What are Business Continuity Metrics?
Metrics are a way to measure the completion of tasks within a business continuity program and show resilience capabilities.
This guide covers:
- The types of metrics commonly used in business continuity programs.
- Important characteristics of metrics.
- The value of using more than one type of metric.
- An example showing the importance of using the right metrics.
What Type of Metrics Exist?
Business continuity programs typically have two types of metrics, Activity + Compliance Metrics and Product + Service Metrics.
- Activity + Compliance Metrics: These are straightforward metrics and usually serve to ensure that program deliverables and outcomes are on track and consistent with expectations. Activity and Compliance Metrics answer the question “Are we doing the right things to prepare?”. Some organizations refer to this type of metric as a Key Performance Indicator, or KPI.
- Product + Service Metrics: These metrics help program leadership focus on evaluating the business’s ability to continue or recover time-sensitive activities and resources that contribute to the delivery of products and services. Product and Service Metrics answer the question “Are we really prepared?” Some organizations refer to this type of metric as a Key Risk Indicator, or KRI.
Activity + Compliance Metrics
Activity and Compliance metrics track the completion of key deliverables in the business continuity lifecycle. These metrics can include the number of business impact analyses (BIAs) updated, the number of business continuity plans updated, or the number of exercises completed. By tracking the completion of activities, a program manager can check and report on the organization’s progress towards achieving compliance with various standards and to determine if business continuity planning process is “followed by all” (a key characteristic of a high-performing Business Continuity Operating System).
Of note, the typical audience for Activity and Compliance metrics are participants in the business continuity planning process, the program sponsor, and if chartered, a business continuity steering committee.
Below you will see two examples of how Activity and Compliance Metrics represent the completion of business continuity deliverables and outcomes. The first table shows BIA, Plan, and Exercise completion, while the second table has a high-level program overview.
|Department||Business Impact Analysis||Plan||Exercise|
|Human Resources||Complete||Complete||Not Started|
|Program Component||Status||Issue for Discussion?|
|Governance (Policy, SOP, Steering Committee Charter)||Complete||None|
|Business Impact Analysis||Complete||None|
|Business Impact Analysis and Risk Assessment (Summary Report)||Complete||None|
|Crisis Management / Communications Plan||Complete||None|
Product + Service Metrics
Product and Service metrics are critical in summarizing for executive leadership the organization’s ability to continue or recover products and services and communicating program gaps and risks. A program manager needs to show the organization’s confidence in continuity and recovery capabilities (often on one page) to inform leadership of capabilities quickly and concisely. Having metrics that convey current capabilities in relation to risk tolerance allows executives to prioritize risk mitigation for the future of the program.
Of note, the typical audience for Product + Service metrics are the executive leadership team (including the board of directors), the program sponsor, and if chartered, a business continuity steering committee.
Below you will see an example of Product and Service Metrics rated at medium and high preparedness.
If you aren’t sure what your products and services are, use our Executive Support Amplifier to build that list.
Check out the Castellan demo.
How to Build Great Metrics
Executives love metrics and dashboards that they can quickly review to understand program performance. Business continuity practitioners commonly find themselves developing metrics to communicate readiness and justify program investment to executives. But to be most effective, it is important to use quality and audience-appropriate metrics.
Quality and audience-appropriate metrics…
- Provide a clear picture of performance against a set of goals.
- Are defined by inputs that can be reported on regularly and using a consistent method.
- Are detailed enough to describe the expected outcome or answer a key question.
- Attempt to remove subjectivity.
- Are easy for the intended audience to understand by using the same measurement and communications techniques that are in place in other areas of the business.
To ensure your metrics are quality, ask yourself the following questions:
- Are you highlighting your continuity and recovery capabilities (and gaps) compared to your business continuity requirements?
- Are you doing the work you’re supposed to do to prepare?
- Do your interested parties feel informed to help drive continual improvement?
Quality metrics should speak to both the goals of program performance (Activity + Compliance Metrics) and recoverability (Product + Service Metrics). When metrics include both, the business continuity program provides a clear picture to management that allows them to provide feedback and prioritize continual program improvement.
Business Continuity professionals and their program sponsors often find it easier to communicate program performance than continuity/recovery capabilities to leadership. It is commonly misunderstood that a program with good performance is automatically a resilient organization. As a result, management comes away feeling unclear if the business continuity program delivered solutions that manage the risks the organization faces.
FIFA World Cup Example
Here is an analogy to explain why activity-based metrics are not useful in conveying the performance of our business continuity programs:
During the 2018 FIFA World Championship Tournament, two major teams gave fans an entertaining match. Here is a report on the performance of each team using the activity-based metrics approach.
|Team 1||Team 2|
|Distance Covered||99 km||100 km|
Let’s pause to ask a few questions:
- Does the information above fulfill everything you would want to know about the game?
- Can you tell which team performed better?
- Can you tell who won the game?
Business continuity professionals often develop metrics like those found above. The metrics focus on the activities performed, when they were completed, and if there are outstanding activities yet to be done. However, just like any soccer fan seeing only the stats above, organizational leaders are left with an incomplete view of the program’s performance, and quite often they are left without knowing if the program has improved the organization’s capability to recover from a disruptive event.
Based on the information in the table:
- Would it surprise you to know that Team 1 (4 goals) beat Team 2 (2 goals)?
- Would you have predicted that Team 1 won by 2 goals?
Even the most dedicated soccer fan would have trouble predicting the winner based on these statistics, and an even more difficult time guessing what the final score was. Presenting only activity-based metrics is like telling a soccer fan only the statistics above. The information is difficult to interpret and leaves the reader guessing what the outcome of all the activities performed are.
We need to take the perspective of our organization’s management and make sure we deliver the information they need to make informed business continuity decisions.
To build quality metrics:
- Aim to help executive management quickly see the performance of the response, continuity and recovery strategies based on risk to the organization’s products and services
- Convey information that is important to those participating in the planning process
- Focus on performance rather than solely activities
- Aim to help senior managers find problem areas to focus attention and remediation efforts
Although there is still value in reporting on the number of BIA interviews performed, the number of plans approved, and the number of exercises conducted, that information does not provide leadership with a complete picture. As business continuity practitioners, we need to focus on supplying metrics that are valuable and informative.
And, in the spirit of reporting better metrics, the soccer example above was the 2018 FIFA World Cup Championship game between France and Croatia. France beat Croatia 4 to 2.
So, as a soccer fan, would you go to the game if you weren’t allowed to know the score?
Top 10 Business Continuity Metrics
In addition to the metrics discussed in this article, the following list provides alternate options to consider based on the program:
- Roles defined, and responsibilities currently assigned
- Policy, scope and objectives created, approved and published
- Competencies defined, documented, and approved
- Participation of team members in training and workforce awareness
- Business impact analyses completed, documented, and approved
- Business continuity strategies documented, selected, and in place
- Response procedures created and approved
- Exercises conducted, post-exercise reports produced and approved
- Management review completed within the past year
- Corrective actions documented, approved, and completed
Activity + Compliance metrics and Product + Service metrics may look simplistic in their design, but they require a significant amount of effort to be reported against and meet the guidelines for quality metrics. Organizations may not have the processes or maintain documentation necessary to develop and report this level of detail, and practitioners may find it difficult to accurately explain what they mean for the program. However, once initially developed, quality metrics should provide an ongoing method for communicating performance, progress, and escalating issues that answer management’s questions about program performance and recoverability.