Must-have metrics for effective Enterprise Risk Management
Sword GRC Blog
“Management is blind without access to the right metrics”
Risk data gives organizations the opportunity to leverage information that drives a more robust operational risk management (ORM) program, embedded within an effective enterprise risk management (ERM) framework. The imperative for risk professionals – and the challenge, as the volume of enterprise data grows – is therefore to extract the right data and to get the right stakeholders on board to define which operational risk metrics are the most useful in supporting business strategies.
In ‘Indicators and metrics used in enterprise risk management’ (Department of Informatics and Economic Cybernetics, The Bucharest Academy of Economic Studies) it is suggested that the use of metrics in ERM will enable every company to “have a holistic view of the potential events that may affect the achievement of the organization’s objectives”.
With a complete view, management will have the requisite insights to make data-informed business decisions. Critical strategic decisions won’t be made ‘blind’.
There are many benefits to be derived from using metrics. Those cited in the ‘Indicators and metrics used in enterprise risk management’ paper include:
- Early identification of trends and issues
- A source of critical information for controls
- A means of recognising improvements or signs of worsening in situations
- Aid for information-based decision-making
- Underpins proactive management
- Improves future estimates and performance
- Evaluates success and failure
- Improves stakeholder satisfaction
Which metrics for effective risk management?
So which metrics should risk professionals make use of? Risk practitioners often consider three primary indicator types:
Key Risk Indicators (KRIs) – these are typically predictive indicators, providing a red flag that an unwanted event is becoming more likely or its impact potential is increasing. Post-event, they can also indicate that risks have occurred and reveal the scope of their impact.
Key Performance Indicators (KPIs) – these metrics relate to internal factors rather than external market circumstances, and indicate success or demonstrable progress towards the desired outcome. They can be used affirmatively to demonstrate the achievement of objectives, but also to flag the early emergence of risk events.
Key Control Indicators (KCIs) – also referred to as Control Effectiveness Indicators, these metrics reveal the extent to which a control is meeting its objectives (for example, preventing loss) at any point in time. If controls are not working as anticipated, then risk likelihood or impact may change. As such, KCIs are often predictive, though they can also provide early detection of risks beginning to unfold.
KRIs must not be confused with KPIs
The ‘Indicators and metrics used in enterprise risk management’ paper highlights that risk managers should be able to distinguish between KRIs and KPIs. It states that ‘key performance indicators focus especially on the historical performance of the enterprise or its key operations and are important for successful management. On the other hand, KRIs provide real-time indicators that offer information about emerging risks… KPIs tell us if we will achieve our goals and KRIs help us to understand changes in risk profile, impact, and the likelihood of achieving our goals. If the distinction is made between the two types of key indicators, we will be very clear about what types of questions we want to answer through these indicators and how we will define these indicators to improve the management quality and the clarity of results.’
Undoubtedly, KRIs, KPIs, and KCIs are all connected. Risk personnel should appreciate how or why indicators are correlated with changing risk profiles in order for metrics to be effective. In essence, indicators give a ‘picture’ of an organization and metrics provide a means of benchmarking whether ERM activity is on the right track.
Metrics – not too many, not too few
How many metrics provide the most benefit? If there are too many, time will be devoted to managing them that would otherwise have been spent on other critical tasks. Too much information can also be detrimental – risk professionals may struggle to distinguish the critical information, and so derive little value from the metrics in use. Too few metrics, however, may not generate enough information for the data to be meaningful.
Whatever balance is struck, it is of utmost importance that the metrics used are relevant, measurable, easy to monitor, auditable, and comparable.
Ultimately, perhaps the key questions risk professionals should ask themselves are: ‘Am I seeing improvements in the business? Are business priorities aligned to changing or emerging risks? Are risks being mitigated and losses avoided?’ If the answers are affirmative, the metrics, pieced together, are doing their work: generating data that can be leveraged to define stronger controls and to inform decision-making aligned with business strategy.
For your reference, The Institute of Operational Risk’s Sound Practice Guidance on the subjects of KRIs, Scenario Analysis, Stress and Reverse Stress Testing, Risk Culture and more may be downloaded, free of charge, here.
*Institute of Operational Risk: Key Risk Indicators, Operational Sound Practice Guidance