9 Pitfalls to Avoid in Setting 2019 KPIs

As we all start working toward our goals and targets for the year, what defines a good KPI? Guest blogger Hanne Sorteberg returns to share her experience and advice on how to get these priority metrics right. She also helpfully shares nine pitfalls to avoid.

Whether you are an analytics leader setting KPIs for your team, or influencing other teams, this is for you.

Over to Hanne…

A new business year often brings new strategies and plans. KPIs, key performance indicators, are metrics that provide information on how a business is performing. KPIs ensure that a strategy is achieved, by giving direction to the employees who can realize it.

Best case, KPIs are the compass that makes sure we are headed in the right direction. Worst case, they may drive behavior we do not want.

Best case, they motivate for increased and improved effort; worst case, they discourage and demotivate. Oftentimes, they are a theoretical exercise put in a drawer without value.

Avoiding worst-case KPIs

How can we build KPIs that contribute to the growth and development of our business?

KPIs should follow the checklist for SMART goals:

  • S = Specific, it is evident and clear what the goal is
  • M = Measurable, it is possible to measure the goal unambiguously
  • A = Ambitious, it’s a stretch to achieve, and at the same time realistic
  • R = Relevant, it contributes to the business’ strategy
  • T = Timed, the timeframe for when the goal is to be achieved is clearly defined

There are many pitfalls to avoid to succeed with KPIs and goal management. Here are nine to consider:

Pitfall #1: Too many KPIs

The most common mistake is to be too ambitious and clever, vigorously defining KPIs for the entire business with fancy graphs and Excel macros. The work requires a lot of time to set up, and even more to maintain. Important deviations drown in information overload.

A hospital went from one report of over 150 measurements, that no one paid attention to, to a lamp on the manager’s desk. It had a green, yellow or red light depending on the waiting time in the emergency room. The lamp caused a significant improvement.

A few, important KPIs can be enough to model the most important business processes. First ensure these are established, communicated and anchored in the organization. Then you can consider adding or adjusting the KPI process.

Pitfall #2: Overly fancy KPIs

Some KPIs can measure performance well but still be a bad choice. It can be too difficult to obtain the data. It can be difficult to explain what the KPI is, or there may be disagreement on how the KPI should be defined or calculated.

Pitfall #3: KPIs that are impossible to measure

Some KPIs that are important can be difficult to measure. In such cases, you either have to drop them or find an alternative way to measure them. For instance, customer satisfaction can be measured by an index based on surveys.

It is important that the KPI is a numerical value, so that you can define thresholds and measure historical development. Make sure the KPI has the same meaning over time.

Pitfall #4: Vanity KPIs

Eric Ries, author of “The Lean Startup,” uses the term “vanity metrics” for measures that are celebrated as achievements but don’t contribute to the growth and development of the business.

The number of page views, clicks, downloads and the like are examples of metrics you can boast about, but they don’t necessarily contribute to increased sales, customers or loyalty. Vanity metrics can take your attention away from the important stuff to follow up on.

Pitfall #5: Not defining “good”

What are satisfactory results?

KPIs should drive the right behavior. It is important to define the thresholds for a good result (green), making clear when a deviation requires action to improve a yellow or red (critical) situation.

Pitfall #6: Not following up on KPIs

Many businesses define KPIs as a part of their yearly strategy planning. The KPIs should be followed up frequently enough that you have a chance to adjust course in time.

Some KPIs may be measured daily or weekly, others more seldom. If something is measured less frequently than quarterly, it is probably not a good KPI.

Pitfall #7: Not distinguishing between result and effort KPIs

Most KPIs show results a business has achieved: sales, the number of customers and contracts, waiting time, etc. You cannot influence these metrics directly; they result from what you do.

An effort KPI measures the activities you do to affect the results. The number of sales calls, marketing campaigns, number of service calls and hours used for improvements are examples of such KPIs.

It is useful to link result and effort KPIs. When a measurement hits yellow or red, which actions are taken? And how much effort does it take to correct?

Pitfall #8: KPIs that drive unwanted behavior

Some KPIs can have consequences you did not foresee, or even lead to behavior that is unwanted. If you, as a software vendor, introduce a KPI on the number of bugs, the development time may increase significantly.

Measurements comparing when features are delivered to an estimate may lead to estimates that are way too high.

A KPI to shorten the length of a telephone call at a service desk to decrease waiting time may cause fewer issues to be handled at the first call. But it may also actually increase the total waiting time.

