KRI Development Process

Thilak Pathirage, MBA(Sri J) BCOM(spl) CISSP CISA CISM CGEIT CRISC CBCP ITIL ISO27K(LA) FIB, AGM - OpRisk & Info. Risk Mgt., Seylan Bank PLC

Upload: thilakpathirage

Post on 24-Oct-2014



Definition
Example
Roles and responsibilities for KRIs
Major steps necessary to generate KRIs
Tool
Generic operational risk KRIs

Key risk indicators (KRI) are measurements used by management to show how risky an activity is, for example a project or an investment.

They are called key because they warn of the most obvious areas where problems may arise.

KRI help to flag up early warnings of a possible adverse impact arising from an activity in the future.

Developing operational risk indicators is not easy.

Risk indicators:

• highlight current risk levels by providing a measure of the status of an identified risk and the effectiveness of its control. Risk indicators can provide information which gives a useful ongoing view of the underlying behaviour of the risk profile;

• highlight trends and changes in risk level by monitoring changes in risk between formal risk and control assessments;

• provide early warning signals through predictive risk indicators which highlight changes in the risk environment, control effectiveness and potential risk issues before they crystallise and result in loss;

Another type of indicator is a key control indicator (KCI), which is a measure of the effectiveness (e.g. design and performance) of a specific control. Deterioration in KCIs can show an increase in residual risk impact or likelihood. KCIs are relevant to a particular control activity (or activities).

Risk indicators also:

• enable actions that prevent or minimise material loss or incident by prompting timely action on early warning signals; and

• express escalation criteria for risk management by using thresholds to convert raw indicator data into meaningful risk ratings to aid effective decision making.

Key risk indicators can be classified into two categories, namely:

• specific indicators, which relate to particular processes within a franchisee, such as the number of reconciling items in a given area; and

• environmental indicators, which impact the franchisee as a whole, for example, business volume.

KRI can provide early warning of future losses or other problems.

They are useful in supporting management decisions and actions.

They can be benchmarked both internally and externally.

Mastering KRI has proven difficult to date. The company has to believe in them, even though past history may not fully support their value.


RCSA Exercise: bottom-up risk and top-down risk.

RCSA Fundamentals: Impact vs. Probability. ORM is the management of the frequency AND severity of operational losses.

Risk responses: Share, Mitigate & Control, Accept, Control. Reference frameworks: COSO Framework, COBIT Framework, Control Framework.

We established norms of Impact and Probability

Risk matrix (Risk Level = Impact x Likelihood). On the slide, the business functions (OPS, PWN, SCC, CFU, FIN, EXP, LEG, MKT, IMP, ABC) are plotted on this matrix at their pre-control and post-control positions.

              Likelihood
Impact     1    2    3    4    5
  5        5   10   15   20   25
  4        4    8   12   16   20
  3        3    6    9   12   15
  2        2    4    6    8   10
  1        1    2    3    4    5

Criteria:

Category          Tolerability    Risk Level
Very Low (VL)     Acceptable      1-2
Low (LO)          Acceptable      3-4
Medium (ME)       Tolerable       5-7
High (HI)         Tolerable       8-14
Very High (VH)    Unacceptable    15 and above
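As an added example (not from the slides), the 5x5 matrix and tolerability bands above implemented in Python, together with the threshold step the deck describes: a raw KRI reading is converted into a likelihood score, rated against the matrix, and deteriorations along a timeline are flagged as early-warning signals. The indicator name, its cut-offs and its impact score are constructed for illustration.

```python
from dataclasses import dataclass
# Tolerability bands as given on the slide: (lowest level, highest level, category, tolerability)
BANDS = (
    (1, 2, "Very Low (VL)", "Acceptable"),
    (3, 4, "Low (LO)", "Acceptable"),
    (5, 7, "Medium (ME)", "Tolerable"),
    (8, 14, "High (HI)", "Tolerable"),
    (15, 25, "Very High (VH)", "Unacceptable"),
)

def risk_level(impact: int, likelihood: int) -> int:
    """Matrix cell value: Impact x Likelihood, both on the slide's 1-5 scale."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must each be 1..5")
    return impact * likelihood

def rate(level: int) -> tuple[str, str]:
    # Map a risk level onto the (category, tolerability) band it falls in.
    for low, high, category, tolerability in BANDS:
        if low <= level <= high:
            return category, tolerability
    raise ValueError(f"risk level {level} is outside the 1..25 matrix")

@dataclass(frozen=True)
class KRI:
    name: str
    impact: int                  # assessed impact (1-5) if the risk crystallises
    thresholds: tuple[int, ...]  # four ascending cut-offs turning a raw reading into likelihood 1-5
    def likelihood(self, raw: float) -> int:
        # Likelihood score is 1 plus the number of cut-offs the raw reading has reached.
        return 1 + sum(raw >= cutoff for cutoff in self.thresholds)

    def assess(self, raw: float) -> dict:
        level = risk_level(self.impact, self.likelihood(raw))
        category, tolerability = rate(level)
        return {"kri": self.name, "raw": raw, "level": level,
                "category": category, "tolerability": tolerability}

def escalations(kri: KRI, readings: list[float]) -> list[dict]:
    """Flag each reading whose rating worsened since the previous one or is Unacceptable."""
    flagged, previous = [], None
    for raw in readings:
        current = kri.assess(raw)
        worsened = previous is not None and current["level"] > previous["level"]
        if worsened or current["tolerability"] == "Unacceptable":
            flagged.append(current)
        previous = current
    return flagged

# Constructed sample: the "number of reconciling items" indicator the slides mention (hypothetical cut-offs and impact).
RECON_ITEMS = KRI("Reconciling items outstanding", impact=4, thresholds=(10, 25, 50, 100))
```

Running `escalations(RECON_ITEMS, [5, 8, 30, 60, 12])` flags the readings 30 (level 12, High, Tolerable) and 60 (level 16, Very High, Unacceptable) and leaves the others unflagged.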

[Slide chart: The Most Risky Business Functions, rating by summary business function. Y axis: Percentage (High / Medium / Low), 0% to 100%. X axis: Business Functions OPS, PWN, MKT, SLI, LEG, SCC, IMP, FCC, ACT, ABC, EXP. Legend: Low, Medium, High.]

Some of the following resources can be useful in helping create your own KRI list.

Policies and regulations, particularly those that are aimed at regulating the business activities of the company. Such KRI may include risk exposures relating to compliance with regulatory requirements and standards.

Strategies and objectives. Corporate and business strategies, as established by senior management, are a good source.

Previous losses and incidents. Databases containing historical losses and incidents can provide useful input on what processes or events can cause losses.

Do: Make your KRI quantifiable. Base KRI on consistent methodologies and standards. Track them along a timeline against standards or limits. Link KRI to objectives, risk owners, and standard risk categories. Run regular overviews to check that your formulae are still relevant and accurate in assessing risk.

Don't: Don't complicate risk. Don't be too simplistic. Don't put 100% faith in your initial KRI.