Operational Risk KRI Dashboard: What to Show the Board and What to Keep in Management Reporting
The board doesn't need your full KRI library — it needs risk movement, breach escalations, and appetite context. Here's exactly how to separate board-level reporting from management-level monitoring, with the regulatory framework and enforcement cases that make it non-negotiable.
The risk committee sent a 47-page KRI pack to the board last quarter. The board chair returned it with one note: “Next time, tell us what we need to know.”
That note is the whole problem. Board members aren’t operational risk managers. A heat map with 84 metrics in ten colors doesn’t answer their question: is the risk profile inside our stated appetite, or isn’t it?
Operational risk KRI programs typically fail in one of two ways. Either management keeps all the detail and sends the board a vague “risk overview” that conveys nothing actionable. Or management sends the board everything — raw data, individual metric values, owner names, threshold debates — and the board checks a governance box without actually exercising oversight.
Both are exam findings.
TL;DR
- Board-level KRI reporting should show risk movement, breach escalations, and appetite context — not individual metric values
- Management reporting is where the detail lives: threshold values, root cause analysis, owner accountability, data freshness
- BCBS 239 Principle 11 and Federal Reserve SR 16-11 both require report content to be tailored to the recipient’s oversight role
- Citibank’s $400M OCC consent order explicitly cited board reporting failures: “inadequate reporting to the Board hindered effective oversight”
- A board dashboard is 2–4 pages maximum; the management dashboard contains everything the board report summarizes
Why the Distinction Is a Regulatory Requirement, Not a Design Preference
The Federal Reserve’s SR 16-11 supervisory guidance (revised February 2021) separates board and management responsibilities explicitly: boards approve strategies and set risk tolerances; management runs operations. The Fed expects boards to have “access to information to identify the size and significance of risks” — not access to every underlying metric that informs that determination.
BCBS 239 — the Basel Committee’s 14 principles for risk data aggregation and risk reporting — goes further. Principle 11 requires that reports be tailored to the needs of the recipient. Board-level reports should be concise and strategic. Management-level reports should be granular and actionable. As of the BCBS 2024 progress assessment, this tailoring discipline remains one of the most commonly cited gaps among globally significant institutions — which tells you how often organizations get this wrong even under direct supervisory attention.
OCC 12 CFR Part 30, Appendix D (the Heightened Standards guidelines) requires a formal board-approved risk governance framework and establishes that the board’s role is oversight and challenge — not operational management. Boards must receive information sufficient to assess whether risk is being managed within appetite, but they should not be interpreting operational-level metrics to reach that conclusion.
The enforcement consequence of getting this wrong is documented. The OCC’s consent order against Citibank in October 2020 — a $400M civil money penalty — explicitly found that “inadequate reporting to the Board on the status of data quality and progress in remediating identified deficiencies…hindered the Board’s ability to provide effective oversight.” The board wasn’t receiving appropriate summary-level risk reporting. Management was filtering severity before it reached the board. In July 2024, the OCC and Federal Reserve added a combined $136M penalty for insufficient progress on the same consent order — the failure to remediate board reporting deficiencies is itself a reportable deficiency.
TD Bank’s $3.1B AML resolution in October 2024 illustrates the other failure mode: KRI monitoring breakdowns at the management level that were never escalated to the board or to the level where they could be addressed. The OCC consent order now requires mandatory quarterly board reporting on AML remediation with specific metrics defined in the order itself — a mandated KRI reporting structure imposed after the operational monitoring layer collapsed.
The pattern in FDIC consent orders is consistent: post-enforcement, institutions are required to provide the board quarterly reports on deficiencies by severity level, required corrective actions, and responsible parties. When regulators decide boards weren’t seeing the right information voluntarily, they specify it in the order.
What Goes on the Board Dashboard
The board needs to answer one question: is the institution operating within its risk appetite?
Board-level KRI reporting should be structured around that question. Here’s what belongs at the board level:
Risk Appetite Utilization
Not “our fraud rate is 0.12%.” Rather: “Fraud risk is at 60% of tolerance; the 90-day trend is stable.” Boards approve risk appetite statements — they need to see how much of each appetite tolerance is being consumed, not the underlying operational metrics. If your appetite says fraud losses should not exceed 0.20% of volume, the board dashboard shows the percentage of that tolerance consumed. The metric drives management reporting; the utilization drives board oversight.
Trend Direction on Material Risk Categories
Boards need trajectory, not snapshots. A metric that’s technically within threshold but has moved from 40% to 80% of tolerance in three months is more relevant than one sitting at 30% with no movement. Board reporting should show improving/stable/deteriorating designation for each material risk category, without requiring the board to compute trend lines from quarterly data points.
Threshold Breaches and Remediation Status
Any KRI that crossed amber or red since the last reporting period must appear on the board dashboard with: the risk domain, how long it has been in breach, a one-to-two sentence root cause summary, and the target remediation date. The underlying analysis lives in the management report — the board summary gets the headline, not the investigation file.
Aggregate Operational Loss Experience
Total operational losses vs. budget and vs. the same period last year — frequency and severity, not individual events. If a specific loss event warrants board-level awareness due to size or nature, it gets a separate notation; routine loss experience rolls up into an aggregate view that shows pattern, not incident detail.
Emerging and Concentration Risks
Anything building outside normal patterns warrants board visibility before it hits a threshold. Third-party concentration creeping from 25% toward a 40% limit. Model dependency increasing as new AI tools go into production. These trend signals belong in a dedicated section, clearly labeled as emerging rather than breach-level items.
The board dashboard is 2–4 pages maximum. RAG status summaries and heat maps work at this level. Individual metric values belong elsewhere.
What Stays in Management Reporting
The risk committee, ALCO, or equivalent management forum is where the operational picture lives. Here’s how the two layers separate:
| Board Dashboard | Management Report |
|---|---|
| Risk appetite utilization (%) per category | Individual KRI values against defined thresholds |
| Trend direction: improving / stable / deteriorating | Month-over-month KRI movement with data source confirmation |
| Breach summary: domain, duration, root cause sentence | Full root cause analysis with owner names and evidence |
| Aggregate operational losses vs. budget | Loss event detail: category, business line, amount, recovery |
| Emerging risk signals | KRI correlation analysis: leading vs. lagging indicators |
| Remediation status (brief) | Action items with due dates, accountable owners, and completion evidence |
| Control effectiveness summary rating | First-line control self-assessment scores by business unit |
| - | Vendor SLA monitoring, concentration metrics by tier |
An examiner reviewing your reporting structure will ask: can you trace how the board summary was derived from the management detail? If you can’t, the board is receiving information that can’t be verified — which is a governance problem regardless of what the information says.
Commentary Rules: What to Write When Something Is Red
The most common failure in KRI dashboards isn’t the metrics — it’s the commentary. A color change with no explanation is not risk management; it’s a decoration. Every amber or red item in board reporting requires commentary that answers three questions:
What is the root cause? Not “elevated fraud rates” — but “credential-stuffing attack targeting new account onboarding; first detected May 12; fraud operations team engaged.” Specific, not generic.
What is the remediation action? Not “management is monitoring” — but “device fingerprinting controls deployed May 15; monitoring elevated to daily review through month-end.” An action with a timeline, not a posture.
What is the resolution target? “Target return to amber by June 15 if attack volume remains consistent with current trajectory; will escalate if pattern changes.” A date and a condition, not a vague “being addressed.”
One to two sentences in the board summary. Everything else goes in the management report that supports it.
This structure also enforces the right behavior in management: if writing the board commentary requires calling three people and searching three systems, the underlying management reporting isn’t working as designed. Good board commentary is a byproduct of a good management layer — not a separate exercise.
The Escalation Bridge: Connecting the Two Layers
Management reporting and board reporting should not operate as parallel systems. The board dashboard should be derived from the management report — not built separately. Every red item in the board summary should trace to a specific section in the management report. If the traceability isn’t there, you have two documents telling different versions of the same story, which is what the Citi consent order found.
The escalation bridge runs in both directions:
Management to Board (intra-quarter breach). Any KRI that hits red between quarterly board meetings should trigger an off-cycle escalation — not a full report, but a one-page notification confirming that the board is aware and that management has a documented response plan in place. Boards that only receive risk information quarterly create blind spots in their oversight record.
Board to Management (challenge). A board member who sees a risk category deteriorating from green to amber for two consecutive quarters should be able to request the underlying management report and get a meaningful response within 24 hours. SR 16-11 explicitly expects boards to have the ability to challenge management and obtain detailed information when oversight requires it. If the management layer isn’t structured to surface that detail quickly, that’s a gap examiners document.
Practical Design Notes
Use the 3-3-3 rule for board packets. No more than three metrics per risk category, no more than three categories per page, no more than three pages of KRI content per board meeting. The discipline forces prioritization. If a category has seven management-level metrics, the board sees the one that most clearly answers “are we within appetite?”
Frequency mismatch is a common finding. Management should monitor KRIs at minimum monthly — some metrics weekly or daily for operational domains like fraud and liquidity. The board reviews quarterly with a defined escalation trigger for threshold breaches. When examiners ask whether the board received the same annual risk summary year after year, the answer needs to be no — with evidence of a live escalation pathway.
Stale thresholds produce false greens. A threshold set in 2022 for a business that has since tripled in transaction volume may generate a green reading on a metric that would be amber or red on a properly calibrated threshold. Threshold calibration isn’t a one-time setup step — it’s an annual review item, and more frequently for volatile domains. A board that’s been shown six consecutive quarters of green on a metric where the threshold hasn’t been reviewed is not being effectively informed.
Separate “what” from “so what.” Management reports show what the KRI number is. Board reports show what it means for the risk appetite statement and what management intends to do about it. The jump from data to decision is the board’s oversight function — your reporting structure should support it, not require the board to perform the analysis themselves.
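As an added illustration (not code from the original article or from RiskTemplates), the following Python sketch derives board-level lines from a constructed management-layer KRI set the way the board dashboard section and the design notes above describe: appetite utilization, trend designation, RAG status, months in breach, the 3-3-3 per-category cap, and a stale-threshold flag, with each line keeping its management `kri_id` so the board summary is traceable back to the management report. The KRI identifiers, threshold values, and the 5-percentage-point trend band are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date
from itertools import takewhile

@dataclass
class KRI:
    kri_id: str            # management-report reference, kept for traceability
    category: str
    values: list           # monthly values, oldest first
    tolerance: float       # appetite limit from the risk appetite statement
    amber: float           # management-level amber / red thresholds
    red: float
    threshold_reviewed: date
def utilization(k):        # share of appetite tolerance consumed (0.6 = 60%)
    return k.values[-1] / k.tolerance
def rag(k):
    v = k.values[-1]
    return "red" if v >= k.red else "amber" if v >= k.amber else "green"
def trend(k, window=3, band=0.05):   # utilization change over `window` months (band is assumed)
    window = min(window, len(k.values) - 1)
    delta = (k.values[-1] - k.values[-1 - window]) / k.tolerance
    return "deteriorating" if delta > band else "improving" if delta < -band else "stable"
def breach_months(k):      # consecutive months, latest first, at or above amber
    return sum(1 for _ in takewhile(lambda v: v >= k.amber, reversed(k.values)))
def threshold_stale(k, as_of, months=12):   # unreviewed thresholds can give false greens
    age = (as_of.year - k.threshold_reviewed.year) * 12 + as_of.month - k.threshold_reviewed.month
    return age >= months
def board_summary(kris, as_of, max_per_category=3):
    """Board lines derived from management KRIs: per category keep only the metrics
    closest to appetite (the 3-3-3 rule); each line carries its kri_id for tracing."""
    by_cat = {}
    for k in kris:
        by_cat.setdefault(k.category, []).append(k)
    lines = []
    for cat, group in by_cat.items():
        for k in sorted(group, key=utilization, reverse=True)[:max_per_category]:
            lines.append({"category": cat, "kri_id": k.kri_id, "rag": rag(k),
                          "utilization_pct": round(100 * utilization(k)), "trend": trend(k),
                          "breach_months": breach_months(k), "threshold_stale": threshold_stale(k, as_of)})
    return lines

# Constructed sample management-layer data (not real institution figures).
SAMPLE = [
    KRI("FR-01", "Fraud", [0.12, 0.13, 0.11, 0.12], 0.20, 0.16, 0.19, date(2024, 11, 1)),
    KRI("FR-02", "Fraud", [2, 3, 4, 5], 5, 4, 5, date(2024, 11, 1)),
    KRI("TP-01", "Third party", [25, 28, 31, 34], 40, 32, 38, date(2024, 11, 1)),
    KRI("PY-01", "Payments", [0.4, 0.4, 0.4, 0.4], 1.0, 0.8, 0.95, date(2022, 6, 1)),
]
AS_OF = date(2025, 3, 31)
```

Running `board_summary(SAMPLE, AS_OF)` yields a green fraud-rate line at 60% of tolerance with a stable trend, a red backlog line two months in breach, an amber third-party concentration line at 85% and deteriorating, and a green payments line flagged because its threshold was last reviewed in 2022.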
So What?
Getting board vs. management reporting right is one of the highest-leverage structural improvements a KRI program can make. It’s the difference between a dashboard that satisfies governance theater and one that actually informs oversight decisions.
The KRI task force structure determines who owns and builds the management layer. Threshold calibration discipline determines whether the green/amber/red signals in either layer are trustworthy. And the 40 operational and financial KRI examples give you the underlying metrics that feed both layers.
If your board has been receiving the management report reformatted as a board report, that’s a fixable problem. The Citi consent order makes clear it’s also an exam risk. The fix is separating the content — not just the packaging — and building the escalation bridge that connects the two.
A board that’s informed about the right things at the right level of aggregation doesn’t slow down risk management. It enables the oversight function that management’s day-to-day monitoring can’t perform.
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.