For many people, risk management helps companies make sure that their compliance risks are monitored and that they have controls in place to take care of them.
Personally, I strongly believe that risk management is much more than that – it helps companies really steer their business, avoid roadblocks, seize opportunities, and react appropriately.
Key Risk Indicators (KRIs) are indicators of the possibility of a future adverse impact on the organization. They serve as an early warning system to the stakeholders and enable preventive action to be taken directly on the risks and opportunities flagged.
In that sense, they can be any value that is worth tracking in relation to a risk:
a date (like the date of last review of the risk)
a number (number of near misses)
a percentage (percentage increase in customer returns)
And they can vary from risk to risk.
Most often, it is the trend and changes that will be monitored because these can indicate a deterioration of a situation or can point out that the mitigation strategy in place is no longer effective.
To my mind, there are no restrictions on when to use KRIs. As soon as a risk event is identified and considered sufficiently critical to be followed, then an indicator can be defined to monitor it.
This will also help the risk owner to focus on the risks that require extra attention.
With that said, comes the “not so easy” part – how do we design them so that they’re effective?
Designing an Effective KRI
Here I believe that a combined effort between the business users and the IT experts proves the most effective. The business users know best what information indicates that additional action is required on a risk, and IT experts often know best what information is available (or can be made available) and at what frequency it can be refreshed. The question of the frequency is crucial and should really be discussed between the business and IT: a KRI that isn’t refreshed periodically might give a false indication.
Aligning these two profiles gives the KRI the best possible design and, where the value is already available in a system, allows it to be automated, reducing effort by avoiding duplicate data entry.
Food for Thought
Here are a few best practices that I’ve seen implemented across different organizations and that I think can be applicable to many:
KRIs need to be simple enough to be understood by every stakeholder – nobody should need to be an expert to understand the resulting value, as actions might be required based on it.
To truly support the decision-making process, one must ensure that KRIs are quantifiable so that they can be used in threshold monitoring and therefore trigger appropriate escalations.
Most of all – there’s no need to create more KRIs than necessary. Too many false positives will dilute the true notification and weaken the overall monitoring process.
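To make the three points above concrete (refresh frequency, quantifiable thresholds, and trend monitoring), here is an added example that is not part of the original post. It evaluates a few constructed KRIs of the kinds listed earlier (a count, a percentage, and a date-derived value); the KRI names, thresholds, refresh periods and the "three consecutive increases" trend rule are illustrative assumptions, not a standard.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class KRI:
    name: str
    threshold: float      # value at or above which an escalation is triggered
    max_age_days: int     # agreed refresh frequency; an older reading is stale
    history: list         # readings, oldest first, as (as_of date, value)


def evaluate(kri: KRI, today: date) -> dict:
    """Return the monitoring status of one KRI as of `today`."""
    as_of, value = kri.history[-1]
    age = (today - as_of).days
    # A reading older than the agreed refresh period is not "green", it is
    # unknown: reporting it as fine would be the false indication the post warns about.
    if age > kri.max_age_days:
        return {"kri": kri.name, "status": "stale", "age_days": age}
    if value >= kri.threshold:
        return {"kri": kri.name, "status": "escalate", "value": value}
    # Trend rule (assumed): three consecutive increases flag a deteriorating
    # situation even though the threshold has not been crossed yet.
    recent = [v for _, v in kri.history[-4:]]
    if len(recent) == 4 and all(b > a for a, b in zip(recent, recent[1:])):
        return {"kri": kri.name, "status": "deteriorating", "value": value}
    return {"kri": kri.name, "status": "ok", "value": value}


def evaluate_all(kris: list, today: date) -> dict:
    """Map each KRI name to its status so a dashboard or escalation job can act on it."""
    return {r["kri"]: r["status"] for r in (evaluate(k, today) for k in kris)}


# Constructed sample readings (not real data).
SAMPLE_KRIS = [
    KRI("near_misses_per_month", 5, 30,
        [(date(2024, 1, 31), 1), (date(2024, 2, 29), 2),
         (date(2024, 3, 31), 3), (date(2024, 4, 30), 4)]),
    KRI("customer_returns_increase_pct", 10.0, 30, [(date(2024, 4, 30), 12.5)]),
    # Date-type KRI expressed as a number: days since the risk was last reviewed.
    KRI("days_since_risk_review", 180, 30, [(date(2024, 2, 1), 200)]),
]

if __name__ == "__main__":
    for name, status in evaluate_all(SAMPLE_KRIS, date(2024, 5, 10)).items():
        print(f"{name}: {status}")
```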