Meaningful Metrics: Measuring Enterprise Risk Management Performance
Steven Minsky | September 5, 2018
To run an effective ERM program, you need the right metrics.
Risk professionals today are facing an unprecedented level of scrutiny. Risk managers are not only responsible for protecting and securing their organizations, they also have to provide evidence that their risk management programs are actually effective at managing risk.
At the very minimum, risk managers must prove they are meeting the expectations of not only regulators, examiners, and their board of directors, but also their customers, investors, fellow employees, and communities.
In the era of the see-through economy, the rapid advancement and proliferation of technologies like social media have left companies with nowhere to hide. We’re living in an age of transparency where the public is empowered to impact a company’s reputation.
Without meaningful metrics, the value of the company’s ERM program, or the degree to which previously unidentified risks have been mitigated, is unlikely to be demonstrated.
3 Things Make Risk Metric Collection Difficult
- Unavailable data that’s very expensive to gather creates inefficiencies for risk teams.
- It’s unclear who is responsible for metrics collection and reporting.
- There can be an unequal focus on lagging and leading indicators.
Many risk managers don’t collect the metrics they need and don’t allocate responsibility for information collection and reporting. As a result, risk management teams find themselves drowning in a sea of data they are unable to efficiently analyze.
KRIs and KPIs
Most often, the metrics used to evaluate business performance are identified as Key Risk Indicators (KRIs) or Key Performance Indicators (KPIs). At a high level, both KRIs and KPIs are quantifiable ways to measure the downsides and upsides of risk for an organization.
KRIs are metrics which evaluate and measure the efficiency of an organization’s risk management program. KPIs are metrics which evaluate the components of a business deemed crucial for its success, revealing how consistently the company achieves key business objectives.
By analyzing KRIs and KPIs in concert, and over an extended period of time, you will be able to show actual or probable deviations from a given standard or goal. With these risk metrics, you can improve your company’s understanding of just how likely achieving its strategic objectives is going to be.
The most important characteristics of both KRIs and KPIs are that they are measurable, comparable, and reportable.
4 Key Risk Management Metrics
An enterprise risk management program should identify gaps across the organization, and it should also include processes and methodologies that quantify and measure the value of the ERM program. Four crucial risk management metrics are:
The number of systemic risks identified: Systemic risk identification detects upstream and downstream dependencies across all levels and business areas of an organization. Additionally, this metric will identify areas that would benefit from centralized controls, which would eliminate the extra work and investment of maintaining separate activity level controls, thereby increasing organizational efficiency.
The percentage of process areas involved in risk assessments: ERM is inherently cross-functional and cannot be performed in silos. Risk, much like a business, is the sum of its parts. An incident or risk event in one area of the business will affect other areas within the business.
Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk information. As more process owners become involved in risk assessments, more accurate and forward-looking information is likely to be collected.
The percentage of key risks monitored: Organizations need a more holistic understanding of how the business metrics they rely on daily are tied to risk. If a risk or activity changes, organizations have no way of knowing if and how the change will impact their metrics. Through risk assessments and linking risks to activities, organizations can start prioritizing the activities that are most in need of monitoring.
Regular risk assessments enable the detection of increased threat levels and potentially emerging risks before they materialize. Following this process will prevent business metrics from being pushed out of tolerance.
The percentage of key risks mitigated: Here, transparency is key. While having a good sense of your overall risk coverage is important, it’s not nearly as valuable as understanding the coverage of your organization’s key risks. All risk assessments should be based on standardized criteria, so you can determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes.
This will help to prioritize resources, allocating them to risks in need of stronger coverage and reducing inefficiencies that come from wasting resources on low-impact risks. With a tolerance level, this gap analysis will also serve to identify emerging risks as they rise out of tolerance, indicating that current mitigation activities are no longer sufficient.
By tracking these metrics, organizations are able to more effectively mitigate existing risks and detect emerging risks long before they are able to have a detrimental impact on the organization.
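As an added illustration (not code from the article or from RIMS), the four metrics and the tolerance gap analysis computed over a small constructed risk register in Python. The 1-25 assessment index (likelihood times impact), the cut level of 12, and the rules that a risk is "key" when its inherent index meets the cut level and "mitigated" when its residual index falls below it are assumptions made for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    name: str
    owner_area: str            # process area whose owner assessed it
    affected_areas: frozenset  # areas it touches upstream/downstream
    inherent: int              # likelihood x impact before controls (1-25, assumed scale)
    residual: int              # likelihood x impact after controls
    monitored: bool

def _pct(part, whole):
    return round(100 * len(part) / len(whole), 1) if whole else 0.0

def erm_metrics(risks, all_areas, cut_level):
    """The article's four metrics for one assessment round."""
    systemic = [r for r in risks if len(r.affected_areas) > 1]   # spans several areas
    assessed_areas = {r.owner_area for r in risks}
    key = [r for r in risks if r.inherent >= cut_level]
    monitored = [r for r in key if r.monitored]
    mitigated = [r for r in key if r.residual < cut_level]
    return {
        "systemic_risks_identified": len(systemic),
        "pct_process_areas_assessed": _pct(assessed_areas, all_areas),
        "pct_key_risks_monitored": _pct(monitored, key),
        "pct_key_risks_mitigated": _pct(mitigated, key),
    }

def out_of_tolerance(previous, current, cut_level):
    """Gap analysis: risks whose residual index rose out of tolerance since
    the previous round, meaning current mitigation is no longer sufficient."""
    before = {r.name: r.residual for r in previous}
    return sorted(r.name for r in current
                  if r.residual >= cut_level and before.get(r.name, 0) < cut_level)

# Constructed sample register (not real data); a cut level of 12 is assumed.
ALL_AREAS = frozenset({"Finance", "IT", "HR", "Operations"})
CUT_LEVEL = 12
ROUND_1 = [
    Risk("Vendor outage", "IT", frozenset({"IT", "Operations", "Finance"}), 20, 8, True),
    Risk("Payroll error", "HR", frozenset({"HR"}), 9, 6, False),
    Risk("Fraud in AP", "Finance", frozenset({"Finance", "Operations"}), 16, 10, True),
    Risk("Key-person loss", "Operations", frozenset({"Operations"}), 15, 15, False),
]
# Next quarter: the vendor control degraded; the key-person risk gained a control.
ROUND_2 = [replace(ROUND_1[0], residual=14), ROUND_1[1], ROUND_1[2],
           replace(ROUND_1[3], residual=9, monitored=True)]
```

Run `erm_metrics` on each round to trend the four metrics, and `out_of_tolerance` between rounds to surface only the risks that newly crossed the cut level, not those already known to be out of tolerance.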
You can assess the strength of your own ERM program and create a roadmap for improving performance today with the free RIMS Risk Maturity Model (RMM).
The RMM uses the metrics referenced above to produce the data needed to measure the effectiveness of your risk management program. It is best practice for process owners throughout organizations to complete over half of the RMM standards so that these metrics can be automatically aggregated into a single report suitable for presenting to the board.