Blackhall & Pearl
Many risk indicators tend to track incidents rather than provide an early warning measure before the incident arises. A genuine indicator measures the root cause of a risk.

The proactive monitoring of risk exposure is top of mind for Boards and Senior Management. Risk indicators can play a major role in this process. Despite this heightened focus, many indicators are in fact lagging incident reports rather than leading measures.

As a result, organisations that have invested significant resources in developing indicators are often monitoring lagging data rather than early warning signals. This can stifle the preventative nature of their risk control efforts and result in a misleading profile of risk exposure.

Genuine Risk Indicators are quantitative early warning signals of the root causes of the risk in question.

Blackhall & Pearl Approach

The two main reasons why many so-called Risk Indicators track incidents (i.e. lagging data), rather than early warning signals (i.e. leading data), are Cognitive Bias and confusion around the Cause-Effect Correlation.

Cognitive Bias

More advanced approaches for the development of Risk Indicators adopt a “bow-tie” analysis process. Whilst this can provide a valid framework for the root cause analysis of risks, it can also be prone to Cognitive Bias, which can result in the identification of inaccurate causes of risk. Examples of relevant Cognitive Biases include “Availability Bias” (making decisions on what you currently recall), and “Framing Bias” (reacting to a particular choice in different ways depending on how it is presented). Our approach controls the influence of all relevant Cognitive Biases (particularly when workshopping indicators and scenarios with stakeholders and subject matter experts). For example, with Availability Bias, it is important to make sure you review all trends likely to affect the risk in question – particularly interconnected risk factors. In the case of Framing Bias, it’s always critical to look at both sides of a situation and not get influenced mainly by the perspective that is presented to you.

Cause-Effect Correlation

Risk factors may be positively related without one of these factors causing the other. For example, there are three elements to fire: Heat (e.g. sparks, hot surfaces, etc.), Fuel (i.e. gases, liquids and solids) and Oxygen. Despite the size of the Fuel (e.g. large amount of propane), it will not ignite without Heat or energy. The Fuel is a correlation – it is required for a fire, but it does not cause it (although the amount of fuel will influence the fire’s impact). The cause could be a spark that ignites the Fuel. Therefore, a causal Risk Indicator should measure Heat factors and not Fuel factors in this example. Our approach distinguishes between root-cause drivers of risk (i.e. sources) and correlation events related to risks (i.e. related or necessary factors for the risk to occur, but not causes). This ensures we monitor genuine early warning signals of changing risk exposure, which provides the ability to proactively control risk events at the source or trigger level.


A timely example of the propensity to track inaccurate Risk Indicators can be illustrated with the risk of CyberCrime:

CyberCrime Indicators

The risk of CyberCrime is often monitored by the number of hacking attempts as the Risk Indicator. However, the number of hacking attempts is a correlation to CyberCrime and not a cause. There needs to be a hacking attempt to perpetrate many forms of CyberCrime (e.g. receiving a hoax email is the “hacking attempt”), but the cause of CyberCrime in this instance is Social Engineering – where staff members are manipulated into divulging confidential or personal information. The number of hacking attempts is certainly of interest, but it is a correlation and not a cause and should therefore be monitored as “lagging” data or trend analysis. Where the root cause is Social Engineering (i.e. staff behaviour), the type of predictive or early warning Risk Indicators for CyberCrime can be data such as:  

  • % of staff that have not completed information security training (indicates staff awareness); and
  • # of sensitive information transmissions via email (indicates relevant staff habits).

Such indicators can provide early warning signals (i.e. leading data) as to the risk of the organisation experiencing CyberCrime and therefore a more effective means of proactively monitoring and targeting its causes. At the same time, the number of hacking attempts (i.e. lagging data in this case) can be used to understand the evolving nature of CyberCrime from a trend analysis perspective (e.g. type and frequency of hacking), so as to enhance the focus of preventative measures such as the syllabus for staff security training.

Client Benefits

Our approach to the development of Risk Indicators enables our clients to:


  • Identify the full range of root causes for each risk so that the correct impact and likelihood exposures are captured.
  • Enhance the effective prioritisation of key risks in terms of management attention and reporting.
  • Enable the proactive monitoring of each key risk with the opportunity to intervene at the causal stages of the risk process before it becomes acute.