Many companies are failing to use risk metrics in a way that supports senior management. Tom Teixeira and Immanuel Kemp of Arthur D. Little, explain how KRIs can drive business decisions and build resilience.
Risk management is a growing priority for companies across all sectors, not just in highly regulated environments. Senior leadership needs to better monitor risk to support improved decision-making and minimise the likelihood of catastrophic events with crippling financial and reputational consequences.
This is not a task that can be solely managed by a dedicated risk function, so a cross-functional approach at executive level is required. Additionally, there is a growing regulatory obligation on companies to make disclosures about financial viability, solvency and liquidity considering their key risks, coupled with pressure from investors to provide evidence that risk management is reducing uncertainty and volatility.
However, shortfalls in the current approaches of many companies can leave them dangerously exposed. Many either have no corporate level mechanisms for monitoring and acting on risk exposure, or they gather data but fail to develop appropriate metrics (Key Risk Indicators, or KRIs) to support effective monitoring, control and timely remediation.
Even when companies employ KRIs, they frequently select inappropriate ones, or struggle to implement them effectively. The maturity of a company's approach can vary enormously, with our experience assessing maturity suggesting that most companies tend to operate below where senior management thinks they are.
Selecting and implementing KRIs
Choosing effective KRIs is not a simple process; companies often fall at the first hurdle by not selecting the right metrics, which should take into account the following:
Even where companies select the right KRIs, they often fail to monitor and manage them proactively, with boards overlooking this in favour of simply choosing the KRIs and completely delegating their measurement and reporting. Furthermore, many organisations fail to commit to full implementation of effective systems for monitoring, which is often the greater challenge. Features of effective KRI implementation include:
A typical traffic-light system is illustrated below, showing KRI performance by month, with different responses depending on the threshold exceeded.
The risk of seemingly unpredictable crisis events can be managed if the right data is effectively captured, stored, processed, and visualised to support decision-making and timely intervention. This will typically require a suitable digital platform designed to create insight from data that is locked into existing systems, visualise it in a near-real-time dashboard and use consumer commodity and open-source technology to enable quicker and cheaper implementation.
The effective implementation and adoption of KRIs to support decision-making and performance improvement can be an involved and complex task. A pragmatic approach is required that balances simplicity with innovative, technology-led solutions, typically involving the following steps:
A proactive approach is required for KRI development and implementation with executive commitment, preventing reversion to a passive risk management approach. It should act as an enabler to drive decisive action to pre-emptively manage risks, reduce Total Cost of Risks (TCOR), improve financial performance and provide the right level of board assurance that risk is being taken on a "controlled and informed" basis.
Tom Teixeira is partner at Arthur D. Little and Immanuel Kemp is consultant at Arthur D. Little.