
Risk Management
Standards of Practice Number 2
Key Risk Indicators in
Operational Risk Management
Developed by the Risk
Management Standards of
Practice Working Group of the
Professional Risk Managers
International Association
Adopted by the
Professional Risk Managers
International Association
Version 0.3
July 2014
Approval History
Prepared By: Name(s): Julian Fisher; Email: [email protected]; Date: 7/24/3014
Peer Reviewer(s): Name(s): Dan Roberts
Revision History
Date: 7/24/2014; Version: 0.3; Description: Draft for discussion; Author(s): Julian Fisher
Risk Management Standards of Practice Number 2
Key Risk Indicators in Operational Risk Management
Version 0.x
Table of Contents
1 Transmittal Memorandum: Purpose, Scope and Effective Date
1.1 Background
1.2 Key Issues Addressed
1.3 Key Changes Made
1.4 Committees Responsible for Drafting and Accepting the SoP
2 Purpose, Scope, Effective Date
2.1 Purpose
2.2 Scope
2.3 Exposure Draft History
2.4 Effective Date
3 Risk Management Objectives addressed by Guidance
3.1 Dependencies between Risk Management Objectives (RMO)
3.2 Risk Management Objectives
3.3 Associated Standards of Practice
4 Recommended Minimum Sound Practice
4.1 RMO 2.01 Define and Maintain KRI Framework
4.2 RMO 2.02 Define / Select Key Risk Indicators
4.3 RMO 2.03 Set KRI Thresholds
4.4 RMO 2.04 Monitor & Reassess KRIs
4.5 RMO 2.05 Identify & Investigate KRI Exceptions
4.6 RMO 2.06 Notify and Escalate KRI Exceptions
5 Communications and Disclosures
5.1 Communication
5.2 Deviation from Guidance in the Standard
5.3 Glossary
6 Comments on the Exposure Draft and Responses Communication
1 Transmittal Memorandum: Purpose, Scope and Effective Date
1.1 Background
Provides background information related to the SoP which may include:
• A brief synopsis on the evolution of the topic that the SoP addresses
• Version history including Exposure Drafts and any PRMIA papers or SoPs that either contribute to, or have been superseded by, the current SoP
• Cross-reference to the section in the PRMIA PRM Handbook that directly relates to the SoP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
A Key Risk Indicator, also known as a KRI, is a metric used by management to indicate changes in
exposure to potential risk events. KRIs enable management to identify, assess and monitor Operational
Risks. If a KRI identifies a potential change in exposure to potential events then management can
investigate it to determine if there is an actual cause that will result in increased experience of events
and assess this exposure based on the likelihood of the occurrence of resultant events and their
severity.
KRIs are similar to Key Performance Indicators (KPIs). KPIs are metrics used by management to measure
how well a business activity is being executed as opposed to a KRI, which is an indicator of the possibility
of future adverse impact. KRIs give an early warning to identify potential events that may harm
continuity of the activity/project. KPIs and KRIs measure business performance and changes in risk
exposure in similar ways by comparing a value against a threshold. The same metric may actually be
used as both a KPI and as a KRI if a metric can provide meaningful inference about both performance
and changes in risk exposure. The difference between a KPI and KRI is only in the purpose that the
metric is being used for.
KRIs are an important part of any Operational Risk Framework, which includes Internal and External Loss
Data Collection and Analysis, Risk and Control Self Assessments, Business Process Mapping, Scenario
Analysis and Capital Modeling.
Version History
N/A
Associated PRMIA PRM Handbook Chapter(s)
Section 3 – Risk Information
Chapter 2 – Key Risk Indicators
1.2 Key Issues Addressed

