Essay |
Corresponding author: Gerrit Jan van den Brink ( gjvandenbrink@outlook.de ) Corresponding author: Marc Leipoldt ( marc.leipoldt@yahoo.com ) Academic editor: Oscar van Leeuwen
© 2022 Gerrit Jan van den Brink, Marc Leipoldt.
This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY-NC-ND 4.0), which permits to copy and distribute the article for non-commercial purposes, provided that the article is not altered or modified and the original author and source are credited.
Citation:
van den Brink GJ, Leipoldt M (2022) Key Risk Indicators reloaded. Maandblad voor Accountancy en Bedrijfseconomie 96(5/6): 165-171. https://doi.org/10.5117/mab.96.80730
|
Although Key Risk Indicators have been a staple for Operational Risk Management reports in financial institutions for years now, they are rarely drivers for action and their relevance is waning. The authors argue that, for Key Risk Indicators to become more relevant, they should be recast as predominantly business (first line of defence) driven and made practical rather than theoretical. After describing the current state of Key Risk Indicators and the future for such indicators in case no action is taken, an ideal situation is outlined and five recommendations are presented that serve as practical steps towards that ideal state.
Key Risk Indicators, financial Institutions, risk management, operational risk, operational resilience
Financial institutions are increasingly working under challenging conditions putting the sustainability of their business models under pressure. At the same time, regulators are increasingly focusing on the sustainability of business models. Key Risk Indicators can be a useful tool to retain a grip on existing and emerging risk levels, provided Key Risk Indicators are part and parcel of the first line management review and responsibility.
The financial sector is subject to a fast-changing business environment which requires strong risk measurement and risk management capabilities. Recent changes to the business environment that affect the risk profile of the business include:
The low interest environment is a source of fundamental changes for the financial sector. Banks are experiencing lower interest income and Insurance companies had to lower guaranteed interest rates (e.g., to 0.25% in Germany) or to drop them completely. Pension funds are struggling to meet their targets (the largest fund in the Netherlands, ABP, is currently 20% behind the desired level).
The European Banking Authority (EBA 2021a) issued Risk Dashboards indicating a weighted Return on Equity (“RoE”) for banks in the EU at its lowest point in the second quarter of 2020 at 0.5% rising to 7.4% a year later (EBA 2021a, page 16). This modest rise in RoE in European banks in 2020 is an improvement, but it is largely due to lower provisions for bad loans. Current business environment parameters, in particular COVID-19, the war in Ukraine and substantial changes required by the EU Green Deal put additional pressure on Financial Institutions (“FIs”) to better manage risk and avoid associated costs. The EBA (EBA 2021b) already requires banks to include the climate change risk in their credit underwriting and monitoring processes. These requirements provide excellent opportunities to re-imagine Key Risk Indicators (“KRIs”) to manage these topics.
Partly driven by the COVID-19 pandemic, innovations in (on-line) relationship management, new uses for Artificial Intelligence (AI) as well as other experimental technologies such as block-chain and robo-investment advice, unintended consequences and risks are emerging throughout the business processes. Certain unintended consequences, such as denying groups of people or companies banking facilities, can result in regulatory sanctions. The Dutch Central Bank (DNB 2019) has issued a note indicating their concerns and in their strategy paper (DNB 2021) this point was reinforced.
The COVID-19 pandemic led to specific supervisory guidance of the Financial Stability Institute (FSI 2021). In addition, the European Commission has issued the Digital Operational Resilience Act which comes into force in 2023. This act focuses on business continuity of operations, outsourcing management, IT-Security and IT-incident management.
Considering the rapid changes to the business environment, the stronger focus on the sustainability of the business models of FIs and the decreasing reaction window as a result of automation and digitisation, the authors believe that the concept of KRIs should be reinterpreted. KRIs must become an integral part of the business workflow and be incorporated into standard management tools. This approach will support the management of FIs to consider the changes to the risk profile of the business model and the consequently lower risk appetite which FIs can accept.
KRIs as a standard tool came on the scene as part of formalisation of Operational Risk Management (“ORM”) in the Basel II regulation, starting in 1999 (BCBS 1999). Although the first draft of Basel II (BCBS 2001) was clear on the purpose of the ORM initiatives (namely to allow for better risk management), the focus soon moved to capital calculation, the bread and butter of Basel II. A range of qualitative methods were outlined in an implementation paper that went through a few editions, currently called “Principles for the Sound Management of Operational Risk” (BCBS 2020).
KRIs were mentioned in the latest BCBS consultative document (BCBS 2020, p. 1) lamenting the inadequate implementation of the KRIs. No specific recommendations, however, were provided.
