Just What the Doctor Ordered – Business Continuity Annual Health Check

By: Steve Greenstein, Senior Advisory Lead Consultant

January 29, 2020 in Business Continuity


One of the most important annual business continuity management program (BCMP) activities is to have the organization conduct a program health check. The annual BCMP health check should objectively review what has been accomplished over the past year, how program activities measured up against program objectives and expectations, and how well the program is positioned for the next year of planned maturing activities. Identified program gaps and issues should be carefully reviewed and presented to the business continuity/resiliency steering committee with an action plan to address all known gaps and deficiencies (e.g. resources, budget, compliance, automation, validation, etc.).

The health check can be facilitated as a self-assessment, benchmarked against an industry standard (e.g. ISO 22301), internally reviewed (e.g. by internal audit), externally reviewed (3rd party review, peer review, or benchmarking engagement), or via a hybrid collaboration of any of the above approaches. The type of program health check usually aligns with program maturity. For emerging programs, self-check assessments or industry benchmarking may be appropriate, while more mature and robust programs should challenge themselves and consider external reviews and readiness checks for potential program certifications.

Think of your personal annual physical: baseline measurements were taken by your primary care physician (e.g. your weight, body temperature, blood pressure, blood oxygen level, resting heart rate, etc.). Based on your age, other tests may have been performed (e.g. EKG, diagnostic testing, etc.). These metrics and tests provide an overall appraisal of your health, and based on these results a plan of care is recommended. Similarly, baseline BCMP measurements should be obtained, reviewed, tracked, and analyzed. The BCMP annual health check benefits greatly from leveraging agreed-upon key performance indicators (KPIs), which monitor, measure, and trend performance of the program period over period (e.g. month over month, quarter over quarter, year over year, etc.).

Why do we use KPIs? What should we be measuring?

Quantitative and qualitative scorecarding is imperative in evaluating BCMP performance. It provides an organization with dynamic metrics that can, at any point in time, measure program effectiveness and health. If you measure, you can manage; measuring and tracking BCMP KPIs typically results in:

  • Driving behavior
  • Supporting a culture of resiliency
  • Defining critical metrics of progress toward an intended result
  • Providing focus for strategic and operational improvement
  • Helping set targets and expectations
  • Providing objective evidence of progress towards achieving a desired result
  • Supporting and documenting evidence-based comparisons and trends in measuring performance over time

Recommended key performance indicators should align with the following key BCMP lifecycle stages:

  • Policy and program management
  • Embedding
  • Analysis
  • Design
  • Implementation
  • Validation

Cautionary note: no two programs are the same, and enterprise resiliency varies greatly amongst companies. Industries that are highly regulated, such as financial institutions, insurance, pharmaceuticals, energy companies, etc., typically have more robust and mature resiliency programs compared to non-regulated industries like retail, entertainment, publishing companies, etc. Regardless of industry profile, programs can be broadly categorized as being in the “crawl, walk, or run” stage of program maturity, and within each grouping there will be many levels of resiliency to achieve. Furthermore, BCMP is not a sprint but rather a perpetual marathon for every organization to navigate. One thing that is common amongst all quality BCMPs is that they have selected KPI metrics that are easily measured and clearly understood throughout the enterprise.

Policy And Program Management

  • Scope of program – enterprise coverage percentage
  • Management commitment (number of full-time equivalents (FTEs), budget)
  • Number of program lifecycle business activities (business impact analysis, threat and risk assessment, IT/DR gap analysis, etc.)
  • Number of program metrics (KPIs)
  • Number of management reviews
  • Number of employees that are continuously trained
  • Number of BCMP personnel that have, or will be working towards, a professional credential

Embedding

  • Number of BCM awareness sessions held
  • Number of corporate “go bags” issued
  • Number of new hire onboarding BCMP orientations
  • Number of user licenses for technology-enabled software
  • Number of employees trained on media and communication protocols
  • Number of employees trained on cyber security best practices and data privacy

Analysis

  • Results rationalized – how many of the processes have been reviewed and rationalized?
  • Processes with identified/calculated recovery time objectives (RTOs), recovery point objectives (RPOs), and maximum tolerable period of disruption (MTPD)
  • Number of single points of failure (SPoF)
  • How many operational risks have been identified? By process tier?
  • Number of critical applications and instances
  • Number of critical vendors
  • How many enterprise dimensions (incident management, crisis management, employee health and safety, enterprise risk management, vendor management, internal audit, supply chain, compliance, etc.) does BCMP cover?

Design

  • What data are we collecting? How much data have we collected?
  • Information gathering – how much of the data captured is auto-populated from records of truth versus gathered by inquiry?
  • BIA prep/review of existing documents, e.g. risk assessments, prior BIAs, service level agreements, legal or regulatory reports, etc.
  • How many processes have been outsourced and are not part of the BIA?
  • How many process owners and instances?

Implementation

  • Number of remediation activities/tasks in flight
  • How many process owners overrode RTO results?
  • How much time has been spent on the BIA?
  • Percentage of the program that is in compliance with adopted standards or industry regulations
  • How many people are participating in the BIA?
  • How many meetings have occurred?
  • How many plan approvers and instances?
  • How many BIA and RA rationalization sessions were held?

Validation

  • How many processes were included in table-top simulations?
  • How many functional areas (departments/cost centers/centers of excellence) participated in the table-top simulations?
  • Compliance alignment percentage to a standard, such as ISO 22301 or NFPA 1600
  • Number of regular program audits
  • Number of emergency response tests (e.g. building evacuations, fire drills, active shooter drills, etc.)
  • Number of ITDR tests

No matter your maturity level or industry, having an annual health check, paired with ongoing efforts and updates throughout the year, is imperative to continuity and resilience. All in all, it’s best to take a holistic view and adjust your annual review to what is best for your program and company.