
Business Continuity Management Key Performance Indicator/Key Risk Indicator Mapping

Roberta Witty

These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: vendor.relations@gartner.com. Gartner is a registered trademark of Gartner, Inc. or its affiliates.

What Is the Value of an Exercise Machine?

Source: The Real Business of IT: How CIOs Create and Communicate Value, Richard Hunter and George Westerman, October 2009, Harvard Business School Press

Key Issues

- What do boards and line-of-business executives want from continuity of operations?
- How do the risk-based disciplines impact corporate performance?
- How can you present a defensible case for the value and effectiveness of BCM to an executive audience?

How BCM Organizations Can Show Business Value


Business Context
- RUN the business
- GROW the business
- TRANSFORM the business

Actions
- Stop spreading FUD; focus on business operations integration benefits
- Show value for money, meaning the right services at the right level of quality and the right price
- Position BCM as an investment in near- and long-term business performance
- Communicate BCM to the entire workforce

Source: The Real Business of IT: How CIOs Create and Communicate Value, Richard Hunter and George Westerman, October 2009, Harvard Business School Press

Case Study: What's the Value of Subsecond Response Time?


Is it: "Why does IT cost so much?" No

It is: "How will slightly longer response times affect the value proposition as the paying customer perceives it?"
(because the board wants the most cost-effective level of resilience that the enterprise requires to fulfill its mission)
Source: The Real Business of IT: How CIOs Create and Communicate Value, Richard Hunter and George Westerman, October 2009, Harvard Business School Press


Enterprise Risk Management Hierarchy


[Figure: Enterprise Risk Management hierarchy, with tiers labeled Disciplines, Exposures and Specialists. Labels in the figure: Reputation Risk, Strategic Risk, Market Risk, Credit Risk, Operational Risk, Legal, Compliance, Materials/Supplies, Interest Rates, Customers, Suppliers, IT, Operations, Competition, Economy, Currency, Liquidity, Business, Finance, Business Processes, BCM, Supply Chain, EA, PM, Marketing, App. Dev., Privacy, IT DRM, Security, Product Management, Purchasing, AML, Sourcing, Sales, Know Your Customer.]

Example 1: Key Performance Indicator


Supply Chain, Key Risk Indicator: Key supplier has a fire
  Leading indicator that:
COO, Inventory Management: Inventory for 5 days only
  Leading indicator that:
The Business, Negative Impact KPI: Manufacturing slows after 3 days
  Leading indicator that:
Supplier On-Time Delivery: Order Fulfillment Not Met

Example 2: Key Performance Indicator


IT DRM, Key Risk Indicator: Sole mainframe programmer on medical leave
  Leading indicator that:
CIO, Application Failure: Pick list application
  Leading indicator that:
The Business, Negative Impact KPI: Orders cannot be fulfilled
  Leading indicator that:
Agreement Effectiveness: Miss the Quarter


Use Key Performance Indicators to Measure Operational Risk


[Figure: Risk Categories and Events (Fraud, Damage, Safety); Gartner Business Value Model; "Existing Approaches Bypass Operational Activities"; Determine Financial Outcomes; Revenue, Cost, Profit.]

The Gartner Business Value Model: Think Operationally, Not Just Financially
Know the 6-12 metrics in the mind of every business manager
BUSINESS ASPECT / AGGREGATES / PRIMES

Demand Management
- Market Responsiveness: Target Market Index, Market Coverage Index, Market Share Index, Opportunity/Threat Index, Product Portfolio Index, Channel Profitability Index, Configurability Index
- Sales Effectiveness: Sales Opportunity Index, Sales Cycle Index, Sales Close Index, Sales Price Index, Cost-of-Sales Index, Forecast Accuracy, Customer Retention Index
- Product Development Effectiveness: New Products Index, Feature Function Index, Time-to-Market Index, R&D Success Index

Supply Management
- Customer Responsiveness: On-Time Delivery, Order Fill Rate, Material Quality, Service Accuracy, Service Performance, Customer Care Performance, Agreement Effectiveness, Transformation Ratio
- Supplier Effectiveness: Supplier On-Time Delivery, Supplier Order Fill Rate, Supplier Material Quality, Supplier Service Accuracy, Supplier Service Performance, Supplier Care Performance, Supplier Agreement Effectiveness, Supplier Transformation Ratio
- Operational Efficiency: Cash-to-Cash Cycle Time, Conversion Cost, Asset Utilization, Sigma Value

Support Services
- Human Resource Responsiveness: Recruitment Effectiveness Index, Benefits Administration Index, Skill Inventory Index, Employee Training Index, HR Advisory Index, HR Total Cost Index
- Information Technology Responsiveness: Systems Performance, IT Support Performance, Partnership Ratio, Service-Level Effectiveness, New Projects Index, IT Total Cost Index
- Finance & Regulatory Responsiveness: Compliance Index, Accuracy Index, Advisory Index, Cost-of-Service Index

