How Mature Is Your Business Continuity Program? by: Scott Ream Pages: 26-30; January, 2002



Similar documents
Business Continuity Maturity Model

CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM

Business Continuity in Healthcare

Adopting a Continuous Integration / Continuous Delivery Model to Improve Software Delivery

Using the Business Continuity Maturity Model To Gain Executive Approval. June 20, 2006

Where is Your Print Strategy? An IDC interactive document, sponsored by HP

The Business Continuity Maturity Continuum

Business Continuity / Disaster Recovery Context

DEVELOPING AN EFFECTIVE INTERNAL AUDIT TECHNOLOGY STRATEGY

Supply Chain Maturity and Business Performance: Assessment and Impact

DATA QUALITY MATURITY

Make Global Recruiting a Winning Strategy

Making the Transition to MSP 2.0

Is Business Continuity Certification Right for Your Organization?

Introduction to Strategic Supply Chain Network Design Perspectives and Methodologies to Tackle the Most Challenging Supply Chain Network Dilemmas

Successfully identifying, assessing and managing risks for stakeholders

IBM index reveals key indicators of business continuity exposure and maturity

Fortune 500 Medical Devices Company Addresses Unique Device Identification

FFIEC Cybersecurity Assessment Tool

The Resilient IT Infrastructure

Integrated Risk Management:

4G LTE Wireless Local Loop:

Business Analyst to Business Architect

Making A Case For Project Management

IT Risk & Security Specialist Position Description

Business Continuity Trends, Requirements and Expectations in Brian Zawada (MBCP) Director of Consulting Services Avalution Consulting

The IBM Data Governance Council Maturity Model: Building a roadmap for effective data governance

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

BC / DR Implementation Tying Disaster Recovery Investment to Measurable Business Value

OPTIMUS SBR. Optimizing Results with Business Intelligence Governance CHOICE TOOLS. PRECISION AIM. BOLD ATTITUDE.

Finding, Fixing and Preventing Data Quality Issues in Financial Institutions Today

Training Programs for Enterprise-Wide Change

CFA Institute Contingency Reserves Investment Policy Effective 8 February 2012

The Role of Internal Audit In Business Continuity Planning

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Strategic Plan for the Enterprise Portfolio Project Management Office Governors Office of Information Technology... Ron Huston Director

Survey of more than 1,500 Auditors Concludes that Audit Professionals are Not Maximizing Use of Available Audit Technology

ISO 22301: Societal Security Terminology ISO 22313: BCMS Guidance ISO 22398: Exercises and Testing - Guidance

Agile Master Data Management TM : Data Governance in Action. A whitepaper by First San Francisco Partners

AICPA Discussion Paper - Enhancing Audit Quality, Plans and Perspectives for the U.S. CPA Profession

Global and US Trends in Management Consulting A Kennedy Information Perspective

Cost of Poor Quality:

Business Continuity Standards A Primer

BIM Pilot Getting Started Guide. For Construction Professionals. next

The IBM data governance blueprint: Leveraging best practices and proven technologies

GOVERNANCE DEFINED. Governance is the practice of making enterprise-wide decisions regarding an organization s informational assets and artifacts

The Cybersecurity Journey How to Begin an Integrated Cybersecurity Program. Version 1.0 March 2005

Victorian Government Risk Management Framework. March 2015

fs viewpoint

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Creating an Effective Mystery Shopping Program Best Practices

Measuring your most important Asset: Human Capital

OCC 98-3 OCC BULLETIN

4 Testing General and Automated Controls

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management

The PMO as a Project Management Integrator, Innovator and Interventionist

IT Governance. What is it and how to audit it. 21 April 2009

Three proven methods to achieve a higher ROI from data mining

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

Project Services. How do we do it?

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Armchair Quarterbacking in Sales Organizations

IT Service Management. The Role of Service Request Management

EMC PERSPECTIVE. Adopting an Agile Approach to OSS/BSS Development

Revenue Cycle Management: What s Next in Healthcare

Global Headquarters: 5 Speen Street Framingham, MA USA P F

Auditing the Unthinkable: Business Continuity and Disaster Recovery. Agenda

Creating the Strategy that Drives Your CRM Initiative. Debbie Schmidt FIS Consulting Services

A Capability Model for Business Analytics: Part 2 Assessing Analytic Capabilities

Much attention has been focused recently on enterprise risk management (ERM),

TELUS Business Continuity Program past and future

Start Anywhere and Go Everywhere with Cloud Services for HR

Your asset is your business. The more challenging the economy, the more valuable the asset becomes. Decisions are magnified. Risk is amplified.

