Organizations need to make BCM programs measurable to enable useful oversight and accountability. Too often, however, measuring BCM becomes unnecessarily complex, time-consuming and onerous, diverting resources and sapping engagement and commitment.
More importantly, the measurement process can evolve to focus increasingly on the implementation and management of the program itself, producing less of the actionable data needed to maximize resilience.
How can you optimize and focus the measurement of your BCM program?
Put glibly to make a point, don’t measure the program. Measure the program’s result. Measure organizational resilience. The objective should be data that drives effective decision-making and meaningful positive change for enhanced resilience.
Of course, BCM programs can and should be measured to a reasonable extent, using quantitative criteria but avoiding marginally useful granularity. The majority of effort should go to measuring resilience.
Here are some key measures you can include when measuring organizational resilience.
Each organization should subtract or add measures to align with its objectives and industry. All resilience measures should be quantitative, easy to compile and present in dashboards, and laser-focused on quantifying resilience and identifying opportunities for resilience improvements.
Measuring resilience should be cost-effective and add to organizational value, not be a tedious, academic process.
The success of a business continuity management (BCM) program relies in no small measure on executive engagement and support. Engagement is vital when initiating a BCM program or introducing an existing program to a new senior executive, and there are ways to achieve this strategic objective.
Increasingly, you can only buy cyber insurance when you prove that you have implemented comprehensive strategies to reduce your risk and mitigate the cost of cyber-attacks. In fact, it is more valuable to implement those cyber security strategies than to have the insurance policy.
Luck and quick thinking are great in all aspects of life, but they aren’t business recovery strategies or risk mitigations. A near miss event should be treated very seriously, not as a success, and as a warning to bolster training, revise business recovery plans and implement additional risk mitigations.