We often see Key Performance Indicators and Key Risk Indicators (KPIs and KRIs) grouped together on cyber reporting dashboards, but there is an important distinction to be made between them. It’s worth stepping back and looking at why we use them, and what the difference is.
Measurement to reduce uncertainty
We learn how to measure at school. In science lessons, we are taught how to bring some element of order and certainty to a chaotic world that is full of uncertainties. We use measurement to reduce that uncertainty where it matters to us - whether it’s measuring out a certain volume of two liquids to initiate a chemical reaction, or measuring the output voltage between two points to maximise the efficiency of an electric motor.
In the world of business, measurement increasingly becomes focused on the bottom line (“How much dough are we making?”) but there are still lots of potential measurements that can help with reducing our uncertainty before we get to the end of the financial year, and check our profit & loss statements. That’s what key indicators do, whether they are Key Performance Indicators (KPIs) or Key Risk Indicators (KRIs).
Aim to be trendy
With most measurements, what matters most is the change over time - the trend. It can be as revealing, if not more revealing, than the single data point.
A single data point can be misleading. It might just be inaccurate, due to margins of error in reporting. It also might just be that some values vary on a more micro level. A good example of this is the short term volatility of stocks and shares, where an investor needs to look at the longer term trends to understand true performance and potential for return on investment.
So KPIs and KRIs have one thing in common: they both use historical data to build up a useful view of trends, but there is still a subtle difference between them. Together, they’re a data time machine to help you look into the past or the future. But each one does a different job.
KPIs act fine as trailing edge indicators. They can use historical data to give an indication of how an organisation has performed over a previous period. Yes, such data can be extrapolated to estimate future performance, but the KPI is more often than not built to report on past performance.
Leading the way
So while KPIs are inherently positive indicators – they look to measure the rise and/or fall of something an organisation wants to see, whether it’s growth or efficiency – KRIs are quite different.
KRIs are the flip side of the coin, because they focus on measuring a change in risk to the organisation, i.e. something that the organisation does not want to see more of.
So KRIs are a good leading edge indicator. Managing risk is all about trying to manage something that hasn’t happened yet, so not surprisingly, a good KRI tells the business something insightful about how much future risk there is in a certain business activity or process.
Keep an eye out for the other posts in this series: