A few days back Lee Spencer posted a comment on my “1 year on” post. He posed a question about the tools and techniques needed to measure resilience as an emergent property (i.e. without actually having a disaster to bring it out).
It seems that Lee is not the only one feeling the need for measurement.
Around the same time the ITIL Skeptic posted an article on Capability Maturity Modelling. While he is primarily talking about measuring IT operations (more tangible than an emergent property) he makes an excellent point how we often confuse processes and practices.
Capability Maturity Modelling (CMM) is really about measuring the maturity of your management of a process, rather than your maturity to execute the process.
As Rob points out you can make a process repeatable (and therefore measure maturity) but you cannot do this for a practice. So is CMM really applicable? The same would certainly apply with the concept of resilience – which is perhaps more practice (and theory) than it is process.
That presents an interesting intellectual challenge for me …
Recently I was appointed to the ASIS Organizational Resilience Maturity Model (ORMM) Technical Committee, so I guess I will be having to think a lot about how we can apply Capability Maturity Modelling to resilience. It will be an interesting experience I think, and I will update you as the work of this group proceeds in the New Year.
CERT have also released a paper on “Measuring Operational Resilience Using the CERT Resilience Management Model“. I posted about their model back in February 2010, which drew fairly quick fire from one of the authors – unfortunately he never answered my follow up questions. This measurement paper has just been released.
The CERT Model is very process-oriented, but it does include some ‘practices’ (perhaps they use a different meaning). I haven’t read it yet, but would expect to find some good metrics here for the areas included in the CERT view of operational resilience (security, BC and IT Operations).
There a range of other aspects of resilience outside of the CERT model, and we need to look elsewhere to be able to measure these.
Of course you could look at the benchmarking exercise that the Resilient Orgs folks did in NZ, this includes a number of dimensions they use for measuring resilience.
Welcome to the Resilience Observatory!
This is the first post in a series to develop ideas around how to measure progress towards resilience, I hope this will generate some (preferably a lot) of discussion – the more ideas the better.
My starting thoughts reflect a concept I outlined in various earlier posts;
- resilience needs a balance of Art and Science – currently we are too focussed on the Science
- so we need to find a balance of measures that mix both Art and Science
- that will mean using some commonly accepted metrics
- and it will mean creating some of your own metrics
- it will also mean that the process-police and pseudo-science bigots may scoff at some of the metrics
Remember, it is not innovation if everybody else is already doing it.
Got any immediate ideas for measuring resilience?
What key metrics are you using?