Operational Risk Key Risk Indicators Examples include metrics that signal emerging threats across people, processes, systems, and external events—such as the very issues highlighted below.
In January 2025, the OCC issued civil money penalties against three former Wells Fargo senior executives for unsafe and unsound practices tied to the bank’s sales-practices misconduct. The agency also ordered the bank to remediate Bank Secrecy Act, anti-money-laundering, and sanctions program deficiencies.
The ORX 2025 Annual Banking Loss Data Report covered 79 global banks and €640 billion in gross losses. Clients, Products and Business Practices led the share, followed by Execution, Delivery and Process Management. The numbers describe a year in which controls broke faster than capital ratios.
| Key Takeaways |
| A 2026 Operational Risk Key Risk Indicators program tracks at least six categories aligned to the Basel definition: people and HR, process and internal controls, systems and technology, external events and third parties, financial reporting and accounting, and compliance and regulatory. |
| Basel III’s standardized approach for operational risk capital takes effect on a phased US timetable. Operational loss data and the Business Indicator Component now drive Pillar 1 capital, making historical loss KRIs valuation-grade metrics. |
| ORX’s Annual Banking Operational Risk Loss Data Report 2025 covered 79 global banks and €640 billion in gross losses. Clients, Products and Business Practices and Execution, Delivery and Process Management dominate the loss share. |
| The EU Digital Operational Resilience Act (DORA) entered application on January 17, 2025, mandating ICT third-party risk KRIs across financial entities. US firms with EU operations now run parallel third-party KRIs to satisfy DORA Chapter V. |
| The OCC’s 2025 enforcement actions against three former Wells Fargo executives reinforced the personal-accountability layer of operational risk. Sales-practices, AML, and customer-due-diligence KRIs belong on every executive risk dashboard. |
| Standards: BCBS Principles for the Sound Management of Operational Risk, Basel III final rule, ISO 31000:2018, COSO ERM 2017, NIST CSF 2.0, FFIEC IT Handbook, and DORA frame the KRI program. |
| A working catalog runs 35 to 60 KRIs total, with 10 to 15 elevated to the executive risk committee each quarter. Tracking fewer than 25 leaves blind spots; tracking more than 70 invites monitoring fatigue. |
This is a working catalog of Operational Risk Key Risk Indicators Examples, written so US banks, broker-dealers, insurers, and fintechs can pull the metrics straight into a 2026 board pack.
The catalog covers the six categories the Basel Committee uses: people and HR, process and internal controls, systems and technology, external events and third parties, financial reporting and accounting, and compliance and regulatory.
Indicators align to BCBS Principles for the Sound Management of Operational Risk, ISO 31000:2018, and DORA.
Figure 1. Operational Risk Key Risk Indicators Examples distributed across six Basel-aligned categories.
What Are Operational Risk Key Risk Indicators Examples?
The Basel Committee defines operational risk as the risk of loss from inadequate or failed internal processes, people and systems, or external events. Legal risk is in scope; strategic and reputational risk are not. A Key Risk Indicator is a leading metric that flags rising exposure before the loss is booked.
KPIs measure performance against a goal. KRIs measure exposure against a tolerance. The same metric can play either role depending on whether it is reported against the strategic plan target or the risk appetite threshold.
Useful Key Risk Indicators examples on an operational risk dashboard share four traits. They are measurable, owned by one person, calibrated to a documented threshold, and they move ahead of the loss event.
How Operational Risk Key Risk Indicators Examples Differ from KPIs
| Attribute | Key Performance Indicator (KPI) | Key Risk Indicator (KRI) |
| Direction | Measures progress against a target (transactions processed, on-time deliveries, cost per FTE) | Measures exposure against a tolerance (operational losses, control breaks, near-misses, regulatory issues) |
| Time view | Lagging or current operating performance | Leading early-warning signal of operational failure |
| Trigger | Operations review, business unit scorecard | Escalation memo, executive risk committee paper, board appetite review |
| Owner | Business unit head, COO, line managers | First-line risk owner plus second-line operational risk function |
| Reference | Annual operating plan, OKRs, BU scorecard | BCBS Principles, Basel III SMA, ISO 31000:2018, DORA, COSO ERM 2017 |
People and HR Operational Risk Key Risk Indicators Examples
Operational losses traced to people drive a large share of every bank’s loss profile. Sales-practices misconduct at Wells Fargo cost the firm $3.7 billion in 2022 alone, and the OCC’s 2025 personal-accountability orders against former executives extended the bill.
