Q&A: The Value of Metrics
Q. You say that designing a metrics program is “not about numbers.” What do you mean by that?
A. Simply counting isn’t metrics. It’s just the first step in a process of digging into the data to find the root causes and connect the dots. What is the significance of 46 background investigations processed in one month versus 37 the month before? In this simple example, there are multiple stories to be told that can contribute directly to reduced risk, efficiency, workplace safety, and opportunities for engaging internal customers. A good program can tell a story about a reduction in screening staff, for example, with relevant facts and data.
Q. What is the most important piece of advice you can offer someone who is designing a metrics program for his or her company?
A. There is a business axiom that states, “If you are not measuring, you are not managing.” Measuring how well people, processes, and programs are performing in preventing and responding to risks confronting the enterprise is the essence of putting that axiom into action. Have a clear understanding of what must be measured and then embed, validate, and maintain the processes to do it. The book contains a metrics program self-assessment to evaluate current programs. A six-step construction process for building a program follows the assessment.
Q. How important is the presentation of the data?
A. We have all seen a presentation that totally confused or failed to inform. Good metrics are reliable, actionable, and tell a story. Effectively summarize a clear, supportable conclusion. The purpose of metrics is to advise, persuade, sell, and drive action. We are in the serious business of using our knowledge to reduce and prevent risk and enable the business. When we have an opportunity to share the results of this work, we need to present it in ways that will engage the audience with verifiably reliable data that will influence action. Every company has developed a style and content format for their business metrics. Find out who is doing it well in the company and get their ideas on your presentation.
Q. What business drivers are pushing the need for better metrics?
A. There are four that should be at the heart of every program. First, risks related to business operations are big variables, so being able to measure change from a desirable to an undesirable state of risk is critical. Second, from a governance perspective, the ability to measure conformance with corporate values and policy helps engage senior management. Given the global regulatory business environment, a related third is the ability to measure compliance with regulations and accepted security standards. Fourth, from a performance perspective, the ability to measure the success or failure of past and current security program investments has to be a priority. If you carefully look at the implications and reach of these drivers, they clearly link to the success of the security program.
George Campbell, Emeritus faculty member at the Security Executive Council—a consulting firm specializing in security-risk mitigation—discusses his new book, Measuring and Communicating Security’s Value, published by Elsevier and available in the ASIS Bookstore.