One of the most important annual business continuity management program (BCMP) activities is to have the organization conduct a program health check. The annual BCMP should objectively review what has been accomplished over the past year, how program activities measured up against program objectives/expectations, and how well the program positioned for the next year of maturing planned activities. Identified program gaps and issues should be carefully reviewed and presented to the business continuity/resiliency steering committee with an action plan to address all known gaps and deficiencies (i.e. resources, budget, compliance, automation, validation, etc.).
The health check can be facilitated as a self-assessment, benchmarked against an industry standard, i.e. ISO 22301, internally reviewed, i.e. internal audit, externally reviewed (3rd party review/peer review/benchmarking engagement) or via a hybrid collaboration of any of the above facilitations or strategies. The type of program health check usually aligns with program maturity. For the more emerging programs, self-check assessments or industry benchmarking may be appropriate while more mature and robust programs should challenge themselves and consider external reviews and readiness checks for potential program certifications.
Think of your personal annual physical – baseline measurements were taken by your primary care physician (i.e. your weight, body temperature, blood pressure, blood oxygen level, resting heart rate, etc.). Based on your age, other tests may have been performed (i.e. EKG, diagnostic testing, etc.). These metrics and tests provide an overall appraisal of your health and based on these results, a plan of care is recommended. Similarly, baseline BCMP measurements should be obtained, reviewed, tracked, and analyzed. The BCMP annual health check greatly benefits by leveraging agreed upon key performance indicators (KPIs), which monitor, measure, and trend performance of the program period over period (i.e. month over month, quarter over quarter, year over year, etc.).
Quantitative and qualitative score carding is imperative in evaluating BCMP performance. It provides an organization with dynamic metrics, that can at any point in time, measure program effectiveness and health. If you measure, you can manage; measuring and tracking BCMP KPI’s typically result in:
Recommended key performance indicators should align with the following key BCMP lifecycle stages:
Cautionary note, no one program is the same and enterprise resiliency varies greatly amongst companies – industries that are highly regulated such as financial institutions, insurance, pharmaceuticals, energy companies etc. typically have more robust and mature resiliency programs compared to non-regulated industries like retail, entertainment, publishing companies, etc. Regardless of industry profile, programs can be broadly categorized as being in the “crawl, walk, or run” stage of program maturity and within each grouping, there will be many levels of resiliency to achieve. Furthermore, BCMP is not a sprint but rather a perpetual marathon for every organization to navigate. One thing that is common amongst all quality BCMPs is that they have selected KPI metrics that are easily measured and clearly understood throughout the enterprise.
No matter your maturity level or industry, having an annual health check – paired with ongoing efforts and updates throughout the year – is imperative to continuity and resilience. All in all, it’s best to have a holistic view to adjust your annual review to what is best for your program and company.