A key risk indicator (KRI) is a metric for measuring the likelihood that the combined probability of an event and its consequences will exceed the organization's risk appetite. This could have a profoundly negative effect on an organization's ability to be successful.
KRIs play an important role in enterprise risk management (ERM) programs. They can warn organizations of potential risks to their business. They also provide insight into possible weaknesses in an organization's monitoring and control tools, as well as ongoing risk monitoring between risk assessments.
KRIs are often confused with key performance indicators. KPIs are quite different from KRIs, however. KPIs help an organization assess progress toward declared goals, as opposed to providing early warning of risks.
Why are KRIs important?
Without KRIs, an organization increases the likelihood of being subjected to events or situations that could significantly damage its business. KRIs are the red flags that ensure these risks are identified in advance and mitigated.
For example, a KRI for a retail sales organization might be the number of customer complaints. An increase in this KRI could be an early indication that an operational problem needs to be addressed.
The challenge for an organization isn't just to identify the most important risk indicators, but also to ensure internal acceptance of its KRIs. Organizations must communicate the risk warning in a way that all employees understand its significance and respond accordingly.
Characteristics of good KRIs
When developing a KRI, knowledge of the organization and how it operates are essential starting points. This is in addition to knowledge of potential risks, threats and vulnerabilities. Without an understanding of the company, it's difficult to identify where it might be at risk and what risk management steps to take.
Once identified, internal and external risks are mapped to key operational aspects of the organization to identify how key attributes could be disrupted. Good, measurable KRIs include the following characteristics:
- Details about the people, processes, technologies, facilities and other attributes important to the organization's continued operation and success.
- Identification of risks, threats and vulnerabilities the organization faces, based on their likelihood of occurring, their operational and financial effects, and the organization's ability to mitigate the event.
- Relationships between key business attributes and the most significant risks, identifying issues of greatest concern.
- Metrics showing when and how a risk becomes a serious threat to critical attributes of the organization.
Creating measurable KRIs
The following are the 11 steps involved in creating measurable KRIs:
- Define objectives. Identify the business attributes that are important to the organization and the objectives it wants to achieve with KRIs.
- Identify risks. Articulate all risks the organization faces, including financial, operational, compliance and cybersecurity risks.
- Connect risks and objectives. Show how each risk could affect the organization's ability to achieve its objectives. Rank risks in terms of their importance in achieving objectives.
- Define KRIs. Based on previous steps, develop measurable KRIs to monitor and measure whether the identified risks are materializing.
- Get approvals. Secure senior management approval of KRIs.
- Set thresholds. Establish measurable levels for each KRI that indicate when risk becomes unacceptable and to trigger a response.
- Find data sources. Identify the data needed for measuring the KRI and how it will be collected. This could include financial reports, operational metrics and incident reports.
- Establish measurement systems. Put in place systems, processes and tools to regularly measure the KRIs.
- Monitor and evaluate. Continuously monitor the KRIs to track the changes in risk levels, assess KRI effectiveness and take necessary action.
- Reporting. Summarize and communicate KRI data and insights into the risk levels to relevant stakeholders and decision-makers.
- Review and improve. Regularly assess KRI effectiveness at capturing risks, and revise them as needed.
Examples of KRIs
KRIs are developed to monitor an organization's people, processes, technology, facilities and other elements critical to its operations. They provide the risk management measurement points that, if exceeded, could disrupt the business.
The following are examples of KRIs for different aspects of a business and sample measurement points:
- Loss of staff. An organization's business can be negatively affected when employees are sick, are disabled, leave for another job or retire. It's important to have KRIs in place monitoring employee absenteeism to identify when it exceeds a critical level. For example, this type of KRI measurement might have a threshold of a 20% decline in total head count.
- Employee dissatisfaction. An unhappy workforce can also have negative consequences for a company. A KRI can identify situations that indicate employee dissatisfaction. A threshold might be when the number of employee complaints increases by 15% or more on a month-to-month basis.
