CSC AND THE BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM




A WHITE PAPER

AUTHORS: Neil A. Smith, MBCP (nsmith24@csc.com); Sandra Riddell, MBCI (sriddel4@csc.com)

CSC Papers 2013

ABSTRACT

The auditors said our organization needs a Business Continuity Management (BCM) program, so our IT Manager documented a Disaster Recovery Plan (DRP) and performed a DR test. That's all we need... right? A few years ago, a tested DRP was all that was needed to comply with disaster recovery audit requirements. Today, it's a different story. Not only auditors, but BC/DR industry best practices suggest that plans be implemented and tested for Business Continuity, Crisis Management, Emergency Response, as well as Disaster Recovery in order to have a mature enterprise BCM program.

The CSC Business Continuity Services (BCS) organization is advocating, as a potential service offering, a Maturity Assessment program aligned with comprehensive processes that ensure continual governance and control over the sustainability of the organization against all possible threats which, when unplanned incidents cause a breach, can have a detrimental impact on the financial position and brand integrity of an organization. The BCM program answers the rhetorical questions of "Where are we now in terms of business continuity?", "Where are we going?", "How will we get there?" and finally "How do we communicate progress?"

Improving business continuity maturity across an organization, whilst demonstrating compliance to appropriate standards, e.g., ISO 22301 and BS25999, requires a structured roadmap and senior management commitment. The solution combines 30 years of CSC BC/DR practitioner experience across CSC's six industry verticals of (1) Chemical, Energy & Natural Resources, (2) Financial Services, (3) Technology & Consumer, (4) Manufacturing, (5) Health Services and (6) Public Sector, and the Business Continuity Maturity Model (BCMM), developed by Virtual Corporation, Inc., a free open access tool, and the Continuity Management Solution (CMS), licensed by SunGard Availability Services. CMS, which incorporates multiple software modules, BIA Professional, LDRPS (Living Disaster Recovery Planning System) and NotiFind, will support the entire BCP lifecycle. This combination allows for the assessment of an enterprise's multiple locations, by way of an online survey, where LDRPS presents, hosts and collates responses based on a potential BCMM assessment methodology, along with analyses by Business Continuity specialists providing the enterprise roadmap to a required maturity level.

Executives have an inherent business dilemma: "Will our BCM program keep my business functional during and following a catastrophic event?" "Are our planning efforts going to be enough?" An organization needs a structured roadmap that garners executive commitment, outlines business continuity principles, process and compliance throughout the enterprise, while projecting timelines to meet BC/DR maturity requirements. It is this roadmap that will assist Executives in defining BCM scope and objectives and to better lead and direct the wider organization in focussing on those objectives.

In closing, the authors describe a variety of benefits of CSC's offerings, which include its use as a proven framework to assess Business Continuity capability by identification and customisation of a proper tool to automate the process of measuring maturity. BCM maturity measurements allow Executives to clearly understand their starting point on the road to BCM maturity, and most importantly, establish a clear roadmap and communication facilities for the enterprise organization to meet strategic Business Continuity objectives.

I. INTRODUCTION

Business Continuity Management (BCM) is a management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. This means BCM is inclusive of disaster recovery, business recovery, crisis management, incident management, emergency management, contingency planning, notification and escalation plus the old-fashioned "Plan B".

CEOs are quite nervous about "Plan B" options unless the organization has made the investment and commitment of resources to build a BCM structure that minimizes the impacts and implements the planning for, and the response processes to, taking action in the event of a disaster. The BCM program now gives the CEO confidence that his organization has implemented proper contingency planning and emergency response processes that minimise potential physical site and data security incidents, financial losses, worker productivity and morale issues, and physical asset loss, as well as knowing the organization's key stakeholders will support all recovery and restoration activities needed to ensure continued operation of critical business functions, ensuring overall organization survival. But to what extent will your current business continuity program ensure organizational survival? Will it all work together?

Figure 1 - CSC's Modular View of Business Sustainability

CSC's modular view of Business Sustainability integrates Notification and Escalation, Incident Management, defined and tested Crisis Management Plans, Business Continuity Plans and Disaster Recovery Plans, to document business resumption process and procedures following an interruption. Implementation of one or more sustainability modules will lessen the amount of scrambling around when reacting and responding to a disaster event. Keeping the business functional during a disaster is never easy, but a combination of business continuity, crisis management and disaster recovery planning will move the organization closer to a successful recovery and business restoration.

Executive leadership in any organization must focus on the ability to react and maintain operations should a catastrophic event adversely affect business functionality. Questions needing answers revolve around the uncertainty of "Do we have a DRP?", "How old is it?", "Has it been tested?", "Can we survive?"

