By CPA Abdallah Mambo Dallu
There has been a tremendous perception shift of risk management from a compliance box-ticking
activity as well as a source of competitive advantage to risk management becoming increasingly integrated and connected in various ways throughout organizations. Risk management is now being seen as an enabler of business strategy execution. In our country very little has been done to appreciate the importance of risk management in driving organizational performance.
The Public Sector Accounting and Standards board (PSASB) of Kenya released draft Public Sector Risk Management guidelines for the National and county government in July 2021. These guidelines are for use by public officers in National and County Governments and their entities to enhance capacity and provide guidance risk management implementation. The guidelines were benchmarked with ISO 31000:2018 Risk Management – Guidelines.
While this was a good gesture for appreciating the importance of risk management, much needs to be done to showcase how organizational performance can be integrated into organizational Enterprises RiskManagement (ERM) framework to drive performance. In this article we are going to look into the key risk indicators and how they can be integrated in organizational ERM to drive performance of the organisations.
What are key risk indicators?
In the context of Enterprise Risk Management (ERM), key risk indicators (KRIs) are activities or outcomes that signal to a risk manager that a particular risk event is becoming more or less likely. They may also indicate that a risk event has already occurred and provide a sense of its impact or severity. KRIs are usually numerical (although they can be qualitative too) and are tracked against upper and/or lower
tolerance bands.
Tolerance bands usually represent the expected range of the metric, or the values of the metric that can be “tolerated” by the organization without a material change in risk levels or a serious threat to objectives. When the value of the indicator exceeds a tolerance band, it is viewed as abnormal behavior and as a strong signal that the risk events associated with the indicator are becoming much more likely.
How to Measure Risk with KRIs and KPIs.
Risk professionals today are facing an unprecedented level of scrutiny. Risk managers are not only responsible for protecting and securing their organizations, they also have to provide evidence that their risk management programs are actually effective at managing risk.
Most often, the metrics used to evaluate business performance are identified as “Key Risk Indicators” (KRIs) or Key Performance Indicators (KPIs). At a high level, both KRIs and KPIs are quantifiable ways to measure the downsides and upsides of risk for an organization. KRIs are metrics which evaluate and measure the efficiency of an organization’s risk management program.
KPIs are metrics which evaluate the components of a business deemed crucial for its success, revealing how consistently the company achieves key business objectives. By analyzing KRIs and KPIs in concert, and over an extended period of time, you will be able to show actual or probable deviations from a given standard or goal. With these risk metrics, you can improve your company’s understanding of just how likely achieving its strategic objectives is going to be.
Integrating Risk and Performance Management
Risks and opportunities are prevalent in today’s global economy. Organizations are constantly getting exposed to material risks (financial, strategic, operational, geopolitical, environmental, legal, compliance etc.) yet the majority are not prepared for them. Today’s uncertain business environment requiresorganizations to start taking a broader view of enterprise risks, focus on those risks with the greatest impact and occurrence and leverage performance management tools to manage and mitigate them.
To incorporate risk into performance management organizations must:
i. Prioritize risks based on greatest impact and likelihood of occurrence
ii. Create a line of sight working backward from the identified risks and their root causes.
iii. Correlate risks within and across silos.
iv. Adjust for the compounding effects of seemingly independent risk events.
v. Plan for different scenarios. By identifying different scenarios, the organization will be able to develop various risk response plans that are applicable to many possible events, not just the specific scenario developed.
In the context of Enterprise Risk Management (ERM), key risk indicators (KRIs) are activities or outcomes that signal to a risk manager that a particular risk event is becoming more or less likely. They may also indicate that a risk event has already occurred and provide a sense of its impact or severity.
Setting Up KRIs and KPIs in an ERM Program
Generally, there are six easy steps that can guide risk professionals in integrating risk performance indicators to an ERM program.
Step 1 – Start with Your Strategic Objectives
When it comes to implementing KRIs and KPIs, the single most important best practice we can share is to keep your efforts laser-focused on generating business value and avoid unnecessary complexity. This will help you to secure and maintain the buy-in you will need from your organization to keep your KRIprocess functioning properly. In practice, this means starting with a small number of indicators that are mapped to your most critical risks.
