Navigating uncertainties with risk metrics

Imagine if the earliest sign of an emerging risk wasn’t found in a formal report or a sophisticated dashboard, but in something as ordinary as a surge in pizza orders.

During the lead-up to the 1991 Gulf War, staff at a Washington DC pizza chain reportedly noticed a sharp spike in late-night deliveries to the Pentagon and CIA headquarters (source: newspaper clipping from The Los Angeles Times). This unexpected pattern revealed a powerful truth that analysts had quietly stumbled upon: when pressure mounts, human behaviour leaves subtle but measurable clues. It turns out, risk indicators are everywhere – if you know what to look for.

“Insights can emerge from the most unlikely places, even something as ordinary as pizza orders – of all things”.

Adopt a ‘crystal ball’ mindset

Similarly, this approach can be applied to our everyday work in the Victorian public sector. Organisations must consider risk as part of their decision-making, which means being alerted to changes in the current operating environment that might indicate something could go wrong in the future. So, how can this be achieved?

The Victorian Government Risk Management Framework prescribes the adoption of the AS ISO 31000:2018 standard. At the core of the standard is the application of a consistent process, including ongoing monitoring and review.

Organisations must continuously track both their internal and external environments, including:

Operation of controls (measures which modify risks)
Performance against objectives
Validity of existing risks
Events and near misses (occurring within our own organisations or in others).

Adopting a crystal ball mindset is about being curious, proactive, and willing to question current assumptions. This forms the basis for cultivating a positive risk culture that supports informed decision-making and helps anticipate emerging risks, sometimes from the most unexpected sources, such as the spike in the pizza orders as mentioned earlier.

Choose the right metrics for meaningful monitoring

Monitoring isn’t just about looking backward at past performance but also looking forward at potential volatility. We’ll consider three distinct but interconnected metrics here: Key Performance Indicators (KPIs), Key Risk Indicators (KRIs), and Key Control Indicators (KCIs).

Focus: success and achievement
A KPI measures how effectively you’re achieving your core objectives. It acts as the ‘rear-view mirror’ and ‘speedometer’ of the organisation.
Example: Percentage of Freedom of Information (FOI) requests processed within the 30-day statutory limit.
In practice: A Department Head monitors this KPI monthly. If the rate drops from 95% to 80%, the KPI signals a performance failure.
Decision-making value: KPI tells the leader what's happening. It justifies the reallocation of staff to the FOI Unit or triggers a review of internal administrative bottlenecks to ensure the agency remains compliant with the Freedom of Information Act 1982.
Focus: anticipation and early warning
Unlike a KPI, which measures results, a KRI measures the probability of a future event that could impede those results. It acts as a ‘smoke detector’.
Example: Staff turnover rate within a specialised technical unit (e.g. cybersecurity, bridge engineering, hospital clinical team).
In practice: While a current program might be on track (a green KPI), a KRI showing a 20% spike in staff departures suggests a high risk of future delays, knowledge loss and business interruption affecting the community.
Decision-making value: KRI tells the leader what might happen. Instead of waiting for a business function to fail, the executive can intervene early by reallocating resources, reviewing business priorities or initiating an urgent recruitment drive.
Focus: reliability and defence
A KCI monitors the effectiveness of the specific ‘treatments’ or ‘controls’ put in place to manage a risk. It answers the question: ‘Are our safety nets holding?’.
Example: Percentage of staff who’ve completed mandatory 'Conflict of Interest' training and declarations.
In practice: If a department’s risk register identifies ‘procurement fraud’ as a high risk, the training completion rate is a KCI. If completion falls to 60%, the control isn’t operating as intended.
Decision-making value: KCI tells the leader how protected they are. If a KCI is low, a decision-maker cannot have confidence in their control environment. They might decide to halt new procurement contracts until the ‘control’ (staff awareness) is restored to 90%, thereby protecting the agency from fraud and corruption, leading to external investigations and reputational damage.

The practical lens – application, rather than theory

A ‘risk-based approach to work’ means making value judgements on what to prioritise and what to accept.

Monitoring risks using indicators is an important capability to recognise and develop as part of your risk management approach. However, collecting data requires effort involving systems, synthesis, collection, storage, reporting, classification and so on.

Here are some tips to help you apply a practical lens to risk monitoring:

Key takeaways

By adopting a curious, crystal ball mindset, you’re taking time to seek out and use evidence to increase your confidence when making decisions. When a KPI drops, you check the KCI to see if a process has failed, and the KRI to see if something else has changed (like a spike in pizza orders!).

This integrated approach ensures that Victorian agencies remain resilient, transparent, and most importantly, capable of delivering high-quality services to the community regardless of the uncertainties ahead.

Interested in finding out more?

Read our guide on this topic How key risk indicators help manage risk | vmia.vic.gov.au

Or reach out to us at clientlearning@vmia.vic.gov.au or register for our training at Learning hub | vmia.vic.gov.au