Business Continuity Plans - what should we measure?
Measuring what matters means selecting relevant evaluation criteria so that we can obtain actionable intelligence about how something is performing. As part of a business continuity management plan, this means that we evaluate the things that give an indication of the effectiveness of our recovery arrangements and the capability of the resources that support them. Too many organisations focus on reporting metrics such as documents reviewed, documents updated, meetings attended, etc. This has limited value in establishing the actual capability of the organisation to respond to and recover from a major incident. In the context of business continuity, exercises may provide more tangible information on certain aspects of capability, but that depends on the scope of the exercise. In most organisations it is not practical to exercise or test all aspects of the recovery arrangements in a single exercise.
Management teams in many organisations are now pressing for more meaningful information by which to manage their levels of resilience and to answer that all-important question – will it work when we need it? To answer that question we need to consider:
- That our perception of priorities and exposures remains accurate
- That the arrangements we have made to support these priorities remain effective and relevant
Here are some evaluation criteria that I have found helpful to generate actionable intelligence:
Risk & Exposures
Positive affirmation that threats, business exposures, and impacts to critical activities are relevant to current conditions. In other words, every critical activity has confirmed that there are no material changes to their perception of threats and exposures since the last time these were evaluated.
Operational Priorities
Confirmation that the nature of the business and the way in which goods and services are delivered have not significantly changed and that no significant changes are on the horizon
Incident Management
Roles, responsibilities and contact information of the Incident Management Team (IMT) are accurate, complete and understood by its members
IMT can respond to an alert and collaborate within an acceptable timeframe
Designated incident management locations provide sufficient accommodation for the IMT
Designated incident management locations provide all relevant services that may be required by the IMT
Evacuation procedures are effective and compliant with relevant regulatory requirements
Staff are in possession of accessible information regarding evacuation, safety, first actions and sources of information
Core Capabilities
Information technology services can be restored within the required timeframe
Remote access services are reliable and support envisaged use cases
Off-line data can be retrieved and restored within the required timeframes
Alternative premises provide sufficient and fit-for-purpose accommodation
Telephony services can be restored and/or diverted within the required timeframe
Departmental Plans
Roles and responsibilities remain relevant to activities & required skill sets
Role holders understand their responsibilities, departmental priorities and action plans
Priorities and action plans remain relevant to business, customer needs, contractual and SLA obligations
Priorities and action plans remain compliant with laws and regulations
Requirements for core service recovery remain unchanged
Communications with Stakeholders
Interfaces with Core Services and Departments ensure accurate and timely information flow
Individual role holders are proficient with the communications tools and media available
Metrics for measuring your BCP are covered in the Module 3 video: oversight, awareness and assurance of the business continuity plan.
Follow or connect with Steve, RiskCentric's owner & founder via LinkedIn