What do we mean by Key Risk Indicators and how do we identify them?

What do we mean by Key Risk Indicators and how do we identify them?

Key risk indicators (KRIs) are a fundamental part of risk management, and yet there is some confusion regarding what the term actually means. Tony and John explain what they are, and the different methods of identifying them using operational risk software.   

Taken from: Mastering Risk Management 

All indicators (sometimes known as business metrics) tell you about the state of a particular item over a period of time. They are rarely used as a single point of time data, but rather as a series by reference to previous values to detect movements whether these are by day, week, month or quarter. In risk management terms, these movements may indicated that the firm is heading towards breaching its risk appetite. 

Key risk indicators (KRIs) are a fundamental part of any comprehensive risk management framework and yet many firms seem to be puzzled and confused by them. The confusion may be less if they are called IRKs (indicators of risks which are key) or IKRs (indicators of key risks). They are definitely not ‘key’ risk indicators as this leads to far too many indicators. 

Many firms identify several hundred indicators and then try to manage their businesses by using this large number of so-called ‘key risk indicators’. However, it is highly questionable as to whether any business can truly have, or indeed manage, that number of indicators of key risks – or have the number of key risks which will give rise to several hundred indicators. 

Other firms strive for a very small number of indicators, which will tell them about the well-being of the firm overall. This is clearly a good place to start – however, it shouldn’t stop there.  Indicators are one of the three fundamental processes of risk management. Indicators of risks which are key can provide vital early warning signs to enable threats to the business and its objectives to be managed before they happen. Such indicators are typically called ‘leading’ or ‘predictive’ indicators. They give the current (sometimes projecting into the future) key risk and key control levels, as opposed to historic (events) or future (risk and control self-assessments) values. 

As indicators give today’s levels of risk, they also enable trends in risks and their associated controls to be investigated and analysed. This trend analysis can help to predict events before they happen. It can also signal that escalation criteria have been breached and so trigger management action. Such criteria are often linked to the firm’s risk appetite.

Key Performance Indicators and Key Risk Indicators

It is important to differentiate between key performance indicators (KPIs) and key risk indicators (KRIs). KPIs are commonly used in business to assess the current level of performance. Perhaps the most commonly used KPI is the profitability of a business. From a risk perspective, profitability tells us about the state if the firm’s entire risk exposure and its control performance in the most recent period. However, it is a poor indicator of key risks as it tells us very little about any particular key risk and nothing about how to modify the risk exposure. The profit figure by itself gives no disaggregation by key risk (or by control performance) and therefore little opportunity to manage the firm by adjusting its risks. 

KPIs are about the performance of the business and should be linked directly to the business objectives. Examples of KPIs are: sales, revenues, profitability, total costs, staff costs, premises costs and IT costs. Some, though, can also act as KRIs. Examples could be: market penetration (risk: poor distribution network), or board and senior management turnover (risk: loss of key staff). By comparison, KRIs tell us about changes in the likelihood or impact of a key risk and can be linked to a risk and control self-assessment. 

A third set of indicators, key control indicators (KCIs), tell us about the change in the design or performance of controls and can be linked to a risk and control self-assessment. Just as with risks, KCIs are indicators of controls which are key or indicators or key controls. KCIs fall into two categories: indicators of those controls which mitigate individual key risks and indicators of those controls which mitigate a number of risks. 

Approaches to KRI Identification

Management support is essential for establishing indicators of risks which are key. There are various approaches to identifying indicators of key risks and key controls. Some of these are more likely than others to attract management support and drive. 

They are: 

• Using a blank sheet of paper
• Using existing management information
• Using an existing risk and control self-assessment

Blank sheet of paper 

Many firms start their identification of KRIs with a blank sheet of paper and setting down all the indicators they are able to articulate. This has the advantage that there are no preconceptions, but it ignores any previous risk management work, in particular risk and control self-assessment. 

Existing management information

Using existing management information has several advantages: 

• It uses business metrics which are well known and understood. This means that senior management will be comfortable and more willing to take decisions based on the KRIs.
• The data are more likely to be accurate as they are in current use.
• There is an implicit link to identified risks and controls as most managers intuitively know their major risks and the controls that mitigate them. This intuitive knowledge leads to a natural match between the information used to control the business and the risk profile of the business, as represented by the risk and control self-assessments.

However, there is no explicit link to specific key risks. It is therefore harder to identify the indicators of key risks from indicators of normal risks. This approach also makes it difficult to identify which indicators are significant, although it can be argued that all metrics that are used on a monthly basis by senior management should be significant. 

Existing risk and control self-assessment

This approach has the advantage of using risk and control data which have already been agreed and are linked to the business objectives (or processes), assuming these have been used to identify the risks and controls. It therefore builds on previous risk management work and reinforces that work as being valuable and key in its own right. 

Identification of key risks is relatively easy with this approach. Typically, a key risk is identified as a risk with an inherent high-impact score and an inherent high-likelihood score. If this approach identifies only a few key risks, it can be expanded to include all risks which have a high impact, with no attention being paid to the likelihood score. 

Having defined the key risks, it is then easy to identify one category of key controls, i.e. any control which mitigates a key risk. Another category of key controls is any control which mitigates several risks, since the failure of this control may have significant effect on the firm. 

Having identified the key risks, it is now relatively easy, using knowledge of the business, to identify indicators of the key risks which tell you about the changes to their likelihood or impact and to the design of performance of a key control. A good indicator will be easy to access and easy to understand. Many risk indicators are already being tracked somewhere in the firm. 

Periodicity

Indicators can be tracked over various lengths of time (e.g. daily, weekly, monthly or annually). Most typically, risk indicators are recorded on a monthly basis although indicators of risks which are set at a transaction level are often daily or event intra-day. The periodicity of an indicator is largely irrelevant to using it for managing risk. Much more important is how frequently the risk changes. 

An indicator linking a risk to a daily process or activity clearly requires recording on a daily basis, and equally, an indicator linked to a risk which is annual in nature only needs recording on an annual basis. However, the majority of indicators are recorded on a monthly basis as this frequency gives the best balance between the effort required to record the indicators and good management of the risk. 

In the next blog, Tony and John talk about the links between Risks, Controls, KRIs and KCIs.

Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317    

For more information contact us today on sales@risklogix-solutions.com