Corresponding authors: Gerrit Jan van den Brink (
Academic editor: Oscar van Leeuwen
Although Key Risk Indicators have been a staple for Operational Risk Management reports in financial institutions for years now, they are rarely drivers for action and their relevance is waning. The authors argue that, for Key Risk Indicators to become more relevant, they should be recast as predominantly business (first line of defence) driven and made practical rather than theoretical. After describing the current state of Key Risk Indicators and the future for such indicators in case no action is taken, an ideal situation is outlined and five recommendations are presented that serve as practical steps towards that ideal state.
Financial institutions are increasingly working under challenging conditions that put the sustainability of their business models under pressure. At the same time, regulators are increasingly focusing on the sustainability of business models. Key Risk Indicators can be a useful tool to retain a grip on existing and emerging risk levels, provided Key Risk Indicators are part and parcel of the first line management review and responsibility.
The financial sector is subject to a fast-changing business environment which requires strong risk measurement and risk management capabilities. Recent changes to the business environment that affect the risk profile of the business include:
The low-interest environment is a source of fundamental changes for the financial sector. Banks are experiencing lower interest income, and insurance companies have had to lower guaranteed interest rates (e.g., to 0.25% in Germany) or drop them completely. Pension funds are struggling to meet their targets (the largest fund in the Netherlands, ABP, is currently 20% behind the desired level).
The European Banking Authority (EBA 2021a) issued Risk Dashboards indicating a weighted Return on Equity (“
Partly driven by the COVID-19 pandemic, innovations in (on-line) relationship management, new uses for Artificial Intelligence (
The COVID-19 pandemic led to specific supervisory guidance of the Financial Stability Institute (FSI 2021). In addition, the European Commission has issued the Digital Operational Resilience Act which comes into force in 2023. This act focuses on business continuity of operations, outsourcing management, IT-Security and IT-incident management.
Considering the rapid changes to the business environment, the stronger focus on the sustainability of the business models of
Regulation around
“
Another indicator for the relevance of
Although the regulation has been clear about the need for
In this paper, we describe the current state of
A first indication of the use status of
Overview of use of KRIs in selected
Financial Institution | Use of key risk indicators | Source |
---|---|---|
Allianz Group | Quarterly based on top risk assessment | |
Phoenix Holdings | Development and monitoring in the context of the Actuarial Function | |
Standard Life International DAC | Identification of potential issues and snapshot of risk exposure | |
DZ Bank Institutsgruppe | Usage of Risk indicators mentioned | Aufsichtsrechtlicher Risikobericht 2020, p. 182 |
ABN AMRO | Part of the Risk Assessment methodology | Pillar 3 Report 2020 p. 17 |
KBC | KRI used for risk identification | Annual Report, p 58 |
Erste Bank | No reference in financial statements or website | Financial Statements 2020, Offenlegungsbericht 2020 |
Barclays | | Barclays PLC Pillar 3 Report 2020, p 206 |
Although many
The reasons for the low success rate for
Thresholds are a key element of
The question of what to do when thresholds are breached is rarely given much attention in (the design phase of) KRI programmes. It should be noted that the strategic risks measured by
This point especially holds true for the strategic
If the issues mentioned above are allowed to continue, the acceptance of strategic
After the 2008 financial crisis, regulators
The forward looking element of
If
As is clear from the previous sections, the development and implementation of a KRI programme is far from straightforward. In part, this is due to a range of practical issues, but it is also the result of a mix of expectations. There is nothing wrong with high expectations per se, and in this section we will outline what may be expected from a KRI programme in an ideal world. And although not all
There are three types of strategic KRI measurements:
A. KRIs that measure the level of a well understood risk
B. KRIs that measure the change in the level of a well understood risk
C. Composite KRIs (combining several type A and type B KRIs)
The expectation that all
There are plenty of risks that can be measured this way. They are typically operational gauges that are regularly used by any process owner who wants to know what is going on in their process.
However, risk management has a broader remit to include changes in the risk profile. Therefore, the risk monitoring system should be geared to detect changes in the internal and external environment affecting the risk level. Two elements are of special interest: changes in risk triggers (such as increased risk for cyber security breaches) or changes to risk exposures (such as a change in transactional volume).
An excellent KRI report is one that is keenly awaited, seriously studied, actively discussed and acted upon by both the business and the risk function. That this is possible is evidenced by reports that are produced in the wake of an ongoing crisis. During turbulent times, it is not uncommon to have daily and intraday updates. That is information people will appreciate. Information that is one day out, let alone one week or a month out, is increasingly useless. Let alone those pesky HR related
A KRI that trails behind may still have some use provided it allows for some non-trivial action. Nobody expects a new raft of actions every day, but if
Having said that, in the absence of an immediate response, there is one action that is recommended for any KRI breach: “investigate”. That is really it. If KRI breaches do not lead to either an immediate and well-understood simple remediation or a formal investigation, then the KRI is not worth collecting. One implication of this is that, ideally, the set-up for such investigation actions is created alongside the KRI itself.
Although it takes effort to set up
The closer the KRI information (both the collection and the analysis) is to the decision maker, the better the chances are that KRI data will be used for actual process management. If KRI data is collected and/or analysed by what is perceived as a third party (like the risk department) or on behalf of a third party (such as
Some examples for
KRIs related to suspense accounts:
Amount related to open items in suspense accounts and the first order difference with the previous reporting period;
The number of suspense accounts and the first order derivative with the previous reporting period.
IT-operations KRIs:
Freely available disk space and the first order derivative with the previous reporting period;
Number of security patches to be deployed;
Number of performance patches to be deployed;
A selection of alerts from Network traffic monitoring tools.
The examples mentioned above are examples of
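The IT-operations and suspense-account indicators listed above can be rated mechanically once each has an owner and thresholds. The following sketch is an added example, not taken from the paper: it rates a level KRI and a first-order-difference KRI, assigns "investigate" to the owner on any breach, and aggregates over status only, as the paper's note on ordinal scales requires. All thresholds, owner names and readings are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Status(IntEnum):
    """Ordinal scale: the order is meaningful, the distances are not."""
    GREEN = 0
    AMBER = 1
    RED = 2


@dataclass(frozen=True)
class KRI:
    name: str
    owner: str                 # a KRI without an explicit owner is rejected
    amber: float               # thresholds here are constructed sample values
    red: float
    on_change: bool = False    # False: level of the risk; True: first-order difference
    higher_is_worse: bool = True


def evaluate(kri: KRI, series: list[float]) -> Status:
    """Rate the latest reporting period of one KRI."""
    if not kri.owner.strip():
        raise ValueError(f"{kri.name}: no owner, not worth recording")
    if len(series) < (2 if kri.on_change else 1):
        raise ValueError(f"{kri.name}: not enough reporting periods")
    value = series[-1] - series[-2] if kri.on_change else series[-1]
    sign = 1 if kri.higher_is_worse else -1   # flip so that larger always means worse
    if sign * value >= sign * kri.red:
        return Status.RED
    if sign * value >= sign * kri.amber:
        return Status.AMBER
    return Status.GREEN


def report(readings: list[tuple[KRI, list[float]]]):
    """Return (composite status, investigations), aggregating on status only."""
    rated = [(kri, evaluate(kri, series)) for kri, series in readings]
    composite = max((s for _, s in rated), default=Status.GREEN)
    investigate = [(k.name, k.owner, s.name) for k, s in rated if s is not Status.GREEN]
    return composite, investigate


# Constructed sample data: three reporting periods per KRI, oldest first.
SAMPLE = [
    (KRI("free disk space (GB)", "IT operations", 200, 100, higher_is_worse=False), [420, 400, 310]),
    (KRI("free disk space change (GB)", "IT operations", -25, -50, on_change=True, higher_is_worse=False), [420, 400, 310]),
    (KRI("security patches to deploy", "IT operations", 10, 20), [4, 6, 13]),
    (KRI("open suspense items (EUR)", "Finance operations", 2e6, 5e6), [1.2e6, 1.1e6, 1.15e6]),
]
```

On the sample readings the disk-space level is still green while its period-on-period change is red, which is the case a level-only indicator misses.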
Starting with the Basel II inclusion of
Recommendation 1: Embellish the KRI with narrative and explain what it is good for. In addition to recording random statistics, be explicit about what the KRI measures. Note that we do not mean paraphrasing the input, but explaining the mechanism by which this data helps manage a process or alert the owner to a developing situation. Here, more is more, because so often
Recommendation 2: Add ownership to the KRI. It makes a lot of sense to not only record KRI data but also to note who needs to receive this data and who has control over the process that it relates to. As a rule of thumb, if a KRI does not have an explicit owner, it is not worth recording.
Recommendation 3: Select an uncomplicated KRI. Many
Recommendation 4: Reuse existing information to create the first set of
Recommendation 5: KRI programmes must be demand based. Since the best
As outlined above, the distinction between operational and strategic
Considering the increasing constraints facing
Further enhancement to operational and strategic
The authors argue that the establishment of strategic
The authors want to thank the anonymous reviewers for their valuable comments and helpful recommendations.
Readers who would like references to academic papers, or at least a seminal article regarding KRI literature, will be disappointed. No such corpus exists. The Institute of Operational Risk provides a decent overview of the theory and practice of KRIs (IOR 2010). Scattered references are made in various publications about the importance of KRIs, but they rarely exceed a few pages of examples.
Aggregation of KRIs is regularly promoted by various scorecard-like risk management systems. Due attention needs to be paid to the various scales on which KRIs are measured. Aggregation is therefore often only allowed over the status (e.g. red - amber - green zone), as the various values can only be aggregated according to the lowest scale, which is the ordinal scale in most circumstances.
E.g. ECB 2018 (see https://www.bankingsupervision.europa.eu/press/pr/date/2018/html/ssm.pr180918/ssm.pr180918_FAQ.en.html).