Author: Manu Steens
An important concept in strategic risk management is that of risk intelligence.
Risk intelligence is a “systematic process for gathering and analyzing information about the risks of the organization’s business, to be able to make strategic decisions based on this and then to do better as business in a competitive environment.” So it is a possible answer to competitive intelligence from potential opponents.
It is therefore more extensive than a classic risk analysis process with accompanying actions. It is all relevant information.
The organization must therefore be capable of providing for events and external impulses for changes. Furthermore, it must be a process because risks are changeable, and strategies must be able to be adjusted, and because new risks constantly arise.
One of the possible predictors are indicators: KPI and KRI (Key Performance Indicators and Key Risk Indicators). I discuss the KRI here. (Please note: the KRI provides information, the analysis of this information must still be done (to create knowledge) by the owners of the risk.)
KRI based on outcomes
Key Risk Indicators are often effect indicators. They measure whether the set objectives, the outcomes of the processes, have been met.
KRI on the basis of outcomes, are effect indicators. Conversely, impact indicators can be considered as a sub-class of the risk indicators. However, it is best to speak of effect indicators with regard to people who are averse to risk management as another topic that management adheres to.
But how do you achieve effect indicators?
Strictly spoken by determining the outcomes of the process, the project, the objective. A trick to determine these outcomes is not t take the output of the processes or projects as the final stage of the activity, but the purpose of the activity. This can be done by describing the process / project in one or only a few sentences, and ending this description with one or more completions after the words “in order to …” or “so that …”.
There you contrast criteria that you then periodically want to keep an eye on to see if they are exceeded, or show a tendency, or make a jump and the like.
An example here can create clarity.
In the operation of a BCM manager, there is a process that starts with each cycle. This cycle can be described in ISO 22301, but also in the GPG of TheBCI.org.
An example is for crisis communication: “Speaking to the media with a clear voice from the organization during the crisis”. This is an objective of the crisis management team, because the goal during a crisis is that the transfer of information is easily verifiable, just as fully as possible and in accordance with the requirements of the moment. The undesirable consequence that you are running is that a number of people wrongfully talked to the media with all the wrong information flows that can follow from them. You can therefore do a measurement as follows:
T = “Sum of (The number of people who (unjustly) speak to the media) of the crises that month.”
You can then illustrate the measurement with smileys as follows:
Green smiley: 0 people
Yellow smiley: youdo not use this one here
Red smiley: 1 or more people
Gray smiley: there was no need for communication to the media due to no crisis settlement that month.
KRI based on risk analysis
But there is also a second class of Key Risk Indicators, which do not base themselves on the outcomes or targets set, but which refer back to the risk analysis of the process, the project or the objective (s).
An explanation of the method can most easily be illustrated with the Bow-Tie risk analysis method.
In the Bow-Tie method one can predictively work by looking at the left side (preventive side) of the bow tie, where one has pierced through to the root causes of a desired or undesirable event.
Once the relevant causes have been inventoried, criteria must be established in which these causes occur. For example, (hypothetical) accidents among foresters peak when 15% of foresters have less than 1 year experience in the sector and their supervisors are younger than 30. Then one can draw up a KRI for HRM to find out what the age of the supervisors is. and the combination of the experience of their guests. When a new recruitment with this combination exceeds this criterion, for example, a reorganization of seniors and juniors can be implemented.
As one readily sees, these KRI are certainly important for their predictive power. They are predictive, where the KRI on the basis of outcomes show that something has gone wrong or something is going wrong.
That predictive indicators can make the difference between success and failure in the intended effect, and they are based on the results of the complete risk analysis, is a reason to carry out a complete risk analysis according to the American model.
The important thing about the KRI is that it is possible to adapt the existing strategies during the process. One can anticipate.