101 business continuity metrics…

Published: Friday, 24 January 2020 08:37

Jon Seaton, chair of the Scottish Chapter of the BCI, looks at the subject of business continuity metrics, exploring why they are necessary and how to determine which metrics are required at different levels in the organization.

We spend our lives being constantly measured, and constantly measuring ourselves; how old we are, how long we have been married, or single, how many steps have we done today (!), how long we have been working and so on. It has become a habit and one which easily (and sadly) transfers to the workplace. How many years continuous service we have, are we on track at half year or full year, how many days leave do we have left…

Measurement in the workplace is not new: what are our profits (or losses), what is our share price, how are our sales, how many ‘hits’ does our website achieve, how long do people stay on the phone; the list goes on. It is argued that to know how we are doing we need to measure ourselves; it is by opening our eyes to how we are performing that we can understand what we can do better, or even what we need to stop doing. In our home life we may call these measurements goals; in work they tend to be captured by the term ‘metrics’. And these tend to be what the Board and external analysts look at to determine whether or not an organization has had a ‘good’ year, or is seen as a good investment. But it is not just these high-level metrics that are capturing the imagination; they are being seen throughout organizations.

I work in business continuity and crisis management; my remit is to ensure that if there is a disruption, we can continue operations in as seamless a way for our customers as possible until we return to business as usual (BAU). It could be argued that the only metric required for me would be to ensure that we recover during an event. This would as often as not lead to a very short end of year review!

We have a lot more than a single metric… Like most companies (especially those regulated in the financial services sector) we have a top-level Business Continuity Policy. It is based on the Business Continuity Institute’s Good Practice Guidelines, ISO 22301: Business Continuity Management Systems, ISO11200: Crisis Management and even aligns to the UK Financial Conduct Authority’s Systems and Controls Handbook. Sitting beneath our policy we have three framework documents which look at Business Continuity Planning, Crisis Management and Site Response.

Whilst the policy sets out our high-level approach to ‘how’ we do business continuity, the framework documents show us ‘what’ we need to do. The idea is that by ensuring that our businesses adhere to what is captured within these, whilst it will not always stop events happening, we put ourselves in with a fighting chance of recovering from the event. By providing us with the ‘what’ we need to do, this gives us a couple of easy-to-use metrics…

I reviewed our policy and framework documents, adding all the deliverables up, and there were certainly a few of them: 101 to be precise! These are made up of 33 for Business Continuity Planning, 42 for Crisis Management and 26 for Site Response!

So, as part of my day-to-day role it is my responsibility to ensure that we remain within governance for each of those 101 metrics. Thankfully the requirements to complete them vary (monthly, quarterly, six monthly, and some annually), but the results of the associated activities all need to be captured. Whilst our internal second and third lines of assurance appreciate the robust governance we have in place, the executive do not want to know this level of detail. They are only concerned with our top metrics… but which of our 101 metrics are the ‘top’ ones?

This is difficult; there are metrics which determine that we have policy and frameworks in place, ones that ensure that we review and update our documentation on a regular basis, ones that ensure all staff are trained to a minimum standard of knowledge on business continuity and ones that ensure that we run regular desktop exercises to prove our plans are fit for purpose. Although these are the nuts and bolts of business continuity and will fill up a large percentage of our roles, I would argue that these are not the critical activities or key metrics of what we do.

If we take it back to my remit:

“To ensure that if there is a disruption, we can continue operations in as seamless a way for our customers as possible until we return to business as usual (BAU).”

How do we continue operations following a disruption? We put in place alternate means of working if people, property, systems, and suppliers are unavailable. I would suggest that our key metrics are as follows:

So, we have now reduced 101 to 5, but are these what we would report up the line? I would suggest that there is further refinement required before reporting upwards to the executive. Some of these metrics are, in my opinion, enablers for what I believe to be the key metrics from a business continuity perspective, so I would refine our key metrics to the following:

Essentially, can we recover our business, and can we contact our staff if we need to? The other 99 problems (sorry!) we manage on a day-to-day basis still need to be managed. My team and I need to ensure that the checks and assurance are carried out on a regular basis, and if asked for more detail we need to be able to provide an overview of all 101 metrics to show our governance framework is robust and fit for purpose. To work from an alternate location, we need to know what to recover and how to recover it. To do that we need to understand our business and ensure that plans are agreed and tested, and once we have a clear view on that then we are in a position to recover the business and keep the key activities going to support our customer needs.

So, is 101 metrics overkill? Is it measurement for the sake of measuring? I would suggest that it is not. The very nature of business continuity and crisis management means that this is managing exceptional circumstances: the invocation of these plans is thankfully not a daily occurrence and there will often be long periods of time where a major incident does not cross the desks of our executive team. But when it does happen we need to be ready for it; and these 101 measurable activities ensure that when that event does occur, we are in as strong a position as we can be.

As I said at the start, whether we like it or not, we cannot stop measuring ourselves. By having these metrics to hand, when we are asked what we spend the money invested in business continuity on, we have the answer. We build an understanding of our organization, we build plans to recover the business if things go wrong and we run scenarios when times are quiet so that when we are in the heat of battle our methods of recovery do not seem too alien to us. If we do this right, when we get that call that things are going wrong we are in as good a position as possible to recover and keep the business operating until we can return to BAU.

The author

Jon Seaton, FBCI, is Chair, Scottish Chapter of the BCI. Contact him at jon_seaton@yahoo.co.uk or on Twitter at @BalernoDad