You are on page 1of 24
Business Continuity Management Key Performance Indicator/Key Risk Indicator Mapping
Business Continuity Management
Key Performance Indicator/Key
Risk Indicator Mapping

Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates.

Roberta Witty

e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates. Roberta Witty
What Is the Value of an Exercise Machine?
What Is the Value of an Exercise Machine?
What Is the Value of an Exercise Machine? Source: The Real Business of IT: How CIOs

Source: The Real Business of IT: How CIOs Create and Communicate Value Richard Hunter and George Westerman, October, 2009, Harvard Business School Press

How CIOs Create and Communicate Value Richard Hunter and George Westerman, October, 2009, Harvard Business School
Key Issues
Key Issues

What do boards and line-of-business executives want from continuity of operations?

How do the risk-based disci lines im act corporate performance?

How can you present a defensible case for the value and effectiveness of BCM to an executive audience?

p

p

• How can you present a defensible case for the value and effectiveness of BCM to
How BCM Organizations Can Show Business Value
How BCM Organizations Can Show
Business Value

Business Context …

RUN the business

GROW the business

TRANSFORM the business

Actions …

• Stop spreading FUD — focus on business operations integration benefits

• Show value for money, meaning the right services at the right level of quality and the right price

• Position BCM as an investment in near- and long- term business performance

• Communicate BCM to the entire workforce

Source: The Real Business of IT: How CIOs Create and Communicate Value Richard Hunter and George Westerman, October, 2009, Harvard Business School Press

How CIOs Create and Communicate Value Richard Hunter and George Westerman, October, 2009, Harvard Business School
Case Study: What's the Value of Subsecond Response Time?
Case Study: What's the Value of
Subsecond Response Time?

Is it: "Why does IT cost so much?" — No

Time? Is it: "Why does IT cost so much?" — No It is: "How will slightly

It is: "How will slightly longer response times affect the value proposition as the paying customer perceives it?"

(because the board wants the most cost-effective level of resilience that the enterprise requires to fulfill its mission)

Source: The Real Business of IT: How CIOs Create and Communicate Value Richard Hunter and George Westerman, October, 2009, Harvard Business School Press

How CIOs Create and Communicate Value Richard Hunter and George Westerman, October, 2009, Harvard Business School
Key Issues
Key Issues

What do boards and line-of-business executives want from continuity of operations?

How do the risk-based disci lines im act corporate performance?

How can you present a defensible case for the value and effectiveness of BCM to an executive audience?

p

p

• How can you present a defensible case for the value and effectiveness of BCM to
Enterprise Risk Management Hierarchy
Enterprise Risk Management Hierarchy

Disciplines

Exposures

Specialists

Enterprise Risk Management ReputationReputation RiskRisk StrategicStrategic RiskRisk MarketMarket CreditCredit
Enterprise Risk Management
ReputationReputation RiskRisk
StrategicStrategic RiskRisk
MarketMarket
CreditCredit
OperationalOperational
RiskRisk
RiskRisk
RiskRisk
IT
Materials/Supplies
Customers
Operations
Interest Rates
Suppliers
Legal
Competition
Compliance
Compliance
BusinessBusiness
Economy
Currency
BusinessBusiness
IT
Liquidity
Finance
Legal
EA
Business Processes
PM
BCM
Marketing
Finance
App. Dev.
Supply Chain
Privacy
Product Management
Compliance
IT DRM
Security
Purchasing
AML
Sourcing
Compliance
Sales
Know Your Customer
Example 1: Key Performance Indicator
Example 1: Key Performance Indicator

Supply Chain

COO

The Business

Key Risk Inventory Indicator Negative Impact KPI Management Key supplier has a fire Inventory for
Key Risk
Inventory
Indicator
Negative Impact
KPI
Management
Key supplier
has a fire
Inventory for 5
days only
Manufacturing
slows after 3
days
Supplier On-
Time Delivery
Leading
Leading
Leading
Indicator
Indicator
Indicator
Order
That…
That…
That…
Fulfillment
Not
Met
Example 2: Key Performance Indicator
Example 2: Key Performance Indicator
IT DRM CIO The Business Key Risk Application Indicator Negative Impact KPI Failure Sole mainframe
IT DRM
CIO
The Business
Key Risk
Application
Indicator
Negative Impact
KPI
Failure
Sole
mainframe
programmer
on medical
leave
Pick list
application
Orders cannot
be fulfilled
Agreement
Effectiveness
Leading
Leading
Leading
Indicator
Indicator
Indicator
Miss
That…
That…
That…
the
Quarter
Key Issues
Key Issues

What do boards and line-of-business executives want from continuity of operations?

