Business continuity metrics: what and how to track

Metrics are a key part of all business operations. They provide a way to clearly and objectively review how the company is progressing in specific areas and/or toward specific goals. They are a measurable way to review what is working, what isn’t, and where changes may need to be implemented.


Like many other areas of business—from marketing to profitability—it is key to have metrics that can demonstrate whether the business is successful or if additional changes should be made. The same is true for business continuity and resilience.


Creating a business continuity plan and a resilience strategy is the key first step to having trackable metrics. These planning tools ensure that the business has identified potential threats, weaknesses, and disruptions and that there is a plan in place not only to respond should one of these events occur but also to be able to shift to a new strategy should the event require a new approach. 


Once the business continuity plan and resilience strategy are clear, they can be objectively measured using KPIs and KRIs. Key performance indicators (KPIs) help quantify business goals, create objectivity, and provide an easy way to evaluate success on a frequently recurring basis. These metrics provide a measurable way to quantify performance and how well specific outcomes are being achieved. Key risk indicators (KRIs) can also be implemented to flag risks. The difference between KPIs and KRIs is that KPIs are used to measure success, whereas KRIs help indicate the potential for negative impacts.


The first hurdle is helping everyone understand the importance of having business continuity, and if you are already thinking about metrics, it’s likely that you’ve already surpassed this hurdle. But the biggest hurdle is still left to overcome: understanding what to track and how to report the data. Business continuity measures can be specific to your industry and your business, but here are a few ideas for both key performance indicators and key risk indicators that your business can use.


Key performance indicator examples:

  • Recovery time objectives

  • Recovery point objectives

  • Service legal agreements

  • Frequency of BCM exercises

  • Operational level agreements

Key risk indicator examples:

  • Number of customer complaints

  • Frequency and severity of severe weather events

  • Company stock prices

Creating quality metrics

There are many things that could be measured, but not all measurements are going to be useful. For that reason, it is important to select the most impactful metrics that are going to give an accurate depiction of how the business is doing. If you are not measuring the right things, it’s unlikely that you will have a clear picture of what’s really going on or that you will be able to appropriately and effectively respond.


Here are some tips you can use to help ensure you choose quality metrics that create value.


Select impactful metrics

The metrics that you select should have a clear relationship to your continuity and recovery plan. That means it should be a good mix of both continuity and resilience (KPIs and KRIs) to ensure that everyone can easily see response performance, continuity, and recovery. It is not just about specific activities that are completed—it’s also about performance.


Don’t select empty metrics for things like “the number of exercises conducted.” Metrics like these may show that the organization is taking steps to ensure business continuity, but they reveal little else. The number of exercises conducted doesn’t mean that those exercises were successful or give you any other data to determine whether additional steps or modifications should be made.


It can also be helpful to create a clear difference between milestones and metrics. For instance, “business continuity strategies documented, selected, and in place” may be more of a goal or checklist item than a measurable metric. Once that item is completed, it is done. It isn’t something that needs to be measured on an ongoing basis, unless it’s part of a regular review process.


Create consistency

A metric that is not kept up-to-date or reviewed is almost just as good as not having a metric at all. For metrics to be effective, they must be updated and reviewed on a regular recurring basis. Otherwise, it will be impossible to spot changes and red flags or to know when it is time to make adjustments. Once you have your metrics determined, be sure to also set a schedule (daily, weekly, quarterly, etc.) that is most accurate for that particular metric. Some metrics may need to be reviewed less frequently than others, but having a schedule is key.

Identify ranges for action


For all your indicators, it’s also important to consider adopting a system to label ranges with a call to action. For example, low risk may require no action, medium risk may require some form of action, and high risk may require immediate escalation to management with action taken immediately.

Have Questions?

Want to find out more about how Resilience3™ security, risk, and compliance solutions will improve your business resiliency?