The DORA research programme has transformed how engineering teams measure software delivery performance. Its four core metrics—deployment frequency, lead time for changes, change failure rate, and mean time to restore—have become the industry standard for evaluating DevOps maturity. Yet these metrics were derived from organizations with cloud-native architectures and minimal regulatory constraints, leaving a critical blind spot for enterprises operating in highly regulated sectors.
For teams in banking, healthcare, utilities, or government, the DORA framework provides an incomplete picture. While it accurately assesses the technical delivery pipeline, it fails to account for operational sustainability—the factor that often determines whether an SRE programme thrives or collapses under regulatory pressure. Introducing a fifth metric can bridge this gap, offering a more nuanced understanding of SRE maturity in environments where compliance and operational efficiency must coexist.
How DORA’s Metrics Fall Short in Regulated Environments
The limitations of the DORA Four are not flaws in the research itself, but rather structural gaps that emerge when applied to regulated contexts. These environments impose constraints that distort the meaning of traditional performance benchmarks, making them misleading as diagnostic tools for SRE maturity.
Reevaluating Deployment Frequency Beyond Absolute Benchmarks
DORA defines elite performance as on-demand or multiple daily deployments. In regulated enterprises, this benchmark is unattainable due to mandatory compliance processes. Change Advisory Boards (CABs) impose review cycles, regulatory freeze windows restrict changes during critical periods (such as year-end financial reporting or healthcare accreditation cycles), and utilities face audit windows that limit deployment opportunities.
For example, a financial institution deploying weekly—due to mandatory CAB reviews—would be classified as a low performer under DORA’s absolute benchmarks. Yet this classification obscures the fact that the team is operating at elite efficiency within its regulatory constraints. The missing insight lies in normalized deployment frequency: how often an organization deploys relative to the windows available to it. An organization that maximizes every permitted deployment window demonstrates elite performance, regardless of absolute frequency.
Dissecting Lead Time to Reveal Hidden Bottlenecks
DORA’s lead time metric measures the duration from code commit to production deployment. In cloud-native settings, this is primarily driven by CI/CD pipeline efficiency. In regulated environments, however, the metric is heavily influenced by non-technical factors such as CAB review cycles, regulatory approval timelines, and documentation requirements.
Consider a team with a two-day CI/CD pipeline and a five-day CAB review cycle, resulting in a seven-day lead time. Reducing the CI/CD pipeline by half only cuts total lead time by 14%, while halving the CAB review cycle reduces it by 36%. Without decomposing lead time into its technical and process components, the DORA metric offers no guidance on where to prioritize improvements. Regulated teams need a way to distinguish between engineering inefficiencies and compliance-driven delays to allocate resources effectively.
Expanding Change Failure Rate to Include Compliance Risks
DORA’s change failure rate (CFR) focuses on technical failures requiring remediation after deployment. In regulated enterprises, this definition overlooks a critical dimension: compliance failures. A deployment may execute flawlessly from a technical standpoint but still trigger regulatory violations, such as breaching data residency requirements, failing to meet notification obligations, or creating audit findings.
For instance, a healthcare system might deploy a change that inadvertently exposes patient data to an unauthorized jurisdiction, violating HIPAA regulations. While the deployment itself may not fail technically, the resulting compliance failure could lead to regulatory fines, mandatory remediation programs, or reputational damage. The DORA metric provides no visibility into these risks, leaving teams unaware of potential long-term consequences.
Rethinking Mean Time to Restore Under Regulatory Constraints
DORA’s mean time to restore (MTTR) measures the time from service degradation to restoration. In regulated environments, restoration is only the first step in a longer compliance timeline. For example, a financial institution restoring service within twelve minutes must still notify its primary regulator within two hours, document the root cause within ten days, and potentially submit a formal incident report.
Moreover, the fastest technical remediation path may not align with compliance requirements. Rolling back a database schema change might restore service in minutes, but it could also create gaps in audit trails or violate regulatory record-keeping mandates. The DORA MTTR reflects not engineering capability but the friction between technical and compliance constraints, offering no insight into which factor is the real limiting constraint.
Introducing the Fifth Metric: Operational Sustainability Ratio
The structural gap in the DORA framework is its failure to measure operational sustainability—the ratio of engineering investment to operational burden that determines whether an SRE programme will thrive or stagnate. In regulated enterprises, this ratio is influenced by factors such as compliance overhead, audit frequency, regulatory scrutiny, and the complexity of maintaining audit-ready systems.
The proposed fifth metric, Operational Sustainability Ratio (OSR), is defined as:
OSR = (Engineering Investment) / (Operational Burden)Where:
- Engineering Investment includes time, resources, and tools dedicated to improving reliability, automation, and efficiency.
- Operational Burden encompasses compliance tasks, audit preparations, regulatory reporting, and manual interventions required to maintain systems in a compliant state.
A high OSR indicates that an organization is effectively balancing engineering innovation with operational demands, while a low OSR suggests that compliance overhead is stifling progress. By tracking this metric alongside the DORA Four, regulated SRE teams can identify where to invest resources to maximize both technical performance and long-term sustainability.
Closing the Measurement Gap for Future-Ready SRE Programmes
The DORA Four remain essential for evaluating software delivery performance, but they are not sufficient for regulated enterprises. The structural limitations of these metrics become apparent when teams operate under compliance-driven constraints that distort traditional benchmarks. Introducing the Operational Sustainability Ratio provides a complementary lens, enabling teams to measure not just how efficiently they deliver software, but also how sustainably they maintain it within regulatory frameworks.
As industries continue to face increasing regulatory scrutiny, the ability to balance high-performance delivery with compliance will become a defining factor in SRE success. By adopting a more comprehensive measurement framework, regulated enterprises can avoid the quiet demise of SRE programmes and instead build systems that are both technically robust and operationally sustainable. The future of SRE in regulated environments will belong to those who recognize that performance and compliance are not opposing goals, but complementary disciplines requiring equal attention.
AI summary
DORA’nın dört temel metriği yazılım dağıtım performansını ölçmede etkili olsa da, bankalar ve sağlık sistemleri gibi sıkı düzenlemelere tabi sektörlerde yeterli değildir. Operasyonel sürdürülebilirliği ölçmek için beşinci bir metrik öneriyoruz.
