How to set kri thresholds?

To help your company manage emerging threats and better prepare for the future, it’s vital that you and your team develop Key Risk Indicators (KRIs). This helps to safeguard your organization from the various types of risks that can sidetrack its plans. Safeguarding activities include:

Key risk indicators are metrics that predict potential risks that can negatively impact businesses. They provide a way to quantify and monitor each risk. Think of them as change-related metrics that act as an early warning risk detection system to help companies effectively monitor, manage and mitigate risks. KRIs provide visibility into the weaknesses within your company’s risk and control environment and processes — and help to develop a risk assessment plan to fortify your business.

KRIs add value to overall operational risk management by playing an essential risk management role. KRIs predict potential risk — especially within high-risk areas and sectors. KRIs can help with:

In short, KRIs provide an advanced “heads-up” that allows companies to be prepared for risks.

In the current and future post-COVID era, emerging risks will continue to impact many audit risk areas. While government, healthcare, and pharmaceuticals will likely maintain a focus on strengthening their pandemic risk assessments, other industries will put an emphasis on developing or bolstering their risk assessment plans to focus on identifying emerging risks within their supply chains and internal controls — as well as looking at fraud or cybersecurity threats due to remote working conditions.

As a powerful tool supporting operational risk management (ORM), KRIs help identify and define risks to ensure everyone understands the relationship between each KRI and potential risks. So, how do KRIs help companies identify these emerging risks? KRIs assist companies with:

Clearly identifying KRIs involves developing a roadmap — such as the one outlined below — to establish the KRI framework. This process will involve your risk management team, each business unit, and those responsible for internal audits.

Before identifying KRIs, your risk management team will need to create a framework and provide guidance by ensuring everyone is trained on the KRI selection process.

Each business unit will be responsible for identifying their respective KRIs, setting the thresholds, monitoring each KRI state, and escalating variances against these to management, including:

Another part of identifying KRIs is setting thresholds or tolerances that enable flags to be raised when the situation moves outside of the normal. The thresholds should be based on industry norms or internal acceptance criteria. All thresholds should be carefully vetted by key stakeholders and approved by your company leadership or board of directors. Other tasks that need to be addressed when developing KRIs including determining who is responsible for:

Internal audit will need to validate and provide assurances relating to the KRI process as well as build into the audit plan all the required inputs and record the final results. Internal audit will also need to identify, document, and report all exceptions or breaches to KRIs.

There are various types of quantitative and qualitative KRIs — for example, some are focused on financial, human resource, operational, technical, or other aspects of the business.

These focus on provable facts and numerical data based on findings from mathematical models and analysis methods.

These types of KRIs focus on predicting probability-based outcomes to support things like sensitivity analysis.

Depending on your business or industry’s nature, the use of quantitative over qualitative KRIs may be more relevant. Some KRIs may also rank higher on the priority list, be of more importance than others, and be subject to change based on internal or external environmental factors. Here are examples of top types of KRIs used across a range of industries and sectors.

Quantitative financial KRIs may be of greater significance to commercial or retail banks, asset management or firms, or Certified Public Accounting (CPA) firms. Some examples of financial KRIs that can link to external environmental factors might include ones that measure an economic downturn or regulatory changes. Internal factors might be changes to strategic goals, budget limitations, or acquisitions.

Staffing and recruitment firms and human resource departments are likely to be interested in using quantitative or qualitative people-based KRIs. High staff turnover, low staff satisfaction, labor shortages, or low recruiting conversion rates are some examples of human resource KRIs.

Operational KRIs could measure many things, from failed internal processes to ineffective internal controls. These types of KRIs can be typically developed in all industries. Factors impacting operational KRIs might center around process inefficiencies, leadership changes, or changes to strategic goals.

System failures, security breaches, and denial of service incidents are all examples of events that technology-based KRIs measure. These types of KRIs also impact all industries, but can be of greater importance to a technology service provider or a firm that relies on online business portals. Technological risk factors might include increased operational complexity, security issues, changes to protocols, or regulations.

It’s important to understand the difference between KRIs and KPIs. While they are related, they are different. They work together to provide companies and their leaders with the metrics needed to fortify their business. Both KPIs and KRIs are needed — they work hand-in-hand to create a complete picture for effective and timely decision-making.

