Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management

Author: Felix Logan
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Developed by the Risk Management Standards of Practice Working Group of the Professional Risk Managers International Association Adopted by the Professional Risk Managers International Association Version 0.3 July 2014

Approval History

Prepared By: Julian Fisher; Email: [email protected]; Date: 7/24/3014

Peer Reviewer(s): Dan Roberts

Revision History

Date: 7/24/2014; Version: 0.3; Description: Draft for discussion; Author(s): Julian Fisher


Table of Contents

1 Transmittal Memorandum: Purpose, Scope and Effective Date
1.1 Background
1.2 Key Issues Addressed
1.3 Key Changes Made
1.4 Committees Responsible for Drafting and Accepting the SoP

2 Purpose, Scope, Effective Date
2.1 Purpose
2.2 Scope
2.3 Exposure Draft History
2.4 Effective Date

3 Risk Management Objectives addressed by Guidance
3.1 Dependencies between Risk Management Objectives (RMO)
3.2 Risk Management Objectives
3.3 Associated Standards of Practice

4 Recommended Minimum Sound Practice
4.1 RMO 2.01 Define and Maintain KRI Framework
4.2 RMO 2.02 Define / Select Key Risk Indicators
4.3 RMO 2.03 Set KRI Thresholds
4.4 RMO 2.04 Monitor & Reassess KRIs
4.5 RMO 2.05 Identify & Investigate KRI Exceptions
4.6 RMO 2.06 Notify and Escalate KRI Exceptions

5 Communications and Disclosures
5.1 Communication
5.2 Deviation from Guidance in the Standard
5.3 Glossary

6 Comments on the Exposure Draft and Responses Communication


1 Transmittal Memorandum: Purpose, Scope and Effective Date

1.1 Background

Provides background information related to the SoP which may include:

• A brief synopsis on the evolution of the topic that the SoP addresses

• Version history including Exposure Drafts and any PRMIA papers or SoPs that either contribute to, or have been superseded by, the current SoP

• Cross-reference to the section in the PRMIA PRM Handbook that directly relates to the SoP

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

A Key Risk Indicator, also known as a KRI, is a metric used by management to indicate changes in exposure to potential risk events. KRIs enable management to identify, assess and monitor Operational Risks. If a KRI identifies a potential change in exposure to potential events, then management can investigate it to determine whether there is an actual cause that will result in increased experience of events, and assess this exposure based on the likelihood of the occurrence of resultant events and their severity.

KRIs are similar to Key Performance Indicators (KPIs). KPIs are metrics used by management to measure how well a business activity is being executed, as opposed to a KRI, which is an indicator of the possibility of future adverse impact. KRIs give an early warning to identify potential events that may harm continuity of the activity/project.

KPIs and KRIs measure business performance and changes in risk exposure in similar ways, by comparing a value against a threshold. The same metric may actually be used as both a KPI and a KRI if it can provide meaningful inference about both performance and changes in risk exposure. The difference between a KPI and a KRI is only in the purpose that the metric is being used for.

KRIs are an important part of any Operational Risk Framework, which includes Internal and External Loss Data Collection and Analysis, Risk and Control Self Assessments, Business Process Mapping, Scenario Analysis and Capital Modeling.

Version History

N/A

Associated PRMIA PRM Handbook Chapter(s)

Section 3 – Risk Information
Chapter 2 – Key Risk Indicators

1.2 Key Issues Addressed

• Provides a short introduction around the key issues that the SoP is intended to address

• Illustrates the target audience that the SoP is intended for i.e. Members of The Professional Risk Managers International Association and Other Persons Interested in the SOP

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

Introduction to KRIs

In order to be effective, an Operational Risk function needs to be able to translate data into thoughtful, contextual management information which facilitates risk management decision making. Key Risk Indicators (KRIs) are a key tool to aid management with this objective. KRIs are metrics used to monitor risk exposures at a particular instance, or over a period of time, serving as an early warning tool for potential changes in risk exposures.

KRIs are an important element of an Operational Risk Framework because they can be trended over time and provide current exposure information, whereas other elements of the framework are less dynamic, as:

• Loss data is historic

• Risk assessments are infrequent and subjective

• Scenario analysis is concerned with “what-if”, rather than “what-is”

KRIs, if specified intelligently and regularly reviewed, can help a firm determine where it has an elevated exposure to events in excess of its respective risk appetite. Properly selected KRIs can provide predictive information by measuring the causes of events rather than measuring the symptoms or experience of events directly (which is historical information).

