What is the chief audit executives most logical definition of risk of loss to be used in selecting engagement Clients?

Key risk indicators, operational risk, risk mitigation—these terms pop up in most content focused on risk management. But, these terms aren't often used in a way that provides guidance on improving processes. We all need to understand what role KRIs play in risk mitigation, but do we all know how to get started turning concepts into action? This blog by Kate Strachnyi provides a substantive introduction to a realistic KRI framework that any company can use as a foundation for a robust and customized risk management strategy.

Key risk indicators defined

Key risk indicators (KRIs) are an important tool within risk management and are used to enhance the monitoring and mitigation of risks and facilitate risk reporting. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events. Operational KRIs are measures that enable risk managers to identify potential losses before they happen. The metrics act as indicators of changes in the risk profile of a firm.

Effective KRIs should be:

• Measurable - metrics should be quantifiable (e.g., number, count, percentage, dollar volume, etc.).

• Predictable - provide early warning signals.

• Comparable - track over a period of time (trends).

• Informational - measure the status of the risk and control.

Leading & lagging KRIs

Leading KRIs are measures that are considered predictive in nature. They are derived from metrics that can help to forecast future occurrences. Lagging KRIs are metrics based on historical measures. These help to identify trends in the firm.

Importance of KRIs

KRIs play an important role in risk management by predicting potential high risk areas and enabling timely action.

KRIs enable firms to:

• Identify current risk exposure and emerging risk trends.

• Highlight control weaknesses and allow for the strengthening of poor controls.

• Facilitate the risk reporting and escalation process.

• Operational risk management adds value to the firm.

Regulatory expectations

To qualify to use the Advanced Measurement Approach (AMA) to calculate operational risk capital under Basel II, the Basel Committee on Banking Supervision (BCBS) has specified detailed criteria for the use of forward-looking measures. The choice of each factor needs to be justified as a meaningful driver of risk and whenever possible, and the factors should be translatable into quantitative measures that lend themselves to verification. The sensitivity of a firms risk estimates to changes in the factors and the relative weighting of the various factors need to be well reasoned.

KRI roadmap

Below is a high-level roadmap for establishing a KRI framework:

KRI processes

KRI identification

• Identify existing metrics.

• Assess gaps and improve metrics.

• Identify KRIs via risk control self-assessment (RCSA)—interview business units.

• Don’t over rely on them; focus on indicators which track changes in the risk profile or the effectiveness of the control environment.

• Concentrate on the significant risks and their causes and consider forward looking and historical indicators.

• Consider absolute values and numbers, ratios, percentages, ageing, etc.

• Data on KRIs should be collated on a systematic and consistent basis in order to be meaningful, e.g., on a monthly basis.

KRI selection

• Select the KRIs that are measurable, meaningful and predictive (leading indicators).

• Gather a good mix of leading and lagging indicators for effective risk management.

• Don’t select too many KRIs that:

  • Are too difficult to manage (track).

  • Might become unmanageable.

  • Select only the ones that provide useful information.

Setting thresholds

• Determine and validate trigger levels or thresholds.

• Based on industry tolerance or internal acceptance.

• Board of directors should approve thresholds.

• Should coincide with risk appetite statement.

KRI tracking & reporting

• Periodic tracking of KRIs (monthly, weekly, depends on what the KRI represents).

• KRIs should be reported regularly and escalation procedures should be in place (as part of the KRI framework) to ensure timely reporting to management and board.

• Various KRIs will have different levels of escalation. When in doubt, escalate higher but don’t dump too much information on management/board because they will get overwhelmed.

• Reporting of KRIs to head of business units by KRI owners. Head of business units then reports into risk management. Risk management reports to risk board and when applicable, the full board.

• This can help improve corporate governance structure.

Risk mitigation plans

• Risk mitigation plans (RMPs) should be set for High risk items.

• Items with high severity or high frequency of occurrence need to have RMPs to mitigate risk and enhance controls.

• Determine what is high risk by assessing control levels.

• Track RMPs to ensure that controls are enhanced and risk is mitigated. Report on RMPs to management/board, and set target completion dates.

Roles & responsibilities

• Risk management

  • Create Framework and provide training

  • Guidance and challenge KRI selection process

  • Reporting/Escalation of breaches

  • Identify Trends

• Business units

  • Identify KRIs

  • Set thresholds

  • Monitor positions

  • Escalate breaches of limits to management

• Internal audit

  • Validation and assurance around KRI process

  • Incorporate output into audit plan

  • Assess control effectiveness for KRIs that were breached or yellow

Challenges

The potential challenges of establishing an effective KRI framework include:

• Getting business units to buy-in into the need for KRIs

• Demonstrating the effect (positive) that it can have on the firm overall and for each business unit

• Might result in setting aside more capital

• Identification of KRIs can prove to be difficult

• Lack of resources to track KRIs

This article is by Kseniya Strachnyi from riskarticles.com.

What are the 4 types of audit risk?

What is the most important element of the audit risk model?

What are the 3 factors of audit risk?

What is risk Why is the concept of risk important in the study of auditing?