What a key risk indicator is, how KRIs differ from KPIs and KCIs, and how to set thresholds, escalation and board MI under FCA SYSC 7 and Basel guidance.

Risk rarely announces itself. By the time a control has failed, a limit has been breached or a customer has been harmed, the underlying exposure has usually been building for weeks or months. Key risk indicators exist to catch that build-up early, while there is still time to act. Used well, they turn risk management from an after-the-fact post-mortem into a forward-looking discipline.
A key risk indicator, or KRI, is a metric that provides an early warning of increasing risk exposure. It is not a measure of whether a process ran, nor a measure of whether a control worked, but a signal that the chance of an adverse outcome is rising. That distinction matters, because firms that confuse KRIs with performance measures or control checks end up with dashboards full of numbers that never actually warn anyone of anything.
This guide explains what a KRI is, how it differs from a key performance indicator and a key control indicator, and how KRIs support the risk management framework the FCA expects under SYSC 7. It draws on primary sources, including the FCA Handbook and the Basel Committee's Principles for the sound management of operational risk, so you can trace every point back to the regulator or standard-setter. The examples of specific indicators and thresholds are illustrative and are meant to prompt your own calibration, not to be copied as targets.
A key risk indicator is a metric that gives early warning that a firm's exposure to a particular risk is increasing. The emphasis is on the word early. A good KRI moves before the risk crystallises into a loss, a breach or a complaint, giving management time to intervene rather than simply to record what went wrong.
The Basel Committee's Principles for the sound management of operational risk describe this function directly. In its discussion of assessment tools, the Committee explains that banks often develop metrics to assess and monitor their operational risk exposure, and that these metrics may be simple indicators, such as event counts, or result from more sophisticated exposure models. Crucially, it states that such metrics provide early warning information to monitor ongoing performance of the business and the control environment, and to report the operational risk profile.
Two features separate a genuine KRI from an ordinary statistic. First, it is forward-looking: it tells you about the likelihood of future harm, not just the volume of past activity. Second, it is linked to a specific risk and its controls. The Basel principles make the same point, noting that effective metrics clearly link to the associated operational risks and controls. A number that cannot be tied to a named risk is unlikely to be a useful indicator, however interesting it looks on a chart.
In a compliance context the risks being watched are broad: regulatory breaches, financial crime, conduct failings, data protection lapses and the operational failures that sit beneath them. A KRI framework for compliance is simply the systematic selection, measurement and escalation of the metrics that give the earliest reliable warning across those categories.
The three acronyms are often used loosely, but they answer different questions and should not be substituted for one another. Confusing them is the most common reason a KRI programme fails to warn anyone of anything.
A key performance indicator measures how well an activity or objective is being achieved. It answers the question, are we doing this well? A key risk indicator measures whether the exposure to an adverse outcome is rising. It answers the question, is this becoming more dangerous? A key control indicator, sometimes called a key control indicator or KCI, measures whether a specific control is operating as intended. It answers the question, is the control working? The same underlying data can feed all three, but the interpretation and the response differ.
The three are complementary rather than competing. The Basel principles bring the risk and control strands together, describing a control monitoring and assurance framework that supports the evaluation, review and ongoing monitoring and testing of key controls, alongside metrics that provide early warning information about the business and the control environment. In practice a mature compliance dashboard carries a blend: performance measures to show throughput, control indicators to show the controls are holding, and risk indicators to show where exposure is trending.
A worked example makes the distinction concrete. Suppose a firm onboards customers and must complete due diligence. The percentage of applications processed within the service standard is a KPI: it tells you how efficient the team is. The percentage of new accounts opened with all required due diligence evidence on file is a KCI: it tells you whether the onboarding control is working. The number and age of overdue periodic reviews, or the trend in alerts that breach screening thresholds, are KRIs: they warn that financial crime exposure is building even if today's throughput looks healthy.
| Indicator type | Question it answers | Illustrative compliance example |
|---|---|---|
| KPI (key performance indicator) | Are we doing this activity well and efficiently? | Percentage of onboarding applications completed within the agreed service standard. |
| KRI (key risk indicator) | Is our exposure to an adverse outcome increasing? | Trend in the backlog and age of overdue customer due diligence reviews. |
| KCI (key control indicator) | Is the control operating as designed? | Percentage of new accounts opened with all required verification evidence on file. |
KRIs are not a nice-to-have bolted on to a risk function. They are one of the practical mechanisms through which a firm meets the FCA's risk control expectations in the Senior Management Arrangements, Systems and Controls sourcebook.
The foundation sits in SYSC 4. Under SYSC 4.1.1R a firm must have robust governance arrangements, which include effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms. The words monitor and report are doing real work here. A firm cannot credibly claim to monitor a risk it is not measuring, and KRIs are the metrics that make ongoing monitoring possible rather than a periodic guess.
