Just What the Doctor Ordered – Business Continuity Annual Health Check
Posted on: January 29, 2020
One of the most important annual business continuity management program (BCMP) activities is to have the organization conduct a program health check. The annual health check should objectively review what has been accomplished over the past year, how program activities measured up against program objectives and expectations, and how well the program is positioned for the next year of planned maturing activities. Identified program gaps and issues should be carefully reviewed and presented to the business continuity/resiliency steering committee with an action plan to address all known gaps and deficiencies (e.g. resources, budget, compliance, automation, validation).
The health check can be facilitated as a self-assessment, benchmarked against an industry standard (e.g. ISO 22301), internally reviewed (e.g. by internal audit), externally reviewed (third-party review, peer review, or benchmarking engagement), or as a hybrid of any of these approaches. The type of program health check usually aligns with program maturity. For emerging programs, self-check assessments or industry benchmarking may be appropriate, while more mature and robust programs should challenge themselves and consider external reviews and readiness checks for potential program certifications.
Think of your personal annual physical: baseline measurements are taken by your primary care physician (e.g. your weight, body temperature, blood pressure, blood oxygen level, resting heart rate). Based on your age, other tests may be performed (e.g. EKG, diagnostic testing). These metrics and tests provide an overall appraisal of your health, and based on the results, a plan of care is recommended. Similarly, baseline BCMP measurements should be obtained, reviewed, tracked, and analyzed. The BCMP annual health check benefits greatly from agreed-upon key performance indicators (KPIs), which monitor, measure, and trend the performance of the program period over period (e.g. month over month, quarter over quarter, year over year).
Why do we use KPIs? What should we be measuring?
Quantitative and qualitative scorecarding is imperative in evaluating BCMP performance. It provides an organization with dynamic metrics that can, at any point in time, measure program effectiveness and health. If you can measure it, you can manage it; measuring and tracking BCMP KPIs typically results in:
Defining critical metrics of progress toward an intended result
Providing a focus for strategic and operational improvement
Helping set targets and expectations
Providing objective evidence of progress towards achieving the desired result
Supporting and documenting evidence-based comparisons and trends in measuring performance over time
Recommended key performance indicators should align with the following key BCMP lifecycle stages:
Policy and program management
On a cautionary note, no two programs are the same, and enterprise resiliency varies greatly among companies. Highly regulated industries such as financial institutions, insurance, pharmaceuticals, and energy companies typically have more robust and mature resiliency programs than non-regulated industries like retail, entertainment, and publishing. Regardless of industry profile, programs can be broadly categorized as being in the "crawl, walk, or run" stage of program maturity, and within each grouping there will be many levels of resiliency to achieve. Furthermore, BCMP is not a sprint but a perpetual marathon for every organization to navigate. One thing common to all quality BCMPs is that they have selected KPI metrics that are easily measured and clearly understood throughout the enterprise.
Policy And Program Management
Scope of program – enterprise coverage percentage
Management commitment (number of full-time equivalents (FTEs), budget)
Number of program lifecycle business activities (business impact analysis, threat and risk assessment, IT/DR gap analysis, etc.)?
Number of program metrics (KPIs)?
Number of management reviews?
Number of employees that are continuously trained?
Number of BCMP personnel that have or will be working towards a professional credential?
Number of BCM awareness sessions held?
Number of corporate “go bags” issued?
Number of new hire onboarding BCMP orientations?
Number of user licenses for technology-enabled software?
Number of employees trained on media and communication protocols?
Number of employees trained on cybersecurity best practices and data privacy?
Results rationalized – how many of the processes have been reviewed and rationalized?
Processes identified/calculated recovery time objectives (RTOs), recovery point objectives (RPOs), and maximum tolerable period of disruption (MTPD)
Number of single points of failure (SPoF)?
How many operational risks have been identified? By process tier?
Number of critical applications and instances
Number of critical vendors?
How many enterprise dimensions (incident management, crisis management, employee health and safety, enterprise risk management, vendor management, internal audit, supply chain, compliance, etc.) does BCMP cover?
What data are we collecting? How much data have we collected?
Information gathering – how much of the data captured is auto-populated from records of truth versus inquiry?
BIA prep/review of existing documents, e.g. risk assessments, prior BIAs, service level agreements, legal or regulatory reports
How many processes have been outsourced and not part of the BIA?
How many process owners and instances?
Number of remediation activities/tasks in flight?
How many process owners overrode RTO results?
How much time has been spent on the BIA?
Percent of program that is in compliance with adopted standards or industry regulations?
How many people are participating in the BIA?
How many meetings have occurred?
How many plan approvers and instances?
How many BIA and RA rationalization sessions held?
How many processes were included in table-top simulations?
How many functional areas (departments/cost centers/centers of excellence) participated in the table-top simulations?
Compliance alignment percentage to a standard, such as ISO 22301 or NFPA 1600
Number of regular program audits?
Number of emergency response tests (e.g. building evacuations, fire drills, active shooter drills)?
Number of ITDR tests?
No matter your maturity level or industry, having an annual health check, paired with ongoing efforts and updates throughout the year, is imperative to continuity and resilience. All in all, it is best to take a holistic view and adjust your annual review to what is best for your program and company.