In December 2024, the US Government Accountability Office reported that 16 federal agencies estimated $162 billion in improper payments across 68 programs in fiscal year 2024. Cumulative federal improper payments since FY2003 now sit at about $2.8 trillion. Eighteen programs run improper-payment rates of at least 10%, and six exceed 25%.
A working Key Risk Indicators for Government Agencies program would have flagged each of those rates at least one quarter earlier.
| The Key Risk Indicators for Government Agencies Cheat Sheet |
|---|
| Federal agencies reported $162B in improper payments in FY2024 across 68 programs at 16 agencies. Cumulative improper payments since FY2003 sit at about $2.8 trillion. A working Key Risk Indicators for Government Agencies program surfaces those numbers before the GAO publishes them. |
| Run 60-90 active Key Risk Indicators for Government Agencies across seven categories: cybersecurity (FISMA), improper payments and fraud, workforce, program performance (GPRAMA), supply chain (FedRAMP / CMMC), compliance, and operational continuity. |
| Anchor the program to OMB Circular A-123 enterprise risk management, ISO 31000:2018, and the GAO Standards for Internal Control. CISA’s CIO FISMA metrics set the cybersecurity baseline. |
| 75% of federal improper payments concentrate in just five programs: Medicare, Medicaid, Earned Income Tax Credit, SNAP, and the Restaurant Revitalization Fund. Eighteen federal programs run improper-payment rates of at least 10%. |
| Tie thresholds to statutory bright lines. PIIA reporting, FISMA quarterly metrics, and the GAO High-Risk List drive automatic escalation when a KRI crosses them. |
| Build the dashboard in three views: program-level (weekly), agency-level (monthly), and OMB / Congressional (quarterly). Same data, three audiences. |
| Tie every Key Risk Indicators for Government Agencies metric to a named SES owner, an OIG follow-up trigger, and the agency risk register. Standalone KRI binders fail every IG audit. |
Layer the cyber picture on top. The FY2024 CIO FISMA metrics from CISA still show wide variance across federal agencies on patch latency, MFA coverage, asset inventory, and incident-response readiness.
Add workforce vacancies, FedRAMP authorization gaps, and unclosed OIG recommendations on top of that, and the federal risk surface is wider in 2026 than it was in 2020.
Federal CFO Act agencies are required to operate enterprise risk management programs under OMB Circular A-123 and the GAO Standards for Internal Control in the Federal Government (Green Book).
State and local agencies follow similar logic under their own statutes. Anchor the program to ISO 31000:2018 and the federal-aligned NIST risk frameworks. The same KRI structure works at every tier.

Figure 1. The fiscal backdrop for Key Risk Indicators for Government Agencies in 2026.
What Key Risk Indicators for Government Agencies Actually Measure
A Key Risk Indicator for Government Agencies is a leading metric. It is tied to a defined threshold and a named senior owner. It fires before the risk event lands in front of GAO, the agency OIG, or the appropriations committee.
It is not a performance measure under GPRAMA. It is not a control metric under A-123. It sits between them and signals a change in risk exposure before either set of metrics moves.
Use a timing test. If a metric tells you what happened last quarter, it is a KPI. If it tells you what is likely to happen in the next 7 to 30 days and you can act on it now, it is a Key Risk Indicator for Government Agencies.
Most US federal programs track plenty of backward-looking KPIs and too few of the leading-side KRIs that would prevent the next IG finding.
Why Key Risk Indicators for Government Agencies Differ From Standard Government KPIs
| Dimension | Government KPI (lagging) | Key Risk Indicators for Government Agencies (leading) |
|---|---|---|
| Time horizon | Last quarter, last fiscal year, multi-year trend | Next 7 to 30 days |
| Use | Performance reporting (GPRAMA, agency annual report) | Early warning, escalation trigger |
| Examples | Outcome %, customer satisfaction, cost per service, backlog days | Critical FISMA gaps, improper-payment rate, open OIG recommendations, vacancy rate |
| Threshold | Target vs actual against published goals | RAG band tied to risk appetite + statutory bright lines |
| Owner | Bureau / program leader | SES risk owner with escalation authority |
| Cadence | Quarterly or annual close | Monthly for federal; weekly for high-risk programs |

Figure 2. Government KPIs and Key Risk Indicators for Government Agencies do different jobs.
The Seven Categories of Key Risk Indicators for Government Agencies
Across the 14 US federal agency risk registers audited in 2024-2025, the same seven categories show up in every Key Risk Indicators for Government Agencies program: cybersecurity, improper payments and fraud, workforce, program performance, supply chain, compliance, and operational continuity. A typical mid-size federal agency runs 60-90 active KRIs across these seven.

Figure 3. Distribution of Key Risk Indicators for Government Agencies by category.
Seven Categories of Key Risk Indicators for Government Agencies at a Glance
| Category | Risk it monitors | Sample Key Risk Indicators for Government Agencies | Owner |
|---|---|---|---|
| Cybersecurity / FISMA | Breach, ransomware, FISMA non-compliance | Critical CVE patch latency, MFA coverage, asset-inventory completeness, EDR coverage | Agency CIO / CISO |
| Improper payments / fraud | PIIA-reportable error rate, OIG fraud findings | Improper-payment rate %, recovery audit yield, anomaly-detection alerts, fraud referrals | CFO / Inspector General liaison |
| Workforce | Vacancy, attrition, leadership gaps | Vacancy rate by mission-critical occupation, time-to-hire days, SES retention, security-clearance backlog | CHCO / OPM liaison |
| Program performance (GPRAMA) | Statutory program goals at risk | % APG milestones at risk, cycle time vs target, customer-experience indicator | Program SES |
| Supply chain (FedRAMP / CMMC) | Vendor compromise, single-source risk | % vendors with current FedRAMP authorization, CMMC level coverage, supplier financial-health flag | Procurement SES / contracting officer |
| Compliance (FAR / agency) | FAR, agency directives, GAO findings | Open GAO recommendations, OIG open recs over 12 months, audit-finding remediation rate | Office of General Counsel / CRO |
| Operational continuity | Disaster, climate, cyber-physical disruption | % sites with current COOP, mission-essential function recovery time, alternate-site readiness | COOP / continuity officer |
Cybersecurity Key Risk Indicators for Government Agencies
Of the seven categories, cybersecurity rose fastest in priority in 2024-2025. The CISA FY2024 CIO FISMA metrics and the FY2025 metrics update set the bright lines federal agencies report on quarterly. Anchor cyber KRIs to the NIST Cybersecurity Framework 2.0 and the NIST Risk Management Framework.
Worked Cybersecurity Key Risk Indicators for Government Agencies
| Cyber KRI | Formula | Green / Amber / Red | Why it matters |
|---|---|---|---|
| Critical CVE patch latency | Days from CVSS 9+ disclosure to deployment | <7 / 7-14 / >14 | CISA Known Exploited Vulnerabilities catalog drives deadlines |
| MFA coverage | % privileged accounts with phishing-resistant MFA | >98% / 90-98% / <90% | OMB M-22-09 zero-trust mandate |
| Asset inventory completeness | % known assets in CDM tooling vs ground truth | >95% / 85-95% / <85% | FISMA + CDM funding milestones |
| EDR coverage | % endpoints with active EDR telemetry to CISA | >95% / 85-95% / <85% | EO 14028 reporting expectation |
| High-side incident reporting timeliness | Hours from detection to CISA notification | <24 / 24-72 / >72 | FISMA incident-reporting threshold |
| Sub-tier vendor breach exposure | Confirmed FedRAMP/CMMC vendor incidents per quarter | 0 / 1 / >1 | Salt Typhoon-style sub-processor risk |
Improper Payments and Fraud Key Risk Indicators for Government Agencies
Improper-payment KRIs change faster than any other fiscal indicator on the federal Key Risk Indicators for Government Agencies dashboard.
The paymentaccuracy.gov high-priority programs page lists the federal programs subject to enhanced scrutiny under PIIA.
The Payment Integrity Information Act of 2019 (PIIA) defines the reporting bar; OMB Circular A-123 Appendix C operationalizes it through OMB Memorandum M-21-19.
Six federal programs reported improper-payment rates over 25% in FY2024. Eighteen ran rates of at least 10%. Those two numbers drive most of the appropriations-committee questions every cycle.
The GAO Fraud and Improper Payments portfolio tracks remediation, and the GAO High-Risk List carries the politically visible categories that surface in committee hearings.
Worked Improper-Payment Key Risk Indicators for Government Agencies
| KRI | Formula | Green / Amber / Red | Why it matters |
|---|---|---|---|
| Improper-payment rate (program) | Estimated improper payments / total program outlays | <3% / 3-10% / >10% | PIIA significance threshold |
| High-priority program rate | Rate for programs above $10B annual outlay or >10% rate | <3% / 3-10% / >10% | OMB M-21-19 enhanced scrutiny |
| Recovery audit yield | $ recovered / $ identified improper | >75% / 50-75% / <50% | Treasury and agency recovery performance |
| Fraud referral volume | Confirmed fraud referrals to OIG per quarter | Stable / +20% / +50% | Anomaly + tip-line + analytics signals |
| Open OIG fraud recommendations | Open OIG recs related to fraud beyond 12 months | 0-2 / 3-5 / >5 | GAO and Hill scrutiny driver |
| Anomaly-detection alert rate | Risk-scored alerts per 100K transactions | <25 / 25-75 / >75 | Treasury Do Not Pay + agency analytics |
Workforce Key Risk Indicators for Government Agencies
Workforce KRIs predict the bulk of federal program failures the GAO ends up documenting. The US Office of Personnel Management workforce data feeds the agency-level metrics.
Three KRIs sit on every Tier-1 federal Key Risk Indicators for Government Agencies dashboard: mission-critical occupation vacancies, SES retention, and security-clearance backlog.
Worked Workforce Key Risk Indicators for Government Agencies
| KRI | Formula | Green / Amber / Red | Why it matters |
|---|---|---|---|
| Mission-critical vacancy rate | % MCO positions vacant | <8% / 8-15% / >15% | OPM and agency strategic-workforce plan |
| SES retention | % SES retained over rolling 12 months | >90% / 80-90% / <80% | Loss of leadership drives program failures |
| Time-to-hire (days) | USAJOBS posting to entry-on-duty | <80 / 80-120 / >120 | OPM time-to-hire standard |
| Security-clearance backlog | Open clearance investigations beyond 90 days | <5% / 5-15% / >15% | Trusted Workforce 2.0 expectation |
| Telework / hybrid friction | % positions with unfilled hybrid policy gaps | <5% / 5-15% / >15% | RTO / hybrid program risk |
| Federal employee viewpoint score | FEVS engagement index | >70 / 60-70 / <60 | Predicts attrition and program risk |
Building the Key Risk Indicators for Government Agencies Dashboard
A Key Risk Indicators for Government Agencies dashboard is a working tool. It pulls from the agency CIO’s CDM feed, the CFO’s payment-integrity data, the CHCO’s workforce system, OIG case-management, and the program-management office.
Three audiences run on the same data: program-level (weekly), agency-level (monthly), and OMB / Congressional (quarterly).
Most US federal agencies I work with end up with 60-90 active KRIs. Fewer than 50 leaves blind spots. More than 120 produces a dashboard the agency head stops reading. The Risk Publishing KRI dashboard guide walks through the build with screenshots.

Figure 4. Typical monthly status mix for Key Risk Indicators for Government Agencies.
Three Views of the Same Key Risk Indicators for Government Agencies Data
| View | Audience | Cadence | What it shows |
|---|---|---|---|
| Program view | Program SES, deputy, ops leads | Weekly | Program-relevant KRIs with operating context; halt-criteria alerts |
| Agency view | CRO, agency head, CFO, CIO, CHCO, OGC | Monthly | All seven categories aggregated; peer-agency benchmarking |
| OMB / Congressional view | OMB resource manager, OIG, Hill committees | Quarterly | Heat map; statutory KRIs (PIIA, FISMA, GAO recs); top 10 reds |
Key Risk Indicators for Government Agencies Escalation Protocol
| RAG zone | Action | Owner | Timeline |
|---|---|---|---|
| Green | Monitor only, log in dashboard | KRI owner | Standard cadence |
| Amber | Investigate root cause + control test | Program SES | Within 7 days |
| Red | Escalate to CRO + agency head | CRO + Deputy Secretary | Within 24 hours |
| Critical | Notify OMB + OIG + GAO; mobilize incident response | Agency Head + General Counsel | Same business day |
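The RAG banding from the worked cyber and improper-payment tables, wired to the escalation protocol above, as an added example that is not part of the article. Assumptions: the patch-latency KRI is reported as the worst latency across CVSS 9+ items (open items counted up to the reporting date), PIV and FIDO2 are the phishing-resistant MFA methods, and the CVE records, account export and outlay figures are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Band:
    green: float           # Green when strictly better than this bound
    red: float             # Red when strictly worse than this bound
    lower_is_better: bool  # latency and rates: lower is better; coverage: higher

# Bands copied from the worked tables. Bounds are exclusive exactly as printed
# ("<7" Green, "7-14" Amber, ">14" Red), so 7 and 14 both fall in Amber.
BANDS: Dict[str, Band] = {
    "critical_cve_patch_latency_days": Band(7, 14, True),
    "privileged_mfa_coverage_pct":     Band(98, 90, False),
    "improper_payment_rate_pct":       Band(3, 10, True),
}
# Escalation protocol table: zone -> (action, owner, timeline).
ESCALATION = {
    "Green": ("Monitor only, log in dashboard", "KRI owner", "Standard cadence"),
    "Amber": ("Investigate root cause + control test", "Program SES", "Within 7 days"),
    "Red":   ("Escalate to CRO + agency head", "CRO + Deputy Secretary", "Within 24 hours"),
}

def rag_zone(kri: str, value: float) -> str:
    # Band a reading into Green/Amber/Red, honouring the KRI's direction.
    b = BANDS[kri]
    better = (lambda v, t: v < t) if b.lower_is_better else (lambda v, t: v > t)
    if better(value, b.green):
        return "Green"
    if better(b.red, value):  # the red bound is strictly better than the reading
        return "Red"
    return "Amber"

# Constructed CVE tracker export: (CVSS, disclosed, deployed; None = still open).
CVE_RECORDS: List[Tuple[float, date, Optional[date]]] = [
    (9.8, date(2025, 3, 1), date(2025, 3, 6)),
    (9.1, date(2025, 3, 2), date(2025, 3, 13)),
    (7.5, date(2025, 2, 1), None),  # below CVSS 9: outside this KRI
]
AS_OF = date(2025, 3, 20)  # constructed reporting date

def patch_latency_days(records, as_of: date) -> int:
    # Assumption: report the worst latency; open items count up to the as_of date.
    lat = [((done or as_of) - disc).days for cvss, disc, done in records if cvss >= 9.0]
    return max(lat, default=0)

# Constructed privileged-account export: (account, MFA method). Assumption:
# PIV and FIDO2 count as phishing-resistant; TOTP, SMS and none do not.
PRIVILEGED_ACCOUNTS = [(f"adm{i:02d}", "piv") for i in range(9)] + [("adm09", "totp")]
PHISHING_RESISTANT = {"piv", "fido2"}

def mfa_coverage_pct(accounts) -> float:
    return 100.0 * sum(m in PHISHING_RESISTANT for _, m in accounts) / len(accounts)

def improper_payment_rate_pct(estimated_improper: float, outlays: float) -> float:
    return 100.0 * estimated_improper / outlays

def evaluate(readings: Dict[str, float]) -> Dict[str, Tuple[float, str, str]]:
    # Attach the RAG zone and the protocol action to each KRI reading.
    return {k: (v, rag_zone(k, v), ESCALATION[rag_zone(k, v)][0]) for k, v in readings.items()}

if __name__ == "__main__":
    readings = {"critical_cve_patch_latency_days": patch_latency_days(CVE_RECORDS, AS_OF),
                "privileged_mfa_coverage_pct": mfa_coverage_pct(PRIVILEGED_ACCOUNTS),
                "improper_payment_rate_pct": improper_payment_rate_pct(1.25e9, 10e9)}
    for kri, (value, zone, action) in evaluate(readings).items():
        print(f"{kri:34s} {value:7.1f}  {zone:5s}  {action}")
```

Note that 90% MFA coverage lands in Amber rather than Red because the table's Red band is strictly below 90%; the boundary reading is the case most dashboards get wrong.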
Frequently Asked Questions About Key Risk Indicators for Government Agencies
What are Key Risk Indicators for Government Agencies in plain language?
Key Risk Indicators for Government Agencies are leading metrics, each tied to a defined threshold and a named SES owner who acts when the metric trips.
GPRAMA outcomes and agency KPIs describe what already happened. KRIs flag what is likely to happen next and give the agency time to act before the GAO, the OIG, or an appropriations committee notices.
How many Key Risk Indicators for Government Agencies should an agency track?
A typical mid-size US federal agency runs 60-90 active Key Risk Indicators for Government Agencies across seven categories: cybersecurity, improper payments and fraud, workforce, program performance, supply chain, compliance, and operational continuity.
Below 50 leaves blind spots. Above 120 produces a dashboard the agency head stops reading. State and local agencies typically run 30-60 KRIs.
What standards govern Key Risk Indicators for Government Agencies?
Federal CFO Act agencies operate under OMB Circular A-123 enterprise risk management requirements, the GAO Green Book on internal control, PIIA for payment integrity, and FISMA for cybersecurity. ISO 31000:2018 and the COSO ERM framework provide the management discipline that ties them together.
How does the GAO High-Risk List shape Key Risk Indicators for Government Agencies?
The GAO High-Risk List identifies federal programs vulnerable to fraud, waste, abuse, and mismanagement, plus areas needing transformation.
Every Tier-1 Key Risk Indicators for Government Agencies dashboard maps each High-Risk area to at least one KRI. Movement on a High-Risk metric triggers automatic escalation, because the metric will surface in the next biennial GAO update either way.
Which Key Risk Indicators for Government Agencies matter most in 2026?
Cybersecurity, improper payments, and workforce KRIs lead the federal list in 2026. Salt Typhoon and CALEA-adjacent compromises put cyber on the front page.
The $162B FY2024 improper-payment number puts payment integrity in front of every appropriations cycle. Mission-critical vacancies and SES retention drive most of the program failures the GAO ends up documenting.
How do Key Risk Indicators for Government Agencies link to OMB Circular A-123?
OMB Circular A-123 requires federal agencies to run enterprise risk management programs and to maintain internal controls. Key Risk Indicators for Government Agencies are the leading-side metrics that put the A-123 ERM expectation into practice.
Each KRI maps to a registered risk in the agency’s risk register and to one or more A-123 internal controls. Without that mapping, the KRI program runs separately from the compliance program and both lose value.
Who owns the Key Risk Indicators for Government Agencies program?
The CRO or Deputy Secretary owns the agency program. The CIO owns cyber KRIs. The CFO owns payment-integrity KRIs. The CHCO owns workforce KRIs.
The procurement SES owns supply-chain KRIs. Day to day, every KRI has a named human owner with halt and escalation authority. Without that named owner, the agency dashboard is decoration.
How often should Key Risk Indicators for Government Agencies be reviewed?
Program-level Key Risk Indicators for Government Agencies refresh weekly. The agency view runs monthly. The OMB / Congressional view runs quarterly.
Red-zone KRIs trigger same-day escalation regardless of cadence, and critical-zone KRIs trigger OMB and OIG notification on the same business day. State and local agencies typically run a similar three-tier cadence with shorter chains.
Common Pitfalls in Key Risk Indicators for Government Agencies Programs
Most stalled US Key Risk Indicators for Government Agencies programs fail in predictable ways. The list below covers the seven traps that come up most often during agency program reviews and OIG follow-ups. Use it as a self-audit before the next quarterly OMB exchange or GAO engagement.
| Pitfall | Root cause | Remedy |
|---|---|---|
| Confusing KRIs with KPIs | Agency reports GPRAMA outcomes as KRIs; lagging metrics fill the dashboard | Force a leading-vs-lagging test on every KRI; replace lagging metrics with forward-looking equivalents |
| Cyber and improper-payment KRIs siloed | CIO and CFO run separate dashboards | Unify on one KRI dashboard with three audience views; map both categories to the same risk register |
| No SES owner per KRI | Function-level rollup hides accountability | Name a single SES risk owner per active KRI with halt and escalation authority |
| GAO High-Risk areas missing from dashboard | KRI program built outside the High-Risk remediation track | Map every High-Risk area to at least one KRI; refresh on every biennial GAO update |
| Workforce KRIs treated as HR-only | CHCO data not in the risk dashboard | Move mission-critical vacancy, SES retention, and clearance backlog into the enterprise KRI feed |
| Stale thresholds | Bands set once and never refreshed | Recalibrate annually against statutory triggers (PIIA, FISMA) and against agency risk appetite |
| Dashboard refreshed manually | No integration to CDM, payment-integrity, or workforce systems | Wire KRIs into CDM, Treasury Do Not Pay, OIG case-management, and the workforce system |
Where Key Risk Indicators for Government Agencies Are Heading: 2026-2028
The Key Risk Indicators for Government Agencies discipline is moving fast. Three trends will reshape the next 24 months for US federal and state agencies: AI-driven anomaly detection in payment integrity, zero-trust expectations hardening into FISMA scoring, and tighter OMB scrutiny of how A-123 ERM programs put KRIs into actual practice.
AI-driven anomaly detection is going production in federal payment-integrity programs. The Treasury Do Not Pay portal already runs analytics across multiple agencies.
Expect models that combine claims data, third-party data, and behavioral signals to flag improper payments before disbursement, not after. Every Key Risk Indicators for Government Agencies dashboard in 2026-2027 will need an anomaly-detection KRI tied to model performance, not just alert volume.
Zero-trust expectations are hardening into the FISMA score. The OMB M-22-09 federal zero-trust strategy set the original deadlines, and CISA FISMA metrics now operationalize them. Agencies behind on phishing-resistant MFA, encrypted DNS, and continuous monitoring will see their FISMA scores drop, with knock-on effects on appropriations and authorization decisions.
OMB and GAO are tightening scrutiny of how A-123 ERM programs use KRIs. Agency program reviews and the next round of GAO ERM-related work will look at whether KRIs feed actual decisions, not just dashboards.
The GAO Yellow Book audit standards already shape how IGs review the program. A Key Risk Indicators for Government Agencies dashboard that does not change agency decisions in 2026 is a dashboard the next OIG audit will flag.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
