Feature Operational Risk
How Many KRIs Is Too Many? Building a Dashboard That Does Not Become Metric Theater
More KRIs don't mean better risk visibility. Here's how to prune your dashboard, identify metric theater, and build a KRI program boards and examiners actually trust.
Table of Contents
TL;DR
- More KRIs don’t mean better risk visibility—boards reviewing 50+ metric dashboards retain less signal than those reviewing 15 well-selected ones, and the metrics that matter get buried
- Metric theater is the gap between the appearance of risk monitoring and substantive governance: consistently green dashboards, thresholds that never fire, metrics disconnected from decisions
- The five tests for any KRI: Does it link to a material risk? Is it forward-looking? Is it actionable? Is the data reliable? Is it already captured elsewhere?
- Board dashboards should target 10–20 KRIs; management dashboards can run wider, but each metric needs an owner, a threshold, and a documented escalation path
The Risk Committee’s quarterly package landed in the inbox at 9am Friday. Thirty-two pages, 47 KRIs, all green. The CFO skimmed it in four minutes between calls. Nobody asked a question.
That’s metric theater. The appearance of risk monitoring with none of the substance.
Most KRI programs start with good intentions: identify the risks, build metrics for each one, put them in a dashboard. The problem is that the program compounds year over year—risks get added, metrics get added, nothing gets removed—until the dashboard is a compliance artifact that stakeholders have learned to ignore. When an examiner asks which metrics prompted management action last quarter, the answer is uncomfortable silence.
This post is about building KRI programs that boards and examiners actually trust—starting with the most practical question in the room: how many is too many?
The Case Against More KRIs
There’s intuitive logic to comprehensive dashboards. More metrics mean more coverage. If you’re monitoring 60 KRIs, you’re less likely to miss something than if you’re watching 15.
The evidence says otherwise.
Research on board decision-making consistently finds that cognitive load limits how effectively boards process large volumes of information. In risk management terms: a board that reviews 47 KRIs retains less than one that reviews 15 carefully selected ones. The important signals get buried in the mass of consistently green indicators.
There’s a governance problem, too. Every KRI requires an owner, a threshold, a defined response when breached, and a documented escalation path. A program with 60 KRIs needs 60 owners who have reviewed their metric recently, know what triggers escalation, and can explain the threshold methodology. In most organizations, that’s not what happens. You get 20 KRIs with real governance and 40 orphans—metrics that show up in the dashboard because someone added them three years ago and nobody felt comfortable removing them.
The Institute of Operational Risk and Basel II operational risk guidance both identify over-instrumentation as a common failure mode in KRI programs. The COSO ERM framework recommends that organizations focus on KRIs that are material, actionable, and connected to strategic risk appetite—not maximum coverage for its own sake.
What Metric Theater Looks Like in Practice
Metric theater takes several recognizable forms.
The consistently green dashboard: If your KRI dashboard has been 80–100% green for two consecutive years, something is wrong—either with the metrics you chose, the thresholds you set, or what’s being measured. A well-calibrated KRI program should show amber regularly (that’s the purpose of the yellow flag) and red occasionally. Consistent green either means excellent risk management or means your thresholds are set too wide to be useful. In most programs, it’s the second.
Activity metrics masquerading as risk metrics: “Percentage of employees who completed BSA training” is a KPI—it measures whether an activity happened. “Percentage of new account openings with CIP deficiencies” is a KRI—it measures whether a risk event is materializing. Dashboards full of completion rates, headcount metrics, and process cycle times are measuring what happened, not what’s at risk. The KRI vs. KPI distinction sounds simple until you audit your own dashboard.
Threshold bands so wide that amber never fires: The amber threshold exists to give management time to respond before a real breach occurs. If your amber band doesn’t fire until you’re at 95% of a problem, it’s not warning you—it’s narrating your failure in real time. This is one of the most common KRI program deficiencies and one of the most common exam findings in operational risk reviews.
Metrics nobody owns: Walk through your KRI dashboard and ask who owns each metric, when they last reviewed it, and what they would do if it hit amber. If more than a quarter of your KRIs produce ambiguous answers, your program has orphaned metrics—indicators that exist in the dashboard but have no governance infrastructure behind them.
Lagging indicators labeled as KRIs: Operational loss totals, prior-period complaint volumes, and closed exam findings are useful retrospective metrics. They are not KRIs—they are reports of what already happened. Effective KRIs provide warning before the loss or event. A dashboard built primarily on lagging indicators gives you excellent visibility into the past and no warning about the future. The leading vs. lagging KRI distinction is the difference between a program that anticipates and one that reports.
The Five Tests for Every KRI
Before adding a metric to your dashboard—and before keeping one that’s already there—apply five tests.
| Test | Question | If It Fails |
|---|---|---|
| Materiality | Does this metric link to a risk that could cause a material loss, regulatory action, or strategic failure? | Remove or demote to operational tracking |
| Leading | Does this metric provide warning before the event occurs, not after? | Redesign as a leading indicator or remove |
| Actionable | Does a threshold breach trigger a defined management response with an owner and timeline? | Define the response first, then keep the metric |
| Reliable | Is the underlying data consistently available, accurate, and auditable? | Fix the data source or remove the metric |
| Non-redundant | Is this metric materially different from another KRI already on the dashboard? | Consolidate or remove the weaker one |
A metric that fails any one of these tests belongs in one of three places: redesigned so it passes, demoted to an operational tracking report that management reviews but doesn’t present to the board, or removed entirely. There is no fourth option that involves keeping a weak metric in the board dashboard “just in case.”
Board vs. Management: Two Different Dashboards
One of the clearest structural fixes for KRI bloat is separating board and management reporting into explicitly different dashboards with different metric sets.
