Metrics that Matter in Business Continuity & Disaster Recovery

Reporting on metrics is one of the few ways to know if what you're doing is working, but for many BC/DR managers it's a challenge.


When it comes to business continuity and disaster recovery, we all know that data is king. Reporting on metrics is one of the few ways to truly know that what you’re doing works, but for many business continuity and disaster recovery managers, this is a huge challenge. If you don’t have an automated tool, it’s likely that you rely on Word, Excel and colleagues in other departments to collect BC/DR metrics. We all know the struggle of working with Kyle from finance, a guy who is “way too busy” for your “little” business continuity project.

So, what’s a BC/DR manager to do? You already know that BC/DR is a critical component of an organization’s success. And you know that you need metrics to measure the effectiveness of your efforts. The first step is to understand the metrics that matter in business continuity and disaster recovery planning, which is exactly what this guide will cover. You’ll also need a tool to collect and report on these metrics. Depending on your organization’s size and the maturity level of your BC/DR program, this could range from an Excel template to powerful, automated software.

Important BC/DR Metrics

There are 7 important BC/DR metrics that you should be tracking to grow and measure recovery plans:

  • Recovery Time Objectives (RTO)
  • Recovery Point Objectives (RPO)
  • The number of plans that cover each critical business process
  • The amount of time since each plan was updated
  • The number of business processes that are threatened by a potential disaster
  • The actual time it takes to recover a business process
  • The difference between your target and actual recovery time

While there are several other metrics that you could track, these metrics serve as a core review of your program, and indicate how prepared you are for a real disaster.

Critical Metrics in BC/DR

The first two important BC/DR metrics are Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). An RTO is the maximum acceptable length of time that an item can be down. An RPO determines the age of the data you can afford to lose and whether your backups will save the rest. For example, if you can afford to lose an hour’s worth of data, you’ll have to run backups at least every hour.

Backup and recovery procedures are at the heart of a good BC/DR plan, so you need to consider both RTOs and RPOs to determine the best backup and recovery tools for the job. If, for example, you generate continuous transactions at a moderate-to-high-volume and value, how many minutes worth of transactions could you afford to lose? How long could you afford to be out-of-service? Such an application could benefit from the very frequent, block-level backups that are possible with Continuous Data Protection (CDP), but you wouldn’t know that unless you looked at both the RTOs and RPOs.

Finally, you should measure the number of plans that cover each business process, as well as the amount of time since each plan was updated. Key Performance Indicators (KPIs) are a measure of how well a program works and one that you can’t ignore. You can set KPIs for how often you review and update your plans (for example, every month, 6 months or year) and how many business functions are covered by a recovery plan, with an action plan to achieve 100% coverage. If you are limited on time and resources, start with your most critical business processes.

Metrics for Planning

Enterprises can have hundreds to thousands of processes and you can’t restore a process without a plan. A key metric for BC/DR planning is the number of processes that are threatened by a potential disaster.

You should start with a risk analysis and business impact analysis to a) understand the greatest risks that threaten your organization and, b) the impact of those risks on various functions of the business. Then, you can create plans to protect these processes and minimize the disruption when disaster strikes.

But static plans can stagnate. You can’t restore processes unless you update plans periodically to account for changes in applications, data, environments, employees and risks. You should set reminders for yourself to prompt plan reviews at appropriate points in the cycle. In a perfect world, you’d receive confirmation from the managers of various departments who have reviewed and updated their plans, but let’s be real — reviewing and updating those plans is a huge hassle and it’s near miraculous if they do it on time. Using software can alleviate this pain point — you can automate email reminders to the various plan owners and track their progress all within the software — no passive aggressive emails needed! Software also removes many of the tedious tasks concerned with change management. For example, automated data integrations will keep your data updated automatically as that data changes in other applications. If a single contact is used in 100 plans and their phone number changes, an integrated system will carry that change over to your business continuity and emergency management plans as well.

Using Metrics to Measure Plan and Recovery Effectiveness

One of the simplest ways to determine how business functions are interdependent is by using a dependency modeling tool. This will help you visualize whether application dependencies allow you to meet RTOs and SLAs.

For example, if you need to recover an accounts payable service in 12 hours, but that depends on finance software that can take up to 24 hours to recover, accounts payable cannot meet a 12-hour SLA. A dependency modeller illustrates these dependent relationships dynamically, and when and how a plan will break down as a result.

You should be measuring the actual time it takes to recover a business process. You can test recovery procedures using a BC/DR tool to track the time each step takes.

Alternatively, you could use the old-school method by timing each step manually. These tests will help you determine whether your people and processes can meet RTOs using your existing plan. You should be able to complete recovery tasks in the time the plan allows, and if you can’t, you need to revise your plan so that it’s realistic and achievable.

Finally, the last metric covered in this resource is the difference between your actual and target recovery time, also known as a gap analysis. You can (and should!) test for gaps with tabletop exercises, failover and recovery tests, enterprise-wide BC/DR tests, and gap analyses. Once you’ve identified where there are gaps in your plans, you can set KPIs and use them in your planning process.
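The dependency check and gap analysis described in this section, as an added Python example (not code from the original article or from any BC/DR product). Process names, hours, dates and the 180-day plan-review threshold are constructed, and the model assumes a process and its dependencies are recovered in parallel, so a process is back no earlier than its slowest dependency.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Process:
    name: str
    rto_hours: float               # target: maximum acceptable downtime
    own_recovery_hours: float      # measured in the last recovery test
    depends_on: List[str] = field(default_factory=list)
    plan_updated: Optional[date] = None  # None: no plan covers this process


def effective_recovery(procs: Dict[str, Process], name: str,
                       _path: Tuple[str, ...] = ()) -> Tuple[float, str]:
    """Return (hours, bottleneck) for one process.

    Assumption: dependencies recover in parallel, so a process is back no
    earlier than its own recovery time or its slowest dependency's.
    """
    if name in _path:
        # A cycle means the plans can never be executed in order.
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    if name not in procs:
        raise KeyError(f"unknown process in dependency list: {name}")
    proc = procs[name]
    hours, bottleneck = proc.own_recovery_hours, name
    for dep in proc.depends_on:
        dep_hours, dep_bottleneck = effective_recovery(procs, dep, _path + (name,))
        if dep_hours > hours:
            hours, bottleneck = dep_hours, dep_bottleneck
    return hours, bottleneck


def gap_report(procs: Dict[str, Process], today: date,
               max_plan_age_days: int = 180) -> Dict[str, dict]:
    """Target vs. achievable recovery time, plus plan freshness, per process."""
    report = {}
    for name, proc in procs.items():
        hours, bottleneck = effective_recovery(procs, name)
        if proc.plan_updated is None:
            plan = "missing"
        elif (today - proc.plan_updated).days > max_plan_age_days:
            plan = "stale"
        else:
            plan = "current"
        report[name] = {
            "target_hours": proc.rto_hours,
            "effective_hours": hours,
            "gap_hours": hours - proc.rto_hours,   # positive: RTO is missed
            "meets_rto": hours <= proc.rto_hours,
            "bottleneck": bottleneck,
            "plan": plan,
        }
    return report


def plan_coverage(procs: Dict[str, Process]) -> float:
    """Fraction of processes that have any recovery plan at all."""
    covered = sum(1 for p in procs.values() if p.plan_updated is not None)
    return covered / len(procs)


# Constructed sample data; the first two rows mirror the article's
# accounts payable / finance software example.
TODAY = date(2024, 6, 1)
SAMPLE = {p.name: p for p in [
    Process("accounts_payable", 12, 4, ["finance_software"], date(2024, 5, 1)),
    Process("finance_software", 24, 24, [], date(2023, 6, 1)),
    Process("payroll", 48, 10, ["finance_software", "hr_system"], date(2024, 3, 1)),
    Process("hr_system", 8, 6, [], None),
]}

if __name__ == "__main__":
    for name, row in gap_report(SAMPLE, TODAY).items():
        status = "OK  " if row["meets_rto"] else "MISS"
        print(f"{status} {name:17} target={row['target_hours']:>4}h "
              f"effective={row['effective_hours']:>4}h "
              f"gap={row['gap_hours']:+}h bottleneck={row['bottleneck']} "
              f"plan={row['plan']}")
    print(f"plan coverage: {plan_coverage(SAMPLE):.0%}")
```
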

Best Practices for Clean BC/DR Data

The data that your BC/DR software collects needs to be “clean” to ensure accurate reports and planning. For good data hygiene, make sure you’re standardizing data input with drop down menus, pick lists, text formatting and data validation. For example, if you’re inputting employee phone numbers into a plan, you’ll want to validate whether those phone numbers include an area code and remain in use.

Deduplication and Identity and Access Management (IAM) can help you to cultivate elegant data. You can use deduplication to eliminate multiple appearances of the same entries. You can use credentials (authentication) together with permissions (authorization) to ensure that only qualified users enter vital records and data. You’ll also save yourself a lot of time and headaches by integrating your BC/DR system with other applications (for example, your HR system) to avoid the duplication of records and any chance of errors.

Where to Start

We live in a world where disasters happen and companies either suffer or die. BC/DR is critical to the success and resilience of an organization, and it’s your responsibility to keep the business afloat and your staff safe in an emergency… but you already knew that.

With the weight of the world on your shoulders, you can only rely on data to sleep soundly at night.

You’ve made a great start to BC/DR planning by making it to the end of this guide, but now it’s time to turn your knowledge into action! Start by determining your critical business functions and how they are dependent on one another using a relationship modelling tool.

Next, set an acceptable downtime threshold using RTO and RPO metrics. Test your plans to see if you come close to or exceed those thresholds. If you do, revise the plans and test them again. You should set KPIs to measure how often your plans are updated and tested, and conduct a gap analysis to compare the planned vs. actual recovery time.

Finally, make sure that you’re maintaining “hygienic” data for accurate reporting. Your BC/DR metrics are completely useless if the data isn’t accurate. It may seem like a no-brainer, but it’s surprising how many companies lull themselves into a false sense of security with reports that misrepresent their SLAs. It’s always better to be a realist, even if that means you’re accepting the risks that go along with it.


The Only Guide You Will Need

From the definition of business continuity and its related plans, to the description of the planning involved in establishing the business continuity plan, right down to its management, we cover everything in this ultimate Business Continuity guide.


What Is Business Continuity?

High-profile events and disasters such as terrorist attacks, natural disasters, and data breaches have increased global awareness of the need for robust business continuity practices and strategies.


Business continuity encompasses the people, processes, technologies, and frameworks needed for an organization to ensure the continuous delivery of critical business functions when a disaster occurs. The business continuity definition also includes the prevention and mitigation of such disruptions from happening in the first place.

Company leaders have a crucial role to play in ensuring the resilience and continuity of business operations during crisis events.

Business continuity does not have an end date or state. It is a continuous process that keeps on evolving to adapt to never-ending business transformations and changes in the business environment. 

Business Resilience vs. Business Continuity: What’s the Difference?

Although both terms are sometimes used interchangeably within business circles, there are several subtle differences.

Business resilience describes the ability to return to a state of functionality that may either be the same as prior to a disruptive event, or a new state that enables operations in a new reality. It includes disaster response, incident response, and business continuity management. A truly resilient organization is impervious to the effect and fallout of various kinds of disasters or disruptions.

On the other hand, business continuity assists companies to return to functional status by addressing the consequences of outages and disruptions to business operations. The goal of business continuity is to return the business to a state of operation/functionality prior to a disruptive event, in the shortest amount of time and with the least amount of disruption. It does this by reducing and preventing data loss and the risk of reputational harm by mitigating the consequences of disastrous events. 

Essentially, business continuity is concerned with helping a company resume operations immediately when a disaster occurs while business resilience is the company’s ability to resist and adapt to disruptive events or trends.

The Plans in Business Continuity

Multiple plans result from the business continuity planning process. They are all considered part of the business continuity plan (BCP).

Business Continuity Plan (BCP): business continuity initiatives, strategy, policies, standards, and planning activities produce this plan. It is all encompassing and includes the other plans below, or at least references to them.

Disaster Recovery Plan (DRP): this plan will focus on business continuity from an IT / technology infrastructure standpoint.

Crisis Management Plan (CMP): this identifies the chain-of-command and provides criteria to determine if a crisis has occurred (and therefore the activation of the BCP and related emergency response), the reporting and response management of the crisis, along with a communication plan.

Emergency Response Plan (ERP): also called Incident Response Plan, this details the actions that need to take place to mitigate the immediate effects or consequences of an event responsible for business disruption. The priority of this plan is the safety of people directly or indirectly involved in the business. Then comes the protection of the business infrastructure (IT, building, equipment). Once the response phase is completed, it is possible to move to the Restore, Recover and Resume phases.


What Does Business Continuity Mean in a Business Emergency?

It means that the organization has made adequate preparations and has the ability to execute a business continuity plan that addresses customers, people, processes and technology. 

Ensuring Services or Products Are Delivered (Customers)

At its core, business continuity proactively ensures that organizations can still execute mission-critical operations and deliver products or services to customers during a disruption.

Proper business continuity mandates different responses to different levels of threats and disruptions. This is done for one major reason – to ensure that the products and services that are most vital to customers aren’t disrupted.

Supporting Employees (People)

The scope of business continuity covers the safety and security of human resources – from executive and middle management down to frontline workers – along with organizational assets and systems.

Since disasters and business emergencies can be confusing, business continuity planning takes cognizance of how, when, and what kind of information is delivered to employees… once disaster strikes.

To help support company staff during operational disruptions and emergencies, business continuity ensures that employees have key information on how the organization plans to respond. Everyone needs to know what to expect from the BCM team as it implements strategies to navigate the company back to a state of normalcy.

Knowing Which Steps and Actions to Take (Process)

Company management and key personnel need to know what steps to take when faced with incidents that result in a business emergency.

A business continuity plan typically includes the contact information of relevant personnel, a guide on how to use the BCP document, as well as clear guidelines on what to do to maintain critical operations. The plan should be honest about service level agreements (SLAs) and recovery point and recovery time objectives (RPO and RTO), and identify what employees should or should not do to help processes, facilities, and team members stay operational and productive.

The Crisis Management and Emergency Response plans would actually provide detailed step-by-step procedures to follow to address particular situations addressed in the BCP.

Having the Right Disaster Recovery Solution in Place (Technology)

It’s imperative for organizations going through the business continuity planning process to leverage the right technologies.

In recent years, there has been a significant increase in the number of disaster recovery (DR) solutions, due to the prevalence of cloud computing applications and the aftermath of the COVID-19 pandemic.  

Depending on their DR needs, enterprises can build or rent off-site disaster recovery facilities or leverage a variety of cloud-based options such as disaster recovery as a service (DRaaS). These offerings come with a range of tools and services that offer incident response capabilities such as DR, backup, and restore to prevent data loss and ensure the high availability of IT systems and databases. It is all about having the right solution to execute the DR plan.

Managing Business Continuity: The BC Management Team

While business continuity processes and strategies are designed to help organizations stay on track during unexpected disruptions, the success of these strategies depends largely on how well they are executed.

Business continuity management (BCM) teams are critical to the design and implementation of business continuity plans. They provide the insight, focus, and leadership that keeps a business on its feet when disaster strikes.  As such, deciding who is responsible for business continuity planning, and collating the resources and technologies needed to help them operate effectively are indispensable parts of business continuity initiatives.

Putting together a strong BCM team is challenging. A world-class business continuity team is cross-functional and includes personnel drawn from pockets of expertise across the entire organization, from executives to team members drawn from legal, facilities, finance/accounting, IT, HR, etc. The roles and responsibilities of individual BCM team members are outlined in the business continuity policy.

Regardless of company size, industry vertical, or business objectives, the BCM team should comprise the following:

Every BCM team must be headed by a company leader with the skill and experience to oversee business continuity efforts and make high-level decisions on the focus of the BCM team. The sponsor is usually drawn from the ranks of senior management.

For large enterprises, the Risk Management Officer may lead the BCM team assisted by someone from the IT department. In smaller organizations, the CTO or CFO may be picked to head the BCM team.

The Business Continuity Steering Committee or Office  

This is an interdisciplinary team at the C-suite level usually made of people overseeing key functions in the organization (COO, CIO, CSO, CISO, CPO, Legal Counsel, etc.). Their role is to ensure the BC program stays in lock-step with the corporate strategy, that proper resources are allocated and that goals are established and met within set timeframes.

In most instances, the BC Sponsor is also the chair of the Steering Committee when it exists.

The Business Continuity Plan Owners   

In larger organizations, the Business Unit or group leaders are accountable for the creation and maintenance of their own BCP, under the established policies, standards and processes set at the BC program level.

Business Continuity Planners and Managers  

The BC planners are the people in charge of developing the actual business continuity plan for their business unit or group. In larger enterprises, they will report to a BCP owner. In smaller organizations, they may just report to the BC Program manager and help to develop the BCP for various functions of the business.

The BC manager's role is to ensure BCP readiness by coordinating and organizing simulation exercises and training the resources that would be involved in any BC activation plan. The manager also ensures a feedback loop into the process by raising any challenges that arise during exercises testing the BCP.

BC planner and manager functions can be fulfilled by the same person. Again the size and global footprint of an organization will impact how these roles are set up.

Crisis Management Team (CMT) and Emergency Response Team (ERT)   

These are the people who are responsible for executing the BCP when it gets activated, and they:

1) Ensure all the activities get triggered and implemented,

2) Make sure the proper resources get allocated,

3) Make decisions to adjust the course of operations as needed,

4) Execute the workflows and steps of the BCP,

5) Provide updates/reporting on the situation and its evolution on the ground.

In some organizations this might be two teams, working closely together outside of a crisis, and obviously during one. In that scenario, the CMT would mainly cover areas 1) to 3) while the ERT would take care of 3) and 4). The overlap over decision-making (3) considers that adjustments can be made on the ground but also at a higher level.

Crisis Communication Management Team (CCMT)   

Some organizations may also have a dedicated Crisis Communication Team that manages communication with the media and all key stakeholders of the organization (employees, customers, partners, etc.) during a crisis.  

The Map to Recovery: The Business Continuity Plan (BCP)

Business continuity planning culminates in the production of a business continuity plan that usually becomes a living document, constantly evolving.

The BCP is the tangible asset an organization produces to translate its strategy and approach to deal with disruptions and ensure its business can continue to operate. Because it is the result of a cyclical process, business continuity planning, it will evolve over time. Regular testing of the BCP usually brings its own set of changes and adjustments too, making the BCP an actual living document.

Developed by the business continuity managers and planners, it will become the recovery map the crisis and emergency teams will rely on when disaster strikes.  

What Is a Business Continuity Plan?

The BCP is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters. 

According to ISO 22301¹, a business continuity plan is defined as “documented procedures that guide organizations to complete the four R’s: Respond, Recover, Resume, and Restore to a pre-defined level of operations following disruption.”

The business continuity plan aims at meeting the four R’s against defined types of risks that can affect the organization’s operations —such as floods, fires, disease outbreaks, weather-related events, cyber-attacks, and other external threats— for specified sites or geographical areas. 

Key Elements of a Business Continuity Plan

There is unfortunately no one-size-fits-all template that can be applied but at least the elements listed should be considered as minimum requirements. 

The BCP should at a minimum contain the following elements:

  • Contact information of the key individuals in charge of the BCP 
  • A revision log with reference to documentation that describes change management procedures – This is key for audit purposes and to ensure that only the latest versions of a BCP are available. It also makes it possible to connect changes to BCP testing, by highlighting which elements of a test drove changes in the BCP.
  • Information about and/or references to BC governance, policies and standards
  • The purpose and scope of the BCP – As seen later, there will most likely be multiple BCPs developed for a single organization, to address specific types of disruptions over specific entities or locations. So, it is key to know the intended application of a particular BCP.
  • Instructions about how to use the plan end-to-end, from activation to de-activation phases
  • Service Level Agreements (SLAs) over key business processes, defining the amount of time within which these processes must be restored.
  • References to Disaster Recovery, Crisis Management and Emergency Response plans and procedures along with the identification of key roles and individuals. 
  • References to Runbooks detailing all applicable procedures step-by-step, with checklists and flow diagrams.
  • A glossary of terms used in the plan  
  • A schedule showing dates for reviewing, testing and updating the plan, along with a record of past test dates and references to the results of these tests.

Each organization will have other items it deems important that will make it into its BCP. There is unfortunately no one-size-fits-all template that can be applied to meet every business's needs.

The Lifecycle of an Active BCP

Great, you have a solid BCP. And now what? What happens when a crisis hits?

BCP Activation

A business continuity plan can be activated at multiple levels of the business continuity chain-of-command. This is how a business is best protected, as it enables speedy BCP activation when required. Obviously, this will vary with the type of disruption, as not all disruptions are equal.

The response to a pandemic such as COVID-19 would provide more time to plan and decide what parts of a BC plan to activate. In this case, it is most likely that the activation decision would be taken at the highest level of the chain.

In contrast, the event of a shooting in a building office would most likely trigger the activation of that local BCP by the members of the teams located there. The activation would put in motion various elements of the BCP, including the reporting and potential further activations up the chain of command. The situation may end up being managed at a different level later for various reasons. 

The BCP should ensure that many members of the BC team, at various levels of the organization, are empowered to act as leaders and activate a BCP, in order to enable a swift response when needed. Proper availability and coverage of these individuals is essential (designated backups in case of absence, redundancy in locations, shifts, etc.).

Systems and procedures should also be in place to record events as they take place, or soon after (time stamps for events or decisions, people or agencies involved, etc). 

BCP De-activation

It is the responsibility of the Crisis Management Team to decide when the BCP needs to be or can be de-activated. The highest “ranked” individual in the activated crisis management cell is the one to make the call.

The BCP should incorporate the criteria to be met to start the deactivation process, and during the step-down process itself (validate at each step that the situation meets set criteria and conditions). At this stage, it is usually easier to properly document all these steps, and record time stamps, decision-makers names, and any other pieces of information that may be valuable for a later review of the response to a disruption. 

Other Consideration: BCP Accessibility

While it is impossible to list all the considerations that could apply to an organization’s BCP, there is one that is essential: the accessibility to the BCP, and any runbooks describing the applicable procedures step-by-step.

Training is of course important to make a lot of the activities and tasks feel like second nature for the individuals involved in executing the BCP, however it is still highly probable that during a crisis there will be a need to check some elements of the BCP.

However old-fashioned this might feel, having print versions of the BCP available in designated locations is important, since some disruptions may bring down the IT infrastructure of an organization, or even the local grid, hence limiting or preventing any access to digital documents. Obviously, that adds another layer of management to ensure these documents are kept up-to-date. Other options can include having digital copies of a BCP hosted on other secured 3rd party systems or platforms.

The Journey to a BCP: Business Continuity Planning

Business continuity planning is a top priority for any organization looking to minimize downtime and maintain the high availability of systems, products, and services, regardless of disastrous occurrences.

Business continuity planning describes the process of establishing risk management procedures and protocols (that should be followed in the event of a disaster) to prevent interruptions to mission-critical services and help re-establish full operational functionality as quickly as possible. It culminates in the production of a business continuity plan (BCP).  

The Key Parts to Business Continuity Planning

To ensure that the most likely scenarios are covered, the planning process involves identifying critical functions and the possible risks and disasters that would cause the failure/downtime of said functions.

The nature and severity of these threats will guide the rest of the planning process. The key parts of the business continuity planning process are:  

  • Identification of critical functions or business processes – Reveals what processes are critical to maintaining and running in the event of an unplanned disruption in order to prioritize and focus recovery there 
  • Business Impact Analysis (BIA) – A systematic process used first to evaluate the disruptive effects of disasters, accidents, or emergencies on critical business processes.
  • Risk Assessment – Identifies all potential hazards to a company such as technology failures, cyberattacks, or natural disasters. It is also used to determine risk mitigation strategies and implementations.
  • Establishment of Service Level Agreements (SLAs) – Based on the information collected from the previous stages, realistic and appropriate SLAs must be defined for specific services/teams supporting particular business functions or processes. This will drive technology solutions and processes used to deliver on these SLAs.
  • Communications – Crisis communication management involves many parts and must be well planned in order to ensure clear and consistent information to many stakeholders during a crisis, which include: media, employees, customers, partners, agencies, etc.
  • Testing and Maintenance – Testing the resulting BCP is essential to identify gaps and make improvements. Planning BCP testing should help determine test frequency, but also how to partially or fully test the BCP, i.e. what method to use. 

The various analysis and planning processes highlighted above will lead to the creation of other plans —and their related procedures— that are part of the business continuity plan, such as: 

  • Disaster Recovery Plan 
  • Crisis Management Plan, which will include the communication aspect. 
  • Emergency Response Plan   

While driven and led by the BCM team, establishing the BCP involves a lot of cross-organizational and cross-functional work, with many teams feeding information into and receiving information from the various activities. This is not an easy task, and it requires a lot of coordination and alignment, hence the necessity of a dedicated team managing the planning process.

Establish Key Business Continuity Metrics: MTD and MTDL

Through the business impact analysis (BIA), an organization will estimate the downtime it can tolerate for a given process or function, and the maximum data loss it can handle. These limits are reflected in the SLAs.

Within the context of business continuity, an SLA represents a promise about how long a business process or function will remain unavailable in the event of a disruption. It assumes the commitment of every party involved.

Maximum tolerable downtime (MTD) and maximum tolerable data loss (MTDL) are two of the most important metrics of any business continuity plan, and are reflected in the business continuity SLAs related to each critical business process and/or function.

MTD and MTDL: Differences and Considerations

MTD, also referred to as maximum allowable downtime (MAD), is the longest downtime an organization can tolerate before facing serious repercussions. It is measured in units of time.

MTD is made up of several components, including the recovery time objective (RTO), so staying below its defined value is more complex and involves several teams.

MTDL determines the maximum amount of data or transactions the business can afford to lose for a specific business process or function. This limit is measured in units of time. MTDL will directly inform the DR team about the recovery point objective (RPO) that needs to be achieved to meet the SLA of a specific business process.

Where To Begin Your Business Continuity Planning

Let’s take a look at the core steps company leaders must undertake when embarking on business continuity planning.

Start With A Thorough Prep-work and a Strong Disaster Recovery Plan

The key parts of business continuity planning (risk assessment, BIA, identification of critical functions) help determine the business requirements for the DR plan, mainly through the establishment of SLAs. There is no shortcut: this is the tedious prep-work that has to be done in order to deliver a strong disaster recovery plan.

A strong disaster recovery plan is a core part of your business continuity strategy and is integral to its success. The DRP focuses on the technology infrastructure required as well as the specific steps organizations must take to resume operations and access their data easily following a disaster. The DRP should include the following:

  • plan goals and objectives 
  • authentication tools 
  • incident response and recovery steps 
  • the DR policy statement 
  • key action steps and guidelines for when to use the plan 
  • responsibilities of individual DR team members  
  • contact information of personnel needed to enact critical recovery tasks. 

Train a Strong BCM Team

Designating who will manage and implement your BCP, and all its related plans, is of paramount importance to the success of business continuity initiatives. As mentioned previously, the BCM team is broad, considering it goes from the sponsor, steering committee, program manager, plan owners and planners to the crisis and emergency response teams spanning across all the areas of the business. Therefore training and simulation exercises are critical to help prepare your BCM team for when an actual disruption occurs. 

Since it’s difficult to know ahead of time how well your BCM team would perform during an actual crisis, continuous training will go a long way in ensuring they’re ready to oversee and execute the BCP when disaster strikes. Training also includes getting BCM team members up to speed on the latest BCM best practices. The team can also leverage cloud-based or on-premise business continuity management software to help pinpoint areas of risk, create and update plans and conduct BIAs. 

Have Something Small In Place, Test It And Grow From There

Traditionally, business continuity planning was largely the province of big businesses and most plans seem to be designed with large enterprises in mind. However, anyone can undertake BCP without breaking the bank or straining already limited company resources. Savvy business leaders can begin their BCP journey with a small but easily scalable plan. 

The plan could target one specific area at a time (such as IT assets and sensitive business data) and expand to include other business areas and processes. Such a plan should be rigorously tested to minimize loopholes and vulnerabilities. Over time, company leadership can expand the initial BCP to ensure 360-degree business continuity across the entire organization. 

Business Continuity: How to Do It the Right Way

A solution that fits your BCDR strategy, and delivers on data protection and recovery.

BC planning takes inputs from the risk assessment, BIA, identification of critical functions and defined SLAs to establish the appropriate processes, procedures and technology solutions to implement so that the DR plan can achieve the defined SLAs.

To protect their data from disasters and instantly recover applications without data loss, companies need a reliable data protection mechanism and a cost-effective BCDR solution in place. A lot of enterprise-grade applications and databases have the built-in capability to handle data replication synchronously and asynchronously.

However, this is not a viable option for business continuity purposes. Companies need a single data protection solution that supports their business continuity strategy and objectives, and that provides ransomware resilience, DR, restore and testing capabilities. This solution should be designed to work independently of any resource or host platform on a company’s IT estate and scalable enough to protect single applications as well as large clusters or multisite environments. 

Introducing Zerto for Business Continuity

Zerto, built on a foundation of continuous data protection, enables continuous availability which is essential to achieve business continuity. Zerto’s solution provides everything you need for ransomware resilience, disaster recovery, and data mobility while delivering the very best recovery time objective (RTO) and recovery point objective (RPO) possible.

With easy implementation and deployment, the Zerto solution can scale with your organization to ensure continuous data protection for all of your business-critical and lower tier applications. 

What Is Business Continuity?

Business continuity is an organization's ability to maintain or quickly resume acceptable levels of product or service delivery following a short-term event that disrupts normal operations. Examples of disruptions range from natural disasters to power outages.

Is business continuity the same as business resilience or disaster recovery?

Business continuity, disaster recovery, and business resilience are not the same, but they are related.

  • Business continuity is a process-driven approach to maintaining operations in the event of an unplanned disruption such as a cyber attack or natural disaster. Business continuity planning covers the entire business—processes, assets, workers, and more. It isn't focused solely on IT infrastructure and business systems.
  • Business resilience encompasses crisis management and business continuity. It requires a response to all types of risk that an organization may face. An organization that is business resilient is essentially in a constant state of "expecting the unexpected." It means continuously preparing to meet disruptions head-on, including events of extended duration that may affect more than one facility or region.
  • Disaster recovery focuses specifically on how to restore an enterprise's IT infrastructure and business systems following a disruption. It is considered an element of business continuity. A business continuity plan (BCP) might contain several disaster recovery plans, for example.

What is a business continuity strategy?

A business continuity strategy is a summary of the mitigation, crisis, and recovery plans to be implemented after a disruption to resume normal operations. "Business continuity strategy" is often used interchangeably with "business continuity plan." Both consider the broader goals, legal and regulatory requirements, personnel, and even the business's clients and partners.

What does a business continuity plan mitigate?

A relevant and well-tested BCP can help ease the negative impacts of an unexpected business disruption in many ways.

  • Financial impact: Disruptions to product supply chains and critical services to customers can directly affect sales and revenue. Downtime caused by unplanned disruptions can also result in higher costs for a business as it looks to repair operations and mitigate previously unidentified threats.
  • Reputation and brand impact: Failure to resume operations quickly and supply customers with the products or services they expect can prompt customer defections and tarnish the brand. Damage to reputation can in turn cause investors and capital sources to pull back funding, exacerbating the financial impact of a business disruption.
  • Regulatory impact: Customers and vendors are likely to complain when businesses fail to respond appropriately to disruptions, which may result in regulatory scrutiny or even censure. In highly-regulated industries, such as energy and financial services, business continuity planning is mandatory to ensure regulatory compliance.

Business continuity planning activities

A well-crafted and tested BCP can go a long way toward helping a business recover swiftly from a disruption. These are key steps a business may want to take.

Identifying critical business areas and functions

Business continuity planning begins with identifying an organization's key business areas and the critical functions within those areas. A business needs to determine and document the acceptable downtime for each area and function considered vital to operations. Then a plan to restore operations can be established, documented, and communicated.

Analyzing risks, threats, and potential impacts

Creating appropriate response scenarios requires knowing what disruptions the business could experience. An upfront analysis of risks and threats is necessary in order to prepare contingency responses to events. Organizations can also conduct a back-end analysis after an event to gather metrics and assess lessons learned. This information can drive improvements in how the business responds to disruptions.

Outlining and assigning responsibilities

A BCP details which personnel will be responsible for implementing specific aspects of the plan. It also identifies key decision-makers and a chain of command. The plan should include alternative options in case primary personnel are incapacitated or unavailable to respond to the disruption.

Defining and documenting alternatives

A business continuity plan should define and document alternative communication strategies in case telephone services or the internet are down. Enterprises should also have alternatives for mission-critical spaces such as data centers or manufacturing facilities in case buildings are damaged.

Assessing the need for critical backups

Essential equipment may be damaged or unavailable during a disruptive event. A business should consider whether it has access to backup equipment and uninterruptible power supplies (UPS) during extended power outages. Business-critical data needs to be backed up regularly, and regular backups are mandatory in many regulated industries.

Testing, training, and communication

Business continuity plans need to be tested to ensure they will be effective. (Disaster recovery plans should be tested as well.) A best practice is to conduct a plan review at least quarterly with leadership and key team members who are responsible for executing the plan.

Many companies use role-playing sessions, simulations, and other types of exercises several times per year to test their BCPs. This approach helps to identify gaps, develop strategies for improvement, and determine if more resources are needed. Targeted staff training and communicating to the whole workforce the benefits of having a business continuity plan are also vital to its success.

Business Continuity Management Program Solutions Reviews and Ratings

What are business continuity management program solutions?

Gartner defines business continuity management program solutions as the primary tools used by organizations to manage all phases of the business continuity management (BCM) life cycle, from planning to crisis activation. BCMP solutions provide capabilities for availability risk assessment, business impact analysis (BIA), business process and resource/asset dependency mapping, recovery plan management, exercise and crisis management, and BCMP management metrics and analysis.

Products In Business Continuity Management Program Solutions Market

Castellan Platform

"Great idea for a great future. "

The Catalyst brings us another vision of the marketplace. We can see that women don't have a great space yet. Catalyst helps the marketplace be better and work better. So I'm proud to be part of this.

Fusion Framework System

"Outstanding Business Continuity and Operational Risk Software"

Fusion has been a great addition to our Risk Management Information System strategy. We use this tool for Security incidents, Business Continuity Planning, Site Visits, and IT Cyber Security Risk Mapping.

Archer Business Resiliency

"It is very easy to use and develop but price is very high."

I used this solution for Business Continuity purposes. It was very user friendly and quite easy to configure fields for the admin or tool owner. I embedded the Business Impact Analysis, which made it process based. All dependencies, such as application, staff, facility, equipment and document, can be mapped to the processes. Therefore it can be very easy if you want to map the whole company's dependencies.


Parasolution

"Customizable workflow, scalable user access, efficient modular deliverable"

Our company uses Parasolution and we are satisfied with it; it is easy to configure and easy to use.


"Excellent Continuity Tools to keep Businesses aware & relevant in Continuity Management"

Software is user friendly, adjustable to meet different business and regulatory needs as they change; vendor is very professional and supportive of their tool; vendor listens to users and adjusts the overall tool to keep it current and very useful in a highly regulated industry.

SAI360 Business Continuity Management

"Transparent, easy implementation, easy to use product and fantastic support"

Our experience has been quite positive, from the demo until implementation. The vendor has been very transparent in their approach.

NAVEX IRM Software

"Simple, Direct"

Vendor support and customer experience are excellent. Configurability is excellent and easy. Their vision and product were very clear, which makes them easily understood by anyone.

Frontline Live

"Frontline Live : experience is amazing"

Our selection of Frontline Live was primarily based on value, functionality, ease of implementation and simplicity of use by a small BC group. This product met all those elements and more. Our experience has been advantageous. The overall performance troubles I was initially concerned with were remedied, and customer support from the vendor has not dwindled as time has passed.

Quantivate Business Continuity

"Business Continuity Services Beneficial to Start or Enhance Program"

Quantivate's Business Continuity module and consulting services have greatly improved our business continuity program. The ease of the software and helpful guidance from our consultants allowed us to complete a comprehensive implementation in a manageable timeframe.

BC in the Cloud

"BC in the Cloud has empowered our program."

BC in the Cloud has enabled our organization to take our program to the next level. The application has provided us with unparalleled flexibility.


"Very flexible and comprehensive BCM Automation Platform"

Very flexible and comprehensive BCM Automation Platform. Easy to use and to integrate with other legacy applications and data sources.

Business Continuity Management

"Best IT Risk Management in the market"

Some of the business problems we are solving is optimizing risk based audits and compliance management. It helps our company and shows what we need to work on as a company itself.

"Implementation is easy as predicted, and very responsive to needs"

Very responsive to all requests, from selection process throughout implementation. Definitely would work with this vendor again for further efforts.

Sustainable Planner

"With Virtual's SP, you're not just getting a product, you're getting a program"

Virtual is a trusted, valuable strategic partner. Their customer service and support engagement model are very efficient and effective. Clients have access to knowledgeable, seasoned professionals who go above and beyond to ensure implementations are highly successful and that all elements are in place for a smooth "business as usual" transition. The service and support model and user group collaboration experience are very effective. We have been very satisfied customers for 12 years and have previewed many tools over this time, none that surpasses the quality and value of SP. Planning model adapts to a highly regulatory environment. We've demonstrated to our customers who rely on our services that it's not just about having plans in place -- they must work, be executable, and be part of a sustainable program -- and we've proven that to them through SP.

"Implementation was easy, VEOCI is only limited by your imagination"

Grey Wall has been a very responsive company and VEOCI has been successfully implemented and they continue to provide incremental improvements to meet our company's needs. Their service is excellent. As with everything, there is room for improvement.

Ascent AutoBCM

"Ascent: Business Continuity Tools"

Very good tools for getting the operations of the company in record time during a crisis.

Continuity Central

The latest business continuity news from around the world

101 business continuity metrics….

Jon Seaton, chair of the Scottish Chapter of the BCI, looks at the subject of business continuity metrics, exploring why they are necessary and how to determine which metrics are required at different levels in the organization.

We spend our lives being constantly measured, and constantly measuring ourselves; how old we are, how long we have been married, or single, how many steps have we done today (!), how long we have been working and so on. It has become a habit and one which easily (and sadly) transfers to the workplace. How many years continuous service we have, are we on track at half year or full year, how many days leave do we have left…

Measurement in the workplace is not new, what are our profits (or losses), what is our share price, how are our sales, how many ‘hits’ does our website achieve, how long do people stay on the phone; the list goes on. It is argued that to know how we are doing we need to measure ourselves, it is by opening our eyes to how we are performing that we can understand what we can do better, or even what we need to stop doing. In our home life we may call these measurements goals, in work they tend to be captured by the term ‘metrics’. And these tend to be what the Board and external analysts look at to determine whether or not an organization has had a ‘good’ year, or is seen as a good investment. But it is not just these high level metrics that are capturing the imagination, they are being seen throughout organizations.

I work in business continuity and crisis management; my remit is to ensure that if there is a disruption, we can continue operations in as seamless a way for our customers as possible until we return to business as usual (BAU). It could be argued that the only metric required for me would be to ensure that we recover during an event. This would often as not lead to a very short end of year review!

We have a lot more than a single metric…. like most companies (especially those regulated in the financial services sector) we have a top level Business Continuity Policy. It is based on the Business Continuity Institute’s Good Practice Guidelines, ISO 22301: Business Continuity Management Systems, ISO11200: Crisis Management and even aligns to the UK Financial Conduct Authority’s Systems and Controls Handbook. Sitting beneath our policy we have three framework documents which look at Business Continuity Planning, Crisis Management and Site Response.

Whilst the policy sets out our high level approach to ‘how’ we do business continuity, the framework documents show us ‘what’ we need to do. The idea being that by ensuring that our businesses adhere to what is captured within these it means that, whilst it will not always stop events happening, it does mean that we put ourselves in with a fighting chance of recovering from the event.  By providing us with the ‘what’ we need to do this gives us a couple of easy to use metrics…

I reviewed our policy and framework documents adding all the deliverables up and there were certainly a few of them, 101 to be precise! These are made up of 33 for Business Continuity Planning, 42 for Crisis Management and 26 for Site Response! So, as part of my day to day role it is my responsibility to ensure that we remain within governance for each of those 101 metrics. Thankfully the requirements to complete them vary; whether monthly, quarterly, six monthly, and some annually; but the results of the associated activities all need to be captured. Whilst our internal second and third lines of assurance appreciate the robust governance we have in place, the executive do not want to know this level of detail.  They are only concerned with our top metrics… but which of our 101 metrics are the ‘top’ ones?

This is difficult; there are metrics which determine that we have policy and frameworks in place, ones that ensure that we review and update our documentation on a regular basis, ones that ensure all staff are trained to a minimum standard of knowledge on business continuity and ones that ensure that we run regular desktop exercises to prove our plans are fit for purpose. Although these are the nuts and bolts of business continuity and will fill up a large percentage of our roles, I would argue that these are not the critical activities or key metrics of what we do.

If we take it back to my remit:

“To ensure that if there is a disruption, we can continue operations in as seamless a way for our customers as possible until we return to business as usual (BAU).”

How do we continue operations following a disruption? We put in place alternate means of working if people, property, systems, and suppliers are unavailable. I would suggest that our key metrics are as follows:

  • Are there up to date business continuity plans in place detailing all critical activities and agreed recovery times?
  • Have we tested our plans through scenario-based exercises? (These exercises should be believable yet challenging).
  • Have we tested our staff’s ability to work from alternate locations?
  • Have we trained all staff to ensure that they have enough knowledge of business continuity to know what to do in the event of an incident?
  • Have we tested our ability to contact all staff during a major event?

So, we have now reduced 101 to 5, but are these what we would report up the line? I would suggest that there is further refinement required before reporting upwards to the executive. Some of these metrics are, in my opinion, enablers for what I believe to be the key metrics from a business continuity perspective, so I would refine our key metrics to the following:

Essentially can we recover our business, and can we contact our staff if we need to. The other 99 problems (sorry!) we manage on a day to day basis still need to be managed. Myself and my team need to ensure that the checks and assurance are carried out on a regular basis and if asked for more detail we need to be able to provide an overview of all 101 metrics to show our governance framework is robust and fit for purpose. To work from an alternate location, we need to know what to recover and how to recover it. To do that we need to understand our business and ensure that plans are agreed and tested, and once we have a clear view on that then we are in a position to recover the business and keep the key activities going to support our customer needs. 

So, is 101 metrics overkill? Is it measurement for the sake of measuring? I would suggest that it is not. The very nature of business continuity and crisis management means that this is managing exceptional circumstances: the invocation of these plans is thankfully not a daily occurrence and there will often be long periods of time where a major incident does not cross the desks of our executive team. But when it does happen we need to be ready for it; and these 101 measurable activities ensure that when that event does occur, we are in as strong a position as we can be.

As I said at the start, whether we like it or not, we cannot stop measuring ourselves, by having these metrics to hand, when we are asked the questions as to what we spend the money invested in business continuity on we have the answer. We build an understanding of our organization, we build plans to recover the business if things go wrong and we run scenarios when times are quiet so that when we are in the heat of battle our methods of recovery do not seem too alien to us. If we do this right when we get that call that things are going wrong we are in as good a position as possible to recover and keep the business operating until we can return to BAU.

Jon Seaton FBCI, is Chair, Scottish Chapter of the BCI. Contact him at [email protected] or on Twitter at @BalernoDad


Must-Know Business Continuity Metrics

Last Updated: October 31, 2023

Highlights: The Most Important Business Continuity Metrics

  • 1. Recovery Time Objective (RTO)
  • 2. Recovery Point Objective (RPO)
  • 3. Maximum Tolerable Downtime (MTD)
  • 4. Incident Response Time (IRT)
  • 5. Mean Time to Recovery (MTTR)
  • 7. Recovery Percentage
  • 8. Recovery Test Success Rate
  • 9. Employee Training Completion Rate
  • 10. Plan Update Frequency
  • 12. Mean Time Between Failures (MTBF)
  • 14. Downtime Cost
  • 15. Time-to-Escalation

Business continuity metrics: our guide.

In this updated report, we delve into the crucial business continuity metrics every enterprise must be familiar with for efficient business operations. Take a journey with us as we explore these key performance indicators, equipping you for the unexpected and bolstering your business resilience. This insightful knowledge is invaluable in formulating strategies that ensure uninterrupted business processes even in the face of unexpected disruptions.

Recovery Time Objective

The maximum acceptable time it takes to restore a business process or system after a disruption.

Recovery Point Objective

The maximum acceptable amount of data loss, measured in time, that a business can tolerate.

Maximum Tolerable Downtime

The longest period of time a business can tolerate before a disruption leads to significant loss or damage.

Incident Response Time

The time taken to identify, assess, and respond to a business disruption.

Mean Time To Recovery

The average time it takes to restore operations to normal after a disruption.

Business Impact Analysis Scores

Quantitative and qualitative assessments that evaluate the potential impact of various threats and disruptions on critical business functions.

Recovery Percentage

The degree to which a business is able to restore its critical functions and processes following a disruption.

Recovery Test Success Rate

The proportion of successful recovery tests conducted as part of a business continuity plan.

Employee Training Completion Rate

The percentage of employees who have completed mandatory business continuity training.

Plan Update Frequency

The frequency at which the business continuity plan is reviewed and updated to reflect changes in internal and external factors.

Business Continuity Plan Compliance Rate

The percentage of compliance with organizational BCP policies and procedures.

Mean Time Between Failures

The average time between system failures or disruptions that impact business operations.

Service Level Agreement Compliance

The percentage of time that a given service or system meets predefined performance criteria, as specified in the SLA.

Downtime Cost

The financial impact of downtime, measured in lost revenue, productivity loss and costs associated with recovering from a disruption or other potential penalties.


Time-to-Escalation

The time taken for an issue or disruption to be escalated to the appropriate level of management or external support.


We have not conducted any studies ourselves. Our article provides a summary of all the statistics and studies available at the time of writing. We are solely presenting a summary, not expressing our own opinion. We have collected all statistics within our internal database. In some cases, we use Artificial Intelligence for formulating the statistics. The articles are updated regularly. See our Editorial Guidelines.


Special Report

The 2023 Security Benchmark — Methodology

Learn more about the 2023 Security Benchmark Report's goals and construction.

The Security Benchmark Report Methodology


Each year with The Security Benchmark Report, Security magazine adds to an ongoing database measuring how security teams function, budget, train and use technology. We survey security leaders across 22 industry verticals and present data from the industry as a whole and broken down by sector to allow for the comparison of security programs amongst their own industries, against others and as part of the security industry as a whole.

Security magazine’s priority with The Security Benchmark Report is to showcase the value of security within the enterprise, as well as be a business enabler to our readers’ security programs. By tracking the metrics in this report year-over-year, we hope to offer a comparison of how trends in budget, responsibility, training and technology shift over time.

We also highlight a number of The Security Benchmark Report respondents in our Achievers section, which showcases examples of innovation in training, crisis management, new initiatives and technology. This year, we have included two Benchmark Leader Profiles along with the report, which serve as deeper investigations of the achievements of specific corporate security programs in the past year.

Organizations are able to remain anonymous for this survey. If the organization chooses to be marked anonymous, they are not eligible to be listed in the published report’s metrics listings or achievement sections.

The Security Benchmark Report is broken down into a general overview comparing all respondents’ data with one another, as well as by sector. Respondents are asked which sector their overall enterprise resides in, and this is the sector in which they are placed. While the survey has a choice of 22 market sectors, some sectors are chosen by too few respondents to report on individually. Therefore, for better comparisons, some market sectors are combined in the report. Combined sectors are labeled as such, and combinations may vary each year.

Sectors with too small a dataset that don’t lend themselves to combining with other sectors may be excluded from the sector reports, but will be included in the main report. To attempt to make the most meaningful comparisons, particular comparisons are left out of sector groupings if the data varied too greatly from one respondent to the next.

In some cases, when calculating certain statistics, including “security budget as a percent of revenue,” outliers or data points that appeared to be reported incorrectly are removed before calculations to present a cleaner comparison.

While we recognize that security roles, responsibilities and programs can vary widely from one organization to another in terms of maturity, position within the enterprise, size of staff, budget, etc., Security magazine has made every effort — via input from readers and Editorial Advisory Board members — to break down and compare organizations in a meaningful, valuable way.

If you don’t see your enterprise’s primary sector represented, we encourage you to fill out the survey next year and ask your peers to fill out the survey as well. The more organizations and security professionals that fill out the survey, the more robust the data.

Security magazine encourages all security leaders and organizations to participate in this free editorial survey that makes up The Security Benchmark Report. As a benefit to filling out The Security Benchmark Report survey, security leader respondents receive a full (anonymized) report of responses with more detailed information beyond what is covered in Security’s November eMagazine and online.

The Security Benchmark Report is an editorial project, and respondent contact information collected is not sold or shared. There is no cost to participate in The Security Benchmark Report. All respondents must be responsible, at least in part, for the physical security of their organization. Organizations may only fill out the survey once for a particular company or agency. The Security Benchmark Report does not include contract security companies, guarding companies or those without a level of direct responsibility for security within their enterprise.


Copyright ©2023. All Rights Reserved BNP Media.

Charlie Fleetham

Vulnerability management metrics: How to measure success

Without the right metrics, vulnerability management is pretty pointless. If you’re not measuring, how do you know it’s working? So how do you know what to focus on? The list is potentially endless, and it can be hard to know what’s really important.


In this article, we’ll help you identify the key metrics that you need to track the state of your vulnerability management program and create audit-ready reports that:

  • Prove your security posture
  • Meet vulnerability remediation SLAs and benchmarks
  • Help pass audits and compliance
  • Demonstrate ROI on security tools
  • Simplify risk analysis
  • Prioritize resource allocation

Why vulnerability management needs metrics

Measuring how quickly you find, prioritize and fix flaws allows you to continuously monitor and optimize your security. With the right metrics you can determine which issues are critical, prioritize what to fix first, and measure your performance. Ultimately, the right metrics allow you to make properly informed decisions.

Intelligent prioritization

Without prioritization and advisories, where do you start? Prioritizing and fixing your most critical vulnerabilities are more important than simply finding every vulnerability.

Intelligent prioritization and filtering out noise are important because overlooking genuine security threats is too easy when you’re being overwhelmed by non-essential information. Intelligent results make your job easier by prioritizing issues that have real impact on your security, without burdening you with irrelevant findings.

Prioritizing issues that leave your internet-facing systems exposed minimizes your attack surface. Intruder makes vulnerability management easy by explaining the risks and providing actionable remediation advice.

Time to fix

You want to be able to fix issues as soon as possible, especially as the average time between an attacker discovering and exploiting a vulnerability is just 12 days. Intruder interprets the output from various scanners and prioritizes results according to context, saving you time to focus on what really matters. How long it takes to fix issues is down to you, and this gives you a current snapshot of your ‘cyber hygiene’ – the scan coverage, the time taken to fix issues over a period of six months, and the average time to fix issues overall.


3 top metrics for every vulnerability management program

Scan coverage

What are you tracking and scanning? Scan coverage includes all the assets you’re covering and analytics of all business-critical assets and applications, and the type of authentication offered (e.g., username- and password-based, or unauthenticated).

Average time to fix

The time it takes your team to fix your critical vulnerabilities shows how responsive your team is when reacting to the results of any reported vulnerabilities. This should be consistently low since the security team is accountable for resolving issues and delivering the message and action plans for remediation to management.

The severity of each issue is automatically calculated by your scanner, usually Critical, High or Medium. If you decide not to patch a specific vulnerability or group of vulnerabilities within a specified time period, this is an acceptance of risk. With Intruder you can snooze an issue if you’re willing to accept the risk and there are mitigating factors.

What metrics do you need to show management?

What metrics you want to report depends on who you’re reporting to. If it’s the CTO or senior management, they will just want to know the business is protected and they’re getting ROI. For example, have there been any new critical issues, how quickly were they fixed, and how many are still open (and why).

Make sure everything is covered

Are you capturing everything from every asset in your IT environment? Modern scanners like Intruder provide automated, audit-ready reports, but it’s important to know where all your digital assets are to avoid blind spots, unpatched systems and inaccurate reporting – which is why asset discovery is integral to successful vulnerability management. By making sure all your digital estate is covered, you can validate what to prioritize in your remediation plans of your most critical systems.

Where are vulnerability management metrics heading?

Average (or mean) time to detect

This is the time from a vulnerability going public to us having scanned all targets and detected the vulnerability. Essentially, how quickly are you detecting vulnerabilities across your attack surface to reduce the window of opportunity for an attacker?

Attack surface visibility

Very few people are lucky enough to manage and see 100% of their attack surface. So that’s where attack surface discovery comes in. You’ll have a total number of assets that you know are exposed or that you’ve found, but how many of those are covered by the vulnerability management program? What you want to see is the percentage of assets that are protected by your vulnerability management program across your attack surface, discovered or undiscovered.

Mean time to inform

Prioritization – or intelligent results – is increasingly important to measure and help you decide what to fix first, because of their impact on the business.

Looking to the future: Time to fix 0

You want the right people – the people who will actually be fixing issues – to get the information they need as quickly as possible. This means including features like role-based access control (RBAC) which can reduce the time to fix from hours or days down to a matter of minutes.
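The metrics described above (scan coverage and attack surface visibility, mean time to detect, average time to fix, and open issues past their remediation SLA) can be computed from a findings export, as in this added example, which is not part of the original article or of Intruder's product. The record layout, asset names, SLA thresholds and all sample data are constructed assumptions.

```python
"""Vulnerability-management metrics computed from a findings export."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Finding:                         # hypothetical record layout
    asset: str
    severity: str                      # "critical" | "high" | "medium"
    published: datetime                # vulnerability became public
    detected: datetime                 # first scan that reported it on this asset
    fixed: Optional[datetime] = None   # None means the issue is still open
    snoozed: bool = False              # risk accepted, excluded from SLA checks


def _days(start, end):
    return (end - start).total_seconds() / 86400


def coverage(discovered, scanned):
    """Share of discovered assets that the scanning program actually covers."""
    discovered, scanned = set(discovered), set(scanned)
    if not discovered:
        raise ValueError("asset inventory is empty; coverage is undefined")
    return {
        "percent": round(100 * len(discovered & scanned) / len(discovered), 1),
        "blind_spots": sorted(discovered - scanned),
        # Scanned but missing from the inventory: the inventory itself is stale.
        "not_in_inventory": sorted(scanned - discovered),
    }


def mean_time_to_detect(findings):
    """Mean days from public disclosure to first detection on an asset."""
    # A check can exist before disclosure is recorded; clamp negatives to 0.
    gaps = [max(0.0, _days(f.published, f.detected)) for f in findings]
    return round(mean(gaps), 2) if gaps else None


def average_time_to_fix(findings, severity=None):
    """Mean days from detection to fix (assumed start point), closed issues only."""
    durations = [
        _days(f.detected, f.fixed)
        for f in findings
        if f.fixed is not None and (severity is None or f.severity == severity)
    ]
    return round(mean(durations), 2) if durations else None


def overdue(findings, as_of, sla_days):
    """Open, non-snoozed findings older than the SLA for their severity."""
    late = []
    for f in findings:
        if f.fixed is not None or f.snoozed:
            continue
        limit = sla_days.get(f.severity)
        if limit is not None and _days(f.detected, as_of) > limit:
            late.append(f)
    return late


def _d(text):
    return datetime.fromisoformat(text)


# Constructed sample data, not taken from any real environment.
DISCOVERED_ASSETS = {"www", "api", "vpn", "mail", "legacy-ftp"}
SCANNED_ASSETS = {"www", "api", "vpn", "mail"}
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # assumed thresholds
AS_OF = _d("2024-02-20")
FINDINGS = [
    Finding("www", "critical", _d("2024-01-02"), _d("2024-01-03"), _d("2024-01-05")),
    Finding("api", "critical", _d("2024-01-10"), _d("2024-01-14"), _d("2024-01-20")),
    Finding("vpn", "critical", _d("2024-02-01"), _d("2024-02-02")),
    Finding("mail", "high", _d("2024-01-15"), _d("2024-01-18"), _d("2024-02-01")),
    Finding("mail", "medium", _d("2023-12-01"), _d("2023-12-11"), snoozed=True),
]


def management_summary():
    """The figures a management report would ask for, in one dictionary."""
    return {
        "coverage": coverage(DISCOVERED_ASSETS, SCANNED_ASSETS),
        "mean_time_to_detect_days": mean_time_to_detect(FINDINGS),
        "avg_time_to_fix_critical_days": average_time_to_fix(FINDINGS, "critical"),
        "avg_time_to_fix_all_days": average_time_to_fix(FINDINGS),
        "overdue_assets": [f.asset for f in overdue(FINDINGS, AS_OF, SLA_DAYS)],
    }


if __name__ == "__main__":
    for key, value in management_summary().items():
        print(f"{key}: {value}")
```

Snoozed findings are left out of the overdue list because they represent accepted risk, but they still count toward time to detect.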

Intruder’s analytics page

Intruder measures what matters most. It provides audit-ready reports for stakeholders and compliance auditors with vulnerabilities prioritized and integrations with your issue tracking tools. See what’s vulnerable and get the exact priorities, remedies, insights, and automation you need to manage your cyber risk.

Intruder offers a 14-day free trial of its vulnerability assessment platform. Visit their website today to take it for a spin!


3 Key Metrics for Business Continuity Program Success


September 2, 2021 // by Bryan Strawser

In my 25+ years as a business continuity & crisis management expert, I often get asked one particular question that makes me cringe:

“Are there metrics we should be tracking?”

In short and emphatically, YES!

What metrics should you be tracking?

It depends:

  • Do you really want to know whether your business continuity program is working; that your organization is resilient and actually prepared to respond to the next disruption?
  • Or do you just want to make sure all of the boxes are checked?

This is not a trick question.

We think that everyone should want their business continuity program and your business continuity plans to actually work!

But if you don’t quite grasp the difference between the two, you’re not alone.

I frequently encounter confusion around the fact that merely tracking business continuity program compliance—i.e., checking the boxes— isn’t the end game for business continuity success.

But it takes more than “Know the requirements-Do the things-Check the boxes” to gauge whether your business continuity program is effective and moving your organization towards its resiliency goals.

Employing the right combination of metrics—operational compliance, plan quality, and program maturity—are all equally important to understanding your organization’s true resilience.

Implementing a system that measures all three will give your organization the insights it needs to move your business continuity program to full maturity, sustainability, and success in responding to the next disruption.

Is your organization truly resilient, or are you just checking off the boxes?


About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.


Business Continuity & Disaster Recovery Metrics Defined


Metrics are everywhere. Think about it: Every doctor’s visit includes standard measurements designed to provide important information about the state of your physical self, like a blood pressure check and confirmation of your height and weight. In the car, your dashboard measures speed and fuel supply. Quarterly report cards measure your kids’ progress in school. And periodic portfolio reports measure the state of your financial investments. Without these and a mountain of other measurements, or metrics, you’d have no clear way of knowing how things are going in your life and, as a result, no real way to positively impact your future.

Business Continuity Program Metrics? We Don’t Need No Stinking Metrics.

CFOs are usually analytical, hence their preoccupation with corporate spending and measuring the impact of billions of dollars spent (and rightly so). But as critical as business continuity (BC) and disaster recovery (DR) programs are to a company—along with the steep budgets sometimes accompanying them—there’s often little-to-no required measurement of these programs by management.

Among the usual reasons we hear for a lack of business continuity management (BCM) metrics and disaster recovery metrics are:

  • “What are metrics? We really don’t know.”
  • “We don’t know what to measure.”
  • “Management isn’t asking, so why bring it up?”
  • “We don’t care to know how the program is doing.”
  • “It takes too much time to measure effectiveness.”
  • “I think our process would work, so why waste time measuring it?”
  • “We already know our program is a disaster; why would metrics be helpful?”

In other cases, there are BCM or disaster recovery metrics at work, but more often than not they’re meaningless. Such metrics usually focus on volume of work (the number of exercises conducted, plans updated, analyses completed, etc.) rather than on the reality of whether a program will work in a true crisis.

Why You Do Need Business Continuity Management Metrics

Why is the lack of real business continuity program metrics a problem? Because if you can’t measure it, you can’t manage it.

Without the metrics to tell if your BC process is functioning, you have no idea how your business would actually fare in the case of a disruption, and you have no basis for identifying what aspects of the program are working and which need improvements.

Metrics serve three very important functions:

  • Metrics serve as a control and feedback loop. Once you’ve determined the ideal state of your BC process (i.e., “I know the best program should be rated between 80 and 100 on a 1-100 scale”), metrics allow you to know whether your process is in order or requires external interference to make it better.
  • Metrics add objectivity to the evaluation process. A lot of people claim that their BC program is in great shape and complies fully with standards, but such claims are often based on nothing but vague impressions. Metrics offer a way to quantify that claim with solid evidence.
  • Metrics are the foundation for improvement goals. Numbers make for easy assessment and goal planning. If the ideal rating is between 80 and 100 and your program comes in at 61, you can set a definitive improvement goal to reach 80. Along with that, you can specifically outline how you’ll reach that goal—and determine if your strategy worked.

Valuable Business Continuity Metrics

To truly measure the effectiveness of your BC process, you need a combination of metrics that focus on two key areas: the foundation of the program and the execution of the program. Evaluating both of these areas together gives insight into how a program will perform when it’s needed. It also clearly illustrates the program’s return on investment. High numbers in both areas indicate that money has been well spent.

Metric Area #1: Foundational Alignment With Standards

This area measures how aligned your program is with industry standards, such as ISO 22301 or NFPA 1600. On a scale of 0-100, how does it measure up to those standards in terms of:

  • Program Administration
  • Crisis Management
  • Business Recovery
  • Disaster Recovery
  • Supply Chain Risk Management

In other words, are you building your program on sand or solid rock? If your process lines up with accepted industry standards, you can rest assured that your program’s foundation is solid, which promotes stronger execution of the process.

Metric Area #2: Level Of Execution

This area measures the level of risk that remains after you have considered management’s risk tolerance, the inherent risk of your recovery plans, and the state of mitigating controls. You then take steps to mitigate that risk, lowering it to an acceptable level.

Here are some business continuity KPI examples you should measure, among other things:

  • The currency of your business impact analysis. (Is it current, or more than two years old?)
  • The reach of your recovery strategy. (Do you have a dedicated alternate work site or will it be determined at time of event?)
  • The recovery exercises you’ve done to ensure the process can be smoothly put into place. (Are you conducting desktop exercises or relocating to the alternate work site?)

A lower level of risk indicates you have a program that has a high level of execution and capability; a higher level of risk indicates your program is weaker and needs to be strengthened to raise its level of execution.

Looking for other key performance indicators (KPIs) to measure your program’s effectiveness? See our online assessment tool in action for key business continuity KPI examples and the critical success factors (CSFs) that determine your program’s level of success.

If all of your mitigating controls are operating at the highest levels, you’ve successfully reduced your level of risk and increased your level of execution.

Business Continuity Program Metrics Done Right

Business Continuity Management metrics are just one piece of a successful continuity program. With our online business continuity software suite, BCMMetrics™, you can easily and effectively assess your organization’s levels of compliance and risk and access tools that can help you build a better BC program from the ground up. It’s simple to use (there’s no software to install) and secure—your data is protected with military-grade encryption and backed up to multiple off-site locations. And the tool updates automatically with the most current industry standards, so your program will always be up to date.

We believe that, with the right tools, an effective BC program is within reach of every organization. Schedule a free demo of the tool in action to get a sense of what it can do for your business, or contact us with questions—we’re happy to help.



  1. How to Measure Your Business Continuity Performance

    3. Business continuity planning (BCP) is the process of ensuring that your organization can continue to operate and deliver its products or services in the event of a disruption, such as a natural ...

  2. Working Toward a Managed, Mature Business Continuity Plan

    These metrics can be indicators of progress and, at times, even precursors to other events, meaning they could be used for many purposes, even planning capacity upgrades. ... (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 22301:2019 Security and resilience—Business continuity management systems—Requirements, Switzerland ...

  3. Effective Business Continuity Metrics for Crisis Management

    Business continuity is the ability of an organization to maintain or resume its essential functions and services during and after a crisis, such as a natural disaster, a cyberattack, or a pandemic ...

  4. Metrics that Matter in Business Continuity & Disaster Recovery

    The first step is to understand the metrics that matter in business continuity and disaster recovery planning, which is exactly what this guide will cover. ... an integrated system will carry that change over to your business continuity and emergency management plans as well. Using Metrics to Measure Plan and Recovery Effectiveness.

  5. Business Continuity: The Only Guide You Will Need

    Business continuity management (BCM) teams are critical to the design and implementation of business continuity plans. ... and maximum tolerable data loss (MTDL) are two of the most important metrics of any business continuity plan, and are reflected in the business continuity SLAs related to each critical business process and/or function ...

  6. How to Measure and Report on BCM Effectiveness

    Business continuity management (BCM) is a vital skill for operational risk professionals. It helps you plan and prepare for potential disruptions and crises that could affect your organization's ...

  7. How to Measure and Report on Business Continuity Process

    As a business continuity expert, it's important to align objectives with organizational goals and stakeholder expectations. SMART metrics should be used to measure effectiveness (e.g., % of ...

  8. BCM by the Numbers: The Metrics That Matter Most

    Not all metrics are created equal. The most commonly used metrics in business continuity management tell you very little of importance about your program. ... Our tool evaluates the key areas of a program (administration, business continuity, crisis management, IT/disaster recovery, and so on) in terms of how well each complies with a chosen ...

  9. What Business Continuity and Disaster Recovery Metrics Matter ...

    Business Continuity Metrics Tool. When it comes to finding a particular tool for collecting, analyzing, and presenting your data, there may not be a singular solution. ... A metrics-driven approach to Business Continuity can either make or break your entire Business Continuity Management initiative. Some businesses may not have the processes or ...

  10. What is Business Continuity Management (BCM)? Definition

    A Definition. Business continuity management is defined as the advanced planning and preparation of an organization to maintaining business functions or quickly resuming after a disaster has occurred. It also involves defining potential risks including fire, flood or cyber attacks. Business leaders plan to identify and address potential crises ...

  11. What Is Business Continuity?

    Business resilience encompasses crisis management and business continuity. It requires a response to all types of risk that an organization may face. ... Organizations can also conduct a back-end analysis after an event to gather metrics and assess lessons learned. This information can drive improvements in how the business responds to disruptions.

  12. You're Doing It Wrong: BCM Metrics

    When it comes to business continuity metrics, that means measuring things—such as your level of compliance with a suitable BCM standard and the level of execution in your recovery plans—that provide true insight into the state of your program. If you do that, you'll be doing it right. BC measurement bc metrics bcm metrics business ...

  13. Business Continuity Management Program Solutions Reviews and ...

    Configurability is excellent and easy. Their's vision and product was very clear and which makes understand easily by anyone. Read reviews. Competitors and Alternatives. NAVEX vs MetricStream NAVEX vs Fusion Risk Management NAVEX vs Continuity Logic See All Alternatives. 4.2. 13 Ratings. 5 Star 46%. 4 Star 46%.

  14. The BCM Trident: 3 KPIs That Sharpen Your Continuity Program

    King Neptune gets power from his three-pronged trident, and those of us who work in business continuity can gain power from what I call the BCM Trident. That is, the three key performance indicators (KPIs) that can help you understand and improve your business continuity program. These 3 KPIs are soundness, risk, and value.

  15. What is business continuity and why is it important?

    Business continuity management software is also an option. Software -- either on premises or cloud-based -- helps conduct BIAs, create and update plans and pinpoint areas of risk. Business continuity is an evolving process. As such, an organization's business continuity plan shouldn't just sit on a shelf. The organization should communicate its ...

  16. 101 business continuity metrics…

    101 business continuity metrics… Details Published: 24 January 2020 . ... Business Continuity Management Systems, ISO11200: Crisis Management and even aligns to the UK Financial Conduct Authority's Systems and Controls Handbook. Sitting beneath our policy we have three framework documents which look at Business Continuity Planning, Crisis ...

  17. Must-Know Business Continuity Metrics [Updated Report]

    Business Continuity Metrics You Should Know. 1. Recovery Time Objective (RTO): The maximum acceptable time it takes to restore a business process or system after a disruption. 2. Recovery Point Objective (RPO): The maximum acceptable amount of data loss, measured in time, that a business can tolerate. 3.

  18. Business Continuity Metrics

    CEAPs. Track: Workshop. Course Title: Business Continuity Metrics. Course ID: BCP MET. Duration: 1 day of instruction (8:30 a.m. - 5:00 p.m.) Certificate of Completion provided. 8 Continuing Education Activity Points (CEAPs) may be awarded towards recertification if applicable. Cost: $795.00.

  19. 15 Business Continuity Program Metrics You Should Be Using

    15 Business Continuity Program Metrics. Senior management support: Senior management promotes continual improvement of the program by: Conducting management reviews. Requiring regular program ...

  20. Managing Business Continuity Project Effectively

    Abstract. Business continuity management (BCM) allows for development, implementation, and maintenance of policies, frameworks, and programs to assist an entity in managing a business disruption, as well as building resilience from the impacts of a disruptive event. It treats the negative consequences of an event, and can create opportunities ...

  21. The 2023 Security Benchmark

    By tracking the metrics in this report year-over-year, we hope to offer a comparison of how trends in budget, responsibility, training and technology shift over time. ...

  22. Vulnerability management metrics: How to measure success

    In this article, we'll help you identify the key metrics that you need to track the state of your vulnerability management program and create audit-ready reports that: Prove your security ...

  23. 3 Key Metrics for Business Continuity Program Success

    2. Quality Scoring. Tracking the progress of business continuity program activities in your organization is foundational to keeping your program on track. But your business continuity program is only as good as the underlying quality of your actual business continuity plans.

  24. Business Continuity Management: Metrics

    metrics development project was the strong recommendation that every continuity planner's job description, mission charter, or supporting policy should specify that development and implementation of appropriate metrics is, in itself, a performance metric. METRICS DEFINITION In context, the term metrics refers to any numerical measure

  25. Business Continuity & Disaster Recovery Metrics Defined

    Business Continuity Program Metrics Done Right. Business Continuity Management metrics are just one piece of a successful continuity program. With our online business continuity software suite, BCMMetrics™, you can easily and effectively assess your organization's levels of compliance and risk and access tools that can help you build a ...