Vendor Risk KRIs: Metrics That Show When a Third Party Is Becoming a Problem
The vendor KRIs that actually warn you before a third-party failure becomes your problem: SLA trends, SOC report exceptions, concentration exposure, financial distress signals, and fourth-party drift.
Seventy-one percent of organizations experienced at least one third-party cyber incident with material impact last year. The incident itself is rarely the surprise. The surprise is that most organizations had no early warning that the vendor was becoming a problem.
Not because the data wasn’t there. Because nobody was watching the right metrics.
TL;DR
- Vendor KRIs measure risk trajectory, not current performance — the SLA rate that dropped from 99% to 95% over three quarters is a KRI signal even if 95% is still “acceptable.”
- The 2023 OCC/FDIC/Fed interagency guidance explicitly requires KRI-based ongoing monitoring as part of a sound third-party risk management lifecycle.
- Five vendor KRI categories matter most: performance trending, compliance and audit signals, financial stability, concentration exposure, and fourth-party drift.
- Tier 1 vendors warrant continuous monitoring across all five categories; Tier 2 and Tier 3 warrant reduced but still structured coverage scaled to risk.
Vendor KRIs vs. Vendor KPIs: Why the Distinction Matters
Most TPRM programs monitor KPIs. They track whether the vendor is meeting SLAs today, whether the support ticket queue is within target, whether uptime hit the contractual threshold this month. Those are important. But they’re lagging indicators — they tell you how the relationship performed, not where it’s going.
A vendor risk KRI is different. It measures whether the risk profile of the relationship is changing. The same metric can operate as either. A 96% SLA compliance rate this month is a KPI. An SLA compliance rate that has dropped from 99.5% to 98% to 96% over three consecutive quarters — without explanation or remediation plan — is a KRI signal indicating something is deteriorating.
The distinction matters for how you act on the data. A KPI below threshold triggers a performance conversation. A KRI trend triggers a risk conversation: is this a temporary dip or a structural change? Is the vendor understaffed? Under financial pressure? Replacing systems mid-year? Has a key contact left who was keeping things running?
The 2023 OCC/FDIC/Fed Interagency Guidance on Third-Party Relationships explicitly identifies both KPIs and KRIs as tools for ongoing monitoring. The guidance describes ongoing monitoring as a continuous process — not an annual checkbox — requiring structured tracking of performance, compliance, and risk signals throughout the relationship lifecycle.
Category 1: Performance and SLA Trend KRIs
Performance KRIs are the most common, but the least well-used. Most organizations track current SLA compliance. Fewer track the trend over 6–12 months, and fewer still have defined thresholds that trigger escalation based on trend rather than snapshot.
The metrics to track — and what they signal:
| KRI | What It Measures | Warning Signal |
|---|---|---|
| SLA compliance rate (rolling 90 days) | Consistent delivery against contract | >3% decline quarter-over-quarter |
| Mean time to resolve (MTTR) for incidents | Vendor’s operational responsiveness | MTTR increasing without explanation |
| Ticket or issue backlog age | Capacity and prioritization | Open items >30 days for critical issues |
| Escalated issue rate | How often normal process breaks down | Rising escalation % without resolution improvement |
| Uptime vs. SLA target (trend) | Infrastructure reliability | Repeated near-misses even if threshold not breached |
The most underrated signal here is the escalation rate. If your team is escalating more frequently to get resolution — regardless of whether the formal SLA is technically being met — that’s the vendor telling you their normal operating capacity is stressed. Track it.
Category 2: Compliance and Audit KRIs
Compliance KRIs are where a lot of vendor monitoring programs have the biggest gaps. Most organizations collect the annual SOC 2 report and file it. Fewer track what changed from the prior year — and fewer still have a process for reviewing management responses to exceptions.
The metrics that matter most:
SOC report exception rate and age. The number of exceptions in a vendor’s SOC 2 Type II report is less important than whether the same exceptions recur year over year. A vendor with three new exceptions has a worse KRI profile than a vendor with five legacy exceptions they’ve been actively remediating. Pull the prior two years of reports and compare.
Unresolved audit findings. If you conduct vendor audits or receive third-party assessment results, track the number of findings by severity and how long they’ve been open. A finding that was “in remediation” at the last review and is still “in remediation” 12 months later is an amber KRI signal regardless of severity classification.
Regulatory or examination actions. A regulatory examination finding, consent order, or MRA against the vendor is a red KRI signal. It doesn’t mean the relationship has to end, but it requires an immediate off-cycle review. Per the OCC’s May 2024 community bank guide on third-party risk management, enforcement activity against a vendor is explicitly listed as an event requiring enhanced oversight.
Insurance or certification lapses. Cyber insurance renewal gaps, SOC 2 report expiration (>13 months since issuance), or lapsed ISO 27001 certification are compliance KRIs that often get missed because nobody assigned ownership for tracking them.
Category 3: Financial Stability KRIs
A vendor that is financially distressed behaves differently from one that isn’t. They cut staff, defer system investments, take on substandard work, and accept clients they can’t fully support — all of which increases your operational and concentration risk.
Financial KRIs to monitor:
- Credit score changes (if available via commercial credit data). A two-notch downgrade over six months is an amber signal.
- News and public filing alerts. Set Google Alerts or news monitoring for your Tier 1 vendors. Leadership changes, layoffs, litigation filings, and acquisition rumors are often visible publicly before they affect service.
- Vendor’s customer concentration. If you represent more than 20% of the vendor’s revenue, your relationship’s health is tightly coupled to theirs. That’s a structural KRI, not a metric you track — you need to flag it at onboarding and revisit it annually.
- Payment disputes or delayed invoicing. Unusual changes in billing behavior — sudden changes to payment terms, invoice discrepancies, requests for advance payment — can signal cash flow pressure before any financial report surfaces it.
The Synapse collapse in 2024 is the clearest recent example of financial stability KRIs that, if tracked, would have triggered earlier action. Evolve Bank’s subsequent Federal Reserve enforcement action cited its failure to have “an effective risk management framework” for its fintech partnerships — including the absence of structural oversight over Synapse’s financial health.
Category 4: Concentration Risk KRIs
Concentration risk is the category that gets least attention until it’s too late. You don’t need to have a vendor fail for concentration risk to become a problem — you need a regulator to ask whether you’ve quantified it and what you’d do if it materialized.
The metrics to track:
Vendor concentration ratio. What percentage of a critical function is performed by a single vendor? If one vendor processes 80% of your payment transactions, that’s a concentration KRI regardless of that vendor’s performance. Anything above 60% for a mission-critical function should carry an amber designation with a documented diversification plan.
Geographic concentration. A cluster of vendors with data centers in the same physical region creates correlated failure risk. Track the distribution of critical vendor infrastructure across geographies.
Technology dependency concentration. How many critical vendors use the same cloud infrastructure provider (AWS, Azure, GCP)? Concentration at the fourth-party level creates risk even when all your direct vendors are healthy. The 2024 CrowdStrike outage demonstrated this: organizations whose vendors were heavily concentrated in that single endpoint security platform experienced cascading disruptions across their entire vendor ecosystem simultaneously.
Vendor tiering by criticality and concentration exposure is the prerequisite to building meaningful concentration KRIs; see the tiering methodology guide for how to classify vendors.
Category 5: Fourth-Party and Supply Chain KRIs
Fourth-party risk is where most monitoring programs stop. Your vendor has their own vendors — and changes in their supply chain affect your risk profile even though you have no direct relationship with those parties.
The signals that matter:
Disclosed subcontractor changes. Your contract should require notification when critical subcontractors are added, changed, or terminated. If your vendor notifies you that they’ve changed their hosting provider, encryption vendor, or background check processor — that’s a KRI event requiring review. Track the cadence of these notifications: a vendor that was transparent last year and is now quiet may be concealing changes.
Critical data sharing disclosures. If customer PII or regulated data flows to a fourth party, any change in that fourth party’s security posture or regulatory status affects your TPRM obligations. Per the FDIC third-party guidance, you bear responsibility for the overall risk of the third-party relationship, including the risks created by fourth parties.
SOC 2 report coverage of subcontractors. Check whether the vendor’s SOC 2 explicitly covers subprocessors. A Type II report that carves out key subcontractors is providing incomplete assurance — and a KRI that should be flagged in your risk assessment.
See the fourth-party risk management deep-dive for a full treatment of how to map and monitor fourth-party exposure.
Building the Escalation Structure
A vendor KRI that turns amber without a defined escalation path is just a number on a spreadsheet.
For each KRI, define:
- Threshold levels. Green (normal), amber (trending), red (breach). Calibrate amber at 70-80% of the red threshold — close enough to drive action, far enough to distinguish from noise.
- Review trigger. Amber triggers a defined review by a named owner. Red triggers escalation to risk committee or TPRM governance.
- Escalation action. Not just “notify.” Who does what, within what timeframe, and what documentation is produced?
- Off-cycle reassessment rules. Which single events (vendor breach, regulatory action, ownership change) trigger an immediate full reassessment regardless of KRI status?
The OCC’s community bank guide is specific on this point: monitoring should be calibrated to the risk tier of the vendor and should produce documented outputs that an examiner can review. Undocumented monitoring is no monitoring.
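To make the KPI-versus-KRI distinction concrete, here is an added example (not from this article or its templates) that scores the article’s own 99.5% → 98% → 96% SLA series both ways: the snapshot KPI passes because 96% is still above the contract floor, while the trend KRI turns red on the cumulative decline, with amber calibrated at 75% of the red threshold and off-cycle trigger events forcing red regardless of the numbers. The contract floor, the escalation table, and the second and third series are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed series: the article's own 99.5 -> 98 -> 96 example, oldest first.
SLA_HISTORY = [99.5, 98.0, 96.0]
SLA_CONTRACT_FLOOR = 95.0   # assumed contractual threshold (not from the article)
RED_DECLINE_PP = 3.0        # article: >3% decline quarter-over-quarter is the warning signal
AMBER_RATIO = 0.75          # article: calibrate amber at 70-80% of red
# Article: single events that force an immediate full reassessment regardless of KRI status.
TRIGGER_EVENTS = {"vendor breach", "regulatory action", "ownership change"}

# Assumed escalation table (owner, action, timeframe); the article asks you to define one.
ESCALATION = {
    "green": ("service owner", "none", None),
    "amber": ("vendor relationship owner", "documented trend review", "10 business days"),
    "red": ("TPRM governance / risk committee", "off-cycle reassessment", "48 hours"),
}

@dataclass
class KriResult:
    status: str
    decline_pp: float        # cumulative decline over the window, in percentage points
    owner: str
    action: str
    deadline: Optional[str]

def kpi_status(latest: float, floor: float = SLA_CONTRACT_FLOOR) -> str:
    """Snapshot KPI: did this period meet the contract? Says nothing about direction."""
    return "meets" if latest >= floor else "misses"

def kri_status(series: list, events: Iterable[str] = (),
               red_decline: float = RED_DECLINE_PP, amber_ratio: float = AMBER_RATIO) -> KriResult:
    """Trend KRI: cumulative decline across the window decides the colour,
    and an off-cycle trigger event forces red regardless of the numbers."""
    if len(series) < 2:
        raise ValueError("a trend needs at least two periods")
    decline = series[0] - series[-1]
    if TRIGGER_EVENTS & set(events) or decline > red_decline:
        status = "red"
    elif decline >= red_decline * amber_ratio:
        status = "amber"
    else:
        status = "green"
    owner, action, deadline = ESCALATION[status]
    return KriResult(status, round(decline, 2), owner, action, deadline)

if __name__ == "__main__":
    print("KPI:", kpi_status(SLA_HISTORY[-1]))   # meets: 96% is above the floor
    print("KRI:", kri_status(SLA_HISTORY))       # red: 3.5pp decline over three quarters
```

A single-quarter dip that recovers scores green under the same rule, which is the noise-versus-trend separation the amber calibration is meant to provide.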
So What? Connecting KRIs to Action
The point of vendor KRIs is not to generate reports. It’s to change behavior before a loss event.
The practical test: if your top five Tier 1 vendor KRIs all turned amber tomorrow, would your team know what to do in the first 48 hours? If the answer involves “check with legal” or “schedule a meeting to figure out next steps,” your escalation structure needs work.
Build the playbook first. Define what amber means for each KRI category — is it a vendor call, a contract review, a conditional offboarding review, an immediate regulatory notification? Then calibrate the threshold to the action you’re willing to take. If you’re not willing to escalate for anything below a 5% SLA miss, your amber threshold should be at least 5%, not 2%.
The goal is KRI thresholds that actually drive decisions — not dashboards that stay perpetually green while vendors quietly deteriorate.
For a structured set of vendor-specific KRIs you can implement immediately, the KRI Library includes 132 indicators across operational, financial, third-party, cyber, and compliance domains — each with an owner assignment, threshold guidance, and escalation path.
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.