Everything you need to know about KPIs and KRIs.
This is the second article in a three-part series entitled “How and Why to Add Key Risk Indicators to Your ERM Program.” This article discusses the different types of indicators and provides a perspective on quantitative versus qualitative approaches.
The first article provided background on indicators, along with examples and benefits of using indicators in ERM programs. The third article, which follows this piece, provides a practical 6-step process to add indicators to your ERM program today.
All three articles use example screenshots from our Essential ERM software system, but note that everything described within them can be performed manually without software (albeit with much more effort!).
Risk practitioners often consider three primary types of indicators:
The above overview of indicator types is provided for background purposes and to stimulate thought. Our advice, however, is to not get too hung up on categorizing indicators. Whether you label an indicator as a KRI or a KPI is much less important than whether or not the indicator has a strong predictive correlation to the events and outcomes that you are most concerned about. In other words, an indicator that works is useful, regardless of what you call it.
Furthermore, as discussed in the accompanying article on the 6 steps to implement indicators, we find that indicators can be useful at all stages of a risk event scenario. In this article, we recommend the risk bow tie model as an excellent framework to identify and map useful indicators. For example, indicators can be mapped to the risk event itself, or can be mapped and used to monitor root causes, pre-event mitigations (controls), post-event mitigations and consequences.
Screenshot from the Essential ERM software system showing the year-long trend of a sample performance indicator, along with its acceptable tolerance bands.
KRIs and KPIs are typically thought of as going hand-in-hand with quantitative risk. Quantitative risk is an approach to risk management that focuses on factual and numerical data, along with mathematical models and analysis methods, in order to reduce bias. A risk practitioner would first build a mathematical model that approximates the various scenarios in which root causes map to each other, precipitate risk events and affect desired objectives. An example might be the way in which changing interest rates are managed by hedging strategies and ultimately affect investment returns.
Quantitative models can be computerized and simulated repeatedly (e.g. Monte Carlo simulation) to predict probability-based outcomes, such as the probability of achieving different levels of investment returns. The power of these models is their ability to support sensitivity analysis, as different inputs and extremes are modelled. Numerically based KRIs and KPIs can play a valuable role in these models, adjusting them based on real-time values for assumptions and outcomes. As a result, KRIs and KPIs have become a core component of operational risk programs, which are typically quantitative-based.
Does this mean, however, that you must build detailed mathematical models to use and get value from KRIs and KPIs in your enterprise risk program?
No, not in our experience.
In fact, we believe that this misconception (that complex quantitative models are needed to use KRIs and KPIs) is one of the reasons that some organizations overlook them and miss out on the value that KRIs and KPIs could bring to their enterprise risk programs.
One of the main differences between ERM and operational risk is that ERM programs track higher-level (or summary-level) risks that have been rolled up for consumption by the senior leadership team and board of directors. In many cases, attempting to build detailed mathematical models for enterprise risk would involve so many levels of aggregation and assumptions that it would undermine the reliability of the analysis in the eyes of the report consumers. As a result, many ERM programs rely on qualitative risk analysis methods.
We are not saying that mathematical models are not useful in ERM, but rather that they are not essential to get immediate value from KRIs and KPIs. There are easy steps that almost all ERM program managers can take now to start getting value from indicators, while accumulating data that will be useful later in data analysis and possibly the development of mathematical models where appropriate.
One insight from quantitative risk is nonetheless helpful when considering KRIs and KPIs in ERM: indicators do not need to be thought of as binary or unidirectional. For example, decreasing values for certain KRIs do not only mean that risk events are becoming less likely or less impactful. They can also mean that key objectives associated with those risk events are now more likely to be achieved. In this way, KRIs and KPIs can be an important part of strategy execution and performance management. It is an important shift in thinking to move beyond simply preventing risk events (i.e. “make everything green”) to focus on maximizing positive outcomes based on available resources and your organization’s risk appetite.
And finally, we have found that your KRIs and KPIs themselves do not need to be quantitative to be useful. Qualitative inputs are valid forms of data and can be easily converted to numerical values for future analysis if needed. For example, an indicator can still have a strong predictive correlation with risk events, causes, mitigations (controls) and consequences, even if subject matter experts are simply asked to rate an indicator as “high”, “medium” or “low”.
This is also demonstrated through a common everyday example. Asking people to answer if the morning sky colour is “red”, “blue” or “grey” is a valid way to predict the likelihood of rain in many locations. It turns out that the old proverb about “red sky at morn, sailors take warn” (meaning there will be stormy seas when the morning sky is red) actually has a basis in science.
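The point above about “high”, “medium” and “low” ratings can be checked with very little machinery. The following is an added example, not part of the original article or the Essential ERM software: it assumes a 1-3 ordinal scale, uses Spearman rank correlation as the measure of predictive strength, and runs on constructed monthly ratings and incident counts; all function names are hypothetical.

```python
# Added illustration; ratings, incident counts and the ordinal scale are constructed.
from statistics import mean

ORDINAL = {"low": 1, "medium": 2, "high": 3}  # assumed scale, not from the article

def average_ranks(values):
    """Rank values 1..n, giving tied values the mean of the ranks they span."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        shared = (i + j) / 2 + 1          # mean of 1-based positions i..j
        for k in range(i, j + 1):
            ranks[order[k]] = shared
        i = j + 1
    return ranks

def spearman(xs, ys):
    """Spearman rank correlation: Pearson correlation of the tie-averaged ranks."""
    rx, ry = average_ranks(xs), average_ranks(ys)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    var_x = sum((a - mx) ** 2 for a in rx)
    var_y = sum((b - my) ** 2 for b in ry)
    if var_x == 0 or var_y == 0:
        raise ValueError("an indicator that never changes cannot be correlated")
    return cov / (var_x * var_y) ** 0.5

def indicator_strength(ratings, outcomes, lag=1):
    """Correlate each period's rating with the outcome `lag` periods later."""
    scores = [ORDINAL[r.strip().lower()] for r in ratings]
    if lag:  # drop the unmatched ends so rating[t] pairs with outcome[t + lag]
        scores, outcomes = scores[:-lag], outcomes[lag:]
    return spearman(scores, outcomes)

# Constructed sample: monthly expert rating and that month's incident count.
RATINGS = ["low", "low", "medium", "high", "medium", "low",
           "medium", "high", "high", "medium", "low", "low"]
INCIDENTS = [0, 1, 0, 2, 5, 3, 1, 2, 6, 7, 3, 1]

if __name__ == "__main__":
    print("same month  :", round(indicator_strength(RATINGS, INCIDENTS, lag=0), 2))
    print("one month on:", round(indicator_strength(RATINGS, INCIDENTS, lag=1), 2))
```

On this constructed data the rating correlates weakly with the same month's incidents and strongly with the following month's, which is the behaviour a leading indicator should show.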