What is the difference between key risk indicators and key control indicators?

At a fundamental level, key performance indicators (KPIs) measure the degree to which the objective is met, while key risk indicators (KRIs) measure changes in exposure to risk. Key Control Indicators (KCIs) measure the performance of a control in reducing the causes, consequences, or likelihood of a risk. Another of the most used indicators in corporate governance are KPIs or key performance indicators. While KRI is used to indicate possible risks, KPIs measure performance.

While many organizations use them interchangeably, it is necessary to distinguish between the two. KPIs are often designed to provide a high-level overview of organizational performance. Therefore, while these metrics may not adequately provide early warning signs of a developing risk, they are important for analyzing trends and monitoring performance. Sometimes, they represent key indices that management can track as indicators of the evolution of risks and potential opportunities, indicating the need for action.

In both implementations, customers addressed their initial requirements and moved on to using the rest of the solution's capabilities, including managing the three types of indicators, KPIs, KRIs and KCIs, in a coherent and structured way. A risk specialist would first create a mathematical model that would approach the various scenarios in which fundamental causes were related to each other, precipitated risk events and affected the desired objectives. To properly balance risks and opportunities and obtain the best possible alignment between performance management and risk management, each KRI must be linked to a KPI. KRIs, independently or together with other data related to the risk environment, such as loss events, evaluation results and problems, provide significant information on the weaknesses of risk and control environments.

Because they provide useful information about the possible risks that may affect the achievements and objectives of the organization, KRIs are informative and act as catalysts for decision-making. Allocating key risks to key strategic initiatives allows management to identify the most critical metrics and monitor their performance. They monitor changes in levels of exposure to risk and contribute to generating the first warning signs that allow organizations to report risks, prevent crises and mitigate them in time. Once established, you can define thresholds (such as green, amber and red), which represent rising and descending indicators, both critical and non-critical.

As a simple example, management will be interested in all three types of information, while the risk team, the internal audit and the regulator will focus mainly on risk and control data. One of the main differences between ERM and operational risk is that ERM programs track the higher-level (or summary-level) risks that the senior leadership team and the board of directors have accumulated for consumption. Metrics of causes, consequences and risks can be tracked, and can be easily accessed by staff who study them within the organization. We strongly recommend that, if you are implementing an approach that includes KPIs, KRIs and KCIs, it's important to have a clear definition of each type and to develop an understanding of these differences within your organization.

Quantitative risk is an approach to risk management that focuses on factual and numerical data, together with mathematical models and analysis methods, to reduce bias. By integrating them, a company can measure and monitor performance and risk at the same time, as part of the same process.