Key Performance Indicators


What is a KPI?
- A key performance indicator is a nonfinancial leading indicator of business performance
- Traditional financial metrics are trailing indicators

How can I develop KPIs?
- Identify critical business processes and supporting applications
- Do not focus exclusively on IT-centric KPIs

Sample KPIs for Resiliency
- Opportunity/Threat Index
- Customer Retention Index
- R&D Success Index
- On-Time Delivery
- Service Performance
- Agreement Effectiveness
- Supplier On-Time Delivery
- Supplier Service Performance
- Supplier Agreement Effectiveness
- Conversion Cost
- Skill Inventory Index
- System Performance
- Service-Level Effectiveness
- Advisory Index

Gartner provides a catalog of KPIs in "The Gartner Business Value Model" (G00139413)

KPI Example: Supplier On-Time Delivery


Business Aspect: Supply Management
Aggregate Measure: Supplier Effectiveness

Definition
Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its expectations regarding the time it takes to satisfy a specific order or service request. The metric is based on the organization's request date, not a negotiated date.

Calculation
Supplier On-Time Delivery = Orders Received On Time / Total Orders

Example
During the past seven days, ABC Computers received 200 supplier shipments, of which 150 met their requested delivery date. Supplier On-Time Delivery = 150 / 200 = 75%

Applications
Supplier on-time delivery applies to product and service businesses. It is important as organizations look to manage inventory levels by controlling the timing of material receipts. The income statement account most affected by supplier on-time delivery is operating expense.

Potentially Affected Primes
Time-to-Market Index, On-Time Delivery, Order Fill Rate, Cash-to-Cash Cycle Time, Conversion Cost and Asset Utilization

Availability Key Risk Indicators


What is a KRI?
- A key risk indicator is a leading indicator of risk to business performance

How can I develop KRIs?
- Do not solely use operational metrics
- Do not focus exclusively on IT-centric KRIs or availability

Sample KRIs for Resilience
- Customer renewals due to resilience
- % of suppliers with no BCM programs, or who can't recover in 12 weeks
- % of business units without a BCM coordinator
- % of mission-critical recovery plans not exercised within the last 12 months
- % of mission-critical business processes without a backup/recovery architecture to support their RTOs and RPOs
- % of new IT projects designed according to continuity and resiliency requirements
- % turnover of mission-critical IT personnel
- % of crisis management plans not exercised within the last three months
- % of BIAs older than 12 months

Gartner provides a starting point to develop availability KRIs in "A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping" (G00171605)

KRI Example: Single-Source Supplier Availability


ERM Category: Operational Risk, Supply Chain
KPI: Supplier On-Time Delivery

Definition
Single-source supplier availability measures the level of continuity available from mission-critical, single-source suppliers. A stable and controlled supply chain reduces risk of manufacturing delays and outages, which can lead to breach of contractual obligations.

Calculation
Single-Source Supplier Availability = Single-Source Suppliers With No BCM Program / Total Number of Mission-Critical Single-Source Suppliers

Example
Out of 37 single-source suppliers, 11 have no BCM program or one that requires more than 12 weeks to recover. Single-Source Supplier Availability = 11 / 37 = 30%

Potentially Affected KPIs
On-Time Delivery, Supplier On-Time Delivery, Customer Retention Index, Order Fill Rate, Service Performance

Map KPIs to KRIs


Each entry below lists the Key Performance Indicator, the Key Risk Indicator mapped to it, and the Impact.

Key Performance Indicator: On-Time Delivery
Key Risk Indicator: Suppliers' BCM Programs
Impact: More than 10% of single-source suppliers with no BCM program or one that requires more than 12 weeks to recover manufacturing operations leads to failure to meet contractual obligations

Key Performance Indicator: R&D Success Index
Key Risk Indicator: Product Design
Impact: Less than 25% growth rate year over year in new products being delivered with no single-source component

Key Performance Indicator: Systems Performance
Key Risk Indicator: Mission-Critical Personnel Turnover
Impact: A 15% turnover rate every six months in identified key positions impacts mission-critical system stability and efficiency, leads to failure to meet internal or external SLAs and delays in recovery from disaster

Key Performance Indicator: Agreement Effectiveness
Key Risk Indicator: Mission-Critical System Downtime
Impact: Products/services that represent 30% or more of revenue that have not exercised their recovery plans within the last six months leads to delays in meeting contractual obligations, SLAs and recovery from disaster

Case Study: A Shipping Company


The Business
A cross-country shipping company has a fleet of 500 trucks

KPI/KRI
- KPI: On-time delivery has reputation, sales, and customer service implications
- KRI: Truck breakdown rates have a causal relationship with on-time delivery
- KRI: Failure to change the oil has a causal relationship and negative impact on breakdown rates
- Control: An SLA has been developed within maintenance to change oil every 5,000 miles

Risk Management
- Changing the oil every 3,000 miles raises costs and does not significantly lower breakdown rates
- Changing the oil every 10,000 miles lowers costs but significantly raises breakdown rates

Success Factors
- It doesn't matter if you call it a KRI or KPI, it is the causal relationships that matter.
- Delivers visibility into risk to drive better business decisions with leading indicators.

