Using Key Performance Indicators to Measure Risk Management Effectiveness

Key performance indicators are used to measure and monitor business strategies and business operations. Performance measurement provides information on the gaps between actual performance and targeted performance. It can be used to determine organizational effectiveness and operational efficiency. Measuring and monitoring risk management effectiveness is no different from measuring other performance. Measures are identified, expected targets or thresholds are established, and a starting point or baseline is set. Key performance indicators can take many forms:

Qualitative and quantitative indicators.

Qualitative measures are based on subjective characteristics or qualities rather than on a quantity or measured value. Quantitative measures are based on objective, quantifiable data, like percentages, counts, and ratios. The difference between qualitative and quantitative measures can be confusing, and there is often debate over which is better; however, both can be equally useful, and many times a combination of qualitative and quantitative measures can provide a more holistic picture of performance.

Leading and lagging indicators.

Leading indicators are predictive in nature, like early warning signals. They can highlight that an overall change in performance level is expected based on specific triggers that are monitored. Lagging indicators provide insights into the success or failure of an activity after it is complete.

Input, process, and output indicators.

These indicators are useful in evaluating an end-to-end process. Input indicators measure resources used in executing an activity. Process indicators measure efficiency or productivity. Output indicators measure the result of the process or activity.

In measuring risk management effectiveness, a combination of indicator types is often used. The biggest challenge in measuring performance is knowing what to measure. Performance measures that cannot be gathered and tracked on an ongoing basis, or that are too complex for business leaders to see their relevance, will not provide value. To be most effective, key performance indicators need to be defined so that they are clear, meaningful, and measurable.

When defining KPIs for ERM, ensuring that the following four characteristics are incorporated can be helpful:


Tangible performance measures, aligned with the level of risk exposure that the company deems acceptable, provide true measures of risk management effectiveness, not just milestones in a risk management plan.


Flexible performance measures that can be adjusted to changes in the organization and risk landscape.


Common performance measures used enterprise-wide that provide a view of how each business line's performance contributes to the aggregated risk exposure at the enterprise level.

Outcome or objective focused.

Performance measures that are aligned to a specific objective or desired outcome.

Exhibit 12.2 provides some examples of key performance indicators.

Exhibit 12.2 Key Performance Indicators

Examples of Key Performance Indicators

Percentage of customer attrition

Percentage of employee turnover

Profitability of customers by demographic segments

Percentage of mission-critical business processes with tested contingency plans

Current-period write-offs or fraud losses

