Dimitrios Zampelis
Systems · Tier-1 Investment Bank

KRI Assessment & Survey Management Platform

Designing the data relationships behind a governed risk cycle, so every change surfaces its impact before it commits.

Launched

Confidential (Internal tool)

Role

Lead UX / Product Designer

Team

Risk & Control stakeholders, Reporting Oversight, Product Owner / BA, Engineering

Project context

Designing a monthly Key Risk Indicator (KRI) assessment workflow for a global bank, moving fragmented survey management out of Excel and email into a governed portal. The goal was to enable oversight teams to configure, distribute and validate KRI surveys at scale while maintaining a complete audit trail for regulatory expectations.

Impact

3,000+
regulatory report submissions per year now governed through a single portal instead of six Excel workbooks and email threads.
~2 min
to confirm an all-clear cycle of 100+ reports. The previous process required reviewers to open or confirm every line individually.
Days → minutes
to change survey questions or logic: from a developer release cycle to permissioned self-service configuration.
1 export
to evidence a full cycle for internal audit, replacing days of reconstructing decisions from emails and spreadsheet versions.

Survey definitions moved from uncontrolled spreadsheets into self-service configuration with clear ownership and permissions. Exceptions are captured as structured, comparable data, and bulk positive submissions are supported without sacrificing control or traceability.

i

Confidential project (NDA)

This case study is anonymised. I can discuss my responsibilities and design decisions in more detail during a call.

Anonymised KRI assessment dashboard
01

Clear assessment context: The header, tabs, assessment ID and "In progress" status make it obvious which KRI cycle the user is working on, reducing the risk of updating the wrong period or dataset.

02

Scoped reports in view: The "Reports in scope" panel on the left keeps the active set of reports visible and filterable, so users always know exactly what is included in this assessment without juggling external lists.

03

Structured KRI check cards: Key questions (e.g. regulatory submissions, new/amended rules) are presented as consistent cards with clear Yes/No patterns, turning a long flat form into a guided flow that's easier to complete and review.

04

Controlled submission & auditability: A single, prominent "Submit assessment" action finalises responses for that cycle, ensuring changes are captured in one place and can be evidenced for audit instead of spread across emails and spreadsheets.

We were asked to turn a fragile monthly KRI survey process into a governed assessment experience.

The bank's Reporting Oversight team coordinated monthly KRI surveys across hundreds of regulatory reports using Excel workbooks and manual email follow-ups. Survey questions, routing lists and responses were spread across multiple files with no single source of truth. I led the design of a KRI assessment module within the existing risk portal so that survey definitions, assignments and submissions could be maintained centrally, completed efficiently, and defended confidently in front of auditors and regulators.

PROBLEM 01

Fragmented survey definition: Survey questions and allowed responses lived in large Excel workbooks. Updating wording, logic or mandatory fields meant editing multiple sheets and redistributing files, introducing errors and version risk.

PROBLEM 02

No single source of truth for contacts: KRI invitations relied on manually maintained "golden source" contact lists in Excel. Aligning respondents, divisions and report owners across cycles was slow, error-prone and dependent on a few individuals.

PROBLEM 03

Inefficient exception handling: Exceptions (late submissions, penalties, resubmissions) were captured inconsistently via free-text emails and unstructured cells. Identifying which reports had issues, and why, was painful for both oversight and control teams.

PROBLEM 04

No scalable way to handle volume: When an assessment covered 100+ reports, reviewers had to touch every line, even when only one or two had issues. There was no way to quickly confirm "all clear" submissions while capturing detailed information only where there were exceptions.

Understanding the Reporting Oversight lead

Before designing screens, I modelled the needs of the Reporting Oversight role responsible for orchestrating the monthly KRI cycle. This persona highlighted goals (timely, accurate submissions), responsibilities (configuring surveys, chasing responses, managing issues), tools in use (Excel, email, Power Apps), and frustrations (manual follow-ups, no audit trail, duplicated contact management). This artefact aligned risk, product and engineering stakeholders on who we were really designing for.

A
Alex
Reporting Oversight Lead
Composite persona. Details anonymised for confidentiality.
Goals
  • Timely, accurate completion of all in-scope KRI assessments.
  • Single, trusted view of status, owners, and issues.
  • Ability to evidence controls quickly for audit/regulators.
Responsibilities
  • Configure and launch monthly KRI surveys.
  • Coordinate report owners and delegates across regions.
  • Monitor submissions, chase gaps, review exceptions.
Needs
  • Governed place to manage questions and rules.
  • Clear overview of assessments and their states.
  • Structured capture of exceptions and remediation.
Pain points
  • Heavy reliance on Excel and email chases.
  • Manual, duplicated "golden source" contact lists.
  • Hard to aggregate and explain exceptions at scale.

The legacy approach: offline surveys and brittle configuration

The existing solution combined a static portal view with offline configuration. KRI questions and answer rules were stored in complex Excel workbooks; administrators manually interpreted them when creating surveys. Regional details and respondent mappings were hard-coded or updated by developers. As the volume of reports and respondents grew, this model became unsustainable and risky.

Original survey submission interface
Legacy configuration workbook
Problem 01

Survey logic locked in spreadsheets: No direct link to the live experience.

Problem 02

Critical rules expressed in comments: Instead of enforceable configuration.

From spreadsheet rules to self-service assessment configuration

I designed an "Assessment Configuration" workspace where authorised users can define KRI questions directly in the portal, instead of in offline workbooks. Each row represents a question with its owner, grouping, tooltip, mandatory flag, dependencies and applicable report types. A lightweight edit pattern (right-hand side panel) lets administrators adjust questions without leaving the list context. This mirrors familiar spreadsheet workflows while ensuring every configuration change is captured, permissioned and instantly reflected in future assessments.

Anonymised KRI assessment dashboard
01

Centralised assessment library: The main grid acts as a single source of truth for all assessment questions (230 rows at the time of this screen), with no scattered Excel tabs.

02

Ownership and visibility per question: Columns for Risk Assessment, Question Owner and Group make accountability explicit and make it easy to filter who owns what.

03

In-context editing drawer: Selecting "Edit" opens a side panel beside the table, so admins can update a question without losing their place or context.

04

Rules as configuration, not comments: Fields like Mandatory/Optional, tooltip, and "When 'No' is selected…" turn business logic into structured data the system can enforce downstream.

Designing the data relationships, not just the screens

The configuration workspace is the visible layer of a more structural piece of design work. Before the screens existed, I worked through what had to exist as governed, related data for the system to behave safely: questions belong to groups; groups apply to report types; report types map to reports, each carrying its control ID, division and country; reports have owners and respondents; and questions can depend on other questions through conditional logic such as "When 'No' is selected". Exceptions are their own typed records, linked to specific reports, with category, root cause and remediation owner.

Mapping these relationships with the product owner and engineering changed the design conversation. A question is not a row of text: it is an entity referenced by live and future assessments. Editing its logic, mandatory flag or report-type mapping is never a local change, so the interface had to surface the downstream impact of a change before it was committed, not after it had broken an open cycle.

Assessment domain model: governed configuration, report inventory and monthly cycle entities, with references, conditional dependencies and change cascades between them.
01

Dependencies as first-class data: Conditional logic is captured as structured relationships between questions, not free-text instructions in a workbook, so the system can route, validate and enforce it downstream.

02

Impact before commit: When an administrator edits a question, the design surfaces what the change touches (which report types, divisions and open assessment cycles reference it) and asks for explicit confirmation before the change lands.

03

A clear designer/engineer boundary: I specified which relationships had to exist and designed how impact surfaced to the person making the change. Engineering owned the traversal, storage and enforcement behind it.

04

Screens stay simple because the model is right: Most of the visible simplicity (positive-by-default, scoped reports, structured exceptions) is only possible because the underlying relationships make those states unambiguous.

