
Witty sec16_112_ae KPI KRI 9.10(1).pdf

Date post: 08-Nov-2014
Upload: armelamor
Business Continuity Management Key Performance Indicator/Key Risk Indicator Mapping

Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: [email protected]. Gartner is a registered trademark of Gartner, Inc. or its affiliates.

Roberta Witty

Page 2: Witty sec16_112_ae KPI KRI 9.10(1).pdf

What Is the Value of an Exercise Machine?

Source: The Real Business of IT: How CIOs Create and Communicate Value, Richard Hunter and George Westerman, October 2009, Harvard Business School Press

Page 3: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Key Issues

• What do boards and line-of-business executives want from continuity of operations?

• How do the risk-based disciplines impact corporate performance?

• How can you present a defensible case for the value and effectiveness of BCM to an executive audience?

Page 4: Witty sec16_112_ae KPI KRI 9.10(1).pdf

How BCM Organizations Can Show Business Value

Business Context …

• RUN the business

• GROW the business

• TRANSFORM the business

Actions …

• Stop spreading FUD — focus on business operations integration benefits

• Show value for money, meaning the right services at the right level of quality and the right price

• Position BCM as an investment in near- and long-term business performance

• Communicate BCM to the entire workforce

Source: The Real Business of IT: How CIOs Create and Communicate Value, Richard Hunter and George Westerman, October 2009, Harvard Business School Press

Page 5: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Case Study: What's the Value of Subsecond Response Time?

Is it: "Why does IT cost so much?" — No

It is: "How will slightly longer response times affect the value proposition as the paying customer perceives it?"

(because the board wants the most cost-effective level of resilience that the enterprise requires to fulfill its mission)

Source: The Real Business of IT: How CIOs Create and Communicate Value, Richard Hunter and George Westerman, October 2009, Harvard Business School Press

Page 6: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Key Issues

• What do boards and line-of-business executives want from continuity of operations?

• How do the risk-based disciplines impact corporate performance?

• How can you present a defensible case for the value and effectiveness of BCM to an executive audience?

Page 7: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Enterprise Risk Management Hierarchy

[Figure: Enterprise Risk Management hierarchy diagram. Risk types shown: Reputation Risk, Strategic Risk, Credit Risk, Market Risk, Operational Risk. Diagram tiers: Exposures, Disciplines, Specialists. Other labels shown: Operations, Legal, Compliance, IT, Business, Customers, Suppliers, Interest Rates, Materials/Supplies, Economy, Competition, Finance, Privacy, Security, Supply Chain, IT DRM, App. Dev., Sourcing, EA, PM, AML, Know Your Customer, Business Processes, Liquidity, Currency, Sales, Purchasing, Marketing, Product Management, BCM.]

Page 8: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Example 1: Key Performance Indicator

[Figure: chain of indicators under the column headings Supply Chain, COO and The Business, with each step marked "Leading Indicator That…". Labels: Key Risk Indicator: Key supplier has a fire; Inventory Management: Inventory for 5 days only; Supplier On-Time Delivery; Negative Impact KPI: Manufacturing slows after 3 days; Order Fulfillment Not Met.]

Page 9: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Example 2: Key Performance Indicator

[Figure: chain of indicators under the column headings IT DRM, CIO and The Business, with each step marked "Leading Indicator That…". Labels: Key Risk Indicator: Sole mainframe programmer on medical leave; Application Failure: Pick list application; Agreement Effectiveness; Negative Impact KPI: Orders cannot be fulfilled; Miss the Quarter.]

Page 10: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Key Issues

• What do boards and line-of-business executives want from continuity of operations?

• How do the risk-based disciplines impact corporate performance?

• How can you present a defensible case for the value and effectiveness of BCM to an executive audience?

Page 11: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Use Key Performance Indicators to Measure Operational Risk

[Figure: diagram labels: Risk Categories and Events; Fraud; Damage; Safety; Gartner Business Value Model; Existing Approaches Bypass Operational Activities; Determine Financial Outcomes; Revenue; Cost; Profit.]

