King Neptune gets power from his three-pronged trident, and those of us who work in business continuity can gain power from what I call the BCM Trident. That is, the three key performance indicators (KPIs) that can help you understand and improve your business continuity program.
These 3 KPIs are soundness, risk, and value.
In today’s post, I’ll talk about each one and explain how you can leverage them to sharpen your BCM program.
FYI ON KPIs
Key performance indicators (KPIs) provide a way for an organization to make a quantitative assessment of its performance of an activity that is critical to its ability to carry out its core mission.
KPIs are at the heart of any system of performance measurement and target-setting. When properly used, they are one of the most powerful management tools available to organizations.
Unfortunately, many BCM offices focus on metrics that are of limited to no value in helping them understand whether their programs are capable.
What we often see is that people capture metrics that are about volume rather than effectiveness. Examples of this type of metric include the number of business impact analyses (BIAs) performed, the number of recovery plans written, and the number of recovery exercises conducted. These metrics all speak to how much work the team has done, not how good their program is.
For more on “meaningless metrics,” see Chapter 4: Measure and Manage in my ebook, 10 Keys to a Peak-Performing BCM Program, available for free download here.
For more on BCM metrics in general, check out these recent posts:
- The Metrics System: How to Use BCM Metrics to Improve Your BCM Program
- You’re Doing It Wrong: BCM Metrics
THE BCM TRIDENT
If I were the head of a BCM office, I would deploy the BCM Trident: I would implement the use of metrics that assessed the program’s capability in the three areas of soundness, risk, and value.
Soundness measures how sturdy the infrastructure of the program is. Risk assesses the level of risk that remains in the program following the application of risk mitigation controls (steps taken to reduce risk) and taking into account management’s tolerance for risk. Value measures how well the program has utilized the organization’s investment of time, money, and resources.
We’ll explore each prong of the trident in greater detail below.
The first prong of the BCM Trident is Soundness. To implement this KPI, you would adopt one of the recognized business continuity standards and assess the level of compliance with that standard across your program.
Specifically, you would look at how your program stacks up to the standard across the following dimensions: Program Administration, Crisis Management, Business Recovery, IT Disaster Recovery, Supply Chain Risk Management, Fire and Life Safety, and Third Party Management.
You would then grade your performance in each area on a scale of 0 to 100 and weight the importance of the different areas based on your organization’s mission and priorities. High compliance with your standard equates with high soundness.
For more details, check out these recent posts:
- How to Go from Adopting a BCM Standard to Knowing What to Do to Comply with It
- Standard Time: The Best Time to Adopt a Business Continuity Standard Is Right Now
Risk is the second prong of the BCM Trident—and specifically, residual risk.
Your organization has probably conducted BIAs, identified recovery strategies, and built and exercised recovery plans. But do you know how fully executable these controls are?
To implement a KPI for residual risk, you need to identify the remaining risk after accounting for management’s risk tolerance. You also need to look to the state of your critical recovery plan controls. These include your BIAs, Recovery Strategy, and Recovery Exercises. The lower your residual risk, the stronger your program.
For more on residual risk, check out these recent posts:
- You’re Doing It Wrong: Residual Risk
- Risky Business: 9 Ways That Not Measuring Residual Risk Can Harm Your Organization
A GREAT VALUE
The third prong of the BCM Trident of KPIs is Value on Investment (VOI).
Based on your Soundness and Residual Risk metrics, you can compute what the Value on Investment is in the program. High soundness and low risk will yield a high VOI.
For more information on VOI, see the section “Demonstrating Value on Investment: in Chapter 10 of my ebook 10 Keys to a Peak-Performing BCM Program.
THE TRIDENT’S POWER
The BCM Trident of the three key performance indicators of soundness, risk, and value might not give you the power to part the ocean. But it can help you understand the true capabilities of your BCM program and make it even stronger.