Risk Portal user.name Inventory Configuration Assessment Configuration Edit Risk Assessment Question Owner Assessment Group Assessment Question Tooltip Status Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Regulatory Reportinguser.name@bank.comGroup PlaceholderQuestion PlaceholderOn Total Rows: 230 Edit Assessment Question Risk Assessment * Regulatory Reporting Question Owner * user.name@bank.com Assessment Question * Question Placeholder Mandatory Optional When 'No' is selected Select Reports with issues Rationale Issue Tracking System new Tooltip Description * Mandatory Regulatory ✕ Cancel Save ! Review impact before saving You are changing the conditional logic of this question. Change · When "No" is selected: also require Issue Tracking System reference 3 report types reference this question Regulatory Reporting · XFO KRI Reporting · 1 more 3 2 divisions affected Risk and Prevention · Group Operations 2 1 open assessment cycle uses the current logic KRI-327 · In progress · Risk and Prevention 1 Submitted responses are not changed. The update applies to assessments created after you confirm. Cancel Confirm change Anonymised · illustrative example

Designing an overview and workspace that scale with the KRI cycle

To support continual monthly cycles and growing volumes, I introduced a two-level structure: an overview of all KRI assessments, and a focused workspace for completing each one.

Anonymised KRI assessment dashboard
01

Portfolio view for the KRI function: Single overview of all KRI assessments with filters for type, division and status, replacing multiple tracking sheets.

02

Immediate visibility of risk & effort: Columns highlight where gaps or issues exist so oversight can prioritise reviews instead of scanning every assessment manually.

At the top level, the KRI Assessments Overview gives Reporting Oversight and Inventory Owners a single view of every active and historical assessment. Filters for report type, division and status, combined with sortable columns, make it easy to see where attention is needed. Each row surfaces key signals such as number of reports in scope and whether any gaps or issues have been identified. From this list, users can either start a New KRI Assessment or select an existing Assessment ID to open the detailed workspace. This keeps navigation simple: one command centre, many assessments, no hunting through spreadsheets or deep navigation trees.

Anonymised KRI assessment dashboard
01

Clear assessment context: The KRI-327 label, active tab, and "In progress" status at the top make it obvious which assessment the user is working on, reducing the risk of updating the wrong cycle.

02

Scoped reports in view: The Reports panel on the left shows exactly which report sets are in scope (e.g. Regulatory reporting, New/Amended rules), so users don't need external lists to know what they're attesting for.

03

Guided assessment cards: Each check is presented as a focused card with clear wording and Yes/No controls, turning a long form into a readable, consistent assessment flow.

04

Controlled submission: A single Submit assessment action in the header finalises responses for that KRI, ensuring everything is captured in one governed place for audit.

The KRI Assessment workspace then provides the structured environment for that specific assessment. Users see the relevant reports in scope and complete the configured questions through consistent card-based patterns. This flow ensures that:

  • every assessment is created from governed configuration (no one-off forms),
  • roles and permissions are visible,
  • and the entire process (from configuration to submission) is captured in a single, auditable experience.

Exception-first design for large volumes

A key requirement was to support scenarios where a reviewer is responsible for more than 100 reports, but only a handful have issues. The previous process forced them to open or confirm each line individually.

Anonymised KRI assessment dashboard
01

Scale-friendly list: A searchable, scrollable list with checkboxes allows users to quickly pick exceptions from hundreds of reports.

02

Select-all with control: The "Select all" option speeds up bulk scenarios while still allowing users to adjust individual rows, balancing efficiency and accuracy.

03

Clear selection feedback: The "Selected X" indicator and chosen chips confirm exactly which reports are flagged before the user moves on.

04

Direct handoff to details: Once reports are selected, only those items generate detail panels in the next step, keeping the flow tight and avoiding noise for clean submissions.

