Business Continuity Management Key Performance Indicator/Key Risk Indicator Mapping
These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: [email protected]. Gartner is a registered trademark of Gartner, Inc. or its affiliates.
Roberta Witty
What Is the Value of an Exercise Machine?
Source: The Real Business of IT: How CIOs Create and Communicate Value
Richard Hunter and George Westerman, October, 2009, Harvard Business School Press
Key Issues
• What do boards and line-of-business executives want from continuity of operations?
• How do the risk-based disciplines impact corporate performance?
• How can you present a defensible case for the value and effectiveness of BCM to an executive audience?
How BCM Organizations Can Show Business Value
Business Context …
• RUN the business
• GROW the business
• TRANSFORM the business
Actions …
• Stop spreading FUD — focus on business operations integration benefits
• Show value for money, meaning the right services at the right level of quality and the right price
• Position BCM as an investment in near- and long-term business performance
• Communicate BCM to the entire workforce
Case Study: What's the Value of Subsecond Response Time?
Is it: "Why does IT cost so much?" — No
It is: "How will slightly longer response times affect the value proposition as the paying customer perceives it?"
(because the board wants the most cost-effective level of resilience that the enterprise requires to fulfill its mission)
Enterprise Risk Management Hierarchy
[Figure: Enterprise Risk Management hierarchy. Risk categories: Reputation Risk, Strategic Risk, Credit Risk, Market Risk, Operational Risk. Layer labels: Disciplines, Exposures, Specialists. Other labels shown: Operations, Legal, Compliance, IT, Business, Customers, Suppliers, Interest Rates, Materials/Supplies, Economy, Competition, Finance, Privacy, Security, Supply Chain, IT DRM, App. Dev., Sourcing, EA, PM, AML, Know Your Customer, Business Processes, Liquidity, Currency, Sales, Purchasing, Marketing, Product Management, BCM.]
Example 1: Key Performance Indicator
[Figure: flow across Supply Chain, COO and The Business, with boxes linked by "Leading Indicator That…" arrows. Labels shown: Key Risk Indicator: Key supplier has a fire; Supplier On-Time Delivery; Inventory Management; Inventory for 5 days only; Negative Impact KPI: Manufacturing slows after 3 days; Order Fulfillment Not Met.]
Example 2: Key Performance Indicator
[Figure: flow across IT DRM, CIO and The Business, with boxes linked by "Leading Indicator That…" arrows. Labels shown: Key Risk Indicator: Sole mainframe programmer on medical leave; Application Failure; Pick list application; Agreement Effectiveness; Negative Impact KPI: Orders cannot be fulfilled; Miss the Quarter.]
Use Key Performance Indicators to Measure Operational Risk
[Figure: labels shown: Risk Categories and Events (Fraud, Damage, Safety); Gartner Business Value Model; Existing Approaches Bypass Operational Activities; Determine Financial Outcomes (Revenue, Cost, Profit).]
The Gartner Business Value Model: Think Operationally, Not Just Financially
Know the 6-12 metrics in the mind of every business manager
(Hierarchy: Business Aspect, then Aggregates, then Primes)
Business Aspect: Demand Management
• Market Responsiveness: Target Market Index, Market Coverage Index, Market Share Index, Opportunity/Threat Index, Product Portfolio Index, Channel Profitability Index, Configurability Index
• Sales Effectiveness: Sales Opportunity Index, Sales Cycle Index, Sales Close Index, Sales Price Index, Cost-of-Sales Index, Forecast Accuracy, Customer Retention Index
• Product Development Effectiveness: New Products Index, Feature Function Index, Time-to-Market Index, R&D Success Index
Business Aspect: Supply Management
• Customer Responsiveness: On-Time Delivery, Order Fill Rate, Material Quality, Service Accuracy, Service Performance, Customer Care Performance, Agreement Effectiveness, Transformation Ratio
• Supplier Effectiveness: Supplier On-Time Delivery, Supplier Order Fill Rate, Supplier Material Quality, Supplier Service Accuracy, Supplier Service Performance, Supplier Care Performance, Supplier Agreement Effectiveness, Supplier Transformation Ratio
• Operational Efficiency: Cash-to-Cash Cycle Time, Conversion Cost, Asset Utilization, Sigma Value
Business Aspect: Support Services
• Human Resource Responsiveness: Recruitment Effectiveness Index, Benefits Administration Index, Skill Inventory Index, Employee Training Index, HR Advisory Index, HR Total Cost Index
• Information Technology Responsiveness: Systems Performance, IT Support Performance, Partnership Ratio, Service-Level Effectiveness, New Projects Index, IT Total Cost Index
• Finance & Regulatory Responsiveness: Compliance Index, Accuracy Index, Advisory Index, Cost-of-Service Index
Key Performance Indicators
What is a KPI?
A key performance indicator is a nonfinancial leading indicator of business performance
Traditional financial metrics are trailing indicators
How can I develop KPIs?
