As organizations endeavour to achieve their objectives in the short, medium and long term, risks are constantly evolving. This means there is a high demand for relevant and timely risk information capable of helping management and the board of directors identify the entity’s various risk exposures and their effect on the corporate strategy. Risk identification, analysis, evaluation and monitoring are not a once-in-a-while process.
In today’s dynamic business environment, new risks are always emerging at the speed of light. It therefore means management and the board of directors must be able to proactively deal with the organization’s risk portfolio.
Organizations that have been successful in embracing and creating a culture of an enterprise-wide approach to managing risks have done so because they have been able to differentiate Key Performance Indicators (KPIs) from Key Risk Indicators (KRIs).
KPIs are measures of performance, both financial and non-financial, that help an organization see where it is coming from and where it is going, hence we have lagging and leading indicators.
Examples of KPIs could be weekly, monthly, quarterly or annual sales, cost of sales and margins. These measures, for example, help management identify operational units that are under-performing and those that require additional investment in resources, but they do not describe the bigger picture of old and new emerging risks.
On the other hand, Key Risk Indicators (KRIs) provide timely leading-indicator information about new emerging risks. They signal potential risks from internal operations of the organization or those from external events such as macroeconomic imbalances that have a bearing on the demand for the entity’s products or services.
It should be noted that KRIs do not only signal threats to the organization’s corporate strategy and existence, but also the potential opportunities that abound and the necessary actions required to be taken.
In order to develop effective KRIs, management and boards need to link organizational objectives to strategies, strategies to risks, and risks to KRIs. With the advent of big data, fine-tuning this data into meaningful information is a much-required capability for organizations to survive in this competitive and constantly changing business environment.
It is therefore paramount that management are capable of identifying only those metrics that are relevant and provide useful information about potential risks and their impact on the achievement of organizational objectives. Failing to grasp the company’s objectives and the risk-related events is a recipe for disaster.
By mapping key risks to strategies, management and boards are in a better position to identify the most important leading KRIs and become less distracted by other information that is less relevant for achieving the organization’s objectives.
Furthermore, performing root-cause (chain of events) analysis also helps management and boards develop effective KRIs. This can be achieved by analyzing all risk events that have had an impact on the business either in the past or at present and then working backwards to identify the root causes and intermediate events of the loss or lost opportunity. This process will enable management to proactively take action and respond to various risk events.
When developing KRIs, it is very important that management and boards evaluate their sources of information in terms of timeliness, reliability, quality, uniformity, cost etc. Care should be taken that subject matter experts within the organization are not biased towards existing risk metrics already in use.
Internal data related to prior risks is typically unavailable for many risks and hence is of limited use. The data is only part of the whole. In this regard, external sources may be helpful in identifying potential risks not yet experienced by the organization.
Well-designed Key Risk Indicators (KRIs):
- Are based on established practices or benchmarks
- Are developed consistently across the organization
- Provide an unambiguous and intuitive view of the highlighted risk
- Allow for measurable comparison across time and business units
- Provide opportunities to assess the performance of risk owners on a timely basis
- Consume resources efficiently
Effective development of KRIs will benefit the organization in the form of:
- Better articulation of risk appetite and tolerance levels
- Improved risk and opportunity identification
- Better risk treatment by defining limits to certain actions
- Improved risk reporting
- Improved performance
- Improved processes
- Improved workplace environment
By effectively developing KRIs, management and boards are better positioned to become proactive as opposed to being reactive when it comes to enterprise risk management.
Source: Developing Key Risk Indicators to Strengthen Enterprise Risk – COSO