Professor Emil SCARLAT, PhD

E-mail: emil_scarlat@yahoo.com
Professor Nora CHIRITA, PhD
E-mail:norachirita@yahoo.com
Ioana-Alexandra BRADEA, PhD Student
Department of Informatics and Economic Cybernetics
The Bucharest Academy of Economic Studies

INDICATORS AND METRICS USED IN THE ENTERPRISE RISK

MANAGEMENT (ERM)

Abstract. The main objective of the paper is to discuss how indicators

and metrics can be used in risk management. In introduction, there are presented
some general ideas about enterprise risk management and its implementation
using key risk indicators (KRIs). In Section, there are presented several definitions
for KRI and the steps which must be followed for implementing a set of KRI. In
Section 2, it is made the distinction between risk indicators and performance
indicators. In Section 3, it is described the notion of risk metric. Section 4 refers to
the importance of monitoring and measuring risks at any level of the company. In
Section 5 there are exposed the benefits recorded by the enterprise, which are
generated by an efficacious ERM. The last section targets the correlation between
risks and the scoring models used for prediction of bankruptcy. The paper ends
with some conclusions and with the list of references.
Key words: metrics, key risk indicators, management, risk, dashboard.

JEL Classification: C53, M10.

1. Introduction:

Enterprise Risk Management (ERM) represent the authority that is

dealing with uncertainty for the enterprise. The importance of ERM consists on the
need of managing the risks properly, in order to sustain operations and achieve the
business objectives.
COSO’s ERM Framework defines ERM as follows: “Enterprise risk
management is a process, effected by an entity’s board of directors, management,
and other personnel, applied in strategy setting and across the enterprise, designed
to identify potential events that may affect the entity, and manage risk to be within
the risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives”.
Through ERM, every company will be able to have a holistic view of the
potential events that may affect the achievement of the organization’s objectives.
Emil Scarlat, Nora Chirita, Ioana – Alexandra Bradea
________________________________________________________________
An efficient management will implement a set of indicators or metrics in order to
monitor the changes in risk conditions and to identify new risks. This approach
will allow a better management of risk events. Risk management involves
attention, a future-oriented focus. Implementation of key risk indicators is a
prerequisite to achieve goals.
All businesses have the difficult task of developing KRIs offering
an early warning system of possible future problems. KRIs are the cornerstone of
an effective risk management, are a critical part of the risk management
process, that is why it is necessary to allocate time in order to create a set
of reliable KRIs.

2. Key risk indicators ( KRIs)

Many researchers have been concerned lately with the problem of risk
indicators and how they help to detect and reduce the risk at an enterprise level. It
have been developed many books and articles on this topic. There were elaborated
a lot of definitions for this concept, definitions that will be presented in this
Section.
A risk indicator provides a forward direction, and information about risk,
which may or may not exist and is used as a warning system for future actions.
With a KRI it can be monitored a specific risk and can be undertaken mitigation
actions. Metrics are used to provide an early warning sign for increased exposure
of risk in different aspects of the enterprise.
An indicator is a key indicator if it serves a very important statement
and do it very well [Jonathan Davies, Mike Finlay, Tara McLenaghen, Duncan
Wilson, 2006].
Key risk indicators are "Statistics or measurements that can provide a
perspective into a company's risk position, tend to be revised periodically
(monthly or quarterly) to alert the company about the changes that may indicate
risks" [Les Coleman, 2009]. Key risk indicators are metrics that are used by
management to show how risky an activity or investment project is.
Response time to changes taking place in the risk profile is critical.
The faster a change is detected, the easier it is to take the necessary measures to
remedy the situation.
Building a set of key risk indicators requires skill and expertise. Every
person who is responsible with managing a risk must build a suitable set of KRIs
for it. Those involved in collecting and aggregating data for KRIs must know all
the definitions, conversions and standardization that will be used.
If the risk management department is not sure of the compliance of the
measurements used, the aggregate information will lose robustness and induce
unconfidence in the decision making. It is not enough to assume that the data are
correct, it must be validated.
Determination of the risk varies from one enterprise to another, from one
process to another and from one system to another. It is important to take into
Indicators and Metrics Used in the Enterprise Risk Management (ERM)
_______________________________________________________________

