Key risk indicators, operational risk, risk mitigation—these terms pop up in most content focused on risk management. But, these terms aren't often used in a way that provides guidance on improving processes. We all need to understand what role KRIs play in risk mitigation, but do we all know how to get started turning concepts into action? This blog by Kate Strachnyi provides a substantive introduction to a realistic KRI framework that any company can use as a foundation for a robust and customized risk management strategy.
Key risk indicators defined
Key risk indicators [KRIs] are an important tool within risk management and are used to enhance the monitoring and mitigation of risks and facilitate risk reporting. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events. Operational KRIs are measures that enable risk managers to identify potential losses before they happen. The metrics act as indicators of changes in the risk profile of a firm.
Chartis RiskTech200: Workiva Wins in Customer Satisfaction
Effective KRIs should be:
Measurable - metrics should be quantifiable [e.g., number, count, percentage, dollar volume, etc.].
Predictable - provide early warning signals.
Comparable - track over a period of time [trends].
Informational - measure the status of the risk and control.
Leading & lagging KRIs
Leading KRIs are measures that are considered predictive in nature. They are derived from metrics that can help to forecast future occurrences. Lagging KRIs are metrics based on historical measures. These help to identify trends in the firm.
Importance of KRIs
KRIs play an important role in risk management by predicting potential high risk areas and enabling timely action.
KRIs enable firms to:
Identify current risk exposure and emerging risk trends.
Highlight control weaknesses and allow for the strengthening of poor controls.
Facilitate the risk reporting and escalation process.
Operational risk management adds value to the firm.
Regulatory expectations
To qualify to use the Advanced Measurement Approach [AMA] to calculate operational risk capital under Basel II, the Basel Committee on Banking Supervision [BCBS] has specified detailed criteria for the use of forward-looking measures. The choice of each factor needs to be justified as a meaningful driver of risk and whenever possible, and the factors should be translatable into quantitative measures that lend themselves to verification. The sensitivity of a firms risk estimates to changes in the factors and the relative weighting of the various factors need to be well reasoned.
KRI roadmap
Below is a high-level roadmap for establishing a KRI framework:
KRI processes
KRI identification
Identify existing metrics.
Assess gaps and improve metrics.
Identify KRIs via risk control self-assessment [RCSA]—interview business units.
Don’t over rely on them; focus on indicators which track changes in the risk profile or the effectiveness of the control environment.
Concentrate on the significant risks and their causes and consider forward looking and historical indicators.
Consider absolute values and numbers, ratios, percentages, ageing, etc.
Data on KRIs should be collated on a systematic and consistent basis in order to be meaningful, e.g., on a monthly basis.
KRI selection
Select the KRIs that are measurable, meaningful and predictive [leading indicators].
Gather a good mix of leading and lagging indicators for effective risk management.
Don’t select too many KRIs that:
Are too difficult to manage [track].
Might become unmanageable.
Select only the ones that provide useful information.
Setting thresholds
Determine and validate trigger levels or thresholds.
Based on industry tolerance or internal acceptance.
Board of directors should approve thresholds.
Should coincide with risk appetite statement.
KRI tracking & reporting
Periodic tracking of KRIs [monthly, weekly, depends on what the KRI represents].
KRIs should be reported regularly and escalation procedures should be in place [as part of the KRI framework] to ensure timely reporting to management and board.
Various KRIs will have different levels of escalation. When in doubt, escalate higher but don’t dump too much information on management/board because they will get overwhelmed.
Reporting of KRIs to head of business units by KRI owners. Head of business units then reports into risk management. Risk management reports to risk board and when applicable, the full board.
This can help improve corporate governance structure.
Risk mitigation plans
Risk mitigation plans [RMPs] should be set for High risk items.
Items with high severity or high frequency of occurrence need to have RMPs to mitigate risk and enhance controls.
Determine what is high risk by assessing control levels.
Track RMPs to ensure that controls are enhanced and risk is mitigated. Report on RMPs to management/board, and set target completion dates.
Roles & responsibilities
Risk management
Create Framework and provide training
Guidance and challenge KRI selection process
Reporting/Escalation of breaches
Identify Trends
Business units
Identify KRIs
Set thresholds
Monitor positions
Escalate breaches of limits to management
Internal audit
Validation and assurance around KRI process
Incorporate output into audit plan
Assess control effectiveness for KRIs that were breached or yellow
Challenges
The potential challenges of establishing an effective KRI framework include:
Getting business units to buy-in into the need for KRIs
Demonstrating the effect [positive] that it can have on the firm overall and for each business unit
Might result in setting aside more capital
Identification of KRIs can prove to be difficult
Lack of resources to track KRIs
This article is by Kseniya Strachnyi from riskarticles.com.