“There is a prospect of a thrilling time ahead for you.”

Developing effective KRIs is crucial to the success of any risk management program. First, as they assist in predicting potential risk events, they are most useful, as noted above, in identifying key areas where additional controls or mitigation might be needed. For example, the risk of “financial loss due to breach of underwriting authorities” may be partially predicted by a KRI of “number of times in a month a scheduled peer review was not conducted,” or “failure to seek management approval to underwrite a class of business outside of an assigned underwriting authority.” These types of violations may call for renewed focus on the peer review process, and shoring up of management review protocols.

Second, KRIs are often associated with legal and regulatory requirements, so that monitoring and evaluating KRIs can facilitate corporate compliance efforts. For instance, insurers are frequently examined by regulators as to their market conduct practices, to ensure policy issuance and claims procedures are compliant with state law. Failure to adhere to laws can result in significant fines, fees or penalties. To this end, companies may track KRIs such as “number of customer complaints received from all sources each month, trailing over a 3-month average, above an expected average.” An increase in customer complaints over time may indicate a larger market conduct issue.

Third, they can also support strategic decision making and business development. Here, insurers may track KRIs such as “win/loss ratios” over time for the acquisition of new business, or the company's policy renewal rate and trends through specific time periods, for particular product lines. Under a more developed enterprise risk management (ERM) program, KRIs can also be mapped and compared against a company's agreed or established risk tolerances, to give managers a sense of when risk associated with a new strategy, plan or action is “too much” for the company to accept as a reasonable business activity.

In addition, KRIs are an important part of an overall “feedback loop” of information about risk that can be circulated through all levels of a company. Individual and overall corporate behavior and results can be improved significantly when all interested stakeholders are consistently provided detailed information and feedback about:

• The company's risks, and how the risk profile changes in different circumstances;
• How controls well are operating (or not);
• What losses the company has suffered (or has nearly missed); and
• How specific conduct or decisions ultimately play out their course.

Such a feedback loop can be a powerful tool for growth and change. In the process of giving and receiving continual feedback, KRIs can be tracked, acted upon in some fashion, and the results of those actions can be analyzed and re-tested over time.

Designing and Using KRIs

“Good luck is the result of good planning.”

While the benefits of KRIs are numerous, designing effective KRIs is challenging for all companies. There is no “one-size-fits-all” approach applicable to all entities. The indicators chosen by an insurer to track and monitor depends on the evaluation and mapping of a number of complex factors, including, for example:

• The current and future business and strategic goals of the company;
• The tolerance levels of senior management for risk of financial and non-financial losses;
• How risks are prioritized by the company, particularly in its overall enterprise risk management program;
• What operational flows processes are being run; and
• The historical and current data available for extraction from the insurer's systems, as a practical matter.

A major first step in this process is surveying key stakeholders, such as the designated internal risk owners, internal and external subject matter experts, customers, and employees. Legal and compliance staff can be particularly helpful, providing advice related to current and proposed laws and regulations, as well as internal policy and procedure priorities. Vendors close to the company or line of business may be able to provide useful information about what trends they are seeing and/or tracking, and may be able to suggest data links. Competitors may also be a source of information, potentially offering glimpses of trends and risks they are monitoring through published sources, including websites; public company documents filed with the SEC, such as annual statements and 10Qs; dialogues taking place on social media platforms like LinkedIn; and press releases or news articles.

Historical loss data can also be mined to suggest areas for KRIs. Although historical key performance indicators are not the same as KRIs, as noted above, KPIs can often be re-examined and turned around to formulate KRIs for looking at future developments, under the theory that “the best prophet of the future is the past.” Past losses and trends may be analyzed for direct and indirect “root causes,” which can then be tracked proactively going forward as KRIs. To this end, trade publication and loss directories are valuable resources for loss history and cause analysis.

Trade organizations dedicated to risk management also provide some help. In the U.S., for example, the Risk Management Association (RMA) helps financial services companies improve risk management efforts through its KRI Library Services, a database of potential KRIs collected to help companies “achieve a degree of consistency and standardization” and “enable KRI to be compared, analyzed, and reported at the corporate level,” as well as foster benchmarking of KRIs with peer groups. The RMA also has conducted surveys focused on the use of popular key risk indicators, including a recent survey issued in September 2011.

From a review of all available information, KRIs can be selected or designed which are most clearly linked to corporate key strategies and business objectives, or which may help validate or invalidate management decisions and actions. There are several other factors to consider when selecting appropriate KRIs to monitor, and trade-offs may need to be made between potential criteria. Important factors include whether the KRI:

• Is commonly used in the industry, based on established practices or benchmarks;
• Can be used, developed or tracked consistently across the organization;
• Is based on high-quality data and reliable sources;
• Is measurable, allowing for quantitative comparisons and business units;
• Can be tracked across time, providing opportunities for trending analysis;
• Illustrates the performance of specific risk owners;
• Shows inter-relationships and correlations amongst causes; and
• Is not too costly or time consuming to collect, in a cost/benefit analysis.

Ultimately, the KRI must be easily applied and understood by the end users, often meaning that it must be balanced in scope – not too complicated or simplistic.

“Simplicity and clarity should be the theme in your dress.”

While implementing processes to track and communicate selected KRIs, it may helpful to provide definitions and guidelines on interpreting certain KRIs. Plain data may not tell the whole story, and their significance may not always be obvious to all those who review the statistics. Also, the KRI may require notes or caveats, and any assumptions made in the collection or analysis of a piece of data should be communicated.

Finally, KRIs should be flexible, and reviewed frequently in order to respond to changes in the business market and operational environments. This includes changes to address positive, not just negative or potentially dangerous trends.

“The road to success is always under construction.”

KRI Reporting and Automation Considerations

“It's all right to have butterflies in your stomach, just get them to fly in formation.”

Communication of KRI information depends on the audience need. Departmental managers typically need a high degree of visibility into their business, and must be able to drill down or roll up information on key risk indicators. Risk owners will want a more detailed view of KRIs, often reviewing associated risks and controls that may be impacting trends. The board/senior management: overview, on the other hand, may desire a holistic dashboard view to compare KRIs across business segments. Consider developing multiple reports for various viewers.

“Out of confusion come new patterns.”

Organizing, monitoring, reviewing and communicating KRI progress can be greatly facilitated by having a centralized, automated system for the company's ERM program, with flexible reporting functionality. Through a dedicated system for tracking risk and/or ERM program information, companies may benefit from the creation of consistent KRI standards, easily capturing attributes that are required to support risk management processes over time.

These KRI “libraries” can be linked to multiple risks and controls, across multiple departments. System-based linkage of KRIs and ERM reporting with such related information as policies and procedures, losses, incidents, source legal and regulatory content, compliance control actions taken, auditing , etc. all help risk owners and senior management develop a clearer vision of the future.

Automating as much of the ERM process as possible also helps ensure that key historical and financial data is secure and reliable, and that formulas used for trending and analysis are consistent and accurate – particularly important because one small error in a spreadsheet calculation can magnify and throw of trends in metrics, leading to wrong conclusions or poor decisions.

Predicting the future is not easy, but key risk indicators, when carefully designed to reflect a company's unique profile of risks may reveal patterns and trends in workflows, processes, or the business or market environment that can impact the future.

“The wise man expects to prepare for the unexpected.”

Spend time now to develop, trend and communicate strong risk metrics, through organization and automation, to help steer strategy and behavior.

“Control your destiny or it will control you.”