- CRO Outlook -

How to Select, Monitor and Manage Useful KRIs

The effectiveness of a financial institution's risk management program depends, in no small part, on the key risk indicators it uses to track its risks. Choosing and leveraging the right KRIs is therefore essential.

Friday, October 22, 2021

By Brenda Boultwood


In establishing its risk framework, it is likely your organization started with a language of risk. Aligned with each risk in this taxonomy is one or more key risk indicators (KRIs). But what, exactly, are KRIs? What steps can firms take to develop them properly, and why are they an important component of identifying, forecasting and mitigating risks?

KRIs are metrics that are used to measure risks, and offer critical support for risk-based decision-making. They give risk managers a tool to monitor risks and to take early action to prevent or mitigate crises. Indeed, it's useful to think of KRIs as an early warning system, like an alarm that goes off when an organization's risk exposure exceeds tolerable levels.

Examples of KRIs (which should be measurable and quantifiable) might include people KRIs, such as high staff turnover or low staff satisfaction. Information-technology risk KRIs include unplanned system downtime and the number of reported phishing events in a month.

While KRIs can be used to monitor all risks facing the business, they instead tend to focus on the most critical indicators for managing the highest-priority risks. These will vary by department, in line with an organization's objectives and priorities.

KRIs are metrics that provide information on a firm's opportunities and level of exposure to risks at any given point in time. They allow for benchmarking to industry standards and can help a firm identify risk trends, enabling leaders and key personnel to receive alerts of potential risks in advance. Moreover, KRIs enable timely and ongoing risk monitoring, and give firms the ability to align risk tolerance levels with risk appetite.

KRIs vs. Key Performance Indicators

KRIs should not be confused with key performance indicators (KPIs). KPIs answer the question, “How are we performing in meeting our goals?” KRIs, on the other hand, answer the question, “What is the likelihood that we might not achieve our goals?”

Tracking, alignment and rationalization are all part of a successful blueprint for KRIs. Let's now take a quick look at the role that each of these processes plays.

Tracking KRIs

Keeping an inventory of metrics is universally deemed a good thing in business. After all, we know that we cannot manage what we do not track.

However, more metrics does not necessarily mean better risk management: we simply could be looking at, say, the wrong data, or we may have the wrong people assigned to the wrong tasks.

It is therefore important to “find” the KRIs that are tracked by your organization. Some may be embedded in your firm's governance, risk and compliance (GRC) tool; others may be in spreadsheets maintained by team members. But the data for all KRIs must be tracked and properly shared with the risk management team.

Align Risks to KRIs

An organization's risk taxonomy is often hierarchical and helps an organization rank its risks. For an organization to achieve its best return on investment, KRIs should be aligned to each risk in the taxonomy in order of priority.

As risks evolve, and as a firm's understanding of its risks deepens, KRIs should continue to be refined. The goal is to use KRIs for each risk, enabling the risk management group to measure, monitor and report risks in a timely manner.

Rationalize KRIs

Too much data, particularly if it is the wrong data, is not only burdensome but can also lead to confusion. Consequently, as an organization reassesses its metrics, there must be a ruthless review of what has been used in the past.

Through rationalization efforts, some organizations will see up to an 80% reduction in the KRIs that should be managed. This type of dramatic decrease in KRIs (via rationalization) can be a positive development - but it's natural to wonder why.

The first reason is that data tends to improve over time in an organization. For example, IT processes that may have been managed manually in the past may now be automated, and a firm may consequently now have more reliable data on, say, cyber threats related to its high-risk assets. So, a KRI that was created a couple of years ago to track IT production could become outdated, and eliminating this type of indicator would likely increase the risk escalations that matter while decreasing data about low-impact risks.

The second reason it's wise to reduce the number of KRIs is that each organization should want to prioritize its most important risks. A good way to go about this is to align KRIs with your organization's risk taxonomy - matching up each specific risk being tracked with organizational priorities.

What's more, decreasing the number of KRIs should enable an organization to more easily distinguish between performance metrics and a firm's most important risk indicators. Performance (or operational) metrics are often available in abundance, but do little to indicate a risk level.

The Need for Predictive KRIs

The most useful KRIs are forward looking - or predictive. Forward-looking KRIs provide a forecasting perspective by anticipating risks that may take place in the future. The “percent of users who fail a phishing exercise” is an example of a forward-looking cybersecurity KRI. This type of KRI can help predict the exposure of the organization to an actual phishing attempt.

Figure 1: Cybersecurity Phishing Risk Metrics

Though they are less valuable, KRIs can also look backward. Backward-looking KRIs describe risks that have already occurred. They provide a “lagging” view of the risk. In the “phishing” example, a backward-looking KRI would be the “number of reported phishing events last month.”

Figure 2 (below) illustrates what could be revealed when your organization closely examines predictive risk metrics, while Figure 3 depicts some illustrative KRIs and how they can be used to monitor risks.

Figure 2: Results of Inventory of Predictive KRIs

Figure 3: Illustrative KRIs

Aligning Risk Tolerance with Risk Appetite

Risk appetite is often expressed qualitatively, at a relatively high level of an organization's risk taxonomy. The corresponding KRI could be at a lower level in the taxonomy. For example, if senior management states that the firm has a low appetite for cybersecurity risk, the board will likely agree.

Aligning an appropriate KRI to represent the risk tolerance is critical, not only for how information and IT assets are managed but also for understanding and maintaining the firm's level of investment in mitigating controls.

To help firms avoid high-severity incidents and to assist the organization in staying within a low-risk appetite, forward-looking KRIs - such as the likelihood of a phishing incident - can and should be implemented. The KRI risk tolerance band can, for example, be established to conform to the chief information security officer's risk tolerance for “high-priority” and “low-priority” cybersecurity risks - as well as to provide risk governance escalation criteria.

Parting Thoughts

KRIs are critical for decision-support and alignment to risk appetite levels across an organization - from the board of directors to management and across all employees.

The goal is for KRIs to be measurable, predictive and descriptive. In some organizations, the right KRI might even help save lives.

Brenda Boultwood is the Director of the Office of Risk Management at the International Monetary Fund. The views expressed in this article are her own and should not be attributed to IMF staff, Management or Executive Board.

She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Currently, she serves on the board of directors at the Anne Arundel Workforce Development Corporation.

Earlier in her career, Boultwood was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She also previously worked as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.


© 2021 Global Association of Risk Professionals