How do you know your business continuity and disaster recovery (BC/DR) programs and associated activities are performing up to expectations? Setting metrics and expectations gives you the opportunity to check your program's performance against your goals. For example, performance metrics addressing the frequency of BC plan exercises and business impact analysis (BIA) updates will help ensure proper plan performance. Be sure to involve your quality assurance (QA) and internal audit (IA) departments in performance evaluations.
In Section 9, Performance Evaluation, of the global business continuity standard ISO 22301:2012, Business Continuity Management Systems -- Requirements, the following three subsections address performance evaluation in detail:
9.1 -- Monitoring, Measurement, Analysis and Evaluation
9.2 -- Internal Audit
9.3 -- Management Review
It is important to examine what happens when something out of the ordinary occurs, such as a minor operational disruption, system or technology outage, or supply chain interruption, and use those lessons learned to improve your ability to anticipate potential disruptions. It is also helpful to study real-world examples of disaster response in organizations similar to your own. The information that you gather will allow you to recommend modifications to existing operational, strategic, planning, financial, legal, technological, structural, physical, intellectual and human-based activities so as to increase their reliability, resilience and recoverability from disruptive incidents -- minimizing the impact to business operations.
Here's how this works:
In both cases, the business continuity staff examined key operations within the company in detail. A business impact analysis (BIA) is typically used to gather information. Data from a BIA and risk assessment (RA) should identify what could happen if there were a disruption to the supply chain, technology or other important business function. Analysis of other companies' experiences can shed light on possible outcomes of a supply chain and/or technology failure and will also identify strategies to prevent these disasters from occurring.
By analyzing all elements in a supply chain, for example, and asking pointed questions regarding the impact of a supply chain disruption, business continuity analysts can pinpoint areas of greatest risk to a supply chain and thereby also identify strategies to prevent disruptions and mitigate the severity of disruptions that may occur. The same can be true of critical technology operations.
Performance evaluation of BC/DR programs should be an ongoing activity. An organization's BC staff should regularly examine all aspects of company business operations, identify internal/external risks to those operations and then identify potential solutions to address those risks. Outcomes may come in the form of modifications to BC plan procedures, updates to BC policies, revisions to IT infrastructure operations, changes to training programs and revisions to plan exercises.
It's been said time and again that business continuity and disaster recovery plans are living documents. They reflect current business operations and requirements, and as such must be fluid enough to adapt quickly and dynamically reflect changes in those operational attributes. A key part of the performance evaluation process is that it is an ongoing activity. It's not something that occurs annually or on an ad hoc basis.
By constantly looking for ways to improve business operations and reduce the likelihood of emergencies, BC/DR professionals can ensure that their efforts will keep the organization, its supply chain, its technology infrastructure and its employees performing in the most resilient ways possible.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant/auditor and is secretary of the Business Continuity Institute USA chapter and member of the BCI Global Membership Council.