How do the risk-based disci lines im act corporate performance?

How can you present a defensible case for the value and effectiveness of BCM to an executive audience?

p

p

• How can you present a defensible case for the value and effectiveness of BCM to
Use Key Performance Indicators to Measure Operational Risk
Use Key Performance Indicators
to Measure Operational Risk

Risk Categories and Events

Gartner

Business

Value

Model

Fraud
Fraud

Damage

SafetyEvents G a r t n e r Business Value Model Fraud Damage Revenue Cost Profit

G a r t n e r Business Value Model Fraud Damage Safety Revenue Cost Profit
G a r t n e r Business Value Model Fraud Damage Safety Revenue Cost Profit
Revenue
Revenue
Cost
Cost

Profite r Business Value Model Fraud Damage Safety Revenue Cost Existing Approaches Bypass Operational Activities Determine

Existing

Approaches

Bypass

Operational

Activities

Fraud Damage Safety Revenue Cost Profit Existing Approaches Bypass Operational Activities Determine Financial Outcomes

Determine Financial Outcomes

Fraud Damage Safety Revenue Cost Profit Existing Approaches Bypass Operational Activities Determine Financial Outcomes
The Gartner Business Value Model: Think Operationally, Not Just Financially
The Gartner Business Value Model:
Think Operationally, Not Just Financially

Know the 6-12 metrics in the mind of every business manager

BUSINESS

AGGREGATES

 

PRIMES

 

ASPECT

   

Target Market

Market Coverage

Market Share

Opportunity/Threat

Market

Index

Index

Index

Index

Responsiveness

Product Portfolio

Channel

Configurability

 

Demand

Index

Profitability Index

Index

 

Sales Opportunity

Sales Cycle

Sales Close

Sales Price

Management

Sales

Index

Index

Index

Index

Effectiveness

Cost-of-Sales

Forecast

Customer

 
 

Index

Accuracy

Retention Index

Product Development Effectiveness

New Products

Feature Function

Time-to-Market

R&D Success

Index

Index

Index

Index

   

On-Time

Order Fill

Material

Service

Customer

Delivery

Rate

Quality

Accuracy

Responsiveness

Service

Customer Care

Agreement

Transformation

Supply

Performance

Performance

Effectiveness

Ratio

 

Supplier On-Time

Supplier Order

Supplier Material Quality Supplier Agreement Effectiveness

Supplier Service

Management

Supplier

Delivery

Fill Rate

Accuracy

Effectiveness

Supplier Service

Supplier Care

Supplier Trans-

 

Performance

Performance

formation Ratio

Operational

Cash-to-Cash

Conversion

Asset

Sigma

Efficiency

Cycle Time

Cost

Utilization

Value

 

Human

Resource

Recruitment Effectiveness Index HR Advisory Index

Benefits Administration Index HR Total Cost Index

Skill Inventory

Employee

Index

Training Index

Responsiveness

 

Support

Services

Information

Technology

Responsiveness

Systems

Performance

IT Support

Performance

Partnership

Ratio

Service-Level

Effectiveness

New Projects

Index

IT Total

Cost Index

 

Finance & Regulatory Responsiveness

Compliance

Accuracy

Advisory

Cost-of-Service

Index

Index

Index

Index

Key Performance Indicators
Key Performance Indicators

What is a KPI?

A key performance indicator is a nonfinancial leading indicator of business performance

Traditional financial metrics are trailing indicators

How can I develop KPIs?