• Provides a short introduction around the key issues that the SoP is intended to address
• Illustrates the target audience that the SoP is intended for i.e. Members of The Professional Risk Managers International Association and Other Persons Interested in the SOP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
Introduction to KRIs
In order to be effective, an Operational Risk function needs to be able to translate data into thoughtful,
contextual management information which facilitates risk management decision making. Key Risk
Indicators (KRIs) are a key tool to aid management with this objective. KRIs are metrics used to monitor
risk exposures at a particular instance, or over a period of time, serving as an early warning tool for
potential changes in risk exposures.
KRIs are an important element of an Operational Risk Framework because they can be trended over
time and provide current exposure information, whereas other elements of the framework are less
dynamic, as:
• Loss data is historic
• Risk assessments are infrequent and subjective
• Scenario analysis is concerned with “what-if”, rather than “what-is”
KRIs, if specified intelligently and regularly reviewed, can help a firm determine where it has an elevated
exposure to events in excess of its respective risk appetite. Properly selected KRIs can provide predictive
information by measuring the causes of events rather than measuring the symptoms or experience of
events directly (which is historical information).
When implemented effectively, KRIs can be used to:
• Aid in the quantification of risks and identify opportunities to improve processes
• Validate and enhance the risk assessment framework by linking KRIs to risk causes
• Allow management to monitor exposure to adverse events before they occur
• Help define and set working level risk appetite based on event frequency
• Aid with scenario analysis and stress test exercises as a means to scale and benchmark internal and external data
• Establish a framework for reporting business environment and internal control factors
1.3 Key Changes Made

• Description of key issues related to the development, or revision, of the SoP
• Contains information on changes made between versions including:
  ◦ Impacts from changes in the associated Standards of Practice
  ◦ Impacts from changes in regulations,
  ◦ Changes in Industry best practice,
  ◦ Revisions to PRMIA PRM Handbook, or,
  ◦ Other
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
Version 1 – No changes made to SOP prototype. Still in discussion stage
1.4 Committees Responsible for Drafting and Accepting the SoP
To include names of those involved in drafting and approving the SoP, including:
• SoP Standards Board
• SoP Working Committee
• Other
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
Drafted by the SOP Prototype Working Group
• Julian Fisher
Approved for discussion by the SoP Working Committee
• Justin McCarthy, PRMIA
• Andy Counderache, PRMIA
The exposure draft of this SoP is still under discussion but is due to be approved for exposure by October
2014, with a comment deadline of 15th November 2014.
A date by which the PRMIA Steering Committee is due to adopt this standard has not yet been set.
2 Purpose, Scope, Effective Date
2.1 Purpose
Details the purpose of the SoP, along the lines of: "the SoP is designed to provide guidance to risk managers
when performing professional services in respect of the [subject] of the SoP"
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
The purpose of this SoP is to provide guidance on recommended minimum sound practices around:
• Utilizing the concepts of risk appetite, as detailed in SOP 5 – Risk Appetite, and linking this to metrics and key risk indicators used by management in different areas of the firm
• The definition for selection, measurement and monitoring of key risk indicators and what is needed to implement an effective key risk indicator framework
• The mechanics for embedding best practice in operational risk management into an organization to support everyday business decisions, as well as strategic and change initiatives such as new products or markets
2.2 Scope
Outlines the scope of the SoP in terms of:
• Who the SoP applies to
• The level of applicability and enforceability by participant type i.e.
  ◦ Mandatory for PRM holder
  ◦ Minimum sound practice for risk professionals
  ◦ Optional/ Guideline for those not performing services in any of the industries that PRMIA does not directly cover e.g. manufacturing, entertainment etc.
• Mechanics for deviating from the SoP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
Scope
This SoP is industry agnostic and serves as guidance for risk management practitioners, management
and others who are involved in the design, selection, measurement and monitoring of KRIs.
KRI selection, monitoring and management is performed as part of an Operational Risk Framework.
Within a typical KRI Framework, risks are identified, evaluated and risk appetites chosen, limits are set,
risks are accepted or avoided and risk mitigation activities are performed, and actions are taken when
limits are breached.
This SoP provides a minimum recommended standard of sound practice in the design, selection,
measurement and monitoring of KRIs for:
• PRMIA PRM holders
• PRMIA Operational Risk Certification holders
Deviation from SoP
If the risk practitioner departs from the guidance set forth in this standard in order to comply with
applicable law (statutes, regulations, and other legally binding authority), or for any other reason the
risk practitioner deems appropriate, the risk practitioner should refer to Section 5.2 of this SoP.
Cross References
When this standard refers to the provisions of other documents, the reference includes the referenced
documents as they may be amended or restated in the future, and any successor to them, by whatever
name called. If any amended or restated document differs materially from the originally referenced
document, the risk practitioner should consider the guidance in this standard to the extent it is
applicable and appropriate.
2.3 Exposure Draft History
Outlines the history of the Exposure Draft including:
• Date and method of promulgation of 1st Exposure Draft
• Comment Period deadlines
• Reference to the Appendix regarding PRMIA member comments relating to the SoP
• Outcome of member comments
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
The exposure draft of this SoP is still under discussion but is due to be approved for exposure by October
2014.
2.4 Effective Date