Top 9 People and HR Operational Risk Key Risk Indicators Examples
| People / HR KRI | Green threshold | Amber threshold | Red threshold |
| Staff turnover (annual) | <10% | 10-20% | >20% |
| Voluntary turnover in key roles | <8% | 8-15% | >15% |
| Vacancy rate on critical-person roles | <5% | 5-10% | >10% |
| Mandatory-training completion rate | 100% | 95-99% | <95% |
| Sales-practice complaints / 1,000 customers | <0.5 | 0.5-1.5 | >1.5 |
| Conflict-of-interest disclosures completed | 100% | 95-99% | <95% |
| Internal-fraud cases (rolling 12 mo) | 0 | 1-2 | >2 |
| HR ethics-line tips logged (qtr) | >2 | 1 | 0 |
| Time-to-fill on key positions (days) | <60 | 60-90 | >90 |
HR ethics-line tip volume looks like a soft metric until the next misconduct case lands. A hotline that records zero tips per quarter is almost certainly broken, not clean.
Pair turnover and vacancy KRIs with a board-approved risk appetite statement so the executive risk committee sees workforce stress before it shows up in error rates and customer complaints.
Process and Internal Controls Operational Risk Key Risk Indicators Examples
Execution, Delivery and Process Management is the second-largest Basel loss category in the ORX 2025 industry data.
Reconciliation breaks, manual workarounds, and aging exceptions are the metrics that catch the trend before the loss is booked.
Top 10 Process and Internal Controls Operational Risk Key Risk Indicators Examples
| Process / Controls KRI | Green threshold | Amber threshold | Red threshold |
| Reconciliation breaks aging >30 days | 0 | 1-3 | >3 |
| Manual workarounds in critical processes | <3 | 3-7 | >7 |
| Exception-approval rate (% transactions) | <2% | 2-5% | >5% |
| Failed-trade rate | <0.5% | 0.5-2% | >2% |
| Process error rate (per 1,000 transactions) | <0.5 | 0.5-2 | >2 |
| Aged open audit findings >12 months | 0 | 1-2 | >2 |
| Repeat audit findings YoY | 0 | 1 | >1 |
| Maker-checker override rate | <0.5% | 0.5-2% | >2% |
| Customer complaints / 1,000 transactions | <2 | 2-5 | >5 |
| Operational loss vs. plan (rolling 12 mo) | <+5% | +5-15% | >+15% |
Track reconciliation aging weekly. A break aging past 30 days has stopped being a reconciliation problem and started being a financial reporting risk.
Systems and Technology Operational Risk Key Risk Indicators Examples
Critical-system uptime, mean time to patch, and MFA coverage are the three metrics every executive risk committee will see in 2026.
The EU Digital Operational Resilience Act entered application on January 17, 2025, and US firms with EU subsidiaries now report ICT-resilience metrics on the same cadence.
Top 10 Systems and Technology Operational Risk Key Risk Indicators Examples
| Systems / Technology KRI | Green threshold | Amber threshold | Red threshold |
| Critical-system uptime (rolling 30d) | >99.95% | 99-99.95% | <99% |
| Mean time to patch CISA KEV CVEs | <14d | 14-30d | >30d |
| Mean time to recover (MTTR) major incidents | <2h | 2-4h | >4h |
| MFA coverage on production systems | 100% | 95-99% | <95% |
| Endpoint EDR coverage on managed devices | 100% | 95-99% | <95% |
| Open critical vulnerabilities >30 days | 0 | 1-3 | >3 |
| Phishing simulation click rate | <5% | 5-12% | >12% |
| Backup recovery test success (quarterly) | 100% | 90-99% | <90% |
| Privileged accounts with excess access | <5% | 5-15% | >15% |
| Major IT change failure rate | <5% | 5-15% | >15% |
Mean time to recover will define operational resilience in 2026. Regulators read it as the operational equivalent of liquidity coverage, and DORA’s ‘severe but plausible’ scenario testing puts it in the same conversation as stress-test results.
