicators’ identification workshop should be put in place.

Step 5: Holding the KRI identification and thresholds definition workshops in accordance with the predefined planning As said above, there are two types of indicators namely, exposure indicators and proven risk indicators, calculated prior to or after risk occurrence. In order to identify exposure indicators, it is recommended to proceed as follows:

  • Identify potential sources of each selected major risk;
  • Determine the indicator that would quantify each identified source of risk.

As far as proven risk indicators are concerned, the approach for indicators identification is as follows:

  • Identify consequences of each selected major risk;
  • Define indicator that would quantify each identified consequence of risk.

However, it is possible to combine the two types of indicators for one risk in order to ensure effective monitoring before and after the occurrence of risk.


Mapping Risks to KRI (Figure 2.)[8]
Managing risks is about managing the chain of:

  • Detecting/predicting threats/opportunities
  • Estimating the chance that they will happen (their probability)
  • Controlling the impact/outcomes

Normally, we cannot map all these aspects of the risk in one KRI, so we will normally need 3 indicators:

  • Indicator that would measure probability
  • Indicator that would measure the impact
  • Indicator that would measure action plan

For example, for such KRI as “Poor mentoring of employees” we would have: Time spend on mentoring per week, hours. This indicator estimates risk probability, the less hours one spends mentoring others, and the more likely the company will face this risk. Employee engagement index, %. This indicator helps to understand the impact of poor communication. Less mentoring means less engagement from the part of employees. Action plan: improve mentoring procedures; relevant indicator might be something like “Leadership training passed, hours.” We need to teach managers a proper leadership paradigm that would include mentoring.


Mapping Risks to KRI
Figure 2. source: BSC Designer


Role of Technology in Effectively Measuring and Managing KRIs[9]
Given the advances made by technology today, it is imperative to leverage it to look at different indicators in context of the risk data being collated for an organization. If the organization is already using a risk management system, then it has its risk and control assessment data, issue data, and can combine existing KRIs effectively.

  • Technology enables the measurement of different risk categories, metrics, and even occurrences. The system is not only for risks, it can also be used for asset classes, objectives, controls, processes, business entities etc. Once these are established, one can define thresholds (such as green, amber and red) – which represent rising and dropping indicators, both critical and non-critical. Reporting and dashboards make it easy to see critical areas for analyses, thresholds – breached or otherwise.
  • Technology can be used to create a comprehensive story when KRI thresholds escalate. Automating KRIs to give them longer lives, track remedial action when KRIs are escalated, track follow ups – are some of the options available when technology is harnessed. Using technology also makes it easier to explain to regulators the actions performed, and the situations that mandated them, since it leaves an audit trail which reveals these details clearly.
  • Risk management strategies can also be realized for specific, measurable, relevant and timely actions and responsibilities. Towards this objective, it is essential to understand KRI standards and measurement specifications. Furthermore, it is essential to determine the organization’s analytics providers and the metrics consumers through various tools and resources.
  • One of the biggest benefits of leveraging technology to manage KRIs is that it does away with manual efforts, which can be time consuming and cumbersome. Technology supports manual and automated data collation methods, enables easy definition of thresholds, and tracks issues and actions for breaches. It provides a single interface to define KRI, KPIs , KCI (Key Control Indicators) and risk appetites. It is possible to track metrics for causes, consequences and risks and these are easily accessible to personnel studying these within the organization. It is also easy to relate KRIs, KPIs and KCIs to anything in the organization’s GRC library of content.


