DRI2018

February 14, 2018 Nashville, TN

Using Key Performance and Risk Indicators to

Make the BCM Business Case
Roberta J. Witty, Research VP

CONFIDENTIAL AND PROPRIETARY

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain
information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates.
© 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
 What Is the
Value of an
Exercise
Machine?
Benefits are harvested in the domain of the
user, not the machine.
To express value, do not report on the machine
— report on the user.
Source: "The Real Business of IT: How CIOs Create and Communicate Value"
1 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved. Richard Hunter and George Westerman, October, 2009, Harvard Business School Press
 Key Issues

•What do boards and line-of-business executives want from continuity

of operations?

•How do the risk-based disciplines impact corporate performance?

•How can you use KPIs and KRIs to present a defensible case for the
value and effectiveness of BCM to an executive audience?

2 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Key Issues

•What do boards and line-of-business executives want from continuity

of operations?

•How do the risk-based disciplines impact corporate performance?

•How can you use KPIs and KRIs to present a defensible case for the
value and effectiveness of BCM to an executive audience?

3 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

Three Major Ways of Measuring (Digital) Business …

1 2 3

Business Outcomes Benchmark/Maturity (Digital) Business KPIs

What are the business benefits of How (digitally) mature am I How do I describe the goals and
pursuing these (digital) compared to the industry? progress of my (digital) journey?
initiatives?
Industry
80% Best
Benchmarks/
Norms
(Digital)
Business
KPIs
Business
Outcomes
Financials
Reduction in cost
per transaction % digital Operations
— Sefton Council Better Market
Robotic Process Automation (RPA) Set to Drive Share
Public Sector Transformation in the U.K.
Customer
Good

4 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 How BCM Organizations Can Show Business Value
Business Context

STOP spreading FUD — focus on

business operations integration
benefits

Run Grow SHOW value for money, meaning the

right services at the right level of
quality and the right price

POSITION BCM as an investment in

near- and long-term business
performance
Transform
COMMUNICATE BCM to the entire
workforce

Source: The Real Business of IT: How CIOs Create and Communicate Value
Richard Hunter and George Westerman, October, 2009, Harvard Business School Press

5 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 What's the Value of Subsecond Response Time?

Is it: "Why does IT cost so much?" — No

Yes: "How will slightly longer response times affect the value proposition
as the paying customer perceives it?"

The board wants the most cost-effective level of resilience that the
enterprise requires to fulfill its mission.
Source: The Real Business of IT: How CIOs Create and Communicate Value
Richard Hunter and George Westerman, October, 2009, Harvard Business School Press
6 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
 Key Issues

•What do boards and line-of-business executives want from continuity

of operations?

•How do the risk-based disciplines impact corporate performance?

•How can you use KPIs and KRIs to present a defensible case for the
value and effectiveness of BCM to an executive audience?

7 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

Enterprise Risk Management Hierarchy
Crisis Management
Reputation Risk
Strategic Risk
Operational Risk
Market Risk Credit Risk (Compliance, Legal,
Operations)

• Finance
• Purchasing Materials/Supplies Customers Business
• Sales • Legal • Facilities
• Finance • Business Processes
• Finance • Compliance • Supplier/Vendor Risk
Interest Rates • Business Continuity/Recovery
• Marketing Disciplines
Exposures
• Marketing
• Product Management Competition Specialties
• Purchasing Suppliers IT
• Sales
• Finance • Enterprise Architecture
Economy • Compliance • Project Management
• AppDev
• Finance • Privacy
• IT Disaster Recovery
Currency • Cybersecurity
• Sourcing
• Finance • Compliance
Compliance
Liquidity • AML
• Know Your Customer
• Finance
8 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
 Example 1: Supplier Outage

Supply Chain COO The Business

Risk Event Inventory Negative

Management Performance
Impact

Manufacturing
Key supplier Inventory for Supplier On-
slows after
has a fire five days only Time Delivery
three days

Leading Leading Leading

Indicator Indicator Indicator Order
That … That … That …
fulfillment
not
met

9 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Example 2: Personnel Single Point of Failure

IT App Dev CIO The Business

Risk Event Application Negative

Failure Performance
Impact
Sole mainframe
programmer Pick list Orders cannot Agreement
on medical application be fulfilled Effectiveness
leave
Leading Leading Leading
Indicator Indicator Indicator Miss
That … That … That … the
quarter

10 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Key Issues

•What do boards and line-of-business executives want from continuity

of operations?

•How do the risk-based disciplines impact corporate performance?

•How can you use KPIs and KRIs to present a defensible case for the
value and effectiveness of BCM to an executive audience?

