When you look at the state of your business continuity program, are you looking at it objectively? Here’s how to honestly judge your BC program compatibility.
We may not want to admit it, but we are a biased species – whether in the positive or negative. I know some beautiful young people who only see their faults and some mature adults who can’t see their faults at all. We become accustomed to the current state. I live in the Phoenix metro area. What friends and family in other parts of the country think is hot is a nice day to me. Temps in the 100s are normal and expected for us in the summer months – we are used to it. Last week it was hot – and not just hot through my Phoenix filter (it was in the 110s, with a high of 117). But, no matter what I am accustomed to, I recognize that a temperature in the 100s is hot, even though those of us in Phoenix look at the low 100s as a cooling trend in June and July.
When it comes to our business continuity programs, we can often get used to the current state and lose our objectivity. When you look at the current state of your business continuity program, are you, your auditors and your management looking at it objectively or with a filter or bias?
Possibly the best tool to use is a set of objective metrics. Identifying and using the proper metrics will assist in keeping the assessment of the BC program in your organization valid. There are commercial tools for doing this – MHA has one that we think is easy and useful (see www.mha-it.com/bcmmetrics). Even basic self-generated spreadsheets can be helpful. The question is, what are the correct metrics to use? Here are a few we think are important.
- What percentage of BC and DR plans have been updated in the past year?
- Do you have a Crisis Management Plan?
- Do you have an identified Crisis Management Team?
- Are they trained?
- When was your last DR exercise?
- Did it demonstrate actual functional recovery?
- Were the DR Plans used?
- When was your last Crisis Management exercise?
- Did you perform tasks from the plan or just talk about performing tasks?
- Have you performed a BIA in the past two years?
- Have you performed a Threat and Risk Assessment in the past two years?
- What is the state of the findings?
- If you perform another TRA, will the findings be the same?
- Do you have a process for updating/reviewing documentation and strategies to ensure they are current?
- Is there a formal Program Oversight Committee or Program Steering Committee with Management representation?
These metrics can be given values that provide an overall readiness or functional score. With metrics like these, you can generate reports that quickly show the state of the various components of your program.
Good and objective information will:
- Help you identify both the areas that are working well and those which need more attention
- Help management make appropriate risk and funding decisions
- Assist auditors in their assessment
The reason for business continuity is to reduce risk to the organization. It is wonderful if the program is mature and running optimally. However, if there are issues, it is important to remember that “bad news does not get better with age.” You must have some understanding of what will happen if you actually have to use the plans and strategies during a crisis or emergency event, when BC program compatibility is essential. Metrics allow you to be confident when communicating the state of your program and to make appropriate plans. For more information and examples of metrics and the use of them in your organization, see visit mha-it.com/bcmmetrics.