Figure 2. Illustrative Operational Risk Key Risk Indicators Examples loss event distribution across Basel taxonomy categories.
External Events and Third-Party Operational Risk Key Risk Indicators Examples
Third-party concentration risk hit US regulators’ top-three concerns list in 2025. The DORA Chapter V third-party rules set a high bar that has already pulled US institutions with EU operations into parallel programs.
Top 8 External and Third-Party Operational Risk Key Risk Indicators Examples
| External / Third-Party KRI | Green threshold | Amber threshold | Red threshold |
| Vendor concentration (top-3 spend share) | <35% | 35-55% | >55% |
| Critical vendors with concentration risk | 0 | 1-2 | >2 |
| Fourth-party (sub-contractor) risk reviews | 100% | 70-99% | <70% |
| Vendor SLA breaches (rolling 12 mo) | 0 | 1-3 | >3 |
| Vendor breach exposures | 0 | 1 | >1 |
| Cloud-provider concentration (% workloads) | <60% | 60-80% | >80% |
| Climate / physical-asset incidents / yr | 0 | 1 | >1 |
| Sanctioned-counterparty hits / qtr | 0 | 1 | >1 |
Cloud concentration risk is the operational risk most boards still under-measure. A bank running 80% of workloads on a single cloud provider has bought a single point of failure that the next regional outage will price in.
Pair the metric with a structured third-party risk management program so the executive risk committee sees vendor stress on the same paper as internal controls.
Figure 3. Illustrative threshold dashboard showing Operational Risk Key Risk Indicators Examples across categories with green / amber / red bands.
Financial Reporting and Accounting Operational Risk Key Risk Indicators Examples
Restatements, material weaknesses, and SOX 404(b) deficiencies sit on the same risk register as cyber and process. The Wells Fargo 2025 enforcement actions tied executive accountability to financial reporting integrity in a way that every CFO read as a leading indicator.
Top 8 Financial Reporting and Accounting Operational Risk Key Risk Indicators Examples
| Financial Reporting KRI | Green threshold | Amber threshold | Red threshold |
| Material weaknesses (SOX 404) | 0 | 1 | >1 |
| Significant deficiencies open >60 days | 0 | 1-2 | >2 |
| Account reconciliations completed on time | 100% | 95-99% | <95% |
| Manual journal entries (% volume) | <10% | 10-20% | >20% |
| Late close days (rolling 12 mo) | 0 | 1-2 | >2 |
| Restatement events (rolling 36 mo) | 0 | 1 | >1 |
| Auditor-proposed adjustments ($ posted) | <$1M | $1-5M | >$5M |
| Internal-audit ratings unsatisfactory | 0 | 1 | >1 |
Manual journal entry share is the financial reporting metric that tells you the most about control maturity. A close cycle running above 20% manual journals has automation gaps the next audit will price into the management letter.
Compliance and Regulatory Operational Risk Key Risk Indicators Examples
AML, sanctions, consumer-protection, and prudential rules sit at the intersection of operational risk and compliance.
The OCC’s 2024 BSA/AML order against Wells Fargo identified deficiencies in suspicious-activity reporting, customer due diligence, and beneficial ownership programs. Those gaps are exactly what compliance KRIs are built to catch.
Top 9 Compliance and Regulatory Operational Risk Key Risk Indicators Examples
| Compliance / Regulatory KRI | Green threshold | Amber threshold | Red threshold |
| AML/CTF SAR filings within 30 days | 100% | 95-99% | <95% |
| Sanctions-screening false-positive rate | <10% | 10-20% | >20% |
| KYC / CIP backlog (open files) | <25 | 25-100 | >100 |
| Open MRAs / MRIAs from supervisors | 0 | 1-2 | >2 |
| Consumer complaints filed with CFPB | <5/qtr | 5-20/qtr | >20/qtr |
| Privacy / FCRA incident reports | 0 | 1-2 | >2 |
| Reg-change items past implementation date | 0 | 1-3 | >3 |
| Open enforcement actions / consent orders | 0 | 1 | >1 |
| Compliance training completion (annual) | 100% | 95-99% | <95% |
Open MRAs and MRIAs are the cleanest forward indicator of supervisory escalation. A bank with two open Matters Requiring Immediate Attention is on a published path toward a public consent order. Boards that track the count and aging recover faster.
