WHITE PAPER UNDERSTANDING KEY CONTROL INDICATORS & HOW THEY CAN REDUCE RISK


This white paper provides an overview of KCIs, discusses how they compare with KRIs and how they contribute to effective risk management.

An enterprise-wide approach to risk and compliance management can make a significant and tangible difference to the bottom line and is becoming increasingly necessary to meet the growing demands for transparency across organisations. Increasingly, organisations are looking to develop metrics to better monitor potential changes in risk conditions. One of the best known metrics is the Key Risk Indicator (KRI), which aims to provide a warning that a risk may occur before it impacts the organisation. Other metrics that are becoming more widely used are Key Control Indicators (KCIs). So how do these differ from KRIs, and what are the benefits of using them in the context of operational risk?

WHAT ARE KEY CONTROL INDICATORS?

KCIs are measurable metrics that indicate the potential for a control to fail within an organisation. Broadly put, KCIs aim to answer the question: are our organisation's internal controls effective? By analysing trends in KCIs, board members and managers can proactively identify impacts on the organisation's enterprise and operational risk portfolio. As a result, they can take proactive decisions to address control failures as soon as potential weaknesses are identified.

HOW DO KCIs DIFFER FROM KRIs?

Key Risk Indicators (KRIs) measure the potential for risks to occur by identifying metrics that indicate a raised risk profile. For example, a significant rise in employee turnover can indicate an increased likelihood of loss of key staff.

KCIs have a strong relationship with KRIs, simply because if a KCI indicates the failure or weakness of a control, then it is likely that the level of risk is increasing. For example, consider a KCI that monitors the effectiveness of staff supervision: if supervision is reduced, the risks mitigated by that control become more likely to occur.

As the following diagram shows, KCIs are more focused than KRIs, in that they are specifically related to the controls that mitigate a risk. Moreover, a KCI can apply to multiple controls, which themselves can mitigate multiple risks.

Figure 1 Typical relationships between KCIs, Controls and Risks

THE BENEFITS OF KCIs

There are a number of benefits to creating and monitoring KCIs:

Better focus: KCIs focus on ensuring that internal controls are effective in a measurable way. Rather than using broad definitions of control effectiveness, they provide a more empirical means of assessing the potential for control failure, one that can be determined quickly and systematically. This obviously relies on the KCI metrics being an accurate measure of potential failure.

Wider impact: Controls can mitigate multiple risks, therefore effective KCIs have the potential to positively impact multiple risk areas within an organisation. KRIs, on the other hand, tend to focus on individual risks, which can make them less widely applicable.

Early warning: KCIs can often be viewed as leading KRIs, in the sense that the failure of a control is an early warning of a risk event. For example, a KCI that flags the potential failure of IT security controls is likely to reveal a security risk sooner than KRIs that measure security failures directly.

Audit friendly: Many organisations will have an audit function as part of their three lines of defence governance model. A core part of this activity is an audit of existing controls to ensure that they are working effectively to reduce risk. KCIs can assist in this activity by providing auditors with clear metrics with which to assess the effectiveness of controls.

TYPES OF KCIs

Just like KRIs, some KCIs are common to most organisations, while many are specific to the type of business they undertake. An example of a common KCI is lack of supervision. A significant reduction in staff supervision levels could point to a deeper problem in the business, which may have negative consequences for the organisation's ability to maintain staffing levels. An example of a specific KCI might be the number of unauthorised trades or failed transactions in a brokerage or financial services organisation, monitored at a set frequency.

Figure 2 Examples of KCIs

SOURCES OF KCIs

The primary sources of KCIs are the controls they relate to. A KCI should provide a measurable indicator of the effectiveness of a control. As an example, let's take the control "IT Disaster Recovery Plan", relating to the risk "IT Infrastructure Failure". Its KCIs should aim to highlight weaknesses or points of failure in the control: for instance, the number of months since the recovery plan was reviewed, or the number of successful tests of the recovery plan in the previous 12 months.

In addition, it is important to keep in mind the ultimate goal of a KCI, which is to reduce risk. Thus the number of successful tests of the recovery plan might be viewed as the more effective KCI, since testing a plan mitigates the risk more than simply reviewing it on a regular basis.

KCIs AND CONTROLS

MEASURING KCIs

KCIs are measured by one or more quantifiable values or metrics. Numerical or percentage thresholds are set that equate to a red, amber or green rating. For instance, for the metric "% of staff receiving monthly supervision", a value of 70% or below might be rated red, a value above 70% but not above 80% amber, and a value above 80% green.

While most KCIs are quantitative in nature, some KCIs can be qualitative. For example, a KCI might relate to an opinion on the quality of a procedure or process. In this case, three qualitative descriptions can be associated with the KCI metric, capturing a red, amber or green response.

As mentioned above, an important feature of KCIs is that they must be linked to the controls that they aim to monitor, otherwise they will have no relevance. A KCI can be associated with more than one control. To illustrate this, consider the employee supervision KCI: it could be linked to controls mitigating a number of different risks, including people risks and regulatory risks such as failure to comply with trading standards or regulations.

KCI SPECIFICATION

Once KCIs are identified, they will need to be clearly specified. This should include a distinct description of the KCI's objective and how it will be measured. To specify how they will be measured, each KCI should be associated with one or more metrics. Generally, metrics are quantitative values such as a number, percentage or currency value. In the case of the KCI "employee supervision frequency", we might be interested in the metric "% employees receiving supervision in previous month".

Next, the thresholds of the metrics must be identified. It is important at this point to ensure the thresholds relate to the risk appetite within the business. This is a decision that can only be made by senior management in conjunction with a risk expert or risk team. A threshold will either be an upper threshold (any value >= the threshold is red) or a lower threshold (any value <= the threshold is red), with an amber threshold sitting between the red threshold and the green range.

To complete the specification, the frequency at which the KCI will be measured must be chosen. Typically, this is monthly, as it enables three measurements to be trended prior to a quarterly risk review. However, weekly or even daily KCIs are sometimes used too.

The following table shows an example of a KCI specification:

Figure 3 Example KCI Specification

KCI Name: Employee Supervision
Description: To measure the amount of supervision provided to employees
Related Controls: Employee Supervision Frequency
Frequency: Monthly
System: ERM
Business Unit: HR

Metric 1
Name: % employees receiving supervision in previous month
Type: Percentage
Upper/Lower: Lower
Threshold (red): 70%
Amber Threshold: 80%

COLLECTING KCI DATA

KCI and KRI data is the core of an effective risk solution, so making it easy for all the stakeholders involved to gather is essential. If it is entered manually, then the relevant people should have a clear place to enter the data, along with comments on any perceived trends or issues. Where possible, KCI data should be collected automatically, for example via internal systems such as databases and ERP systems, or from external data sources, e.g. market data, social media data and so on. Any approach to collecting KCI and KRI data must therefore be able to integrate easily with, and gather data from, multiple data sources.

AGGREGATING KCIs

While it is tempting to report on all the KCIs to the board, this can provide far too much detail to be fully understood during a board meeting. Instead, many organisations using KCIs create a KCI or risk dashboard that summarises the data in a variety of ways. At the simplest level, a 2-3 page report that summarises the KCIs for key controls and their trend over the previous 3-6 months is very useful (see Figure 4 below). An alternative approach is to aggregate KCI ratings around specific risk areas or control objectives, e.g. the control objective "to ensure financial transactions are conducted in an accurate, timely and complete manner", and so on. This can result in a simple traffic light view of the risk position by risk category (see Figure 5 below). However, it is important that the rules for aggregating this data are well defined. For instance, the worst-case KCI rating can be taken across each control objective, or a process of averaging or weighting scores across all KCIs can be adopted. In both cases, the results should be carefully calibrated over time against the actual risk events occurring in the business to ensure they are as accurate as possible.

Figure 4 Example KCI Summary Report

Figure 5 Example of a KCI Dashboard
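The following is an added example, not code from the paper or from Xactium's product: a small Python model of the threshold rules in the KCI SPECIFICATION section and the two aggregation rules in the AGGREGATING KCIs section. The upper/lower threshold semantics (value >= red threshold is red for an upper threshold, <= for a lower one) and the worst-case rule are the paper's; the class and function names (Threshold, Kci, aggregate, dashboard), the sample monthly readings, the KCI weights and the rounding bands used for the weighted method are assumptions made for the illustration.

```python
# Added illustration of the paper's KCI rating and aggregation rules.
# Not Xactium's code; names, sample data and weighted-rounding bands are assumptions.
from dataclasses import dataclass, field
from typing import Literal

Rating = Literal["green", "amber", "red"]
RANK = {"green": 0, "amber": 1, "red": 2}          # higher is worse


@dataclass(frozen=True)
class Threshold:
    """Red and amber limits for one metric, in the paper's two directions:
    'upper': value >= red is red (e.g. months since a plan was reviewed)
    'lower': value <= red is red (e.g. % of staff supervised last month)
    The amber limit must lie on the green side of the red limit."""
    direction: Literal["upper", "lower"]
    red: float
    amber: float

    def __post_init__(self) -> None:
        ok = self.amber < self.red if self.direction == "upper" else self.amber > self.red
        if not ok:
            raise ValueError(f"amber limit {self.amber} must lie on the green side of red limit {self.red}")

    def rate(self, value: float) -> Rating:
        if self.direction == "upper":
            is_red, is_amber = value >= self.red, value >= self.amber
        else:
            is_red, is_amber = value <= self.red, value <= self.amber
        return "red" if is_red else "amber" if is_amber else "green"


@dataclass
class Kci:
    name: str
    threshold: Threshold
    history: list[float] = field(default_factory=list)   # oldest first, one reading per period
    weight: float = 1.0                                   # only used by the weighted method

    def ratings(self) -> list[Rating]:
        return [self.threshold.rate(v) for v in self.history]

    def current(self) -> Rating:
        if not self.history:
            raise ValueError(f"{self.name}: no measurements yet")
        return self.threshold.rate(self.history[-1])

    def trend(self) -> str:
        """Compare the latest rating with the earliest one in the window."""
        r = self.ratings()
        if len(r) < 2:
            return "insufficient data"
        delta = RANK[r[-1]] - RANK[r[0]]
        return "worsening" if delta > 0 else "improving" if delta < 0 else "stable"


def aggregate(kcis: list[Kci], method: str = "worst") -> Rating:
    """Roll the current KCI ratings up to one rating for a control objective.
    'worst'    : the paper's worst-case rule.
    'weighted' : weighted mean of rank (0/1/2) mapped back to a rating;
                 the <0.5 / <1.5 bands are an assumption, not from the paper."""
    if not kcis:
        raise ValueError("nothing to aggregate")
    if method == "worst":
        return max((k.current() for k in kcis), key=RANK.__getitem__)
    if method == "weighted":
        total = sum(k.weight for k in kcis)
        score = sum(k.weight * RANK[k.current()] for k in kcis) / total
        return "green" if score < 0.5 else "amber" if score < 1.5 else "red"
    raise ValueError(f"unknown aggregation method {method!r}")


def dashboard(objectives: dict[str, list[Kci]], method: str = "worst") -> dict[str, Rating]:
    """Traffic-light view: one rating per control objective (the paper's Figure 5 idea)."""
    return {name: aggregate(kcis, method) for name, kcis in objectives.items()}


# Constructed sample data: three monthly readings per KCI, oldest first.
SUPERVISION = Kci("% employees receiving supervision in previous month",
                  Threshold("lower", red=70, amber=80), [85, 78, 66])
DR_REVIEW_AGE = Kci("months since IT DR plan last reviewed",
                    Threshold("upper", red=12, amber=9), [7, 8, 9])
DR_TESTS = Kci("successful DR plan tests in previous 12 months",
               Threshold("lower", red=0, amber=1), [2, 2, 2], weight=2)  # tests weighted above reviews

OBJECTIVES = {
    "People: staff are adequately supervised": [SUPERVISION],
    "IT: infrastructure failure is recoverable": [DR_REVIEW_AGE, DR_TESTS],
}

if __name__ == "__main__":
    for k in (SUPERVISION, DR_REVIEW_AGE, DR_TESTS):
        print(f"{k.name}: {k.ratings()} -> {k.current()} ({k.trend()})")
    print("worst-case:", dashboard(OBJECTIVES))
    print("weighted  :", dashboard(OBJECTIVES, "weighted"))
```

Running it shows why the aggregation rule has to be chosen deliberately and then calibrated: for the IT objective the worst-case rule reports amber (the review-age KCI has just crossed its amber limit), while the weighted rule reports green because the heavier-weighted testing KCI is healthy. Either can be the right answer for a given risk appetite, but the board is seeing a different picture depending on which was picked.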

SUMMARY

Key Control Indicators can provide a powerful approach to providing a quantitative assessment of control effectiveness within an organisation. In this white paper we have discussed some of their key features and benefits and aimed to provide some practical advice on their collection and reporting.

ABOUT XACTIUM

Xactium is a cloud-based GRC software provider that helps Risk, Audit and Compliance professionals to transform the way that Financial Services organisations evaluate and manage their enterprise risk. The value of the risk process and its profile is raised through the use of risk intelligence that improves efficiency and creates insights that influence decisions across the business. As the central risk platform used by the FCA to supervise the market, it has also been adopted by a wide range of financial services organisations from across the industry, including Direct Line Group, JLT, MS Amlin and Argo Group.

Xactium is the world's first enterprise risk-intelligent system, with the revolutionary use of embedded AI (Artificial Intelligence), 3D visualisation and automation that dramatically improves efficiency and creates innovative analytics. Reporting is made easy and timely, and predictive insights enable senior managers to prioritise resources. Xactium is also built for managing change and is probably the most flexible and configurable enterprise risk management system available today. This adaptability ensures that our customers stay up to date and able to respond to both business and regulatory change, without the need for costly bespoke programming. Overall, Xactium releases more time and resource for the risk team to help promote best practice and demonstrate the value of risk across the business through actionable insight.

Visit us online at
Tel: +44 (0)
info@xactium.com

Head Office: Xactium House, 28 Kenwood Park Road, Sheffield S7 1NF
London Office: Xactium Ltd, 1st Floor, 6 Bevis Marks, London EC3A 7BA