The ISO 22301 Performance Evaluation Requirement
ISO 22301 Clause 9.1 requires you to determine what you need to measure, how to measure it, when to measure it, and who analyzes the results. Many organizations create a green dashboard that reports that everything is compliant, without measuring whether the BCMS actually works. The gap between compliance and capability measurement is where many BCMSs fail.
BCMS KPI Categories
Organize KPIs into categories: Plan currency KPIs (percentage of BCPs reviewed within the review cycle); Exercise program KPIs (exercises completed on schedule, findings addressed); Incident and activation KPIs (response times, RTO achievement); Training and awareness KPIs (staff completion rates); Corrective action KPIs (closure rates and timeliness). A balanced scorecard with indicators from each category prevents over-focus on any single aspect.
Core BCMS KPIs
These are the foundational KPIs that most BCMSs should track:
| KPI | Definition | Target | Frequency | Data Source |
|---|---|---|---|---|
| BCP Currency Rate | % of BCPs reviewed within review cycle | 100% | Monthly | BCMS document register |
| RTO Achievement Rate | % of exercises meeting documented RTO | >90% | Per exercise | Exercise reports |
| Exercise Completion Rate | Planned exercises completed on schedule | >95% | Quarterly | Exercise calendar |
| Corrective Action Closure Rate | CA closed within agreed timeframe | >90% | Monthly | CA register |
| Staff BCM Awareness Rate | % staff completed annual BCM awareness | >95% | Annual | Training records |
| BIA Review Currency | % critical activities with current BIA | 100% | Quarterly | BIA register |
RTO Achievement Analysis
How to measure RTO achievement in exercises: Start recovery procedures at a defined time; record actual recovery completion time; compare to documented RTO target. The common error is only testing in ideal conditions—full staff available, no competing priorities. Real exercises should include elements of stress: key people unavailable, incomplete information, competing operational demands. If you only achieve your RTO under ideal conditions, you have not demonstrated RTO capability; you have demonstrated that your RTO is achievable when nothing goes wrong. Benchmark against your certified targets and escalate when RTO targets are missed.
Presenting BCMS Performance at Management Review
ISO 22301 Clause 9.3 specifies what must be included in management review input: performance against objectives, audit findings, effectiveness of nonconformity corrections, changing needs and expectations, adequacy of resources, and actions from previous reviews. Present KPIs in a way that drives board-level decisions, not just compliance reporting. A green dashboard without context is useless; a dashboard that shows trailing performance in exercise completion or BCP currency and links that to future continuity risk drives governance engagement.
Leading vs. Lagging Indicators
Leading indicators predict future BCMS health; lagging indicators report past performance. The following table shows how to use both:
| Indicator Type | Examples | What It Tells You | When to Use |
|---|---|---|---|
| Lagging | Incidents activating BCP, RTO achieved/missed | BCMS outcome performance | Reporting, trend analysis |
| Leading | Exercise schedule adherence, BCP update triggers actioned | Future BCMS health | Operational monitoring |
Benchmarking and Maturity
Use KPI trends to assess BCMS maturity improvement over time. Year-on-year comparison shows whether your program is improving, stable, or degrading. Exercise completion rate trending up shows increasing program maturity. RTO achievement rate trending down suggests degradation. Comparison to industry benchmarks (when available) contextualizes your performance. A small organization achieving 100% BCP currency and 95% exercise completion is demonstrating higher relative maturity than a large organization with 70% currency and 60% completion.
| KEY IDEA | The most important BCMS KPI is not the one that looks best—it is the one that tells you earliest when the BCMS is degrading. BCP currency rate and exercise completion rate are leading indicators of a program that is quietly becoming non-functional. |
| IMPORTANT | Management review is not a compliance formality. ISO 22301 requires top management to review BCMS performance and make decisions about resources, objectives, and improvements. A management review that rubber-stamps a green dashboard is an audit finding waiting to happen. |
| BITLION INSIGHT | Indonesian organizations with OJK or BI oversight should align BCMS KPIs with regulatory reporting requirements—this allows a single measurement framework to satisfy both ISO 22301 Clause 9 and regulatory BCM reporting obligations. |