Recently I was asked by a fellow President of a company why it was so hard to get the IT department to implement KPI (key performance indicator) measurements for their activities?  The President mentioned that numerous KPI measurements were already in place for the other departments such as Sales, Marketing, Account Management, Finance, etc.  However, the process of getting IT to define their KPI measurements was akin to pulling teeth.  I replied that there certainly was no logical reason why IT should not have KPI measurements, and I sent a list of some common metrics that could be considered by leadership for use in their IT department.  After I sent the list, I wondered if other companies were experiencing the same challenge and frustration.  Some quick reference checks confirmed that too many IT organizations do not have effective KPI measurements, and they do not hold themselves to the same level of accountability as their peer business departments.  Obviously, that needs to change, and change quickly.  So, to help other President, CFO, COO or IT leaders out there, I’ve compiled the following list of sample KPI’s you can implement at your organization.  Not all of them will apply to your business, so you can cherry-pick which one’s make sense for your organization.

However, before I list the sample KPI’s, I have a note for IT leaders:  if the IT department wants to be taken seriously and given a seat at the table with the business, they need to treat themselves like a business unit and define their key performance indicators, set baselines, measure current performance, evaluate trends, and take action…just like the business units they serve.  Of course, this will increase the level of accountability for the IT department, but increased accountability makes sense given the investment in IT and technology, along with the impact IT and technology can have on the efficiency, operations, revenue generation, marketing/branding, and overall profitability of any company. Now, a message for the President/COO/CFO:  if your IT leadership team is not willing to hold themselves to this level of measurement, performance management, and accountability, my only recommendation is to get new IT leadership.  Would you let your head of Sales or Marketing operate without KPI measurements and high levels of accountability?  Of course not.  Don’t let your IT department either.

Ok, I’m off my soap box…onto the metrics themselves.  I’ve broken these into some logical business-friendly categories. Additionally, these metrics are “actionable”, which means they should give you early visibility to make changes, or show you trends over time that indicate where change might be needed.

Budget/Financials

• Total IT Expenditure vs. Plan – actual total expense divided by budgeted expense; this measure indicates how well IT is managing their spend against budget.
• Dollars Saved in Vendor Negotiations – dollar amount saved in the current fiscal year by renegotiating existing vendor contracts; this measure indicates how well IT is at re-negotiating contracts for the benefit of the organization; savings can include getting rid of unused licenses; bringing in new lower cost vendor; negotiating lower costs for longer term contract, etc.
• Total IT Spend by Customer – actual total expense divided by number of customers; the point of measuring this metrics is to verify whether you are getting “leverage” from your IT investments. If spend per customer is going up, you are not getting leverage and are instead spending more money to likely both acquire and keep customers. If spend per customer is going down, you should be getting leverage with your investments that are either lowering customer acquisition costs, or lowering the costs to serve existing customers. Now, this metric can be influenced by many factors outside of IT control, but over time the trends will tell you whether you are heading in the right direction, or the wrong direction.

Compliance/Regulatory

• Payment Card Industry (PCI) Compliance % – the percentage of systems/processes that are PCI compliant with the latest version of PCI (version 3.2 as of this post); this should eventually become 100%, but might dip down as new PCI versions are released, so it’s good to keep on the list if you process or even handle credit cards in your business operations.
• SOX (Sarbanes-Oxley) Compliance % – the % of IT systems in-scope for SOX compliance that have no weaknesses in their controls.
• HIPPA (Health Insurance Portability and Accountability Act) Compliance % – the % of IT systems in-scope for HIPPA related information that are in compliance with the stated security standards for protecting certain health information that is held or transferred in electronic form.

PC Support/Helpdesk

• % of Onboarding Tickets Completed within SLA – one of the biggest gripes of management is finding out that new hires are not ready to be productive on day 1 of their employment. This metric measures the % of new hires (onboarding tickets) that are fully setup to operate with everything requested in the onboarding ticket (e.g. PC/Laptop ready, phone/VoIP setup, sign on established, etc.). Now this depends on an agreed upon SLA so that IT has time to get things setup, typically 3-5 days’ after onboarding ticket is received.
• 1^st Call Resolution Rate – % of calls to the help desk that are resolved during the call and do not require follow-up for resolution.
• 1^st Contact Resolution Rate – % of emailed help desk tickets that are resolved the first time someone opens the ticket and attempts to resolve it or contacts you to resolve it.
• Speed to Response – the average time during operating hours that it takes for someone to answer the phone when you call the help desk.
• Average Hold Time – how much time the average person sits on hold waiting to speak with someone at the Help Desk.

