KRIs and KPIs: The Alphabet Soup Approach to Risk Management

Published: June 29 2009, 05:15 AM
by Sumner Blount


Measuring the level of risk in any organization is hard... very hard. One type of metric that is often used is the Key Risk Indicator (KRI). KRIs are numbers that are simple, hopefully easy to capture, and are used to indicate a certain level of risk to the organization. But what does it actually mean if a KRI starts to increase, and how is the relationship between a KRI and the overall financial health of the organization established?

I think a useful approach is to view a KRI as a leading indicator of an area of risk to business performance. In effect, a KRI can predict downstream impacts on the business. Some examples of KRIs might be the:

  • turnover rate of key IT admins,
  • number of system configuration changes over time, and
  • availability level of key IT services.




But, how can we measure "impacts on the business"? Ultimately, of course, the business boils down to revenue, profit, and a few other key financial metrics as reported in the annual report. But, there are other, more immediate values that generally are impacted before these critical metrics. Sort of like the proverbial "canary in the coal mine."

This is where Key Performance Indicators (KPIs) come in. KPIs are non-financial leading indicators of business performance. If you wait until there is a measurable impact on your key financial metrics (profit) before taking action, your ability to correct the problem in a timely way is limited, at best. Example KPIs might be your rate of on-time delivery, your rate of customer retention, quality of materials, etc. Each of these could cause, if left unchecked for a period of time, big changes in your financial performance. So, if you can identify an increasing KRI... before it impacts a KPI... before it impacts financial performance, you have gained a significant improvement in your overall governance model.

Let's look at an example to illustrate this point. Let's define a KRI as the "turnover rate of key IT administrators." If this rate increases significantly, it is likely that IT effectiveness will decrease. System downtime will probably go up, partners and distributors will have trouble getting their product information as needed, or placing their orders. So, define a KPI as the "Partner Order Rate," which is the rate at which your partners' orders are coming in, as compared to the historical average.

In another example, assume that your rate of IT changes increases for some reason. This could impact your ability to deliver services according to your contracts. This also will affect your ultimate revenue, as partners or customers start to cancel their agreements or contracts.

The relationship could be represented as follows:


[Figure: KRI graphic]


Sounds simple, right? It's not. Deriving these indicators, and making sure that you understand the relationship between them, can be challenging. But, if you are going to manage risk to your business effectively, you need to understand what factors will impact it, and how you can identify trends before they become critical.


 

By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

2 people have left comments:

Thanks, David, for the comment. Yes, that's the essence of what I'm saying. I suppose one could link KRIs directly to business performance (eg, revenue), but I argue that this link is too indirect to be adequately modeled that way. I find an "early warning of financial impact", namely, the KPIs, to be a more logical approach. One could work backwards by saying (admittedly over-simplified) "what could impact my revenues", and then for each of those sources of revenue, ask "what non-financial conditions could negatively impact this revenue source" (KPI), and then "what could possibly happen that would cause this specific condition to arise" (KRI).

Again, thanks for the comment
Sumner

Posted by: Sumner Blount | October 1, 2009 12:03 PM

I hadn't thought of using KPIs in the context of measuring risk, but the context you put them in is interesting and I think very valid. Essentially you're saying a risk is a risk to the performance of the business, and therefore KPIs sit between KRIs and Business performance. Nice :-)

Posted by: David Lodge | October 1, 2009 12:03 PM
