Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Operational Risk

How Many KRIs Is Too Many? Building a Dashboard That Does Not Become Metric Theater

More KRIs don't mean better risk visibility. Here's how to prune your dashboard, identify metric theater, and build a KRI program boards and examiners actually trust.

Table of Contents

TL;DR

  • More KRIs don’t mean better risk visibility—boards reviewing 50+ metric dashboards retain less signal than those reviewing 15 well-selected ones, and the metrics that matter get buried
  • Metric theater is the gap between the appearance of risk monitoring and substantive governance: consistently green dashboards, thresholds that never fire, metrics disconnected from decisions
  • The five tests for any KRI: Does it link to a material risk? Is it forward-looking? Is it actionable? Is the data reliable? Is it already captured elsewhere?
  • Board dashboards should target 10–20 KRIs; management dashboards can run wider, but each metric needs an owner, a threshold, and a documented escalation path

The Risk Committee’s quarterly package landed in the inbox at 9am Friday. Thirty-two pages, 47 KRIs, all green. The CFO skimmed it in four minutes between calls. Nobody asked a question.

That’s metric theater. The appearance of risk monitoring with none of the substance.

Most KRI programs start with good intentions: identify the risks, build metrics for each one, put them in a dashboard. The problem is that the program compounds year over year—risks get added, metrics get added, nothing gets removed—until the dashboard is a compliance artifact that stakeholders have learned to ignore. When an examiner asks which metrics prompted management action last quarter, the answer is uncomfortable silence.

This post is about building KRI programs that boards and examiners actually trust—starting with the most practical question in the room: how many is too many?

The Case Against More KRIs

There’s intuitive logic to comprehensive dashboards. More metrics mean more coverage. If you’re monitoring 60 KRIs, you’re less likely to miss something than if you’re watching 15.

The evidence says otherwise.

Research on board decision-making consistently finds that cognitive load limits how effectively boards process large volumes of information. In risk management terms: a board that reviews 47 KRIs retains less than one that reviews 15 carefully selected ones. The important signals get buried in the mass of consistently green indicators.

There’s a governance problem, too. Every KRI requires an owner, a threshold, a defined response when breached, and a documented escalation path. A program with 60 KRIs needs 60 owners who have reviewed their metric recently, know what triggers escalation, and can explain the threshold methodology. In most organizations, that’s not what happens. You get 20 KRIs with real governance and 40 orphans—metrics that show up in the dashboard because someone added them three years ago and nobody felt comfortable removing them.

The Institute of Operational Risk and Basel II operational risk guidance both identify over-instrumentation as a common failure mode in KRI programs. The COSO ERM framework recommends that organizations focus on KRIs that are material, actionable, and connected to strategic risk appetite—not maximum coverage for its own sake.

What Metric Theater Looks Like in Practice

Metric theater takes several recognizable forms.

The consistently green dashboard: If your KRI dashboard has been 80–100% green for two consecutive years, something is wrong—either with the metrics you chose, the thresholds you set, or what’s being measured. A well-calibrated KRI program should show amber regularly (that’s the purpose of the yellow flag) and red occasionally. Consistent green either means excellent risk management or means your thresholds are set too wide to be useful. In most programs, it’s the second.

Activity metrics masquerading as risk metrics: “Percentage of employees who completed BSA training” is a KPI—it measures whether an activity happened. “Percentage of new account openings with CIP deficiencies” is a KRI—it measures whether a risk event is materializing. Dashboards full of completion rates, headcount metrics, and process cycle times are measuring what happened, not what’s at risk. The KRI vs. KPI distinction sounds simple until you audit your own dashboard.

Threshold bands so wide that amber never fires: The amber threshold exists to give management time to respond before a real breach occurs. If your amber band doesn’t fire until you’re at 95% of a problem, it’s not warning you—it’s narrating your failure in real time. This is one of the most common KRI program deficiencies and one of the most common exam findings in operational risk reviews.

Metrics nobody owns: Walk through your KRI dashboard and ask who owns each metric, when they last reviewed it, and what they would do if it hit amber. If more than a quarter of your KRIs produce ambiguous answers, your program has orphaned metrics—indicators that exist in the dashboard but have no governance infrastructure behind them.