SYSC 7 then sets out specific risk control requirements. SYSC 7.1.4R requires a common platform firm to monitor the adequacy and effectiveness of the measures taken to address deficiencies in its risk management policies, procedures, arrangements, processes and mechanisms, including failures by relevant persons to comply with them. Monitoring adequacy and effectiveness over time is exactly what a trended KRI does: it shows whether remediation is holding or whether the same weakness is re-emerging.
SYSC 7 also pushes accountability upward. SYSC 7.1.5R requires the management body to approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks the firm is or might be exposed to, including those posed by the macroeconomic environment in which it operates. The management body cannot review whether the firm is staying within its intended risk profile without a reliable set of indicators to review. KRIs give the board and senior management a repeatable, comparable read on where exposure sits against the risk strategy they approved.
Finally, the SYSC framework refers to the risk management function. In the FCA Handbook the term risk management function refers to the generally understood concept of risk assessment within a firm, that is, the function of setting and controlling risk exposure. KRIs are one of that function's core instruments for controlling exposure, because they convert an abstract risk appetite into observable numbers that can be watched and acted upon.
An indicator with no threshold is just a number. What turns a metric into a key risk indicator is a defined level at which it demands attention, and a defined path for that attention to travel. Without both, a rising indicator can sit on a dashboard for months while everyone assumes someone else is watching it.
The Basel Committee ties indicators explicitly to thresholds and limits. It notes that monitoring metrics and related trends through time against agreed thresholds or limits provides valuable information for risk management and reporting purposes. The reference to trends is important: a single reading tells you little, whereas the direction of travel against an agreed threshold tells you whether exposure is building, stable or receding.
A common and workable approach is a tiered threshold, often described as a traffic-light or RAG model. Green means the indicator is within appetite and no action is needed beyond routine monitoring. Amber means the indicator is approaching the limit and warrants investigation and, if necessary, preventive action. Red means the threshold has been breached and requires escalation and a documented response. The specific values behind each band are for the firm to calibrate against its own risk appetite, loss history and control environment; they are not something a guide can prescribe.
Escalation must be defined before a breach happens, not improvised afterwards. The Basel principles anchor this in the risk appetite and tolerance statement, which the Committee says should establish boundaries or indicators, which may be quantitative or not, to enable monitoring of these risks. It adds that the board of directors should monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches. Translated into practice, each KRI should carry a named owner, a threshold, an escalation route and a defined response, so that an amber or red reading automatically reaches a person with the authority to act.
A tiered threshold turns a metric into an actionable indicator. Bands and values are illustrative and must be calibrated to a firm's own risk appetite. The approach reflects Basel guidance on monitoring metrics against agreed thresholds or limits.
The best KRIs are specific to a firm's business model, permissions and risk profile, so a universal list would be misleading. The examples below are illustrative starting points, grouped by risk category, to show the shape of a workable indicator set. Each would need a threshold, an owner and an escalation route, and the trend matters more than any single reading.
Two design points apply across every category. First, an indicator should be tied to a named risk and, ideally, to the control meant to manage it, in line with the Basel point that effective metrics clearly link to the associated operational risks and controls. Second, favour leading indicators that move before harm occurs over lagging ones that only confirm harm after the fact. A rising backlog of overdue reviews is a leading signal; a confirmed regulatory breach is a lagging one, useful for learning but too late to prevent the event it records.
| Risk category | Illustrative KRI | Illustrative escalation threshold |
|---|---|---|
| Financial crime (AML) | Number and age of overdue customer due diligence periodic reviews. | Escalate when overdue reviews exceed an agreed count or age band. |
| Financial crime (screening) | Volume of transaction monitoring alerts breaching threshold, and alert backlog age. | Escalate when the unworked alert backlog exceeds an agreed age or number. |
| Regulatory reporting | Number of regulatory returns submitted late or resubmitted after error. | Escalate on any late submission or on a rising resubmission trend. |
| Conduct and complaints | Trend in upheld complaints and complaints citing the same root cause. | Escalate when repeat root-cause complaints rise above an agreed level. |
| Data protection | Number of personal data incidents and the proportion assessed as reportable. | Escalate on any reportable incident or a rising incident trend. |
| Governance and controls | Number and age of overdue audit or compliance-monitoring actions. | Escalate when overdue remediation actions exceed an agreed age band. |
Building a KRI framework is a repeatable exercise, not a one-off. The aim is a small set of indicators that genuinely warn of rising exposure, each with a threshold and an escalation path, refreshed as the firm's risks change. A short list of well-chosen indicators beats a sprawling dashboard nobody reads.
The steps below describe a full cycle from risk to review. The discipline is in doing them in order: an indicator chosen before the underlying risk is understood tends to measure what is easy rather than what matters. A structured control framework such as Nasara Connect's Control product can help firms map indicators to the specific obligations and risks that apply to them, rather than assembling metrics in isolation.
