As risk management evolves and matures, many organizations are focusing more on performance management, which measures how effectively they are achieving their key business objectives. With this growing emphasis on performance, internal auditors should provide assurance and consulting advice regarding the achievement of objectives communicated to stakeholders.
An organization’s strategic planning function and other functions provide management timely, useful information necessary for effective decision-making. However, many organizations have limited alignment among the groups providing information to management and the board. Also, one fundamental difference between these functions and internal audit is the use of a “performance lens” versus a “risk lens.”
One way internal auditors can help create more alignment among functions is to encourage formalization and integration of top-down key performance indicators (KPIs) and key risk indicators (KRIs). KPIs are metrics that provide visibility into the performance of the business and enable decision-makers to take action. KRIs can provide an early signal of increasing risk exposure. Both types of indicators can give management and the board significant insight into how effectively the organization manages risks and resolves performance issues.
Although KPIs and KRIs can add business and shareholder value, few organizations have implemented a sustainable process at the entity level that truly drives performance. Even fewer have integrated KPIs and KRIs into one seamless process.
To build executive support, it may be easier to begin by implementing KPIs. Internal audit can help facilitate the development of a sustainable top-down KPI management process, which must be aligned with corporate planning, goal-setting, budgeting and forecasting, and capital allocation activities. A project to develop an effective KPI management process will typically include several elements.
Project Charter
A formal project charter, with executive sponsorship, helps ensure management support and alignment of activities as the KPI management process is developed. The charter clearly defines the business case, problem statement, project objective, project scope, resources needed, and project timeline. The problem statement and project objective are key to aligning KPI activities. An example of a problem statement is, “Our company does not consistently focus on the activities and metrics that truly drive shareholder value.” A project objective example is, “Implement an ongoing KPI management process that directs focus on the true value drivers of the business and total shareholder return.”
KPI Framework
The framework provides a high-level overview of the components necessary to ensure a sustainable process. Five major components include:
- A KPI management process with four major phases: KPI planning, performance measurement, reporting and action planning, and taking action and monitoring.
- KPI governance, with executive committee oversight, a steering committee, and a data governance council.
- KPI integration, with strategic planning, goal-setting, capital allocation, budget and forecast, and compensation.
- A KPI infrastructure, including organizational structure, operations leadership role, KPI vision and objectives, and technology support.
- A KPI culture/foundation, with common terminology, change management, communication, training, and continuous improvement.
Key Metrics Identification
This element focuses on determining the few metrics that are most critical to driving business value and shareholder return. Whether the focus is on performance or risk, many times the word “key” is lost when deciding the appropriate number of metrics to measure and monitor at the entity level. Identifying about a half-dozen metrics can be a good start. This requires executive management to consider which metrics truly make a difference to the organization’s success. For example, KPIs for an energy company may include production growth, operational expenses, and safety.
KPI Executive Dashboard
Having a visualization tool in place enables management to easily review the organization’s performance compared to targets and budgets. An effective KPI executive dashboard should graphically present a manageable number of KPIs that focus management’s attention on the true value drivers of the business and shareholder return. The dashboard must be visually clean and easy to navigate. Using a simple color scheme — such as red, yellow, and green — can highlight performance levels in comparison with tolerances set by management. Features may include:
- A menu tab, including a drop-down list of specific KPIs and action plans.
- An information icon for each KPI, including the KPI definition, metric calculation, related goal, and data source.
- A KPI title, for metric clarity and ability to quickly view more detailed information about the KPI.
- Clearly defined and approved performance tolerances.
- A KPI current status indicator, highlighting actual performance versus target and budget.
- Hover-overs to highlight a further breakdown of performance for all business units.
Integrating Risk With Performance
Once a KPI management process is in place, organizations can follow a similar process to develop and integrate KRIs. Because internal audit has experience with identifying emerging and changing risks, auditors can help management determine the KRIs of most significance to business value and shareholder return. For example, KRIs for an energy company could include global macro-economics, commodity price volatility, stakeholder activism, and safety. These KRIs can be added to the executive dashboard to allow easy access to both KPI and KRI information.
Depending on the level of transparency accepted by the organization’s executive team, KPIs and KRIs can be monitored in the executive dashboard by management, auditors, and other leaders across the organization. For example, a safety-related KRI could track the number of incidents caused by mechanical failure. As the number of incidents increases, so does the likelihood of a serious injury or fatality.
To generate value, organizations must achieve or exceed performance goals communicated to stakeholders. To retain value, they must understand, monitor, and proactively manage significant risks to the achievement of key objectives. By facilitating the integration of KRIs with KPIs, internal auditors can help management gain timely, useful risk and performance information that allows it to make effective decisions.