CRMA· IIA
Certification in Risk Management Assurance (IIA)
IIA’s CRMA specialises audit on risk management (ERM, COSO ERM 2017, Three Lines Model). Single 10-week exam path.
Term DefinitionRisk
Key Risk Indicator (KRI)
A metric measuring the evolution of risk exposure over time.
A KRI is a forward-looking metric that alerts on a potential increase in risk before an incident occurs. Unlike a KPI which measures past performance, a KRI anticipates adverse trends. A good KRI is specific, measurable, directly linked to a risk in the register, and has an amber alert threshold and a red critical threshold. Example: high turnover rate as a KRI for internal fraud risk or key knowledge loss.
📌 Key points
- Forward-looking — alerts BEFORE the incident, unlike KPIs which measure AFTER
- An effective KRI has two thresholds: amber (enhanced monitoring) and red (immediate action)
- Each KRI must be linked to a specific risk in the risk register
- Examples: transaction error rates, number of unapproved changes, patch lag time
- Reported monthly to management, quarterly to the risk committee
Related certifications
These certifications cover the concept of "Key Risk Indicator (KRI)" in depth.
CIA· IIA
Certified Internal Auditor (IIA, 3 Parts)
The IIA CIA certification covers this concept in Part 1 (framework, IPPF) and Part 2 (audit practice). 60+ lessons and 1,258 original questions.
🔗 Related concepts
RiskRiskRiskRiskRisk
Risk Register
A centralized document listing all identified risks of an organization.
Risk Appetite
The level of risk an organization is prepared to accept in pursuit of its objectives.
Residual Risk
The level of risk remaining after controls and mitigations have been applied.
KPI vs KRI
KPI measures performance; KRI anticipates risk exposure.
Enterprise Risk Management (ERM)
An integrated, holistic approach to identifying and managing all organizational risks.
📖 Related articles
Master this concept and more
Start your GRC certification journey today.