Page 12: Witty sec16_112_ae KPI KRI 9.10(1).pdf

The Gartner Business Value Model: Think Operationally, Not Just Financially

Know the 6-12 metrics in the mind of every business manager

Business Aspect: Demand Management

• Aggregate: Market Responsiveness. Primes: Target Market Index, Market Coverage Index, Market Share Index, Opportunity/Threat Index, Product Portfolio Index, Channel Profitability Index, Configurability Index

• Aggregate: Sales Effectiveness. Primes: Sales Opportunity Index, Sales Cycle Index, Sales Close Index, Sales Price Index, Cost-of-Sales Index, Forecast Accuracy, Customer Retention Index

• Aggregate: Product Development Effectiveness. Primes: New Products Index, Feature Function Index, Time-to-Market Index, R&D Success Index

Business Aspect: Supply Management

• Aggregate: Customer Responsiveness. Primes: On-Time Delivery, Order Fill Rate, Material Quality, Service Accuracy, Service Performance, Customer Care Performance, Agreement Effectiveness, Transformation Ratio

• Aggregate: Supplier Effectiveness. Primes: Supplier On-Time Delivery, Supplier Order Fill Rate, Supplier Material Quality, Supplier Service Accuracy, Supplier Service Performance, Supplier Care Performance, Supplier Agreement Effectiveness, Supplier Transformation Ratio

• Aggregate: Operational Efficiency. Primes: Cash-to-Cash Cycle Time, Conversion Cost, Asset Utilization, Sigma Value

Business Aspect: Support Services

• Aggregate: Human Resource Responsiveness. Primes: Recruitment Effectiveness Index, Benefits Administration Index, Skill Inventory Index, Employee Training Index, HR Advisory Index, HR Total Cost Index

• Aggregate: Information Technology Responsiveness. Primes: Systems Performance, IT Support Performance, Partnership Ratio, Service-Level Effectiveness, New Projects Index, IT Total Cost Index

• Aggregate: Finance & Regulatory Responsiveness. Primes: Compliance Index, Accuracy Index, Advisory Index, Cost-of-Service Index

Page 13: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Key Performance Indicators

What is a KPI?

A key performance indicator is a nonfinancial leading indicator of business performance

Traditional financial metrics are trailing indicators

How can I develop KPIs?

Identify critical business processes and supporting applications

Do not focus exclusively on IT-centric KPIs

Gartner provides a catalog of KPIs in "The Gartner Business Value Model" (G00139413)

Sample KPIs for Resiliency

• Opportunity/Threat Index

• Customer Retention Index

• R&D Success Index

• On-Time Delivery

• Service Performance

• Agreement Effectiveness

• Supplier On-Time Delivery

• Supplier Service Performance

• Supplier Agreement Effectiveness

• Conversion Cost

• Skill Inventory Index

• System Performance

• Service-Level Effectiveness

• Advisory Index

Page 14: Witty sec16_112_ae KPI KRI 9.10(1).pdf

KPI Example: Supplier On-Time Delivery

Business Aspect: Supply Management

Aggregate Measure: Supplier Effectiveness

Definition

Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its expectations regarding the time it takes to satisfy a specific order or service request. The metric is based on the organization's request date, not a negotiated date.

Calculation

Supplier On-Time Delivery = Orders Received On Time ÷ Total Orders

Example

During the past seven days, ABC Computers received 200 supplier shipments, of which 150 met their requested delivery date.

Supplier On-Time Delivery = 150 ÷ 200 = 75%

Applications

Supplier on-time delivery applies to product and service businesses. It is important as organizations look to manage inventory levels by controlling the timing of material receipts. The income statement account most affected by supplier on-time delivery is operating expense.

Potentially Affected Primes

Time-to-Market Index, On-Time Delivery, Order Fill Rate, Cash-to-Cash Cycle Time, Conversion Cost and Asset Utilization

Page 15: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Availability Key Risk Indicators

What is a KRI?

A key risk indicator is a leading indicator of risk to business performance

How can I develop KRIs?

