We have mentioned to you before how beneficial KPIs can be to you, however there are two other metrics you may or may not have heard of: KRIs and KCIs. In this edition of the Daily Dash, we will go through the definitions, differences, and the functionality of each. Let's begin with the most well known of the three, KPIs.
So if you haven't heard of these by now, we'll give a brief explanation. A KPI (Key Performance Indicator) enables a business to define its performance targets based on its goals and objectives and to monitor towards its progress achieving these targets. The main question to be asked of a KPI is: "are we maximizing levels of our performance?" In character, KPIs can either be financial or non-financial based, and either leading or lagging. They measure either qualitative or quantitative data, and display the progress (or lack of it) toward realizing the firm's objectives or strategic plans by monitoring activities which (if not properly performed) would likely cause severe losses or outright failure. Okay, so now we've defined what a KPI is, now lets look at risk.
The next indicator is KRIs, Key Risk Indicators. They monitor the company's risk profile and the rate of change that occurs. All risks are measured, and they more or less have the same functionality that a KPI has, but help us better understand the impact of risk and likelihood of getting to our overall objective. The main thing to ask when establishing a KRI, is: "how your risk profile is changing and is it within the balance level?" Some prime examples of KRIs are: risk identification; risk and control assessments; and the implementation of effective risk appetite, risk management and governance frameworks.
Finally, KCIs (Key Controls Indicators) involve defining the control environment, while monitoring the appropriate level of controls relative to desired tolerances. The role of KCIs is to ensure that adequate responses and monitoring have been provided to a risk situation identified by KRIs. Control verification is a key component of a KCI, and it typically includes auditing, quality assurance and improvement programs. Typical KCIs cover the reliability of financial reporting, number of audit issues or product quality assurance ratios.
It is unclear whether these three types of indicators each have a different emphasis and provide different management indicators to different audiences. However, one should not assume this means three times the volume of data is required; often it is not. This is because fundamentally these three different types of indicators are related and often data can be reused for different types of indicators. It would not be unusual to see data for a lagging KCI be reused for a leading KRI for example. One must be very specific about the different types of indicators used so they allow for a wide range of audiences that can be satisfied from the data set developed using Risk-based performance. As a simple example, Management will be interested in all three types of information, whereas the Risk team, Internal Audit and the Regulator will be focused primarily on the risk and controls data.