Measuring Continuity Planning Program. Performance

Transcription

1 Measuring Continuity Planning Program Performance Carl B Jackson Director Crisis Management & Continuity Planning Resource Center (CMCPRC) Measuring Continuity Planning Program Performance Session Agenda How an enterprise-wide BCP program should be structured Business Continuity and Crisis Management Process Overview Two approaches to building metrics processes Utilizing and Enterprise Risk Management Approach Value Driver Based Utilizing the ISO Information Security Management System Standards Based Metrics Program Benefits and Recommendations

2 Enterprise-wide BCP Bus. Process Infrastructure & Approach Business Process Focused Risk Management/Analysis/BIA Continuity and Recovery Strategy ebusiness Uptime Requirements Benchmarking/Peer Analysis Metrics Business Process/Function/Unit Recovery Planning/Execution Teams Time-Critical Processing Resource Requirements Plan Development Plan Exercise Quality Assurance Change Management Business (requirements) Continuity Planning (BCP) Continuous Availability Continuous Operations Disaster Avoidance etechnologies Redundancy & Diversity Known Failover and Recovery Timeframes Crisis Management Planning (CM) Continuous Availability Technology and Communications IT Disaster Recovery Planning (DRP). Global Enterprise Crisis Management & Emergency and Response Team(s) Emergency Response Command Center Planning Awareness Training Communications Coordination Technology Infrastructure Recovery Planning and Execution Teams Strategy Implementation Assistance Plan Development Plan Exercise Quality Assurance Change Management Metrics Development Approach 1 - Base metrics on Enterprise Value Drivers

3 Value Drivers Risk Drivers Strategy Capability (most KPIs here) Implement Best Business Practices Manage Growth Drive Innovation Enterprise Risk Management Framework Risks Strategic Operational Stakeholder Financial Intangible Risk Strategy Assess Appetite Prioritize Treatment Approach BCP /EM Legal Risk Functions Internal Audit ERM Crisis Mgmt Risk Management Process Risk Strategy & Assess Appetite Assess Risk Risk Mgmt IT Security Organization Enterprise Risk Committee CRO or ERM Manager Culture Knowledge Mgmt Metrics Training Communication Tools RiskWeb Early Warning System Assessment and Quantification tools Control Cost Allocation of Capital Capability Functions Process Organization Culture Tools Enterprise- Wide Integration Program Strategy Develop Deploy Continuously Improve Treat Risk Monitor & Report Enterprise-wide Integration Strategic Planning Programs/PMO Processes Functions Risk Attributes Lifecycle Individual Portfolio Qualitative Quantitative Examples of Value Drivers Satisfaction Impact on external customers # of customers impacted Duration of impact People Loss/ access to private employee information Workforce endangerment Access to executive information, systems, etc Financial Cost Increase Revenue loss Intangible Proprietary information Damage to brand

4 If you can't measure it, you don't know it Identify/Monitor Identify/Monitor Enterprise Enterprise Value Value Drivers Drivers Financial Financial Increase Increase sales sales 10% 10% Decrease Decrease expenses expenses 8% 8% Increase Increase customer customer privacy privacy Increase Increase customer customer service service efficiency efficiency Metrics Development Process Define Define Metrics Metrics for for Linked Linked Components Components Financial Financial BIA BIA updated updated annually annually BCP BCP quality quality survey survey demonstrates demonstrates percentage percentage increase increase in in awareness awareness service service survey survey demonstrates demonstrates higher higher levels levels of of approval approval wait wait time time decreased decreased by by 13% 13% Define Define Value Value Driver Driver Linkages Linkages to to Program Program Components Components Financial Financial Business Business Impact Impact Assessment Assessment Process Process (drives (drives down down expenses expenses due due to to increased increased BCP BCP efficiencies) efficiencies) Recovery Recovery strategy strategy deployment deployment (redundant (redundant solutions solutions provide provide additional additional bandwidth) bandwidth) Metrics Development Time Line Phase 1/4 Phase 2/5 Phase 3/6 1. Identification of Value Drivers 2. Map Value Drivers to BCP Process Components 3. Develop Qualitative & Quantitative Metrics for linked components 4. Monitor/Modify Value Drivers 5. Map Value Drivers to BCP Process Components 6. Develop Qualitative & Quantitative Metrics for linked components T I M E

