Clearly identifying KRIs involves developing a roadmap — such as the one outlined below — to establish the KRI framework. This process will involve your risk management team, each business unit, and those responsible for internal audits.
Before identifying KRIs, your risk management team will need to create a framework and provide guidance by ensuring everyone is trained on the KRI selection process.
Each business unit will be responsible for identifying their respective KRIs, setting the thresholds, monitoring each KRI state, and escalating variances against these to management, including:
Another part of identifying KRIs is setting thresholds or tolerances that raise a flag when a measurement moves outside the normal range. The thresholds should be based on industry norms or internal acceptance criteria. All thresholds should be carefully vetted by key stakeholders and approved by your company leadership or board of directors. Other tasks that need to be addressed when developing KRIs include determining who is responsible for:
Internal audit will need to validate and provide assurances relating to the KRI process as well as build into the audit plan all the required inputs and record the final results. Internal audit will also need to identify, document, and report all exceptions or breaches to KRIs.
There are various types of quantitative and qualitative KRIs — for example, some are focused on financial, human resource, operational, technical, or other aspects of the business.
Quantitative KRIs focus on provable facts and numerical data based on findings from mathematical models and analysis methods.
Qualitative KRIs focus on predicting probability-based outcomes to support things like sensitivity analysis.
Depending on your business or industry’s nature, the use of quantitative over qualitative KRIs may be more relevant. Some KRIs may also rank higher on the priority list, be of more importance than others, and be subject to change based on internal or external environmental factors. Here are examples of top types of KRIs used across a range of industries and sectors.
Quantitative financial KRIs may be of greater significance to commercial or retail banks, asset management firms, or Certified Public Accounting (CPA) firms. Some examples of financial KRIs that can link to external environmental factors might include ones that measure an economic downturn or regulatory changes. Internal factors might be changes to strategic goals, budget limitations, or acquisitions.
Staffing and recruitment firms and human resource departments are likely to be interested in using quantitative or qualitative people-based KRIs. High staff turnover, low staff satisfaction, labor shortages, or low recruiting conversion rates are some examples of human resource KRIs.
Operational KRIs could measure many things, from failed internal processes to ineffective internal controls. These types of KRIs can typically be developed in all industries. Factors impacting operational KRIs might center around process inefficiencies, leadership changes, or changes to strategic goals.
System failures, security breaches, and denial of service incidents are all examples of events that technology-based KRIs measure. These types of KRIs also impact all industries, but can be of greater importance to a technology service provider or a firm that relies on online business portals. Technological risk factors might include increased operational complexity, security issues, changes to protocols, or regulations.
It’s important to understand the difference between KRIs and KPIs. While they are related, they are different. They work together to provide companies and their leaders with the metrics needed to fortify their business. Both KPIs and KRIs are needed — they work hand-in-hand to create a complete picture for effective and timely decision-making.
KPIs look backward and focus on how well companies are achieving their goals. KPIs identify and prioritize a company’s key goals as well as monitor performance against those goals.
KRIs look toward the future. They assess and manage potential risks to goals. They focus on the likelihood that companies will achieve their goals based on potential risk factors. KRIs are linked to strategic priorities and identify all current and emerging risks related to each key goal. KRIs also monitor risks and send an early warning when the business is at risk of not achieving its goals.
Gauging performance and ensuring that goals and milestones are met is one of the key aspects for which any leadership team is responsible. When looking at their dashboard each day, leaders across the business expect to see the information that tells them the current state of things — and that hopefully, they are on track — and this includes KRIs. When KRIs fall outside of thresholds, they alert management that there’s increased potential for a risk exposure — but KRIs are only useful when they’re developed using this methodical yet simple approach.
Prior to establishing KRIs, it is essential first to understand your company’s goals and any vulnerabilities that can cause risk points. Effective enterprise risk management relies on identifying the most significant risks — these are the ones that will have the highest impact, the highest chance of occurring — or are the most likely to be outside of your company’s control.
If your company has already established Key Performance Indicators (KPIs), these can be used to create KRIs. Why? The KPIs will already make sense and provide the underlying information — this can reduce the time spent on monitoring and the needed resources. Keep in mind that the KPIs being transferred to KRIs must also be relevant, timely, measurable, and make sense. If the KPIs are out of date or no longer applicable, then they shouldn’t be used.
Since KRIs are developed by each department, a solid process for creating, assessing, monitoring, and reporting them to the appropriate individuals will need to be established. The following best practices can ensure things go smoothly.
Following a methodical approach like the one above can help streamline the process of developing Key Risk Indicators.
Creating, monitoring, and reporting KRIs sounds pretty straightforward, but it’s a bit more involved than one might think. Many businesses still struggle with KRIs for these reasons:
Being aware of these common challenges can help you design a KRI development approach that will anticipate data and process-related issues.
Key risk indicators should be linked to a KPI and a strategic goal, and they should be prioritized to keep the focus on key risks. It’s also vital for KRIs to be continually monitored and regularly tracked, although the frequency will depend on the type of KRI.
Risk management and audit professionals play a pivotal role in ensuring the right metrics are in place to reduce risk exposure. Effectively using KRIs also relies on having the right risk management platform in place. AuditBoard can assist in monitoring your company’s KRIs with integrated risk management software — get started with RiskOversight today.