Measuring, Reporting, and Improving: Making Resilience Tangible and Accountable

EDITOR’S NOTE: This article is part of a seven-part “Cross-Departmental Resilience Framework” series by Scott Balentine of Methodist Le Bonheur Healthcare. The series offers a practical roadmap for embedding resilience across governance, operations, and culture.

***

A continuity plan sitting on a shelf provides little assurance of resilience. What matters is whether organizations can demonstrate that their strategies work, that they are tested, and that corrective actions are tracked. Measurement transforms resilience from an abstract concept into quantifiable performance.

Global frameworks emphasize the importance of measurement. The ISO 22301:2019 standard requires organizations to establish methods for “monitoring, measurement, analysis and evaluation” of business continuity performance. The NIST SP 800-34 Contingency Planning Guide underscores the need for testing, analysis, and corrective actions to strengthen contingency plans. The NIST Cybersecurity Framework 2.0 integrates “govern” as a function, requiring boards and executives to oversee resilience outcomes, not merely activities.

Measurement, reporting, and improvement are therefore the final step in ensuring resilience is real, not rhetorical.

Why Measurement Matters

Accountability

Metrics ensure resilience is not left to chance or anecdote. They provide boards and regulators with evidence of progress, reinforcing accountability at the executive and governance levels. A resilience strategy that cannot be measured cannot be trusted.

Resource Allocation

Resilience requires investment in technology, training, and processes. Without measurement, leaders cannot prioritize effectively. Metrics highlight where resources yield the greatest return, such as identifying departments with chronic recovery delays or gaps in testing coverage.

Continuous Improvement

Resilience is not static. Every incident and exercise provides data that can feed back into governance structures. Metrics allow organizations to learn from disruptions, adjust plans, and increase maturity over time.

Case Studies

Norsk Hydro: Transparency in Recovery

In 2019, Norsk Hydro was struck by the LockerGoga ransomware attack. Instead of minimizing the incident, Hydro provided public updates on recovery progress, costs, and corrective actions. This transparency, underpinned by internal measurement systems, preserved trust among customers, regulators, and the public. Hydro’s leaders tied lessons learned directly to governance, using post-incident metrics to refine future continuity and security investments. The organization’s resilience maturity improved because it embedded measurement into both internal improvement and external communications.

UK Financial Conduct Authority: Mandated Measurement

The FCA’s PS21/3 operational resilience policy requires financial firms to identify “important business services,” define impact tolerances, and provide evidence of testing against severe but plausible scenarios. Firms must demonstrate corrective action tracking and closure. By embedding measurement into regulatory compliance, the FCA effectively raised the bar: resilience is no longer about producing plans but about proving outcomes with evidence.

Southwest Airlines: Absence of Metrics

By contrast, Southwest Airlines’ 2022 holiday meltdown exposed the dangers of failing to measure resilience. The airline’s outdated scheduling system lacked performance metrics to identify stress limits. During the disruption, leaders could not report clear recovery timelines, leaving employees and passengers without reliable updates. The absence of measurement compounded reputational damage and led to a $140 million fine from the US Department of Transportation. Southwest’s failure illustrates how the absence of metrics can turn a technical issue into an existential reputational crisis.

Framework Foundations

ISO 22301

ISO 22301 mandates measurement of continuity performance, corrective action tracking, and management review as core requirements. Organizations must document how they evaluate resilience effectiveness and provide evidence to auditors and regulators.

NIST SP 800-34

NIST’s guidance stresses analyzing test results, identifying deficiencies, and updating contingency plans accordingly. The emphasis is on learning from both exercises and real incidents, ensuring plans evolve with organizational needs.

NIST CSF 2.0

The updated CSF includes governance as a central function. Boards and executives are accountable for overseeing resilience outcomes, not simply the existence of policies. Communication of measurement results to stakeholders is considered essential.

