One of the most challenging management system activities that business continuity professionals need to execute (outside of coordinating actual recovery following a disruptive incident) is developing meaningful business continuity program metrics. ISO 22301 does not tell practitioners how to craft meaningful metrics, only that we need to have and share them with management for feedback.
Many business continuity professionals experience challenges with their programs:
- Organizational leadership often pays lip service to support the business continuity program but not much more;
- Resources are often stripped from the business continuity program when the organization experiences financial hardship; and/or
- Business representatives throughout the organization delay or obstruct (either publicly or covertly) business continuity activities due to competing requirements.
These issues often are a result of not engaging with the organization’s key stakeholders in a meaningful way. One way that business continuity has failed to engage organizational leaders is through poor metrics that fail to describe risk. As business continuity practitioners, we need to rethink how we engage with our organization’s leaders by developing metrics – with content that means something to them by describing business risk in a language they understand.
Too often, business continuity professionals use metrics to exclusively report on activities they performed over the last quarter, year, or few years. Unfortunately and almost invariably, activity-based metrics do not tell organizational leaders what they need or want to know. Let’s look at an analogy to explain why activity-based metrics are not useful in conveying the performance of our business continuity programs.
During the 2013 football season, two major teams faced off in a rivalry game. So let’s report on the performance of the teams using the activity-based metrics approach:
Now let me ask you:
- Does the information above fulfill everything you would want to know about the game?
- Can you tell which team performed better?
- Can you tell who won the game?
Too often the metrics that business continuity professionals build are like the table above. The metrics focus on what activities are performed, when they were completed, and if there are outstanding activities yet to be done. But, just like any football fan seeing only the stats table above, organizational leaders are left without a full view of the program’s performance – and quite often are left without knowing the most important information: if the program has improved the organization’s capability to recover from a disruptive event.
So, based on the information in the table:
- Would it surprise you to know that Team 2 (20 points) beat Team 1 (7 points)?
- Would you have predicted that Team 2 won by 13 points?
Even the most dedicated football fan would have trouble predicting the winner based on those statistics and an even harder time guessing what the final score was. Presenting activity-based metrics is the same as telling football fans only the statistics in the table above. The information is difficult to interpret and leaves the reader guessing what the outcome of all the activity is for the organization.
Bottom-line – we need to rethink the way that we approach metrics.
We need to take the perspective of our organization’s leaders and make sure we deliver the information they need to be better informed and make the best decisions.
Good business continuity metrics:
- Help senior managers (and/or their target audience) to quickly see the performance of the response and recovery solutions based on risk to the organization’s products and services;
- Convey information important to senior managers;
- Focus on performance rather than an exclusive focus on activities; and
- Help senior managers identify problem areas to focus attention and remediation efforts.
So, when developing your metrics, make sure you start by thinking about what your audience would like to know about the program’s performance. For more on building quality metrics, please read: Quality Metrics – Business Continuity Program Performance versus Recoverability.
Although there may be times when reporting on the number of BIA interviews performed, the number of plans written, and the number of exercises conducted is of value, that information does not convey the information our organizations’ leaders need. As business continuity professionals we need to focus on generating metrics that are valuable and informative.
And, in the spirit of reporting better metrics, the football example above was the 2013 rivalry game between the Cleveland Browns and the Pittsburgh Steelers when the Steelers unfortunately beat the Browns 20 to 7.
So, as a football fan, would you go to the game if you were never allowed to know the score?
Business continuity and IT disaster recovery planning is all that we do. If you’re looking for help with building or improving your business continuity program, we can help.
Please contact us today to get started. We look forward to hearing from you!
Avalution Consulting: Business Continuity Consulting