I love metrics, as any regular reader of this blog knows. I think they are the only way to obtain a clear, objective view of the health of a business continuity management (BCM) program and the ability of an organization to recover from a disruption.
But metrics aren’t an end in themselves, obviously. They are a means to an end. Their real value lies in the fact that you can use them to improve the state of your BCM program.
I take it for granted that metrics can help you strengthen your BCM program because I have seen it happen so many times.
However, it occurred to me that a lot of business continuity professionals might have only a vague idea of how to go about leveraging metrics in this fashion.
For that reason, I decided to devote today’s blog to the topic.
In it, I’ll set forth a 7-step procedure you can follow to convert the metrics you have obtained about your organization into measurable, verifiable gains in its resilience and recoverability.
This post assumes that you are familiar with business continuity metrics, that you know which metrics are make-work versus which ones are meaningful, and that your organization has compiled a comprehensive set of data on its BCM program and organizational resilience.
For more introductory-level information on BCM metrics, please have a look at our recent posts on the topic: Beyond Compliance: Other Good Reasons to Gather Your BC Program Metrics, and 4 Metrics to Help Your Organization Improve at Crisis Management. You might also have a look at “Chapter 4: Measure and Manage,” in my ebook, 10 Keys to a Peak-Performing BCM Program, which is available for free download here. These resources will help you establish and improve your BCM program.
Once you have compiled the key data for your program, with your performance and readiness in the key areas assessed on a 0 to 100 scale (with 0 to 60 meaning you have little to nothing in place in that area, 61 to 80 meaning you are on your way, and 81 to 100 meaning that you are in excellent shape in that category), then you are in a position to leverage your data to improve your BCM program.
Here’s how you can go about doing it:
Here are the four I think matter most:
If your program is like most I work with, there are probably a number of areas where you’re in pretty good shape. If your metrics are at 75 or better for a given category, you’re probably justified in putting this on your list of successes. Compile a list of these, noting the program area, your judgment as to its importance to the organization, and any other relevant facts. Here are some examples of what this might look like for an IT Disaster Recovery program:
Make a list of areas that have been deemed “high” in terms of their importance for the organization, but where scores are low. Here are a few examples showing what this list might look like:
Create a table where you break out the areas where you need to do better and state your mitigation strategy and timeframe for each. Such a table might look like this:
| Critical Area | Time to Complete | Strategy |
|---|---|---|
| Recovery Strategy | 9 months | Increase budget, validate requirements |
| Recovery Plans | 12 months | Outsource development |
| Recovery Exercise | 12 to 15 months | Conduct integrated exercise when strategy in place |
Using the information you compiled in Steps 3 and 4, draft a plan setting forth how the organization is going to make the desired improvements. The BCM team will probably need to work with IT to create this map. Your goal should be to reach a moderate to high level of compliance for the areas of IT/DR deficiency over the next 24 to 36 months. Your plan should include the deliverables by quarter, high-level action steps by quarter, and the resource requirements by quarter (people, dollars, etc.). The steps should be divided into four phases. Here’s an example of a roadmap with action steps:
| PHASE 1 | PHASE 2 | PHASE 3 | PHASE 4 |
|---|---|---|---|
| Deliverables
DR Technical Recovery Procedure (TRP) Template List of Change Control Impacts to DR Environment |
Deliverables
DR Technical Recovery Procedures for all Sys/Apps DR Exercise #1 |
Deliverables
Technical Recovery Plans for Critical Systems/Apps |
Deliverables
DR Exercise #2 BCM Assessment & Roadmap Update |
| Tasks
Disaster Recovery Planning (DRP) Include DR in Change Control Technical Recovery Procedure (TRP) Template Approved Begin TRP Documentation Complete Build-out of DR Environment |
Tasks
Disaster Recovery Planning (DRP) DR Exercise Plan Template Approved DR Exercise #1 DR IT Infrastructure DR IT Services ISG’s Role Remote Recovery Capability |
Tasks
Disaster Recovery Planning (DRP) Begin documenting DR TRPs for all critical systems and applications |
Tasks
Disaster Recovery Planning (DRP) Complete TRP documentation DR Exercise #2 DR Exercise #1 Lessons Learned from #1 Application with Limited Dependencies |
The roadmap should be submitted to the IT/DR team and management for review and approval. Once any needed changes are made, the plan should be approved for implementation over a designated period of time, usually between 12 and 36 months.
Funds should be budgeted to enable the organization to reach a moderate to high level of compliance in each area of deficiency.
BCM metrics are magical things. And they’re especially magical when you use them to improve your program. Having a clear, objective view of your metrics gives you an unobstructed view on how to improve your business continuity program. I hope the above procedure will give you a better sense of how you can use metrics to improve your BCM program and will enable you to protect your business from disruptions.