On October 7, 2020, the Office of the Comptroller of the Currency assessed Citigroup a $400 million civil money penalty for enterprise-wide deficiencies in risk management, data governance, and internal controls.
On July 10, 2024, the OCC added $75 million and the Federal Reserve added $61 million because Citigroup had still not fixed the risk-data and KRI gaps the 2020 order required.
| Free Key Risk Indicators Excel Template: The Practitioner Cheat Sheet |
| The Free Key Risk Indicators Excel Template ships with 50 pre-populated KRIs across eight categories: Operational, Compliance, Cyber, Financial, Strategic, People and HR, Third-party, and Reputational and ESG. Edit, extend, or trim to fit your risk register. |
| Each KRI carries a definition, owner, review frequency, Green-Amber-Red thresholds, and an automated RAG status formula. The Dashboard tab pivots counts by status and category in real time. |
| Citigroup paid $400 million to the OCC in October 2020 and another $135.6 million combined to the OCC and the Federal Reserve in July 2024 for unresolved risk-data and KRI deficiencies. That $535 million bill is what a missing or stale KRI register costs a US bank. |
| The template aligns to ISO 31000:2018, COSO ERM 2017, OCC Heightened Standards, and the NIST Cybersecurity Framework 2.0. The ISO + COSO Mapping tab evidences the alignment for any audit or board review. |
| The Threshold Setting tab anchors thresholds against three reference points: the regulator’s reporting line, the industry peer median, and the firm’s 12-month rolling baseline. Recalibrate quarterly. Anything older than that is a guess, not a threshold. |
| Conditional formatting turns the RAG Status column green, amber, or red automatically. The IF formula handles both higher-is-worse and lower-is-worse KRIs in a single cell, so you do not need to maintain two registers. |
| Built and maintained by riskpublishing.com. The Free Key Risk Indicators Excel Template downloads at the bottom of this article. No email gate, no signup, no marketing list. |
The Free Key Risk Indicators Excel Template is built for the exact gap Citigroup paid $535 million to keep open.
A KRI is a leading metric tied to a defined threshold and a named owner, refreshed on a fixed cadence, visible on a dashboard the board reads in three minutes. Most US mid-sized banks, insurers, healthcare systems, and manufacturers track some of this in spreadsheets that nobody maintains.
This template fixes the spreadsheet problem with 50 pre-populated KRIs across eight categories, automated RAG status formulas, a dashboard tab that pivots by status and category, an ISO 31000 + COSO ERM mapping, and a changelog.
It anchors to ISO 31000:2018, COSO ERM 2017, OCC Heightened Standards, and the NIST Cybersecurity Framework 2.0. Stats and named events come from OCC, FRB, FDIC, and Federal Register filings.
Figure 1. The Free Key Risk Indicators Excel Template ships with 50 KRIs across eight categories.
What’s Inside the Free Key Risk Indicators Excel Template
The Free Key Risk Indicators Excel Template ships as a single .xlsx file with eight tabs, each doing one job.
There is no macro, no add-in, and no external data connection, so the file opens cleanly in Excel for Microsoft 365, Excel 2021, LibreOffice Calc, and Google Sheets. The total file size sits under 25 KB, compared with the multi-tab spreadsheets most teams inherit from a departed risk lead.
Eight Tabs in the Free KRI Excel Template
The Instructions tab is the on-ramp. It explains the eight tabs, the methodology behind threshold setting, and the reference standards.
The KRI Register tab is the main work surface, with 50 rows pre-filled and 13 columns covering identification, threshold bands, current value, RAG, and linked actions. The Dashboard tab counts KRIs by status and by category.
The remaining five tabs support the register. Threshold Setting holds the three-point methodology, and ISO + COSO Mapping evidences framework alignment for audit. Owner and Cadence assigns the daily, weekly, monthly, and quarterly review tiers, while
Risk Appetite supplies pre-drafted appetite statements you can adapt for board approval. Changelog tracks every edit, which OCC and FRB examiners now request as part of risk-data governance evidence.
Fifty Pre-Populated KRIs in the Excel Template
Every KRI in the Free Key Risk Indicators Excel Template carries the same 13 fields. ID and category support filtering; name and definition let any team member understand the metric without a glossary; owner and frequency assign accountability.
