Sunday, March 23, 2008

Pure Risk Management Training 101: Key Risk Indicators (KRIs)

Q: What Are KRIs?
A: Key Risk Indicators (KRIs) are set of relevant metrics showing a point in time status of the operating processes. Risk managers use the metrics to proactively monitor the operational process to identify potential risks that may affect the operating process long before they can occur.

Q: What Is Their Purpose?
A: When designed properly, reported timely, and measured reasonably, KRIs provide a predictive warning of potential issues that may adversely affect the Business.

Q: How Do You Design KRIs Properly?
A: Risk manager must first understand the end-to-end operational flow of the business prior to attempting to manage the risk. With a detailed mapping of the business process, data flow, decisioning branches, seasonality of the business flow, projected business growth, overall business model, and the acceptable level of risks that the business is willing / allowed to take, a risk manager can design the limits – upper and lower – of the KRIs that would yield the best quality data. It is with this data that the risk manager designs the KRIs.

Q: What Do You Think Is “Timely” Reporting Of KRIs?
A: Each business and its processes have different tenor (time horizon). For some businesses, such as overnight shippers, timely would mean near instantly. Others, such as any continuous flow process, i.e., manufacturing shoes; the timeliness of the KRIs would be determined by the company’s reporting cycle. Typically, a good risk manager would want to know, weekly, the critical operational and decisioning pathways metrics and, at least bi-weekly, for the less critical operational paths metrics.

Q: How Are The KRIs Developed?
A: KRIs are developed as part of the end-to-end review of a business process, which will identify where there is a need for early detection and escalation of issues that will adversely affect the Business

Q: Who Develops KRIs?
A: Risk manager, in concert with the senior managers of all the businesses involved in the end-to-end process, will develop the KRIs.

Q: Are Risk Management Necessary?
A: This is analogous to a person asking if one requires a torch before entering into a cavern. Even if you have been in the cavern many times, without sufficient lighting, it is going to be a very slow, arduous, and dangerous going. However, there are companies out there that do just that. These companies feel that their business models are “battle tested” and their processes have been sufficiently “refined over time.” It is these very groups of businesses that get hit with a major financial loss or embarrassing risk event. So, in short, risk management is very necessary as it is one of the essential monitoring tools for any business.

Q: Do We Really Need KRIs?
A: Knowing risk management is one of the essential monitoring tools for any business, the answer here is unequivocal ‘Yes.’ KRIs are important to the risk manager in assessing vast quantities of data in a meaningful way. Through properly developed set of KRIs, the risk manager is able to providing advanced notice of potential risk events (things that may go wrong) with the Business, well in advance of the risk event ever occurring. The idea is to use that lead-time to prevent (mitigate) the risk event or at least try to manage it.

Example: In the case of the 2004 Indonesian tidal wave that devastated parts of Indonesia, Thailand, and India, there were no advanced warning systems in place. Because of a lack of an early warning system, 13,000 people were killed (a severe risk event). How would properly developed KRIs help to mitigate some of the losses?

A simple KRI that could have helped in the example situation:
Measurement of earthquakes:

Low = any earthquake with a magnitude of 3.5 or less.
Medium = earthquake with a magnitude > 3.5 and < 8.0 (for location more than 500 mile inland).
Medium = earthquake with a magnitude > 3.5 and < 6.0 (for costal location).
High = earthquake with a magnitude > 8.0 (for location more than 500 mile inland).
High = earthquake with a magnitude > 6.0 (for costal location).

In fact, the Tsunami Warning System in place in Alaska and Hawaii does exactly this. By monitoring and measuring the size and location of the earthquake, they can make a determination of the potential for a Tsunami and an approximate time to impact.

Q: Where Would One Apply KRIs?
A: KRIs can be applied to any process that the business may determine has sufficient risk of failing or causing another process to fail, resulting in financial losses, non-monetary damages, or both. Businesses can use KRIs in all their operational processes to assist in predicting potential risk events.

Q: How Do You Reasonably Measure Risks Using KRIs?
A: KRIs, like all tools, in of themselves do not manage or mitigate the risks in a business. Moreover, if improperly designed, it can lead to a false sense of security. Furthermore, improper timing of the KRIs can lead to missing the risk event altogether or not being properly prepared with corrective actions. (Sort of like yelling out “Iceberg, dead ahead!” at the moment of impact.)