Lagging indicators labeled as KRIs: Operational loss totals, prior-period complaint volumes, and closed exam findings are useful retrospective metrics. They are not KRIs—they are reports of what already happened. Effective KRIs provide warning before the loss or event. A dashboard built primarily on lagging indicators gives you excellent visibility into the past and no warning about the future. The leading vs. lagging KRI distinction is the difference between a program that anticipates and one that reports.

The Five Tests for Every KRI

Before adding a metric to your dashboard—and before keeping one that’s already there—apply five tests.

TestQuestionIf It Fails
MaterialityDoes this metric link to a risk that could cause a material loss, regulatory action, or strategic failure?Remove or demote to operational tracking
LeadingDoes this metric provide warning before the event occurs, not after?Redesign as a leading indicator or remove
ActionableDoes a threshold breach trigger a defined management response with an owner and timeline?Define the response first, then keep the metric
ReliableIs the underlying data consistently available, accurate, and auditable?Fix the data source or remove the metric
Non-redundantIs this metric materially different from another KRI already on the dashboard?Consolidate or remove the weaker one

A metric that fails any one of these tests belongs in one of three places: redesigned so it passes, demoted to an operational tracking report that management reviews but doesn’t present to the board, or removed entirely. There is no fourth option that involves keeping a weak metric in the board dashboard “just in case.”

Board vs. Management: Two Different Dashboards

One of the clearest structural fixes for KRI bloat is separating board and management reporting into explicitly different dashboards with different metric sets.

Board-level KRIs (10–20 metrics):

  • Directly tied to board-approved risk appetite tolerances
  • Each KRI has a narrative: what the metric measures, why it matters, what the threshold is, and what management is doing if it’s amber or red
  • Focus on risk domains where board-level decision-making is required: credit risk, strategic risk, regulatory compliance posture, liquidity position, major vendor concentration
  • Reviewed quarterly with management commentary

Management-level KRIs (30–60 metrics, varies by complexity):

  • More granular and more operational, reviewed more frequently (monthly for most domains, weekly for high-velocity metrics like fraud and transaction monitoring)
  • Each metric has an owner actively monitoring it and responsible for escalation if thresholds breach
  • Covers sub-domain detail the board summary can’t show: by product line, geography, customer segment
  • Feeds the board summary—management KRIs that breach amber get surfaced in the board report with commentary

The test for what belongs in a board report versus a management report is simple: does the board need to take an action or make a decision if this metric turns red? If not, it belongs in the management dashboard.

The KRI governance structure—who owns the metric, who approves the threshold, who escalates—needs to match this two-tier structure. A metric that escalates to the board needs board-level ownership and response protocols. A metric that escalates to the Risk Committee needs committee-level protocols.

A Practical Pruning Framework

If you’re looking at an existing dashboard and recognizing metric theater patterns above, here’s a practical pruning process:

Step 1: Audit ownership. Export every KRI from your current dashboard. For each one, identify: who owns it, when they last reviewed the threshold, and what their documented escalation action is. Any metric without an active, identifiable owner is an orphan. Flag it.

Step 2: Apply the five tests. Score each metric against materiality, leading, actionable, reliable, and non-redundant. Flag any that fail one or more tests.

Step 3: Separate board from management. Identify which metrics belong in board-level reporting (tied to risk appetite, requiring board action) versus management reporting (operational detail). Move management-level metrics out of the board package.

Step 4: Consolidate duplicates. Identify metrics measuring the same underlying risk in slightly different ways. Keep the one with better data quality, clearer ownership, and a cleaner threshold methodology.

Step 5: Set a target number. For most financial institutions: 10–20 KRIs in the board dashboard and 30–50 in the management dashboard. If you’re well above these ranges, the steps above will get you there.

Step 6: Document the removals. When you remove a KRI from active reporting, document why—and archive it rather than deleting it. This maintains the audit trail and gives you a reference if the risk domain becomes material again.

Starting the Right Way

Organizations building KRI programs from scratch have an advantage existing programs don’t: they can start with the right number and build structure before adding metrics.

