Abe Wachsman, senior vice president of IT at Atlantis Health Plan Inc., had no trouble proving the value of a solid business continuity plan to senior management. But that was after the fledgling Manhattan-based health care management company had been struck by two major disasters in seven years: the Sept. 11 terrorist attacks and a 2008 fire that forced the business into a temporary space for six months. The first incident sent Atlantis Health to SunGard Availability Services LP, in Wayne, Pa., for disaster recovery help. Now Wachsman is in the midst of "bulletproofing our processes," he said, by adding a "much more robust layer of redundancy" to the company's systems.
"The mindset you develop if you have been through something like this is not that we are doing business continuity and disaster recovery to satisfy some abstract requirement," Wachsman said. "We are doing this to ensure that we can continue to exist as a business, because the business has value."
It's the bane of CIOs: How do you get senior management to appreciate the value of business continuity plans before the incident occurs? Unless the company is in a regulated industry that requires contingency plans, or is in an industry such as financial services where downtime clearly translates into boatloads of lost money, business continuity plans remain a tough sell for many CIOs and their business continuity managers.
Now risk experts at research consultancy Gartner Inc. contend they have hit upon a new approach that will help prove the value of business continuity by mapping the relationship between the company's key performance indicators (KPI) and the key risk indicators (KRI) for business continuity, or what Gartner refers to as "availability risk."
Business continuity is challenging to sell, "because business managers don't appreciate the value of availability risk information or their relationship to it," said Gartner analyst Roberta Witty, who copublished the report describing the new approach with colleagues Paul Proctor and Michael Smith. Until business managers understand how risk events link to day-to-day business performance, they won't invest in the appropriate mitigating controls until after a disaster strikes and the negative impact on their business operations becomes palpable, she said.
Linking business continuity KRIs with business's KPIs starts with knowing which measures are relevant, Witty and her colleagues write. For example, financial results are a fundamental measure of a company's performance, but they tell how well the company did, not how well it will do in the future. So, they are lagging, not leading, indicators of performance. To develop good KPIs, a business needs to understand the drivers of its performance.
A good KRI for business continuity should be simple and measurable, according to Gartner. KRIs should align with the threats particular to the company and directly affect multiple business performance indicators. An example of a good KRI, according to the Gartner analysts, is the loss of mission-critical IT personnel through attrition, layoffs and so forth. The loss of knowledge and the gaps in the workplace those events create raise the risk level; that in turn could result in mission-critical downtime, a key measure of IT performance. Rather than talk about the downtime as a failure to meet the IT department's service-level agreements, business continuity managers need to figure out how this KRI impacts the company's KPI for on-time delivery, for example.
Of course, mapping the relationship between good KPIs and good KRIs assumes that the company has even identified them -- which Gartner acknowledges is a big if. A study from the University of Pennsylvania's Wharton School shows that only 23% of the Fortune 1000 define and use KPIs effectively. "In the absence of KPIs, risk domain managers should create their own set," the Gartner analysts advised. Their report offers sample KPIs and KRIs that are relevant to business continuity.
Gordon Haff, principal IT analyst at Illuminata Inc., in Nashua, N.H., said that the idea of linking continuity risk to business performance, rather than IT performance, is not new and is plain common sense. "Of course you talk in business terms!" he said.
That said, "This is one of those easier-said-than-done things, because the fact is, IT folks tend to understand how IT actions have an impact on IT things. They do not necessarily have a great feel for what that translates into at the business level," Haff added.
And the problem is not simply a matter of language. The relationships between IT risk and business performance are complicated. "We can talk about the downtime of systems. It is an indirect path to turn that into downtime for applications, and it is still another indirect step to figure out what that means in dollar terms," Haff said.
Haff also agreed that it's critical to have KPIs that benchmark performance within one's industry, but "IT can't be expected to know whether their company's supply chain, to take one example, is good, bad or indifferent in terms of performance within the industry," he said. It's not necessarily IT's job if the business needs a better supply chain. "The CIO is supposed to be more of a business person, but at some level, requirements need to be coming down from the business units," he added.
Meaningful metrics are important for making the case for business continuity plans to upper management, agreed Burton Group Inc. analyst Ramon Krikken. However, if KPIs for business are sometimes hard to get right, KRIs are harder. There is a paucity of data -- and agreed-on data -- for business continuity risks.
When the event is a hurricane or earthquake, or some other natural disaster, the risk analysis is fairly straightforward because there is data for the probability of such random events, Krikken said. Start looking at rare threats like hacking incidents or disgruntled employees, however, where there is no meaningful data yet, and the ability to predict the future from past incidents diminishes. How to calculate the appropriate investment to mitigate such risks is difficult, if not impossible.
"If all we are talking about is earthquakes and power failures, that is one thing. A harder story to sell is where we don't have the actuarial data," Krikken said. "Throw in a bunch of people who wish the company ill, and the equation changes a lot. Instead of two variables, now you have 30 variables, but we have no idea how they relate." The question is, what are the right indicators?
Let us know what you think about the story; email Linda Tucci, Senior News Writer.