The Department of Veterans Affairs signed a 10-year, $16 billion contract with Oracle Cerner in 2018 to modernize its electronic health record system. The Institute for Defense Analyses now projects full deployment will exceed $37 billion, more than double the original budget.
By March 2024, VA’s Office of Inspector General had documented at least five veteran deaths and 70,000 veterans exposed to potential harm tied to the rollout. Productivity at the five live hospitals fell by as much as 50%.
The board-level Project Risk Key Risk Indicators Examples that would have caught the trajectory (cost performance index, defect escape rate, change-request volume, schedule slippage on critical-path milestones) were either tracked late or escalated late.
| Key Takeaways |
| A 2026 Project Risk Key Risk Indicators program covers six categories: schedule and milestone, cost and budget (EVM), scope and change control, quality and defect, resource and team, and stakeholder, governance and risk management. |
| The VA’s Oracle Cerner EHR contract started at $16 billion in 2018 and is now projected to exceed $37 billion at full deployment. Five acknowledged veteran deaths, 70,000 veterans exposed to potential harm, productivity down as much as 50% at the five rollout hospitals. |
| GAO’s September 2025 F-35 report found 2024 deliveries late by an average of 238 days, Block 4 cost growth above 50% over baseline, and more than 4,000 parts shortages in February 2025 (twice the historic average). |
| NASA planned to invest about $74 billion in major projects in fiscal 2025, with two GAO high-priority recommendations on acquisition management still open as of June 2025. |
| PMI’s 2024 Pulse of the Profession reports an average project performance rate of 73.8%, with higher performance correlating to lower scope creep and lower budget loss on failed projects. Organizations with 3+ enablers run lower scope-creep and lower budget-loss numbers. |
| Standards: PMBOK Guide 7th Edition, ISO 31000:2018, ISO 21500:2021, PMI Standard for Earned Value Management, GAO High Risk List, OMB Capital Programming Guide A-11 Part 7 frame the program. |
| A working catalog runs 40 to 55 Project Risk Key Risk Indicators Examples, with 8 to 12 elevated to the steering committee or board project-oversight committee each month. Tracking fewer than 25 misses early signals; tracking more than 70 dilutes attention. |
Federal IT is not the only stress test. GAO’s September 2025 F-35 report flagged 2024 aircraft deliveries averaging 238 days late, Block 4 cost growth above 50% over baseline, and more than 4,000 parts shortages in February 2025.
NASA’s major-project portfolio sat at $74 billion with two GAO acquisition-management recommendations still open.
Six categories anchor the dashboard below: schedule and milestone, cost and budget (EVM), scope and change control, quality and defect, resource and team, and stakeholder, governance and risk management.
Each Project Risk Key Risk Indicators Examples indicator ties to the PMBOK Guide 7th Edition, ISO 31000:2018, or the PMI Standard for Earned Value Management. A US program-management office director can pull the thresholds straight into the next monthly steering-committee paper.
Figure 1. Project Risk Key Risk Indicators Examples distributed across six categories used in US program management offices.
What Are Project Risk Key Risk Indicators Examples?
A Key Risk Indicator on a project is a leading metric that flags a project failure before the steering committee finds out from the customer. Project risk covers the loss exposure tied to delivering a defined scope, on a fixed timeline, within an approved budget, at an agreed quality level.
KPIs measure progress against the project plan. Project Risk Key Risk Indicators Examples measure exposure against a documented tolerance.
The same metric (CPI, defect rate, open changes) can play either role depending on whether it is reported against a delivery target or a board-approved risk threshold.
Useful Key Risk Indicators examples on a project dashboard share four traits. They are measurable, owned by one named person, calibrated to a green / amber / red threshold, and they move ahead of the schedule slip or cost overrun rather than after it.
How Project Risk Key Risk Indicators Examples Differ from KPIs
| Attribute | Key Performance Indicator (KPI) | Project Key Risk Indicator (KRI) |
| Direction | Measures progress against the plan (milestones met, deliverables accepted, sprint velocity) | Measures exposure against tolerance (SPI < 0.95, CPI < 0.95, change-request count, critical-path slack, open high-severity defects) |
| Time view | Lagging or current performance against the baseline schedule and budget | Leading early-warning signal of schedule slip, cost overrun, scope explosion, or quality failure |
| Trigger | Status report, sprint review, monthly delivery dashboard | Escalation memo, steering-committee paper, change-control board, board project-oversight review |
| Owner | Project manager, scrum master, delivery lead | Project manager plus PMO risk lead and program risk officer |
| Reference | Baseline schedule, baseline budget, statement of work, sprint goal | PMBOK 7, ISO 31000:2018, ISO 21500, PMI EVM Standard, OMB A-11 Part 7, GAO Cost Estimating and Assessment Guide |
Schedule and Milestone Project Risk Key Risk Indicators Examples
Schedule Performance Index (SPI) sits below 0.95 long before a milestone slips publicly. The PMI Standard for Earned Value Management treats SPI and the schedule variance dollar figure as paired indicators.
