1.2 Risk key performance indicators (KPIs)
Good risk review meetings often look to key performance indicators (KPIs) to help inform the debates and discussions.
There are many risk KPIs: some measure the process, some measure the result, some measure the amount (or value) at risk. Others look to be leading indicators predicting the direction of travel that a risk is likely to take. The key thing is to have a range of metrics that cover the breadth and depth of activity. Here are a few of the common areas to measure:
The amount of risk being taken | Value at risk (see Session 4); Risk profile and details of any risks out of appetite |
Change of risk level | Key risk indicators (KRIs) |
Risk treatment compared with plan | Amount of risk reduction achieved (compared to plan); Performance of controls (e.g. internal audit and other assurance findings); Timely completion of mitigation actions |
Compliance metrics | Completion of risk training; Compliance with risk management policy and other directives |
Coverage metrics | Areas of the organisation performing or not performing risk management |
Measure of incidents | Incidents (and re-occurring incidents); Health and safety performance (e.g. HPI (or fatality rates) per million working hours) |
Maturity | Is the approach to risk management comprehensive and effective? |