KPIs look backward and focus on how well companies are achieving their goals. KPIs identify and prioritize a company’s key goals as well as monitor performance against those goals.

KRIs look toward the future. They assess and manage potential risks to goals. They focus on the likelihood that companies will achieve their goals based on potential risk factors. KRIs are linked to strategic priorities and identify all current and emerging risks related to each key goal. KRIs also monitor risks and send an early warning when the business is at risk of not achieving its goals.

Gauging performance and ensuring that goals and milestones are met is one of the key aspects for which any leadership team is responsible. When looking at their dashboard each day, leaders across the business expect to see the information that tells them the current state of things — and that hopefully, they are on track — and this includes KRIs. When KRIs fall outside of thresholds, they alert management that there’s increased potential for a risk exposure — but KRIs are only useful when they’re developed using this methodical yet simple approach.

Prior to establishing KRIs, it is essential first to understand your company’s goals and any vulnerabilities that can cause risk points. Effective enterprise risk management relies on identifying the most significant risks — these are the ones that will have the highest impact, the highest chance of occurring — or are the most likely to be outside of your company’s control.

If your company has already established Key Performance Indicators (KPIs), these can create KRIs. Why? The KPIs will already make sense and provide the underlying information — this can reduce the time spent on monitoring and the needed resources. Keep in mind that the KPIs being transferred to KRIs must also be relevant, timely, measurable, and make sense. If the KPIs are out of date or no longer applicable, then they shouldn’t be used.

Since KRIs are developed by each department, a solid process for creating, assessing, monitoring, and reporting them to the appropriate individuals will need to be established. The following best practices can ensure things go smoothly.

Following a methodical approach like the one above can help streamline the process of developing Key Risk Indicators.

Creating, monitoring, and reporting KRIs sounds pretty straightforward, but it’s a bit more involved than one might think. Many businesses still struggle with common mistakes when establishing KRIs for these reasons:

Being aware of these common challenges can help you design a KRI development approach that will anticipate data and process-related issues.

Before your business can begin benefiting from KRIs, you’ll need to do a bit of prep work. We walk through the steps for KRI design below.

A KRI is a metric for tracking the potential occurrence of certain risk events that will have an adverse effect on your company’s objectives.

So before you can begin developing effective KRIs, it’s essential that you understand your company’s most important objectives. For example, one core objective might be to increase profits by increasing revenues and decreasing costs. There are several risks you may map to this core objective, like economic downturns or operational inefficiencies.

The risks that pose the biggest threat to your business objectives— with a high probability of occurring and a potentially damaging outcome — are the kind you’re looking to include when you establish KRIs.

Here are a few ways to identify relevant risks:

There are two primary methods for choosing KRIs: top-down and bottom-up approaches.

Whether you opt for a top-down or a bottom-up approach, after top-priority risks have been identified you can begin to design KRIs. For initial KRIs, it can be helpful to start small with two or three indicators for your top risks.

When setting up KRIs, keep things simple by focusing on your priority risks. Include relevant subject matter experts from your organization to help identify a few key indicators that will help you properly track risks.

Remember that key traits of a good KRI are:

Once you’ve identified KRIs, set upper and lower tolerance values to track against each risk. Any time a risk moves beyond these thresholds of acceptance, you should alert key stakeholders and assign follow-up tasks to mitigate that risk.

These tolerance values can be changed as data is captured, so don’t spend too much time perfecting them in the beginning. To start, you can use industry norms or internal criteria to set them and ensure they’re approved by your board of directors or other key leadership.

When you’re confident in the data being collected from your initial indicators, you can expand the KRI program into different business departments.

Once KRIs are in place, they need to be monitored and tracked regularly, whether in real time or with a quarterly check-in.

Automation can help simplify this process, but you may also want to consider appointing key individuals to manually track certain indicators that make sense for your organization.

Additionally, you can use the first few data-gathering periods as a way to check if your risk threshold settings are correct. This will help ensure that future alerts are configured correctly and prevent false alarms.

• Developing a thorough understanding of each potential risk exposure.
• Documenting each risk, the impact, and likelihood of the risk occurring.
• Closely monitoring performance via Key Performance Indicators.
• Leveraging technology to assist this process.