When implemented effectively, KRIs can be used to:

• Aid in the quantification of risks and identify opportunities to improve processes

• Validate and enhance the risk assessment framework by linking KRIs to risk causes

• Allow management to monitor exposure to adverse events before they occur

• Help define and set working level risk appetite based on event frequency

• Aid with scenario analysis and stress test exercises as a means to scale and benchmark internal and external data

• Establish a framework for reporting business environment and internal control factors


1.3 Key Changes Made

• Description of key issues related to the development, or revision, of the SoP

• Contains information on changes made between versions including:

  • Impacts from changes in the associated Standards of Practice

  • Impacts from changes in regulations,

  • Changes in Industry best practice,

  • Revisions to PRMIA PRM Handbook, or,

  • Other

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

Version 1 – No changes made to SOP prototype. Still in discussion stage.

1.4 Committees Responsible for Drafting and Accepting the SoP

To include names of those involved in drafting and approving the SoP, including:

• SoP Standards Board

• SoP Working Committee

• Other

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

Drafted by the SOP Prototype Working Group

• Julian Fisher

Approved for discussion by the SoP Working Committee

• Justin McCarthy, PRMIA

• Andy Counderache, PRMIA

The exposure draft of this SoP is still under discussion but is due to be approved for exposure by October 2014, with a comment deadline of 15th November 2014. A date by which the PRMIA Steering Committee is due to adopt this standard has not yet been set.


2 Purpose, Scope, Effective Date

2.1 Purpose

Details the purpose of the SoP along the lines of the SoP is designed to provide guidance to risk managers when performing professional services in respect of the [subject] of the SoP

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

The purpose of this SoP is to provide guidance on recommended minimum sound practices around:

• Utilizing the concepts of risk appetite, as detailed in SOP 5 – Risk Appetite, and link this to metrics and key risk indicators used by management in different areas of the firm

• The definition for selection, measurement and monitoring of key risk indicators and what is needed to implement an effective key risk indicator framework

• The mechanics for embedding best practice in operational risk management into an organization to support everyday business decisions, as well as strategic and change initiatives such as new products or markets

2.2 Scope

Outlines the scope of the SoP in terms of:

• Who the SoP applies to

• The level of applicability and enforceability by participant type i.e.

  • Mandatory for PRM holder

  • Minimum sound practice for risk professionals

  • Optional/ Guideline for those not performing services in any of the industries that PRMIA does not directly cover e.g. manufacturing, entertainment etc.

• Mechanics for deviating from the SoP

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

Scope

This SoP is industry agnostic and serves as guidance for risk management practitioners, management and others who are involved in the design, selection, measurement and monitoring of KRIs. KRI selection, monitoring and management is performed as part of an Operational Risk Framework. Within a typical KRI Framework, risks are identified, evaluated and risk appetites chosen, limits are set, risks are accepted or avoided and risk mitigation activities are performed, and actions are taken when limits are breached.

This SoP provides minimum recommended standard of sound practice in the design, selection, and measurement and monitoring of KRIs for:

• PRMIA PRM holders

• PRMIA Operational Risk Certification holders

Deviation from SoP

If the risk practitioner departs from the guidance set forth in this standard in order to comply with applicable law (statutes, regulations, and other legally binding authority), or for any other reason the risk practitioner deems appropriate, the risk practitioner should refer to Section 5.2 of this SoP.

Cross References

When this standard refers to the provisions of other documents, the reference includes the referenced documents as they may be amended or restated in the future, and any successor to them, by whatever name called. If any amended or restated document differs materially from the originally referenced document, the risk practitioner should consider the guidance in this standard to the extent it is applicable and appropriate.

2.3 Exposure Draft History

Outlines the history of the Exposure Draft including:

• Date and method of promulgation of 1st Exposure Draft

• Comment Period deadlines

• Reference to the Appendix regarding PRMIA member comments relating to the SoP

• Outcome of member comments

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

The exposure draft of this SoP is still under discussion but is due to be approved for exposure by October 2014.

2.4 Effective Date

• Date that the SoP and the associated version is effective

• Defines retrospective impact of changes to prior SOP

Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management

Effective Date – TBD


3 Risk Management Objectives addressed by Guidance

Risk Management Objectives are observable outcomes that result from the execution of the Minimum Recommended Sound Practices encompassed within this Standard of Practice. The Recommended Minimum Sound Practices required to achieve these Risk Management Objectives are described in section 4 of this Standard of Practice.

