Key Risk Indicators (KRIs)
Define and monitor quantitative metrics that provide early warning signals when risks are increasing, enabling proactive risk management.
What are KRIs?
Key Risk Indicators (KRIs) are quantitative metrics that provide early warning signals when risks are increasing. Unlike lagging indicators that tell you what happened, KRIs are leading indicators that help you anticipate problems before they materialize.
Effective KRIs enable proactive risk management by triggering attention and action when metrics breach defined thresholds. This transforms risk management from reactive firefighting to predictive prevention.
Quantitative
KRIs are numbers, not subjective assessments. They can be measured consistently.
Leading
KRIs predict future problems, not just report past events.
Actionable
Threshold breaches trigger specific response actions.
KRIs vs KPIs
While Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) are related, they serve different purposes:
| Aspect | KPIs | KRIs |
|---|---|---|
| Purpose | Measure performance and success | Measure risk exposure and early warnings |
| Focus | Value creation and achievement | Value protection and risk prevention |
| Direction | Higher is usually better | Depends on the metric (could be either) |
| Trigger | Celebrate success or investigate underperformance | Trigger risk response and escalation |
| Example | Revenue growth rate: 15% | Customer concentration: Top customer = 35% of revenue |
KPIs Can Become KRIs
Creating a KRI
To add a Key Risk Indicator to a risk in Risk Radar:
1. Open the risk
2. Go to the KRI tab
3. Click "Add KRI"
4. Define the metric
5. Set thresholds
6. Configure data source
7. Save and start tracking
KRI Configuration
Each KRI includes the following configuration options:
| Field | Description | Example |
|---|---|---|
| Name | Short, descriptive name for the KRI | Customer Concentration |
| Description | What the KRI measures and why it matters | Revenue percentage from largest customer |
| Unit | Unit of measurement | Percentage, Days, Count, Currency |
| Frequency | How often the metric is measured | Daily, Weekly, Monthly, Quarterly |
| Direction | Whether higher values increase or decrease risk | Higher is riskier / Lower is riskier |
| Green Threshold | Value indicating acceptable risk level | Less than 20% |
| Yellow Threshold | Value indicating elevated risk (warning) | Between 20% and 30% |
| Red Threshold | Value indicating critical risk level | Greater than 30% |
| Owner | Person responsible for monitoring this KRI | CFO |
| Data Source | Where the metric data comes from | Manual entry, API, Integration |
Thresholds
Thresholds define the boundaries between acceptable and unacceptable risk levels. Well-defined thresholds are critical for effective KRI monitoring.
Green Zone
Normal operating range. No action required beyond routine monitoring.
Yellow Zone
Warning level. Increased attention and potential preparation for action.
Red Zone
Critical level. Immediate action and escalation required.
Thresholds can be set as:
| Threshold Type | Description | Example |
|---|---|---|
| Absolute | Fixed numeric values | Red if > 100 failed logins |
| Percentage | Relative to a baseline | Red if > 20% above baseline |
| Trend-based | Rate of change over time | Red if increasing > 10% per week |
| Range | Upper and lower bounds | Red if < 30 days or > 400 days |
Start Conservative
Data Sources
KRI values can be populated through several methods:
Manual Entry
Enter values directly through the Risk Radar interface. Best for metrics collected through other processes.
Automated Integration
Connect to data sources via API or integration. Values update automatically on schedule.
Calculated Metrics
Compute KRIs from other data points using formulas and aggregations.
Report Import
Import KRI values from spreadsheets or exported reports on a scheduled basis.
Integration Partners
Trend Analysis
Beyond current values, analyzing KRI trends over time provides deeper insight into risk trajectory and the effectiveness of mitigation efforts.
Trending Up
For 'higher is riskier' KRIs, an upward trend may indicate deteriorating conditions even if the value is still in the green zone.
Trending Down
A downward trend may indicate improving conditions or effective mitigation, warranting positive recognition.
Historical Charts
View KRI history over time with configurable date ranges and comparisons to thresholds.
Volatility Analysis
Identify KRIs with high variability that may need more frequent monitoring or refined thresholds.
Trend analysis is available in the KRI detail view and on the Risk Radar dashboard. Use the date range selector to examine specific time periods.
KRI Examples
Here are examples of effective KRIs organized by risk category:
Financial Risk KRIs
| KRI | Description | Thresholds |
|---|---|---|
| Days Sales Outstanding | Average days to collect receivables | Green: <30; Yellow: 30-45; Red: >45 |
| Cash Runway | Months of operating expenses in cash | Green: >12; Yellow: 6-12; Red: <6 |
| Customer Concentration | Revenue % from top customer | Green: <15%; Yellow: 15-25%; Red: >25% |
| Debt-to-Equity Ratio | Total debt relative to equity | Green: <1.0; Yellow: 1.0-1.5; Red: >1.5 |
Operational Risk KRIs
| KRI | Description | Thresholds |
|---|---|---|
| System Uptime | Percentage of scheduled availability | Green: >99.9%; Yellow: 99-99.9%; Red: <99% |
| Supplier Dependency | Critical suppliers with single-source | Green: 0; Yellow: 1-2; Red: >2 |
| Process Error Rate | Errors per 1,000 transactions | Green: <1; Yellow: 1-5; Red: >5 |
| Backlog Age | Oldest item in processing queue | Green: <7 days; Yellow: 7-14 days; Red: >14 days |
Cybersecurity Risk KRIs
| KRI | Description | Thresholds |
|---|---|---|
| Failed Login Attempts | Failed logins per day | Green: <50; Yellow: 50-100; Red: >100 |
| Patch Compliance | Systems with current patches | Green: >95%; Yellow: 90-95%; Red: <90% |
| Mean Time to Patch | Days from patch release to deployment | Green: <7; Yellow: 7-30; Red: >30 |
| Phishing Click Rate | Users clicking simulated phishing | Green: <5%; Yellow: 5-15%; Red: >15% |
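The zone and trend logic described above, applied to two KRIs from this table, as an added example (not Risk Radar's own code or API). The `KRI` class, `slope`, `assess` and both history series are hypothetical names and constructed sample data; the thresholds are the ones in the table.

```python
import math
from dataclasses import dataclass

@dataclass
class KRI:
    name: str
    higher_is_riskier: bool  # the "Direction" field
    yellow: float            # boundary where green ends and yellow begins
    red: float               # boundary beyond which the zone is red

    def zone(self, value):
        # Flip signs for "lower is riskier" so one comparison serves both.
        s = 1 if self.higher_is_riskier else -1
        if s * value > s * self.red:
            return "red"
        return "yellow" if s * value >= s * self.yellow else "green"

def slope(values):
    """Least-squares slope per measurement period (0.0 with < 2 readings)."""
    n = len(values)
    if n < 2:
        return 0.0
    mx, my = (n - 1) / 2, sum(values) / n
    num = sum((i - mx) * (v - my) for i, v in enumerate(values))
    return num / sum((i - mx) ** 2 for i in range(n))

def assess(kri, history):
    """Return (zone, worsening, periods until the next boundary is reached)."""
    current, zone = history[-1], kri.zone(history[-1])
    s = 1 if kri.higher_is_riskier else -1
    drift = s * slope(history)          # > 0 means moving toward risk
    periods = None
    if drift > 0 and zone != "red":
        boundary = kri.yellow if zone == "green" else kri.red
        periods = math.ceil(s * (boundary - current) / drift)
    return zone, drift > 0, periods

# Thresholds from the table above; the histories are constructed sample data.
FAILED_LOGINS = KRI("Failed Login Attempts", True, yellow=50, red=100)
PATCH_COMPLIANCE = KRI("Patch Compliance", False, yellow=95, red=90)
LOGIN_HISTORY = [22, 25, 27, 31, 34, 38, 41]      # per day
PATCH_HISTORY = [98.5, 98.0, 97.4, 97.1, 96.3]    # percent, per week

if __name__ == "__main__":
    for kri, hist in [(FAILED_LOGINS, LOGIN_HISTORY), (PATCH_COMPLIANCE, PATCH_HISTORY)]:
        print(kri.name, assess(kri, hist))
```

Both sample series are still green, yet the linear projection puts each about three periods from the yellow boundary, which is the early-warning case the Trending Up note describes.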
Compliance Risk KRIs
| KRI | Description | Thresholds |
|---|---|---|
| Training Completion | Employees with current compliance training | Green: >95%; Yellow: 90-95%; Red: <90% |
| Policy Acknowledgment | Employees who acknowledged policies | Green: 100%; Yellow: 95-100%; Red: <95% |
| Days Since Audit | Days since last compliance audit | Green: <365; Yellow: 365-400; Red: >400 |
| Open Audit Findings | Unresolved findings from audits | Green: 0; Yellow: 1-3; Red: >3 |
Best Practices
Follow these best practices to maximize the effectiveness of your KRIs:
KRI Best Practices
- Link to specific risks: Every KRI should be tied to one or more risks in your registry. Orphan metrics add noise without value.
- Keep it measurable: If you cannot objectively measure it, it is not a good KRI. Avoid subjective assessments.
- Choose leading indicators: Prefer metrics that predict future problems over those that report past events.
- Set realistic thresholds: Thresholds should be based on organizational context, industry benchmarks, and historical data.
- Review regularly: Revisit KRIs and thresholds periodically to ensure they remain relevant and calibrated.
- Limit the number: Focus on 3-5 KRIs per risk. Too many KRIs dilute attention and create alert fatigue.
- Automate when possible: Manual data entry is prone to delays and errors. Automate KRI collection where feasible.
- Define response actions: For each threshold breach, document what action should be taken and by whom.