Key Risk Indicators (KRIs)
Print this Guidebook
Risks are dynamic and evolve over time. This makes the ongoing monitoring of risks a crucial element of an Institution's risk management framework. Recognising this, paragraph 16(7) of the Public Sector Risk Management Framework states:
"risk assessments should be re-performed for the key risks in response to significant environmental and/or organisational changes, but at least once a year, to ascertain any change in the magnitude of risk and the need for further management action as a result thereof."
Well-constructed KRIs enhance management's awareness and understanding of risks and increases the effectiveness of the ERM processes in driving performance.
What are key risk indicators (KRIs)
KRIs are metrics used to monitor changes in risks. They derive from deconstructing a risk into its key risk factors (something that has the potential to cause the risk) and isolating for active monitoring those that reveal the best information of the risk. KRIs signal developing issues within the Institution itself as well as externally in the political, economic, social, technological, legislative, and environmental realm in which it operates, that could create, exacerbate or reduce risk for the Institution.
The importance of KRIs
An effective risk management framework should be forward looking. It must empower management through predictive risk insights and enable them to respond proactively to changing risks. KRIs fulfil this need for early warning of impending changes in risks. They reveal why and where early action is needed to prevent risks from escalating beyond accepted levels. This alerts risk owners to the need for proactively re-rating the affected risks and reviewing the related risk responses.
Advantages of using KRIs can be summarised as follows. KRIs:
i. provide a deeper insight of risks and their causes thus enabling more timely and robust methods to assess, monitor and manage risks;
ii. can be a useful to establish acceptable parameters for risk (risk appetite & tolerance);
iii. forewarn of proactive steps needed to manage risks that are moving beyond accepted levels, before they develop into crises;
iv. enables risk reporting from a more empirical rather than pure judgement basis;
v. enables appropriate escalation of risks; and
vi. facilitates more effective risk oversight.
KRIs are an important tool within the risk management framework and are used to enhance the monitoring of risks. This improves the management of individual risks, the quality of risk reporting, risk oversight and ultimately the overall system of risk management.
Relationship between KRIs and Key performance indicators (KPIs)
The Department of Planning, Monitoring and Evaluation (DPME's) Framework for Strategic Plans and Annual Performance Plans require us to align KPIs and KRIs to makes it possible to monitor performance and risk in a single streamlined process. Both KPIs and KRIs are concerned with monitoring performance, however, they are not the same. The fundamental difference is that KPIs are backward looking while KRIs are forward looking.
KPIs help us to compare actual performance against pre-determined objectives. They look back and compare what has happened against what was expected to happen, i.e. what has already affected the Institution's performance. On the other hand, KRIs are forward looking and help us to understand what might affect performance in the future. It's important, therefore, that KRIs are KPIs are set out and measured separately and not conflated whilst keeping in mind the need to have them in a single streamlined process.
It is worth noting that underperformance identified through KPIs may be as a result of previously unidentified risk, but not necessarily so. Missed performance targets could also be as a result of issues or problems, which fall outside the definition of risk, which is:
uncertain future event that may impede an institution from achieving its service delivery or other performance objectives". However, to the extent that KPIs force us to drill down into the reasons for underperformance, they are useful for exposing previously unidentified risks, as well as known risks that are not being managed effectively.
Developing effective KRIs
Before delving into KRIs the key Institutional risks must be identified and prioritised. Key risks (or priority risks) are those that are most critical to institutional performance. Paragraph 126.96.36.199 of DPME's Framework for Strategic Plans and Annual Performance Plans states:
"the strategic plan must include a summary of
key risks which may affect achievement of the identified outcomes and must describe measures which will be taken to mitigate these risks." The process for identifying and prioritising risks is set out in the Public Sector Risk Management Framework and does not receive further attention here.
It is worth noting again that KRIs must be linked to the institution's key risks, as opposed to all risks. The key risks must be broken down into their causal factors, which is to say, those things that cause the risk to occur and alter its profile over time. KRIs should be predictive and provide early warning of developing risks and opportunities. They should be reduceable to hard numbers, percentages or ratios or other features that allow for easy interpretation and analysis. Good KRIs should be:
- quantifiable (numerically, percentages, ratios, etc.);
- specific (to the particular risk that is being considered);
- predictive (provides future insight);
- supported by reliable data;
- scrutinising leading indicators that look at current and future events and their upcoming effects; and
- scrutinising lagging indicators that review what has happened in the past that can affect risks going forward.
key steps involved in developing effective KRIs involve:
- having a credible risk register compiled from a deep understanding of the Institution's strategic and operational plans and risks linked to them;
- from the risk register, isolating the key risks for which KRIs are needed;
- performing root cause analysis for each of the key risks to determine their causes;
- further interrogating how the causes interact with the risk (e.g. how powerful they are in influencing the frequency, severity, and velocity of the risk);
- there are possibly multiple causes and these must be prioritised according to their importance in influencing the risk, with those having the biggest influence commanding the most attention; and
- risk owners, risk champions and subject matter experts should participate in designing the KRIs, with the Chief Risk Officer or equivalent person leading the participants in identifying KRIs, appropriate trigger points and as well as escalation protocols and action plans to be activated at these points.
As indicated above, effective KRIs are supported by reliable data. Attention to
data and data sources must consider:
I. The Institution might already be tracking certain metrics for operational purposes which could be useful. An evaluation of whether these metrics can be used for the KRIs, perhaps with some refinement and augmentation, should be done to avoid unnecessary effort.
- The most reliable and objective data must be considered where there is more than one source.
- Internal sources of data provide useful intelligence on internal operations thus are most useful for KRIs linked to operational risks.
- Data from external sources like professional bodies, Statistics South Africa, Reserve Bank, regulatory bodies, independent institutions and others are important for risks that emerge from the Institution's operating environment, for example, changes in socio-economic conditions, employment rate, movements in interest rates and foreign exchange, regulatory changes etc. These are useful for KRIs linked to strategic risks; and
- Risk owners, risk champions, subject matter experts and the Chief Risk Officer or equivalent person should work together to identify appropriate data and their sources.
KRIs in decision making
KRIs are dynamic hence they are useful only if they are constructed thoughtfully, tracked and measured at appropriate intervals and ultimately influence risk management decisions. The Risk Committee and Executive must fully understand the KRIs, data sources and their influence on the risk ratings and action plans. Risk dashboards tabled at the Risk Committee should highlight changes in KRIs which influenced any re-rating of risks and action plans.
The following diagram shows (from left to right) the process of deconstructing the high-level Institutional objectives to the point of KRIs. It is also possible looking from right to left, starting at the KRIs, to see how the KRIs affect the risks and subsequently the objectives they are linked to. This insight ultimately represents the value of KRIs to the risk management process and Institutional performance.