Some of these KPIs may be kept if they are balanced by an additional KPI. For example, the number of bugs can be measured at the same time as development effort, and the length of service calls can be measured in addition to the number of issues solved at the first call and customer satisfaction.

It is critical to reflect on whether the KPI will introduce negative and unexpected consequences. If you can imagine any, set up monitoring to evaluate how effective the KPI is over time.

Pitfall #9: KPIs aren’t communicated and anchored in the organization

KPIs are meant to change the way you act. To measure without doing something different based on the results is wasted time.

If you are to introduce a system of goals and measurements, it is important that the KPIs are communicated. This needs to be done in a clear way, and the organization needs to agree to them. Stakeholders should perceive that their effort can affect the KPIs. They need to believe that the goals are realistically achievable.

Something should happen when a KPI turns yellow or red, either corrective action or an adjustment of the KPI to make it reflect reality.

How are your KPIs?

Thanks to Hanne for that practical post, which I’m sure is relevant to many managers at this time of year.

What are you going to do differently as a result? Are you confident that you have the right KPIs for 2019? If not, how could they be improved?

If you do make changes that work, after reading Hanne’s advice, I’d love to hear your story.

The Dark Side of Product KPI

Why do we base product KPI on data to begin with? 

Product KPI (key performance indicator) is defined so we can measure how well a new feature works or resolve an A/B test. That’s why it is only natural that when we come to set the KPI for a new product or feature, we start by looking at the data. This methodology fits nicely with the “scientific” and lean approach to product development: We base decisions on data and measurable KPIs rather than “soft,” qualitative guesswork.

The limitations of working only with data

But confining ourselves to data has its limitations. For starters, data is not immune to biases. We tend to interpret data to confirm our assumptions. But even if we reduce the bias risks, we can only look at the data we have. So even if we have already accumulated a lot of data, it still does not include behaviors and use cases that occur beyond our data, in the dark side of the data. Defining product KPI based on existing data is like looking for the solution under the spotlight. That’s fine if the solution is there, but what if what we need to improve in our product market fit, or hack in our growth challenge, is hiding in the shadows?

The importance of articulating a product strategy 

The product life-cycle often starts with use cases. We ask ourselves what our users do and how we can solve their problems or improve their experiences. That helps us to define the product KPI. But there is another important step in between: articulating product strategy. That is to say: given certain use cases, what do we want our product to achieve? Is it simply to help existing users do something faster? Or in a more sharing manner so we can hack viral growth? Or are we looking for the product to serve a more business-oriented goal of up-selling new features? Or even to help attract new types of users? While these questions may not change the basic use cases, nor our deep dive into product flow, they could be critical in defining the product KPI and eventually measuring product success and ROI.

Using product strategy to define product KPI

A well-articulated product strategy can influence our prioritization along the product life-cycle and make MVP decisions easier. We still want to test our value and growth assumptions first, but without a well-articulated product strategy we can find ourselves arguing about the definition of value. There are many ways to generate value in a given use case. Setting the product KPI based on product strategy means we are prioritizing the value proposition according to our preferred target segment and our business goals. That’s why when we define product KPI it’s not enough to look at data and use cases. We must define product KPI in the context of our overall business strategy and its derivative product strategy.

2017: A Journey Toward Self-Disruption

Last year, an EIOPA stress test revealed that a large portion of European insurers remain vulnerable to one or both of the tested scenarios. At the same time, insurers continue to struggle with a constant shift in customer expectations. We are all used to seamlessly working digitally in more and more aspects of our lives, and we’ve come to expect the same treatment when it comes to insurance.

So what’s the problem? Shouldn’t a healthy insurer be perfectly able to cope with some adversity while making the change to become a more digital and customer-minded organization?

Unfortunately, a number of reasons mixed together provide a particularly toxic combination that slows the transformation. To start with, insurers are still largely running on legacy applications. Not only does this limit organizational agility dramatically, but it also means that available change capacity is predominantly used to keep the legacy infrastructure up and running.

On top of this, regulatory pressures are dramatically increasing the cost of doing business. Complex risk and compliance requirements in legacy-dominant environments reduce the ability to transform on a more fundamental level. Furthermore, there is continued pressure on product margins, and historically low interest rates are reducing returns.

Beyond the insurtech hype

As incumbents struggle with internal inefficiencies and adverse conditions, fintech and insurtech initiatives are starting to emerge – based on fresh thinking and modern application architectures. These new initiatives relentlessly exploit inefficiencies in the value chains. And with the rise of the sharing economy, new ways to manage risks like usage-based or P2P insurance are becoming increasingly important.