account the events with low probability of occurrence, which can be extremely
risky. Another mistake which can be done is to focus only on the probability of
occurrence without considering the consequences [Ann Bostrom, Steven P.
French, Sara J. Gotllieb (ed.), 2008].
The existence of a risk culture in the company represent the first step in
the process of risk prevention. Implementation of key risk indicators is necessary
because any business is in continual change. Obtaining current information offers
the management an enhanced ability to lead effectively and to prevent undesirable
results.
In the U.S., the Risk Management Association (RMA) manages an
initiative that is designed for enterprises that want to improve their risk
management. This project is called "Library Services and Key Risk Indicators",
and aims to achieve a degree of consistency and standardization to allow
comparison, analysis and reporting of key risk indicators at the corporate level. The
library contains over 2500 indicators that have been developed to measure and
monitor various types of risks. When were created these indicators, 50 financial
institutions from all over the world and numerous teams of specialists contributed.
Using this library every person has the possibility to get specifications for
metrics, to define customize indicators and to record observations on each
indicator. RMA believes that this initiative will improve the efficiency of KRIs.
Thus, for a successful implementation of KRIs it must be ensured: the
quantification of indicators, the use of standards and methodologies available, the
continuous monitoring of progress indicators, the KRIs connection to business
objectives and the correctness of the formula.

3. KRIs must not be confused with KPIs ( Key performance indicators)

The two types of indicators should be implemented by any enterprise that

wants to be effective in its management. Often, KPIs and KRIs are mistaken. It is
very necessary for the risk manager to be able to distinguish between them.
The key performance indicators focus especially on the historical
performance of the enterprise or its key operations, are important for a successful
management. On the other hand, KRIs provide a real-time indicators that offers
information about emerging risks. KRIs can be the key relationships that locates
the emerging risks and opportunities that signals the need to act. The differences
between KPIs and KRIs are that KPIs tell us if we will achieve our goals, and KRIs
help us understand changes in risk profile, impact and likelihood to achieve our
goals.
If the distinction is made between two types of key indicators, will be
very clear about what types of questions we want to answer through these
indicators and how we define these indicators to improve management quality and
the clarity of results.
Emil Scarlat, Nora Chirita, Ioana – Alexandra Bradea
________________________________________________________________

4. Risk metrics

Metrics are a gauge. Risk metrics can be considered KRIs, which help to
determine the direction from where the risks are coming, so they are extremely
useful in any enterprise. A key risk indicator is a measure which indicates the level
or trend of risk.
The metric can identify the deviation or likely deviation from the target
for a strategic objective of the enterprise. By measuring the value of metrics, risk
metrics are used to warn in advance that the next strategic objective metric is
unfavorable.
It is very important to choose the right number of metrics. If an enterprise
implements too many metrics, managing these will steal from the time allocated for
other tasks and will provide too much information to shareholders. They will end
up not to distinguish critical information and the system will provide information
of limited value. On the other hand, if too few metrics are implemented, the
decision making process will be difficult, since there are no critical information.
Any metric requires a goal, a target, an interpretation and reporting
structure. Metrics can not provide value only if are measured, because you can not
control what you can not measure.

5. Measuring and monitoring risk

Risk indicators monitor the risk exposure, as early warning systems,

performing actions to minimize losses. Monitoring risk in the enterprise is done
through a Dashboard interface.
The purpose of dashboard is to display all of the required information on
a single screen, clearly and without distraction, in order to be understood by every
user. Using Dashboards for Risk Management assumes that it is clear what is being
measured, especially the key risk indicators.
Indicators and Metrics Used in the Enterprise Risk Management (ERM)
_______________________________________________________________

