A recent article on Key Risk Indicators (KRI) issued by COSO (Beasley et al., 2010) is the starting point of this paper. Our aim is to discuss the relevance of business processes in the design and implementation of KRIs. We analyse the reasons of the systematic underestimation of business processes in the COSO ERM framework and debate the implications that the explicit consideration of business processes has on the design of Key Performance Indicators and, consequently, of KRIs. We propose a framework for the design of a system of KRIs based on a distinction between risk factors and risk drivers. Then, we illustrate the framework through a simplified but realistic case study. At the end of the paper, we present guidelines to integrate our framework within the COSO KRIs’ guidance, in the light of both its contributions and its limitations.
Keywords: Key Performance Indicator (KPI); Key Risk Indicator (KRI); ERM; business process; COSO