Ignore KRIs: Best Practices for Key Risk Indicators

Stop me if you’ve heard this story before. There’s been significant management turnover at a $1 billion financial institution (FI), and the new management is eager to make an impact. Their solution: a new digital service provider to increase its digital footprint.

It’s a project that has a budget impact across all lines of business and requires a careful assessment. Yet the FI doesn’t have a structure in place for making strategic decisions. It simply reacts to events as they occur. There’s no recorded identification of risk and no recorded expectations. That means success is measured mostly by emotion and failure involves a lot of finger pointing.

This poor example of corporate governance is surprisingly common. Just 30 percent of internal audit departments in the U.S. regularly identify and monitor key risk indicators (KRIs), including those that suggest growing or emerging risks, according to the 2019 North American Pulse of Internal Audit survey from the Institute of Internal Auditors. Twenty three percent of the 500 companies surveyed don’t use them at all.

This is a huge oversight. KRIs and key performance indicators (KPIs) are an important part of corporate governance and risk management, helping shape strategic goals and risk appetite. Without information on performance, the board and management have no way of measuring the success of a program or making truly informed decisions.

Why Management Avoids Setting Strategic Objectives, Risk Objectives, and Key Indicators

There are many reasons why management may be slow to adopt strategic planning, enterprise risk management and key indicators to track progress. They include:

• Desire for perfection. With the operating environment constantly evolving, some FIs don’t want to waste time detailing a strategic plan or risk appetite that might change. This is a mistake. Successful FIs regularly adjust their strategic plans. In fact, they are more nimble in responding because they have indicators to track their progress.
• They don’t want to highlight failures. If you don’t outline expectations, you can’t fall short of them. This lack of transparency results in poor governance. Understanding issues from a business management perspective should never be seen as negative.
• Lack of confidence in the data. If an FI suspects its data is inaccurate or doesn’t have data that aligns with what needs to be measured, it may not bother with KPIs. Yet risk opportunity is only ever identifiable through adoption of a consistent process.
• Fear of finding too many risks. The heart wants what it wants. Risk indicators may contradict gut feelings, and management doesn’t want to concede the possibility that they are wrong. Yet there is no way of knowing what the results are without measurements. Risk may be rising, but it also could be level or even declining.
• Limited experience in performing ongoing success and risk monitoring. Management isn’t really sure how to accomplish this task, so they just skip it.

What KRIs & KPIs Tell You About Risk & Performance

When setting strategic objectives, KPIs should help understand whether those goals are being met within the expected risk tolerance. They may identify:

• Risk occurring at a higher frequency than expected. This may impact the understood likelihood of risk and may negatively impact the defined residual risk.
• Risk occurring at a much lower frequency than expected. This may impact the understood likelihood of risk and may positively impact the defined residual risk.
• Expectations not being met. This may warrant a change in the risk appetite, either allowing more or less risk.
• Expectations exceeded. This may mean that an FI should consider a greater allowance of risk to explore opportunities fully.

Related: Free Your Inner Luddite & Find Risk Management Peace

Measuring Success and Risk

Going back to the example of the $1 billion-asset FI that wants to increase its digital footprint, there are plenty of ways to measure both success and risks.

For example, success can be gauged by member/customer usage and penetration, the number of new accounts opened or an increase in fee income. Risk can be gauged by financial loss, complaints, and internal costs including labor.

These indicators should be regularly monitored with milestones along the way. This keeps the board and senior management focused on whether the FI is achieving established goals in the strategic plan. This includes whether timelines and objectives are being met and if additional or alternative actions need to be implemented.

For example, an FI may have a $100,000 risk appetite for financial loss, but management shouldn’t wait until that threshold is hit to inform the board. It should set triggers for other key milestones such as $20,000, $40,000 and $60,000 so the board can stay apprised.

When these key risk indicators are triggered, the board and management should think about why it’s occurring. This may include a risk vs. reward analysis, a study of the control environment, or a wait-and-see approach to see if it’s the result of a one-off or something more systematic.

Failing to monitor indicators can lead to regulatory scrutiny. It also limits an FI’s ability to be proactive, fostering a reactive environment, and limits its ability to be nimble and quickly recover from failure.

The road to strategic success is paved with good intentions. Failing to track risk and performance can lead to a rocky detour.

Related: Creating Reliable Risk Assessments