Management Score Cards and Metrics

Presented by:  Ray Mach

1

Ray Mach, CBCP

• Business Continuity Program Management• ProgramManagement and Governance – BCP and DRProgram Management and Governance  BCP and DR• Experience with Financial Services, Retail, Manufacturing, Logistics

• Specialty in BC Planning, Testing/Exercises, Training, Pandemic Plans, Crisis Management, BIA, Program Controls and Management

• Experienced IT Manager• Project and Program Management• Application Development, Support and DR

2

Agenda

• Level Setting Expectations

• Purpose of Measurements

• Aligning Objectives and Audiences

• Data Sources and Presentation Formats

• Other Considerations

• Samples

• Recap/Adjourn

3

Why Are You Here?

Why did I i fsign up for 

thissession?

What do I want to get out of 

this?

What information do I want to take away?

• Who uses a good set of metrics already?

4

y

My Goals for Today

• Share ideas establish effective management ti th t i t b dreporting that is measurement based

• Present key considerations

• Offer examples

• Provide a sample project plan  Groupthink

• Leverage audience input

5

Why Measure and Report?

Cost Benefit

• Where are we at?

Wh d t t ?• Where do we want to go?

• What will it take to get there?

• How are we progressing?

6 6

Accuracy and Quality 

• Quality – “goodness of fit for intended purpose”• What is the purpose focus on the desired• What is the purpose – focus on the desired outcome

• What action are you looking for?– Provide Status – Compel ActionEducate– Educate

– Other?

• Tell a story with clarity

7

Target Audience ‐ Intended vs. Actual

• Business Area Management

• Executive Management

• BCP/DR Coordinators

• Steering Committee

• Your Managementg

• Audit

8

Potential Objectives

• Status of ongoing activities– Gaps/Risks

– Program enhancements

• Set Annual objectives and status

• Obtain/maintain program sponsorship and commitmentcommitment

• Obtain funding and support

• Get direction or buy in

9

Align Objectives to AudienceAudience Objective Data Source Frequency

Steering Committee

Communicate Program Status

What’s complete vs

Program Plan

Quarterly Committee Program Status complete vs. 

PlannedPlan

Business Unit Management

Address late activities

What’s outstanding and who is responsible

BCP System

Monthly

BCP Coordinators Address late activities

What’s outstanding 

BCP System

Monthly

10

who’s responsible

Executives Communicate key risks

Recovery GapsActivity 

Tracking Data base

Quarterly 

Steering Committee

Funding and support

Cost/Benefits Ad‐hoc

Data Sources

• Leverage Existing Controls

• Reliable

• Easy Accessed

• Timely (frequency)

• Appropriate

11

Method of Presentment

• Don’t overdo it ‐ Keep it Simple• Appropriate for the intent• Appropriate for the intent• Graphical

– Simple Tables– Charts– Cultural Fit – Graphs, colors, bars, pie, lists

• Red / Yellow / Green for simplicity and understanding• Ability to provide notes for clarity (i.e. status/actions)• Static data vs. comparative – Discerning progress

12

Tools – Source Data and Presentation

• Excel – supports tables, notes, graphs

• Access – Can help manage lots of data 

– Can feed Excel

• BCP System/Database

Oth E t bli h d S t• Other Established Systems – Linkage of data to improve accuracy and timeliness

13

Other Considerations

• Education, Educate, Educate

• Consistency of terms – promotes understanding

• Establish baselines early

• Tell a story

• Be clear on intended action

• Be prepared with supporting details

• Marketing of accomplishments

14

Management Reporting Byproduct

• Gaining and sustaining management support dand resources

– Keep the message in the forefront 

– Utilize dashboards and metrics

– Communicate gaps and needs

– EducateEducate

15

Some Samples

• Format• Format

• Content• Tools

16

Tracking Program Progress

RiskBusiness Unit Prty

Risk Assmt BIA BCP Pand Training Testing

Accounting A 100% 100% 100% 100% 100% 100%Corporate Communications B 80% 80% 80% 100% 40% 80%Information Technology A 90% 80% 80% 100% 90% 70%Human Resources B 100% 100% 100% 100% 100% 100%Marketing B 100% 100% 100% 100% 100% 100%Operations A 100% 86% 86% 57% 95% 60%Product Development B 90% 70% 90% 70% 90% 50%Procurement C 20% 40% 60% 80% 20% 60%Protection Services B 100% 100% 100% 100% 100% 100%

