Metrics are a way to measure the completion of tasks within a business continuity program and show resilience capabilities.
This guide covers:
Business continuity programs typically have two types of metrics, Activity + Compliance Metrics and Product + Service Metrics.
Activity + Compliance Metrics
Activity and Compliance metrics track the completion of key deliverables in the business continuity lifecycle. These metrics can include the number of business impact analyses (BIAs) updated, the number of business continuity plans updated, or the number of exercises completed. By tracking the completion of activities, a program manager can check and report on the organization’s progress towards achieving compliance with various standards and to determine if business continuity planning process is “followed by all” (a key characteristic of a high-performing Business Continuity Operating System).
Of note, the typical audience for Activity and Compliance metrics are participants in the business continuity planning process, the program sponsor, and if chartered, a business continuity steering committee.
Below you will see two examples of how Activity and Compliance Metrics represent the completion of business continuity deliverables and outcomes. The first table shows BIA, Plan, and Exercise completion, while the second table has a high-level program overview.
|Department||Business Impact Analysis||Plan||Exercise|
|Human Resources||Complete||Complete||Not Started|
|Program Component||Status||Issue for Discussion?|
|Governance (Policy, SOP, Steering Committee Charter)||Complete||None|
|Business Impact Analysis||Complete||None|
|Business Impact Analysis and Risk Assessment (Summary Report)||Complete||None|
|Crisis Management / Communications Plan||Complete||None|
Product + Service Metrics
Product and Service metrics are critical in summarizing for executive leadership the organization’s ability to continue or recover products and services and communicating program gaps and risks. A program manager needs to show the organization’s confidence in continuity and recovery capabilities (often on one page) to inform leadership of capabilities quickly and concisely. Having metrics that convey current capabilities in relation to risk tolerance allows executives to prioritize risk mitigation for the future of the program.
Of note, the typical audience for Product + Service metrics are the executive leadership team (including the board of directors), the program sponsor, and if chartered, a business continuity steering committee.
Below you will see an example of Product and Service Metrics rated at medium and high preparedness.
|Product / Service||Business Continuity Objective||Current State Recovery Capability||Rating|
|Perform Customer Support||Ensure no more than 4 hours downtime with less than a 90 second wait time||8 hours, estimated 1-minute wait time at recovery|
|Process Warranty Claims||Seamless failover between each claims handling region in the United States||Claims failover process complete and had no downtime|
If you aren’t sure what your products and services are, use our Executive Support Amplifier to build that list.
Executives love metrics and dashboards that they can quickly review to understand program performance. Business continuity practitioners commonly find themselves developing metrics to communicate readiness and justify program investment to executives. But to be most effective, it is important to use quality and audience-appropriate metrics.
Quality and audience-appropriate metrics…
To ensure your metrics are quality, ask yourself the following questions:
Quality metrics should speak to both the goals of program performance (Activity + Compliance Metrics) and recoverability (Product + Service Metrics). When metrics include both, the business continuity program provides a clear picture to management that allows them to provide feedback and prioritize continual program improvement.
Business Continuity professionals and their program sponsors often find it easier to communicate program performance than continuity/recovery capabilities to leadership. It is commonly misunderstood that a program with good performance is automatically a resilient organization. As a result, management comes away feeling unclear if the business continuity program delivered solutions that manage the risks the organization faces.
FIFA World Cup Example
Here is an analogy to explain why activity-based metrics are not useful in conveying the performance of our business continuity programs:
During the 2018 FIFA World Championship Tournament, two major teams gave fans an entertaining match. Here is a report on the performance of each team using the activity-based metrics approach.
|Team 1||Team 2|
|Distance Covered||99 km||100 km|
Let’s pause to ask a few questions:
Business continuity professionals often develop metrics like those found above. The metrics focus on the activities performed, when they were completed, and if there are outstanding activities yet to be done. However, just like any soccer fan seeing only the stats above, organizational leaders are left with an incomplete view of the program’s performance, and quite often they are left without knowing if the program has improved the organization’s capability to recover from a disruptive event.
Based on the information in the table:
Even the most dedicated soccer fan would have trouble predicting the winner based on these statistics, and an even more difficult time guessing what the final score was. Presenting only activity-based metrics is like telling a soccer fan only the statistics above. The information is difficult to interpret and leaves the reader guessing what the outcome of all the activities performed are.
We need to take the perspective of our organization’s management and make sure we deliver the information they need to make informed business continuity decisions.
To build quality metrics:
Although there is still value in reporting on the number of BIA interviews performed, the number of plans approved, and the number of exercises conducted, that information does not provide leadership with a complete picture. As business continuity practitioners, we need to focus on supplying metrics that are valuable and informative.
And, in the spirit of reporting better metrics, the soccer example above was the 2018 FIFA World Cup Championship game between France and Croatia. France beat Croatia 4 to 2.
So, as a soccer fan, would you go to the game if you weren’t allowed to know the score?
In addition to the metrics discussed in this article, the following list provides alternate options to consider based on the program:
Activity + Compliance metrics and Product + Service metrics may look simplistic in their design, but they require a significant amount of effort to be reported against and meet the guidelines for quality metrics. Organizations may not have the processes or maintain documentation necessary to develop and report this level of detail, and practitioners may find it difficult to accurately explain what they mean for the program. However, once initially developed, quality metrics should provide an ongoing method for communicating performance, progress, and escalating issues that answer management’s questions about program performance and recoverability.