Metrics for measuring business continuity management performance

One of the key activities of business continuity (BC) management is measuring performance of the program. Good governance presumes analysis of ongoing business processes to ensure they are fulfilling company objectives. In most business continuity management activities, a management review and assessment process is (or should be) performed.

This article discusses metrics in a two-tier model that can be used to measure business continuity performance. Tier one metrics support the underpinnings of a BC program; tier two metrics provide more granular measurements.

Tier one metrics in business continuity programs

In a typical audit, controls (metrics) are in place, and performance is measured against them. Within business continuity, we can identify various high-level metrics, which we can call "tier one."

A simple way to use tier one and tier two metrics is to set up a gap analysis worksheet with the following column headings:

Action area

Metric

Current situation

Desired situation

Recommended action

If you set up a gap analysis worksheet, you can easily compare the metric to what is currently being done. Actions needed to achieve compliance can then be identified.

Tier one action areas

Examples of metrics

Project initiation and management

1. Program management process in place
2. Qualified program team who manages the program
3. Policies and procedures approved

Risk analysis and management

1. Risk assessment process
2. Periodic risk analyses conducted
3. Risk treatment process established

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Disaster recovery tips Creating a pandemic response for your disaster recovery plan Acquiring key personnel to maintain and update your disaster recovery plan How to prepare and plan for a pandemic disaster Disaster recovery plan basics: Updating and reviewing DR plans IT disaster recovery and business continuity planning for non-catastrophic disasters Is your disaster recovery (DR) plan out of date? The pros and cons of network-based data replication The importance of workforce continuity in a disaster recovery plan Twelve tips for business continuity management in a recession Disaster recovery planning fundamentals: DR testing basics Disaster Recovery Planning/Management Creating a pandemic response for your disaster recovery plan Acquiring key personnel to maintain and update your disaster recovery plan Exploring Microsoft Windows clustering and high-availability tools in disaster recovery How to prepare and plan for a pandemic disaster Disaster recovery plan basics: Updating and reviewing DR plans Disaster recovery news briefs: SteelEye supports disaster recovery and business continuity for Windows Server 2008 R2 Iowa Health System uses 'cloud' for disaster recovery to survive flood Disaster recovery and business continuity planning strategies for natural disasters Easy ways for SMBs to improve their disaster recovery and pandemic plans Disaster recovery news briefs: Riverbed updates Riverbed Optimization System software

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Business impact analysis (BIA)

1. Identify key relationships and dependencies with internal and external organizations
2. Identify financial implications of a disruptive incident
3. Identify recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical functions

Developing continuity strategies

1. List of prospective strategies defined
2. Process to map BIA-based recovery issues to strategies
3. Process to determine the effectiveness of strategies

Emergency response and management

1. Incident response and management plan
2. Linkage from IM plan to business continuity plan
3. IM team members trained in response activities

Developing and implementing business continuity plans and related documents

1. Process to develop a business continuity plan in place
2. Linkages to IM plans, strategies, BIAs, etc.
3. Operating procedures for business continuity plan defined

Awareness and training programs

1. Awareness and training program in place
2. Schedule for disseminating program information
3. Training schedule in place for BC and related actions

Maintaining and exercising business continuity plans and related activities

1. Exercise program in place with schedule of exercises
2. Post-exercise assessment and recommendations
3. Maintenance policies and schedule for updating

Public relations and crisis communication

1. Detailed contact list of all critical internal and external contacts
2. Policies and procedures for dealing with the media
3. Process for rapid alerting of employees, vendors and stakeholders

Coordination with public authorities

1. Contact list with key representatives from police, fire, emergency rescue, hospitals and office of emergency management
2. Schedule of meetings with first responder community
3. Periodic review of BC, disaster recovery and emergency plans by first responders

Tier two metrics in business continuity programs

By contrast, tier two metrics are often more detailed and granular than tier one metrics. They can be found in technology-focused disaster recovery (DR) plans that deal with the protection and recovery of data, prevention of cyber threats from compromising critical systems and data, recovery and restarting of critical servers, recovery of critical network infrastructure services, and relocation of staff to alternate work locations.

Let's examine some of these in the following table.

Tier two action areas

Examples of metrics

Data recovery

1. Backup copies current to within one hour of last update
2. Time to recover critical data files within one hour
3. Backup data tapes picked daily no later than 6:00 pm

Server recovery

1. Time to restart and reboot file servers within one hour of outage
2. Time to physically replace servers in designated racks within 30 minutes
3. Number of errors during reboot is less than two

Data network recovery

1. Time to recover, restart and reconfigure network routers within one hour of outage
2. Time needed to test and validate network performance before transmitting live data within one hour of outage
3. Maximum time needed to physically replace damaged network devices within four hours

Voice equipment recovery

1. Time needed to restart voice system following outage within one hour of outage
2. Maximum time for service company to arrive on site following service call within four hours
3. Time needed to resynchronize DS-1/PRI circuits with switch within four hours

Activation of hot site

1. Time needed to confirm approval from the hot site firm for recovery space within one hour of contact
2. Time needed to restart critical systems at hot site within four hours of outage
3. Time needed to relocate staff to hot site within four hours of reporting outage

The use of metrics for measuring business continuity performance provides tangible and auditable evidence that your program is performing up to expectations. The examples we have provided in this article can help you get started. The level of granularity depends on your company, how it conducts business and how it measures performance.

About this author: Paul Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.