Key Risk Indicator (KRI)
A key risk indicator is a measurable signal used to monitor changes in risk exposure before they become losses, failures, or control problems.
What Is a Key Risk Indicator?
A key risk indicator, or KRI, is a measurable signal used to monitor changes in risk exposure. A KRI is designed to warn management when a risk is increasing, approaching a threshold, or moving outside the organization's risk appetite.
KRIs are common in enterprise risk management, operational risk, cybersecurity, compliance, financial services, insurance, manufacturing, and internal audit. They help turn risk from a vague concern into something that can be tracked and escalated.
Key Takeaways
- A KRI measures risk exposure or early warning conditions.
- KRIs are usually tied to risk appetite, thresholds, owners, and escalation rules.
- They differ from KPIs, which measure performance against objectives.
- Good KRIs are specific enough to support timely action.
- Weak KRIs can create false comfort if they measure activity instead of risk.
How KRIs Work
An organization identifies important risks, then chooses indicators that can show whether those risks are rising or falling. A bank may track early loan delinquencies. A technology company may track unresolved critical vulnerabilities. A manufacturer may track safety incidents, supplier failures, or defect spikes.
The KRI becomes useful when it has a threshold. A green range may show normal conditions, a yellow range may require management review, and a red range may require escalation, mitigation, or board reporting.
Examples of KRIs
| Risk area | Possible KRI | Warning sign |
|---|---|---|
| Credit risk | Delinquency rate | Borrowers are falling behind. |
| Cybersecurity | Unpatched critical systems | Exposure to attack is rising. |
| Operations | Failed transactions | Processes or systems are breaking down. |
| Compliance | Open audit findings | Control issues are unresolved. |
| Liquidity | Cash coverage ratio | Funding cushion is shrinking. |
KRI Versus KPI
A KPI measures performance. A KRI measures risk. The two can overlap, but they answer different questions. A sales-growth KPI asks whether revenue is improving. A concentration-risk KRI asks whether too much revenue depends on one customer, channel, region, or product.
Both can sit on the same dashboard. The danger is using only KPIs and missing the risk being taken to produce the performance. Fast growth can look good until KRIs show rising churn, credit losses, service failures, or compliance exceptions.
Financial Interpretation
KRIs matter because risk eventually becomes cost. Credit deterioration can become charge-offs. Control failures can become penalties. Cyber exposure can become business interruption. Safety problems can become claims, shutdowns, and reputational damage.
Investors and boards use KRIs to judge whether management understands emerging risk before it reaches the financial statements. A risk that is measured early can often be mitigated more cheaply than a risk discovered after a loss.
Designing Useful KRIs
Useful KRIs are connected to a specific risk, reliable data, clear thresholds, an owner, and an escalation path. A number that nobody owns is just a statistic. A number that triggers a decision can become a control tool.
KRIs should also be reviewed as the business changes. A risk indicator that worked for a small company may not work after an acquisition, new product launch, regulatory change, or technology shift.
Where KRIs Can Mislead
A KRI can fail if it measures the wrong thing. Counting the number of policies written may not show whether risk quality is worsening. Counting training completion may not show whether employees understand a control. Some KRIs are too late to be useful because they only move after the damage has happened.
The best KRIs do not eliminate judgment. They support it by making risk visible, comparable, and actionable.
The Bottom Line
A key risk indicator is an early warning metric for risk exposure. It is valuable when it connects risk appetite to thresholds and action, and weak when it becomes a passive dashboard number.