KRIs earn their place when they reach the people who set the firm's risk strategy. The FCA framework and the Basel principles both point to the board and senior management as the ultimate audience for risk monitoring, so a KRI programme that stops at operational dashboards is only half built.
The reporting expectation is explicit in the Basel principles. Under its monitoring and reporting principle, the Committee states that senior management should implement a process to regularly monitor operational risk profiles and material operational exposures, and that appropriate reporting mechanisms should be in place at the board, senior management and business unit levels to support proactive management of operational risk. It goes on to specify that operational risk reports should include breaches of the bank's risk appetite and tolerance statement, as well as thresholds, limits or qualitative requirements, together with a discussion and assessment of key and emerging risks. A board KRI pack that reports threshold breaches and emerging trends maps directly onto that expectation.
Good board management information is selective, trended and actionable. The Basel principles warn that effective decision-making is impeded by both excessive amounts and paucity of data, so a board KRI pack should present a focused set of indicators with their trends and threshold status, not a data dump. Each red indicator should come with the response being taken, so the board can discharge its oversight role rather than merely receive numbers.
This closes the loop back to SYSC 7.1.5R, under which the management body approves and periodically reviews the strategies and policies for managing, monitoring and mitigating the firm's risks. A concise, well-designed KRI pack is the practical instrument that lets the board carry out that periodic review with evidence in front of it. Firms building this capability as they enter new regulated activities often find the discipline reinforces the authorisation process, which is why many address both together when they seek or vary FCA authorisation.
Key risk indicators are the early-warning system of a compliance function. A KRI is a metric that signals rising exposure before harm occurs, which is what distinguishes it from a performance measure that reports throughput or a control indicator that confirms a control is working. Getting that distinction right, and choosing a small set of leading indicators tied to named risks and controls, is the difference between a dashboard that warns and one that merely decorates.
The regulatory logic is consistent from the FCA Handbook to the Basel principles. SYSC 4 and SYSC 7 require firms to identify, manage, monitor and report their risks, to monitor the adequacy and effectiveness of their risk measures, and to have the management body approve and review the strategies for managing and monitoring those risks. The Basel principles show how indicators, thresholds and escalation deliver that in practice, providing early warning against agreed thresholds and reporting breaches and emerging risks up to the board. Build the framework once, calibrate the thresholds honestly, and route the signals to people who can act, and KRIs become a genuine control rather than a compliance ornament.
A key risk indicator is a metric that provides an early warning that a firm's exposure to a particular risk is increasing. Unlike a simple statistic, a KRI is forward-looking and linked to a specific risk and its controls, so it warns of potential harm before the risk crystallises into a loss, breach or complaint. The Basel Committee describes such metrics as providing early warning information to monitor the business and control environment and to report the operational risk profile.
A key performance indicator (KPI) measures how well an activity is performed, answering whether you are doing something well. A key risk indicator (KRI) measures whether exposure to an adverse outcome is rising, answering whether something is becoming more dangerous. A key control indicator (KCI) measures whether a specific control is operating as designed, answering whether the control is working. They are complementary: a good compliance dashboard carries a blend of all three.
SYSC 4.1.1R requires firms to have effective processes to identify, manage, monitor and report the risks they are or might be exposed to, and KRIs are the metrics that make ongoing monitoring possible. SYSC 7.1.4R requires a common platform firm to monitor the adequacy and effectiveness of its risk measures, and SYSC 7.1.5R requires the management body to approve and periodically review the strategies for managing, monitoring and mitigating the firm's risks. KRIs give the firm and its board the evidence to meet those duties.
Turn each indicator into an actionable one by setting a threshold at which it demands attention and a defined path for that attention to travel. A common approach is a tiered green, amber and red model, calibrated to the firm's own risk appetite and history rather than to any external benchmark. The Basel principles support monitoring metrics against agreed thresholds or limits and providing for timely detection and remediation of breaches, so each KRI should have a named owner, a threshold, an escalation route and a defined response.
Illustrative examples include the number and age of overdue customer due diligence reviews, the backlog and age of transaction monitoring alerts, late or resubmitted regulatory returns, trends in upheld or repeat-root-cause complaints, reportable data protection incidents, and overdue audit or compliance-monitoring actions. These are illustrative starting points, not benchmarks; each must be tied to a named risk, given a threshold and calibrated to the firm's own profile, with the trend mattering more than any single reading.
KRIs should reach the board and senior management in a focused, trended and actionable form. The Basel principles state that reporting mechanisms should exist at board, senior management and business unit levels, and that operational risk reports should include breaches of thresholds and limits and an assessment of key and emerging risks. Because the same principles warn that both too much and too little data impede decisions, a board KRI pack should present a selective set of indicators with their trends, threshold status and the response to any breach.
Nasara Control helps UK firms send and control payments with lower fees, better rates and full visibility.
Practical guides and updates for UK firms, straight to your inbox.