All articles
monitoringkey risk indicatorsKRIrisk process

How to Monitor and Review Risks

Risk assessments expire. Key risk indicators, review cadences, and incident feedback loops keep your risk picture current — here's how to build them.

5 min read
KRI · % of revenue in top-1 customerThreshold: 60%
Q1Q9
A leading indicator warns you before the risk does.

There's a moment in every risk management effort when the hard work seems done. Risks identified, matrix populated, treatments assigned. The team exhales.

That's precisely the moment the clock starts ticking — because every risk assessment is a photograph of a moving object, and it begins aging the moment it's taken. New suppliers, new systems, new hires, new regulations, new attackers: the world your register describes shifts weekly. Monitoring and review is the discipline that keeps the map matched to the territory. It's the least glamorous phase of the risk process and, over time, the one that decides whether the whole thing works.

Two activities, often confused

The terms travel together but do different jobs.

Monitoring is continuous: watching indicators that tell you a risk's likelihood or impact is shifting, or that a control is weakening — ideally before anything happens. It's the smoke detector.

Review is periodic: sitting down at intervals to re-examine assessments, question assumptions, and check treatment progress. It's the fire inspection.

You need both. Monitoring without review drowns you in signals with no reflection; review without monitoring means you only notice change at quarterly meetings — and some risks move faster than quarters.

Key Risk Indicators: your early-warning system

The core instrument of monitoring is the Key Risk Indicator — a measurable value correlated with a risk, tracked over time, with defined thresholds.

The distinction that matters: KPIs measure performance (what has been achieved); KRIs measure exposure (what is building up). Revenue is a KPI. The share of revenue depending on a single customer is a KRI. Both matter; only one warns you.

Good KRIs share three properties. They're leading, not lagging — they move before the risk materializes, not after. "Number of successful cyberattacks" is a lagging fact; "share of systems with unpatched critical vulnerabilities" and "phishing simulation click rate" are leading signals. They're cheap to collect — ideally falling out of systems you already run (ticketing, HR, finance, monitoring), because manually compiled indicators tend to die within a year. And they have thresholds with consequences: green/amber/red bands where amber means "risk owner investigates" and red means "escalate now." An indicator without a threshold is scenery; a threshold without a defined reaction is a broken promise.

Some proven examples across categories: staff turnover in critical roles and open positions unfilled past 90 days (key-person risk); share of overdue maintenance or patch tasks (operational and cyber risk); customer concentration and days-sales-outstanding trend (financial risk); overdue audit findings (compliance risk); backlog of unreviewed access rights (security risk).

Choose few. Three to five KRIs for your top risks beat forty indicators nobody watches. The register tells you where to point them: your red and amber zones deserve KRIs; the green zone mostly doesn't.

The review cadence

Reviews turn monitoring signals — and everything else that changed — into updated assessments. What works in practice is a layered rhythm:

Quarterly, risk owners re-examine their risks: Are likelihood and impact still right? What do the KRIs say? Are treatments progressing? Anything new in my area? This should take minutes per risk, not hours — brief but honest.

Quarterly, leadership reviews the aggregate picture: the matrix now versus last quarter, movers and their explanations, overdue treatments, KRIs in amber or red. The most valuable slide in this meeting is the delta view: what changed and why.

Annually, the deeper refresh: full re-identification to catch new risks, retirement of obsolete entries, and — importantly — recalibration. Ratings drift over time as people and moods change; once a year, check that a "3" still means what your scale says it means.

Event-driven, immediately: some triggers shouldn't wait for the calendar. A serious incident, a major project decision, an acquisition, a new regulation, a critical supplier wobbling — each prompts an immediate look at the affected register entries.

Incidents: reality grading your homework

The most underused source of risk intelligence is your own incident history. Every incident — and every near-miss — is reality delivering a verdict on your register.

Three questions turn any incident into register improvements. Was this risk in the register? If not, your identification process has a blind spot worth understanding. Were the ratings right? An event you rated "rare" happening twice in a year is a calibration lesson. Did the controls work? The backup that failed to restore, the escalation chain that stalled on a weekend — incidents expose the gap between controls on paper and controls in operation.

Organizations that systematically feed incidents and near-misses back into their register develop something close to institutional learning. Organizations that don't are doomed to re-derive every lesson the expensive way.

Controls decay: the silent failure mode

A special monitoring target deserves its own mention: your existing controls. Treatments, once implemented, are assumed to keep working. They don't — not automatically.

The redundant supplier quietly gets dropped in a cost round. The backup job fails silently for months. The trained employees leave and their replacements never get the training. Control decay is invisible in a register that only tracks whether a measure was implemented, never whether it still operates.

The fix is cheap: for each significant control, define how you'd know it's working, and check on a schedule. Restore a backup twice a year. Run the phishing simulation quarterly. Walk through the incident response plan annually. The test that fails is a gift — it found the gap before the incident did.

Making it sustainable

The whole apparatus — KRIs, cadences, incident loops, control checks — survives only if it's lightweight. Three design principles keep it so:

Automate the collection. Every manual data-gathering step is a future point of abandonment. Pull indicators from systems, schedule the reminders, let the tooling chase the overdue reviews.

Review by exception. Don't re-litigate all sixty risks quarterly; focus on movers, amber-and-red KRIs, overdue items, and anything touched by events. Stable green risks need a glance, not a meeting.

Keep the trend visible. A register that shows each risk's history — the arrows, the timeline — makes review meetings shorter and sharper, because the question "what changed?" answers itself.

Risk management's last phase is really its engine. Identification and analysis produce a picture; monitoring and review keep it true. And a true picture, continuously maintained, is the entire product: an organization that sees change coming while there's still time to act.