KRIs – Driving business value from operational risk data

Much ink is currently being spilled about Big Data, artificial intelligence (AI) and machine learning (ML) within the operational risk discipline. In time, certainly, these technological approaches to processing operational risk data will have a role to play. However, today’s reality is that many financial services firms are not getting the most out of the data that is already available to them – including key risk indicator (KRI) data. Firms are not using operational risk data to drive real business value.

This is the second blog in a four-part series that explores how operational risk professionals should be getting a great deal of additional business value out of their data – enabling their organization to flourish. The first blog explored how RCSA data can be used to better understand the effectiveness of the control environment. This second blog examines how looking more closely at KRI data can provide a better understanding of which risk controls are predictive.

Examining control types

To begin with, there are four different control types that organizations can have:
• Directive – these are controls that apply before a risk occurs, and are focused on policies and procedures
• Preventative – these are also controls that apply before a risk occurs, and they are often automated
• Detective – these are controls that apply after a risk occurs, and are designed to identify that a risk event has taken place
• Corrective – again, these are controls that apply after a risk event takes place, and are designed to “put things right”. For example, they can include disaster recovery.

The first two control types here are able to reduce the likelihood that a risk will occur. The second pair will reduce the impact of a risk event once it has happened. It’s good practice for firms to have all four control types in place for each risk they have identified within their risk register, although this is not always possible. It’s also a good idea to have at least one KRI on each control, to be able to monitor its effectiveness.


Creating KRIs that add value

However, when it comes to indicating the likelihood of a risk event happening, not all KRIs on controls are equal. Only KRIs on likelihood controls are able to serve as true early warning signals to firms, and of the two types – directive and preventative – only preventative control KRIs are real indicators that can tell firms about the state of a control that can stop a risk from happening.

KRIs on impact controls, on the other hand, are only able to tell firms about the effect of the risk event on the firm once the event has taken place. As a result, detective and corrective control KRIs will only tell firms about the state of controls that reduce the impact of a risk. They cannot, by their very nature, tell a firm how likely it is that a risk event will take place.

The team responsible for the enterprise risk management framework can provide more value to firms by ensuring they have KRIs in place that are predictive – that focus on preventative controls – and that they report on those KRIs to their key stakeholders. By focusing in on these predictive KRIs in risk reporting, and educating stakeholders about the different purposes that KRIs serve, operational risk teams can reduce confusion about what KRIs are actually saying. They can also help their firms better anticipate potential risk events, and make better choices about investment in their control environment.

Firms should also have KRIs on impact controls – both to monitor the effectiveness of the control and to help firms anticipate the size of a loss that could occur. These indicators, with the right GRC tools, could help a firm become more resilient. However, stakeholders need to be educated about how these differ from predictive controls.

The next blog in this four-part series will examine how operational risk management teams can better use the data created by loss event data collection programs. The final blog will explore how firms can undertake a useful cost-benefit analysis of their control environment using data they already have.

To learn more about how your firm can improve its approach to KRIs and improve reporting around predictive KRIs, please contact us.
