Metrics for measuring business continuity management

One of the key activities of business continuity (BC) management is measuring the performance of the program. Good governance presumes analysis

    Requires Free Membership to View

    Login

of ongoing business processes to ensure they are fulfilling company objectives. In most business continuity management activities, a management review and assessment process is (or should be) performed.

Learn more about business continuity management

Download free business continuity planning templates

Read about change management

Study our tutorial on data center relocation plans

Get twelve tips for business continuity management in a recession

This article discusses metrics in a two-tier model that can be used to measure business continuity performance. Tier one metrics support the underpinnings of a business continuity program; tier two metrics provide more granular measurements.

Tier one metrics in business continuity programs

In a typical audit, controls (metrics) are in place, and performance is measured against them. Within business continuity, we can identify various high-level metrics, which we can call "tier one."

A simple way to use tier one and tier two metrics is to set up a gap analysis worksheet with the following column headings:

Tier one metrics in business continuity programs

In a typical audit, controls (metrics) are in place, and performance is measured against them. Within business continuity, we can identify various high-level metrics, which we can call "tier one."

A simple way to use tier one and tier two metrics is to set up a gap analysis worksheet with the following column headings:

Action area Metric Current situation Desired situation Recommended action

If you set up a gap analysis worksheet, you can easily compare the metric to what is currently being done. Actions needed to achieve compliance can then be identified.

Tier one action areas Examples of metrics
Project initiation and management
  1. Program management process in place
  2. Qualified program team who manages the program
  3. Policies and procedures approved
Risk analysis and management
  1. Risk assessment process
  2. Periodic risk analyses conducted
  3. Risk treatment process established
Business impact analysis (BIA)
  1. Identify key relationships and dependencies with internal and external organizations
  2. Identify financial implications of a disruptive incident
  3. Identify recovery time objectives (RTOs) and recovery point objectives (RPOs) for critical functions
Developing continuity strategies
  1. List of prospective strategies defined
  2. Process to map BIA-based recovery issues to strategies
  3. Process to determine the effectiveness of strategies
Emergency response and management
  1. Incident response and management plan
  2. Linkage from IM plan to business continuity plan
  3. IM team members trained in response activities
Developing and implementing business continuity plans and related documents
  1. Process to develop a business continuity plan in place
  2. Linkages to IM plans, strategies, BIAs, etc.
  3. Operating procedures for business continuity plan defined
Awareness and training programs
  1. Awareness and training program in place
  2. Schedule for disseminating program information
  3. Training schedule in place for BC and related actions
Maintaining and exercising business continuity plans and related activities
  1. Exercise program in place with schedule of exercises
  2. Post-exercise assessment and recommendations
  3. Maintenance policies and schedule for updating
Public relations and crisis communication
  1. Detailed contact list of all critical internal and external contacts
  2. Policies and procedures for dealing with the media
  3. Process for rapid alerting of employees, vendors and stakeholders
Coordination with public authorities
  1. Contact list with key representatives from police, fire, emergency rescue, hospitals and office of emergency management
  2. Schedule of meetings with first responder community
  3. Periodic review of BC, disaster recovery and emergency plans by first responders

Tier two metrics in business continuity programs

By contrast, tier two metrics are often more detailed and granular than tier one metrics. They can be found in technology-focused disaster recovery (DR) plans that deal with the protection and recovery of data, prevention of cyber threats from compromising critical systems and data, recovery and restarting of critical servers, recovery of critical network infrastructure services, and relocation of staff to alternate work locations.

Let's examine some of these in the following table.

Tier two action areas Examples of metrics
Data recovery
  1. Backup copies current to within one hour of last update
  2. Time to recover critical data files within one hour
  3. Backup data tapes picked daily no later than 6:00 pm
Server recovery
  1. Time to restart and reboot file servers within one hour of outage
  2. Time to physically replace servers in designated racks within 30 minutes
  3. Number of errors during reboot is less than two
Data network recovery
  1. Time to recover, restart and reconfigure network routers within one hour of outage
  2. Time needed to test and validate network performance before transmitting live data within one hour of outage
  3. Maximum time needed to physically replace damaged network devices within four hours
Voice equipment recovery
  1. Time needed to restart voice system following outage within one hour of outage
  2. Maximum time for service company to arrive on site following service call within four hours
  3. Time needed to resynchronize DS-1/PRI circuits with switch within four hours
Activation of hot site
  1. Time needed to confirm approval from the hot site firm for recovery space within one hour of contact
  2. Time needed to restart critical systems at hot site within four hours of outage
  3. Time needed to relocate staff to hot site within four hours of reporting outage

The use of metrics for measuring business continuity performance provides tangible and auditable evidence that your program is performing up to expectations. The examples we have provided in this article can help you get started. The level of granularity depends on your company, how it conducts business and how it measures performance.

About this author: Paul Kirvan, FBCI, CBCP, CISSP, has more than 20 years experience in business continuity management as a consultant, author and educator. He is also secretary of the Business Continuity Institute USA Chapter.

This was first published in October 2009

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Back to top