We're hiring! Become part of the RiskChallenger team. Take a look at our vacancies
nl
en

Key risk indicators: what are KRIs and how do you set them up?

May 29 2026
Team RiskChallenger

Your risk register is overflowing, but when does a risk actually become urgent? Usually you notice too late. The schedule has already slipped, the budget is tight, or the incident has already happened. Key risk indicators flip that around. They give you a heads-up that a risk is climbing, so you can act before things go wrong.

This post covers what key risk indicators are, how they differ from KPIs, how to set them up, and how to keep them from ending up in a forgotten spreadsheet tab.

What are key risk indicators?

Key risk indicators (KRIs) are measurable signals that show how likely a risk is to occur, or how serious the consequences could become. Think of them as the warning light on your dashboard. They don't tell you something is already broken. They tell you the values are heading the wrong way.

A good key risk indicator looks ahead. Instead of recording what went wrong after the fact, it measures the underlying factors that feed a risk. When a value crosses a threshold you agreed on in advance, that's your cue to do something.

This lines up with the international risk management standard ISO 31000, where monitoring and periodic review have a permanent place. Key risk indicators make that monitoring concrete. Not a vague intention to "keep an eye on the risk," but a number you actually track.

Key risk indicators versus KPIs: what's the difference?

Key risk indicators and key performance indicators (KPIs) get mixed up all the time, but they look in different directions.

A KPI measures performance: how well are things going right now? Customer satisfaction, revenue, throughput. A key risk indicator measures your exposure to a threat: how likely is it that something goes wrong next? The KPI tracks the result you're trying to hit. The KRI tracks what might get in its way.

Here's a concrete example. On a construction project, the percentage of milestones delivered on time is a KPI. The number of permits still pending shortly before the start date is a key risk indicator. That number says something about a delay that hasn't happened yet.

In practice, the two work together. KPIs tell you where you stand. Key risk indicators warn you about what's coming.

Examples of key risk indicators by sector

Good key risk indicators are always tailored to your organization and your project. Even so, examples help make it tangible. Here are a few from sectors where RiskChallenger is at home.

For water authorities, you can think about the number of structures past their inspection date, or groundwater levels falling outside the safe range. For infrastructure and construction companies, useful signals include the number of pending permits, understaffing in critical teams, and the number of scope changes per month. For municipalities and government agencies, compliance is often the driver, for example the number of systems not yet meeting NIS2 or CER requirements. For energy companies, you might track the number of critical suppliers without a backup, or the percentage of assets with deferred maintenance.

The common thread: a useful key risk indicator is something you can actually measure, that moves regularly, and that clearly connects to a risk you want to control.

How do you set up good key risk indicators?

Setting up key risk indicators is not about collecting as many numbers as possible. Too many distract you. Too few give you false confidence. These four steps help.

1. Start with the risks that really matter

Work from your most important risks, not from the data you happen to have already. For each risk, ask which underlying factor moves with it. That factor is the basis for your indicator. It's the same core question risk management starts with: what are you trying to protect, and what threatens it?

2. Make the indicator measurable and forward-looking

A key risk indicator has to be expressible as a number or percentage, and ideally it looks ahead. "Things aren't going great" is not an indicator. "The number of actions past their deadline" is. The earlier an indicator fires, the more time you have to steer.

3. Set thresholds and assign an owner

For each indicator, agree on which value is fine, which deserves attention, and which calls for immediate action. A simple traffic light model with green, amber, and red works well here. Also assign someone who tracks the indicator and raises the alarm the moment a threshold is crossed.

4. Review and adjust

Risks change, so your indicators have to as well. An indicator that mattered a year ago can be pure noise today. Build periodic review into your cycle, which is exactly what ISO 31000 expects.

From loose numbers to a real conversation

This is where most organizations get stuck. They put their key risk indicators in a spreadsheet that one person maintains and nobody else opens. The numbers sit there neatly, but nothing happens with them. The warning light is on, but nobody's looking at the dashboard.

At RiskChallenger we believe risk management is about the substantive conversation, not the number on the page. Key risk indicators only become powerful when your whole team can see them, understand them, and respond. An indicator going red should start a conversation, not just color a cell.

That's why the RiskChallenger platform makes indicators visible in clear dashboards, links them to the risks and controls they belong to, and brings the team in through interactive sessions and automatic reminders on deadlines. A static list becomes a live tool that gets the right people moving at the right time. And the broader the group looking at it, the better your risk management gets.

Getting started with key risk indicators

Key risk indicators are one of the more practical ways to get a grip on your risks. They turn an abstract threat into a concrete number and buy you time to act before the risk plays out. The trick isn't in having as many indicators as possible. It's in a handful of good ones that your team actually responds to.

Want to see how to lift key risk indicators out of that forgotten spreadsheet tab and turn them into a real conversation? Start a free 30-day trial or schedule a personal demo. That's the fastest way to experience how communicative risk management works.

Do you have any questions about this article?

Feel free to contact us via live chat or via

support@riskchallenger.nl

Read more about

Everything
RiskChallenger News
Risk Management
Software Development
Customer stories

Related blogs

Learn more from our blogs, and learn how to apply risk management to your daily projects.

All blogs
Risk Management
Risk Management
Risk Management
Risk Management
How to win a tender on the risk management part: 5 lessons from practice

Winning a tender takes more than just a strong technical approach. Our consultant Aurelia Bejenari shares five practical lessons on strategy, realism, and persuasion in tender processes.

Read more
Risk Management
Risk Management
Risk Management
Risk Management
AI and risk management: Hype, reality, and what you can actually do today

Everyone is talking about AI. And the risk management world is no exception. Automatic risk identification, predictive scoring, intelligent recommendations: the pitch sounds compelling. But what can AI actually deliver right now?

Read more

Experience the simplicity and effectiveness for yourself

Try out our software for 30 days or sign up for our software demo.

Free trial
Demo aanvragen
info@riskchallenger.nl
+31 (0) 33 2096 213
Hardwareweg 14, 3821 BM Amersfoort
Software
LicensesBrainstormInteractive QuantificationGeodata (GIS)VisualizationsIntegrationsExtras
Services
TrainingRaasTender SupportSecondment
About us
The teamVacanciesOur markets
Support
SecurityFAQRelease notesSoftware manual
Newsletter

Do you want to stay up to date with RiskChallenger or receive information about updates?

2026 Risk Challenger
Privacy StatementTerms & conditions
KVK 67345735
BTW NL856941104B01