Google the terms ‘Key Performance Indicators’, ‘Key Risk Indicators’ and ‘Key Control Indicators’ and you will accumulate 13,900,000, 7,180,000 and 9,400,000 hits respectively. Evidently there is a lot of information out there on these topics, but the two specific questions that we are often asked are – KPIs, KRIs, KCIs – are they different? And if so, does it really matter?
As far as we are concerned, the answer to both of these questions is YES, so let’s explain why, starting by defining what we mean by each of these different indicators.
Key Performance Indicator
An indicator which enables an organisation to define its performance targets based on its goals and objectives and to monitor its progress towards achieving these targets. KPIs are used to answer the question: Are we achieving our desired levels of performance?
KPIs can be financial and non-financial in nature, and leading or lagging. They can be quantitative or qualitative in nature.
Key Risk Indicator
An indicator which is used by organisations to help define its risk profile and monitor changes in that profile. KRIs are used to answer the question: How is our risk profile changing and is it within our desired tolerance levels?
Like KPIs, KRIs can be financial and non-financial in nature, and leading or lagging. They can be quantitative or qualitative in nature. Where KPIs tell us if we are achieving our targets, KRIs help us to understand the changes in our risk profile and the impact and likelihood of achieving our overall objective. KRIs should inform discussions around the Risk Map and the setting of Impact and Likelihood levels.
Key Control Indicator
An indicator which is used by organisations to help define its controls environment and monitor levels of control relative to desired tolerances. KCIs are used to answer the question: Are our organisation’s internal controls effective? Are we ‘in control’?
Having defined each of these different types of indicators, let us return to the original questions:
Are they different?
From the definitions above it is clear that these three types of indicators each have a different emphasis and provide different management indicators to different audiences. However, do not assume that three times the volume of data is required; often it is not. This is fundamentally because these three different types of indicators are interlinked (but not the same!) and often data can be reused for different types of indicators. It would not be unusual to see data for a lagging KCI being reused for a leading KRI, for example.
Does it matter?
Yes, it does. Firstly, we return to the point about developing greater clarity around the management information that is generated via these indicators. By being very clear about the type of question you are trying to answer and the type of indicators you are defining, you can significantly improve the quality and clarity of the resulting management information. The Risk-Based Performance Management methodology suggests using three different types of scorecards – a performance scorecard, a risk scorecard and a controls scorecard – with the corresponding types of indicators. In our experience, as clients work with this methodology, the quality of the resulting scorecard (and MI) increases as the number of indicators generally reduces to the ‘vital few’, and the quality of each set of indicators is high. This illustrates that, because of data reuse, data volumes do not multiply three.
Additionally, being specific about the different types of indicators used allows for a wide range of audiences to be satisfied with the data set developed using Risk-Based Performance Management. As a simple example, Management will be interested in all three types of information, whereas the Risk team, Internal Audit and the Regulator will be focused primarily on the risk and controls data.
We would strongly recommend that if you are implementing an approach which includes KPIs, KRIs and KCIs it is important to have a clear definition of each type and develop understanding of these differences within your organisation. We have seen cases where everything is called a ‘KPI’ which leads to a lot of confusion about what the indicator means and what actions it triggers. We have also seen examples where KRIs and KCIs are used but they mean different things in different parts of the organisation, both different departments and different geographical locations. This leads to no end of confusion and time wasted.
- Think about the questions you are trying to answer and your various audiences to determine the types of indicators you should deploy.
- Think about the relationships between indicators to enable data to be reused and to promote informed discussions about indicators.
- Be very clear about the definitions for each of the different types of indicators.
- Apply the definitions consistently across the organisation.
How does StratexPoint support each of these 3 indicator types?
StratexPoint fully supports each of the three different indicator types, KPIs, KRIs and KCIs, at both a strategic level (Objectives have KPIs, Risks related to the Objective have KRIs and Controls related to the Risks have KCIs) and Operational level when Processes, Initiatives, Systems, People & Roles and Assets all have KPIs and each of these operational enablers have a supporting Risk/KRI and Control/KCI structure available.
Typically, clients who have deployed StratexPoint prioritise their business needs and deploy in a modular way, working through their specific priorities. For example, a recent client stated that they wanted to roll out an ERM framework but within that, their highest priority was implementing an information risk framework so we started the implementation by identifying Information Assets and defining a risk framework for each asset. Another client’s priority was operational risk, and particularly the end-to-end mortgage administration process across their branch network. In this implementation we started by using the process framework within the StratexPoint solution. In both deployments, the clients have addressed their initial requirement and have moved to utilising the rest of the solution’s capabilities, including managing the three indicator types, KPIs, KRIs and KCIs in a coherent and structured way.
Do not hesitate to get in touch if you would like further details on KPIs, KRIs and KRIs, or to talk to one of our team.
To find out more about StratexPoint, visit http://www.ascendore.com/stratexpoint