MHA Consulting BCM Metrics Resiliency Through Measurement

Transcription

1 0 MHA Consulting BCM Metrics Resiliency Through Measurement Presented by: Michael Herrera, CBCP March, MHA MHA Consulting All All Rights Rights Reserved. Reserved. Agenda 1 Overview A Menu of Standards Trends in Today s Standards Reality in Today s Environment What Standard Do We Choose? MHA s Approach Tier 1 & Tier 2 Metrics Practical Application

2 Experience & Qualifications 2 Who We Are Leading boutique consulting firm since 1999 Provider of consulting services to Fortune 1000 companies across the USA Proven cross-industry experience in Business Continuity, Disaster Recovery and IT Optimization What We Do What Makes Us Different Business Continuity Planning Disaster Recovery Planning Physical Security Consulting Information Technology Optimization & Best Practices Data Center Moves & Relocations Experienced professionals that possess a unique blend of knowledge Experience combines focus, dedication and independence of a specialty firm Proven methodologies and tools Financial and management stability Domestic presence and deep skill-sets of the Big 4 or larger consulting firm MHA combines the strengths of the large consulting companies and independent alternatives without compromise Michael Herrera CEO, MHA Consulting Experience & Qualifications 3 MetroWaterDistrict

3 BCM Metrics 4 BCM Metrics If you don't know where you are going, any road will get you there. Lewis Carroll A Menu of Standards 5 1. British Standard (BS 25999) 2. National Fire Protection Act (NFPA) ASIS Organizational Resilience Standard 4. Disaster Recovery Institute International G.A.P. 5. Federal Financial Inst Examination Council (FFEIC) 6. International Std for Organization (ISO) Health Insurance Portability & Account Act (HIPAA) 8. Information Technology Infrastructure Library (ITIL) 9. North American Electric Reliability Council (NERC) 10.Business Continuity Institute (BCI) Good Practices

4 What do the Standards Address? 6 Management Oversight Budget Policy Threat & Risk Assessment Business Impact Analysis Recovery Strategy Development Business Continuity Planning Disaster Recovery Planning Crisis/Incident Management Training Testing & Validation Maintenance Trends in Today s Standards 7 1. Core objectives remain the same 2. Higher level of specificity and sophistication 3. Reflect lessons learned from major disasters 4. Address higher-level of customer/client expectations 5. Reflect greater demands of up-time and timely response 6. Permitting the BCM process to be more clearly auditable and certifiable

5 The Reality in Today s Environment 8 1. Too many standards; can be difficult to understand 2. Very few, if any, use standards and metrics at all 3. Most struggle with just choosing a standard 4. Many are under false security their program can recover or do not know where critical gaps exist 5. Management does not understand BCM standards 6. Compliance doesn t always mean you can recover your business 7. Auditors / customers are increasingly sophisticated in their line of questioning and understanding of BCM So Which One Should I Use? 9 Majority are specific to an industry or a company in a particular commission or entity. Determine if your company falls under requirement of any BCM regulations. Standards represent focuses such as ISO, ITIL, etc. There are standards and practices that cover overall BCM development and management without any single/specific focus, such as: British Standards: BS The Disaster Recovery Institute International (DRII): Business Continuity Planning Professional Practices

6 How MHA Implemented Metrics 10 Tier 1 & 2 Metrics Characteristics of Sound Metrics Persistent: Outcome of a given action at one time will be similar to the outcome of the same action at another time. 2. Predictive: There is a causal relationship between the action the statistic measures and the desired outcome. 3. Sound Metrics: Measure skills that are persistent Distinguish between skill and luck Predict the result you are seeking Source: Harvard Business Review The True Measure of Success Oct 2012

7 MHA s Approach Selected DRII Business Continuity Planning Professional Practices as our baseline. 2. Compiled a composite set of questions addressing overall BCM management. 3. Also incorporated questions from leading standards and practices (e.g., BS25999, NFPA 1600, etc.). 4. Its realistic for the majority, if not all, of the industries we work with and for today. 5. Easy to understand and implement. MHA s Approach Using DRII subject areas, we created two tiers of metrics to assess program compliance and capability: Tier 1 Assess underpinnings of the program Tier 2 Assess demonstrated ability to to recover 1. Created questions for each tier for the following subject areas: Program Administration Tier 1 Crisis Management Tier 1 and 2 Business Recovery Tier 1 and 2 Disaster Recovery Tier 1 and 2 2. Implemented weighting and compliance scoring for each question to permit measurement of performance.