The right starting framework: identify your top 8–12 risks from your risk register. Select 1–2 KRIs per risk that directly measure that risk’s materialization potential. Ensure each KRI has an owner, a threshold methodology, and a documented escalation response. That gives you 12–24 KRIs at launch—enough for genuine coverage, lean enough to be governable.

Expand only when a gap in coverage creates a demonstrated problem—a risk that materialized without warning from any existing metric. Don’t add metrics because they’re available or because someone requested coverage of a new area without also providing the ownership and response infrastructure.

The KRI Library (132 Key Risk Indicators) is organized by risk domain with threshold ranges already calibrated for financial services—which lets you select the KRIs that match your risk profile and build out from there, rather than starting with all 132 and trying to trim down. The starter tier of 20 KRIs covers the most critical domains for early-stage programs; the standard tier of 75 covers most mature programs’ needs without creating a 60-metric board package nobody reads.

So What? What Examiners Are Actually Testing

When an OCC, FDIC, or Federal Reserve examiner reviews your KRI program, they’re not counting metrics. They’re testing the governance chain behind each one: Who owns it? How was the threshold determined? What happened the last time it hit amber? Is the board seeing the right risks at the right level of granularity?

A dashboard with 12 well-governed KRIs—each with an owner, a documented threshold methodology, a traceable connection to board-approved risk appetite, and evidence of management action—will pass that examination. A dashboard with 55 metrics where half have no clear owner and nobody can explain why certain thresholds are set where they are will not.

The metric theater problem is ultimately a governance problem, not a dashboard design problem. Fix the governance chain first—ownership, thresholds tied to appetite, documented escalation protocols—and the right number of KRIs follows naturally from what you can actually govern.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

How many KRIs should a board-level risk dashboard have?
Most experienced risk practitioners recommend 10–20 KRIs for board-level reporting—enough to cover your top risk domains without creating a document the board needs 30 minutes to read. The test isn't the number; it's whether a board member can ask a substantive follow-up question about any metric on the report. If several metrics never generate questions, those are candidates for pruning.
What is metric theater in risk management?
Metric theater is a risk dashboard that generates the appearance of risk monitoring without the substance—dashboards where everything is consistently green regardless of actual conditions, where thresholds rarely trigger action, or where the monitored metrics don't connect to decisions risk owners actually need to make. Common forms: activity metrics masquerading as risk metrics, lagging indicators reported too late to influence outcomes, and threshold bands so wide that amber almost never fires.
What's the difference between a KRI and a KPI, and why does it matter for dashboard design?
A KPI measures performance—did we achieve our objective? A KRI measures risk exposure—are conditions deteriorating in a way that could lead to a loss or failure event? The distinction matters for dashboards because KPIs and KRIs have different owners, different escalation paths, and different uses. A high KPI can coexist with a high KRI in the same period. Dashboards that conflate them create false reassurance—good performance numbers can mask rising risk.
How do you decide which KRIs to cut when pruning a dashboard?
Apply five tests: (1) Does this metric link to a specific risk that could cause a material loss or event? (2) Is it forward-looking—does it give warning before the event, not after? (3) Is it actionable—does a threshold breach trigger a defined management response? (4) Is the data reliable and consistently available? (5) Is this metric already captured in another KRI at a different level? A metric that fails any one of these tests is a candidate for removal or redesign.
How often should KRI dashboards be reviewed and pruned?
Formally, at least annually—typically aligned with the risk appetite review cycle. Additionally, review your KRI inventory whenever a metric has been consistently green for 18+ months (may indicate the threshold is too wide), the business has grown substantially (old thresholds may be meaningless at new volume), a new regulatory requirement changes what you need to monitor, or a material risk event occurred that your dashboard didn't predict.
What do regulators actually expect to see in a KRI dashboard?
Regulators—OCC, FDIC, Fed, CFPB—expect KRIs that connect to board-approved risk appetite tolerances, with documented evidence of who owns each metric, what thresholds trigger escalation, and how the board responded when thresholds were breached. They aren't counting KRIs; they're evaluating the governance chain behind them. A dashboard with 12 well-governed KRIs is more defensible than one with 60 metrics where half have no clear owner.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.