Figure 1

The risk is generated by uncertainty. It must be monitored using key risk

indicators that do this while running the strategy chosen. Thresholds were set for
KRI in order to trigger actions to adjust the chosen strategies to combat the risk.
When strategies are reviewed, there are established new risk indicators and new
trigger points. This procedure increases the chance of achieving the objectives and
strategies chosen by management [Mark S. Beasley, Bruce C. Branson, Bonnie
V. Hancock, 2010].
KRI reflects what is accepted or not and the inclination to risk of the
enterprise. Since KRI can be measured, they help to communicate expectations to
risk.
The frequency of the measurement is an important factor. Generally, the
more frequently an indicator is revised, the more representative information will be
obtained. There will be cases where frequent measurements of an indicator will
show small changes in risk profile. In these situations it is important to consider the
trend before drawing conclusion. The trend indicates if the exposure to a risk
decreases or increases.
If a threshold was exceeded, the risk manager automatically receives a
message, through which is ordered to undertake urgent remedial actions. The
exceeding of thresholds is indicated by the yellow light of the monitoring risk
semaphore. The threshold is the limit or the boundary that once passed alert the
enterprise about the possibility of a significant change in the risk exposure. The
risk management need attention when establish the thresholds.
When the risk is in the green or yellow area, risk management must take
action to prevent that risk. If the situation is extremely unfavorable, and the risk is
Emil Scarlat, Nora Chirita, Ioana – Alexandra Bradea
________________________________________________________________
in the red zone, the enterprise records significant losses, and risk management have
to take actions in order to control these losses as possible.

Figure 2

It is very important to generate accurate information through KRI. Any

indicator must find a balance between speed and accuracy of reporting. If reporting
system generate delays, it is preferable to sacrifice some accuracy for the sake of
speed.
When it is implemented a system of KRIs is necessary to consider the
enterprise’s objectives and the stakeholders. It is important to build KRIs for all the
important risks that a company can face. KRIs must be continuously reviewed to
provide value especially because there are changes in environment, in processes, in
risks and data sources that can affect the relevance of KRIs.

6. Benefits of using an efficient ERM

This paper reflects the benefits which are acquired by the enterprise when
it is implemented an efficient risk management. Next are presented the main
advantages:
Improving Key Business Relationships: The early warning system of
risk management may perceive and react in time to the conditions that cause major
risks, which rests the operation of a small and medium-sized enterprise (financial,
operational, technological and regulatory). This will cause further the improvement
of satisfaction and engagement across customers, employees and partners. By
measuring the level of risk in different parts of the enterprise, using the introduced
Indicators and Metrics Used in the Enterprise Risk Management (ERM)
_______________________________________________________________

metrics, will be possible to form a comprehensive picture of the interdependencies

that form between the feedback processes that takes place in the enterprise and can
generate different types of risks. Decisions will be monitored by the indicators
calculated in the system and will be able to be evaluated in terms of their effects on
the risks arising or likely to occur. Decision-makers may, under these
circumstances, to act in those points where decisions are most effective and to
assess, using Dashboard, the medium and long term effects of these decisions on
the level of business risk. Thus, by controlling and risk reduction in the enterprise,
they will be able to make business plans which have much lower associated risks.
Increasing Revenues: Between income derived by an enterprise and its
operational risk, there is an inverse relationship, meaning that a company earns
greater revenue to how the risks affecting different parts or activities are lower.
Risk monitoring and reporting the causes of them, will make the enterprises able to
focus their resources and creativity on the important issues that require the
development of different internal or environmental activities. This leads on to a
growth of revenue from safest business.
Reduce Defection and Bankruptcy: A key risk in any enterprise is
bankruptcy risk. This risk is, however, consisted of the appearance of different
types of risks that are signaled in time. If in the bankruptcy risk treatment were so
far used data and information from past activities, the early warning system will
provide the management tools with which not only this risk will be able to be seen
in time, but will indicate the reasons that determines the risk of bankruptcy or
defection (failure in some business).
Prioritizing Decisions: A main source of enterprise risk is the decisions
that are either insufficient based, or too late adopted. Using Dashboards, we may
enter an order in adopting important decisions in relation to the seriousness
reported risks and the need to remove them. Prioritization of decisions will have
beneficial effects on the efficient use of enterprise resources, meaning that they
will be directed to those processes or business that take place under low risk,
avoiding processes that may be affected by major risks, that if occur, leads to waste
of a large amount of enterprise resources.
Optimizing Critical Points: Performance measurement in real time in
key points of an enterprise will optimize the flow of information and knowledge,
that formed within it, will enable storage, processing, sharing and efficient use of
each information which is formed within the network connections and feedback
processes of the company. This will lead to an improvement of methods of risk
management in the enterprise by the emergence and development of more effective
ways of action on the conditions that can lead to risks. Optimal distribution of these
key points will make possible the intervention of management exactly where it is
needed, to eliminate or reduce the developing conditions of risk.
Creating a Risk Culture: Every enterprise that is going to implement
ERM will acquire a risk culture that will prevail within the organization. The risk
culture can be highly conservative, highly aggressive, or essentially neutral. They
create a situation in which promises are made, obligations are undertaken, and
expectations are set. However, when we do not satisfy those obligations
Emil Scarlat, Nora Chirita, Ioana – Alexandra Bradea
________________________________________________________________
operationally, then we create a situation of great dissatisfaction for customers.
These situations can be avoided if the enterprise acts within the criteria of the risk
culture that has been established. In other words, they will adhere to the established
guidelines for promise dates and lead times. Whenever they depart from this
pattern of behavior, they create a risk subculture that is unacceptable. When the
risk culture is clearly established, everyone lives by the same rules, and no
exceptions should be allowed.

