Metrics are everywhere. Think about it: Every doctor’s visit includes standard measurements designed to provide important information about the state of your physical self, like a blood pressure check and confirmation of your height and weight. In the car, your dashboard measures speed and fuel supply. Quarterly report cards measure your kids’ progress in school. And periodic portfolio reports measure the state of your financial investments. Without these and a mountain of other measurements, or metrics, you’d have no clear way of knowing how things are going in your life and, as a result, no real way to positively impact your future.
Business Continuity Program Metrics? We Don’t Need No Stinking Metrics.
CFOs are usually analytical, hence their preoccupation with corporate spending and measuring the impact of billions of dollars spent (and rightly so). But as critical as business continuity (BC) and disaster recovery (DR) programs are to a company—along with the steep budgets sometimes accompanying them—there’s often little-to-no required measurement of these programs by management.
Among the usual reasons we hear for a lack of business continuity management (BCM) metrics and disaster recovery metrics are:
- “What are metrics? We really don’t know.”
- “We don’t know what to measure.”
- “Management isn’t asking, so why bring it up?”
- “We don’t care to know how the program is doing.”
- “It takes too much time to measure effectiveness.”
- “I think our process would work, so why waste time measuring it?”
- “We already know our program is a disaster; why would metrics be helpful?”
In other cases, there are BCM or disaster recovery metrics at work, but more often than not they’re meaningless. Such metrics usually focus on volume of work (the number of exercises conducted, plans updated, analyses completed, etc.) rather than on the reality of whether a program will work in a true crisis.
Why You Do Need Business Continuity Management Metrics
Why is the lack of real business continuity program metrics a problem? Because if you can’t measure it, you can’t manage it.
Without the metrics to tell if your BC process is functioning, you have no idea how your business would actually fare in the case of a disruption, and you have no basis for identifying what aspects of the program are working and which need improvements.
Metrics serve three very important functions:
- Metrics serve as a control and feedback loop. Once you’ve determined the ideal state of your BC process (i.e., “I know the best program should be rated between 80 and 100 on a 1-100 scale”), metrics allow you to know whether your process is in order or requires external interference to make it better.
- Metrics add objectivity to the evaluation process. A lot of people claim that their BC program is in great shape and complies fully with standards, but such claims are often based on nothing but vague impressions. Metrics offer a way to quantify that claim with solid evidence.
- Metrics are the foundation for improvement goals. Numbers make for easy assessment and goal planning. If the ideal rating is between 80 and 100 and your program comes in at 61, you can set a definitive improvement goal to reach 80. Along with that, you can specifically outline how you’ll reach that goal—and determine if your strategy worked.
Valuable Business Continuity Metrics
To truly measure the effectiveness of your BC process, you need a combination of metrics that focus on two key areas: the foundation of the program and the execution of the program. Evaluating both of these areas together gives insight into how a program will perform when it’s needed. It also clearly illustrates the program’s return on investment. High numbers in both areas indicate that money has been well spent.
Metric Area #1: Foundational Alignment With Standards
This area measures how aligned your program is with industry standards, such as ISO 22301 or NFPA 1600. On a scale of 0-100, how does it measure up to those standards in terms of:
- Program Administration
- Crisis Management
- Business Recovery
- Disaster Recovery
- Supply Chain Risk Management
In other words, are you building your program on sand or solid rock? If your process lines up with accepted industry standards, you can rest assured that your program’s foundation is solid, which promotes stronger execution of the process.
Metric Area #2: Level Of Execution
This area measures the level of risk that remains after you have considered management’s risk tolerance, the inherent risk of your recovery plans, and the state of mitigating controls. You then take steps to mitigate that risk, lowering it to an acceptable level.
Here are some business continuity KPI examples you should measure, among other things:
- The currency of your business impact analysis. (Is it current, or more than two years old?)
- The reach of your recovery strategy. (Do you have a dedicated alternate work site or will it be determined at time of event?)
- The recovery exercises you’ve done to ensure the process can be smoothly put into place. (Are you conducting desktop exercises or relocating to the alternate work site?)
A lower level of risk indicates you have a program that has a high level of execution and capability; a higher level of risk indicates your program is weaker and needs to be strengthened to raise its level of execution.
Looking for other key performance indicators (KPIs) to measure your program’s effectiveness? See our online assessment tool in action for key business continuity KPI examples and the critical success factors (CSFs) that determine your program’s level of success.
If all of your mitigating controls are operating at the highest levels, you’ve successfully reduced your level of risk and increased your level of execution.
Business Continuity Program Metrics Done Right
Business Continuity Management metrics are just one piece of a successful continuity program. With our online business continuity software suite, BCMMetrics™, you can easily and effectively assess your organization’s levels of compliance and risk and access tools that can help you build a better BC program from the ground up. It’s simple to use (there’s no software to install) and secure—your data is protected with military-grade encryption and backed up to multiple off-site locations. And the tool updates automatically with the most current industry standards, so your program will always be up to date.
We believe that, with the right tools, an effective BC program is within reach of every organization. Schedule a free demo of the tool in action to get a sense of what it can do for your business, or contact us with questions—we’re happy to help.