Metrics that Matter in Business Continuity & Disaster Recovery

Reporting on metrics is one of the few ways to know if what you're doing is working, but for many bcdr managers it's a challenge..

business continuity management metrics

When it comes to business continuity and disaster recovery, we all know that data is king. Reporting on metrics is one of the few ways to truly know that what you’re doing works, but for many business continuity and disaster recovery managers, this is a huge challenge. If you don’t have an automated tool, it’s likely that you rely on Word, Excel and colleagues in other departments to collect BC/DR metrics. We all know the struggle of working with Kyle from finance, a guy who is “way too busy” for your “little” business continuity project.

So, what’s a BC/DR manager to do? You already know that BC/DR is a critical component of an organization’s success. And you know that you need metrics to measure the effectiveness of your efforts. The first step is to understand the metrics that matter in business continuity and disaster recovery planning, which is exactly what this guide will cover. You’ll also need a tool to collect and report on these metrics. Depending on your organization’s size and the maturity level of your BC/DR program, this could range from an Excel template to powerful, automated software.

Important BC/DR Metrics

There are 7 important BC/DR metrics that you should be tracking to grow and measure recovery plans:

  • Recovery Time Objectives (RTO)
  • Recovery Point Objectives (RPO)
  • The number of plans that cover each critical business process
  • The amount of time since each plan was updated
  • The number of businesses processes that are threatened by a potential disaster
  • The actual time it takes to recover a business process
  • The difference between your target and actual recovery time

While there are several other metrics that you could track, these metrics serve as a core review of your program, and indicate how prepared you are for a real disaster.

Critical Metrics in BC/DR

The first two important BC/DR metrics are Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). RTOs is the maximum acceptable length of time that the item can be down. RPOs determine the age of the data you can afford to lose and whether your backups will save the rest. For example, if you can afford to lose an hour’s worth of data, you’ll have to run backups at least every hour.

Backup and recovery procedures are at the heart of a good BC/DR plan, so you need to consider both RTOs and RPOs to determine the best backup and recovery tools for the job. If, for example, you generate continuous transactions at a moderate-to-high-volume and value, how many minutes worth of transactions could you afford to lose? How long could you afford to be out-of-service? Such an application could benefit from the very frequent, block-level backups that are possible with Continuous Data Protection (CDP), but you wouldn’t know that unless you looked at both the RTOs and RPOs.

Finally, you should measure the number of plans that cover each business process , as well as the amount of time since each plan was updated . Key Performance Indicators (KPIs) are a measure of how well a program works and one that you can’t ignore. You can set KPIs for how often you review and update your plans (for example, every month, 6 months or year) and how many business functions are covered by a recovery plan, with an action plan to achieve 100% coverage. If you are limited on time and resources, start with your most critical business processes.

Metrics for Planning

Enterprises can have hundreds to thousands of processes and you can’t restore a process without a plan. A key metric for BC/DR planning is the number of processes that are threatened by a potential disaster .

You should start with a risk analysis and business impact analysis to a) understand the greatest risks that threaten your organization and, b) the impact of those risks on various functions of the business. Then, you can create plans to protect these processes and minimize the disruption when disaster strikes.

But static plans can stagnate. You can’t restore processes unless you update plans periodically to account for changes in applications, data, environments, employees and risks. You should set reminders for yourself to prompt plan reviews at appropriate points in the cycle. In a perfect world, you’d receive confirmation from the managers of various departments who have reviewed and updated their plans, but let’s be real – reviewing and updating those plans is a huge hassle and it’s near miraculous if they do it on time. Using software can alleviate this pain point – you can automate email reminders to the various plan owners and track their progress all within the software – no passive aggressive emails needed! Software also removes many of the tedious tasks concerned with change management. For example, automated data integrations will keep your data updated automatically as that data changes in other applications. If a single contact is used in 100 plans and their phone number changes, an integrated system will carry that change over to your business continuity and emergency management plans as well.

Using Metrics to Measure Plan and Recovery Effectiveness

One of the simplest ways to determine how business functions are interdependent is by using a dependency modeling tool. This will help you visualize whether application dependencies allow you to meet RTOs and SLAs.

For example, if you need to recover an accounts payable service in 12 hours, but that depends on finance software that can take up to 24 hours to recover, accounts payable cannot meet a 12-hour SLA. A dependency modeller illustrates these dependent relationships dynamically, and when and how a plan will break down as a result.

You should be measuring the actual time it takes to recover a business process . You can test recovery procedures using a BC/DR tool to track the time each step takes.

Alternatively, you could use the old-school method by timing each step manually. These tests will help you determine whether your people and processes can meet RTOs using your existing plan. You should be able to complete recovery tasks in the time the plan allows, and if you can’t, you need to revise your plan so that it’s realistic and achievable.

Finally, the last metric covered in this resource is the difference between your actual and target recovery time , also known as a gap analysis. You can (and should!) test for gaps with tabletop exercises, failover and recovery tests, enterprise wide BC/DR tests, and gap analyses. Once you’ve identified where there are gaps in your plans, you can set KPIs and use them in your planning process.

Best Practices for Clean BC/DR Data

The data that your BC/DR software collects needs to be “clean” to ensure accurate reports and planning. For good data hygiene, make sure you’re standardizing data input with drop down menus, pick lists, text formatting and data validation. For example, if you’re inputting employee phone numbers into a plan, you’ll want to validate whether those phone numbers include an area code and remain in use.

Deduplication and Identity and Access Management (IAM) can help you to cultivate elegant data. You can use deduplication to eliminate multiple appearances of the same entries. You can use credentials (authentication) together with permissions (authorization) to ensure that only qualified users enter vital records and data. You’ll also save yourself a lot of time and headaches by integrating your BC/DR system with other applications (for example, your HR system) to avoid the duplication of records and any chance of errors.

Where to Start

We live in a world where disasters happen and companies either suffer or die. BC/DR is critical to the success and resilience of an organization, and it’s your responsibility to keep the business afloat and your staff safe in an emergency… but you already knew that.

With the weight of the world on your shoulders, you can only rely on data to sleep soundly at night.

You’ve made a great start to BC/DR planning by making it to the end of this guide, but now it’s time to turn your knowledge into action! Start by determining your critical business functions and how they are dependent on one another using a relationship modelling tool.

Next, set an acceptable downtime threshold using RTO and RPO metrics. Test your plans to see if you come close to or exceed those thresholds. If you do, revise the plans and test them again. You should set KPIs to measure how often your plans are updated and tested, and conduct a gap analysis to compare the planned vs. actual recovery time.

Finally, make sure that you’re maintaining “hygienic” data for accurate reporting. Your BC/ DR metrics are completely useless if the data isn’t accurate. It may seem like a no brainer, but it’s surprising how many companies lull themselves into a false sense of security with reports that misrepresent their SLAs. It’s always better to be a realist, even if that means you’re accepting the risks that go along with it.

Discover Resolver's Software

Incident management software.

Protect your organization and prove your security team’s value with Resolver’s Incident Management application. Improve data capture, increase operational efficiency, and generate actionable insights, so you can stop chasing incidents and start getting ahead of them.

Enterprise Risk Management Software

Provide your organization’s board and senior leaders a top-down, strategic perspective of risks on the horizon. Manage risk holistically and proactively to increase the likelihood your business will achieve its core objectives.

Regulatory Compliance

Save time by monitoring all regulatory compliance activities, providing insights into key risk areas, and then focusing resources on addressing regulatory concerns.

Privacy Overview

  • Skip to content
  • Skip to search
  • Skip to footer

What Is Business Continuity?

What is business continuity

Business continuity is an organization's ability to maintain or quickly resume acceptable levels of product or service delivery following a short-term event that disrupts normal operations. Examples of disruptions range from natural disasters to power outages.

  • Watch video (1:14)
  • Business continuity

Contact Cisco

  • Get a call from Sales

Call Sales:

  • 1-800-553-6387
  • US/CAN | 5am-5pm PT
  • Product / Technical Support
  • Training & Certification

Is business continuity the same as business resilience or disaster recovery?

Business continuity, disaster recovery, and business resilience are not the same, but they are related.

  • Business continuity is a process-driven approach to maintaining operations in the event of an unplanned disruption such as a cyber attack or natural disaster. Business continuity planning covers the entire business—processes, assets, workers, and more. It isn't focused solely on IT infrastructure and business systems.
  • Business resilience encompasses crisis management and business continuity. It requires a response to all types of risk that an organization may face. An organization that is business resilient is essentially in a constant state of "expecting the unexpected." It means continuously preparing to meet disruptions head-on, including events of extended duration that may affect more than one facility or region.
  • Disaster recovery focuses specifically on how to restore an enterprise's IT infrastructure and business systems following a disruption. It is considered an element of business continuity. A business continuity plan (BCP) might contain several disaster recovery plans, for example.

What is a business continuity strategy?

A business continuity strategy is a summary of the mitigation, crisis, and recovery plans to be implemented after a disruption to resume normal operations. "Business continuity strategy" is often used interchangeably with "business continuity plan." Both consider the broader goals, legal and regulatory requirements, personnel, and even the business's clients and partners.

What does a business continuity plan mitigate?

A relevant and well-tested BCP can help ease the negative impacts of an unexpected business disruption in many ways.

  • Financial impact: Disruptions to product supply chains and critical services to customers can directly affect sales and revenue. Downtime caused by unplanned disruptions can also result in higher costs for a business as it looks to repair operations and mitigate previously unidentified threats.
  • Reputation and brand impact: Failure to resume operations quickly and supply customers with the products or services they expect can prompt customer defections and tarnish the brand. Damage to reputation can in turn cause investors and capital sources to pull back funding, exacerbating the financial impact of a business disruption.
  • Regulatory impact: Customers and vendors are likely to complain when businesses fail to respond appropriately to disruptions, which may result in regulatory scrutiny or even censure. In highly-regulated industries, such as energy and financial services, business continuity planning is mandatory to ensure regulatory compliance.

Business continuity planning activities

A well-crafted and tested BCP can go a long way toward helping a business recover swiftly from a disruption. These are key steps a business may want to take.

Identifying critical business areas and functions

Business continuity planning begins with identifying an organization's key business areas and the critical functions within those areas. A business needs to determine and document the acceptable downtime for each area and function considered vital to operations. Then a plan to restore operations can be established, documented, and communicated.

Analyzing risks, threats, and potential impacts

Creating appropriate response scenarios requires knowing what disruptions the business could experience. An upfront analysis of risks and threats is necessary in order to prepare contingency responses to events. Organizations can also conduct a back-end analysis after an event to gather metrics and assess lessons learned. This information can drive improvements in how the business responds to disruptions.

Outlining and assigning responsibilities

A BCP details which personnel will be responsible for implementing specific aspects of the plan. It also identifies key decision-makers and a chain of command. The plan should include alternative options in case primary personnel are incapacitated or unavailable to respond to the disruption.

Defining and documenting alternatives

A business continuity plan should define and document alternative communication strategies in case telephone services or the internet are down. Enterprises should also have alternatives for mission-critical spaces such as data centers or manufacturing facilities in case buildings are damaged.

Assessing the need for critical backups

Essential equipment may be damaged or unavailable during a disruptive event. A business should consider whether it has access to backup equipment and uninterruptible power supplies (UPS) during extended power outages. Business-critical data needs to be backed up regularly, and is mandatory in many regulated industries.

Testing, training, and communication

Business continuity plans need to be tested to ensure they will be effective. (Disaster recovery plans should be tested as well.) A best practice is to conduct a plan review at least quarterly with leadership and key team members who are responsible for executing the plan.

Many companies use role-playing sessions, simulations, and other types of exercises several times per year to test their BCPs. This approach helps to identify gaps, develop strategies for improvement, and determine if more resources are needed. Targeted staff training and communicating to the whole workforce the benefits of having a business continuity plan are also vital to its success.

