Adding key risk indicators to the strategy measurement conversation

We all know the value of Key Performance Indicators (KPIs). Although most organizations have way too many and generally have a poor understanding of how they work, they are critical elements of a Balanced Scorecard system.

As much as anything, KPIs are the vital navigation instruments used by managers to understand whether the organization is on a successful voyage or whether it is veering off course. Without the right KPIs managers are sailing blind.

Strategy and risk

However, as argued in the Risk-Based Performance Management: integrating strategy and risk managementKey Risk Indicators (KRIs) are equally important navigation instruments and are critical components of the overall strategic narrative.

Strategy and Risk are two sides of the same coin. Strategy cannot be managed effectively without understanding both the “performance” story (KPIs) and “risk” story (KRIs). The proper use of KRIs provides for much greater insight into the future, and promotes much greater quality of management conversation than can be gained by simply using KPIs.

To be fair, many organizations are using both KPIs and KRIs: although this is certainly an improvement on KPIs alone, they still tend to be managed separately by a performance management team and a risk management team, and feeding into different reporting and decision-making processes.

As the KPIs and KRIs are not integrated, they deliver a “siloed”, and often competing, view of the organization and its performance. Therefore, the executive team does not have the appropriate data and information to inform the required high quality management conversations that provide a more complete view of progress toward the strategic objectives or enable the trade-off between risk and reward to be discussed, understood and acted upon.

Defining the indicators

So let’s define KPI and KRI. Definitional clarity will remove much of the confusion that today exists concerning the meaning of these indicator terms.

One cause of confusion is that many organizations that have existing indicators will be using the term “KPIs” for both sets of indicators: performance and risk. This leads to much misunderstanding during reviews and decision-making events as people interpret the data from a performance point of view, which often leads to a lot of time-wasting around discussing performance when they are actually discussing risk.


KPIs enable an organization to do two things:

  1. Monitor its progress towards achieving strategic objectives
  2. Identify, and monitor progress towards performance targets

In the broadest sense, a KPI can be defined as providing the most important performance information that enables organizations or their stakeholders to understand whether the organization is on track, and make timely interventions if not. By providing data and information on critical performance issues, KPIs are used to answer the question “Are we achieving our desired levels of performance?”


KRIs are used to help define an organization’s risk profile and monitor changes in that profile. KRIs are used to answer the question “How is our risk profile changing and is it within our desired tolerance levels?”

KRIs are used to support the risk assessment process in order to develop an understanding of the impact on the organization of identified risks materializing and the likelihood of their materializing.

Assessing strategic risk

A simple likelihood multiplied by impact equation is often used to assess the level of risk the organization is facing. KRIs provide a base of data and trend information that informs the calculation of risk exposures and informs management conversations as to current level of risk-taking, changes in risk-taking, and about how much risk needs to be taken to successfully deliver to the strategic objectives.

The other function of KRIs is that they help translate risk appetite into operational risk tolerances (which are expressed as thresholds around the indicators). If the organization has a high appetite, it would be expected that the threshold would be wider allowing for greater levels of variation away from the baseline, whereas a low risk organization is going to have tight thresholds to promote a higher level of control.

KRIs might simply be a key ratio that the board and senior management track as indicators of evolving problems, which signal that corrective or mitigating actions need to be taken. On other occasions they might be more complex, aggregating several individual risk indicators into a multidimensional risk score regarding emerging potential risk exposures. COSO’s 2009 white paper Strengthening Risk Management for Competitive Advantage explained:

“KRIs are typically derived from specific events or root causes, identified internally or externally, that can prevent achievement of performance goals. Examples can include items such as the introduction of a new product by a competitor, a strike at a supplier’s plant, proposed changes in the regulatory environment, or input price changes.”

Two separate scorecards

KPIs and KRIs should both be tracked on their own separate scorecards, so a risk scorecard (or dashboard, to avoid terminology confusion) will complement the more conventional performance scorecard. As Professor Robert Kaplan (co-creator of the Balanced Scorecard) said to me in an interview I did with him in late 2015 on integrating strategy and risk management:

“Risks (both threats and opportunities) impact each and ev­ery objective on a Strategy Map – financial and non-financial. Identified risks should be managed through a separate risk dashboard. For example, Infosys has a strategy focused on large contracts with large corporations. The concentration of revenues was identified as a significant strategic risk (a large account failure would show up on the income statement). The company identified a strategic risk indicator, credit default swap (CDS) rates, for its risk dashboard. If the CDS rate, the price for insuring against a client’s default, went outside a specified range, then mitigation steps could be taken to cope with the client’s increased risk.”

Furthermore, a risk mitigation might well be a strategic initiative that impacts both sets of indicators and ultimately the delivery of the strategic objective.

Key control indicators

Best practice organizations also introduce Key Control Indicators (KCIs) into the overall indicator universe. KCIs are indicators that are used by an organization to help define its controls environment and monitor levels of control relative to desired tolerances.

KCIs play an important role in managing the execution of strategy and management of risk as they enable the effectiveness of controls to be monitored and proactively managed. This in turn helps create an environment within which decisions can be effectively implemented. A robust controls environment also helps create a “no surprises” culture; thus enabling the organization to remain focused on delivering its strategic objectives. KCIs are used to answer the question “Are our internal controls effective? Are we, as an organization, ‘in control’?”

Parting words

As we move deeper into the digital-era (or the 4th industrial revolution), it will become increasingly critical to manage performance and risk equally as part of the strategy management process. As Professor Kaplan said:

“With good data and insights from both strategy and risk officers, the executive team can then make an informed decision about how much risk they are willing to take in their strategy implementation efforts and how much to spend on strategy execution and risk management. With a deep knowledge of the performance/risk dynamic, managers might even take on more risk than their competitors – knowing that their risks are visible, that they are tracked through the strategic management system and that the limit of the risk taking is understood. In this way, risk management becomes another tool for competitive advantage: as much about saying yes as saying no.”


As always feedback is welcomed.

Adapted from Risk-Based Performance Management: integrating strategy and risk management, Andrew Smart and James Creelman, Palgrave MacMillan, 2013. Additional material from an interview with Professor Kaplan for How do you integrate strategy and risk management? Strategically Speaking, Palladium, October 2015.

About the author

A recognized thought-leading author, trainer and advisor specializing in Strategy Management, The Balanced Scorecard, Leadership & Culture Change, Enterprise Performance Management and Strategic Risk Management.

Extensive experience of leading consulting and training assignments across the world, for both Government and commercial organizations, most notably in the Gulf and Indonesia (as a resident in both) as well as Europe North America, Australia and India.

Author of numerous articles/blogs as well as 24 in-depth research-based management books, including Doing More with Less: measuring, analyzing and improving performance in the government and not-for-profit sector, Palgrave Macmillan, 2014, Risk-based Performance Management: integrating strategy and risk management (Palgrave Macmillan, 2013).