Key Risk Indicators (KRIs): How to Define, Monitor, and Act

November 22, 2025

Key Risk Indicators (KRIs) are metrics that provide early warning that risk is increasing. Unlike KPIs (which measure performance), KRIs signal when risk levels are moving toward or beyond your risk appetite. This guide explains how to define, monitor, and act on KRIs and link them to your risk register and dashboards.

What Makes a Good KRI?

  • Relevant: Tied to a top risk or control. If the KRI moves, you know which risk or control to look at.
  • Measurable: You can get data consistently (e.g. from systems, surveys, or audits).
  • Leading or coincident: Ideally, KRIs move before the risk materializes (e.g. "number of overdue access reviews" before a breach).
  • Actionable: When the KRI breaches a threshold, someone knows what to do (escalate, investigate, remediate).

Defining KRIs

For each significant risk (or control), ask: What would we want to see early so we can act? Examples:

  • Cybersecurity: Failed login attempts, patch lag, number of open critical vulnerabilities.
  • Operational: Vendor concentration, backlog of incidents, system availability.
  • Compliance: Overdue control tests, policy attestation rate, open audit findings.
  • Financial: Exposure to a single counterparty, limit breaches.

Define the metric, the source of data, the frequency of measurement, and the owner.

Setting Thresholds (Green / Amber / Red)

  • Green: Within appetite; no action beyond routine monitoring.
  • Amber: Approaching or at the limit of appetite; review and possibly act.
  • Red: Beyond appetite; escalate and take action.

Calibrate thresholds with risk owners and the board so they're meaningful, not arbitrary.

Integrating KRIs into Reporting and Workflows

KRIs should feed into:

  • Dashboards: So management and the board see trends at a glance.
  • Escalation: So amber/red KRIs trigger reviews or actions automatically (e.g. in your risk platform).
  • Risk register: So each KRI is linked to one or more risks (or controls). When the KRI moves, the risk rating or treatment plan can be revisited.

When KRIs live in the same platform as your risk register and controls—as in ActiveERM—you get a real-time view of risk trends and can act before issues escalate. See our Risk OS and GRC Cloud pages.
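As an added illustration (not code from this page or from ActiveERM), the following Python sketch encodes the KRI definition fields described above (metric, data source, frequency, owner), classifies readings against amber/red thresholds in either direction (higher-is-worse for counts such as open vulnerabilities, lower-is-worse for rates such as policy attestation), and emits the review/escalation action plus the linked risk-register entries to revisit; the KRI names, thresholds and RISK-PLACEHOLDER IDs are constructed, not real data.

```python
from dataclasses import dataclass
from enum import Enum

class Status(str, Enum):
    GREEN = "green"
    AMBER = "amber"
    RED = "red"

@dataclass(frozen=True)
class KRI:
    """KRI definition: metric, source, frequency, owner, thresholds, direction, linked risks."""
    name: str
    source: str
    frequency: str
    owner: str
    amber: float                  # value at which the KRI turns amber
    red: float                    # value at which the KRI turns red
    higher_is_worse: bool = True  # False for rates where a drop means rising risk
    linked_risks: tuple = ()      # risk-register IDs (placeholders in the sample below)

def classify(kri, value):
    """Map a measured value onto Green/Amber/Red using the KRI's thresholds."""
    if kri.higher_is_worse:
        if value >= kri.red:
            return Status.RED
        return Status.AMBER if value >= kri.amber else Status.GREEN
    if value <= kri.red:  # lower-is-worse: thresholds are floors, comparisons flip
        return Status.RED
    return Status.AMBER if value <= kri.amber else Status.GREEN

def evaluate(kris, readings):
    """One action per KRI at amber (review) or red (escalate), with owner and risks to revisit."""
    actions = []
    for kri in kris:
        status = classify(kri, readings[kri.name])
        if status is Status.GREEN:
            continue  # within appetite: routine monitoring only
        actions.append({"kri": kri.name, "status": status.value,
                        "action": "escalate" if status is Status.RED else "review",
                        "owner": kri.owner, "revisit_risks": list(kri.linked_risks)})
    return actions

# Constructed sample KRIs and readings (not real data; risk IDs are placeholders).
SAMPLE_KRIS = [
    KRI("open_critical_vulns", "vuln scanner", "weekly", "CISO", amber=5, red=10,
        linked_risks=("RISK-PLACEHOLDER-1",)),
    KRI("policy_attestation_rate", "GRC survey", "quarterly", "Compliance",
        amber=0.90, red=0.75, higher_is_worse=False, linked_risks=("RISK-PLACEHOLDER-2",)),
]
SAMPLE_READINGS = {"open_critical_vulns": 7, "policy_attestation_rate": 0.70}
```

Running `evaluate(SAMPLE_KRIS, SAMPLE_READINGS)` yields a review action for the amber vulnerability count and an escalation for the red attestation rate, each pointing at the risk entries whose rating or treatment plan should be reconsidered.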

Explore ActiveERM

See how ActiveERM helps you with governance, risk, compliance, and audit in one platform.