Identify critical business processes and supporting applications
Do not focus exclusively on IT-centric KPIs
Gartner provides a catalog of KPIs in "The Gartner Business Value Model" (G00139413)
Sample KPIs for Resiliency
• Opportunity/Threat Index
• Customer Retention Index
• R&D Success Index
• On-Time Delivery
• Service Performance
• Agreement Effectiveness
• Supplier On-Time Delivery
• Supplier Service Performance
• Supplier Agreement Effectiveness
• Conversion Cost
• Skill Inventory Index
• System Performance
• Service-Level Effectiveness
• Advisory Index
KPI Example: Supplier On-Time Delivery
Business Aspect: Supply Management
Aggregate Measure: Supplier Effectiveness
Definition
Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its expectations regarding the time it takes to satisfy a specific order or service request. The metric is based on the organization's request date, not a negotiated date.
Calculation
Supplier On-Time Delivery = Orders Received On Time ÷ Total Orders
Example
During the past seven days, ABC Computers received 200 supplier shipments, of which 150 met their requested delivery date.
Supplier On-Time Delivery = 150 ÷ 200 = 75%
Applications
Supplier on-time delivery applies to product and service businesses. It is important as organizations look to manage inventory levels by controlling the timing of material receipts. The income statement account most affected by supplier on-time delivery is operating expense.
Potentially Affected Primes
Time-to-Market Index, On-Time Delivery, Order Fill Rate, Cash-to-Cash Cycle Time, Conversion Cost and Asset Utilization
Availability Key Risk Indicators
What is a KRI?
A key risk indicator is a leading indicator of risk to business performance
How can I develop KRIs?
Do not solely use operational metrics
Do not focus exclusively on IT-centric KRIs or availability
Gartner provides a starting point to develop availability KRIs in "A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping" (G00171605)
Sample KRIs for Resilience
• Customer renewals due to resilience
• % of suppliers with no BCM programs, or who can't recover in 12 weeks
• % of business units without a BCM coordinator
• % of mission-critical recovery plans not exercised within the last 12 months
• % of mission-critical business processes without a backup/recovery architecture to support their RTOs and RPOs
• % of new IT projects designed according to continuity and resiliency requirements
• % turnover of mission-critical IT personnel
• % of crisis management plans not exercised within the last three months
• % of BIAs older than 12 months
KRI Example: Single-Source Supplier Availability
ERM Category: Operational Risk, Supply Chain
KPI: Supplier On-Time Delivery
Definition
Single-source supplier availability measures the level of continuity available from mission-critical, single-source suppliers. A stable and controlled supply chain reduces risk of manufacturing delays and outages, which can lead to breach of contractual obligations.
Calculation
Single-Source Supplier Availability = Single-Source Suppliers With No BCM Program ÷ Total Number of Mission-Critical Single-Source Suppliers
Example
Out of 37 single-source suppliers, 11 have no BCM program or one that requires more than 12 weeks to recover.
Single-Source Supplier Availability = 11 / 37 = 30%
Potentially Affected KPIs
On-Time Delivery, Supplier On-Time Delivery, Customer Retention Index, Order Fill Rate, Service Performance
Map KPIs to KRIs
(Columns: Key Performance Indicator, Key Risk Indicator, Impact)
• Key Performance Indicator: On-Time Delivery
  Key Risk Indicator: Suppliers' BCM Programs
  Impact: More than 10% of single-source suppliers with no BCM program or one that requires more than 12 weeks to recover manufacturing operations leads to failure to meet contractual obligations
• Key Performance Indicator: R&D Success Index
  Key Risk Indicator: Product Design
  Impact: Less than 25% growth rate year over year in new products being delivered with no single-source component
• Key Performance Indicator: Systems Performance
  Key Risk Indicator: Mission-Critical Personnel Turnover
  Impact: A 15% turnover rate every six months in identified key positions impacts mission-critical system stability and efficiency leads to failure to meet internal or external SLAs and delays in recovery from disaster
• Key Performance Indicator: Agreement Effectiveness
  Key Risk Indicator: Mission-Critical System Downtime
  Impact: Products/services that represent 30% or more of revenue that have not exercised their recovery plans within the last six months leads to delays in meeting contractual obligations, SLAs and recovery from disaster
Case Study: A Shipping Company
The Business
A cross-country shipping company has a fleet of 500 trucks
KPI/KRI
• KPI: On-time delivery has reputation, sales, and customer service implications
• KRI: Truck breakdown rates have a causal relationship with on-time delivery
• KRI: Failure to change the oil has a causal relationship and negative impact on breakdown rates
Risk Management
• Changing the oil every 3,000 miles raises costs and does not significantly lower breakdown rates
• Changing the oil every 10,000 miles lowers costs but significantly raises breakdown rates
• Control: An SLA has been developed within maintenance to change oil every 5,000 miles
Success Factors
• It doesn't matter if you call it a KRI or KPI, it is the causal relationships that matter.
