Five Common Mistakes to Avoid When Establishing KRIs

Scott Cronin headshot
Scott Cronin
Five Common Mistakes to Avoid When Establishing KRIs

Key Risk Indicators (KRIs) are a critical tool for monitoring the level of risk exposure an organization is experiencing against thresholds. When used correctly, KRIs are extremely effective metrics that serve as an early warning system for organizational governance. Establishing and monitoring KRIs can be tricky, especially for the first time. This article will point out common mistakes that you can avoid and launch your KRI program successfully.

1.   Difficulty Identifying “Key” Risks

When implementing Key Risk Indicators, the first step is to separate key risks from common risks. If you can partner with your Enterprise Risk Management (ERM) team, they may have an established risk register with identified key risks. If not, you will need to identify these through your own risk assessment and input from senior management. It is a mistake to build KRIs for all risks, which could devalue the entire process by diluting the focus on the truly key risks. Monitoring hundreds of risk metrics may seem like a good idea, but we should focus on the few aligned with senior management’s greatest concerns.

2.   Fixating on Format, Not Content

KRIs should be specific, measurable metrics that are supported by data. For example, suppose a key risk is related to talent management. In that case, we may have a KRI to alert us if voluntary terminations in any business unit are above 10% in any rolling 30-day period. A common mistake when implementing KRIs is focusing too heavily on the reporting format, colors in a heatmap, and shading in a dashboard. The focus should be entirely on the appropriateness of the metric, the thresholds applied to the metrics, and action plans. 

3.   Not Understanding Risk Drivers

Identifying a key risk indicator requires a deep understanding about the key drivers of the risk increasing or decreasing, and therefore how to measure the risk. In the talent management example, we want to know what caused employees to leave their jobs. Figuring out the root cause of the risk occurring will inform our action plans to mitigate the level of risk. If a new competitor started up and offered more pay for similar positions, our response could be to raise wages. On the other hand, employees may have left due to factors other than compensation, in which case we would have raised wages unnecessarily. Ultimately, understanding the drivers of risks, as highlighted by KRIs, is critical to determining the appropriate remediation plans.

4.   Failing to Invest in Automation

Metrics should be data-driven, but obtaining the data should not be overly manual. Inputting data leads to errors, a lack of timeliness, and an unsustainable process. Instead, implementing KRIs should include an element of automation. Using the prior example on employee turnover, data should automatically feed from the employee master file into the KRI tracking software. That software could then send automated notifications to the risk owners when the risk threshold is breached.

5.   Not Creating Action Plans When Exceeding a Threshold

One of the last steps in the KRI monitoring process is often overlooked - having a plan of action for when the risk’s threshold is exceeded. Defining this action should be part of implementing the KRI, not an afterthought. This is difficult because the action plan depends on the risk driver, which means there could be several potential actions to take. While it’s not possible to think of every possible outcome, we can develop several of the most likely scenarios. Predefined action plans reduce confusion and delay when a risk indicator is triggered.

The Value of KRIs in a Fast-Changing World

Someone recently asked me if coming up with KRIs is worth the effort, given how dynamic and rapidly changing each industry is today. The answer is absolutely yes. Using KRIs is an even more important exercise now, since automated KRIs allow us to react more quickly with a plan when key risk indicator thresholds are crossed. After coming up with all the elements of good key risk indicators we discussed above, you should continue to monitor the appropriateness of metrics over time. KRIs should be revisited periodically to ensure we are monitoring the right risks with the appropriate thresholds to continue to get the most out of this critical risk management tool.

Scott Cronin

Scott Cronin is the Global Head of SOX Compliance & Controls for BNY Mellon, leading a team of 60 professionals in various locations. Prior to joining BNY Mellon, Scott has over 20 years of experience at companies including American Express, AIG, and PricewaterhouseCoopers. Connect with Scott on LinkedIn.

Related Articles