Actionable Steps for Measuring, Reporting, and Improving

Defining KPIs & KRIs

The first step in strengthening measurement is to define resilience key performance indicators (KPIs) and key risk indicators (KRIs). These metrics should evaluate outcomes rather than simply tracking activities, ensuring performance reflects actual readiness. Useful examples include the time taken to reach decisions during crises, recovery times compared with established impact tolerances, the percentage of important business services tested each year, the proportion of corrective actions closed within defined deadlines, and levels of employee confidence in resilience as measured through surveys. Together, these indicators create a comprehensive picture of organizational capability.

Resilience Dashboards

Once metrics are defined, they should be consolidated into a resilience scorecard. This scorecard, ideally reviewed on a quarterly basis by the resilience council and executive leadership, serves as a single source of truth for the organization. By bringing together multiple measures of progress, risks, and gaps in one place, the scorecard ensures accountability, simplifies oversight, and provides decision-makers with a clear understanding of resilience maturity.

Transparent Reporting

Measurement alone is not enough without transparency. Organizations must establish reporting practices that make resilience performance visible to boards, regulators, and, when appropriate, customers. Sharing outcomes openly not only demonstrates accountability but also builds trust and credibility. Transparent reporting reduces speculation during disruptions and provides stakeholders with confidence the organization is actively managing its risks.

Continuous Improvement

Building continuous improvement loops is also essential. After every incident or exercise, organizations should conduct an after-action review to capture lessons learned. Findings should be documented in a centralized platform, with corrective actions assigned to clear owners and deadlines. Closure rates should be tracked and progress reviewed regularly in governance meetings. This feedback process transforms exercises and incidents from isolated events into drivers of long-term improvement.

Benchmarking

Benchmarking adds further value by aligning internal measurement with external standards. Organizations should compare their resilience metrics against requirements such as ISO 22301, functions within the NIST Cybersecurity Framework, and sector-specific expectations like the FCA’s PS21/3.

Benchmarking helps identify gaps and ensures resilience practices keep pace with global best practices and regulatory obligations.

Technology can play a pivotal role in supporting measurement and improvement. Governance, risk, and compliance (GRC) platforms, for example, automate the collection of data, track corrective actions, and generate dashboards. Automation not only improves data quality and reduces manual errors but also enables real-time reporting that supports agile decision-making during crises.

Resilience Metrics Must be Dynamic

Finally, organizations must recognize that resilience metrics cannot remain static. As risks evolve and business models change, the indicators used to measure readiness must adapt. For instance, as organizations migrate critical services to the cloud, resilience metrics should expand to include vendor availability, latency, and failover testing. Without such evolution, metrics risk creating a false sense of security. Updating indicators ensures measurement reflects current realities and keeps resilience strategies aligned with emerging threats and opportunities.

Challenges and Mitigations

One challenge organizations often encounter when measuring resilience is metric overload. In the effort to capture every detail, leaders may track too many indicators, creating complexity that dilutes focus and makes it difficult to interpret results. When measurement becomes excessive, the signal gets lost in the noise. The solution is to select a small, meaningful set of outcome-based metrics that are tied directly to critical business services and board-level priorities. This focused approach ensures measurement drives action rather than distraction.

Data quality issues present another barrier. Inconsistent, incomplete, or inaccurate reporting undermines the credibility of resilience metrics and can erode trust among executives, regulators, and stakeholders. If data cannot be relied upon, decision-makers are left without a solid foundation for resource allocation or performance evaluation. To address this, organizations should automate data collection where possible, assign clear ownership for data inputs, and standardize definitions across departments. These practices strengthen consistency and create a more accurate picture of resilience performance.

Cultural resistance can also slow progress. Departments may be hesitant to share performance data for fear it will be used to assign blame, leading to a lack of transparency. This resistance undermines the effectiveness of measurement by concealing weaknesses that need attention. To mitigate this, leaders should frame measurement as an opportunity for learning and improvement rather than punishment. By communicating that resilience metrics are intended to strengthen the organization as a whole, leaders can encourage openness and collaboration.