Both belong on the project KRI dashboard, alongside critical-path slack, milestone hit rate, and dependency-driven schedule risk.
Top 10 Schedule and Milestone Project Risk Key Risk Indicators Examples
| Schedule and Milestone KRI | Green threshold | Amber threshold | Red threshold |
| Schedule Performance Index (SPI) | >=1.00 | 0.90-0.99 | <0.90 |
| Critical-path slack remaining (days) | >10 | 3-10 | <3 |
| Milestone hit rate (rolling 90 days) | >=95% | 85-94% | <85% |
| Major-milestone slippage (cumulative days) | <=5 | 6-20 | >20 |
| Sprint / iteration commitment hit rate | >=85% | 70-84% | <70% |
| Schedule baseline re-baselines (per qtr) | 0 | 1 | >1 |
| Dependency-blocked work items | <5 | 5-15 | >15 |
| Critical-path activities at risk (count) | <3 | 3-7 | >7 |
| Float consumption rate (% per month) | <10% | 10-25% | >25% |
| Schedule Variance ($) | +/-2% | -2 to -10% | <-10% |
Critical-path slack remaining is the schedule KRI most program managers under-watch. A project that crosses below three days of float on any critical-path activity has either a recovery plan or a dependency problem the next steering committee will hear about either way.
Cost and Budget Project Risk Key Risk Indicators Examples
Cost Performance Index (CPI) below 0.90 on a federal IT program rarely recovers without a formal restructuring. The VA EHR program ran far below 1.0 for years before the 2024 program reset.
EAC drift away from BAC, contingency burn vs. percent complete, and forecast EAC variance are the cost KRIs that read the future, not just the past.
Top 10 Cost and Budget Project Risk Key Risk Indicators Examples
| Cost and Budget KRI | Green threshold | Amber threshold | Red threshold |
| Cost Performance Index (CPI) | >=1.00 | 0.90-0.99 | <0.90 |
| EAC vs. BAC variance (%) | <=2% | 2-10% | >10% |
| Contingency burn vs. % complete | <=1.0x | 1.0-1.5x | >1.5x |
| Forecast EAC change vs. last forecast | Stable | +5-10% | >+10% |
| Cost Variance ($) cumulative | +/-2% | -2 to -10% | <-10% |
| Burn rate vs. plan (monthly) | <=plan | 5-15% over | >15% over |
| Approved budget changes (count, qtr) | 0-1 | 2-3 | >3 |
| Vendor / contract claims open ($) | <$100k | $100k-$1M | >$1M |
| Funded vs. unfunded scope ratio | >=0.95 | 0.85-0.94 | <0.85 |
| Working-capital / cash-burn coverage (mo) | >=12 | 6-12 | <6 |
Figure 2. US federal project risk data points 2024-2025 driving the Project Risk Key Risk Indicators Examples that belong on a 2026 steering-committee dashboard.
Scope and Change Control Project Risk Key Risk Indicators Examples
PMI’s 2024 Pulse of the Profession found that organizations with three or more project-management enablers report lower scope creep and lower budget loss on failed projects. Scope-and-change-control KRIs read the rate at which the agreed delivery is quietly being redefined.
Top 8 Scope and Change Control Project Risk Key Risk Indicators Examples
| Scope and Change Control KRI | Green threshold | Amber threshold | Red threshold |
| Open change requests (count) | <10 | 10-25 | >25 |
| Change-request aging > 30 days | <3 | 3-10 | >10 |
| Change-control board decision SLA | >=95% | 80-94% | <80% |
| Approved scope changes vs. baseline (%) | <=5% | 5-15% | >15% |
| Requirements churn rate (qtr) | <=5% | 5-15% | >15% |
| Out-of-scope work logged (% of effort) | <=2% | 2-5% | >5% |
| Defect-driven scope expansion ($) | <$50k | $50k-$250k | >$250k |
| Stakeholder-rejected deliverables (qtr) | 0 | 1 | >1 |
Quality and Defect Project Risk Key Risk Indicators Examples
VA EHR’s 70,000-veteran exposure number is the quality-and-defect outcome no project owner ever wants to read in a Federal News Network headline.
