Key Risk Indicators

What are they and do you need them?

Many organisations invest significant time and effort in Key Performance Indicators (KPI) to ensure teams are meeting their targets and the organisation is meeting its goals. However, it is less likely that they invest as much effort in identifying and tracking  Key Risk Indicators (KRI)

If this rings true for your organisation, you may want to start differentiating between your KPIs and KRIs, so that you can manage your risk exposure more effectively. At a fundamental level, KRIs are measures or metrics that provide an early warning, which can assist an organisation to identify exposure to risk events that may have a negative impact on business performance. In addition to KRIs, you may also derive value from understanding their relationship with Key Control Indicators (KCIs) and Key Performance Indicators (KPIs). Properly defined, these 3 types of indicators can provide the organisation with timely and insightful data to support better decision making and performance.

Authored by: Editorial Team Reading time: 5 Mins

What’s the difference between KPI, KRI and KCI?

At a fundamental level, Key Performance Indicators (KPIs) measure that degree to which as result of objective is met, while Key Risk Indicators (KRIs) measure changes to risk exposure. Key Control Indicators (KCIs) measure how well a control is performing in reducing causes, consequences or the likelihood of a risk.

How do KRIs and KCIs help an organisation?

A Risk Bow Tie Analysis is a useful model to assist in the identification of KRIs and KCIs, and to understand their connection to KPIs. The following diagram demonstrates where KRIs and KCIs sit in an analysis of the causes and consequences of a risk event, and how it connects to KPIs.

Image 1: How to apply KRI’s, KCI’s and KPI’s to a Risk Bow-tie Analysis

Watch our informative webinar on this subject to see how you can apply this diagram to a simple business example with a clear business objective and a risk event, and discover how KRIs and KCIs can help a business achieve its objectives more efficiently by managing and controlling potential risks.

Steps in developing and deploying KRIs

Outlined below are key steps in developing and deploying KRIs in your organisation.

Step 1 – Identification


Step 2 – Selection


Step 3 – Reporting

Step 4 – Actions

More detail on these key steps, based on the Australian Department of Finance’s Understanding and Developing Key Risk Indicators guideline, is provided by by watching our webinar.

Key points to consider when setting KRIs

  • Quality not quantity is the aim with identifying and tracking KRIs for your business.
  • Focus on the organisation’s high impact/critical risk events, and not everything in the risk register.
  • Identify KRI thresholds and trigger points.
  • Ensure key or critical controls, which have the greatest effect on mitigating causes or reducing consequences have been identified to inform the choice of the right KCIs.
  • Camms.Risk solution supports the 4-step development and deployment of KRIs.

Find out more key points for setting KRIs by watching our webinar.


If you are interested in learning more about Camms.Risk or if you would like to request a demo of the solution, please get in touch with us via

*Source: Australian Government | Department of Finance (2016)

Focus on analysing data, not preparing it!

Choose a report template, speak to reporting agent and customise the report
for your organisation through the Reporting Hub.
[if lte IE 8]
[if lte IE 8]
[if lte IE 8]
[if lte IE 8]