CRMA· IIA
Certification in Risk Management Assurance (IIA)
IIA’s CRMA specialises audit on risk management (ERM, COSO ERM 2017, Three Lines Model). Single 10-week exam path.
Term DefinitionRisk
KPI vs KRI
KPI measures performance; KRI anticipates risk exposure.
A KPI (Key Performance Indicator) measures whether objectives are met (retrospective view). A KRI (Key Risk Indicator) measures whether risk exposure is evolving (prospective view). In a mature GRC framework, both coexist in an integrated governance dashboard. The same indicator can be both a KPI and a KRI depending on context: absenteeism rate is an HR KPI and an operational risk KRI. Confusion between KPI and KRI is common and leads to dashboards that measure without anticipating.
📌 Key points
- KPI: retrospective view — 'did we meet our objectives?'
- KRI: prospective view — 'is our risk exposure increasing?'
- One indicator can be both a KPI and a KRI depending on its use
- Mature GRC dashboards combine KPIs, KRIs, and KCIs (Key Control Indicators)
- Common confusion in practice — training management on the distinction is essential
Related certifications
These certifications cover the concept of "KPI vs KRI" in depth.
🔗 Related concepts
RiskRiskRiskRiskFrameworks
Key Risk Indicator (KRI)
A metric measuring the evolution of risk exposure over time.
Risk Register
A centralized document listing all identified risks of an organization.
Risk Appetite
The level of risk an organization is prepared to accept in pursuit of its objectives.
Enterprise Risk Management (ERM)
An integrated, holistic approach to identifying and managing all organizational risks.
GRC Platform
Integrated software to manage Governance, Risk, and Compliance in one place.
📖 Related articles
Master this concept and more
Start your GRC certification journey today.