Operational Risk

Key Risk Indicators (KRIs): A Practitioner's Guide with 50+ Examples by Risk Domain

April 29, 2026 Rebecca Leung

Your regulator just asked how you’re monitoring operational risk. Your head of internal audit wants to see the early warning indicators that feed into the board risk report. You’re building an ERM program from scratch and the framework document says “establish KRIs” but doesn’t tell you what those actually are.

Here’s a practitioner’s guide — including 50+ ready-to-use examples you can drop straight into your risk register.

TL;DR

  • KRIs are forward-looking metrics that signal increasing risk exposure before a loss or incident occurs — not the same thing as KPIs
  • Good KRIs are measurable, owned by the right function, and tied to three-tier thresholds (green/amber/red) that trigger defined escalation responses
  • Most organizations need 3–5 KRIs per material risk category — more creates noise, fewer creates blind spots
  • The 50+ examples below span operational, credit, compliance, cyber, liquidity, model, and third-party risk domains

KRI vs. KPI: The Distinction That Actually Matters

The most common mistake in KRI design is confusing a KRI with a KPI. They look similar — both are metrics, both are tracked on dashboards — but they serve opposite purposes.

A KPI (Key Performance Indicator) measures whether the business is achieving its objectives. Customer retention rate, revenue growth, loan origination volume — these are KPIs. They tell you where you’ve been.

A KRI (Key Risk Indicator) measures whether a risk is trending toward its tolerance limit. Percentage of overdue escalated complaints, rate of unpatched critical vulnerabilities, number of policy exceptions approved in the past quarter — these are KRIs. They tell you where you’re heading.

The relationship between them: a KPI records an outcome; a KRI predicts whether that outcome will deteriorate. If loan delinquency rates (a KPI) are rising, you’ve already had the problem. If your early-stage 30-day delinquency KRI has been trending up for three months, you can still intervene.

As the Institute of Operational Risk notes, KRIs work as an early warning system only when they’re prospective — measuring conditions that precede losses, not the losses themselves.

What Makes a KRI Actually “Key”

Not every metric that touches risk is a key risk indicator. The COSO ERM 2017 framework establishes that effective risk monitoring requires metrics that are predictive, measurable, and tied to risk appetite. That translates into four criteria a KRI has to meet:

1. Predictive, not reactive. The KRI should move before the risk materializes, not after. “Number of data breaches this quarter” is not a KRI — it’s a loss event count. “Percentage of systems with unpatched critical vulnerabilities older than 30 days” is a KRI — it predicts breach probability.

2. Measurable and timely. If you can’t produce the metric reliably on the required reporting cycle, it’s not operational. Don’t commit to weekly KRIs you can only measure monthly.

3. Linked to risk appetite. Each KRI should connect back to a specific risk category in your risk appetite statement. If your appetite says zero tolerance for regulatory violations, you need KRIs that predict regulatory violations before they occur — complaint escalation rates, exam finding aging, policy exception accumulation.

4. Owned by the right function. Metrics monitored by people who have no ability to act on them are decorative. KRI ownership should sit with the business function closest to the risk, with the risk function providing governance and escalation protocol.

How to Set Thresholds

Thresholds are what separate a KRI from a metric. Without defined escalation triggers, you have a dashboard. With thresholds, you have a risk monitoring program.

The three-tier structure used across most ERM frameworks:

Tier | Meaning | Typical Trigger Point
Green | Within normal operating range, no action required | Below 70% of risk tolerance limit
Amber | Warning — approaching tolerance, active monitoring and investigation required | 70–99% of risk tolerance limit
Red | Breach — tolerance exceeded, escalation and response required immediately | At or above risk tolerance limit

In practice, amber should trigger at roughly 70–80% of the red threshold — early enough to act before you breach, late enough that you’re not in permanent amber. A KRI that’s almost always amber has the wrong threshold; a KRI that’s almost always green and never hits amber might have a threshold that’s too loose.

Set thresholds by working backward from your risk appetite statement. If your appetite says acceptable operational loss is less than 2% of annual revenue, the red threshold for your operational loss KRI is 2%. Amber starts at 1.4–1.6%. Calibrate with historical data where you have it; start with judgment-based estimates where you don’t, and revise after the first year of monitoring data.

50+ KRI Examples by Risk Domain

Operational Risk KRIs

KRI | What It Measures | Monitoring Frequency
System downtime incidents per month | IT reliability risk | Monthly
Mean time to restore (MTTR) after critical outages | Recovery effectiveness | Per incident
Process failure rate (errors per 1,000 transactions) | Operational execution risk | Weekly
Employee turnover rate in critical functions | Key person and knowledge risk | Monthly
Number of operational loss events >$X threshold | Severity of operational incidents | Monthly
Percentage of critical processes without documented procedures | Process documentation risk | Quarterly
Backlog of open internal audit findings >90 days | Control remediation risk | Monthly
Number of near-miss incidents reported | Operational error culture | Monthly
Percentage of business continuity plans not tested in past 12 months | BCP readiness risk | Quarterly

Credit Risk KRIs (Financial Services)

KRI | What It Measures | Monitoring Frequency
30-day delinquency rate | Early-stage credit deterioration | Monthly
90-day delinquency rate | Late-stage credit risk | Monthly
Charge-off rate vs. prior period | Portfolio loss trend | Monthly
Loan-to-value (LTV) ratio concentration above 90% | Collateral risk | Monthly
Percentage of portfolio in single industry >X% | Concentration risk | Quarterly
Credit loss reserve adequacy ratio | Reserve sufficiency | Monthly
New origination vintage early delinquency rate | Underwriting quality | Monthly
Percentage of loans modified or restructured | Forbearance and distress | Monthly

Compliance Risk KRIs

KRI | What It Measures | Monitoring Frequency
Number of consumer complaints per 1,000 customers | Consumer protection risk | Monthly
Complaint escalation rate (% escalating to regulatory) | Regulatory complaint exposure | Monthly
Percentage of overdue regulatory filings | Filing compliance risk | Monthly
Number of policy exceptions approved | Policy control adherence | Monthly
Percentage of staff with overdue mandatory compliance training | Training compliance risk | Monthly
Regulatory exam findings open >90 days (MRAs/MRBAs) | Exam remediation risk | Monthly
Number of suspicious activity reports (SARs) filed | BSA/AML risk indicators | Monthly
Days since last BSA/AML risk assessment update | Program currency risk | Quarterly
Percentage of customer risk ratings not refreshed per schedule | CDD/KYC hygiene | Monthly

Cybersecurity KRIs

KRI | What It Measures | Monitoring Frequency
Percentage of critical systems with unpatched vulnerabilities >30 days | Patch management risk | Weekly
Mean time to detect (MTTD) security incidents | Detection capability | Per incident
Number of failed privileged login attempts | Access control risk | Daily/Real-time
Percentage of users with MFA enrolled | Authentication control risk | Weekly
Number of phishing simulation failures | User security awareness | Monthly
Percentage of critical data assets with no access logs | Data visibility risk | Monthly
Open critical/high severity findings from last penetration test | Remediation velocity | Per test cycle
Number of third-party vendors with overdue security reviews | Vendor cyber risk | Monthly
Percentage of endpoints with current EDR coverage | Endpoint protection gap | Weekly
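To show how the three-tier threshold procedure above and the first cyber KRI in this table fit together, here is an added example (not code from the original article or from RiskTemplates). It computes the "percentage of critical systems with unpatched vulnerabilities >30 days" KRI from a constructed inventory, derives the amber trigger from a red tolerance limit taken from a risk appetite statement, and flags thresholds that leave the KRI permanently amber or never out of green. The system names, dates and the 5% tolerance limit are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not a real environment): each critical system maps to
# the date its oldest open critical vulnerability was published, or None if fully patched.
AS_OF = date(2026, 4, 29)
INVENTORY = {f"sys-{i:02d}": None for i in range(20)}
INVENTORY["sys-03"] = date(2026, 3, 1)   # 59 days open: counts against the KRI
INVENTORY["sys-07"] = date(2026, 4, 20)  # 9 days open: within the 30-day window


def unpatched_over_30d_pct(inventory, as_of, max_age_days=30):
    """KRI value: share of critical systems with a critical vuln open longer than max_age_days."""
    stale = sum(1 for opened in inventory.values()
                if opened is not None and (as_of - opened).days > max_age_days)
    return 100.0 * stale / len(inventory)


@dataclass(frozen=True)
class Thresholds:
    """Red is the tolerance limit from the appetite statement; amber is derived from it."""
    red: float
    amber_fraction: float = 0.7  # article: amber at roughly 70-80% of the red threshold

    @property
    def amber(self):
        return self.red * self.amber_fraction


def tier(value, t):
    """Map a KRI observation to the green/amber/red tier (red = at or above tolerance)."""
    if value >= t.red:
        return "red"
    if value >= t.amber:
        return "amber"
    return "green"


def calibration_warning(history, t, max_non_green_share=0.5):
    """Threshold sanity check over past observations, per the article's two failure modes."""
    tiers = [tier(v, t) for v in history]
    non_green = sum(x != "green" for x in tiers) / len(tiers)
    if non_green >= max_non_green_share:
        return "too tight: KRI is amber or red most of the time"
    if non_green == 0:
        return "possibly too loose: KRI has never left green"
    return None


# Appetite statement (assumed): no more than 5% of critical systems with stale critical vulns.
PATCH_KRI = Thresholds(red=5.0)
```

With the constructed inventory one of twenty systems is stale, so the KRI reads 5.0% and lands exactly on the red tier.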

Liquidity Risk KRIs

KRI | What It Measures | Monitoring Frequency
Liquidity coverage ratio (LCR) vs. internal minimum | Liquidity buffer adequacy | Daily
Net stable funding ratio (NSFR) trend | Funding stability | Weekly
Concentration of funding from top 5 counterparties | Funding concentration risk | Monthly
Percentage of contingent funding sources tested in past 12 months | CFP reliability | Quarterly
Cash runway at current burn rate (for fintechs) | Operational liquidity risk | Monthly
Ratio of short-term liabilities to liquid assets | Asset-liability mismatch | Monthly
Utilization rate on available credit facilities | Available liquidity buffer | Weekly

Model Risk KRIs (AI/ML)

KRI | What It Measures | Monitoring Frequency
Percentage of production models without current validation | Model validation coverage | Quarterly
Model performance degradation vs. baseline (PSI/CSI) | Model drift risk | Monthly
Number of high-risk AI models without explainability documentation | Explainability compliance | Quarterly
Percentage of AI use cases without completed bias testing | Fairness/disparate impact risk | Per deployment
Number of production models without monitoring alerts | Oversight gap | Monthly
Age of training data in production models beyond threshold | Data currency risk | Quarterly

Third-Party/Vendor Risk KRIs

KRI | What It Measures | Monitoring Frequency
Percentage of critical vendors with overdue risk assessments | Vendor assessment currency | Monthly
Number of critical vendors with open high/critical findings | Vendor risk remediation | Monthly
Percentage of vendor contracts missing required security addenda | Contractual protection gaps | Quarterly
Number of fourth-party dependencies not inventoried | Supply chain visibility risk | Quarterly
Vendor concentration: percentage of critical services with a single provider | Concentration risk | Quarterly
Days since last onsite or virtual assessment of Tier 1 vendors | Oversight depth | Annually

KRI Governance: Who Owns What

The most common KRI failure isn’t bad metrics — it’s orphaned metrics: KRIs that exist in a spreadsheet, are reported upward every quarter, and never trigger any conversation because nobody owns the response.

Effective KRI governance requires three things:

1. Explicit ownership at the business level. Every KRI has a named owner in the function responsible for the underlying risk. That owner reports on threshold status in risk committee and initiates investigation when amber is reached — without waiting to be asked.

2. Risk function governance. The risk team sets the framework, reviews thresholds annually, tracks breach trends, and ensures KRIs connect to the risk appetite statement. Risk is the referee, not the player.

3. Board-level visibility for red threshold breaches. When a KRI hits red, it should be on the board risk committee agenda within one reporting cycle. Not buried in an appendix — explicitly discussed, with a named response plan.

The COSO ERM 2017 framework establishes that risk monitoring is a continuous process, not a periodic report. KRIs operationalize that principle — they turn abstract risk appetite language into specific metrics with specific owners and specific escalation protocols.

Common KRI Design Mistakes

Tracking outcomes instead of leading indicators. “Number of regulatory fines paid this year” is not a KRI. It’s a loss event log. By the time you’re counting fines, the risk has already materialized.

Setting thresholds without owner alignment. A threshold your risk team set without consulting the business owner will get challenged every time it goes amber. Set thresholds collaboratively, document the rationale, and revisit annually.

Too many KRIs. A KRI library with 150 indicators across 30 categories generates reporting fatigue and organizational numbness. When everything is monitored, nothing is monitored. Three to five KRIs per material risk category is the right density.

KRIs with no escalation protocol. A metric that goes red with no defined response is theater. Before you publish a KRI, document what happens when each threshold tier is breached: who is notified, what investigation is initiated, what treatment is required.

Monitoring frequency mismatch. Cyber KRIs need daily or real-time monitoring. Vendor risk KRIs work monthly or quarterly. Matching monitoring cadence to risk volatility is a governance decision, not a convenience choice.

So What?

KRIs aren’t a compliance checkbox. They’re the operational mechanism that connects your risk appetite statement to real-world monitoring — the thing that lets you tell your regulator, your board, and yourself that you know when your risk exposure is shifting before it becomes a problem.

The examples above are starting points. The right KRIs for your organization depend on your business model, risk profile, and what your risk appetite statement actually says. Start with your highest-priority risk categories, pick 3–5 indicators per domain, set three-tier thresholds, assign owners, and build the reporting cadence. Revise after the first year of data.

If you’re building this from scratch and want a pre-built library mapped to risk categories, the KRI Library includes 100+ KRIs across 15 risk domains with suggested thresholds, ownership guidance, and monitoring frequency — designed to be dropped into an existing risk register without rebuilding from scratch.

Frequently Asked Questions

What is a key risk indicator (KRI)?
A key risk indicator (KRI) is a metric that signals changing exposure to a specific risk before that risk materializes into a loss or incident. Unlike a KPI (which measures performance after the fact), a KRI is forward-looking — it gives early warning when a risk is trending toward its tolerance limit. Good KRIs are measurable, timely, and tied to explicit thresholds that trigger an escalation response.
How many KRIs should an organization track?
Most risk frameworks recommend 3–5 KRIs per material risk category. Tracking too few means blind spots; tracking too many creates noise and reporting fatigue. A useful test: if a KRI has been green for 18 consecutive months and nobody has ever discussed it, it's probably not 'key.' If a threshold breach would provoke no response, the KRI is decorative. Review your KRI library annually and cut anything that hasn't triggered a meaningful conversation in the past year.
What is the difference between a KRI and a KPI?
A KPI measures progress toward a business objective — it answers 'are we achieving our goals?' A KRI measures exposure to a risk — it answers 'what could prevent us from achieving our goals?' KPIs are retrospective; KRIs are prospective. The metric 'customer churn rate' is a KPI. The metric 'percentage of customers with overdue escalated complaints' is a KRI — it predicts churn before it shows up in the churn number. Both are necessary; they serve different purposes in a risk and performance reporting framework.
How do you set KRI thresholds?
Thresholds should be set in three tiers: green (normal operating range), amber (warning — approaching risk tolerance limit), and red (breach — tolerance exceeded, escalation required). Amber typically triggers at 70–80% of the red threshold. Set thresholds by working backward from your risk appetite statement: if your appetite says 'no more than 5% of IT systems with unpatched critical vulnerabilities,' your red threshold is 5%, your amber is 3.5–4%. Calibrate using historical data where available; revise annually as operating context changes.
Who should own KRI monitoring in an organization?
KRI ownership should sit with the business function closest to the underlying risk — not solely with the risk management team. The cyber KRI for unpatched systems is owned by IT Security. The credit KRI for 90-day delinquencies is owned by Credit Risk. The compliance KRI for overdue regulatory filings is owned by Compliance. The risk function provides governance: it sets the framework, reviews thresholds, escalates breaches, and reports to management and the board.
How often should KRIs be reviewed?
Monitoring frequency should match risk volatility. Cyber KRIs (open vulnerabilities, failed login attempts) warrant daily or real-time monitoring. Credit KRIs (delinquency rates, charge-off ratios) are typically reviewed monthly. Compliance KRIs (training completion, policy exceptions) work on a monthly or quarterly cadence. The KRI library itself — thresholds, owners, relevance — should be reviewed annually or whenever strategy or risk appetite changes materially.
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
