Corrective: Designed to correct errors or irregularities that have been detected.

Preventive: Designed to keep errors or irregularities from occurring in the first place.

KCIs are used to answer the question:”Are our organization’s internal controls effective? Are we ‘in control’?”

Source : www.riskbasedperformance.com

KRIs are used to answer the question: “How is our risk profile changing and is it within our desired tolerance levels?”

Source : www.riskbasedperformance.com

KPIs are used to answer the question: “Are we achieving our desired levels of performance?”

Source : www.riskbasedperformance.com

Source : COSO Integrated Risk Management Framework

Source : BS31100:2008

Source : COSO Integrated Risk Management Framework

Source : COSO Integrated Risk Management Framework

Person or group concerned with, affected by, or perceiving themselves to be affected by an organisation.

Note: A decision maker is also a stakeholder

Source : BS31100:2008

Note 1: Risk treatment can involve: avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk; seeking an opportunity by deciding to start or continue with an activity likely to create or enhance the risk; removing the source of the risk; changing the nature and magnitude of likelihood; changing the consequences; sharing the risk with another party or parties; and retaining the risk by choice.
Note 2: Risk treatments that deal with negative consequences are sometimes referred to as risk mitigation, risk elimination, risk prevention, risk reduction, risk repression and risk correction.

Source : BS31100:2008 [ISO Guide 73]

Note: This might be achieved through legislation, contract, insurance or other means.

Source : BS31100:2008