The examiner wants to see your KRI dashboard. Not the metrics you wish you tracked — the ones you actually have, with data, owners, thresholds, and a defined escalation path.

Most teams can produce a list. Fewer can produce a working program.

The difference between a KRI that lives in a spreadsheet and one that drives real risk decisions comes down to four things: a verifiable data source, a real owner, calibrated thresholds, and a documented escalation response. The 40 KRIs below — 20 operational, 20 financial — are structured around those four elements so you can put them to work.

TL;DR

• Each of the 40 KRIs below includes risk measured, data source, owner, threshold idea, and escalation path — the fields that turn a metric into a working risk indicator
• A color change on a dashboard is not a risk management response; every red KRI needs a pre-defined action
• Operational risk KRIs should be owned by the function closest to the risk — the risk team governs, it doesn’t monitor everything
• Financial risk KRIs belong to Treasury and Finance; Risk Management provides review and challenge, not primary ownership

Why 40 KRIs, Not 140

Operational risk libraries often balloon after incidents: every exam recommendation becomes a new KRI candidate. The result is a 140-metric dashboard nobody reviews seriously.

According to the Operational Riskdata eXchange Association (ORX), effective KRI programs are built around a small number of genuinely predictive metrics owned by people with authority to act on them. The practical test: if a KRI breached red tomorrow, would anyone know who to call and what to do? If the answer is uncertain, you have metrics, not a program.

This post covers operational and financial risk KRIs specifically. A broader guide covering cyber, credit, compliance, model risk, and third-party domains is at the KRI guide with 50+ examples by risk domain.

Column Guide

The tables below use five columns. Thresholds listed are illustrative starting points — calibrate them against your actual risk appetite and historical data.

Column	What It Means
KRI	Metric name and the specific risk it predicts
Data Source	The system that produces the metric
Owner	Function responsible for monitoring and reporting
Amber → Red	Starting-point threshold levels
Escalation Note	What happens at amber or red (condensed)

---

Part 1: 20 Operational Risk KRI Examples

Process and Transaction Risk

KRI	Data Source	Owner	Amber → Red	Escalation Note
Transaction error rate — process execution failure; operational loss from incorrect transactions	Transaction processing system, reconciliation reports	Operations / Payments Ops	Amber >0.3%, Red >0.5% of daily transactions	Ops manager root cause within 24 hrs; COO + CRO at red
Aged unreconciled items (>3 business days) — settlement risk; potential loss from unresolved breaks	Reconciliation system or treasury ops ledger	Finance Operations / Treasury	Amber >5 items, Red >15 or any item >10 business days	Finance manager weekly review; CRO briefed at red
Chargeback rate — dispute/fraud losses; Visa/MC network threshold violations (~1% triggers account termination)	Card network dispute data / payment processor	Payments Operations / Risk	Amber >0.5%, Red >0.9%	Payments Ops investigates spike; Risk Committee at red; legal notified if suspension risk
Operational loss events above threshold — magnitude of operational risk materializing into loss	Loss event database / incident management system	Operational Risk Management	Amber >2 events/qtr above $50K; Red: any event >$500K	Events logged within 5 days; CRO at >$100K; Board Risk Committee at red

IT and System Risk

KRI	Data Source	Owner	Amber → Red	Escalation Note
Critical system availability rate — operational disruption; customer harm; regulatory reporting risk	ITSM platform (ServiceNow), infrastructure monitoring	IT Operations / Infrastructure	Amber <99.5% monthly uptime, Red <99.0%	IT Ops escalates within 2 hrs; BCP review triggered at red
Mean time to restore (MTTR) after P1/P2 incidents — recovery effectiveness after system failures	ITSM incident log (P1/P2 tickets)	IT Operations	Amber >4 hrs, Red >8 hrs	Post-incident review within 5 days; persistent red triggers BCP plan review
Change management failure rate (rollback rate) — IT change control discipline; defect introduction risk	ITSM change management module	IT Change Management / Engineering	Amber >5% of changes rolled back, Red >10%	CAB review for each rollback; red triggers change freeze audit
Critical patch lag (days past SLA) — cybersecurity exposure from unpatched vulnerabilities	Vulnerability management platform (Tenable, Qualys)	IT Security	Amber: any critical CVE >15 days; Red: any >30 days	CISO at amber; CRO + executives at red
Open P1/P2 IT incidents per quarter — IT reliability and accumulated system fragility	ITSM platform	IT Operations	Amber >3 P1 incidents/qtr, Red >5	Trend review at Operations Risk Committee; CTO remediation plan at red

