Key Performance Indicators for Achieving Resilience

May 30th, 2023 | Updated 2023-07-20 | 1 Comment

An important way to demonstrate progress toward achieving operational resilience is to use key performance indicators. This article describes KPIs and provides examples of KPIs for resilience.

Perhaps the number one concern of resilience professionals is “How well will my resilience plan work when a real event occurs?” This is true for just about any plans or procedures that address disruptive events and how to respond to them.

One way – most likely the best way – to ensure that resilience plans will work as designed is to exercise them. Another technique is to identify characteristics of the plan that can be measured in some way. Specifically, the goal is to examine and rate the performance of specific plan attributes.

Key Performance Indicators

An effective way to achieve the above measurements is to establish key performance indicators, or KPIs. They answer an essential question: What is really needed for achieving resilience? Consider both quantitative and qualitative metrics when developing KPIs for resilience. The following is an example of each:

Quantitative: Resilience plans must be exercised four (4) times per calendar year

Qualitative: Exercise results must demonstrate a significant improvement over prior exercises

Establishing KPIs is an important activity for professionals who are developing comprehensive resilience programs. KPIs are also important metrics that senior management should understand. This is an especially important way to assure management that the resilience program is performing properly, and that the organization is becoming more resilient.

The Importance of KPIs in Resilience

Resilience initiatives and their value may not be immediately understood by senior management. The ability to provide resilience performance data in an easily understood format can help management understand what is happening, how well the program is progressing, and how the organization can benefit from resilience.

Properly designed and regularly measured, KPIs can make a big difference in how well a resilience initiative is performing. Naturally, the true test is a live event, but regular measurement of resilience KPIs can provide insight into a program’s likely performance.

Regularly measuring performance reinforces activities that are performing well and highlights those that are underperforming. The challenge is to develop KPIs that are relevant to the overall resilience initiative.

How to Develop KPIs for Resilience

For organizations with established resilience activities, it makes sense to start out with a few KPIs and add more over time. Establish a measurement process to track how well the KPI metrics are being met.

Begin by identifying resilience criteria that can be measured. It may be easier to start with quantitative criteria. It is very important to understand how senior management defines resilience and views its importance. Their perspective is essential when developing a resilience program. KPIs should address a specific aspect of resilience, establish a specific performance goal, and set time frames as appropriate.

The SMART model may be a good way to help define KPIs. The following are the SMART criteria:

S = A Specific purpose is defined

M = The KPI should be Measurable

A = Defined goals must be Achievable

R = It must be Relevant to the organization

T = A Time component must be included

Make sure the candidate KPIs align with resilience initiatives. They should also support the business processes, systems, employees and facilities that make up the resilience components.

Examples of Resilience KPIs

The following section lists suggested KPIs for a variety of issues associated with the development and management of resilience.

Program Development

  • Program development activities are compliant with standards
  • Senior management awareness is achieved and maintained
  • Senior management approval is maintained for the duration of the program
  • Data related to key contacts is reviewed and updated monthly

Business Impact Analysis (BIA)

  • Corporate-level BIAs are performed at least twice annually
  • Department-level BIAs are performed at least annually

Risk Analysis (RA)

  • Corporate-level RAs are performed at least twice annually
  • Department-level RAs are performed at least annually

Technology Assessments

  • Technology assessments relating to business resilience are performed at least twice annually
  • Compliance reviews of various IT activities (e.g., data backup, system development) are performed at least twice annually
  • Assessments of data center operations are performed at least quarterly
  • Assessments of network operations are performed at least quarterly

Procedure Development

  • Procedures associated with responding to an incident are developed in accordance with standards
  • Procedures to ensure resilience is achieved and maintained are reviewed at least twice annually
  • Procedures associated with all aspects of continuity and resilience are reviewed and updated at least twice annually, or following the completion of exercises

Incident Response

  • Incident response plans and procedures are reviewed and updated at least twice annually, or following the completion of an exercise
  • Incident response plans are exercised at least twice annually

Technology Disaster Recovery (DR)

  • DR plans for all major systems and networks are reviewed and updated at least twice annually, following an exercise or when major changes are made to the infrastructure
  • Data centers and associated facilities are assessed at least twice annually for proper performance
  • Systems and applications used for recovery and resumption of business operations are reviewed at least quarterly

Data Backup and Recovery

  • Programs associated with data backup, data storage and recovery are assessed at least quarterly for proper performance
  • Non-data-center data storage and recovery resources are assessed for proper performance at least quarterly

Business Continuity (BC)

  • BC plans for all mission-critical business processes are reviewed and updated at least twice annually
  • BC plans for non-mission-critical business processes are reviewed and updated at least annually

Cybersecurity

  • Systems and software associated with the prevention, detection and mitigation of unauthorized infrastructure breaches are reviewed and updated monthly, or more frequently, as needed
  • Systems and software designed to prevent attacks on the network perimeter, web sites and other external resources are reviewed and updated monthly, or more frequently, as needed

Media Relations

  • Plans and procedures associated with media relations are reviewed and updated at least twice annually

Awareness and Training

  • Awareness programs that remind employees about resilience and its importance are reviewed and updated at least quarterly
  • Employee training and briefing programs relating to resilience activities are conducted at least twice annually
  • Emergency teams receive training on their roles and responsibilities in an incident at least quarterly

Exercising

  • Incident response plans, evacuation and other similar plans are exercised at least twice annually
  • Technology DR plans are exercised at least twice annually, or when a major change in the technology infrastructure occurs
  • Corporate-level BC plans are exercised at least annually
  • Department-level BC plans are exercised at least annually
  • Cybersecurity plans are exercised at least twice annually

Continuous Improvement

  • Activities associated with continuous improvement of resilience are performed at least twice annually
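The measurement process mentioned under "How to Develop KPIs" has to turn cadence statements like "at least twice annually" or "at least quarterly" into a pass/fail result. The following Python script is an added example, not code from the author or from any resilience tool: it models each KPI as a required number of occurrences inside a rolling window, evaluates a constructed activity log against a constructed reporting date, and reports for each KPI whether it is met and the date on which it will lapse unless the activity is repeated. The KPI names, the log entries and the dates are all assumptions chosen to mirror the examples above.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Kpi:
    """A cadence KPI: the activity must occur at least min_occurrences
    times within a rolling window of window_days ending on the reporting date."""
    name: str
    min_occurrences: int
    window_days: int


# Constructed KPI definitions (assumed names); the cadences follow the
# "at least twice annually / quarterly / monthly" pattern used above.
KPIS = [
    Kpi("Incident response plans exercised", min_occurrences=2, window_days=365),
    Kpi("Department-level BIA performed", min_occurrences=1, window_days=365),
    Kpi("Data center operations assessed", min_occurrences=1, window_days=91),
    Kpi("Key contact data reviewed", min_occurrences=1, window_days=31),
]

# Constructed activity log: (KPI name, date the activity was completed).
# In practice this would be exported from a GRC tool or ticketing system.
ACTIVITY_LOG = [
    ("Incident response plans exercised", date(2022, 9, 14)),
    ("Incident response plans exercised", date(2023, 3, 2)),
    ("Department-level BIA performed", date(2022, 4, 11)),  # older than the window, will not count
    ("Data center operations assessed", date(2023, 4, 20)),
    ("Key contact data reviewed", date(2023, 4, 10)),
    ("Key contact data reviewed", date(2023, 5, 12)),
]

AS_OF = date(2023, 5, 30)  # constructed reporting date


def evaluate(kpi, log, as_of):
    """Check one KPI against the log as of a reporting date."""
    window_start = as_of - timedelta(days=kpi.window_days)
    # Only completions inside the rolling window count.
    hits = sorted(d for name, d in log if name == kpi.name and window_start < d <= as_of)
    met = len(hits) >= kpi.min_occurrences
    # The KPI stays met until the Nth most recent completion ages out of the window;
    # that is the date by which the activity must be repeated.
    lapses_on = hits[-kpi.min_occurrences] + timedelta(days=kpi.window_days) if met else None
    return {
        "required": kpi.min_occurrences,
        "observed": len(hits),
        "met": met,
        "last_completed": hits[-1] if hits else None,
        "lapses_on": lapses_on,
    }


def scorecard(kpis, log, as_of):
    """Evaluate every KPI and return the results keyed by KPI name."""
    return {k.name: evaluate(k, log, as_of) for k in kpis}


def summarize(card):
    """Roll a scorecard up into the figures a management report would carry."""
    total = len(card)
    met = sum(1 for r in card.values() if r["met"])
    return {
        "met": met,
        "total": total,
        "percent_met": round(100 * met / total, 1) if total else 0.0,
        "unmet": sorted(name for name, r in card.items() if not r["met"]),
    }


if __name__ == "__main__":
    card = scorecard(KPIS, ACTIVITY_LOG, AS_OF)
    for name, row in card.items():
        status = "MET  " if row["met"] else "UNMET"
        print(f"{status} {name}: {row['observed']}/{row['required']} in window, lapses on {row['lapses_on']}")
    print(summarize(card))
```

With the constructed data, three of the four KPIs are met and the department-level BIA is flagged because its only recorded completion falls outside the one-year window. The "lapses on" date is what makes the scorecard useful between reporting cycles: it tells the program owner when the next exercise or assessment must be completed to keep the KPI green, rather than only reporting that it has already turned red.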

Summary

The use of key performance indicators is another way to ensure that resilience activities are being performed, and are regularly reviewed and exercised. Results of KPI monitoring activities can be summarized into reports to senior management indicating the organization’s level of resilience.


Published in Enterprise Resilience

About the Author:

Paul Kirvan, FBCI, CISA, is an independent business resilience consultant, IT auditor, and technical writer with over 35 years of experience. Mr. Kirvan is a Fellow of the Business Continuity Institute (FBCI), a Certified Information Systems Auditor (CISA) and a member of the Resilience Association. www.resilienceassociation.org [email protected]
https://www.linkedin.com/in/paulkirvan/

One Comment

  1. KEVIN DINEEN June 7, 2023 at 9:15 pm

    This is an excellent overview and checklist on covering all things that involve Organizational Resilience.