Related products and solutions

  • Cisco Webex Contact Center
  • Virtual Desktop Infrastructure (VDI)
  • Cisco Intersight Workload Optimizer
  • AppDynamics Application Performance Management
  • ThousandEyes End User Monitoring
  • ThousandEyes Endpoint Agents

You may also like…

  • Cisco’s Business Resiliency Strategy
  • Business Continuity Blogs
  • Business Continuity Planning

business continuity management metrics

  • The Latest From Zerto
  • Resource Center
  • IT Uninterrupted
  • Cloud Data Management
  • Business Continuity and Disaster Recovery (BCDR)
  • Business Resilience
  • IT Resilience
  • Data Replication
  • Data Migration
  • Backup and Recovery
  • Maximum Tolerable Downtime (MTD) and Maximum Tolerable Data Loss (MTDL): Differences and Considerations
  • Service Level Agreement (SLA) in Business Continuity
  • What is Continuous Data Protection (CDP)?
  • Risk Assessment
  • Disaster Recovery
  • Disaster Recovery Plan
  • Appliance-based Replication
  • Array-based Replication
  • Multi-Cloud
  • The Differences Between Backup and Replication
  • RPO and RTO
  • Disaster Recovery Testing
  • IaaS Infrastructure-as-a-Service
  • Types of Clouds: Public, Private, Hybrid
  • Immutable Backup
  • SaaS Software-as-a-Service
  • Risk Management
  • Virtualization
  • Hypervisor-based Replication
  • BIA Business Impact Analysis

Business Continuity

  • 3-2-1 rule in Data Backup
  • Cyber Resilience
  • Total Cost of Ownership (TCO)
  • Business Continuity Guide
  • Disaster Recovery Guide
  • Ransomware Recovery Guide

The Only Guide You Will Need

From the definition of business continuity and its related plans, to the description of the planning involved in establishing the business continuity plan, right down to its management, we cover everything in this ultimate Business Continuity guide.

20 min Read

What Is Business Continuity?

High-profile events and disasters such as terrorist attacks, natural disasters, and data breaches have increased global awareness of the need for robust business continuity practices and strategies.

business continuity management metrics

Business continuity encompasses the people. processes, technologies, and frameworks needed for an organization to ensure the continuous delivery of critical business functions when a disaster occurs. The business continuity definition also includes the prevention and mitigation of such disruptions from happening in the first place.

Company leaders have a crucial role to play in ensuring the resilience and continuity of business operations during crisis events.

Business continuity does not have an end date or state. It is a continuous process that keeps on evolving to adapt to never-ending business transformations and changes in the business environment. 

Business Resilience vs. Business Continuity: What’s the Difference?

Although both terms are sometimes used interchangeably within business circles, there are several subtle differences.

Business resilience describes the ability to return to a state of functionality that may either be the same as prior to a disruptive event, or a new state that enables operations in a new reality. It includes disaster response, incidence response, and business continuity management. A truly resilient organization is impervious to the effect and fallout of various kinds of disasters or disruptions.

On the other hand, business continuity assists companies to return to functional status by addressing the consequences of outages and disruptions to business operations. The goal of business continuity is to return the business to a state of operation/functionality prior to a disruptive event, in the shortest amount of time and with the least amount of disruption. It does this by reducing and preventing data loss and the risk of reputational harm by mitigating the consequences of disastrous events. 

Essentially, business continuity is concerned with helping a company resume operations immediately when a disaster occurs while business resilience is the company’s ability to resist and adapt to disruptive events or trends.

The Plans in Business Continuity

Multiple plans result from the business continuity planning process. They are all considered part of the business continuity plan (BCP).

Business Continuity Plan (BCP): business continuity initiatives, strategy, policies, standards, and planning activities produce this plan. It is all encompassing and includes the other plans below, or at least references to them.

Disaster Recovery Plan (DRP) : this plan will focus on business continuity from an IT / technology infrastructure standpoint.

Crisis Management Plan (CMP) : this identifies the chain-of-command and provides criteria to determine if a crisis has occurred —and therefore the activation of the BCP and related emergency response— the reporting and response management of the crisis, along with a communication plan.

Emergency Response Plan (ERP) : also called Incident Response Plan, this details the actions that need to take place to mitigate the immediate effects or consequences of an event responsible for business disruption. The priority of this plan is the safety of people directly or indirectly involved in the business. Then comes the protection of the business infrastructure (IT, building, equipment). Once the response phase is completed, it is possible to move to the Restore, Recover and Resume phases.

business continuity management metrics

Business Continuity Plan (BCP) vs. Disaster Recovery Plan (DRP): What Are the Key Differences?

What Does Business Continuity Mean in a Business Emergency?

It means that the organization has made adequate preparations and has the ability to execute a business continuity plan that addresses customers, people, processes and technology. 

Ensuring Services or Products Are Delivered (Customers)

At its core, business continuity proactively ensures that organizations can still execute mission-critical operations and deliver products or services to customers during a disruption.

Proper business continuity mandates different responses to different levels of threats and disruptions. This is done for one major reason – to ensure that the products and services that are most vital to customers aren’t disrupted.

Supporting Employees (People)

The scope of business continuity covers the safety and security of human resources – from executive and middle management down to frontline workers – along with organizational assets and systems.

Since disasters and business emergencies can be confusing, business continuity planning takes cognizance of how, when, and what kind of information is delivered to employees…once disaster strikes.  

To help support company staff during operational disruptions and emergencies, business continuity ensures that employees have key information on how the organization plans to respond. Everyone needs to know what to expect from the BCM team as it implements strategies to navigate the company back to a state of normalcy.

Knowing Which Steps and Actions to Take (Process)

Company management and key personnel need to know what steps to take when faced with incidents that result in a business emergency.

A business continuity plan typically includes the contact information of relevant personnel, a guide on how to use the BCP document as well as clear guidelines on what to do to maintain critical operations. The plan should be honest about service level agreements (SLA) , recovery point and recovery time objectives ( RPO and RTO ) and identify what employees should or should not do to assist processes, facilities, and team members stay operational and productive.  

The Crisis Management and Emergency Response plans would actually provide detailed step-by-step procedures to follow to address particular situations addressed in the BCP.

Having the Right Disaster Recovery Solution in Place (Technology)

It’s imperative for organizations going through the business continuity planning process to leverage the right technologies.

In recent years, there has been a significant increase in the number of disaster recovery (DR) solutions, due to the prevalence of cloud computing applications and the aftermath of the COVID-19 pandemic.  

Depending on their DR needs, enterprises can build or rent off-site disaster recovery facilities or leverage a variety of cloud-based options such as disaster recovery as a service (DRaaS) . These offerings come with a range of tools and services that offer incident response capabilities such as DR, backup, and restore to prevent data loss and ensure the high availability of IT systems and databases. It is all about having the right solution to execute the DR plan .

Managing Business Continuity: The BC Management Team

While business continuity processes and strategies are designed to help organizations stay on track during unexpected disruptions, the success of these strategies depends largely on how well they are executed.

Business continuity management (BCM) teams are critical to the design and implementation of business continuity plans. They provide the insight, focus, and leadership that keeps a business on its feet when disaster strikes.  As such, deciding who is responsible for business continuity planning, and collating the resources and technologies needed to help them operate effectively are indispensable parts of business continuity initiatives.

Putting together a strong BCM team is challenging. A world-class business continuity team is cross-functional and includes personnel drawn from pockets of expertise across the entire organization, from executives to team members drawn from legal, facilities, finance/accounting, IT, HR, etc. The roles and responsibilities of individual BCM team members are outlined in the business continuity policy.

Regardless of company size, industry vertical, or business objectives, the BCM team should comprise the following:

Every BCM team must be headed by a company leader with the skill and experience to oversee business continuity efforts and make high-level decisions on the focus of the BCM team. The sponsor is usually drawn from the ranks of senior management.

For large enterprises, the Risk Management Officer may lead the BCM team assisted by someone from the IT department. In smaller organizations, the CTO or CFO may be picked to head the BCM team.

The Business Continuity Steering Committee or Office  

This is an interdisciplinary team at the C-suite level usually made of people overseeing key functions in the organization (COO, CIO, CSO, CISO, CPO, Legal Counsel, etc.). Their role is to ensure the BC program stays in lock-step with the corporate strategy, that proper resources are allocated and that goals are established and met within set timeframes.

In most instances, the BC Sponsor is also the chair of the Steering Committee when it exists.

The Business Continuity Plan Owners   

In larger organizations, the Business Unit or group leaders are accountable for the creation and maintenance of their own BCP, under the established policies, standards and processes set at the BC program level.

Business Continuity Planners and Managers  

The BC planners are the people in charge of developing the actual business continuity plan for their business unit or group. In larger enterprise, they will report to a BCP owner. In smaller organizations, they may just be reporting to the BC Program manager, and help to develop the BCP for various functions of the business.

The BC manager role is to ensure the BCP readiness by coordinating and organizing simulation exercises, training of the resources that would be involved in any BC activation plan. He also ensure a feedback loop into the process by bringing up any challenges that may arise during exercises testing the BCP.

BC planner and manager functions can be fulfilled by the same person. Again the size and global footprint of an organization will impact how these roles are set up.

Crisis Management Team (CMT) and Emergency Response Team (ERT)   

These are the people who are responsible for executing the BCP when it gets activated and they : 

1) Ensure all the activities get triggered and implemented,  

2) Make sure the proper resources get allocated,  

3) Make decisions to adjust the course of operations as needed,  

4) Execute the workflows and steps of the BCP ,  

5) Provide updates/reporting on the situation and its evolution on the ground .  

In some organizations this might be two teams, working closely together outside of a crisis, and obviously during one. In that scenario, the CMT would mainly cover areas 1) to 3) while the ERT would take care of 3) and 4). The overlap over decision-making (3) considers that adjustments can be made on the ground but also at higher level.

Crisis Communication Management Team (CCMT)   

Some organizations may also have a dedicated Crisis Communication Team that manages communication with the media and all key stakeholders of the organization (employees, customers, partners, etc.) during a crisis.  

The Map to Recovery: The Business Continuity Plan (BCP)

Business continuity planning culminates in the production of a business continuity plan that usually becomes a living document, constantly evolving.

The BCP is the tangible asset an organization produces to translate its strategy and approach to deal with disruptions and ensure its business can continue to operate. Because it is the result of a cyclical process —business continuity planning— it will evolve over time. Regular testing of the BCP usually brings its own set changes and adjustments too, making the BCP an actual living document.

Developed by the business continuity managers and planners, it will become the recovery map the crisis and emergency teams will rely on when disaster strikes.  

What Is a Business Continuity Plan?

The BCP is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters. 

According to ISO 22301 ¹ , a business continuity plan is defined as “documented procedures that guide organizations to complete the four R’s: R espond, R ecover, R esume, and R estore to a pre-defined level of operations following disruption.” 

The business continuity plan aims at meeting the four R’s against defined types of risks that can affect the organization’s operations —such as floods, fires, disease outbreaks, weather-related events, cyber-attacks, and other external threats— for specified sites or geographical areas. 

Key Elements of a Business Continuity Plan

There is unfortunately no one-size-fits-all template that can be applied but at least the elements listed should be considered as minimum requirements. 

The BCP is a document containing processes and procedures that when implemented, help ensure that company personnel, resources, and assets are protected and can continue operating in the event of disasters. The BCP should at a minimum contain the following elements:

  • Contact information of the key individuals in charge of the BCP 
  • A revision log with reference to documentation that describes change management procedures – This is key for audit purposes and to ensure that only the latest versions of a BCP are available. It also enables to connect changes and BCP testing, by highlighting what elements of a test drove changes in the BCP. 
  • Information about and/or references to BC governance, policies and standards  
  • The purpose and scope of the BCP – As seen later there will most likely be multiple BCPs developed for a single organization, to address specific types of disruptions over specific entities or locations. So, it is key to know what is the intended application of a particular BCP.
  • Instructions about how to use the plan end-to-end , from activation to de-activation phases 
  • Service Level Agreements (SLAs) over key business processes, defining the amount of time within which these processes must be restored.
  • References to Disaster Recovery, Crisis Management and Emergency Response plans and procedures along with the identification of key roles and individuals. 
  • References to Runbooks detailing all applicable procedures step-by-step, with checklists and flow diagrams.
  • A glossary of terms used in the plan  
  • A schedule showing dates for reviewing, testing and updating the plan, along with a record of past test dates and references to the results of these tests.

Each organization will have other items deemed important that will make it to their BCP. There is unfortunately no one-size-fits-all template that can be applied to meet every business needs.

The Lifecycle of an Active BCP

Great, you have a solid BCP. And now what? What happens when a crisis hits?

BCP Activation

A business continuity plan can be activated at multiple levels of the business continuity chain-of-command. This is how a business is best protected as it enables speed over its BCP activation when required. Obviously, this will vary with the type of disruption as not all disruptions are equal.