Anonymised KRI assessment dashboard
01

Explicit exception path: Only when "Yes" is selected do we reveal the exception controls, keeping the default "all good" path simple for most users.

02

Targeted report selection: The "Select reports with exceptions" multi-select lets users mark only impacted reports, instead of touching every report in scope.

03

Structured exception details: For each selected report, a focused panel captures ID, dates, country and exception type as structured fields, making issues traceable and comparable.

04

Positive-by-default clarity: Helper text (or label copy) makes it clear that all unselected reports are treated as submitted without exceptions, drastically reducing clicks while avoiding ambiguity.

I designed an exception-first pattern:

  • The user is asked whether there were any reports submitted with exceptions (late, resubmitted, penalties, etc.).
  • If they select "Yes", a searchable multi-select dropdown lists all reports in scope. The reviewer only selects those with exceptions.
  • As they confirm exceptions, the interface clearly states that all unselected reports in this set will be treated as "submitted without exceptions".
  • For each selected report, an inline or side-panel form captures the required details (exception type, root cause, remediation owner), ensuring consistent data.

This design means reviewers touch only the minority of problematic reports, while the system safely assumes positive submissions for the rest, with a transparent rule and complete audit trail.

Decisions and trade-offs

Three calls shaped the design more than any individual screen.

01

Positive-by-default over line-by-line attestation: Forcing reviewers to confirm every report individually felt safer to stakeholders but did not scale and bred rubber-stamping. I argued for the inverse: declare exceptions explicitly, treat the rest as clean under a transparent, on-screen rule, and let the audit trail record that rule. Efficiency without losing defensibility.

02

Side-panel editing over inline grid editing: Editing directly in the grid would have mimicked Excel, the exact behaviour we were retiring, and made accidental changes to governed data too easy. The side panel keeps list context, fits the full set of fields and dependencies, and makes every edit a deliberate act.

03

One command centre over per-division dashboards: Division-specific views were requested early, but would have fragmented the single source of truth the project existed to create. One overview with filters for type, division and status gives each group its slice without splitting the data.

04

Mirror the spreadsheet, don't fight it: The configuration grid deliberately keeps the mental model administrators already had (rows, columns, familiar scanning) while moving the dangerous parts (logic, permissions, versioning) into governed structure. Adoption beats novelty in a monthly regulatory cycle.

Testing with the people who run the cycle

I validated the design with the people who would live in it: moderated walkthroughs with five Reporting Oversight and control users, run over two rounds, followed by a pilot on one monthly cycle running in parallel with the legacy process. Three findings changed the design directly.

ROUND 1

The silent majority problem: Reviewers hesitated at the exception multi-select because it was not obvious what happened to the reports they did not pick. The explicit "all unselected reports are treated as submitted without exceptions" rule copy came directly out of this round.

ROUND 1

Excel habits die hard: Administrators clicked into grid cells expecting to type, as they would in a workbook. We made the per-row Edit affordance explicit and kept all changes inside the side panel, so governed fields could not be altered by accident.

ROUND 2

Selection confidence: Users wanted proof of what they had flagged before moving on. The "Selected X" counter and removable chips were added so the state of a bulk action is always visible and reversible.

PILOT

Fewer chases, cleaner data: In the pilot cycle, chase emails dropped to under half of the previous cycle's volume, and exceptions arrived as structured records instead of free text, removing the manual reconciliation step entirely.

Reflection

This work reinforced the importance of treating configuration, workflows and evidence as part of the same experience in regulated environments. The design work that mattered most was structural: deciding what had to exist as governed, related data (questions, dependencies, report types, exceptions) so that the screens above it could stay simple. By moving KRI surveys from offline artefacts into governed UI patterns, we reduced operational risk and made life easier for the people accountable for monthly reporting. For me, it was also a chance to blend product thinking (requirements, roles, rules) with hands-on interface design and close collaboration with engineering: exactly the mode of working I bring into consulting engagements.

← All case studiesInteractive version ↗