Seven Guiding Principles for KRI Development


- KRIs should be quantifiable: To relate KRIs to KPIs, the KRIs must be quantifiable so that they can be included in KPI calculations.
- Align KRIs with business value: KRIs represent potential failures of KPIs. KPIs measure desirable, managed activities, but things do not always go as intended. KRIs measure events and trends that could create variances in intended outcomes. They should be based on the experience of the firm (truck value versus driver skills).
- Avoid purely operational metrics that have no direct relationship to business processes: Operational metrics have great value in running the operation (i.e., function), but they have little value in business communications or decisions.
- Select KRIs that benefit business decision makers: Metrics that cater only to identify gaps that require correction will have limited usefulness in a business context.
- KRIs should be correlated to KPIs and have a causal relationship: A common performance management mistake is selecting metrics that correlate with desired outcomes, but have no causal relationship with them.
- A KRI should reflect a relevant domain of risk: KRIs should represent fluctuations in existing areas of risk management directly related to business processes.
- KRIs should reflect fluctuations in risk posture: Business decision makers benefit most from information that represents a change in risk posture that directly impacts ongoing business processes.

Availability KRI Catalog


[Figure: Availability KRI catalog, arranged by ERM Category (Credit Risk, Market Risk, Operational Risk) with columns for Aggregates and Primes. Most cells hold placeholders (Risk 1 to Risk 8, Credit Risk Aggregate 1, Market Risk Aggregate 1). Named labels in the figure: Information Security Management, Program Maturity, Vulnerability, Network, Security, Identity and Access Management, Business, Continuity Management, Governance, Planning, Processes/Controls, Program Scope, Organization, Communications/Awareness, Budgeting/Investing, Availability Framework, Program Management, Architecture, Execution, Exercising, Supply Chain, Sourcing, Contracts, Solvency 2, Internal PPM, Vendor Viability, E-Discovery, SOX, Applications, Change, Compliance, IT Operations, Enterprise Architecture, Privacy, Management, Cross-Border Data Flows, Privacy Policies, Privacy Training.]

Risk-Adjusted KPIs: Availability


Supplier On-Time Delivery KPI
Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its expectations regarding the time it takes to satisfy a specific order or service request.

Supplier on-time delivery = 181 / 200 = 90.5%
KPI target = 90%

Single-Source Supplier Availability KRI
Single-source supplier availability measures the level of continuity available from mission-critical, single-source suppliers.

SSSA KRI = 11 / 37 = 30%

Single-Source Supplier Availability KRI    Risk Factor Adjustment
50 to 100                                  +1
40 to 50                                   +0
30 to 40                                   -1
20 to 30                                   -2
<20                                        -3

Risk-adjusted supplier on-time delivery KPI = KPI - risk factor adjustment
Risk-adjusted on-time delivery KRI = 90.5% - 2% = 88.5%

The company has visibility into negative factors and can act before revenue is lost, in this case, by identifying single-source suppliers in their supply chain and making the corrections in the design process.

Guidance for BCM Leaders


Enhance relevance
- KPI/KRI mapping provides BCM leaders with insight to better position the value they bring to the organization. CIOs, risk management officers and BCM managers can help their enterprises gain competitive advantage by linking risks to business performance.

Justify budget
- KPI/KRI mapping assists BCM managers in justifying the budget by linking to direct business impact.

Pick your battles


- KPI/KRI mapping can provide a crucible in which to understand which availability risks are truly relevant and defensible from a business perspective.

Acknowledge political realities


- Avoid turning this into a dashboard of threats, vulnerabilities, and unmet control objectives; doing so will only reinforce the perception that BCM or IT DRM has nothing to do with running a business.
- Use this as an opportunity to demonstrate how good risk information can be a valuable asset in making informed business decisions.

Your Action Plan


In the short term (when you get back to your desk):
- Assess the maturity of the major elements of your BCM and operational risk management program
- Develop an understanding of your company's key business processes

In the midterm (within six months):
- Formalize your BCM program with a governance matrix and charter
- Map key availability risk indicators into key performance indicators, and use this to engage the business in availability risk discussions

In the long term (one year):
- Develop and deliver an executive reporting scheme that addresses the needs of a business audience
- Track program maturity metrics to continuously measure progress

Related Gartner Research


- The Gartner Business Value Model: A Framework for Measuring Business Performance (G00139413)
- Map Key Risk Indicators to Key Performance Indicators to Support IT and Enterprise Risk Management (G00166093)
- A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping (G00171605)
- A Risk Hierarchy for Enterprise and IT Risk Managers (G00156664)
- Toolkit: Assessing Risk Posture and Setting Priorities Using a Process Maturity Tutorial (G00151765)
- Transparency Provides Opportunities and Threats in the 21st Century (G00169930)