Relevant Contents
Need Tailored Business Continuity Insights?
Contact Us Now for Personalized Guidance!
Metrics are a down-to-earth tool that can have an almost magical impact on your organization’s business continuity management (BCM) program. However, getting their full benefit requires differentiating between meaningless volume metrics and metrics that can provide true insight into your company’s situation and practical guidance for improving its resilience.
Related on MHA Consulting: BCM by the Numbers: The Metrics That Matter Most
Everyday Metrics
Metrics are a familiar and important part of everyday life. When we go to the doctor, the nurses collect the metrics of our temperature, pulse, and blood pressure. In the car, dashboard instruments provide metrics on our speed, RPMs, and fuel supply. Our children’s report cards are a metric of how they’re doing in school, and portfolio reports measure the state of our financial investments. These everyday metrics provide insight into the current state of affairs and can offer sound guidance for our future actions. Business continuity metrics, provided they are of the right type, can perform the same critical function for our organizations’ business continuity position.
Missing Out on the Power of Metrics
Quality BCM metrics have the potential to deliver enormous insight and leverage into the hands of company leaders. Despite this fact, most executives squander the opportunity to avail themselves of this power. Relatively few companies use metrics widely or well. As business continuity consultants, we at MHA Consulting frequently ask our clients about their understanding of metrics and why they don’t use them. Here are some of the responses we hear most frequently:
-
- “We don’t know what to measure.”
-
- “Management isn’t asking, so why bring it up?”
-
- “We don’t want to know how the program is doing.”
-
- “It takes too much time to measure effectiveness.”
-
- “I think our process would work, so why waste time measuring it?”
-
- “We already know our program is a disaster; why would metrics be helpful?”
Most companies decline to use metrics not out of a rational consideration of what’s best for the organization, but out of factors such as lack of knowledge, management complacency, and reluctance to confront program deficiencies.
Meaningless Metrics
In some cases, we encounter organizations that do employ metrics but of the wrong sort. They gather data on such topics as the number of recovery exercises conducted, the number of plans that have been updated, and the number of business impact analyses (BIAs) completed. These are what I call meaningless metrics. They measure the volume of work completed by the BCM office but tell you nothing about how well the organization will be able to recover from an event. Nor do they provide any useful guidance on the best next steps the organization can take to improve its resilience. To learn more about meaningless metrics, read “ You’re Doing It Wrong: BCM Metrics.”
Measure and Manage
Measuring something over time and comparing it to reliable benchmarks improves your ability to manage it. When an organization comes into possession of solid BCM metrics, it gains the ability to tell how its BC process is functioning and know how it would fare in the event of a disruption. It also acquires a basis for identifying what aspects of the program are working and which need improvements. Metrics serve three important functions with regard to BCM program management:
-
- Metrics serve as a control and feedback loop. If an assessment determines that you are at 50 percent compliance with your chosen BCM standard, you know right away you are vulnerable and have a lot of work to do. If you are at 90 percent, it means you are doing a lot of things right and might be justified in diverting your resources to another area rather than continuing to invest in improving compliance.
-
- Metrics add objectivity to the evaluation process. We often encounter managers and BC staff who claim their BC program is in great shape, then reveal under questioning that this conclusion is based on a vague impression rather than data. Metrics provide solid evidence on which to base claims about program condition.
-
- Metrics are the foundation for improvement goals. Using numbers makes it easy to assess condition and set goals. If your program scores a 61 on a 0 to 100 scale, then you are in a position to set a measurable and definite goal, such as getting to 80. You can then outline a strategy to reach that goal, determine the steps needed to reach it, and determine afterward whether your strategy worked.
Meaningful Metrics
To measure the effectiveness of your BC process, you need metrics that focus on two key areas: the foundation of the program and the execution of the program. Evaluating these will provide true insight into how a program will perform when it’s needed. Metric Area #1: Alignment With Standards This area measures how aligned your program is with industry standards, such as FFIEC, ISO 22301, or NFPA 1600. (For more on the leading BC standards, see “ Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now.”) This area looks at how, on a scale of 0-100, your program measures up to those standards in terms of:
- Program Administration
- Crisis Management
- Business Recovery
- Disaster Recovery
- Supply Chain Risk Management
These results will tell you if you are building your program on sand or solid rock. If your process lines up well with industry standards, you can be confident your program has a solid foundation. The data shows that programs built on a solid foundation excel in a crisis. Metric Area #2: Level Of Execution This area measures the level of risk that remains after you have considered management’s risk tolerance, the inherent risk of your recovery capabilities, and the state of your mitigating controls. (See “ BCM Basics: Inherent Risk vs. Residual Risk” and “ The Top 8 Risk Mitigation Controls, in Order.”) Once you know how much residual risk remains, you can take steps to mitigate it, lowering it to an acceptable level. A lower level of residual risk indicates you have a program that has a high level of execution and capability; a higher level of risk indicates your program is weaker and needs to be strengthened to raise its level of execution. If all of your mitigating controls are operating at the highest levels, you’ve successfully reduced your level of residual risk to an acceptable level and increased your level of execution. A program with a high level of alignment with industry standards and low residual risk is one with a high Value of Investment (VOI). Programs with a high VOI make efficient and effective use of time, money and resources. Building a program with a high VOI should be the goal of every BCM practitioner.
Metrics’ Transformative Power
Metrics have the power to be transformative tools within BCM programs. By distinguishing between meaningful and meaningless metrics, organizations can assess their resilience, drive improvement, increase alignment with industry standards, reduce risk to an acceptable level, and ultimately bolster their ability to weather disruptions. Harnessing metrics’ transformative power enables organizations to navigate uncertainty with confidence. Through strategic measurement and management, businesses can elevate their BCM processes, ensuring robustness and adaptability in the face of adversity.
Further Reading
Michael Herrera
Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.