How to Design a Great Key Risk Indicator
Article 2 of 2: How to produce optimal KRIs and effectively link them to the organization’s risk appetite.
Key risk indicators (KRIs) are a crucial component of treasury risk management. The first article in this series provides a high-level overview of the role KRIs can play in treasury risk management and the process for developing them. This article will provide further details for building successful KRIs and their associated limits.
One element of an effective key risk indicator that is frequently overlooked in practice is tying the metric tightly to the corporate risk appetite. That is not the only important factor. Additionally, KRIs should be quantitative, relevant, forward-looking, timely, consistent, and efficient.
Quantitative. The first of these characteristics is straightforward: Quantitative KRIs are more useful than qualitative ones. For example, metrics expressed as percentages, ratios, or numerical values are easier to use—and to compare with risk limits and industry standards—than are general descriptions such as “high risk,” “medium risk,” and “low risk.” Qualitative descriptions may increase subjectivity and bias around whether the current level of risk is acceptable.
Relevant. Establishing the relevance of a KRI may be a bit trickier. The goal should be to select as a KRI the most appropriate measure for a particular exposure. Treasury and risk management teams can gauge the relevance of a prospective KRI by considering how well it measures the two common attributes of risk:
- the likelihood of a future risk event and
- the impact of the future risk event.
For some risks, a company may not find any obvious direct KRIs, so it may need to rely on proxies. Consider the risk of breaching a loan’s financial covenant that requires the borrower to maintain a minimum interest coverage ratio (ICR). A common definition of the ICR is earnings before interest, tax, depreciation, and amortization (EBITDA) as a multiple of interest payable in a period. The ICR will vary with changes in quantifiable factors such as interest rates (if loans have variable interest rates), revenues, and operating costs. Many potential uncertainties could result in changes to the ICR, but the company should be cautious about which of those factors it monitors using KRIs.
Tracking too many discrete KRIs can be overwhelming. Instead, when possible, the treasury team should try to identify the two or three most influential drivers of risk in each area.
Suppose a company with an ICR-based loan covenant determines that the factors which cause the greatest uncertainty for its ICR are sales of a particular product (Product X) and the cost of steel. Other factors also create some uncertainty—such as changes in interest rates, transportation costs, marketing spend, non-steel commodity prices, energy prices, and staffing costs—but management has decided that these other variables cause less uncertainty due to their smaller size and/or relatively lower volatility. Thus, in this illustrative example, treasury has chosen Product X sales revenue and the cost of steel as the main KRIs for the risk of default on the ICR covenant. See Figure 1.
Forward-looking. KRIs should be leading indicators that attempt to measure the prospective change in the company’s exposure that could result in a risk event before the risk event actually occurs.
For the management team that identifies sales of Product X as a significant KRI for a loan covenant breach, past sales are not an ideal indicator. That’s because actual recorded sales are lagging, historical data. Still, prior sales might help the treasury team identify noteworthy patterns. For example, a continuous decline in sales over the past few months might suggest that future sales will continue to decline and the company will struggle to avoid breaching the ICR loan covenant in the future.
Nevertheless, rather than relying on past sales, the treasury and risk team would be better off utilizing a forecast of Product X sales. If Product X is a discretionary item, which consumers buy only after making all their essential purchases, then leading indicators for declining Product X sales could include the unemployment rate among target customers, the rate of inflation on essential goods and services, interest rates (which affect mortgage and car loan payments), and consumer confidence surveys. See Figure 2.
After identifying one or more metrics that indicate future sales of Product X, the treasury team should use a similar approach to ascertain forward-looking KRIs for the cost of steel. The treasury team will need to liaise with other departments in the company to come up with relevant and leading KRIs.
Note that the treasury group needs to regularly review their KRIs in order to confirm that they are still relevant and forward-looking. For example, they should monitor the performance of the KRIs and determine, after the fact, whether they successfully predicted specific risk events that actually affected the business.
Timely. Treasury and risk teams should consider the frequency with which they will be calculating and reporting on KRIs. Calculating and reporting on KRIs on an annual or semi-annual basis may fail to provide management with the information they need to take action in a timely manner.