The response to a pandemic such as COVID-19 would  provide more time to plan and decide what parts of a BC plan to activate. In this case, it is most likely that the activation decision would be taken at the highest level of the chain. 

In contrast, the event of a shooting in a building office would most likely trigger the activation of that local BCP by the members of the teams located there. The activation would put in motion various elements of the BCP, including the reporting and potential further activations up the chain of command. The situation may end up being managed at a different level later for various reasons. 

The BCP should ensure that many members of the BC team, at various level of the organization, are empowered to act as leaders and activate a BCP, in order to enable a swift response when needed. Proper availability and coverage of these individuals is essential (designated backups in case of absence, redundancy in locations, shifts, etc.).   

Systems and procedures should also be in place to record events as they take place, or soon after (time stamps for events or decisions, people or agencies involved, etc). 

BCP De-activation

It is the responsibility of the Crisis Management Team to decide when the BCP needs or can be de-activated. The highest “ranked” individual in the activated crisis management cell is the one to make the call.

The BCP should incorporate the criteria to be met to start the deactivation process, and during the step-down process itself (validate at each step that the situation meets set criteria and conditions). At this stage, it is usually easier to properly document all these steps, and record time stamps, decision-makers names, and any other pieces of information that may be valuable for a later review of the response to a disruption. 

Other Consideration: BCP Accessibility

While it is impossible to list all the considerations that could apply to an organization’s BCP, there is one that is essential: the accessibility to the BCP, and any runbooks describing the applicable procedures step-by-step.

Training is of course important to make a lot of the activities and tasks feel like second nature for the individuals involved in executing the BCP, however it is still highly probable that during a crisis there will be a need to check some elements of the BCP.

However old-fashion this might feel, having print versions of the BCP available in designated locations is important, since some disruptions may bring down the IT infrastructure of an organization, or even the local grid, hence limiting or preventing any access to digital documents. Obviously, that adds another layer of management to ensure these documents are kept up-to-date. Other options can include having digital copies of a BCP hosted on other secured 3rd party systems or platforms. 

The Journey to a BCP: Business Continuity Planning

Business continuity planning is a top priority for any organization looking to minimize downtime and maintain the high availability of systems, products, and services, regardless of disastrous occurrences.

Business continuity planning describes the process of establishing risk management procedures and protocols (that should be followed in the event of a disaster) to prevent interruptions to mission-critical services and help re-establish full operational functionality as quickly as possible. It culminates in the production of a business continuity plan (BCP).  

The Key Parts to Business Continuity Planning

To ensure that the most likely scenarios are covered, the planning process involves identifying critical functions and the possible risks and disasters that would cause the failure/downtime of said functions.

The nature and severity of these threats will guide the rest of the planning process. The key parts of the business continuity planning process are:  

  • Identification of critical functions or business processes – Reveals what processes are critical to maintaining and running in the event of an unplanned disruption in order to prioritize and focus recovery there 
  • Business Impact Analysis (BIA) – A systematic process used first to evaluate the disruptive effects of disasters, accidents, or emergencies on critical business processes.
  • Risk Assessment – Identifies all potential hazards to a company such as technology failures, cyberattacks, or natural disasters. It is also used to determine risk mitigation strategies and implementations.
  • Establishment of Service Level Agreements (SLAs) – Based on the information collected from the previous stages, realistic and appropriate SLAs must be defined for specific services/teams supporting particular business functions or processes. This will drive technology solutions and processes used to deliver on these SLAs.
  • Communications – Crisis communication management involves many parts and must be well planned in order to ensure clear and consistent information to many stakeholders during a crisis, which include: media, employees, customers, partners, agencies, etc.
  • Testing and Maintenance – Testing the resulting BCP is essential to identify gaps and make improvements. Planning BCP testing should help determine test frequency, but also how to partially or fully test the BCP, i.e. what method to use. 

The various analysis and planning processes highlighted above will lead to the creation of other plans —and their related procedures— that are part of the business continuity plan, such as: 

  • Disaster Recovery Plan 
  • Crisis Management Plan, which will include the communication aspect. 
  • Emergency Response Plan   

While driven and led by the BCM team, a lot of cross-organizational and cross-functional work and teams are involved to feed into and receive information from the various activities taking place to establish the BCP. This is not an easy task that requires a lot of coordination and alignment, hence the necessity to have a dedicated team managing that planning process.  

Establish Key Business Continuity Metrics: MTD and MTDL

Through the business impact analysis (BIA), an organization will estimate the downtime it can tolerate for a given process or function, and the maximum data loss it can handle. These limits are reflected in the SLAs.

Within the context of business continuity, an SLA represents a promise about how long a business process or function will remain unavailable in the event of a disruption. It assumes the commitment of every party involved.

Maximum tolerable downtime (MTD) and maximum tolerable data loss (MTDL) are two of the most important metrics of any business continuity plan, and are reflected in the business continuity SLAs related to each critical business process and/or function.

Risk Assessment, BIA, SLA, RTO and RPO: What’s the Link? MTD and MTDL

What is a Service Level Agreement (SLA) in Business Continuity

MTD and MTDL: Differences and Considerations

MTD, also referred to as maximum allowable downtime (MAD), is the longest downtime an organization can tolerate before facing serious repercussions. It is measured in units of time.

MTD is made of several components, including recovery time objective (RTO), meaning setting things up to stay below its defined value is more complex and involves several teams.

MTDL determines the most amount of data or transactions the business can afford to lose over a specific business process or function. This limit is measured in units of time. MTDL will directly inform the DR team about the recovery point objective (RPO) that needs to be achieved to meet the SLA of a specific business process.

Where To Begin Your Business Continuity Planning

Let’s take a look at the core steps company leaders must undertake when embarking on business continuity planning.

Start With A Thorough Prep-work and a Strong Disaster Recovery Plan

The key parts of the business continuity planning —risk assessment, BIA, identification of critical functions— contribute to determine the business requirements for the DR plan, mainly through the establishment of SLAs. There is no shortcut: that is the tedious prep-work that has to be done in order to deliver a strong disaster recovery plan. 

A strong disaster recovery plan is a core part of your business continuity strategy and is integral to its success. The DRP focuses on the technology infrastructure required as well as the specific steps organizations must take to resume operations and access their data easily following a disaster. The DRP should include the following 

  • plan goals and objectives 
  • authentication tools 
  • incident response and recovery steps 
  • the DR policy statement 
  • key action steps and guidelines for when to use the plan 
  • responsibilities of individual DR team members  
  • contact information of personnel needed to enact critical recovery tasks. 

Train a Strong BCM Team

Designating who will manage and implement your BCP, and all its related plans, is of paramount importance to the success of business continuity initiatives. As mentioned previously, the BCM team is broad, considering it goes from the sponsor, steering committee, program manager, plan owners and planners to the crisis and emergency response teams spanning across all the areas of the business. Therefore training and simulation exercises are critical to help prepare your BCM team for when an actual disruption occurs. 

Since it’s difficult to know ahead of time how well your BCM team would perform during an actual crisis, continuous training will go a long way in ensuring they’re ready to oversee and execute the BCP when disaster strikes. Training also includes getting BCM team members up to speed on the latest BCM best practices. The team can also leverage cloud-based or on-premise business continuity management software to help pinpoint areas of risk, create and update plans and conduct BIAs. 

Have Something Small In Place, Test It And Grow From There

Traditionally, business continuity planning was largely the province of big businesses and most plans seem to be designed with large enterprises in mind. However, anyone can undertake BCP without breaking the bank or straining already limited company resources. Savvy business leaders can begin their BCP journey with a small but easily scalable plan. 

The plan could target one specific area at a time (such as IT assets and sensitive business data) and expand to include other business areas and processes. Such a plan should be rigorously tested to minimize loopholes and vulnerabilities. Over time, company leadership can expand the initial BCP to ensure 360-degree business continuity across the entire organization. 

Business Continuity: How to Do It the Right Way

A solution that fits your BCDR strategy, and delivers on data protection and recovery.

BC planning takes inputs from the Risk Assessment, BIA, identification of critical functions and defined SLAs to establish the appropriate processes, procedures and technology solutions to be implemented and enabling the DR plan to achieve the defined SLAs. 

To protect your data from disasters and instantly recover applications without data loss, companies need a reliable data protection mechanism and cost-effective BCDR solution in place. A lot of enterprise-grade applications and databases have the built-in capability to handle data replication synchronously and asynchronously. 

However, this is not a viable option for business continuity purposes. Companies need a single data protection solution that supports their business continuity strategy and objectives, and that provides ransomware resilience, DR, restore and testing capabilities. This solution should be designed to work independently of any resource or host platform on a company’s IT estate and scalable enough to protect single applications as well as large clusters or multisite environments. 

business continuity management metrics

What is Zerto Solution?

Short video (1 min 21 sec ) explaining what Zerto does and how it helps to deliver business continuity.

Zerto Solution: Overview

To exit, click outside the image

Zerto Solution Overview

Introducing Zerto for Business Continuity

Zerto , built on a foundation of continuous data protection, enables continuous availability which is essential to achieve business continuity. Zerto’s solution provides everything you need for ransomware resilience , disaster recovery , and data mobility while delivering the very best recovery time objective (RTO) and recovery point objective (RPO) possible.

With easy implementation and deployment, the Zerto solution can scale with your organization to ensure continuous data protection for all of your business-critical and lower tier applications. 

Get in Touch!

Speak to one of our specialists today to find out how Zerto can help your business to achieve business continuity.


Business continuity & disaster recovery in healthcare.

Understand the unique challenges facing the healthcare industry and how, by adopting business continuity & disaster recovery, they can become more resilient.

Business Continuity and Disaster Recovery in the Cloud Era

Learn the different types of Cloud BCDR solutions along with their pros and cons, and then see how Zerto addresses these challenges and improves upon many of the traditional solutions that leave gaps in cloud-based BCDR .

Essential Guide: Disaster Recovery

After reviewing Business Continuity, let’s look at what is involved in getting Disaster Recovery right in this online guide.

1. ISO 22301:2019 – Security and resilience — Business continuity management systems — Requirements

Do not sell or share my personal information

Your privacy preferences for Zerto's websites has been saved. We will serve only essential cookies moving forward on this browser

  • All Categories >
  • Business Continuity Management Program Solutions

Business Continuity Management Program Solutions Reviews and Ratings

What are business continuity management program solutions.

Gartner defines business continuity management program solutions as the primary tools used by organizations to manage all phases of the business continuity management (BCM) life cycle, from planning to crisis activation. BCMP solutions provide capabilities for availability risk assessment, business impact analysis (BIA), business process and resource/asset dependency mapping, recovery plan management, exercise and crisis management, and BCMP management metrics and analysis.

How these categories and markets are defined

Products In Business Continuity Management Program Solutions Market

  • Number of Ratings, High to Low
  • Number of Ratings, Low to High
  • Average Rating, High to Low
  • Average Rating, Low to High

Castellan Platform

Castellan Platform

"Great idea for a great future. "

The Catalyst bring to us another vision about the market place. We can see that women dosent have a great space yet. Catalyst help the market place be better and work better. So I'm proud to be part of this.

Fusion Framework System

Fusion Framework System

"Outstanding Business Continuity and Operational Risk Software"

Fusion has been a great addition to our Risk Management Information System strategy. We use this tool for Security incidents, Business Continuity Planning, Site Visits, and IT Cyber Security Risk Mapping.

Archer Business Resiliency

Archer Business Resiliency

"It is very easy to use and develop but price is very high."

I used this solution for Business Continuity purposes. It was very user friendly and quite easy to configure fields for admin or tool owner. I embedded the Business Impact Analysis which made as process based. All dependencies as application, staff, facility, equipment, document can be mapped with the processes. Therefore it can be very easy if you want to map whole company's dependencies.



"Parasolution is your go-to solution for BCM software"

Parasolution offers unequalled flexibility and customization towards every aspects of business continuity management and all implicated disciplines. Customer support is solution-oriented and always available to address any business needs with great flexibility. End-user experience is prime focus.

SAI360 Business Continuity Management

"Transparent, easy implementation, easy to use product and fantastic support"

Our experience has been quite positive, from the demo until implementation. The vendor has been very transparent in their approach.

NAVEX IRM Software

"Simple, Direct"

Vendor support and customer experience is excellent. Configurability is excellent and easy. Their's vision and product was very clear and which makes understand easily by anyone.