Systems and Infrastructure

• System Availability (or Uptime) – a measure of whether critical business operating systems are fully functioning during the standard business hours of operation, excluding scheduled maintenance or scheduled downtime. To hold your IT team accountable, make sure that if any piece of a system that is critical is not operating, this counts as the system not being available, since IT teams should hold themselves to a standard of providing uptime to all parts of critical systems, not just parts of the systems.
• % of Systems with Tested Disaster Recovery (DR) Plans – the worst thing that can happen to a company is not being able to recover from a disaster such as a fire, flood, or even extended power outage (remember the East Coast blackout). The only way to know if you can recover is to execute actual DR tests to prove your plan to recover works.  Not testing critical systems almost ensures you will have problems recovering, and sadly a high percentage of companies never recover from disasters…they just cease operating.
• % of Redundant Devices/Systems that Failed for the Period – modern IT teams have gotten good at putting in place redundant devices and applications to improve Uptime and reduce the likelihood of downtime or system failure. However, if systems are failing over to their redundant pairs too often, this is a critical measure telling you that something is wrong and you may have weaknesses and your IT team is not addressing the core reasons why something is frequently failing over.
• % of Servers/Virtual Servers Utilized – this is a measure of whether you have servers that are not being utilized (under 25-30%), or if you have servers that are being too highly utilized (constantly over 90%). Both scenarios are bad…if you have underutilized servers you are spending too much money, and this is quite the expensive problem with cloud based servers at AWS or Azure.  On the flip-side, if you run servers at greater than 90% capacity for too long, you invite component failure at the worst, or just poor response-time at best.

Security

• % of Servers with High Vulnerabilities – if your IT department doesn’t do vulnerability scanning, please allocate them the budget to do so. Vulnerability scanning is the best practical way to ensure whether you are closing holes in your systems that hackers can use to infiltrate your organization.  If your IT team is not patching systems with High Vulnerabilities, then your company is exposed to hacking just like Equifax, Marriott, Home Depot, Sony, and too many others.
• % of Network Devices with High Vulnerabilities – this is the same as the metric above, but just specific to network devices (not servers) such as routers, switches, WiFi end-points, Firewalls, et al.

Personnel

• Retention Rate of Performance Talent – the % of FTE’s retained for the year, excluding FTE’s who were terminated for cause or who quit while on performance improvement plans; the reason to measure this is to ensure IT management is managing their people and not losing hard-to-find talent to other companies due to poor HR skills of your IT leadership.
• Training Hours Per IT Staff Member – the # of IT training hours taken on average (and median) for each staff member; Technology literally seems to change daily or weekly in our fast paced economy, so thinking that your IT team can keep up with all the new changes, security holes, new features, and everything else…without taking time for Training…you are sadly mistaken.  Tech teams must take time for training just to stay current.  In addition, one of the best ways to retain IT talent is to give them training.  It’s like that old saying:  “What if we train our people and they leave?  What if we don’t train them and they stay?”

Projects

• % of Annual IT Project Objectives Met – this is a quarterly and annual measure of whether the IT department met their project objectives for that quarter, or for the full year. This assumes IT does effective yearly planning and has an IT roadmap against which they are executing.  Of course, things on the roadmap can change, but if Business Leadership approves the change, then IT just changes what they measure to match the change.
• % of Projects with On-Time Delivery – everyone wants projects to finish on time; however, given the amount of unknown factors for every project, such as requirements, scope, resource availability (both IT and Business), contract negotiation time, etc., I’ve found that the best definition of on time to be any project that finishes within 30 days of target date should be considered On Time. Trust me, if your IT team is hitting this metrics 90% of the time, you will have some happy internal and external customers.

Application Development

• % of AppDev Team Hours Spent on (1) Admin tasks, (2) Training, (3) Projects, and (4) Support – this metric will tell you whether your expensive AppDev team is able to spend sufficient time on your projects, or whether other activities are taking up too much of their time, likely leading to project delays.
• Application Response Time – this usually requires a 3^rd party software or set of scripts to constantly monitor the response time of critical applications using what is called ‘synthetic transactions’ meant to simulate a user performing typical functions of the application. This metric will tell you if your internal or external customers are experiencing poor response time from your applications, on either a periodic or, worse, a consistent basis.
• Visitor to Inquiry (V2I) – assuming your IT team supports your public facing lead generating websites, this is a typical IT and Marketing metric that measures the % of visitors to your website that convert to an inquiry/lead

 

Of course, there are many more potential KPI measurements that could be added to this list, and I’m sure you have thought of a few just by reading these examples.  The point is not how long or short the list is. The point is whether you are measuring items critical to both IT and the Business success based on the technologies deployed to your internal personnel and to your customers.  Only you can determine which KPI’s are best for your unique company setup and operations.  Remember, as Peter Drucker said: “What gets measured gets managed.”

Thanks for reading!

Eric Dirst