Much ink is currently being spilled about Big Data, artificial intelligence (AI) and machine learning (ML) within the operational risk discipline. In time, certainly, these technological approaches to processing operational risk data will have a role to play. However, today’s reality is that many financial services firms are not getting the most out of the data that is already available to them – including key risk indicator (KRI) data. Firms are not using operational risk data to drive real business value.
This is the second blog in a four-part series that explores how operational risk professionals should be getting a great deal of additional business value out of their data – enabling their organization to flourish. The first blog explored how RCSA data can be used to better understand the effectiveness of the control environment. This second blog examines how looking more closely at KRI data can provide a better understanding of which risk controls are predictive.
Examining control types
To begin with, there are four different control types that organizations can have:
• Directive – these are controls for before a risk occurs, and are focused on policies and procedures
• Preventative – these are also controls for before a risk occurs, and they are often automated
• Detective – these are controls for after a risk occurs, and are designed to identify that a risk event has taken place
• Corrective – these are also controls for after a risk event takes place, and are designed to “put things right”. For example, they can include disaster recovery.
The first two control types here are able to reduce the likelihood that a risk will occur. The second pair will reduce the impact of a risk event once it has happened. It’s good practice for a firm to have all four control types in place for each risk it has identified within its risk register, although this is not always possible. It’s also a good idea to have at least one KRI on each control, to be able to monitor its effectiveness.
Creating KRIs that add value
However, when it comes to indicating the likelihood of a risk event happening, not all KRIs on controls are equal. Only KRIs on likelihood controls are able to serve as true early warning signals to firms, and of the two types – directive and preventative – only preventative control KRIs are real indicators that can tell firms about the state of a control that can stop a risk from happening.
KRIs on impact controls, on the other hand, are only able to really tell firms about the effect of the risk event on the firm once the event has taken place. As a result, detective and corrective control KRIs will only tell firms about the state of controls that reduce the impact of a risk. They cannot, by their very nature, tell a firm about how likely it is a risk event will take place.
The team responsible for the enterprise risk management framework can provide more value to firms by ensuring they have KRIs in place that are predictive – that focus on preventative controls – and that they report on those KRIs to their key stakeholders. By focusing on these predictive KRIs in risk reporting, and educating stakeholders about the different purposes that KRIs serve, operational risk teams can reduce confusion about what KRIs are actually saying. They can also help their firms better anticipate potential risk events, and make better choices about investment in their control environment.
Firms should also have KRIs on impact controls – both to monitor the effectiveness of the control and to help firms anticipate the size of a loss that could occur. These indicators, with the right GRC tools, could help a firm become more resilient. However, stakeholders need to be educated about how these differ from predictive controls.
The next blog in this four-part series will examine how operational risk management teams can better use the data created by loss event data collection programs. The final blog will explore how firms can undertake a useful cost-benefit analysis of their control environment using data they already have.