• Date that the SoP and the associated version is effective
• Defines retrospective impact of changes to prior SOP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk
Management
Effective Date – TBD
3 Risk Management Objectives addressed by Guidance
Risk Management Objectives are observable outcomes that result from the execution of the Minimum
Recommended Sound Practices encompassed within this Standard of Practice. The Recommended
Minimum Sound Practices required to achieve these Risk Management Objectives are described in
section 4 of this Standard of Practice.
3.1 Dependencies between Risk Management Objectives (RMO)
Risk Management Objectives within this Standard of Practice may be dependent on other Risk
Management Objectives, both within this Standard of Practice, and on other Standards of Practice.
The following shows the Risk Management Objectives within the scope of this Standard of Practice and
its dependencies and which other Risk Management Objectives rely on its outputs.
3.2 Risk Management Objectives
This section provides descriptions of the Risk Management Objectives within the scope of the guidance
of this Standard of Practice as well as descriptions of dependencies on RMOs contained within other
SoPs.
Risk Management Objective and Definition
Dependencies on other RMOs
RMOs which are dependent on the RMO
SOP 2 – Key Risk Indicators
RMO 2.01 Define and Maintain KRI Framework
A framework is defined, implemented and maintained that articulates the objectives for the use of KRIs within the organization. The KRI Framework defines the organization’s specific criteria for the selection of KRIs, criteria for the setting of thresholds and the requirements for investigation, escalation and notification of exceptions.
SOP 3 – Operational Risk Framework
• SOP 2 – KRIs
  RMO 2.02 Define/ Select Key Risk Indicators
• SOP 6 – RCSA
  RMO 6.0X Assessing Control Effectiveness
SOP 2 – Key Risk Indicators
RMO 2.02 Define / Select Key Risk Indicators
An appropriate suite of metrics are defined, selected & set that provide management with effective indicators of changes in exposure to the occurrence of events arising from key risks. Metrics are also defined and/ or selected to enable management to assess whether the organization is operating within defined risk appetite limits.
• SOP 2 – KRIs
SOP 2 – Key Risk Indicators
RMO 2.03 Set KRI Thresholds
Thresholds are set that provide triggers to enable action to be taken in response to increases in exposure to potential events and / or to ensure that the experience of events is constrained within risk appetite tolerances.
• SOP 2 – KRIs
  RMO 2.02 Define/ Select Key Risk Indicators
• SOP 5 – Risk Appetite
SOP 2 – Key Risk Indicators
RMO 2.04 Monitor KRIs
KRIs are monitored on an ongoing periodic basis and compared to current thresholds to identify exceptions.
• SOP 2 – KRIs
  RMO 2.03 Set Key Risk Indicator Thresholds
• SOP 2 – KRIs
  RMO 2.05 Identification and Investigation of KRI exceptions
• SOP 5 – Risk Appetite
  RMO 5.0Y Set/ Update Risk Appetite Levels
SOP 2 – Key Risk Indicators
RMO 2.05 Identification and Investigation of KRI Exceptions
Causal event of KRI threshold breach identified and investigated
• SOP 2 – KRIs
  RMO 2.04 Monitor KRIs
• SOP 2 – KRIs
  RMO 2.04 Set KRI Thresholds
• SOP 5 – Risk Appetite
  RMO 5.0Y Set/ Update Risk
RMO 3.01 Define & Maintain Operational Risk Framework
RMO 2.01 Define & Maintain KRI Risk Framework
• SOP 2 – KRIs
  RMO 2.03 Set KRI Thresholds
• SOP 5 – Risk Appetite
  RMO 5.0X Define Risk Appetite
• SOP 2 – KRIs
  RMO 2.04 Monitor Key Risk Indicators
RMO 5.0Y Set / Update Risk Appetite Levels
Appetite Levels
SOP 3 – Operational Risk Losses
RMO 3.0X Loss Investigation and Root Cause Analysis
SOP 2 – Key Risk Indicators
RMO 2.06 Notification and Escalation of KRI Exceptions
Valid exceptions reported to appropriate levels of Management to ensure challenge and required action
• SOP 2 – KRIs
  RMO 2.03 Set Key Risk Indicator Thresholds
  RMO 2.04 Monitor KRIs
  RMO 2.05 Identification and Investigation of KRI Exceptions
• SOP 5 – Risk Appetite
  RMO 5.0Y Set/ Update Risk Appetite Levels
• SOP 6 – RCSA
  RMO 6.0Y Scenario Analysis
3.3 Associated Standards of Practice