IT Operations Managed Services A Perspective

BUSINESS PLAN. 2012/13 to 2014/15 LAND TITLE AND SURVEY AUTHORITY OF BC

Camber Quality Assurance (QA) Approach

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

Serena Dimensions CM. Develop your enterprise applications collaboratively securely and efficiently SOLUTION BRIEF

PRESENTATIONS BY Mr. Richard Sanchez CIO, Chief Information Office Los Angeles County. December 2, 2010

Scheduling Process Maturity Level Self Assessment Questionnaire

Monetary Authority of Singapore BUSINESS CONTINUITY MANAGEMENT GUIDELINES

How Technology Supports Project, Program and Portfolio Management

SAP BUSINESSOBJECTS SUPPLY CHAIN PERFORMANCE MANAGEMENT IMPROVING SUPPLY CHAIN EFFECTIVENESS

What You Need to Know About Cloud Backup: Your Guide to Cost, Security, and Flexibility

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

September IFAC Member Compliance Program Strategy,

The optimization maturity model

5. SOCIAL PERFORMANCE MANAGEMENT IN MICROFINANCE 1

Introduction to Business Continuity Planning

New supervisory guidance on model Overview, analysis, and next steps

Best practices in project and portfolio management

ITPMG. February IT Performance Management: The Framework Initiating an IT Performance Management Program

RESEARCH PAPERS FACULTY OF MATERIALS SCIENCE AND TECHNOLOGY IN TRNAVA SLOVAK UNIVERSITY OF TECHNOLOGY IN BRATISLAVA

Transcription:

Source: Article Title. How Mature Is Your Business Continuity Program? January, 2002: pp 26-30. Reprinted with permission from Witter Publishing Corp. Content contained on www.contingencyplanning.com. How Mature Is Your Business Continuity Program? by: Scott Ream Pages: 26-30; January, 2002 Be it under the banner of disaster recovery, contingency planning, or business continuity management, the discipline of business protection has been around for over 40 years. And yet today, the discipline still lacks many of the sophisticated tools that would allow business continuity professionals to objectively measure the maturity of a company's business continuity program. For instance, consider the following scenario: The business continuity manager for an international manufacturer is responsible for directing the company's business continuity management (BCM) program. While management talks about the importance of assuring business continuity, to date the company's program is not much more than an ad hoc effort by a few departments who willingly give the business continuity manager their time and attention. The manager knows that her company's BCM program is not as strong as it could be, and she has a good idea of where she would like the program to be. But how does she demonstrate to senior management that there is a deficiency in the current program and show them the "evolutionary path" she knows will lead to better recoverability across the enterprise? Several years ago, Jerry Klawitter, the manager of Investment Banking BCM Americas for JP Morgan Chase, faced just such a scenario. He needed a way to objectively benchmark his BCM program against other firms in the investment banking industry. While speaking with his consultants, he expressed an interest in researching what, if any, tools were available at the time. Several "capabilities maturity models" existed for various disciplines, including software development. However, for the business continuity field, nothing had yet been developed. The opportunity to build one appeared worth pursuing, and the idea for a Business Continuity Management Maturity Model was born. BCM as a Sustainable Business Process The first consideration was to determine what factors most significantly influence the development of a sustainable BCM program. It was determined that for a BCM program to be sustainable, it must be implemented as a business process. Other enterprisewide business processes can be highly sustainable when implemented effectively, e.g., budgeting and personnel performance evaluations. The common success factors of such implementations include: Enterprisewide commitment, driven from the top down, and the recognition that it is the responsibility of every manager to be knowledgeable and accountable for the implementation of these processes (budgeting and personnel) within his or her functional area The existence of a dedicated corporate department or group, staffed with professionals deeply knowledgeable in the business discipline, functioning as internal consultants, trainers, and facilitators who support the management team and their staff in the execution of their individual responsibilities