Board-level KRIs (10–20 metrics):
- Directly tied to board-approved risk appetite tolerances
- Each KRI has a narrative: what the metric measures, why it matters, what the threshold is, and what management is doing if it’s amber or red
- Focus on risk domains where board-level decision-making is required: credit risk, strategic risk, regulatory compliance posture, liquidity position, major vendor concentration
- Reviewed quarterly with management commentary
Management-level KRIs (30–60 metrics, varies by complexity):
- More granular and more operational, reviewed more frequently (monthly for most domains, weekly for high-velocity metrics like fraud and transaction monitoring)
- Each metric has an owner actively monitoring it and responsible for escalation if thresholds breach
- Covers sub-domain detail the board summary can’t show: by product line, geography, customer segment
- Feeds the board summary—management KRIs that breach amber get surfaced in the board report with commentary
The test for what belongs in a board report versus a management report is simple: does the board need to take an action or make a decision if this metric turns red? If not, it belongs in the management dashboard.
The KRI governance structure—who owns the metric, who approves the threshold, who escalates—needs to match this two-tier structure. A metric that escalates to the board needs board-level ownership and response protocols. A metric that escalates to the Risk Committee needs committee-level protocols.
A Practical Pruning Framework
If you’re looking at an existing dashboard and recognizing metric theater patterns above, here’s a practical pruning process:
Step 1: Audit ownership. Export every KRI from your current dashboard. For each one, identify: who owns it, when they last reviewed the threshold, and what their documented escalation action is. Any metric without an active, identifiable owner is an orphan. Flag it.
Step 2: Apply the five tests. Score each metric against materiality, leading, actionable, reliable, and non-redundant. Flag any that fail one or more tests.
Step 3: Separate board from management. Identify which metrics belong in board-level reporting (tied to risk appetite, requiring board action) versus management reporting (operational detail). Move management-level metrics out of the board package.
Step 4: Consolidate duplicates. Identify metrics measuring the same underlying risk in slightly different ways. Keep the one with better data quality, clearer ownership, and a cleaner threshold methodology.
Step 5: Set a target number. For most financial institutions: 10–20 KRIs in the board dashboard and 30–50 in the management dashboard. If you’re well above these ranges, the steps above will get you there.
Step 6: Document the removals. When you remove a KRI from active reporting, document why—and archive it rather than deleting it. This maintains the audit trail and gives you a reference if the risk domain becomes material again.
Starting the Right Way
Organizations building KRI programs from scratch have an advantage existing programs don’t: they can start with the right number and build structure before adding metrics.
The right starting framework: identify your top 8–12 risks from your risk register. Select 1–2 KRIs per risk that directly measure that risk’s materialization potential. Ensure each KRI has an owner, a threshold methodology, and a documented escalation response. That gives you 12–24 KRIs at launch—enough for genuine coverage, lean enough to be governable.
Expand only when a gap in coverage creates a demonstrated problem—a risk that materialized without warning from any existing metric. Don’t add metrics because they’re available or because someone requested coverage of a new area without also providing the ownership and response infrastructure.
The KRI Library (132 Key Risk Indicators) is organized by risk domain with threshold ranges already calibrated for financial services—which lets you select the KRIs that match your risk profile and build out from there, rather than starting with all 132 and trying to trim down. The starter tier of 20 KRIs covers the most critical domains for early-stage programs; the standard tier of 75 covers most mature programs’ needs without creating a 60-metric board package nobody reads.
So What? What Examiners Are Actually Testing
When an OCC, FDIC, or Federal Reserve examiner reviews your KRI program, they’re not counting metrics. They’re testing the governance chain behind each one: Who owns it? How was the threshold determined? What happened the last time it hit amber? Is the board seeing the right risks at the right level of granularity?
A dashboard with 12 well-governed KRIs—each with an owner, a documented threshold methodology, a traceable connection to board-approved risk appetite, and evidence of management action—will pass that examination. A dashboard with 55 metrics where half have no clear owner and nobody can explain why certain thresholds are set where they are will not.
The metric theater problem is ultimately a governance problem, not a dashboard design problem. Fix the governance chain first—ownership, thresholds tied to appetite, documented escalation protocols—and the right number of KRIs follows naturally from what you can actually govern.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
How many KRIs should a board-level risk dashboard have?
What is metric theater in risk management?
What's the difference between a KRI and a KPI, and why does it matter for dashboard design?
How do you decide which KRIs to cut when pruning a dashboard?
How often should KRI dashboards be reviewed and pruned?
What do regulators actually expect to see in a KRI dashboard?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Keep reading
Related posts.
Operational Risk
1,155 Violations and $1.2 Billion in Restitution: What the FDIC's Spring 2026 Supervisory Highlights Say About Where Your Program Gets Tested
The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights documented 1,155 violations from 2025 exams — with TILA/Reg Z alone accounting for 462, flood insurance violations generating $150 million in orders, and formal enforcement actions requiring $1.2 billion in restitution. Here's how to use the FDIC's own findings as a self-assessment checklist before your next examination.
Jul 8, 2026
Operational Risk
KRI Library vs. Building Your KRIs From Scratch: An Honest Comparison
Buy a pre-built KRI library or derive key risk indicators internally? Real thresholds, real trade-offs, and where each approach actually wins.
Jul 8, 2026
Operational Risk
What the OCC's CFSB Consent Order Says About BSA/AML Risk in Fintech Payment Partnerships
On May 21, 2026, the OCC released a consent order against Community Federal Savings Bank—sponsor bank for Wise and Crypto.com—for BSA/AML failures tied directly to rapid payment processing growth. The core problem wasn't the fintech partners. It was that alert tuning, CDD, and staffing never scaled with transaction volume. Here's the operational risk lesson for every institution growing through fintech relationships.
Jul 7, 2026