Risk Management & KRIs
The Risk Management section provides a structured framework for identifying, categorizing, and quantitatively tracking enterprise risks. It uses a three-level hierarchy (Category > Risk > KRI) with automatic status aggregation from the bottom up.
Risk Categories
RWRD provides eight standard risk categories that cover the typical enterprise risk landscape:
| Category | Description |
|---|---|
| Strategic | Risks related to business model, strategy, and long-term planning |
| Operational | Risks from day-to-day operations, processes, and service delivery |
| People & Culture | Risks related to workforce, talent, culture, and organizational health |
| Technology | Risks from IT systems, cybersecurity, data management, and digital infrastructure |
| Legal & Compliance | Risks from regulatory requirements, legal obligations, and contractual commitments |
| External | Risks from external factors outside direct control that require monitoring |
| Financial | Risks related to financial health, reporting accuracy, and capital management |
| ESG | Environmental, social, and governance risks related to sustainability |
When using AI-powered onboarding, these categories are pre-populated with industry-relevant risks and KRIs. When adding a new category manually, clickable chip suggestions appear showing the standard categories that have not yet been added, allowing you to pre-fill the name and description with a single click.
You can also create custom categories beyond the eight standard ones by typing your own name in the Category Name field.
Risk Structure: Category, Risk, KRI Hierarchy
The risk framework has three levels, each with its own purpose:
Risk Category (top level)
- A broad domain of risk (e.g., "Technology," "People & Culture")
- Contains one or more individual risks
- Its RAG status is automatically aggregated from the statuses of its child risks
Risk (middle level)
- A specific risk within a category (e.g., "Cybersecurity," "Talent & Retention")
- Has an optional severity rating (Low, Medium, High, Critical)
- Contains one or more Key Risk Indicators (KRIs)
- Its RAG status is automatically aggregated from the statuses of its child KRIs
Key Risk Indicator / KRI (bottom level)
- A quantitative, measurable metric that tracks a specific risk (e.g., "Employee Turnover Rate," "Mean Time to Patch")
- Has configurable thresholds that define green/yellow/red zones
- Has a directional logic (higher-is-better or lower-is-better)
- This is where actual data entry happens -- you enter current values and the system calculates status
The hierarchy flows upward: KRI values determine KRI status, KRI statuses aggregate into risk status, and risk statuses aggregate into category status. You never manually set the status of a risk or category -- it is always computed from the data below.
The Sunburst Visualization
The risk section features a sunburst chart -- a multi-ring circular visualization that displays the entire risk hierarchy at a glance.
Reading the sunburst:
- Inner ring: Risk categories (8 segments for the standard categories)
- Outer ring: Individual risks within each category
- Segment colors: Each segment is colored by its computed RAG status (green, yellow, red, or gray for "not tracked")
Click any segment to drill into that category or risk, opening the details panel (see Risk Details Panel).
The sunburst description reads: "This sunburst shows your complete risk hierarchy. Inner ring = categories, outer ring = risks. Colors update live as you configure KRI thresholds and values."
When all KRIs are unconfigured (baseline mode), the entire sunburst appears in gray, accurately reflecting that no risk tracking is active yet.
Adding and Editing Categories, Risks, and KRIs
Adding a new category:
- Click the Manage button in the risk section header.
- In the Risk Manage Modal, click Add Category.
- Choose from the standard category suggestions (chips) or type a custom name.
- Optionally add a description.
- Click Add Category.
Adding a new risk:
- Open a category in the details panel by clicking it on the sunburst or in the Manage modal.
- Click Add Risk.
- Select the parent category, enter a risk name and description.
- Optionally set a severity rating (see Severity Ratings).
- Click Add Risk.
Adding a new KRI:
- Open a risk in the details panel.
- Click Add KRI.
- Configure the KRI (see KRI Configuration for full details).
- Click Add KRI.
Editing: Click any existing category, risk, or KRI to open its modal pre-filled with current values. Admins can edit all structural elements. Contributors can update values and action plans for KRIs they own.
Deleting: Admins can delete categories (and all their child risks and KRIs), risks (and all their child KRIs), or individual KRIs. Each deletion requires a confirmation dialog.
KRI Configuration
The KRI Modal (titled "Edit Key Risk Indicator" for existing items, "Add Key Risk Indicator" for new ones) is the most detailed configuration screen in the risk section.
Live status preview: At the top of the modal, a live preview shows the KRI name, current value with unit, and a status dot that updates in real time as you change values and thresholds.
Structural fields (Admin only):
- Risk Category -- The parent category (dropdown)
- Risk -- The parent risk within that category (dropdown, filtered by selected category)
- KRI Name (required) -- e.g., "Employee Turnover Rate," "Patch Deployment Time"
- Description -- What this KRI measures
- Unit -- The unit of measurement (e.g., "%," "days," "count")
- Direction -- A segmented toggle between "Higher is better" and "Lower is better." This controls how thresholds are interpreted:
  - Higher-is-better: Green when value >= green threshold, Red when value < yellow threshold
  - Lower-is-better: Green when value <= green threshold, Red when value > yellow threshold
- Threshold Configuration -- Three numeric fields defining the green, yellow, and red zones. A description below the fields explains the current logic (e.g., "Higher values are better. Green >= 95, Yellow >= 85, Red < 85"). When AI suggestions are available from onboarding, they appear as a hint line (e.g., "AI suggested: Green 95, Yellow 85, Red 70").
- Measurement Interval -- How often this KRI is measured: Daily, Weekly, Monthly, Quarterly, or Annually. This drives the period selector in the Current Measurement section.
Current measurement (Admin + Owner):
- Period -- Automatically adapts to the measurement interval:
  - Daily: A date picker
  - Weekly: Week number with Monday date (e.g., "Week 12 (Mar 18)")
  - Monthly: Month name (e.g., "March")
  - Quarterly: Quarter label (e.g., "Q1 (Jan-Mar)")
  - Annually: "Annual"
- Year -- The measurement year
- Current Value -- The numeric value to record
Owner assignment and update schedule (Admin only):
- Assigned Owner -- Select from organization members who are Contributors or Admins. An "Invite a team member" link is available if you need to add someone.
- Update Frequency -- How often the owner should update the value (Weekly, Bi-weekly, Monthly, Quarterly). Changing this automatically recalculates the next update due date.
- Next Update Due -- A date picker for the expected next update
- Auto-remind -- Toggle to enable automatic reminders for the owner
- Last updated -- Shows the timestamp and name of the person who last updated the value
Status notes (Admin + Owner):
- Free-form text field for context about the KRI's current state, risk factors, or mitigation efforts
- Example: "Turnover increased due to market conditions. Action plan in progress..."
Update history:
- Shows the most recent 5 updates with date, notes (or value change), and who made the change
Action plans (Admin + Owner):
- Same system as financial metrics (see Action Plans): description, assignee, due date, and status (On Track, At Risk, Completed, Blocked, Overdue)
AI rationale (read-only):
- When a KRI was generated by AI during onboarding, its original rationale is displayed as a teal-bordered quote. This explains why the AI recommended tracking this particular indicator.
Permission model:
- Admin: Can edit everything
- Owner (Contributor assigned to this KRI): Can update value, notes, and action plans. Cannot change thresholds, direction, or ownership. A green banner at the top confirms: "You are the owner of this KRI."
- Others: Read-only
When you save a KRI with a current value and reviewed thresholds, RWRD activates RAG status tracking for that KRI.
KRI Baseline Pattern
When KRIs are generated by AI during onboarding, they start in a baseline state (not yet configured with a current value). This mirrors the financial metric baseline pattern.
What baseline KRI cards look like:
- Gray border and background (muted appearance)
- An amber "Set value" pill badge
- Values labeled as "AI Suggested" rather than "Current"
- Suggested thresholds displayed for reference
- A "Click to configure" call-to-action
Transitioning to active: When you open a baseline KRI and save it (entering a current value and reviewing thresholds), the KRI transitions to active mode:
- The KRI is marked as configured and begins tracking
- The card displays in full color with live RAG status
- The KRI begins contributing to its parent risk's aggregated status
This design prevents false signals from unconfigured AI suggestions. A risk with 3 AI-suggested KRIs that have not been reviewed will show gray ("not tracked") rather than misleading green.
How Risk RAG Status Aggregates
RAG status flows upward through the hierarchy using a standardized aggregation formula. The same formula is used at both the risk level (aggregating KRI statuses) and the category level (aggregating risk statuses).
How aggregation works:
Given a set of tracked statuses (items that have not yet been configured are excluded from the calculation):
- If a significant proportion of items are in the red zone, the aggregate status is Red
- If any red items exist, the aggregate is at least Yellow
- If a significant proportion of items are in the yellow zone, the aggregate is Yellow
- If all tracked items are green, the aggregate is Green
- If no items have been configured yet, the status is None (gray)
The aggregation uses proportional thresholds to determine when the concentration of at-risk or critical items is enough to elevate the overall status. This prevents a single outlier from dominating the aggregate while still ensuring that any critical item gets attention.
Key detail: Only KRIs that have been configured with thresholds and a current value are included in the aggregation. Unconfigured KRIs are excluded. This means a risk with 5 AI-suggested KRIs where only 1 has been configured will aggregate based on that single KRI, not all 5.
At the category level, the same formula applies but operates on risk statuses rather than KRI statuses. A risk's status is itself an aggregation of its KRI statuses.
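The Direction rules from KRI Configuration and the roll-up rules above, written out as an added sketch (not RWRD's own code). The page gives no numbers for "a significant proportion", so `RED_SHARE` and `YELLOW_SHARE` are assumed values, as are the function names, the threshold consistency check, the choice that a yellow share below the cut-off leaves the aggregate green, and the constructed sample data.

```python
from collections import Counter

# Assumed cut-offs: the page says "a significant proportion" without numbers.
RED_SHARE = 0.5     # hypothetical share of red children that turns the parent red
YELLOW_SHARE = 0.5  # hypothetical share of yellow children that turns it yellow


def kri_status(value, green, yellow, higher_is_better, configured=True):
    """Status of one KRI per the Direction rules; None means baseline (gray)."""
    if not configured or value is None:
        return None
    if not higher_is_better:
        # Mirror the axis so a single comparison covers both directions.
        value, green, yellow = -value, -green, -yellow
    if green < yellow:
        # Added sanity check: thresholds must be ordered for the direction.
        raise ValueError("thresholds are inconsistent with the chosen direction")
    if value >= green:
        return "green"
    return "yellow" if value >= yellow else "red"


def aggregate(statuses):
    """Roll child statuses up one level; untracked (None) children are excluded."""
    tracked = [s for s in statuses if s is not None]
    if not tracked:
        return None  # nothing configured yet
    counts = Counter(tracked)
    if counts["red"] / len(tracked) >= RED_SHARE:
        return "red"
    if counts["red"] > 0:
        return "yellow"  # any red lifts the parent to at least yellow
    if counts["yellow"] / len(tracked) >= YELLOW_SHARE:
        return "yellow"
    return "green"  # assumption: a small yellow share does not lift the parent


def category_status(risks):
    """Category status = aggregate of each risk's aggregated KRI statuses."""
    return aggregate(aggregate(kris) for kris in risks.values())


# Constructed sample category: two risks, values are illustrative only.
SAMPLE_CATEGORY = {
    "Cybersecurity": [
        kri_status(12, green=7, yellow=14, higher_is_better=False),  # days to patch
        kri_status(96, green=95, yellow=85, higher_is_better=True),
        kri_status(None, 95, 85, True, configured=False),  # AI-suggested baseline
    ],
    "Data Management": [kri_status(70, green=95, yellow=85, higher_is_better=True)],
}
```
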
Severity Ratings
Every risk can have an optional severity rating, selected using a 4-column color-coded chip grid:
| Severity | Color | When to Use |
|---|---|---|
| Low | Green | Minimal impact if the risk materializes |
| Medium | Yellow | Moderate impact, manageable with existing controls |
| High | Orange | Significant impact, requires active mitigation |
| Critical | Red | Severe impact, could threaten business continuity |
Click a severity chip to select it. Click it again to deselect (severity is optional). The selected chip receives a bold highlight with a ring indicator for clear visual feedback.
Severity ratings are informational -- they do not directly affect the RAG status calculation. RAG status is always computed from KRI thresholds and values. Severity provides qualitative context that complements the quantitative KRI data.
During AI-powered onboarding, the AI assigns severity ratings to each discovered risk based on its analysis of your company and industry. These ratings can be adjusted at any time.
AI Insight Fields
When risks are generated by AI during onboarding, three read-only insight fields are preserved on the risk:
AI Severity Analysis -- The AI's explanation for why it assigned a particular severity rating. Displayed in a teal-accented panel with a sparkle icon.
- Example: "Critical severity assigned due to Volkswagen's diesel emissions scandal history and ongoing regulatory scrutiny across multiple jurisdictions."
Industry Context -- Contextual information about how this risk relates to your industry. Displayed in an amber-accented panel with an info icon.
- Example: "In the automotive manufacturing sector, regulatory compliance is a top-3 risk factor, with average fine costs exceeding $500M for major violations."
Source Quote -- A relevant quote from the analyzed source material. Displayed as an indented blockquote.
- Example: "The company faces ongoing investigations in multiple jurisdictions related to its diesel emissions compliance programs."
These fields are not editable from the Risk Modal. They are populated during AI analysis and preserved across edits. When no AI analysis is available, each section shows "No AI analysis available yet" or "No industry context available yet" in italic gray text.
Risk Details Panel
When you click a category or risk on the sunburst chart (or in the Manage modal), the Risk Details Panel opens alongside the sunburst, showing detailed information about the selected item.
Category detail view:
- Category name and description
- A computed status dot (auto-calculated, with "Auto-calculated" label)
- A count summary: "N risks with M of K KRIs configured"
- A 3-color KRI stat box summary showing the count of green, yellow, and red KRIs across all risks in the category
- A status distribution bar showing the proportion of tracked risk statuses (green/yellow/red/none segments)
- A list of all risks in the category, each with its own status dot
Risk detail view:
- Risk name, description, and severity badge
- A computed status dot with the aggregation explanation
- A distribution showing green/yellow/red/none KRI counts
- A list of all KRIs in the risk, each with:
  - Status dot
  - KRI name
  - Current value and unit
  - A click target to open the KRI modal
Baseline KRIs in the details panel display with the muted gray treatment, amber "Set value" pill, and "AI Suggested" label, prompting you to configure them.
Color Dots, Not Text Labels
A deliberate design principle in the risk section: risk and KRI statuses are displayed as colored dots only, never as text labels like "On Track" or "Critical."
This is different from the financial metrics and OKR sections, which use text labels ("On Track," "At Risk," "Critical," "Not Tracked").
The reasoning: risk status colors mean what the user decides they mean in their organizational context. A red KRI in one organization might mean "investigate immediately" while in another it means "escalate to the board." By avoiding prescriptive text labels, RWRD lets each organization interpret the colors according to their own risk appetite and governance framework.
All risk status dots include aria-label attributes for accessibility (e.g., aria-label="Green status"), ensuring screen reader users can still identify the status.