This section provides descriptions of the Standards of Practice that are dependent on RMOs within SOP
2 - Key Risk Indicators for Operational Risk, or impact RMOs outside SoP 2.
Standards of Practice 3 – Operational Risk Losses
SoPs that are either dependent on (D) or impact (I) this SoP
SOP 3 – Operational Risk Losses
RMO 3.01 Define & Maintain Operational Risk Framework (D)
The Operational Risk Framework defines the organization’s criteria for defining, building, monitoring and assessing an Operational Risk Framework
Specific RMO with this SoP: RMO 2.01 Define and Maintain Operational Risk Framework
SOP 3 – Operational Risk Losses
RMO 3.0Y Loss Event & Root Cause Analysis (D)
Investigation procedures for events that breach the organization’s materiality mandates and thresholds.
Specific RMO with this SoP: RMO 2.05 Identify & Investigate KRI Exceptions
Standards of Practice 4 – Operational Risk Capital Modeling
SoPs that are either dependent on (D) or impact (I) this SoP
SOP 4 – Capital Modeling for Operational Risk
RMO 4.0X Capital Modeling - BEICF (D)
Methodology for the integration of KRIs into the BEICF and Capital Modeling Framework.
Specific RMO with this SoP: RMO 2.04 Monitor KRIs
Standards of Practice 5 – Risk Appetite
SoPs that are either dependent on (D) or impact (I) this SoP
SOP 5 – Risk Appetite (I)
RMO 5.0X Define Risk Appetite
Framework that defines and articulates Risk Appetite within and throughout an Organization.
Specific RMO with this SoP: RMO 2.02 Define/ Select KRIs
SOP 5 – Risk Appetite (I)
RMO 5.0Y Set/ Update Risk Appetite
Methodology for setting, monitoring and updating Risk Appetite within and throughout an Organization.
Specific RMO with this SoP: RMO 2.04 Monitor & Reassess KRIs; RMO 2.05 Identify & Investigate KRI Exceptions; RMO 2.06 Notify & Escalate KRI Exceptions
Standards of Practice 6 – Risk and Control Self Assessment
SoPs that are either dependent on (D) or impact (I) this SoP
SOP 6 – Risk and Control Self-Assessment
RMO 6.0X Assessing Control Effectiveness (I)
Framework that defines, monitors and assesses control effectiveness within and throughout an Organization
Specific RMO with this SoP: RMO 2.01 Define & Maintain KRI Framework
SOP 6 – Risk Controlled Self-Assessment
RMO 6.0X Scenario Analysis (I)
Methodology for performing Scenario Analysis around events, trends and exceptions
Specific RMO with this SoP: RMO 2.05 Identify & Investigate KRI Exceptions; RMO 2.06 Notify & Escalate KRI Exceptions
4 Recommended Minimum Sound Practice
This section documents the recommended minimum sound practice to achieve each of the Risk
Management Objectives within the scope of this Standard of Practice. The guidance is documented as a
series of Risk Management Practices (RMP) for each Risk Management Objective.
4.1 RMO 2.01 Define and Maintain KRI Framework
Description
A framework is defined, implemented and maintained that articulates the objectives for the use of KRIs within the organization. The KRI Framework defines the organization’s specific criteria for the selection of KRIs, criteria for the setting of thresholds and the requirements for investigation, escalation and notification of exceptions.
Dependencies, or impacts, on other Risk Management Objectives
• SOP 5 – Risk Appetite, RMO 5.0X Define Risk Appetite (D)
• SOP 6, RCSA, RMO 6.0x Assessing Control Effectiveness (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.01.01 KRI Program
Management should publish a framework that articulates the organization’s specific objectives and minimum mandatory requirements to achieve these objectives, for the use of KRIs across the organization.
RMP 2.01.02 KRI Framework
In order for KRIs to be an effective tool for Operational Risk Management, they should be deployed as an integral part of the overall Operational Risk Framework of the organization. The process of defining the objectives and requirements within the KRI framework should consider how the outcomes of the use of KRIs will be used by other parts of the Operational Risk Framework and how the KRI framework will place reliance on the outcomes of other components of the Operational Risk Framework.
RMP 2.01.03 KRI Framework Maturity Level
