Key Risk Indicators (KRIs)
Definition
Key Risk Indicators (KRIs) are measurable indicators used to monitor changes in risk exposure, vulnerability, or control effectiveness so that organizations can detect rising risk levels and act before an adverse event causes material loss or disruption.
What is Key Risk Indicators (KRIs)?
KRIs are early warning measures for risk management. They do not prove that a loss event will occur, but they signal that the likelihood, potential impact, or detectability of a risk is changing in an unfavorable way. That makes them different from after-the-fact incident reporting.
In procurement and supply chain contexts, KRIs can highlight supplier distress, geopolitical concentration, quality deterioration, cyber vulnerability, contract noncompliance, logistics congestion, or inventory dependency on a single fragile source. Their value lies in prompting action while there is still time to reduce exposure.
How KRIs Are Constructed
A KRI begins with a clearly defined risk scenario, such as supplier insolvency, delivery failure, ethical breach, or cyber incident. The organization then selects a measurable signal that changes before or as the risk increases, defines a calculation method, assigns thresholds, and establishes who will monitor and escalate the result.
Examples of Procurement KRIs
Examples include percentage of spend with single-source suppliers, share of supply from high-risk jurisdictions, repeated decline in supplier on-time delivery, rising defect escape trends, lack of business continuity testing, overdue audit findings, or concentration of critical spend with financially weak suppliers.
Thresholds and Escalation
KRIs are most useful when thresholds are linked to action. A green, amber, and red structure may indicate when observation is sufficient, when mitigation planning is required, and when escalation to senior management is necessary. Without action rules, the KRI becomes passive reporting rather than active risk management.
KRIs vs KPIs
KPIs track performance against objectives. KRIs track exposure to adverse outcomes. The two can be related, but they are not the same. For example, on-time delivery can be a KPI for supplier performance, while rising late delivery concentration among critical suppliers may operate as a KRI for continuity risk.
Limits of KRIs
KRIs are only useful when the selected indicator actually moves with the underlying risk. Weak data, late reporting, or poorly chosen proxies can create false comfort or constant noise. Effective KRIs therefore require periodic validation and review against real incidents and near misses.
Frequently Asked Questions about Key Risk Indicators (KRIs)
Why are KRIs important if a company already has a risk register?
A risk register usually lists identified risks and describes ownership, controls, and mitigation plans, but it may not show whether exposure is rising right now. KRIs provide dynamic monitoring. They translate static risk statements into measurable conditions that can be observed over time, helping managers see when a risk is becoming more acute rather than discovering that only after a disruption has already happened.
What makes a good KRI?
A good KRI is clearly linked to a specific risk scenario, measurable with reliable data, sensitive enough to change before the loss event occurs, and actionable once thresholds are breached. If the indicator changes only after the damage is done, or if no one knows what response is expected when it worsens, it is not performing the role a KRI is meant to play.
Can the same metric be both a KPI and a KRI?
Yes, depending on context and interpretation. Supplier on-time delivery may be a KPI when used to assess operational performance against a target. The same underlying measure can become part of a KRI framework when worsening performance among critical suppliers signals rising continuity risk. The distinction lies in management purpose, threshold design, and the decision the metric is intended to support.
How often should KRIs be reviewed?
The frequency should match the speed of the underlying risk. Some supply chain KRIs need weekly or even daily review during volatile periods, while structural risks may be reviewed monthly or quarterly. Reviewing too slowly can make the signal useless, but reviewing too often without meaningful movement can create noise. The best cadence reflects how quickly management can still intervene effectively.