Performance and risk indicators are essential business measurements that make a significant difference to how organizations are governed. Measurements provide insight into the way an organizational system operates, using metrics that are translated into KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators).
When metrics measure the achievement of a desired state they become performance indicators. A KPI expresses the achievement of the desired level of results in an area relevant to the organization, and in doing so it shapes the organization's behavior. For example, air pollution may be just a metric, but for an organization that is concerned about reducing the environmental impact of its production process it becomes an important KPI for the HSSE department.
When metrics provide early warning of increased risk exposure in certain areas, they become key risk indicators. By monitoring KRIs, the organization identifies the problem they express early on, and can take a proactive approach to mitigating the risk before the event occurs and has more serious consequences. For example, a large percentage of customers in financial difficulty can be a KRI, as it indicates how large the company's exposure to its clients is: many customers with financial problems can affect the organization's cash flow. Essentially, KRI monitoring is a key enabling structure and an active link between risk management, strategy and target setting. Every organization pursues different aims to add value, and should recognize the level of risk it is prepared to accept in doing so.
Below is an example of a KRI classification proposed by Dr. A. Chapelle that can help the organization choose the most appropriate indicators.
Good KRIs therefore act as an early warning system, giving management enough time to consider the range of options for preventing a much bigger problem. They draw attention to issues and speed up decision making before the bad consequences start to pile up.
What do we have to bear in mind when designing and reporting KRIs?
The most common failing of alarm systems is that people do not respond properly because they do not know what the indicators mean or what their significance is. If a KRI indicates there is an issue and nobody cares, pays attention or believes in its value, there is little point in putting in the work to collect the data and produce the report in the first place.
To ensure that the KRIs can make a real difference in your organization and will not create false assurance, here are the features to identify, select and design effective KRIs:
- Early warning sensors
  - Signal changes in risk: an increase in probability or in impact, before the risk materializes.
- Must address risks, not events
  - KRIs are metrics capturing risk drivers, or proxies of those drivers.
- Specific to each activity
  - Specific to each risk, and to the particular weaknesses and culture of different institutions.
  - One size does not fit all.
- Best identified via data analysis and experience
  - Business experience compensates for a lack of data.
  - Data analysis confirms business intuition and uncovers other effects.
- May need heavy data collection
  - There is a trade-off between the value of the information collected and its cost of collection.
  - Better if automated.
- Must be easy to use and timely
  - Should match the cycle of the activity.
- Must help business decisions
  - The rules of reporting apply to KRIs: only keep reports that actually influence business decisions.
- Thresholds linked to risk appetite
  - Typically a lower threshold for core business (low risk), but not always.
  - A target reliability of (about) 100% does not mean 100% for every indicator, only for the set of indicators collectively.
- Must be back-tested for validity
  - How do you know it works? An essential question in risk management.
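The three properties that lend themselves to a concrete check are "thresholds linked to risk appetite", "early warning" and "back-tested for validity". The following added example (not from the original article or from Dr. Chapelle's classification) takes the page's own KRI, the percentage of customers in financial difficulty, rates it against amber/red thresholds that stand in for a risk appetite statement, and back-tests a monthly history of the indicator against a list of loss-event months to see whether warnings actually preceded events. All data, thresholds, the 60-day overdue cut-off and the two-month lead time are constructed assumptions for illustration.

```python
"""Toy KRI monitor: threshold rating tied to risk appetite, plus a back-test
of whether indicator breaches actually preceded loss events.
All sample data below is constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    """Threshold pair expressing risk appetite: amber = watch, red = act."""
    amber: float
    red: float


def rate(value: float, t: Thresholds) -> str:
    """Map an indicator value to a traffic-light rating."""
    if value >= t.red:
        return "red"
    if value >= t.amber:
        return "amber"
    return "green"


def share_in_difficulty(customers: list, overdue_days: int = 60) -> float:
    """KRI from the article: percentage of customers in financial difficulty.
    'Difficulty' is proxied here (assumption) by receivables overdue by more
    than `overdue_days`; the KRI captures a risk driver, not a loss event."""
    if not customers:
        return 0.0
    hits = sum(1 for c in customers if c["days_overdue"] > overdue_days)
    return 100.0 * hits / len(customers)


def backtest(indicator: list, events: set, t: Thresholds, lead: int) -> dict:
    """Back-test the indicator against known loss-event periods.

    A hit is an event preceded by a non-green rating in the `lead` periods
    before it; a miss is an event with no such warning; a false alarm is a
    warning not followed by an event within `lead` periods (a warning in the
    same period as an event is counted as late rather than false)."""
    ratings = [rate(v, t) for v in indicator]
    warned = {i for i, r in enumerate(ratings) if r != "green"}
    hits = {e for e in events
            if any(i in warned for i in range(max(0, e - lead), e))}
    misses = events - hits
    false_alarms = {i for i in warned
                    if not any(e in events for e in range(i, i + lead + 1))}
    return {
        "ratings": ratings,
        "hits": sorted(hits),
        "misses": sorted(misses),
        "false_alarms": sorted(false_alarms),
        "hit_rate": len(hits) / len(events) if events else 0.0,
    }


# --- constructed sample data ------------------------------------------------
APPETITE = Thresholds(amber=15.0, red=25.0)      # assumed appetite: watch at 15%, act at 25%

SAMPLE_CUSTOMERS = [                             # one month's receivables snapshot
    {"id": "c1", "days_overdue": 0},
    {"id": "c2", "days_overdue": 75},
    {"id": "c3", "days_overdue": 30},
    {"id": "c4", "days_overdue": 90},
    {"id": "c5", "days_overdue": 0},
]

# Twelve months of the KRI (percent), and the months in which a loss event
# (e.g. a material cash-flow shortfall) actually occurred.
MONTHLY_KRI = [20, 9, 12, 16, 27, 30, 14, 10, 11, 18, 26, 12]
LOSS_EVENTS = {5, 8, 11}


def main() -> None:
    current = share_in_difficulty(SAMPLE_CUSTOMERS)
    print(f"current KRI: {current:.1f}% -> {rate(current, APPETITE)}")
    result = backtest(MONTHLY_KRI, LOSS_EVENTS, APPETITE, lead=2)
    for k, v in result.items():
        print(f"{k}: {v}")


if __name__ == "__main__":
    main()
```

Running it rates the current snapshot red (40% of customers overdue), and the back-test shows two of three events were preceded by a warning, one event (month 8) was missed, and the amber rating in month 0 was a false alarm. The miss and the false alarm are exactly the outputs a practitioner wants when answering "how do you know it works?": a missed event argues for a lower threshold or a different driver, while a run of false alarms argues that the indicator is tracking noise rather than risk.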
With all of the above in place, a useful and proven scheme for managing KRIs effectively, streamlining risk management and aligning it with best practice, is established. KRIs are like any other metrics: they are read by human beings. We may systematize them and load them with clever analytical data, but actions are taken by people, with the biases people bring. Those biases can be reduced or eliminated by adopting an internationally recognized standard such as ISO 31000, which distils the most relevant best practice from organizations worldwide. It provides principles, a framework and a process for implementing a risk management suite that allows appropriate KRIs to be identified, selected and designed.
Moreover, with due cognizance of its own internal and external context, an organization must recognize the obligations that apply to it and put in place a system of controls to achieve compliance. ISO 31000 also recognizes the importance of feedback through two mechanisms: "communicating and consulting" and "monitoring and reviewing" performance. Communicating and consulting ensures the engagement of relevant internal and external stakeholders, while monitoring and reviewing ensures that the organization keeps watching its risk indicators without falling into a false sense of assurance.
Implementing a range of risk assessment methods and Key Risk Indicators clearly contributes to the success of your organization, and measuring risk makes it faster to take preventive action. Complying with ISO 31000 also raises the bar for the individuals implementing the standard, in conjunction with having Risk Management Systems in place. Certifying against ISO 31000 through PECB ensures worldwide recognition and distinctive training.