Identify critical business processes and supporting applications

Do not focus exclusively on IT-centric KPIs

Sample KPIs for Resiliency

Opportunity/Threat Index

Customer Retention Index

R&D Success Index

On-Time Delivery

Service Performance

Agreement Effectiveness

Supplier On-Time Delivery

Supplier Service Performance

Supplier Agreement Effectiveness

Conversion Cost

Skill Inventory Index

System Performance

Service-Level Effectiveness

Advisory Index

Gartner provides a catalog of KPIs in "The Gartner Business Value Model" (G00139413)
Gartner provides a catalog of KPIs in
"The Gartner Business Value Model" (G00139413)
KPI Example: Supplier On-Time Delivery
KPI Example:
Supplier On-Time Delivery

Business Aspect: Supply Management

Aggregate

Measure: Supplier Effectiveness

Definition Calculation
Definition
Calculation
Example
Example
Applications Potentially Affected Primes
Applications
Potentially
Affected
Primes
Supplier on-time delivery measures the ability of the organization to select suppliers that can meet
Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its
expectations regarding the time it takes to satisfy a specific order or service request. The metric is
based on the organization's request date, not a negotiated date.
Supplier On-Time Delivery = Orders Received On Time Total Orders
Supplier On-Time Delivery = Orders Received On Time
Total Orders
During the past seven days, ABC Computers received 200 supplier shipments, of which 150 met
During the past seven days, ABC Computers received 200 supplier shipments, of which 150 met
their requested delivery date.
Supplier On-Time Delivery = 150 ÷ 200 = 75%
Supplier on-time delivery applies to product and service businesses. It is important as organizations look
Supplier on-time delivery applies to product and service businesses. It is important as organizations
look to manage inventory levels by controlling the timing of material receipts. The income statement
account most affected by supplier on-time delivery is operating expense.
Time-to-Market Index, On-Time Delivery, Order Fill Rate, Cash-to-Cash Cycle Time, Conversion Cost and Asset Utilization
Time-to-Market Index, On-Time Delivery, Order Fill Rate, Cash-to-Cash Cycle Time, Conversion
Cost and Asset Utilization
Availability Key Risk Indicators
Availability Key Risk Indicators

What is a KRI?

A key risk indicator is a leading indicator of risk to business performance

How can I develop KRIs?

Do not solely use operational metrics

Do not focus exclusively on IT-centric KRIs or availability

Sample KRIs for Resilience

• Customer renewals due to resilience

• % of suppliers with no BCM programs, or who can't recover in 12 weeks

• % of business units without a BCM coordinator

• % of mission-critical recovery plans not exercised within the last 12 months

• % of mission-critical business processes without a backup/recovery architecture to support their RTOs and RPOs

• % of new IT projects designed according to continuity and resiliency requirements

• % turnover of mission-critical IT personnel

• % of crisis management plans not exercised within the last three months

• % of BIAs older than 12 months

Gartner provides a starting point to develop availability KRIs in "A New Approach: Obtain Business
Gartner provides a starting point to develop availability KRIs in
"A New Approach: Obtain Business Ownership and Investment Commitment for Business
Continuity and Resilience Management Through Key Performance and Risk Indicator
Mapping" (G00171605)
KRI Example: Single-Source Supplier Availability
KRI Example: Single-Source Supplier
Availability

ERM Category: Operational Risk, Supply Chain

KPI: Supplier On-Time Delivery

Definition
Definition
Calculation Example
Calculation
Example
Potentially Affected KPIs
Potentially
Affected
KPIs
Single-source supplier availability measures the level of continuity available from mission- critical, single-source
Single-source supplier availability measures the level of continuity available from mission-
critical, single-source suppliers. A stable and controlled supply chain reduces risk of
manufacturing delays and outages, which can lead to breach of contractual obligations.
Single-Source Supplier Availability = Single-Source Suppliers With No BCM Program Total Number of Mission-Critical
Single-Source Supplier Availability =
Single-Source Suppliers With No BCM Program
Total Number of Mission-Critical Single-Source Suppliers
Out of 37 single-source suppliers, 11 have no BCM program or one that requires more
Out of 37 single-source suppliers, 11 have no BCM program or one that requires more than 12
weeks to recover.
Single-Source Supplier Availability = 11 / 37 = 30%
On-Time Delivery, Supplier On-Time Delivery, Customer Retention Index, Order Fill Rate, Service Performance
On-Time Delivery, Supplier On-Time Delivery, Customer Retention Index, Order Fill
Rate, Service Performance
Map KPIs to KRIs
Map KPIs to KRIs

