Why Organizations Struggle with Key Risk Indicators and How to Make Them Work

If done properly, key risk indicators (KRIs) can be a valuable tool for proactively managing risks to achieving strategic objectives. As I explain in a previous article, being proactive is one of the key differences between traditional and enterprise risk management.

Despite their potential for facilitating the proactive management of risk, around 70% of organizations are “not very” or “not at all” satisfied with their KRIs according to an informal poll taken during a session at NC State’s Spring 2019 ERM Roundtable.

We’ve touched on this topic in the past (…see 3 Steps to Building an Effective KRI System Today), but as the informal poll and other reports show, organizations still struggle to develop useful risk indicators to guide their decision-making.

Before jumping into why, let’s take a moment and go over some basics of key risk indicators, along with a few pros and cons.

This recent case study from NC State’s ERM Initiative provides a good definition to work from. It states that key risk indicators are “…metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.”

ERM personnel, risk owners, and executives work together to establish thresholds that will then be monitored depending on how fast the risk could materialize (velocity), its potential impact, and more. These thresholds can be a simple ratio or a combination of multiple indicators.

If a threshold is triggered, decision-makers can then revisit their strategy to determine if any changes need to be made. Most companies, though, are not interested in a set value, but instead the overall trend. Organizations participating in NC State’s report explain how being too focused on a particular number led to discussions that were “…too detail oriented.” Therefore, the monitoring can help determine whether an area is trending towards triggering a risk or if a risk is increasing in its potential impact.

KRIs can be quite helpful in understanding the onset of a particular threat, but, as Hans Læssøe explains in his book Prepare to Dare:

An early warning monitoring may tell you the likelihood of a risk materializing is increasing, and further caution should be applied to avoid being hampered…other monitoring may show that the risk is less likely to materialize, and may allow you to take more risks at this particular point in time.

In other words, like risk management in general, KRIs are not just for preventing failure, but helping the organization maximize opportunities as well.

How can KRIs help your organization take more risk?  If a risk indicator that you are monitoring is showing a positive trend (i.e., moving away from the threshold), then the potential of that risk being triggered is decreasing. That means that you can move toward taking more risk in that area. Or even better, divert some of those resources being used to manage the risk to another higher risk area that is above your threshold.

Embedded in this explanation are many of the pros of KRIs – they show trends that provide organizations with an early warning system that risk(s) are materializing or that risk(s) are less likely to be a problem. And as we’ll explain more below, KRIs can also demonstrate a linkage between risk and performance.

Why do organizations struggle to realize any strategic value from key risk indicators?

As I explained earlier, only 30% of organizations that develop KRIs are satisfied with the quality of insights they receive. They are able to use them as intended – as a tool for making better decisions or fine-tuning existing strategic goals.

The remaining 70% of organizations are either “not very” or “not at all” satisfied OR they are not using KRIs at all.

In the end, key risk indicators are a tool that should only be used by organizations with a more mature ERM process.

Developing KRIs, monitoring them, and taking action is an initiative that needs to be treated like any other project in the organization. Risks to the project need to be managed closely to ensure KRIs provide executives with timely, relevant, and actionable information.

The reason why organizations encounter so many challenges with KRIs is that they have not addressed risks around developing them. Like ERM in general, KRIs may sound simple in theory, but they are far from easy. They take effort, resources, deliberate thought, and buy-in from executives and business units to work as intended.

One common challenge many organizations have, especially non-financial firms, is the availability of credible, objective, quantitative data – there may be an abundance of qualitative data, but that is very subjective and extremely prone to human bias.

Another common issue with KRIs is they are often perceived as duplicating performance data. And as the NC State report shows, they can easily be made too complicated as well.

To address some of these challenges, ERM professionals and risk owners can examine existing performance data through a risk lens.

Let’s examine one performance metric many companies have – revenue goals.

Your company likely has set goals for how much money they want coming in the door throughout the year. As the year goes on, a trend line will begin to take shape showing whether the company will meet, exceed, or fall short of its goal.

Guardrails, or a tolerance, can be set around the goal, like demonstrated below.

If the trend line falls below the low threshold at the middle of the year (like shown below), the company can investigate what may be causing the shortfall and take steps to address it. Some causes can include supply chain disruption, new products/competition, and others.

Conversely, if the trend line exceeds the upper tolerance, the company may need to take steps to ensure everyone has the resources they need to maintain quality and deliver on customer expectations.

