What is a key risk indicator (KRI)?
A key risk indicator (KRI) is a metric that measures how likely it is that a risk -- the probability of an event taken together with the severity of its consequences -- will exceed the organization's risk appetite and seriously damage its ability to succeed.
Key risk indicators play an important role in enterprise risk management programs. Benefits of KRIs include the following:
- advance notice of potential risks that could damage the organization;
- insight into possible weaknesses in an organization's monitoring and control tools; and
- ongoing risk monitoring between risk assessments.
Characteristics of good KRIs
When developing a KRI, knowledge of the organization and how it operates -- plus knowledge of the potential risks, threats and vulnerabilities it faces -- are the essential starting points. Without an understanding of the company, it is difficult to identify where it may be at risk.
Internal and external risks are then mapped to key operational aspects of the firm to identify how those key attributes could be disrupted. Thus, characteristics of a good -- and measurable -- KRI include the following:
- details on the people, processes, technologies, facilities and other corporate attributes most important to the organization's continued operation and success;
- identification of risks, threats and vulnerabilities the organization faces, based on their likelihood of occurring, their operational and financial impact to the firm, and the firm's ability to mitigate the event;
- ranking the business attributes in terms of their criticality to the firm;
- ranking of risks, threats and vulnerabilities in terms of their potential harm to the firm;
- linking of the key business attributes to the most significant risks to identify those issues of greatest concern to the organization;
- metrics to identify when and how an identified risk becomes a serious threat to critical attributes of the organization;
- ongoing process of reviewing KRIs and their metrics to identify any changes that require management review and possible action; and
- approval of KRIs by senior management.
Examples of KRIs
KRIs are developed in relation to an organization's people, processes, technology, facilities and other elements critical to its operations. Each KRI also sets a measurement point, or threshold, that, once crossed, signals that the business could be disrupted and that management should respond.
Table 1 provides examples of KRIs for different aspects of a business and sample measurement points.
Table 1 -- KRI examples

| Risk situation | Suggested KRI | Measurement |
|---|---|---|
| Loss of staff | Identify when employee absenteeism exceeds a certain level | Total head count declines by 20% or more |
| Employee dissatisfaction | Identify situations indicating employee dissatisfaction | Number of employee complaints increases by 15% or more on a month-to-month basis |
| Production of an important product cannot keep up with demand | Identify when production levels reach a certain point, based on product demand | Number of units produced per day declines by 20% or more |
| Existing product designs are increasingly outdated and could result in declining sales | Identify a risk point, based on sales and market research, at which existing designs must be changed | Sales of the product have declined 20% or more from previous levels |
| Disruption to IT systems from cyber attacks | Identify the required patch level for security systems and track deviation from it | Security system patching is two or more patches behind the scheduled and recommended level |
| Inability to recover systems, data files and databases to their current state following a disaster because backups failed | Metric showing whether IT assets are backed up to their most recent acceptable recovery point | Backup systems alert when the age of the last successful backup exceeds the minimum acceptable time frame |
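The thresholds in Table 1 only become an early-warning capability once something evaluates live figures against them and flags the breaches. The following Python is an added example, not code from the original article: it encodes four of the Table 1 measurements (head count decline, month-to-month complaint growth, patch lag and backup age) as small evaluator functions, runs them over constructed sample figures, and reports which KRIs crossed their threshold. The 24-hour backup window, the host and asset names, and all numbers are assumptions made for the example; the page gives no specific backup time frame. Note the handling of a missing or zero baseline: the percentage-change KRIs report "no data" rather than silently reading it as "no risk".

```python
"""Evaluate the KRI thresholds from Table 1 against constructed sample figures."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class KriResult:
    """One evaluated KRI: observed value, threshold and whether it was crossed."""
    name: str
    value: Optional[float]
    threshold: float
    breached: bool


def pct_change(previous: Optional[float], current: float) -> Optional[float]:
    """Relative change from previous to current. Returns None when there is no
    usable baseline (missing or zero) so a gap in the data is never mistaken
    for a green status."""
    if previous is None or previous == 0:
        return None
    return (current - previous) / previous


def headcount_kri(previous, current, threshold=-0.20):
    """Loss of staff: breached when head count declines by 20% or more."""
    change = pct_change(previous, current)
    return KriResult("headcount_decline", change, threshold,
                     change is not None and change <= threshold)


def complaints_kri(previous, current, threshold=0.15):
    """Employee dissatisfaction: breached when complaints rise 15% or more
    from one month to the next."""
    change = pct_change(previous, current)
    return KriResult("complaint_increase", change, threshold,
                     change is not None and change >= threshold)


def patch_lag_kri(hosts, threshold=2):
    """Cyber attack disruption: breached when any host is two or more patches
    behind the scheduled level. `hosts` maps host name -> patches behind."""
    worst = max(hosts.values(), default=0)
    return KriResult("patch_lag", worst, threshold, worst >= threshold)


def backup_age_kri(last_backups, now, max_age_hours=24.0):
    """Backup currency: breached when any asset's last successful backup is
    older than the acceptable window. The 24-hour window is an assumed value.
    `last_backups` maps asset name -> datetime of the last successful backup."""
    ages = [(now - ts).total_seconds() / 3600 for ts in last_backups.values()]
    worst = max(ages, default=0.0)
    return KriResult("backup_age_hours", worst, max_age_hours, worst > max_age_hours)


def breached_kris(results):
    """Names of the KRIs that crossed their threshold, i.e. what a dashboard flags."""
    return [r.name for r in results if r.breached]


def sample_evaluation():
    """Run every KRI over constructed sample figures (not data from the page)."""
    now = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    return [
        headcount_kri(previous=100, current=78),                 # -22%: breached
        complaints_kri(previous=40, current=44),                 # +10%: within appetite
        patch_lag_kri({"web-01": 0, "db-01": 1, "vpn-01": 3}),   # vpn-01 three behind: breached
        backup_age_kri({"fileserver": now - timedelta(hours=6),
                        "erp-db": now - timedelta(hours=30)}, now),  # erp-db stale: breached
    ]


if __name__ == "__main__":
    for r in sample_evaluation():
        status = "BREACH" if r.breached else "ok"
        print(f"{r.name:20} value={r.value!r:>8} threshold={r.threshold} {status}")
```

Each evaluator returns a `KriResult` rather than printing, so the same functions can feed a dashboard or a ticketing hook; the `breached_kris` list is the set of red flags that should trigger the response actions discussed later in the article.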
Why are KRIs important?
Without KRIs, an organization is more likely to be caught unprepared by events or situations that could significantly damage its business. KRIs are the red flags that help the organization identify these risks in advance and mitigate them.
Let's take a closer look.
If an organization specializes in retail sales, for example, a key risk indicator might be the number of customer complaints. An increase in this KRI could be an early indication that an operational problem needs to be addressed.
The challenge for an organization is not only to identify which risk indicators should be identified as being key -- i.e., most important -- but also to ensure internal acceptance of its KRIs. Organizations must communicate the risk warning in such a way that everyone in the organization clearly understands its significance and can respond accordingly.
KRIs and KPIs: What's the difference?
Key risk indicators are often confused with key performance indicators (KPIs), which are metrics that help an organization assess progress toward declared goals.
The two terms are functionally the inverse of each other. While they may be separate and distinct for some issues, the creation of one often results in the creation of the other as its complement.
As stated above, KRIs provide metrics regarding risks and their potential impact on business performance. They function as an early warning capability for monitoring, analyzing, managing and mitigating key risks.
By contrast, KPIs demonstrate how well the organization is performing against its goals and objectives -- e.g., sales, revenues and customer satisfaction. Like KRIs, key performance indicators can be applied to the people, processes and technologies that are critical to an organization's success.
Table 2 provides examples of key performance indicators and their corresponding KRIs.
Table 2 -- KPI examples and complementary KRIs

| Key performance indicator | Key risk indicator |
|---|---|
| Full employment needed for optimum company performance | Metric that identifies when employee absenteeism exceeds a certain level |
| Employee satisfaction with the company and their work is essential for successful performance | Metrics showing employee dissatisfaction and when it reaches a specific level |
| Production of an important product is maintained at levels sufficient to keep up with demand | Metrics showing when production levels fall below acceptable levels |
| Existing product designs are satisfactory and providing expected value and results to customers | Metric -- e.g., based on declining sales and competitive market research -- that indicates existing designs should be examined and possibly changed |
| Disruption to IT systems from cyber attacks is minimized by regular patching of security systems | Metrics that identify when the required patch levels for security systems are not being achieved |
| Disruptions to the business are minimized because systems, data files and databases are backed up to their most current recovery point | Metric showing when IT assets are not at their most current backup levels |
Challenges of creating and measuring new KRIs
It is not enough to simply create KRIs and walk away. They must be monitored and reviewed regularly, both to detect changes in the business or in risk and threat levels, and to identify and initiate any remedial action that is needed.
Challenges associated with developing KRIs typically stem from an organization's inability to do the following:
- obtain accurate information about the organization that can be used to pinpoint mission-critical activities;
- identify risks, threats and vulnerabilities and then quantify them by likelihood, severity and impact;
- secure senior management support for the use of KRIs as part of an enterprise risk management program;
- realistically link critical business attributes to the most likely risk scenarios;
- create metrics that are both measurable and understandable to senior management -- e.g., presenting KRIs using a dashboard;
- establish an ongoing activity to monitor, measure and analyze any changes in metrics; and
- establish response actions to take if deviations from KRI metrics occur.