Measuring the Maturityof Your BCP Program

Michael Herrera

 Need to measure the maturity of your BCP program?  At MHA Consulting, we look at a number of components to measure the current state of a  BCP program.  The evaluated components are weighed according to the importance to the critical path of the program and its ability to execute in the event of an unplanned disruption.  The minimum components we consider for each area of the BCP program (business and information technology) are as follows:

  1. Governance & Oversight  – Do you have effective management oversight and direction?    Appropriate staff?
  2. Policy– Is your policy documented, communicated, and enforced by management?
  3. Budgeting –Is your BCP program part of the annual corporate budget?
  4. Program Management Methodology– Do you have roadmap and process to guide your BCP initiative over the next 12 to 18 months?
  5. Prioritization of Critical Processes and Systems – Have you identified and prioritized the most critical processes and systems you need to keep your business running in the first week of a disruption.  If you can recover what you need for the first 7 days, you will stay in business.
  6. Identification of  relevant Threats and Risks – Have you clearly identified the relevant threats and risks to your organization via a threat and risk assessment study.  Do you have a mitigation plan to either accept, transfer or mitigate threats?
  7. Recovery Strategy  – Based on the results of the prioritization of your processes and systems as well as identification of threats/risks, have you identified  recovery strategies that will recover your critical business processes and systems?
  8. Recovery Plans  – Do you have documented, comprehensive and tested plans for your mission critical business processes and systems?
  9. Data Backups & Offsite Storage –Are you meeting the Recovery Point Objectives (RPO’s) of your organization?
  10. Exercises – Do you have regular exercises to validate the capability of the recovery strategy,  recovery plans and people?
  11. Training– Is training held on a regular basis to educate new and existing staff members on the BCP program and its role in the culture of the organization?
  12. Maintenance – Do you have a comprehensive maintenance schedule in place to maintain currency of the components of the BCP program?
  13. Continuous Improvement –Do you have a process in place to look for improvements to the BCP program?  Do you know what maturity level is required to meet the needs of your business?

Our Current State Assessment (CSA) model looks at these components for each area (business and technical) to determine a programs’ level of compliance and corresponding maturity level (Ad-Hoc, Capable, Mature, etc.).   Remember, in the end, it comes down to execution!

About MHA:  MHA Consulting, with its decade-long track record, is a proven leader in business continuity planning, disaster recovery planning, IT best practices and data center moves and relocations. Every day, MHA helps protect trillions of dollars of global-market assets and top companies around the world rely on MHA services for the continuity of their business. For more information, please visit: http://staging.mha-it.com or contact Michael Herrera at herrera@mha-it.com.