
Metrics for measuring business continuity management performance


Paul Kirvan

One of the key activities of business continuity (BC) management is measuring performance of the program. Good governance presumes analysis of ongoing business processes to ensure they are fulfilling company objectives. In most business continuity management activities, a management review and assessment process is (or should be) performed.

This article discusses metrics in a two-tier model that can be used to measure business continuity performance. Tier one metrics support the underpinnings of a BC program; tier two metrics provide more granular measurements.

Tier one metrics in business continuity programs

In a typical audit, controls (metrics) are in place, and performance is measured against them. Within business continuity, we can identify various high-level metrics, which we can call "tier one."

A simple way to use tier one and tier two metrics is to set up a gap analysis worksheet with the following column headings:

Action area | Metric | Current situation | Desired situation | Recommended action


If you set up a gap analysis worksheet, you can easily compare the metric to what is currently being done. Actions needed to achieve compliance can then be identified.

Tier one action areas and examples of metrics


Project initiation and management

  1. Program management process in place
  2. Qualified program team who manages the program
  3. Policies and procedures approved

Risk analysis and management

  1. Risk assessment process
  2. Periodic risk analyses conducted
  3. Risk treatment process established

Business impact analysis (BIA)

  1. Identify key relationships and dependencies with internal and external organizations
  2. Identify financial implications of a disruptive incident
  3. Identify recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical functions

Developing continuity strategies

  1. List of prospective strategies defined
  2. Process to map BIA-based recovery issues to strategies
  3. Process to determine the effectiveness of strategies

Emergency response and management

  1. Incident response and management plan
  2. Linkage from the incident management (IM) plan to the business continuity plan
  3. IM team members trained in response activities

Developing and implementing business continuity plans and related documents

  1. Process to develop a business continuity plan in place
  2. Linkages to IM plans, strategies, BIAs, etc.
  3. Operating procedures for business continuity plan defined

Awareness and training programs

  1. Awareness and training program in place
  2. Schedule for disseminating program information
  3. Training schedule in place for BC and related actions

Maintaining and exercising business continuity plans and related activities

  1. Exercise program in place with schedule of exercises
  2. Post-exercise assessment and recommendations
  3. Maintenance policies and schedule for updating

Public relations and crisis communication

  1. Detailed contact list of all critical internal and external contacts
  2. Policies and procedures for dealing with the media
  3. Process for rapid alerting of employees, vendors and stakeholders

Coordination with public authorities

  1. Contact list with key representatives from police, fire, emergency rescue, hospitals and office of emergency management
  2. Schedule of meetings with first responder community
  3. Periodic review of BC, disaster recovery and emergency plans by first responders

Tier two metrics in business continuity programs

By contrast, tier two metrics are often more detailed and granular than tier one metrics. They can be found in technology-focused disaster recovery (DR) plans that deal with the protection and recovery of data, prevention of cyber threats from compromising critical systems and data, recovery and restarting of critical servers, recovery of critical network infrastructure services, and relocation of staff to alternate work locations.

Let's examine some of these in the following table.

Tier two action areas and examples of metrics


Data recovery

  1. Backup copies current to within one hour of last update
  2. Time to recover critical data files within one hour
  3. Backup data tapes picked up daily no later than 6:00 pm

Server recovery

  1. Time to restart and reboot file servers within one hour of outage
  2. Time to physically replace servers in designated racks within 30 minutes
  3. Number of errors during reboot is less than two

Data network recovery

  1. Time to recover, restart and reconfigure network routers within one hour of outage
  2. Time needed to test and validate network performance before transmitting live data within one hour of outage
  3. Maximum time needed to physically replace damaged network devices within four hours

Voice equipment recovery

  1. Time needed to restart voice system following outage within one hour of outage
  2. Maximum time for service company to arrive on site following service call within four hours
  3. Time needed to resynchronize DS-1/PRI circuits with switch within four hours

Activation of hot site

  1. Time needed to confirm approval from the hot site firm for recovery space within one hour of contact
  2. Time needed to restart critical systems at hot site within four hours of outage
  3. Time needed to relocate staff to hot site within four hours of reporting outage

The use of metrics for measuring business continuity performance provides tangible and auditable evidence that your program is performing up to expectations. The examples we have provided in this article can help you get started. The level of granularity depends on your company, how it conducts business and how it measures performance.

About this author: Paul Kirvan, FBCI, CBCP, CISSP, has more than 20 years' experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

