Introduction

A reporting system of key risk indicators must provide current operational risk insight to business management. This insight enables management to control the operation in such a manner that an optimal balance is accomplished between risk effects and the measures that are taken to minimise these risk effects. A newly introduced reporting system will often result in increased risk awareness, where limited awareness was before the introduction of the reporting system.

Key risk effects

Typically businesses focus mostly on key risk effects. Examples of these key risk effects are:

• Decreasing profit/ increasing costs
• Higher required value of economic capital
• Amount of complaints the business received in a given period
• Audit findings

Reporting of key risk effects is the baseline of operational risk and should also get primary focus in a KRI reporting system. The key risk effects clarify operational results over a given period. They also provide input to any future activities that influence the key risk effect. Future activities can also be invented for the sole purpose of influencing the risk effect. Note that the influence of adequate risk reporting can be at strategic, tactical and operational level. See the following examples:

• Strategic: poor insight in risk leads to higher allocation of economical capital imposed by the regulator.
• Tactical: relatively high operational loss on a specific product, may lead to alteration or even cancellation of that product.
• Operational: an increased amount of external complaints will motivate an operational manager to increase focus on client friendliness.

To ensure all risk effects get the desired focus of management, objectives can be agreed on for these key risk effects. The nature of these objectives will differ per department. For example focus of supporting departments is on costs where sales departments focus on margins. Objectives should be included in personal performance contracts. Management must decide what to reward when defining objectives and related performance contracts. Management could reward positive results and/or negative side effects and/or indicators the results could have been better. For example a manager of a region can be rewarded for realising a target profit of 1.000.000 Euro. But should also be taken into account that the number of complaints of his customers doubled? Should be taken into account that by an operational human error caused by a bad procedure his business lost 200.000 Euro (despite the fact he still realised his profit target)?

Risk causes

When operational risk effects get the desired attention by the business, it only should be a question of time before the business will look at the operational risk department for help on how to influence these key risk effects. To handle this request, operational risk must bring KRI reporting to the next level. Operational risk needs to report on causes of key risk effects. The easy way to do this would be to work on assumptions. A logical assumption would be that the number of resources in a bank shop influences the service level and therefore the number of complaints at that bank shop. The number of resources is therefore a KRI and should be included in the reporting to management.However, is this influence actually there and if so, to what extent does it actually influence the number of complaints? What is the most efficient value of resources regarding the risk of external complaints? Another, even more complex, question would be what the influence is of the number of resources to other key risk effects? All these questions lead us to the ´hard way´ of answering the question on how to influence the key risk effects. That is by providing KRI´s that have a proven explicit statistical relationship to a key risk effect. When a clear relationship is recognised in the past, we have some reason to believe history repeats and it happens again. ´Some’ reason, since even when we can prove a relationship in the past, we often cannot guarantee it in the future. But still, history does tend to repeat itself and offering estimates is still a whole lot better than offering nothing at all. This is obviously no argument to ignore common sense. When for any reason a statistical relationship is not proven, but common sense dictates there is a relationship, it wouldn’t make sense to exclude the KRI from business reporting.

Control measures

Now the business is provided with current info on key risk effects and its causes. The business will start implementing measures using their brand new information on KRI´s. To control for example the number of available resources, management could decide to increase the number and height of bonuses to stimulate their employees to put in more hours. The key question of course will be ´does this have any effect´. Again the answers must come from statistics. We could assume using common sense that employees do put in more hours when the reward goes up, but are then accepting a very realistic risk this assumption might be completely false. The only assessments on the effectiveness on measures that have any value at all must be based on facts. Therefore the operational data on the measures must be analysed. Only when a statistical relation with a key risk effect is proven, the measure should be included in reporting to management. From that point on the measure should be maintained as an effective control measure for that particular key risk effect.

Gathering data

The described approach focuses on using statistics to prove and define relationships. This approach only works with a certain volume of facts, so it will not suit the smallest companies that do only have small volumes of operational data. For the larger companies it will only work when the company recognises the need to record a broad range of operational facts in e.g. a data warehouse. To really gain knowledge on what causes the most significant risk effects one must be prepare to start gathering data. Data must be gathered on all possible relevant domains. This without knowing and specifying exactly what information are (assumed) causes to risk effects. This approach allows analysts to think out of the box and use their statistical techniques in unexplored territories. They might just discover sales drops are influenced mostly by the weather….

Summary

To summarise, the key elements for a successful KRI implementation are:

• To increase focus on operational risk of management by including key risk effects in their performance contracts.
• The basis of reporting must be set in accurate current reporting of the key risk effects.
• As a result of statistical analysis, indicators/ causes of the key risk effects are included in reporting.
• Business management implements control measures to influence the key risk effects. Reporting must include the effectiveness of these control measures.
• Finally, to make all this possible the business must be prepared to invest in the recording of a broad range of operational data.