Key risk indicators are important for every business. And while “KRIs” vary from one industry to the next — for example, what’s important for agribusiness is different from what’s important for pharmaceutical firms — no matter what the KRIs look like, they’re all instrumental for managing operational risk.
Think of a key risk indicator as a pressure gauge measuring the amount of some risk your company has. When the gauge reading rises from green to yellow to red, that’s meant to be a warning sign of trouble that needs your attention.
In that case, KRIs are an indispensable part of risk management. Risk management itself is the process companies use to:
- Identify risks to their operations;
- Decide how much risk they want to accept (their risk appetite); and
- Determine how they’ll respond to a risk event outside that risk appetite.
Key risk indicators exist just beyond that third bullet point; they are the metrics a company uses to know when it’s time to put those response plans into action. Accurate, informative KRIs support better decision-making, and ultimately lead to less exposure to risk and better forecasting of earnings and other results.
What is a good risk indicator?
A good risk indicator is measurable and quantifiable. It produces information that can be measured repeatedly, which allows you to establish certain thresholds and benchmarks by which you know management should intercede to avoid a risk event.
Other traits of a good risk indicator are that it alerts you to increasing risk exposures and it can measure the risk in real-time. This last part is especially important for setting thresholds for your level of risk acceptance. If you can’t measure your KRI in real-time, then by the time you perceive the potential risk event it may be too late to mitigate the threat.
A key risk indicator must also be accurate. The job of operational risk management is not to cry wolf every time a hiccup happens in the supply chain; it’s to help identify risk, monitor risk, and strengthen your company’s resiliency against threats.
What are examples of key risk indicators (KRIs)?
Key risk indicators can be developed for any business. Some focus on the root cause of a specific area of your business; others monitor different business units or external risk trends.
Here are some examples of common KRIs:
A company might monitor its deb-to-equity levels, return on assets, allowances for doubtful accounts, and other metrics that illuminate the company’s financial position. Should those KRIs rise too high or too low, management might need to secure fresh capital or change operations to bring the KRIs back to acceptable levels.
Given the modern supply chain that spans the globe, businesses need to monitor political instability in, say, countries that house critical materials or components for your business. Your company might also monitor regulatory changes in markets where you do business, to understand whether new regulations will impose compliance risks that need attention.
Human resources KRIs
The company could monitor employee turnover, quit rates (that is, when employees leave by their own choice), and reasons for departure (which would require your HR team to have an exit interview process to collect such information).
The company might also monitor turnover among “key” employees such as managers of high-growth operating units or those with specialized technical skills. Again, this means the HR team must have a process in place to identify key employees and in-demand skills that would be hard to replace quickly.
Supply chain KRIs
KRIs are closely connected to key performance indicators (KPIs) — and in few business areas is this more evident than in supply chain management with all its deadlines and potential snags.
You may want to monitor delivery times for suppliers, reasons for missed deliveries, changes in shipping costs, or percent of goods not delivered in a promised shipment. Make sure you have an action plan ready to address these key performance issues.
How do you develop key risk indicators?
Developing efficient KRIs is easiest when undertaken as a company-wide initiative that becomes a natural part of the management process. Make sure you get support from all stakeholders (from production floor to boardroom), and include everyone as part of your company’s ongoing risk assessment process.
Then identify relevant, specific risk areas and risk events that you can demonstrate (by using previously collected data) as predictive for certain risk events. For example, perhaps increases in average delivery time for suppliers predicted delivery shortages of your own goods; or decreases in return on assets led to lower profits in subsequent quarters.
Look at your key performance indicators (KPIs) as data sets that can help identify areas where KRIs should be defined and monitored. Established KPIs identify important areas of your business. They are a source of data that can help you identify KRIs, and develop dashboards and benchmarks to pay attention to.
Finally (and as always) establish a solid process by which you identify and develop KRIs. This process should be transparent and redundant: every risk area is treated in the same manner.
Let ZenGRC do the math for you!
The ZenGRC compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you track KRIs and KPIs no matter what time of day it is or which potential crisis may be costing you sleep.
Worry-free risk management is the Zen way. For more information on how ZenGRC can enable your CMS, contact us for a free demo.