In this episode of the Managing Uncertainty Podcast, Bryghtpath Principal & Chief Executive Bryan Strawser discusses the key metrics to measure the success of your business continuity program.
Topics discussed include business continuity program metrics, maturity models and measurements for continuity programs, strategic metrics that your c-suite wants to see, and operational metrics that show the day-to-day progress of your program.
Related Episodes & Blog Posts
- Blog Post: ISO 27031: Looking at ISO’s Disaster Recovery Standard
- Blog Post: Business Continuity as a Service: How to Outsource Your Continuity Program
- Episode #113: Roles and Responsibilities in a BC Program
- Episode #116: Tools We Use At Bryghtpath (2021 Edition)
Hello, and welcome to the Managing Uncertainty Podcast. This is Bryan Strawser, principal and chief executive here at Bryghtpath. In this week’s episode, I would like to talk about key metrics to measure the success of your business continuity program. I’ve been doing this for about 25 years and the question… One of the questions that just makes me cringe is this question: Are there metrics we should be tracking? In short, the answer is yes. Hell yes, there are. What metrics should you be tracking?
Well, it depends. Do you really want to know where your program is working? That your organization’s resilience and actually prepared to respond to the next disruption? Or you just want to make sure the boxes are checked. It’s really not a trick question. I think everyone wants to know if their program and plans would actually work. But if you can’t grasp the difference between these two questions, you’re not alone. We frequently encounter confusion about the fact that merely tracking business continuity program compliance (i.e. checking the boxes) is not the end game for business continuity program success.
It takes more than just know the requirements, do the thing, check the boxes to gauge whether your program is effective, and helping move your organization forward towards its resiliency goals. Employing the right combination of metrics, operational compliance, plan quality, and program maturity are all equally important to understand your organization’s true resilience. Implementing a system that measures all three will give your company the insights it needs to move your program to full maturity, long-term sustainability and success in responding to the next disruption.
Let’s talk about how to understand program metrics. The first is operational compliance metrics. And as I just said, these really only tell you part of the story, but there’s still a foundational starting point for measuring the success of your program. At the very least, you should be looking at progress at the business unit or plan level for BIA completion, business continuity plan completion, whether new plan creation or revisions to plan on whatever your cycle is, completion of exercises and then whether after-action items that have been identified in exercises or actual incidents have been addressed and the improvements implemented.
You can get more detailed here. You could track like policy compliance and attestation of the plan at the next leadership level. You could track… I think I already mentioned training, but you can track all the different elements of things that your program requires, which could be part of your operational metrics. But in short, your program manager should have a system that you can easily check and report on business unit progress towards basic business continuity program requirements.
In a smaller organization, just using a spreadsheet might be adequate for the job and it could look something like an example we have here in the article, here in the show notes. Larger organizations that have more complex operations might need a more robust solution for that. Many of your business continuity planning tools, which are often SaaS-based like Fusion, ServiceNow is a business continuity module that’s within the governance, risk and compliance solution. Resilience and others have this capability for metrics as people are updating their plans and executing on their business impact analysis.
The second type of metric is quality scoring. Tracking the progress of program activities in your organization is foundational to keeping your program on track. But your program’s only as good as the underlying quality of your actual business continuity plans. To avoid a situation where your plans look good on paper but they fall flat in actual practice, many companies choose to implement quality scoring. It’s a pretty straightforward concept.
Every continuity plan is scored, in this example, just using a rubric of one to 10 based upon defined objective criteria that are developed in alignment with industry standards and your company’s specific needs. You can have things that impact the score such as plan completeness, the quality of recovery procedures, whether risks that have no available workaround have been acknowledged and accepted, exercise participation, and continued training and evaluation.
Quality scoring enables you to assess your team’s true resilience capabilities in response to a disruption. I find it an invaluable tool to understand whether your plans are truly effective or just compliant and it’s one that I recommend your organization employ. In the show notes, we have an example of this from an article in the journal of… I think it’s from the Journal of Business Continuity and Crisis Management. The article by Jimmy Anderson and Anna Olson is titled Resiliency Scoring for Business Continuity Plans. You’ll find a link to that in the show notes.
Your third metric category is about evaluating program maturity. When we help our clients evaluate their business continuity program, our objective is to get their program to a point of full maturity and long-term sustainability. We measure this progress using a proprietary maturity model based on the ISO 22301 standard. We look at 98 core factors by evaluating how close each element aligns with the company’s predefined standards. Those standards informed by the ISO standard and the specific needs of the business. In doing so, we can identify gaps in the program and the strategic objectives that are needed to bridge those gaps. This maturity metric, I think, is the pinnacle of business continuity program performance and it’s integral to ensuring the long-term sustainability of your resiliency program.
How do you get the metrics right in your business continuity program? Well, let’s start by just getting started. Your board and executives might be too busy to hear about your business continuity program or maybe you’re too embarrassed to report on the progress. I’ve heard plenty of that from many as a consultant. But it’s implicit upon your board and I would argue part of their fiduciary responsibility to understand the risks of disruption and have plans in place through your program to respond to them.
Keeping your head in the sand is definitely the path of least resistance, but that rarely ends well. Your board or audit committee or whatever committee on your board’s responsible for continuity planning, they should be briefed at least annually on your program progress. That means you need to start tracking something and start tracking that now. You also want to make sure that your program metrics support your organization’s strategic objectives. Business continuity leaders, and I’ve been there, can be so caught up in the details you forget about the importance of linking your program objectives to that as the company as a whole. So whatever metrics you develop should help you establish direct connectivity between the two. That’s especially important when it comes to making the business case for resources and tools that you want for the maturity program.
Likewise, if you’re working with a consultant, it’s important to work with someone who understands how your program integrates with other risk disciplines in your organization and supports your overall strategic business objectives. Third, implement the solution that’s right for you. Your program as a whole doesn’t have to be world class to be effective. For example, some companies benefit from using business continuity software platforms such as Fusion Risk Management or ServiceNow or others that can take all your various aspects of continuity, the BIA, your continuity plans, your DR plans, including metrics, and roll this into one package. Those are great tools if you can afford them and if your organization is complex enough that you really need something like that. But not everybody has hundreds of plans to manage. Not everyone’s dealing with a business that has hundreds of thousands of employees and dozens of units and a presence in multiple countries.
Many times a less robust and less expensive solution can be efficient. As I said before, Microsoft Excel could be your friend here. You don’t have to get more complicated. Choose the solution that’s right for your business and if you need to work with a consultant to help you determine the best approach to meeting your metric needs, by all means, head down that road. It goes without saying that the final and ultimate metric for any business is when the disruptive event, the boom as I like to say, actually happens. And then will your organization be able to respond effectively and snap back quickly from that disruption.
Time will tell, but by implementing the right measures of program progress, performance and maturity, you can breathe a little easier that way. That’s it for this edition of the Managing Uncertainty Podcast. We’ll be back next week with another new episode. Be well.