"Excellent Continuity Tools to keep Businesses aware & relavant in Continuity Management"

Software is user friendly, adjustable to meet different business and regulatory needs as they change; vendor is very professional and supportive of their tool; vendor listens to users and adjust the overall tool to keep it current and very useful in a highly regulated industry.

Frontline Live

Frontline Live

"Frontline Live : experience is amazing"

Our selection to apply front Line live turned into primarily based on value, functionality, easy of implementation and simplicity of use by using a small BC group. This product met all those elements and greater. Our enjoy has been advantageous. The overall performance troubles i was to begin with concerned with were remedied, and customer support by way of the seller has now not dwindled as time as handed.

Quantivate Business Continuity

Quantivate Business Continuity

"Business Continuity Services Beneficial to Start or Enhance Program"

Quantivate's Business Continuity module and consulting services has greatly improved our business continuity program. The ease of the software and helpful guidance from our consultants allowed us to complete a comprehensive implementation in a manageable timeframe.

BC in the Cloud

"BC in the Cloud has empowered our program."

BC in the Cloud has enabled our organization to take our program to the next level. The application has provided us with unparalleled flexibility.


"Very flexible and comprehensive BCM Automation Platform"

Very flexible and comprehensive BCM Automation Platform. Easy to use and to integrate with other legacy applications and data sources.

Business Continuity Management

Business Continuity Management

"Best IT Risk Management in the market"

Some of the business problems we are solving is optimizing risk based audits and compliance management. It helps our company and shows what we need to work on as a company itself.

"Implementation is easy as predicted, and very responsive to needs"

Very responsive to all requests, from selection process throughout implementation. Definitiely would work with this vendor again for further efforts.

Sustainable Planner

Sustainable Planner

"With Virtual's SP, you're not just getting a product, you're getting a program"

Virtual is a trusted, valuable strategic partner. Their customer service and support engagement model are very efficient and effective. Clients have access to knowledgeable, seasoned professionals who go above and beyond to ensure implementations are highly successful and that all elements are in place for a smooth "business as usual" transition. The service and support model and user group collaboration experience are very effective. We have been very satisfied customers for 12 years and have previewed many tools over this time, none that surpasses the quality and value of SP. Planning model adapts to a highly regulatory environment. We've demonstrated to our customers who rely on our services that it's not just about having plans in place -- they must work, be executable, and be part of a sustainable program -- and we've proven that to them through SP.

"Implementation was easy, VEOCI is only limited by your imagination"

Grey Wall has been a very responsive company and VEOCI has been successfully implemented and they continue to provide incremental improvements to meet our companies needs. Their services is excellent. As with everything, there is room for improvement.

Ascent AutoBCM

Ascent AutoBCM

"Ascent: Business Continuty Tools"

Very good tools for getting the operations of the company in record time during a crisis.

Competitor or alternative data is currently unavailable

Gartner Research

This research requires a log in to determine access

Popular Comparisons

  • Castellan Platform vs Fusion Framework System
  • Archer Business Resiliency vs Fusion Framework System
  • BC in the Cloud vs Fusion Framework System
  • Archer Business Resiliency vs Castellan Platform
  • Castellan Platform vs RPX
  • Australasia
  • Asia Pacific
  • Middle East
  • North America

Continuity Central

The latest business continuity news from around the world

The metrics struggle: creating metrics for a bc or dr program.

After years struggling with tracking metrics for a disaster recovery program, the authors of this article came across a metric tracking system used by a peer which was successfully modified for DR use. The system is shared here to help you move from nagging to supporting the teams that you work with.

By Cullen Case Jr., CBCP and Stephen Wolters .

Metrics to show efficacy and return on investment are not new. There have been surges and dips in the intensity of the push for implementing these depending on what industry you are in. It may be surprising to many that cities and counties have excellent metrics to track and report on the work they do. Look up your local Comprehensive Financial Report and I suspect you will be surprised the number of metrics that are tracked for any given city or county. That doesn’t help though when you can’t track number of widgets produced, rejection rates, miles of road plowed for snow, emergency medical calls per staff member, and the list goes on. For business continuity and disaster recovery types like us, the metrics are a little softer. And, more often than not, you are beholden to someone else’s effort and the competing priorities to get their attention so that their task is accomplished and therefore your metric is in good standing. It really, really, can be frustrating.

Having worked in emergency management, business continuity, and disaster recovery for over two decades combined I’ve always taken the perspective that this is our lot in life. We ask, nag, cajole, and rely on our personal relationships to get the teams we work with to get their tasks done. And from what my friends in the profession say, this is the norm. For years we have looked for a good metric to track to show our effectiveness, and each time in the end we scrapped the metric since we were reliant on someone else’s effort. Then I saw a tracking board that a peer used for his work that required other teams’ support to get the work done. It was mind blowing; I could immediately grasp the vision of how to flip the script: from us being rated on other people’s work, to us tracking their efforts to ensure their systems were resilient for the disaster recovery program.

This changed our relationship from the nag spending hours reaching out to check on the status and get a new ETA; to being the helper that others sought out to figure out what they needed to do to get their system listed as passing. The examples and descriptions here will be for a disaster recovery program, but can just as easily be implemented for a business continuity focus or emergency management focus…. or most any documented program. I say documented because you have to have defined what is expected of others related to the program you are tracking.

For our disaster recovery program we have documented that each critical application must have a DR plan (with standardized sections including assigned roles, storage, network, and failover and failback information) filled out, a tabletop exercise, a functional failover exercise, RPO, RTO, etc… The DR plan is our single source of truth and we treat it with a trust but verify mentality, in that the application manager or DR planner updates the information and we review some, all, or none depending on our past experiences with that team and our ability to review.

These fields from the DR plan then populate in a pass/fail state in the Disaster Recovery Scorecard (DRSC), resulting in a view like this (modified to protect the innocent):

The Disaster Recovery Scorecard

We realize this is not perfect by any means, however it is light years ahead of our past efforts and we have found that the teams we work with are much more readily available and keenly interested in updating their information to make sure that their application is listed in a passing state. Of enormous assistance to this desire is that the VP of Infrastructure reviews the DRSC periodically and about once a month shows it to the IT leadership team, which includes the CIO. However, even before this increased visibility there was significant interest to make sure that that all failing fields were remedied; so as with any program having a champion and governing body make a difference.

Depending on program maturity you will need to have the following, not all but as much of it as possible (items with an ** are a must):

  • Program champion,
  • Program governing body/committee,
  • **Established expectations such as service level agreements or policy for readiness of systems,
  • Single source of truth; this reduces your duplication of effort and need to go to multiple resources to gather the information,
  • **SharePoint, shared drive, intranet, or other means of publicizing the results where all can see; have no secrets,
  • Repercussionless (yes this is a made-up word); this is about improving the resiliency of the program not about punishing people or making examples of them,
  • Flip the script; make sure to change the interaction from the team constantly nagging for updates to being the team there to help get applications to a passing state (you are there to help).

With the above steps in place any program can have an effective metric based review process and you can move from the dreaded position of the nag to the lauded position of the subject matter expert that this a resource to help.

The authors

By Cullen Case Jr., CBCP and Stephen Wolters. Contact Cullen at

business continuity management metrics

Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

The Hunt for Hidden Risks

Additional Resources

  • Business continuity resources
  • 2023 predictions
  • Operational resilience
  • Cyber resilience
  • Business resilience
  • DR and ICT continuity information
  • Business continuity standards

A website you can trust

Business continuity, get the latest news and information sent to you by email.

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.

The Essential 3 Elements of a High-Functioning BCM Plan

The role of Business Continuity Management is to plan and prepare in advance so an that organization can identify, mitigate and reduce risk impact while ensuring continuity of its critical business processes.

Regardless of a company’s current BCM maturity, planning and preparing for the next incident is an ongoing process driven by continuous improvement. The cornerstone of that is the business continuity management (BCM) plan.

A BCM plan is the base for most BCM processes and consists of three distinct sections: an emergency response plan, a crisis management plan and an operational recovery plan. Each part of a three-pronged business continuity plan must be strong to have a high-functioning BCM program.

business continuity management metrics

Emergency Management and Response

An emergency response plan provides a detailed set of protocols and guidelines that seek to minimize the impact on the safety and health of personnel and reduce the overall effect of an emergency. Proper planning and training of an organization and its staff enable a quick and effective response to the threat. Every emergency response plan should:

  • Set specific emergency response goals
  • Design evacuation routes and staging areas
  • Evaluate and enhance emergency response communications

Regular reviews and testing are needed to ensure that the plan functions as intended and delivers when disaster strikes.

business continuity management metrics

Crisis Management and Communication

A crisis management plan may sound similar to an emergency response plan, but in a BCM context, they address two different needs. Organizations should view the crisis management plan as the bridge between its emergency response and its operational recovery. To execute a crisis management plan effectively, organizations need a well-trained crisis management team. Every crisis management plan should:

  • Verify the appropriate resources available in support of the decisions and activities of the crisis management team
  • Provide instructions for identifying, managing and recovering from the crisis
  • Develop status boards designed to track all team activities and assist in the coordination of incident remediation
  • Identify key constituencies and outline necessary communication protocols

Disasters will test even the most experienced people's capabilities, which is why it is necessary to conduct training and exercises that challenge the crisis management team to maintain the plan’s effectiveness.

business continuity management metrics

Business Restoration and Operational Recovery

An operational recovery plan helps ensure that personnel and assets are protected, and operations are efficiently restored following business interruptions, emergencies, crises or disasters. This plan helps organizations recognize threats to their operations and develop functional response capabilities to recover. Every operational recovery plan should:

  • Qualify and quantify threats and vulnerabilities
  • Develop mitigation and control strategies for the significant threats to business continuity
  • Determine the impact that major risks have on the supply chain and logistics

Threats and vulnerabilities often escalate after a business interruption. Qualitative and quantitative analysis across an organization is needed to identify the natural, technical and human-made gaps to any Business Continuity Management strategy.

Testing and Updating are Crucial to BCM Plan Success

Successfully recovering after an interruption depends on not only the business continuity plan's comprehensiveness, but also the organization's ability to execute the plan effectively. Untested plans and teams have a greater likelihood of failure, loss of revenue and increased reputation damage. Organizations can keep their plans updated and their employees sharp through rigorous exercising. The options can vary depending on the organization, but here are the most common and useful exercises and tests:

Structured Walkthrough: An informal review with team members to assess comprehensiveness, effectiveness and identify enhancements and deficiencies.

Desktop Exercise: A simulation typically conducted in a conference room and is designed to execute documented plan activities in a stress-free environment.

Multi-Location Simulation: A series of simulated events across several locations where multiple teams execute the plan.

Functional Test: An exam that tests whether plan procedures are effective, assumptions are accurate, and resources are available during a simulated event.

  • Skip to right header navigation
  • Skip to main content
  • Skip to secondary navigation
  • Skip to footer


Business Continuity and Crisis Management Consultants

3 Key Metrics for Business Continuity Program Success

business continuity management metrics

September 2, 2021 By //  by  Bryan Strawser

In my 25+ years as a business continuity & crisis management expert, I often get asked one particular question that that makes me cringe:

“Are there metrics we should be tracking?”

In short and emphatically, YES!

What metrics should you be tracking?

It depends:

  • Do you really want to know whether your business continuity program is working; that your organization is resilient and actually prepared to respond to the next disruption?
  • Or do you just want to make sure all of the boxes are checked?

This is not a trick question.

We think that everyone should want their business continuity program and your business continuity plans to actually work!

But if you don’t quite grasp the difference between the two, you’re not alone.

I frequently encounter confusion around the fact that merely tracking business continuity program compliance—i.e., checking the boxes— isn’t the end game for business continuity success.

But it takes more than “Know the requirements-Do the things-Check the boxes” to gauge whether your business continuity program is effective and moving your organization towards its resiliency goals.

Employing the right combination of metrics—operational compliance, plan quality, and program maturity—are all equally important to understanding your organization’s true resilience.

Implementing a system that measures all three will give your organization the insights it needs to move your business continuity program to full maturity, sustainability, and success in responding to the next disruption.

Is your organization truly resilient, or are you just checking off the boxes?

