Welcome to the Novantra documentation.

Indicators

The Indicators module is the performance and trend layer of your governance program. Where Monitoring answers “is this rule currently true?”, Indicators answers “is the number going in the right direction, is it inside its target band, and what does the trend look like over time?”

Indicators are how a governance program reports upward. A KPI shows performance against an objective. A KRI tracks risk exposure. A KCI shows control effectiveness. A maturity scorecard rolls up a program’s posture for a board pack. All of them are indicators, with the same record shape and the same lifecycle.

When you would reach for this

You set up indicators when:

  • A management system has objectives that need to be measured, and the measurement needs a target and a threshold (a KPI).
  • A risk needs to be tracked over time with a metric that signals when exposure is approaching the appetite limit (a KRI).
  • A control’s effectiveness needs to be summarized as a number that a board can read (a KCI).
  • A maturity program needs scorecard projections across multiple dimensions (a maturity indicator).
  • A regulator or framework expects you to publish quantitative measures of your program.
  • A leadership team wants a single set of numbers that summarize the governance program’s health.

You don’t reach for this for the underlying continuous check (that’s Monitoring) or the point-in-time evaluation (that’s Assessments). Indicators take the outputs of those modules and turn them into measured-against-target numbers.

What lives in indicators

Two record types:

Indicator definition is the metric itself. It carries:

  • A title and a stable key.
  • An indicator kind (kpi, kri, kci, kqi, maturity, custom).
  • The subject the indicator is about (a control, a risk, an obligation, a management system, a scope node, etc.).
  • A source describing where measurements come from (a monitor’s pass rate, an assessment result, a count from another module, a manual entry, a formula combining several).
  • A target (where the measure should be).
  • Thresholds (warning band, breach band).
  • A tolerance (acceptable variance from target).
  • A trend policy (rising-is-better, falling-is-better, on-target, range).
  • A breach policy describing what to do when thresholds are crossed.
  • An owner.

Indicator measurement is one value at a point in time, sourced according to the definition’s source. Measurements accumulate over time, building the trend.

Indicator kinds

| Kind | Meaning |
|---|---|
| kpi | Key Performance Indicator. Measures whether the program is delivering. |
| kri | Key Risk Indicator. Tracks risk exposure over time to surface emerging issues. |
| kci | Key Control Indicator. Tracks how well a control or set of controls is operating. |
| kqi | Key Quality Indicator. Measures the quality of an output, process, or service. |
| maturity | Tracks where a capability, program, or process sits on a maturity ladder. |
| custom | Anything not in the above kinds. |

Kind is free text in the product; the catalog above lists the kinds most organizations use.

A worked example: a payments processor publishes its governance scorecard

A payments processor runs continuous compliance monitoring, periodic assessments, an ongoing risk program, and a maturity uplift initiative. Its head of compliance, Mateusz, wants a single quarterly scorecard for the audit committee summarizing program health: control effectiveness, risk exposure, regulatory readiness, and program maturity.

He sets up Indicators like this.

Step 1: identify the indicators that matter. Mateusz picks roughly 15 indicators that together tell the program’s story:

  • KCIs: pass rate of the privileged-access monitor, fraud-control effectiveness percentage, vendor due-diligence completion rate, training completion rate for regulated roles.
  • KRIs: count of open critical findings, fraud-loss rate this quarter, third-party concentration metric, count of access exceptions active beyond 90 days.
  • KPIs: time-to-close findings, percentage of evidence claims currently within validity, percentage of controls assessed in the last quarter.
  • Maturity: privacy program maturity score, AI governance maturity score, vendor risk program maturity score.

Step 2: define each indicator. For each, Mateusz creates a definition:

  • Source: where the measurement comes from. The privileged-access KCI sources from the monitor’s daily pass rate. The findings-time-to-close KPI sources from a formula over the findings module. The maturity scores source from quarterly assessments.
  • Target: the goal. (Pass rate ≥99%; findings closed within 30 days of triage; privacy maturity at “managed” level by year-end.)
  • Thresholds: warning bands and breach bands around the target.
  • Trend policy: rising-is-better, falling-is-better, or on-target.
  • Breach policy: open a finding when threshold breaches happen for two consecutive periods; notify the committee for immediate breaches.

Step 3: measurements accumulate. As the underlying monitors run, assessments complete, and findings open and close, indicator measurements accumulate automatically (for indicators sourced from modules) or manually (for indicators that need human entry).

Step 4: scorecards and reports. Quarterly, Mateusz exports the scorecard. The trend chart per indicator shows the audit committee not just “where are we now” but “how are we moving.” A KRI rising toward its breach threshold becomes a discussion topic. A KPI tracking on target with stable trend confirms program health.

Step 5: breach handling. When a KCI breaches its threshold (say the vendor due-diligence completion rate drops below 90%), the breach policy fires: a finding opens with the indicator owner as the responsible party. The remediation work flows through the standard finding lifecycle.

Six months later, the audit committee can confidently answer “is the governance program working?” with numbers, trends, and the action stream that closes the loop when something drifts.

Targets and thresholds

A typical indicator definition specifies:

| Setting | Meaning |
|---|---|
| target | The goal value or target band. Where the measurement should sit. |
| tolerance | Acceptable variance from target without triggering anything. |
| warningThreshold | Crossing this triggers a warning state. |
| breachThreshold | Crossing this triggers the breach policy. |
| trendPolicy | rising-is-better, falling-is-better, on-target, range. |

Targets and thresholds live in the indicator definition’s snapshot; the in-product editor walks you through configuring them per kind.
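The sketch below is an added example, not Novantra code or its API: it shows how the settings above can classify a measurement history into within target / warning / breach, and how the "two consecutive periods" breach policy from the worked example decides when a finding opens. The class, function names and sample values are hypothetical, and it assumes that "crossing" means falling below a threshold under rising-is-better and exceeding it under falling-is-better, with a value exactly on the threshold not counted as crossed.

```python
from dataclasses import dataclass


# Hypothetical model of an indicator definition. Field names follow the
# settings table above; the evaluation semantics are assumptions.
@dataclass(frozen=True)
class IndicatorDefinition:
    key: str
    target: float
    warning_threshold: float
    breach_threshold: float
    trend_policy: str  # "rising-is-better" or "falling-is-better"


def status(defn, value):
    """Classify one measurement as 'within target', 'warning' or 'breach'."""
    if defn.trend_policy not in ("rising-is-better", "falling-is-better"):
        raise ValueError(f"unsupported trend policy: {defn.trend_policy}")
    rising = defn.trend_policy == "rising-is-better"

    def crossed(threshold):
        # A value exactly on the threshold is treated as not crossed.
        return value < threshold if rising else value > threshold

    if crossed(defn.breach_threshold):
        return "breach"
    if crossed(defn.warning_threshold):
        return "warning"
    return "within target"


def periods_opening_finding(defn, measurements, consecutive=2):
    """Return the periods in which a run of breaches reaches `consecutive`.

    One finding per run: further breached periods in the same run do not
    open another finding; the run resets once a period is not in breach.
    """
    opened, run = [], 0
    for period, value in measurements:
        run = run + 1 if status(defn, value) == "breach" else 0
        if run == consecutive:
            opened.append(period)
    return opened


# Constructed sample data for a vendor due-diligence completion rate KCI.
# The 90% breach threshold is from the worked example; target and warning are assumed.
VENDOR_DD = IndicatorDefinition("vendor-dd-completion", 98.0, 95.0, 90.0,
                                "rising-is-better")
HISTORY = [("2024-Q1", 97.0), ("2024-Q2", 93.5), ("2024-Q3", 89.0),
           ("2024-Q4", 88.0), ("2025-Q1", 87.5), ("2025-Q2", 96.0)]

if __name__ == "__main__":
    for period, value in HISTORY:
        print(period, value, status(VENDOR_DD, value))
    print("findings opened in:", periods_opening_finding(VENDOR_DD, HISTORY))
```
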

Sources of measurement

An indicator’s measurements come from one of several sources, configured in the definition:

  • Monitor result — the measurement is derived from a monitor’s pass rate or count.
  • Assessment result — the measurement is derived from one or more assessment outcomes.
  • Module signal — the measurement is a count or rate from another governance module (open finding count, evidence claim validity rate, etc.).
  • Manual — the measurement is entered by a person each period.
  • Formula — the measurement is computed from other indicators or values.
  • External — the measurement is pushed in from outside the workspace.

The source choice depends on what produces the underlying signal. A KPI tied to a monitor uses monitor-result; a maturity score driven by a quarterly assessment uses assessment-result; a KRI from an external risk model uses external.

What you’ll see in the product

Indicators lives under Governance → Indicators in the workspace.

The Indicator definitions list shows every indicator with its kind, current value, target, threshold status (within target / warning / breach), and the trend chart over recent periods.

Inside an indicator, you see:

  • The definition (subject, source, target, thresholds, breach policy).
  • The full measurement history.
  • A trend chart over various time windows.
  • Linked sources (the monitor, assessment, or module the measurements come from).
  • Linked findings (the ones generated by past breaches).
  • Activity history.

Scorecards are rollup views that group indicators by management system, framework, scope, or organization. These are the views audit committees and boards consume.

Every definition change and every measurement is captured in the workspace Audit Log.

Common workflows

Defining a new indicator

  1. Indicators → New indicator definition. Pick the kind, subject, title, key.
  2. Configure the source (which module/monitor/assessment/formula provides measurements).
  3. Set target, thresholds, trend policy, breach policy.
  4. Assign an owner.
  5. Activate; measurements start accumulating per the source.

Reviewing a quarterly scorecard

  1. Filter Indicators by management system or scope.
  2. Open the scorecard view.
  3. Review each indicator’s current value, position relative to target, and trend.
  4. Drill into indicators showing warning or breach states.
  5. Export for the audit committee.

Investigating a breach

  1. The breach surfaces in the inbox and (if the breach policy fires) creates a finding.
  2. From the indicator’s detail page, see the measurement that crossed the threshold.
  3. Trace back to the source (which monitor, which assessment, which formula).
  4. Address the underlying cause; close the finding when the indicator returns within target.

Retiring an indicator

  1. Mark the definition as retired.
  2. Historical measurements remain visible; no new measurements accumulate.
  3. Scorecards no longer include the retired indicator.

Looking for the API?

See Indicators API reference for the v1 REST endpoints to read indicator definitions and measurements from an external system.

  • Monitoring - monitor pass rates often feed KCIs.
  • Assessments - assessment outcomes often feed KPIs and maturity indicators.
  • Risks - KRIs track risk posture over time.
  • Controls - KCIs often summarize control effectiveness.
  • Management Systems - program-level objectives often have indicators.
  • Findings - breach policies typically open findings.
  • Evaluation Models - indicators can score against an evaluation model.