You can then continue to selectively add indicators over time as you demonstrate value through your program. Ideally, your strategic objectives are documented and already form the foundation of your ERM program. Risks that would interfere with the achievement of objectives are identified, assessed, managed and monitored to aid with your strategy execution.
Using strategic objectives as a central organizing principle will help to ensure that your ERM program stays focused on delivering business value. It will make it easy to identify your most important risks, as they will be the risks that have the greatest potential to affect your most important objectives. This approach will help you to identify highest ranked risks that you should start with when identifying potential KRIs and KPIs.
Step 2 – Consider Your Organization’s Risk Appetite
Just as strategic objectives provide important business context to prioritize your risks for use with KRIs and KPIs, so does consideration of your organization’s risk appetite. Risk appetite is an extremely valuable tool to help identify and document the types and amounts of risk that your organization is prepared to assume in different situations. Risks which exceed upper and lower risk appetite thresholds are additional candidates for use with KRI and KPI monitoring, because these represent risks which are currently out of alignment with the limits that the Board of Directors has authorized the leadership team to operate within.
Step 3 – Consider Your Risk Register
Other important clues for prioritizing your indicators can be obtained from a review of your risk register. Most registers already have a ranking system that reflects your organization’s consensus of your most important risks. Registers can also be filtered to identify risks with the highest risk ratings and to highlight the risks where the difference between inherent risk and residual risk are the greatest. These differences represent the extent to which the organization is depending on its controls to help avoid risk events. Risks with high differences in inherent and residual risks may be good candidates for control effectiveness indicators.
Step 4 – Complete Risk Bow Tie Diagrams for Your Top Risks
Once you have used steps 1 to 3 above to identify the top priority risks that you want to create indicators for, the final key preparatory step is to complete risk bow tie diagrams for each risk. The risk bow ties are so useful for creating and mapping indicators, in that they allow you to consider where the greatest uncertainties lie and where your organization would benefit most from a closer monitoring and early warning system. Once you have identified these key points in the various scenarios displayed in the bow tie diagram, you have a useful roadmap to show you where to create and associate indicators.
Now that you have prioritized your risks through steps 1 to 3 and identified your critical dependencies and uncertainties in step 4, you are ready to set up indicators. Start simple, focusing on your priority risks and dependencies. Work with your business subject matter experts in small workshops to identify a small number of indicators that will be most useful to give you the feedback you require.
Step 5 – Identify, Set Up and Map Indicators
Now that you have prioritized your risks through steps 1 to 3 and identified your critical dependencies and uncertainties in step 4, you are ready to set up indicators. Start simple, focusing on your priority
risks and dependencies. Work with your business subject matter experts in small workshops to identify a small number of indicators that will be most useful to give you the feedback you require.
Once you have identified an indicator you plan to use, you will set the upper and lower tolerance values that it will get tracked against. Your tolerance bands will represent the indicator values above and below which your risk ratings are likely to change in a material way. Finally, you must determine how and how often your indicator data will be updated.
Step 6 – Activate and Monitor Indicators
Once you have set up and activated your KRI and KPI data gathering processes, we recommend you use the initial 2-3 data gathering periods to “tune” your tolerance settings. These means risk managers should be closely reviewing the KRI/KPI data coming back, while holding off on automated escalation processes when tolerance limits are breached. Risk managers can use this period to adjust tolerance settings so
that future alerts will be sent in the appropriate situations (when risk profiles are changing).
Conclusion
In order to drive business performance, organizations must be proactive and make use of rolling forecasts and perform what-if analysis on their decision making processes. Steering the organization ahead and for growth requires business leaders to understand and mitigate the different types of risks that can ultimately lead to disaster in some form.
Today’s uncertain business environment requires organizations to start taking a broader view of enterprise risks, focus on those risks with the greatest impact and occurrence and leverage performance management tools to manage and mitigate them factoring risk into the main areas of performance
management positions the enterprise to better limit surprises and capitalize on upside opportunities. This can be achieved when organisation have well built ERM frameworks that integrates risk and performance management.