Green, amber, and red thresholds set the appetite bands while current value and last-updated drive the RAG. Linked Risk or Action ties the indicator back to the parent risk register.
The RAG Status column runs an IF formula that compares the current value against the three thresholds. It handles higher-is-worse KRIs (error rates, complaints, breach exposure) and lower-is-better KRIs (LCR, MFA coverage, engagement score) without manual logic switching. Conditional formatting paints the cell green, amber, or red automatically when you open the file.
Eight Categories Covered in the Free Key Risk Indicators Excel Template
The eight categories trace to the working risk register of a mid-sized US bank or insurer running a mature ERM program.
Each category lines up with a standing committee at executive level. The table below shows the count, the dominant audience, and the typical refresh cadence baked into the template.
| Category | KRIs | Examples in the Excel template | Audience | Refresh |
| Operational | 8 | System downtime, transaction error rate, customer complaints, internal fraud, AML SAR volume | Operational Risk Committee | Daily-Weekly |
| Compliance | 7 | Open MRA findings, late filings, training overdue, OFAC hits, privacy incidents, audit overdue | Audit Committee | Monthly |
| Cyber | 7 | Critical patch compliance, phishing click rate, MFA coverage, vendor breaches, TTD, ransomware tabletop | Risk Committee | Weekly |
| Financial | 6 | Days cash on hand, LCR, interest rate gap, customer concentration, DSO, FX unhedged | ALM Committee | Daily-Weekly |
| Strategic | 5 | Market share drift, new product mix, initiative slippage, churn, M&A integration | Board | Quarterly |
| People and HR | 5 | Voluntary attrition, critical role vacancy time, OSHA rate, harassment claims open, engagement | Compensation Committee | Monthly |
| Third-party | 6 | Critical vendor concentration, due diligence backlog, SPOFs, cyber rating drops, renewal slippage | Risk Committee | Monthly |
| Reputational and ESG | 6 | Negative media sentiment, social escalations, MSCI ESG drift, environmental incidents, class actions, carbon intensity | Board + Disclosure | Monthly |
Figure 2. US risk management failures where KRI tracking could have caught the deterioration earlier.
How to Use the Free Key Risk Indicators Excel Template in Five Steps
Five steps will take a fresh download to a live, board-ready KRI register in roughly four hours. The Instructions tab walks through the same sequence. Allocate the time to a Friday afternoon and you have a Monday board-pack input.
Step 1: Open the KRI Register Tab in the Excel Template
Start in the KRI Register tab and walk row by row. For each pre-populated KRI, decide one of three: keep, edit, or delete.
Keep means the metric matches your operation as written; edit means the definition is close but needs your firm’s data source; delete is for KRIs that do not apply (an asset manager will delete the AML SAR row, a manufacturer will delete the LCR row).
Add your own KRIs by inserting rows. The conditional formatting and the IF formula in column K automatically extend if you insert inside the existing range.
Use the next available ID in your category code (OP-09, CY-08, FN-07) to keep the register navigable. Aim for 40 to 70 active KRIs after the cull; below 30 leaves blind spots and above 80 becomes dashboard noise.
Step 2: Set Thresholds Using the Excel Template Guide
Open the Threshold Setting tab. It documents the three-point method this template uses: the regulator reporting line, the peer median, and your 12-month rolling baseline. Apply it row by row.
The Red threshold should sit at the regulator notification line where one exists; the Amber threshold at peer median plus one standard deviation; the Green threshold at the boundary of your risk appetite statement.
Document the rationale in the Linked Risk and Action column. OCC, FRB, and FDIC examiners now ask for this evidence in CAMELS exams and model risk SR 11-7 reviews.
Treat the column as your audit trail, not a comment field. Quarterly recalibration without documented rationale fails the modern examiner test.
Step 3: Assign Owners with the Excel Template Cadence Tab
The Owner and Cadence tab assigns four owner tiers per category: daily, weekly, monthly, quarterly. Match the column entries to your accountability map.
Every KRI needs a named owner with authority to act on the indicator firing red, not a job title with no decision rights. “Risk team” is not an owner; “Director of Operational Risk” is.
Use the IIA Three Lines Model to test the assignment. The owner sits in the first line (the business or operations team running the process).
The CRO and the risk function sit in the second line and chair the committee that reviews the dashboard. Internal Audit in the third line tests both.
