Measuring Success: Using Validation and Metrics in Your Business Continuity Program

1 Lisa Trousdale, Ernst & Young June 2014 Measuring Success: Using Validation and Metrics in Your Business Continuity Program

2 Fundamental Questions
Why do you want to validate and measure?
- To report to executives?
- To garner support/increase visibility for your program?
- To show progress or maturity?
- To point attention to trouble spots?
- To get funding/staff/resources?
- To align with standard(s)?
- To provide assurance to clients and/or customers?
What do you want to validate and measure?
- Just plans or entire program?
- Are plans complete? Accurate? Updated? Posted?
- Have plans/tools been tested?
- Are users proficient?
- Program/plan effectiveness (this is the tough one!)

3 EY Approach: What we set out to do
Stated purpose: Implement a comprehensive method to validate, measure and demonstrate value of BC Program to include:
- Self assessments
- Audits
- Independent 3rd Party Review
Practical purpose:
- Provide tools for those responsible; give them an opportunity to make it right and improve plans and processes
- Be an ally, not an auditor
- Create program reporting capability and visibility at the exec levels
- Work toward a more mature state
Did we accomplish these things?

4 The Scope
Americas Area: 10 regions, 29 countries, 41,500 people, 150 offices
United States Regions
- East Central
- Midwest
- Northeast
- Southeast
- Southwest
- West
Canada Region
Israel Region
FSO Region (BBC)
- Bahamas
- Bermuda
- British Virgin Islands
- Cayman Islands
Mexico and Central America Region (MECAR)
- Costa Rica
- Dominican Republic
- El Salvador
- Guatemala
- Honduras
- Mexico
- Nicaragua
- Panama
South America Region (SAR)
- Argentina
- Bolivia
- Brazil
- Chile
- Colombia
- Ecuador
- Paraguay
- Peru
- Uruguay
- Venezuela
EY Caribbean Region
- Aruba
- Barbados, Jamaica
- Jamaica
- Netherland, Antilles
- Trinidad and Tobago

5 Brief Overview of BC Framework
Focus
Program structure, high level
- Global: EY Global has a Global Crisis Response Plan
- Area: Americas Area has an Americas Crisis Response Plan
- Region (10 regions with 29 countries): Each Region/Country has a Business Continuity Plan (BCP)
- Location (150 offices): Each has a location-specific Emergency Response Plan (ERP); each has a Floor Warden/Searcher Guide

6 Validation Techniques Big Picture
Self Assessments
- Location level: Emergency Preparedness Self Assessment completed by each location annually
- Region level: Emergency Preparedness/Business Continuity Current State Assessment (CSA) completed by each Region annually
Audits
- EP/BCP Compliance Review: Conducted by Global Security for each location and Region annually to validate completeness of Emergency Response Plans and BCPs
- Random Spot Checks of Plans: Conducted by Global Security
Continued on next page

7 Validation (cont'd)
Training & Exercises
- Evacuation Drills for each location annually
- Crisis Response Team (CRT) emergency communications drill completed by each location annually
- Crisis Response Team training for each location, frequency is based on risk matrix
- Business Continuity Planning exercises for each Region every two years
- Self-guided CRT exercises not very successful
Internal Audit
Independent 3rd Party Review

8 Examples of Self Assessments

9 LOCATION: Emergency Preparedness Self Assessment Checklist sample
Conducted annually by each location

10 LOCATION: CRT Emergency Communications Drill sample
Conducted annually by each location

11 REGION: EP/BCP Current State Assessment completed annually by each Region
DOMAINS
- Program Management
- Emergency Preparedness
- Crisis Response
- Business Continuity Planning
- Awareness, Training & Exercising
- Maintenance
Current State Assessment Tool
- One-click Response Method
- User-Friendly Features
- Navigation Menu
- Capability to add comments/explanations
- Compare Results Over A Period 5 Years
- Automated Calculation of Results
- Results sorted on various criteria
- Graphical dashboard view of current state results and comparison of results over time

12 Sample Domain Screen
- Consistent Assessment Criteria
- Prevents multiple selections of current state
- Customizable to be conducted at a business unit level or a location (e.g., Region) level
- Includes a User Help Feature

13 Dashboard Views
- Multiple Executive Summary Data and Visual Views
- Overall Assessment Stage and what it means

14 Dashboard Views
- Multiple Executive Summary Data and Visual Views (across domains and within each domain; over time)

15 Region Year by Year Average Results Comparison
(Table of average results by year, columns Year 2008 through Year 2012, rows Canada, East Central, Midwest, Northeast, Southeast, Southwest, West.)

16 Assumptions and Limitations for CSA Tool
Assumptions
- Region has reviewed the Emergency Preparedness Self-Assessment checklist submitted by each location
- Region has reviewed the EP/BCP Compliance Review (audit of plans) conducted by Global Security for each location and Region and taken corrective action to close gaps
- Region answers questions accurately and honestly
Limitations
- The CSA is a self-assessment; therefore, there may be variances in how the Region interprets the questions and responds
- Location moves or new office openings can result in some lower scores as local emergency response plans are adjusted and new offices get up to speed on EP/BCP compliance

17 Audits

18 Internal Audits
Emergency Preparedness Compliance Review conducted annually by Global Security for each location
Sample Scores Only

19 Internal Audits
BCP Compliance Review conducted annually by Global Security for each Region

20 Internal Audits: Global Internal Audit Team
- Conducted by Global Internal Audit team
- Selected locations/plans/functions based on priority
- Five Times Square (New York)
- Beckett House (London)
- What's next?

21 External Audits: Independent 3rd Party
Objectives
- Validation of elements of program
- Client assurance
- Compliance with ISO22301
- Executive reporting
- Call attention to areas requiring resources

22 So what have we validated and what do we have numbers for?
Validation
- Program has critical components
- Plans have been reviewed and are current
- Plans are posted in central repository
- Those responsible are held accountable (Region Managing Partners, Office Managing Partners, Regional Directors of Administration, Region Security & Emergency Preparedness Points of contact)
- Tools have been tested (Emergency Notification System, CRT call lists, EY Roll Call)
Metrics (Who gets a score? Locations and Regions do!)
- Plan completeness (ERP, BCP, Floor Warden Searcher Guide)
- Were assessments and drills completed?
- Program completeness

23 Is it worth it? Yes!
- Those responsible at the location and Region level become more accountable and assume greater ownership
- Regional Managing Partners have a dashboard to review and discuss, which promotes dialogue and support
- Global Security able to report to executive leadership on progress and problem areas
- Findings used to make case for budget and resource requests
...so what's next?

25 Challenge Question: How do we measure effectiveness?