Definition

A KRI is a measure to indicate the potential presence, level, or trend of a risk. A KRI is first and foremost a measurement tool. It can indicate whether a risk has occurred or is emerging, a sense of the level of the risk exposure, the trending of and/or changes in risk exposure. Note that KRIs provide information about a risk situation that may or may not exist and as such serves as a signal for further action. Based on the measurement, KRIs help to focus action by providing a direction to follow. A KRI can be equated to a thermometer that measures the temperature of a patient. The reading encourages the physician to delve more deeply into the condition of the patient and the reason for the high temperature.

KRIs measure the risk of the “well-being” of an organization. When effectively designed and used, KRIs have predictive value and can act as early warning signals on the possible changes in an organization’s risk profile.

Examples of KRIs

The reality is that organizations are not short of KRIs, although many times these are not identified as such. In fact, one of the challenges is that organizations have too many KRIs, resulting in the unmanageable situation of not being able to focus on the most significant ones. For example, for deposit-taking institutions such as banks in the United States and Canada, the Risk Management Association (RMA) is offering a library of KRIs consisting of thousands of KRIs relating to operational risks to their members. There is a clear need to select the ones that are most relevant to the risk being monitored and that reflect the uniqueness of the organization or business area.

Exhibit 8.1 provides some examples of KRIs. In addition to illustrating the breadth of KRIs, these measures can also exist at different levels of granularity. An example is provided in Exhibit 8.2.

The decisions on both the selection of KRIs and the level of granularity depend on the intended audience and what kinds of decisions will be driven by KRI reporting. In the above example, the top level (i.e., aggregated or generic/common) KRIs can be very useful to a Chief Compliance Officer to gain a bird’s-eye view of the compliance risk trends of an organization, while the drilled-down measures (KRIs that are specific to business units) provide more meaningful information for the Privacy Officer or Anti-Money Laundering (AML) Officer for developing tactical risk management actions.

KRI reporting, therefore, serves to provide useful management information. Common KRIs are frequently aggregated for senior management reporting; some examples include measures related to audit, compliance, staff turnover, information technology, and business continuity. On the other hand, KRIs for specific risks may just be reported at the function/business unit level. This is not to suggest that specific KRIs, without being aggregated, are never reported to senior management. On the contrary, these KRIs may be escalated to senior management’s attention when the measure meets preset criteria, in other words, trigger levels or thresholds.

Differentiation from Key Performance Indicators

Although some key performance indicators (KPIs) often serve as KRIs, it is important to understand the difference between the two types of measures. KPIs are measures that are focused on performance targets and are based on a wide range of strategic, tactical, and operational objectives. Some examples of these objectives relate to volume of business, revenue, or profitability goals, market share, and customer satisfaction. KPIs measure actual performance and as such are often “lagging” in nature.

KRIs, on the other hand, are measures that help monitor risk and involve thresholds that may warrant mitigation actions once these thresholds are triggered. They relate to specific risk(s) that are suggestive of a change in the likelihood or impact of the risk event(s) occurring. KRIs can also show the level of stress or strain under which current risk management activities may be operating. Therefore, these are measures of risk that in turn may affect performance, that is, the failure to achieve targets. Instead of focusing on achieving targets, they often involve defining threshold levels. KRIs that exceed preestablished threshold levels should trigger management attention for potential risk management actions. As such, useful KRIs should be “leading” in nature, helping to predict if a KPI may or may not be achieved. An example of a leading versus lagging indicator is:

• Lagging: Number of staff-related fraudulent incidents.
• Leading: Percentage of staff taking no vacation.

Staff in key/vulnerable positions not taking vacation increases the likelihood of fraud occurring and going undetected. It is important to note, as mentioned later in this chapter, a single measure is not a conclusive indicator that fraud will or has occurred. However, when a preestablished threshold level is exceeded, it triggers management action for further analysis.

KRIs are linked to risk, performance, and strategy. A pictorial representation of this relationship is shown in Exhibit 8.3.

Exhibit 8.3 shows that KRIs are derived from the specific risks that the organization wants to monitor, as well as the drivers of those risks. Risks themselves are determined based on the organization’s strategies and objectives. When managed ineffectively, risk can lead to performance challenges. In summary, KRIs need to be linked to strategy, objectives, and target performance levels, with a good understanding of the sources of risk (i.e., risk drivers).

Validate Organizational Planning and Monitor Performance

Given that business strategies and objectives define performance goals and targets, and that KRIs are best derived from performance goals and targets, the development of KRIs help to better define, and at times challenge, performance targets and business strategies and objectives. Deep analysis of the drivers to risk in the process of defining KRIs provides the opportunity to validate how realistic goals and plans are. As well, through monitoring KRIs, an organization is better equipped to monitor performance and its strategic plan.

