There is a golden key that can be used by every organization to open the door to excellence for its business continuity management program. It is making use of key performance indicators (KPIs) to assess the program and guide future efforts and investments.
Related on BCMMETRICS: BCM by the Numbers: The Metrics That Matter Most
Two Amazing Facts about KPIs
Sometimes we call them key performance indicators; sometimes we call them metrics.
Whatever name you want to use, they are the quantifiable aspects of your BCM program that you look at to understand what’s really going on—and learn what should do next to make it better.
Here are two things I think are amazing about KPIs:
- Few programs use them, despite how powerful they are, and how cheap and easy they are to collect and utilize. (I can safely say this is through no fault of mine. I write and talk about the importance of metrics every chance I get.)
- You only have to look at a small number of KPIs to get the information you need to understand and strengthen your program. (I’ll get to what those are in a second.)
A State of Blissful Ignorance
I love metrics, but I get tired of asking my clients if they have them. The reason is, the answer is almost always no. Most companies don’t even have what I call the meaningless metrics, the ones such as the number of BIAs completed that track how much work the BCM office has done but say nothing about recoverability.
Most organizations have metrics for every other critical area but not for the BCM program. There a state of blissful ignorance frequently prevails.
One reason for this might be the natural human tendency to not see the forest for the trees. Most people get caught up in tactics; few look at the big picture.
Another reason might be the BCM office’s fear that, if they look too closely at the state of their program, they might not like what they find.
I understand these tendencies, but neither helps the organization or protects its stakeholders.
The Most Important KPIs
The irony is, KPIs are not complex and overwhelming. They’re straightforward. Only a few really matter.
The first important KPI is degree of alignment with standards. To what extent is the organization in compliance with its chosen business continuity standard? If you know this, you know most of what matters about the state of your program and the resilience of your company. For more on BCM standards, see “Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now.”
A second important KPI is residual risk, which is the amount of risk remaining in your organization after your mitigation controls have been applied. (Mitigation controls are measures taken to reduce risk, such as business impact analyses, recovery plans, and recovery exercises.) To learn more about residual risk, see “The Big Three of Residual Risk.”
A third informative KPI is value on investment (VOI), a measure of the value of the BC program in terms of people, time, and money. High compliance and low residual risk equates to a high VOI and vice versa. For more on VOI, see the section “Demonstrating Value on Investment” in Chapter 10 of my ebook 10 Keys to a Peak-Performing BCM Program.
By knowing these three KPIs for your BCM program, you will come to a clear understanding of its strengths and be able to create a roadmap to rectify its weaknesses and guide your future budget decisions.
Opening the Door to Excellence
Making use of KPIs is a golden key that every company can use to open the door to excellence for its business continuity program.
Only three KPIs are needed to provide an accurate picture of your program and guidance on how to improve it: degree of alignment with your chosen standard, amount of residual risk, and VOI.
For more information on BCM key performance indicators and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting:
- BCM by the Numbers: The Metrics That Matter Most
- The Metrics System: How to Use Metrics to Improve Your BCM Program
- You’re Doing It Wrong: BCM Metrics
- Enter the Matrix: Why You Should Employ a Risk Management Matrix
- Get Out the Map: Why Your BCM Program Needs a Roadmap
- Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now
- The BCM Trident: 3 KPIs That Can Sharpen Your Continuity Program