Do not solely use operational metrics

Do not focus exclusively on IT-centric KRIs or availability

Gartner provides a starting point to develop availability KRIs in "A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping" (G00171605)

Sample KRIs for Resilience

• Customer renewals due to resilience

• % of suppliers with no BCM programs, or who can't recover in 12 weeks

• % of business units without a BCM coordinator

• % of mission-critical recovery plans not exercised within the last 12 months

• % of mission-critical business processes without a backup/recovery architecture to support their RTOs and RPOs

• % of new IT projects designed according to continuity and resiliency requirements

• % turnover of mission-critical IT personnel

• % of crisis management plans not exercised within the last three months

• % of BIAs older than 12 months

Page 16: Witty sec16_112_ae KPI KRI 9.10(1).pdf

KRI Example: Single-Source Supplier Availability

ERM Category: Operational Risk, Supply Chain

KPI: Supplier On-Time Delivery

Definition

Single-source supplier availability measures the level of continuity available from mission-critical, single-source suppliers. A stable and controlled supply chain reduces risk of manufacturing delays and outages, which can lead to breach of contractual obligations.

Calculation

Single-Source Supplier Availability = Single-Source Suppliers With No BCM Program ÷ Total Number of Mission-Critical Single-Source Suppliers

Example

Out of 37 single-source suppliers, 11 have no BCM program or one that requires more than 12 weeks to recover.

Single-Source Supplier Availability = 11 / 37 = 30%

Potentially Affected KPIs

On-Time Delivery, Supplier On-Time Delivery, Customer Retention Index, Order Fill Rate, Service Performance

Page 17: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Map KPIs to KRIs

Each entry below lists the Key Performance Indicator, the Key Risk Indicator and the Impact.

KPI: On-Time Delivery

KRI: Suppliers' BCM Programs

Impact: More than 10% of single-source suppliers with no BCM program or one that requires more than 12 weeks to recover manufacturing operations leads to failure to meet contractual obligations

KPI: R&D Success Index

KRI: Product Design

Impact: Less than 25% growth rate year over year in new products being delivered with no single-source component

KPI: Systems Performance

KRI: Mission-Critical Personnel Turnover

Impact: A 15% turnover rate every six months in identified key positions impacts mission-critical system stability and efficiency leads to failure to meet internal or external SLAs and delays in recovery from disaster

KPI: Agreement Effectiveness

KRI: Mission-Critical System Downtime

Impact: Products/services that represent 30% or more of revenue that have not exercised their recovery plans within the last six months leads to delays in meeting contractual obligations, SLAs and recovery from disaster

Page 18: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Case Study: A Shipping Company

The Business

A cross-country shipping company has a fleet of 500 trucks

KPI/KRI

• KPI: On-time delivery has reputation, sales, and customer service implications

• KRI: Truck breakdown rates have a causal relationship with on-time delivery

• KRI: Failure to change the oil has a causal relationship and negative impact on breakdown rates

• Control: An SLA has been developed within maintenance to change oil every 5,000 miles

Risk Management

• Changing the oil every 3,000 miles raises costs and does not significantly lower breakdown rates

• Changing the oil every 10,000 miles lowers costs but significantly raises breakdown rates

Success Factors

• It doesn't matter if you call it a KRI or KPI, it is the causal relationships that matter.

• Delivers visibility into risk to drive better business decisions with leading indicators.

Page 19: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Seven Guiding Principles for KRI Development

• KRIs should be quantifiable: To relate KRIs to KPIs, the KRIs must be quantifiable so that they can be included in KPI calculations.

• Align KRIs with business value: KRIs represent potential failures of KPIs. KPIs measure desirable, managed activities, but things do not always go as intended. KRIs measure events and trends that could create variances in intended outcomes. They should be based on the experience of the firm (truck value versus driver skills).

• Avoid purely operational metrics that have no direct relationship to business processes: Operational metrics have great value in running the operation (i.e., function), but they have little value in business communications or decisions.

• Select KRIs that benefit business decision makers: Metrics that cater only to identify gaps that require correction will have limited usefulness in a business context.

• KRIs should be correlated to KPIs and have a causal relationship: A common performance management mistake is selecting metrics that correlate with desired outcomes, but have no causal relationship with them.

• A KRI should reflect a relevant domain of risk: KRIs should represent fluctuations in existing areas of risk management directly related to business processes.

