Risk management should be integrated into the performance management cycle of the organisation, at both the individual level and the corporate level.
One of the risk managers we interviewed shared an example where traditional static corporate key performance indicators (KPIs) have been replaced with dynamic, risk-based, ranged KPIs. This allowed their management to have bands of values instead of a single value. Some KPIs stayed as single-value estimates; however, they were calculated as the 95th percentile of the distribution of possible values produced by a Monte Carlo simulation. Triggers and key risk indicators may also be set for corporate KPIs to improve monitoring and performance tracking.
At an individual level, risk management KPIs may be set around risk-based decision making, timely risk mitigation, risk management training grades or an internal audit assessment of the risk management effectiveness in different business units.
HERE IS A QUICK CHECKLIST TO TURN THIS SECTION INTO ACTIONS
☐ Review existing methodology used to calculate strategic and operational KPIs
☐ Test whether KPIs are calculated based on appropriate risk analysis or whether current targets are overly optimistic and ignore risks
☐ Develop a set of corporate risk management or risk-based KPIs to raise risk management awareness
☐ Develop a set of individual KPIs for key managers to raise risk management awareness and assign responsibility