Feature Operational Risk
Issue Management KRIs: Aging, Reopen Rates, Missed Due Dates, and Weak CAPs
Six key risk indicators that show whether your issues program is actually fixing things — issue aging by severity, due date extension rate, reopen rate, repeat root cause frequency, CAP validation failure rate, and evidence completeness at closure.
Table of Contents
TL;DR
- Most issue trackers measure activity (open count, closures this quarter) rather than program health — the KRIs that predict exam outcomes are aging by severity, reopen rate, repeat root cause frequency, and CAP quality
- A repeat finding — the same issue in two consecutive exam cycles — is the most damaging outcome in an OCC or FDIC examination; your KRI program should surface repeat-finding candidates months before the examiner does
- The October 2025 OCC/FDIC proposed rulemaking on MRAs explicitly links repeat findings to board and management capability — the issue tracker is no longer just operational recordkeeping
- Evidence completeness at closure is the KRI most programs skip and the one examiners check first
Your issues tracker says 47 items are in remediation. Twelve have been there for more than 180 days. Three have been extended twice. Four are technically “closed” but came back the next quarter.
An examiner looking at that list isn’t asking whether you have an issues program. They’re asking whether it works.
The distinction matters. Most compliance programs measure issues the wrong way — tracking open count, closures this quarter, overdue this week. Those metrics tell you volume. They don’t tell you whether your program is actually resolving risk.
The KRIs that correlate with exam outcomes — the ones that come up in MRA remediation conversations — are pattern metrics: aging by severity, reopen rate, repeat root cause frequency, and evidence completeness at closure. These are the signals a functioning issues program produces and a struggling one cannot hide.
Here are the six that matter most.
Why Issue Management KRIs Matter to Regulators
The OCC’s Comptroller’s Handbook on Compliance Management Systems identifies issues management as a core pillar of an effective compliance program — alongside policies, training, consumer complaint management, and internal audit and compliance reviews.
What examiners test in the issues component isn’t the existence of a tracker. It’s the quality of remediation: whether root causes are identified, whether corrective actions are designed to address those root causes, and whether closure decisions are supported by evidence.
In October 2025, the OCC and FDIC issued a proposed rulemaking that directly addressed the issue aging problem. The proposal acknowledged that MRAs are often kept outstanding long after institutions complete remediation — because examiners require demonstrated sustainability before closing a finding. It also confirmed that the FDIC treats repeat findings as evidence that the board and management either lack the willingness or the capability to correct deficiencies.
The implication: issue aging and repeat-finding risk are now explicitly board-level governance concerns. The issue tracker is not just operational recordkeeping. It’s evidence that your second line of defense is functioning.
The 6 Issue Management KRIs
KRI 1: Issue Aging by Severity
What it measures: The median and 90th-percentile days open for issues, segmented by severity tier (Critical, High, Medium, Low).
Why it matters: A 200-day average masks the real signal — which issues are aging, at which severity level, and why. An aggregate average that looks acceptable can hide two or three high-severity items that have been in remediation for a year. Segment by severity and track separately.
Data source: Issues tracker, filtered by open status, segmented by severity.
| Threshold | Criteria |
|---|---|
| Green | Critical ≤90 days; High ≤180 days; Medium ≤365 days |
| Amber | Any Critical 90–120 days without documented escalation; any High 180–270 days |
| Red | Any Critical >120 days; any High >270 days; >20% of issues in any tier past their ceiling |
Owner: Second-line compliance or risk. Board-level escalation when critical issues approach the red threshold without a clear resolution path.
KRI 2: Due Date Extension Rate
What it measures: The percentage of issues whose target remediation date was extended at least once, and the percentage extended more than once.
Why it matters: One extension with documented justification is a program functioning as designed. Recurrent extensions — especially concentrated in a specific business line or control owner — indicate that committed timelines were unrealistic, ownership is weak, or the root cause is harder to fix than originally assessed.
Data source: Issues tracker with date field history (requires date-change logging, not just the current due date).
| Threshold | Criteria |
|---|---|
| Green | ≤15% of open issues extended; ≤5% extended more than once |
| Amber | 15–30% extended; or >10% extended more than once |
| Red | >30% extended; or any Critical/High issue extended more than twice |
Owner: Issues management function. Report to senior management when amber; risk committee discussion at red.
KRI 3: Issue Reopen Rate
What it measures: The percentage of issues marked closed that are reopened within 90 days.