8 MHA s Approach Each question consists of two parts: Critical Success Factor (CSF) Element critical to the service and maps to department objectives. Key Performance Indicator (KPI) Measures level of compliance with the CSF. 2. Added weighting and compliance scores: CSF Weighting: (6-Critical, 3-Moderate, 1-Low) KPI Compliance: (0-None, 1-Low, 2-Moderate, 3-Fully Compliant 3. Readiness Score & Level Multiplying the CSF weight time the KPI compliance scores gives you the readiness score for that question. Adding up all scores in an area gives you the readiness level for the subject area. Oversight Questions Sample CSF: Executive assigned as sponsor/owner of the BCM program. KPI: Assigned and regularly participating in active oversight of the program. 2. CSF: Executives assigned to provide management oversight function for the BCM program. KPI: Assigned and holding regular meetings to review BCM status, issues, etc. 3. CSF: Executives assigned to management oversight are representative of the organization. Executives include representation from key organizational departments, parts and KPI: functions 4. CSF: Dedicated internal or external resources assigned to implement the BCM program. KPI: BCM Office created, person(s) assigned and roles/responsibilities defined. 5. CSF: Dedicated internal or external resources actively managing the BCM program. BCM Office has sufficient authority and resources to actively manage and maintain the KPI: program 6. CSF: Dedicated internal or external resources assigned to implement the IT Disaster Recovery Planning (DRP) program KPI: IT DRP Office created, person(s) assigned and roles/responsibilities defined. 7. CSF: Dedicated internal or external resources actively managing the IT DR program IT DR Office has sufficient authority and resources to actively manage and maintain the KPI: program

9 BIA Questions Sample CSF: Business Impact Analysis studies conducted to determine impacts of an outage. KPI: Studies are conducted a minimum of every two years for each business unit. 2. CSF: Business Impact Analysis questionnaire is tailored to the organization. Questionnaire is consistent with industry best practices and the needs of the KPI: organization. 3. CSF: Business Impact Analysis questionnaire identifies the financial impacts of an outage. KPI: Quantitative impacts of not performing business processes over time are measured. 4. CSF: Business Impact Analysis questionnaire identifies non-financial impacts of an outage. KPI: Qualitative impacts of not performing a business process over time are measured. Business Impact Analysis questionnaire identifies critical systems and applications of the 5. CSF: organization. KPI: Critical systems and applications used by each business process are identified by the questionnaire. 6. CSF: Business Impact Analysis questionnaire identifies interdependencies. Internal and external business process interdependencies are identified by the KPI: questionnaire. 7. CSF: Business Impact Analysis questionnaire identifies Recovery Time Objectives (RTOs). The time to recover each business process and associated computer KPI: systems/applications is determined. Policy Questions Sample CSF: BCM policy is committed to best practices. KPI: Policy has statements to comply with accepted industry best practices and standards. 2. CSF: BCM policy is committed to continual improvement. KPI: Policy has statements to address risk prevention, reduction and mitigation. BCM policy is committed to alignment with organizational legal and regulatory 3. CSF: requirements Policy has statement(s) to comply with applicable organizational legal and regulatory KPI: requirements. 4. CSF: BCM policy is approved and maintained. Policy is approved by senior management, reviewed at regularly scheduled intervals KPI: and/or when significant changes occur. 5. CSF: BCM policy communicated to the organization. Policy existence and responsibility to comply with is communicated to all employees of KPI: the organization. C C C C C

10 Tier 1 Program Admin Metrics 18 Program Administration Metrics BCM Office BCM Policy Budget Oversight Metrics BIA Threat Assessment Exists, experience, training, certifications, etc. Documented, approved, enforced, maintained, etc. Line item, multi-year, appropriate, etc. Sponsor, oversight group, regularly meets, etc. Standard adopted, regular, approved, etc. Consistent with best practices, regular, approved, etc. Consistent with best practices, regular, approved, etc. Tier 1 Program Admin Metrics 19 Program Administration Metrics Recovery Strategies Recovery Exercises Aligned with BIA, management approved, realistic to needs, maintained, etc. Standardized approach, regularly scheduled, business process focused, etc. Maintenance Standardized, regular, approved, enforced, etc. Training & Awareness Multi-level, regular, approved, enforced, etc. Document Repository Secure, houses key documents, auditable, etc.

11 Tier 1 CM, BRP and DRP Metrics 20 Tier 1 CM, BRP and DRP Metrics Crisis Management Use team approach, enlists operational command centers, standardized plan, holds regular exercises, communication tools and plans, etc. Business Recovery Aligns with BIA, follows team approach, uses recovery strategy standards, enlists standard template, follows testing standards, etc. Disaster Recovery Aligns with BIA, follows team approach, uses recovery strategy standards, enlists standard template, follows testing standards, etc. How MHA Implemented Metrics 21 Sample Tier 1 Questions & Reporting

12 Tier 2 CM, BRP and DRP Readiness Metrics 22 Tier 2 CM, BRP and DRP Metrics Crisis Management Command Center Readiness, Notification System Readiness, Level of Mock Exercise Performed, Training Readiness, Supply Readiness, etc. Business Unit Recovery Plans BIA Completed, Plan Documented, Level of Exercise Performed, Training Readiness, Supply Readiness, etc. Disaster Recovery Plans BIA Completed, Plan Documented, Level of Infrastructure/Application Exercise Performed/Demonstrated, RTO/RPO Met, etc. Summary Standards Pick one that works for your organization. You may need to create your own tool. 2. Tier 1 Metrics Assesses underpinnings of the program. Does not assess true recovery capabilities. 3. Tier 2 Metrics Assesses recovery capability of key components (Crisis Management, Business Recovery, Disaster Recovery). Requires additional in-depth objective assessment of these areas. 4. Past Experiences Tier 1 versus Tier 2. Be prepared for pushback or less than truthful answers.

