The BCMMETRICS™ self-assessment tool has been in production since January 2014 and is being used by subscribers across a wide range of industries that include Consumer, Education, Financial, Insurance Technology and Utilities.
So, what have we learned in the first 12 months of its existence? The following paragraphs highlight a few of the learnings. The tool has proven to be a valuable BCM Governance Risk Control (GRC) tool, as shown by the size, complexity, global reach and mix of industries using it.
Global Learnings
- The Financial and Utility industries had the highest level of compliance (e.g., those with Program Administration, Crisis Management, Business Recovery and Disaster Recovery each at 81 or above).
- The most compliant BCM programs have been in existence for five (5) years or longer and have had the consistent management support and strategic direction needed to make incremental progress.
- The majority of subscribers had not adopted a specific BCM standard to gauge their level of program compliance prior to subscribing to the BCMMETRICS self-assessment tool.
- The ability to evaluate compliance across multiple standards and not just one has
Program Administration
- BCM policies are widely documented but program standards were often lacking. A lack of documented standards leads to inconsistency in application of the BCM process across the organization.
- The Business Impact Analysis (BIA) is typically being conducted every two to three years. A number of highly regulated subscribers are being required to update their BIA results annually.
- Pandemic planning is often being addressed through Loss of Resources/Workforce in Business Recovery Plans and not in a separate plan or process.
Crisis Management
- The majority of subscribers have a defined Crisis Management Team to address an enterprise-level disruption.
- Most entities have defined physical and virtual locations for their Crisis Management Team to assemble as needed.
- Those programs with a higher level of compliance are conducting regular training and mock disaster exercises with their Crisis Management Teams.
Business Recovery Planning
- BIA information is often not being integrated with Information Technology to ensure Recovery Time Objectives and Recovery Point Objectives are aligning.
- The best recovery plans are “event neutral” and address multiple scenarios (e.g., Loss of Building, Loss of Technology, Loss of Resources, etc.).
- The most compliant programs are performing full relocation exercises of their business units to their alternate work areas to validate recovery plans, strategies and integration with IT recovery of critical systems and applications.
Disaster Recovery Planning
- Standalone DR testing remains the standard form of testing conducted at the majority of subscribers. Lack of available testing time was identified as the primary reason for only conducting standalone exercises.
- Integrated DR testing is very limited and only being performed by the most compliant subscribers.
- The most compliant DR programs are exercising recovery of their critical systems and applications throughout the year.
The ability to quickly, easily and regularly measure the compliance of your program has been extremely valuable to the subscribers. The tool gives subscribers the ability to quickly identify the areas that have the highest importance and the lowest level of compliance, ensuring the greatest risk is identified and mitigated in a timely manner.
Heighten the sophistication and maturity of your BCM program today through intelligent measurement. Contact us today for a demo at [email protected]