CUTTER BUSINESS TECHNOLOGY JOURNAL VOL. 32, NO. 1
In the past decade, failures in risk management have resulted in numerous catastrophes that could have been minimized, or even completely avoided, if the proper risk-monitoring mechanisms had been in place. Hence, in this article, Cutter Consortium Senior Consultant Tom Teixeira, along with his peers George Simpson and Immanuel Kemp, discusses how the use of key risk indicators to drive proactive executive behavior can reduce unnecessary risk exposure and minimize the potential for disastrous events. This discussion includes a series of steps executives should take to improve risk monitoring.
The risk landscape of the modern business environment is constantly evolving, and companies need to maintain continuous oversight to deal with the key risks that may threaten their businesses. Over the past decade, a number of high-profile corporate crises, many directly attributed to failures in risk management, have highlighted the extent of the problem and the danger confronting many organizations. Notable recent examples include the collapse of UK construction giant Carillion (with contract risk as a key driver) and the cyberattack on shipping and energy company A.P. Moller–Maersk. Corporate boards are increasingly demanding the ability to continuously monitor risk exposure, using metrics to assess, validate, and verify whether risk is increasing or decreasing.
Meanwhile, executives and other stakeholders need the ability to respond rapidly to emerging threats before they crystallize into serious financial and reputational impact. This is of particular concern to executives, such as CFOs, general counsel, and company secretaries, who in many cases are responsible for ensuring that adequate risk governance is in place. In addition, companies stand to benefit financially by reducing their total cost of risk (TCOR) through reduced insurance premiums, reduced insurance losses, and improved credit ratings. According to the “2017 Aon Risk Maturity Index Insight Report,” companies with the best risk management maturity outperformed those with the poorest maturity financially, with up to 15% better stock-price performance and up to 25% lower stock-price volatility. Studies by other organizations, including the Federation of European Risk Management Associations (FERMA), have established similar links between risk management maturity and financial performance.
This article explores some of the ways in which effective risk management approaches, in particular the use of key risk indicators (KRIs) to drive proactive executive behavior, can reduce unnecessary risk exposure and minimize the potential for catastrophic events. We discuss the current state of risk-monitoring maturity in the business world, considerations for the selection of appropriate leading and lagging KRIs and their effective implementation, and then present insight for executives on what steps to take to improve risk monitoring. While the concepts we discuss are well established, evidence shows that management teams are still consistently poor at addressing the process and technical challenges necessary to produce fully operational solutions that deliver business value.
Risk Monitoring and Proactive Correction Are Still Immature
Risk management is a growing priority for companies across all sectors, not just those in highly regulated environments. Senior leadership needs to better monitor risk to support improved decision making as well as minimize the likelihood of catastrophic events that may cripple their businesses financially and reputationally. This is not a task that individual functions, such as a dedicated risk team, can manage independently. A cross-functional approach at the executive level is required for it to be effective. Additionally, there is a growing regulatory obligation for companies to make statutory disclosures on financial viability, solvency, and liquidity in light of the key risks they face. There is also pressure exerted by more active investors demanding evidence that risk management is reducing uncertainty and volatility, while improving confidence in financial forecasts.
Shortfalls in the risk management approaches many companies currently take can leave them dangerously exposed. These companies either have no corporate-level mechanisms for monitoring and acting on risk exposure or gather potentially relevant data but fail to develop appropriate metrics to support effective monitoring, control, and timely remediation. These metrics can take the form of KRIs, which all levels of management can use to provide evidence of the effectiveness of the implemented risk management strategies. Even when companies do employ KRIs, they frequently select inappropriate ones; for example, relying too heavily on lagging indicators rather than leading indicators. Alternatively, they struggle to implement effective monitoring environments that will provide early warnings that their risk management strategies are off track, and thus do not enable timely corrective actions.
The maturity in approach can vary enormously, even though this methodology has existed for some time. Indeed, many organizations operate in the first two boxes of the simple maturity model illustrated in Figure 1. Although insufficient KRI-related maturity assessments have been conducted to develop a robust universal benchmark, our experience assessing maturity suggests that most companies, even those conforming to Fortune 500 best practices, lie toward the lower end of the maturity scale, and usually lower than assumed by senior management.
KRI selection is neither a trivial nor a simple process. Figure 2 shows the characteristics required of effective KRIs. For example, cyber risk might be monitored via 20-25 KRIs within each business unit, while only a few metrics are reported at the board level. The challenge lies in developing board-level KRIs that appropriately capture multiple business unit–level KRIs to give an overall indication of a key risk area, such as data governance or cybersecurity awareness.
The distinction between leading and lagging indicators is, in our experience, often misunderstood. A lagging indicator is a measurable outcome that informs us about what has already happened (e.g., accident rates). A leading indicator is a predictor of future outcomes (e.g., the extent of employee compliance with a company’s safety standards may correlate with future accident trends). An effective set of KRIs requires the balanced use of both leading and lagging indicators, as they have complementary characteristics (see Figure 3).
The distinction between leading and lagging indicators is not a sharp one, but rather a continuum between two extremes based on how close the indicator is to the adverse event in its chain of causation. For example, the frequency of a known precursor to an accident may be used as a risk indicator. This is a leading indicator compared with accident frequency itself, but a lagging indicator compared with compliance with safety procedures that aim to prevent both the precursor and the accident. Leading indicators must causally link to the risks they are measuring (i.e., when an indicator improves, the likelihood of an eventual outcome also improves).
Lack of Leading Indicators: The Hatfield Rail Crash
The impact of the failure to recognize appropriate leading indicators is further demonstrated in the case of the 2000 Hatfield, UK, rail crash. On 17 October 2000, a train derailed at Hatfield, Hertfordshire, UK, killing four people and injuring more than 70. The accident was caused by metal fatigue of the rails, resulting from poor maintenance oversight by the private railway infrastructure company, Railtrack. Subsequently, the company was replaced by publicly owned Network Rail. From a KRI perspective, we can observe that:
Safety improvements following previous rail accidents at Southall and Paddington had led to complacency around the potential for train accidents, making this a “black swan” event.
Railtrack had failed to recognize the causal link between track defects and a fatal derailment event.
Railtrack had not been adequately monitoring track defects, which would have served as a leading KRI for derailment risk.
The Hatfield crash could be attributed in part to failure to use appropriate KRIs, which allowed Railtrack to be caught unaware by a major accident that ended the company through financial and reputational consequences.
Another major reason why companies fail to make effective use of KRIs is that while they may select relevant and useful indicators to monitor, and in many cases already possess most of the relevant data, they fall short of implementing systems to monitor and manage them proactively. Implementation is often more of a challenge to get right than the process of identifying and selecting the correct KRIs. This is something many boards overlook in favor of simply deciding on a KRI profile and leaving it to the subdivisions of the organization to measure them and report back.
Many organizations also fail to commit to full implementation once they understand the complexities and effort required to deploy an effective monitoring environment, citing lack of resources and capital. As mentioned, most of the data required to be monitored and interpreted already exists, and organizations need to answer the questions shown in Figure 4.
Features of effective KRI implementation should therefore include the following:
Appropriate limits and monitoring for when there are breaches.
Traffic lights for assessing the severity of breaches, with differentiation between “amber” levels, which require closer monitoring, and “red” levels, for which senior leadership intervention becomes essential (see Figure 5).
A data-driven approach to determine KRI thresholds and limits, relying on actuarial data as much as possible rather than pure estimation and a “finger in the air.” Any “red” limits should represent genuinely high-probability risk (i.e., close to impacting, with significant consequences requiring immediate attention and action) so as to avoid excessively frequent alarms — a situation that tends to breed complacency toward future, more serious breaches. Where robust data is not available (e.g., for various cyber-related scenarios), judgment using subject-matter expertise remains integral in determining appropriate limits.
Effective communication processes for ensuring the right information gets to the right level of management at the right time once a limit has been breached.
Selective focus to avoid the situation where senior leadership becomes accustomed to excessive “alarms” and begins to disregard them.
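An added example, not from the original article: one way the limits, traffic lights and board-level roll-up described above could be implemented, including a check of how often a "red" limit would have fired on past data. The percentile policy (amber at the 90th, red at the 99th percentile), the sample cyber KRIs and every name in the code are assumptions made for illustration.

```python
from dataclasses import dataclass

GREEN, AMBER, RED = 0, 1, 2
LABEL = {GREEN: "green", AMBER: "amber", RED: "red"}

def percentile(history, pct):
    """Nearest-rank percentile of past readings (integer arithmetic)."""
    ordered = sorted(history)
    rank = max(1, -(-pct * len(ordered) // 100))  # ceil(pct * n / 100)
    return ordered[rank - 1]

@dataclass
class KRI:
    area: str        # board-level risk area, e.g. "cyber"
    unit: str        # business unit reporting the metric
    name: str
    history: list    # past readings; higher means more risk
    current: float
    expert_limits: tuple = None  # (amber, red) set by judgment when data is thin

    def limits(self):
        if self.expert_limits:
            return self.expert_limits
        # Assumed policy: amber at the 90th, red at the 99th percentile.
        return percentile(self.history, 90), percentile(self.history, 99)

    def status(self):
        amber, red = self.limits()
        return RED if self.current >= red else AMBER if self.current >= amber else GREEN

    def red_alarm_rate(self):
        """Share of past readings that would have fired red: a noise check."""
        red = self.limits()[1]
        return sum(x >= red for x in self.history) / len(self.history)

def board_view(kris):
    """Roll unit-level KRIs up to one worst-case status per risk area."""
    view = {}
    for k in kris:
        worst, breaches = view.get(k.area, (GREEN, []))
        s = k.status()
        if s != GREEN:
            breaches = breaches + [(k.unit, k.name, LABEL[s])]
        view[k.area] = (max(worst, s), breaches)
    return {area: (LABEL[w], b) for area, (w, b) in view.items()}

# Constructed sample data: two hypothetical cyber KRIs from two business units.
SAMPLE = [
    KRI("cyber", "retail", "unpatched critical hosts", list(range(1, 21)), 18),
    KRI("cyber", "logistics", "phishing-test click rate %", [4, 5, 6, 5, 7], 9,
        expert_limits=(5, 6)),
]
```

In the sample, the judgment-set red limit of 6 would have fired on 40% of past readings, which is the kind of over-frequent alarm the list above warns against; the data-derived limit fires on 5%.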
The following two case studies further illustrate the importance of senior management performing proper oversight.
Robust KRI Implementation: BP Texas City
On 23 March 2005, an explosion occurred at the BP-owned Texas City Refinery, killing 15 workers and injuring more than 180 others. The independent “Baker Report” identified a variety of causal factors:
BP had been effectively managing personal safety risk, employing KRIs such as accident rate. However, BP’s management of process safety risk (risk of releases, explosions, etc.) was poor, and due to overreliance on personal safety KRIs, managers were unaware of process safety risks.
BP had a poor culture of reporting risks upwards within the company, with bad news from safety audits often not reaching senior management.
Cost-cutting decisions by senior management had led to deficiencies in safety management on site, due to lack of awareness of the potential safety risk impact.
This incident illustrates the importance of ensuring causal linkage between the KRIs monitored and the risks requiring management, as well as the implications of senior management making decisions in the absence of appropriate risk information. Following the “Baker Report,” BP undertook a program of improvements to safety management across its five US refineries.
Poor Reporting Culture: Northern Rock
In 2012, the British financial services provider Northern Rock was forced to nationalize following the first run on a UK bank in over 150 years. This happened after a liquidity crisis in wholesale markets due to the large volume of mortgage defaults in the US, as 70% of Northern Rock’s funding came from these markets.
We make the following observations from this incident:
Northern Rock had failed to adequately “stress test” its business model.
A poor reporting culture was found to have been widespread, with staff tending to underreport mortgage arrears and not challenging management approaches. This poor culture would have been symptomatic of, and contributory to, shortcomings in management’s risk awareness, creating a vicious cycle of risk-blindness leading up to the event.
This case illustrates the importance of management proactively encouraging appropriate risk reporting to ensure it receives an accurate picture of risk exposure.
Capturing the Right Data
Crises such as those affecting BP and Northern Rock are, in part, unpredictable, but the risk can be managed if the right data and events are effectively captured across the organization, stored, processed, and visualized to support decision making and timely correction. To consolidate this data into a form that is usable for this purpose, management should consider using digital patterns such as event-driven architectures that:
Are designed to create insight from data that is locked into existing systems and was previously costly/very difficult to access
Are visualized through a near-real-time dashboard in a time frame that enables the management team to make a difference to the outcome
Use consumer commodity and open source technology, which can be implemented faster and significantly more cost-effectively than traditional enterprise integration approaches
Figure 6 illustrates a typical corporate arrangement that demonstrates how the complexity of a full set of company-wide data necessitates the use of a technology-based platform to process it and issue alerts as close to real time as possible.
The effective implementation and adoption of KRIs to support improved decision making and performance improvement can be an involved and complex task for any organization. In order to view risk management as an effective mechanism for achieving business objectives and delivering the overall corporate strategy, organizations should adopt a pragmatic approach that balances simplicity with innovative, technology-led solutions. Executives committed to improving risk reporting, getting better understanding of the effectiveness of controls across various operations, and addressing emerging threats early in the process should consider adopting the following steps:
Develop (or redevelop) an appropriate, balanced set of KRIs, ensuring proper alignment to the needs and strategic goals of the business, ease of measurement, and the ability to provide objective evidence of whether key exposures are being effectively dealt with on a timely basis.
Determine appropriate, data-driven limits for these KRIs. Where KRI monitoring has not been implemented previously, a simpler approach with a single limit for each KRI could be considered, with a view to developing a traffic-light system in the longer term.
Implement a proof of solution for a number of selected KRIs to demonstrate the technology solution, define the route to scale across the organization, explore adoption techniques to ensure take-up, and identify benefits resulting from the reporting output.
Be prepared to commit time and resources to the development of an effective KRI monitoring environment. Do not underestimate the scale of this task; ROI is soon achieved through reduced insurance premiums, reduced uninsured losses, reduced risk management costs, and improved credit ratings.
Consider the level of detail and format of reporting that will enable effective decision making, ensuring the inclusion of critical information while not burdening senior management with excessive detail.
Be prepared to use KRI information to inform all levels of management to ensure that these indicators are used to drive appropriate action. This should prompt timely investigation and intervention at appropriate levels when a risk limit is breached, avoiding adverse financial and reputational impact.
Organizations need a proactive approach for KRI development and implementation with clear sponsorship and commitment at the executive level in order to prevent reversion to a passive risk management approach. It should act as an enabler to drive decisive action to preemptively manage risks, reduce TCOR, improve financial performance, and provide the right level of board assurance that risk is being taken on a “controlled and informed” basis.