6. Correlated risks. Building a risk map and a Dashboard

Risk management activities are gaining more and more ground today. Early
detection of risks in the enterprise, risks that are producing negative effects in
chain, resulting in other new risks, is a huge challenge for risk managers. Doing so
illustrates the experience, professionalism and a good implementation of a risk
culture within the organization, as well as a significant reduction of the probability
of bankruptcy establishment. Risk culture assumes responsibility, identify and
transmission of the problem and risks assumption.
Next we will sketch a map of risks that may affect the business, from
specific risks of every department of the company: accounting, treasury, tax, legal,
HR, IT, business planning, purchasing, sales and marketing, operations, production
planning & control, engineering, receiving, inventory control, quality assurance,
manufacturing departments, pick pack & stage, shipping & logistics, financial,
debts. [Gregory H. Duckert, Practical Enterprise Risk Management, Wiley, 2010].
We will choose a significant risk from each department and will perform
correlations among them.

No. Department Key Risk Indicator Risk

1. accounting Unreconciled Balances Manipulation of
accounting data
2. treasury Interest rate on debts Credit costs
3. tax Revaluation Accuracy of
accounting records
4. legal Number of litigation actions brought— Number of litigation
trend actions
5. HR ETO ( employee turnover) Employee turnover
6. IT Network downtime Old technology
7. business Return on investments Bad investments
planning
8. purchasing Excess inventories Excess materials
9. sales and Customer complaints / lost Lost customers
marketing
Indicators and Metrics Used in the Enterprise Risk Management (ERM)
_______________________________________________________________

10. production Percent of idle capacity Percent of idle

planning & capacity
control
11. engineering Warranty claims/average useful Complaints
life/customer complaints
12. receiving Unanticipated stock outs in raw Bad receiving
materials/shortages
13. inventory Obsolete and slow-moving/stockouts Poor stock rotation
control
14. quality Market share Loss of market share
assurance
15. manufacturing Net quantity produced versus shop order Producing an
departments requirements uncorrelated quantity
with demand
16. pick pack & Expenditures for damaged goods Expenditures for
stage damaged goods
17. shipping & Expenditures for damaged goods in Expenditures for
logistics transit damaged goods in
transit
18. financial Average unit sales price declining Price declining

19. debt Overall solvency ratio

Insolvency

20. management Managerial capacity Weak managers

Emil Scarlat, Nora Chirita, Ioana – Alexandra Bradea
________________________________________________________________

Figure 3
Indicators and Metrics Used in the Enterprise Risk Management (ERM)
_______________________________________________________________

We can easily make correlations between risks previously chosen.

However, most correlations are made between the only one selected qualitative
indicator "management quality" and other indicators, that is why the importance of
focusing on qualitative risk indicators during ERM process is essential.

Most dashboards are created in Excel. The dashboard puts the managers
in touch with the business in real-time. The CEO of Verizon Communications said
that „The more eyes that see the results we’re obtaining every day, the higher the
quality of the decisions we can make” [Ron Person, p. 108].
Further we will present a dashboard built for some indicators which
reflect the financial state of an enterprise which has as object of activity the gas
transport, international transit for gas, gas dispatching and research-
design gas transport. In this dashboard we will present the company status and the
likelihood of bankruptcy, using scoring methods.
1968 is a critical year point for predicting bankruptcy, thanks to Altman
who introduced the first method of scoring to separate the solvent enterprises from
the companies at risk of bankruptcy. For developing this rating system, Altman
introduced a statistical function using discriminant analysis and financial
performance. After applying this method on a large sample of companies, Altman
observed that he could predict more than 75% of bankruptcies in analyzes
conducted two years prior to bankruptcy. This percentage reaches 95% in case of
analysis conducted a year earlier and gradually decreases to 70% for those with
five years before the onset of bankruptcy.
Another model is the scoring of Conan and Holder appeared in 1978,
offering the possibility to identify the probability of introducing short-term
bankruptcy.

