Once risk management roles and responsibilities have been documented in job descriptions and committee charters then appropriate and measurable KPIs should be developed. Just like anything else, risk management KPIs need to be integrated into the overall performance management system, better still existing KPIs should be made risk-based instead of separate risk management KPIs.

Risk management is everyone's responsibility. Yet, research in neuroeconomics [1]shows that managing risks is not natural for people, it may even be against human nature. Without proper motivation or with inadequate motivation, employees are often reluctant to consider and disclose risks as part of their decision making. This message was reinforced during our interviews. Companies that have implemented and monitored risk management KPIs for key employees have demonstrated significantly higher risk management maturity.

KPIs should be specific for each role within the overall risk governance model.

For example, KPIs for the CEO may include:

• 
  
• an improvement in the risk management culture rating;
  
• regularity and quality of risk disclosure to shareholders;
  
• achieving risk-adjusted profitability measures.
  

For CFO or COO risk management KPIs may include:

• 
  
• improvement in risk management culture maturity;
  
• RAROC (risk-adjusted return on capital);
  
• risk-adjusted cash flow and liquidity measures;
  
• the number of critical operational events and so on.
  

For the employees, a risk management KPI may include timely and accurate risk analysis during core business processes or significant decisions.