KPIs for measuring Business Continuity Management performance

The purpose of BCM KPI's is to monitor and  measure the performance of  Business Continuity Management(BCM) program based on the references obtained through achievement of processes or goals . These indicators are used to help the organization evaluate its progress and / or performance (in terms of efficiency, effectiveness, robustness, and so on) of its BCM processes while pursuing short-term, medium-term and / or long-term goals / plans.

A well managed KPI dashboard gives the senior management information on how BCM program is managed across the organization. The board (senior management) can then concentrate on what it does best, focusing on the key tasks that need to be dealt immediately.
The KPI for BCM (described in this document) provides right KPI that helps to manage the BCM program effectively with good control. KPI Measures must be reported to the management in a timely fashion,  KPIs shall be reported weekly or with the frequency set in the BCM system.

KPI Evaluation Practices

The KPI’ evaluation process needs to be identified in terms of BCM best practices applied in the BCM program.  ISO22301 standard is globally recognized to manage BCM program. The KPI has to be derived from the BCM activities carried across the organization. The KPIs are simple to understand and invite action that needs immediate attention.
The BCM Manager needs to focus on a handful of key indicators which:
  • Reflect the performance and progress of your BCM program
  • Are measurable
  • Can be compared to a standard, such as ISO22301
  • Can be acted upon
Most indicators are used to monitor and control the effectiveness of BCM. The following is the  list of important areas to cover in and as BCM KPIs:
  • Business Impact Analysis
  • Risk Assessment
  • BCM Documentation and review
  • BCM exercising and testing
  • Embed BCM culture
  • Continual improvement

Master Dashboard

The Master Dashboard provides the complete picture of BCM activities, which are quantified and summarized.  The KPI will provide a clear picture to the senior management on what are the actions taken by the BCM teams, the status and the need for senior management intervention. This also exhibits the BCM team commitment to embed the BCM culture.  The following  sections exhibit the KPI of sample BCM activities on actual plan versus achieved. 
  • Document Review and Maintenance
  • BCP policy
  • BCP Scope
  • Business Impact Analysis
  • Risk Assessment
  • Business recovery procedure
  • Incident management Plan
  • Emergency Response plan
  • Business continuity plan
  • Documentation and Record control procedure
Embed BCM - Training & Awareness
  • BCM awareness session
  • BCM Tool training
  • First Aid & Health Training
  • Media & communication training
Exercise BCM - Testing
  • BCM Simulation testing
  • Evacuation test - Fire Drill
  • Conduct Quiz program
  • IT Drill
BCM  program Review
  • Conduct Steering committee meetings
  • Third parties review
  • Review BCM good practices
  • Internal Audit
  • External Audit ISO22301
Continual improvement  -  Preventive and corrective Action
  • BCM Test issues
  • Internal Audit observation
  • External audit observation
  • BCM Tool enhancement
  • Management Review Action items
  • Lessons from incident
  • Business impact analysis and risk assessment review

Business Impact Analysis (BIA)

The BIA review is the primary activity of BCM teams. This activity identifies the business units and its criticality. The data starts from identifying critical functions, the contact details of employees and the critical dependencies of the department or business unit. The following review checklist and table exhibit KPI which can be quantified with the available data.  Also, the quality of the BIA KPIs can be reflected in percentage for each department.
The BCM team also captures the following data for every department as part of BIA, below provided are samples on review checklist on KPI's.
  • Business Impact – Functions/processes :
  • Function descriptions 
  • Financial Impact
  • Max outage time frame 
  • Outage Impact 
  • Detailed Outage Impact
  • Dependent resources
  • RPO 
  • Peak Time 
  • Contact Details
  • Name 
  • Office phone
  • Office mobile
  • Home phone
  • Personal mobile
  • Staff photo
  • Emergency contact
  • Home address
  • Relationships
  • Description
  • Dependency detail
  • SLA for BCM
  • Main Number and contact
  • Main Fax
  • Web Address
  • Address
  • General Email

Risk Assessment

The risk assessment dashboard provides the number of risks identified for the sites that come under the BCM scope, the risks could be around physical security, facilities, relationship or dependencies and IT.  The dashboard needs to provide the number of risks identified , mitigated risks and residual risks those needs action.

BCM Exercising

This BCM exercise is one of the important activities that verifies the readiness of the BCM program across the company. The BCM exercise has to be set with certain objectives as per the readiness plans. The BCM exercising KPI measures the success of the exercise and corrective steps to be taken to mitigate the failures. The dashboard has to provide  a number of business units , total functions, those business units tested success or failed against objectives such as RTO and RPO.

BCM Documents, Incident Management, and Continuity Plans

The BCM department has to maintain its own documents to manage the BCM system effectively. The department plans are important to manage and schedule meeting with business units to review the plans such as BIA and Business Recovery procedure. The business continuity plan should have comprehensive information that covers all areas of the information; this has to be reviewed with frequency mentioned in BCM operating procedure.  The KPI measures the information for completeness and comprehensiveness as required by the standard against each of  the following in terms of numbers and covered in the document and missing components,
  • BCP policy
  • BCP Scope
  • BCM Standard Operating Procedure
  • Business recovery procedure
  • Incident management Plan
  • Emergency Response procedure
  • Business continuity plan
  • Documentation and Record control procedure

Embed BCM Culture

The BCM manager ensures that BCM program is embed to the organization by executing various business continuity awareness sessions and training.  Since the BCM program approached holistically, there are multiple BCM teams involved to execute the right tasks with great competence and skills. BCM teams are fully aware of the Business Continuity plan and are fully prepared for handling an incident or crisis by training and testing those teams periodically.  The following exhibits the KPI  of target vs achieved.
  • Number of BCM awareness session
  • Number of  BCM Tool training
  • Number of  First Aid & Health Training
  • Number of  Media and communication training
The dashboard should brief about number of staff trained or not trained  and clear information of gap on objectives vs achievement

Continual improvement

The Continual improvement is factored with regular maintenance issues, reviewing the best practices and real incidents. The BIA and RA result to drive the mitigation plan and the BCM strategy.  The samples KPI for the continual improvements is given in the Master Dashboard section.


The best and most effective business continuity management system is developed by taking a holistic approach with great KPI that provide good control over the system. However, this KPI needs to be reviewed during the steering committee meetings to prioritize the key tasks in focus.  The KPI table provides agile information on BCM program progress and immediate focus required for action. You can achieve this by restricting the number of figures you present to senior management. But the biggest breakthroughs are achieved by clever use of computer-generated graphs and charts. The trends instantly become clear to the senior management, should, therefore, have more time and resources to focus on the more important BCM issues.
Finally follow the below useful key steps during BCM KPI presentation with senior management.
  • Select the most urgent BCM problems, identify the causes, and agree on the best cure for each.
  • Agree which individual will be responsible for each action item, together with timescales. Record this in the minutes of the meeting.
  • If the same problem keeps re-occurring, it is often a sign that the person responsible is not doing the job properly.
  • Avoid being distracted. Always come back to focus on the real drivers of the BCM as listed in this document.

Authored By - Arunkumar Durairaj
TCS Enterprise Security and Risk Management

Rate this article: 
Average: 1 (1064 votes)
Article category: