Measuring Continuity Planning Program Performance




Measuring Continuity Planning Program Performance
Carl B Jackson, Director, Crisis Management & Continuity Planning Resource Center (CMCPRC)

Session Agenda
- How an enterprise-wide BCP program should be structured
- Business Continuity and Crisis Management Process Overview
- Two approaches to building metrics processes:
  - Utilizing an Enterprise Risk Management Approach (Value Driver Based)
  - Utilizing the ISO 27001 Information Security Management System (Standards Based)
- Metrics Program Benefits and Recommendations

Enterprise-wide BCP: Business Process, Infrastructure & Approach

Business (requirements) Continuity Planning (BCP) - Business Process Focused
- Risk Management/Analysis/BIA
- Continuity and Recovery Strategy
- eBusiness Uptime Requirements
- Benchmarking/Peer Analysis
- Metrics
- Business Process/Function/Unit Recovery Planning/Execution Teams
- Time-Critical Processing Resource Requirements
- Plan Development, Plan Exercise, Quality Assurance, Change Management
- Continuous Availability: Continuous Operations, Disaster Avoidance, eTechnologies, Redundancy & Diversity, Known Failover and Recovery Timeframes

Crisis Management Planning (CM)
- Global Enterprise Crisis Management & Emergency Response Team(s)
- Emergency Response Command Center Planning
- Awareness, Training, Communications, Coordination

IT Disaster Recovery Planning (DRP) - Continuous Availability, Technology and Communications
- Technology Infrastructure Recovery Planning and Execution Teams
- Strategy Implementation Assistance
- Plan Development, Plan Exercise, Quality Assurance, Change Management
- Metrics

Metrics Development Approach 1 - Base metrics on Enterprise Value Drivers

Value Drivers, Risk Drivers, Strategy, Capability (most KPIs here): Implement Best Business Practices; Manage Growth; Drive Innovation

Enterprise Risk Management Framework
- Risks: Strategic, Operational, Stakeholder, Financial, Intangible
- Risk Strategy: Assess Appetite, Prioritize, Treatment Approach
- Risk Functions: BCP/EM, Legal, Internal Audit, ERM, Crisis Mgmt, Risk Mgmt, IT Security
- Risk Management Process: Risk Strategy & Assess Appetite, Assess Risk, Treat Risk, Monitor & Report
- Organization: Enterprise Risk Committee, CRO or ERM Manager
- Culture: Knowledge Mgmt, Metrics, Training, Communication
- Tools: RiskWeb Early Warning System, Assessment and Quantification tools, Control Cost, Allocation of Capital
- Capability: Functions, Process, Organization, Culture, Tools, Enterprise-Wide Integration
- Program Strategy: Develop, Deploy, Continuously Improve
- Enterprise-wide Integration: Strategic Planning, Programs/PMO, Processes, Functions
- Risk Attributes: Lifecycle, Individual, Portfolio, Qualitative, Quantitative

Examples of Value Drivers
- Satisfaction: Impact on external customers; # of customers impacted; Duration of impact
- People: Loss of/access to private employee information; Workforce endangerment; Access to executive information, systems, etc.
- Financial: Cost increase; Revenue loss
- Intangible: Proprietary information; Damage to brand

"If you can't measure it, you don't know it"

Metrics Development Process
1. Identify/Monitor Enterprise Value Drivers
   Financial: Increase sales 10%; Decrease expenses 8%; Increase customer privacy; Increase customer service efficiency
2. Define Value Driver Linkages to Program Components
   Financial: Business Impact Assessment Process (drives down expenses due to increased BCP efficiencies); Recovery strategy deployment (redundant solutions provide additional bandwidth)
3. Define Metrics for Linked Components
   Financial: BIA updated annually; BCP quality survey demonstrates percentage increase in awareness; service survey demonstrates higher levels of approval; wait time decreased by 13%

Metrics Development Time Line (Phase 1/4, Phase 2/5, Phase 3/6, repeating over time)
1. Identification of Value Drivers
2. Map Value Drivers to BCP Process Components
3. Develop Qualitative & Quantitative Metrics for linked components
4. Monitor/Modify Value Drivers
5. Map Value Drivers to BCP Process Components
6. Develop Qualitative & Quantitative Metrics for linked components

Metrics Development Method
- Identify & Define Value Drivers: Executive Management motivation; data gathering (customer satisfaction, financial, intangible, etc.)
- Categorize Continuity Program Measurement Components: examples could include BCP Lifecycle Components (BIA, Emergency Response Procedures, Crisis Management Teams, Documented Plans, Test Plans, Training, etc.)
- Continuity Program Measurement Criteria, for example:
  - Timely business impact assessments are performed
  - The Continuity Planning infrastructure was developed utilizing a methodological approach
  - Emergency Response Procedures are:
    - Formalized
    - Address life safety considerations of both employees and outsiders
    - Located or posted in conspicuous locations throughout each facility
    - Operating personnel have received training within the past six months
    - Tested periodically (at least semi-annually)
    - Coordinated with Civil Authorities, internal facilities management, etc.
    - Updated at least semi-annually
    - Auditable and audited with no resulting significant criticisms

Metrics Development Approach 2 - Base metrics on commonly recognized standards and practices (ISO 27001 for instance)

ISO 17799/27001 Scope

ISO 17799 ("should") is an International Standard that provides:
- recommendations for Information Security Management (133 control objectives)
- a common basis for developing organizational security standards and effective security management practices
- confidence in inter-organization dealings
- an organization cannot get certified against ISO 17799

ISO 27001 ("shall") is an International Standard that provides management guidelines for implementing and managing the 133 control objectives utilizing a coordinated Information Security Management System (ISMS) approach:
- When properly implemented, the ISMS provides auditable and certifiable proof as to the effectiveness of the ISMS and the 133 control objectives
- ISO 27001 assists us in how we manage information security for auditability and certification

Base Standards on ISO 27001 BCP Requirements: ISO 27001 Aspects of the Business Continuity Management Program
- Business Continuity Management Process: Business continuity management processes shall be established to ensure uninterrupted business activities.
- Business Continuity and Impact Analysis: A comprehensive risk management process shall be applied to business processes.
- Writing and Implementing Continuity Plans: Business continuity plans shall ensure maintenance or timely recovery of business activities.
- Business Continuity Planning Framework: Business continuity plans shall have a single framework to facilitate the testing and review of plans.
- Establish testing, maintenance, and assessments for business continuity plans.

ISO 27001 BCP Framework
Layers (5 down to 1): Executive Policy Statement (Info Sec, Phy. Sec., BCP, etc.); Business Continuity Program Charter; Business Continuity Program Enterprise Standards/Processes; Metrics

BCP Program Framework
- BCP Policy & Charter (The WHY): Governance; Scope; Roles & Responsibilities; Company Objectives
- BCP Standards/Processes (The WHAT): Baseline Requirements; Enterprise-Wide Synergy; Repeatable Processes; Consistency/Predictability
- Legislative/Regulatory Compliance; Executive Management Direction; Enterprise-Wide Due Diligence; Competitive Advantage; ISO 27001 Alignment; Predictable/Repeatable Industry Best Practices
- BCP Specifications (The HOW): Operating Area Established; Operating Area Maintained; Operating Area Defined; Metrics

Business Continuity Sample Metric Categories
- Objective
- Threshold
- Transactions
- Calls
- Equipment Required
- People Required
- Time to Recover
- Event Assessment

BCP Framework - Gap Analysis
- Gap Analysis Process: same process as ISMS; alignment with Standards, Operating Area Specifications and Operating Area Procedures
- Gap Remediation: Criticals and Highs require Remediation Plans
- Gap Acceptance: Formal Process & Signoffs
- Measurement: Test Objectives vs. Results
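As an added example (not part of the presentation), a small evaluator for the "Measurement: Test Objectives vs. Results" step: each exercise result is compared against its objective and threshold and dispositioned as met, gap acceptance, or remediation required (High or Critical). The metric rows, the sample results and the 50% shortfall cut-off between High and Critical are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MetricObjective:
    """One row of the sample metric table: agreed objective plus the threshold
    beyond which a formal gap is declared (objective must be > 0)."""
    name: str
    objective: float
    threshold: float
    lower_is_better: bool  # True for time/cost metrics, False for coverage percentages

def shortfall(metric, result):
    """Fraction by which the exercise result misses the objective; 0.0 when met."""
    miss = result - metric.objective if metric.lower_is_better else metric.objective - result
    return max(miss, 0.0) / metric.objective

def within_threshold(metric, result):
    """True when the result is on the tolerable side of the threshold."""
    return result <= metric.threshold if metric.lower_is_better else result >= metric.threshold

def classify_gap(metric, result, critical_factor=0.5):
    """Met: objective achieved. Accept: missed but inside threshold (gap acceptance,
    formal sign-off). High/Critical: outside threshold, remediation plan required.
    The 50% shortfall cut-off between High and Critical is this example's assumption."""
    miss = shortfall(metric, result)
    if miss == 0.0:
        return "Met"
    if within_threshold(metric, result):
        return "Accept"
    return "Critical" if miss > critical_factor else "High"

def gap_report(objectives, results):
    """Disposition per metric that has a test result, plus the remediation list."""
    dispositions = {m.name: classify_gap(m, results[m.name]) for m in objectives if m.name in results}
    remediation = sorted(n for n, d in dispositions.items() if d in ("Critical", "High"))
    return dispositions, remediation

# Constructed sample data for one recovery exercise (not figures from the presentation).
SAMPLE_OBJECTIVES = [
    MetricObjective("Time to Recover (hours)", 4.0, 6.0, lower_is_better=True),
    MetricObjective("Transactions restored (%)", 100.0, 95.0, lower_is_better=False),
    MetricObjective("People Required", 12.0, 15.0, lower_is_better=True),
    MetricObjective("Calls answered (%)", 90.0, 80.0, lower_is_better=False),
]
SAMPLE_RESULTS = {
    "Time to Recover (hours)": 7.0,     # 75% over objective and past threshold -> Critical
    "Transactions restored (%)": 97.0,  # missed objective but inside threshold -> Accept
    "People Required": 11.0,            # objective met
    "Calls answered (%)": 75.0,         # ~17% short and past threshold -> High
}
```

Calling `gap_report(SAMPLE_OBJECTIVES, SAMPLE_RESULTS)` yields the per-metric dispositions and the two metrics that need remediation plans; the Accept case is what goes through the formal sign-off step.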

Benefits of Metrics
- Can be used to reduce costs (insurance possibly)
- Can be used as an advantage in the marketplace
- Provides a map to where process improvement may be needed
- Provides oversight insight (audit, compliance)

Recommendations
- Think in terms of: how do you as a planner get management attention, buy-in and budget? One way is to develop, and be measured against, a set of metrics.
- How do you as a Continuity Planner demonstrate the value-add contributions of the enterprise continuity planning business process?
- Stay out of the weeds: don't focus on IT recovery only.
- THINK: value-add contribution to the business/mission, or adherence to standards through periodic gap analysis.
- Focus on defining who the stakeholders are (corporations: shareholders; government: the people). What does the key stakeholder value from this organization?
- Break the BCP process down so we can make operational, manageable, and measurable decisions.
- Discuss and present in Executive Management terminology.