Sunday, September 2, 2007

Basic IT KPI development tutorial

This time I want to share my experience of Key Performance Indicator (KPI) development in IT area.

For instance we have a procedure saying all user accounts in domain must be disabled after employee's dismissal. Employee should sign-off depature clearance by system administrator, who will lock or delete user accounts of such an employee. Our task is to implement KPI that will show us how well this function is performed.

Let's suppose that as IT Auditor (IS Security specialist) you perform a monthly-based review of all domain accounts. You request the list of actually working people and compare it with the list of existing domain accounts. After that you will know the number of accounts that should be blocked/deleted but was not. But how to express it with numbers? How to evaluate the scale of problem? These questions could be answered by implementation of simple key performance indicator.

In our case we should take a number of dismissed employees and compare it with number of actually disabled accounts. If we express it in percentage, we receive following numbers:

  • Not disabled accounts - 10
  • Dismissed employees - 15
  • KPI - 100 - 10* 100 / 15 = ~33%

This shows us that only 33% of dismissed employees are blocked. But effective KPI should be 100%. That is why we should give the recommendations not only to disable residuary user accounts of dismissed employee's, but also recommendations on how to improve our process of user accounts administration.

Then we need to get history after some months of reviews. It will help up us to follow-up how effective were our recommendations and plan our further steps.

It could be also very useful for evaluation of efficiency of our employees' work. But it is another story.

What do you think about it? Please do not hesitate to leave comments on this article!


Andrey said...

As KPI is quantitative you need numbers.
In this example you can easily obtain trusted values (dismissed employees, unblocked accounts).
But when you want to implement more complicated KPI like "average time of successful implementation of modification to financial application" you need to get assurance about all necessary values completeness and integrity (and of course confidentiality but for other reasons:). Cause you can effectively analyze something only if you register it correctly.
It is like in accounting to get assurance about finance statements you need to get assurance about transactions.
I think that with good organization KPIs are very useful for IT decisions. But when you can not trust raw data then KPI useless and harmful.

Andrey said...

One more thought.
For your example KPI 100% is understantable and mandatory.
But what about complicated KPIs where standard value may be 35% or 2hours in month. How to detect what value normal and what extraordinary.
I think you if you can observe average KPIs in industry then you can try to achieve same results in your company.
But if you can not then just try to make KPIs better in the process of work.
What do you think?

I audit said...

First of all yes, this example is very simple.
I wrote it only to show the idea. The reliable sources of information is a "must have" for KPI.

Please give the example of KPI that you are interested in and we could try to develop this KPI together.

Anonymous said...

First of all. Thanks very much for your useful post.

I just came across your blog and wanted to drop you a note telling you how impressed I was with the information you have posted here.

Please let me introduce you some info related to this post and I hope that it is useful for community.

Source: key performance indicators examples

Thanks again

Alan said...


I like this post very much. It help me to solve some my work under my director’s requirements.

Apart from that, below article also is the same meaning

key performance indicators examples

Tks again and nice keep posting

ahadoo said...

When i was a BSc students i remember having visited your blog. And now i am working on my MSc dissertation, again i landed on your blog. I am currently working on a formula about KPI with respect to Information Security.

Your blog is real good.

Keep it up!