Metrics are a down-to-earth tool that can have an almost magical impact on your organization’s business continuity management (BCM) program. However, getting their full benefit requires differentiating between meaningless volume metrics and metrics that can provide true insight into your company’s situation and practical guidance for improving its resilience.
Related on MHA Consulting: BCM by the Numbers: The Metrics That Matter Most
Metrics are a familiar and important part of everyday life. When we go to the doctor, the nurses collect the metrics of our temperature, pulse, and blood pressure. In the car, dashboard instruments provide metrics on our speed, RPMs, and fuel supply. Our children’s report cards are a metric of how they’re doing in school, and portfolio reports measure the state of our financial investments. These everyday metrics provide insight into the current state of affairs and can offer sound guidance for our future actions. Business continuity metrics, provided they are of the right type, can perform the same critical function for our organizations’ business continuity position.
Quality BCM metrics have the potential to deliver enormous insight and leverage into the hands of company leaders. Despite this fact, most executives squander the opportunity to avail themselves of this power. Relatively few companies use metrics widely or well. As business continuity consultants, we at MHA Consulting frequently ask our clients about their understanding of metrics and why they don’t use them. Here are some of the responses we hear most frequently:
Most companies decline to use metrics not out of a rational consideration of what’s best for the organization, but out of factors such as lack of knowledge, management complacency, and reluctance to confront program deficiencies.
In some cases, we encounter organizations that do employ metrics but of the wrong sort. They gather data on such topics as the number of recovery exercises conducted, the number of plans that have been updated, and the number of business impact analyses (BIAs) completed. These are what I call meaningless metrics. They measure the volume of work completed by the BCM office but tell you nothing about how well the organization will be able to recover from an event. Nor do they provide any useful guidance on the best next steps the organization can take to improve its resilience. To learn more about meaningless metrics, read “ You’re Doing It Wrong: BCM Metrics.”
Measuring something over time and comparing it to reliable benchmarks improves your ability to manage it. When an organization comes into possession of solid BCM metrics, it gains the ability to tell how its BC process is functioning and know how it would fare in the event of a disruption. It also acquires a basis for identifying what aspects of the program are working and which need improvements. Metrics serve three important functions with regard to BCM program management:
To measure the effectiveness of your BC process, you need metrics that focus on two key areas: the foundation of the program and the execution of the program. Evaluating these will provide true insight into how a program will perform when it’s needed. Metric Area #1: Alignment With Standards This area measures how aligned your program is with industry standards, such as FFIEC, ISO 22301, or NFPA 1600. (For more on the leading BC standards, see “ Standard Time: The Best Time to Choose a Business Continuity Standard Is Right Now.”) This area looks at how, on a scale of 0-100, your program measures up to those standards in terms of:
These results will tell you if you are building your program on sand or solid rock. If your process lines up well with industry standards, you can be confident your program has a solid foundation. The data shows that programs built on a solid foundation excel in a crisis. Metric Area #2: Level Of Execution This area measures the level of risk that remains after you have considered management’s risk tolerance, the inherent risk of your recovery capabilities, and the state of your mitigating controls. (See “ BCM Basics: Inherent Risk vs. Residual Risk” and “ The Top 8 Risk Mitigation Controls, in Order.”) Once you know how much residual risk remains, you can take steps to mitigate it, lowering it to an acceptable level. A lower level of residual risk indicates you have a program that has a high level of execution and capability; a higher level of risk indicates your program is weaker and needs to be strengthened to raise its level of execution. If all of your mitigating controls are operating at the highest levels, you’ve successfully reduced your level of residual risk to an acceptable level and increased your level of execution. A program with a high level of alignment with industry standards and low residual risk is one with a high Value of Investment (VOI). Programs with a high VOI make efficient and effective use of time, money and resources. Building a program with a high VOI should be the goal of every BCM practitioner.
Metrics have the power to be transformative tools within BCM programs. By distinguishing between meaningful and meaningless metrics, organizations can assess their resilience, drive improvement, increase alignment with industry standards, reduce risk to an acceptable level, and ultimately bolster their ability to weather disruptions. Harnessing metrics’ transformative power enables organizations to navigate uncertainty with confidence. Through strategic measurement and management, businesses can elevate their BCM processes, ensuring robustness and adaptability in the face of adversity.