Defect escape rate, severity-1 defect aging, post-release incident counts, and rework rate are the leading indicators that would have shown up months earlier.
Top 9 Quality and Defect Project Risk Key Risk Indicators Examples
| Quality and Defect KRI | Green threshold | Amber threshold | Red threshold |
| Defect escape rate (% to production) | <=1% | 1-3% | >3% |
| Severity-1 defect aging > 7 days | 0 | 1-2 | >2 |
| Post-release incidents per 30 days | <=2 | 3-7 | >7 |
| Rework rate (% of effort) | <=5% | 5-15% | >15% |
| Test-coverage gap on critical paths | <=5% | 5-15% | >15% |
| Test pass rate (release candidate) | >=95% | 85-94% | <85% |
| UAT defect inflow (per release) | <10 | 10-30 | >30 |
| Customer-reported safety incidents | 0 | 1 | >1 |
| Code-review findings open > 14d | <5 | 5-20 | >20 |
Customer-reported safety incidents stay on the dashboard for the full project lifecycle on any healthcare, defense, transportation, or critical-infrastructure program. A single incident is the difference between a routine review and a Congressional oversight hearing.
Figure 3. Illustrative threshold dashboard showing Project Risk Key Risk Indicators Examples across categories with green / amber / red bands.
Resource and Team Project Risk Key Risk Indicators Examples
F-35 production reported more than 4,000 parts shortages in February 2025, twice the historic average per GAO.
Resource-and-team KRIs read the same problem at the labor and supplier level: vacant critical roles, attrition on the program, supplier on-time delivery, and knowledge concentration in a single named contributor.
Top 8 Resource and Team Project Risk Key Risk Indicators Examples
| Resource and Team KRI | Green threshold | Amber threshold | Red threshold |
| Critical-role vacancies > 30 days | 0 | 1-2 | >2 |
| Voluntary attrition (rolling 90 days) | <5% | 5-10% | >10% |
| Resource utilization vs. plan | 85-100% | 70-85% | <70% or >110% |
| Supplier on-time delivery rate | >=95% | 85-94% | <85% |
| Supplier parts / component shortages | <=5 | 5-20 | >20 |
| Single-contributor knowledge risk (count) | 0 | 1-2 | >2 |
| Subcontractor share of effort (%) | <35% | 35-50% | >50% |
| Onboarding time-to-productive (days) | <30 | 30-60 | >60 |
Stakeholder, Governance and Risk Management Project Risk Key Risk Indicators Examples
GAO’s NASA assessment listed two high-priority recommendations on acquisition management still open in June 2025.
Governance KRIs measure how fast risks, issues, and audit findings move through the project’s escalation paths, and how often a steering committee is the first to hear about something the project team already knew.
Top 9 Stakeholder, Governance and Risk Management Project Risk Key Risk Indicators Examples
| Stakeholder / Governance / Risk Mgmt KRI | Green threshold | Amber threshold | Red threshold |
| Steering-committee escalations / qtr | <=2 | 3-5 | >5 |
| Open project risks > 60 days | <5 | 5-15 | >15 |
| High-severity risks without owner | 0 | 1-2 | >2 |
| Risk-mitigation actions overdue | <5 | 5-15 | >15 |
| Issue-log items open > 30 days | <5 | 5-15 | >15 |
| Audit / IV&V findings open | <3 | 3-7 | >7 |
| Stakeholder-survey approval score | >=4.0/5 | 3.0-3.9 | <3.0 |
| RAID-log update cadence (days) | <=7 | 7-14 | >14 |
| Lessons-learned closure rate | >=80% | 60-79% | <60% |
Risk-mitigation actions overdue is the governance KRI most program audits cite. A project with more than 15 overdue mitigation actions is one major incident from a finding letter that names the project sponsor by title.
How to Implement Project Risk Key Risk Indicators Examples
Standing up a Project Risk KRI program is a six-step exercise inside the wider enterprise risk management framework.
The reference texts are PMBOK Guide 7th Edition, ISO 31000:2018 clause 6.6, ISO 21500:2021, and the PMI Standard for Earned Value Management.
Six Steps to Deploy Project Risk Key Risk Indicators Examples
- Step 1. Anchor in the project risk taxonomy: Tie each KRI to one of the six categories (schedule, cost, scope, quality, resource, governance) so dashboard movement maps to a treatable exposure rather than a status-meeting talking point.
- Step 2. Calibrate thresholds: Set green / amber / red bands using internal trend, peer benchmarks, the project baseline, and the sponsor-approved risk appetite statement.
