Metrics are key to assessing the maturity and level of sophistication of your continuity planning program. We believe there are two (2) levels of metrics you can use to assess your program. Tier 1 metrics address the underpinnings of the program while Tier 2 metrics address what is the real recovery capability. Too many times, only Tier 1 metrics are used and give a false sense of recoverability to senior management. Tier 2 metrics, if used properly, will paint the real picture of the DR capability of the organization. Here are examples of Tier 1 and 2 metrics:
Example: A large organization has had a DR office and program in place for many years, multiple backup sites in place and holds recovery exercises on a regular basis throughout the year. Internal audit regularly gives them their seal of approval. Sounds good, right? On the surface, the Tier 1 metrics will paint an average or above average picture of the program and its adherence to best practices. Now, once we used Tier 2 metrics to assess the real recovery capability of the organization, it was quickly determined that the true IT disaster recovery capability did not exist and that the DR program was failing miserably in its ability to recover the critical systems and applications of the organization. Senior management in IT had lived under the belief that all was well in the realm of DR when in reality, could not even begin to recover the systems and applications needed to run the business.
Our metrics tool analyzes the level of compliance, weights them and produces speedometer graphs that quickly show management the state of the component. Additionally, our tool ensures that if key components in an area are below average, the entire component cannot be raised even if its score dictates it. Using metrics is painful and can be eye-opening but also can lead to increased management support, allocation of resources and most importantly, the multi-year budget needed to implement what you need to succeed. Use them, they work.