“It is impossible to drive a car without access to metrics on factors like speed or temperature. Similarly, management requires metrics to support effective decision-making and to ensure that they steer the organization away from threats to its strategic and operational objectives.”
The Institute of Risk’s Key Risk Indicators Operational Risk Sound Practice Guidance suggests that while managers are no strangers to indicators and metrics – they use them daily to undertake their responsibilities and to aid decision-making – they should take advantage of operational risk indicators as an affordable means of monitoring risk exposure. Improved risk awareness and the basis for ‘well-informed risk operational management decisions’ will both result from a well-organised operational risk management framework (the ‘holy grail’ for operational risk management best practice).
KRIs as a business intelligence tool
The IOR’s view is that Key Risk Indicators (KRIs) should be treated as indicators applied to operational risks that an organisation might be highly exposed to, which may jeopardise the fulfillment of operational objectives or fall outside of risk appetite. Indicators may also be used to highlight the positives, such as effective internal control where they are within defined thresholds, and to provide assurance that risks are being appropriately managed to the board and stakeholders.
In such a context, in order to effectively identify which operational risks are ‘key’ the IOR would point risk professionals in the direction of its Risk Control Self Assessment (RCSA) guidance, available to download. Keys risks will be those with the largest inherent and/or residual risk exposure scores.
As a business intelligence tool, indicators can support:
- Risk monitoring, assessment, and modeling
- The implementation of a risk appetite framework
- Corporate governance and assurance
KRI desirable characteristics
Following a chapter dedicated to what indicators can be used for, the Key Risk Indicators guidance outlines what indicators’ desirable features should be. When selecting effective operational risk indicators, the advice is that they should be relevant, measurable, forward-looking (leading), easy to collect and monitor, comparable and auditable. The paper details why these characteristics are important and in each instance the factors to consider from a best practice perspective.
Setting thresholds and limits
The guidance goes on to explain the processes that can be used to select a set of indicators – considering the pros and cons of taking a top-down or bottom-up approach – and for setting appropriate thresholds and limits. “It must be stressed that as indicators are proxies, the aim is not to manage the indicator, but rather the operational risk exposures. A breach of an indicator is a signal of potential threats ahead… Limits and thresholds should reflect the implementation of the risk appetite statement cascaded down the organization.” For reference, separate guidance is available in the IOR’s Sound Practice Guidance on Operational Risk Appetite.
With thresholds set, organizations must determine responses for breach of thresholds. ‘Trigger conditions’ determine what action is to be taken and who is responsible for doing so in each instance. In addition to being linked to an organization’s risk appetite, the recommendation is that triggers should be connected to ‘the degree of sophistication required in the warning system and must consider the resource overhead (people, systems, and cost) necessary to implement more sophisticated structures.”
Risk indicator management and reporting
As a word of caution, a great deal of effort will be lost without dedicating sufficient time and resources to the management and reporting of key risk indicators. At the very least annual reviews are suggested, as a means of ensuring relevance, though optimal frequency will be determined by the nature of a business and its scale and operational complexity.
Operational risks will be subject to change, so a system for adding or changing operational key risk indicators should be implemented, together with clearly defined procedure and governance processes to control the setting or changing of threshold or limit levels.
Regarding reporting, top-line advice is that ‘where possible, operational risk indicator reports should be developed in conjunction with their intended audience, to ensure maximum comprehension and usability’ – from the board and senior divisional management to business unit or teams and support function levels accordingly. Central coordination is advantageous in ensuring consistency and the ability to compare reports or aggregate them for senior management. Full details of how indicator reports can be presented in a user-friendly way, with clear language, and with useful visual aids are provided, together with report examples.
Admittedly, effective risk indicator management and reporting can be time-consuming but according to the IOR, the resulting benefits are well worth it: “Management is effectively blind without access to the appropriate risk metrics”.