Blog | BCMMetrics

The BCM Trident: 3 KPIs That Can Sharpen Your Continuity Program

Written by Michael Herrera | Aug 2, 2018 7:20:09 AM

King Neptune gets power from his three-pronged trident, and those of us who work in business continuity can gain power from what I call the BCM Trident. That is, the three key performance indicators (KPIs) that can help you understand and improve your business continuity program.

These 3 KPIs are soundness, risk, and value.

In today’s post, I’ll talk about each one and explain how you can leverage them to sharpen your BCM program.

FYI ON KPIs

Key performance indicators (KPIs) provide a way for an organization to make a quantitative assessment of its performance of an activity that is critical to its ability to carry out its core mission.

KPIs are at the heart of any system of performance measurement and target-setting. When properly used, they are one of the most powerful management tools available to organizations.

MEANINGLESS METRICS

Unfortunately, many BCM offices focus on metrics that are of limited to no value in helping them understand whether their programs are capable.

What we often see is that people capture metrics that are about volume rather than effectiveness. Examples of this type of metric include the number of business impact analyses (BIAs) performed, the number of recovery plans written, and the number of recovery exercises conducted. These metrics all speak to how much work the team has done, not how good their program is.

For more on “meaningless metrics,” see Chapter 4: Measure and Manage in my ebook, 10 Keys to a Peak-Performing BCM Program, available for free download here.


THE BCM TRIDENT

If I were the head of a BCM office, I would deploy the BCM Trident: I would implement the use of metrics that assessed the program’s capability in the three areas of soundness, risk, and value.

Soundness measures how sturdy the infrastructure of the program is. Risk assesses the level of risk that remains in the program following the application of risk mitigation controls (steps taken to reduce risk) and taking into account management’s tolerance for risk. Value measures how well the program has utilized the organization’s investment of time, money, and resources.

We’ll explore each prong of the trident in greater detail below.

SOUND OFF

The first prong of the BCM Trident is Soundness. To implement this KPI, you would adopt one of the recognized business continuity standards and assess the level of compliance with that standard across your program.

Specifically, you would look at how your program stacks up to the standard across the following dimensions: Program Administration, Crisis Management, Business Recovery, IT Disaster Recovery, Supply Chain Risk Management, Fire and Life Safety, and Third Party Management.

You would then grade your performance in each area on a scale of 0 to 100 and weight the importance of the different areas based on your organization’s mission and priorities. High compliance with your standard equates with high soundness.


RESIDUAL RISK

Risk is the second prong of the BCM Trident—and specifically, residual risk.

Your organization has probably conducted BIAs, identified recovery strategies, and built and exercised recovery plans. But do you know how fully executable these controls are?

To implement a KPI for residual risk, you need to identify the remaining risk after accounting for management’s risk tolerance. You also need to look to the state of your critical recovery plan controls. These include your BIAs, Recovery Strategy, and Recovery Exercises. The lower your residual risk, the stronger your program.

A GREAT VALUE

The third prong of the BCM Trident of KPIs is Value on Investment (VOI).

Based on your Soundness and Residual Risk metrics, you can compute what the Value on Investment is in the program. High soundness and low risk will yield a high VOI.

THE TRIDENT’S POWER

The BCM Trident of the three key performance indicators of soundness, risk, and value might not give you the power to part the ocean. But it can help you understand the true capabilities of your BCM program and make it even stronger.

Two Amazing Facts about KPIs 

Sometimes we call them key performance indicators; sometimes we call them metrics.  

Whatever name you want to use, they are the quantifiable aspects of your BCM program that you look at to understand what’s really going on—and learn what should do next to make it better. 

Here are two things I think are amazing about KPIs: 

  1. Few programs use them, despite how powerful they are, and how cheap and easy they are to collect and utilize. (I can safely say this is through no fault of mine. I write and talk about the importance of metrics every chance I get.) 
  2. You only have to look at a small number of KPIs to get the information you need to understand and strengthen your program. (I’ll get to what those are in a second.) 

A State of Blissful Ignorance 

I love metrics, but I get tired of asking my clients if they have them. The reason is, the answer is almost always no. Most companies don’t even have what I call the meaningless metrics, the ones such as the number of BIAs completed that track how much work the BCM office has done but say nothing about recoverability. 

Most organizations have metrics for every other critical area but not for the BCM program. There a state of blissful ignorance frequently prevails.  

One reason for this might be the natural human tendency to not see the forest for the trees. Most people get caught up in tactics; few look at the big picture. 

Another reason might be the BCM office’s fear that, if they look too closely at the state of their program, they might not like what they find.  

I understand these tendencies, but neither helps the organization or protects its stakeholders. 

Opening the Door to Excellence 

Making use of KPIs is a golden key that every company can use to open the door to excellence for its business continuity program.  

Only three KPIs are needed to provide an accurate picture of your program and guidance on how to improve it: degree of alignment with your chosen standard, amount of residual risk, and VOI. 

Further Reading 

For more information on BCM key performance indicators and other hot topics in BCM and IT/disaster recovery, check out these recent posts from BCMMETRICS and MHA Consulting: