Properly implemented in its accepted sense, BCM offers assurance to stakeholders that their investment in continuity keeps risks at levels they can accept. Inevitably, if any part of this commitment breaks down, then there is a chance that governance will not be satisfied – simple enough, but clearly a bad thing.

So, are we doing enough to manage continuity? It’s a loaded question, since in most organisations the metrics needed to provide an unequivocal answer simply don’t exist. Similarly, stakeholders have no BCM-friendly way of stating what level of risk or protection-related spend is acceptable for them. Rarity and secrecy compound this, leaving few factual weapons at our disposal.

Can we justify increased expenditure?

---

This has important ramifications for BCM practitioners; it implies that ours may be labelled a ‘soft’ discipline whose value to the organisation is hard to pin down, making it vulnerable to undervaluation, budget cuts and squeezes. It makes it difficult for us to justify increases in expenditure or change; it provides minimal factual data to place before executives to show we are delivering great value, or that we need more budget. It suggests that if we don’t measure our achievements in BCM objectively, we may undermine our ability to manage it effectively.

All is not lost; there are a small but increasing number of BCM industry groups appearing; these are usually closed groups of like-minded organisations who meet periodically to discuss, develop and share best practice. They provide participants (often large firms) with a view of where they stand relative to each other. Positioning like this is important, particularly as stakeholders may have strong views on where the organisation stands in terms of its risk return on investment.

But what about the rest of us – what can we do to fill this seemingly important void? It appears that many of us would benefit from a reliable independent source of information about our position in BCM as a whole, relative to our peer groups and highlighting our own areas of strength and weakness relative to those groups e.g. “is it us, or is awareness characteristically low across our sector?” External measurements like these would help us manage our position, making clear to executives that BCM is a relevant and important business concern.

Significantly, the same management paradigms apply internally; BCM affects all areas and we need to know where weaknesses lie so they can be managed to an acceptable condition with due priority. Again, we need a way of measuring against a respectable and accepted standard, providing reliable information that assures us that what we are doing is right, and which helps us quantify shortfalls, prescribe treatments and justify investment. And, of course, it makes sense to draw on this information again as the basis for external measurement.

Self Assessment

---

If we do self-assess, remember it’s one thing being told how you scored, but another knowing what to do with the results. Interpretation can be challenging, since despite one-size-fits-all standards such as BS25999, there is no corresponding continuity panacea that fits all sectors, or satisfies all risk appetites. In some cases, the action required will be obvious, but currently you must decide what to do in the light of the organisation’s attitude to continuity risk or by referring to its BCM policy. A ‘how to do it’ guide linked to the assessment would be a valuable commodity.

To conclude, the discussion here shows that BCM needs objective measurement internally and externally to ensure stakeholders’ needs are properly met. We have shown it makes sense to do this against accepted external standards, couched in terms the organisation can relate to, and at a level that reflects its BCM maturity. We can also see how it should be possible to translate ‘what we did wrong’ into ‘what should we do now’ relative to the organisation’s appetite for continuity risk. But how can we make it all happen?

The BCI has grasped the nettle and produced an independent and evolving set of metrics that specifically support BCM practitioners worldwide. It provides a highly adaptable online assessment aligned with several national standards with reports that link to the BCI’s own 2007 Good Practice Guide, providing BC Managers with the factual data and resources they need to succeed.

Without an external reference like this, it’s possible that some of us may be left out in the open, exposed and not knowing if we are doing too much, or not enough to meet the organisation’s requirements.