Module 35: Key Performance Indicators (KPIs)

CRISC Domain 3 — Risk Response and Reporting, Section C. 8–10 min read
KPIs measure how well something is working.
KRIs measure how exposed you are.

KPIs evaluate:

  • Control performance
  • Process efficiency
  • Remediation progress
  • Treatment plan execution

KPIs answer:

Are we doing what we said we would do?

They do not directly measure risk exposure.


What the exam is really testing

When KPIs appear, CRISC is asking:

  • Is control performance measurable?
  • Are treatment plans progressing?
  • Are remediation timelines met?
  • Are controls operating consistently?
  • Are operational goals achieved?

KPIs measure execution — not exposure.


KPI characteristics

Effective KPIs are:

  • Specific
  • Measurable
  • Time-bound
  • Actionable
  • Linked to control or process objectives
  • Aligned to risk treatment plans

If a KPI is vague or cannot be measured, it cannot show whether a commitment was met, and governance over that control weakens.


KPI examples

Examples of KPIs:

  • % of access reviews completed on time
  • Average time to remediate high-risk findings
  • % of critical systems with updated patches
  • % of vendor assessments completed
  • % of policy exceptions reviewed quarterly
  • % of controls tested as scheduled

These measure performance of controls and processes.

They do not directly measure residual risk.


KPI vs KRI (critical distinction)

Let’s make this crystal clear.

KPI:
Measures control/process performance.
Example: 95% patch compliance.

KRI:
Measures risk exposure.
Example: % of critical vulnerabilities beyond SLA.

Patch compliance is performance: it tells you how well the patching process is executing.
The share of critical vulnerabilities still open beyond SLA is exposure: it tells you how much unmitigated risk is currently sitting on the estate.

CRISC frequently tests this difference.


Example scenario (walk through it)

Scenario:
An organization tracks the percentage of access reviews completed on time.

This is a:

A. Key Risk Indicator
B. Key Performance Indicator
C. Heatmap metric
D. Residual risk score

Correct answer:

B. Key Performance Indicator

This measures performance of the review process.


Slightly harder scenario

A dashboard shows that 98% of controls were tested as scheduled. However, incident frequency is increasing.

What does this MOST likely indicate?

A. Strong KPI performance but rising risk exposure
B. Weak inherent risk
C. Excessive appetite
D. Poor threat modeling

Correct answer:

A. Strong KPI performance but rising risk exposure

KPIs may look strong while KRIs indicate rising exposure.


KPI design principles

KPIs should:

  • Be tied to treatment plans
  • Align with control objectives
  • Have defined targets
  • Have defined thresholds
  • Be monitored regularly
  • Trigger corrective action when performance degrades

KPIs without action are meaningless.


KPI thresholds

KPIs should define:

  • Target (e.g., 95% compliance)
  • Warning level (e.g., < 90%)
  • Escalation threshold (e.g., < 80%)

If performance degrades, corrective action must occur.

CRISC tests failure to act on degraded KPIs.
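The KPI/KRI split and the target / warning / escalation bands above, computed from one constructed set of findings. This is an added example, not part of the CRISC module; the SLA values, asset names and finding records are invented, and the KPI definition used (share of closed findings remediated within SLA) and KRI definition used (share of open critical findings already past SLA) are assumptions chosen to match the module's patch-compliance and beyond-SLA examples:

```python
"""Added example: a KPI and a KRI computed from the same constructed finding data.

KPI  = % of closed findings remediated within SLA       (execution / performance)
KRI  = % of open critical findings already past SLA     (exposure)
Thresholds follow the module's example: target 95%, warning < 90%, escalation < 80%.
SLA values and all finding records below are assumptions invented for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str              # "critical" | "high" | "medium" | "low"
    opened: date
    remediated: Optional[date]  # None = still open


# Hypothetical remediation SLAs in days (assumption, not from the module)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# KPI thresholds, as in the module's example
KPI_TARGET, KPI_WARNING, KPI_ESCALATION = 0.95, 0.90, 0.80


def remediation_kpi(findings, as_of):
    """KPI: share of findings closed by `as_of` that were closed within SLA.
    Returns None when nothing has been closed yet (no data, not 0%)."""
    closed = [f for f in findings if f.remediated is not None and f.remediated <= as_of]
    if not closed:
        return None
    on_time = sum(1 for f in closed
                  if (f.remediated - f.opened).days <= SLA_DAYS[f.severity])
    return on_time / len(closed)


def beyond_sla_kri(findings, as_of, severity="critical"):
    """KRI: share of `severity` findings open at `as_of` that are already past SLA."""
    open_now = [f for f in findings
                if f.severity == severity
                and f.opened <= as_of
                and (f.remediated is None or f.remediated > as_of)]
    if not open_now:
        return 0.0
    breached = sum(1 for f in open_now if (as_of - f.opened).days > SLA_DAYS[severity])
    return breached / len(open_now)


def classify_kpi(value):
    """Map a KPI value onto the module's target / warning / escalation bands."""
    if value is None:
        return "no data"
    if value >= KPI_TARGET:
        return "on target"
    if value >= KPI_WARNING:
        return "below target"      # missed target, but above the warning line
    if value >= KPI_ESCALATION:
        return "warning"           # < 90%: corrective action expected
    return "escalate"              # < 80%: escalate to risk owner


def dashboard(findings, as_of):
    """One reporting row: both indicators side by side, with the KPI status band."""
    kpi = remediation_kpi(findings, as_of)
    return {
        "as_of": as_of.isoformat(),
        "kpi_within_sla": kpi,
        "kpi_status": classify_kpi(kpi),
        "kri_critical_beyond_sla": beyond_sla_kri(findings, as_of),
    }


# --- constructed sample data (not real findings) -----------------------------
CLOSED_ON_TIME = [  # 19 high findings closed in 9 days, inside the 30-day SLA
    Finding(f"srv-{i:02d}", "high", date(2024, 5, 1), date(2024, 5, 10)) for i in range(19)
]
FINDINGS = CLOSED_ON_TIME + [
    Finding("app-04", "high", date(2024, 4, 1), date(2024, 5, 15)),      # closed late (44 days)
    Finding("web-01", "critical", date(2024, 6, 1), date(2024, 6, 5)),   # closed in 4 days
    Finding("db-01", "critical", date(2024, 6, 10), date(2024, 6, 16)),  # closed in 6 days
    Finding("erp-01", "critical", date(2024, 6, 1), None),               # open, past SLA
    Finding("erp-02", "critical", date(2024, 6, 20), None),              # open, past SLA by 30 Jun
    Finding("vpn-01", "critical", date(2024, 6, 27), None),              # open, inside SLA
    Finding("hr-01", "low", date(2024, 6, 1), None),                     # open, not critical
]

if __name__ == "__main__":
    for day in (date(2024, 6, 15), date(2024, 6, 30)):
        print(dashboard(FINDINGS, day))
```

Run as written, the KPI stays "on target" on both reporting dates (about 95%, because the items that did get closed were closed on time) while the KRI climbs from 50% to 67% of open critical findings past SLA. That is the pattern the scenarios in this module keep returning to: a green KPI row says nothing about the exposure row beside it, and a dashboard that shows only the first would hide the second.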


KPI & treatment plan integration

KPIs should measure:

  • Implementation milestones
  • Remediation progress
  • Control execution rates
  • Closure of issues
  • Exception aging

KPIs support monitoring of treatment plans.


The most common exam mistakes

Candidates often:

  • Confuse KPIs and KRIs.
  • Focus on activity metrics without exposure context.
  • Assume high KPI performance means low risk.
  • Ignore trend movement.
  • Fail to link KPIs to escalation thresholds.

CRISC questions test whether you keep the two categories, performance and exposure, structurally distinct.


Slightly uncomfortable scenario

An organization reports 100% completion of control testing as a KPI. However, testing reveals recurring control failures.

What is the MOST significant governance concern?

A. Strong performance
B. KPI measuring activity instead of effectiveness
C. Excessive mitigation
D. Weak inherent risk

Correct answer:

B. KPI measuring activity instead of effectiveness

Completion of testing does not measure control effectiveness.


KPI vs activity metrics

Activity Metric:
Number of meetings held.
Number of reports generated.

KPI:
% of remediation plans completed on time.
% of controls operating effectively.

Activity does not equal performance.

CRISC favors meaningful KPIs.


Quick knowledge check

1) KPIs primarily measure:

A. Risk exposure
B. Control and process performance
C. Threat likelihood
D. Inherent risk

Answer & reasoning

Correct: B

KPIs measure performance.


2) Which is a KPI?

A. % of vulnerabilities beyond SLA
B. Risk heatmap severity
C. % of controls tested as scheduled
D. Residual risk score

Answer & reasoning

Correct: C

This measures process execution.


3) Strong KPI performance always guarantees low risk exposure.

A. True
B. False

Answer & reasoning

Correct: B

KPIs measure performance, not exposure.


Final takeaway

KPIs measure:

  • Execution
  • Performance
  • Process discipline
  • Control activity

KRIs measure:

  • Exposure
  • Trend risk
  • Threshold breaches
  • Potential loss movement

Confusing the two is one of the easiest ways to miss CRISC questions.

CRISC rewards candidates who separate performance from exposure clearly.

Next module: Module 36: Key Risk Indicators (KRIs)