Google the terms ‘Key Performance Indicators’, ‘Key Risk Indicators’ and ‘Key Control Indicators’ and you will accumulate 1,560,000, 390,000 and 444,000 hits respectively. Clearly there is a lot of information out there on these topics but there are two questions that we are often asked – “KPIs, KRIs, KCIs – Are they different? If so, does it really matter?”
It is our view that the answer to both of these questions is YES so let’s explain why, starting by defining what we mean by each of these different indicators.
Key Performance Indicator (KPI)
An indicator which enables an organisation to define its performance targets based on its goals and objectives and to monitor its progress towards achieving these targets.
KPIs are used to answer the question: “Are we achieving our desired levels of performance?”
Within the Risk-based performance methodology, KPIs are/should be defined for all strategic objectives included on the performance scorecard and scored on a 0-3 scale – see previous post on the Risk-based performance scoring methodology.
KPIs can be financial and non-financial in nature, and leading or lagging. They can be quantitative or qualitative in nature.
Click here for a definition of Key Performance Indicator from Wikipedia
Key Risk Indicator (KRI)
An indicator which is used by organisations to help define its risk profile and monitor changes in that profile.
KRIs are used to answer the question: “How is our risk profile changing and is it within our desired tolerance levels?”
Within the Risk-based performance methodology, KRIs are/should be defined for all Key Risks, and included on the risk scorecard and scored on a 0-3 scale – see previous post on the Risk-based performance scoring methodology.
Like KPIs, KRIs can be financial and non-financial in nature, and leading or lagging. They can be quantitative or qualitative in nature. Where KPIs tell us if we are achieving our targets, KRIs help us understand the changes in our risk profile and the impact and likelihood of achieving our overall objective. KRIs should inform discussions around the Risk Map and the setting of Impact and Likelihood levels.
Click here for a definition of Key Risk Indicator from Wikipedia
Key Control Indicator (KCI)
An indicator which is used by organisations to help define its controls environment and monitor levels of control relative to desired tolerances.
KCIs are used to answer the question:”Are our organisation’s internal controls effective? Are we ‘in control’?”
Within the Risk-based performance methodology, KCIs are/should be defined for all Key Controls and included on the controls scorecard and scored on a 0-3 scale – see previous post on the Risk-based performance scoring methodology.
Having defined each of these different types of indicators, let us return to the questions;
Are they different?
From the definitions above it is clear that these three types of indicators each have a different emphasis and provide different management indicators to different audiences. However, one should not assume this means three times the volume of data is required; often it is not. This is because fundamentally these three different types of indicators are related and often data can be reused for different types of indicators. It would not be unusual to see data for a lagging KCI be reused for a leading KRI for example.
Does it matter?
Yes it does. Firstly we return to the point about developing greater clarity around the management information that will be generated with these indicators. By being very clear about the type of question you are trying to answer and the type of indicators you are defining, you can significantly improve the quality and clarity of the resulting management information. The Risk-based performance methodology suggests using three different types of scorecards – a performance scorecard, risk scorecard and controls scorecard – with the corresponding types of indicators. In our experience, as clients work with this methodology and engage in discussions about the different types of indicators and when to use them, the quality of the resulting scorecard (and MI) is significantly higher as the number of indicators generally reduces to the ‘vital few’ and the quality of each set of indicators is high. Data volumes do not go up by three because of data reuse.
Additionally, being very specific about the different types of indicators used allows for a wide range of audiences to be satisfied from the data set developed using Risk-based performance. As a simple example, Management will be interested in all three types of information, whereas the Risk team, Internal Audit and the Regulator will be focused primarily on the risk and controls data.
As a closing tip, we would strongly recommend that if you are implementing an approach which includes KPIs, KRIs and KCIs it is very important to have a clear definition of each type and develop understanding of these differences within your organisation. We have seen cases where everything is called a ‘KPI’ which leads to a lot of confusion about the information rather than what it was telling us and what actions to take. We have also seen examples where KRIs and KCIs are used but they mean different things in different parts of the organisation, both different departments and different geographical locations. This leads to no end of confusion and time wasted.
So the closing tip related to indicators is:
- Think about the questions you are trying to answer and your various audiences to determine the types of indicators you should deploy.
- Think about the relationships between indicators to enable data to be reused and to promote richer discussions about indicators.
- Be very clear about the definitions for each of the different types of indicators.
- Apply the definitions consistently across the organisation.
Click here for related posts about Risk-based performance.