Dashboards. Metrics. Data. Everybody has them; most don’t know how to use them effectively. It’s a bold statement, but according to Jack Jones and Jack Freund, it is a truism in the risk management field.
In my presentation at the 2017 FAIR Conference I had an opportunity to communicate some of the common problems concerning risk management metrics today. Additionally, I provided six go-to metrics to get any FAIR program started.
Let me start by outlining the goal of FAIR-based risk management programs: to cost-effectively achieve and maintain an acceptable level of loss exposure.
This is the goal of every organization with regard to managing seemingly innumerable loss events. We are charged with balancing the need to run the business with the task of protecting it from ever-changing threats.
Adapted from Isaiah McGowan's talk "What Metrics Matter in Risk Management?" at the 2017 FAIR Conference.
Our goal statement should already give you ideas about metrics we should concern ourselves with:
- What does "cost-effective" mean and how would we keep our thumb on that pulse?
- What is "an acceptable level of loss exposure"?
- What does it look like to achieve an acceptable level of loss exposure?
- How do we know we’re maintaining that level of risk?
This brings us to the value proposition of metrics: They inform decisions that seek to cost-effectively achieve and maintain an acceptable level of loss exposure.
What kind of metrics are there?
There are two dimensions in which we evaluate the use of metrics in risk management:
- Risk analysis metrics that communicate the wellbeing of our organization
- Risk management metrics that communicate our ability to meet and maintain a desired wellbeing
We leverage telemetry to inform Operational Metrics (and FAIR analyses, but that’s redundant, isn’t it?), which then feed Risk Management Metrics, which in turn inform strategic decisions. Those strategic decisions seek to cost-effectively achieve and maintain an acceptable level of risk.
Pervasive in our two dimensions, risk analysis and risk management, are three types of metrics we concern ourselves with:
- Loss Event
- Decision
- Variance
In short, loss event metrics help us understand how much risk we have today, which is pivotal to understanding an acceptable level of loss exposure. Over time they will show us the trajectory of risk.
Additionally, loss event metrics in concert with decision metrics help us understand if we are managing cost-effectively. Finally, variance metrics primarily help us understand the gaps, which gives us the information we need to achieve and maintain an acceptable level of risk.
How can you evaluate the efficacy of your current risk management metrics?
Remember, the value proposition of any risk management metric is its ability to inform decisions that cost-effectively achieve and maintain an acceptable level of loss exposure. What this boils down to is this:
If any risk management metric you provide today does not inform decisions towards this goal, you are wasting time and money.
That doesn’t mean the metric itself is useless, but it most likely means it’s not tailored towards your decision-maker audience. Don’t get caught in the trap of designing and reporting metrics that are valuable to one audience and presuming they are appropriate for executives and senior leadership.