If your executives and managers love metrics, then they’re sure to use Key Performance Indicators (KPIs). Even if they don’t like numbers, any smart executive will be reviewing their KPIs dashboard. These historical measures are designed to gauge performance to ensure goals and milestones are being met.
As risk professionals, though, we know the value of metrics is limited—namely, that they cannot foretell the future. Sure, they can be charted to estimate future activity, but they can’t warn us of potential risk events.
For that, we need Key Risk Indicators (KRIs). Instead of historical metrics, these are leading indicators. Good KRIs establish thresholds that, when triggered, alert management to an increased potential for a future risk event, which means KRIs can be used as an early warning system.
A Lack of Warning = A Lack of Value
While most organizations utilize KPIs, KRIs are more elusive. According to the NC State’s “2017 Global Risk Oversight Report,” about a third of responding organizations indicated they were “mostly” or “very satisfied” with the nature and extent of their KRI reporting. The report concludes that there is “a widespread lack of KRIs that management can usefully monitor to proactively navigate the organization around emerging risks. This may explain why respondents generally do not believe that their organizations’ risk management processes are providing strategic value.”
Did you catch that? A lack of useful KRIs at an organization can make executives feel like their ERM program isn’t providing strategic value.
Where are the KRIs?
You’re probably wondering, “If executives want KRIs, why aren’t more ERM professionals providing them?”
In defense of our fellow risk professionals, it can take a while for a company to mature to the point where they want to track KRIs and are ready to take action based on the information collected. There’s a lot of foundational work that has to be completed first.
Another issue is information overload. Identifying KRIs is great, but if they’re not relevant or actionable, then they’re just noise—the kind that takes up a lot of resources to track and report.
In my personal opinion, I think there’s a third reason why companies don’t use KRIs: they’re making it more complicated than it has to be. And who can blame them? If you search the internet for “KRIs,” you’ll see a lot of impressive information, from case studies to fancy diagrams. These resources may help you down the road, but they probably won’t give you practical information on how to build an effective, sustainable system to identify and manage KRIs in your organization.
3 Steps to Building Your KRI System
If you’re looking to develop KRIs, we suggest a simple approach: base KRIs on existing KPIs. Then outline a basic process to report findings and escalate concerns to the appropriate individuals. The following is a high-level, 3-step process to get you started today
1. Pick Your Risks
Remember, KRIs are supposed to warn about potential risk events that could threaten organizational objectives. So before you even talk about KRIs, you need to understand your organization’s objectives and the primary risks that threaten them. Focus on your top risks, especially those with a high Impact, high Velocity, or low Controllability (i.e. the risks you really want to get ahead of).
(Read our prior article on simplifying the risk assessment process to ensure you’re focusing on the right risks.)
Imagine we work in the same ERM unit. Our executives have made a strategic decision to manufacture a new type of widget, and they set an objective to produce 1 million units by the end of the year. As part of the planning process, management determined that the existing workforce can produce 5,000 widgets in a six-hour period. Then they contracted with the appropriate vendors to upgrade the production machinery, store the raw materials and completed products, and ship them to warehouses for distribution to sales outlets.
These various data points and milestones are then used to develop KPIs. As each week and month progresses, executives will look to these KPIs to make sure they’re on target to reach their objective.
We’ve identified the primary risk broadly as anything that could slow down the manufacturing process, causing us to miss the production deadline. There are dozens of specific risks that could cause this slow down to occur, but we’re going to focus on the high-level risk.
2. Establish Your KRIs
Once you’ve identified the risks for which you want to create an early-warning system, you’re ready to establish the KRIs.
Since your organization is probably tracking KPIs, use them to create your KRIs. This has several benefits: executives will be familiar with the underlying data, while the time and resources necessary to pull together the information are greatly reduced, and bureaucracy is minimized by integrating with other areas in the organization.
When creating the KRIs, be sure the data is:
- Relevant – There should be a direct correlation to the risk.
- Quantifiable – To be effective as an early-warning indicator, the KRI should be quantitative. However, don’t ignore relevant qualitative information, such as negative media attention or negative social media posts. If possible, develop a way to categorize and scale this type of information so you can measure and report it.
- Easily accessible – If the information isn’t readily available (e.g. it costs too much to mine and analyze), then don’t pursue it. Start with the information at your fingertips.
Let’s take another look at our Example:
We know the primary risk is around missing our production time frame, and we know the data available to us. Therefore, we establish the following KRI:
The time frame to manufacture 5,000 widgets and prepare them for shipment should not exceed 8 hours.
Notice the time frame is two hours above the estimated production time of six hours. That’s because we’re setting an upper-limit threshold that will trigger a mitigating response. The two-hour difference gives us “wiggle room” to handle normal production fluctuations.
Also, note that the wording of the KRI is as high-level as the risk we identified. We could have created separate KRIs to warn us of the underlying risks such as manufacturing failures and strikes by personnel, but then we would have to monitor and track that information. Instead, we developed a single KRI that alerts us to any issues in the manufacturing process that impact production time. We know this one KRI will be effective because it’s relevant to the risk, quantifiable, and easily accessible.
3. Formalize Your Process
Remember, the purpose of KRIs is to alert decision-makers of a potential increase in risk that could affect the company’s objectives. That means the information can’t just be collected—it has to be monitored, analyzed, and reported to the appropriate individuals. Since these activities will occur across departmental lines, you should take the lead in outlining the process and securing appropriate approvals.
When working with stakeholders, follow these best practices:
- Engage stakeholders early on, while the KRIs are being identified.
- Don’t just notify the stakeholders, secure their buy-in of the KRIs and the process. Each person needs to understand and believe in what he’s doing, or he won’t make it a priority.
- Make the KRIs and the process surrounding them available to all stakeholders.
- Be the central point of contact so they all know where to go when there are questions or issues.
Once you have established the KRIs and the processes, record the information in a systematic form, such as a protected Excel spreadsheet. Be sure to include a unique identifier, the risk being tracked, the KRI thresholds, the owner of the data, the person who monitors the data, and how the information is escalated if the thresholds are reached.
Over all, keep your process as simple as it can be to get the job done.
Back to our Example:
The following was the KRI we established (with approval from all stakeholders):
The time frame to manufacture 5,000 widgets and prepare them for shipment should not exceed 8 hours.
After working with the stakeholders, we all agree to the following process:
The Production Manager monitors the data each day and notifies the appropriate executive if the production time exceeds the 8-hour threshold noted in the KRI.
The following chart shows the production data over a 12-day period:
Notice that days 2 and 10 both have data points higher than the 8-hour threshold. Given our new process, this should trigger the Production Manager to take action.
Also note that the trend line has been increasing over time and is now dangerously close to the upper threshold of 8. On Day 8, you now have a leading indicator that a risk is about to materialize, and the Production Manager should reach out to other managers to take mitigating steps. These mitigating steps would be noted, so the executives can be made aware of what is being done to reduce the risk.
Mature Your KRI System
By following these three steps, you can quickly build an effective KRI system that supports the strategic plan of your organization. While this is a great start, you should plan to mature your KRIs and the process over time.
What has been your experience with KRIs? Do you feel your organization is using them to the fullest?
We’d love to get your perspective on this important yet often neglected topic. Please feel free to leave a comment below or join the conversation on LinkedIn.
We’ll be discussing this topic more in upcoming posts and in future training programs. If you would like to know when we publish new posts or plan to offer training on building a KRI system, click here and also receive our step-by-step guide to developing an enterprise risk management program as a free thank you!
And if you need to make more immediate progress on a KRI system or any other facet of your ERM program, be sure to contact me today.
Receive our Weekly Blog Updates
Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.