3hzKqKBM_2OH79EsrklydIaKkL961qCj7Z3pxvH5UdmxaZibFN4SQh1X6HkJ7XU5nbQLq67Uib8Pr5ti-BCpHw=s0 3 Key Metrics for Business Continuity Program Success

About Bryan Strawser

Bryan Strawser is Founder, Principal, and Chief Executive at Bryghtpath LLC, a strategic advisory firm he founded in 2014. He has more than twenty-five years of experience in the areas of, business continuity, disaster recovery, crisis management, enterprise risk, intelligence, and crisis communications.

At Bryghtpath, Bryan leads a team of experts that offer strategic counsel and support to the world’s leading brands, public sector agencies, and nonprofit organizations to strategically navigate uncertainty and disruption.

Learn more about Bryan at this link .

business continuity management metrics

PO Box 131416 Saint Paul, MN 55113 USA

[email protected]

Our Capabilities

  • Active Shooter Programs
  • Business Continuity as a Service (BCaaS)
  • IT Disaster Recovery Consulting
  • Resiliency Diagnosis®️
  • Crisis Communications
  • Global Security Operations Center (GSOC)
  • Emergency Planning & Exercises
  • Intelligence & Global Security Consulting
  • Workplace Violence & Threat Management

Our Free Courses

Active Shooter 101

Business Continuity 101

Crisis Communications 101

Crisis Management 101

Workplace Violence 101

Our Premium Courses

5-Day Business Continuity Accelerator

Communicating in the Critical Moment

Crisis Management Academy®️

Managing Threats Workshop

Preparing for Careers in Resilience

Our Products

Communications & Awareness Collateral Packages

Crisis Playbook®

Exercise in a Box®

Exercise in a Day®

Ready-Made Crisis Plans

Resilience Job Descriptions

Pre-made Processes & Templates

business continuity management metrics

Creating meaningful business continuity management programme metrics


  • 1 Blue Cross and Blue Shield of Florida, Jacksonville, FL 32246, USA. [email protected]
  • PMID: 21177222

The popular axiom, 'what gets measured gets done', is often applied in the quality management and continuous improvement disciplines. This truism is also useful to business continuity practitioners as they continually strive to prove the value of their organisation's investment in a business continuity management (BCM) programme. BCM practitioners must also remain relevant to their organisations as executives focus on the bottom line and maintaining stakeholder confidence. It seems that executives always find a way, whether in a hallway or elevator, to ask BCM professionals about the company's level of readiness. When asked, they must be ready with an informed response. The establishment of a process to measure business continuity programme performance and organisational readiness has emerged as a key component of US Department of Homeland Security 'Voluntary Private Sector Preparedness (PS-Prep) Program' standards where the overarching goal is to improve private sector preparedness for disasters and emergencies. The purpose of this paper is two-fold: to introduce continuity professionals to best practices that should be considered when developing a BCM metrics programme as well as providing a case study of how a large health insurance company researched, developed and implemented a process to measure BCM programme performance and company readiness.

  • Blue Cross Blue Shield Insurance Plans / organization & administration
  • Disaster Planning*
  • Private Sector / organization & administration*
  • Program Evaluation / methods*
  • Risk Assessment
  • Risk Management / organization & administration*


Drive a Connected GRC Program for Improved Agility, Performance, and Resilience


Power Business Performance and Resilience

  • Enterprise Risk
  • Operational Risk
  • Business Continuity
  • Observation
  • Regulatory Change
  • Regulatory Engagement
  • Case and Incident
  • Compliance Advisory
  • Internal Audit
  • SOX Compliance
  • Third-Party Risk

Manage IT and Cyber Risk Proactively

  • IT & Cyber Risk
  • IT & Cyber Compliance
  • IT & Cyber Policy
  • IT Vendor Risk

Enable Growth with Purpose

AI-based Knowledge Centric GRC

  • Integration
  • Marketplace
  • Developer Portal

Latest Release

Explore the right questions to ask before buying a cyber governance, risk & compliance solution..

By Gaurav Kapoor, Co-founder and Co-CEO, MetricStream

Menu Images

Discover ConnectedGRC Solutions for Enterprise and Operational Resilience

  • Enterprise GRC
  • Integrated Risk Management
  • CyberSecurity
  • Corporate Compliance
  • Supplier Risk and Performance
  • Digital Risk
  • IT and Security Compliance, Policy and Risk
  • UK SOX Compliance
  • Privacy Compliance
  • Operational Resilience
  • IDW PS 340 n.F.
  • Banking and Financial Services
  • Life Sciences

Learn about the EU’s Digital Operational Resilience Act (DORA) and how you can prepare for it.

Menu Images

Explore What Makes MetricStream the Right Choice for Our Customers

Customer Stories

  • GRC Journey
  • Training & Certification
  • Compliance Online

Robert Taylor from LSEG shares his experience on implementing an integrated GRC program with MetricStream

Menu Images

Find Everything You Need to Build Your GRC Journey and Thrive on Risk

Featured Resources

  • Analyst Reports
  • Case Studies
  • Infographics
  • Product Overviews
  • Solution Briefs
  • Whitepapers

Download this report to explore why cyber risk is rising in significance as a business risk.

Menu Images

Learn about our mission, vision, and core values

  • Our Partners
  • Want to become a Partner?

Gurjeev Sanghera from Shell explains why they chose MetricStream to advance on the GRC journey

Menu Images

MetricStream Business Continuity Management empowers enterprises to execute and manage an effective business continuity and disaster recovery (DR) program. It provides a flexible, integrated, and robust platform to meet multiple BCM (Business Continuity Management) needs, including business continuity planning, risk assessments, disaster tracking, and recovery action initiation and management.

The product enables a centralized approach to recovery planning and crisis management. Emergency mass notification capabilities, as well as mobile-enabled access to continuity plans and crisis reports (both online and offline), improve response time during a critical event.

Business Continuity Management

Proactively manage crises with real-time situational awareness.

Request Demo product details


Measure Your Program Outcomes


decrease in the time taken to create and review a business impact analysis

Cost saving BCM

reduction in the costs of managing a scaled-up business continuity planning and exercise process

Learn More product details


Ensure Uninterrupted Operations, Respond Better and Recover Faster from Disasters

MetricStream Business Continuity Management software, built on the MetricStream Platform, empowers enterprises to execute and manage an effective business continuity and disaster recovery (DR) program. It provides a flexible, integrated, and robust platform to orchestrate business continuity planning, risk assessments, disaster tracking, recovery action initiation, and emergency mass notification in case of crises.

Read More product details

How Our BCM Software Helps You

How Our BCM Software Helps You

Centralized Process and Asset Inventory for Maintaining Organizational Hierarchy

Leverage MetricStream’s centralized library to maintain a hierarchical structure of your organization, including objectives and relationships between processes, sub-processes, and dependent assets.

Proactive Approach to Business Impact Analysis

Trigger Business Impact Analysis (BIA) surveys and automate cumulative criticality scoring through the mapping of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Map RTO and RPO dependencies through the product’s business process modeling capabilities and visualize them with the Data Explorer.

Structured and Systematic Continuity Planning

Create and maintain continuity plans from templates and link these plans to business processes, critical resources, functions, IT assets, locations, and key contacts. Test business continuity and recovery plans to check if the activities outlined are effective and up-to-date. Manage course corrections with streamlined workflows.

Qualitative and Quantitative Business Continuity Risk Assessments

Perform qualitative and quantitative assessments of business continuity risks impacting key processes and assets. Gain a comprehensive view of aggregated risks across geographies and business units.

Robust Emergency and Crisis Management System

Implement powerful workflows to declare, report, and follow a crisis to closure. Monitor risk profiles, control ownership, and assessment plans. Record the crisis remediation status using real-time graphical charts.

Emergency Mass Notifications for Accelerated Response Strategy

Trigger emergency mass notifications in case of crisis/risk event. Create and manage emergency call trees and user distribution lists, as well as emergency notification templates across 25+ channels.

AI-Powered Intelligent Issue Management

Manage, track, and close issues and actions triggered from risk assessments, planned exercises, and crises. Leverage AI/ML to quickly and intelligently identify issues based on relation and recommend issue classification and action plans.


Integration with Vendor Risk Management to Achieve Business Resilience

Ensure uninterrupted operations across your extended ecosystem by integrating with Third-Party/Vendor Risk Management product. Conduct business continuity assessments and analyze risks across vendors ecosystem.

Mobile Capabilities for Continued Operations

Create and publish business continuity plans on MetricStream’s mobile app anywhere and anytime. Send and track emergency notifications during crisis recovery.

How Our BCM Software Benefits Your Business

  • Achieve operational resilience with better preparedness across enterprise operations, supply chains, and third parties
  • Strengthen business resilience with a coordinated and agile strategy for recovery from business disruptions
  • Drive better decisions with the help of a 360-degree business impact analysis that helps prioritize key assets and processes for recovery
  • Improve the agility of incident response through seamless integration with emergency mass notification systems

business continuity management metrics

Trusted by Leading Brands

Case Study: Akhenaton Marcano, Assistant General Manager – Group Operational Risk and Controls, First Citizens Bank

First Citizens Bank Trinidad and Tobago

Case study: akhenaton marcano, assistant general manager – group operational risk and controls, first citizens bank.

Dermot McCarthy, Head of Crisis Management, Standard Chartered discusses implementing MetricStream Business Continuity Management

Standard Chartered Bank

Dermot mccarthy, head of crisis management, standard chartered discusses implementing metricstream business continuity management.

Customer Success Story: Almarai

Customer Success Story: Almarai

Customer Success Story: Almarai

Customer Success Story: Ken Kaberia, Head of Enterprise Risk, Safaricom

Customer Success Story: Ken Kaberia, Head of Enterprise Risk, Safaricom

Related Resources

Agility and Adaptability. Key Drivers to Future-Proof Organizational Resilience

Agility and Adaptability. Key Drivers to Future-Proof Organizational Resilience

BusinessGRC Buyer’s Guide

BusinessGRC Buyer’s Guide

The Future of GRC: 10 Trends for 2023 and Beyond

The Future of GRC: 10 Trends for 2023 and Beyond

Frequently asked questions, can i maintain process and asset inventory in the metricstream bcm product.

Yes, you can leverage MetricStream’s GRC Library to maintain a hierarchical structure of the organization, including objectives and relationships between processes, sub-processes, and dependent assets.

Can I configure Business Impact surveys? Does MetricStream provide standard templates to manage business continuity plans?

Yes. You can trigger Business Impact Analysis (BIA) surveys to identify critical assets and processes. Further, you can map Recovery Time Objective (RTO) and Recovery Point Objective (RPO) dependencies through the product’s business process modeling capabilities and visualize them with the Data Explorer. Standard templates enable you to create and maintain continuity plans. Link these plans to business processes, critical IT assets, locations, and key contacts. Define recovery tasks and timelines using Gantt charts.

Does MetricStream support email mass notifications to all assigned users during a crisis?

Yes. You can create and manage emergency call trees and user distribution lists, as well as emergency notification templates across 25+ channels.

What issue management capabilities do you offer?

MetricStream software provides intelligent issue management capabilities to manage, track, and close issues and actions triggered from risk assessments, plan exercises, and crises. Leverage AI/ML to quickly identify issues based on relation and recommend issue classification.

Where can I learn more about MetricStream solutions for business resilience?

You can explore our Operational Resilience solution , which brings all aspects of the business and operational resilience framework on to a single unified platform by seamlessly embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for and prevent potential disruptions. To request a demo, click here. get a demo

Also, you can visit our Learn section to dive deeper into the GRC universe and the Insight section to explore our customer stories, webinars, thought leadership, and more.

Subscribe for Latest Updates

Ready to get started?

Business Continuity & Disaster Recovery Metrics Defined

' src=

Metrics are everywhere. Think about it: Every doctor’s visit includes standard measurements designed to provide important information about the state of your physical self, like a blood pressure check and confirmation of your height and weight. In the car, your dashboard measures speed and fuel supply. Quarterly report cards measure your kids’ progress in school. And periodic portfolio reports measure the state of your financial investments. Without these and a mountain of other measurements, or metrics, you’d have no clear way of knowing how things are going in your life and, as a result, no real way to positively impact your future.

Business Continuity Program Metrics? We Don’t Need No Stinking Metrics.

CFOs are usually analytical, hence their preoccupation with corporate spending and measuring the impact of billions of dollars spent (and rightly so). But as critical as business continuity (BC) and disaster recovery (DR) programs are to a company—along with the steep budgets sometimes accompanying them—there’s often little-to-no required measurement of these programs by management.

