How to Develop Effective Key Risk Indicators + Best Practices for 2023
41% of organizations have experienced three or more critical risk events in the last 12 months, according to Forrester’s State of Risk Management 2022 report.
With enterprise risk on the rise, enterprise risk management (ERM) is more important than ever. Developing key risk indicators, or KRIs, can strengthen ERM.
KRIs track the potential occurrence of certain risk events. When triggered, they can alert management and other stakeholders to a potential threat that would have a significant impact on business operations, such as falling out of compliance with security frameworks like SOC 2.®
Ready to learn more? Below we dig into the basics of KRIs, how to establish them, and tips for maintaining KRIs over time.
What are key risk indicators?
Key risk indicators (KRIs) are a way to proactively measure risks that a business may face. They serve as early warning signs of upcoming crises, which can provide an organization’s management team time to create an action plan to mitigate that risk’s potential impact or prevent it from occurring.
KRIs are also tied to risk appetite, which sets a threshold for the level of risk exposure that a business will take on to achieve its objectives. KRIs can alert leadership of any upcoming threats that might exceed that threshold.
KRIs aren’t meant to track every specific risk that your company may face. Instead, they’re meant to track the most important types of risks that could put your business’s primary objectives and priorities in jeopardy.
Key performance indicators vs key risk indicators
Both key risk indicators and key performance indicators (KPIs) are metrics that help businesses make informed decisions and accurately plan for the future. However, KRIs and KPIs differ in what they measure. Let’s take a closer look at these two metrics below.
Key performance indicators
KPIs are used to measure the company’s performance against a goal or objective over a period of time. They can be used to look toward the future or back on the past, depending on the type.
- Leading KPIs evaluate outcomes of certain actions and processes to indicate a company’s progress toward achieving its business goals. Examples include customer satisfaction and percent growth in new markets.
- Lagging KPIs evaluate outputs of past actions and processes, like product launches and events, to determine whether the company achieved its goals. Examples include annual revenue and growth in annual sales.
Key risk indicators
KRIs are used to indicate potential risks that may affect the company’s ability to achieve its core objectives. KRIs can help a company meet its KPIs by reducing significant risks that can jeopardize business operations and growth initiatives.
For example, if a company establishes a KPI to measure IT system performance, then a complementary KRI might measure the number of system backup failures or critical incidents. If either of these KRIs exceeded its threshold, then stakeholders could be alerted and have time to mitigate the risk before the IT system performance was impacted.
Challenges of developing key risk indicators
While KRIs boast a wide range of benefits that include the ability to proactively address an organization's risks, businesses also face a range of challenges when it comes to setting and tracking KRIs.
In a recent poll conducted during a webinar by the CEOs of Nymro Clinical Consulting Services and Cyntegrity, 22% of business leaders said that finding the right method to calculate KRIs is their top challenge.
Other common challenges businesses face when utilizing KRIs include:
- A failure to incorporate KPIs with KRIs
- Inefficient tracking of KRIs due to lack of resources or tools such as automation
- Trouble accessing objective qualitative data to identify risk trends
- Not associating actions with risk thresholds
How to develop KRIs
Before your business can begin benefiting from KRIs, you’ll need to do a bit of prep work. We walk through the steps for KRI design below.
1. Understand your key objectives
A KRI is a metric for tracking the potential occurrence of certain risk events that will have an adverse effect on your company’s objectives.
So before you can begin developing effective KRIs, it’s essential that you understand your company’s most important objectives. For example, one core objective might be to increase profits by increasing revenues and decreasing costs. There are several risks you may map to this core objective, like economic downturns or operational inefficiencies.
2. Identify priority risks
The risks that pose the biggest threat to your business objectives— with a high probability of occurring and a potentially damaging outcome — are the kind you’re looking to include when you establish KRIs.
Here are a few ways to identify relevant risks:
- Conduct a risk assessment to identify the risks that will cause the biggest impacts to your overall objectives and goals.
- Review your risk register to tip you off to certain risks that are subject to swift changes in risk level, indicating that they could benefit from the early warning of a KRI.
- Keep your core business objectives at the forefront as you design your KRIs, which will help you prioritize the most important risks.
- Consider risks that fall above or below your risk appetite threshold, as they will likely need additional oversight.
- Conduct an internal audit to assess your internal controls against a framework as you prepare towards audit readiness.
3. Select KRIs
There are two primary methods for choosing KRIs: top-down and bottom-up approaches.
- Top-down approach: Senior leadership selects KRIs for the entire organization. This approach can be helpful in aligning with strategic KPIs and can help the organization’s understanding of risk impact and how it can affect business objectives.
- Bottom-up approach: Business units across the organization select and monitor KRIs that map to their operational processes. The bottom-up approach ensures risks are tracked on a more granular level and fosters buy-in from departments.
