Overview
Operational risk materializes before it fails. The patterns that precede a missed compliance deadline, a failed audit, or a customer escalation are usually visible days or weeks earlier, if someone is tracking the right signals. Most organizations aren't. They measure outcomes. By the time the outcome is bad, the window for easy intervention has closed.
Most teams measure outputs: audit pass or fail, NPS, quarterly revenue. The operational metrics that would have predicted those outcomes earlier remain invisible, because they require a structured execution layer to even exist as data. The 12 KPIs below are derived directly from Cadenio Flow data, with no additional tooling required once runs are configured with proper SLAs and evidence fields.
Execution velocity KPIs (1–3)
Average cycle time per Flow type is the baseline, without it, nothing else is comparative. A sustained increase above 20% usually means one of three things: resource degradation, process confusion, or a structural bottleneck. It's worth diagnosing which before you call a team meeting about it.
Watch how long it takes for the first task to be picked up after a run opens. When that gap exceeds 24 hours, assignment is usually the problem, either nobody knew it was theirs or nobody was watching. First-task latency is often the earliest signal you'll get that a run is headed for trouble.
On-time completion rate against SLA is the most-watched number, and the most misleading when tracked as a single average. Any Flow type sitting below 90% consistently deserves a root-cause conversation, not just a push from management. The per-Flow breakdown is where the useful signal lives; the aggregate number hides it.
Approval health KPIs (4–6)
Tracking approval turnaround by gate and by approver surfaces something most ops leaders already suspect but can rarely prove: who is the throughput bottleneck. An approver with consistently slow turnaround isn't necessarily a performance problem, they may just be overloaded. The data makes that a factual conversation instead of a political one.
Rising rejection rates at a specific gate almost never mean the reviewer is too strict. They mean something upstream is broken. If the legal review gate starts rejecting 30% of submissions, the submission template needs a redesign, not the legal team. Rejection rates are one of the few metrics that point to a process step you haven't fixed yet.
Loop-back rate tracks how often a rejected task cycles back to the same reviewer without actually being resolved. Above 15%, this stops being an execution problem and becomes a design one: the rejection criteria aren't clear enough for whoever is upstream to know what a good submission looks like.
Evidence completeness KPIs (7–9)
Mandatory field completion rate at run close sounds basic until you actually check it. Below 97% on a compliance-critical Flow isn't a small gap, evidence is being skipped regularly, and those skips compound into audit exposure. Worth noting: this metric only exists if your template actually enforces those fields. If you can't measure it, the first problem to fix is the template.
Late evidence attachment, tasks closed first, proof added afterward, is the compliance equivalent of backdating. It erodes audit trail integrity and reliably signals that deadline pressure is outrunning evidence discipline. When this spikes near quarter-end, you can usually predict an audit finding before the auditor shows up.
A single exception in a run is an incident. The same exception recurring across five or ten runs is a template problem. Exception log frequency by Flow type separates one-off incidents from structural gaps, and tells you which steps keep generating problems regardless of who is running them.
Escalation and SLA risk KPIs (10–12)
SLA alert frequency by Flow type shows which processes are consistently failing their own declared targets, before those failures appear in an audit report. Consistently high alert frequency on the same Flow is the data you need for a capacity or redesign conversation. When alerts keep firing and nothing changes, that silence is also telling you something about escalation culture.
How quickly someone acknowledges an SLA alert tells you more about escalation culture than any survey. Above 4 hours on compliance-critical Flows, that gap stops being an individual behavior issue and starts being a governance problem that auditors can find independently.
Runs that exceed twice their baseline cycle time need individual attention, these aren't statistical outliers, they're runs in active distress. Aggregate analysis won't help here; each one has a specific breakdown that needs to be named. Tracking these three escalation KPIs together gives you the closest thing to a live compliance risk signal that operational data can produce.
How to read KPI combinations
None of these metrics mean much in isolation. The diagnostic value is in the combinations. When approval turnaround spikes but rejection rates fall, approvers are probably clearing work under pressure without reviewing closely. When cycle time climbs alongside late evidence attachment rates, teams are marking tasks complete before the evidence exists. Single metrics surface symptoms. Patterns tell you what's actually wrong.
Build a monthly review where each category gets at least one decision output, not a status update, an actual decision. The hard part is never the dashboard. It's the discipline to act on early warning signals before they show up in an audit findings report.