Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Operational Risk

KRI Library vs. Building Your KRIs From Scratch: An Honest Comparison

Buy a pre-built KRI library or derive key risk indicators internally? Real thresholds, real trade-offs, and where each approach actually wins.

By Rebecca Leung · July 8, 2026 ·
Table of Contents

TL;DR

  • Building KRIs from scratch means defining metric, formula, data source, owner, thresholds, and escalation per indicator — teams budget a quarter for 20–30 and still launch with guessed thresholds
  • A pre-built library ($49, 132 key risk indicators with green/amber/red thresholds) wins on coverage and calibration starting points — you select and adjust instead of authoring
  • Custom derivation wins for firm-specific risks a generic library can’t anticipate: platform concentration, novel products, unusual funding structures
  • The honest answer is hybrid: library for the standard 80%, custom KRIs for the exposures unique to your business

Your board just approved a risk appetite statement, and now someone has to answer the obvious follow-up: how will we know when we’re approaching the limits? Or maybe your bank partner’s oversight team sent a questionnaire with a section titled “Risk Metrics and Monitoring” and you’re currently monitoring vibes.

Either way, you need key risk indicators (KRIs) — metrics with thresholds that tell you risk is rising before it becomes a loss. And you have two ways to get them: derive them internally, or buy a pre-built library and adapt it. Vendors will tell you libraries solve everything. Consultants will tell you only bespoke KRIs reflect your true risk profile. Both are selling something, so let’s do the comparison honestly.

What Building a KRI From Scratch Actually Involves

The phrase “just pick some metrics” hides a lot of work. A KRI that survives contact with an examiner needs, per indicator:

  1. A definition — precise enough that whoever inherits it computes the same number
  2. A calculation formula — numerator, denominator, time window
  3. A data source — the specific system and report, not “IT has it”
  4. An owner — who collects it, and who acts on it (often different people)
  5. Three thresholds — green, amber, red, each with documented rationale
  6. An escalation trigger — what specifically happens at amber and at red

Multiply by 20–30 indicators for even a starter program. Teams that do this rigorously budget a quarter — and the thresholds still launch as educated guesses, because statistical calibration needs 6–12 months of your own history. The OCC’s Corporate and Risk Governance booklet puts risk monitoring squarely in the board and senior management’s lap; “we track some numbers in a spreadsheet without thresholds” does not meet that expectation, because a KRI without thresholds is just a chart.

The hidden cost isn’t the definition work — it’s threshold defense. When a bank partner asks why amber starts at 15% and your answer is “it felt right,” you don’t have a KRI program, you have a dashboard with opinions.

What a Pre-Built Library Gives You

The comparison anchor: the KRI Library — Fintech Edition ($49) ships 132 KRIs across compliance, operational, financial, cyber, vendor, and BSA/AML domains. Each indicator comes with the full operational package — definition, calculation formula, reporting frequency, green/amber/red thresholds with written rationale, data source guidance (down to which report in which system), an owner, implementation difficulty, and an escalation trigger.

Here’s a sample of actual indicators from the library, thresholds included:

KRICategoryFrequencyGreenAmberRed
Key Person Coverage RatioPeople RiskQuarterly≥80%60–79%<60%
Voluntary Turnover RatePeople RiskQuarterly<15%15–25%≥25%
System Uptime / AvailabilityTechnology RiskMonthly≥99.9%99.5–99.89%<99.5%
Mean Time to Recovery (P1/P2 incidents)Technology RiskMonthly<2 hours2–4 hours>4 hours
Change Failure RateTechnology RiskMonthly<5%5–15%>15%
Critical Vulnerability Patch TimeTechnology RiskMonthly<7 days7–30 days>30 days
Phishing Click-Through RateCyber RiskQuarterly<5%5–15%>15%
Terminated Employee Access Deprovisioning SLAPeople RiskMonthly100%95–99%<95%

Notice what’s doing the work in that table: not the metric names — you could brainstorm those in an afternoon — but the thresholds and their rationale. The library’s uptime thresholds encode what bank partner SLAs typically require (99.9%, with 99.5% as the contractual pain line). The patch-time thresholds reflect what regulators and security frameworks expect for critical vulnerabilities. The escalation triggers are specific: a red on deprovisioning SLA means revoke access within an hour and review activity logs, not “inform management.”

Each KRI also carries an implementation difficulty rating and a phased automation path — start with a manual quarterly spreadsheet pull, graduate to a system dashboard, then automate. That’s the difference between a KRI catalog and a KRI program: the library assumes a real team with real constraints has to collect these numbers.

The library is tiered — Starter (20 KRIs), Standard (75), Advanced (all 132) — which quietly solves the most common failure mode: adopting 100 indicators in month one and abandoning half by month six.

Where Custom KRIs Genuinely Win

Now the honest part. A library — this one or any other — cannot know your business. Three situations where deriving your own KRIs isn’t just better, it’s mandatory:

Firm-specific concentrations. If 40% of your deposits arrive through one platform partnership, your most important KRI is that partner’s health and flow metrics — a number no generic library defines because no generic library knows the partner exists. Same for a single fraud corridor, a dominant merchant vertical, or one revenue-critical bank relationship.

Novel products. Launching earned wage access, crypto settlement, or an agentic payments feature? The risks that matter most are the ones with no industry benchmark yet. You’ll be setting thresholds from first principles and your own early data, because nobody else’s calibration exists.

Risks your own incidents taught you. The best KRIs often come from your own near-misses — the reconciliation break that almost became a customer-funds problem, the vendor outage that exposed a dependency. Post-incident KRI derivation is firm-specific by definition.