To answer Executive Leadership's questions, help determine the maturity of an organization's business continuity program and provide a roadmap for its development and maturity, CSC has developed a Business Continuity (BC) Maturity Assessment Program that leverages the Business Continuity Maturity Model (BCMM) originally published in 2003. BCMM addresses the need of organizations to be able to assess and improve their business continuity program. BCMM creates a mechanism that can:

1. Provide a diagnostic tool for objective evaluation of business continuity program effectiveness.
2. Generate consistent data from which meaningful benchmark analyses could be drawn.
3. Answer the following key questions for senior management:
   a. Where are we now?
      i. What level of BC program maturity do we currently possess?
   b. What is the target we are shooting for?
      i. What level of BC program maturity is our ultimate goal?
   c. What evolutionary path do we follow to get there?
      i. How should we progress most effectively to the next Level? e.g., let's crawl, then walk, then run.

II. KEY BENEFITS OF A BUSINESS CONTINUITY MATURITY ASSESSMENT PROGRAM

A business continuity maturity assessment service offering within CSC would benefit organizations by targeting the entire enterprise and defining BC maturity rules that accurately reflect the organization's business continuity needs. An effective Business Continuity Program...

1. Provides the ability to determine the level of Business Continuity maturity
2. Provides the ability to determine a unique client specific roadmap to meet corporate BC maturity requirements
3. Provides periodic monitoring and internal auditing processes to verify compliance to the set baseline Maturity level
4. Provides clearly allocated roles and responsibilities for each task identified in the program
5. Provides clear, demonstrable evidence of compliance to the maturity program in place and can be used as evidence in the certification process
6. Is able to provide enterprise-wide communication of status and progress of BC maturity to management and concerned stakeholders
7. Is able to proactively identify the impacts of an operational disruption
8. Has in place an effective response to disruptions which minimizes the impacts on the organization
9. Maintains an ability to manage risks
10. Is able to demonstrate a credible response through a process of exercising/testing
11. Could enhance the organization's reputation and brand.

III. THE BUSINESS CONTINUITY MATURITY MODEL

The Business Continuity Maturity Model (BCMM), developed by Virtual Corporation, Inc., is a free open access assessment tool which provides a standard approach to measure an organization's BC maturity and direction for creating and maintaining a BC program as a sustainable process. The model focuses on the presence and evolution of the core competencies and skill sets that lead to the development and maintenance of effective process.

BCMM provides a standardized approach to gauging business continuity maturity and consists of:

- Six (6) Levels of maturity (from 1 to 6)
- Eight (8) Corporate Competencies
- Associated Criteria Categories & Descriptors

Figure 3 - BCMM Maturity Levels (figure axes: Competency, Maturity Level; column groups: Program Basics, Program Development)

| Maturity Level | Sr. Mgmt Commitment | Professional Support | Governance | All Units Participating | Integrated Planning | Cross-Functional |
|---|---|---|---|---|---|---|
| Level 1 - Self-Governed | No | No | No | No | No | No |
| Level 2 - Departmental | Marginal | Partial | No | No | No | No |
| Level 3 - Cooperative | Partial | Yes | Partial | No | No | No |
| Level 4 - Standards Compliant | Yes | Yes | Yes | Yes | No | No |
| Level 5 - Integrated | Yes | Yes | Yes | Yes | Yes | No |
| Level 6 - Synergistic | Yes | Yes | Yes | Yes | Yes | Yes |

Six (6) Levels of Maturity (from 1 to 6)

Level 1 - Self-Governed: Individual business units and departments are "on their own" to organize, implement, and self-govern their own business continuity efforts. The state-of-preparedness is low across the Enterprise. The organization reacts to disruptive events when they occur.

Level 2 - Departmental: At least one business unit or corporate function has initiated efforts to establish management awareness of the importance of Business Continuity. A few functions or services have developed and maintain BC plans within one or more of the BC disciplines (see Program Content). At least one internal or external resource has been assigned responsibility to support the business continuity efforts of the participating business units and departments. The state-of-preparedness may be moderate for participants, but remains relatively low across the majority of the company. Management may see the value of a BCM Program but they are unwilling to make it a priority at this time.

Level 3 - Cooperative: Participating business units and departments have instituted a rudimentary governance program, mandating at least limited compliance to standardized BCM policy, practices, and processes to which they have commonly agreed. (Note: this is not necessarily an Enterprise BCM Policy.) A BCM Program Office or Department has been established, which centrally delivers BCM governance and support services to the participating departments and/or business units. Audit findings from these participants are being used to reinforce competitive and strategic advantage for their groups. Interest in leveraging the work already done is being promoted as a business driver for launching a BCM Program. Several business units and departments have achieved a high state-of-preparedness. However, as a whole, the Enterprise is at best moderately prepared. Senior management has not committed the Enterprise to a BCM Program.

Level 4 - Standards Compliant: Senior management understands and is committed to the strategic importance of an effective BCM Program. An enforceable, practical BCM Policy and associated standards have been adopted, including methods and tools for addressing all four BC disciplines (see BC Program Content below). A BCM Program Office or Department has been created to govern the program and support all Enterprise participants. Each group has acquired its own and/or utilizes the central BCM professional resources. BCM policy, practices, and processes are being standardized across the Enterprise. A BCM competency baseline was developed and a competency development program is underway. All critical business functions have been identified and continuity plans for their protection have been developed across the Enterprise. Departments conduct unit tests of critical business continuity plan elements. All business continuity plans are updated routinely.

Level 5 - Integrated: All business units and departments have completed tests on all elements of their business continuity plan including their internal and external dependencies. Plan update methods have proven to be effective. Senior management has participated in crisis management exercises. A multi-year plan has been adopted to continuously "raise the bar" for planning sophistication and Enterprise-wide state-of-preparedness. A communications and training program exists to sustain the high level of business continuity awareness following a structured BCM competency maturity program. Audit reports no longer highlight business continuity shortcomings. Strategic and competitive advantages achieved from the BCM Program are highlighted in periodic internal and external communications.

Level 6 - Synergistic: Sophisticated business protection strategies are formulated and tested successfully. Cross-functional business continuity capabilities are measured. Change control methods and continuous process improvement keep this organization at an appropriately high state-of-preparedness even though the business environment continues to change radically and rapidly. Innovative policy, practices, processes, and technologies are piloted and incorporated into the BCM Program.

Generally, maturity models can show the clear business value derived by the organization as it progresses up each level of maturity (e.g., reduced errors, faster delivery, and improved on-time, on-budget performance). Within the BCMM, self-governing (Levels 1-2) can work, but without the infrastructure investment it will not be sustainable, and cross-functional recovery strategies will be more difficult to implement. In the model, Levels 1-3 represent organizations that have not yet completed the necessary program basics needed to launch a sustainable enterprise BCM program. Levels 4-6 represent the evolutionary path of the maturing enterprise BCM program.

When determining maturity and trying to assess the current Level (1 to 6), there are eight Corporate Competencies which address key behaviours and central disciplines of Business Continuity.

Eight (8) Corporate Competencies

There are eight BCMM Corporate Competencies. The first seven address the key behaviors of the BC program. The eighth Corporate Competency, Program Content, addresses how the organization implements the four central disciplines of business continuity: Incident Management (IM), Security Management (SM), Technology Recovery (TR) and Business Recovery (BR). Each Corporate Competency categorizes a critical organizational characteristic of an organization's ability to create a sustainable business continuity program.

1. Leadership - The commitment and understanding demonstrated by executive management with regard to the implementation of an appropriately scaled, enterprise-wide business continuity program. As well, the degree to which the business case for implementing sustainable business continuity has been articulated and understood by executive management.
2. Employee Awareness - The breadth and depth of business continuity conceptual awareness throughout all staff levels of the organization including consideration for the quality and sustainability of the BC training and awareness program.
3. BC Program Structure - The scale and appropriateness of the business continuity program implemented across the Enterprise. The degree to which the BCM Program matches the articulated business case.
4. Program Pervasiveness - The level of business continuity coordination between departments, functions, and business units across the Enterprise. The degree to which business continuity considerations have been incorporated in other appropriate business initiatives, programs, and processes.
5. Metrics - The development and monitoring of appropriate measures of BCM Program performance. The establishment and tracking of a business continuity competency baseline.
6. Resource Commitment - The application of sufficient, properly trained and supported personnel, financial, and other resources to ensure the sustainability of the BCM Program.
7. External Coordination - Coordination of business continuity issues and requirements with external community including customers, vendors, government, unions, banks, creditors, insurance carriers, etc., ensuring that critical supply chain partners have adequate BCM Programs of their own in place.
8. BC Program Content - The previous seven Corporate Competencies address the key behaviors of the BC program. This eighth Corporate Competency addresses how the organization implements the four central disciplines of business continuity:
   a. Incident Management (IM) - Ensuring that all aspects of emergency response, crisis management, and any other activities involved in command, control, and communications during an organizational crisis and/or disastrous event are appropriately addressed.
   b. Security Management (SM) - Ensuring that physical security, information security, and any other activities associated with protecting the integrity of targeted information and resources are appropriately addressed.
   c. Technology Recovery (TR) - Ensuring that critical information systems hardware, software, networks, and applications are adequately recoverable within defined recovery time objectives.
   d. Business Recovery (BR) - Ensuring that critical business functions and resources are adequately recoverable within defined recovery time objectives.