Model
Altman Conan and Holder

The Z = 3,3 x1+ 1,0 x2 + 0,6 Z = 0,16 x1 + 0,22 x2 – 0,87 x3 –

description x3 + 1,4 x4 + 1,2 x5 0,10 x4 + 0,24 x5
functon of
the model x1 = Current result x1 - partial solvency ratio
before tax / Total asset x2 – the rate of financial stability
x2 = Turnover / Total x3 - financial expenses ratio
asset x4 - remuneration of staff ratio
x3 = Market x5 - the share of gross operating
capitalization / Loans surplus in value added
x4 = Reinvested
earnings / Total Assets
x5 = Current assets /
Emil Scarlat, Nora Chirita, Ioana – Alexandra Bradea
________________________________________________________________
Total Assets

Z <1.8- bankruptcy Z <0.04 - The financial situation is

Scoring Z> 3 - good financial difficult
situation, the company 0.04 <Z <0.0 9 - The financial
is solvent; situation is uncertain
1.8 <Z <3 - The Z> 0.09 - good financial situation,
financial situation is the company is solvent;
difficult

According to our calculations, there were obtained for each method

applied a score reflecting a good financial situation of the company, placing it
away from the risk of bankruptcy. The score Z for Altman Method is 4.1053 and
for Conan and Holder is 0.42901.
Indicators and Metrics Used in the Enterprise Risk Management (ERM)
_______________________________________________________________

It can be seen from the above tables that the total score places the
company in a good position. This is indicated too by the green flag from the box.

Figure 4

7. Conclusions:

When we implement a system of KRI it is necessary to consider the

enterprise’s objectives and stakeholders. It is important to build KRI for the
important risks that a company can face. KRI must be continuously reviewed to
provide value.
The use of metrics offers multiple benefits for the company, among
which are the following: early identification of trends and issues, represents a
source of critical information for control, provides information about the likelihood
of achieving target sites, if there is a sign of improvement or contrary a worsening
of the situation, helps to make decisions based on information, helps in evaluating
performance, leads to a proactive management, improves future estimates and
performance, evaluates success and failure and improves customer satisfaction.
Businesses are constantly changing, like this modifying risk exposures. It
may be that certain key risk indicators which were relevant last year but they might
not be this year as well. The measurement of the risk indicators will provide added
value to the company, if they are implemented in accordance with its operations,
they will be reviewed and will be updated continuously.
Emil Scarlat, Nora Chirita, Ioana – Alexandra Bradea
________________________________________________________________

REFERENCES

[1] Ann Bostrom, Steven P. French, Sara J. Gotllieb (2008), Risk Assessment
Modeling and Decision Support . Springer Publishing, Berlin;
[2]Jonathan Davies, Mike Finlay, Tara McLenaghen, Duncan Wilsonm(2006),
Key Risk Indicators – Their Role in Operational Risk Management and
Measurement. Risk Business International Limited;
[3]Gregory H. Duckert (2010), Practical Enterprise Risk Management – A
Business Process Approach. John Wiley & Sons, USA, p. 145 – 154;
[4]Les Coleman (2009), Risk Strategies – Dialling up Optimum Firm Risk.
Gower e-Book, Publishing, Burlington, USA;
[5]Mark S. Beasley, Bruce C. Branson, Bonnie V. Hancock (2010), Developing
Key Risk Indicators to Strengthen Enterprise Risk Management. Research
Commissioned by COSO, December;
[6]Ron Person (2009), Balanced Scorecards and Operational Dashboards with
Microsoft Excel . Wiley Publishing, USA;
[7]Gabriela Munteanu (2010), Metode de analiză a riscului de faliment.
Romanian Statistical Review no. 12;
[8]Scarlat, E., Popovici, I.F, Bolos, M. (2011), Decision Model on Financing a
Project Using Knowledge about Risk Areas. Economic Computation and
Economic Cybernetics Studies and Research , ASE Publishing, issue 2, vol. 45;
[9]Web, http://www.kriex.org/Public.KRILibrary.aspx.