Key risk indicators (KRIs) are a vital tool for monitoring the health of your organisation, but selecting the right ones can be difficult. Keeping them relevant, monitoring them and connecting them to your organisation’s risk appetite are also key steps towards a better understanding of your company’s risk exposures.
While many organisations fall into the trap of monitoring what’s easy, without thinking about what is most relevant to business strategy or risk appetite, others try too hard to monitor their risks at a granular or even project-level.
Below, we have distilled five key tips from discussions between members to help you get the most out of your key risk indicators (KRIs). The full how-to guide on setting and monitoring KRIs – including our comprehensive suite of KRIs and separate suite of risk culture metrics – can be accessed via our Intelligence platform.
1. Keep it relevant
The most important aspect to consider when defining a KRI is its relevance to the organisation’s strategy and overall risk appetite.
In order to ensure your KRIs meet this requirement, it is useful to have a fully defined risk taxonomy across the organisation. Not only does this paint a picture of your risk universe, it also allows you to describe and organise that universe so you can better understand which pieces of information you need in order to monitor those risks and exposures.
It is also important to remember that KRIs work best when looking at the aggregate position of the risks they are monitoring. If you try to use KRIs to manage risks at the granular level, then they will soon become too vast and too complex to manage, and any valuable pieces of information they contain will become lost.
2. Maintain proper ownership
It is also important to ensure that you have an appropriate level of ownership and accountability for your KRIs. The risk owner is usually best placed to manage the KRI related to their particular risk as they have the greatest understanding of the area in which they operate.
This means that the risk owner should be responsible for providing the monitoring information and reporting this back to the risk function.
The risk function can then perform additional analysis to bring context and insight to any reporting around the KRIs, including analysing how risks may be impacting on related risks across other parts of the organisation.
3. Update measures regularly
The more regular that data for a KRI can be gathered, the better, as it allows an organisation to build up a ‘live’ view of the risks it is facing.
Lead indicators are of particular importance because they provide a forward-looking view of the risk that can act as an early warning system for the business, meaning that changes can be made before a situation becomes a serious problem for the organisation.
In addition to regularly monitoring the inputs into a KRI, it is also important for the risk function to keep a regular eye on the relevance of different measures as the risk landscape, and the strategy of the business, evolves.
If you're interested in accessing the full KRI library, and would like to know what else Risk Leadership Network membership includes, find out more about what's happening in the network here.
4. Connect your suite of KRIs to risk appetite
A common way of using KRIs to check whether an organisation is inside or outside their established risk appetite is to plot risks (and the relevant indicators) on an appetite chart. This chart has two axes:
- how costly the risk will be to manage; and
- how big of an impact the risk could have on the business
Risks that won’t be costly to manage and have a lower potential impact on the business sit in the “green zone”; there is little point focusing a lot of attention on indicators for these risks, although you should still be aware of them.
On the other hand, risks that are costly to manage, or could have a significant impact on the business, will sit in the “orange” and “red zones”: the risk team should focus on these indicators the most and consider how to move the risks into the green zone (for example, by identifying ways to mitigate the risk).
5. Create a culture of acceptance
In addition to monitoring the KRIs, it is also important that they are acted on when necessary. This could include escalating reports to the board where risk appetite limits are being approached so that appropriate measures can be taken.
As such, it is essential that the risk function creates a culture of acceptance around KRIs so that risk owners feel confident and comfortable reporting breaches of appetite, or any changes in the risk profile of the organisation that may lead to future breaches.
If risk owners do not feel safe in making such reports, then this will only serve to create bigger problems in the future and the power of the KRIs will be lost.
If you would like to know more about our upcoming member meetings, please click here. Keen to find out how else organisations benefit from Risk Leadership Network membership? Click here to find out more.
Want a sneak peek of our KRI library?
If you'd like a sneak peek of our KRI library, which is categorised by risk topics; leading/lagging; and type of metrics used by members, enquire today about membership.
To learn more about Risk Leadership Network membership, click here.