The level of sophistication regarding the objectives, processes, automation and number of KRIs used should be defined at a level that is commensurate with the current maturity of the organization. Although a more sophisticated KRI framework may result in more effective Risk Management outcomes, introducing a sophisticated KRI methodology to a less mature organization may, in practice, lead to less satisfactory results.
RMP 2.01.04 Sub-Unit Organization KRI Framework
The overall KRI framework should articulate minimum mandatory requirements for the design and use of KRIs across the organization. Sub-units (e.g. divisions within an organization) should be able to articulate their own specific requirements for selection of KRIs and associated framework requirements, that are appropriate for their specific operating requirements. Cost-Benefit analysis should be undertaken prior to creating such KRIs and their associated frameworks. These KRIs should enable comparisons with equivalent metrics used by other units and allow for aggregation across the enterprise where appropriate.
RMP 2.01.05 KRI Framework Minimum requirements
The KRI framework should specify the following:
• Minimum data requirements for defining a KRI and recording the results of monitoring a KRI.
• Responsibilities for defining and implementing KRIs.
• Criteria for selecting effective KRIs.
• Requirements for aggregation of the outputs from KRI monitoring.
• Requirements for the setting of thresholds for KRIs.
• Requirements for the investigation of KRI exceptions.
• Requirements for the notification and escalation of KRI exceptions.
• Requirements for review and challenge of the selection of KRIs and thresholds and the results of KRI monitoring by the Independent Risk Function.
RMP 2.01.06 KRI continual improvement
Once the initial KRI Framework has been developed and adopted, it should be continually monitored and refined.
4.2 RMO 2.02 Define / Select Key Risk Indicators
Description
An appropriate suite of metrics are defined, selected and set that provide management with effective indicators of changes in exposure to the occurrence of events arising from key risks. Metrics are also defined and / or selected to enable management to assess whether the organization is operating within risk appetite limits.
Dependencies, or impacts, on other Risk Management Objectives
• SOP 5 – Risk Appetite, RMO 5.0X Define Risk Appetite (D)
• RMO 2.01 Define and Maintain KRI Framework (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.02.01 KRI Purpose
KRIs should be selected to address two key purposes:
• To provide management with forward-looking indicators of the organization’s exposure to potential events arising from key risks to enable management to take proactive preventative or mitigative actions; and / or
• To provide management with measures of the experience (i.e. frequency and / or severity) to specific types of events in order to enable management to assess if the experience of events is within the tolerances defined within the organization’s risk appetite statement.
RMP 2.02.02 Selection of KRIs to Monitor Changes in Cause not Events
In order to be effective, forward-looking KRIs should be selected to monitor changes in exposure to the causes of events, rather than attempt to correlate to the experience of events directly.
Management should take action to reduce, avoid or mitigate the organization’s exposure to the experience of events through management of their causes.
Causes of events that are measured by KRIs may be either exogenous or endogenous, however, the way that they are defined, managed and monitored within a KRI framework are the same.
RMP 2.02.03 KRI Selection
KRIs should be selected via a top-down or a bottom-up approach from either a set of existing KRIs or by narrowing down a list of potential KRIs that fulfill the criteria in RMO 2.02.01, .02 and .04
RMP 2.02.04 Properties of Effective KRIs
To be effective, KRIs must possess the following properties:
• Relevant: Either be forward looking, causally-aligned indicators used in measuring increases in exposure to events; or measures of the experience of specific types of events that enable compliance with associated risk appetite tolerances
