August 22, 2013

A Key Risk Indicator or “KRI” is defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) “….a metric used by organizations to provide an early signal of increasing risk exposures in various areas of the enterprise.”

Critical in this definition is the concept of KRIs providing “early warning” to a potential future risk event or exposure.

KRIs differ from a Key Performance Indicators (KPIs) in that KPIs are generally  designed to measure performance against an established goal, target, or objective while KRIs are generally designed to measure or indication of a potential future negative or adverse impact or consequence to the organization.

Well-designed KRIs should help provide early warning of a potential event or threat to the organization.

• Key Performance Indicators (KPIs): Monitor changes in business performance in relation to specific business objectives / strategy (e.g. revenue, business volume). Measures how well something is being done or performed.
• Key Risk Indicators (KRIs): Related to specific risk and demonstrates a change in the likelihood (frequency) or impact (consequences) of the risk event

Potential Key Benefits of KRIs

• Enable timely monitoring of potential future risk exposures
• Help provide organization with increased understanding of risks and controls
• Provide ability to track trends in KRI performance over time
• Provide understandable and measurable early warning signals
• Helps add objectivity to the risk management process
• Enables reporting by exception to help facilitate timely and effective remediation

Pros and Cons of KRIs

While KRIs can serve as a key strategic tool for helping an institution identifyemerging risk (particularly operational risk), there are some pitfalls to avoid.

• We’ve all heard the phrase “Don’t boil the ocean” - Too many poorly defined KRIs without clear understanding of what’s actually being measured or how to act if a limit or target is exceeded
• Many institutions previous KRI efforts have failed due to poorly designed suite of indicators (manually calculated/labor intensive, bad data, not predictive, etc.)
• For a KRI to be most useful, it should be predictive and measure something of potential consequence to the institution.
• Don’t go on “auto pilot” and over rely on systems to do the work.
• A well-defined suite of KRIs can serve as an early warning indicator of potential elevated levels of risk beyond the institution’s desired risk profile.

Defining the “right” KRIs to develop and monitor

At their core, risk indicators are a powerful tool to help support the management of operational risk.

Operational Risk: The Basel II Committee defines operational risk as:

"The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.“

Defining the right KRIs begins with understanding the explicit relationship the KRI has to the specific risk exposure it’s designed to represent.

Example: Customer Complaints

• If there is an increase in the number and type of customer complaints, there is an elevated probability that there may be an increase in operational errors or mistakes occurring that are driving complaints.
• There must be a rationale in this instance to determining that adverse trends in the number of customer complaints is likely linked to increased operational risk exposures or events.

Other KRI Examples:

• Staff Turnover – If there is an increase in voluntary staff turnover, this may link to fraud risks and/or processing errors due to staffing shortages.
• Data Capture Errors – If there is an increase in data capture errors, this may link to poorly designed or inadequately controlled systems/processes.
• Incidence of Virus, Denial of Service, Phishing attacks – If there is an increase in the level of IT related incidents; this may link to IT system failures, inadequate IT processes and controls.

Consider Basel II Event Type Categories below as you develop your suite of KRIs to help ensure appropriate linkage to risk and potential loss event categories:

• Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery
• External Fraud- theft of information, hacking, identify theft, third-party theft and forgery
• Employment Practices and Workplace Safety - discrimination, workers compensation, employee health and safety
• Clients, Products, & Business Practice- market manipulation, antitrust, improper trades, product defects, fiduciary breaches, account churning
• Damage to Physical Assets - natural disasters, terrorism, vandalism
• Business Disruption & Systems Failures - utility disruptions, software failures, hardware failures
• Execution, Delivery, & Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets

“Top of the house” KRI

Strategic Objective:

• Increase quality C&I loan growth with aggregate relationship revenues above targeted threshold
• Reduce current exposure to out of footprint CRE loans

Linkage to Risk Appetite Statement:

• Category: Credit Diversification
• Limit or Tolerance: < $ per relationship; < $ in CRE out of footprint concentration

Possible KRIs:

• Total loans outstanding by relationship, product, industry, geography, number of rating downgrades, weighted average risk rating (segment by portfolios; loan type, collateral, etc.).

Line of Business (LOB) KRIs – Transactional and Process View

Unlike the “top of the house” KRIs, line of business KRIs are generally designed to provide a transactional or process view of risk (i.e., bottom up).

Top of the house View

• Non-Performing Assets
• Weighted Average Risk Rating
• Risk Rating Migrations

Transactional View

• Loans with loan policy exceptions
• Loans with DTI, LTV exceptions

From a transactional point of view, if the number of loans in the current vintage begin to show deterioration from an underwriting, loan policy compliance perspective, this may serve as an early warning indicator to loan portfolio performance issues in the future.

KRIs – Other Considerations

Other factors to consider as you embark on building out or enhancing your suite of KRIs:

• Consider the needs/requirement of various stakeholders of the institution
• As you identify/select potential KRIs, choose a balanced “suite” of risk indicators to avoid the pitfall on overreliance on a limited set of indicators.
• Determine that indicators provide a line of sight into potential root causes of the events or elevated risk levels.
• Select indicators with a relatively high probability of predicting important forward looking risks and events:
  • KRI is highly correlated with the risk being measured
  • KRI is relatively easy to measure/calculate
  • KRI measures a business impact
  • Consider “sensitivity” of the KRI and what the appropriate “limit” to monitor is
  • What happens if and when a KRI is breeched (reporting and escalation)?

A disciplined approach to KRI measurement and monitoring can accrue significant benefits to the institution by:

• Providing early warning to allow the institution the opportunity to take proactive action to address or mitigate.
• Providing a view on historical risk events, so lesson can be learned by the past.

Author: Glenn H. Hursh,  Managing Director, KPMG Financial Services Risk Consulting

Publisher: This information was taken from the Using Key Risk Indicators (KRIs) to Prevent Emerging Threats live webinar held by Lorman Education Services. For more information visit, www.lorman.com.