Why it matters: Closure rate measures throughput. Reopen rate measures whether closures are real. A program optimizing for closure velocity without adequate validation will show strong closure metrics while accumulating reopened items that never permanently resolve. This is one of the signals examiners look for when assessing whether remediation is substantive or cosmetic.
Data source: Issues tracker with status history and closure/reopen timestamps.
| Threshold | Criteria |
|---|---|
| Green | Reopen rate ≤5% across all severity tiers |
| Amber | 5–15%; or any single source (regulatory, audit, self-identified) above 10% |
| Red | >15%; or any Critical/High reopen rate above 10% |
Owner: Issues management or operational risk. Reopen patterns by source type are a useful diagnostic — regulatory exam findings with elevated reopen rates warrant immediate root cause discussion.
KRI 4: Repeat Root Cause Rate
What it measures: The percentage of newly opened issues that share a root cause classification with issues closed within the prior 12 months.
Why it matters: This is the issue management KRI most closely correlated with examiner concern about whether remediation is working. The FFIEC BSA/AML examination framework and OCC supervisory standards both treat recurrence of the same root cause as evidence of systemic control failure — and it’s the technical definition of a repeat finding when it surfaces across consecutive exam cycles.
Data source: Issues tracker with root cause field. This KRI requires a controlled root cause taxonomy, not free text — programs using free-form root cause fields cannot reliably calculate it.
| Threshold | Criteria |
|---|---|
| Green | ≤10% of new issues share root cause with recently closed issues |
| Amber | 10–25% share root cause; or any single root cause category appearing in ≥3 new issues |
| Red | >25%; or any root cause appearing in both a prior exam finding and a currently open issue |
Owner: Risk or compliance, with root cause analysis facilitated by the second line. Building a structured root cause taxonomy (process failure, people/training, system/technology, third-party, data quality) is a prerequisite — and it’s where most programs need to start.
KRI 5: CAP Validation Failure Rate
What it measures: The percentage of corrective action plans submitted for closure that fail validation — assessed as complete by the business line but not meeting the criteria for confirmed remediation on first review.
Why it matters: A CAP validation failure is a leading indicator of weak remediation quality. It signals that CAPs are addressing symptoms rather than root causes, that closure criteria were insufficiently defined when the CAP was written, or that business lines are self-validating without adequate second-line challenge.
Data source: Issues tracker with validation workflow, capturing whether the first closure submission was accepted or rejected.
| Threshold | Criteria |
|---|---|
| Green | Validation failure rate ≤10% |
| Amber | 10–25%; or elevated failures from a specific control owner or business line |
| Red | >25%; or repeated failures (second failed validation) on any Critical/High issue |
Owner: Issues management or compliance. Validation failure patterns by source type often reveal whether the problem is cultural (business lines treating closure as checkbox) or structural (insufficient CAP guidance).
KRI 6: Evidence Completeness Rate at Closure
What it measures: The percentage of closed issues where the required evidence artifacts — documented root cause, completed corrective action, validation records, sign-off — are fully present in the tracker.
Why it matters: This is the KRI most programs skip and the first thing examiners check. The Sullivan & Cromwell analysis of the 2025 OCC/FDIC MRA proposal notes that examiners frequently cite evidence gaps as grounds for keeping MRAs open even when management believes the underlying issue is resolved. An evidence completeness rate below 80% signals that the program cannot defend its own closure decisions.
Data source: Issues tracker with a required evidence checklist per issue type. Implement as a pre-closure gate in the workflow, not a post-hoc audit.
| Threshold | Criteria |
|---|---|
| Green | ≥95% of closed issues have complete evidence artifacts |
| Amber | 85–95% complete; or any Critical/High closure missing validation evidence |
| Red | <85% complete; or any regulatory finding closed without documented examiner concurrence or sustainability evidence |
Owner: Issues management. Evidence completeness checks should be a mandatory workflow step before closure is confirmed — not something discovered when an examiner pulls the file.
Summary Table
| KRI | Primary Signal | Data Source | Review Cadence |
|---|---|---|---|
| Issue Aging by Severity | Unresolved critical/high items | Issues tracker | Monthly |
| Due Date Extension Rate | Timeline integrity | Issues tracker (date history) | Monthly |
| Issue Reopen Rate | Closure quality | Issues tracker (status history) | Monthly |
| Repeat Root Cause Rate | Systemic recurrence | Issues tracker + root cause taxonomy | Quarterly |
| CAP Validation Failure Rate | Remediation quality | Validation workflow | Monthly |
| Evidence Completeness Rate | Audit trail integrity | Required field checklist | Monthly |
What Examiners Actually See
OCC examination teams reviewing an institution’s issues program typically pull three views: the aging report (all open issues sorted by days open), the closure report (issues closed since the last exam), and the root cause distribution (which types of issues are recurring).