Key Performance Indicators

Key Risk Indicators

Impact

On-Time Delivery

Suppliers' BCM Programs

More than 10% of single-source suppliers with no BCM program or one that requires more than 12 weeks to recover manufacturing operations leads to failure to meet contractual obligations

 

Product

Less than 25% growth rate year over year in new products being delivered with no single-source component

R&D Success Index

Design

 

Mission-

A 15% turnover rate every six months in identified key positions impacts mission-critical system stability and efficiency leads to failure to meet internal or external SLAs and delays in recovery from disaster

Critical

Systems

Personnel

Performance

Turnover

 

Mission-

Products/services that represent 30% or more of revenue that have not exercised their recovery plans within the last six months leads to delays in meeting contractual obligations, SLAs and recovery from disaster

Agreement

Critical System Downtime

Effectiveness

contractual obligations, SLAs and recovery from disaster Agreement Critical System Downtime Effectiveness
Case Study: A Shipping Company
Case Study: A Shipping Company

The Business

A cross-country shipping company has a fleet of 500 trucks

KPI/KRI • KPI: On-time delivery has reputation, sales, and customer service implications • KRI: Truck
KPI/KRI
• KPI: On-time delivery has reputation, sales,
and customer service implications
• KRI: Truck breakdown rates have a causal
relationship with on-time delivery
• KRI: Failure to change the oil has a causal
relationship and negative impact on
breakdown rates
• Control: An SLA has been developed within
maintenance to change oil every 5,000
miles
Risk Management • Changing the oil every 3,000 miles raises costs and does not significantly
Risk Management
• Changing the oil every 3,000 miles raises
costs and does not significantly lower
breakdown rates
• Changing the oil every 10,000 miles lowers
costs but significantly raises breakdown rates

Success

Factors

It doesn't matter if you call it a KRI or KPI, it is the causal relationships that matter.

Delivers visibility into risk to drive better business decisions with leading indicators.

relationships that matter. • Delivers visibility into risk to drive better business decisions with leading indicators.
Seven Guiding Principles for KRI Development
Seven Guiding Principles for KRI
Development

KRIs should be quantifiable: To relate KRIs to KPIs, the KRIs must be quantifiable so that they can be included in KPI calculations.

Align KRIs with business value: KRIs represent potential failures of KPIs. KPIs measure desirable, managed activities, but things do not always go as intended. KRIs measure events and trends that could create variances in intended outcomes. They should be based on the experience of the firm (truck value versus driver skills).

Avoid purely operational metrics that have no direct relationship to business processes: Operational metrics have great value in running the operation (i.e., function), but they have little value in business communications or decisions.

Select KRIs that benefit business decision makers: Metrics that cater only to identify gaps that require correction will have limited usefulness in a business context.

KRIs should be correlated to KPIs and have a causal relationship: A common performance management mistake is selecting metrics that correlate with desired outcomes, but have no causal relationship with them.

A KRI should reflect a relevant domain of risk: KRIs should represent fluctuations in existing areas of risk management directly related to business processes.

KRIs should reflect fluctuations in risk posture: Business decision makers benefit most from information that represents a change in risk posture that directly impacts ongoing business processes.

benefit most from information that represents a change in risk posture that directly impacts ongoing business
benefit most from information that represents a change in risk posture that directly impacts ongoing business
Availability KRI Catalog
Availability KRI Catalog

ERM

Category

Aggregates

Primes

Credit

Credit Risk

Risk 1

Risk 3

Risk 5

Risk 7

Risk

Aggregate 1

Risk 2

Risk 4

Risk 6

 
 

Market Risk

Risk 1

Risk 3

Risk 5

Risk 7

Market

Aggregate 1

Risk 2

Risk 4

Risk 6

 

Risk

 
   

Vulnerability

Network

Risk 1

Risk 3

Information

Management

Security

Security

Program

Identity and

Risk 2

Risk 4

Maturity

Access Management

   

