What is the effective risk control?

A crucial element of an effective risk management strategy is the setup of the risk control framework and identification of the appropriate KRIs (Key Risk Indicators). This task requires a precise definition of the objectives to select the potential elements that might hinder the achievement of those objectives.

The process of identifying the KRIs may bring significant advantages to an organisation:

A better understanding of risk dynamics: Defining and monitoring KRIs provides a deeper insight into the main threats to the business;

More reliable risk strategies: With a greater understanding of the risk dynamics the management team can define more accurate methods to assess and minimise potential risks;

Risk tolerance levels: Using KRIs, the management can define the company’s tolerance threshold and the risk limits that trigger a corrective action;

Better insight into risk trends: Periodic and regular monitoring of KRIs provides the organisation with a more accurate view of the risk trends. These might be used to determine which activities or business lines are more vulnerable and need further monitoring, as well as new opportunities for growth.

KRI can be explained as the antithesis of KPI, because of the following: while KPI (Key Performance Indicator) indicates how well a company is doing, KRI (Key Risk Indicator) shows the opposite. It warns the company about the dangers and threats and enables the windows of opportunity to react to a specific risk.

KRIs must meet a specific set of requirements:

Measurable: Either in absolute numbers or as a percentage;
Traceable: KRI’s should show a consistent scale of value that allows comparing of their evolution;
Predictable: KRIs should provide early signals of potential risks;
Informative: Providing an accurate outlook on the risk status.

Once the KRIs are selected, the management should define the thresholds that would trigger risk mitigation plans.

Risk control is not a one-time project but needs to be performed as a cyclical process where risks are monitored systematically. But what is the optimal frequency? Real-time, daily, weekly, monthly or yearly?

These two measures need to be taken into consideration when we decide upon the frequency:

i) each realized risk (loss event) can have a different impact on the organisation and
ii) the frequency of risk control is determined by the impacts.

The risk control process must also include the information from the loss event management (do you track your loss events systematically? Stay tuned for our next blog where we will talk about the systematic Loss event management and all it’s benefits for the risk management) and data from all the executed mitigations. And don’t forget: be alert and respond to all the changes.

In general, we can say that KRI’s should be monitored regularly, and their evolution needs to be reported to the organisation’s management so that they are informed to make strategic decisions. In that sense, it is essential to be selective with the KPI’s, as managing too many of them might be complicated and could lead to wrong conclusions.

In many cases, monitoring and reporting KRIs manually in real-time might be challenging and time-consuming. If you still handle your monitoring and reporting in Excel tables you know what I am talking about. In these cases, only technology allows access to accurate and updated data on the various risk metrics to obtain immediate reporting.

Businesses with a clear risk management strategy in place can leverage technology to monitor the evolution of the KRIs and to deliver periodical reports to the management team. This automated reporting with customizable dashboards would liberate the company’s risk managers from low-value tasks such as risk monitoring, improve data traceability over time and minimise human error. And most importantly: it will save them time, and enable them to focus on the effectiveness.

P.S.: To refresh your knowledge about systematic risk management, check a few previous articles:

How to manage risks systematically?

How to identify risks?

How to define “a risk”?

Risk assessment [Part 1]: Setting up the risk measurement framework

Risk assessment [Part 2]: How to assess risks in practice?


Contact our team if you need help with risk assessment.

For more information about risk management follow our LinkedIn & Twitter account. You can join the debate in Linkedin group ERM – ENTERPRISE RISK MANAGEMENT.