The intent of this article isn’t to explain how to set up KRIs at your organization – you can refer to my previous article here, or check out NC State’s case study for some examples of how different organizations approach the issue, where they find data to support their KRIs, and more. In the end, there are too many variables depending on the organization and industry. Like ERM in general, there will be some trial and error involved.

Many organizations simply attempt to develop their KRIs without careful thought and deliberation. What they end up with too often is something that is too complicated to understand and seems duplicative of performance data.

Being deliberate and carefully managing challenges will increase the odds that your company can develop KRIs that business units and executives will find useful.

Is your ERM program at a point where it can develop key risk indicators?

How have you addressed challenges to developing KRIs that provide timely, reliable, and actionable information?

While there is much information out there on KRIs, it is still a subject that isn’t well understood.

To share your thoughts, please feel free to leave a comment below or join the conversation on LinkedIn.

And if you are struggling to develop KRIs that are helpful to improving decision-making, contact me to discuss your specific situation and possible solutions.

Featured image courtesy of energepic.com via Pexels.com




Sign Up For Our Newsletter

Sign Up For Our Newsletter


Meet Carol

Helping companies achieve their vision and strategy, and succeeding in today's turbulent world, is something I'm honored to be a part of. Whether you're an occasional blog visitor or a long-term client, thank you for letting us be a part of your journey.

Most Recent Posts

The 12 Days of ERM Christmas

Without a doubt, one of my family’s favorite holidays is Christmas. Part of the fun, especially for our son, is seeing what “Santa” brought, but most importantly, we treasure the spirit of peace and goodwill the season brings. And after what seemed to be a never-ending warm spell, the weather is expected to be good…

Read More

Don’t Let Goals and Initiatives Be Blindsided by External Events

As the end of the year draws near, I think we’d all agree that while it wasn’t without its challenges, this year also wasn’t quite as turbulent as the previous two. While a lot of people are juggling company parties, shopping for friends and family, and special activities for the kids, most companies are putting…

Read More

Going the Distance: Ensuring Successful Execution of Strategic and Annual Initiatives

Strategic planning is a challenge – of all people, I understand… After all the meetings, risk and data analysis, and brainstorming of the preceding months, it’s tempting to think this is the end of the road and you can relax. Contrary to this common perception though, this is exactly not the time to relax, but…

Read More

Avoid Rookie Mistakes and Protect your Internal Reputation

Be honest – have you ever done something that you soon realized was a real rookie mistake? Me raising my hand… Considering the nature of ERM’s role to ask questions and challenge assumptions (often during conversations with executives), it can be argued that, in at least some cases, the expectations bar for risk professionals is…

Read More

ERM at Thanksgiving – An Illustration of Risk Management in Action

On occasion, I like to take some of the concepts we risk professionals think about in our jobs and apply them to different personal situations…take some of the same concepts we use when working with executives to develop corporate strategy and manage risks or uncertainty around that strategy. It’s Thanksgiving week in the U.S. –…

Read More

Why Quantitative Risk Assessment is Not Just the Best But the Only Option – A Conversation

Periodically, I have the pleasure of speaking one-on-one with Hans Læssøe on a variety of topics around ERM, strategic risk, and other issues and trends. As you know from my previous conversations (here, here) and posts featuring his work, Hans was formerly a practitioner at the iconic LEGO Company, but even more notably, is a…

Read More

The Three Lines Model – 3 Reasons Why I Don’t Like It

Everyone likes a clear-cut template that offers an easy way to create or manage something…I mean what’s not to like about a step-by-step process for accomplishing what you want? Sometimes this can work without any issues, such as the case with the Project Management Book of Knowledge (PMBOK), ISO 9001 standard, or a new cooking…

Read More

5 Avenues for Expanding your ERM Knowledge

One thing I was taught to appreciate from a young age was the value of education and knowledge. It didn’t necessarily matter what the subject was, just that I always maintain a learning or growth mindset regardless of my current status in life. This mindset has served me well over the years, and it’s a…

Read More

Storytelling and Risk Management – Developing Skills that Technology Cannot Replace

It’s amazing how technology has developed and changed our working world over time. Imagine trying to run my risk and strategy consulting firm without tools like Zoom, Box, Slack, and other ERM-specific technology tools. There is no way we would be able to serve our clients the way that we do. Just consider how the…

Read More

3 Phases to Creating and Launching an ERM Program Focused on Organizational Success

If you’ve been handed the task of creating an ERM program for your organization, let me first offer my congratulations quickly followed by my empathy for the task ahead of you. I don’t say that to scare you but to provide a small dose of reality. Building, launching, and refining an ERM program that is…

Read More