One Fatal Error of KRIs and How to Avoid It

If you were to ask what constitutes a well-rounded, mature ERM program that delivers strategic value to the organization, many would say robust key risk indicators (KRIs) would certainly be at or near the top of the list.

Writing in the book Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives, Deloitte & Touche Managing Director Dmitriy Borovik states:

To quickly review, KRIs are leading indicators that act as an early warning system to indicate a risk is getting worse and requires extra attention or that it is becoming less of an issue and resources can be shifted elsewhere. It is a form of risk monitoring and a helpful tool in the risk manager’s toolkit for addressing uncertainty if done properly. For further information on the basics of KRIs, I invite you to check out our previous articles here and here.

To illustrate KRIs in action, let’s say a company has an objective of achieving $1.2 billion in sales revenue (increase of $300 million from current revenue). There are risks to achieving this objective, such as not utilizing appropriate marketing because of insufficient market research.

(NOTE – the identified risk should always be tied to either a business or strategic objective. In this example, the risk is directly linked to the goal of achieving the additional revenue.)

A KRI for this risk and goal could simply be sales figures…

As the image below shows, there’s the current state and the goal. At certain intervals (like monthly or quarterly), managers and executives responsible for meeting this goal will want to make sure they are hitting certain targets at these intervals.

Ideally, the targets will be hit right on the mark, but that rarely happens in reality. Regardless of whether the sales figures are coming in above or below the target, many companies tend to overreact to these indicators.

If sales figures are coming in below where they need to be and it becomes apparent the goal will not be met, many companies may go into “freak out” mode and just start throwing money around to try and address the “problem” as they see it. These actions are frantic and reactionary rather than deliberate and measured, a key difference between traditional risk management and ERM. The marketing budget can be doubled, but would that really address the problem (e.g., the root cause of why the interval goal is not being met)?

Contrary to the implication, KRIs do not just show that a risk is materializing; they can also show that a risk is going down and thus resources can be redirected elsewhere. The KRI may show the company is exceeding the revenue target, and thus, people relax their guard. However, some companies may get too lax too soon, leading to the risk re-emerging – a sort of see-saw effect. When this occurs, the company may not have the financial and people resources available. What they fail to realize is that the company’s previous mitigation actions (to address the risk of not utilizing appropriate marketing due to insufficient market research) are what led to the improved KRI.

These types of overreactions may explain why only 30% of companies indicate they are “mostly” or “very” satisfied with KRIs according to the 2021 State of Risk Oversight Report from NC State.

To prevent this overreaction from occurring, every KRI a company establishes must have clear lines in the sand.

One key ingredient of a functioning KRI that often gets overlooked is the use of acceptable and unacceptable thresholds. Having this line in the sand will help guide companies on whether they can take a breather, need to exercise mild caution, or need to take immediate, focused action to address a serious situation.

As Borovik et al. explain in Enterprise Risk Management… cited above, utilizing thresholds as part of a robust KRI system:

“…help(s) provide insights that facilitate proactive risk-based decision-making processes, including allocation of capital and human resources.”

They go on to explain that these thresholds should be viewed as “goals” or “triggers.”

If a “goal” milestone or threshold is reached, this could indicate the risk’s likelihood and/or impact has decreased and a change in approach can be considered.

Conversely, a “trigger” milestone can be a signal that the risk is getting worse and requires extra attention. Further analysis to determine the root cause driving the risk should be done to pinpoint exactly where the company should focus its efforts.

Please note that “goals” and “triggers” can be low or high. In the case of our revenue example above, the “goal” threshold would be the higher amount while the “trigger” is the lower. Therefore, if revenues are coming in below the trigger amount, it could initiate further action by the company.

Again from Borovik et al., developing these thresholds requires the company to consider the following:

  • The risk’s impact and whether those impacts increase once the risk passes a certain point.
  • How much risk the company is willing to take in pursuit of a specific goal.
  • What this particular KRI’s “numerical value” has been in the past.
  • Time required to respond or manage the impact of a risk.

In the end, effective KRIs and the deliberate and measured reaction to them are not simply about avoiding failure and keeping the doors open, but about ensuring the company is meeting goals and objectives while utilizing finite company resources. As Norman Marks eloquently puts it in this article that touches on KRIs:

“My view of risk management, or should I say risk management that adds value and helps an organization succeed rather than just avoid failure, is all about what might happen.

Anticipating what might happen, evaluating and assessing it, then taking appropriate actions through informed and intelligent decisions, leads organizations to success.”

So if you’ve found yourself overreacting when a risk materializes, it may be due to a lack of concrete thresholds around the risk or opportunity. Taking steps outlined above can help reduce the chance of this occurring, helping ERM deliver greater value to the organization.

Does your company utilize KRIs? How have you harnessed KRIs for improved decision-making?

Like risk appetite, KRIs are one of those areas that many companies struggle with. If you have struggles you would like to share or found a way to make them work for your company, please share your story by leaving a comment below, join the conversation on LinkedIn, or email me directly at (for private conversations).

If you find that your company is overreacting to KRIs and therefore experiencing financial loss, missed goals, and so on, please don’t hesitate to contact me directly or visit my online calendar to schedule a meeting today to discuss your specific situation!


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.