13 24 MHA Consulting Applying Tier 2 Metrics to Disaster Recovery Presented by: Michael Herrera, CBCP March, MHA MHA Consulting All All Rights Rights Reserved. Reserved. Applying Tier 2 DR Metrics Agenda 25 Traditional Metrics Metrics that Make a Difference Implementing Tier 2 Metrics Management Reporting Conclusion

14 Disaster Recovery Program Metrics Two Types of Metrics Basic and Advanced 2. Basic Metrics Examples % age of Applications that have Test Plans % age of Applications Tested w/in RTO Targets % age of Applications Backed Up 3. Advanced Metrics Measures Overall Health, Usefulness and Reliability of the Recovery Program Basic DR Metrics Examples 27

15 MHA s Approach Built advanced metrics to assess Overall Health, Usefulness and Reliability of the DR Program. 2. Assess infrastructure and application recoverability. 3. Present dashboard of recoverability for management. 4. Its realistic for the majority, if not all, of the industries we work with and for today. 5. Easy to understand and implement. Advanced Metrics Examples 29

16 Advanced Metrics Infrastructure Infrastructure Risk Infrastructure Yellow Zone Infrastructure Red Zone 0.0 Q Q Q Q Infrastructure Period Risk Red Zone Yellow Zone Q Q Q Q Metrics that Make a Difference 31 Tier 2 DR Infrastructure / Application Readiness Metrics Recovery Site Established, connected, tested, in or out region, integrated with CM and SDLC, etc. Network Storage Data Management Desktop Images Can recover voice/data, sized properly, capacity tested, time to switch, etc. Capacity met, performance adequate, no capacity issues, etc. Offsite copies, replicated updates, in-synch with business, etc. Image available, maintained, integrated with CM & SDLC.

17 Metrics that Make a Difference 32 Tier 2 Infrastructure/Application Readiness Metrics Application Access Unlimited access by IT and business, VPN and otherwise, no performance degradation, capacity tested, etc. Systems at Recovery Site Adequate equipment, integrated with CM & SDLC, sizing, performance, etc. Security at Recovery Site Application Recovery Plans Physical and logical security in place and operational. BIA Completed, Plan Documented, Level of Application Exercise Performed, RTO/RPO Met, Training Readiness, integrated with CM and SDLC, etc. MHA Metric Implementation 33 Sample Tier 2 Questions & Reporting

18 Generating Advanced Metrics Infrastructure 34 Generating Advanced Metrics Infrastructure 35

19 Generating Advanced Metrics Applications 36 Generating Advanced Metrics Applications 37

20 Metrics that Make A Difference 38 EXECUTIVE DASHBOARD These metrics present a real world picture of your recovery capability based on what is in place and been exercised. Implementing Tier 2 Metrics 39 Internal Team Support 1. DR Coordinator 2. Data Backup & Offsite Storage 3. Data and Voice Network 4. Storage 5. Desktop 6. Infrastructure 7. Applications

21 Implementing Tier 2 Metrics 40 Create Assessment Questions STORAGE Level 0: Level 1: Level 2: Level 3: Level 4: Level 5: Insufficient Storage Exists at Recovery Site for a Complete Restore of all Data Sufficient Storage Exists, But Restore Times Takes Too Long to Meet RTO Objectives Sufficient Storage Exists, Restore Times Meets RTO Objectives, Performance of Storage Less Than Adequate Sufficient Storage, Restore Times Meet RTO, Performance Adequate, Cannot Meet Daily Backup Requirements Sufficient Storage, Restore Times Meet RTO, Performance Adequate, Daily Backups Meet Requirements, Near or At Capacity Sufficient Storage, Restore Times Meet RTO, Performance Adequate, Daily Backups Meet Requirements, No Capacity Issues Implementing Tier 2 Metrics 41 Create Assessment Questions

22 Implementing Tier 2 Metrics Create Questions for Each Area to be Measured. 2. Measure Compliance for Each Area. 3. Weight Questions Based on Importance. 4. Calculate Maturity Levels. 5. Create Simplistic Graphs to Show Capability. Reporting the Results 43 Key Considerations 1. Produce One Page Executive Dashboard 2. Create Supporting Detail Reports as Needed 3. Weight Questions Based on Importance 4. Zero in on Red and Yellow Zone Issues 5. Teach Management to Focus on Tier 2 6. Be Prepared to Defend Your Analysis 7. If You Spend A lot of Dollars and the Metrics Show Low Capability, Figure Out What is Wrong! 8. If You Don t Spend A lot of Dollars and the Metrics Show Low Capability, Ask for More Money in the Key Areas that are Weak

23 Metrics that Make A Difference 44 EXECUTIVE DASHBOARD TIER 2 DISASTER RECOVERY METRICS These metrics present a real world picture of your recovery capability based on what is in place and been exercised. Further Questions? 17 If you have questions about what we ve covered or BCM related inquiries, please call or Michael Herrera Phone: herrera@mha-it.com