Regulation around KRIs in the insurance and pension industry does not fundamentally differ from that in banks but the regulation around KRIs is even less well defined. EIOPA published a general statement on the management of operational risks in Institutions on Occupational Retirement Provision (IORP) which is similar to KRIs as suggested by the BCBS:
“Risk limits may also be set to notify an IORP of any breach of tolerable risks. Risk tolerance can be expressed in absolute terms, e.g. ‘The IORP will not accept a delay in investing contributions that exceeds x days” (BCBS 2019, p. 5).
Another indicator for the relevance of KRIs in the insurance business can be found in publications of actuarial organisations and insurance advisors, see for example
Although the regulation has been clear about the need for KRIs for twenty years, implementation remains weak. Perhaps the increasing regulatory focus on the sustainability of businesses may serve as a reboot for KRIs. Note that, in certain areas, KRIs have never been in dispute. This applies typically to real-time systems such as system breaks, reconciliation breaks, IT-outages and other environments with instant, high frequency data updates. Much risk related data, however, is not high frequency, is not collected instantaneously, is not assessed consistently, is only loosely combined into indicators, and, more significantly, is rarely acted upon.
In this paper, we describe the current state of KRIs, the future for KRIs if no action is taken, followed by an ideal version of KRIs and, finally, five recommendations that serve as a start towards that ideal state.
A first indication of the use status of KRIs can be gleaned from official disclosures by FIs. Companies disclose risk information in reports, such as Pillar 3 Reports for banks and Solvency and Financial Condition Reports (“SFCR”) for insurance companies. It should be noted that not all FIs publish their KRI usage consistently, or at all. The overview (Table
Financial Institution | Use of key risk indicators | Source |
---|---|---|
Allianz Group | Quarterly based on top risk assessment | SFCR 2019, p. 40–41 |
Phoenix Holdings | Development and monitoring in the context of the Actuarial Function | SFCR 2020, p. 79 |
Standard Life International DAC | Identification of potential issues and snapshot of risk exposure | SFCR 2020, p. 28 |
DZ Bank Instituts- gruppe | Usage of Risk indicators mentioned | Aufsichtsrechtlicher Risikobericht 2020, p. 182 |
ABN AMRO | Part of the Risk Assessment methodology | Pillar 3 Report 2020 p. 17 |
KBC | KRI used for risk identification | Annual Report, p 58 |
Erste Bank | No reference in financial statements or website | Financial Statements 2020, Offenlegungsbericht 2020 |
Barclays | KRIs used to monitor risk appetite | Barclays PLC Pillar 3 Report 2020, p 206 |
Although many FIs have implemented KRIs in the last two decades, our experience at more than 20 FIs across all continents supports the notion that most implementations are half-hearted and not very successful. COVID-19 induced changes to work practises, as well as increasing data-driven processes reinforce the need for good risk management data. Now that staff and third parties are predominantly working from home, management cannot easily pick up on verbal and non-verbal signs and KRIs can play a more prominent role in management and decision making.
The reasons for the low success rate for KRIs to date are varied. Some of the most prominent are discussed below.
KRIs serve both operational and strategic needs which are different in nature.
Operational KRIs support direct process steering. Examples are the ageing of open nostro account items, the availability of IT-systems, loads on IT-servers, detection of intersystem breaks, cash availability in ATMs, etc. A shared characteristic of these KRIs is their continuous, near time calculation allowing rapid reactions to threshold breaches. Take the risk of a collision when parking a car. Here, the beeping sound when coming near proximate objects serves as an excellent KRI. This excellence comes from the continuous, immediate feedback, allowing instantaneous mitigating actions, thus avoiding a collision. These operational KRIs are flourishing and are not the main subject of this paper.
Strategic KRIs are supposed to alert management to changes in the risk profile. Broadly speaking, the risk profile is determined based on risk analysis, typically comprising a combination of forward-looking scenario-analyses, the history of risk events and information based on risk and control assessments. Most of all, strategic KRIs are derived from a deep understanding of process weaknesses, product complexity and environmental threats that may jeopardise business objectives. Few FIs have the ability to effectively translate heterogeneous risk data into meaningful KRIs.
KRIs are often assumed to belong to the domain of the ORM department as part of their risk framework. As a practical implication the risk function drafts a project plan, assign responsibilities and actions which business managers are expected to implement. No wonder then that business management are less than keen to adopt KRs as meaningful management information. Often, existing information such as KPIs are dressed up as KRIs although both are very different and should not be mixed up. Under such conditions, KRIs have little impact on management actions, let alone business decisions. The whole KRI programme degenerates into a compliance fig leaf and ends up wasting of time and effort, further undermining the whole concept of KRIs.