• Delivers visibility into risk to drive better business decisions with leading indicators.
Seven Guiding Principles for KRI Development
• KRIs should be quantifiable: To relate KRIs to KPIs, the KRIs must be quantifiable so that they can be included in KPI calculations.
• Align KRIs with business value: KRIs represent potential failures of KPIs. KPIs measure desirable, managed activities, but things do not always go as intended. KRIs measure events and trends that could create variances in intended outcomes. They should be based on the experience of the firm (truck value versus driver skills).
• Avoid purely operational metrics that have no direct relationship to business processes: Operational metrics have great value in running the operation (i.e., function), but they have little value in business communications or decisions.
• Select KRIs that benefit business decision makers: Metrics that cater only to identify gaps that require correction will have limited usefulness in a business context.
• KRIs should be correlated to KPIs and have a causal relationship: A common performance management mistake is selecting metrics that correlate with desired outcomes, but have no causal relationship with them.
• A KRI should reflect a relevant domain of risk: KRIs should represent fluctuations in existing areas of risk management directly related to business processes.
• KRIs should reflect fluctuations in risk posture: Business decision makers benefit most from information that represents a change in risk posture that directly impacts ongoing business processes.
Availability KRI Catalog
[Figure: KRI catalog laid out by ERM Category, Aggregates and Primes. ERM categories shown: Market Risk, Credit Risk, Operational Risk. Other labels shown: Information Security, Vulnerability Management, Program Maturity, Network Security, Identity and Access Management, Supply Chain, Sourcing, Vendor Viability, Contracts, Compliance, E-Discovery, SOX, Solvency 2, Internal, IT Operations, Applications, Change Management, PPM, Enterprise Architecture, Privacy, Cross-Border Data Flows, Privacy Policies, Privacy Training, Business Continuity Management. Primes appear as numbered placeholders (Risk 1, Risk 2, …).]
Availability Framework
[Figure: labels shown: Governance, Planning, Program Scope, Organization, Budgeting/Investing, Program Management, Architecture, Processes/Controls, Communications/Awareness, Exercising, Execution.]
Risk-Adjusted KPIs: Availability
Single-Source Supplier Availability KRI
Single-source supplier availability measures the level of continuity available from mission-critical, single-source suppliers.
SSSA KRI = 11 / 37 = 30%
Supplier On-Time Delivery KPI
Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its expectations regarding the time it takes to satisfy a specific order or service request.
Supplier on-time delivery = 181 / 200 = 90.5%
KPI target = 90%
Single-Source Supplier Availability KRI    Risk Factor Adjustment
50 to 100                                  +1
40 to 50                                   +0
30 to 40                                   -1
20 to 30                                   -2
<20                                        -3
Risk-adjusted supplier on-time delivery KPI = KPI - risk factor adjustment
Risk-adjusted on-time delivery KRI = 90.5% - 2% = 88.5%
The company has visibility into negative factors and can act before revenue is lost, in this case, by identifying single-source suppliers in their supply chain and making the corrections in the design process.
Guidance for BCM Leaders
• Enhance relevance
- KPI/KRI mapping provides BCM leaders with insight to better position the value they bring to the organization. CIOs, risk management officers and BCM managers can help their enterprises gain competitive advantage by linking risks to business performance.
• Justify budget
- KPI/KRI mapping assists BCM managers in justifying the budget by linking to direct business impact.
• Pick your battles
- KPI/KRI mapping can provide a crucible in which to understand which availability risks are truly relevant and defensible from a business perspective.
• Acknowledge political realities
- Avoid turning this into a dashboard of threats, vulnerabilities, and unmet control objectives — doing so will only reinforce the perception that BCM or IT DRM has nothing to do with running a business.
- Use this as an opportunity to demonstrate how good risk information can be a valuable asset in making informed business decisions.
Your Action Plan
• In the short term (when you get back to your desk):
- Assess the maturity of the major elements of your BCM and operational risk management program
- Develop an understanding of your company's key business processes
• In the midterm (within six months):
- Formalize your BCM program with a governance matrix and charter
- Map key availability risk indicators into key performance indicators, and use this to engage the business in availability risk discussions
• In the long term (one year):
- Develop and deliver an executive reporting scheme that addresses the needs of a business audience
- Track program maturity metrics to continuously measure progress
Related Gartner Research
• The Gartner Business Value Model: A Framework for Measuring Business Performance (G00139413)
• Map Key Risk Indicators to Key Performance Indicators to Support IT and Enterprise Risk Management (G00166093)
• A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping (G00171605)
• A Risk Hierarchy for Enterprise and IT Risk Managers (G00156664)
• Toolkit: Assessing Risk Posture and Setting Priorities Using a Process Maturity Tutorial (G00151765)
• Transparency Provides Opportunities and Threats in the 21st Century (G00169930)