5 Metrics Development Method Identify & Define Value Drivers Executive Management motivation data gathering (customer satisfaction, financial, intangible, etc.) Timely business impact assessments are performed The Continuity Planning infrastructure was developed utilizing a methodological approach Emergency Response Procedures are: - Formalized - Address life safety considerations of both employees and outsiders - Located or posted in conspicuous locations throughout each facility - Operating personnel have received training within the past six months -Emergency Response Procedures are tested periodically (at least semi-annually) -Emergency Response actions are coordinated with Civil Authorities, internal facilities management, etc. -Updated at least semi-annually - Auditable and audited with no resulting significant criticisms Categorize Continuity Program Measurement Components Examples could include BCP Lifecycle Components (BIA, Emergency response Procedures, Crisis Management Teams, Documented Plans, Test Plans, Training, etc.) Continuity Program Measurement Criteria Metrics Development Approach 2 Base metrics on commonly recognized standards and practices (ISO for instance)

6 ISO 17799/27001 Scope ISO (should) is an International Standard that provides: recommendations for Information Security Management (133 control objectives) a common basis for developing organizational security standards and effective security management practices confidence in inter-organization dealings an organization cannot get certified against ISO ISO (shall) is an International Standard that provides management guidelines for implementing and managing the 133 control objectives utililizing a coordinated Information Security Management System (ISMS) approach: When properly implemented the ISMS provides auditable and certifiable proof as to the effectiveness of the ISMS and the 133 control objectives ISO assists us in how we manage information security for auditability and certification Base Standards on ISO27001 BCP Requirements ISO27001 Aspects of the Business Continuity Management Program Business Continuity Management Process Business continuity management processes shall be established to ensure uninterrupted of business activities. Business Continuity and Impact Analysis A comprehensive risk management process shall be applied to business processes Writing and Implementing Continuity Plans Business continuity plans shall ensure maintenance or timely recovery of business activities Business Continuity Planning Framework Business continuity plans shall have a single framework to facilitate the testing and review of plans Establish Testing, maintenance, and assessments for business continuity plans

7 ISO27001 BCP Framework Executive Policy Statement (Info Sec, Phy. Sec., BCP, etc.) Business Continuity Program - Charter Business Continuity Program Enterprise Standards/Processes Metrics BCP Program Framework BCP Policy & Charter Governance Scope Roles & Responsibilities Company Objectives The WHY BCP Standards/Processes Baseline Requirements Enterprise-Wide Synergy Repeatable Processes Consistency/Predictability The WHAT Legislative / Regulatory Compliance Executive Management Direction Enterprise-Wide Due Diligence Competitive Advantage ISO Alignment Predictable/Repeatable Industry Best Practices BCP Specifications Operating Area Established Operating Area Maintained Operating Area Defined Metrics The HOW

8 BUSINESS CONTINUITY SAMPLE METRIC CATEGORIES Objective Threshold Transactions Calls Equipment Required People Required Time to Recover Event Assessment BCP Framework - Gap Analysis Gap Analysis Process Same Process as ISMS Alignment with Standards Operating Area Specifications Operating Area Procedures Gap Remediation Critical and Highs Remediation Plans Gap Acceptance Formal Process & Signoffs Measurement Test Objectives vs. Results

9 Benefits of Metrics Can be used to reduce costs (insurance possibly) Can be used as an advantage in the marketplace Provides a map to where process improvement may be needed Provides oversight insight (audit, compliance) Recommendations Think in terms of how do you as a planner get management attention, buy-in and budget? One way is to develop and be measured against a set of metrics. How do you as a Continuity Planner demonstrate the value-add contributions of the enterprise continuity planning business process? Stay out of the weeds Don t focus on IT recovery only THINK Value-add contribution to the business/mission or Adherence to standards through periodic gap analysis. Focus on defining who the stakeholders are (corporations -shareholders, government-the people) What does the key stakeholder value from this organization? Break the BCP process down so we can make operational, manageable, and measurable decisions. Discuss and present in Executive Management terminology.