A recent article published on Risk.Net "Firms fail to unlock benefits of Key Risk Indicators" [LINK] is an interesting read and I agree with much of what Rodriguez has written. Her analysis of why Key Risk Indicators (KRIs) have failed in banks is pretty spot on but at the same time, one is left with this sense that these systems are being unjustly described.

Before we dart off and incriminate the a KRI network as unyielding or worse, the core reason of what is wrong with a risk management framework, perhaps we need to take a look at why KRI systems miss their targets.

The idea that we can remove the cloak of uncertainty by capturing and reading data from factors that influence something we are working with is not a novel one. Key Risk Indicator systems are also a common assessment practice outside the domain of enterprise and operational risk management.

• In medicine, measuring the temperature, blood pressure and pulse rate of a patient gives doctor’s great insight into whether those sick are recovering or deteriorating.

• Ask yourself a different question. Would you drive in a car without a dashboard that gives you up to date details on your speed or remaining fuel for a journey you are on? ... Probably not.

• Elsewhere and back in the domain of banking; credit and market risk systems are deemed solid when Risk Indicators System are integrated with daily decision making. Risk reporting dashboards in these areas of banking have in the most part been successful.

One has to ponder then, why is it so difficult to to implement a similar Key Risk Indicator facility in an enterprise risk management framework?

Why Key Risk Indicators Fail | Martin Davies [LINK]

In the diagram above we have listed fourteen common hurdles that interfere with the success of a Key Risk Indicator system and many institutions I have come across suffer from more than one of these ailments.

Thoughts on making this work would be to start off small. Most operational risk units fail because they try to run before they can walk as the saying goes, they become too sophisticated with huge expectations for their KRI system. If a risk management department hasn't bedded down the core processes of their existing risk framework, attempting to enable any additional functionality is going to be troublesome.

Key Risk Indicators don't work well if the other infrastructure around risk management is missing and I would not try and run a KRI program until the following items are in play: The business unit has been mapped, there is an existing risk taxonomy in place, objectives (targets) and risks have been registered. Once this little lot is in place, then try to implement a KRI service but not before.