One of the core components of a successful risk management program is demonstrating that risk is managed and monitored to an acceptable level within a risk appetite framework. Risk appetite is the level and type of risk that an organization is willing to accept within the context of its business strategy. Risk indicators are metrics used to monitor identified risk exposures over time. Consequently, any piece of data that can perform this function may be considered a risk indicator. The indicator becomes “key” when it tracks an important risk exposure (a material risk), or when it does so especially well (a key indicator), or ideally both.
A key risk indicator (KRI) can be used to measure:
- The exposure to a given key risk or set of key risks,
- The effectiveness of any controls that have been implemented to reduce or mitigate a given risk exposure, or
- How well risk exposures are managed at different levels of an organization.
While related, KRIs are different from Key Performance Indicators (KPIs). KPIs are designed to measure effectiveness or progress in achieving business objectives, whereas KRIs measure the vulnerabilities or factors that may prevent the achievement of business objectives. Distinctions between KRIs and KPIs are summarized in Table 1 below.
Table 1 – KPI vs. KRI

| | What It Measures | |
|---|---|---|
| Key Performance Indicator (KPI) | Measures a performance goal or target to achieve business strategy and objectives. | Provides directional insight on how the organization is progressing towards strategic objectives, or the effectiveness of specific business processes or control objectives. |
| Key Risk Indicator (KRI) | Measures used by management to indicate how much risk is associated with an activity. Generally, a KRI is an indicator of the possibility of a future adverse event manifesting itself. | Provides, preferably, early warning signals or lagging confirmation when risks (both strategic and operational) move in a direction that may prevent the achievement of KPIs. |

KRIs can be used by an organization as a management tool to track changes in its exposures to risk. If selected appropriately, KRIs can provide a means for identifying:
- Emerging risk trends and issues on the horizon that may need to be addressed (via “leading” indicators),
- Current exposure levels, and
- Events that may have materialized in the past and which could occur again (via “lagging” indicators).
The frequency with which an indicator is measured is an important factor. Generally, the more often an indicator is updated, the more useful it will be for monitoring the risk it represents. However, there can be occasions where more frequent measurement will show only small changes in the risk profile. In those cases, it is important to consider the longer-term trend of measures before arriving at conclusions as to the overall changes in risk exposure.
Risk Assessment Alignment to KRIs
The risk assessment process includes identifying and evaluating individual risks by employing both quantitative and qualitative methods. Based on the inputs provided from risk assessments, management determines whether a KRI is needed. Defining a KRI depends on whether the risk impacts the bank’s risk profile. If the outcomes of the risk identification methods show an impact on the organization’s risk profile, a KRI may be necessary.
There are two main approaches to selecting KRIs:
- Top-Down: Senior management selects indicators to monitor across the business. A top-down approach is the most effective for strategic KRIs. They can facilitate aggregation of risk and management’s understanding of common risks impacting strategy and business objectives.
- Bottom-Up: The lines of business select and monitor indicators that are relevant within their operational processes. The bottom-up approach ensures key risks are identified and tracked at a granular level to enable the lines of business to manage risks that are most tangible and relevant.
An effectively developed KRI must have the following five (5) components:
- Relevant: KRIs must be relevant to the risks being monitored. They must help identify and quantify existing risks, as well as monitor and manage the exposure and the consequences of exposure.
- Measurable: KRIs must be capable of being measured with a high level of certainty on a repeated basis and be capable of being quantified as an amount, percentage, ratio, number, or count. KRIs may be qualitative if no quantitative measures exist.
- Verifiable: KRIs must be reproducible based on data and documentation, including the way the data is sourced, aggregated, and delivered to management.
- Predictive: KRIs can provide a lagging, leading, or current perspective of an organization’s operational risk exposures. However, regardless of perspective, a KRI should provide insight into future risk to facilitate mitigation of that risk. Choosing leading indicators, where they are available, is considered industry best practice, as they provide the clearest view into future risk.
- Specific: KRIs must be accurate and precise in their measurement. For each KRI, there must be a lower bound (trigger limit) and an upper bound (alert limit) established which allows management to detect potential for increased risk exposure in day-to-day operations.
  - Trigger limits are quantified as a shift in risk to a level beyond management’s expectations requiring monitoring and identification of risk drivers and possible control failures.
  - Alert limits are quantified as a major shift in risk to a greater potential for an adverse risk event occurring, requiring immediate action to report, escalate, and develop a remediation.
- Easy to monitor: The data used for indicators should be simple, cost effective to collect and easy to interpret, understand, and monitor.
- Comparable: KRIs should be tracked over time to provide trends and evaluate or ‘benchmark’ against industry peers. By itself, trending does not produce leading indicators; it simply provides an indication as to where the exposure could be going. It is beneficial to measure indicators over time to detect trends and to provide contextual information.
- Automated: Automated KRIs are preferred over manual KRIs to improve information integrity and efficiency; however, some KRIs may only lend themselves to manual creation.
Tips When Developing KRIs
- KRIs should link back to day-to-day operations as they can be early warning risk indicators.
- KRIs should leverage business knowledge and industry best practices.
- KRI volatility should be considered when setting up trigger and alert limits to provide effective monitoring.
- When possible, KRIs should be standardized to make it easy to aggregate, interpret, or compare across the organization.
- KRIs should be reported in a timely manner to effectively address limit breaches (for example, monthly reporting). Quarterly reporting may be too infrequent to prompt management action.