The right stuff?

The awareness that incumbents need to transform their way of working, and solve some fundamental problems in their business models, is prevalent. There is in fact a lot of activity and experimentation taking place, through innovation labs, partnerships or direct strategic investments in insurtech.

This is all well and good, but are these initiatives sufficiently grounded to become successful? Do incumbents possess the right stuff to create, develop, nurture and scale new business concepts with sufficient impulse to remain relevant and profitable in the long run?

The journey toward self-disruption

These are all questions that the industry will be posing in 2017, and there is no doubt the insurance sector needs to adapt to a new world. One thing is for certain, simply embarking on a journey to implement one of the “Top-10 Insurtech Solutions” is not going to cut it.

The real challenge lies in first removing the legacy culture from organizations before trying to solve the challenge in application landscapes and value chains. This journey toward self-disruption requires courage and leadership. To reach the desired destination, boards may consider numerous approaches to rebalance change programs. 

Considered approaches

Scenario planning and storytelling can be a powerful tool for coping with a large number of uncertainties. Scenarios are perfectly suited to translate into compelling, vivid images of the future, using powerful storytelling as an effective way to convey messages.

Changing the innovation mix is also something insurers will be contemplating. The composition of your innovation mix (product-, process- or business-model focused) should be in line with the lifespan of your dominant business model. For insurers, this might imply that now is the time to direct more resources toward more radical forms of innovation.

Replacing incentives blocking change is another approach to consider. If a board’s primary responsibility is to facilitate the presence of a long-term business model, then this implies that the board should worry about anything in the organization that blocks this purpose. A review of existing performance management and key performance indicator (KPI) frameworks might be one of the most critical things to address as this drives behavior throughout the organization.

Then there is creative destruction as a driving force. A constant process of internal creative destruction is required to avoid becoming the victim of an external, competing creative force. The likes of General Electric and Johnson & Johnson have mastered this. Carefully applying these design principles in the insurance sector might be a critical activity.

Looking ahead  

The insurance sector has a long way to go in adapting to a new world. There is a critical role for current and coming leadership. We see insurers increasingly partner with insurtech companies, hoping to find fresh thinking, agility and entrepreneurship. We’ll have to find out if this brings sufficient change. Otherwise, the EIOPA double-hit scenario might be a blessing in disguise – it could, in fact, provide the required burning platform for the long-awaited transformation.

Helping Data Scientists Through Storytelling

Good communication is always a two-way street. Insurers that employ data scientists or partner with data science consulting firms often look at those experts much like one-way suppliers. Data science supplies the analytics; the business consumes the analytics.

But as data science grows within the organization, most insurers find the relationship is less about one-sided data storytelling and more about the synergies that occur in data science and business conversations. We at Majesco don’t think it is overselling data science to say these conversations and relationships can have a monumental impact on the organization’s business direction. So, forward-thinking insurers will want to take some initiative in supporting both data scientists and business data users as they work to translate their efforts and needs for each other.

In my last two blog posts, we walked through why effective data science storytelling matters, and we looked at how data scientists can improve data science storytelling in ways that will have a meaningful impact.

In this last blog post of the series, we want to look more closely at the organization’s role in providing the personnel, tools and environment that will foster those conversations.

Hiring, supporting and partnering

Organizations should begin by attempting to hire and retain talented data scientists who are also strong communicators. They should be able to talk to their audience at different levels—very elementary levels for “newbies” and highly theoretical levels if their customers are other data scientists. Hiring a data scientist who only has a head for math or coding will not fulfill the business need for meaningful translation.

Even data scientists who are proven communicators could benefit from access to in-house designers and copywriters for presentation material. Depending on the size of the insurer, a small data communication support staff could be built to include a member of in-house marketing, a developer who understands reports and dashboards and the data scientist(s). Just creating this production support team, however, may not be enough. The team members must work together to gain their own understanding. Designers, for example, will need to work closely with the analyst to get the story right for presentation materials. This kind of scenario works well if an organization is mass-producing models of a similar type. Smooth development and effective data translation will happen with experience. The goal is to keep data scientists doing what they do best—using less time on tasks that are outside of their domain—and giving data’s story its best possibility to make an impact.

Many insurers aren’t yet large enough to employ or attract data scientists. A data science partner provides more than just added support. It supplies experience in marketing and risk modeling, experience in the details of analytic communications and a broad understanding of how many areas of the organization can be improved.

