Venvera KRI catalogue listing indicators with direction, thresholds and status
The KRI catalogue: each indicator with its direction, green and amber thresholds and current RAG status.

Key Risk Indicators are the quantitative early-warning signals that sit alongside the risk register. While a risk describes a possible scenario, a KRI is the measurement that tells you whether that scenario is becoming more likely or more impactful right now. KRIs answer the regulator's first question: “How do you know your risk environment is still within tolerance?”

Venvera ships ~20 standard KRIs across all ten enterprise risk domains, each one anchored to specific regulatory articles. Common examples:

KRIDomainAnchored to
Critical risks above toleranceOperationalDORA Art. 6, Art. 16 · ISO 27001 6.1.2, 6.1.3 · NIS2 Art. 21(2)(a)
Open major incidentsCyber & ICTDORA Art. 17, Art. 19 · NIS2 Art. 23 · ISO 27001 A.5.24
Incidents with missed regulator deadline (90d)Cyber & ICTDORA Art. 19 · NIS2 Art. 23 · GDPR Art. 33
Mean time to remediate critical risksCyber & ICTDORA Art. 6, Art. 9 · ISO 27001 8.1, 10.1
% policies past review dateRegulatoryISO 27001 5.1, 5.5 · DORA Art. 9 · NIS2 Art. 21(2)(a)
Top-5 vendor spend concentrationThird-PartyDORA Art. 31
Vendor spend HHI (Herfindahl-Hirschman Index)Third-PartyDORA Art. 31
Critical functions on a single providerThird-PartyDORA Art. 31
% staff completed annual security trainingCyber & ICTNIS2 Art. 21(2)(g) · ISO 27001 A.6.3 · DORA Art. 13
Open vulnerabilities > 30 days (high / critical)Cyber & ICTISO 27001 A.8.8 · DORA Art. 9 · NIS2 Art. 21(2)(e)
AML alerts open > 30 daysFinancial CrimeAMLD6 Art. 13, Art. 30
% of resilience tests on scheduleResilienceDORA Art. 24-27
💡
Click Seed catalogue on the KRI page to populate the full reference set with a single click. Auto-computable KRIs immediately pull their first value from your live data; manual KRIs are seeded as green starter rows so the dashboard renders straight away.
Venvera KRI list table
The KRI list. Each row is one indicator you can open to record a measurement or edit thresholds.

Direction, thresholds and status

Each KRI declares whether lower is better (e.g. # open incidents) or higher is better (e.g. % staff training completion). Two thresholds — green and amber — partition the value range into three zones. The status that gets recorded with every measurement is:

StatusLower is betterHigher is better
Greenvalue ≤ green thresholdvalue ≥ green threshold
Ambergreen threshold < value ≤ amber thresholdamber threshold ≤ value < green threshold
Redvalue > amber thresholdvalue < amber threshold

Auto-computed vs manual KRIs

KRIs with an auto_compute_key derive their value from system data — risks, incidents, controls, vendors, sub-outsourcing chains, integration findings. Click Auto-compute on the KRI page (or wait for the daily worker) and every auto-computable KRI gets a fresh measurement. Manual KRIs (AML alerts, phishing click-rate, RTO/RPO compliance, ESG climate exposure) are recorded by their owner from the KRI detail page.

Regulatory-clock coupling on breach

On each KRI definition you can toggle “Auto-create regulatory incident on breach”. When the KRI crosses into red, Venvera immediately:

  1. Records a kri_breach_events row.
  2. If the toggle is on, opens an incidents row with the statutory clock derived from the KRI’s framework anchoring:
    • DORA — 4-hour initial / 24-hour intermediate / 72-hour final / 1-month root-cause (Art. 19)
    • NIS2 — 24-hour early warning / 72-hour notification / 1-month final (Art. 23)
  3. Fires an outbound webhook (Slack / Teams / custom) to the configured channels.
⚠️
Once a regulatory clock is running, the incident-clock worker (every 5 minutes) starts firing breach-approaching alerts at 60-minute-from-due and again at deadline. The board pack PDF marks any breach with an overdue clock in red.

Composite domain-health scores

The KRI page header card “Overall health” plus the per-domain composite grid surface a 0–100 score for each of the ten enterprise risk domains. The score is a weighted average of the constituent KRIs, where KRIs anchored to more framework articles weigh more (a KRI tagged to DORA Art. 6 and ISO 27001 6.1.3 and NIS2 Art. 21(2)(a) carries more pull than one with a single anchor). Trajectory (improving / stable / worsening) is derived from the last three snapshots.

Regression alerts

The dashboard banner “KRIs trending toward red” highlights indicators whose trajectory is worsening, including those still inside the green band. Detected patterns:

  • Status downgrade in the most recent measurement (green → amber or amber → red) — flagged as rapid worsening.
  • Three consecutive measurements each worse than the previous — flagged as worsening.
  • Value drifted >25 % closer to the amber threshold over the recent window.
💡
This is the early-warning surface regulators expect you to monitor. Two KRIs can both be green today — the one drifting upward each month is the one that ends up in front of the supervisor next quarter.

Control-failure to KRI propagation

Each KRI detail page has a Linked controls section. Pick the controls whose effectiveness materially affects the KRI value. When any of those controls fails (implementation_status not_implemented or effectiveness below partially_effective), the KRI is surfaced in the “KRIs at risk from failing controls” banner on the dashboard — even before the next measurement is recorded.

The KRI Dashboard

The KRI Dashboard (Risk Management › KRI Dashboard) rolls every indicator up into a single reporting view: how many KRIs are active, how many are breaching appetite or in early warning, the latest RAG-status split, the count of elevated measurements over recent months, reporting health (never reported or overdue), and a breakdown of KRIs by department. It is the fastest way to see whether your risk environment is drifting before the board meeting.

Venvera KRI Dashboard with RAG status donut and KRIs by department
The KRI Dashboard: active KRIs, how many breach appetite or sit in early warning, the RAG-status donut and KRIs by department.

Recording a measurement

  1. Open the KRI detail page (click any row in the KRI list).
  2. In the Record measurement card enter the new value (and optionally a note explaining the context).
  3. Click Record. The status is derived from the value plus thresholds. If the status crosses into red, the breach handler fires.

Auto-compute

Click Auto-compute at the top of the KRI page to refresh every auto-computable KRI from current system data. The action returns a count of measurements recorded plus the number of breaches opened in this batch. A daily background job runs the same code without user action.

Regulator-grounded threshold suggestions

When you define a new KRI and tag it to a framework article, Venvera suggests a sensible default for unit, direction and the green/amber thresholds — anchored to what the regulation actually expects. For example, an article-tagged DORA Art. 31 KRI starts with HHI thresholds at 1500 (green) and 2500 (amber), the bands used in competition-policy precedent. Suggestions cover DORA, NIS2, ISO 27001, GDPR and AMLD6.