3 Steps to Building an Effective KRI System Today

If your executives and managers love metrics, then they’re sure to use Key Performance Indicators (KPIs). Even if they don’t like numbers, any smart executive will be reviewing their KPIs dashboard. These historical measures are designed to gauge performance to ensure goals and milestones are being met.

As risk professionals, though, we know the value of metrics is limited—namely, that they cannot foretell the future. Sure, they can be charted to estimate future activity, but they can’t warn us of potential risk events.

For that, we need Key Risk Indicators (KRIs). Instead of historical metrics, these are leading indicators. Good KRIs establish thresholds that, when triggered, alert management to an increased potential for a future risk event, which means KRIs can be used as an early warning system. 

A Lack of Warning = A Lack of Value 

While most organizations utilize KPIs, KRIs are more elusive. According to the NC State’s “2017 Global Risk Oversight Report,” about a third of responding organizations indicated they were “mostly” or “very satisfied” with the nature and extent of their KRI reporting. The report concludes that there is “a widespread lack of KRIs that management can usefully monitor to proactively navigate the organization around emerging risks. This may explain why respondents generally do not believe that their organizations’ risk management processes are providing strategic value.”

Did you catch that? A lack of useful KRIs at an organization can make executives feel like their ERM program isn’t providing strategic value. 

Where are the KRIs? 

You’re probably wondering, “If executives want KRIs, why aren’t more ERM professionals providing them?”

In defense of our fellow risk professionals, it can take a while for a company to mature to the point where they want to track KRIs and are ready to take action based on the information collected. There’s a lot of foundational work that has to be completed first.

Another issue is information overload. Identifying KRIs is great, but if they’re not relevant or actionable, then they’re just noise—the kind that takes up a lot of resources to track and report.

In my personal opinion, I think there’s a third reason why companies don’t use KRIs: they’re making it more complicated than it has to be. And who can blame them? If you search the internet for “KRIs,” you’ll see a lot of impressive information, from case studies to fancy diagrams. These resources may help you down the road, but they probably won’t give you practical information on how to build an effective, sustainable system to identify and manage KRIs in your organization.

3 Steps to Building Your KRI System

If you’re looking to develop KRIs, we suggest a simple approach: base KRIs on existing KPIs. Then outline a basic process to report findings and escalate concerns to the appropriate individuals. The following is a high-level, 3-step process to get you started today.

1. Pick Your Risks

Remember, KRIs are supposed to warn about potential risk events that could threaten organizational objectives. So before you even talk about KRIs, you need to understand your organization’s objectives and the primary risks that threaten them. Focus on your top risks, especially those with a high Impact, high Velocity, or low Controllability (i.e. the risks you really want to get ahead of).

(Read our prior article on simplifying the risk assessment process to ensure you’re focusing on the right risks.)


Imagine we work in the same ERM unit. Our executives have made a strategic decision to manufacture a new type of widget, and they set an objective to produce 1 million units by the end of the year. As part of the planning process, management determined that the existing workforce can produce 5,000 widgets in a six-hour period. Then they contracted with the appropriate vendors to upgrade the production machinery, store the raw materials and completed products, and ship them to warehouses for distribution to sales outlets.

These various data points and milestones are then used to develop KPIs. As each week and month progresses, executives will look to these KPIs to make sure they’re on target to reach their objective.

We’ve identified the primary risk broadly as anything that could slow down the manufacturing process, causing us to miss the production deadline. There are dozens of specific risks that could cause this slow down to occur, but we’re going to focus on the high-level risk.

2. Establish Your KRIs

Once you’ve identified the risks for which you want to create an early-warning system, you’re ready to establish the KRIs.

Since your organization is probably tracking KPIs, use them to create your KRIs. This has several benefits: executives will be familiar with the underlying data, while the time and resources necessary to pull together the information are greatly reduced, and bureaucracy is minimized by integrating with other areas in the organization.

When creating the KRIs, be sure the data is:

  • Relevant – There should be a direct correlation to the risk.
  • Quantifiable – To be effective as an early-warning indicator, the KRI should be quantitative. However, don’t ignore relevant qualitative information, such as negative media attention or negative social media posts. If possible, develop a way to categorize and scale this type of information so you can measure and report it.
  • Easily accessible – If the information isn’t readily available (e.g. it costs too much to mine and analyze), then don’t pursue it. Start with the information at your fingertips.

Let’s take another look at our example:

We know the primary risk is around missing our production time frame, and we know the data available to us. Therefore, we establish the following KRI:

The time frame to manufacture 5,000 widgets and prepare them for shipment should not exceed 8 hours.

Notice the time frame is two hours above the estimated production time of six hours. That’s because we’re setting an upper-limit threshold that will trigger a mitigating response. The two-hour difference gives us “wiggle room” to handle normal production fluctuations.

Also, note that the wording of the KRI is as high-level as the risk we identified. We could have created separate KRIs to warn us of the underlying risks such as manufacturing failures and strikes by personnel, but then we would have to monitor and track that information. Instead, we developed a single KRI that alerts us to any issues in the manufacturing process that impact production time. We know this one KRI will be effective because it’s relevant to the risk, quantifiable, and easily accessible.

3. Formalize Your Process

Remember, the purpose of KRIs is to alert decision-makers of a potential increase in risk that could affect the company’s objectives. That means the information can’t just be collected—it has to be monitored, analyzed, and reported to the appropriate individuals. Since these activities will occur across departmental lines, you should take the lead in outlining the process and securing appropriate approvals.

When working with stakeholders, follow these best practices:

  • Engage stakeholders early on, while the KRIs are being identified.
  • Don’t just notify the stakeholders; secure their buy-in of the KRIs and the process. Each person needs to understand and believe in what he’s doing, or he won’t make it a priority.
  • Make the KRIs and the process surrounding them available to all stakeholders.
  • Be the central point of contact so they all know where to go when there are questions or issues.

Once you have established the KRIs and the processes, record the information in a systematic form, such as a protected Excel spreadsheet. Be sure to include a unique identifier, the risk being tracked, the KRI thresholds, the owner of the data, the person who monitors the data, and how the information is escalated if the thresholds are reached.

Overall, keep your process as simple as it can be to get the job done.

Back to our example:

The following was the KRI we established (with approval from all stakeholders): 

The time frame to manufacture 5,000 widgets and prepare them for shipment should not exceed 8 hours. 

After working with the stakeholders, we all agree to the following process:

The Production Manager monitors the data each day and notifies the appropriate executive if the production time exceeds the 8-hour threshold noted in the KRI.

The following chart shows the production data over a 12-day period:

[Chart: KRI system]

Notice that days 2 and 10 both have data points higher than the 8-hour threshold. Given our new process, this should trigger the Production Manager to take action.

Also note that the trend line has been increasing over time and is now dangerously close to the upper threshold of 8. On Day 8, you now have a leading indicator that a risk is about to materialize, and the Production Manager should reach out to other managers to take mitigating steps. These mitigating steps would be noted, so the executives can be made aware of what is being done to reduce the risk.
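The register entry from step 3 and the two checks described above (a hard breach of the 8-hour threshold, and a rising trend line approaching it) can be sketched in Python. This is an added example, not part of the original article: the daily figures are constructed because the chart's values are not on the page, and the field names and the 0.5-hour warning margin are assumptions.

```python
from dataclasses import dataclass

@dataclass
class KRI:
    # Register fields listed in step 3; the field names are illustrative.
    kri_id: str
    risk: str
    threshold_hours: float    # upper limit from the article's KRI (8 hours)
    warn_margin_hours: float  # assumption: warn when the trend gets this close
    data_owner: str
    monitor: str
    escalate_to: str

def trend(values):
    """Least-squares (slope, intercept) of values against day numbers 1..n."""
    n = len(values)
    days = range(1, n + 1)
    mean_x, mean_y = sum(days) / n, sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in days)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(days, values))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x

def evaluate(kri, hours):
    """Return (days above the threshold, first day the trend line warns)."""
    breaches = [d for d, h in enumerate(hours, 1) if h > kri.threshold_hours]
    warn_level = kri.threshold_hours - kri.warn_margin_hours
    for today in range(3, len(hours) + 1):  # fit only once 3 days exist
        slope, intercept = trend(hours[:today])
        # Leading indicator: trend is rising and its value today is near the limit.
        if slope > 0 and intercept + slope * today >= warn_level:
            return breaches, today
    return breaches, None

# Constructed sample: hours to produce and ship 5,000 widgets, days 1..12.
HOURS = [6.0, 8.5, 6.2, 6.5, 6.9, 7.2, 7.4, 7.9, 7.7, 8.3, 7.8, 7.9]

WIDGET_KRI = KRI(
    kri_id="KRI-001",  # placeholder identifier
    risk="Manufacturing slowdown causes a missed production deadline",
    threshold_hours=8.0,
    warn_margin_hours=0.5,
    data_owner="Production",
    monitor="Production Manager",
    escalate_to="Appropriate executive",
)

if __name__ == "__main__":
    breach_days, warn_day = evaluate(WIDGET_KRI, HOURS)
    print(f"Notify {WIDGET_KRI.escalate_to}: breaches on days {breach_days}")
    print(f"Trend warning first raised on day {warn_day}")
```

The early spike on day 2 triggers a breach notification but keeps the fitted slope flat or negative for several days, so the trend warning only fires once the sustained rise outweighs it.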

Mature Your KRI System

By following these three steps, you can quickly build an effective KRI system that supports the strategic plan of your organization. While this is a great start, you should plan to mature your KRIs and the process over time.

What has been your experience with KRIs? Do you feel your organization is using them to the fullest?
