Risk management is a growing priority for companies across all sectors, not just in highly regulated environments. Senior leadership needs to better monitor risk to support improved decision-making and minimise the likelihood of catastrophic events with crippling financial and reputational consequences.
This is not a task that can be solely managed by a dedicated risk function, so a cross-functional approach at executive level is required. Additionally, there is a growing regulatory obligation on companies to make disclosures about financial viability, solvency and liquidity considering their key risks, coupled with pressure from investors to provide evidence that risk management is reducing uncertainty and volatility.
However, shortfalls in the current approaches of many companies can leave them dangerously exposed. Many either have no corporate level mechanisms for monitoring and acting on risk exposure, or they gather data but fail to develop appropriate metrics (Key Risk Indicators, or KRIs) to support effective monitoring, control and timely remediation.
Even when companies employ KRIs, they frequently select inappropriate ones, or struggle to implement them effectively. The maturity of a company's approach can vary enormously, and our experience of assessing maturity suggests that most companies tend to operate below where senior management thinks they are.
Selecting and implementing KRIs
Choosing effective KRIs is not a simple process; companies often fall at the first hurdle by not selecting the right metrics, which should take into account the following:
- Strategic relevance to the business and its objectives;
- Alignment with the organisation's true risk exposure, with coverage of all major risk areas;
- Specificity, measurability and objectivity;
- Basis in data-driven, cause-and-effect analysis;
- An appropriate number of indicators for reporting;
- Adequate use of leading indicators, and not solely lagging ones, to enable predictive monitoring and intervention before adverse events occur.
Even where companies select the right KRIs, they often fail to monitor and manage them proactively, with boards overlooking this in favour of simply choosing the KRIs and completely delegating their measurement and reporting. Furthermore, many organisations fail to commit to full implementation of effective systems for monitoring, which is often the greater challenge. Features of effective KRI implementation include:
- Appropriate limits and monitoring for their breaches;
- A traffic-light system for assessing the severity of breaches, with amber representing risk appetite and red representing conditions of genuine threat;
- A data-driven approach to determining KRI thresholds, making use of actuarial data;
- Effective communication processes to ensure that the right information gets to the right level at the right time;
- Maximum use of data already available within the organisation.
A typical traffic-light system is illustrated below, showing KRI performance by month, with different responses depending on the threshold exceeded.
The risk of seemingly unpredictable crisis events can be managed if the right data is effectively captured, stored, processed, and visualised to support decision-making and timely intervention. This will typically require a suitable digital platform designed to create insight from data that is locked into existing systems, visualise it in a near-real-time dashboard and use consumer commodity and open-source technology to enable quicker and cheaper implementation.
The effective implementation and adoption of KRIs to support decision-making and performance improvement can be an involved and complex task. A pragmatic approach is required that balances simplicity with innovative, technology-led solutions, typically involving the following steps:
- Develop (or redevelop) an appropriate, balanced set of KRIs;
- Determine appropriate, data-driven thresholds for these KRIs;
- Be prepared to commit time and resources to the development of effective monitoring systems;
- Consider the level of detail and format of reporting most appropriate for senior management;
- Use KRI information to inform all levels of management in order to ensure that these indicators are used to drive timely investigation and intervention.
KRI development and implementation require a proactive approach with executive commitment, to prevent reversion to a passive risk management approach. This approach should act as an enabler to drive decisive action to pre-emptively manage risks, reduce Total Cost of Risk (TCOR), improve financial performance and provide the right level of board assurance that risk is being taken on a "controlled and informed" basis.
Tom Teixeira is a partner at Arthur D. Little and Immanuel Kemp is a consultant at Arthur D. Little.