In the last decade, and due to a number of factors, including budget constraints caused by the economic crisis and the promotion of Free and Open Source Software - FLOSS by the brazilian federal government, public bodies have been increasingly using FLOSS both to cover own operational needs and to offer new and varied services to citizens. In this context, good governance rules suggest the establishment of the risk management process, which, in accordance with the ISO/IEC 27005 and ISO/IEC 31000 rules, broadly defines the context definition, analysis and risk assessment, risk management, communication, and critical risk monitoring and review of the organization’s assets. For the risk monitoring and review process, the COSO organization promotes the use of key risk indicators - KRI that help monitor alerts, changes in risk conditions, or new risks that may arise in the course of day to day operations. This article aims to present the theoretical framework for Risk management monitoring, review and improvement process of FLOSS applications using key risk indicators - KRI at a public agency.