Lifecycle of Key Risks Indicators
In traditional life cycle representations of KRIs, one essential step is missing: the understanding of the various causes of a risk. Moreover, too little benefit is derived for the reuse of existing metrics of the firm into leading KRIs. Poor results of control testing and flags of underperformance are often useful KRIs. The key steps of a leading KRI programme are represented in the figure above.
The cycle starts with the identification of key risks to the organisation, the risk that are significant enough to warrant active monitoring. In order to play a role in the prevention of risk, indicators must signal a rise in the level risk factors rather than counting the number of incidents that has happened. Like a KRI for car accidents is not the number of collisions (but it is rather speed, alcohol or fog), preventive KRIs capture elevated levels of what cause risks, rather than the incidents that have already occured. Understanding the causes of the risks (step 2) is thus an essential prerequisite to the identification of leading key risk indicators. However, chances are the several existing performance and controls metrics already used in the organisation can be reused and looked at in the perspective of leading KRIs (step 3). Defficient controls (red KCIs) are, by definition, indicators of elevated levels of risks. Similarly, poor performance (red KPIs) are, more often than not, announcing trouble. Once the existing metrics have be reviewed to assess whether they qualify also as KRIs, only the missing metrics need to be completed with new KRIs (step 4). KRI Desing (step 5) relate to the structure of this particular form of reporting that are the risk indicators: data source and capture, frequency of reporting and threholds, stakeholders to the process of collecting, reporting and acting on possible breaches, and governance rules in case of breaches (step 5). Finally, after a some time (1 – 2 years) of using KRIs usage, it is advisable to test their effectiveness: have they helped to prevent any incidents? (step 6).
Feel free to contact us for more details and assistance: firstname.lastname@example.org