Summary:
Continuous Improvement is essential towards a stable business. In addition, it’s important and tactical to be able to measure the progress and effect of your Business Continuity Management Systems implementation programme. In this webinar, we will discuss some approaches and metrics that can be used to follow how well your project stays on track and achieves its objectives.
Presenter:
This webinar will be presented by PECB partner Mr. Brian Henry, CEO and Owner of Caridon Business Solutons. By leading his company, he has 30+ years of experience in IT, and 28 years on Management Consulting. Brian has been an active member in Disaster Recovery and Business Continuity since 1985, and he is also a University lecturer. He has gained his rich experience by working in industries like mining, financial services, manufacturing, and local government. His specialties are: GCR, Business Continuity Management, Knowledge Management.
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
PECB Webinar: Continuous improvement and project measurements when implementing an ISO 22301 BCMS
1.
2. About us
We offer experienced and cost
effective professional guidance
and provide quality independent
and confidential services.
• Our main focus areas:
• Governance, Risk and Compliance
• Business Continuity Management
• Contract Lifecycle and Risk
Management
• Project Management
• Knowledge Management
• Change Management
• Training, Mentoring and Coaching
• ISO Management Systems
www.thecaridongroup.com.au
3. Continuous improvement and project
measurements when implementing
an ISO 22301 BCMS
Brian Henry
The Caridon Group
4. Some Facts
The dramatic statistic that more that 80% of projects
initiated by enterprises never actually deliver the
intended results remains as a grim testament to the
ineffectiveness of traditional application of
programme management and project delivery
methodologies.
5. BCM is a Journey, not a
destination
It’s important that we are avoid getting
lost along the way.
That means knowing how to navigate
6. Coordinates:
1. A coordinate system in which locations of points
in space are expressed by reference to three
mutually perpendicular planes, called coordinate
planes. The three planes intersect in three
straight lines called coordinate axes.
2. Mathematics: Any of a set of two or more
numbers used to determine the position of a
point, line, curve, or plane in a space of a given
dimension with respect to a system of lines or
other fixed references.
7. Vectors:
In this context we are considering vectors as
depicting a point in space by two measurements:
1. distance
2. direction
10. Coordinates –a Sales Example
Improvement Factor Units (Metric) Current Required Scale
1. Recruit good people Majority must have
3 yrs experience
(target 85%)
30% 85% 0% - 100%
2. Keep their motivation high No of Sick leave
days (max is 25)
20 5 0 - 25
3. Productivity 75% must achieve
target in past 2 the
years
22% 75% 0% -100%
12. Improving Sales project plan
a project plan
Need three groups of activities or project ‘Phases’
1.Recruit good people
• Review current qualifications, competencies, capacities
• Retrench
• Retrain
• Review
2.Keep their motivation high
• Review past sick leave forms
• Identify causes of illness,
• Review seasonal trends
• Prepare corrective campaigns
3.Productivity
• Interview sales force
• Conduct workshops to Identify and understand reasons for wins and losses
• Revise targets and target markets and product focus
• Upgrade sales forecast and reporting system
14. Business Continuity
Worst case scenario
Recoverability
Resilience
consider the effectiveness of ongoing processes
procedures and activities
“How do we know when we have achieved
the end-state?”
15. ISO22301
-the BCM Frame of Reference
• Generic not prescriptive
• No specific answers
• Depends on your own circumstances, domain,
market etc.
16. ISO22301 coordinates
From Table of contents
4. Context of the
Organisation
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance
Evaluation
10. Improvement
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Context of the
Organisation
Leadership
Planning
SupportOperation
Performance
Evaluation
Improvement
ISO22301 Compliance
17. Implementing ISO22301
• From the start, base the
plan on Plan Do Check
Act (PDCA)
• Draft your project plan
accordingly
18. Align the project activities to the
coordinates:
• For each project activity,
identify if it affects the
coordinates.
• Ensure that the activities,
when completed will
result in an acceptable
level of compliance.
• Review the coordinates
to identify indicators that
can be used to track
compliance in your own
enterprise
Assumptions:
1. The coordinate scales
are all 0% to 100%
2. Completing all
activities relating to a
coordinate, results in a
coordinate value of
100%
19. Effectiveness
of the Project
Tracks the project
progress, assigning task
progress to the
coordinates as a measure
of progress top the end
goal,
The project end goal may
be set as say 85%
compliant on all 7
coordinates.
Completion of the project
sets benchmark from
which to improve
20. The Check- Act Cycles
• BCMS Management procedures
• Policy,
• Business Impact Assessments
• Risk Assessments
• Strategies
• BCMS Plans
• Testing Schedules
• Exercises and Tests
• Audit programmes
• Management reviews
• Non-conformity procedures and execution
• BCM awareness at a strategic and project level
• Capability and capacity of the BCMS teams
• Training schedules and attendance
• Awareness programmes –cultural alignment
• Some items on the left are
deliverables from the
implementation project.