The most common observations in issues programs with weak KRI discipline:
Timelines don’t reflect urgency. High-severity items are routinely extended without senior approval. No differentiation between an issue extended once with documented justification and one extended three times with no clear path to resolution.
Root cause fields are too generic. Free-text or overly broad root cause categories (e.g., “process gap,” “training needed”) that cannot be compared across issues, making repeat-root-cause analysis impossible.
Closure evidence is incomplete. Issues marked closed where the tracker shows a corrective action description but no validation record, no sign-off, and no artifact confirming the fix was tested.
The log doesn’t tell the story of the remediation. A record that captures opening date, a brief description, and a closure date — but nothing about what was done, who validated it, or whether the root cause was confirmed.
If your compliance KRI program shows strong performance in issue volume and closure rates but the metrics above haven’t been built, you may be measuring activity rather than outcomes.
Calibrating Thresholds
The thresholds above are starting points. Your program should calibrate to:
Your severity definitions. If your program has five severity tiers, aging expectations for each tier need to be defined explicitly. Ambiguity in what “critical” means is itself an issues management risk.
Your issue volume. Small programs (fewer than 50 open issues at any time) should track absolute counts alongside percentages — a 10% reopen rate that represents two reopened issues is a different risk signal than a 10% rate on 40 closures.
Your regulatory context. A bank with an open MRA is operating under different expectations than one with a clean exam history. The amber/red thresholds for aging should tighten in the presence of active regulatory findings.
Your product roadmap. Launching a new product or entering a new business line generates a wave of new issues. A temporary rise in open count or extension rate is expected — but repeat root causes or validation failures in a new-product context signal that the issues program hasn’t scaled to match the risk change.
The KRI exceptions documentation process should capture context behind every threshold breach — including whether it reflects an expected pattern or a genuine warning signal.
So What?
Issue management KRIs are the closest proxy for one question examiners bring to every exam: does this institution’s risk management actually fix things?
The metrics above don’t require a GRC platform. They require a few additional fields in your existing tracker, a root cause taxonomy you enforce, and a validation workflow that captures evidence before closure is confirmed.
If your issues program can answer the following questions from its own data — without pulling ad hoc reports — you’re tracking the right things:
- Which issues at High severity or above have been open longer than 180 days?
- Which closed issues came back?
- Which root causes have appeared more than once this year?
- Which closed issues would fail an evidence review right now?
If it can’t, start there. The answers will tell you more about your program health than any issue count.
The KRI Library includes pre-built issue management KRIs with threshold ranges calibrated for financial services programs, alongside 132 indicators across operational, compliance, cyber, vendor, and BSA/AML risk domains.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What is an issue management KRI?
What do regulators consider a 'repeat finding'?
How long should a high-severity issue stay open?
Why does the reopen rate matter more than the closure rate?
What does a weak CAP look like to an examiner?
How does issue aging affect the MRA count at examination?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
KRI Library (132 Key Risk Indicators)
132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.
◆ Keep reading
Related posts.
Operational Risk
1,155 Violations and $1.2 Billion in Restitution: What the FDIC's Spring 2026 Supervisory Highlights Say About Where Your Program Gets Tested
The FDIC's Spring 2026 Consumer Compliance Supervisory Highlights documented 1,155 violations from 2025 exams — with TILA/Reg Z alone accounting for 462, flood insurance violations generating $150 million in orders, and formal enforcement actions requiring $1.2 billion in restitution. Here's how to use the FDIC's own findings as a self-assessment checklist before your next examination.
Jul 8, 2026
Operational Risk
KRI Library vs. Building Your KRIs From Scratch: An Honest Comparison
Buy a pre-built KRI library or derive key risk indicators internally? Real thresholds, real trade-offs, and where each approach actually wins.
Jul 8, 2026
Operational Risk
What the OCC's CFSB Consent Order Says About BSA/AML Risk in Fintech Payment Partnerships
On May 21, 2026, the OCC released a consent order against Community Federal Savings Bank—sponsor bank for Wise and Crypto.com—for BSA/AML failures tied directly to rapid payment processing growth. The core problem wasn't the fintech partners. It was that alert tuning, CDD, and staffing never scaled with transaction volume. Here's the operational risk lesson for every institution growing through fintech relationships.
Jul 7, 2026