Therefore, the measurement of the risks must be done in concert with (a) the senior business managers whose businesses and processes are involved in the operational pathways and (b) with senior officers of the company, to clearly understand their tolerance levels for risk of financial losses and non-monetary set backs. The combination of the nature of the business to monitor, the tolerance levels, and good design of the KRIs will allow the risk manager to measure the risks facing the business.

Q: Are KPIs (Key Process Indicators) The Same As KRIs?
A: No. Key Process Indicators (KPIs) are different from KRIs. KPIs only show what the business is doing and how much of it is being done in a period of time. Therefore, KPIs are INFORMATIVE. KRIs, on the other hand, are DETERMINITIVE.

Example: KPIs are analogous to a car’s speedometer. Speedometer tells you how fast the car is going at any given moment. However, it does not tell if the current speed is appropriate for the vehicle, road, traffic, and weather conditions. It is merely informative.

KRIs are analogous to a car’s fuel gauge. The fuel gauge will provide information but also gives you an understanding of what will happen, and approximately when. If one chooses to ignore the fuel gauge data, then one will quickly learn not to repeat that error.

Q: Can KPIs become KRIs?
A: A good question. And the answer is a firm “Maybe.” If a series of KPIs are presented in a proper and coordinated manner, then one can use the KPIs to derive a KRI.

Example: Using the car analogy again. Let’s use a series of KPIs: speedometer, clock, and odometer. Individually, these are KPIs. They are informative, nothing more. However, when taken together with an external data point, one can derive a KRI from the collective data.

KPIs for both cases: Speedometer indicates 40 MPH, clock indicates 8 AM, and odometer indicates 4,000 RPMs out of max of 9,000 RPMs.

Case 1: You are driving on a highway headed toward the business district. What is your risk level?
Case 2: You are driving down a steep incline from a top of a mountain on a Sunday. What is your risk level?

Side Note: One can make an incorrect argument that a speedometer is a KRI since if one takes the car to the maximum limits of the speedometer, then one will lose control of the car and crash. This is a false assumption since there are at least two ways to get the speedometer to the maximum without any risk of damage:

1. The vehicle is on a chassis dynamometer
2. The vehicle is a Zamboni, which has a top speed of 9 MPH and is running top speed on the world’s largest skating rink, according to Guinness.

There may be more examples but the above two is sufficient to make the point that KPI does not equal KRI.

Q: Finally, What Makes A Good KRI?
A: A good KRI should have at least the following characteristics:

  1. KRIs should be based on established Standards
  2. KRIs should be developed using consistent methodology
  3. KRIs should provide a clear understanding of the risk variables
    • Potentiality (Can it occur?)
    • Probability (If it can occur, what is the likelihood?)
    • Timing (When is it most likely to occur? / How much time do we have before it occurs?)
    • Severity of the Risk (When it occurs, what is the $ / % / # loss?)
  4. KRIs must be quantifiable (number, dollars, or percentages)
  5. KRIs must be easily applied and understood by the end users
  6. KRIs must provide trending analysis of the risk variables
  7. KRIs should validate or invalidate management decisions and actions
  8. KRIs should be timely, provide a simplified but complete view of the risk, and cost effective
Couple of Practical Tests Of Risk Management:
1. You are going to drive a mid-sized rental car through the desert to Las Vegas from Reno. Gas gauge is reads full, as is your trunk. The sign you’ve just past informed you that Las Vegas is 450 miles away. By the time you get to the midway point, the gas gauge is at 1/4 full. You see a gas station ahead but they are charging $6 per gallon of gas. You also see a sign that tells you that a full service gas station and truck stop is 10 miles away. What do you do as a risk manager? Why?

2. You have an important business meeting in an hour at your office with a client on a make or break deal. As you are leaving the house, you have a choice of two transportation options: (A) take the car, which will get you to your office in 15 minutes, leaving you plenty of time to get the final preparation done and have a cup of coffee. However, it will cost you $35 in parking fees; (B) take the metro, which usually takes 35 minutes door to door, but has been known to take up to 45 minutes with traffic. The benefit is that it only cost $2 and you can prepare on the metro while having your breakfast. What is your choice and why?

Regards,
Ed Kim
Practical Risk Manager
Riskyops.blogspot.com

Sphere: Related Content

2 comments:

David Harper said...

Thank you, this is helpful.

Unknown said...

Hi

I like this post very much. It help me to solve some my work under my director’s requirements.

Apart from that, below article also is the same meaning

key performance indicators examples

Tks again and nice keep posting
Rgs