Five Keys to Using Operational Risk Metrics

Dawn Ward , Susan Palm


April 1, 2015

operational risk metrics

Most financial institutions have now built their enterprise risk management programs and are conducting qualitative risk assessments at least annually. As they progress in their risk management journey, firms are starting to realize the value of capturing data that can be included in their risk assessments.

“Big data” is now a buzz-phrase, but with good reason. Big data presents big opportunities for organizations to leverage internal and external information to develop a stronger data-driven operational risk management program. Once the organization has a good handle on how to manage its big data, it becomes imperative to extract and contextualize the data, and engage the right stakeholders from across the organization to discuss and define the right operational risk metrics.

When properly pieced together, metrics can be used to track a company’s performance, and the effectiveness of its strategy execution. Fortunately, with more metrics and big data than ever before come more opportunities to glean insights into an organization and its operations.

As the volume of enterprise data increases, the process of collecting, measuring and reporting becomes more challenging. It is essential, therefore, for organizations to determine which data and which metrics are most important to the enterprise and best aligned with supporting business strategies. Too much data, too many metrics or the wrong metrics can all lead an organization to miss important trends.

The following operational risk management best practices from risk executives from leading U.S. banks can help.

1. Engage Key Stakeholders

While it may seem obvious, operational risk programs that do not have buy-in and input from a diverse set of stakeholders can be counter-productive. Organizations need to engage the right stakeholders when establishing metrics and indicators such as key risk indicators (KRIs) and key performance indicators (KPIs), and when planning how to use data to track performance against these metrics. Clearly, management is constantly dealing with risks and analyzing data to drive results. While they understand the key information, they may not use the same language as the enterprise risk management team to communicate that data. The ERM team also must work more closely with the business line managers.

At times, this is not only an exercise in educating management on terminology related to risk, but also in helping management understand which metrics are key to navigating the risks of their specific areas.

2. Determine Which Indicators are Important to Your Business

Many organizations still track thousands of KRIs and KPIs, which makes it extremely difficult to analyze and report the risk insights that really matter to management and the board. A deluge of data leads to inefficiencies and redundancies, and can cause the business to miss critical information. Executives need to focus first on the indicators that are vital to the business and its priorities, as well as those that can help the organization get a firm grip on its risks, exposures and opportunities.

One way to identify important indicators is to conduct a root-cause analysis, or cause-effect analysis, of a loss event. This involves studying the operational losses that have occurred and quantifying the risk exposure, as well as the impact of those losses on business objectives. Another way to prioritize leading indicators is to aggregate and analyze other risk and compliance data points to understand correlation and causation. This may help identify other significant risk exposures that might otherwise have been missed. Finally, talk to the audit group, as their history of control testing will provide new insights into key gaps that may be measurable.

An important success factor is setting a limit on the initial KPIs/KRIs to be defined within each line of business. It can become cumbersome to drive the alignment from the risk indicators to the risk tolerances and oversight for the overall business unit and then to the organization’s risk appetite statement unless there are limits on the downstream KPIs/KRIs. As the foundation of the metrics is built out within the governance, risk and compliance system, however, it becomes easier to demonstrate the management of more metrics.

3. Align Metrics to Controls

Many organizations use metrics to understand their risk profiles. To take it one step further, organizations can use metrics to define their controls as well. This allows organizations to see two sides of the same coin at once. From there, they can get a better picture of their inherent risk and how well they are managing it, which can better position them to determine if their residual risk is increasing or decreasing. This additional step can either be worked into the preliminary process or taken on as the process matures, depending on the available resources.

4. Tie Metrics to the Business Plan and Strategy

It is critical to closely align risk metrics to the organization’s short- and long-term business plans, taking into account specific qualitative and quantitative objectives. Indicators mean different things to different people and to different organizations. By aligning key indicators to business plans, everyone will be better positioned to judge the effectiveness of new initiatives, identify new growth opportunities and better understand potential risks.

To drive success in the alignment of the KPIs/KRIs, it is important to take a top-down approach. Defining the organizational risk appetite as it relates to the organizational strategy through a risk appetite statement or some other method, then moving into the risk tolerances within key lines of business or business units, sets the stage for this top-down perspective.

5. Build a Risk-Aware Culture through Employee Involvement

Every organization has employees who are hesitant to report or identify risks for fear of revealing a critical failure in the company. However, it is absolutely necessary that all employees are held accountable and encouraged to be part of developing a risk-aware culture with open and transparent communication.

Cultivating a risk-aware culture of transparency and accountability helps prevent important warning signals from slipping through the cracks, which can lead to losses, increased risk exposure or missed opportunities. Encouraging employees to take ownership of risk reporting can impact the bottom line, and individual employees and teams should understand how disclosure benefits the company.

A good way to encourage disclosure is to create incentives for employees to understand, manage and report risk across the organization. One way to do this successfully is to start the process with facilitated sessions working with the line of business leadership and using each of these facilitated risk assessments as a training tool to enhance understanding throughout the organization. By working with this leadership group, the conversation then filters both upward and downward. Then, as the program is built out and matures, there is an embedded culture that supports and understands the risk landscape.

Big data is drastically changing the way companies assess and react to risk. Data-driven decision-making is achieved by leveraging big data, developing risk metrics, defining stronger controls and creating synergies and alignment among broader business plans and objectives. Creating a culture of risk by engaging and empowering key stakeholders is no easy feat, but it remains a fundamental component of an organization’s ability to continuously improve, grow and succeed.
Dawn Ward is a solutions manager at MetricStream.
Susan Palm is vice president of industry solutions at MetricStream.