How to Implement Operational Risk Key Risk Indicators Examples
Standing up an operational risk KRI program is a six-step exercise inside the wider enterprise risk management framework. The reference texts are BCBS Principles for the Sound Management of Operational Risk, ISO 31000:2018 clause 6.6, and COSO ERM 2017.
Six Steps to Deploy Operational Risk Key Risk Indicators Examples
- Step 1. Anchor in the operational risk taxonomy: Tie each KRI to a specific Basel event-type and a risk in the register so dashboard movement maps to a treatable exposure.
- Step 2. Calibrate thresholds: Set green / amber / red bands using ORX peer benchmarks, internal loss data, and the board-approved risk appetite statement.
- Step 3. Assign owners: Every KRI gets a named first-line owner and a second-line operational risk partner. Cyber goes to the CISO; AML to the BSA officer; financial reporting to the CFO.
- Step 4. Define escalation: Document what happens at each band: who is notified, the response window, the executive risk committee trigger, and the board-paper threshold.
- Step 5. Automate collection: Pull data from the GL, GRC tool, IT service management platform, AML/KYC system, vendor risk platform, and HR system into a single Operational Risk KRI workbench.
- Step 6. Review quarterly: Recalibrate thresholds, retire indicators that never breach, replace those that always breach, and add KRIs for newly identified risks (AI use, climate, geopolitical events).
Common Pitfalls in Operational Risk Key Risk Indicators Examples
Implementation failures around Operational Risk Key Risk Indicators Examples tend to fail the same way at every institution size.
Global systemically important banks and 100-FTE community banks alike, the traps below keep coming up in supervisory examinations and audit reviews.
| Pitfall | Root cause | Remedy |
| KPI / KRI confusion | Same metric reported as both with one threshold | Document the threshold (KRI) separately from the target (KPI); report side by side |
| Tail-risk under-weighting | Loss data dominated by high-frequency low-severity events | Add scenario-driven KRIs covering tail events; use ORX scenarios as a starting point |
| Static thresholds | Bands set once at launch and never recalibrated | Quarterly review tied to internal loss trend, ORX peers, and risk appetite |
| Third-party blind spot | Vendor risk treated as procurement issue, not operational risk | Promote vendor concentration, fourth-party, and SLA breach KRIs to the executive risk committee |
| Compliance silo | AML, BSA, and conduct KRIs reported only to compliance committee | Surface compliance KRIs on the operational risk dashboard alongside process and systems |
| Vanity dashboards | Beautiful charts no committee acts on | Tie each amber / red band to a triggered action; track action closure as a meta-KRI |
| Annual-only cadence | KRIs reviewed once per year for the audit committee | Quarterly delta review of high-severity KRIs; weekly automated alerts on cyber, AML, and reconciliation |
Frequently Asked Questions About Operational Risk Key Risk Indicators Examples
What are the most important Operational Risk Key Risk Indicators Examples?
The seven most important Operational Risk Key Risk Indicators Examples are operational loss vs. plan, critical-system uptime, mean time to recover, reconciliation breaks aging, vendor concentration, open MRAs / MRIAs, and material-weakness count.
Together they cover the dominant 2026 risk drivers across people, process, systems, third parties, financial reporting, and compliance. Add 30 to 50 more across the six categories for a complete Basel-aligned program.
How many Operational Risk Key Risk Indicators Examples should an organization track?
US banks, broker-dealers, insurers, and large fintechs typically run 35 to 60 Operational Risk Key Risk Indicators Examples in total, with 10 to 15 elevated to the executive risk committee each quarter. Tracking fewer than 25 leaves blind spots.
Tracking more than 70 invites monitoring fatigue and dilutes the committee’s attention. The right number scales with Basel category exposure, regulatory footprint, and complexity, not with the size of the GRC tool’s catalog.
How do Operational Risk Key Risk Indicators Examples differ from KPIs?
Operational Risk Key Risk Indicators Examples measure exposure against a tolerance, while KPIs measure performance against a goal. A KPI tells management whether a process hit the productivity target. A KRI tells the board whether the risk of process failure is rising.
The same raw metric (system uptime, complaint volume, training completion) can serve both purposes if its threshold (KRI) and target (KPI) are documented separately and reported side by side.
Which standards govern Operational Risk Key Risk Indicators Examples?