Among the usual reasons we hear for a lack of business continuity management (BCM) metrics and disaster recovery metrics are:

  • “What are metrics? We really don’t know.”
  • “We don’t know what to measure.”
  • “Management isn’t asking, so why bring it up?”
  • “We don’t care to know how the program is doing.”
  • “It takes too much time to measure effectiveness.”
  • “I think our process would work, so why waste time measuring it?”
  • “We already know our program is a disaster; why would metrics be helpful?”

In other cases, there are BCM or disaster recovery metrics at work, but more often than not they’re meaningless. Such metrics usually focus on volume of work (the number of exercises conducted, plans updated, analyses completed, etc.) rather than on the reality of whether a program will work in a true crisis.

Why You Do Need Business Continuity Management Metrics

Why is the lack of real business continuity program metrics a problem? Because if you can’t measure it, you can’t manage it.

Without the metrics to tell if your BC process is functioning, you have no idea how your business would actually fare in the case of a disruption, and you have no basis for identifying what aspects of the program are working and which need improvements.

Metrics serve three very important functions:

  • Metrics serve as a control and feedback loop. Once you’ve determined the ideal state of your BC process (i.e., “I know the best program should be rated between 80 and 100 on a 1-100 scale”), metrics allow you to know whether your process is in order or requires external interference to make it better.
  • Metrics add objectivity to the evaluation process. A lot of people claim that their BC program is in great shape and complies fully with standards, but such claims are often based on nothing but vague impressions. Metrics offer a way to quantify that claim with solid evidence.
  • Metrics are the foundation for improvement goals. Numbers make for easy assessment and goal planning. If the ideal rating is between 80 and 100 and your program comes in at 61, you can set a definitive improvement goal to reach 80. Along with that, you can specifically outline how you’ll reach that goal—and determine if your strategy worked.

Valuable Business Continuity Metrics

To truly measure the effectiveness of your BC process, you need a combination of metrics that focus on two key areas: the foundation of the program and the execution of the program. Evaluating both of these areas together gives insight into how a program will perform when it’s needed. It also clearly illustrates the program’s return on investment. High numbers in both areas indicate that money has been well spent.

Metric Area #1: Foundational Alignment With Standards

This area measures how aligned your program is with industry standards, such as ISO 22301  or NFPA 1600 . On a scale of 0-100, how does it measure up to those standards in terms of:

  • Program Administration
  • Crisis Management
  • Business Recovery
  • Disaster Recovery
  • Supply Chain Risk Management

In other words, are you building your program on sand or solid rock? If your process lines up with accepted industry standards, you can rest assured that your program’s foundation is solid, which promotes stronger execution of the process.

Metric Area #2: Level Of Execution

This area measures the level of risk that remains after you have considered management’s risk tolerance, the inherent risk of your recovery plans, and the state of mitigating controls. You then take steps to mitigate that risk, lowering it to an acceptable level.

Here are some business continuity KPI examples you should measure, among other things:

  • The currency of your business impact analysis . (Is it current, or more than two years old?)
  • The reach of your recovery strategy. (Do you have a dedicated alternate work site or will it be determined at time of event?)
  • The recovery exercises you’ve done to ensure the process can be smoothly put into place. (Are you conducting desktop exercises or relocating to the alternate work site?)

A lower level of risk indicates you have a program that has a high level of execution and capability; a higher level of risk indicates your program is weaker and needs to be strengthened to raise its level of execution.

Looking for other key performance indicators (KPIs) to measure your program’s effectiveness? See our online assessment tool in action for key business continuity KPI examples and the critical success factors (CSFs) that determine your program’s level of success.

If all of your mitigating controls are operating at the highest levels, you’ve successfully reduced your level of risk and increased your level of execution.

Business Continuity Program Metrics Done Right

Business Continuity Management metrics are just one piece of a successful continuity program. With our online business continuity software suite, BCMMetrics™ , you can easily and effectively assess your organization’s levels of compliance and risk and access tools that can help you build a better BC program from the ground up. It’s simple to use (there’s no software to install) and secure—your data is protected with military-grade encryption and backed up to multiple off-site locations. And the tool updates automatically with the most current industry standards, so your program will always be up to date.

We believe that, with the right tools, an effective BC program is within reach of every organization. Schedule a free demo of the tool in action to get a sense of what it can do for your business, or contact us with questions—we’re happy to help.


  • Client Login
  • Compliance Confidence
  • BIA On-Demand
  • BCM Planner
  • Residual Risk

MHA Consulting

  • Business Continuity
  • Training and Awareness

We're not around right now. But you can send us an email and we'll get back to you, asap.

Start typing and press Enter to search

Power Outage Procedures For Businesses

  • Generative AI
  • Business Operations
  • IT Leadership
  • Application Security
  • Business Continuity
  • Cloud Security
  • Critical Infrastructure
  • Identity and Access Management
  • Network Security
  • Physical Security
  • Risk Management
  • Security Infrastructure
  • Vulnerabilities
  • Software Development
  • United States
  • United Kingdom
  • Newsletters
  • Foundry Careers
  • Privacy Policy
  • Cookie Policy
  • Member Preferences
  • About AdChoices
  • E-commerce Links
  • Your California Privacy Rights

Our Network

  • Computerworld
  • Network World


10 benefits of security performance metrics for CISOs

There are multiple metrics CISOs can use to improve the effectiveness of security efforts and demonstrate key business alignment, among other benefits.

business leader presenting to colleagues

Measuring security performance may not sound like the most exciting exercise on the CISO's agenda, but the right metrics can deliver significant value to security leaders and go a long way to helping them tackle a diverse set of challenges. The intersection of modern security and business means there are multiple metrics that CISOs can use to not only measure and improve the effectiveness of their security efforts but also demonstrate valuable strategic alignment with an organization, among numerous other benefits.

However, to get true value from any security performance metrics, it's important that CISOs avoid drowning in metrics that lack meaning or context, focusing on those that show how security is enabling the business.

There are thousands of things that can be measured in terms of security performance, and it takes serious time, effort, and resources to extract those measurements and report on them, says Richard Absalom, principal research analyst at the Information Security Forum (ISF). "The important thing to always consider is: Why are we measuring this? How is this measurement helping? What is the question that it can help to answer? If the measurement does not help to answer something that the stakeholder/decision-maker needs to know, it is likely to be ignored."

CISOs need business-relevant, risk-focused, and -- most critically -- evidenced-based metrics, Brian Contos, CSO at Sevco Security, tells CSO. "The highest priority areas that require metrics include business continuity, regulatory compliance, asset protection, operational efficiencies, and business mission enablement."

Here are 10 benefits that the right security performance metrics can offer CISOs:

1. Objective decision-making

Incident response metrics -- such as mean time to detect (MTTD) and mean time to respond (MTTR) -- offer quantitative data that helps CISOs make objective decisions. "By tracking and analyzing key security indicators, CISOs can prioritize efforts, allocate resources, and focus on areas that need the most improvement," says Frank Kim, fellow at the SANS Institute and lead of the Cybersecurity Leadership Curriculum.

2. Demonstrate ROI

Security investment metrics -- such as the percentage of key business initiatives with embedded security processed -- allow CISOs to demonstrate the return on investment (ROI) of security initiatives to executive leadership and stakeholders. This helps to justify budgets and investments by showing how these efforts contribute to risk reduction and incident prevention. "Regarding risk, it's not cyber risk that stakeholders are concerned with; it's the business risk from cyber," Contos says. More specifically, it's risks associated with revenue, brand, operations, and environmental, social, and governance, he adds.

3. Effective communication

Security awareness metrics -- such as the percentage of business units with regular ambassador program engagement -- help convey whether an organization is building a security-aware and risk-aware culture, providing "a common language for communicating security risks and improvements to non-technical stakeholders," Kim says. CISOs can use metrics to explain the effectiveness of security measures and the overall security posture of the organization, something that has traditionally been a challenge for a lot of security leaders.

Bear in mind, CISOs that present very technical metric readouts to the board many times miss the mark as board members cannot contextualize them, says Fred Rica, partner at accounting and consulting firm BPM and former head of KPMG's cyber practice "Telling the board you've blocked 100,00 events at the firewall is meaningless. Board members need to be asking (and CISOs need to be answering) three simple questions: What are we doing? Is it enough? How do we know?"

4. Risk assessment

Vulnerability management metrics -- such as the window of exposure -- help CISOs better understand an organization's risk profile, and by monitoring trends and identifying potential vulnerabilities, they can proactively address security threats before they escalate.

"Ultimately, vulnerability management is about addressing the broken windows and unlocked doors of an enterprise, Kim says. "These metrics convey how long these doors are potentially open for and serve to roll up day-to-day operational activities like scanning coverage, time to analyze and prioritize, as well as time to patch," he adds.

5. Continuous improvement

Security process improvement metrics -- such as the percentage of incidents with the same repeat root cause -- track progress over time, enabling CISOs to set specific goals. "This data-driven approach helps drive continuous improvement in security practices and fosters a culture of accountability," Kim says. These risk-based metrics can then make their way into annual reports, corporate governance documents, and committee charters, as they should because security is strategic to the business, says Contos.

6. Benchmarking

Security maturity metrics -- such as capability maturity scores -- can be compared with industry benchmarks like the various Center for Internet Security (CIS) Benchmarks , or even past performance, to help CISOs understand how their organization fares in terms of security maturity. This information can guide the development of realistic security targets and strategies.

For the board, the five pillars of the NIST Cybersecurity Framework often seem to resonate, Absalom says. Security leaders should look for indicators and metrics that help to answer how well the organization:

  • Identifies threats and assets at risk.
  • Protects identified assets.
  • Detects threat events.
  • Responds to detected events.
  • Recovers from incidents and limits their impact.

7. Regulatory compliance

As many regulations and standards require organizations to report on specific security metrics, having compliance metrics -- such as the percentage of systems compliant with necessary standards or regulations -- readily available makes it easier to meet compliance requirements, and avoid potential penalties, Kim says.

8. Early detection of issues

Threat detection metrics -- such as the number of incidents detected by internal versus external entities or false positive/negative rates -- can serve as early warning signs of potential security incidents or weaknesses in the security infrastructure. CISOs can proactively address these issues to prevent larger-scale breaches.

9. Resource optimization

Resource utilization metrics -- such as the percentage of time spent on proactive versus reactive security tasks -- can enable CISOs to identify areas of inefficiency or redundant security controls, leading to better resource allocation and cost optimization. This can prove crucial to helping security leaders manage the much-maligned cybersecurity skills shortage.

A recent report from the Department for Science, Innovation and Technology (DSIT) found that half of UK businesses are suffering from a basic cybersecurity skills gap, with a third battling more advanced skills shortages in relation to aspects of security such as forensic breach analysis, storing or transferring personal data, or detecting and removing malware.

10. Building trust

Security transparency metrics -- such as the number of security incidents communicated to the business or feedback scores from internal stakeholders on security communication -- can enhance the level of trust between the security team and other business units. When the effectiveness of security measures is quantified and communicated transparently, it boosts confidence in the security program, says Kim.

Related content

Suspected london’s met police data breach potentially exposes sensitive officer, staff information, how financial institutions can reduce security and other risks from mras, cyber-awareness education is a change-management initiative, stressed out and overwhelmed, secops teams struggle to keep up, from our editors straight to your inbox.


Michael Hill is the UK editor of CSO Online. He has spent the past 8 years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author

Nist publishes draft post-quantum cryptography standards, calls for industry feedback, immuniweb releases mobile neuron to scan for owasp mobile top 10 vulnerabilities, ios/android weaknesses, trulioo enhances identity verification with “person match” intelligent routing, most popular authors.

business continuity management metrics

  • Cynthia Brumfield Contributing Writer

Show me more

Cyberthreats are taking center field.


How international cybersecurity frameworks can help CISOs


Hacking the future: Notes from DEF CON's Generative Red Team Challenge


CSO Executive Sessions Australia with Eugene Ostapenko, Head of Information Security, Risk and Compliance at illion Australia and New Zealand


CSO Executive Sessions / ASEAN: IDC's Christian Fam on the state of digital trust in APAC


CSO Executive Sessions / ASEAN: Eddie Hau on Sunway Group’s cybersecurity strategy


Sponsored Links

  • dtSearch® - INSTANTLY SEARCH TERABYTES of files, emails, databases, web data. 25+ search types; Win/Lin/Mac SDK; hundreds of reviews; full evaluations
  • Tomorrow’s cybersecurity success starts with next-level innovation today. Join the discussion now to sharpen your focus on risk and resilience.