The development of a companywide infrastructure that reinforces the value and importance of the discipline, including the presence of well-articulated company policy, the integration of specific performance measurements in the company's management incentive and audit programs, the development of a skills competency baseline, a competency development program, and a variety of communications vehicles that keep the message in front of the management team on a consistent basis Applying these factors to the implementation of a sustainable BCM program, the following Program Basics emerged: The commitment of senior management to drive and fund the BCM program, grounded in the corporate recognition that responsibility for BCM rests with every manager in the organization The availability of professional business continuity personnel to manage, deliver, and administer a program that adheres to accepted best practices The application of prudent and practical business continuity governance supported by a properly implemented infrastructure Tracking a Program's Maturity With the basic ingredients for establishing a sustainable program identified, the evolutionary path for the emergence of this BCM program as it matures could now be characterized. It was determined that this path should articulate how the BCM program matures from simple participation to complex interactions between participants. Based on comparisons with a variety of successful enterprise BCM program implementations, the following milestones along this evolutionary path came to light: Milestone 1 All departments across the enterprise have been included in the BCM program. All the Program Basics described above are now in place and the enterprise has completed an appropriately scaled program launch that distributes BCM responsibility across all departments. Every critical business function is covered by a business continuity plan. Milestone 2 The participants have gained expertise with and confidence in BCM principles. They are able to develop, write, and test more complex plans. Risk assessment, business impact analysis, and mitigation activities have become familiar exercises. Critical multidepartmental aspects of the business are now being integrated into the business protection strategy. Milestone 3 The BCM program now encompasses the full scope of the business and keeps pace with change in the organization. Enterprise business processes are protected through appropriately structured cross-functional recovery plans and risk mitigation programs. Creative new continuity strategies are identified, evaluated, and utilized as appropriate. These milestones and program ingredients fit into a six-level maturity development sequence (Figure). Levels One through Three represent organizations that have not yet completed the necessary Program Basics needed to launch a sustainable enterprise BCM program. Levels Four through Six represent the evolutionary path of the maturing enterprise BCM program.

Level 1: Self-Governed Business continuity management has not yet been recognized as strategically important by senior management. There is no enterprise governance or centrally coordinated support function. If the company has a BCM policy, it is not enforced. Individual business units and departments are "on their own" to organize, implement, and self-govern their business continuity efforts. The state of preparedness is generally low across the enterprise. Level 2: Supported Self-Governed At least one business unit or corporate function has recognized the strategic importance of business continuity and has begun efforts to increase executive and enterprisewide awareness. At least one internal or external BCM professional is available to support the business continuity efforts of the participating business units and departments. The state of preparedness may be moderate for participants but remains relatively low across the majority of the company. Senior management may see the value of a BCM program but they are unwilling to make it a priority at this time. Level 3: Centrally Governed Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices, and processes to which they have commonly agreed. (Note: this is not necessarily an enterprise BCM policy.) A BCM program office or department has been established, which centrally delivers BCM governance and support services to the participating departments and/or business units. Audit findings from these participants are being used to reinforce competitive and strategic advantage for their groups. Senior management interest is being piqued. Interest in leveraging the work already done is being promoted as a business driver for launching a BCM program. Several business units and departments have achieved a high state of preparedness. However, as a whole, the enterprise is at best moderately prepared. Senior management, as a group, has not yet committed the enterprise to a BCM program, although they may have a project under way to assess the business case for it. Level 4: Enterprise Awakening Senior management understands and is committed to the strategic importance of an effective BCM program. An enforceable, practical BCM policy has been adopted. A BCM program office or department has been created to govern the program and support all enterprise participants. Each group has acquired its own and/or utilizes the central BCM professional resources. BCM policy, practices, and processes are being standardized across the enterprise. A BCM competency baseline was developed and a competency development program is under way. All critical business functions have been identified and continuity plans for their protection have been developed across the enterprise. Departments conduct "unit tests" of critical business continuity plan elements. All business continuity plans are updated routinely. Level 5: Planned Growth All business units and departments have completed tests on all elements of their business continuity plans, and their plan update methods have proven to be effective. Senior management has participated in crisis management exercises. A multiyear plan has been adopted to continuously "raise the bar" for planning sophistication and enterprisewide state of preparedness. An energetic communications and training program exists to sustain the high level of business continuity awareness following a structured BCM competency maturity program. Audit reports no longer highlight business continuity shortcomings. Examples of