3.1 Dependencies between Risk Management Objectives (RMO)

Risk Management Objectives within this Standard of Practice may be dependent on other Risk Management Objectives, both within this Standard of Practice, and on other Standards of Practice. The following shows the Risk Management Objectives within the scope of this Standard of Practice and its dependencies and which other Risk Management Objectives rely on its outputs.

3.2 Risk Management Objectives

This section provides descriptions of the Risk Management Objectives within the scope of the guidance of this Standard of Practice as well as descriptions of dependencies on RMOs contained within other SoPs.


SOP 2 – Key Risk Indicators, RMO 2.01 Define and Maintain KRI Framework

Risk Management Objective and Definition: A framework is defined, implemented and maintained that articulates the objectives for the use of KRIs within the organization. The KRI Framework defines the organization’s specific criteria for the selection of KRIs, criteria for the setting of thresholds and the requirements for investigation, escalation and notification of exceptions.

Dependencies on other RMOs:

• SOP 3 – Operational Risk Framework, RMO 3.01 Define & Maintain Operational Risk Framework

RMOs which are dependent on the RMO:

• SOP 2 – KRIs, RMO 2.02 Define/ Select Key Risk Indicators

• SOP 6 – RCSA, RMO 6.0X Assessing Control Effectiveness

SOP 2 – Key Risk Indicators, RMO 2.02 Define / Select Key Risk Indicators

Risk Management Objective and Definition: An appropriate suite of metrics are defined, selected & set that provide management with effective indicators of changes in exposure to the occurrence of events arising from key risks. Metrics are also defined and/ or selected to enable management to assess whether the organization is operating within defined risk appetite limits.

Dependencies on other RMOs:

• SOP 2 – KRIs, RMO 2.01 Define & Maintain KRI Risk Framework

• SOP 5 – Risk Appetite, RMO 5.0X Define Risk Appetite

RMOs which are dependent on the RMO:

• SOP 2 – KRIs, RMO 2.03 Set KRI Thresholds

SOP 2 – Key Risk Indicators, RMO 2.03 Set KRI Thresholds

Risk Management Objective and Definition: Thresholds are set that provide triggers to enable action to be taken in response to increases in exposure to potential events and / or to ensure that the experience of events is constrained within risk appetite tolerances.

Dependencies on other RMOs:

• SOP 2 – KRIs, RMO 2.02 Define/ Select Key Risk Indicators

• SOP 5 – Risk Appetite, RMO 5.0Y Set / Update Risk Appetite Levels

RMOs which are dependent on the RMO:

• SOP 2 – KRIs, RMO 2.04 Monitor Key Risk Indicators

SOP 2 – Key Risk Indicators, RMO 2.04 Monitor KRIs

Risk Management Objective and Definition: KRIs are monitored on an ongoing periodic basis and compared to current thresholds to identify exceptions.

Dependencies on other RMOs:

• SOP 2 – KRIs, RMO 2.03 Set Key Risk Indicator Thresholds

RMOs which are dependent on the RMO:

• SOP 2 – KRIs, RMO 2.05 Identification and Investigation of KRI exceptions

• SOP 5 – Risk Appetite, RMO 5.0Y Set/ Update Risk Appetite Levels

SOP 2 – Key Risk Indicators, RMO 2.05 Identification and Investigation of KRI Exceptions

Risk Management Objective and Definition: Causal event of KRI threshold breach identified and investigated

Dependencies on other RMOs:

• SOP 2 – KRIs, RMO 2.04 Monitor KRIs

RMOs which are dependent on the RMO:

• SOP 2 – KRIs, RMO 2.04 Set KRI Thresholds

• SOP 5 – Risk Appetite, RMO 5.0Y Set/ Update Risk Appetite Levels

• SOP 3 – Operational Risk Losses, RMO 3.0X Loss Investigation and Root Cause Analysis

SOP 2 – Key Risk Indicators, RMO 2.06 Notification and Escalation of KRI Exceptions

Risk Management Objective and Definition: Valid exceptions reported to appropriate levels of Management to ensure challenge and required action

Dependencies on other RMOs:

• SOP 2 – KRIs: RMO 2.03 Set Key Risk Indicator Thresholds; RMO 2.04 Monitor KRIs; RMO 2.05 Identification and Investigation of KRI Exceptions

RMOs which are dependent on the RMO:

• SOP 5 – Risk Appetite, RMO 5.0Y Set/ Update Risk Appetite Levels

• SOP 6 – RCSA, RMO 6.0Y Scenario Analysis

3.3 Associated Standards of Practice

This section provides descriptions of the Standards of Practice that are dependent on RMOs within SOP 2 - Key Risk Indicators for Operational Risk, or impact RMOs outside SoP 2.