11 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Use Key Performance Indicators to Measure Operational
Risk
Risk Categories and Events

Fraud Damage Safety

Demand Market Sales Product

Management Responsiveness Effectiveness Development
Effectiveness
Existing
Gartner Approaches
Supply Customer Supplier Operational
Business Management Responsiveness Effectiveness Efficiency Bypass
Value Model Operational
Support Services Human Information Finance &
Resources Technology Regulatory Activities
Responsiveness Responsiveness Responsiveness

Revenue Cost Profit

Determine Financial Outcomes

12 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
 The Gartner Business Value Model Is a Catalog of
Leading Indicators of Corporate Performance
Business
Aggregates Primes
Aspect
Target Market Market Coverage Market Share Opportunity/
Market Index Index Index Threat Index
Responsiveness Product Portfolio Channel Configurability
Index Profitability Index Index
Demand Sales Opportunity Sales Cycle Sales Close Sales Price
Management Sales Index Index Index Index
Effectiveness Cost-of-Sales Forecast Customer
Index Accuracy Retention Index
Product Development New Product Feature Function Time-to-Market R&D Success
Effectiveness Index Index Index Index
On-Time Order Fill Material Service
Customer Delivery Rate Quality Accuracy
Responsiveness Service Customer Care Agreement Transformation
Performance Performance Effectiveness Ratio
Supply Supplier On-Time Supplier Order Supplier Material Supplier Service
Management Supplier Delivery Fill Rate Quality Accuracy
Effectiveness Supplier Service Supplier Care Supplier Agreement
Supplier Transformation Ratio
Performance Performance Effectiveness
Operational Cash-to-Cash Conversion Asset Sigma
Efficiency Cycle Time Cost Utilization Value
Recruitment Benefits Skill Inventory Employee
Human Effectiveness Index Administration Index Index Training Index
Resources
Responsiveness HR Advisory HR Total
Index Cost Index
Support System IT Support Partnership Service-Level
Services Information Performance Performance Ratio Effectiveness
Technology
Responsiveness New Project
Cost Index
Index
Finance and Regulatory Compliance Accuracy Advisory Cost-of-Service
Responsiveness Index Index Index Index

13 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Key Performance Indicators
What is a KPI? Sample KPIs for Resilience
A key performance indicator is a • Opportunity/Threat Index
nonfinancial leading indicator of
business performance • Customer Retention Index Gartner’s KPI
• R&D Success Index catalog can be
Traditional financial metrics are trailing found here:
indicators • On-Time Delivery
• Service Performance "The Gartner
• Agreement Effectiveness Business Value
How can I develop KPIs?
Model: A
Identify critical business processes • Supplier On-Time Delivery Framework for
and supporting applications • Supplier Service Performance Measuring
Business
Do not focus exclusively on • Supplier Agreement Effectiveness
IT-centric KPIs Performance”,
• Conversion Cost G00314698
• Skill Inventory Index
• System Performance
• Service-Level Effectiveness
14 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
• Advisory Index
 KPI Example: Sales Opportunity Index
Business Aspect: Demand Management Aggregate Measure: Sales Effectiveness

The Sales Opportunity Index shows how successfully the organization can cultivate prospects
for its products and services.
Definition

Sales Opportunity Index = Contacts by prospects last month

Calculation 2 x (12-month rolling average prospect contacts per month)
A formal sales tracking process is required to record the activity level of potential customers or
“prospects” that have come into contact with the organization; e.g. entered a store, visited the
purchasing section of a website, responded to an advertisement.
Example ABC Computers, last year, implemented a sales force automation system that tracks prospects
from initial contact to “sales close” (defined as success or unsuccessful). The following data is
extracted:
Prospect contacts in the last 12 months = 7,500 (625 average per month)
Prospects contacts last month = 800
Sales Opportunity Index = 800 / (625 x 2) = 64%

Sales Opportunity Index is a leading indicator of the level of demand for the company’s
Application products and services, and is typically updated monthly. The income statement account most
affected by the Sales Opportunity Index is revenue.

Potentially Market Share Index, Product Portfolio Index, Sales Cycle Index, Sales Close Index, Sales
Affected Primes Price Index and Forecast Accuracy

15 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Availability Key Risk Indicators
What is a KRI? Sample KRIs for Resilience
A key risk indicator is a leading • % of customer renewals because of resilience
indicator of risk to business • % of suppliers W/O BCM programs, or who
performance cannot recover in 12 weeks
Gartner’s starting
• % of facilities that have not been modified for point to develop
new flooding standards
availability KRIs
How can I develop KRIs? • % of mission-critical equipment without a can be found here:
backup
Do not solely use operational
metrics • % of departments W/O a BCM coordinator "Use KPI and KRI
Do not focus exclusively on • % of mission-critical recovery plans not Mapping to Make
IT-centric KRIs exercised within the last 12 months the Business Case
• % of mission-critical business processes without for Business
a backup/recovery architecture to support their Resilience“,
RTOs and RPOs G00280981
• % of new IT projects designed according to
continuity and resiliency requirements
• % turnover of mission-critical IT personnel
• % of crisis management plans not exercised
16 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
within the last three months
• % of BIAs older than 12 months
 KRI Example: BIA Update Variance
ERM Category: Operational Risk, IT Operations

BIA update variance measures the number of BIAs that have been updated within a
predefined period of time; for example, 12 months. An updated BIA means a higher
Definition likelihood that business and IT recovery plans associated with the business unit will be up-
to-date with current business practices.

