Not all metrics are created equal. The most commonly used metrics in business continuity management tell you very little of importance about your program. Two uncommon metrics tell you almost everything you need to know. In today’s post, we’ll look at BCM by the numbers: the metrics that matter most.
Many organizations keep track of metrics that quantify aspects of their BCM programs. This is laudable, but it’s important to differentiate between metrics that measure the volume of work performed and those that measure results.
If you are only measuring such things as the number of BIAs conducted or the number of mock disaster exercises held, you are measuring effort rather than results.
It’s fine to keep track of how many BIAs and exercises you do; in fact, it’s well worth doing.
But you shouldn’t kid yourself about what such metrics say. They indicate the volume of work your office performed. They don’t say anything about how good your program is or how well-protected your organization is.
If you are the type of person who prefers to avoid unpleasant realities and live in hope that nothing bad ever happens to your organization, you might be satisfied with what I call meaningless metrics.
Everyone else should insist on measuring things that matter.
To properly perform the functions of a BCM professional, you have to be self-confident and realistic. This starts with facing up to the reality of what your program can or can’t do, and that starts with measuring meaningful indicators of your program’s capacity.
What metrics matter the most? There are two of them: 1) alignment with industry standards and 2) amount of residual risk.
The first metric, alignment with industry standards, is a way of quantifying the extent to which your program is in compliance with your chosen business continuity standard.
A prerequisite for this metric is that you have previously chosen a BC standard (such as ISO 22301 or NFPA 1600) and made a commitment to follow it.
See this post for a breakdown of the leading business continuity standards.
These standards represent the consensus of industry professionals regarding what a program must have to adequately protect different kinds of organizations.
There are many methods to impose a rational measurement on the degree of a program’s compliance with a standard.
Our BCMMETRICS Compliance Confidence tool offers one such method. The tool evaluates the key areas of a program (administration, business continuity, crisis management, IT/disaster recovery, and so on) in terms of how well each complies with the BCM standard the client has adopted, whichever one that is. The results are then quantified and broken down into three categories.
Regardless of the method used, quantifying the degree of compliance with an industry standard is one of the best ways of assessing the true capability of a BC program.
Such a metric does not confuse effort with results. It measures true capability, and that’s what you want to know if you are intent on making sure your program will function adequately in the real world.
The second key metric is the amount of residual risk that is lurking in your program.
Residual risk is the amount of risk that remains in your operations after your mitigation controls have been implemented and your management’s risk tolerance subtracted.
Mitigation controls are measures such as BIAs and recovery plans that reduce risk. Risk tolerance is the amount of risk your management is prepared to live with.
By quantifying and measuring residual risk, you obtain an objective indication of how much risk is hiding in your company’s operations. If there is a great deal, your program is weak and your organization exposed. If the residual risk is small, your program is probably in good shape and your company resilient.
For a more detailed discussion of residual risk, including instructions on how to measure it, see “Risky Business: 9 Ways That Not Measuring Residual Risk Can Harm Your Organization”.
It’s easy for me to say these are the two metrics you need. I recognize that actually obtaining these metrics can be hard.
Here we come up against the human factor, which is all-important in BCM.
Measuring alignment with standards requires that the organization first adopt a standard. Measuring residual risk requires management to agree to tolerate a certain amount of risk.
Getting these steps accomplished can require the BC office to obtain the cooperation of parties over whom it has minimal leverage. That’s why I said in the beginning that succeeding as a BC professional takes self-confidence.
To successfully lead a BCM program, you have to have a strong personality. You have to know what is needed to protect the organization, and you have to be willing to push and persuade other people in order to obtain it. It’s challenging, but the stakes are nothing less than the ability of your organization and its stakeholders to recover swiftly from a disaster, if and when one should strike.
The most commonly used BCM metrics are unfortunately of little value. These typically measure the volume of work done by the BCM office but say nothing about the capabilities of the program. Two metrics that do provide critically important information on the health of a BCM program are alignment with a BC standard and the amount of residual risk in the program. By measuring these aspects of your program, you will gain a solid understanding of how capable it is and what you need to do to better protect your company.