Finally, short-termism remains a persistent challenge. Under financial or operational pressure, leaders may deprioritize resilience measurement in favor of immediate results. This short-sighted approach leaves organizations vulnerable, as it undermines the long-term capability to withstand and recover from disruptions. The best mitigation is to tie resilience outcomes directly to regulatory obligations and reputational protection. By linking measurement to compliance requirements and the preservation of stakeholder trust, leaders reinforce the long-term value of resilience and keep it on the strategic agenda.

Benefits of Measuring, Reporting, and Improving

One of the key benefits of resilience measurement is stronger governance. Boards and senior executives require evidence to evaluate the maturity and effectiveness of resilience programs, and well-structured metrics provide that visibility. By reviewing measurable outcomes rather than relying on anecdotal reports, boards can hold leadership accountable and ensure resilience remains a strategic priority.

Measurement also supports informed investment. When leaders have access to reliable data, they can prioritize resources toward the areas of greatest impact. Instead of spreading funding evenly or making decisions based on assumptions, organizations can direct investment to the services, processes, or technologies most critical to continuity. This targeted approach ensures resilience spending delivers maximum value.

Another benefit lies in regulatory compliance. Standards such as ISO 22301, NIST frameworks, and financial regulations like the FCA’s PS21/3 require organizations to provide evidence of resilience testing and performance. By maintaining structured measurement and reporting processes, organizations not only meet these regulatory expectations but also reduce the risk of penalties and reputational damage associated with non-compliance.

Organizational learning is also advanced through measurement. After-action reviews and corrective action tracking ensure exercises and real incidents become catalysts for continuous improvement. Instead of treating disruptions as isolated events, organizations use data to refine playbooks, close gaps, and enhance overall maturity. Over time, this feedback loop strengthens resilience across all functions.

Finally, transparent reporting fosters stakeholder trust. Regulators, investors, employees, and customers all expect organizations to demonstrate accountability during disruptions. When organizations share resilience outcomes openly and honestly, they build credibility and reinforce confidence in their ability to withstand crises. Transparency in measurement transforms resilience from an internal exercise into a public commitment to reliability and stability.

Conclusion

Resilience is proven through evidence. Plans and tools are necessary, but without measurement, organizations cannot know whether they will succeed under pressure. Case studies from Norsk Hydro, the FCA, and Southwest Airlines show that measurement is the dividing line between maturity and failure. Frameworks such as ISO 22301, NIST SP 800-34, and NIST CSF 2.0 offer guidance, but leadership commitment to measurement and accountability is what sustains resilience over time.

Measurement, reporting, and continuous improvement close the resilience loop. They ensure preparedness is not aspirational but demonstrable, transforming resilience from rhetoric into reality. Organizations that embrace these practices strengthen governance, optimize resources, and preserve stakeholder trust—ensuring they are ready not only to withstand disruption but to emerge stronger from it.

ABOUT THE AUTHOR

Scott Balentine

Scott Balentine, MBA, MHA, FACHE, PMP, CBCP, CCRP, is a disaster recovery program manager at Methodist Le Bonheur Healthcare. He is a seasoned healthcare executive with more than 20 years of experience in healthcare administration and operations. At Methodist Le Bonheur Healthcare, Balentine leverages his extensive background in strategic planning, financial management, and operational efficiency to drive organizational success. Balentine has held various leadership roles in Memphis area healthcare organizations, where he was instrumental in implementing transformative initiatives to enhance service quality and operational performance. Balentine’s expertise spans multiple facets of healthcare management, including disaster recovery, IT management, and business operations. He is known for his strategic vision, collaborative approach, and dedication to fostering a culture of continuous improvement. Balentine is passionate about mentoring emerging leaders and contributing to the advancement of the healthcare industry. He is a member of the DRJ Editorial Advisory Board.
