This is part 4 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about key risk indicators how risk metrics can be used to help create an integrated view of your risks.
Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. This is the next in the
series of business risk videos. And today we're going to be talking about key risk indicators or risk
metrics. For the other videos, check out the links below.
So what exactly are risk metrics? They're really measurable elements, measurable evidence of risk controls as risk and controls operate, develop through the business. It's like thinking that when risk develops, it gives off puffs of smoke, red flags and we're looking out for what are those pieces of information that we can collect and get intelligence from.
What's their purpose, primarily an early warning signal. And the sooner we can get that information, the quicker we can act. And secondly, as part of that, it makes our risk management reporting information more real time.
Process of creating great risk metrics
So what are the bits of the processes around creating great metrics?
- Identify the metric
Firstly is to identify what they are. And for that we really need to understand our risks from beginning to end, from causes, events, impacts and so on. And from there start thinking what would the information be given off if that risk were to develop? If it's a key control indicator, we would be looking at what metrics can we use to measure the performance of the control.
- Identify the quality of the metric
Now the next issue is the quality of the indicator. And for that we look at things such as whether the indicator is leading, we have quite a lot of time to react when we read that indicator. Or is it lagging? Secondly, is it strong or weak in relation to the risk? And thirdly, practical things such as the ease of collection.
- Identify the type of the metric
Now there's really two types of risk indicators metric we can use. The first one is basic, a single piece of information like number of customer complaints. And the more advanced one is when we use composite indicators such as our ratio, number of customer complaints divided by the number of customers, which is a lot more powerful indicator.
- Link it to the risks
Once we've identified the type of indicator we then need to link it to the risks so we can produce that integrated cohesive view of our our risk profile.
- Set up the metric
Now, once we've identified the indicator, when you just set it up. How do we set it up to operate? We need to connect it to a business unit. We need to set thresholds from green to amber, amber to red, so we can report the indicator based on our risk appetite, green, amber and red. Periodicity, what's the frequency? How often will we be collecting the indicators? We then need to assign responsibility for a particular person collecting this information on an ongoing basis. And lastly, work flowing so people get prompted and followed up in order to put this information, if it is manual or if it's interface collecting it automatically.
- Collect information about the metric
Then we obviously need to collect that information on an ongoing basis.
And once we've got that we're now ready to report. And there's many ways we can report our metrics, but the most obvious one that I'll share with you the best in the world, I would argue, is the cockpit of an aircraft. So fundamentally we're trying to create the cockpit of the business of the organization.
See how you can create and use risk metrics to track your overall risk management efforts by learning more about what makes them great. Click below to register to our live webinar:
Other videos in this series:
- Part 1 - Solving the Problem by Integrating the Building Blocks of Risk Management
- Part 2 - Solving the Problem with Risk Taxonomies
- Part 3 - Risk and Control Self Assessment (coming soon)