With regard to an example of practical application, an organization can define KRIs as part of its strategic planning process, aligning the KRIs to its performance goals. This can also be done at the business unit level where KRIs are aligned with tactical operational goals. Monitoring KRIs enables the organization to better monitor performance through the enhanced ability to predict what may impact performance. KRIs can be included in management reporting through a scorecard tracking progress against plan.

A Canadian telecom company embarked on a KRI initiative several years ago where the project’s mandate was to identify existing metrics that could provide a forward-looking view to help better manage the business. As can be expected of a typical telecom company, it is not short of performance metrics especially ones that are system-generated. One of the areas that the company delved into was around customer churning, which was identified to have a significant impact on profitability of the business. The project team analyzed cases where subscribers left the company by reviewing customer complaints, network availability and downtimes, and events brought to the attention of senior management regarding customer dissatisfaction. They came to the conclusion that the level of customer satisfaction, or in reality dissatisfaction, was a key driver for subscribers leaving the company. In particular, they have noticed those customers who have phoned into the call center to complain two times or more are the most likely to leave the company. Once this linkage was established, this company started to tag second calls from subscribers and monitor the related metrics as an input to efforts aimed at improving customer satisfaction and financial results.

Note that in reality KPIs are frequently developed/reviewed annually based on updated strategic and/or business plans, while KRIs are developed as part of an organization’s risk management program. As such, the development of KPIs and KRIs has historically not been a coordinated process. Given an enhanced level of understanding of the application of KRIs to an organization’s planning and performance processes, there is increased potential that these measures are aligned with the strategic direction of the organization.

Enhance Operational Efficiency and Effectiveness

One of the most critical decisions of an organization is where to allocate its scarce resources to get the highest risk-adjusted return. KRIs can support operational efficiency and effectiveness by serving as an important input to resource allocation decisions. This is typically achieved through being part of a larger risk identification and assessment process used to prioritize workload such that focus is directed to areas of higher risk. See Exhibit 8.4.

Exhibit 8.4 illustrates this process. A typical risk prioritization tool consists of two conceptual components:

1. KRIs—leading risk indicators indicative of the level of risk.
2. Risk prioritization rules—reflecting how KRIs should be risk scored. Components include weightings assigned to the KRIs and decision rules around aggregating risk scores.

The output from the risk tool (i.e., the risk scores) helps to prioritize workload so that resources are dedicated to the highest risk areas.

Many organizations use risk prioritization tools, which comprise KRIs as indicated above. These include:

• Internal audit departments and compliance functions use risk models to prioritize audits or examinations.

• Health care, tax revenue agencies, and other public services use similar tools to prioritize cases and applications received.
• Financial services regulators use risk prioritization tools to prioritize their focus on supervising regulated entities.

To illustrate the use of KRIs by a financial services regulator, consider a regulatory organization that focuses on the securities industry. This organization regulates and supervises more than 200 entities and has been developing risk assessment models for each of its key departments to help guide the allocation of scarce compliance resources. These models, which include risk indicators to help predict solvency of, and business and trade conduct appropriateness at, the regulated entities, help to determine the frequency and coverage of examination efforts. Results have proven that fewer compliance resources are now needed and, more importantly, there is a higher level of confidence that this regulator is more focused on the higher risk areas within the securities industry.

Clarify Risk-Taking Expectations

Since KRIs are measurable, they help to communicate and reinforce expectations and accountability for risk management. By ensuring that KRIs are aligned with the most significant risks, an organization further clarifies the critical performance areas that need to be monitored. In addition, thresholds and escalation levels relating to KRIs reflect what is acceptable and not acceptable to management and reflect an organization’s risk appetite. KRIs, however, are not the only means to communicate risk-taking expectations. Formal articulation of risk appetite and tolerances and risk management policies are other important means to communicate risk-taking requirements and boundaries set up by management and the board of directors.

An example of how KRIs help to clarify risk-taking expectations is illustrated in Exhibit 8.5.

Monitor Risk Exposures

A more widely used application is to use KRIs to proactively assess and address shifts in risk exposure. KRIs highlight, on a more real-time basis, current risk levels, and trends and changes in risk levels over time to enable more timely actions. They provide early warning signals to trigger actions that would help to prevent or minimize material losses or incidents. In this application, KRIs are typically used in conjunction with risk and control self-assessments (RCSAs) and other risk identification and assessment tools to support the timely identification of risks.