People and Control Risk

KRI	Data Source	Owner	Amber → Red	Escalation Note
Turnover rate in critical or hard-to-replace roles — key person risk; knowledge loss; continuity	HR system (HRIS)	Human Resources / Business Line Heads	Amber >20% annualized, Red >35%	Quarterly Business Unit Risk report; succession planning review at amber
Training non-completion rate for required programs — compliance and conduct risk from undertrained staff	Learning Management System (LMS)	L&D / Compliance	Amber >10% non-completion 30 days pre-deadline, Red >20%	Manager notification at amber; Compliance escalation at red
Segregation of duties exceptions outstanding — control environment integrity; fraud risk from unchecked access	IAM system, access review logs	IT Security / Internal Audit	Amber >5 open exceptions without compensating controls, Red >10	Monthly access review; CRO + CAE at red
Open internal audit findings >90 days past remediation target — control remediation effectiveness	Audit management system	Internal Audit / Business Line Heads	Amber >3 past 90 days, Red >5 or any high-rated finding	Business line escalation at amber; Board Audit Committee at red
Policy exceptions approved per quarter — policy adherence and control discipline	Policy management system / exception log	Compliance / Risk Management	Amber >5/qtr, Red >10 or any exception >6 months	Monthly Risk Committee review; multi-quarter exceptions to CRO
Complaint escalation rate (first to second level) — customer experience; UDAAP exposure	CRM / complaint management system	Compliance / Customer Operations	Amber >8%, Red >15%	Compliance monthly review; root cause analysis + regulatory risk assessment at red

Vendor, BCP, and Model Risk

KRI	Data Source	Owner	Amber → Red	Escalation Note
Third-party SLA misses per quarter — third-party operational risk; service disruption from supplier failure	Vendor management platform / SLA reporting	Vendor Management / Business Line	Amber >2 misses from any critical vendor/qtr, Red >5	Vendor escalation call within 5 days; Vendor Risk Committee at red
BCP plans not tested within 12 months — business continuity readiness; examiner finding risk	BCP test tracker / business continuity platform	Business Continuity / Risk Management	Amber >10% of critical plans untested, Red >25%	BC Manager escalates to CRO; FFIEC exam prep review at red
Model validations overdue — model risk from unvalidated models in production	Model inventory / model risk management system	Model Risk Management	Amber >1 high-risk model past due date; Red >2 or any >18 months unvalidated	CRO briefed; model placed under enhanced monitoring or suspended at red per OCC 2026-13
Near-miss incident report rate vs. prior quarter — risk culture; near misses predict future losses	Incident reporting system	Operational Risk Management	Flag both: decline >30% QoQ (underreporting); spike >200% (deteriorating operations)	Trends reviewed monthly; declines investigated as cultural indicators; spikes trigger root cause analysis
RCSA action item completion rate — whether control gaps from RCSA are being remediated	RCSA platform / issue tracking system	ORM / Business Lines	Amber <75% of actions completed by due date, Red <50%	Risk Committee monthly review; CRO + business line heads at red

---

Part 2: 20 Financial Risk KRI Examples

Treasury and Finance own these metrics. Risk Management provides review and challenge, not primary monitoring. For structuring KRI ownership across the organization, see the KRI task force guide.

Liquidity and Capital

KRI	Data Source	Owner	Amber → Red	Escalation Note
Liquidity coverage ratio (LCR) vs. regulatory minimum — short-term liquidity risk; 30-day stress survival	Treasury LCR calculation engine	Treasury	Amber <120%, Red <110% (regulatory min 100%)	CRO at amber; CFO + Board ALCO at red; CFP review triggered
Net stable funding ratio (NSFR) — medium-term structural funding risk	Treasury / ALM system	Treasury	Amber <110%, Red <100%	Monthly ALCO; regulator notification assessed at red
Funding concentration — top 5 depositors as % of total deposits — single-depositor withdrawal vulnerability	Core banking system / deposits ledger	Treasury / ALCO	Amber >25%, Red >35%	ALCO quarterly; funding diversification plan at amber
Contingent funding line utilization rate — proximity to contingency capacity ceiling	Credit facility agreements / treasury monitoring	Treasury	Amber >50%, Red >75%	ALCO briefing at amber; CFP activation review at red
Deposit runoff rate (MoM decline) — liquidity outflow velocity; leading indicator of funding stress	Core banking / deposit monitoring system	Treasury / Retail Banking	Amber >5% MoM, Red >10%	Daily monitoring in stress; CFP activation assessed at amber; CEO briefed at red
Cash runway at current burn rate (fintech) — going concern risk for pre-profitability entities	Finance / FP&A system	CFO / Finance	Amber <12 months, Red <6 months	Monthly board report; investor/lender communication at red
Total capital ratio vs. regulatory minimum (banks) — capital adequacy; loss absorption capacity	Regulatory capital calculation system	Finance / Treasury	Amber within 200bps of well-capitalized minimum, Red within 100bps	Monthly Board ALCO; dividend suspension reviewed at amber
Operational loss as % of revenue (rolling 12 months) — materialization of operational risk relative to business size	Operational loss database / financial reporting	ORM / Finance	Amber >2%, Red >4% of revenue	Quarterly Risk Committee; CRO action plan at red