The dominant references are the BCBS Principles for the Sound Management of Operational Risk, the Basel III final rule and its standardized approach for operational risk, ISO 31000:2018, COSO ERM 2017, NIST CSF 2.0, the FFIEC IT Handbook, and the OCC Heightened Standards.
EU-regulated entities and US firms with EU operations also run KRIs against DORA Chapter V third-party rules. Public-bond issuers and SEC registrants add cybersecurity disclosure-rule artifacts to the same set.
How often should Operational Risk Key Risk Indicators Examples be reviewed?
Operational Risk KRIs should be measured continuously where GRC, ITSM, and AML systems permit. Review weekly at the operating level, monthly at the operational risk committee, and quarterly at the executive risk committee or board.
Cyber, AML, and reconciliation KRIs warrant real-time alerts. Process and HR KRIs typically run on a weekly or monthly cadence. Financial reporting KRIs anchor on each close cycle and audit period.
Can community banks use the same Operational Risk Key Risk Indicators Examples as global banks?
Yes, with calibration. Community banks and credit unions can use the same Operational Risk Key Risk Indicators Examples catalog but should narrow the scope to 20 to 30 indicators that match their actual risk surface.
Thresholds change with asset size, business mix, and regulatory tier, but the metric definitions do not. Discipline and ownership are the binding constraints, not headcount or GRC-tool spend.
How do Operational Risk Key Risk Indicators Examples feed board reporting?
Operational Risk KRIs feed the quarterly board risk report through a tiered rollup. Function-level dashboards aggregate to enterprise heat maps, with the top 10 to 15 indicators reaching the audit-and-risk committee or the full board.
The board paper should show trend, threshold breach history, owner, and remediation status, all anchored to the institutional risk appetite. Without that structure, the board sees decoration rather than decision support.
How does Basel III change Operational Risk Key Risk Indicators Examples?
Basel III’s standardized measurement approach (SMA) for operational risk capital ties the regulatory charge to the Business Indicator Component and the internal loss multiplier. Historical operational losses now drive Pillar 1 capital.
That makes the loss-data quality KRIs (event capture rate, near-miss reporting, recovery accounting) board-level metrics. A US bank with a weak loss-data process will run higher capital under Basel III final rule than a peer that runs the same business with a clean dataset.
Looking Ahead: Operational Risk Key Risk Indicators Examples in 2026 and 2027
Basel III implementation will reshape the dashboard before anything else. The US final rule makes loss-data quality and the Business Indicator Component capital drivers. Loss-event capture rate and near-miss reporting now sit on every executive risk committee agenda.
Operational resilience moves into the same Pillar 2 conversation as capital and liquidity. DORA in the EU and the Federal Reserve’s continued focus on critical-operations recovery push mean time to recover, third-party concentration, and scenario-test results onto the board paper.
Conduct and consumer-protection KRIs round out the picture. The OCC’s 2025 personal-accountability orders against former Wells Fargo executives showed that supervisors will pursue individuals where systemic misconduct is found. Sales-practice, AML, and complaint KRIs belong on the same dashboard as system uptime.
A live KRI dashboard with quarterly recalibration is what holds up under OCC, Fed, FDIC, and FCA scrutiny. Without it, boards rotate through the same concerns until something in the news forces one of them to the top of the agenda.
Ready to Operationalize Operational Risk Key Risk Indicators Examples?
At riskpublishing.com we help US banks, broker-dealers, insurers, and large fintechs build Operational Risk Key Risk Indicators Examples that hold up under board questions, supervisory examinations, and rating-agency surveillance.
The work usually includes the KRI catalog, a threshold-calibration workshop, a function-to-enterprise rollup model, and a quarterly board-paper template anchored to BCBS Principles, Basel III, ISO 31000, COSO ERM 2017, NIST CSF 2.0, and DORA.
Explore our risk advisory services, or contact us to scope an operational risk KRI maturity review tailored to your asset size, business mix, and 2026-2027 regulatory priorities.
Related reading on riskpublishing.com: Key Risk Indicators examples, how to use Key Risk Indicators, operational risk management framework, the compliance Key Risk Indicators examples, financial Key Risk Indicators examples, cyber security Key Risk Indicators examples, and the integrated risk management approach.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.