Introduction
In the previous article with regard to the reporting of key risk indicators, the importance of a structured approach towards selection of KRI’s was explained. It also explained why an solid information infrastructure is a prerequisite of a reliable KRI environment. In the midst of the credit crisis it is almost a certainty that regulators in the near future will demand high quality risk reporting environments within financial institutions. An reporting environment that is complete, accurate and close to day-to-day business operations. The underlying KRI production process should be just as transparent as the produced KRI’s. Ratings agencies as well as regulators are expected to demand insight in how the reporting process is controlled just as they require external validation of the risk models in use.

Approach.

In many organizations a modern information infrastructure for KRI reporting will be missing. This doesn’t mean KRI’s cannot be reported. It does mean however that it will cost a lot of effort. It also limits the reporting to Key Risk effects only. Reporting more forward looking metrics like risk causes and control effectiveness as well as putting Key Risk effects into the right business context are simply not do-able when reports are build manually.

The following questions need to be answered before setting up KRI reporting:

1. To whom will the KRI’s be reported, the board, product owners or operational managers?

Each management reporting level does have it’s own characteristics. The first difference is the level of aggregation. The board probably only wants a specification of KRI’s aggregated at organization level “board minus one”. Sometimes also a risk type view (like country or compliance risk) or a product view is also desired. To make the information interesting, the Key Risk Effects preferably are expressed as forecasts of relative impact on personal objectives. This way the KRI report is positioned as a tool to manage personal performance contracts too.

2. What are the main objectives at each management level and how specific are these objectives?

Different management responsibilities result in different objectives, although it is a best practice to align strategic, tactical and operational objectives. The level of reporting also impacts the characteristics of the reported KRI’s. At strategic level a KRI should reflect the outcome of different scenario’s. At operational level a YTD metric combined with a year end forecast is probably more than sufficient. Finding specific objectives with owners is not that simple. Some of the required attributes could be missing. An objective should have at least

• an owner
• an end date
• objective
• upper and lower thresholds
• near real-time measurement

Referring to performance management and balanced score card approaches you find some type of objectives categorized at the different decision levels:

1. Strategic
   • Financial
   • Market share
   • Human capital
   • Shareholder value
   • Sustainability
   • Control efficiency
2. Tactical
   • Financial
   • Commercial
   • Operational excellence
   • Control efficiency
3. Operational
   • Costs
   • Excellence
   • Percentage hands free processing
   • Control efficiency

3. What Key Risk effect information is readily available that can signal impact on objectives and are the metrics and thresholds aligned with each other?

Find readily available Key Risk effect information that signal impact on one of more of the aforementioned objectives. This information is usually already available in a different context. Some example Key Risk effects are:

• General provisions
• Operational losses
• Complaints and legal claims
• Regulator fines
• Employee training budget
• Staff turnover
• Accepted risks
• Information quality
• Known high risks
• Software patch backlog
• Change management frequency

Bottom line is that metrics are used that signal a potential direct negative impact on objectives. Some of these KRI’s appear to be backward looking, but can be made forward looking using regression techniques. Ideally there is enough history information available that can be used to reliably forecast end-of-year results. The next thing that needs to be checked is if these metrics are normalized. In other words, does the information from one source match with that of another source. For example: the recording of complaints doesn’t necessarily use the same product categories as for instance the financial accounting or sales force system. Relating KRI’s to objectives is not that difficult provided some alignment is inplace. Some examples:

• Expected loss frequency impact on operational excellence.
• Expected loss amount impact on RAROC or Economic Capital.
• Expected loss amount impact on efficiency ratio.
• Expected complaint frequency impact on customer attrition.
• Expected number of risks without mitigation impact on control objectives.
• Expected internal fraud frequency impact on control objectives
• Expected change frequency impact on service availability

4. Is it possible to transfer the presented Key Risk effect information into owned actions?

For reported KRI’s it is a requirement that these KRI’s have business owners. It should be clear who is responsible for managing the KRI. KRI’s at different dimensions (organization, product, distribution channel, customer segment) can have different owners. When building a KRI reporting environment it helps to have a clear understanding how these different dimensions relate to each other. When an organization has a mature performance management environment, this should not be that difficult. In the situation this is lacking this impacts the effort needed to construct the KRI solution. Another thing that requires planning is the functionality needed after the reporting is in place. When KRI’s signal that objectives are at risk, management will demand action to address the risk. This requires people with analytical skills, high quality information and the tools to execute the analysis. In many cases it doesn’t make sense to report KRI’s when it is not possible to analyze the underlying information.

5. Is it possible to measure the quality of the Key Risk effect information and is the owner willing to provide the requested information for this purpose?

One of the first things management usually wants to know is how reliable the KRI information is. To make sure management doesn’t draw the wrong conclusions the KRI solution needs to be extended. The following quality measures should be considered:

• Try to construct groups of KRI’s which improve the interpretation of presented metrics. For instance construct a KRI group of complaints, claims and losses. These KRI’s are related and trending of the individual KRI’s in most cases should correlate.
• Extract information directly from your core systems. Think of information from systems like the General Ledger, marketing information, product specific operational data, human resource administration etc. The KRI system should not use manually corrected information. When information extracted from core systems is not reliable this is an issue that should be solved and not circumvented. It can help to get these issues on the priority list to make this visible in the KRI reporting.
• Demand that the presented information is not older than one day. This way business can respond quickly to changes in the risk profile and is also able to see quickly whether or not initiated actions have the desired effect. It forces the organization also to implement a fully automated and transparent KRI reporting solution. This reduces the risk of human error or manipulation of information and in the long term also is more cost efficient.
• Request from the information owner a statement of completeness and correctness to get insight in the quality of information. Many KRI’s use information from business supporting processes like financial accounting, complaints and claims, audit, credit and operational loss registration, human resource administration etc. This is information not validated by customers and the quality cannot not always be guaranteed.
• Ensure there is an information delivery contract which makes the information owner responsible for the timely notification of changes in the core systems. This way adjustments in the reporting environment can be planned.

Conclusion.
Creating a professional KRI reporting environment is a demanding task. The main success criteria to succeed are:

1. Alignment with performance management preferably at the individual level. This way the KRI-reporting can be positioned as a tool that supports management with managing their objectives (and bonus).
2. Top down approach with adequate and persistent backing from senior management.
3. The creation of an information value chain that extracts and processes fully automated information from multiple core systems.
4. Creative professional analysts familiar with predictive modeling and with access to the information and tooling to analyze and model.
5. Consistent and transparent risk and performance reporting at strategic, tactical and operational level to align management of priorities.