The importance of risk metrics, KRIs and KPIs to your ERM framework

The fourth (and final!) installment in Baker Tilly’s enterprise risk management (ERM) webinar series—The importance of risk metrics, KRIs and KPIs to your ERM framework — explores just that — why developing, monitoring and utilizing risk metrics, key risk indicators (KRIs) and key performance indicators (KPIs) is critical to the success of your overall ERM framework. 

We invite you to review the first, second and third installments of this series to deepen your understanding of fundamental ERM concepts: 

• ERM essentials: Building a strong foundation 
• Enhancing ERM: Moving beyond the traditional risk assessment 
• Foundational concepts for long-term success with ERM governance 

Whether you’re a seasoned risk professional or are only now beginning your journey, this exclusive ERM webinar series from Baker Tilly delivers valuable takeaways.  

ERM is a critical component for organizations aiming to better navigate uncertainties and achieve their strategic objectives. In today’s risk landscape, where enterprise-wide risks are evolving faster and extending further than ever before, the most effective ERM frameworks properly leverage risk metrics, KRIs and KPIs to proactively monitor and manage risks and potential opportunities. 

That’s the end goal. But where do you begin? 

Introduction to ERM metrics

ERM metrics are essential tools that provide insights into changes in risk exposure and the potential associated impact on performance. They help organizations track risk levels, identify emerging threats and opportunities, and make informed decisions. Metrics can be categorized into KRIs and KPIs, each serving distinct purposes in risk management. 

• KRIs (key risk indicators) are metrics that are tied to a risk exposure and signal potential risk events before they occur. They are forward-looking and help organizations anticipate and mitigate risks proactively. 
• KPIs (key performance indicators) on the other hand, measure the result of actions already taken and are typically backward-looking. 

Together, tracking KRIs and KPIs for an organization’s risks can provide a more comprehensive view of risk and performance — past, present and future. 

Developing metrics for top risks 

The development of effective risk metrics involves several phases: developing KRIs, defining tolerances and aggregating data. 

Developing KRIs 

This phase focuses on identifying scenarios and drivers that could lead to potential risk events. It involves selecting the top scenarios and their associated drivers for a risk, researching potential data sources and collecting any available historical data to develop a trend analysis. 

Defining tolerances 

Establishing tolerance thresholds for risk metrics is crucial for evaluating changes in risk exposure levels. This phase includes confirming tolerances with risk owners, setting quantitative thresholds for risks and defining escalation protocols in the event a threshold is breached. 

Aggregating data 

The aggregation of KRI data for each top risk enables ongoing monitoring and helps to establish an objective approach to escalating risk discussions. This phase involves assigning weights to KRIs, then aggregating KRI scores up to overall scenario scores, risk category scores and business unit scores (as desired). 

Leading practices for utilizing KRIs 

It’s not enough to simply develop a set of KRIs for a risk and hope they work as intended. Effective KRIs must be properly aligned to the root causes of the risk, then monitored, operationalized and reviewed periodically to ensure continued alignment with the overall level of tolerance for the risk. 

Aligning KRIs with strategic objectives 

KRIs should be aligned with the organization's strategic goals and performance objectives. This ensures that risk management efforts are focused on areas that matter most to the organization. 

Monitoring through the SMART principle 

As simple as it may sound, effective KRIs should adhere to the SMART principle — Specific, Measurable, Actionable, Reliable and Timely. This ensures that KRIs are clear and quantifiable, and that they provide actionable insights, enable consistent monitoring and offer early indicators of potential risk exposure. 

Operationalizing KRIs 

Moving your KRIs from concepts to concrete metrics involves actively integrating them into the organization's risk monitoring processes. This is, in large part, the actual work of what we discussed above — developing KRIs, defining tolerances, aggregating data and incorporating dashboards for reporting. 

Challenges and mitigating activities 

Even with the best laid plans, implementing effective risk metrics can be challenging. As you seek to incorporate (or refine) the above within your organization, it’s often helpful to know what speed bumps and roadblocks might be up ahead. The most common challenges we’ve seen often include: 

• Data collection: Collecting accurate and relevant data for KRIs can be difficult, especially if data sources are fragmented or unreliable. 
• Threshold setting: Defining appropriate tolerance thresholds requires a deep understanding of risk dynamics and organizational priorities. 
• Stakeholder engagement: Ensuring that internal stakeholders understand and use risk metrics effectively requires ongoing communication and training. 

But you’re not without hope! To mitigate these challenges, organizations can: 

• Leverage existing data: No need to reinvent the wheel from the ground up. Use existing data sources as a starting point for developing KRIs and KPIs. 
• Pilot metrics development: Start with a pilot project to develop metrics for one risk, working with friendly risk owners to refine the process. 
• Align metrics with performance objectives: Ensure that metrics are aligned with the organization's top performance objectives to maintain relevance and focus. 

The bottom line 

Risk metrics, KRIs and KPIs are indispensable tools for effective ERM. They provide objective and actionable data that help organizations monitor risk exposure, track performance and make informed decisions. By developing robust metrics, defining tolerance thresholds and utilizing dashboards for reporting, organizations can enhance their ERM program and navigate uncertainties with confidence.