Maximise return on your BCM investment by measuring BCM maturity
Ensuring the money and time spent on BCM yields the desired results is critical, says Karen Humphris, Senior Advisory Manager at ContinuitySA.
How do you ensure that the time and money spent on business continuity is yielding the desired results, asks Karen Humphris, Senior Advisory Manager at ContinuitySA.
As business continuity management (BCM) becomes more important as a way to mitigate risk and create peace of mind, ensuring the money and time spent on BCM yields the desired results is critical. Organisations need to be certain that the BCM programme they have in place is realistic, and that it will work. One of the best ways of answering these questions is to measure how mature the BCM plan and capability actually are.
Measuring, as we all know, is the first and vital step to managing anything.
ContinuitySA has identified 12 critical BCM success factors. Humphris believes that they form the logical areas against which BCM maturity should be judged. They are:
* Executive support, including a proper business case for BCM, BCM objectives and framework, a steering committee, budgetary commitment, and policies and procedures.
* Resources and expertise. Is there a skilled team with defined roles and responsibilities, and is its performance appraised?
* Core enterprise impact and threat management to understand the impact of disasters on critical business processes and what the resource dependencies are. It is also important to identify threats and single points of failure, as well as the measures for mitigation.
* Extended enterprise impact and threat management to cover risks relating to regulators and supply chains.
* Continuity strategies and tactics for each of the resource dependencies based on a cost/benefit analysis. What BCM strategies have been selected and how are they being implemented?
* Incident management framework that covers strategic, tactical and operational areas, including a communications network.
* Emergency response framework - the subset of the incident management framework that focuses on protecting the organisation's most valuable asset, its people.
* Reputation and trust management, with procedures, policies, infrastructure and teams in place to protect the second-most valuable asset, the brand.
* Solution implementation. Is the implementation strategy fit for purpose, and is the appropriate infrastructure in place? It is also critical to ensure that the identified risks are continually monitored, and that service-level agreements are in place to provide dependency assurance.
* Business recovery and resumption can take place within the agreed recovery time objective.
* Validation and assurance to ensure that the BCM solution is exercised and tested - probably the single most important success factor.
* Management system and continuous improvement to ensure that BCM is integrated into existing management systems and that the BCM capability is continuously improved.
"Each of these success factors can then be regularly assessed in terms of the existing best practices, the day-to-day practices within the organisation, the resources allocated to them and the underlying policies and procedures," adds Humphris. Scores can be given for each component of each factor in each business unit and geographical location.
This granular approach effectively highlights areas of notable success or failure in terms of different criteria. It is therefore extremely useful in pinpointing areas meriting investigation, acting as a diagnostic for over- and under-performing areas. More importantly, it offers a way to plot the path towards improvement and helps to set realistic time frames - and because it is score-based, it provides a way to quantify progress, and thus return on investment.