• Quantitative: Capable of being captured quantitatively e.g. count, amount, duration, etc. If KRIs capture subjective assessments (i.e. management assessments of staff morale) then these should be objectively transmuted into quantitative scales and values
• Actionable: Defined so that the nature of remedial action (if required) is clearly understood.
Subject to being:
• Consistent and Comparable: KRIs must be capable of being benchmarked between business lines, geographies and /or activities
• Efficient and Repeatable: KRIs must be selected, designed and implemented that produce returns in excess of the cost needed to collect them
• Auditable: KRIs must be produced from transparent data sources and include any actions performed converting the data into information (including aggregation formulae, weightings, scalars) and must be capable of being repeated at any point in time
In practice, it will often not be possible to select measures that satisfy all of the above. In these instances KRIs should be selected that best optimize the achievement of the above in a manner that is appropriate for the current maturity of the Risk Framework of the organization.
RMP 2.02.05 KRI key data attributes
Specifications of KRIs should include the following minimum data requirements:
• Definition: Narrative description of the metric
• Formula: Attributes captured for calculating the measure and rules for how they should be combined to calculate a value for the measure.
• Value Format: e.g. decimal, count, percentage, duration, rating scale, monetary amount, ratio
• Frequency of Collection: e.g. Hourly, daily, monthly, quarterly etc.
• Frequency of Reporting: e.g. Hourly, daily, monthly, quarterly etc.
• Data Source
• Goal Direction: i.e. where there is an exception, if the metric value is higher or lower than the threshold value.
• Threshold value: Current value for threshold
• KRI Owner: Individual or (sub-) organization responsible for designing & selecting the KRI.
• Associated Risk: Description, or identifier, of the risk that is being monitored
• Associated Control: Description, or identifier, of the control associated with the KRI.
• Effective Date of KRI
• Valid Until Date of the KRI
RMP 2.02.06 KRI Automation
Management should assess the benefits and costs of manual vs. automated data capture
RMP 2.02.07 KRI Capture vs. Reporting Freq.
When evaluating the economics of data capture management should balance the needs between the frequency of data capture versus that of information reporting
RMP 2.02.08 KRI Back Test
KRIs, once selected, should be subject to review and back-tested against the actual experience of events to determine their effectiveness.
RMP 2.02.09 New Business or Products
A process to incorporate new KRIs as it relates to new products or types of business should be developed and implemented.
New Business and Product reviews should identify key risks resulting from introduction of new businesses and new products and requirement for key controls to mitigate these risks. Plans for implementation of these key controls should include implementation of Key Control Indicators (KCIs) to measure the effectiveness of these controls. These KCIs once implemented can be used as KRIs to measure changes in exposure to the associated risks.
4.3 RMO 2.03 Set KRI Thresholds
Description
Thresholds are set that provide triggers to enable action to be taken in response to increases in exposure to potential events and / or to ensure that the experience of events is constrained within risk appetite tolerances.
Dependencies, or impacts, on other Risk Management Objectives
• RMO 2.02 Define / Select Key Risk Indicators (D)
• SOP 5 – Risk Appetite, RMO 5.0Y Set / Update Risk Appetite Levels (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.03.01 Set KRI Thresholds
Thresholds should apply for each KRI with breaches as a trigger for management escalation steps. Thresholds should be objectively set at a level where exposure to a loss event is in excess, or below, the associated risk appetite.
4.4 RMO 2.04 Monitor & Reassess KRIs
Description
KRIs are monitored on an ongoing periodic basis and compared to current thresholds
to identify exceptions.
Dependencies,
or impacts, on
other Risk
Management
Objectives

