Integrating KRIs into Your KPIs and Performance-Driven Compliance Culture
By Robert Zelinsky on July 30, 2019
In a performance-driven culture, the entire organization is driven to achieve certain positive outcomes. Goals are clear. Accountability is welcome. Together, everyone works toward success.
The secret to developing a performance-driven culture is defining how you measure success and failure, then sharing this with your stakeholders. To make progress toward your goals, every person in the enterprise must understand precisely what they’re trying to achieve.
That’s where key risk indicators (KRIs) and key performance indicators (KPIs) come in. They’re integral to defining and accomplishing the goals of a performance-driven culture.
Life science compliance programs are typically focused on developing KRIs, but don’t invest time or effort into translating KRI outcomes into better KPIs. The best KPIs address the following question: How are our initiatives actually impacting KRI performance over time?
Defining KRI and KPI
First, let’s define the terms. KRIs highlight how much risk is associated with a certain activity. They work as an early warning system, alerting the company to areas where resources are being used in highly risky situations - particularly those monitored by regulators.
KRIs tend to describe things like waste, excess, failures, and variance. Risk managers sometimes view KRIs as capturing how much appetite a company has for risk. If a company sets very tight KRIs for all activities, it has a low appetite for risk.
KPIs are performance signals that show how well a company is accomplishing its business goals. Broadly speaking, KPIs fall into two categories: internal and external. Internal KPIs are often tied to core business goals of the company. External KPIs come from outside sources like regulators and consultants.
KPIs historically have been utilized primarily to measure performance against business goals. However, the KPI concept can be applied more broadly to other areas. Generally, KPIs are success indicators applied to areas where improvement can be measured over time and goals can be set.
The Role of Risk
At any company, risk is a constant concern. Risk is found in nearly every activity, from purchasing raw materials to providing customer service. It’s part of doing business.
But when companies fail to provide proper risk management, they can face economic hardship, legal penalties, and severe reputational damage. The public and shareholders hold company boards of directors accountable for failures to manage risk.
PricewaterhouseCoopers’ Annual Corporate Directors Survey reported that 84% of directors believe their company has a clear allocation of risk oversight responsibilities among board members and committees. However, more than half of these directors suggested that risk management responsibilities still needed further clarification.
At many companies, it is unclear exactly where the responsibility for everyday risk management falls. According to the Harvard Law School Forum on Corporate Governance and Financial Regulation, a board of directors “cannot and should not be involved in actual day-to-day risk management.”
The board’s role is to ensure that the CEO and senior executives are doing their jobs in terms of risk management. Company directors should use their oversight roles to develop the KRIs, KPIs, and compliance policies it takes to manage risk.
For department directors and supervisors, the challenge is to assign individual risk management tasks to their employees. As the Harvard Forum puts it, supervisors must ensure “that risk-taking beyond the company’s determined risk appetite is recognized and appropriately escalated and timely addressed.”
Company employees and consultants have a duty to stay within the established boundaries of risk. They must regularly report activities accurately, resist the urge to go beyond thresholds, and operate in a culture where oversight and accountability are the norm.
Life sciences companies typically assign risk management responsibilities related to anti-corruption and anti-bribery (ABAC) concerns to compliance departments or, in smaller companies, individuals designated with compliance responsibilities. Departments or individuals with compliance responsibilities should report directly to senior leadership and the board, to ensure compliance concerns retain strategic visibility at the highest levels of the company.
KRIs are a valuable way for life science compliance departments to effectively measure risk and improve their ability to:
- allocate resources
- rapidly initiate corrective actions
- communicate strategic concerns through established leadership channels
KPIs can be deployed by compliance departments to track improvement in KRIs over time. Now let’s look at how a company can improve its risk management over the long term.
Improving Performance By Tracking KRIs Over Time
In a performance-focused culture, KRIs are tracked over time to measure whether risky activities are staying at the company’s preferred levels. When KRIs are signaling red flags for excessive risk, performance will inevitably suffer.
To track KRIs over time, a company must follow the 6 key steps in the lifecycle of a data-driven risk management program:
1. The first step is identifying the organization’s key risks.
2. Next, do research to uncover the drivers of key risks.
3. Refine and reuse the best and most proven strategies for your company.
4. Find and add any missing metrics, to get a clearer picture of risk status.
5. Create a reliable system to capture and monitor KRIs, setting clear thresholds.
6. Validate KRIs, perform testing, and prevent as many failures as possible.
In the lifecycle of a KRI, any risk that is significant enough to warrant active monitoring can be identified and influenced. Incidents should not just be counted; they should be actively minimized.
KRI design - step 5 in the lifecycle - must not be overlooked. It’s essential to have an organized structure for capturing and acting on important KRI data. This allows the company to manage risk in an organized way and react to any breaches or regulatory investigations that may occur.
A newly-established KRI tends to have an early lifespan of about 1-2 years during which time it should be thoroughly tested for effectiveness. In step 6 - validation - ask the question: Has it helped prevent any incidents? Based on the answer, further refine the KRI and continue moving it through its lifecycle. Remember, the KPI looks at improvements in your KRI metrics over time.
As we mentioned earlier, risk is part of running a successful business. Risk can’t be eliminated, but it must be managed carefully.
This is why risk management naturally requires a risk/benefit analysis approach, where company leaders examine the potential benefits and downsides of adding safeguards around risk-bearing activities. Sometimes in trying to minimize risk, negative outcomes occur.
For example, in our industry it is important to cap travel expenses to prevent them from reaching excessive levels. However, if the cap is set too low it will restrict travel too severely. People who would have previously traveled to do important company business may begin to avoid it, fearing that they will exceed the cap.
Small changes to thresholds can have surprisingly large effects across a company. Just a 5% reduction in allowable speakers’ costs, for example, can have a chilling effect on speakers’ willingness or ability to participate in your event panels. This could harm the company’s reputation in a competitive marketplace.
Proper risk/benefit analysis creates a “Goldilocks effect” where your thresholds aren’t set too high, aren’t set too low, and are just right for consistently hitting your goals. This leads to the most desirable long-term outcomes for the company.
Maintaining a Performance-Driven Culture
A company has successfully created a performance-driven culture when risk management activities are a welcome and integral part of daily business. Rank-and-file employees understand that minimizing excessively risky activities is good for everyone.
If your company needs help creating a performance-driven culture, Cresen Solutions is here to help. We developed a world-class compliance platform exactly for this purpose. It supports your mission with innovative auditing, monitoring, and analysis tools.
Monitor Mate is our global compliance monitoring platform that comes with fully-integrated global risk assessment functionality. It allows you to do the monitoring it takes to conduct effective risk/benefit analysis activities every day.
Data EZ puts your company’s data right at your fingertips. It’s a powerful cloud-based data management platform that supports the aggregation, cleansing and standardization of information for global transparency.
Data Analytics is a tool for the kind of strategic decision-making that comes with maintaining a performance-driven culture. It provides detailed reports and insights about payments, grants, contract fees, risk ratings, and more.
Vault Extender allows Cresen Solutions to handle the infrastructure required for risk management. It solves the problem of building, hosting, monitoring, and maintaining the framework of your business logic.
Cresen Solutions also offers life sciences consulting services that help you excel at the complex tasks that come with risk management. Our talented life sciences professionals have decades of combined experience.
We have a proven track record with solving the tough challenges that come with integrating KRIs and KPIs into a risk management framework. Cresen Solutions can provide the tools and guidance a company needs to develop a fully performance-focused culture.