Key Risk Indicators: your organisation's early warning system

From risk drivers to actionable insights

Original content provided by 

Mapping out your risk drivers through a bow tie analysis is an important part of building your risk management framework (as seen in this article of our BDO Risk Blueprint). Now, we turn to an important follow-up question: how can you monitor these drivers before they lead to incidents? 

The answer lies in developing effective Key Risk Indicators (KRIs) - metrics that serve as early warning signals for emerging risks. While many organisations focus on lagging indicators that measure past events, leading KRIs allow you to monitor risk drivers proactively, giving you time to intervene before problems materialise.  

In this article, you will learn how to develop and implement KRIs that truly reflect your organisation’s risk profile and support informed decision-making. 

What is a Key Risk Indicator?

KRIs serve as proxies for the causes of risk and are applicable across all types of operational risks. One of the key types of effective KRIs focuses on abnormalities - situations that deviate from expected patterns. This principle is familiar to anyone who has seen safety announcements like “If you see something, say something” in public transportation systems. In your organisation, developing metrics that highlight abnormal behaviours, transactions, or conditions provides powerful early warning of potential risks. 

For example: in fraud detection, abnormal transaction patterns serve as leading indicators. Credit card companies have used this approach for decades, flagging unusual spending patterns as potential signs of fraud before significant losses occur. Similarly, in trading operations, deviations from normal trading activity can signal potential misconduct. 

The six-step KRI development process

Creating an effective KRI program requires a systematic approach. While this demands effort, the resulting insights are well worth the investment for your key risks. Here is a six-step process to guide your implementation: 

1. Identify your organisation’s key risks

Begin by focusing on your most significant risks, those that could materially impact your organisation’s objectives. Attempting to monitor every possible risk would be impractical and inefficient. If you have already completed a Risk and Control Self-Assessment as outlined in a previous article, you will have a clear starting point for this step. 

2. Understand causes and root causes

For each key risk, identify the primary drivers and root causes. This is where bow tie analysis from our previous article proves invaluable, providing a systematic approach to mapping risk causes. Remember to focus particularly on areas where your organisation has historically struggled, as these represent your greatest improvement opportunities. Focus your monitoring mostly on what you can improve, not only on what you are already doing well. 

3. Recycle existing metrics

Before developing new metrics, look at what you are already measuring. Your existing Key Performance Indicators (KPIs) and Key Control Indicators (KCIs) can often serve as effective KRIs: 

  • Failed performance indicators: when KPIs turn amber or red, they become KRIs; weakening performance is a sign of trouble ahead  
  • Failed control indicators: when key controls are weak or fail their tests, they directly elevate the risks they are meant to mitigate 

For example, if your IT department already monitors system response times as a performance indicator, declining performance does not just signal customer experience issues – it is also a leading indicator of potential system failure risks. 

This recycling approach, reusing your KPIs and KCIs as KRIs, provides a quick win for your KRI program, leveraging data you already collect and reducing implementation effort. 

4. Identify missing metrics

After reviewing existing metrics, identify any gaps in your monitoring. Are there important risk drivers that remain unmeasured? Develop additional metrics as needed to ensure comprehensive coverage of your key risk causes. For each missing metric, consider what data would effectively proxy the underlying risk driver. 

5. Design your implementation approach

Once you know what you want to measure, determine how to implement these metrics in practice: 

  • Data sources: where will the information come from? 
  • Reporting frequency: how often should each KRI be measured and reported? 
  • Governance structure: who will review the KRIs and take action when thresholds are breached? 
  • Thresholds: what levels indicate normal operations, increased vigilance, and required action? 

Apply the golden rule of risk reporting: the value of information reported should always exceed the cost of collection. Some theoretically useful metrics might be too costly or complex to implement in practice. Focus on those that provide the greatest insight for the smallest cost. 

6. Validate through back testing

Finally, regularly assess whether your KRIs are actually helping prevent incidents. Look at cases where KRIs signalled emerging problems that were successfully addressed. Also examine incidents that occurred without prior warning from your KRIs, as these indicate gaps in your monitoring approach. 

This continuous improvement loop, as shown in video 1 of the Risk Blueprint, ensures that your KRI program remains effective as your organisation and its risk environment evolve. 

Four categories of Key Risk Indicators

Using four broad categories of KRIs helps provide a comprehensive set of leading indicators. The first two categories typically apply organisation-wide, while the latter two are more bottom-up and process-specific. Each category below is illustrated by an example from an information security perspective. 

1. Exposure indicators: monitoring your risk environment
These indicators track changes in your external environment that could increase your risk exposure. Examples include: 

  • Geopolitical shifts: elections, government changes or policy changes 
  • Regulatory changes: new requirements or enforcement priorities 
  • Market conditions: economic indicators or competitive landscape changes 
  • Extreme event warnings: natural disaster forecasts or pandemic alerts 

For information security risks, an example would be tracking the number of accounts holding super-admin (highest-privilege) access compared with your defined norm. This metric highlights increased exposure due to unnecessary access privileges, following the principle of least privilege: information and privileges should be granted only on a need-to-know basis, and every surplus administrator account is an additional account an attacker can compromise. 

2. Stretch indicators: measuring organisational stress
These metrics track how much stress your organisation is experiencing, recognising that stretched resources often correlate with increased risk. They fall into three main subcategories: 

  • Human stretch: vacancies, turnover rates or overtime hours 
  • System stretch: capacity utilisation, buffer capacity reduction, and system performance metrics 
  • Infrastructure stretch: maintenance backlogs, renovation delays, and aging equipment 

In an IT department, a classic stretch indicator is the number of change requests per staff member. As this ratio increases, the likelihood of errors during implementation typically rises as well. Similarly, in customer service operations, increasing case volumes per agent often precede quality issues and control breakdowns. 

3. Failure indicators: monitoring performance and controls

These indicators track failures in your performance metrics or control functions. Examples include: 

  • IT response time increases 
  • Customer service quality declines 
  • Backlog in reconciliations of financial transactions  
  • Missing validations

In information security, an example would be overdue remediation of penetration test findings. When action plans from security testing remain unimplemented past their agreed deadlines, the vulnerabilities the test found stay exploitable, indicating weak controls and increased exposure. 

4. Causal indicators: tracking inherent causes
These metrics directly monitor the root causes of specific risks. 

For information security, examples include metrics that track risk awareness culture, such as employee compliance with security policies or results from phishing simulation tests. Tracking repeat clickers across successive phishing simulations can highlight teams or locations requiring additional training and awareness. 

Designing effective Key Risk Indicators

The effectiveness of your KRI program depends not just on what you measure, but how you design and implement your indicators. These principles will help you create KRIs that provide genuine value: 

The ‘minimum meaningful’ approach

When determining how many KRIs to implement, follow the principle of the minimum meaningful - the smallest number of indicators that provide comprehensive coverage of your risk drivers. Typically, this means: 

  • One KRI per significant cause of each key risk 
  • One KRI per significant driver of impact 
  • Independence between indicators to minimise redundancy

This approach reduces information overload while ensuring you capture essential risk drivers. Remember that collecting and analysing metrics requires resources, so focus on those that provide the greatest insight. 

Avoiding the average trap

When designing KRIs, beware of relying on averages. Let’s take the example of a distribution of customer satisfaction scores across multiple service centres. While the average score might look acceptable, individual locations could be performing either exceptionally well or poorly. By focusing only on the average, you miss the valuable information contained in these deviations. 

The true value in KRIs lies in identifying abnormalities - both positive and negative. Positive outliers may indicate best practices that could be implemented elsewhere, while negative outliers highlight areas requiring intervention. Set thresholds that capture these deviations rather than focusing on average performance. 

Peaks & Drops: Key Risk Indicators selection and reporting for an international institution

Implementing a KRI governance framework

Even the best-designed KRIs provide little value without a robust governance framework to translate insights into action. Implement these key elements to ensure your KRI program delivers results: 

Colour-coded threshold framework

Establish a consistent approach to KRI interpretation across your organisation: 

  • Green status: continue current approach (status quo) 
  • Amber status: increase vigilance and monitoring as you approach the danger zone 
  • Red status: take action, as the risk has exceeded your defined appetite and tolerance 

This colour-coded system provides a clear, visual representation of risk status that drives appropriate responses. Importantly, each colour should have predefined response protocols, reducing uncertainty of action when indicators change. 

These thresholds should align with your organisation's risk appetite and tolerance levels as discussed in our article on Risk Appetite. As we explored there, your risk appetite defines not only how much risk you want to face, but also the level of residual risk you are willing to accept. 
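The two points above, that averages hide the outliers a KRI is meant to catch and that each colour needs a predefined response, can be shown in a few lines of code. The following is an added example, not code from the BDO article or from any BDO tool. The KRIs, thresholds, office names and measured values are all constructed for illustration (a phishing-simulation click rate where higher is worse, and a pentest-remediation-within-SLA rate where lower is worse); the outlier test uses the median absolute deviation rather than the mean, because a single extreme unit pulls the mean towards itself and so hides its own deviation.

```python
"""KRI evaluation: colour-coded thresholds plus outlier detection.

Added example with constructed data; not from any real organisation.
"""
from dataclasses import dataclass, field
from statistics import mean, median


@dataclass
class Kri:
    """A Key Risk Indicator: thresholds, direction, and the predefined response per colour."""
    name: str
    amber: float
    red: float
    higher_is_worse: bool = True
    # Predefined response protocol per colour, so a colour change triggers a known action.
    responses: dict = field(default_factory=lambda: {
        "green": "status quo: continue current approach",
        "amber": "increase vigilance: raise monitoring frequency, notify risk owner",
        "red": "take action: risk owner executes contingency plan",
    })

    def status(self, value: float) -> str:
        """Map a measured value to green/amber/red.

        Direction matters: a click rate rising past its thresholds is bad, while a
        remediation-within-SLA rate falling below its thresholds is bad.
        """
        breached_red = value >= self.red if self.higher_is_worse else value <= self.red
        breached_amber = value >= self.amber if self.higher_is_worse else value <= self.amber
        if breached_red:
            return "red"
        if breached_amber:
            return "amber"
        return "green"

    def evaluate(self, value: float) -> tuple[str, str]:
        """Return (colour, predefined response) for one measurement."""
        colour = self.status(value)
        return colour, self.responses[colour]


def robust_outliers(values: dict[str, float], cutoff: float = 3.5) -> dict[str, float]:
    """Flag units whose value deviates abnormally from the rest of the population.

    Uses the median and median absolute deviation (MAD), not the mean and standard
    deviation, so one extreme unit cannot mask itself by dragging the average.
    Returns {unit: modified z-score} for both positive and negative outliers
    (|z| > cutoff). The 0.6745 factor makes the score comparable to an ordinary
    z-score for normally distributed data.
    """
    if len(values) < 3:
        return {}
    centre = median(values.values())
    mad = median(abs(v - centre) for v in values.values())
    if mad == 0:  # all units essentially identical: nothing abnormal to report
        return {}
    scores = {unit: 0.6745 * (v - centre) / mad for unit, v in values.items()}
    return {unit: z for unit, z in scores.items() if abs(z) > cutoff}


# Constructed sample: phishing-simulation click rate (%) per office, last quarter.
PHISHING_CLICK_RATE = Kri("Phishing simulation click rate (%)", amber=10, red=15)
CLICK_RATE_BY_OFFICE = {
    "Amsterdam": 6, "Brussels": 7, "Copenhagen": 5, "Dublin": 8,
    "Edinburgh": 7, "Frankfurt": 29, "Geneva": 1,
}

# Constructed sample: pentest findings remediated within SLA (%); here lower is worse.
PENTEST_REMEDIATION_SLA = Kri("Pentest findings remediated within SLA (%)",
                              amber=90, red=75, higher_is_worse=False)


def aggregate_status(kri: Kri, values: dict[str, float]) -> str:
    """The 'average trap': the colour you get when you report only the mean."""
    return kri.status(mean(values.values()))


def per_unit_report(kri: Kri, values: dict[str, float]) -> dict[str, tuple[str, str]]:
    """Colour and response for every unit, so no unit hides behind the mean."""
    return {unit: kri.evaluate(v) for unit, v in values.items()}


if __name__ == "__main__":
    print("Average-only status:", aggregate_status(PHISHING_CLICK_RATE, CLICK_RATE_BY_OFFICE))
    for office, (colour, response) in per_unit_report(PHISHING_CLICK_RATE, CLICK_RATE_BY_OFFICE).items():
        print(f"  {office:<11} {colour:<6} {response}")
    print("Abnormal offices (modified z):", robust_outliers(CLICK_RATE_BY_OFFICE))
    print("Remediation SLA at 82%:", PENTEST_REMEDIATION_SLA.evaluate(82))
```

With these constructed figures the mean click rate is 9%, which sits comfortably in green, while the per-office report puts Frankfurt in red and the outlier test flags both Frankfurt (a negative outlier needing intervention) and Geneva (a positive outlier whose practices may be worth copying). The remediation KRI shows why each indicator must carry its own direction: 82% within SLA is amber because lower is worse, not green because the number is high.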

Accountability and contingency planning

For each KRI, designate: 

  • An indicator owner responsible for data collection, analysis, and reporting 
  • A risk owner accountable for action when thresholds are breached 
  • Contingency plans that outline response options for amber and red status

This accountability framework ensures that rising risk levels trigger appropriate responses rather than simply generating reports. Preparing contingency plans in advance allows for quicker, more effective intervention when risks escalate. 

Documentation and reporting

Maintain comprehensive documentation of your KRI program, including: 

  • Indicator definitions and calculation methodologies 
  • Data sources and collection protocols 
  • Threshold levels and rationale 
  • Governance structure and responsibilities 
  • Historical performance and trend analysis

Documentation supports auditability while providing valuable context for decision-making. Regular reporting to key stakeholders ensures that risk insights inform strategic and operational decisions, fulfilling the role of the Three Lines of Defence model we discussed in our fifth article. 

Effective Key Risk Indicators transform risk management from a reactive exercise to a proactive discipline. By monitoring the drivers of risk rather than just their outcomes, your organisation can identify emerging issues before they materialise into incidents. This early warning system allows you to intervene at the earliest possible stage, reducing both the likelihood and impact of events.

As you implement your KRI program, remember that its true value lies not in the metrics themselves, but in the actions they drive. KRIs should inform decision-making at all levels of your organisation, from strategic planning to operational responses. By connecting your indicators to clear action thresholds and accountability frameworks, you ensure that risk insights translate into tangible improvements in resilience and performance.

Ready to develop and monitor your own leading KRIs?

Feel free to contact our experts for more information.