17

Protection Services B 100% 100% 100% 100% 100% 100%Data Security B 100% 100% 75% 75% 100% 75%Transportation A 40% 80% 100% 80% 40% 90%Legal C 60% 100% 60% 0% 60% 70%

Activity Based ‐ % Completion

Multi‐Year Improvement PlanRisk Assessment

Review and refresh data based on valuePrepare executive summary of risksRefresh risk assessment annually

Business Impact AnalysisEnhance data collection and review processShare recovery requirements with ITCapture critical vendor dependencies

Business Continuity PlanningInclude loss of vendor services  in recovery strategiesDefine improved alternate space planning processIdentify all areas not covered by a BCP

BCP Testing

18

gEstablish standard test types and templates for tabletops

IT Disaster Recovery PlanningAddress Identify critical end user computing systemsEnhance navigators to improve planning

Crisis ManagementDetermine participation in national test

Measuring and Tracking Program MaturityBIA 4 Determine  RTO, RPO and quantify impacts of severe interruption.

Risk Assessment 3 Identify internal and external events that are threats to the continuity of the business.  Used to prioritize risks for remediation.

Gap Analysis 2 Identifying where BC requirements are not being met

BC  Testing 3 Review/execution plans to validate usability and preparedness 

DR  Testing 3 Review/execution plans to validate usability and preparedness 

Crisis Response Testing 4 Review/execution plans to validate usability and preparedness 

Business Continuity   5 Procedures to ensure the recovery of business functions

Disaster Recovery   2 Procedures to ensure the recovery of technology

Crisis Response  4 Procedures that guide companywide coordination during a crisis

Pandemic  4 Procedures to guide the recovery of business during a severe loss of people

19

Governance 3 Methods for exercising authority, accountability, controls and performance.

Education/Training 3 Material to promote awareness, understanding and the ability to execute BC responsibilities.

Supporting Tools 2 Technology used to support the BC program.

Metrics ‐ Dashboard 1 Key tactical  and performance indicators to manage the BC program.

Pandemic Testing 2 Review/execution plans to validate usability and preparedness 

Graphic and Tabular

Metric Grade Weight Weighted Avg Scoring Guidance

Roles and responsibilities 3 20% 20%

3= Roles are defined, backups are assigned, and primary/backups have received necessary training and tools2= Primary roles are defined with necessary training, but backups have not been assigned or received necessary training1= Roles have not been adequately assigned or the necessary trainings have not taken place

3 R l t t d t iTesting 2 20% 13%

3= Recovery plans are tested twice per year2= Recovery plans are tested once per year1= Recovery plans are not tested during the year

Maintenance 2 40% 27%

3= Recovery plans are reviewed and issues are addressed quarterly2=Recovery plans are reviewed and issues are addressed twice per year1= Recovery plans are reviewed and issues are addressed once per year0= Recovery plans are not reviewed during the year

Audit 3 20% 20%

3= An independent review of compliance with testing and maintenance requirements is conducted once every two years1= An independent review of compliance with testing and maintenance requirements is not conducted at least once every two years

Recovery Score 80%

20

DashboardSUMMARY SCORE

21

Disaster Recovery Status% with DR

Plans % TestedHigh Availability - 0 to 4 Hours

Total Distributed 93% 91%Mainframe 100% 100%Total Business 98% 96%

Tier A - 4 to 12 HoursTotal Distributed 69% 44%Mainframe 100% 100%Total Business 89% 81%

Tier B – 12 to 24 HoursTotal Distributed 34% 34%Mainframe 100% 100%T t l B i 63% 63%

22

Total Business 63% 63%

Tier C – Over 24 HoursTotal Distributed 11% 11%Mainframe 100% 78%Total Business 89% 69%

Activity Progress ‐ Graph 

100%15%

20%

40%

60%

80%

20%10%

50% 55%25% 40%

30%30%55% 50%

20% 15%

Needed

Active

Complete

23

0%

General Office Supermarket Divisions

Logistics Manufacturing

10%

Operations         Retail    Accounting        Plants

Project Plan

1. Define Objectives2 Determine Audiences2. Determine Audiences3. Match Objectives to Audience4. Determine needs and desired actions5. Determine available data and sources6. Validate data accuracy and change frequency7. Draft metrics and gain feedback8. Educate Audience9. Rollout

24

Audience Input 

RAY MACH

Management Scorecards and Metrics

25