
MHA Consulting BCM Metrics – Resiliency Through Measurement

Presented by: Michael Herrera, CBCP

March, 2013

© 2009 MHA Consulting All Rights Reserved. © 2013 MHA Consulting All Rights Reserved.

Agenda

• Overview

• A Menu of Standards

• Trends in Today’s Standards

• Reality in Today’s Environment

• What Standard Do We Choose?

• MHA’s Approach

• Tier 1 & Tier 2 Metrics

• Practical Application


Experience & Qualifications

“MHA combines the strengths of the large consulting companies and independent alternatives … without compromise” – Michael Herrera, CEO, MHA Consulting

Who We Are

• Leading boutique consulting firm since 1999

• Provider of consulting services to Fortune 1000 companies across the USA

• Proven cross-industry experience in Business Continuity, Disaster Recovery and IT Optimization

What We Do

• Business Continuity Planning

• Disaster Recovery Planning

• Physical Security Consulting

• Information Technology Optimization & Best Practices

• Data Center Moves & Relocations

What Makes Us Different

• Experienced professionals that possess a unique blend of knowledge

• Experience combines focus, dedication and independence of a specialty firm

• Proven methodologies and tools

• Financial and management stability

• Domestic presence and deep skill-sets of the Big 4 or larger consulting firm



BCM Metrics

“If you don't know where you are going, any road will get you there.” – Lewis Carroll


A Menu of Standards

1. British Standard (BS 25999)

2. National Fire Protection Act (NFPA) 1600

3. ASIS Organizational Resilience Standard

4. Disaster Recovery Institute International G.A.P.

5. Federal Financial Institutions Examination Council (FFIEC)

6. International Organization for Standardization (ISO) 27001

7. Health Insurance Portability & Accountability Act (HIPAA)

8. Information Technology Infrastructure Library (ITIL)

9. North American Electric Reliability Council (NERC)

10. Business Continuity Institute (BCI) Good Practices


What do the Standards Address?

• Management Oversight

• Budget

• Policy

• Threat & Risk Assessment

• Business Impact Analysis

• Recovery Strategy Development

• Business Continuity Planning

• Disaster Recovery Planning

• Crisis/Incident Management

• Training

• Testing & Validation

• Maintenance


Trends in Today’s Standards

1. Core objectives remain the same

2. Higher level of specificity and sophistication

3. Reflect lessons learned from major disasters

4. Address higher-level of customer/client expectations

5. Reflect greater demands of up-time and timely response

6. Permitting the BCM process to be more clearly auditable and certifiable


The Reality in Today’s Environment

1. Too many standards; they can be difficult to understand

2. Very few, if any, use standards and metrics at all

3. Most struggle with just choosing a standard

4. Many are under a false sense of security that their program can recover, or do not know where critical gaps exist

5. Management does not understand BCM standards

6. Compliance doesn’t always mean you can recover your business

7. Auditors / customers are increasingly sophisticated in their line of questioning and understanding of BCM


So Which One Should I Use?

• The majority are specific to an industry, or to a company regulated by a particular commission or entity.

• Determine if your company falls under the requirements of any BCM regulations.

• Some standards represent a particular focus, such as ISO, ITIL, etc.

• There are standards and practices that cover overall BCM development and management without any single/specific focus, such as:

– British Standards: BS 25999

– The Disaster Recovery Institute International (DRII): “Business Continuity Planning Professional Practices”



Tier 1 & 2 Metrics

How MHA Implemented Metrics


Characteristics of Sound Metrics

1. Persistent: Outcome of a given action at one time will be similar to the outcome of the same action at another time.

2. Predictive: There is a causal relationship between the action the statistic measures and the desired outcome.

3. Sound Metrics:

• Measure skills that are persistent

• Distinguish between skill and luck

• Predict the result you are seeking

Source: Harvard Business Review, “The True Measure of Success,” October 2012


MHA’s Approach

1. Selected DRII “Business Continuity Planning Professional Practices” as our baseline.

2. Compiled a composite set of questions addressing overall BCM management.

3. Also incorporated questions from leading standards and practices (e.g., BS 25999, NFPA 1600, etc.).

4. It’s realistic for the majority, if not all, of the industries we work with and for today.

5. Easy to understand and implement.


MHA’s Approach

1. Using DRII subject areas, we created two tiers of metrics to assess program compliance and capability:

• Tier 1 – Assess underpinnings of the program

• Tier 2 – Assess demonstrated ability to recover

2. Created questions for each tier for the following subject areas:

• Program Administration – Tier 1

• Crisis Management – Tier 1 and 2

• Business Recovery – Tier 1 and 2

• Disaster Recovery – Tier 1 and 2

3. Implemented weighting and compliance scoring for each question to permit measurement of performance.


MHA’s Approach

1. Each question consists of two parts:

• Critical Success Factor (CSF) – Element critical to the service; maps to department objectives.

• Key Performance Indicator (KPI) – Measures the level of compliance with the CSF.

2. Added weighting and compliance scores:

• CSF Weighting: (6-Critical, 3-Moderate, 1-Low)

• KPI Compliance: (0-None, 1-Low, 2-Moderate, 3-Fully Compliant)

3. Readiness Score & Level:

• Multiplying the CSF weight by the KPI compliance score gives you the readiness score for that question.

• Adding up all scores in an area gives you the readiness level for the subject area.
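A worked version of this scoring, added here as an example and not part of MHA's deck or tooling: the CSF weights and the KPI compliance scale are the slide's own; the percent-of-maximum normalisation, the input validation and the critical-gap list are additions, and the scores given to the three Oversight sample questions are constructed.

```python
"""Tier 1 readiness scoring as described on the slide (added example).

CSF weight (6 Critical / 3 Moderate / 1 Low) x KPI compliance (0..3)
= readiness score per question; the sum over an area = readiness level.
Percent-of-maximum, validation and the gap list are additions.
"""
from dataclasses import dataclass

CSF_WEIGHTS = {"Critical": 6, "Moderate": 3, "Low": 1}
KPI_COMPLIANCE = {"None": 0, "Low": 1, "Moderate": 2, "Fully Compliant": 3}
MAX_COMPLIANCE = max(KPI_COMPLIANCE.values())


@dataclass(frozen=True)
class Question:
    csf: str          # Critical Success Factor text
    kpi: str          # Key Performance Indicator text
    weight: int       # CSF weight: 6, 3 or 1
    compliance: int   # KPI compliance: 0..3

    def __post_init__(self):
        # Reject anything outside the slide's two scales, so a typo in a
        # scoring spreadsheet cannot silently inflate or deflate an area.
        if self.weight not in CSF_WEIGHTS.values():
            raise ValueError(f"CSF weight must be one of "
                             f"{sorted(CSF_WEIGHTS.values())}: {self.weight}")
        if self.compliance not in KPI_COMPLIANCE.values():
            raise ValueError(f"KPI compliance must be 0..{MAX_COMPLIANCE}: "
                             f"{self.compliance}")

    def readiness_score(self) -> int:
        # Slide: CSF weight times KPI compliance score.
        return self.weight * self.compliance


def readiness_level(questions) -> int:
    # Slide: sum of the question scores for one subject area.
    return sum(q.readiness_score() for q in questions)


def max_readiness_level(questions) -> int:
    # The level the area would reach if every KPI were fully compliant.
    return sum(q.weight * MAX_COMPLIANCE for q in questions)


def readiness_percent(questions) -> float:
    # Added normalisation: level as a percentage of the attainable maximum,
    # so areas with different numbers of questions can be compared.
    top = max_readiness_level(questions)
    return round(100.0 * readiness_level(questions) / top, 1) if top else 0.0


def area_report(name, questions):
    return {
        "area": name,
        "level": readiness_level(questions),
        "max_level": max_readiness_level(questions),
        "percent": readiness_percent(questions),
        # Critical CSFs scored None or Low: the "critical gaps" the Reality
        # slide says many programs do not know they have.
        "critical_gaps": [q.csf for q in questions
                          if q.weight == CSF_WEIGHTS["Critical"]
                          and q.compliance <= KPI_COMPLIANCE["Low"]],
    }


# Constructed scores for the first three Oversight sample questions from the
# slides; the weights and compliance values are assumptions for illustration.
OVERSIGHT = [
    Question("Executive assigned as sponsor/owner of the BCM program.",
             "Assigned and regularly participating in active oversight.",
             weight=6, compliance=3),
    Question("Executives assigned to provide management oversight for the BCM program.",
             "Assigned and holding regular meetings to review BCM status, issues, etc.",
             weight=6, compliance=1),
    Question("Executives assigned to management oversight are representative of the organization.",
             "Executives include representation from key departments and functions.",
             weight=3, compliance=2),
]

if __name__ == "__main__":
    print(area_report("Oversight", OVERSIGHT))
```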


Oversight Questions – Sample

1. CSF: Executive assigned as sponsor/owner of the BCM program.
   KPI: Assigned and regularly participating in active oversight of the program.

2. CSF: Executives assigned to provide management oversight function for the BCM program.
   KPI: Assigned and holding regular meetings to review BCM status, issues, etc.

3. CSF: Executives assigned to management oversight are representative of the organization.
   KPI: Executives include representation from key organizational departments, parts and functions.

4. CSF: Dedicated internal or external resources assigned to implement the BCM program.
   KPI: BCM Office created, person(s) assigned and roles/responsibilities defined.

5. CSF: Dedicated internal or external resources actively managing the BCM program.
   KPI: BCM Office has sufficient authority and resources to actively manage and maintain the program.

6. CSF: Dedicated internal or external resources assigned to implement the IT Disaster Recovery Planning (DRP) program.
   KPI: IT DRP Office created, person(s) assigned and roles/responsibilities defined.

7. CSF: Dedicated internal or external resources actively managing the IT DR program.
   KPI: IT DR Office has sufficient authority and resources to actively manage and maintain the program.


BIA Questions – Sample

1. CSF: Business Impact Analysis studies conducted to determine impacts of an outage.
   KPI: Studies are conducted a minimum of every two years for each business unit.

2. CSF: Business Impact Analysis questionnaire is tailored to the organization.
   KPI: Questionnaire is consistent with industry best practices and the needs of the organization.

3. CSF: Business Impact Analysis questionnaire identifies the financial impacts of an outage.
   KPI: Quantitative impacts of not performing business processes over time are measured.

4. CSF: Business Impact Analysis questionnaire identifies non-financial impacts of an outage.
   KPI: Qualitative impacts of not performing a business process over time are measured.

5. CSF: Business Impact Analysis questionnaire identifies critical systems and applications of the organization.
   KPI: Critical systems and applications used by each business process are identified by the questionnaire.

6. CSF: Business Impact Analysis questionnaire identifies interdependencies.
   KPI: Internal and external business process interdependencies are identified by the questionnaire.

7. CSF: Business Impact Analysis questionnaire identifies Recovery Time Objectives (RTOs).
   KPI: The time to recover each business process and associated computer systems/applications is determined.


Policy Questions – Sample

1. CSF: BCM policy is committed to best practices.
   KPI: Policy has statements to comply with accepted industry best practices and standards.

2. CSF: BCM policy is committed to continual improvement.
   KPI: Policy has statements to address risk prevention, reduction and mitigation.

3. CSF: BCM policy is committed to alignment with organizational legal and regulatory requirements.
   KPI: Policy has statement(s) to comply with applicable organizational legal and regulatory requirements.

4. CSF: BCM policy is approved and maintained.
   KPI: Policy is approved by senior management, reviewed at regularly scheduled intervals and/or when significant changes occur.

5. CSF: BCM policy communicated to the organization.
   KPI: Policy existence and responsibility to comply with it is communicated to all employees of the organization.


Tier 1 Program Administration Metrics

BCM Office: Exists, experience, training, certifications, etc.

BCM Policy: Documented, approved, enforced, maintained, etc.

Budget: Line item, multi-year, appropriate, etc.

Oversight: Sponsor, oversight group, regularly meets, etc.

Metrics: Standard adopted, regular, approved, etc.

BIA: Consistent with best practices, regular, approved, etc.

Threat Assessment: Consistent with best practices, regular, approved, etc.

Tier 1 Program Administration Metrics (continued)

Recovery Strategies: Aligned with BIA, management approved, realistic to needs, maintained, etc.

Recovery Exercises: Standardized approach, regularly scheduled, business process focused, etc.

Maintenance: Standardized, regular, approved, enforced, etc.

Training & Awareness: Multi-level, regular, approved, enforced, etc.

Document Repository: Secure, houses key documents, auditable, etc.


Tier 1 CM, BRP and DRP Metrics

Crisis Management: Use team approach, enlists operational command centers, standardized plan, holds regular exercises, communication tools and plans, etc.

Business Recovery: Aligns with BIA, follows team approach, uses recovery strategy standards, enlists standard template, follows testing standards, etc.

Disaster Recovery: Aligns with BIA, follows team approach, uses recovery strategy standards, enlists standard template, follows testing standards, etc.


Sample Tier 1 Questions & Reporting

How MHA Implemented Metrics


Tier 2 CM, BRP and DRP Readiness Metrics

Crisis Management: Command Center Readiness, Notification System Readiness, Level of Mock Exercise Performed, Training Readiness, Supply Readiness, etc.

Business Unit Recovery Plans: BIA Completed, Plan Documented, Level of Exercise Performed, Training Readiness, Supply Readiness, etc.

Disaster Recovery Plans: BIA Completed, Plan Documented, Level of Infrastructure/Application Exercise Performed/Demonstrated, RTO/RPO Met, etc.


Summary

1. Standards

• Pick one that works for your organization.

• You may need to create your own tool.

2. Tier 1 Metrics

• Assesses underpinnings of the program.

• Does not assess true recovery capabilities.

3. Tier 2 Metrics

• Assesses recovery capability of key components (Crisis Management, Business Recovery, Disaster Recovery).

• Requires additional in-depth objective assessment of these areas.

4. Past Experiences

• Tier 1 versus Tier 2.

• Be prepared for pushback or less than truthful answers.

MHA Consulting Applying Tier 2 Metrics to Disaster Recovery

Presented by: Michael Herrera, CBCP

March, 2013

Applying Tier 2 DR Metrics – Agenda

• Traditional Metrics

• Metrics that Make a Difference

• Implementing Tier 2 Metrics

• Management Reporting

• Conclusion


Disaster Recovery Program Metrics

1. Two Types of Metrics

• Basic and Advanced

2. Basic Metrics Examples

• Percentage of Applications that have Test Plans

• Percentage of Applications Tested within RTO Targets

• Percentage of Applications Backed Up

3. Advanced Metrics

• Measure the Overall Health, Usefulness and Reliability of the Recovery Program

Basic DR Metrics Examples


MHA’s Approach

1. Built advanced metrics to assess the Overall Health, Usefulness and Reliability of the DR Program.

2. Assess infrastructure and application recoverability.

3. Present a dashboard of recoverability for management.

4. It’s realistic for the majority, if not all, of the industries we work with and for today.

5. Easy to understand and implement.

Advanced Metrics – Examples


Advanced Metrics – Infrastructure

Period    Risk   Red Zone   Yellow Zone
Q3 2011    0.0         50            78
Q4 2011   40.0         50            78
Q1 2012   40.0         50            78
Q2 2012   40.0         50            78

[Chart: Infrastructure, by quarter Q3 2011 through Q2 2012, y-axis 0.0 to 100.0; series: Infrastructure Risk, Infrastructure Yellow Zone, Infrastructure Red Zone.]


Metrics that Make a Difference

Tier 2 DR Infrastructure / Application Readiness Metrics

Recovery Site: Established, connected, tested, in or out of region, integrated with CM and SDLC, etc.

Network: Can recover voice/data, sized properly, capacity tested, time to switch, etc.

Storage: Capacity met, performance adequate, no capacity issues, etc.

Data Management: Offsite copies, replicated updates, in sync with business, etc.

Desktop Images: Image available, maintained, integrated with CM & SDLC.


Metrics that Make a Difference

Tier 2 Infrastructure/Application Readiness Metrics

Application Access: Unlimited access by IT and business, VPN and otherwise, no performance degradation, capacity tested, etc.

Systems at Recovery Site: Adequate equipment, integrated with CM & SDLC, sizing, performance, etc.

Security at Recovery Site: Physical and logical security in place and operational.

Application Recovery Plans: BIA Completed, Plan Documented, Level of Application Exercise Performed, RTO/RPO Met, Training Readiness, integrated with CM and SDLC, etc.


Sample Tier 2 Questions & Reporting

MHA Metric Implementation


Generating Advanced Metrics – Infrastructure

Generating Advanced Metrics – Applications


Metrics that Make A Difference

These metrics present a real-world picture of your recovery capability based on what is in place and has been exercised.

EXECUTIVE DASHBOARD


Implementing Tier 2 Metrics

Internal Team Support

1. DR Coordinator

2. Data Backup & Offsite Storage

3. Data and Voice Network

4. Storage

5. Desktop

6. Infrastructure

7. Applications



Implementing Tier 2 Metrics

Create Assessment Questions

STORAGE

Level 0: Insufficient Storage Exists at Recovery Site for a Complete Restore of all Data

Level 1: Sufficient Storage Exists, But Restore Times Take Too Long to Meet RTO Objectives

Level 2: Sufficient Storage Exists, Restore Times Meet RTO Objectives, Performance of Storage Less Than Adequate

Level 3: Sufficient Storage, Restore Times Meet RTO, Performance Adequate, Cannot Meet Daily Backup Requirements

Level 4: Sufficient Storage, Restore Times Meet RTO, Performance Adequate, Daily Backups Meet Requirements, Near or At Capacity

Level 5: Sufficient Storage, Restore Times Meet RTO, Performance Adequate, Daily Backups Meet Requirements, No Capacity Issues



Implementing Tier 2 Metrics

1. Create Questions for Each Area to be Measured.

2. Measure Compliance for Each Area.

3. Weight Questions Based on Importance.

4. Calculate Maturity Levels.

5. Create Simple Graphs to Show Capability.


Key Considerations

Reporting the Results

1. Produce a One-Page Executive Dashboard

2. Create Supporting Detail Reports as Needed

3. Weight Questions Based on Importance

4. Zero in on Red and Yellow Zone Issues

5. Teach Management to Focus on Tier 2

6. Be Prepared to Defend Your Analysis

7. If You Spend a Lot of Dollars and the Metrics Show Low Capability, Figure Out What is Wrong!

8. If You Don’t Spend a Lot of Dollars and the Metrics Show Low Capability, Ask for More Money in the Key Areas that are Weak


Metrics that Make A Difference

EXECUTIVE DASHBOARD – TIER 2 DISASTER RECOVERY METRICS


Further Questions?

If you have questions about what we’ve covered or BCM related inquiries, please call or email:

Michael Herrera

Phone: 602.708.1718

Email: [email protected]
