There are few things more important than the willingness to work hard when it comes to building a top-flight business continuity program. However, I am sorry to report that hard work is not enough. In fact, sometimes it can lead you into a ditch.
The answer is when people are so intent on working hard that they forget to make sure what they are doing is actually useful for accomplishing their primary goals.
As John Wooden said, “Never confuse activity with achievement.”
I mention the foregoing because I wanted to talk about BCM metrics today, and metrics is one area where, in my experience, people are especially likely to confuse effort with results.
I am a huge believer in the importance of metrics for managing BCM programs. Most BCM professionals believe taking quantitative measures of key aspects of your program (BCM metrics) over time is key to understanding and improving it. As I explain in my ebook 10 Keys to a Peak-Performing BCM Program (available for free download here), there are three reasons metrics are key to the performance of any process:
- BCM metrics drive the control and feedback loop.
- They make the process objective.
- They are necessary for setting improvement goals.
All of the above being the case, I always enjoy meeting fellow business continuity professionals who share my enthusiasm for gathering numerical data about their BCM programs.
Commonly, when this happens, my first reaction is to say to myself, Hey, this person is really on the ball. If their program isn’t top drawer, I bet it will be soon because they recognize that the best way to manage something is to measure it.
But you know what happens all too often? We talk a little more, and I find out that unfortunately, they are measuring the wrong things. The things they’re measuring capture little to no meaningful information about the soundness of their programs.
Are You Measuring the Wrong Things?
There are a few aspects of BCM that people have been diligently keeping track of forever, it seems. Here are four I see frequently:
- The amount of business impact analyses that you have completed.
- The total number of recovery plans that you have prepared.
- The quantity of updates that you have made to those plans.
- The total number of training sessions that you have held.
Do you see the two things these four activities have in common? 1) Yes, they are important, and 2) The number of times you do them provides no useful information about the health of your program.
They are a means to an end, and what really matters is the end, the final result.
Imagine if the sports page—or your favorite sports app or website—told you how many practice snaps your team took that week, but not the score of Sunday’s game?
Or suppose it told you how many practice rounds your favorite golfer played over the previous month, but not his score and results in the tournaments he played in.
The kind of information I mentioned above is essentially of the same type. It reflects the BCM department’s efforts, maybe, but it doesn’t tell you a thing about the effectiveness of their program. And no matter how high the numbers are, they say nothing about the ability of the program to help recover the business in the event of a disaster.
I guess it’s possible that having a high value for, for example, the number of BIAs you’ve done or the number of times you’ve updated your plan could indicate that you and your team are hard workers. But most likely you are not getting paid to be a hard worker. Most likely you are getting paid to make sure the business can be recovered. These are two very different things.
Like the man said, “Never confuse activity with achievement.”
So that’s the wrong way to do business continuity metrics. How do you do BCM metrics right?
Measure things that matter, things that truly provide a clear picture of the state and capability of your BCM program.
In my opinion, there are two things that are especially meaningful in this regard:
- Your level of compliance with an appropriate BCM standard. For more on the importance of adopting and complying with one of the recognized BCM standards, see our recent post, Standard Time: The Best Time to Adopt a Business Continuity Standard Is Right Now.
- The level of execution in your recovery plans. This metric measures residual risk, which tells you if you are within your management’s risk tolerance. Residual risk, remember, is the risk that remains after you have considered management’s risk tolerance, the criticality of each of your recovery plans, and the state of the mitigating controls in your plans (BIA, Recovery Strategy, Recovery Exercises, etc.). For more information, see our post from January, The 5 Most Important Risk Mitigation Controls.
Few worthwhile things are ever accomplished without hard work. But make sure your hard work is truly helping you reach your goals.
When it comes to business continuity metrics, that means measuring things—such as your level of compliance with a suitable BCM standard and the level of execution in your recovery plans—that provide true insight into the state of your program.
If you do that, you’ll be doing it right.