Key Takeaways
| # | Takeaway |
|---|---|
| 1 | A Key Risk Indicator (KRI) is a quantitative metric that provides an early warning signal of increasing risk exposure before the risk materializes into a loss event. |
| 2 | This guide provides 50 ready-to-use KRI examples across ten risk categories: operational, cyber/information security, financial, compliance/regulatory, strategic, third-party/vendor, project, human capital, ESG/climate, and governance. |
| 3 | Every KRI includes the metric definition, measurement formula, tolerance threshold, and escalation trigger. Copy these directly into your KRI dashboard. |
| 4 | Effective KRIs meet the SMART-R criteria: Specific, Measurable, Actionable, Relevant, Timely, and Reportable. Vague indicators that cannot be measured or acted upon are useless. |
| 5 | KRIs are not KPIs. KPIs measure past performance; KRIs measure current risk exposure and predict future events. The best risk programs use both in tandem. |
| 6 | Configure KRIs in a traffic-light dashboard (Green/Amber/Red) with automated data feeds. Report KRI status to the board alongside the risk register and funded-status updates. |
| 7 | Start with 15–20 KRIs mapped to your top-rated risks. Scale to 50 as the risk program matures. Too many KRIs too soon creates monitoring fatigue. |
What Is a Key Risk Indicator?
A Key Risk Indicator is a quantitative or qualitative metric that signals a change in the organization’s risk exposure, providing an early warning that a risk is trending toward or beyond the organization’s tolerance threshold.
KRIs sit at the intersection of risk identification and risk monitoring. They convert the static risk register into a living, continuous surveillance system.
ISO 31000:2018 requires organizations to monitor and review the risk management framework on a continual basis (Clause 6.6). KRIs are the primary mechanism that makes continuous monitoring practical.
The COSO ERM Framework (2017) positions KRIs within the Review & Revision component, emphasizing that risk indicators should be linked to risk appetite and tolerance statements.
This guide provides 50 actionable KRI examples organized into ten risk categories. Each KRI includes the metric name, a plain-language definition, the measurement formula, a sample tolerance threshold, and the escalation trigger. Copy these into your KRI dashboard and customize the thresholds to your organization’s risk appetite.
KRI vs. KPI: Understanding the Difference
Risk managers and business leaders frequently confuse KRIs with KPIs. The distinction is critical because the two metrics serve fundamentally different purposes.
| Dimension | Key Risk Indicator (KRI) | Key Performance Indicator (KPI) |
|---|---|---|
| Purpose | Measures current risk exposure and predicts future adverse events | Measures past performance and progress toward objectives |
| Time Orientation | Leading indicator: signals risk BEFORE the event occurs | Lagging indicator: reports results AFTER the period closes |
| Action Trigger | Threshold breach triggers risk escalation, investigation, and mitigation | Target miss triggers performance review, coaching, or strategy adjustment |
| Example | % of critical patches not applied > 30 days (signals growing cyber risk) | Revenue growth of 12% year-over-year (reports past financial performance) |
| Reported To | CRO, Risk Committee, Board Risk Committee | CEO, CFO, Board Performance Committee |
| Data Source | Risk register, incident logs, control testing, system monitoring, vendor reports | Financial systems, CRM, HR systems, operational dashboards |
Some metrics serve as both a KPI and a KRI depending on the context. Employee turnover rate, measured monthly, is a KPI when the HR team tracks staffing levels.
The same metric becomes a KRI when the risk register links high turnover to operational risk (knowledge loss, processing delays, increased errors). The classification depends on the purpose of the measurement, not the metric itself.
What Makes a Good KRI? The SMART-R Criteria
| Criterion | Definition | Bad Example | Good Example |
|---|---|---|---|
| Specific | The KRI measures a single, clearly defined aspect of risk exposure | “System risk” | “Number of critical-severity CVEs unpatched beyond 30 days” |
| Measurable | The KRI can be quantified using available data sources | “Customer satisfaction level” (no defined scale) | “Net Promoter Score (NPS) measured monthly via survey” |
| Actionable | A threshold breach triggers a defined response (investigation, escalation, mitigation) | “Market volatility” (what do you do with this?) | “VaR utilization > 90% triggers CRO review and rebalancing discussion” |
| Relevant | The KRI is linked to a specific risk in the risk register and aligned to risk appetite | “Total number of emails sent” | “Phishing click-through rate (linked to R-012: Social engineering risk)” |
| Timely | The KRI is measured and reported at a frequency that enables early warning | “Annual audit findings count” (too slow to provide early warning) | “Weekly vulnerability scan results; monthly compliance deviation count” |
| Reportable | The KRI can be presented in a dashboard format that decision-makers understand | “Raw database query output” | “Traffic-light dashboard: Green (within tolerance), Amber (approaching threshold), Red (breach)” |
Test every KRI against all six criteria before adding the indicator to the dashboard. A KRI that fails any single criterion will either generate noise (if not relevant or timely) or prove useless when the risk materializes (if not actionable or measurable).
Operational Risk KRIs (1–7)
Operational risk arises from inadequate or failed internal processes, people, systems, or external events. These KRIs monitor the health of day-to-day operations. See our operational resilience guide to build the full operational risk monitoring framework.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 1 | Operational incident count (high-severity) | Number of incidents rated “High” or “Critical” per month | ≤ 2 high-severity incidents per month | > 2 per month → COO review; > 5 → Board notification |
| 2 | Process error rate | Number of processing errors ÷ total transactions processed (×100) | ≤ 0.5% error rate | > 0.5% → department review; > 1.0% → root-cause investigation |
| 3 | SLA breach count | Number of internal or external SLA targets missed per quarter | ≤ 3 SLA breaches per quarter | > 3 → service-delivery review; > 5 → customer-impact assessment |
| 4 | System uptime (critical systems) | (Total scheduled hours – downtime hours) ÷ total scheduled hours (×100) | ≥ 99.5% uptime | < 99.5% → IT review; < 99.0% → CIO escalation and DR readiness check |
| 5 | Business continuity exercise success rate | Number of exercises meeting RTO targets ÷ total exercises conducted (×100) | ≥ 90% success rate | < 90% → BCM Coordinator review; < 80% → CRO escalation; BCP update required |
| 6 | Mean time to resolve incidents (MTTR) | Average hours from incident detection to resolution | MTTR ≤ 4 hours (high-severity); ≤ 24 hours (medium) | MTTR > threshold → incident-management process review |
| 7 | Backlog of overdue corrective actions | Count of corrective actions past due date from audit, incidents, or risk assessments | ≤ 5 overdue actions | > 5 → Risk Manager review; > 10 → CRO escalation and board reporting |
Cyber and Information Security KRIs (8–14)
Cyber risk consistently ranks as a top-five risk across all sectors. These KRIs monitor the organization’s technical attack surface, patching discipline, human vulnerability, and incident response.
See our cyber risk assessment framework guide and technology risk guide to pair these KRIs with a full assessment methodology.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 8 | Critical CVEs unpatched > 30 days | Count of critical-severity vulnerabilities (CVSS ≥ 9.0) remaining unpatched beyond 30 days | ≤ 2 unpatched critical CVEs | > 2 → CISO review; > 5 → Board notification and emergency patching |
| 9 | Phishing simulation click-through rate | % of employees who click a simulated phishing link in the latest campaign | ≤ 5% click-through rate | > 5% → targeted re-training; > 10% → CISO escalation and mandatory training |
| 10 | Security incident count | Number of confirmed security incidents (malware, unauthorized access, data exposure) per month | ≤ 3 incidents per month | > 3 → CISO review; any single P1 incident → immediate IRT activation |
| 11 | Mean time to detect threats (MTTD) | Average hours from threat entry to detection | MTTD ≤ 24 hours | MTTD > 24 hours → SOC capability review; > 72 hours → CISO escalation |
| 12 | Privileged access accounts exceeding policy | Count of admin/root/elevated accounts that exceed the approved number or lack MFA | ≤ 5% above policy threshold | > 5% → IAM review; any unprotected admin account → immediate remediation |
| 13 | Data loss prevention (DLP) alert volume | Number of DLP policy-violation alerts per week | Declining trend; ≤ 20 alerts per week | > 20 alerts/week → DLP policy tuning; any confirmed data exfiltration → IRT activation |
| 14 | Third-party security assessment pass rate | % of critical vendors passing the annual security assessment or SOC 2 review | ≥ 95% pass rate | < 95% → TPRM review; any critical vendor failure → remediation plan within 30 days |
Financial Risk KRIs (15–21)
Financial KRIs monitor liquidity, credit, market, and budget-adherence risks. These indicators are essential across banking, insurance, pension funds, and corporates.
See our risk quantification guide to translate these metrics into board-ready financial reports.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 15 | Days of operating cash coverage | Cash and liquid investments ÷ average daily operating expenses | ≥ 45 days of coverage | < 45 days → CFO review; < 30 days → Board notification and liquidity-contingency plan |
| 16 | Budget variance (adverse) | (Actual spend – budgeted spend) ÷ budgeted spend (×100) | ≤ 5% adverse variance | > 5% → Finance review; > 10% → CFO escalation and re-forecast |
| 17 | Accounts receivable aging (> 90 days) | Value of receivables outstanding > 90 days ÷ total receivables (×100) | ≤ 10% of total receivables | > 10% → Collections review; > 15% → CFO escalation and provision assessment |
| 18 | Credit concentration (single counterparty) | Largest single-counterparty exposure ÷ total portfolio (×100) | ≤ 5% per counterparty | > 5% → Risk review; > 10% → CRO escalation and immediate reduction plan |
| 19 | Revenue concentration (single client) | Largest single-client revenue ÷ total revenue (×100) | ≤ 15% from any single client | > 15% → Strategy review; > 25% → Board discussion on diversification |
| 20 | Debt covenant headroom | Current covenant metric value – covenant trigger level | ≥ 20% headroom above trigger | < 20% → CFO review; < 10% → Board notification and lender communication |
| 21 | Insurance coverage adequacy | Total insured value ÷ total insurable asset value (×100) | ≥ 90% coverage ratio | < 90% → Risk Manager review; < 80% → CRO escalation and policy renewal discussion |
Compliance and Regulatory Risk KRIs (22–28)
Compliance KRIs detect early signals of regulatory non-conformance before regulators do. See our compliance risk assessment guide to build the assessment framework these KRIs support.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 22 | Regulatory finding closure rate | % of regulatory findings closed within the agreed remediation timeline | ≥ 90% on-time closure | < 90% → CCO review; < 80% → Board Audit Committee notification |
| 23 | Policy exception count | Number of active, approved exceptions to compliance policies | ≤ 10 active exceptions | > 10 → CCO review; > 15 → Policy refresh assessment |
| 24 | Mandatory training completion rate | % of employees who completed mandatory compliance training by the deadline | ≥ 95% completion within 30 days of deadline | < 95% → HR/Compliance follow-up; < 90% → CCO escalation |
| 25 | Suspicious activity report (SAR) filing timeliness | % of SARs filed within the regulatory deadline (typically 30 days) | 100% on-time filing | Any late filing → immediate AML Officer review and root-cause analysis |
| 26 | Regulatory change items pending implementation | Count of identified regulatory changes not yet implemented past the effective date | Zero overdue items | Any overdue item → CCO escalation; > 3 overdue → Board Audit Committee notification |
| 27 | Conflict-of-interest disclosure completion | % of employees/board members who completed annual COI disclosures on time | ≥ 98% completion | < 98% → Ethics Officer follow-up; < 95% → General Counsel escalation |
| 28 | Whistleblower/ethics hotline reports | Number of reports received and % investigated within 30 days | 100% investigated within 30 days | Any uninvestigated report > 30 days → CCO escalation; pattern of increased reports → root-cause review |
Strategic Risk KRIs (29–33)
Strategic KRIs monitor the external and internal forces that could derail the organization’s strategic objectives.
These indicators bridge the gap between enterprise risk and strategic planning. See our enterprise risk management framework guide and geopolitical risk guide.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 29 | Market share change | Year-over-year change in market share (% points) | Loss ≤ 1 percentage point per year | Loss > 1 point → Strategy review; > 2 points → Board strategic risk discussion |
| 30 | Customer concentration risk index | Herfindahl-Hirschman Index (HHI) across top 10 clients | HHI ≤ 0.15 (diversified) | HHI > 0.15 → Sales diversification plan; > 0.25 → Board notification |
| 31 | Product/service pipeline health | Number of new products/services in active development pipeline | ≥ 3 products in pipeline | < 3 → Innovation review; zero pipeline → CEO/Board strategic risk escalation |
| 32 | Competitive pricing pressure index | Average price discount required to win new business (%) vs. prior year | Discount increase ≤ 2 percentage points YoY | > 2 points → Pricing strategy review; > 5 points → CSO escalation |
| 33 | Geopolitical risk exposure | % of revenue from countries rated “High” or “Extreme” geopolitical risk | ≤ 15% of total revenue | > 15% → Strategic review; > 25% → Board risk committee discussion and contingency planning |
Third-Party and Vendor Risk KRIs (34–38)
Third-party risk is one of the fastest-growing risk categories across all sectors. These KRIs monitor vendor health, concentration, and compliance. See our third-party risk management guide.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 34 | Critical vendor financial health score | Composite financial health score (D&B, CreditSafe, or equivalent) of Tier 1 vendors | All Tier 1 vendors score ≥ 70/100 | Any Tier 1 vendor < 70 → TPRM review; < 50 → contingency plan activation |
| 35 | Vendor SLA breach rate | Number of SLA breaches across all monitored vendors per quarter | ≤ 5% of total SLA commitments breached | > 5% → Vendor management review; any critical-vendor breach → immediate remediation discussion |
| 36 | Vendor concentration (single provider) | % of critical services dependent on a single vendor | ≤ 30% from any single vendor | > 30% → Diversification plan; > 50% → CRO escalation and alternate-vendor sourcing |
| 37 | Overdue vendor risk assessments | Count of Tier 1/Tier 2 vendors with risk assessments past the scheduled review date | Zero overdue assessments | > 0 → TPRM team follow-up; > 3 overdue → CCO/CRO escalation |
| 38 | Fourth-party risk visibility | % of critical vendors whose material subcontractors have been identified and assessed | ≥ 80% visibility | < 80% → TPRM team action; < 60% → CRO escalation and vendor contract review |
Project Risk KRIs (39–42)
Project risk KRIs monitor the health of capital projects, IT implementations, and transformation programs. See our project risk assessment guide.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 39 | Schedule variance (SV) | (Earned Value – Planned Value) ÷ Planned Value (×100) | SV ≥ –5% (within 5% of schedule) | SV < –5% → Project Manager review; < –10% → Sponsor escalation |
| 40 | Cost variance (CV) | (Earned Value – Actual Cost) ÷ Earned Value (×100) | CV ≥ –5% (within 5% of budget) | CV < –5% → Project Manager review; < –10% → Sponsor escalation and re-baseline |
| 41 | Open project risk count (High-rated) | Number of High or Extreme-rated risks on the project risk register currently open | ≤ 5 open High/Extreme risks | > 5 → Project risk workshop; > 8 → Steering Committee escalation |
| 42 | Scope change request rate | Number of approved scope changes per project phase | ≤ 3 scope changes per phase | > 3 → Project Manager scope-control review; > 5 → Sponsor re-scope decision |
Human Capital Risk KRIs (43–46)
People risk is often undermonitored. These KRIs detect workforce-related risk exposures that can cascade into operational, compliance, and reputational failures.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 43 | Voluntary turnover rate (critical roles) | Number of voluntary departures in critical/specialist roles ÷ total critical-role headcount (×100), trailing 12 months | ≤ 10% annualized | > 10% → HR review and retention action plan; > 15% → CHRO/COO escalation |
| 44 | Key-person dependency count | Number of critical business activities dependent on a single individual with no trained backup | ≤ 3 single-person dependencies | > 3 → Cross-training plan; > 5 → COO escalation and succession planning |
| 45 | Vacancy rate in risk/compliance functions | Number of open positions in risk, compliance, audit, and security functions ÷ total approved headcount (×100) | ≤ 10% vacancy rate | > 10% → CHRO review; > 20% → CRO/Board notification (second-line capacity risk) |
| 46 | Workplace safety incident rate (OSHA-recordable) | Number of OSHA-recordable incidents per 200,000 hours worked | ≤ industry benchmark (e.g., ≤ 3.0 TRIR) | > benchmark → EHS review; > 2x benchmark → COO escalation and safety stand-down |
ESG and Climate Risk KRIs (47–49)
ESG KRIs are becoming mandatory reporting metrics under SEC, ISSB, and CSRD frameworks. See our ESG key risk indicators framework to access 43 additional ESG KRIs mapped to global disclosure standards.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 47 | Scope 1 + 2 emissions variance | Actual GHG emissions vs. annual reduction pathway target (% variance) | Variance ≤ +5% above target | > +5% → Sustainability review; > +10% → CSO escalation and corrective action plan |
| 48 | Board gender/diversity ratio | % of board seats held by underrepresented groups | ≥ 30% diverse representation (or Board-approved target) | < 30% → Nominations Committee action; < 20% → Board Chair escalation |
| 49 | ESG rating agency score change | Change in composite ESG score (MSCI, Sustainalytics, or equivalent) vs. prior assessment | Stable or improving score | Downgrade → CSO/CRO review and remediation plan; downgrade below investment-grade → Board notification |
Governance Risk KRI (50)
Governance risk underpins every other risk category. When governance fails, every control fails.
| # | KRI Name | Measurement | Tolerance Threshold | Escalation Trigger |
|---|---|---|---|---|
| 50 | Board Risk Committee effectiveness score | Composite score based on: meeting attendance (≥ 80%), agenda coverage of top risks (100%), challenge documented in minutes (≥ 3 challenge items per meeting), and action-item closure rate (≥ 90%) | Composite score ≥ 80/100 | Score < 80 → Board Chair review; score < 60 → Governance reform action plan |
How to Build a KRI Dashboard: Traffic-Light Framework
| Dashboard Element | Purpose | Design Principle |
|---|---|---|
| Traffic-Light Status | Show the current risk position at a glance: Green (within tolerance), Amber (approaching threshold), Red (breach) | Use three distinct colors. No more than three status levels. Every KRI must have a defined color rule. |
| Trend Arrow | Indicate the direction of change: improving (↑), stable (→), deteriorating (↓) | Calculate trend from the last 3 data points. An Amber KRI with a deteriorating trend is more urgent than a Red KRI that is improving. |
| Linked Risk | Show which risk register entry the KRI monitors | Every KRI maps to at least one risk ID. Orphan KRIs (not linked to the register) should be removed. |
| Owner | Named individual responsible to monitor and act on the KRI | The KRI owner is typically the risk owner from the register. Ownership must be clear and accepted. |
| Data Source and Frequency | Where the data comes from and how often the KRI is updated | Automate data feeds where possible. Manual data collection introduces delays and errors. |
| Escalation Protocol | What happens when the KRI breaches each threshold level | Document the escalation path: who is notified, within what timeframe, and what action is expected. |
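As an added example (not code from this guide), the Python below evaluates KRI 8 from the cyber table, "Critical CVEs unpatched > 30 days", into one dashboard row carrying the elements above: traffic-light status from the tolerance threshold, trend arrow from the last three data points, escalation trigger, owner and linked risk. The scan findings, dates, CVE-style IDs and the risk ID R-XXX are constructed placeholders, and the review_priority ordering is an assumption that encodes the rule that an Amber KRI with a deteriorating trend outranks an improving Red one.

```python
"""Added example (not from the guide): KRI 8, "Critical CVEs unpatched > 30 days",
evaluated as one traffic-light dashboard row. All data below is constructed."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    cve_id: str        # placeholder IDs, not real CVE numbers
    cvss: float
    first_seen: date   # date the scanner first reported the finding
    patched: bool

# KRI 8 as defined in the cyber table: critical = CVSS >= 9.0, overdue = unpatched
# > 30 days, tolerance <= 2, > 2 escalates to the CISO, > 5 to the Board.
CRITICAL_CVSS = 9.0
MAX_UNPATCHED_DAYS = 30
GREEN_MAX = 2
AMBER_MAX = 5

def is_overdue_critical(f: Finding, as_of: date) -> bool:
    """True when the finding counts toward KRI 8 on the reporting date."""
    age_days = (as_of - f.first_seen).days
    return (not f.patched) and f.cvss >= CRITICAL_CVSS and age_days > MAX_UNPATCHED_DAYS

def count_overdue_critical(findings, as_of: date) -> int:
    return sum(1 for f in findings if is_overdue_critical(f, as_of))

def status(value: int) -> str:
    """Colour rule: Green within tolerance, Amber approaching, Red breach."""
    if value <= GREEN_MAX:
        return "Green"
    return "Amber" if value <= AMBER_MAX else "Red"

def escalation(value: int) -> str:
    """Escalation-trigger column for KRI 8."""
    if value > AMBER_MAX:
        return "Board notification and emergency patching"
    return "CISO review" if value > GREEN_MAX else "None"

def trend(series) -> str:
    """Trend arrow from the last three data points (lower is better here). For three
    evenly spaced points the least-squares slope has the sign of (last - first)."""
    window = list(series)[-3:]
    if len(window) < 3:
        return "→"   # not enough history to call a trend
    delta = window[-1] - window[0]
    return "↑" if delta < 0 else "↓" if delta > 0 else "→"

def review_priority(colour: str, arrow: str) -> int:
    """Assumed ordering (higher = more urgent) that honours the guide's rule: an Amber
    KRI that is deteriorating outranks a Red KRI that is improving."""
    if colour == "Green":
        return 0
    if colour == "Red":
        return {"↓": 5, "→": 4, "↑": 2}[arrow]
    return 3 if arrow == "↓" else 1

def kri8_dashboard_row(findings, history, as_of: date, owner="CISO", linked_risk="R-XXX"):
    """Dashboard row; `history` holds prior readings, `linked_risk` is a placeholder ID."""
    value = count_overdue_critical(findings, as_of)
    colour = status(value)
    arrow = trend(list(history) + [value])
    return {
        "kri": "Critical CVEs unpatched > 30 days",
        "value": value,
        "status": colour,
        "trend": arrow,
        "escalation": escalation(value),
        "priority": review_priority(colour, arrow),
        "owner": owner,
        "linked_risk": linked_risk,
    }

# Constructed sample scan for a reporting date of 2024-06-30.
AS_OF = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", 9.8, date(2024, 5, 1), patched=False),   # 60 days: counts
    Finding("CVE-XXXX-0002", 9.1, date(2024, 6, 20), patched=False),  # 10 days: too new
    Finding("CVE-XXXX-0003", 7.5, date(2024, 4, 1), patched=False),   # not critical
    Finding("CVE-XXXX-0004", 10.0, date(2024, 3, 15), patched=True),  # already patched
    Finding("CVE-XXXX-0005", 9.4, date(2024, 5, 20), patched=False),  # 41 days: counts
    Finding("CVE-XXXX-0006", 9.0, date(2024, 5, 29), patched=False),  # 32 days: counts
]
PRIOR_READINGS = [1, 2]   # the two previous monthly values (constructed)

if __name__ == "__main__":
    print(kri8_dashboard_row(SAMPLE_FINDINGS, PRIOR_READINGS, AS_OF))
```

With the sample data the row lands at 3 overdue critical CVEs: Amber, trend deteriorating, escalation "CISO review".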
Our KRI dashboard guide provides the complete blueprint: dashboard layout, data-feed architecture, escalation protocols, and board-reporting format.
Pair the dashboard with the risk register to create a closed-loop monitoring system.
Eight Pitfalls in KRI Programs
| # | Pitfall | Consequence | Fix |
|---|---|---|---|
| 1 | Too many KRIs too soon | Monitoring fatigue; dashboard becomes noise; nobody reads the report | Start with 15–20 KRIs mapped to top-rated risks. Scale gradually as the program matures. |
| 2 | KRIs disconnected from the risk register | Indicators monitor generic concepts, not specific identified risks; no link to treatment actions | Map every KRI to at least one risk register entry. Remove orphan KRIs. |
| 3 | No defined tolerance thresholds | Dashboard shows numbers but nobody knows what “good” or “bad” looks like | Set Green/Amber/Red thresholds aligned to the Board-approved risk appetite statement. |
| 4 | Manual data collection only | KRI updates are late, incomplete, or inaccurate; the dashboard is always out of date | Automate data feeds from source systems. Reserve manual collection only when no system source exists. |
| 5 | KRIs reported without context or trend | A single number without trend direction, historical context, or comparison is meaningless | Show trend (3-period minimum), brief commentary, and linked risk register entry alongside each KRI. |
| 6 | Lagging indicators disguised as KRIs | Metrics report past events (losses, fines, incidents) rather than signaling future exposure | Pair each lagging indicator with a leading indicator. Patch rate (leading) complements incident count (lagging). |
| 7 | No escalation protocol defined | KRI breaches are observed but no action follows; the dashboard becomes decorative | Document escalation: who is notified, within what timeframe, and what decision is expected at each threshold. |
| 8 | Board receives raw KRI data without interpretation | Trustees or directors see numbers but cannot translate them into risk decisions | Present KRIs to the board in “What, So What, Now What” format: current status, implication, recommended action. |
Launching a KRI Program
| Phase | Timeline | Actions | Owner | Deliverable |
|---|---|---|---|---|
| Phase 1: Design | Days 1–25 | Review the risk register; select 15–20 top-rated risks to monitor; identify candidate KRIs using the 50-KRI library in this guide; apply SMART-R criteria; define Green/Amber/Red thresholds aligned to risk appetite; assign KRI owners | CRO / Risk Manager | KRI catalog with linked risk IDs, thresholds, data sources, owners, and reporting frequency |
| Phase 2: Build | Days 26–50 | Configure the KRI dashboard (Excel, Power BI, or GRC platform); establish data-feed connections from source systems; build automated threshold alerts; document the escalation protocol per KRI | Risk Manager / IT / Analytics | Live KRI dashboard; automated alert rules; escalation protocol document |
| Phase 3: Validate | Days 51–70 | Run a parallel monitoring period: track KRIs alongside existing reporting; validate data accuracy; stress-test thresholds (too many false alerts = recalibrate); collect first-line feedback on usability | Risk Manager / First-Line Owners | Validation report; threshold adjustments; owner feedback log |
| Phase 4: Embed | Days 71–90 | Present the first KRI report to the Board Risk Committee; integrate KRI status into the quarterly risk report; schedule monthly KRI reviews with risk owners; set an annual KRI program review date | CRO / Board Risk Committee | First board KRI report; quarterly risk report integration; monthly review calendar; annual program review date |
The Future of Key Risk Indicators
AI-Powered KRI Generation. Machine learning models are beginning to analyze incident data, control-testing results, and external threat feeds to recommend new KRIs and dynamically adjust thresholds.
Rather than setting static thresholds annually, AI models calibrate the Green/Amber/Red bands based on real-time data distributions. See our AI risk assessment framework guide.
Predictive KRIs. Traditional KRIs measure current exposure. Predictive KRIs use statistical models (regression, time-series analysis, Monte Carlo simulation) to forecast future exposure based on current trends.
A predictive vendor-risk KRI might project the probability that a critical vendor’s financial health score will breach the tolerance threshold within the next 6 months, giving the TPRM team time to activate contingency plans. See our Monte Carlo simulation guide.
Integrated Dashboards. KRI dashboards are converging with performance dashboards, compliance monitoring, and business continuity status into unified operational-resilience displays.
A single executive dashboard will show KPI performance, KRI status, compliance posture, and BCP readiness side by side. The NIST Cybersecurity Framework 2.0 Govern function and the EU’s DORA both push toward this integrated model.
Start Building Your KRI Dashboard Today
You now have 50 KRIs across ten risk categories, each with a measurement formula, tolerance threshold, and escalation trigger. Start with the 15–20 KRIs that map to your highest-rated risks and expand from there. Use these riskpublishing.com resources: KRI Dashboard Guide • Risk Register Template • Risk Assessment Matrix • Enterprise Risk Management Framework • Risk Appetite vs. Tolerance.
More resources: ESG KRI Framework (43 KRIs) • Risk Quantification for Boards • Three Lines Model • Scenario Analysis • Compliance Risk Assessment • Third-Party Risk Management • Business Continuity Plan • Operational Resilience • Geopolitical Risk • AI Risk Assessment Framework • Shadow AI Risk Management.
Frequently Asked Questions
How many KRIs should an organization track?
Start with 15–20 KRIs mapped to the organization’s top-rated risks. Scale to 30–50 as the risk program matures and data-collection infrastructure improves.
Tracking more than 50 KRIs at the enterprise level creates reporting overload. Departments may track additional operational KRIs locally, but only the most material should escalate to the board dashboard.
Should KRIs be leading or lagging indicators?
Ideally both, paired together. A leading KRI signals growing exposure before a loss event (e.g., patch compliance rate declining). A lagging KRI confirms that a risk has materialized (e.g., security incident count).
Leading indicators enable prevention; lagging indicators enable learning. The best KRI programs pair each lagging indicator with at least one leading indicator.
Who owns the KRI program?
The CRO or Head of Risk Management owns the KRI program design, threshold calibration, and board reporting. Individual KRI owners are typically the risk owners from the risk register.
The first line collects and reports data; the second line (risk function) validates, aggregates, and presents; the third line (internal audit) assures the program’s effectiveness.
How do I set the right tolerance thresholds?
Thresholds must align to the Board-approved risk appetite statement. Start with industry benchmarks (NIST, FAIR Institute, RIMS). Adjust based on your organization’s historical data and the board’s stated tolerance.
Run a 60-day parallel period: if the threshold triggers too many false alerts (> 20% amber/red with no real risk increase), widen the band. If real risk increases go undetected, tighten the band.
Can KRIs be automated?
Yes, and they should be wherever possible. KRIs that rely on manual data collection are slower, less accurate, and more expensive to maintain.
Automate data feeds from source systems (SIEM, ERP, HR, CRM, vulnerability scanners, vendor monitoring platforms) into the KRI dashboard.
Reserve manual collection only when no system source exists. GRC platforms like Archer, ServiceNow, and LogicGate support automated KRI feeds natively.
References
1. ISO 31000:2018 – Risk Management Guidelines
2. ISO 31010:2019 – Risk Assessment Techniques
3. COSO Enterprise Risk Management (2017)
4. IIA Three Lines Model (2020)
5. NIST Cybersecurity Framework 2.0
6. FAIR Institute – Factor Analysis of Information Risk
7. IRM – Institute of Risk Management
8. ISO 22301:2019 – Business Continuity Management
9. SEC Climate-Related Disclosures
10. IFRS / ISSB Sustainability Standards
11. EU DORA – Digital Operational Resilience Act
12. PMI PMBOK Guide – Project Risk Management

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