Standards of Practice 3 – Operational Risk Losses

SoPs that are either dependent on (D) or impact (I) this SoP: SOP 3 – Operational Risk Losses, RMO 3.01 Define & Maintain Operational Risk Framework (D). The Operational Risk Framework defines the organization’s criteria for defining, building, monitoring and assessing an Operational Risk Framework.

Specific RMO with this SoP: RMO 2.01 Define and Maintain Operational Risk Framework

SoPs that are either dependent on (D) or impact (I) this SoP: SOP 3 – Operational Risk Losses, RMO 3.0Y Loss Event & Root Cause Analysis (D). Investigation procedures for events that breach the organization’s materiality mandates and thresholds.

Specific RMO with this SoP: RMO 2.05 Identify & Investigate KRI Exceptions

Standards of Practice 4 – Operational Risk Capital Modeling

SoPs that are either dependent on (D) or impact (I) this SoP: SOP 4 – Capital Modeling for Operational Risk, RMO 4.0X Capital Modeling - BEICF (D). Methodology for the integration of KRIs into the BEICF and Capital Modeling Framework.

Specific RMO with this SoP: RMO 2.04 Monitor KRIs

Standards of Practice 5 – Risk Appetite

SoPs that are either dependent on (D) or impact (I) this SoP: SOP 5 – Risk Appetite (I), RMO 5.0X Define Risk Appetite. Framework that defines and articulates Risk Appetite within and throughout an Organization.

Specific RMO with this SoP: RMO 2.02 Define/ Select KRIs

SoPs that are either dependent on (D) or impact (I) this SoP: SOP 5 – Risk Appetite (I), RMO 5.0Y Set/ Update Risk Appetite. Methodology for setting, monitoring and updating Risk Appetite within and throughout an Organization.

Specific RMO with this SoP: RMO 2.04 Monitor & Reassess KRIs; RMO 2.05 Identify & Investigate KRI Exceptions; RMO 2.06 Notify & Escalate KRI Exceptions

Standards of Practice 6 – Risk and Control Self Assessment

SoPs that are either dependent on (D) or impact (I) this SoP: SOP 6 – Risk and Control Self-Assessment, RMO 6.0X Assessing Control Effectiveness (I). Framework that defines, monitors and assesses control effectiveness within and throughout an Organization.

Specific RMO with this SoP: RMO 2.01 Define & Maintain KRI Framework

SoPs that are either dependent on (D) or impact (I) this SoP: SOP 6 – Risk Controlled Self-Assessment, RMO 6.0X Scenario Analysis (I). Methodology for performing Scenario Analysis around events, trends and exceptions.

Specific RMO with this SoP: RMO 2.05 Identify & Investigate KRI Exceptions; RMO 2.06 Notify & Escalate KRI Exceptions

4 Recommended Minimum Sound Practice

This section documents the recommended minimum sound practice to achieve each of the Risk Management Objectives within the scope of this Standard of Practice. The guidance is documented as a series of Risk Management Practices (RMP) for each Risk Management Objective.

4.1 RMO 2.01 Define and Maintain KRI Framework

Description

A framework is defined, implemented and maintained that articulates the objectives for the use of KRIs within the organization. The KRI Framework defines the organization’s specific criteria for the selection of KRIs, criteria for the setting of thresholds and the requirements for investigation, escalation and notification of exceptions.

Dependencies, or impacts, on other Risk Management Objectives

• SOP 5 – Risk Appetite, RMO 5.0X Define Risk Appetite (D)

• SOP 6, RCSA, RMO 6.0x Assessing Control Effectiveness (D)

Practice ID and Recommended Minimum Sound Practice

RMP 2.01.01 KRI Program

Management should publish a framework that articulates the organization’s specific objectives and minimum mandatory requirements to achieve these objectives, for the use of KRIs across the organization.