Figure 4 - BCMM Maturity Levels and Corporate Competencies (Increasing Business Continuity Competency Maturity; General Attributes of an Organization at Each Maturity Level)

| Corporate Competency | Level 1 Self-Governed | Level 2 Departmental | Level 3 Cooperative | Level 4 Standards Compliant | Level 5 Integrated | Level 6 Synergistic |
|---|---|---|---|---|---|---|
| Athlete Analogy | Able to Crawl | Able to Walk | Able to Run | Fit Runner | Competitive Runner | Olympic Runner |
| Leadership | VL | L | M | H | H | H |
| BC Awareness | VL | L | L | M | H | H |
| BC Program Structure | VL | L | L | M | H | H |
| Program Pervasiveness | VL | L | L | L | M | H |
| Metrics | VL | L | M | M | H | H |
| Resource Commitment | VL | L | M | H | H | H |
| External Coordination | VL | L | L | M | H | H |
| BC Program Content: Incident Management | VL | L | M | H | H | H |
| BC Program Content: Technology Recovery | VL | L | M | H | H | H |
| BC Program Content: Business Recovery | VL | L | M | H | H | H |
| BC Program Content: Security Management | VL | L | M | H | H | H |

Key: VL = Very Low, L = Low, M = Medium, H = High.

Comparative Model labels shown in the figure: Organization At Risk, Competent Performer, Best of Breed.

BCMM Levels 1 through 3 represent organizations that have not yet completed the necessary program basics needed to launch a sustainable enterprise BCM program. Levels 4 through 6 represent the evolutionary path of the maturing enterprise BCM program.

IV. BC MATURITY CHALLENGES

Deciphering the BCMM Maturity Levels and Corporate Competencies and applying them to your organization and your Business Continuity Management program creates a significant challenge. How does one collect, collate, document and apply all the verifiable data necessary to measure BCMM? How do you collect the intangible types of BCMM data that reside in the minds of executive leadership within the organization?

BCMM data gathering methods may include face-to-face interviews/meetings with executives, business unit management, IT operations management, supply chain management and vendors, and facilities and security management. Multiple surveys targeting different organizational entities may be distributed. Current BC/DR documentation reviews may be initiated. The time taken to complete these methods may lengthen the approved timeline of the BCMM measurement process to the point where the time taken gradually degrades the quality and effectiveness of the overall purpose of measuring the organization's maturity level. It is the scope of the organization's BCM that will determine the depth of data gathering to be undertaken.

Once the data gathering team believes the information is finally available for analysis... What are the next steps in the roadmap? Where is all the data stored and collated? How are the BCMM metrics applied to discern the valuable data versus the extraneous? How does the team report meaningful results to the organization's senior leadership so the program's direction can be determined? Isn't there a centralized, efficient method to gather, collate, analyze, calculate and report the results of BC maturity? Are we confident we can recover from a disaster event based on business continuity maturity? Will BCMM measurement make the organization compliant with industry standards and regulations?

V. BCM CORPORATE TOOLS - CMS / LDRPS

Addressing the BC maturity challenges and finding answers to the questions presented are not easy tasks. The key to managing the vast amount of BCM data is to have a centralized utility, or software tool, to use as a data repository and analytical tool that provides meaningful BC maturity reports for executives to make informed decisions going forward.

CSC Business Continuity Services (BCS) has globally implemented the Continuity Management Solution (CMS) integrated software platform, of which the Living Disaster Recovery Planning System (LDRPS), BIA Professional and NotiFind are a part. CMS will support the functionality requirements of BCM with regard to data analysis, effective data management and BC/DR planning. LDRPS is the comprehensive tool that effectively manages the BC/DR planning process and components. The entire CMS platform serves as a potential data repository for everything from BC maturity data gathering to the analysis and reporting within LDRPS as BC maturity measurement is determined.

A key feature of how CMS effectively manages the BC data gathering process is its unique ability to build and generate specific end user surveys. This functionality is the basis for proposing data gathering, analysis and reporting as part of this service.