• KRIs should reflect fluctuations in risk posture: Business decision makers benefit most from information that represents a change in risk posture that directly impacts ongoing business processes.

Page 20: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Availability KRI Catalog

[Figure: catalog grid with the headings ERM Category, Aggregates and Primes. ERM categories shown: Market Risk, Credit Risk, Operational Risk. Labels shown include Information Security, Vulnerability Management, Program Maturity, Network Security, Identity and Access Management, Supply Chain, Sourcing, Vendor Viability, Contracts, Compliance, E-Discovery, SOX, Solvency 2, IT Operations, Applications, Change Management, Internal, PPM, Enterprise Architecture, Privacy, Cross-Border Data Flows, Privacy Policies, Privacy Training, and Business Continuity Management with Governance, Planning, Program Scope, Organization, Budgeting/Investing, Availability Framework, Program Management, Architecture, Processes/Controls, Communications/Awareness, Exercising and Execution. Individual entries appear as placeholders "Aggregate 1" and "Risk 1" to "Risk 8".]

Page 21: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Risk-Adjusted KPIs: Availability

Single-Source Supplier Availability KRI

Single-source supplier availability measures the level of continuity available from mission-critical, single-source suppliers.

SSSA KRI = 11 / 37 = 30%

Supplier On-Time Delivery KPI

Supplier on-time delivery measures the ability of the organization to select suppliers that can meet its expectations regarding the time it takes to satisfy a specific order or service request.

Supplier on-time delivery = 181 / 200 = 90.5%

KPI target = 90%

Single-Source Supplier Availability KRI: Risk Factor Adjustment

50 to 100: +1

40 to 50: +0

30 to 40: -1

20 to 30: -2

<20: -3

Risk-adjusted supplier on-time delivery KPI = KPI - risk factor adjustment

Risk-adjusted on-time delivery KRI = 90.5% - 2% = 88.5%

The company has visibility into negative factors and can act before revenue is lost, in this case, by identifying single-source suppliers in their supply chain and making the corrections in the design process.

Page 22: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Guidance for BCM Leaders

• Enhance relevance

- KPI/KRI mapping provides BCM leaders with insight to better position the value they bring to the organization. CIOs, risk management officers and BCM managers can help their enterprises gain competitive advantage by linking risks to business performance.

• Justify budget

- KPI/KRI mapping assists BCM managers in justifying the budget by linking to direct business impact.

• Pick your battles

- KPI/KRI mapping can provide a crucible in which to understand which availability risks are truly relevant and defensible from a business perspective.

• Acknowledge political realities

- Avoid turning this into a dashboard of threats, vulnerabilities, and unmet control objectives — doing so will only reinforce the perception that BCM or IT DRM has nothing to do with running a business.

- Use this as an opportunity to demonstrate how good risk information can be a valuable asset in making informed business decisions.

Page 23: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Your Action Plan

• In the short term (when you get back to your desk):

- Assess the maturity of the major elements of your BCM and operational risk management program

- Develop an understanding of your company's key business processes

• In the midterm (within six months):

- Formalize your BCM program with a governance matrix and charter

- Map key availability risk indicators into key performance indicators, and use this to engage the business in availability risk discussions

• In the long term (one year):

- Develop and deliver an executive reporting scheme that addresses the needs of a business audience

- Track program maturity metrics to continuously measure progress

Page 24: Witty sec16_112_ae KPI KRI 9.10(1).pdf

Related Gartner Research

• The Gartner Business Value Model: A Framework for Measuring Business Performance (G00139413)

• Map Key Risk Indicators to Key Performance Indicators to Support IT and Enterprise Risk Management (G00166093)

• A New Approach: Obtain Business Ownership and Investment Commitment for Business Continuity and Resilience Management Through Key Performance and Risk Indicator Mapping (G00171605)

• A Risk Hierarchy for Enterprise and IT Risk Managers (G00156664)

• Toolkit: Assessing Risk Posture and Setting Priorities Using a Process Maturity Tutorial (G00151765)

• Transparency Provides Opportunities and Threats in the 21st Century (G00169930)

For more information, stop by Gartner Solution Central or e-mail us at [email protected].