Business Continuity Management Statistics 2023 - Everything You Need to Know

WebinarCare is led by Steve Bennett, a seasoned expert in the business world. He's gathered a team that's passionate about giving you reliable advice on everything from starting a business to picking the right tools. We base our tips and guides on real-life experience, ensuring you get straightforward and proven advice. Our goal is to make your business journey smoother and more successful. When you choose WebinarCare, you're choosing a trustworthy guide for all things business.

Are you looking to add Business Continuity Management to your arsenal of tools? Maybe for your business or personal use only, whatever it is – it’s always a good idea to know more about the most important Business Continuity Management statistics of 2023. My team and I scanned the entire web and collected all the most useful Business Continuity Management stats on this page. You don’t need to check any other resource on the web for any Business Continuity Management statistics. All are here only 🙂 How much of an impact will Business Continuity Management have on your day-to-day? or the day-to-day of your business? Should you invest in Business Continuity Management? We will answer all your Business Continuity Management related questions here. Please read the page carefully and don’t miss any word. 🙂

On this page, you’ll learn about the following:

Business Continuity Management Software Statistics

Best business continuity management statistics.

  • This is followed by the loss of power (35%), software failure (34%), data corruption (24%), external security breaches (23%), and accidental user error (20%). [0]
  • 29.2 percent of organizations rely on a software based disaster recovery solution. [1]
  • 3 44% of organizations plan to implement or expand/upgrade their existing implementation of GRC or risk management software. [2]
  • This trend is changing, as 40% are now using dedicated business continuity planning software, which is “essential for complex organizations, particularly those with limited staff, and with the growing importance of BC to business operations and strategy.”. [2]
  • Followed by the loss of power (35%), software failure (34%), data corruption (24%), external security breaches (23%), and accidental user error (20%). [3]
  • Hardware failures cause 45% of total unplanned downtime. [0]
  • According to Backblaze, the failure rate for hard drives in Q1 of 2020 was 1.07%, the lowest figures on record. [0]
  • In 2020, the average rate of hard drive failure was 0.93% (pretty consistent with 2019 failure rates which were 0.92%). [4]
  • Among companies that reported downtime incidents, 45% of them said it was due to hardware failure. [5]
  • According to Dynamic Technologies, hardware failures cause 45% of total unplanned downtime. [3]

Business Continuity Management Latest Statistics

  • 75% of small businesses have no disaster recovery plan objective in place. [0]
  • 96% of companies with a trusted backup and disaster recovery plan were able to survive ransomware attacks. [0]
  • 93% of companies without Disaster Recovery who suffer a major data disaster are out of business within one year. [0]
  • 22% of folders are not protected in any way. [0]
  • According to the 2019 Global Data Risk Report by Varonis, 22% of all folders used by a company are open to everyone. [0]
  • E.g. 80% of companies with 1 million+ folders have 50,000+ folders open to everyone. [0]
  • According to Datto “An hour of downtime costs £6,038 for a small company, £55,851 for a medium company and £528,325 for a large enterprise.”. [0]
  • 51% of companies have no plans for how to address this type of emergency. [0]
  • Whilst 85.0% of respondents report ISO certification increased their organisation’s resilience, over a quarter (27.5%). [0]
  • According to figures from Datto, just one hour of downtime can cost $10,000 for small businesses. [4]
  • In a survey highlighted by DataCore, 54% of businesses said they had experienced a downtime incident in the past five years that lasted at least eight hours. [4]
  • Data from FEMA shows that 90% of businesses fail within a year if they are unable to get back up and running within 5 days after a disaster. [4]
  • In 2020, 28% of breaches affected small businesses, according to data from Verizon’s Data Breach Investigations Report. [4]
  • Most breaches were linked to attacks on web applications (roughly 43%). [4]
  • Also, not surprisingly, 83% of these attacks were financially motivated. [4]
  • A 2020 survey found that 51% of companies across the globe don’t have a business continuity plan. [4]
  • The COVID 19 pandemic demonstrated just how vulnerable a large percentage of businesses were, and a report by the Economic Times underscores the value of having a business continuity plan. [4]
  • Statistics for 2020 found that 70% of attacks on small businesses were perpetrated by external factors. [4]
  • but what’s perhaps more frightening is this means the other 30% are perpetrated by internal personnel or third parties that have authorized access to systems. [4]
  • A survey conducted in March 2020 found that 75% of companies suffered a supply disruption in the early days of the pandemic. [4]
  • Furthermore, an October survey found 90% of businesses, across all industries, believe the disruption of global supply chains will have long lasting impacts on their businesses. [4]
  • A recent survey found that approximately 33% of all folders used by a company are open to everyone. [4]
  • Data breaches are a problem that nearly all organizations face, and 45% of them suffer a breach due to successfully being hacked. [4]
  • According to the latest business continuity statistics, 84% of businesses currently store data and backups in the cloud, and additional 8% plan to do so within the next year. [4]
  • Ransomware has become one of the leading causes of operational downtime, affecting 1 in 5 small businesses, according to Datto. [4]
  • Companies that faced attacks suffered, on average, 16.2 days of downtime, according to ZD Net, and the costs associated with this downtime are increasing at an alarming rate. [4]
  • Furthermore, 24% of those surveyed expect their data to be recovered in under 10 minutes after a disaster. [4]
  • One third (29%). [4]
  • Of those surveyed, 31% said they don’t have the right resources or budget. [4]
  • 2021 was the busiest year for climate disasters according to the analysis of NOAA/NCEI data by climate control. [6]
  • Downtime costs have risen 32% in the past 7 years. [6]
  • Currently, for 44% of enterprises, 1 hour of downtime costs over $1 million. [6]
  • 33% of folders are not protected in any way, providing easy access for cybercriminals. [6]
  • FEMA estimates that 75% of SMBs do not have a disaster recovery plan. [6]
  • 93% of small enterprises have adopted the cloud. [6]
  • 84% of businesses store backups in the cloud. [6]
  • 75% of data loss is caused by human error. [6]
  • 1) 54% of companies have experienced prolonged downtime Operational downtime can happen to any company, at any time. [5]
  • 40 to 60% of small companies do not survive a major disaster. [5]
  • FEMA found that 20% of companies have no disaster recovery planning in place. [5]
  • Stats highlighted by show that only 2% of surveyed businesses recovered from their last downtime in less than hour. [5]
  • 28% of companies reported a data loss event in the previous 12 months. [5]
  • Data breaches overwhelmingly occur at small businesses a staggering 43%, according to numbers from Verizon’s Data Breach Investigations Report. [5]
  • According to figures from Seagate, 22% of downtime events are caused by human errors, including inadvertent data loss, device mismanagement and other accidents. [5]
  • Seagate found that only 5% of business downtime is caused by natural disasters. [5]
  • According to figures from Datto, the costs of ransomware caused downtime have increased by 200% over the past year. [5]
  • 37% of small to mid sized businesses reported losing the data in the cloud, due to incidents such as accidental data loss, overwrites, ransomware and other causes. [5]
  • 93% of businesses that were unable to recover their data within 10 days after the disaster were forced to file for bankruptcy within a year. [5]
  • In a survey, 70% of businesses admitted “that a single loss in data could have a significant and costly impact on the business.”. [5]
  • Figures highlighted by Avast show that 60% of data backups are incomplete. [5]
  • To make matters worse, 50% of backup restores fail. [5]
  • Above, we mentioned how 20% of businesses have no DRP or business continuity plan. [5]
  • 43% of companies that experience a major data loss event go out of business if they don’t have any recovery planning in place. [5]
  • 96% of businesses are able to fully restore their operations after a data loss incident if they have disaster recovery solutions in place. [5]
  • Maximum costs in 2016 were estimated at $2.4 million, up 39 percent from the costs reported in 2013. [1]
  • Mean costs increased by 36.6 percent between 2010 and 2013, then jumped up another 7.2 percent in 2016. [1]
  • Cybercrime rose from 2 percent of outages in 2010 to 18 percent in 2013 to 22 percent in the latest study. [1]
  • This translates into an increase of 12% compared to 2016. [1]
  • In 2016, the Emerson study shows a duration of 130 minutes for total unplanned outages, which is 9% more than in 2013. [1]
  • The costs also went up 5% to $946,788. [1]
  • Only 30 percent reported to having a fully documented disaster recovery strategy in place. [1]
  • 32.1 percent reported to having a plan that outlines the specific business critical applications and components that need to be recovered. [1]
  • 33 percent revealed that their disaster recovery plan proved inadequate when deployed in response to an outage. [1]
  • 15.4 percent didn’t even consider a fully documented plan applicable to their situation. [1]
  • Following an outage 35 percent of organizations lost at least one mission critical application – 11.7 percent for hours at a time. [1]
  • 24.3 percent lost multiple mission. [1]
  • 18.8 percent lost most or all of their data center functions. [1]
  • 12.1 percent loss data that could not be recovered. [1]
  • 36.7 percent suffered no financial loss 18.3 percent lost $1000 to $6000 10 percent loss $50,001 to $100,000 3.3 percent loss 100,001 to 500,000 2.1 percent loss more than $5 million. [1]
  • 25.9 percent of recovery efforts consumed staff time that impacted the business. [1]
  • 13.8 percent of recovery costs the company money that wasn’t included in the budget. [1]
  • 42.9 percent of organizations report to use a remote disaster recovery site that mirrors most of their primary site. [1]
  • 20.4 percent of organizations use a secondary site that is not similar to the their primary disaster recovery site. [1]
  • 53 percent reported to not backing up their data on a daily basis. [1]
  • 32 percent of IT administrators cited that backing up every day is not an efficient use of their time. [1]
  • 23 percent of IT administrators felt that conducting frequent backups was either unnecessary, or unwarranted based on the amount of data in their possession. [1]
  • In contrast, 10 percent of IT administrators cited having too much data as the main reason they don’t backup on a daily basis. [1]
  • 75 percent of organizations claimed that daily backups threaten workplace productivity. [1]
  • 32 percent of IT administrators admitted that their organizations do not test their backup systems on a regular basis. [1]
  • By industry, the healthcare field is considered to be among the most negligent as an alarming 66 percent of respondents. [1]
  • Ironically, time is the aspect that can stand to be improved as roughly 50 percent of organizations would prefer their existing backup solutions to be faster or more efficient. [1]
  • 14 percent want their backup solutions to be more affordable. [1]
  • 6 percent want a more secure backup solution. [1]
  • Another 6 percent want their backup solution to be managed by a third. [1]
  • 39 percent of organizations that developed their own comprehensive BCM framework recovered all mission critical business processes according to predefined RTOs and RPOs, or while only experiencing minor problems. [1]
  • 12 percent of Level 5 organizations experienced significant problems in recovering one or more mission. [1]
  • In contrast, only 13 percent of organizations with no BCM framework in place were able to recover all mission critical processes according to predefined recovery objectives. [1]
  • 15 percent of Level 1 organizations experienced significant problems in recovering one or more mission. [1]
  • Overall, business continuity management programs improve disaster recovery rates by as much as 17 percent. [1]
  • By 2019, Gartner predicts that 35 percent of organizations with BCM programs that lack maturity will endure major problems recovering one or more mission critical business processes. [1]
  • This is a 17 percent increase compared to 2015. [1]
  • In 2015, 52 percent of business leaders revealed that their companies planned to allocate more resources to business continuity and disaster recovery solutions. [1]
  • 75% of small businessesdo NOT have a disaster planin place, but 52% say it would take at leastthree months to recoverfrom a disaster. [7]
  • 2.90% of smaller companies fail within a yearunless they can resume operations within 5 days after a disaster. [7]
  • 3.4060% of small businesses never re open their doorsfollowing a disaster. [7]
  • Only 56 percent of US and Canadian businesses surveyed have a business continuity plan that addresses overseas risks. [8]
  • A new industry survey has found that of those who responded the largest group estimated that the costperminute of downtime in their organization fell into the £10,000. [8]
  • Databarracks research finds that only 30 percent of small organizations had a business continuity plan in place, compared with 54 percent of medium and 73 percent of large businesses. [8]
  • Buyers of a median price home are looking at a monthly mortgage payment that is almost 50% higher than it was a year ago.’. [9]
  • The 30 year mortgage rate dips slightly to 5.1%. [9]
  • Employee productivity (62%). [2]
  • Employee safety (29%) Competitive differentiation (29%) Brand and reputation (28%). [2]
  • Enhancing the quality, availability, and timeliness of risk data (79%) Enhancing risk information systems and technology infrastructure (68%). [2]
  • Financial institutions rank their top ERM program priorities as 6 Collaboration between business units and the risk management function (66%). [2]
  • Managing increasing regulatory requirements and expectations (61%) Establishing and embedding the risk culture across the enterprise (55%). [2]
  • Boards devote a relatively small amount of their meeting time to risk management about 9% on average. [2]
  • Only 6% of directors believe their organization’s board is effective at managing risk. [2]
  • 16 65% of organizations are operating “reactive” or “basic” policy management programs. [2]
  • 15 Credit unions in the U.S. face a combined $6.1 billion in annual regulatory costs, or about 15% of operating expenses. [2]
  • More than half (51.75%). [2]
  • 7 56% of organizations lack a formal program for assessing the BC readiness of third parties. [2]
  • Only 27% of organizations rank their BC program maturity as a 4 or 5 out of 5, according to COBIT maturity level definitions. [2]
  • The remaining 73% fall into maturity levels 0­–3. [2]
  • The projected percent change in employment from 2020 to 2030. [10]
  • The average growth rate for all occupations is 8 percent. [10]
  • The percent change of employment for each occupation from 2020 to 2030. [10]
  • It’s easy to assume a downtime event will never happen to your company, but the truth is more than 50% of companies have experienced a downtime event that lasted a full workday in the last five years. [11]
  • Of the companies that experienced a major data disaster, 96% of those that had a disaster recovery plan survived while 93% of those that didn’t were out of business within one year. [11]
  • This happens to almost 17% of companies, often costing millions of dollars. [11]
  • Yet, 75% of small businesses have no disaster recovery plan objective in place. [3]
  • 93% of companies without Disaster Recovery who suffer a major data disaster are out of business within one year. [3]
  • 96% of companies with a trusted backup and disaster recovery plan were able to survive ransomware attacks. [3]
  • More than 50% of companies experienced a downtime event in the past five years that longer than a full workday. [3]
  • 40 60% of small businesses who lose access to operational systems and data without a DR plan close their doors forever. [3]
  • 96% of businesses with a disaster recovery solution in place fully recover operations. [3]
  • 20% of those came from ransomware attacks. [3]
  • More than 50% of businesses don’t have the budget to recover from the attack. [3]
  • Human error is the number one cause of security and data breaches, responsible for 52 percent of incidents. [3]
  • Only 52% receive cybersecurity policy training once a year. [3]
  • It was reported that in 2018, malware attacks increased by 25 percent. [3]
  • Cryptojacking attacks are increasing by over 8000% as miners exploit the computing power of unsuspecting victims. [3]

