One question that I keep hearing is about the difference between a Key Performance Indicator (KPI) and a Key Risk Indicator (KRI). Examiners are starting to home in on this now as well, telling us it is something we want to pay attention to. In short, a KPI is a backward-looking indicator, and a KRI is a forward-looking indicator. One tracks how well you did, and the other attempts to predict where you are going. If you are just starting out in setting up risk indicators for your monitoring activities and Risk Appetite Statement, it is more important to get your monitoring tasks set up and working in a useful way than to get bogged down in the difference between backward- and forward-looking. In other words, having some monitoring program in place is better than waiting until all risk indicators are perfectly classified as forward-looking or backward-looking. That being said, it is important from a regulatory perspective, and just plain good business practice, to be able to monitor risks from both perspectives. You'll eventually want to get to this level of maturity.
The challenge I keep hearing is how to actually identify and track a risk indicator that is forward-looking. For most of us, identifying KPIs is relatively straightforward. These typically outline how well we have done a particular task by measuring the outcome. Examples include ratios of delinquent loans/total loans, delinquent loans/assets, or net charge-offs/average loans. If we approved better quality loans, these ratios would be favorable.
If we want to turn the tables and look forward, or uncover emerging risk, we have to think of what would trigger negative performance in the future. Following the lending example above, how can we attempt to predict delinquent or charged-off loans? At a high level, if we diversify our lending and keep to our sound lending policies, negative results can be reduced. So to predict emerging risk, perhaps we can track loan concentrations, underwriting trends, or Loan Policy exception rates. These are most likely monitored already, just not thought of as forward-looking, but they are in the sense that they help us predict unfavorable results (i.e., if we violate our underwriting principles, we can expect to experience delinquencies in the future).
The same can be applied in other areas. Consider information technology. It may be useful to detect emerging risk by monitoring application patch latency, # of successful and unsuccessful logons, # of viruses blocked, # of SPAM emails blocked, system usage time-of-day logins, and # of phishing attempts. The list can go on, but you get the point. I believe we all can agree that a move in these activities could very well predict that some nefarious activity is on the way.
There are obviously many more forward-looking KRIs out there. The goal here is to help you identify which is which, and possibly get you thinking about some new activities you have not monitored before.
So keep driving your risk management program, remembering to look in the rearview mirror for lessons learned, but keep your eyes out ahead of you as well. Knowing where you are going is the best way to ensure your risk management activities are aligned with strategic objectives (your road map) and that you get where you are going quickly and safely.