RMP 2.01.02 KRI Framework

In order for KRIs to be an effective tool for Operational Risk Management, they should be deployed as an integral part of the overall Operational Risk Framework of the organization. The process of defining the objectives and requirements within the KRI framework should consider how the outcomes of the use of KRIs will be used by other parts of the Operational Risk Framework and how the KRI framework will place reliance on the outcomes of other components of the Operational Risk Framework.

RMP 2.01.03 KRI Framework Maturity Level

The level of sophistication regarding the objectives, processes, automation and number of KRIs used should be defined at a level that is commensurate with the current maturity of the organization. Although a more sophisticated KRI framework may result in more effective Risk Management outcomes, introducing a sophisticated KRI methodology to a less mature organization may, in practice, lead to less satisfactory results.

RMP 2.01.04 Sub-Unit Organization KRI Framework

The overall KRI framework should articulate minimum mandatory requirements for the design and use of KRIs across the organization. Sub-units (e.g. divisions within an organization) should be able to articulate their own specific requirements for selection of KRIs and associated framework requirements, that are appropriate for their specific operating requirements. Cost-Benefit analysis should be undertaken prior to creating such KRIs and their associated frameworks. These KRIs should enable comparisons with equivalent metrics used by other units and allow for aggregation across the enterprise where appropriate.

RMP 2.01.05 KRI Framework Minimum requirements

The KRI framework should specify the following:

• Minimum data requirements for defining a KRI and recording the results of monitoring a KRI.

• Responsibilities for defining and implementing KRIs.

• Criteria for selecting effective KRIs.

• Requirements for aggregation of the outputs from KRI monitoring.

• Requirements for the setting of thresholds for KRIs.

• Requirements for the investigation of KRI exceptions.

• Requirements for the notification and escalation of KRI exceptions.

• Requirements for review and challenge of the selection of KRIs and thresholds and the results of KRI monitoring by the Independent Risk Function.

RMP 2.01.06 KRI continual improvement

Once the initial KRI Framework has been developed and adopted, it should be continually monitored and refined.

4.2 RMO 2.02 Define / Select Key Risk Indicators

Description

An appropriate suite of metrics are defined, selected and set that provide management with effective indicators of changes in exposure to the occurrence of events arising from key risks. Metrics are also defined and / or selected to enable management to assess whether the organization is operating within risk appetite limits.

Dependencies, or impacts, on other Risk Management Objectives

• SOP 5 – Risk Appetite, RMO 5.0X Define Risk Appetite (D)

• RMO 2.01 Define and Maintain KRI Framework (D)


Practice ID and Recommended Minimum Sound Practice

RMP 2.02.01 KRI Purpose

KRIs should be selected to address two key purposes:

• To provide management with forward-looking indicators of the organization’s exposure to potential events arising from key risks to enable management to take proactive preventative or mitigative actions; and / or

• To provide management with measures of the experience (i.e. frequency and / or severity) to specific types of events in order to enable management to assess if the experience of events is within the tolerances defined within the organization’s risk appetite statement.

RMP 2.02.02 Selection of KRIs to Monitor Changes in Cause not Events

In order to be effective, forward-looking KRIs should be selected to monitor changes in exposure to the causes of events, rather than attempt to correlate to the experience of events directly. Management should take action to reduce, avoid or mitigate the organization’s exposure to the experience of events through management of their causes. Causes of events that are measured by KRIs may be either exogenous or endogenous; however, the way that they are defined, managed and monitored within a KRI framework is the same.

RMP 2.02.03 KRI Selection

KRIs should be selected via a top-down or a bottom-up approach from either a set of existing KRIs or by narrowing down a list of potential KRIs that fulfill the criteria in RMO 2.02.01, .02 and .04.

RMP 2.02.04 Properties of Effective KRIs

To be effective, KRIs must possess the following properties:

• Relevant: Either be forward looking, causally-aligned indicators used in measuring increases in exposure to events; or measures of the experience of specific types of events that enable compliance with associated risk appetite tolerances

• Quantitative: Capable of being captured quantitatively e.g. count, amount, duration, etc. If KRIs capture subjective assessments (i.e. management assessments of staff morale) then these should be objectively transmuted into quantitative scales and values

• Actionable: Defined so that the nature of remedial action (if required) is clearly understood.

