How do you design effective Key Risk Indicators (KRIs) and what distinguishes a good KRI from a bad one?
I'm studying operational risk for FRM I and the topic of Key Risk Indicators comes up frequently. I understand they're early warning signals, but how do you actually design KRIs that are useful? What makes one KRI effective while another is just noise?
Key Risk Indicators (KRIs) are quantitative metrics that provide early warning signals of increasing risk exposure or weakening controls. They sit between risk identification and loss events — ideally flagging problems before they materialize into actual losses.
KRI vs KPI Distinction:
A Key Performance Indicator (KPI) measures whether you're achieving business objectives. A KRI measures whether you're approaching risk thresholds. Sometimes the same metric serves both purposes — high revenue growth (KPI) might correlate with increased operational strain (KRI).
Properties of Effective KRIs:
- Leading, Not Lagging — A good KRI predicts future risk events rather than just counting past losses. Employee turnover in the compliance department (leading) is more useful than the number of regulatory fines received (lagging).
- Quantifiable and Measurable — 'Employee morale seems low' is not a KRI. 'Unplanned staff turnover rate in risk-sensitive roles exceeded 15%' is a KRI.
- Linked to Specific Risks — Each KRI should map to one or more identified risks in the risk register. A generic 'customer complaints' metric is less useful than 'complaints related to unauthorized transactions.'
- Threshold-Based — KRIs need green/amber/red thresholds that trigger escalation. Without defined thresholds, the metric is informational but not actionable.
- Timely — Available frequently enough to serve as an early warning. A KRI that's only updated annually won't catch fast-developing risks.
Examples of Good vs Poor KRIs:
| Risk Area | Good KRI | Poor KRI |
|---|---|---|
| IT/Cyber | Number of critical vulnerabilities unpatched for > 30 days | Total IT budget spent |
| Credit | Percentage of loans with modified terms > 5% | Total loan volume |
| Operational | Failed trade confirmations > 2% of daily volume | Number of trades processed |
| Compliance | Overdue regulatory reports > 0 | Number of regulations applicable |
| People | Deviation of trader compensation from market median | Headcount |
KRI Monitoring Framework:
- Green — Within normal range, monitored routinely
- Amber — Approaching threshold, increased monitoring frequency, management notification
- Red — Threshold breached, immediate escalation to senior management, remediation plan required
Common Mistakes in KRI Design:
- Selecting too many KRIs (50+ creates monitoring fatigue)
- Choosing only lagging indicators (counting losses after they occur)
- Setting static thresholds that don't adjust for business growth or seasonality
- Monitoring KRIs in isolation rather than looking for correlated signals across multiple indicators
Exam Focus: FRM I may test whether you can identify a leading vs lagging indicator, or select the most appropriate KRI for a given risk scenario.
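As an added illustration (not part of the original answer), the sketch below computes the IT/Cyber KRI from the table, critical vulnerabilities unpatched for more than 30 days, at successive month-ends and maps it to green/amber/red. The finding records, the field names, and the amber/red thresholds per 100 assets are constructed assumptions; normalizing by asset count is one way to avoid the static-threshold mistake listed above.

```python
from datetime import date

MAX_AGE_DAYS = 30      # the "> 30 days" cut-off from the table
AMBER_PER_100 = 2.0    # assumed threshold: aged criticals per 100 assets
RED_PER_100 = 5.0      # assumed threshold: aged criticals per 100 assets

# Constructed sample findings (hypothetical scanner export).
FINDINGS = [
    {"id": "F-1", "severity": "critical", "first_seen": date(2024, 1, 5), "fixed": date(2024, 1, 20)},
    {"id": "F-2", "severity": "critical", "first_seen": date(2024, 1, 10), "fixed": None},
    {"id": "F-3", "severity": "high", "first_seen": date(2024, 1, 2), "fixed": None},
    {"id": "F-4", "severity": "critical", "first_seen": date(2024, 2, 1), "fixed": date(2024, 3, 20)},
    {"id": "F-5", "severity": "critical", "first_seen": date(2024, 2, 20), "fixed": None},
    {"id": "F-6", "severity": "critical", "first_seen": date(2024, 2, 25), "fixed": None},
]

def aged_critical(findings, as_of):
    """Count critical findings still open on as_of and older than MAX_AGE_DAYS."""
    count = 0
    for f in findings:
        open_on_date = f["fixed"] is None or f["fixed"] > as_of
        age_days = (as_of - f["first_seen"]).days  # negative if not yet discovered
        if f["severity"] == "critical" and open_on_date and age_days > MAX_AGE_DAYS:
            count += 1
    return count

def kri_status(findings, asset_count, as_of):
    """Return (raw count, rate per 100 assets, RAG status) for one reporting date."""
    if asset_count <= 0:
        raise ValueError("asset_count must be positive")
    count = aged_critical(findings, as_of)
    rate = 100.0 * count / asset_count
    if rate >= RED_PER_100:
        status = "red"
    elif rate >= AMBER_PER_100:
        status = "amber"
    else:
        status = "green"
    return count, rate, status

if __name__ == "__main__":
    # Month-end trend: the indicator rises before any loss event is recorded.
    for as_of in (date(2024, 1, 31), date(2024, 2, 29), date(2024, 3, 31)):
        print(as_of, kri_status(FINDINGS, 100, as_of))
    # Same raw count on a smaller estate breaches the red threshold.
    print("50 assets:", kri_status(FINDINGS, 50, date(2024, 3, 31)))
```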