Investing in data visualization tools

Organizations will need to support their data scientists, not only with advanced statistical tools but with visualization tools. There are already many data mining tools on the market, but many of these are designed with outputs that serve a theoretical perspective, not necessarily a business perspective. For these, you’ll want to employ tools such as Tableau, Qlikview and YellowFin, which are all excellent data visualization tools that are key to business intelligence but are not central to advanced analytics. These tools are especially effective at showing how models can be used to improve the business using overlaid KPIs and statistical metrics. They can slice and dice the analytical populations of interest almost instantaneously.

When it comes to data science storytelling, one tool normally will not tell the whole story. Storytelling will require a variety of tools, depending on the various ideas the data scientist is trying to convey. To implement the data and model algorithms into a system the insurer already uses, a number of additional tools may be required. (These normally aren’t major investments.)

In the near future, I think data mining/advanced analytics tools will morph into something able to contain data visualization tools superior to those currently available. Insurers shouldn’t wait, however, to test and use the tools that are available today. Experience today will improve tomorrow’s business outcomes.

Constructing the best environment

Telling data’s story effectively may work best if the organization can foster a team management approach to data science. This kind of strategic team (different than the production team) would manage the traffic of coming and current data projects. It could include a data liaison from each department, a project manager assigned by IT to handle project flow and a business executive whose role is to make sure priority focus remains on areas of high business impact. Some of these ideas, and others, are dealt with in John Johansen’s recent blog series, Where’s the Real Home for Analytics?

To quickly reap the rewards of the data team’s knowledge, a feedback vehicle should be in place. A communication loop will allow the business to comment on what is helpful in communication; what is not helpful; which areas are ripe for current focus; and which products, services and processes could use (or provide) data streams in the future. With the digital realm in a consistent state of fresh ideas and upheaval, an energetic data science team will have the opportunity to grow together, get more creative and brainstorm more effectively on how to connect analytics to business strategies.

Equally important in these relationships is building adequate levels of trust. When the business not only understands the stories data scientists have translated for them but also trusts the sources and the scientists themselves, a vital shift has occurred. The value loop is complete, and the organization should become highly competitive.

Above all, in discussing the needs and hurdles, do not lose the excitement of what is transpiring. An insurer’s thirst for data science and data’s increased availability is a positive thing. It means complex decisions are being made with greater clarity and better opportunities for success. As business users see results that are tied to the stories supplied by data science, its value will continue to grow. It will become a fixed pillar of organizational support.

This article was written by Jane Turnbull, vice president – analytics for Majesco.

How to Understand Your Risk Appetite

This is Paper 3 of a series of five on risk appetite and associated questions. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards comprehend the links between risk and strategy. This is achieved either through painful crises or through the less expensive development of a risk appetite framework (RAF). Understanding of risk appetite is very much a work in progress for many organizations, but RAF development and approval can lead boards to demand action from executives.

Paper 1, the shortest paper, makes a number of general observations based on experience with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. This paper, Paper 3, answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between risk appetite frameworks and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and risk maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.

Paper 3: Should all organizations have a risk appetite framework?

The relationship between risk and strategy is a function of neither risk management nor strategic management. Rather, it is simply good management in an uncertain world, where business models are:

  1. Increasingly driven to be available on a 24/7 global footprint,
  2. Online using telecom networks,
  3. Becoming more dependent on third-party service providers,
  4. Becoming more connected within larger financial, supply chain and energy supply chains.

It is our view that the term “risk management” will, within the 2010 decade, become supplanted by the term “resilience management” and that the latter term will become an integral part of risk culture in organizations that are trading internationally or vulnerable to international supply chains.


Maintaining a risk appetite framework will thus, before the end of this decade, be a matter of necessity, and not a matter of choice. The driver in this regard will be the pace of change. Look at the pictures above, both at a papal blessing, and you see what a difference less than a decade can make.

What is leading organizations to put formal risk appetite frameworks in place?

Greater investor and regulatory focus, combined with a recognition that risk practices are becoming increasingly professional, has caused organizations to change attitude toward risk from a broadly negative stance to a more positive and engaged approach.

We note a global scarcity of skilled chief risk officers and unwillingness by organizations to commit resources in the current economic climate. Nevertheless, enlightened organizations are gaining appreciation of the links between risk and strategy and in turn moving toward putting in place the necessary resources and supports to provide greater risk professionalism.

How are risk appetite and strategy related?