Subject to being:

• Consistent and Comparable: KRIs must be capable of being benchmarked between business lines, geographies and /or activities

• Efficient and Repeatable: KRIs must be selected, designed and implemented that produce returns in excess of the cost needed to collect them

• Auditable: KRIs must be produced from transparent data sources and include any actions performed converting the data into information (including aggregation formulae, weightings, scalars) and must be capable of being repeated at any point in time

In practice, it will often not be possible to select measures that satisfy all of the above. In these instances KRIs should be selected that best optimize the achievement of the above in a manner that is appropriate for the current maturity of the Risk Framework of the organization.

RMP 2.02.05 KRI key data attributes

Specifications of KRIs should include the following minimum data requirements:

• Definition: Narrative description of the metric

• Formula: Attributes captured for calculating the measure and rules for how they should be combined to calculate a value for the measure.

• Value Format: e.g. decimal, count, percentage, duration, rating scale, monetary amount, ratio

• Frequency of Collection: e.g. Hourly, daily, monthly, quarterly etc.

• Frequency of Reporting: e.g. Hourly, daily, monthly, quarterly etc.

• Data Source

• Goal Direction: i.e. where there is an exception, if the metric value is higher or lower than the threshold value.

• Threshold value: Current value for threshold

• KRI Owner: Individual or (sub-) organization responsible for designing & selecting the KRI.

• Associated Risk: Description, or identifier, of the risk that is being monitored

• Associated Control: Description, or identifier, of the control associated with the KRI.

• Effective Date of KRI

• Valid Until Date of the KRI

RMP 2.02.06 KRI Automation

Management should assess the benefits and costs of manual vs. automated data capture.

RMP 2.02.07 KRI Capture vs. Reporting Freq.

When evaluating the economics of data capture, management should balance the needs between the frequency of data capture versus that of information reporting.

RMP 2.02.08 KRI Back Test

KRIs, once selected, should be subject to review and back-tested against the actual experience of events to determine their effectiveness.

RMP 2.02.09 New Business or Products

A process to incorporate new KRIs as it relates to new products or types of business should be developed and implemented. New Business and Product reviews should identify key risks resulting from introduction of new businesses and new products and requirement for key controls to mitigate these risks. Plans for implementation of these key controls should include implementation of Key Control Indicators (KCIs) to measure the effectiveness of these controls. These KCIs once implemented can be used as KRIs to measure changes in exposure to the associated risks.

4.3 RMO 2.03 Set KRI Thresholds Description

Thresholds are set that provide triggers to enable action to be taken in response to increases in exposure to potential events and / or to ensure that the experience of events is constrained within risk appetite tolerances.

Dependencies, or impacts, on other Risk Management Objectives



RMO 2.02 Define / Select Key Risk Indicators (D)



SOP 5 – Risk Appetite, RMO 5.0Y Set / Update Risk Appetite Levels (D)

Practice ID

Recommended Minimum Sound Practice

RMP 2.03.01 Set KRI Thresholds

Thresholds should apply for each KRI, with breaches as a trigger for management escalation steps. Thresholds should be objectively set at a level where exposure to a loss event is in excess of, or below, the associated risk appetite.

4.4 RMO 2.04 Monitor & Reassess KRIs

Description

KRIs are monitored on an ongoing periodic basis and compared to current thresholds to identify exceptions.

Dependencies, or impacts, on other Risk Management Objectives



RMO 2.02 Define / Select Key Risk Indicators



RMO 2.03 Set KRI Thresholds


Practice ID

Recommended Minimum Sound Practice

RMP 2.04.01 Monitor KRIs

Once the initial KRI Framework has been developed and adopted, KRIs should be continually monitored to assess their effectiveness

RMP 2.04.02 Reassess KRI Thresholds

KRI thresholds should be continually refined to ensure that thresholds are set such that the lower and upper bounds capture events or trends that can serve as a predictive indicator for management

RMP 2.04.03 Reassess Applicability of KRIs

KRI thresholds should be continually monitored to determine if they’re achieving management objectives in terms of tracking to risk appetite, management actions and associated decisions

4.5 RMO 2.05 Identify & Investigate KRI Exceptions

Description

Causal event identified and investigated

Dependencies, or impacts, on other Risk Management Objectives



Practice ID

Recommended Minimum Sound Practice

RMP 2.05.01 Exception Identification

If the value for a KRI passes either above or below the threshold band then a KRI exception should be identified

RMP 2.05.02 Exception Investigation

After an exception has been identified the KRI Owner should investigate the reason for the exception. The KRI Owner should determine if the exception is the result of an actual instance of cause that exceeds a predefined tolerance