BIA update variance = Total number of BIAs updated within the prior 12 months
Calculation
Total number of BIAs for the business

In a 12-month period, ABC corporation had 110 BIAs updated based on 150 total BIAs for
Example the business.
BIA update variance = 110/150 = 73%

Potentially
Affected System performance, IT support performance, Service-level effectiveness
KPIs

17 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

Map KPIs to Availability KRIs
Key Performance Key Risk
Impact
Indicators Indicators
On-Time Delivery Single-Source More than 10% of single-source suppliers with no BCM program or
Suppliers' BCM one that requires more than 12 weeks to recover manufacturing
Programs operations leads to failure to meet contractual obligations

R&D Success Index Product Design Less than 25% growth rate year over year in new products being
delivered with no single-source component

Systems Mission-Critical A 15% turnover rate every six months in identified key positions
Performance Personnel Turnover impacts mission-critical system stability and efficiency leads to
failure to meet internal or external SLAs and delays in recovery
from disaster
Agreement Mission-Critical Products/services that represent 30% or more of revenue that
Effectiveness System Downtime have not exercised their recovery plans within the last six months
leads to delays in meeting contractual obligations, SLAs and
recovery from disaster

18 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Bringing it All Together: A Shipping Company
The Business: A cross-country shipping company with a fleet of 500 trucks

KPI/KRI Risk Posture

• KPI: On-time delivery has reputation, sales, • Changing the oil every 3,000 miles raises
and customer service implications costs and does not significantly lower
• KRI: Truck breakdown rates have a causal breakdown rates
relationship with on-time delivery • Changing the oil every 10,000 miles lowers
• KRI: Failure to change the oil has a causal costs but significantly raises breakdown rates
relationship and negative impact on
breakdown rates
• Control: An SLA has been developed within
maintenance to change oil every 5,000
miles

Success • Concept received favorably by executive management

Factors • Creating meaningful metrics and getting buy-in at all levels has proved
challenging

19 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Cross-Operational Risk Management KRI/KPI Mappings
KPI KRI

Confidentiality Competitiveness index % deals lost to competitive

(Manufacturing) intelligence (IP protection)

Privacy (Insurance) Customer satisfaction and renewal % of incidents where customer

indices personal data is put at risk

Availability (Manufacturing) Manufacturing capacity index % of lost/delayed inventory because

of IT failure

Risk Management Related to bad management decisions % of critical business processes that
(All Industries) have had a risk assessment in the last
24 months
Business Continuity Bed mortality rates (risk of IT % of DR plans tested in the last 12
Management (Healthcare) automation in clinical operations) months

Vendor/Sourcing Risk Sales index (for prospects that have % of suppliers with approved security
(All Industries) data security requirements) controls frameworks

Integrity (All Industries) Financial integrity, partnership Defect rate attributable to integrity
effectiveness, engineering failures
effectiveness

20 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Case Study

21 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 KPI: Supplier On-Time Delivery
Business Aspect: Supply Management Aggregate Measure: Supplier Effectiveness

Supplier on-time delivery measures the ability of the organization to select suppliers that can
meet its expectations regarding the time it takes to satisfy a specific order or service request.
Definition The metric is based on the organization's request date, not a negotiated date.

Supplier On-Time Delivery = Orders Received On Time

Calculation
Total Orders

During the past seven days, ABC Computers received 200 supplier shipments, of which 150
met their requested delivery date.
Example
Supplier On-Time Delivery = 181 ÷ 200 = 90.5%

Supplier on-time delivery applies to product and service businesses. It is important as

organizations look to manage inventory levels by controlling the timing of material receipts.
Applications The income statement account most affected by supplier on-time delivery is operating
expense.

Potentially Time-to-Market Index, On-Time Delivery, Order Fill Rate, Cash-to-Cash Cycle Time,
Affected Conversion Cost and Asset Utilization
Primes

22 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 KRI: Single-Source Supplier Availability
ERM Category: Operational Risk, Supply Chain KPI: Supplier On-Time Delivery

Single-source supplier availability measures the level of continuity available from mission-
critical, single-source suppliers. A stable and controlled supply chain reduces risk of
Definition manufacturing delays and outages, which can lead to breach of contractual obligations.