KRIs are used by many global financial institutions to help identify and manage operational risk. A European-based insurance group initially developed 14 generic KRIs, which are reported consistently around the world. These KRIs were developed by the central risk management function at the global head office, with input from the business executives. These KRIs represent high-level risk metrics that are applied across all country units and business units and are intended to cover major operational risks. This organization sees generic KRIs as a tool to monitor and compare the risk profiles of different entities within the group. A second phase of the initiative involved developing specific KRIs that are most applicable to the different divisions and countries. As a result, the project enabled local entities and business units to monitor their own risk profiles more effectively. The central risk management function also manages the development and implementation of the specific KRIs and will independently monitor the risk profiles. Most recently, this global insurance group embarked on the initiative involving the determination of thresholds to guide escalation decisions.

The determination of threshold levels should be aligned with the organization’s risk tolerance. Frequently, thresholds are based on industry averages, historical averages, service level agreement (SLA) requirements, and management expectations. Thresholds provide tangible triggers for management action as illustrated in Exhibit 8.6. In this example, monitoring trends in customer complaints would enable an organization to better understand whether there are risks evolving that could impact the organization’s sales objectives. Different thresholds set for customer complaints will require different management actions.

Measure Risk

The use of KRIs to calibrate economic capital models is more applicable to the larger financial institutions, especially those that are required to meet risk-based regulatory capital requirements. These institutions, mostly global banks and insurance companies, are required to maintain a risk measurement system that supports the calculation of minimum regulatory capital. Factors that are forward looking and reflect the quality of the institution’s control and operating environments, for example, meaningful drivers of risk, need to be considered in estimating risk and capital. Beyond minimum regulatory requirements, financial institutions are looking to maintain the appropriate level of economic capital to protect them from “unexpected losses.” These are losses above and beyond the expected level and estimated up to a predetermined confidence level. Economic capital, therefore, represents a common measurement of risk. For these institutions, KRIs are among the inputs to calibrate capital models.

Global banks are more advanced in this area than other types of financial institutions and the use of KRIs is focused on operational risk management. KRIs are often used to adjust economic capital qualitatively (i.e., using management judgment rather than through quantitative means). For several financial institutions, enterprise-level and business unit–level KRIs are being developed and these KRIs are analyzed against operational risk information from other sources, for example, RCSA and internal audit reports.

Keep the Stakeholders and Objectives in Mind

The overriding principle for a KRI system, and, in fact, for any risk management system, is that it has to add value to the key stakeholders. These stakeholders can be both internal and external to an organization. Identifying who the stakeholders are, their needs and specific requirements, and what the KRIs will be used for (refer to the different applications discussed earlier in the chapter) is a first step toward developing a KRI framework. The specific set of KRIs and the depth of these KRIs as discussed earlier in the chapter should be aligned with stakeholders’ needs. A good indication of the degree of alignment is to ask the questions: “What decisions are to be made by the stakeholders from the organization’s risk management system?” “Do the KRIs help them make these decisions?” Keeping the stakeholders and their objectives in mind not only ensures that the selected KRIs are relevant, but that the stakeholders will be more willing to support the development and sustainability of a KRI framework.

Leverage Management Insight and Existing Metrics

As mentioned earlier, organizations typically have in place many KPIs, and likely KRIs, that they are already monitoring. Organizations should try to keep their KRI development process cost-effective by assessing the usability of existing performance metrics in a KRI system, and leverage the insight of management regarding business strategies, objectives, and performance goals in the selection of the specific set of KRIs. Engaging management in the evaluation process has the additional benefit of promoting buy-in to the use of KRIs and driving the appropriate risk culture.

However, caution should be exercised when it comes to selecting KRIs as there is inherent bias on the part of management to choose KRIs that are already in place. As such, the independent risk management function should filter the input provided by management and ensure that the KRIs chosen represent the most appropriate indicators of risks.

Have a Good Basic Understanding of the Risks

Build on the foundation of the organization’s risk management program to develop the KRI system. As an example, significant risks would typically be identified through existing processes, for example, through RCSAs. Select KRIs based on the most significant risks that have already been identified.

KRIs need to be relevant to the risk being monitored. This typically requires an analysis of the risk and its drivers to ensure there is a causal relationship between the KRI and the risk. Correlation between causes and risk events must exist and, ideally, be validated through statistical analysis, assessment of impact, and influence based on experience and expert judgment, and back-testing with empirical data.

Limit Indicators to Those That Are Most Representative

Focus on the most important risks and KRIs that have the strongest causal relationship. As mentioned earlier, the reality is that organizations often have too many performance and risk measures in place. ERM is about managing the most significant risks. A cost-effective process requires filtering through these measures to find the set that is most representative of the significant risks. The KRI framework should involve a manageable process.