There’s also a subtler issue: library thresholds are starting points, and treating them as final is a real failure mode. A 15% voluntary turnover amber threshold calibrated for a typical fintech may be meaningless for your 12-person team, where one departure is 8%. The library’s own calibration guidance says as much — thresholds should be recalibrated annually against your history, and the methodology (industry benchmarks where they exist, regulatory bright lines where regulators have drawn them, statistical methods on your own data, contractual thresholds where bank partner agreements set them) is the durable part of the purchase, arguably more than the 132 indicators.

The Comparison Table

CriteriaPre-Built KRI LibraryBuilding From Scratch
Time to first reportDays — select a tier, adjust thresholds, assign ownersA quarter for 20–30 indicators, done properly
Coverage132 indicators across 6 domains; standard risks won’t be missedOnly what you think of — gaps invisible until an incident finds them
Threshold qualityCalibrated starting points with documented rationale; still need firm-specific adjustmentGuesses until you accumulate 6–12 months of history
Firm-specific risksBlind to your concentrations, novel products, and unique dependenciesThe whole point — this is where custom wins outright
DefensibilityRationale pre-written; you adapt and adopt itFully yours — strongest possible answer if documented well
Cost$49Weeks of a risk manager’s time, repeated at each recalibration
When it’s rightStanding up monitoring fast; bank partner or board asking for metrics nowMature program layering firm-specific indicators on an existing base

The Answer Is Hybrid (and the Sequence Matters)

Almost no one should choose purely. The pattern that works:

  1. Start with a library tier matched to your capacity — 20 indicators for a solo hire, not 132. Get the reporting rhythm running, because a KRI program’s first enemy is collection fatigue, not metric selection.
  2. Adjust thresholds where your reality diverges — small team, unusual customer base, contractual SLAs stricter than the defaults. Document each adjustment; the paper trail is the defensibility.
  3. Derive 3–5 custom KRIs for your genuinely firm-specific risks — the concentration, the novel product, the near-miss. These are the indicators your board should stare at hardest.
  4. Recalibrate annually once you have your own history, shifting from benchmark-based to statistically-based thresholds where the data supports it.

That sequencing matters because the library solves the cold-start problem — the reason most from-scratch KRI efforts stall isn’t intellectual difficulty, it’s that defining 25 indicators while also doing the rest of a compliance job takes months, and the board meeting is in three weeks. Buy the 80%, build the 20% that’s actually yours. (The OCC’s Comptroller’s Handbook series is the reference shelf for what examiners expect that monitoring to cover, domain by domain.)

If you’re deeper into specific KRI design questions, start with leading vs. lagging indicators — the distinction that determines whether your KRIs warn you or just document the damage. For a worked example of domain-specific KRI depth, see the 12 liquidity risk KRIs beyond LCR and NSFR. And for connecting KRIs upward to governance, KRI-linked risk appetite statements covers how thresholds become board-approved limits.

The uncomfortable truth in this whole comparison: the KRIs you pick matter less than whether you actually collect them, every period, and act on the ambers. A mediocre indicator monitored consistently beats a perfect one that died in month four. Pick the path that gets you to a sustainable reporting rhythm fastest — for most teams standing up monitoring under deadline, that’s a pre-calibrated library plus a short list of custom indicators only you could have written.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What's the difference between a KRI and a KPI?
A key performance indicator (KPI) measures progress toward a business objective — revenue, conversion, uptime as a customer promise. A key risk indicator (KRI) measures exposure to a potential loss — the same uptime number, but framed as an early warning that operational risk is rising. Many metrics serve both roles; what makes something a KRI is the threshold structure (green/amber/red) and the escalation action attached to a breach.
How many KRIs should a small risk program actually track?
Fewer than you think. A solo compliance hire can realistically operate 15–25 KRIs — roughly one or two per major risk category — before collection becomes the job instead of monitoring. Mature programs with dedicated staff scale to 75+. The failure mode isn't too few KRIs; it's 100 KRIs where half stopped being collected and nobody noticed, which is worse than 20 that are current.
How do you set green/amber/red thresholds for a KRI?
Four defensible bases: industry benchmarks (where external data exists, like uptime or fraud rates), regulatory bright lines (like Nacha return rate thresholds), statistical methods on your own history (mean plus standard deviations from 12 months of data), and contractual obligations (bank partner SLAs). Document which basis each threshold uses — 'why is amber set there?' is the first question a good examiner or bank partner asks.
Do bank partners really ask fintechs for KRI reporting?
Increasingly, yes — especially BSA/AML metrics. Bank partner oversight programs commonly request transaction monitoring alert volumes, SAR filing counts, CIP completion rates, and high-risk customer exposure as standing monthly or quarterly reports. Having those metrics pre-defined with thresholds turns a scramble into an export. This is a direct consequence of regulators holding sponsor banks accountable for their fintech programs.
When is building a custom KRI better than using a library?
When the risk is specific to your business model — a novel product, an unusual funding structure, a dependency no generic library anticipates. A library can't know that 40% of your deposits come from one platform partner or that your fraud exposure concentrates in one corridor. The best programs run a hybrid: library KRIs for the standard 80% of risk coverage, custom-derived KRIs for the handful of exposures that could actually kill the company.
How long does it take to build a KRI program from scratch?
Deriving KRIs internally means, per indicator: defining the metric, writing a calculation formula, identifying a data source and owner, setting three thresholds, and documenting the rationale. Teams that do this well budget a quarter to stand up 20–30 KRIs, and the thresholds still start as educated guesses until 6–12 months of history allows real calibration. A pre-calibrated library compresses the definition work to selection and adjustment.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

KRI Library (132 Key Risk Indicators)

132 KRIs with thresholds, data sources, and escalation triggers pre-built for financial services.

◆ Keep reading

Related posts.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.