Operational risk: key risk indicators (KRIs)
Key risk indicators defined
Key risk indicators (KRIs) are an important tool within risk management and are used to enhance the monitoring and mitigation of risks and facilitate risk reporting. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or external events. Operational KRIs are measures that enable risk managers to identify potential losses before they happen. The metrics act as indicators of changes in the risk profile of a firm.
Effective KRIs should be:
- Measurable - metrics should be quantifiable (e.g., number, count, percentage, dollar volume, etc.).
- Predictable - provide early warning signals.
- Comparable - track over a period of time (trends).
- Informational - measure the status of the risk and control.
Leading & lagging KRIs
Leading KRIs are measures that are considered predictive in nature. They are derived from metrics that can help to forecast future occurrences. Lagging KRIs are metrics based on historical measures. These help to identify trends in the firm.
Importance of KRIs
KRIs play an important role in risk management by predicting potential high risk areas and enabling timely action.
KRIs enable firms to:
- Identify current risk exposure and emerging risk trends.
- Highlight control weaknesses and allow for the strengthening of poor controls.
- Facilitate the risk reporting and escalation process.
- Operational risk management adds value to the firm.
To qualify to use the Advanced Measurement Approach (AMA) to calculate operational risk capital under Basel II, the Basel Committee on Banking Supervision (BCBS) has specified detailed criteria for the use of forward-looking measures. The choice of each factor needs to be justified as a meaningful driver of risk and whenever possible, and the factors should be translatable into quantitative measures that lend themselves to verification. The sensitivity of a firms risk estimates to changes in the factors and the relative weighting of the various factors need to be well reasoned.
Below is a high-level roadmap for establishing a KRI framework:
- Identify existing metrics.
- Assess gaps and improve metrics.
- Identify KRIs via risk control self-assessment (RCSA)—interview business units.
- Don’t over rely on them; focus on indicators which track changes in the risk profile or the effectiveness of the control environment.
- Concentrate on the significant risks and their causes and consider forward looking and historical indicators.
- Consider absolute values and numbers, ratios, percentages, ageing, etc.
- Data on KRIs should be collated on a systematic and consistent basis in order to be meaningful, e.g., on a monthly basis.
- Select the KRIs that are measurable, meaningful and predictive (leading indicators).
- Gather a good mix of leading and lagging indicators for effective risk management.
- Don’t select too many KRIs that:
- Are too difficult to manage (track).
- Might become unmanageable.
- Select only the ones that provide useful information.
- Determine and validate trigger levels or thresholds.
- Based on industry tolerance or internal acceptance.
- Board of directors should approve thresholds.
- Should coincide with risk appetite statement.
KRI tracking & reporting
- Periodic tracking of KRIs (monthly, weekly, depends on what the KRI represents).
- KRIs should be reported regularly and escalation procedures should be in place (as part of the KRI framework) to ensure timely reporting to management and board.
- Various KRIs will have different levels of escalation. When in doubt, escalate higher but don’t dump too much information on management/board because they will get overwhelmed.
- Reporting of KRIs to head of business units by KRI owners. Head of business units then reports into risk management. Risk management reports to risk board and when applicable, the full board.
- This can help improve corporate governance structure.
Risk mitigation plans
- Risk mitigation plans (RMPs) should be set for High risk items.
- Items with high severity or high frequency of occurrence need to have RMPs to mitigate risk and enhance controls.
- Determine what is high risk by assessing control levels.
- Track RMPs to ensure that controls are enhanced and risk is mitigated. Report on RMPs to management/board, and set target completion dates.
Roles & responsibilities
- Risk management
- Create Framework and provide training
- Guidance and challenge KRI selection process
- Reporting/Escalation of breaches
- Identify Trends
- Business units
- Identify KRIs
- Set thresholds
- Monitor positions
- Escalate breaches of limits to management
- Internal audit
- Validation and assurance around KRI process
- Incorporate output into audit plan
- Assess control effectiveness for KRIs that were breached or yellow
The potential challenges of establishing an effective KRI framework include:
- Getting business units to buy-in into the need for KRIs
- Demonstrating the effect (positive) that it can have on the firm overall and for each business unit
- Might result in setting aside more capital
- Identification of KRIs can prove to be difficult
- Lack of resources to track KRIs
This article is by Kseniya Strachnyi from riskarticles.com.
About the Author
Kseniya (Kate) Strachnyi is an advisory consultant focused on risk management, governance, and regulatory response solutions for financial services institutions. Areas of expertise include governance frameworks, enterprise risk management programs, ICAAP, compliance risk management, operational risk management, Foreign Enhanced Prudential Standards, Basel II/III, and the Dodd-Frank Act.