strategic and competitive advantage achieved from the BCM program are highlighted in periodic enterprise communications. Business continuity plans and tests incorporate multidepartmental considerations of critical enterprise business processes. Level 6: Synergistic All business units have a measurably high degree of business continuity planning competency. Complex business protection strategies are formulated and tested successfully. Cross-functional coordination has led participants to develop and successfully test upstream and downstream integration of their business continuity plans. Tight integration with the company's change control methods and continuous process improvement keeps the organization at an appropriately high state of preparedness, even though the business environment continues to change radically and rapidly. Innovative policy, practices, processes, and technologies are piloted and incorporated into the BCM program. Note that at each level companies may progress to the next level or, if they lose momentum, fall back one or more levels. As with any business process, if the supporting infrastructure is removed or significantly diminished, the effectiveness of the BCM program will deteriorate and with it the company's state of preparedness. Why Should Management Buy In? The key to other maturity models is the fundamental business value derived by the organization as it progresses up the scale (e.g., reduced errors, faster delivery, and improved on-time, on-budget performance). Within the BCM Maturity Model, self-governing (Levels 1-2) can work, but without the infrastructure investment it will not be sustainable, and cross-functional recovery strategies will be more difficult to implement. Why would business management be interested in reaching Level 6 to become synergistic? Integrating BCM into existing business processes minimizes rework, mitigates risk by becoming part of normal business thinking, reduces the scale of the core BCM program function, and promotes interoperability across integrated business functions. Through wider acceptance, use, and refinement, this BCM Maturity Model can be of significant benefit to the business continuity profession at large. The model can be used by professionals to address some key questions raised by their managers, such as: Where are we now? What level of BCM program maturity do we currently possess? What is the target we are shooting for? What does a mature BCM program look like? What evolutionary path do we want to follow to get there? What level of BCM program maturity do we want to achieve next? The model can also be used in other ways, such as: 1. A concept tool helpful in persuading senior management to invest appropriate resources in establishing a sustainable BCM program 2. A benchmark measurement tool for any organization looking to evaluate how their efforts compare with others in their industry, geographic region, or other relevant classification 3. An evaluation tool that can be used by auditors and insurers to objectively assess the effectiveness of an organization's state of preparedness, leading to more accurate risk assessment and program direction As business continuity management continues to evolve over the next 40 years, many

breakthroughs in technology, practices, and other business tools will undoubtedly occur. In these post September 11 times, business continuity is gaining broader support. Through recognition of BCM's value as a sustainable enterprise business process, continued diligence and forbearance on the part of business continuity practitioners, and an effort to further standardize terminology, methods, and practices by all those within the field, these gains will continue. About the Author Scott Ream is president and founder of Virtual Corporation. He can be reached at (800) 944-VIRT or via e-mail at SReam@virtual-corp.net. BCM Maturity Model is a trademark of Virtual Corporation. The Maturity Model in Action In May 2000, Virtual Corporation hosted the opening morning breakfast at the CPM 2000 Conference & Exhibition. Over 250 attendees responded to an interactive questionnaire comprised of 21 targeted questions designed to uncover the essence of the respondents' BCM programs. Of course, as with any survey exercise the results are subject to deviation. However, the aggregate results were remarkable, and industry aggregates were the most telling. Looking at these statistics (Figure, below), one notices that the results reflect higher maturity levels in most industries than experience would suggest. For example, 66 percent of all respondents were at Level 4 and above, which seems unreasonably high. The banking and telecommunications industries have historically led other industries in BCM maturity for a variety of reasons, including the presence of government regulation mandating certain business continuity requirements. For these reasons, companies in the banking and telecommunications industries generally demonstrate BCM maturity levels of 3 and above. Most other industries, however, tend to score lower, at Level 3 and below. Why were the survey results so positive? Perhaps this is explained by the fact that the CPM conference attracts companies that have an active interest in business continuity. In fact, many attendees are certified business continuity professionals. This level of personal and corporate commitment is a key ingredient in building a sustainable BCM program.

Participate in Maturity Model Research Projects Three projects are currently under way, for which participants are being sought: 1. In preparation for an updated Baseline Study for 2002, a survey questionnaire is currently being tested via Virtual Corporation's Web site, www.virtual-corp.net. To participate in the survey, go to the site and click on "BCM Maturity Model Survey." Your answers will be evaluated and a determination of where your organization is within the BCM Maturity Model will be calculated. You then will be asked to respond to a number of related questions to assess the accuracy of the calculation. The outcome of this research will greatly strengthen the quality of the survey used for the 2002 Baseline Study. 2. Virtual Corporation is mapping degrees of competency in each subject area of the complete DRI/BCI Professional Practices Guideline to corresponding levels in the BCM Maturity Model. Individuals interested in helping with this project are asked to e- mail Scott Ream at SReam@virtual-corp.net. 3. Virtual Corporation recently established a live discussion database at www.virtualcorp.net (click on "BCM Maturity Model Discussion"). The primary objective of this discussion database is to explore how the BCM Maturity Model can be utilized and refined.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information