- Production vs. demand. If production of an important product is unable to keep up with demand, an organization can face both financial and reputational issues. A KRI identifies the point at which production levels are too low relative to product demand. For instance, the KRI might send an alert if the number of units produced per day declines 20% but demand remains constant.
- Declining sales. If product function or design gets outdated, sales can rapidly decline. A KRI can be used to identify a risk point for a product review based on sales data and market research. For example, a 10% decline in sales of a specific product might trigger this sort of review.
- IT disruptions. A KRI should identify the optimum patch level for cybersecurity systems. The threshold level might be something like, when the cybersecurity system patching is two patches behind the scheduled and recommended levels, the KRI kicks in.
- Failed backup. When backup systems fail, it can be difficult to recover systems, data files and databases to the current state. A KRI should be created to monitor that IT assets are at their most current backup levels. It might be set to send an alert when backup levels fall below minimum acceptable time frames.
KRIs and KPIs: What's the difference?
As mentioned earlier, KRIs are often confused with KPIs, which are metrics that help an organization assess progress toward declared goals. The two terms are functionally the opposite of each other. While they may be separate and distinct for some issues, the creation of one often results in the creation of the other as its complement.
KRIs provide metrics regarding risks and their potential impact on business performance. They function as an early warning for monitoring, analyzing, managing and mitigating risks.
By contrast, KPIs demonstrate how well an organization is performing against its goals and objectives, including sales, revenue and customer satisfaction. Like KRIs, KPIs can be applied to the people, processes and technologies that are critical to an organization's success.
| Examples of KPIs and complementary KRIs |
| Key performance indicator |
Related key risk indicator |
| Full employment is needed for optimum company performance. |
Metric identifies when employee absenteeism exceeds a certain level. |
| Employee satisfaction with the company and their work is essential for successful performance. |
Metric measures employee unhappiness and when it reaches a specific level. |
| Production of an important product is maintained at levels sufficient to keep up with the demand. |
Metric shows when production falls below an acceptable level. |
| Existing product designs are satisfactory and provide expected value to customers. |
Metric based on declining sales and competitive market research indicates when existing designs should be examined and possibly upgraded. |
| Regular patching of cybersecurity systems is needed to minimize IT disruptions. |
Metric identifies when optimum patch levels for cybersecurity systems aren't being achieved. |
| Disruptions to the business are minimized when systems, data files and databases are being backed up to their most current recovery point. |
Metric demonstrates when IT assets aren't at their most current backup levels. |
Benefits of KRIs
The following are some of the benefits KRIs provide organizations:
- Early warnings. KRIs provide advance notice of potential risks that could damage the organization. These enable proactive measures to be taken.
- Strategic objectives. KRIs help organizations focus on their key goals, priorities and objectives.
- Better decision-making. KRIs provide timely information that informs management decisions.
- Risk control and awareness. KRIs provide insight into possible weaknesses in an organization's monitoring and control tools. They also make everyone more aware of the potential risks to the business.
- Ongoing monitoring. KRIs provide insight into potential risks and the factors that affect them between formal risk assessments.
Challenges of creating and measuring new KRIs
It isn't enough to simply create KRIs and walk away. Good risk management requires they be regularly monitored and reviewed to identify situational changes that indicate a change in the business. They also must be monitored for changes in risk and threat levels and to identify and initiate remedial action that may be needed.
Challenges associated with developing KRIs typically stem from an organization's inability to do the following:
- Obtain accurate information about the organization that can be used to pinpoint mission-critical activities.
- Identify risks, threats and vulnerabilities and then quantify them by likelihood, severity and impact.
- Secure senior management support for the use of KRIs as part of an ERM program.
- Realistically link critical business attributes to the most likely risk scenarios.
- Create metrics that are measurable and understandable to senior management.
- Establish an ongoing activity to monitor, measure and analyze any changes in metrics.
- Set up response actions to take if deviations from KRI metrics occur.
Risk maturity models enhance ERM problems. Find out more about them and how they work.