Executives love metrics and dashboards. Always time-constrained, they ask for metrics that can be reviewed at a glance to understand performance quickly and determine if an investment is paying off. Not unlike other disciplines, business continuity practitioners commonly find themselves developing metrics to communicate readiness and justify investment, as well as seeking feedback to prioritize continual improvement and remediation activities. But to be most effective, they must be Quality metrics. But, what do we mean by “Quality” metrics? In this perspective, we’ll not only describe attributes of Quality metrics, but we hope to make the case that business continuity professionals should be reporting on much more than the planning activities that they perform or manage – they must also compare the end results of the planning processes (strategies and solutions) to management’s approved recovery objectives.
Attributes of Quality Metrics
Many organizations utilize metrics that fall short of this Quality level and therefore hinder their ability to communicate an accurate message.
- Provide a clear picture of performance against a set of goals.
- Are defined by inputs that can be reported on regularly and using a consistent method.
- Are detailed enough to describe the expected outcome or answer a key question.
- Attempt to remove subjectivity.
- Are easy for the intended audience to understand by using the same measurement and communication techniques that are in place in other areas of the business.
Business Continuity-Oriented Quality Metrics
Quality metrics are all of the above. In a business continuity program, Quality metrics should speak to goals related to both program performance (the planning process, such as performing a business impact analysis, documenting plans and facilitating exercises) and recoverability (can the organization meet its recovery objectives when facing a disruptive incident). When metrics include both, the business continuity program provides a clear picture to management that allows them to provide feedback and prioritize continual improvement opportunities. However, business continuity professionals and their program sponsors often struggle to communicate when it comes to recoverability and find it easier to communicate program performance. As a result, management comes away feeling unclear if the business continuity program delivered solutions that manage the risk associated with disruptive events in line with their risk appetite. In our opinion, this is where metrics reporting must improve in order to meet expectations and engage management on a consistent basis.
Example: Business Continuity – Program Performance Metrics
Sometimes called key performance indicators (a.k.a. KPIs) or planning scorecards, program performance metrics focus on reporting the status related to planning activity completion. Examples include:
- # of Department-Specific Business Impact Analyses Completed/Updated Compared to Total Expected (organized by business unit)
- # of Department-Specific Business Continuity Plans or Application-Specific Disaster Recovery Plans Completed/Updated Compared to Total Expected (organized by business unit)
- # of Department-Specific Table Top Exercises Completed Compared to Total Expected (organized by business unit)
- # of Supplier Business Continuity Assessments Completed Compared to Total Number of “Critical” Suppliers Deemed Single or Sole Source
A basic metrics dashboard for program performance may look like the table below. These metrics are important – important to audiences concerned with the appropriate implementation of the program processes such as regulators, auditors, risk management groups and business unit program coordinators.
The common misunderstanding or inappropriate message is that a program that has good performance automatically provides a highly recoverable organization OR the opposite where poor program performance means an unrecoverable organization. These statements should not be assumed without Quality recoverability metrics.
Example: Business Continuity – Recoverability Metrics
Recoverability metrics focus on comparing management approved recovery objectives to proven recovery capability (through testing or actual recovery efforts). An example dashboard for recoverability is summarized in the table below. This dashboard outlines recovery targets, compares performance, and provides criticality or priority ratings to show level of importance. This dashboard is a true look at recoverability and answers the common executive question: Can our organization be recovered within our tolerance for downtime?
Both of the example metrics dashboards are simplistic in their design, but they can require a significant amount of effort to be reported against and meet the guidelines for Quality metrics. Organizations may not have the processes or maintain documentation necessary to develop and report this level of detail. However, once initially developed, Quality metrics should provide an ongoing method for communicating performance, progress and escalating issues that answer executive questions about program performance and recoverability.
Susan Giffin, Managing Consultant
Avalution Consulting: Business Continuity Consulting