“If you must play, decide on three things at the start: the rules of the game, the stakes, and the moment to quit.” Chinese proverb
A company can monitor and manage its most important risk targets, limits and tolerance through a set of key risk indicators (KRIs).
KRIs can be expressed in a variety of units, according to the specific risk under discussion. These may include a percentage of faulty products, a number of hours lost due to work-related accidents, a monetary value such as net debt, or a ratio. Of course, great care should be taken when defining a KRI: is the KRI really measuring what we want it to measure? And if so, are we measuring it correctly?
To balance risks and opportunities correctly and to obtain the best possible alignment of performance management and risk management, each KRI should be linked to a key performance indicator (KPI). KPIs have long played an essential role in performance management.
As explained in “A new balanced scorecard: measuring performance and risk”, one of the most effective ways to link performance and risk management is to integrate risk factors and risk management in a company's performance management tool of choice. Currently, the Balanced Scorecard (BSC) is by far the most popular tool.
For each of the four main areas in the classic BSC (market, operations, organization, finance), a company defines its goals and the related KPIs. By enhancing the BSC with KRIs, a company can integrate performance and risk management. It can measure and monitor performance and risk at the same time, as part of the same process.
A KRI should be expressed in a unit of measurement that is predictive of the KPI to which it is linked. Imagine that a performance target for a car is to get from Amsterdam to Athens at an average speed of 100 kilometers per hour. In that case, we would like to express the KRIs in very car-specific terms: motor temperature, braking power, oil level, etc.
In business, it should be the same. But all too often, we see KPIs defined in specific, tangible units (number of products sold, increase in market penetration among a specific demographic, etc.), while the related, often implicit, KRIs are expressed in only indirectly related monetary terms. An example: increase market share for product X among clients between 16 and 25 years old from 15% to 20% over the next 12 months without risking more than 1.5 million euros in the effort.
This “KRI” is bound to leave the responsible manager confused. It is much better to define the KRI in terms closely related to the KPI. A relevant KRI could be the churn rate (existing customers who quit as a percentage of total customers during a given time period) among new customers in the age group 16-25.
Using analysis and creativity to aggregate risk
One of the most important but often most difficult tasks is the aggregation of risks to a higher level. When performing this task, management cannot limit itself to just adding up the different risks in various business lines.
Some risks reinforce each other. Other risks may (partially) offset each other. Risks may correlate positively, negatively or not at all. In other words, sometimes 5 + 5 = 10, sometimes 5 + 5 = 15, sometimes 5 + 5 = 2.
Scorecard – rebalanced
An organization's risk appetite will normally differ from one risk category to another, based on its relative expertise and competitive edge in different areas. A company may be very good at managing volatility in the financial markets, but very bad at managing interruptions in its supply chain, so its risk appetite for the two categories will be very different.
The BSC for executive management and the board will therefore contain a set of different KRIs, just as it has more than one KPI.
The explicit balance between risk appetite and strategic goals
All too often, a company only addresses the question “What is our risk appetite?” implicitly. There is no explicit discussion of the balance between risks and opportunities, between risk appetite and strategic goals. As a result, the approach remains haphazard and intuitive instead of structured and reasoned.
Companies will benefit from a much more explicit discussion, definition and implementation of risk appetite. It will allow them to link risk management to performance management. A clear definition of risk appetite, risk tolerance, risk targets and risk limits at all relevant levels in the business is an excellent basis for effective ERM, for embedding risk management into day-to-day decision-making, and for balancing opportunities and risks.