- Step 3. Assign owners: Every Project Risk KRI gets a named project-team owner and a PMO risk-lead partner. Schedule KRIs go to the project manager; cost KRIs to the EVM analyst; quality KRIs to the QA lead; governance KRIs to the program risk officer.
- Step 4. Define escalation: Document what happens at each band: who is notified, the response window, the change-control-board trigger, the steering-committee trigger, and the board project-oversight threshold.
- Step 5. Automate collection: Pull data from the scheduling tool (MS Project, Primavera P6, Jira), the EVM tool, the defect / issue tracker, the resource-management system, and the RAID log into a single Project Risk KRI workbench updated at least weekly.
- Step 6. Review weekly and monthly: Project team reviews KRIs weekly, the PMO and steering committee review monthly, and the board project-oversight committee reviews high-severity Project Risk KRIs at each quarterly meeting. Recalibrate thresholds at each major-milestone gate.
Common Pitfalls in Project Risk Key Risk Indicators Examples
Implementation failures around Project Risk Key Risk Indicators Examples repeat at every project size. Federal IT programs and three-month software releases alike, the traps below show up in GAO audit reports, IV&V findings, and post-incident reviews.
| Pitfall | Root cause | Remedy |
| Status reports treated as risk reports | Project status (green / yellow / red) substituted for KRI thresholds | Track KRIs separately with their own thresholds; status colors describe overall health, KRIs describe specific exposure |
| EVM tracked but ignored | CPI / SPI computed monthly and not actioned until variance is double-digit | Set amber at 0.95 and red at 0.90; trigger root-cause review at amber, not red |
| Static thresholds across the project | Bands set at kickoff and never recalibrated as risk profile shifts | Recalibrate at each major-milestone gate; tighten thresholds for late-phase work |
| Risk register without leading indicators | Open risks counted but not converted into measurable KRIs | Each top-10 risk gets at least one KRI with a green / amber / red threshold |
| Quality KRIs added too late | Defect tracking starts in UAT instead of build | Track defect escape rate, severity-1 aging, and rework rate from sprint 1, not from the release candidate |
| Vendor / supplier KRIs missed | Subcontractor performance treated as a contract issue, not a project KRI | Add supplier on-time delivery, parts shortages, and claims-open-dollars to the dashboard |
| Vanity dashboards | Beautiful charts no one acts on | Tie each amber / red band to a triggered action; track action closure as a meta-KRI |
Frequently Asked Questions About Project Risk Key Risk Indicators Examples
What are the most important Project Risk Key Risk Indicators Examples?
The seven most important Project Risk Key Risk Indicators Examples are SPI, CPI, critical-path slack remaining, open change requests aging, defect escape rate, severity-1 defect aging, and steering-committee escalations per quarter.
Together they cover the dominant project-risk drivers across schedule, cost, scope, quality, and governance. Add 30 to 45 more across the six categories for a full program.
How many Project Risk Key Risk Indicators Examples should a program track?
Most US public-sector and Fortune-500 programs run 40 to 55 Project Risk Key Risk Indicators Examples in total, with 8 to 12 elevated to the steering committee or board project-oversight committee monthly. Tracking fewer than 25 leaves blind spots that show up in the next IV&V finding.
Tracking more than 70 invites monitoring fatigue and delays the response to genuine red-band breaches. The right number scales with program size, contract complexity, and risk profile, not with the size of the project-management tool catalog.
How do Project Risk Key Risk Indicators Examples differ from KPIs?
Project Risk Key Risk Indicators Examples measure exposure against a tolerance, while KPIs measure progress against a goal.
A KPI tells the project manager whether milestones are being delivered. A KRI tells the steering committee whether the rate of milestone slippage is heading toward a baseline reset.
The same metric (CPI, defect rate, change-request count) can serve both purposes if its threshold (KRI) and target (KPI) are documented separately and reported side by side in the project status pack.
Which standards govern Project Risk Key Risk Indicators Examples?
The dominant references are PMBOK Guide 7th Edition, ISO 31000:2018, ISO 21500:2021, the PMI Standard for Earned Value Management, the GAO Cost Estimating and Assessment Guide, and OMB Circular A-11 Part 7 for federal programs. Defense programs add DoD 5000-series acquisition policy.
Healthcare programs add FDA 21 CFR Part 11 for software validation. Critical infrastructure adds NIST SP 800-53 controls referenced in the project risk register. Agile programs add the Scaled Agile Framework (SAFe) measurement model alongside the EVM baseline.
How often should Project Risk Key Risk Indicators Examples be reviewed?
Project Risk KRIs should be measured at least weekly and reviewed by the project team weekly. The PMO and steering committee review the elevated 8 to 12 KRIs monthly.