Consistent and efficient. KRIs should be defined and calculated in the same way throughout the company, across all business units and subsidiaries, and over successive time periods so that risk managers can easily compare risks throughout the organization and over time.
At the same time, the value derived from a KRI must be much greater than the cost of collecting data and calculating the KRI.
KRI Limits and Risk Appetite
In developing their portfolio of KRIs, many organizations fail to devote enough time and focus to setting the right limits for each of the metrics. Their process for setting KRI limits may involve less rigor than the KRI selection process and may not take into account their company’s strategy and associated risk appetite. That’s unfortunate, as the lack of KRI limits—or the use of weakly designed KRI limits—renders the KRIs pointless. KRI limits are necessary to alert management and other decision-makers when they need to initiate a risk response, and they support a company’s corporate strategy. See Figure 3.
An organization’s risk appetite is the level of risk that management is willing to accept to achieve its objectives. This is influenced by various factors, including corporate strategy, the company’s risk capacity and risk attitude, the company’s risk management sophistication, the stability of business operations, the competitive environment, and regulatory requirements. Different companies will likely have different appetites for the same type of risk, depending on their profile and strategy. For instance, a multinational mining company might have a higher appetite for commodity risk and foreign exchange (FX) risk than a domestic retailer with the same level of annual revenue.
Figure 4 shows a statement of risk appetite from Land Securities Group PLC, a UK company that is one of the largest real estate businesses in Europe. Land Securities Group manages a portfolio of retail, leisure, workplace, and residential hubs. The statement in Figure 4 comes from its 2023 annual report.
As they work to establish KRI limits, treasury team members need to devise a risk appetite statement for each of the company’s main treasury risks. There is no universally accepted, standard process for defining risk appetite levels, but an organization’s process should be designed to determine—and reflect—the management team’s desired risk appetite.
Organizations typically classify risk appetite levels according to the level of exposure management considers acceptable, such as in this illustrative example:
- Zero: The company has no appetite for the risk at all. Avoidance of any financial or reputational loss related to this exposure is a key corporate objective. Examples may include risks related to employee safety or regulatory breaches.
- Low: The company is prepared to tolerate a low level of risk in this area, if doing so is essential to deliver on corporate strategy. However, the company will manage the risk very carefully to limit potential losses. Examples may include IT, funding, and liquidity risks.
- Medium: For risks categorized with a medium management appetite, the company is prepared to tolerate a higher level of exposure than it is willing to endure for risks categorized as “low”—for example, if the risk is likely to result in an acceptable reward, and if the losses are capped at a predetermined level. Examples might include a systems upgrade or increased leverage to pursue an acquisition.
- High: If the company has a high appetite for a certain risk, the management team is prepared to accept that level of exposure in exchange for high risk/return opportunities that they are actively seeking, such as risks relating to research and the development of a new product.
Figure 5 shows examples of a risk appetite statement and description of the corporate appetite for a specific type of risk. These come from the 2023 annual report of Halma plc, a global group of companies that develop technologies and equipment for the safety, environment, and health sectors.
Translating Risk Appetite into KRI Limits
Pulling together information about the corporate appetite for various risks is a time-consuming but business-critical process. Once the treasury team have grouped the company’s key treasury risks by appetite level, they need to establish quantifiable triggers, or KRI limits, to monitor and manage the risk exposures.
KRI limits for the same treasury risks will vary by company and industry. For example, a company with very stable cash flows may be able to tolerate higher leverage than a company with volatile cash flows.
Determining the appropriate KRI limit for each risk appetite level is usually the most difficult part of the risk management process. Establishing KRI limits involves some or all of the following:
- Conducting interviews with senior management and the risk management team.
- Reviewing historical results and comparing past KRI metrics with the perceived current risk level.
- Benchmarking KRI limits against peer companies and researching best practice in the industry.
- Designating the treasury function as a profit center or service center.
- Reviewing published ratings-agency criteria to see whether there is any commentary on the level of risk (using credit ratings as a proxy) and risk metrics. For example, ratings agencies commonly publish tables that show typical credit ratings for a range of leverage and interest coverage ratios in various industry sectors.