Budgeting/Investing

Program

Business

Governance

Program Scope

Management

Operational

Risk

Continuity

Planning

Organization

Availability Framework

Architecture

Management

Processes/Controls

Communications/

Awareness

Exercising

Execution

   

Risk 1

Risk 2

Risk 3

Risk 4

Supply

Chain

Risk 5

Risk 6

Risk 7

Risk 8

Sourcing

Vendor

Contracts

Viability

Risk 1

Risk 2

Compliance

E-Discovery

Solvency 2

Risk 1

Risk 2

SOX

Internal

 

IT Operations

Applications

PPM

Enterprise

Risk 1

 

Architecture

 

Change

Risk 2

 

Management

Privacy

Cross-Border

Privacy

Privacy

Data Flows

Policies

Training

Risk-Adjusted KPIs: Availability
Risk-Adjusted KPIs: Availability

Supplier On-Time Delivery KPI

Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its expectations regarding the time it takes to satisfy a specific order or service request.

Supplier on-time delivery = 181 / 200 = 90.5% KPI target = 90%

Single-Source Supplier Availability KRI

Single-source supplier availability measures the level of continuity available from mission-critical, single- source suppliers.

SSSA KRI = 11 / 37 = 30%

Single-Source Supplier Availability KRI

Risk Factor Adjustment

50

to 100

+1

40

to 50

+0

30

to 40

-1

20

to 30

-2

<20

-3

Risk-adjusted supplier on-time delivery KPI = KPI - risk factor adjustment Risk-adjusted on-time delivery KRI = 90.5% - 2% = 88.5%

The company has visibility into negative factors and can act before revenue is lost, in
The company has visibility into negative factors and can act before revenue
is lost, in this case, by identifying single-source suppliers in their supply
chain and making the corrections in the design process.
Guidance for BCM Leaders
Guidance for BCM Leaders

Enhance relevance

- KPI/KRI mapping provides BCM leaders with insight to better position the value they bring to the organization. CIOs, risk management officers and BCM managers can help their enterprises gain competitive advantage by linking risks to business performance.

Justify budget

- KPI/KRI mapping assists BCM managers in justifying the budget by linking to direct business impact.

Pick your battles

- KPI/KRI mapping can provide a crucible in which to understand which availability risks are truly relevant and defensible from a business perspective.

Acknowledge political realities

- Avoid turning this into a dashboard of threats, vulnerabilities, and unmet control objectives — doing so will only reinforce the perception that BCM or IT DRM has nothing to do with running a business.

- Use this as an opportunity to demonstrate how good risk information can be a valuable asset in making informed business decisions.

as an opportunity to demonstrate how good risk information can be a valuable asset in making
as an opportunity to demonstrate how good risk information can be a valuable asset in making
Your Action Plan
Your Action Plan

In the short term (when you get back to your desk):

- Assess the maturity of the major elements of your BCM and operational risk management program

- Develop an understanding of your company's key business processes

In the midterm (within six months):

- Formalize your BCM program with a governance matrix and charter

- Map key availability risk indicators into key performance indicators, and use this to engage the business in availability risk discussions

In the long term (one year):

- Develop and deliver an executive reporting scheme that addresses the needs of a business audience

- Track program maturity metrics to continuously measure progress

scheme that addresses the needs of a business audience - Track program maturity metrics to continuously
Related Gartner Research
Related Gartner Research

The Gartner Business Value Model: A Framework for Measuring Business Performance (G00139413)

Map Key Risk Indicators to Key Performance Indicators to Support IT and Enterprise Risk Management (G00166093)

A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping (G00171605)

A Risk Hierarchy for Enterprise and IT Risk Managers,

(G00156664)

Toolkit: Assessing Risk Posture and Setting Priorities Using a Process Maturity Tutorial (G00151765)

Transparency Provides Opportunities and Threats in the 21st Century (G00169930)

For more information, stop by Gartner Solution Central or e-mail us at solutioncentral@gartner.com.

Century (G00169930) For more information, stop by Gartner Solution Central or e-mail us at solutioncentral@gartner.com .