The essence of key risk indicators

This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.

This post is about key risk indicators.

There are two common types of metrics that management might use. One is the key risk indicator (KRI) and the other is the key performance indicator (KPI).

Key performance indicators are intended to establish performance goals and then help management focus on those processes that are not delivering desired results. As an example, management might establish a KPI to limit waste materials to <.31% in a particular phase of production. Then, actual waste is periodically measured and compared to this goal. If actual measurements consistently fail to meet the KPI, then the process should be reviewed and corrected. It is intended to be a historical measurement.

Key risk indicators, on the other hand, are intended to warn management if risk levels are increasing. COSO published a thought leadership paper in 2010 on key risk indicators. It’s a pretty good document and I recommend it.

What I want to address here is how to actually put this concept into use. A challenge that I’ve run into is that management is not naturally attuned to focus on risk events. When asked to come up with a list of risk events that might impact some activity, management often responds with “Well, um, I suppose that (this or that) could happen.” You need to identify these risk events in order to then identify leading indicators (KRIs) that might give advance warning of the risk event. The problem is that you’re asking management to poke holes in their own strategies. That’s not something that anyone readily wants to do.

Instead, consider asking management about the key assumptions (rather than the potential risk events) in their strategy. I have had great success here. Management is usually much more able to talk about these assumptions. Given a few minutes of thought, they might identify assumptions like the ability to hire adequate staff for the new production facility or the general growth in consumer demand. Further, it is easy to get management to agree that these assumptions, while valid and reasonable at the moment, could decline or fail to materialize over time. We can’t be 100% sure. That’s the nature of assumptions – they are often outside of our immediate control. Management can relate to this concept.

So we turn these assumptions into KRIs. We track these assumptions over time. If any significant assumption declines or fails to materialize, then any strategy that relied on this assumption should be reevaluated. Management is, in essence, receiving advance warning that the risk level (the unpredictability) of that particular strategy is increasing because the assumptions on which the strategy is based are no longer valid.

Focusing on key assumptions is attractive because management can relate to it. It’s also very transparent. The assumptions can be discussed and agreed upon in advance of the strategy’s execution. If the external assumptions fail to materialize, it’s no one’s fault – everyone had already agreed that the assumptions had been valid at the time. There is no incentive to hide the problem. Just go back and adjust the strategy to take advantage of knowledge that simply didn’t exist before. And establish newly revised assumptions that you will once again monitor.

The essence is that key risk indicators are most easily understood when tied to strategic assumptions. Keep it simple and link this concept to strategy setting in a way that is transparent and non-threatening.

You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).

The essence of risk and opportunities

This post is about risk and opportunities.

I often hear that risk management should help an organization find opportunities as much as control potential problems. COSO says that part of risk management is the identification of events which could have a positive impact, a negative impact, or both. This concept does not work for me on multiple levels. In a future post I’ll write more about the idea of event identification. In this post I want to address a more practical strategic problem with this approach.

One of the toughest hurdles in risk management is explaining it in a way that makes it relevant to executive management. You need their support. The more that you ask executive leadership to accept concepts that are not intuitive to them, the tougher the sell. I normally describe risk management as the group of organizational activities that try to improve results by making the unpredictable a little more predictable. This usually resonates well with executive leadership. It fits their existing notion of risk management. When you start talking about risk management also being a source of strategic opportunities, I’ve found that executives start looking at you with a skeptical eye. It sounds like a salesman promising benefits that everyone knows he can’t deliver. I recommend staying away from this approach. There are other executives who are paid to identify and exploit opportunities. Maybe later you can help, but for now stay off their turf.

The essence is that linking a risk management function with the identification of strategic opportunities is a tough sell. It is hard enough to get executive management excited about risk management at its most easily understood and intuitive level. Don’t confuse the basic message with unproven claims that your executive team may find counter-intuitive.

The essence of operational risk and reward

This post is about operational risk and reward.

It’s a common understanding that you need to take on more risk in order to get greater rewards. The common context for this risk/reward tradeoff is when you’re managing a financial portfolio of investments. Highly conservative investments tend to deliver lower returns over the long run when compared to those investments that might have more risk. However, risk/reward also applies in other ways. It impacts how you manage your organization and deliver operational results.

Imagine a common operational scenario. You’re assigned a goal and you need to develop an appropriate strategy to deliver that goal. If you choose a conservative strategy you’ll get highly predictable results. It’s tried-and-true. If your assigned goal falls into the predictable results that your conservative strategy will deliver, by all means use that conservative strategy and pat yourself on the back for being eminently practical.

Conversely, if you’re handed a stretch goal then that tried-and-true strategy will not deliver it. In that situation, you need a new or revised strategy that has, at least, the potential to deliver the desired results because the conservative strategy absolutely has no chance. You must select a strategy that takes on some uncertainty; you must take on more risk. To be clear – simply taking on more risk does not in any way imply that you will automatically get greater rewards. It only means greater uncertainty. But without that uncertainty you may stand no chance of delivering desired results.

The essence is that risk and reward are definitely related. Conservative strategies deliver predictable results. If you need to provide more aggressive results, you need a less conservative strategy that has the potential to deliver those results.