- Evaluating the company’s financial position and analyzing its resilience—for example, what capacity does the company have to withstand an economic shock, and how close is it to breaching financial covenants?
- Analyzing current market conditions and forecasts.
- Engaging with stakeholders, such as investors, regulators, key customers and suppliers, and employee representatives.
- Determining whether there are any regulatory requirements that set the level of some of the organization’s KRIs.
Using some or all of these factors, the treasury team should set KRI limits based on the company’s risk appetite levels.
Consider a business whose management team decides that a suitable KRI for measuring funding risk—the risk that the company will experience a shortage of funds for operations and investment as a result of not being able to raise capital or refinance existing debt—is the corporate leverage ratio (debt as a proportion of debt plus equity). Note that the level of leverage also serves as an input to cost-of-capital calculations, which in turn help the company determine its optimal funding mix.
The treasury team derives the table in Figure 6 using the processes described earlier. Then executives set the minimum and maximum limits for the leverage ratio: They choose the range of 20 percent to 30 percent because they want a ‘low’ risk appetite for their company’s funding risk given its profile, optimal cost of capital, and industry sector. Note that other companies may determine different limits and risk appetite levels based on their own profile, strategy, and industry.
Once the KRI limit is set, treasury should establish an action plan to follow in case the KRI breaches that limit. The action plan should include, but not be limited to, notifications for all the appropriate senior management and corporate committees.
For this example, if the company’s leverage ratio ever exceeds 30 percent, then its immediate reaction should be to follow a predefined plan, which might include retaining profits, paying down debt over an agreed-upon period through the sale of assets, or reducing the business’s capital investment. That said, developers of the KRI might set an early-warning trigger of, say, 27 percent, at which point management will receive an alert that the company is approaching a breach of risk appetite. In some circumstances, executives might decide to tolerate a leverage ratio above 30 percent for a short time. For example, management might tolerate a leverage ratio of 35 percent (and so accept a ‘medium’ risk appetite) for six months because the company has decided to make an acquisition that it expects to be highly profitable. In the event of this temporary change, the treasury team should put in place a plan to bring the leverage ratio back down to the KRI’s ‘low’ range within six months.
As described earlier, there may be more relevant and forward-looking KRIs for funding risk than the leverage ratio. Treasury and risk management staff should regularly test their KRIs and KRI limits by reviewing those metrics’ performance in predicting actual risk events and their consequences. These reviews should happen annually, at minimum, and certainly after any major change in the company’s profile or in periods of market stress. They should consider: Did the KRIs accurately predict risk events that occurred? How volatile were they? And did the chosen limits enable the company to continue to do business while keeping risk at an acceptable level?
Overcoming Resistance
Key risk indicators play a vital role in a company’s risk management process. They serve as early warning signals, enabling management to take timely action to prevent or mitigate negative risk events. They also contribute to strategic decision-making, helping decision-makers optimize the balance between risk and reward.
It’s important to note that KRIs enhance transparency of the company’s risk profile for both internal and external stakeholders, and the process of developing KRIs can foster risk awareness among employees. Still, the process of implementing KRIs can create resistance within the company, particularly if staff will have to make significant changes to processes, increase their data collection efforts, and expand their workload.
To mitigate resistance, a treasury team developing new KRIs should take care to involve the employees who will ultimately be responsible for managing them. Setting up multifunctional teams to discuss and produce KRIs is generally a good idea. In addition to aiding with corporate unity, this approach creates opportunities for people from different areas to explore and analyze the relationships among the company’s different risks and associated KRIs.
It is vital for senior management to sponsor the use of KRIs and to be actively involved in reviewing them. However, it’s also crucial for management to avoid an over-reliance on these metrics. Some KRIs may act as lagging indicators, failing to provide a current view of the organization’s risk profile—so having them in place might offer a false sense of security. To comprehensively assess the company’s risk profile, management should complement KRIs with other risk assessment techniques, such as scenario analysis, stress testing, and horizon scanning.
See also:
- Key Risk Indicators: A Powerful Tool in Treasury Risk Management
- Risk Resilience for Treasurers and CFOs
- Real-Time, Dynamic Scenario Planning
- Designing Operational Scenario Tests That Build Proactive Risk Intelligence