What are Key Risk Indicators (KRIs) and how do banks set thresholds for them?
I understand KRIs are forward-looking metrics for operational risk, but I'm struggling with how banks actually choose them, set escalation thresholds, and use them in practice. Can someone give concrete examples across different risk types?
Key Risk Indicators (KRIs) are quantifiable metrics that signal changes in the operational risk profile before losses materialize. Think of them as early warning dashboards.
KRI Design Principles:
- Relevance — The metric must correlate with actual operational losses
- Measurability — Must be objectively quantifiable and consistently collected
- Timeliness — Available frequently enough to trigger action (daily, weekly, monthly)
- Actionability — When a threshold is breached, there's a clear escalation path
Concrete KRI Examples by Risk Type:
| Risk Category | KRI | Green | Amber | Red |
|---|---|---|---|---|
| Cyber risk | Failed login attempts per day | < 500 | 500–2,000 | > 2,000 |
| Process risk | Trade settlement fails (%) | < 0.5% | 0.5%–1.5% | > 1.5% |
| People risk | Staff turnover in risk functions | < 10% | 10%–20% | > 20% |
| Compliance | Overdue regulatory filings | 0 | 1–3 | > 3 |
| Technology | System downtime (hours/month) | < 2 | 2–8 | > 8 |
| Fraud | Suspicious transaction alerts | < 100 | 100–300 | > 300 |
How Thresholds Are Set:
At Vantage Risk Partners (hypothetical), the process involves:
- Historical analysis — Look at KRI levels before past loss events. If settlement fails exceeded 1.2% in the three months before a $5M processing error, that informs the amber threshold.
- Statistical methods — Set green/amber at the 75th percentile and amber/red at the 95th percentile of historical KRI values.
- Expert calibration — Risk committees adjust statistical thresholds based on current context (e.g., during system migrations, temporarily tighten technology KRI thresholds).
- Regular review — Thresholds are recalibrated quarterly or when the risk environment changes materially.
Common pitfalls:
- Too many KRIs (>100) creates noise; best practice is 15–30 well-chosen indicators
- KRIs that are lagging (loss counts) rather than leading (failed controls)
- Static thresholds that aren't updated as the business evolves
Explore more operational risk topics in our FRM course on AcadiFi.
Master Part II with our FRM Course
64 lessons · 120+ hours· Expert instruction
Related Questions
How exactly do futures margin calls work, and what happens if I can't meet one?
How do you calculate the settlement amount on a Forward Rate Agreement (FRA)?
When should I use Monte Carlo simulation instead of parametric VaR, and how does it actually work?
Parametric VaR vs. Historical Simulation VaR — when does each method fail?
What are the core components of an Enterprise Risk Management (ERM) framework, and how does it differ from siloed risk management?
Join the Discussion
Ask questions and get expert answers.