Blog | BCMMetrics

The Metrics System: How to Use Metrics to Improve Your BCM Program

Written by Michael Herrera | Jul 26, 2018 9:28:53 AM

I love metrics, as any regular reader of this blog knows. I think they are the only way to obtain a clear, objective view of the health of a business continuity management (BCM) program and the ability of an organization to recover from a disruption.

But metrics aren’t an end in themselves, obviously. They are a means to an end. Their real value lies in the fact that you can use them to improve the state of your BCM program.

Using Metrics to Improve Your BCM Program

I take it for granted that metrics can help you strengthen your BCM program because I have seen it happen so many times.

However, it occurred to me that a lot of business continuity professionals might have only a vague idea of how to go about leveraging metrics in this fashion.

For that reason, I decided to devote today’s blog to the topic.

In it, I’ll set forth a 7-step procedure you can follow to convert the metrics you have obtained about your organization into measurable, verifiable gains in its resilience and recoverability.

Background Knowledge

This post assumes that you are familiar with business continuity metrics, that you know which metrics are make-work versus which ones are meaningful, and that your organization has compiled a comprehensive set of data on its BCM program and organizational resilience.

For more introductory-level information on BCM metrics, please have a look at our recent posts on the topic: Beyond Compliance: Other Good Reasons to Gather Your BC Program Metrics, and 4 Metrics to Help Your Organization Improve at Crisis Management. You might also have a look at “Chapter 4: Measure and Manage,” in my ebook, 10 Keys to a Peak-Performing BCM Program, which is available for free download here. These resources will help you establish and improve your BCM program.

The Procedure

Once you have compiled the key data for your program, with your performance and readiness in the key areas assessed on a 0 to 100 scale (with 0 to 60 meaning you have little to nothing in place in that area, 61 to 80 meaning you are on your way, and 81 to 100 meaning that you are in excellent shape in that category), then you are in a position to leverage your data to improve your BCM program.

Here’s how you can go about doing it:

1. Identify your drivers for assessment.

Here are the four I think matter most:

  • Compliance. Is the program maximizing its alignment with industry standards in order to be compliant with rules, regulations, contractual agreements, etc.? 
  • Operations. Is the program operating optimally with the resources available to it?
  • Recoverability. Based on the assessment, can the program respond to and recover from an unplanned disruption?
  • Budget. Are the right amount of funds being budgeted to maximize recoverability and minimize risk?

2. Identify what’s working.

If your program is like most I work with, there are probably a number of areas where you’re in pretty good shape. If your metrics are at 75 or better for a given category, you’re probably justified in putting this on your list of successes. Compile a list of these, noting the program area, your judgment as to its importance to the organization, and any other relevant facts. Here are some examples of what this might look like for an IT Disaster Recovery program:

  • BIA Integration (75-High Importance). The business and IT groups have done a good job of aligning the system/application needs of the business and ensuring the recovery strategy that is being developed addresses the critical needs.
  • Data Backup & Offsite Storage (75-High Importance). The approach ensures that data and information recovery point objectives (RPOs) are aligned with the needs of the BIA. There is minimal work to be done to maximize efforts.
  • Maintenance (80-Medium Importance). The current disaster recovery plan(s) are being maintained on a regular basis. Even though the plans themselves aren’t fully compliant with standards they are being kept up to date.

3. Identify areas where you have room for improvement.

Make a list of areas that have been deemed “high” in terms of their importance for the organization, but where scores are low. Here are a few examples showing what this list might look like:

  • Recovery Strategy (62-High Importance). The strategy score revealed progress was being made, but the strategy is not fully complete and/or implemented. Without a comprehensive strategy that is fully aligned and implemented, and which meets or exceeds the BIA-derived requirements, recoverability is in question.
  • Plan Development (7-High Importance). The plan is documented at a high level and lacks the comprehensiveness needed to be aligned with the recovery strategy. It does not detail the steps and actions necessary to execute a proper recovery of each critical system/application.
  • Recovery Exercises (14-High Importance). No recovery exercises consistent with industry standards have been conducted. As a result, we have not validated our recovery strategy and plans.

4. Prioritize the areas where you have room for improvement.

Create a table where you break out the areas where you need to do better and state your mitigation strategy and timeframe for each. Such a table might look like this:

Critical Area Time to Complete Strategy
Recovery Strategy 9 months Increase budget, validate requirements
Recovery Plans 12 months Outsource development
Recovery Exercise 12 to 15 months Conduct integrated exercise when strategy in place

 

5. Build the roadmap and list your action steps.

Using the information you compiled in Steps 3 and 4, draft a plan setting forth how the organization is going to make the desired improvements. The BCM team will probably need to work with IT to create this map. Your goal should be to reach a moderate to high level of compliance for the areas of IT/DR deficiency over the next 24 to 36 months. Your plan should include the deliverables by quarter, high-level action steps by quarter, and the resource requirements by quarter (people, dollars, etc.). The steps should be divided into four phases. Here’s an example of a roadmap with action steps:

PHASE 1 PHASE 2 PHASE 3 PHASE 4
Deliverables

 

DR Technical Recovery Procedure (TRP) Template

List of Change Control Impacts to DR Environment

Deliverables

 

DR Technical Recovery Procedures for all Sys/Apps

DR Exercise #1

Deliverables

 

Technical Recovery Plans for Critical Systems/Apps

Deliverables

 

DR Exercise #2

BCM Assessment & Roadmap Update

Tasks

 

Disaster Recovery Planning (DRP)

Include DR in Change Control

Technical Recovery Procedure (TRP) Template Approved

Begin TRP Documentation

Complete Build-out of DR Environment

Tasks

 

Disaster Recovery Planning (DRP)

DR Exercise Plan Template Approved

DR Exercise #1
(limited scope):

DR IT Infrastructure

DR IT Services

ISG’s Role

Remote Recovery Capability

Tasks

 

Disaster Recovery Planning (DRP)

Begin documenting DR TRPs for all critical systems and applications

Tasks

 

Disaster Recovery Planning (DRP)

Complete TRP documentation

DR Exercise #2
(limited scope):

DR Exercise #1
Plus …

Lessons Learned from #1

Application with Limited Dependencies

 

6. Submit for review and approval.

The roadmap should be submitted to the IT/DR team and management for review and approval. Once any needed changes are made, the plan should be approved for implementation over a designated period of time, usually between 12 and 36 months.

7. Obtain the budget.

Funds should be budgeted to enable the organization to reach a moderate to high level of compliance in each area of deficiency.

Magical Metrics

BCM metrics are magical things. And they’re especially magical when you use them to improve your program. Having a clear, objective view of your metrics gives you an unobstructed view on how to improve your business continuity program. I hope the above procedure will give you a better sense of how you can use metrics to improve your BCM program and will enable you to protect your business from disruptions.