Credit and Payments

KRI	Data Source	Owner	Amber → Red	Escalation Note
30-day delinquency rate — early-stage credit deterioration in the portfolio	Loan servicing system	Credit Risk / Servicing	Amber >1.5%, Red >2.5% (varies by portfolio type)	Monthly credit risk reporting; underwriting review at red
Charge-off rate vs. reserve assumption — actual losses relative to what the reserve model predicted	Loan servicing + accounting system	Credit Risk / Finance	Amber: exceeds reserve assumption >25%; Red: >50%	ALCO monthly; reserve adequacy review at amber
Single-counterparty credit exposure vs. regulatory limit — concentration risk; potential Reg W violation	Credit exposure management system	Credit Risk / Treasury	Amber >80%, Red >95% of regulatory limit	Credit Officer review; ALCO briefing; regulatory notification if limit breached
ACH return rate vs. NACHA thresholds — NACHA Rule violation risk; account validity and authorization issues	ACH processing platform / NACHA reports	Payments Ops / Compliance	Amber: admin returns approaching 15%; Red: unauthorized returns >0.5%	NACHA suspension risk briefed to Compliance at amber; ODFI notification at red
Settlement fail rate — settlement and counterparty risk; operational loss from failed settlement	Clearinghouse / settlement platform reports	Treasury / Payments Ops	Amber >0.1% of settlement value, Red >0.3%	Daily reconciliation; counterparty relationship review at red
Fraud loss rate as % of transaction volume — fraud control effectiveness and operational loss	Fraud management platform	Fraud Risk / Payments Ops	Amber >5bps, Red >10bps	Daily monitoring; model and rule refresh at red

Compliance and Model Financial Risk

KRI	Data Source	Owner	Amber → Red	Escalation Note
Regulatory filing on-time rate — compliance risk; penalties and exam findings from late filings	Compliance calendar / regulatory reporting system	Compliance / Finance	Amber: any filing late >3 days; Red: any >10 days or missed deadline	Immediate GC + CRO escalation; regulator notification if required
OFAC screening — unresolved potential matches — sanctions violation risk; regulatory penalty exposure	Sanctions screening platform	BSA/AML / Compliance	Amber >5 unresolved hits >48 hrs; Red: any confirmed hit not escalated within 24 hrs	BSA Officer reviews all hits within 24 hrs; OFAC reporting for confirmed matches
SAR filing timeliness — BSA compliance; exam findings from late SAR filings	SAR tracking system	BSA/AML / Compliance	Amber <95% on-time, Red <90%	BSA Officer immediate review; exam finding risk briefed to CRO at red
Model output exception rate — model drift, degradation, and model risk for production models	Model monitoring platform / model outputs	Model Risk Management	Amber >5% outputs outside 2 SD; Red >10%	Model under enhanced oversight at amber; suspended pending revalidation at red per OCC 2026-13
Net interest margin (NIM) trend (banks, lending fintechs) — interest rate risk; margin compression	ALM system / financial reporting	Treasury / Finance	Amber: NIM decline >25bps QoQ; Red: >50bps or NIM below cost of capital	Monthly ALCO; repricing strategy review at amber; Board at red
Insurance coverage gap vs. loss scenarios — underinsurance risk; unrecovered losses from operational events	Insurance schedule vs. operational loss data / scenario analysis	Risk Management / Finance	Amber: gap >25% of 1-in-10-year scenario; Red: >50%	Annual insurance review; broker consultation at amber

---

Making This List Work

Map to your RCSA. KRIs should correspond directly to the risk ratings from your RCSA process. If the RCSA rates process failure as high, you need 2–3 KRIs actively monitoring that category. Mismatches between RCSA ratings and KRI coverage are a common examiner finding.

Assign real owners. Don’t let the risk team claim ownership of KRIs it can’t monitor. Process error rates belong to Operations. Charge-off rates belong to Credit Risk. IT incident rates belong to IT Operations. The risk function governs — it challenges thresholds, escalates breaches, and aggregates reporting.

Review thresholds annually. Thresholds set in Year 1 are usually wrong by Year 2. Transaction volumes change. Portfolio mix shifts. Stale thresholds create false greens and false reds — both dangerous in different ways.

So What?

Select the subset that maps to your material risks, assign real owners, and get thresholds calibrated before your next risk committee review. Don’t paste all 40 into your register on day one — start with the 10 most critical and build from there.

The KRI Library (132 Key Risk Indicators) extends this across nine additional domains — cyber, compliance, model risk, AML/BSA, third-party, credit, and more — with ownership guidance, threshold calibration notes, and escalation path templates built in.