Whether you opt for a top-down or a bottom-up approach, after top-priority risks have been identified you can begin to design KRIs. For initial KRIs, it can be helpful to start small with two or three indicators for your top risks.
When setting up KRIs, keep things simple by focusing on your priority risks. Include relevant subject matter experts from your organization to help identify a few key indicators that will help you properly track risks.
Remember that key traits of a good KRI are:
- Measurable: KRIs are quantifiable by percentages, numbers, etc.
- Predictive: KRIs can be used as an early warning system.
- Informative: KRIs are used to shape decision-making.
- Comparable: KRIs can be benchmarked internally and to industry standards.
4. Set thresholds for KRIs
Once you’ve identified KRIs, set upper and lower tolerance values to track against each risk. Any time a risk moves beyond these thresholds of acceptance, you should alert key stakeholders and assign follow-up tasks to mitigate that risk.
These tolerance values can be changed as data is captured, so don’t spend too much time perfecting them in the beginning. To start, you can use industry norms or internal criteria to set them and ensure they’re approved by your board of directors or other key leadership.
When you’re confident in the data being collected from your initial indicators, you can expand the KRI program into different business departments.
5. Maintain KRIs over time
Once KRIs are in place, they need to be monitored and tracked regularly, whether in real time or with a quarterly check-in.
Automation can help simplify this process, but you may also want to consider appointing key individuals to manually track certain indicators that make sense for your organization.
Additionally, you can use the first few data-gathering periods as a way to check if your risk threshold settings are correct. This will help ensure that future alerts are configured correctly and prevent false alarms.
It’s important to document and report all risk occurrences related to your KRIs. This should include a formal process for alerting key leadership when indicator tolerance levels are high.
Key risk indicator examples
While you can map KRIs to any aspect of your business, common KRI types include operational, financial, technological, and people-related indicators.
Operational KRIs are closely related to operational risk.
- Process inefficiencies
- Internal failures
- Leadership changes
Financial KRIs are commonly used by banks and CPA firms.
- Economic downturn
- Regulatory changes
- Budget changes
Technological KRIs are used by businesses across industries.
- System failures
- Data breach incidents
- Regulatory changes
These KRIs are often used by human resource departments or companies that handle staffing and recruitment.
- High turnover
- Low employee satisfaction
- Low recruiting conversion
Cybersecurity key risk indicators can be used by any company to measure, monitor, and manage their cybersecurity risk. Cybersecurity risk relates to the loss of confidentiality, integrity, or availability of information, data, or information (or control) systems as a result of digital attacks.
- Number of cyber incidents
- Number of exposed data records
- Cyber incident response times
Information security KRIs
Information security KRIs can be used by any company to measure, monitor, and manage their InfoSec risk. InfoSec risk is the risk to organizational operations, organizational assets, and individuals due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.
- Failed login requests
- Percentage of systems in use that are no longer supported
- Increase in attacks on firewall
Anti-money laundering key risk indicators are commonly used by financial and other regulated institutions to help them comply with AML and anti terrorist financing legislation.
- Size of the business
- Number of transactions
- Types of products and services sold to customers
- Customer type
Key risk indicator template
KRIs are an important operational risk management tool for risk identification and risk mitigation. Now that you understand how to develop key risk indicators, it’s time to map out your own set of KRIs. We created this simple KRI template to help you think through your company’s risks.
What is a KRI?
A KRI stands for key risk indicator. These indicators are used to measure an organization's performance against their defined risk appetite and risk tolerance. For example, they can validate that the organization is operating within its defined risk appetite or demonstrate where risk tolerances have been exceeded so that organizations can proactively address risks.
What are key risk indicators examples?
Examples of key risk indicators are number of data breach incidents, cyber incident response times, percentage of systems in use that are no longer supported, network traffic surges, or statistical deviations from normal user behavior.
What is difference between KPI and KRI?
A key performance indicator (KPI) is used to measure a company’s performance against a goal or objective over a period of time, whereas a key risk indicator (KRI) is used to indicate potential risks that may affect the company’s ability to achieve its core objectives.
What are key risk indicators for employees?
Key risk indicators for employees are often used by human resource departments or companies that handle staffing and recruitment. Examples include total turnover rate, retention rate per manager, employee satisfaction (could be an NPS score), number of applicants per job, and offer acceptance rate.
Helping your company better prepare for the future with KRIs
Establishing KRIs is an important aspect of any enterprise risk management strategy.
Key risk indicators are an invaluable tool for forward-thinking businesses to manage upcoming threats and act swiftly to mitigate potential harm.
KRI implementation is just one of the approaches for baking risk prevention into your business. We’ve created a visual guide to inspire your business to adopt a more risk-minded cybersecurity approach.
SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA® Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.