RMO 2.02 Define / Select Key Risk Indicators

RMO 2.03 Set KRI Thresholds
Practice ID
Recommended Minimum Sound Practice
RMP 2.04.01
Monitor KRIs
Once the initial KRI Framework has been developed and adopted, KRIs should be
continually monitored to assess their effectiveness
RMP 2.04.02
Reassess KRI
Thresholds
KRI thresholds should be continually refined to ensure that thresholds are set such
that the lower and upper bounds capture events or trends that can serve as a
predictive indicator for management
RMP 2.04.03
Reassess
Applicability of
KRIs
KRI thresholds should be continually monitored to determine if they’re achieving
management objectives in terms of tracking to risk appetite, management actions
and associated decisions
4.5 RMO 2.05 Identify & Investigate KRI Exceptions
Description
Causal event identified and investigated
Dependencies,
or impacts, on
other Risk
Management
Objectives

RMO 2.04 Monitor KRIs (D)

SOP 3 – Operational Risk Losses, RMO 3.0X Loss Event Investigation & Root
Cause Analysis (D)

SOP 5 – Risk Appetite, RMO 5.0Y Set/ Update Risk Appetite Level (D)

SOP 6 - RCSA, RMO 6.0Y Scenario Analysis (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.05.01
Exception
Identification
If the value for a KRI passes either above or below the threshold band then a KRI
exception should be identified
RMP 2.05.02
Exception
Investigation
After an exception has been identified the KRI Owner should investigate the
reason for the exception. The KRI Owner should determine if the exception is the
result of an actual instance of cause that exceeds a predefined tolerance
RMP 2.05.03
False Flags
If the exception is a “false flag” where inappropriate thresholds or KRIs have been
set or selected, then Management should reassess KRI and threshold selection and
limit criteria & act accordingly as dictated by SOP 5, Risk Appetite
RMP 2.05.04
Material
Exception
If the exception is material, as defined by the size, frequency or nature of deviation
from associated thresholds, then a detailed investigation of the cause of the
breach should be carried out as dictated by SOP 3 – Operational Risk Losses, RMO
3.0X Loss Investigation and Root Cause Analysis. It may also require inclusion in
Scenario Analysis as dictated by SOP 6 – RCSA, Scenario Analysis
4.6 RMO 2.06 Notify and Escalate KRI Exceptions
Description
Valid exceptions reported to appropriate levels of management to ensure
challenge and required action
Dependencies,
or impacts, on
other Risk
Management
Objectives

RMO 2.05 Identification and Investigation of KRI Exceptions

SOP 5 – Risk Appetite, RMO 5.0Y Set/ Update Risk Appetite Level (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.06.01
Exception
Management
Program
An exception management program must be designed, documented and
implemented detailing the course of action to be taken as documented when
predefined KRI thresholds are breached
RMP 2.06.02
Notification of
Breach
If, after investigation, the exception is determined to be valid, it must be reported
to the KRI owner within the timeframe agreed upon within the KRI Framework
RMP 2.06.03
Severe Breach
Escalation
If the breach is severe, as defined per the KRI Framework, the KRI Owner and the
appropriate level of senior management must be notified as soon as the breach
has been identified, rather than after a detailed event investigation has been
carried out
5 Communications and Disclosures
5.1 Communication

Details communication flow, both internal and external, for the organization that the risk manager is
providing services or duties for, and how the associated disclosures pertinent to the subject of the SOP or
associated SoPs are to be handled

Detail any applicable limitations to the need for public or internal disclosure. The risk manager should
consider the intended purpose or use of the SoP, including:

Inconsistencies between the organization’s financial size, risk profile, and risk environment, and
the maturity, level of depth, spend and XXX adopted by the organization under the SoP, i.e. if an
organization is a SIFI yet the environment is not as would be expected for an organization of its
complexity

Deviation from Guidance in the Standard – See Section 5.2

Any significant assumptions used in implementing the SoP including, but not limited to:

Anticipated future actions by management to manage or mitigate risks identified by the risk
manager

Other related areas (pre-requisites and dependents) covered by either other SoPs or outside
the scope of the risk manager’s purview, for which the risk manager has to rely on
management to carry out pre-requisites
5.2 Deviation from Guidance in the Standard

If the risk manager departs from the guidance set forth in this standard, the risk manager should
include the following applicable disclosure stating:

If any material assumption or method was prescribed by applicable law (statutes, regulations,
and other legally binding authority);

If the risk manager disclaims responsibility for any material assumption or method in any
situation not covered under the section above; and

If the risk manager otherwise deviated materially from the guidance of this SoP

Specific references within PRMIA’s Code of Conduct that they are being asked to breach
5.3 Glossary

The Glossary is provided for informational purposes, but is not part of the standard of practice

Provides additional background on the content referred to in the SOP

Outlines current, or alternative, practices associated with the subject addressed by the SoP

Summary of all comments raised by PRMIA members in the SOP development process and their
disposition by the drafting committee
6 Comments on the Exposure Draft and
Responses Communication
The first exposure draft of this SOP, Key Risk Indicators in Operational Risk Management, was issued in
August 2014 with a comment deadline of November, 2014
XXX comment letters were received, some of which were submitted on behalf of multiple
commentators, such as by firms or committees. For purposes of this section, the term “commentator”
may refer to more than one person associated with a particular comment letter. The SoP Management
Committee carefully considered all comments received, and the PRMIA Board reviewed (and modified,
where appropriate) the changes proposed by the Management Committee
Summarized below are the significant issues and questions contained in the comment letters and the
responses.
Transmittal Memorandum
Comment
Response
Practice ID
General Comments
Comment
Response