  • Monitoring and Review Using...
    Antonucci, Domenic

    The Cyber Risk Handbook, 2017, 2017-04-19
    Book Chapter

    Cyber events, and subsequent losses, can impact an organization's highest objectives, especially if a strong enterprise‐wide risk management program is not in place. This chapter discusses design considerations for effective key risk indicators (KRIs), particularly for board and senior management. Each of these KRI examples may also be separately categorized in one of four categories: incident counts, loss magnitude data, threat data, or control data. Risk that an organization faces at the highest levels, organizational risk, can have a direct impact on a company's profit and loss (P&L). The objective of a strong KRI program is to improve decision making within the organization. Such a program should include several metrics to evaluate inherent risk and residual risk. The 2013 data breach of retailer Target is used as a case study.