On July 24, 2024, Boeing and the US Department of Justice filed a proposed plea agreement on a single count of conspiracy to defraud the FAA over the 737 MAX, with a criminal fine above $240 million and an independent compliance monitor.
On December 5, 2024, US District Judge Reed O’Connor rejected the plea over the monitor-selection process and sent the parties back to negotiate.
The board-level Key Risk Indicators for Legal and Compliance Teams that would have flagged that trajectory (deferred-prosecution-agreement breach risk, open consent orders, regulator inquiry aging, monitor-selection conformance, and FCPA / anti-fraud program effectiveness measured against the DOJ Evaluation of Corporate Compliance Programs) apply to every public-company general counsel and chief compliance officer in 2026.
The Boeing case sits inside a record enforcement year. The SEC reported $8.2 billion in financial remedies for fiscal 2024 across 583 enforcement actions, the highest dollar number in agency history.
Disgorgement and prejudgment interest hit $6.1 billion. Civil penalties hit $2.1 billion. The agency received 45,130 tips, the most in a single year, and paid $255 million in whistleblower awards.
Six categories anchor the dashboard below: litigation and disputes, regulatory enforcement and investigations, ethics / conduct / whistleblower, sanctions / trade / anti-bribery and FCPA, contract risk and IP, and compliance program operations and training.
Each set of Key Risk Indicators for Legal and Compliance Teams ties to the DOJ Evaluation of Corporate Compliance Programs (refreshed September 2024), ISO 37301:2021 compliance management, or ISO 31000:2018.
A US general counsel or chief compliance officer can pull the thresholds straight into the next quarterly audit-committee paper.

Figure 1. Key Risk Indicators for Legal and Compliance Teams distributed across six categories used in US general counsel and chief compliance officer organizations.
What Are Key Risk Indicators for Legal and Compliance Teams?
A legal-and-compliance Key Risk Indicator is a leading metric that flags a litigation event, a regulator inquiry, an ethics breach, a sanctions / FCPA exposure, a contract failure, or a program weakness before the audit committee, the regulator, or the press learns of it.
Legal-and-compliance risk covers the loss exposure tied to laws, regulations, contracts, supervisory expectations, ethics, and the integrity of the program itself.
KPIs measure progress against a legal-or-compliance plan target. Key Risk Indicators for Legal and Compliance Teams measure exposure against a documented tolerance.
The same metric (open litigation matters, training completion, hotline tips) can play either role depending on whether it is reported against a function-team target or a board-approved risk threshold.
Useful Key Risk Indicators examples on a legal-and-compliance dashboard share four traits. They are measurable, owned by one named officer (general counsel, chief compliance officer, head of litigation, head of ethics, head of trade compliance, head of contracts), calibrated to a green / amber / red threshold, and they move ahead of the loss event rather than after it.
How Key Risk Indicators for Legal and Compliance Teams Differ from KPIs
| Attribute | Key Performance Indicator (KPI) | Legal-and-Compliance Key Risk Indicator (KRI) |
|---|---|---|
| Direction | Measures progress against the function plan (matters closed, contracts signed, training delivered, FCPA reviews completed) | Measures exposure against tolerance (open material matters, reserves vs. counsel exposure, regulator inquiries open, FCPA DD coverage gap, hotline tips per quarter, conflicts disclosure completeness) |
| Time view | Lagging or current performance against the legal / compliance scorecard | Leading early-warning signal of restatement, regulator inquiry, criminal plea, monitor imposition, or 10-K legal-proceedings disclosure |
| Trigger | Functional review, weekly stand-up, monthly matter management | Disclosure-committee paper, audit-committee paper, board reporting, 10-K legal-proceedings and risk-factor disclosure |
| Owner | General counsel, chief compliance officer, head of litigation, head of contracts | GC and CCO; reported jointly to the audit committee or risk committee |
| Reference | Annual legal / compliance plan, OKRs, matter-management calendar | DOJ ECCP (Sept 2024), ISO 37301:2021, ISO 37001:2016, US Sentencing Guidelines Chapter 8, FCPA Resource Guide 2nd ed. (2020), ABA Model Rules |
Litigation and Disputes Key Risk Indicators for Legal and Compliance Teams
Boeing’s plea-deal saga reset what every US public-company GC reads about litigation aging and reserve accuracy.
Litigation-and-disputes KRIs read open matter counts, exposure, reserves vs. counsel best-estimate, settlement-rate trend, and the volume of class-action and shareholder complaints that signal the next 10-Q legal-proceedings note.
Top 9 Litigation and Disputes Key Risk Indicators for Legal and Compliance Teams
| Litigation / Disputes KRI | Green threshold | Amber threshold | Red threshold |
|---|---|---|---|
| Open material litigation matters | <5 | 5-10 | >10 |
| Reserves vs. counsel exposure variance | +/-10% | 10-25% | >25% |
| Class actions filed YTD | <3 | 3-7 | >7 |
| Securities class actions filed | 0 | 1 | >1 |
| Adverse rulings open / under appeal | <3 | 3-7 | >7 |
| Settlement rate vs. counsel forecast | +/-10% | 10-25% | >25% |
| Open insurance recovery claims | <5 | 5-15 | >15 |
| E-discovery aging > 60 days | <5 | 5-15 | >15 |
| Outside-counsel-fee variance vs. plan | <10% | 10-25% | >25% |
Reserves vs. counsel exposure variance over 25% is the litigation KRI most US GCs under-watch.
A reserve set 30% below counsel’s exposure estimate becomes the next 10-Q surprise that drives an audit-committee call. Pair this KRI with the disclosure-committee process so the gap is closed before the filing window opens.
Regulatory Enforcement and Investigations Key Risk Indicators for Legal and Compliance Teams
The SEC’s $8.2 billion FY2024 record was concentrated: about 56% of it came from the Terraform Labs / Do Kwon judgment.
The remaining 44% ran across the other 582 actions, touching every sector. Regulatory-enforcement-and-investigations KRIs read open inquiries, MRA / consent-order status, supervisory escalations, and the disclosure-control output that drives the 10-K and 10-Q legal-proceedings sections.
Top 10 Regulatory Enforcement and Investigations Key Risk Indicators for Legal and Compliance Teams
| Regulatory / Enforcement KRI | Green threshold | Amber threshold | Red threshold |
|---|---|---|---|
| Open SEC / DOJ / regulator inquiries | 0-1 | 2-3 | >3 |
| Open consent orders / DPAs / NPAs | 0 | 1 | >1 |
| DPA / NPA covenant findings open | 0 | 1-2 | >2 |
| Open MRAs / MRIAs from supervisors | 0 | 1-2 | >2 |
| MRA aging > 180 days | 0 | 1 | >1 |
| Regulator data requests open >30d | <3 | 3-7 | >7 |
| State-AG inquiries open | 0-1 | 2-3 | >3 |
| Wells notice / pre-charge letters open | 0 | 1 | >1 |
| External monitor reports rated < satisfactory | 0 | 1 | >1 |
| Self-disclosure decisions pending | 0 | 1-2 | >2 |

Figure 2. US legal and compliance enforcement data points 2024 driving the Key Risk Indicators for Legal and Compliance Teams that belong on a 2026 audit-committee paper.
Ethics, Conduct and Whistleblower Key Risk Indicators for Legal and Compliance Teams
The SEC paid $255 million in whistleblower awards in fiscal 2024 and received a record 45,130 tips. The DOJ’s September 2024 ECCP refresh added an explicit expectation that companies measure whistleblower-program effectiveness.
Ethics-conduct-and-whistleblower KRIs read culture signals at the line-item level alongside training completion, conflicts disclosure, and senior-leader conduct events.
Top 9 Ethics, Conduct and Whistleblower Key Risk Indicators for Legal and Compliance Teams
| Ethics / Conduct / Whistleblower KRI | Green threshold | Amber threshold | Red threshold |
|---|---|---|---|
| Whistleblower hotline tips logged (qtr) | >=3 | 1-2 | 0 |
| Hotline tip closure within SLA (%) | >=95% | 85-94% | <85% |
| Substantiated hotline cases (qtr) | <3 | 3-7 | >7 |
| Senior-leader conduct events | 0 | 1 | >1 |
| Compensation-clawback events | 0 | 1 | >1 |
| Conflict-of-interest disclosures complete | 100% | 95-99% | <95% |
| Code-of-conduct attestations on file | 100% | 95-99% | <95% |
| Repeat conduct findings / employee | 0 | 1 | >1 |
| External whistleblower complaints open | 0 | 1-2 | >2 |
Whistleblower hotline volume reads inversely. Zero tips in a quarter is a red flag, not a green one. ACFE research shows tips drive over 40% of fraud detection. A hotline that records nothing usually has an awareness or retaliation problem, not a perfect-control profile.
Sanctions, Trade and Anti-Bribery Key Risk Indicators for Legal and Compliance Teams
DOJ’s FCPA stance shifted twice in 2025: paused in February, resumed in June with focus on cartel and transnational-criminal-organization links. OFAC, BIS, and State sanctions kept expanding through the year.
Sanctions-trade-and-anti-bribery KRIs read screening coverage, third-party DD aging, FCPA reviews, gifts and hospitality exceptions, and the high-risk-jurisdiction footprint that decides the next investigation’s exposure.
Top 10 Sanctions, Trade and Anti-Bribery Key Risk Indicators for Legal and Compliance Teams
| Sanctions / Trade / FCPA KRI | Green threshold | Amber threshold | Red threshold |
|---|---|---|---|
| Sanctions screening false-positive rate | <10% | 10-20% | >20% |
| OFAC / BIS list match events (qtr) | 0 | 1-2 | >2 |
| Sanctions list update latency (hours) | <24 | 24-72 | >72 |
| FCPA third-party DD coverage (high-risk) | 100% | 85-99% | <85% |
| FCPA third-party DD refresh aging | <24 mo | 24-36 mo | >36 mo |
| Gifts / hospitality policy exceptions | <5% | 5-10% | >10% |
| High-risk-jurisdiction revenue share | <15% | 15-30% | >30% |
| Open internal FCPA investigations | 0 | 1-2 | >2 |
| Trade-license export approvals (% on time) | >=95% | 85-94% | <85% |
| Charity / political-contribution review rate | 100% | 90-99% | <90% |

Figure 3. Illustrative threshold dashboard showing Key Risk Indicators for Legal and Compliance Teams across categories with green / amber / red bands.
Contract Risk and IP Key Risk Indicators for Legal and Compliance Teams
Tariff and sanctions volatility through 2025 forced thousands of US contracts back open for change-in-law, force-majeure, and most-favored-nation renegotiation.
Contract-risk-and-IP KRIs read whether the legal team has line-of-sight on every clause that costs money when the world shifts: pricing escalators, change-in-law, audit rights, indemnities, IP assignment, and termination.
Top 8 Contract Risk and IP Key Risk Indicators for Legal and Compliance Teams
| Contract / IP KRI | Green threshold | Amber threshold | Red threshold |
|---|---|---|---|
| Contract repository data-quality findings | <5 | 5-15 | >15 |
| Contracts expiring < 90d unrenewed | <5 | 5-15 | >15 |
| Right-to-audit clauses missing on critical | 0 | 1-3 | >3 |
| Indemnification gap / cap exceeded events | 0 | 1 | >1 |
| IP assignment / invention disclosures aging | <10 | 10-30 | >30 |
| Trademark / patent renewal on time (%) | 100% | 95-99% | <95% |
| Open IP infringement matters | <3 | 3-7 | >7 |
| NDA / data-processing-agreement coverage on regulated data | 100% | 90-99% | <90% |
Compliance Program and Training Key Risk Indicators for Legal and Compliance Teams
DOJ ECCP (September 2024) made compliance program effectiveness an evidence-based test, not a paper review.
Compliance-program-and-training KRIs read training completion, policy refresh aging, risk-assessment cadence, control-testing coverage, third-line audit results, and the structural metrics ECCP asks for during a presentation to prosecutors.
Top 8 Compliance Program and Training Key Risk Indicators for Legal and Compliance Teams
| Compliance Program / Training KRI | Green threshold | Amber threshold | Red threshold |
|---|---|---|---|
| Mandatory training completion rate | 100% | 95-99% | <95% |
| Targeted high-risk-role training completion | 100% | 95-99% | <95% |
| Compliance policy refresh aging (mo) | <12 | 12-24 | >24 |
| Compliance risk assessment refresh aging | <12 mo | 12-18 mo | >18 mo |
| Compliance control-testing coverage | >=95% | 80-94% | <80% |
| Internal audit findings open >180d | <5 | 5-15 | >15 |
| Compliance budget vs. plan variance | <10% | 10-25% | >25% |
| Voluntary turnover in compliance roles | <10% | 10-20% | >20% |
Voluntary turnover in second-line compliance roles is the program KRI that quietly precedes program drift.
A compliance department running 20%+ annual turnover loses institutional knowledge faster than the next examiner can write the MRA. ECCP asks how the compliance officer is treated in the organization; turnover answers it numerically.
How to Implement Key Risk Indicators for Legal and Compliance Teams
Standing up a legal-and-compliance KRI program is a six-step exercise inside the wider enterprise risk management framework. The reference texts are the DOJ Evaluation of Corporate Compliance Programs, ISO 37301:2021, ISO 37001:2016 anti-bribery, and ISO 31000:2018.
Six Steps to Deploy Key Risk Indicators for Legal and Compliance Teams
- Step 1. Anchor in the legal-and-compliance taxonomy: Tie each KRI to one of the six categories so dashboard movement maps to a treatable exposure rather than a status-meeting talking point.
- Step 2. Calibrate thresholds: Set green / amber / red bands using internal trend, peer benchmarks, regulator findings history, and the audit-committee-approved risk appetite statement.
- Step 3. Assign owners: Every KRI gets one named officer. Litigation KRIs go to the head of litigation; enforcement KRIs to the chief compliance officer; ethics KRIs to the chief ethics officer; sanctions / FCPA KRIs to the head of trade compliance; contract KRIs to the contract management lead; program KRIs to the compliance program lead.
- Step 4. Define escalation: Document what happens at each band: who is notified, the response window, the disclosure-committee trigger, the audit-committee trigger, and the full-board paper threshold. Align with DOJ ECCP’s expectation of escalation through documented channels.
- Step 5. Automate collection: Pull data from the matter management system, GRC tool, hotline platform, contract lifecycle management tool, sanctions / FCPA screening platform, training LMS, and HRIS into a single legal-and-compliance KRI workbench updated at least weekly.
- Step 6. Review weekly, monthly and quarterly: GC and CCO review KRIs weekly for litigation and enforcement signals, monthly at the disclosure committee, and quarterly at the audit-and-risk committee. Recalibrate thresholds at each ECCP self-assessment, ISO 37301 surveillance, and external compliance-program review.
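The six steps above as a working threshold engine, added here as an example (it is not code from the page or from riskpublishing.com). It bands each reading green / amber / red using the table convention on this page, handles the two directions a legal-and-compliance KRI can run in (open matters where higher is worse; hotline tips and completion rates where lower is worse) and the +/- variance KRIs, then rolls the result up to a category heat map and the short list that reaches the audit committee. The thresholds are copied from the page's tables; the category keys, owner strings, escalation routes, the treatment of missing data as red, and the quarter readings are assumptions constructed for this example.

```python
"""Direction-aware green / amber / red banding and committee rollup for KRIs.

Added example, not the page's own code. Thresholds come from the page's tables;
categories, owners, escalation routes and sample readings are assumptions.
"""
from dataclasses import dataclass

GREEN, AMBER, RED = "green", "amber", "red"
SEVERITY = {GREEN: 0, AMBER: 1, RED: 2}

# Step 4 escalation routes (assumption, following the page's review cadence).
ESCALATION = {
    GREEN: "function dashboard only",
    AMBER: "disclosure committee (monthly)",
    RED: "owner notified; audit-and-risk committee paper (quarterly)",
}


@dataclass(frozen=True)
class Kri:
    name: str
    category: str
    owner: str
    green_bound: float
    amber_bound: float
    higher_is_worse: bool = True   # False for tips, completion %, on-time %
    use_abs: bool = False          # variance KRIs: +/-10% means abs(value) < 10


def band(kri: Kri, value: float) -> str:
    """Table convention on the page:
    higher-is-worse: green < g, amber g..a inclusive, red > a
    lower-is-worse:  green >= g, amber a..g (g exclusive), red < a."""
    v = abs(value) if kri.use_abs else value
    if kri.higher_is_worse:
        if v > kri.amber_bound:
            return RED
        return AMBER if v >= kri.green_bound else GREEN
    if v < kri.amber_bound:
        return RED
    return AMBER if v < kri.green_bound else GREEN


# Step 1: a slice of the page's catalog, thresholds as printed in its tables.
CATALOG = [
    Kri("Open material litigation matters", "litigation", "head of litigation", 5, 10),
    Kri("Reserves vs. counsel exposure variance (%)", "litigation", "head of litigation", 10, 25, use_abs=True),
    Kri("Open SEC / DOJ / regulator inquiries", "enforcement", "CCO", 2, 3),
    Kri("Whistleblower hotline tips logged (qtr)", "ethics", "chief ethics officer", 3, 1, higher_is_worse=False),
    Kri("FCPA third-party DD coverage, high-risk (%)", "sanctions_fcpa", "head of trade compliance", 100, 85, higher_is_worse=False),
    Kri("Sanctions list update latency (hours)", "sanctions_fcpa", "head of trade compliance", 24, 72),
    Kri("Mandatory training completion rate (%)", "program", "compliance program lead", 100, 95, higher_is_worse=False),
]

# Constructed quarter readings keyed by KRI name (not real company data).
SAMPLE_READINGS = {
    "Open material litigation matters": 6,
    "Reserves vs. counsel exposure variance (%)": -30.0,   # reserve 30% below counsel
    "Open SEC / DOJ / regulator inquiries": 1,
    "Whistleblower hotline tips logged (qtr)": 0,          # silence reads red
    "FCPA third-party DD coverage, high-risk (%)": 91.0,
    "Sanctions list update latency (hours)": 6,
    "Mandatory training completion rate (%)": 100.0,
}


def evaluate(catalog, readings):
    """Step 5 output: one row per KRI. A KRI with no reading is reported red
    (assumption): an unmeasured indicator cannot evidence a tolerance."""
    rows = []
    for k in catalog:
        if k.name not in readings:
            rows.append({"kri": k.name, "category": k.category, "owner": k.owner,
                         "value": None, "band": RED, "route": "no data; " + ESCALATION[RED]})
            continue
        b = band(k, readings[k.name])
        rows.append({"kri": k.name, "category": k.category, "owner": k.owner,
                     "value": readings[k.name], "band": b, "route": ESCALATION[b]})
    return rows


def category_heat_map(rows):
    """Worst band per category: the enterprise heat-map layer of the rollup."""
    heat = {}
    for r in rows:
        if SEVERITY[r["band"]] >= SEVERITY[heat.get(r["category"], GREEN)]:
            heat[r["category"]] = r["band"]
    return heat


def committee_paper(rows, top_n=12):
    """Step 6: the amber / red indicators that reach the committee, worst first."""
    flagged = [r for r in rows if r["band"] != GREEN]
    flagged.sort(key=lambda r: (-SEVERITY[r["band"]], r["kri"]))
    return flagged[:top_n]


if __name__ == "__main__":
    results = evaluate(CATALOG, SAMPLE_READINGS)
    for r in committee_paper(results):
        print(f"{r['band'].upper():5} {r['kri']:46} {r['value']!s:>6} -> {r['owner']}; {r['route']}")
    print(category_heat_map(results))
```

The direction flag is the part most dashboards get wrong: a single "higher is red" rule would score a silent hotline green. Keeping the table's inclusive / exclusive boundaries in one function also means a threshold recalibration (Step 6) is a data change to the catalog, not a code change.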
Common Pitfalls in Key Risk Indicators for Legal and Compliance Teams
Implementation failures around Key Risk Indicators for Legal and Compliance Teams repeat at every program size. At Fortune 500 multinationals and 100-person regulated firms alike, the traps below show up in DOJ ECCP presentations, SEC settlement papers, and post-incident audit-committee reviews.
| Pitfall | Root cause | Remedy |
|---|---|---|
| Activity counts mistaken for KRIs | Matters closed and trainings delivered reported as risk metrics | Reframe as exposure: open material matters, regulator inquiry aging, MRA aging, conflict disclosure gap |
| Reserves divorced from counsel exposure | Finance sets reserves; legal manages exposure; nobody reconciles | Track reserves vs. counsel exposure variance as a standing KRI; align disclosure-committee process to close the gap pre-filing |
| Hotline silence as good news | Quarter with zero tips celebrated rather than investigated | Set the green threshold at >=3 tips per quarter; investigate any quarter with zero (awareness or retaliation problem) |
| Stale FCPA third-party DD | Vendor onboarded with clean DD in 2022, not refreshed since | Track FCPA DD refresh aging; refresh on a 24-month cycle for high-risk and 36-month for medium |
| Sanctions-list latency unmonitored | OFAC / BIS list updates pulled weekly rather than real-time | Track sanctions list update latency in hours; civil OFAC violations are strict-liability |
| Compliance program presented as paper | Policy library and training records substituted for ECCP-grade evidence | Track compliance control-testing coverage and program audit findings; align reporting to DOJ ECCP design / application / access-to-resources test |
| Vanity dashboards | Beautiful charts no committee acts on | Tie each amber / red band to a triggered action; track action closure as a meta-KRI |
What are the most important Key Risk Indicators for Legal and Compliance Teams?
The seven most important Key Risk Indicators for Legal and Compliance Teams are open material litigation matters, reserves vs. counsel exposure variance, open SEC / DOJ / regulator inquiries, whistleblower hotline tips per quarter, FCPA third-party DD coverage on high-risk vendors, sanctions screening false-positive rate, and mandatory training completion rate.
Together they cover the dominant 2026 legal-and-compliance risk drivers across litigation, enforcement, ethics, sanctions / FCPA, and program operations. Add 30 to 45 more across the six categories for a complete GC and CCO program.
How many Key Risk Indicators for Legal and Compliance Teams should an organization track?
Most US Fortune-500 legal-and-compliance organizations run 40 to 55 Key Risk Indicators for Legal and Compliance Teams in total, with 8 to 12 elevated to the audit-and-risk committee or full board each quarter. Tracking fewer than 25 leaves blind spots that surface in the next regulator inquiry or 10-K legal-proceedings disclosure.
Tracking more than 70 invites monitoring fatigue and dilutes board attention. The right number scales with revenue scale, jurisdictional footprint, and regulatory tier (SEC issuer, OCC bank, DOJ-monitored), not with the size of the matter management or GRC platform catalog.
How do Key Risk Indicators for Legal and Compliance Teams differ from KPIs?
Key Risk Indicators for Legal and Compliance Teams measure exposure against a tolerance, while KPIs measure progress against a plan target. A KPI tells the legal team whether matters closed on time. A KRI tells the audit committee whether the open-matter count and reserve variance are heading toward an inquiry, an SEC Wells notice, or a 10-Q surprise.
The same metric (open matters, training completion, FCPA reviews completed) can serve both purposes if its threshold (KRI) and target (KPI) are documented separately and reported side by side in the disclosure-committee paper.
Which standards govern Key Risk Indicators for Legal and Compliance Teams?
The dominant references are the DOJ Evaluation of Corporate Compliance Programs (ECCP, refreshed September 2024), ISO 37301:2021 (compliance management systems), ISO 37001:2016 (anti-bribery), the US Sentencing Guidelines Chapter 8, the FCPA Resource Guide 2nd edition (2020), the OFAC enforcement guidelines, the ABA Model Rules of Professional Conduct, and ISO 31000:2018.
US public companies add SEC enforcement program guidance and disclosure rules. Banks add OCC Heightened Standards and FinCEN BSA guidance. Healthcare adds HIPAA and HHS-OIG fraud and abuse guidance. Defense contractors add DFARS supplier flow-down. Multinationals add UK Bribery Act, EU CSDDD, and host-country anti-corruption regimes.
How often should Key Risk Indicators for Legal and Compliance Teams be reviewed?
Legal-and-compliance KRIs should be measured continuously where the matter management system, GRC tool, hotline platform, and screening platform permit. GC and CCO review them weekly for litigation and enforcement signals, monthly at the disclosure committee, and quarterly at the audit-and-risk committee.
Sanctions, OFAC, and breach KRIs warrant real-time alerts. FCPA, training, and policy KRIs run on monthly or quarterly cycles. ECCP-aligned program KRIs anchor on annual self-assessments. Recalibrate thresholds after each material enforcement event, ECCP refresh, or ISO 37301 surveillance audit.
How does the Boeing DOJ saga change Key Risk Indicators for Legal and Compliance Teams?
The Boeing 737 MAX plea-deal trajectory moved DPA / NPA covenant findings open, external monitor reports rated below satisfactory, and self-disclosure decisions pending from generic risk-register entries to monthly audit-committee paper KRIs across most US public-company GC and CCO organizations. Monitor selection conformance became a separate question after Judge O’Connor’s December 2024 rejection.
Boards now read DPA breach risk on the same paper as litigation reserves and regulator inquiry aging. The next monitorship review or DOJ ECCP presentation gets the same treatment as a 10-K signature.
How do Key Risk Indicators for Legal and Compliance Teams support the audit committee?
Legal-and-compliance KRIs feed the quarterly audit-committee paper through a tiered rollup. Function dashboards (litigation, enforcement, ethics, sanctions / FCPA, contracts, program) aggregate to the enterprise heat map, with the top 8 to 12 indicators reaching the audit committee on the same agenda as the ERM update and the internal-audit progress report.
The committee paper should show trend, threshold breach history, owner, and remediation status, anchored to the audit-committee-approved risk appetite. Without that structure, the committee sees activity color rather than decision support, and the next 10-Q legal-proceedings disclosure inherits the same blind spots.
Can private companies use the same Key Risk Indicators for Legal and Compliance Teams as public companies?
Yes, with calibration. A private company can use the same Key Risk Indicators for Legal and Compliance Teams catalog but should narrow scope to 20 to 30 indicators that match the actual jurisdictional footprint, contract base, and regulatory obligation.
Thresholds change with revenue scale, segment count, and lender or insurance covenants, but the metric definitions do not. Most private-company GCs and CCOs adopt the catalog ahead of an IPO, sale, refinancing, or first DOJ / SEC engagement.
Looking Ahead: Key Risk Indicators for Legal and Compliance Teams in 2026 and 2027
DOJ ECCP and SEC enforcement set the cadence through 2026. The September 2024 ECCP refresh added an explicit data-quality and analytics expectation. SEC’s record FY2024 financial remedies set the new baseline. Audit committees expect KRI dashboards that map to ECCP and SEC’s evidence standards, not just policy libraries.
AI risk enters the legal-and-compliance dashboard. New KRIs emerge: AI-tool inventory, AI policy coverage, AI incidents reportable to the GC, and shadow-AI usage volume. The Texas-Meta biometric settlement shapes privacy KRI thresholds in parallel, and California SB 253 climate-disclosure obligations add another disclosure workstream to the same paper.
Sanctions and trade compliance hold intensity. OFAC, BIS, and State sanctions volumes rose through 2024-2025; the 2025 tariff regime added another layer. Sanctions screening latency, list-match events, and high-risk-jurisdiction exposure stay on every quarterly paper through the 2026-2027 enforcement cycle.
A live KRI dashboard with monthly recalibration and a clear integrated risk management approach is what holds up under DOJ ECCP, SEC review, audit-committee scrutiny, and external monitor inspection. Without it, the legal-and-compliance organization rotates through the same concerns until the next Boeing-scale plea or TD-scale settlement forces one of them to the top of the agenda.
Ready to Operationalize Key Risk Indicators for Legal and Compliance Teams?
At riskpublishing.com we help US general counsel and chief compliance officers build Key Risk Indicators for Legal and Compliance Teams that hold up under audit-committee review and DOJ / SEC examinations.
The work usually includes the KRI catalog, a threshold-calibration workshop tied to peer benchmarks and ECCP expectations, a function-to-enterprise rollup model, and a quarterly audit-committee paper template anchored to the DOJ Evaluation of Corporate Compliance Programs, ISO 37301:2021, ISO 37001:2016, the US Sentencing Guidelines, the FCPA Resource Guide (2nd edition), and ISO 31000:2018.
Explore our risk advisory services, or contact us to scope a legal-and-compliance KRI maturity review tailored to the matter portfolio, jurisdictional footprint, and 2026-2027 enforcement priorities.
Related reading on riskpublishing.com (KRI library): Key Risk Indicators examples, how to develop Key Risk Indicators, how to use Key Risk Indicators, Key Risk Indicators dashboard, and Key Risk Indicators in Enterprise Risk Management.
Related reading (compliance and audit): compliance risk analysis, how to conduct compliance risk assessment, a better way to manage compliance risks, the risk-based internal audit guide, and guide to audit risk assessment.
Related reading (ERM and frameworks): enterprise risk management framework, ISO 31000 vs COSO ERM Framework, integrated risk management approach, risk appetite statements examples, and operational risk management framework.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
