12 Important Factors to Consider When Developing Effective Key Risk Indicators
By Carol Stern, FLMI, AIRC, ACS
Senior Consultant, First Consulting & Administration, Inc.
In working with companies over the past year to help implement their ERM frameworks and also prepare to file a report for the Own Risk & Solvency Assessment (ORSA) requirements, we gathered some expertise and knowledge about the development of key risk indicators. These 12 Factors are useful to all companies in assessing whether their risk monitoring has any gaps. Both the compliance and risk management departments should be involved in this gap analysis and work together to improve the process of monitoring risk by creating and reporting with effective Key Risk Indicators.
Key Risk Indicators (KRIs) can be defined as “measurable flags.” These quantitative tolerance ranges are set by the Corporation to indicate at what point the risk in that specific area should be reported to the governance team for action. KRIs are often called risk metrics, as they can help monitor the Corporation’s risk exposures over time. Any set of data that can serve as a “measurable flag” may be considered a KRI.
- KRIs should be based on well-established practices or benchmarks, or metrics already available or being captured.
- KRIs should be developed initially to allow risk owners the ability to assess their risks against the overall risk profile of the Corporation.
- KRIs should be monitored consistently across the organization and provide the risk owner and governance teams with the best possible unambiguous and intuitive view of the highlighted risk.
- KRIs must be monitored continuously once they are in place.
- KRI tolerance ranges can be color-coded – such as green, orange, yellow and red – to alert the governance teams to changes in the risk level. Green would indicate the lowest risk level, and red would indicate the highest. An example is presented here:
|This Footprint shows the trending of the overall risks for probability and impact. It's a good snapshot to give management of picture of the risk categories that need immediate mitigation and attention. In this example Risk A-I are all in green, which is what all companies hope to achieve.|
- A KRI entering the orange or yellow tolerance ranges can prompt a more intensive analysis of the risk. A KRI that goes red should trigger immediate review, escalation and management action, according to predetermined plans. However, in some instances due to changing circumstances, a revision to the tolerance range itself may be the right action to take.
- KRIs can be used to measure risk appetite in action if the Corporation maps them effectively.
- KRIs can be one of the effective tools to help create risk reports for the governance teams and the Board of Directors.
- Monitoring KRIs allows the Board and management to “pre-actively” adjust strategies in advance of risk events, to help reduce the likelihood of risk event surprises.
- Monitoring KRIs provides management the opportunity to modify strategies when the risk event occurs, and thereby reducing the impact of the risk on the organization.
- There should be a relationship among goals, key performance indicators (KPIs) and KRIs, so that the KRIs can become an early warning system for long-term corporate objectives which might be in jeopardy.
- KRIs must serve the Corporation dynamically and will be revised, improved or eliminated as goals and risks change and new risks arise.
Risk Monitoring and Reporting
Once a company has created an effective risk report with a footprint and KRIs for all existing risks, this report should be routinely distributed to the senior management risk committee and the Board of Directors. To ensure proper management of risks at a strategic level, the company should be monitoring using not just KRIs, but also risk assessments and regular risk reports. With these in place, the Company will assure that:
- New risks to the Company are identified and considered;
- Existing risks are monitored to identify any changes which may impact the Company;
- Risks have been properly assessed and recorded in the risk report together with relevant information such as existing risk controls;
- An appropriate person has been nominated for all new risk controls and new risk controls are being implemented according to the planned schedule; and,
- Existing risk controls are still in place and operating effectively.
This monitoring and reporting process is essential in established a strong and effective ERM program.