If you were to ask what constitutes a well-rounded, mature ERM program that delivers strategic value to the organization, many would say robust key risk indicators (KRIs) would certainly be at or near the top of the list.
Writing in the book Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, Deloitte & Touche Managing Director Dmitriy Borovik states:
To quickly review, KRIs are leading indicators that act as an early warning system to indicate a risk is getting worse and requires extra attention or that it is becoming less of an issue and resources can be shifted elsewhere. It is a form of risk monitoring and a helpful tool in the risk manager’s toolkit for addressing uncertainty if done properly. For further information on the basics of KRIs, I invite you to check out our previous articles here and here.
To illustrate KRIs in action, let’s say a company has an objective of achieving $1.2 billion in sales revenue (increase of $300 million from current revenue). There are risks to achieving this objective, such as not utilizing appropriate marketing because of insufficient market research.
(NOTE – the identified risk should always be tied to either a business or strategic objective. In this example, the risk is directly linked to the goal of achieving the additional revenue.)
A KRI for this risk and goal could simply be sales figures…
As the image below shows, there’s the current state and the goal. At certain intervals (like monthly or quarterly), managers and executives responsible for meeting this goal will want to make sure they are hitting certain targets.
Ideally, the targets will be hit right on the mark, but that rarely happens in reality. Regardless of whether the sales figures are coming in above or below the target, many companies tend to overreact to these indicators.
If sales figures are coming in below where they need to be and it becomes apparent the goal will not be met, many companies may go into “freak out” mode and just start throwing money around to try and address the “problem” as they see it. These actions are frantic and reactionary rather than deliberate and measured, a key difference between traditional risk management and ERM. The marketing budget can be doubled, but would that really address the problem (e.g., the root cause of why the interval goal is not being met)?
Contrary to the implication, KRIs do not just show that a risk is materializing; they can also show that a risk is going down and thus resources can be redirected elsewhere. The KRI may show the company is exceeding the revenue target, and thus, people relax their guard. However, some companies may get too lax too soon, leading to the risk re-emerging – a sort of see-saw effect. When this occurs, the company may not have the financial and people resources available. What they fail to realize is that the company’s previous mitigation actions (to address the risk of not utilizing appropriate marketing due to insufficient market research) are what led to the improved KRI.
These types of overreactions may explain why only 30% of companies indicate they are “mostly” or “very” satisfied with KRIs according to the 2021 State of Risk Oversight Report from NC State.
To prevent this overreaction from occurring, every KRI a company establishes must have clear lines in the sand.
One key ingredient of a functioning KRI that often gets overlooked is the use of acceptable and unacceptable thresholds. Having this line in the sand will help guide companies on whether they can take a breather, need to exercise mild caution, or need to take immediate, focused action to address a serious situation.
As Borovik et al. explain in Enterprise Risk Management… cited above, utilizing thresholds as part of a robust KRI system:
“…help(s) provide insights that facilitate proactive risk-based decision-making processes, including allocation of capital and human resources.”
They go on to explain that these thresholds should be viewed as “goals” or “triggers.”
If a “goal” milestone or threshold is reached, this could indicate the risk’s likelihood and/or impact has decreased and a change in approach can be considered.
Conversely, a “trigger” milestone can be a signal that the risk is getting worse and requires extra attention. Further analysis to determine the root cause driving the risk should be done to pinpoint exactly where the company should focus its efforts.
Please note that “goals” and “triggers” can be low or high. In the case of our revenue example above, the “goal” threshold would be the higher amount while the “trigger” is the lower. Therefore, if revenues are coming in below the trigger amount, it could initiate further action by the company.
Again from Borovik et al., developing these thresholds requires the company to consider the following:
- The risk’s impact and whether those impacts increase once the risk passes a certain point.
- How much risk the company is willing to take in pursuit of a specific goal.
- What this particular KRI’s “numerical value” has been in the past.
- The time required to respond to or manage the impact of a risk.
In the end, effective KRIs and the deliberate and measured reaction to them are not simply about avoiding failure and keeping the doors open, but about ensuring the company is meeting goals and objectives while utilizing finite company resources. As Norman Marks eloquently puts it in this article that touches on KRIs:
“My view of risk management, or should I say risk management that adds value and helps an organization succeed rather than just avoid failure, is all about what might happen.
Anticipating what might happen, evaluating and assessing it, then taking appropriate actions through informed and intelligent decisions, leads organizations to success.”
So if you’ve found yourself overreacting when a risk materializes, it may be due to a lack of concrete thresholds around the risk or opportunity. Taking the steps outlined above can help reduce the chance of this occurring, helping ERM deliver greater value to the organization.
Does your company utilize KRIs? How have you harnessed KRIs for improved decision-making?
Like risk appetite, KRIs are one of those areas that many companies struggle with. If you have struggles you would like to share or have found a way to make them work for your company, please share your story by leaving a comment below, joining the conversation on LinkedIn, or emailing me directly at email@example.com (for private conversations).
If you find that your company is overreacting to KRIs and therefore experiencing financial loss, missed goals, and so on, please don’t hesitate to contact me directly or visit my online calendar to schedule a meeting today to discuss your specific situation!