Benefits of Key Risk Indicators (KRI)[10]
The constant measure of KRI can bring the following benefits to the organization:

  • Provide an early warning: a proactive action can take place
  • Provide a backward looking view on risk events, so lesson can be learned by the past
  • Provide an indication that the risk appetite and tolerance are reached
  • Provide real time actionable intelligence to decision makers and risk managers


Management Challenges in Development of KRI Library[11]

  • Lack of standards and best practices—For better or for worse, the SMSIs look at the many operating methods and controls used successfully by other institutions. The SMSI often scales for its environment the more advanced management techniques of larger institutions. Until KRI practices mature and become time-tested, each institution will have to continue experimenting with different risk indicators to determine which are effective and manageable.
  • Management Awareness—The control measures that get the most attention and support are those that senior management understand and expect. Because the concept of an enterprise-wide KRI library is still very new to the industry, many senior managers are unaware of its value, let alone its design, so they are hesitant to allocate scarce resources to develop such a program.
  • Speed of change—Technology changes at an extremely rapid pace, so risks that may be embedded or inherent within a given technology today may increase or decrease with successive versions or developments. KRIs that are linked to a specific technology or even technology-centric process need to be routinely reevaluated any time that the underlying technology goes through a major revision.
  • Control measures—Before effective KRIs can be designed and implemented, the institution must be able to clearly establish its internal control measures. An organization that is not confident in its control measures cannot build “status” measures around them. Fortunately, many institutions have gone through extensive exercises to document key control measures as a part of their compliance programs, particularly those subject to the Sarbanes-Oxley Act. These controls often serve as the foundation for determining active risk indicators.
  • Lack of a process “decay” period—Some aspects of technology can be effectively monitored for subtle changes or degradation. Others defy monitoring. They can move very quickly from a stable state in which nothing is happening to one of dramatic change. For example, the lack of any computer viruses on the internal network can be routinely monitored, but a virulent computer virus that suddenly penetrates the network’s defenses can’t be measured by a KRI since the environment would go immediately from “stable” to “bad,” completely bypassing “trending toward bad.”
  • Technology versus risk focus—People charged with implementing and maintaining the bank’s technology are, for the most part, focused on the technology itself and not necessarily the business risk associated with a potential failure of the technology. The development of technology-based KRIs is probably going to require the development of more mature communication channels between the subject matter experts regarding what could go wrong with the technology and what that would mean to the business.
  • Technology versus process risk—Processes dependent on technology must include the potential failure of the technology as a risk. In failure scenarios, there is a gray area because the failure could be due to the technology itself or to how the technology is used. For instance, if the mis-configuration of an externally facing router exposes the bank’s network to the public Internet, is that a technology risk or a process risk? Many technology-centric KRIs may only make sense within the context of a full KRI library to cover all operational risk areas.


See Also

Risk Management
Enterprise Risk Management (ERM)
Key Performance Indicators (KPI)
Business Continuity
Business Continuity Planning (BCP)
Disaster Recovery Planning
Key Control Indicator (KCI)
Compliance
IT Governance


References

  1. Defining Key Risk Indicator? Cura
  2. What is a Key Risk Indicator? riskbasedperformance.com
  3. Explaining Key Risk Indicator (KRI) ior-institute.org
  4. What are the Characteristics of a good Key Risk Indicator (KRI)? RiskyOps Blog
  5. What is the Life-cycle of Key Risk Indicators (KRI)? ChapelleConsulting
  6. Unterstanding KRI Processes Workiva
  7. Methodology of Identification of Key Risk Indicators (KRI) Hajar Mouatassim, Abdelmajid Ibenrissoul
  8. Mapping Risks to KRI. Defining Key Risk Indicators. BSC Designer
  9. The Role of Technology in Effectively Measuring and Managing KRIs Metric Stream
  10. What are the Benefits of Key Risk Indicators (KRI) Wikipedia
  11. What are some of the challenges that may inhibit the development of a KRI library? Eric Holmquist


External References

  • Key Risk Indicators GCOR X
  • Risk Reporting & Key Risk Indicators: A Case Study Analysis NC State
  • How Key Risk Indicators can Sharpen Focus on Emerging Risks coso.org
  • Proposal for an Implementation Methodology of Key Risk Indicators System: Case of Investment Management Process in Moroccan Asset Management Company JFRM
  • Developing Practical Key Risk Indicators for Operational Risks in Technology RMA Journal