• Set review dates where
appropriate as compliance
metrics; e.g. Anything older
than 12 months is non-
compliant,
• Measure compliance as a
percentage where relevant
21. The Check- Act Cycles -some examples
Compliance / Maturity measure Example Metric
BCMS Management procedures Currency of formalised procedures
Policy <12 months old
BCMS Scope % <12 months old
Business Impact Assessments % <12 months old
Risk Assessments Update annually, risks in ERM register
Strategies % <12 months
BCMS Plans % <12 months
Testing Schedules Every January
Exercises and Tests1 % completed against schedule
Exercises and Tests2 % completed by exercise level
Audit programmes1 Current year
Audit programmes2 % completed this year
Management reviews % conducted as scheduled
Non-conformity procedures and execution % non-conformities remedied
BCM awareness at a strategic and project
level
% of projects with a BC Plan
Capabilityof the BCMS teams %Role players trained and level thereof
Capacity of the BCMS teams % vacant posts
Training schedules and attendance % of candidates following schedule
Awareness programmes –cultural alignment
% attendance at awareness sessions or completed online
awareness successfully.
22. Setting the scorecard
BCMS Element
Contextofthe
Organisation
Leadership
Planning
Support
Operation
Performance
Evaluation
Improvement
Compliance / Maturity measure Sec 4 Sec 5 Sec 6 Sec 7 Sec 8 Sec 9 Sec 10
BCMS Management procedures X X X X
Policy X X
BCMS Scope X X X
Business Impact Assessments X
Risk Assessments X
Strategies X
BCMS Plans X X X
Testing Schedules X
Exercises and Tests1 X
Exercises and Tests2
Audit programmes1 X X
Audit programmes2 X
Management reviews X
Non-conformity procedures and execution X
BCM awareness at a strategic and project level X
Capabilityof the BCMS teams X
Capacity of the BCMS teams X
Training schedules and attendance X X
Awareness programmes –cultural alignment X
23. Setting the scorecard
BCMS Element Status Score
ContextoftheOrganisation
Leadership
Planning
Support
Operation
PerformanceEvaluation
Improvement
Sec 4 Sec 5 Sec 6 Sec 7 Sec 8 Sec 9 Sec 10
Compliance / Maturity measure Example Metric
2 6 5 1 2 6 6
Score 100% 17% 29% 0% 11% 25% 0%
BCMS Management procedures Currency of formalised procedures y 100% 1 1 1 1
Policy <12 months old y 100% 1 1
BCMS Scope % <12 months old y 100% 1 1 1
Business Impact Assessments % <12 months old n 0% 1
Risk Assessments Update annually, risks in ERM register n 0% 1
Strategies % <12 months y 100% 1
BCMS Plans % <12 months n 0% 1 1 1
Testing Schedules Every January y 100% 1
Exercises and Tests1 % completed against schedule 40% 40% 1
Exercises and Tests2 % completed by exercise level 56% 56%
Audit programmes1 Current year Y 100% 1 1
Audit programmes2 % completed this year 35% 35% 1
Management reviews % conducted as scheduled 45% 45% 1
Non-conformity procedures and execution % non-conformities remedied 80% 80% 1
BCM awareness at a strategic and project level % of projects with a BC Plan 18% 18% 1
Capabilityof the BCMS teams % Role players trained and level thereof 88% 88% 1
Capacity of the BCMS teams % vacant posts 20% 80% 1
Training schedules and attendance % of candidates following schedule 100% 100% 1 1
Awareness programmes –cultural alignment
% attendance at awareness sessions or
completed online awareness successfully.
65% 65% 1
24. Reporting principles
• Summarise
• Keep it short
• Make it highlight key aspects
• Make it understandable
• Remember in an all day EXCO, BCM is only one
agenda item
• Executives seldom read even 2 pages beforehand
• Use graphics that are clear
• Compare with the last report
25. BCMS Scorecard Score
Context of the Organisation 100% 20% urgent attention
Leadership 66% 40% in progress
Planning 40% 60% semi compliant
Support 100% 80% compliant
Operation 50% 100% fully compliant
Performance Evaluation 79%
Improvement 80%
Overall 74%
Legend
Summarised Status
0%
20%
40%
60%
80%
100%
Context of the
Organisation
Leadership
Planning
SupportOperation
Performance
Evaluation
Improvement
BCMS Status
28. In Summary
• BCM is a journey, not a
destination
• Clearly define where you need to
get to and by when
• Define clearly how you will know
when you arrive (set
‘coordinates’)
• Draw up the route map in the
form of a project plan
• Make sure that you the avoid
deviations (irrelevant tasks)
• Run the project
• Define a new set of improved
coordinates
• Repeat the process
My name is Brian Henry.
