Key risk indicators – or KRIs – are canary-in-the-coalmine metrics that can alert you to changing conditions. They are your early indication of an increase or decrease in risk exposure in various areas of the enterprise.

Organizations of all sizes can use KRIs to proactively manage risks rather than reacting after something happens. While KRIs have real potential to improve your ERM program – and executive-level engagement – there is a lack of consensus on what should be measured or what KRIs should be used for.

Why Are Key Risk Indicators Important?

In general, key risk indicators are useful because it is a practical impossibility to continually evaluate every risk in your profile.

KRIs give your organization valuable information on both internal and external threats. They help you identify early-warning signs of change so you can prioritize your efforts to address risks before they cause harm.

“You need an indicator, some kind of flag that pops up and says: ‘Look at me!’ something has changed,” explains Rob Quail, noted ERM expert and featured guest in the Risk@Work education webinar series.

Characteristics of a Good KRI

Specific KRIs will vary by company, industry, and risk profile. Here are some characteristics of strong key risk indicators:

  • Relevant: A good KRI will have a clear link to the business and have proven predictive value. If the KRI increases, you should be confident that it signals a change in that risk.
  • Measurable: KRIs should be measurable and precise. You should be able to easily quantify your metrics without digging through a lot of external noise.
  • Comparable: A good KRI is comparable to other KRIs, industry benchmarks, and other figures that help you determine if conditions have changed.
  • Actionable: Good KRIs are actionable, providing information you can use to make decisions and prioritize your resources.
  • Accessible: The data should be easily accessible, either something you are already measuring, something that would be simple to start measuring, or something that can be pulled in from an external source.
  • Consistent: A good KRI is reliable so you can track changes over time.

It’s also important that your KRIs are easy to understand. “KRIs do end up on board reports,” Quail points out. “The executive team needs to understand why and how the measure relates to the risk.”

Examples of Common KRIs

KRIs measure things like a change in impact, value, or what is considered credible. They can also measure change in external circumstances that will result in a larger threat to strategic objectives.

While your company’s specific KRIs will depend on your industry, product portfolio, and risk portfolio, here are a few common KRIs:

Financial

External financial KRIs might measure economic conditions or regulatory change. Internal financial KRIs might track changes to budgets, sales growth targets, or expenses.

Technology

Technology KRIs might track system availability, security breaches, or the number of cyberattacks over a certain period.

Operational

Operational KRIs measure things like the effectiveness of internal controls, process efficiencies, product quality, and changes to strategic goals.

Human resources

HR KRIs might track staff turnover, recruiting conversion rates, and employee engagement.

Not all KRIs are created equal. Narrow down your list of potential KRIs by focusing on those that are the best predictors of change and the easiest to measure. Regular monitoring of a curated list of strong KRIs will alert you to signs of change – positive or negative – so you can respond effectively.

Key Performance Indicator vs. Key Risk Indicator

Both key risk indicators and key performance indicators are important metrics to measure progress. But they serve different purposes in risk management and are not interchangeable.

KPIs are metrics that measure the performance of a company, usually against company objectives or performance initiatives. They are repeatable measures of achievement with a strong link to the business. For example, a company might monitor quarterly sales or total closed deals to measure performance against sales goals.

KRIs, on the other hand, are leading indicators only. Their purpose is to help predict if a KPI will be achieved. Key risk indicators tell you if you are more or less likely to meet your goals.

Note, however, that a KPI for one area can become a KRI for another because of the cascading effect of risk. A technology failure, for instance, is a common KPI. The downstream effects of that technology failure on productivity, employee engagement, reputation, and so forth, could make it a KRI for those areas.

The Role of KRIs in Enterprise Risk Management

For KRIs to be effective, they must be part of an established ERM program. Risk appetite, for example, is what establishes the thresholds that determine whether a risk is up or down. Knowing your risk appetite is an important part of an effective ERM program and is often determined in a risk workshop.

“KRIs are not entry-level ERM,” emphasizes Quail. “You already need to know your risks, their sources, and have some understanding of your appetite for each of your strategic objectives. You also have to have an executive team that likes ERM enough to want to have these conversations.”

Indeed, conversation is one of the most important benefits of ERM – and KRIs can generate a lot of productive conversation that may uncover new insights that help identify emerging risks, reprioritize efforts, or reallocate resources.

“If KRIs are not stimulating new conversations, they are of no use whatsoever to your organization,” says Quail. “Use them to build understanding of risks and help the organization drive better decisions.”
