Risk management can be defined as altering the potential risks a company faces to match the risks that it desires. This entails establishing and assessing the risk appetite of the entity, meaning the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives. Therefore, an enterprise’s risk appetite determines the tolerance the board of directors is willing to accept with regard to the impact of risk to the entity’s top and bottom line. This can be quantified in terms of percentages, numbers, Rand values, time frames, etc. Fundamental to gauging an organisation’s appetite for risk and monitoring and measuring risk management performance is planning for the level of impact a risk has on the company’s performance at any given time.
The primary role of a Key Risk Indicator, or KRI, is to track trends over a particular time period. These trends are analysed against risks contained within a risk register and then converted into early warning signals. According to Alex Roberts, CURA’s Regional Director of Sales and Operations, the insights KRIs provide from a metric-based approach inform the risk team’s decision-making process by providing concise and accurate data in order to critically assess risk events. “Say, for example, an organisation specialises in the manufacture of a product. A key risk indicator might be the number of delays in the production line, for instance. An increase in this KRI beyond an acceptable norm could be an early indication that an operational problem needs to be addressed. The challenge for any organisation is not only to identify which risk indicators should be identified as pertinent, but also to communicate these findings in such a way those responsible understand its significance and can act on them in an actionable, structured manner.”
Using KRIs to enable proactive risk management and assist in the prevention of risk materialisation is only possible when the metrics being utilised are clearly defined. When determining which KRIs to track, it is advantageous to select metrics that are regularly quantifiable, meaningful and logical. Ranking the KRI’s level of impact or importance can also assist in establishing which KRI’s data to take into account when assessing a risk. If it is determined that one or two specific KRIs are the common focal point during the assessment process, the value of the lower ranked KRIs should be reviewed. When examining multiple KRIs, one must be cognisant that these can be associated to a single or multiple risks. Furthermore, one should be aware that too many KRIs to a single risk may overcomplicate the risk assessment process.
Each KRI will have differing measuring periods and these are dependent on what the KRI represents and how frequently the KRI value changes. Establishing these KRIs plays an integral role in the development of a risk management framework by establishing risk tolerance thresholds and ensuring that mechanisms are in place to prevent these thresholds from being exceeded.
Roberts concludes that with virtually any business process, it is necessary to measure something in order to be able to effectively manage it, and risk management is no exception. “KRIs provide rich information to better monitor and manage potential shifts in risk conditions and bolster management’s position to handle events that may arise in the future in a timely and strategic way. KRIs aid in reducing loss and preventing exposure by indicating changes in risk profiles and proactively managing risk situations before they occur.”