15 Business Continuity Program Metrics You Should Be Using

— June 8, 2017

As a business executive, you can likely point to a number of metrics currently being utilized in your company, all of which measure the effectiveness of various practices and processes—everything from marketing, to sales, to customers. That’s because the value of metrics is not generally up for debate. If you’re not well-informed about all aspects of your business—knowledge gained by continually tracking and assessing your performance—you may not be in business for long.


The logic behind such measurements is clear; they help us understand where we’ve been and where we’re going. Somehow, though, this logic never seems to extend to the business continuity (BC) program.


Why? I’ve heard every reason under the sun as to why business continuity managers don’t use metrics to measure the effectiveness of their program, but none of them hold up if you consider this: As the business continuity manager, the “product” you deliver is a BC program that works. If you can’t say for sure that it will, then you’ve failed to deliver. You’re also putting the health of the company—which has been so carefully monitored and maintained with the help of myriad metrics—at risk.


If you’re unsure about which business continuity program metrics to use, you’re in good company; few resources offer guidance or a definitive list. But there are, in fact, numerous key performance indicators (KPIs) that are useful in measuring the state of your program; I’ve listed the most critical below to get you started. If your program performs well against the following 15 business continuity KPI examples, you can rest assured you’re heading in the right direction.


15 Business Continuity Program Metrics



  1. Senior management support: Senior management promotes continual improvement of the program by:


  • Conducting management reviews.
  • Requiring regular program audits.
  • Confirming that employees are continuously trained.
  • Validating that enterprise tests are being conducted regularly.
  • Reviewing test results for successes and opportunities.
  • Validating that the program is regularly updated to heighten its sophistication and maturity.


  1. Policies and standards: The business continuity management policy and standards consider and address the scope of the program, management commitment, organizational activities, roles and responsibilities, business activities, services, products, partnerships, supply chains, relationships with interested parties, and the potential impacts related to a disruptive incident.


  1. Program metrics: A comprehensive metrics process consistent with organizational and industry best practices, standards, and guidelines has been implemented to monitor and measure the performance of the business continuity management program at regularly planned intervals.


  1. BC budget: The business continuity management budget(s) is a regular line item on the annual corporate-wide budget and is consistent with the scope and needs of the program.


  1. Business Impact Analysis (BIA) reporting: A Business Impact Analysis is conducted at regularly planned intervals (a minimum of every two years) for critical business units and associated activities that support the organization’s products and services.


  1. BIA/Disaster Recovery plan alignment: The BIA and its most current results (including recovery time objectives and recovery point objectives) are used as the basis for alignment of recovery requirements between individual business units and IT.


  1. Threat and risk assessment process: Your threat and risk assessment process systematically identifies, analyzes, and evaluates the risk of disruptive incidents to the organization on a regular basis, at least annually.


  1. BC management program training: Training is multi-tiered and addresses general employees, recovery team leaders and members, the crisis management team, and senior management.


  1. Crisis management team: A cross-functional crisis management team representative of the scope and nature of the organization (senior management, facilities, human resources, information technology, etc.) has been identified and is in place to manage incidents across the organization.


  1. Recovery exercises: Recovery exercises (tabletop, walkthrough, functional, etc.) are held at regularly planned intervals (at least annually) to provide crisis management and recovery team members with a training scenario to further assess and heighten their capabilities, validate the plan and its content, assess operational capabilities of the recovery strategies, and identify opportunities for further improvement.


  1. Crisis communications plan: A crisis communications plan uses accepted incident/crisis management best practices and standards in its format, content, and steps to communicate the status of an incident from its detection, to activation, to recovery, to resumption of normal operations.


  1. Emergency notifications: Emergency notifications follow industry best practices and address the escalation processes, procedures, and various communication methods (such as pagers, satellite phones, cell phones, email, or two-way radios) that can be used to promptly notify internal and external parties of an impending or in-progress disaster situation.


  1. Recovery plan template: Business units and the IT department use a standardized recovery plan template that is consistent with approved recovery plan standards.


  1. Alternate work strategies: Business units follow an approved mix of alternate work strategies (e.g., work from home, from another company facility, or at a third-party site) established by the business continuity management office that are based on the recovery time objectives derived from the BIA.


  1. BC alignment with Disaster Recovery for incident response: Incident response is a complex undertaking that requires substantial planning and resources. The business continuity management program specifically addresses and integrates its structure and operations with key IT policies and procedures such as those used to prevent, mitigate and respond to cyber-security related attacks (computer security incident response).

These business continuity KPI examples are just a sampling of the metrics needed to truly evaluate your program’s effectiveness, but they are a great place to start.


Will your business recovery plans work when you need them? Here’s everything you need to know about how to create and implement a business recovery plan successfully.

Business & Finance Articles on Business 2 Community

(244)