Step 4: Refresh the Dashboard in the KRI Excel Template
The Dashboard tab pivots the register by RAG status and by category. Press F9 to refresh the formulas. The status counts (green, amber, red) and the category counts update from COUNTIF and COUNTIFS formulas pointing at the KRI Register.
Anything that does not update means you have inserted rows outside the formula range; extend the range and refresh again.
Step 5: Maintain the Changelog in the Excel Template
The Changelog tab is the most-skipped tab and the one examiners most often request. Every threshold change, every new KRI, every owner reassignment goes in here with the approver and the date.
This is the evidence that distinguishes a living KRI register from a static spreadsheet. Citigroup’s 2024 fine specifically cited insufficient evidence of risk-data governance, so do not skip this tab.
How the Free Key Risk Indicators Excel Template Aligns with ISO 31000 and COSO
Examiners and audit committees ask the same question every quarter: how does the KRI register map to ISO 31000 and COSO ERM? The ISO and COSO Mapping tab in the Free Key Risk Indicators Excel Template answers it on one page. The table below shows the alignment for the eight categories.
| Category | ISO 31000:2018 clause | COSO ERM 2017 component | Board reporting line |
| Operational | 6.4 Risk assessment | Performance | Operational Risk Committee monthly |
| Compliance | 5.2 Mandate and commitment | Governance and Culture | Audit Committee quarterly |
| Cyber | 6.4 Risk assessment | Performance + Information | Risk Committee monthly |
| Financial | 6.5 Risk treatment | Performance + Review | Risk Committee monthly |
| Strategic | 5.4 Integration | Strategy and Objective-Setting | Board quarterly |
| People and HR | 5.4 Integration | Governance and Culture | Compensation Committee quarterly |
| Third-party | 6.4 Risk assessment | Performance + Information | Risk Committee monthly |
| Reputational and ESG | 6.6 Monitoring and review | Governance + Strategy | Board quarterly |
Walk the table top to bottom in your next audit meeting. The ISO 31000 vs COSO ERM comparison piece on the riskpublishing.com library explains the crosswalk at framework level. The Free Key Risk Indicators Excel Template is the operational layer that sits underneath both.
Frequently Asked Questions on the Free Key Risk Indicators Excel Template
Six questions surface in every download cycle. The answers reflect OCC, FRB, and FDIC examiner expectations as of May 2026.
Is the Free Key Risk Indicators Excel Template really free?
The Free Key Risk Indicators Excel Template is free with no email gate, no signup, and no marketing list. It downloads directly from the link at the bottom of this article.
The file is published under a permissive use license (edit, rebrand, share with your team, and adapt for your firm), and attribution to riskpublishing.com is appreciated but not required.
How many KRIs come pre-populated in the Excel template?
Fifty KRIs across eight categories: Operational 8; Compliance 7; Cyber 7; Financial 6; Strategic 5; People and HR 5; Third-party 6; Reputational and ESG 6.
Each KRI carries a definition, owner, frequency, three thresholds, and a linked action, so trim categories that do not apply and add KRIs that do. Most mid-sized US firms converge on 40 to 70 KRIs after the first cull.
Does the Excel template work in Google Sheets and LibreOffice?
The .xlsx file opens in Excel for Microsoft 365, Excel 2021, Excel 2019, LibreOffice Calc, and Google Sheets. Conditional formatting and the IF-based RAG formula port cleanly, and the macro-free design keeps it portable.
The only feature that requires manual reproduction in Google Sheets is the named-range references on the Dashboard tab, which Sheets prefers to be written as range references rather than table names.
How often should I refresh the KRIs in the Excel template?
Refresh per the cadence column in the KRI Register tab: operational and cyber KRIs daily or weekly; compliance, financial, and third-party KRIs weekly or monthly; strategic, People and HR, and reputational KRIs monthly or quarterly.
Thresholds recalibrate quarterly across all categories. The Owner and Cadence tab assigns the four review tiers per category so nothing falls between owners.
How does the Excel template handle higher-is-worse and lower-is-better KRIs?
The IF formula in column K compares the Green and Amber thresholds. If Green is lower than Amber, the formula treats higher values as worse (error rates, fraud counts, breach exposure).
