Ripping off a band aid is painful but its temporary in nature. Assessing your BCM compliance is a lot like ripping off a band aid; you deal with the initial pain of finding out where your gaps and exposures exist but then experience the healing aspect of generating a roadmap for remediation that brings about a heightened level of compliance and resiliency that significantly outweighs the temporary pain of the assessment.
So, why are some reasons planners aren’t assessing and scoring their BCM compliance?
- Fear of the Unknown
- My Program is Already Bad, Why Bother?
- What Standard Should We Use that Makes Sense for Us?
- How Do I Present the Results?
- What Do I Do With the Results
The need to assess BCM compliance and generate metrics that depict your current and future state is coming to the forefront of our senior management and industry. We must effectively and efficiently balance risks and exposures in our programs by knowing where we stand today and where we need to be over time.
Assessing your BCM compliance permits you to identify critical exposures, that if prioritized for mitigation, will bring about the greatest improvement in compliance and resiliency while permitting you to hold off resolving other exposures off that are a nice to have that we can get to later in the lifecycle of the program.
A very simple approach is as follows:
1. Pick one standard (ISO 22301, FFIEC, BCI Good Practices, etc.) that best suits your needs.
2. Review the standard and its requirements for each dimension (Oversight, Crisis Management, Business Recovery, etc.)
3. Separate out each dimension and its associated requirements.
4. Weight each requirement based on its importance (high, medium, low) to the successful execution of the program.
5. Score your compliance on each requirement (no compliance, minimal, full).
6. Multiply the importance times score the compliance score.
7. Rank your compliance score (0 to 60 poor, 61 to 80 Moderate, 81 to 100 Excellent).
Once you have ranked each dimension, present the results to management for review and prioritization and remediation of the exposures.
You get a physical on a regular basis why wouldn’t you do a regular health check on your program? Why do so many programs run without direction year after year?
So, I challenge you, rip off the band aid; pick a standard and assess your BCM compliance. The time is now…not tomorrow.
If you want to see how we have automated the BCM compliance assessment process, visit our BCMMETRICS self assessment tool website at www.bcmmetrics.com.