Ensure Clarity in What Is Being Measured

Ensure that there is clear understanding and documentation of the definition of the selected KRIs and how exactly they are being measured. The consistency in the definition and calculation method is critical to ensuring comparability and proper aggregation. For example, when staff turnover rate is measured, there needs to be clarity on the treatment of part-time and temporary staff, shared resources, and people who are on extended leave, and so on.

Focus More on Objective Measures

Consider sources of information and, to the extent practical, select measures that are more objectively measured and that come from an external or independent source. An external or independent source does not necessarily mean that the measures have to be supplied from a third party outside of the organization. A source internal within the organization that is independent of the area being measured also has a high degree of reliability. The lowest level of objectivity will be measures derived from the judgment of individuals involved in managing the risk.

Consider the Wider Set of KRIs

The nature of KRI is such that, when used in isolation, a single KRI may not act as confirmation on the specific level and trending of risk. The main reason is that there are few, if any, leading indicators that perfectly correlate with specific risks. Therefore, meaningful analysis should involve studying several KRIs at the same time, and ensuring interpretation is put in the right context. Collectively they tell a better story about the risk being monitored.

Consider the Relative Importance of KRIs

Not all KRIs are created equal, given differences in the significance of the associated risk and the strength of correlation to the risk. After selecting the most appropriate set of KRIs, one can use threshold levels and weightings (if needed) to differentiate the degree of their relevance to the overall risk analysis.

Monitor for Continual Usefulness

Implement a dynamic process to validate the usefulness of the selected KRIs over time and make changes where appropriate. As the performance focus and risk profile of the organization change over time, KRIs currently being monitored will diminish in relevance and new KRIs will need to be identified and monitored. A process should be established to continuously review and assess KRIs being monitored.

Think Longer Term

To reduce implementation efforts, organizations may be tempted to choose KRIs based solely on the fact that they are already available or are easy to collect. Do not let short-term data constraints restrict which KRIs to use. Identify indicators that may have future value as part of a phased approach to KRI development.

Finally, it is important to look to internal and external sources to design effective “forward-looking” predictive KRIs. Exhibit 8.7 outlines some of the useful sources.

Obtaining Buy-In

It is important to understand and to communicate to the stakeholders the benefits to be gained through KRIs. Position KRIs as part of the overall ERM program and emphasize their incremental value and practical applications. When making the case for KRIs, the following examples of arguments can be made:

• Financial benefit: The use of KRIs can result in improved profitability, reduced losses or earnings volatility, additional recoveries and/or capital relief.
• Improved quality: The use of KRIs can positively impact service delivery, social responsibility, customer service, and/or reputation.
• Satisfied people: The use of KRIs can lead to better alignment of resources and skills, and more balanced workload.

Lack of Resources and Skills

Organizations may find that they lack the resources and skills to develop and implement a KRI framework and that there is no accountability for KRI implementation.

Organizations should leverage internal knowledge and engage management who understands the business and the risks, as well as technical experts in the area of risk management and KRIs, to help identify KRIs. In addition, establish clear accountability for designing, monitoring and actioning KRIs. Exhibit 8.8 lays out accountability in these areas.

Data and Technology Challenges

The effectiveness of using specific KRIs is dependent on the availability and integrity of data needed to provide the trend analyses. Consider the reliability of the internal and external data source and any limitations these have. Designing reports on the different levels of KRIs to meet the needs of the stakeholders is another consideration. Note that reporting on exceptions, rather than each selected KRI, provides a sharper focus for management action. In addition, the analysis of the KRIs (groupings rather than individual measures) and with other risk information is an important component of meaningful risk analyses and reporting.

Assess the need for a tool to collect, calculate, monitor, and maintain KRIs for cost-effectiveness purposes. The decision whether to automate the process depends on a number of factors, including the volume of KRIs, data sources, frequency of computation, complexity of calculations, the need for correlation analysis, and linkage to workflow and business tasks.

Integration with Business Activities

From a practical standpoint, integrate the use of KRIs into the organization’s business activities and overall risk management program. Ensure that the process is linked to strategy formulation, performance management, risk appetite determination, and organizational culture fostering processes. KRIs complement the other risk management tools, so analysis and reporting should be performed on an integrated basis.

Sustainability of the KRI Framework

KRIs need to be continuously reviewed to provide ongoing value. Changes in the environment, the organization’s business and operations, risks and data sources can change the relevance of specific KRIs at any point in time. It is therefore necessary to define a process and assign accountability for reviewing and updating KRIs and to conduct external benchmarking analysis where needed. In addition, it is important that business management takes ownership for monitoring and taking action on KRI information to ensure sustainability of KRI implementation.