The diagram below describes the relationship.


Figure 2: RMI’s 7 elements approach to aligning strategy and risk

Earlier in these papers, we described board risk assurance as assurance that strategy, objectives and execution are aligned.

We further explained that alignment is achieved by operationalizing the links between risk and strategy. This is done by integrating each of the seven numbered elements described in the diagram above as follows:

1.     Reaching a determination as to long-term purpose and formulating those strategic initiatives and objectives that are required to achieve it[1],

2.     Understanding obstacles to the achievement of objectives: This needs to be understood practically in terms of a motor journey from, say, Dublin to Cork or Berlin to Paris.

Before the journey, people need to understand, and manage, what can stop them, slow them down or distract them on the journey. Once people understand risk management in these simple and practical terms, they understand that risk management is more about achieving objectives (getting from point A to point B) than compliance with regulations. It is about improving performance on the journey.

What people? In the simplest of terms, they are the owners of the car (shareholders represented by the board), the driver (CEO and executives) and passengers (primary stakeholders, i.e. customers, employees, investors, suppliers and secondary stakeholders and others with a legitimate interest in the business).

3. Setting objectives and getting balance and alignment (Note: strategy maps, e.g. Balanced Scorecard):

This is done in risk management terms by:

a. Strengthening the strategic planning process; for example:

i.     Increasing rigor, formality and consistency in the strategic planning office (SPO), which derives its authority from the board and the CEO’s office,

ii.     Aligning strategy, risk and audit board subcommittees (through cross-representation) in a manner that largely mirrors the conventional three lines of defense model[2] and reflects the requirement to strengthen board risk oversight, reporting and monitoring[3],

iii.     Embedding risk management competence within the SPO[4],

iv.     Explicitly articulating corporate and organizational objectives,

v.     Testing the alignment of group, corporate and organizational objectives through development and review of risk appetite statements.

b. Establishing an effective risk appetite framework, which includes:

i.     Statement of purpose and values of the organization,

ii.    Explicitly stated board risk assurance requirements; factors to consider would include:

  1. Mapping objectives to a risk appetite continuum,
  2. Qualitatively expressed risk appetite statements,
  3. Quantitatively expressed risk criteria related to both risk tolerance and risk limits.

c. Understanding and improving the organizational level of risk maturity

Risk maturity is outside the scope of this paper; however, discussion on the topic would be welcomed by RMI. RMI has developed a five-level RMI Risk Maturity Index, which provides a road map to risk optimization. The index scores risk maturity capability requirements, etc. In summary, it describes:

  • Level 5: “Value-Driven” — Optimizing value through aligning risk and strategy with corporate objectives,
  • Level 4: “Managed” — Gaining value through aligning risk and strategy in pursuit of corporate objectives,
  • Level 3: “Insight” — Gaining insights into how to better align risk and strategy in pursuit of corporate objectives,
  • Level 2: “Awareness” — Developing awareness into how to align risk and strategy in pursuit of corporate objectives,
  • Level 1: “Basic” — Seeking awareness of the links of risk and strategy in pursuit of corporate objectives.

d.   Building resilience:

i.     Ensuring that the SPO engages in systematic risk horizon scanning as well as:

1. Understanding near misses and escalation reports in the organization and externally,
2. Monitoring performance of risk treatments[5],
3. Proofs and tests of the quality of decision making, and decision making processes, through simulated threat and opportunity crisis[6] scenario(s) exercises,

ii.     Anticipating emerging risks[7].

4.     Evaluating the amount of risk the organization is prepared to accept in pursuit of the long-term statement of purpose; and then deciding how to treat risks:

Just as implementation is critical to performance[8], risk treatment is at the cutting edge of risk management and managing risks!

Disappointingly, however, very many organizations commit disproportionate resources to risk assessment with inadequate attention paid to what really matters; that is, treating risks. In essence, very many organizations concentrate on the P in the PDCA (plan, do, check, act) cycle, with not enough attention paid to doing, checking and acting on continuous improvement requirements.

This is pretty much in evidence in a review of many of the risk registers we have examined on behalf of clients. The majority of the surface area/content of the report (sadly, and sometimes tragically, an Excel, Word or PowerPoint document, as distinct from a credible database solution[9]) is given to risk assessment.

In our experience, often, precious little detail is given to:

  1. Who, specifically, is responsible for individual risk treatments,
  2. Change management and resource requirements supporting risk treatments,
  3. The project/risk treatment key performance indicators (KPIs), milestones and gateways,
  4. The expected residual effect of risk treatments on likelihood and impact,
  5. The role of management in reviewing performance against KPIs, milestones and gateways. 

