Risk management, compliance, and internal audit professionals are well versed in finding ways to help organizations manage risk. Risk identification and assessment processes should be iterative and dynamic. Auditors need to revise risk assessments and modify risk responses and audit procedures throughout fast-changing and complex circumstances.
To help your company manage emerging threats and better prepare for the future, it’s vital that you and your team develop Key Risk Indicators (KRIs). This helps to safeguard your organization from the various types of risks that can sidetrack its plans. Safeguarding activities include:
- Developing a thorough understanding of each potential risk exposure.
- Documenting each risk, the impact, and likelihood of the risk occurring.
- Closely monitoring performance via Key Performance Indicators.
- Leveraging technology to assist this process.
- Conducting periodic and regular reviews of KRIs as situations change and evolve.
What Is a Key Risk Indicator?
Key risk indicators are metrics that predict potential risks that can negatively impact businesses. They provide a way to quantify and monitor each risk. Think of them as change-related metrics that act as an early warning risk detection system to help companies effectively monitor, manage and mitigate risks. KRIs provide visibility into the weaknesses within your company’s risk and control environment and processes — and help to develop a risk assessment plan to fortify your business.
What Is the Purpose of Key Risk Indicators?
KRIs add value to overall operational risk management by playing an essential risk management role. KRIs predict potential risk — especially within high-risk areas and sectors. KRIs can help with:
- Identifying any risk exposure relating to current or emerging risk trends.
- Assessing and quantifying each risk and its potential impact.
- Providing perspective through benchmarking.
- Enabling timely and ongoing risk control and monitoring.
- Enabling leaders and key personnel to receive alerts of potential risks in advance.
- Providing time to develop the appropriate and effective risk responses.
- Establishing objectivity within the risk management process.
In short, KRIs provide an advanced “heads-up” that allows companies to be prepared for risks.
How Do Key Risk Indicators Help Companies Identify Emerging Risks?
In the current and future post-COVID era, emerging risks will continue to impact many audit risk areas. While government, healthcare, and pharmaceuticals will likely maintain a focus on strengthening their pandemic risk assessments, other industries will put an emphasis on developing or bolstering their risk assessment plans to focus on identifying emerging risks within their supply chains and internal controls — as well as looking at fraud or cybersecurity threats due to remote working conditions.
As a powerful tool supporting operational risk management (ORM), KRIs help identify and define risks to ensure everyone understands the relationship between each KRI and potential risks. So, how do KRIs help companies identify these emerging risks? KRIs assist companies with:
- Comparing business objectives and strategy to actual performance to isolate changes.
- Measuring the effectiveness of processes or projects.
- Demonstrating changes in the frequency or impact of a specific risk event.
How to Identify Key Risk Indicators
Clearly identifying KRIs involves developing a roadmap — such as the one outlined below — to establish the KRI framework. This process will involve your risk management team, each business unit, and those responsible for internal audits.
Risk Management Responsibilities
Before identifying KRIs, your risk management team will need to create a framework and provide guidance by ensuring everyone is trained on the KRI selection process.
Business Unit Responsibilities
Each business unit will be responsible for identifying their respective KRIs, setting the thresholds, monitoring each KRI state, and escalating variances against these to management, including:
- Revisiting All Existing Metrics: As things change, all current metrics must be thoroughly reviewed; frequency will depend on the industry, internal and external changes, strategic goals, and other factors, but this should be done at least annually. Conduct an organization-wide SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) to identify, analyze, and document the entire organization’s operational state and risk appetite.
- Conducting a Risk Control Self-assessment :Another aspect of assessing risk appetite is revisiting each metric and conducting a full risk assessment. This should be carried out to determine precisely how each potential risk affects strategic plans, the likelihood of it happening, and where the impact may occur, among other things.
- Tracking Changes in the Control Environment: It’s necessary to track changes in the control environment. Published by the Committee of Sponsoring Organization (COSO), the Internal Control — Integrated Framework ensures the standards, processes, and structures in organizations are in place to safeguard your organization. Changes to processes and controls may negatively impact the control environment’s effectiveness and increase risk exposure.
- Prioritizing Significant Risks and Isolating Their Root Causes: Once risks are identified, they will need to be prioritized — each risk will require a risk response, but they all can’t be a top priority. Conducting a root cause analysis will be essential to determine the importance and action to be taken.
- Systematically Collecting All Data on KRIs: To be of value to the organization, data relating to KRIs should be collated methodically. Make sure not to select a large number of KRIs that are too difficult to monitor, manage, or trace. To be effective and deliver strategic value, all KRIs should be measurable, predictable, comparable, and informational.
Another part of identifying KRIs is setting thresholds or tolerances that enable flags to be raised when the situation moves outside of the normal. The thresholds should be based on industry norms or internal acceptance criteria. All thresholds should be carefully vetted by key stakeholders and approved by your company leadership or board of directors. Other tasks that need to be addressed when developing KRIs including determining who is responsible for:
- Tracking and reporting KRIs
- Establishing risk responses
- Establishing or updating controls
- Re-evaluating KRIs as circumstances change
Internal Audit Responsibilities
Internal audit will need to validate and provide assurances relating to the KRI process as well as build into the audit plan all the required inputs and record the final results. Internal audit will also need to identify, document, and report all exceptions or breaches to KRIs.
What Are Examples of Key Risk Indicators?
There are various types of quantitative and qualitative KRIs — for example, some are focused on financial, human resource, operational, technical, or other aspects of the business.
These focus on provable facts and numerical data based on findings from mathematical models and analysis methods.
These types of KRIs focus on predicting probability-based outcomes to support things like sensitivity analysis.
Depending on your business or industry’s nature, the use of quantitative over qualitative KRIs may be more relevant. Some KRIs may also rank higher on the priority list, be of more importance than others, and be subject to change based on internal or external environmental factors. Here are examples of top types of KRIs used across a range of industries and sectors.
Quantitative financial KRIs may be of greater significance to commercial or retail banks, asset management or firms, or Certified Public Accounting (CPA) firms. Some examples of financial KRIs that can link to external environmental factors might include ones that measure an economic downturn or regulatory changes. Internal factors might be changes to strategic goals, budget limitations, or acquisitions.
Human Resource KRIs
Staffing and recruitment firms and human resource departments are likely to be interested in using quantitative or qualitative people-based KRIs. High staff turnover, low staff satisfaction, labor shortages, or low recruiting conversion rates are some examples of human resource KRIs.
Operational KRIs could measure many things, from failed internal processes to ineffective internal controls. These types of KRIs can be typically developed in all industries. Factors impacting operational KRIs might center around process inefficiencies, leadership changes, or changes to strategic goals.
System failures, security breaches, and denial of service incidents are all examples of events that technology-based KRIs measure. These types of KRIs also impact all industries, but can be of greater importance to a technology service provider or a firm that relies on online business portals. Technological risk factors might include increased operational complexity, security issues, changes to protocols, or regulations.
What Is the Difference Between KRI and KPI? Are They Related?
It’s important to understand the difference between KRIs and KPIs. While they are related, they are different. They work together to provide companies and their leaders with the metrics needed to fortify their business. Both KPIs and KRIs are needed — they work hand-in-hand to create a complete picture for effective and timely decision-making.
KPIs look backward and focus on how well companies are achieving their goals. KPIs identify and prioritize a company’s key goals as well as monitor performance against those goals.
KRIs look toward the future. They assess and manage potential risks to goals. They focus on the likelihood that companies will achieve their goals based on potential risk factors. KRIs are linked to strategic priorities and identify all current and emerging risks related to each key goal. KRIs also monitor risks and send an early warning when the business is at risk of not achieving its goals.
How to Develop Key Risk Indicators to Fortify Your Business?
Gauging performance and ensuring that goals and milestones are met is one of the key aspects for which any leadership team is responsible. When looking at their dashboard each day, leaders across the business expect to see the information that tells them the current state of things — and that hopefully, they are on track — and this includes KRIs. When KRIs fall outside of thresholds, they alert management that there’s increased potential for a risk exposure — but KRIs are only useful when they’re developed using this methodical yet simple approach.
Identify Relevant Risks
Prior to establishing KRIs, it is essential first to understand your company’s goals and any vulnerabilities that can cause risk points. Effective enterprise risk management relies on identifying the most significant risks — these are the ones that will have the highest impact, the highest chance of occurring — or are the most likely to be outside of your company’s control.
Establish Your KRIs
If your company has already established Key Performance Indicators (KPIs), these can create KRIs. Why? The KPIs will already make sense and provide the underlying information — this can reduce the time spent on monitoring and the needed resources. Keep in mind that the KPIs being transferred to KRIs must also be relevant, timely, measurable, and make sense. If the KPIs are out of date or no longer applicable, then they shouldn’t be used.
Establish a Solid Process
Since KRIs are developed by each department, a solid process for creating, assessing, monitoring, and reporting them to the appropriate individuals will need to be established. The following best practices can ensure things go smoothly.
- When identifying KRIs, involve all relevant stakeholders from the start.
- Gain stakeholder buy-in so that everyone is on the same page and vested in the success.
- Ensure all information about KRIs and the process are accessible to all stakeholders.
- Create a central point of contact to whom stakeholders can go to get support.
- Keep stakeholders updated in a timely manner as things change.
Following a methodical approach like the one above can help streamline the process of developing Key Risk Indicators.
What Are the Challenges of Developing a Key Risk Indicator?
Creating, monitoring, and reporting KRIs sounds pretty straightforward, but it’s a bit more involved than one might think. Many businesses still struggle with KRIs for these reasons:
- Risks relating to the actual development of a KRI itself continue to go unaddressed. It requires conscious effort, resources, and executive and stakeholder buy-in.
- There are also issues with access to credible and objective data — especially quantitative data.
- The available data can often be unnecessarily complex and difficult to decipher and use.
Being aware of these common challenges can help you design a KRI development approach that will anticipate data and process-related issues.
How to Use and Monitor KRIs Effectively
Key risk indicators should be linked to a KPI and a strategic goal — and it should be prioritized to keep the focus on key risks. It’s also vital for KRIs to be continually monitored and tracked regularly — although the frequency will depend on the type of KRI.
Risk management and audit professionals play a pivotal role in ensuring the right metrics are in place to reduce risk exposure. Effectively using KRIs also relies on having the right risk management platform in place. AuditBoard can assist in monitoring your company’s KRIs with integrated risk management software — get started with RiskOversight today.
Learn how AuditBoard's integrated suite of easy-to-use software (audit management software, SOX compliance software, risk management software, audit workflow software, and compliance management software) can empower your team.