RMP 2.05.03 False Flags

If the exception is a “false flag” where inappropriate thresholds or KRIs have been set or selected, then Management should reassess KRI and threshold selection and limit criteria & act accordingly as dictated by SOP 5, Risk Appetite

RMP 2.05.04 Material Exception

If the exception is material, as defined by the size, frequency or nature of deviation from associated thresholds, then a detailed investigation of the cause of the breach should be carried out as dictated by SOP 3 – Operational Risk Losses, RMO 3.0X Loss Investigation and Root Cause Analysis. It may also require inclusion in Scenario Analysis as dictated by SOP 6 – RCSA, Scenario Analysis

RMO 2.04 Monitor KRIs (D)

SOP 3 – Operational Risk Losses, RMO 3.0X Loss Event Investigation & Root Cause Analysis (D)

SOP 5 – Risk Appetite, RMO 5.0Y Set/ Update Risk Appetite Level (D)

SOP 6 - RCSA, RMO 6.0Y Scenario Analysis (D)


4.6 RMO 2.06 Notify and Escalate KRI Exceptions

Description

Valid exceptions reported to appropriate levels of management to ensure challenge and required action

Dependencies, or impacts, on other Risk Management Objectives



Practice ID

Recommended Minimum Sound Practice

RMP 2.06.01 Exception Management Program

An exception management program must be designed, documented and implemented detailing the course of action to be taken as documented when predefined KRI thresholds are breached

RMP 2.06.02 Notification of Breach

If, after investigation, the exception is determined to be valid, it must be reported to the KRI owner within the timeframe agreed upon within the KRI Framework

RMP 2.06.03 Severe Breach Escalation

If the breach is severe, as defined per the KRI Framework, the KRI Owner and the appropriate level of senior management must be notified as soon as the breach has been identified, rather than after a detailed event investigation has been carried out



RMO 2.05 Identification and Investigation of KRI Exceptions

SOP 5 – Risk Appetite, RMO 5.0Y Set/ Update Risk Appetite Level (D)


5 Communications and Disclosures

5.1 Communication

Details communication flow, both internal and external, for the organization that the risk manager is providing services or duties for, and how the associated disclosures pertinent to the subject of the SOP or associated SoPs are to be handled

Detail any applicable limitations to the need for public or internal disclosure. The risk manager should consider the intended purpose or use of the SoP, including:

Inconsistencies between the organization’s financial size, risk profile, and risk environment, and the maturity, level of depth, spend and XXX adopted by the organization under the SoP, i.e. if an organization is a SIFI yet the environment is not as would be expected for an organization of its complexity



Deviation from Guidance in the Standard – See Section 5.2



Any significant assumptions used in implementing the SoP including, but not limited to: 

Anticipated future actions by management to manage or mitigate risks identified by the risk manager



Other related areas (pre-requisites and dependents) covered by either other SoPs or outside the scope of the risk manager’s purview, for which the risk manager has to rely on management to carry out pre-requisites

5.2 Deviation from Guidance in the Standard 

If the risk manager departs from the guidance set forth in this standard, the risk manager should include the following applicable disclosure stating: 

If any material assumption or method was prescribed by applicable law (statutes, regulations, and other legally binding authority);



If the risk manager disclaims responsibility for any material assumption or method in any situation not covered under the section above; and



If the risk manager otherwise deviated materially from the guidance of this SoP



Specific references within PRMIA’s Code of Conduct that they are being asked to breach

5.3 Glossary 

The Glossary is provided for informational purposes, but is not part of the standard of practice 

Provides additional background on the content referred to in the SOP



Outlines current, or alternative, practices associated with the subject addressed by the SoP




Summary of all comments raised by PRMIA members in the SOP development process and their disposition by the drafting committee


6 Comments on the Exposure Draft and Responses

Communication

The first exposure draft of this SOP, Key Risk Indicators in Operational Risk Management, was issued in August 2014 with a comment deadline of November, 2014. XXX comment letters were received, some of which were submitted on behalf of multiple commentators, such as by firms or committees. For purposes of this section, the term “commentator” may refer to more than one person associated with a particular comment letter. The SoP Management Committee carefully considered all comments received, and the PRMIA Board reviewed (and modified, where appropriate) the changes proposed by the Management Committee.

Summarized below are the significant issues and questions contained in the comment letters and the responses.

Transmittal Memorandum

Comment Response

Practice ID

General Comments

Comment Response