Single-Source Supplier Availability = Single-Source Suppliers With No BCM Program

Calculation
Total Number of Mission-Critical Single-Source Suppliers

Out of 37 single-source suppliers, 11 have no BCM program, or one that requires more than 12
Example weeks to recover (12 weeks being your organization’s RTO).
Single-Source Supplier Availability = 17 / 37 = 46%

Potentially
On-Time Delivery, Supplier On-Time Delivery, Customer Retention Index, Order Fill Rate,
Affected
Service Performance
KPIs

23 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

 Risk-Adjusted KPIs: Supplier On-Time Delivery
Risk-adjusted KPI = KPI - risk factor adjustment

Today 90.5%
Supplier On-Time Delivery KPI
2018 Goal 90%
90%
181 on-time suppliers / 200 total suppliers = 90.5% Risk-Adjusted KPI 87.5%
KPI Target = 90%

Single-Source Supplier Risk Factor

Single-Source Supplier Availability KRI Availability KRI Adjustment
51% to 100% -5
17 SSS with no BCM program / 41% to 50% -3
31% to 40% +0
37 total mission-critical SSS = 46% 20% to 30% +3
<20% +5

The company has visibility into negative factors and can act before revenue is lost, in this case, by identifying
single-source suppliers in their supply chain and making the corrections in the design process.
24 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
Seven Guiding Principles for KRI Development
1 • KRIs should be quantifiable

• Align KRIs with business value

2
• Avoid operational metrics that have no direct relationship to
3 business processes

4 • Select KRIs that benefit business decision makers

5 • KRIs should be correlated to KPIs and have a causal relationship

6 • A KRI should reflect a relevant domain of risk

7 • KRIs should reflect fluctuations in risk posture

25 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
The Gartner Business Risk Model: BCM Readiness Index

Gartner’s Business
Risk Model can be
found here:

" The Gartner

Business Risk
Model: A
Framework for
Integrating Risk and
Performance”,
G00314696

26 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

Creating A BCM Risk Model
Demand Market Sales Product
Management Responsiveness Effectiveness Development
Effectiveness
Supply Customer Supplier Operational
Management Responsiveness Effectiveness Efficiency

Support Services Human Information Finance &

Resources Technology Regulatory
Responsiveness Responsiveness Responsiveness

Program
Governance Program Scope Budgeting/Investing
Management
Business
Availability
Continuity Planning Organization
Framework
Architecture
Management
Communications/
Processes/Controls Exercising Execution
Awareness

27 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

Guidance for BCM Leaders
1. Enhance relevance
KPI/KRI mapping provides BCM leaders with
insight to better position the value they bring to the
organization. CIOs, risk management officers and
BCM managers can help their enterprises gain
competitive advantage by linking risks to business
performance.
3. Pick your battles
This exercise can provide a framework with which
to understand which availability risks are truly
relevant and defensible from a business
perspective.
28 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
2. Justify budget
This exercise assists risk and BCM leaders with
justification links to direct business impact, which
can be of great value at budget time.
4. Understand political realities
Avoid turning this into a dashboard of threats,
vulnerabilities and unmet control objectives. Doing
so will only reinforce the perception that BCM is all
about FUD and has nothing to do with running a
business.
Use this is an opportunity to demonstrate how
availability risk information can be a valuable asset
in making informed business decisions.
 Your Action Plan
1. In the short term (when you get back to your desk)
 Assess the maturity of the major elements of your BCM and operational risk
management program
 Develop an understanding of your company's key business processes

2. In the midterm (within six months)

 Formalize your BCM program with a governance matrix and charter
 Map key availability risk indicators into key performance indicators, and use
this to engage the business in availability risk discussions

3. In the long term (one year)

 Develop and deliver an executive reporting scheme that addresses the
needs of a business audience
 Track program maturity metrics to continuously
measure progress
29 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.
Related Gartner Research
 Use KPI and KRI Mapping to Make the Business Case for Business Resilience (G00280981)
 The Gartner Business Value Model: A Framework for Measuring Business Performance (G00314698)
 The Gartner Business Risk Model: A Framework for Integrating Risk and Performance (G00314696)
 Developing Key Risk Indicators: The Relationship Between KRIs, KPIs and Business Outcomes
(G00325598)
 Definition: Business Continuity Management (G00332688)

 Hype Cycle for Business Continuity Management and IT Resilience, 2017 (G00315161)
 Prepare for and Respond to a Business Disruption After an Aggressive Cyberattack (G00275607)

 The Business Continuity Manager's First 100 Days (G00266694)

 ITScore for Business Continuity Management (G00311263)

 Business Continuity Management Program Primer for 2018 (G00344112)

 Best Practices for Business Continuity Management Governance Roberta J. Witty and Louis Boyle
(G00271251)

30 © 2018 Gartner, Inc. and/or its affiliates. All rights reserved.

For more information, stop by Gartner Solution Central or e-mail us at solutioncentral@gartner.com.