Managing Key Risk Indicators (KRIs)


The position of Chief Risk Officer (CRO) was first established in the early 1990s by GE Capital to manage credit, market and liquidity risks. The role has proven most successful in heavily regulated industries such as banking and energy where regulatory risks – losses sourced in existing or prospective regulation – are becoming more significant.

Key Risk Indicators (KRIs)

One of the most important roles of a CRO is to provide timely reporting of risks and performance against agreed targets, typically as a set of agreed Key Risk Indicators (KRIs).
Most managers are familiar with Key Performance Indicators (KPIs), and the Basel Committee on Banking Supervision (BCBS) has extended this concept to the idea of KRIs:
Risk Indicators are statistics and/or metrics which can provide insight into a bank’s risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions.
Any framework of KRIs needs to include reports of actual outcomes and – because these data are ‘backward looking’ – also incorporate some leading (or forward looking) indicators that point to current developments that may impact on future risks. These are best communicated through risk maps discussed in the previous chapter that plot exposure against frequency for expected risks or value losses. At a minimum KRIs should incorporate:

1. Actual loss experience. This should be broader than just net P&L impacts and include events that do not have material costs (especially ‘near misses’ and disruption to customers, employees and operations). Results should be categorized by business line and loss type.
2. The firm’s best thinking on risks it faces. This includes anticipated risks (particularly self-assessment such as the ‘ten top risks we face’) with probabilities and consequences.
3. Value at risk, particularly for financial measures.
4. Firm and industry data on risks, mapped as consequences vs. probability.
5. Milestones that are indicative of scenarios for credible generic risks in terms of consequences and required responses. The implication is that passing a milestone should trigger heightened awareness of this risk.
6. Organizational ‘red flags’ such as executive turnover; legal or ethical charges; reporting errors; and backlogs in production and accounting.

This becomes particularly important given that most major disasters have been presaged by previous incidents bordering on criminal behaviour.

According to a recent survey of banks, their ‘Top 20 KRIs’ can be grouped as follows:
1. Organization: staff turnover; employee complaints.
2. Counterparty/Customer: credit quality; failed trades; client complaints; new accounts; customer attrition.
3. Internal Processes: inventory (cash) losses; market risk limit excesses; expenses; investigations underway.
4. Audit and compliance: risk and control self-assessment audit scores and issues; compliance breaches.
5. Technology: system downtime.
6. Criminal activities: theft, fraud (internal and external).
7. External threats: IT system intrusions; economic indicators.

This kind of analysis lends itself to development of comprehensive sets of KRIs covering potential sources of failure involved in individual transactions.

How should any firm develop its KRIs? From a Board’s perspective, the most important leading indicators of serious strategic risk are poor financial performance and a weak competitive position, management’s failure to react in a timely fashion to internal and external developments, and deterioration in the firm’s reputation and the occurrence of unacceptable (even if minor) losses of value, particularly criminal actions. These, respectively, indicate factors that could lead to unexpected increase in risk propensity through ambitious strategic initiatives to boost profits, heightened exogenous risks due to a failure to understand the environment, and evidence from counterparties and operational outcomes of a heightened risk environment.
More specifically, KRIs foreshadow potential deficiencies in the firm’s supply chain, product quality, compliance, process integrity and operational efficiency.

Developing a set of KRIs will combine generic measures of standard pressure points that affect any organization along with more granular yardsticks that relate to the organization’s mission and to its proprietary products and services, processes and plant, finances, and suppliers, customers and employees.

Leading Risk Indicators

Poor financial performance risk
• Profitability and return relative to benchmarks and competitors
• Earnings ‘disappointments’

Weak competitive position risk
• Relative share performance
• Loss of market share
• Relative performance using financial and operating measures

Management’s failure to react in a timely fashion to developments risk
• Internal – missed financial and operating targets; budget and project overruns
• External – ‘shocks’

Deterioration in reputation risk
• Opinion of analysts
• Business media reports

Occurrence of unacceptable losses of value risk
• ‘Shocks’ to share price
• Fines or charges associated with finances (theft) or operations (environment, OHS)

Supply chain risk
• Inventory stock out
• Spoilage/shrinkage

Product quality risk
• Customer complaints
• Quality defects
• Customer attrition

Compliance risk
• Audit

Process integrity risk
• System failure

Operational efficiency risk
• Incidents, even when minor

Organization risk
• Staff turnover
• Employee absence
• Decline in productivity

Finances risk
• Credit quality
• Working capital


Risk Governance
Moody’s provides details of key risk governance topics that include: the firm’s risk appetite and target risk outcomes; a mechanism for incorporating risk into strategy development; an appropriate risk management organization; and timely reporting of risk outcomes.

The first element – to establish the firm’s risk appetite and target risk outcomes – involves quantification of risk objectives; establishing limits on what is desired and what is not; and putting in place a relatively stable organizational framework that explicitly reflects risk management objectives.
The second risk governance objective is to embed risk into strategy development and this needs a formal process covering: standardized risk requirements for management, investments and product design; training on how to evaluate and leverage risk; and criteria to evaluate and reward managers’ performance against risk-based performance measures.
Third is to establish an appropriate risk management organization which may be as simple as appointing a CRO to report jointly to the CEO and Board Risk Committee, and providing them with adequate resources and organizational support.
The fourth element, timely reporting of risk outcomes, means that risk-driven governance involves continuous examination of risk outcomes through timely reporting to all stakeholders, both in quantitative terms (such as through Key Risk Indicators – or KRIs) and as qualitative reports on objectives and process improvements.

Key Topics in Risk Governance

1. Risk Governance at Board Level
• Extent to which Board (including external or independent directors) is involved in defining risk appetite, control structure and organization
• Awareness and understanding by Board of risk exposures
• Mandate and practical workings of Board-level risk and/or audit committees in reviewing risk management and effectiveness of controls

2. Risk Governance at Executive Management Level
• Involvement in risk decisions by executive committee, risk awareness of top management
• Mandate and practical workings of executive-level risk committees
• Risk measures and considerations used by executive management in determining capital allocation and overall capital adequacy decisions

3. Risk Governance – Risk Management Organization and its Influence
• Reporting lines and authority of risk management functions
• Mission of risk control: monitoring/measuring/reporting vs. active management and mitigation
• Independence/autonomy of risk organization
• Centralized vs. decentralized risk organization, integrated vs. silo risk control, extent of adoption of enterprise-wide risk management concepts
• Existence and implementation of enterprise-wide risk management concepts
• Veto power and forcefulness of risk control/management on new and existing products
• New product approval procedures
• Process for the dissemination of risk principles, preferences, risk-taking decision authorities, policies and procedures
• Steps taken to provide education and training for broader personnel in risk matters.

These can be combined in more comprehensive documents which are useful in explaining a variety of non-financial outcomes to stakeholders, including risk, safety, environment, R&D and long-term strategy. Many firms now have impressive Sustainability Reports, particularly mining companies and banks.
This can lead to a comprehensive view of corporate governance that incorporates communications to various stakeholder groups, strategy formation, knowledge management and communication within a broad risk framework. The best depiction of this risk governance approach is the interesting framework for risk-biased corporate governance developed by Shell, which – reminiscent of many Enterprise Risk Management (ERM) perspectives – places risk within a governance framework that links it to strategic responsibilities.
Risk governance emphasises linking disparate strategies and functions, so it needs to be alert to unexpected knock-on impacts. When consciously influencing and measuring risk outcomes Boards need to consider a range of possible implications, including undesired impacts. An example of the latter is imposing a requirement for approval on an exceptions basis of decisions that could prove high risk. This might place the onus on decision makers to identify such decisions by extrapolating their risk possibilities, and then obtaining approval from a level of management higher than required by other authority criteria (such as amount of the investment) or from a central risk group. This appears to be a prudent and reasonable policy. However, it contains an implicit message that risk is ‘exceptional’, which would almost certainly result in either a deluge of exceptions, or an unwillingness for managers to contemplate risks.

Apart from regular KPIs, the Board needs to be alert to emerging risk factors that could indicate the need to monitor developments more closely.
Critical Questions on Risk Environment
1. What is the firm’s risk management strategy (balance between avoid-insure-manage)? What is its strategic risk appetite? What risks are acceptable and what are unwelcome?
2. Does the organization have a history of problems (including near misses) or a risk bias?
3. Are incentives in place to promote integrity? Think in terms of Five Forces as well as rewards for decision makers.
4. What is the ‘frame’ of the business and operating environment? Consider geography, industry, governance, assets, management objectives and moral hazard.
5. What is the ‘culture’ of the business and operating processes? Consider organization, structure, controls, reporting, KPIs; and the psychodemographics of staff (age, background, personality, recruiting) and counterparties.
6. Is this a new process? If so, how far up the learning curve are operations (training, procedures, routines, predictability)?

CRO Responsibilities
A key question is how the role of the CRO differs from the risk management responsibilities of the Board. The working assumption here is that the CRO will establish a sophisticated approach to the firm’s risk management, and will monitor and report its progress.
The first objective is to provide leadership for ERM. This involves a number of activities, starting with establishing an ERM programme.

The next step is to formally integrate all risk management functions, staff and responsibilities across the company within the CRO’s group. Unless risk management activities are fully integrated, the benefits of establishing an ERM programme and the CRO role will not be achieved. Bringing all risk activities together enables the CRO to develop policies across the full set of firm risks. This will involve authorities (such as approval limits on transactions and sign-offs on risky decisions), procedure guides (minimum safety standards and training requirements), reporting (positions at risk and incidents or near misses) and inspection frameworks. A centralized group also has the scale to develop and implement tailored training in risk management processes for all staff. This will differ according to function and responsibility, and may incorporate a tiered approach where some staff are made experts in risk, much along the lines of black belts in Six Sigma.
The second objective of a CRO is to coordinate internal and external risk reporting.
This is a core CRO function and requires firm-level indicators of outcomes such as milestones for programme implementation, and performance against Key Risk Indicators (KRIs). Setting up firm-level data requires a build-up by business units, and this can assist business units to develop their own risk measures which are incorporated into the firm’s process measures.

Independent of any external reporting requirements, the CRO also needs to establish baseline measures of firm performance and indicators of best-in-class outcomes. Accurately measuring risk outcomes is important because setting up a specialist risk function and increasing the cultural awareness of risk will increase reporting and so bias-up the apparent incidence of measures of risk. To properly evaluate the effectiveness of the risk programme requires an accurate baseline; and objectives need to be set against best practice which will typically come from benchmarking. The last can throw up some surprises. My favourite came in a presentation on risk management by the risk manager of a supermarket chain who somewhat shamefacedly reported that their benchmarking showed they had a significantly higher lost time injury frequency than a steel manufacturer. Supermarkets were seen as ‘safe’ environments and employees eschewed prudent behaviours when lifting, driving and myriad other tasks that can only be made free of injury by the right attitude.
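As an added illustration (not from the text, and not any firm's or vendor's actual tooling) of how the milestone idea in the KRI list earlier in the chapter and the baseline measurement discussed here can be operationalised, the following Python sketch scores a handful of KRIs against ‘watch’ and ‘act’ milestones, uses the ratio of recent observations to a pre-programme baseline as a leading indicator, and orders the result for reporting. The KRI names come from the banks' ‘Top 20’ groupings above; the thresholds and the monthly observations are constructed, illustrative values.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Milestone:
    """Thresholds for one KRI. Passing 'watch' should trigger heightened
    awareness; passing 'act' should escalate to the risk committee."""
    watch: float
    act: float


# Constructed monthly observations (illustrative, not real data) for three
# KRIs drawn from the survey groupings above, oldest first.
SAMPLE_KRIS = {
    "it_system_intrusions": [2, 3, 2, 4, 6, 9],
    "system_downtime_hours": [5, 4, 6, 5, 5, 4],
    "staff_turnover_pct": [8, 9, 11, 14, 18, 23],
}
# Constructed milestones (assumed values, not benchmarks from the text).
MILESTONES = {
    "it_system_intrusions": Milestone(watch=5, act=8),
    "system_downtime_hours": Milestone(watch=8, act=16),
    "staff_turnover_pct": Milestone(watch=15, act=25),
}


def baseline(series, window):
    """Baseline = mean of the earliest `window` observations, i.e. the level
    recorded before the risk programme changed reporting behaviour."""
    return mean(series[:window])


def trend(series, window):
    """Leading indicator: mean of the latest `window` observations divided by
    the baseline. Values above 1.0 mean the KRI is rising against baseline."""
    base = baseline(series, window)
    return mean(series[-window:]) / base if base else float("inf")


def assess(name, series, milestone, window=3, rising=1.5):
    """Classify one KRI: 'act' past the act milestone, 'watch' past the watch
    milestone or when the trend ratio exceeds `rising`, otherwise 'normal'."""
    latest = series[-1]
    ratio = trend(series, window)
    if latest >= milestone.act:
        status = "act"
    elif latest >= milestone.watch or ratio >= rising:
        status = "watch"
    else:
        status = "normal"
    return {"kri": name, "latest": latest, "trend": round(ratio, 2), "status": status}


def dashboard(kris, milestones, window=3):
    """Assess every KRI and order the rows so escalations come first."""
    order = {"act": 0, "watch": 1, "normal": 2}
    rows = [assess(n, s, milestones[n], window) for n, s in kris.items()]
    return sorted(rows, key=lambda r: order[r["status"]])
```

A KRI whose latest value is still below its watch milestone is nevertheless flagged when its recent average has risen well above baseline, which is the forward-looking signal the chapter asks KRIs to carry.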
The third objective of a CRO is to ensure compliance with stock exchange and regulatory requirements for risk management, which involves ensuring that the firm’s risk management policies and procedures exceed compliance and then enforcing them.
A fourth, more aggressive, objective of a CRO is to better incorporate risk into the firm’s strategy and programmes. This would include extending the firm’s business plans to specifically incorporate risk management. When this is combined with the CRO’s sign-off on risk aspects of major decisions, it is desirable to develop models that demonstrate the impact of risk on business operations, and optimize the return-risk trade-off in strategy development, particularly new investments.

Thus the CRO will test their performance against tangible and intangible criteria. The tangible criteria are relatively clear, and include: declining measures of risks, and at least matching performance of the best competitor; reduced expenses that are directly attributable to risks such as insurance and workers compensation expenses (although much of this is very long tailed with costs associated with accidents that might have occurred a decade earlier); and fewer breaches, ‘surprises’ and adverse events.
Unfortunately many benefits of better risk management are difficult to measure. These less tangible outcomes cover items such as:
Closer integration of risk measures into project evaluations and operations. This is an awareness issue that requires employees, especially managers, to see advantages in identifying and managing risks. Thus it involves education and evidence of the benefits of ERM.
Better matching of risk propensity to decisions. In the workplace it is appropriate to test outcomes against clear, low-risk criteria such as ‘nobody gets hurt’ or ‘fish can swim in our effluent’. Other decisions, though – whether credit approvals, research projects or market innovations – may be expected to fail occasionally; not because mistakes are acceptable, but because some losses are a consequence of better calibrated risk taking.
Perversely an effective CRO may increase awareness of risks, promote increased risk propensity, ensure more comprehensive reporting and bring an increase in the frequency of reported adverse events.
In brief, the CRO position will have four principal roles: strategic evaluation of risks and their optimum management; communication of risk strategy and performance; administration of the risk management process, including audit and insurance; and participation in crisis management. Clearly this requires a broad set of competencies covering finance and management, engineering and communications; and the ability to innovate, see ahead, clearly communicate complex subjects to different audiences, and garner organizational support for cultural change. Rarely will this range of attributes be held by one person; but this, of course, is not necessary for a CRO who is supported by a team of specialists who possess technical, training and other skills.


