Thoughts & Musings

RBPM methodology, Risk-Based Culture Andrew J Smart

Events, dear boy, events...

Events, dear boy, events… This is a quote often attributed to former British Prime Minister Harold Macmillan, and one that will be ringing in the ears of many business and risk professionals as they watched turbulence unfold in the markets yesterday. Many will now be waking up and asking themselves what the coronavirus and this market turmoil mean for them.

Up until yesterday, the coronavirus crisis had grown relatively quickly but steadily. After a history of SARS, Swine Flu and the like, many firms would have at least a semblance of a response plan which could be used as a basis for a coronavirus response plan.

However, I wonder how many of these plans consider the implications for the firm’s business model, its ability to deliver operationally and strategically, its balance sheet, P&L etc. I wonder further how many firms have thought through the scenario where, in the face of a potential global pandemic, the world experiences an oil price shock leading to a dramatic drop in the value of listed companies worldwide and creating significant additional uncertainty going forward.

Events, dear boy, events…this reflects the times we live in and underlines why firms need to build risk-based management systems, embed risk-based decision-making within their culture and put in place the technology and data architecture to enable firms to execute operationally and strategically in these times of significant uncertainty.

Andrew J Smart

Business is Risk Management

The Donald and Kim cut short their summit.

The UK heads for a Brexit on March 29... or does it?

Venture (or should that be Vulture) funds stalking seemingly solid firms.

Competition and disruption coming from both left and right field.

Upward pressure on costs continues, as does downward pressure on sales & revenue.

Hackers are at the gate. Not sure we can hold them back much longer.

People are our greatest asset, but too often feel like our greatest source of frustration and vulnerability.

And with every day, a new regulatory change to stay abreast of.

Business is Risk. Risk is Business.

RBPM methodology Andrew J Smart

What is Risk-Based Performance Management

Risk-Based Performance Management (RBPM) is a strategic management methodology designed to enable firms to execute strategy while operating within risk appetite boundaries.

By integrating best-practice approaches to strategy setting, risk appetite, enterprise performance management and enterprise risk management, RBPM enables the board and senior management to understand, manage and control the risks facing their firms while building the capability to identify and exploit emerging opportunities to gain and maintain a competitive advantage.

“Risk-Based Performance Management reflects how we need to regulate and how we want our regulated firms to manage their businesses” Director of Supervision, De Nederlandsche Bank

The RBPM methodology is made up of seven disciplines:
1.    Set Strategy
2.    Manage Performance
3.    Manage Risk
4.    Alignment Risk-taking to Strategy
5.    Governance
6.    Communications
7.    Culture

Andrew J Smart

KPIs, KRIs & KCIs – Are they different? If so, does it really matter?

Google the terms ‘Key Performance Indicators’, ‘Key Risk Indicators’ and ‘Key Control Indicators’ and you will accumulate 13,900,000, 7,180,000 and 9,400,000 hits respectively.

Evidently there is a lot of information out there on these topics, but the two specific questions that we are often asked are – KPIs, KRIs, KCIs – are they different? And if so, does it really matter?

In our view, the answer to both these questions is YES.

These three types of indicators are used within the Risk-Based Performance Management methodology. They are related and in some cases interchangeable; however, let's start by defining each of these different indicators.

Key Performance Indicator

An indicator which enables an organisation to define its performance targets based on its goals and objectives and to monitor its progress towards achieving these targets. KPIs are used to answer the question: Are we achieving our desired levels of performance? KPIs can be financial and non-financial in nature, and leading or lagging. They can be quantitative or qualitative in nature.

Key Risk Indicator

An indicator which is used by organisations to help define their risk profile and monitor changes in that profile. KRIs are used to answer the question: How is our risk profile changing and is it within our desired tolerance levels? Like KPIs, KRIs can be financial and non-financial in nature, and leading or lagging. They can be quantitative or qualitative in nature. Where KPIs tell us if we are achieving our targets, KRIs help us to understand the changes in our risk profile and the impact and likelihood of achieving our overall objective.

Key Control Indicator

An indicator which is used by organisations to help define their controls environment and monitor levels of control relative to desired tolerances. KCIs are used to answer the question: Are our organisation’s internal controls effective? Are we ‘in control’?

Having defined each of these different types of indicators, let us return to the original questions: Are they different?

From the definitions above it is clear that these three types of indicators each have a different emphasis and provide different management indicators to different audiences. However, do not assume that three times the volume of data is required; often it is not. This is fundamentally because these three different types of indicators are interlinked (but not the same!) and often data can be reused for different types of indicators. It would not be unusual to see data for a lagging KCI being reused for a leading KRI, for example.

Does it matter? Yes, it does. Firstly, we return to the point about developing greater clarity around the management information that is generated via these indicators. By being very clear about the type of question you are trying to answer and the type of indicators you are defining, you can significantly improve the quality and clarity of the resulting management information.

Within the Risk-Based Performance Management methodology, we suggest using three different types of scorecards – a performance scorecard, a risk scorecard and a controls scorecard – with the corresponding types of indicators.

In our experience, as clients work with this methodology, the quality of the resulting scorecard (and supporting management information) increases as the number of indicators reduces to the ‘vital few’, and the quality of each set of indicators is high. This illustrates that, because of data reuse, data volumes do not multiply by three.

Additionally, being specific about the different types of indicators used allows for a wide range of audiences to be satisfied with the insights delivered from the Risk-Based Performance Management approach.

As a simple example, Management will be interested in all three types of information, whereas the Risk team, Internal Audit and the Regulator will be focused primarily on the risk and controls data.

We would strongly recommend that, if you are implementing an approach which includes KPIs, KRIs and KCIs, you have a clear definition of each type and develop an understanding of these differences within your organisation.

We have seen cases where everything is called a ‘KPI’ which leads to a lot of confusion about what the indicator means and what actions it triggers. We have also seen examples where KRIs and KCIs are used but they mean different things in different parts of the organisation, both different departments and different geographical locations. This leads to no end of confusion and time wasted.

Closing tip: Think about the questions you are trying to answer and your various audiences to determine the types of indicators you should deploy. Think about the relationships between indicators to enable data to be reused and to promote informed discussions and decision-making. Be very clear about the definitions for each of the different types of indicators and apply those definitions consistently across the organisation.
