So, you've been asked to create some risk metrics, but you're feeling a little rebellious today. Why bother with accurate risk metrics when you can have some fun creating some utterly useless and misleading ones? Here are some tips on how to create terrible risk metrics.
Use irrelevant data.
Throw in metrics and data that sound important, but don’t really measure your risks and aren’t linked to your objectives. The number of policies and procedures you have is a nice generic one. The key to a terrible metric is to find one that sounds plausible but provides no information whatsoever – or even better, provides misinformation. Choose the stuff that is easy to measure rather than what matters. People love that.
If you can, wherever possible use authoritative external data sources that have no relevance to your organisation.
Don’t set thresholds.
A metric itself might look informative, but if there are no thresholds set, it won’t inform anyone on when they need to act, or when the level of risk is actually unacceptable. Even if the metric itself is great (they can’t all be losers), at least this way there is no trigger for executives on when a decision actually needs to be made.
People will probably pick up on this weakness quickly. The backup plan is to come up with arbitrary thresholds that aren’t linked to risk appetite or otherwise linked to organisational objectives. If others propose thresholds, tell them you’ve got this. You are the risk expert after all.
Another important consideration when setting thresholds badly is to ensure that you face the minimum drama and hassle. If an indicator has been red for too long and people are asking awkward questions – just raise the threshold!
Ignore outliers.
Outliers? Who needs them? Ignore any data that doesn’t fit your pre-conceived notion of risk (for example, you can exclude those poor customer service survey results: those customers were clearly being unreasonable). If those pesky outliers do make their way into your dataset, try to use averages or other techniques to effectively obscure their impact.
Keep it vague.
Make your description of your metrics vague. When you request Steve to provide the “number of complaints”, he’ll probably wonder for what time period, whether it’s new complaints received, received, closed… you know, all that stuff that Steve seems to actually care about. When he asks for clarity, roll your eyes, say “other departments know how this is done”, and walk the other way.
This approach has a few great benefits. Firstly, the results will be unreliable (especially if you can get a different person to collect the data each time – which doubles up as more opportunities for eye rolling). Secondly, you can wring your hands with glee if the same metric is used for benchmarking: the executives will have no idea that they are comparing rotten apples and orange peel.
Make sure nobody owns the metric.
This one is great, because by having people be aware that metrics are being collected, it gives the illusion that something will be done about them. But if no one is actually responsible, metrics can often remain outside their thresholds for a while before someone actually asks what is being done. Let the finger pointing commence!
Creative reporting.
This tip is an excellent fall-back if people see through the above techniques, and you are responsible for preparing reporting (if your first line own risk reporting, try and take it away, they shouldn’t be responsible for risk). If people send you data that is actually valuable, you can choose how it is presented. Just say “I’m trying something new this time”. Another option is to make sure that the data isn’t timely. Give them that leading indicator a month after it mattered.
Make your risk metrics performance targets.
It’s brilliant really. The risk team keep banging out about how important risk management is; making Key Risk Indicators into performance targets will make you look like a hero. You can feign ignorance when someone arbitrarily raises their thresholds or fudges their numbers in order to maintain their performance record. That’s not a risk management problem, that’s a culture problem – and everyone knows that culture has nothing to do with risk management!
Conclusions and next steps for your organisation.
Creating terrible risk metrics is fun and all too easy. However, you may find that – despite the effort and hassle that you save at the time – they are not necessarily conducive to either your organisation’s long-term success, or to your career prospects in particular.
Another alternative, and one that we would recommend at Protecht, is to create functional risk metrics that provide useful, timely, actionable information for decision makers in your business. If you are interested in following this path, you may want to try our new Risk metrics and key risk indicators course on Protecht Academy.
The course covers all aspects of setting up, running and developing KRI processes that can be used both as an essential component of the overall risk management framework as well as a powerful tool to assist management in the day-to-day control of the business.