Six steps for preventive KRIs

Key risk indicators, or KRIs, are major components of the operational risk profile reports for nearly seven out of 10 of the institutions surveyed by OpRisk and Protiviti at the end of 2014. A majority of respondents (60%) also use KRIs as a measure of the operating effectiveness of the control environment. Contrastingly, only 39% of the organisations surveyed declare using 20 KRIs or more, while 15% use fewer than five and 14% use none.

This column proposes a six-step method to identify, design and validate preventive KRIs, which are an essential component of any operational risk framework.

Preventive KRIs are metrics of key risk drivers. Identifying the key risks to an organisation, understanding the main drivers of these key risks and finding the proxies of these drivers to turn them into economically efficient and reliable risk reporting, are the essential steps to set up an effective KRI suite. This method can be broken into six steps.

Chart 2 shows a classification of operational risks that can support the identification and design of preventive KRIs. I have previously listed many of the KRIs that can be used to monitor people risk, in close collaboration with the HR function. Like in HR, KRIs need to track weaknesses and overstretch in processes and systems.

Root risks are linked to the intrinsic nature of operational risk; core risks are central to the business objectives; operations risks relate to the day-to-day activities, specific to the nature of each business.

Understanding the root causes of key risks is at the heart of preventive KRI identification. For core risks for instance, conflicting priorities, absence of project rankings and prioritisations, and unclear roles and responsibilities are some of the KRIs applicable.

The good news is that in the matter of identifying KRIs, many firms are better placed than they think. KRIs are often a new name for the old practice of internal controls and monitoring. Failed controls are undoubtedly a cause for increased risk. Therefore, failed key control indicators (KCIs) or failing controls are by nature real preventive KRIs and should be captured as such. Similarly, poor performance will often generate risks; failed KPIs are, often, good preventive KRIs also.

Therefore, before undertaking too much investment in defining new KRIs, firms should make an inventory of all the control testing, monitoring, KPIs and other alerts reported on a regular basis, in order to extract those than can be requalified as useful KRIs. Linking back to chart 2, business continuity risk and legal and compliance risk are specialist areas, usually well understood and monitored by the competent team. KRIs typically exist in these functions, albeit under different names.

Once the list of risk drivers from step 2 is matched with the list of existing metrics in step 3, the missing gaps can be filled in the definition exercise of step 4, to find metrics capturing the main causes of the key risks. In step 5, KRI design relates to the detail of data capture, frequency, thresholds and governance of who reports and who acts on KRI breaches. KRI thresholds are one way of expressing risk appetite throughout the organisation's operations, with lower thresholds typically linked to lower risk appetite. Reliable thresholds, however, will be best identified through data analysis after a 'control period' of observation, during what constitutes normality in the firm's operations.

Finally, the validation stage is essential to maintain a reliable and valuable set of KRIs. Do our KRIs help prevent incidents? The simplest approach is to check the status of the relevant KRIs after an incident: green? Maybe they are irrelevant, or with an inappropriate threshold. Red? They might be reliable, but why was no action taken? Conversely, red KRIs followed by preventive actions allowing the avoidance of incidents is the most desirable situation.

Defining preventive KRIs is a continuous effort, improving the understanding of the generation mechanisms of operational risk. It helps to address the number one nominated challenge for the operational risk function in this year's survey (22%): the lack of management understanding of the value of the ORM programme.

More details on this and more will be explained in the upcoming course, Identifying Operational Risk: KRIs, RCSAs and Scenario Analysis, 22–23 March 2016 in London (www.training.risk.net/oprisk-kri).

Ariane Chapelle is honorary reader in operational risk at University College London and the director of Ariane Chapelle Consulting Ltd.