Thresholds are a key element of KRIs and are not easy to define. They are an expression of the company’s risk appetite and assume that appropriate action is taken when the risk exposure exceeds the risk appetite.
The question of what to do when thresholds are breached is rarely given much attention in (the design phase of) KRI programmes. It should be noted that the strategic risks measured by KRIs are of low frequency. It is important to note that the low frequency is not a flaw. As in the credit and market risk practice, the risks that can be characterised as (very) low frequency but unacceptable impact require close monitoring. In the realm of ORM, however, managers might not have experienced these risks. If the reaction time window and the potential effectiveness of actions is not the manager’s scope, they will be disinclined to accept the associated thresholds as relevant. If they are set too tightly, breaches will be frequent and not taken seriously. This may explain why thresholds are often set to unreasonably high levels, leading to a situation where the “traffic light is always on green”.
This point especially holds true for the strategic KRIs. Much of the data used to determine the KRI-values is manually captured, processed and interpreted. Composite KRIs are aggregated
KRIs and other data driven approaches are necessary for proper risk management but do not play a major role in practice, just as with risk and control assessments, once the novelty of the programme wears off, so does the interest in the KRI programmes wane quickly. The importance of real time observations and targeted analytics tools for ORM is discussed in
If the issues mentioned above are allowed to continue, the acceptance of strategic KRIs as an ORM instrument will suffer substantially. KRI usage is likely to decrease and organisations will reduce the effort put into strategic KRIs to a minimum or even abolish them.
After the 2008 financial crisis, regulators
The forward looking element of KRIs is crucial. The question to ask is: Does this KRI tell me anything about a change to the risk profile that requires action? For example, a KRI measuring staff overtime reflects past excess hours, but clearly reflects future issues as well too: if overtime limits are continually breached, a series of knock-on effects may be expected.
If KRIs (continue to) fail to contribute to better management, this is likely to lead to a waning interest in them. That in turn may undermine the role of risk management as an integral part of business management. Given the recent changes in the operational models in FIs due to the COVID-19 restrictions and the desire of the majority of companies to move in the direction of more remote work, it has become more important to establish a strong data driven risk monitoring framework. KRIs are an important part of such a framework.
As is clear from the previous sections, the development and implementation of a KRI programme is far from straightforward. In part, this is due to a range of practical issues, but it is also the result of a mix of expectations. There is nothing wrong with high expectations per se, and in this section we will outline what may be expected from a KRI programme in an ideal world. And although not all KRIs are created equal (note the distinction between operational and strategic KRIs), we can identify the ideal circumstances for a successful KRI programme. Five characteristics stand out.
There are three types of strategic KRI measurements:
The expectation that all KRIs are of type A has led to a simplistic approach adopting simplistic thresholds and effectively relegated KRIs to a system of simplistic gauges as if measuring risk is no more than a simple readout. The ‘well understood’ places some severe restrictions on the usual hand waving that defines many KRIs. Well understood means that the metric used operates in a simple domain where the characteristics of the process are well defined and changes can be picked up by the indicator in question.
There are plenty of risks that can be measured this way. They are typically operational gauges that are regularly used by any process owner who wants to know what is going on in their process.
However, risk management has a broader remit to include changes in the risk profile. Therefore, the risk monitoring system should be geared to detect changes in the internal and external environment affecting the risk level. Two elements are of special interest: changes in risk triggers (such as increased risk for cyber security breaches) or changes to risk exposures (such as a change in transactional volume).
KRIs of type C are a much less common sight, although a mature KRI programme should include them. A mature KRI-monitoring system requires both types.
The definition of an excellent KRI report is one that is keenly awaited, seriously studied and actively discussed and acted upon by both the business and the risk function. That this is possible is evidenced by reports that are produced in the wake of an ongoing crisis. During turbulent times, it is not uncommon to have daily and intraday updates. That is information people will appreciate. Information that is one day out, let alone one week or a month out is progressively useless. Let alone those pesky HR related KRIs that measure staff turnover since last quarter. That does not provide the ‘stop the press’ moment that KRI proponents claim to deliver.
A KRI that trails behind may still have some use provided it allows for some non-trivial action. Nobody expects a new raft of actions every day, but if KRIs are not leading to the occasional in-depth debate and action, then the efforts spent in collecting KRIs is wasted. Part of this problem lies in the design and expectations of KRIs. Too often, KRI breaches are expected to lead to immediate knee-jerk actions. That should only be expected in situations with a reasonably small reaction window. A KRI such as detecting the presence of a child on an airport baggage conveyor belt may trigger an emergency stop. But in most processes, such detection schemes are not labelled KRIs.
