|
Indicator type
Description
Examples
Exposure
indicators
Monitor changes in an
organization’s exposure to one or
more risks, either in likelihood of
occurrence or potential impact
Changes of resources exposed to
risk, changes in political or
regulatory environment
Stress
indicators
Capture the stretch in
organizational resources in human
capital, equipment or IT
Rise in transactions handled per
staff, long-term vacancies in small
teams; percentage of machine time
operated at capacity limit, reduced
buffer system capacity, overdue
maintenance, missed intermediary
deadlines, etc.
Failure
indicators
KRIs derived from failing
organizational performance and/or
control weaknesses; typically
captured by a KPI or KCI
breaching their thresholds
Unconfirmed back-office
transactions, incomplete client files
(AML), incomplete due diligence
check (suppliers/staff), poor
customer services ratings
Causal
indicators
Metrics that provide information
about the causes and root causes of
key risks
Pay under market rate (for key man
risk), financial pressure (for internal
fraud), abnormal trading pattern (for
rogue trading), abnormal behavior
pattern (for all types of fraud)
of risk indicators (Table 14.1). The four categories – Exposure, Stress, Failure and
Causal – have been adopted by firms I had not even met personally and have been
reproduced in a number of publications on the topic. This section discusses these four
categories.
E x p o s u r e I n d i c a t o r s
Exposure indicators relate to the nature of the business environment and to its crit-
ical dependencies. The business environment may be volatile or stable, growing or
mature, regulated or free. Critical dependencies include main suppliers and vendors,
large clients, essential systems or key staff. Accepting a given business environment
and critical dependencies are risk appetite decisions. Next, monitoring any changes to
this accepted level of risk is part of a comprehensive KRI program. Exposure KRIs cap-
ture significant changes to the business environment or to its exposure. For example,
an increase in financial markets volatility is an appropriate KRI for errors in the back
offices of trading floors, due to the increased volumes of trades it commonly gen-
erates. Critical stakeholders monitoring is another important part of exposure KRIs.
148
RISK MONITORING
As a director of a small business I won’t tolerate a single client generating more than
50% of my turnover for longer than three months. This is a risk appetite decision about
critical exposure to key clients. Reporting of exposure KRIs can be regular or ad hoc,
depending on their nature and the type of business.
S t r e s s a n d S t r e t c h
Stretch KRIs reflect the overusage of business resources, whether human or physical.
Tiredness is a well-documented cause of accidents, mistakes and slip-ups, whether
in medical services, road safety or other areas. Many human resources departments
record the number of hours of overtime per staff member, and some organizations have
introduced overtime limits after realizing that overworked staff members make more
mistakes, damaging productivity.
Overused equipment and IT resources are likely to lead to equipment losses, down-
time or crashes. Care is therefore needed to protect the infrastructure. An example is a
messaging company that closely monitors the number of messages passing through
each of its network hubs and then reroutes messages before a hub reaches a crit-
ical threshold. Stress indicators may be reported regularly or exceptionally, when-
ever there is a significant change in the use of resources. IT resources and usage are
typically monitored continuously, with flags raised when critical points are reached
or approached.
F a i l u r e I n d i c a t o r s
Failure indicators are another name for failing performance and failing controls. Put
simply, a KPI is a performance indicator when it is green and become a KRI when
it turns amber. The same goes for control indicators. Any indicator of a key control
failure is a good potential KRI, either as formal KCI reporting, unsatisfactory control
testing or low rating on control effectiveness. Poor performance also often leads to risk
increases, leading to the common ambiguity between KPIs and KRIs. This is why many
organizations avoid confusion by calling all indicators KPI or KI (key indicators), or
KxI (x being either performance, control or risk), or simply key metrics.
C a u s a l I n d i c a t o r s
At the heart of preventive KRIs, causal indicators focus on risk drivers. They capture
the direct causes and the root causes of key risks. In practice, the three other indica-
tor categories can also be causal indicators, in the sense that they capture the causes
of events rather than the incidents themselves. Causal indicators capture the causes
of risks that have not been addressed by exposure, stress and failure. This residual
category ensures a comprehensive range of indicators.
Do'stlaringiz bilan baham: |
