This post continues my “essence of ERM” series. The goal of this series is to address all manner of risk management topics in small sensible components. I’m writing this series to help make risk management a practical tool for organizations of all types.
This post is about key risk indicators.
There are two common types of metrics that management might use. One is the key risk indicator (KRI) and the other is the key performance indicator (KPI).
Key performance indicators are intended to establish performance goals and then help management focus on those processes that are not delivering desired results. As an example, management might establish a KPI to limit waste materials to <.31% in a particular phase of production. Then, actual waste is periodically measured and compared to this goal. If actual measurements consistently fail to meet the KPI, then the process should be reviewed and corrected. It is intended to be a historical measurement.
Key risk indicators, on the other hand, are intended to warn management if risk levels are increasing. COSO published a thought leadership paper in 2010 on key risk indicators. It’s a pretty good document and I recommend it.
What I want to address here is how to actually put this concept into use. A challenge that I’ve run into is that management is not naturally attuned to focus on risk events. When asked to come up with a list of risk events that might impact some activity, management often responds with “Well, um, I suppose that (this or that) could happen.” You need to identify these risk events in order to then identify leading indicators (KRI) that might give advance warning of the risk event. The problem is that you’re asking management to poke holes in their own strategies. That’s not something that anyone readily wants to do.
Instead, consider asking management about the key assumptions (rather than the potential risk events) in their strategy. I have had great success here. Management is usually much more able to talk about these assumptions. Given a few minutes of thought, they might identify assumptions like the ability to hire adequate staff for the new production facility or the general growth in consumer demand. Further, it is easy to get management to agree that these assumptions, while valid and reasonable at the moment, could decline or fail to materialize over time. We can’t be 100% sure. That’s the nature of assumptions – they are often outside of our immediate control. Management can relate to this concept.
So we turn these assumptions into KRI. We track these assumptions over time. If any significant assumption declines or fails to materialize then any strategy that relied on this assumption should be reevaluated. Management is, in essence, receiving advanced warning that the risk level (the unpredictability) of that particular strategy is increasing because the assumptions on which the strategy is based are no longer valid.
Focusing on key assumptions is attractive because management can relate to it. It’s also very transparent. The assumptions can be discussed and agreed-upon in advance of the strategy’s execution. If the external assumptions fail to materialize it’s no one’s fault – everyone had already agreed that the assumptions had been valid at the time. There is no incentive to hide the problem. Just go back and adjust the strategy to take advantage of knowledge that simply didn’t exist before. And establish newly revised assumptions that you will once again monitor.
The essence is that key risk indicators are most easily understood when tied to strategic assumptions. Keep it simple and link this concept to strategy setting in a way that is transparent and non-threatening.
You can read more about my view of risk management (which I call Performance Risk Management) at Risk Leader (rskldr.com).