If Green is higher than Amber, the formula treats lower values as worse (LCR, MFA coverage, days cash on hand). One cell, one formula, no separate registers, with conditional formatting painting the result green, amber, or red automatically.
Can the Excel template support SOX, FFIEC, and CFPB examinations?
Yes for first-line operational evidence, with caveats. The template covers the indicator side of the FFIEC IT Examination Handbook expectations and supports SOX 404 ICFR documentation when KRIs link to keyed controls.
For CFPB consumer compliance examinations, add UDAAP-specific KRIs to the Compliance category. The template is a starting point, not a turnkey examination-response artifact, so pair it with your control matrix and policy library.
Challenges When Using a Free Key Risk Indicators Excel Template
Five failure modes recur across firms that download and abandon their KRI Excel template within ninety days. Watch for them before your first quarterly recalibration.
| Challenge | Root cause | Remedy |
| Pre-populated KRIs left untouched | Treating the template as turnkey instead of as a starting register | Walk every row in week one. Keep, edit, or delete. A KRI you do not understand is a KRI you cannot defend. |
| No owner with decision rights | Assigning ownership to ‘the risk team’ or a job title rather than a named role with authority | Use the Owner and Cadence tab. Every KRI gets a named first-line owner who can act on a red firing. |
| Thresholds never recalibrated | Quarterly recalibration skipped after the first cycle | Add the recalibration date to the Linked Risk and Action column. Examiners check this. |
| Changelog left empty | Tab perceived as overhead | Citigroup’s $135M July 2024 fine specifically cited missing risk-data governance evidence. The changelog is your evidence. |
| Dashboard never refreshed | F9 not pressed before board pack export | Build a one-line procedure: refresh, screenshot the dashboard, paste into the board pack. Add to the OCC’s Heightened Standards governance script. |
| Template grows to 200+ KRIs | Adding metrics without removing any | Cap at 80 active KRIs. Anything beyond becomes noise the board cannot read in three minutes. |
Looking Ahead: Free Key Risk Indicators Excel Template Trends for 2026-2028
Three shifts will shape how US firms use a KRI Excel template over the next two years. The first is the OCC and FRB push for automated risk-data governance evidence.
Examiners increasingly want to see the changelog, the owner sign-off trail, and the threshold rationale captured in tooling rather than narrated in interview. The Excel changelog tab is a credible first stop; a GRC platform is the next step.
Second comes the rise of climate-linked and ESG KRIs in financial-institution risk registers. The SEC climate disclosure rule finalized in March 2024 forces public companies to track and disclose climate-related risk metrics.
The Reputational and ESG category in the Free Key Risk Indicators Excel Template starts you on that path. Expect every disclosure committee to review a climate KRI subset quarterly by late 2027.
Third is generative AI for KRI threshold setting. Predictive analytics tools now suggest amber and red bands using peer-group and historical data.
Expect the manual three-point method documented in the Threshold Setting tab to be augmented (not replaced) by AI-driven recommendation engines by the end of 2027. The human owner still signs off.
Firms that keep their KRI register in a maintained Excel template will outpace firms running orphaned legacy spreadsheets.
The Free Key Risk Indicators Excel Template is the operational layer that gets you started; the GRC platform is where you land. The journey from one to the other usually takes 18 to 24 months and three full quarterly recalibration cycles.
Download the Free Key Risk Indicators Excel Template
Download link: free-key-risk-indicators-excel-template.xlsx (~25 KB, .xlsx, 8 tabs, 50 KRIs).
Risk Publishing designs KRI registers that hold up to OCC, FRB, FDIC, and SEC examiner scrutiny. We pressure-test the register against industry benchmarks, build the three-tier dashboard, and integrate the output with your enterprise risk management framework and risk management lifecycle.
Continue reading the Risk Publishing KRI library: 50 key risk indicators every risk manager should track, key risk indicators examples, best key risk indicators, how to develop key risk indicators, how to use key risk indicators, and best practices for utilizing key risk indicators effectively.
Adjacent reading: the operational key risk indicators guide, cyber security KRI examples, supply chain key risk indicators, key risk indicators dashboard, and what is a key risk indicator.
To discuss implementation, visit the contact page or the about page. For the parent framework, the key risk indicators in enterprise risk management piece sets the strategic context for the Free Key Risk Indicators Excel Template.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.