I know you want to use Business Continuity Management Software, thus we made this list of best Business Continuity Management Software. We also wrote about how to learn Business Continuity Management Software and how to install Business Continuity Management Software. Recently we wrote how to uninstall Business Continuity Management Software for newbie users. Don’t forgot to check latest Business Continuity Management statistics of 2023.

  • sysgroup – .
  • storagecraft – .
  • quantivate – .
  • phoenixnap – .
  • invenioit – .
  • invenioit – .
  • icorps – .
  • dewittguam – .
  • continuitycentral – .
  • marketwatch –—global-trends-top-players-analysis-business-statistics-emerging-technologies-regional-overview-growth-segments-and-key-countries-forecast-to-2029-2023-03-02 .
  • bls – .
  • fssi-ca – .

In Conclusion

Be it Business Continuity Management benefits statistics, Business Continuity Management usage statistics, Business Continuity Management productivity statistics, Business Continuity Management adoption statistics, Business Continuity Management roi statistics, Business Continuity Management market statistics, statistics on use of Business Continuity Management, Business Continuity Management analytics statistics, statistics of companies that use Business Continuity Management, statistics small businesses using Business Continuity Management, top Business Continuity Management systems usa statistics, Business Continuity Management software market statistics, statistics dissatisfied with Business Continuity Management, statistics of businesses using Business Continuity Management, Business Continuity Management key statistics, Business Continuity Management systems statistics, nonprofit Business Continuity Management statistics, Business Continuity Management failure statistics, top Business Continuity Management statistics, best Business Continuity Management statistics, Business Continuity Management statistics small business, Business Continuity Management statistics 2023, Business Continuity Management statistics 2021, Business Continuity Management statistics 2023 you will find all from this page. 🙂 We tried our best to provide all the Business Continuity Management statistics on this page. Please comment below and share your opinion if we missed any Business Continuity Management statistics.

Leave a Comment Cancel reply

Save my name, email, and website in this browser for the next time I comment.


  1. Business Continuity Management System

    business continuity management metrics

  2. Kpi Business Continuity Management

    business continuity management metrics

  3. Business Continuity Management

    business continuity management metrics

  4. Laife Reply BCM to keep business running

    business continuity management metrics

  5. Ja! 17+ Sannheter du Ikke Visste om Construction Business Continuity

    business continuity management metrics

  6. Business Continuity Management

    business continuity management metrics


  1. How Metric Empowers Businesses

  2. 5 Critical Business Metrics

  3. Demand Management

  4. 128 Business Continuity Management

  5. Why Metrics Review Is So Important For Your Business

  6. Business Continuity Plan


  1. Working Toward a Managed, Mature Business Continuity Plan

    These metrics can be indicators of progress and, at times, even precursors to other events, meaning they could be used for many purposes, even planning capacity upgrades. ... (ISO)/International Electrotechnical Commission (IEC), ISO/IEC 22301:2019 Security and resilience—Business continuity management systems—Requirements, Switzerland ...

  2. How to Measure Your Business Continuity Performance

    KPDs are metrics that reflect the factors or inputs that contribute to or influence your BCP performance, helping you understand the root causes and drivers of your BCP outcomes and identify...

  3. Metrics that Matter in Business Continuity & Disaster Recovery

    There are 7 important BC/DR metrics that you should be tracking to grow and measure recovery plans: Recovery Time Objectives (RTO) Recovery Point Objectives (RPO) The number of plans that cover each critical business process The amount of time since each plan was updated The number of businesses processes that are threatened by a potential disaster

  4. What Is Business Continuity?

    Business continuity is a process-driven approach to maintaining operations in the event of an unplanned disruption such as a cyber attack or natural disaster. Business continuity planning covers the entire business—processes, assets, workers, and more. It isn't focused solely on IT infrastructure and business systems.

  5. Business Continuity: The Only Guide You Will Need

    Business continuity management (BCM) teams are critical to the design and implementation of business continuity plans. ... and maximum tolerable data loss (MTDL) are two of the most important metrics of any business continuity plan, and are reflected in the business continuity SLAs related to each critical business process and/or function ...

  6. PDF Measurement matters

    2 Measurement matters - A BSI whitepaper for business Executive summary ••The business continuity standard ISO 22301 recognizes the importance of having accurate performance information •The standard lays down requirements for "monitoring, measurement, analysis and evaluation"

  7. 101 business continuity metrics…

    Published: 24 January 2020 Jon Seaton, chair of the Scottish Chapter of the BCI, looks at the subject of business continuity metrics, exploring why they are necessary and how to determine which metrics are required at different levels in the organization.

  8. Business Continuity Management Program Solutions Reviews and ...

    Gartner defines business continuity management program solutions as the primary tools used by organizations to manage all phases of the business continuity management (BCM) life cycle, from planning to crisis activation. BCMP solutions provide capabilities for availability risk assessment, business impact analysis (BIA), business process and ...

  9. Business Continuity Metrics: All you need to know!

    Introduction Business continuity metrics are performance measures used to assess the effectiveness and efficiency of an organization's business continuity planning and management...

  10. The metrics struggle: creating metrics for a BC or DR program

    After years struggling with tracking metrics for a disaster recovery program, the authors of this article came across a metric tracking system used by a peer which was successfully modified for DR use. ... Having worked in emergency management, business continuity, and disaster recovery for over two decades combined I've always taken the ...

  11. The BCM Trident: 3 KPIs That Sharpen Your Continuity Program

    August 2, 2018 King Neptune gets power from his three-pronged trident, and those of us who work in business continuity can gain power from what I call the BCM Trident. That is, the three key performance indicators (KPIs) that can help you understand and improve your business continuity program. These 3 KPIs are soundness, risk, and value.

  12. You're Doing It Wrong: BCM Metrics

    Most BCM professionals believe taking quantitative measures of key aspects of your program (BCM metrics) over time is key to understanding and improving it. As I explain in my ebook 10 Keys to a Peak-Performing BCM Program (available for free download here), there are three reasons metrics are key to the performance of any process:

  13. The Essential 3 Elements of a High-Functioning BCM Plan

    The cornerstone of that is the business continuity management (BCM) plan. A BCM plan is the base for most BCM processes and consists of three distinct sections: an emergency response plan, a crisis management plan and an operational recovery plan. ... 4 Steps to Boost Property Risk Narrative With Metrics That Win Over C-Suite

  14. 3 Key Metrics for Business Continuity Program Success

    Understanding Business Continuity Program Metrics 1. Operational Compliance As discussed above, operational metrics only tell part of the story. But they are still a foundational starting point for measuring the progress of your business continuity program. At the very least you should be tracking progress at the business unit or plan level for:

  15. 15 Business Continuity Program Metrics You Should Be Using

    Program metrics: A comprehensive metrics process consistent with organizational and industry best practices, standards, and guidelines has been implemented to monitor and measure the...

  16. Business Continuity Metrics

    You should - sound metrics help business continuity professionals communicate the true capabilities of their continuity management programs by defining program milestones, expected results, and other much needed data.

  17. The Metrics System: How to Use Metrics to Improve Your BCM Program

    This post assumes that you are familiar with business continuity metrics, that you know which metrics are make-work versus which ones are meaningful, and that your organization has compiled a comprehensive set of data on its BCM program and organizational resilience.


    BCMMETRICS™ is a robust suite of tools designed to give you clarity within your BCM program. Compliance Confidence Get "FICO-like" scores of your program's alignment with industry standards. Detailed Reporting on: Program Compliance Industry Standards Alignment Risk-Based Auditing & Reporting Program Benchmarking Find Out More BCM Planner

  19. ISO 22301:2019(en), Security and resilience ? Business continuity

    0.1 General. This document specifies the structure and requirements for implementing and maintaining a business continuity management system (BCMS) that develops business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption.

  20. Creating meaningful business continuity management programme metrics

    This truism is also useful to business continuity practitioners as they continually strive to prove the value of their organisation's investment in a business continu … Creating meaningful business continuity management programme metrics J Bus Contin Emer Plan. 2010 Nov;4(4):360-7. Author Brian Strong 1 ...

  21. Business Continuity Management Software Solutions

    MetricStream Business Continuity Management software, built on the MetricStream Platform, empowers enterprises to execute and manage an effective business continuity and disaster recovery (DR) program.

  22. Business Continuity & Disaster Recovery Metrics Defined

    Business Continuity Program Metrics Done Right. Business Continuity Management metrics are just one piece of a successful continuity program. With our online business continuity software suite, BCMMetrics™, you can easily and effectively assess your organization's levels of compliance and risk and access tools that can help you build a ...

  23. 10 benefits of security performance metrics for CISOs

    Here are 10 benefits that the right security performance metrics can offer CISOs: 1. Objective decision-making. Incident response metrics -- such as mean time to detect (MTTD) and mean time to ...

  24. PDF Integrating Business Continuity Criteria into Your Supply Chain

    sustainable basis with the client's business continuity management strategy. ! Continuity Strategy and Approach: as defined herein refers to the metrics ... business continuity metrics in the procurement process should be related to the key elements of the procurement process. Incorporating the recommended business continuity capability

  25. Business Continuity Management Statistics 2023

    Overall, business continuity management programs improve disaster recovery rates by as much as 17 percent. [1] By 2019, Gartner predicts that 35 percent of organizations with BCM programs that lack maturity will endure major problems recovering one or more mission critical business processes. [1] This is a 17 percent increase compared to 2015. [1]