Why Organizations Struggle with Key Risk Indicators and How to Make Them Work

If done properly, key risk indicators (KRIs) can be a valuable tool for proactively managing risks to achieving strategic objectives. As I explain in a previous article, being proactive is one of the key differences between traditional and enterprise risk management.

Despite their potential for facilitating the proactive management of risk, around 70% of organizations are “not very” or “not at all” satisfied with their KRIs according to an informal poll taken during a session at NC State’s Spring 2019 ERM Roundtable.

We’ve touched on this topic in the past (…see 3 Steps to Building an Effective KRI System Today), but as the informal poll and other reports show, organizations still struggle to develop useful risk indicators to guide their decision-making.

Before jumping into why, let’s take a moment and go over some basics of key risk indicators, along with a few pros and cons.

This recent case study from NC State’s ERM Initiative provides a good definition to work from. It states that key risk indicators are “…metrics used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.”

ERM personnel, risk owners, and executives work together to establish thresholds that will then be monitored depending on how fast the risk could materialize (velocity), its potential impact, and more. These thresholds can be a simple ratio or a combination of multiple indicators.

If a threshold is triggered, decision-makers can then revisit their strategy to determine if any changes need to be made. Most companies, though, are not interested in a set value, but instead the overall trend. Organizations participating in NC State’s report explain how being too focused on a particular number led to discussions that were “…too detail oriented.” Therefore, the monitoring can help determine whether an area is trending towards triggering a risk or if a risk is increasing in its potential impact.

KRIs can be quite helpful in understanding the onset of a particular threat, but, as Hans Læssøe explains in his book Prepare to Dare:

An early warning monitoring may tell you the likelihood of a risk materializing is increasing, and further caution should be applied to avoid being hampered…other monitoring may show that the risk is less likely to materialize, and may allow you to take more risks at this particular point in time.

In other words, like risk management in general, KRIs are not just for preventing failure, but helping the organization maximize opportunities as well.

How can KRIs help your organization take more risk?  If a risk indicator that you are monitoring is showing a positive trend (i.e., moving away from the threshold), then the potential of that risk being triggered is decreasing. That means that you can move toward taking more risk in that area. Or even better, divert some of those resources being used to manage the risk to another higher risk area that is above your threshold.

Embedded in this explanation are many of the pros of KRIs – they show trends that provide organizations with an early warning system that risk(s) are materializing or that risk(s) are less likely to be a problem. And as we’ll explain more below, KRIs can also demonstrate a linkage between risk and performance.

Why do organizations struggle to realize any strategic value from key risk indicators?

As I explained earlier, only 30% of organizations that develop KRIs are satisfied with the quality of insights they receive. They are able to use them as intended – as a tool for making better decisions or fine-tuning existing strategic goals.

The remaining 70% of organizations are either “not very” or “not at all” satisfied OR they are not using KRIs at all.

In the end, key risk indicators are a tool that should only be used by organizations with a more mature ERM process.

Developing KRIs, monitoring them, and taking action is an initiative that needs to be treated like any other project in the organization. Risks to the project need to be managed closely to ensure KRIs provide executives with timely, relevant, and actionable information.

The reason why organizations encounter so many challenges with KRIs is that they have not addressed risks around developing them. Like ERM in general, KRIs may sound simple in theory, but they are far from easy. They take effort, resources, deliberate thought, and buy-in from executives and business units to work as intended.

One common challenge many organizations have, especially non-financial firms, is the availability of credible, objective, quantitative data – there may be an abundance of qualitative data, but that is very subjective and extremely prone to human bias.

Another common issue with KRIs is they are often perceived as duplicating performance data. And as the NC State report shows, they can easily be made too complicated as well.

To address some of these challenges, ERM professionals and risk owners can examine existing performance data through a risk lens.

Let’s examine one performance metric many companies have – revenue goals.

Your company likely has set goals for how much money they want coming in the door throughout the year. As the year goes on, a trend line will begin to take shape showing whether the company will meet, exceed, or fall short of its goal.

Guardrails, or a tolerance, can be set around the goal, like demonstrated below.

If the trend line falls below the low threshold at the middle of the year (like shown below), the company can investigate what may be causing the shortfall and take steps to address it. Some causes can include supply chain disruption, new products/competition, and others.

Conversely, if the trend line exceeds the upper tolerance, the company may need to take steps to ensure everyone has the resources they need to maintain quality and deliver on customer expectations.

The intent of this article isn’t to explain how to set up KRIs at your organization – you can refer to my previous article here, or check out NC State’s case study for some examples of how different organizations approach the issue, where they find data to support their KRIs, and more. In the end, there are too many variables depending on the organization and industry. Like ERM in general, there will be some trial and error involved.

Many organizations simply attempt to develop their KRIs without careful thought and deliberation. What they end up with too often is something that is too complicated to understand and seems duplicative of performance data.

Being deliberate and carefully managing challenges will increase the odds that your company can develop KRIs that business units and executives will find useful.

Is your ERM program at a point where it can develop key risk indicators?

How have you addressed challenges to developing KRIs that provide timely, reliable, and actionable information?

While there is much information out there on KRIs, it is still a subject that isn’t well understood.

To share your thoughts, please feel free to leave a comment below or join the conversation on LinkedIn.

And if you are struggling to develop KRIs that are helpful to improving decision-making, contact me to discuss your specific situation and possible solutions.

Featured image courtesy of energepic.com via Pexels.com




, , , , ,

Related Posts

4 Comments. Leave new

  • Hans Læssøe
    January 29, 2020 3:44 am

    If 70% of companies are unhappy with their KRI’s, there are, in my view, two options:

    1) Fix it, i.e. Look at “what do you want to know”, then “how soon do we have to know to be able to act in time” “how can we get to know that in time”, define your metrics accordingly and start monitoring.

    2) Abandon the use of KRI’s … and hence accept that things happen and your risk response is basically “to cross that bridge, when we get to it”

    Option 1 is about being prepared … but do not prepare for everything and anything, that’ll be too costly. Look at – “if it happens, how will it affect our performance” and base/prioritize your efforts on that.

    For many risks/issues – option 2 is good enough.

    However, our (that goes for executives, board members, managers, and everyone else) perception of risks and what we worry about is highly biased – and hence we may take some rather dangerous shortcuts by leaning on option 2.

    My hint … spend an hour discussing the potential risk/issue and decide prudently, how vigorously you wish to address this.

    • It would certainly be foolish to try and monitor every risk. Organizations who do so will manage themselves right out of business. Unfortunately, many rely too heavily on option 2 because they have a “check-the-box” mindset when it comes to risk management. Like many things, careful consideration and balance is what’s needed.

      Maybe it is time for some risk professionals to approach their executives with the 2 options you laid out and ask – which one do you want to do? And do you want to justify your decision to the board, shareholders, etc.?

  • I agree that if focus is given to all risk inventory to come up with KRIs and then their monitoring, it will not help the organization. This will augment additional burden on the organizaiton and the labor as well.

    The right approach could be to pick up high or meidum risk inventory and start monitoring their KRIs that are carefully developed with consensus of the risk owner.

    This will give a good start for monitoring and getting good results from KRI

    • Absolutely – you can’t monitor everything. I think the biggest reason so few companies find them valuable is because the risk professionals don’t speak the language of the business. Execs are not interested in risk velocity, impact, and other terms only us risk mgmt. geeks care about. They care about strategic goals, revenue, production time, down time, ROI, etc. How can the risk metrics be translated to something executives care about?


Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.