The board project-oversight committee reviews high-severity Project Risk KRIs at each quarterly meeting alongside the milestone-gate decision.
Schedule, cost, and severity-1 defect KRIs warrant real-time alerts. Resource and supplier KRIs run on a weekly cadence.
Stakeholder-survey and lessons-learned KRIs anchor on monthly cycles. Recalibrate thresholds at each major-milestone gate, not at calendar year-end.
How do Project Risk Key Risk Indicators Examples support the steering committee?
Project Risk KRIs feed the monthly steering-committee paper through a tiered rollup. Workstream dashboards aggregate to the program scorecard, with the top 8 to 12 indicators reaching the steering committee on the same agenda as the milestone-gate decision and the change-control-board log.
The steering-committee paper should show trend, threshold breach history, owner, and remediation status for each KRI. Without that structure, the committee sees status colors rather than decision support, and the next major-milestone gate inherits the same blind spots.
How does VA EHR’s overrun change Project Risk Key Risk Indicators Examples?
VA EHR’s $16 billion to $37 billion projected overrun, five veteran deaths, and 70,000 veterans exposed to harm reset the bar for federal IT project KRIs. Boards and oversight committees now expect leading indicators on patient-safety incidents, defect escape rate, and rework rate alongside SPI and CPI.
Programs in healthcare, defense, transportation, and critical infrastructure should add a customer-safety-incident KRI with a zero-tolerance red threshold. The next program reset will price in any project that did not.
Can agile programs use the same Project Risk Key Risk Indicators Examples as waterfall?
Yes, with calibration. An agile program can use the same Project Risk Key Risk Indicators Examples catalog but reframes EVM CPI and SPI as feature-flow CPI and SPI, replaces baseline-schedule slippage with sprint commitment hit rate and release-burn-down, and replaces requirements churn with backlog-volatility metrics.
Threshold definitions change with cadence (sprint, PI, release) but the metric categories do not.
Hybrid programs run both tracks in parallel and aggregate to the same steering-committee dashboard. Discipline and ownership are the binding constraints, not method.
Looking Ahead: Project Risk Key Risk Indicators Examples in 2026 and 2027
Federal IT and defense oversight tightens through 2026 as Congress reviews VA EHR, F-35, and NASA major-project deliverables.
Boards and program offices will want leading indicators on patient-safety incidents, parts shortages, and supplier on-time delivery on every monthly steering-committee paper.
AI-assisted project delivery adds two new Project Risk Key Risk Indicators Examples to the catalog: model-output defect rate (where AI is generating code, drawings, or test cases) and AI-tool adoption variance against the program plan. PMI is updating Pulse-of-the-Profession guidance to track both.
OMB and GAO are pressing federal programs to publish CPI and SPI more frequently. The 2025 OMB Capital Programming Guide A-11 Part 7 expectation is monthly EVM data plus a documented variance-recovery plan whenever CPI or SPI cross 0.95. Public-sector PMOs are aligning to that cadence ahead of the FY 2027 budget cycle.
A live KRI dashboard with weekly recalibration and a clear integrated risk management approach is what holds up under GAO audits, IV&V reviews, OMB Capital Programming reviews, and Congressional oversight. Without it, the program rotates through the same concerns until the next forced restructuring lands them at the top of the agenda.
Ready to Operationalize Project Risk Key Risk Indicators Examples?
At riskpublishing.com we help US program-management offices build Project Risk Key Risk Indicators Examples that hold up under steering-committee review and GAO oversight.
The work usually includes the KRI catalog, a threshold-calibration workshop tied to PMBOK 7 and EVM standards, a workstream-to-program rollup model, and a monthly steering-committee paper template anchored to ISO 31000:2018, PMI Standard for Earned Value Management, the OMB Capital Programming Guide A-11 Part 7, and the GAO Cost Estimating and Assessment Guide.
Explore our risk advisory services, or contact us to scope a Project Risk KRI maturity review tailored to the program’s contract structure, milestone cadence, and oversight environment.
Related reading on riskpublishing.com (KRI library): Key Risk Indicators examples, how to develop Key Risk Indicators, how to use Key Risk Indicators, Key Risk Indicators dashboard, and supply chain Key Risk Indicators.
Related reading (project risk and assessment): a guide to risk assessment methodology, a step by step guide to risk assessment, scenario based risk assessment, approaches and tools for risk identification, and how to mitigate risk.
Related reading (ERM and frameworks): enterprise risk management framework, ISO 31000 vs COSO ERM Framework, Key Risk Indicators in Enterprise Risk Management, risk appetite statements examples, and integrated risk management approach.
Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.