Risk treatment reports, which are presented to the level of detail described above and which are evaluated by the SPO in a manner that provides a feedback loop to the performance of objectives, become leading indicators of the future state of health of objectives.

5.     Weighing the odds consistently throughout the organization: This is the function of the chief risk officer (CRO), a most important role within the organization, and of the risk committee.

The ability of the CRO and risk committee to efficiently and effectively perform this function is directly proportional to the efficacy of the assurances delivered as described above.

Typical weaknesses and challenges that can occur include:

1. Frequency of changes required to risk criteria (tolerances and limits) in early stage (risk) maturity organizations as a consequence of:

  • Pace of change internally and externally in the organization,
  • Identification of emerging and external risks hitherto not understood.

2. Inability to undertake real-time dynamic tests of risk aggregations:

  • Around discrete objectives,
  • Across risk categories.

The weaknesses and challenges described above often result in:

1. Meetings where questions asked can only be answered in terms of:

i.     This is the historic “point in time” information we have prepared.

ii.     We will need to revert with answers to your query in X days.

2. Risk aggregation tests not being run and emerging/known unknown risks not being identified until there is an occurrence.

6. Compliance with laws and regulations: Organizations are established to achieve superior returns, with limited liability to risk takers. However, they are expected to do so having full regard for all legal requirements.

Clearly, it is axiomatic to assume the lawful intent of a company’s original promoters, and thereafter its directors and the executive. To this extent, compliance is an operational imperative and a sunken cost.

Compliance alone does not drive value, but without it value cannot be created.

It would seem inappropriate to place compliance at the center of board agenda, just as it would be a mistake to place compliance at the center of the diagram above, which describes the relationship between risk and strategy.

However, compliance is a mission-critical element within the risk/strategy governance framework.

7. Tough governance, setting policy and monitoring performance: In the context of the relationship between risk and strategy, tough governance means risk culture.

“Risk culture” is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organization or of teams or groups within an organization. This applies whether the organizations are private companies, public bodies or not-for-profits, wherever they are in the world.[10]

Risk culture, as an aspect of culture, can be practically described thus:

Culture: The way we do things around here!

Risk culture: The freedom we have to challenge around here!

Risk culture is capable of being demonstrably and credibly evidenced by:

1. Board and executive messaging[11] on threats and risks to operations and jobs when people fail to act/report when they:

i. Identify a smarter way of completing a task, achieving an objective,
ii. See a threat or risk to the organization.

2. Escalation reports and their treatment by the executive and management,

3. Near misses reported and averted.



[1] Strategy formulation is not part of the development of risk appetite frameworks; however, each is intrinsic to, and informs, the other.

[2] IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Internal Control, January 2013

[3] Board Risk Oversight, A Progress Report: Where Boards of Directors Currently Stand in Executing Their Risk Oversight Responsibilities (Protiviti Report commissioned by COSO (Committee of Sponsoring Organizations of the Treadway Commission))

[4] NOTE: Risk Management and the Strategy Execution System by Robert S. Kaplan, which advances a method for aligning enterprise risk management with strategy through the Balanced Scorecard

[5] Effective reporting and monitoring of risk treatments delivers the twin benefits of 1) monitoring risk performance, and 2) establishing leading indicators on the future state of health of objectives

[6] Crisis is defined as: An inherently abnormal, unstable and complex situation that represents a threat to the strategic objectives, reputation or existence of an organization: PAS 200:2011 Crisis Management – Guidance and Good Practice, UK Cabinet Office in partnership with the British Standards Institute

[7] Reference Kaplan, Mikes Level 1 Global Enterprise Risks,

[8] McKinsey, August 2014, Why Implementation Matters: Good implementers—defined as companies where respondents reported top-quartile scores for their implementation capabilities—are 4.7 times more likely than bottom-quartile companies to say they ran successful change efforts over the past five years. Respondents at the good implementers also score their companies around 30% higher on a series of financial performance indexes. Perhaps most important, the good-implementer respondents say their companies sustained twice the value from their prioritized opportunities two years after the change efforts ended, compared with those at poor implementers

[9] Functionally designed and specified to meet the ISO 31000 series

[10] Institute of Risk Management (IRM), Risk Culture, Under the Microscope: Guidance for Boards

[11] Speak up/Stand up/Ethics Line/Whistleblower Lines etc.