It's the BC maturity survey that can be distributed, via the internet, to an enterprise's end users in all facets of the organization and responded to online. The survey is accessed via a supplied user ID and password. As survey results are submitted, CMS will store the response, analyze the data against the preset criteria defined by CSC's subject matter experts and provide LDRPS reports showing the level(s) of BC maturity within the organization. It's this level of functionality that makes CSC's CMS utility software a valuable tool for advocating and using BCMM as part of a business continuity assessment program.

VI. BC MATURITY ASSESSMENT PROGRAM

CSC BCS can take the BCMM assessment structure and generate a series of survey questions related to the eight Corporate Competencies where the selected response relates to one of the six Maturity Levels within BCMM. The survey questionnaire can be designed to utilize the survey functionality of CMS-LDRPS and the BCMM-determined questions, formulating a complete online BC maturity assessment tool. The online BC maturity assessment tool would be part of the CSC Business Continuity Maturity Assessment Program.

Improving an organization's BCMM maturity and corporate competency levels requires structured planning and commitment from the client's board of directors and senior leadership, and a roadmap to achieve the next levels of BCMM maturity. Following the base-lining of results from an online assessment, the next stages leverage the experience and knowledge of CSC's BCS experts, providing the clients with a roadmap and schedule to achieve their required level(s) of maturity.

Attaining the next level of BCMM maturity will take time based on the requirements of the BCMM model and an organization's progress in achieving their BCM program goals. Depending on management structure, it is the organization's site management, or business unit management, who knows best what the organization is capable of achieving within specific timeframes based upon the scope of BCM and the guidance, support, funding and direction from executive management.

To demonstrate current visibility of the BC maturity of client sites, the BC Maturity Assessment Program would include a BCM dashboard. Completing the BCMM Survey online within CMS would allow multiple types of dashboard charts to be generated based on the results of each survey response. The dashboard automatically gives clients visibility into their organization's maturity level and progress towards demonstrable compliance with internal and external audit requirements, and is a catalyst for any industry regulatory compliance and/or business continuity certification standards such as the British standard BS25999 and ISO 22301 compliance.

On a regular basis, BCS subject matter experts can assess the organization's progress on following the BCMM roadmap and schedule. Based on the new assessment findings, the roadmap and schedule will be updated with progress and any remediation tasks required to keep the roadmap on track.

VII. RELATIONSHIP OF BCM TO BS25999 STANDARDS

Continued operations in the event of a business disruption, due to a major disaster or a minor incident, are a fundamental requirement for any organization. Ensuring operational continuity has led to the development of Business Continuity Management (BCM) as a recognized business discipline, but not until the recent publication of BS 25999 has there been an internationally-recognized management framework certification that adds consistency, credibility and viability to an organization's existing BCM programs.

BS 25999, currently a British Standard which is the foundation upon which the new ISO 22301 international standard and certification is based on BCM program guidelines, is designed to keep your business going during the most challenging and unexpected circumstances. It, in conjunction with BCM, provides a basis for understanding, developing, implementing and managing business continuity within your organization and gives you confidence when dealing with stakeholders both within and outside your organization.

BCM, BS25999 and ISO 22310 are suitable for any organization, large or small, from any sector. It is particularly relevant if an organization operates in a high risk environment such as the finance, telecommunications, transport, utilities and public sectors, where the ability to continue operating is paramount for both executive management and the organization's stakeholders.

A BCM Assessment Program is specifically designed to move an organization from its infancy in BC/DR goals and objectives to a full BCM program that manages all BC/DR activities and measures the maturity of the organization's BCM development at given times of the BCM lifecycle. Most organizations do not have the time, resources or BCM software utility toolsets at their disposal to build and maintain their organization's BCM program while striving to comply with BS25999 industry standards.
CSC's BC/DR industry subject matter experts are specifically trained to guide an organization to implement a successful BCM program and move towards BS25999 and ISO standards. CSC's expertise in the use of LDRPS as the utility to manage the BCM program not only replaces the organization's need to provide that time and resources, but also provides the organization with the necessary support and expertise required to get the job done.

VIII. SUMMARY

This paper has proposed a practical solution to the question "How robust is your organization's business continuity management program?" It sets out a proven solution to identify a consistent level of understanding/measurement with regard to how effective your continuity management practices are across the organization, in order to establish the building blocks, where applicable, for developing improvement plans in support of the organization's strategic direction for the Business Continuity Program.

The solution combines 30 years of CSC BC/DR practitioner experience and CSC's LDRPS comprehensive recovery planning software offering. It is this strategic combination of products, along with analysis by CSC's Business Continuity specialists, regular assessment and dashboard status updates, that form the potential basis for a new Business Continuity Maturity Assessment Program.