Having said that, in the absence of an immediate response, there is one action that is recommended for any KRI breach: “investigate”. That is really it. If KRI breaches do not lead to either an immediate and well-understood simple remediation or a formal investigation, then the KRI is not worth collecting. One implication of this is that, ideally, the set up for such investigation actions is created as part of the longside creation of the KRI itself.
Although it takes effort to set up KRIs and to prepare the ground for action in the case of breaches, by far the biggest effort is spent in collecting data on KRIs, processing it, analysing it for first order and second order changes and ultimately reporting on it. For those reasons, ideal KRIs would be routinely collected, stored and reviewed. To be sure, special situations may warrant a temporary KRI collection, e.g. for a change project or a particularly hazardous situation, such as an IPO. Here also, the collection of KRI should be part of standard data collection and analysis.
The closer the KRI information (both the collection and the analysis) is to the decision maker, the better the chances are that KRI data will be used for actual process management. If KRI data is collected and/or analysed by what is perceived as a third party (like the risk department) or on behalf of a third party (such as KRIs collected for an oversight body), the KRI is less likely to be used in the real world.
Some examples for KRIs matching the characteristics described above are:
The examples mentioned above are examples of KRIs that are directly related to operations. They are highly relevant to manage risks and signal unintended errors, internal and external fraud, problems with systems availability, cybercrime and business discontinuity. Note that monitoring and action on these KRIs is a first line responsibility. The risk management function may be involved with cross referencing the KRIs with other risk data, with aggregation and reporting on appropriate follow up.
Starting with the Basel II inclusion of KRIs in the ORM toolkit, many FIs have had a stab at formally introducing KRIs. Alongside the KRIs that always existed but weren’t called that, a smörgåsbord of indicators has emerged, some of which are useful, some of which are useless and some of which are downright misleading. The section above outlined an ideal system of KRIs. This section addresses each of the five elements of the ideal system of KRIs and suggests how to get started along each dimension.
Recommendation 1: Embellish the KRI with narrative and explain what it is good for. In addition to recording random statistics, be explicit about what the KRI measures. Note that we do not mean paraphrasing the input, but explaining the mechanism how this data helps manage a process or alert the owner to a developing situation. Here, more is more, because so often KRIs are collected without a good understanding what this particular KRI is good for.
Recommendation 2: Add ownership to the KRI. It makes a lot of sense to not only record KRI data but also to note who needs to receive this data and who has control over the process that it relates to. As a rule of thumb, if a KRI does not have an explicit owner, it is not worth recording.
Recommendation 3: Select an uncomplicated KRI. Many KRIs lead a mundane life without ever getting triggered. For the KRIs that do trigger action, nine out of ten times these actions are not spectacular. They are not unlike a timer on an oven, alerting the user of an increased risk of burning your dinner. That allows you to turn off the oven and save the day. Not everyone will equate that timer to a KRI, but it is.
Recommendation 4: Reuse existing information to create the first set of KRIs. Nobody likes to spend time collecting useless information. A good way to start a KRI programme is therefore to use what is already available and put another spin on it. That creates more buy-in than requesting staff to collect additional information on top of the MIS and process data that is readily available.
Recommendation 5: KRI programmes must be demand based. Since the best KRIs allow corrective action, are routinely collected/studied and are not complicated, the best way to get started is to ensure that the KRI programme does not run over multiple departments. Hence, the first line should be fully in charge of its KRI programme.
As outlined above, the distinction between operational and strategic KRIs is helpful to ensure focus of the various governance bodies in FI. This approach might improve the relevance for the readers and therefore keep them interested. The usage of KRIs will then be better embedded and the Boards and Risk Committees have a measurement tool to monitor the sustainability of the FI’s business models which will ease the discussions with stakeholders, including regulators.
Considering the increasing constraints facing FIs (low or zero interest rate environments, lower margins, more substantial regulation and increased reputation risk), early warning signals become more and more important to enable Boards and (senior) management to take appropriate actions.
Further enhancement to operational and strategic KRIs must support hybrid operating models, including enhanced levels of outsourcing. KRIs will function as sensors in the business to raise the alarm when (strategic) objectives are in danger or stakeholder interests are endangered.
The authors argue that the establishment of strategic KRIs requires a dedicated effort, clearly aligning the FI’s risk exposure to its risk appetite.
Dr. Gerrit Jan van den Brink RA is owner of Risk Sigma GmbH, advising on risk management, ESG and data topics. He is lecturer at various Universities and Institutes in Germany and the Netherlands.
Drs. Marc Leipoldt is Owner of Global Risk Advisory Services.
The authors want to thank the anonymous reviewers for their valuable comments and helpful recommendations.