I’m the CEO of the Caridon Group and are a PECB training partner in Africa and Australia. We are also members of the Business Continuity Institute.
We are a select consultancy providing consulting and project support in Governance, Compliance & Risk. We have been specialising particularly in Business Continuity management and the ISO 22301 standard.
We have assisted in implementing many Business Continuity Management Systems for large and medium organisations in various Industries.
While there is nothing wrong with all the thought leadership that has created the PMBok, Prince 2 and so on, it is in the application of these methods that things go wrong.
Large organisations, with a Programme Management Office, may have some 300-600 projects on the go at any one time, all initiated with the very best intentions. These may have massive budgets and objectives that will affect the working lives of a wide spectrum of personnel and interested parties. They may even have an impact on the operating models within the organisation.
The champions of such projects may face strong resistance to their efforts because of all these factors, so Change Management becomes a challenge.
Add to this complexity the duration of the project, and any plan that spans more than 12 months faces the danger of creating a deliverable that is no longer relevant.
The human factor is also an issue. Failed projects may not be terminated, but rather used as a means of supplementing other project budgets that are in trouble.
Gradually the initial objectives of the projects become dissipated, and change as time goes by.
An often quoted sentence is that ‘Business Continuity is a journey, not a destination.
Let’s use that as an analogy in the context of this presentation.
We can draw some ideas of navigation from travelling by ship or air.
Solet’s talk about navigation
What do we understand by the word coordinate as a noun?
From the dictionaries …
In simple terms it is a set of numbers defining a particular position in two or more dimensions.
More from the dictionaries.
In this simple to understand case, the coordinates of the end state can be reached by the navigator by travelling along the x-axis for a certain distance, then along the y-axis and finally up the vertical axis to get to the desired location.
Simply put, a vector is a combination of direction and distance, so instead of travelling along the green, red and blue vectors, the navigator may calculate a combination of the 3 directions and distances to aim directly to the end point, with a single direction and distance combination.
In travel terms, continuous improvement is the distance from the destination during the journey. The closer the traveller is to the end point, the greater the ‘improvement’ in achieving a desired state.
So far so good, but how does this translate to an implementation project?
The Frame of Reference
First identify how you know when you will have achieved the end goal. This means determining defining and agreeing on the coordinates or metrics you will use to determine your position.
Then decide the values for each coordinate that you would want to achieve. This is the end goal of the implementation or ‘intervention’.
The required state can be reached by three separate project phases or vectors depicted here by the green, red and blue lines, but that’s not how project managers set up plans.
In the real world it seems that end goal coordinates are not defined at the outset.
Consider a change intervention in which you need to improve three things affecting your sales efforts
Recruit good people
Keep their motivation high
Improve their productivity
Change these into coordinates and set a scale or metric to measure each one.
The end goal coordinates are therefore
85% by 5 by 75%
Consider a change intervention in which you need to improve three things affecting your sales efforts
Recruit good people
Keep their motivation high
Productivity
In this case the frame of reference involves just three ‘dimensions’ so its easy to visualise.
Define and plan a project to achieve the sales improvement.
It’s important to choose activities that contribute directly to the end goal. Anything else is just a waste. For example, will upgrading reporting and monitoring system really help? If not, don’t include it.
So many projects in organisations to day have lost their way, which may explain why so many fail.
As implementers, consultants and auditors we have all for some time been experimenting with scorecards and dashboards, and ways to determining how well our BCMS is operating.
Original thinking was directed at the ability to recover from a worst case scenario, but ISO22301 has formally introduced the Resilience factor and the continuous improvement requirements
That means we need to also consider the effectiveness of ongoing processes procedures and activities before an event occurs.
ISO 22301 is short but very comprehensive. Your interpretation of how it is to be applied may be very different from any other person’s,
so you need to develop your own metrics.
However the overall coordinates are well defined. How you get there depends on the route you chose. The route or ‘roadmap’ is your project plan.
The headings from Section 4 can be regarded as the 7 dimensions of a BCMS. They are in fact the titles of the various compliance factors.
Interpreting each one in your context should reveal which of the indicators are most relevant to your situation. If you do not have a BCMS of any kind, then an implementation project must be created, so let’s assume that is the case.
We have found great value in the PECB IMS2 framework.
The trick is to get the measurement of the project progress to indicate the compliance or maturity of the BCMS as the project continues.
Thereafter, it should be possible to use the same metrics to review and re-calibrate the BCMS against the original objectives
For each of the blocks in the IMS2, document the project activities to be carried out.
Build the project plan to cover all the stages at least to the ‘check’ stage.
Make sure that the roadmap (i.e. the project plan) will reach the end goal as defined by the coordinates of ISO22301. Check what effect the activity will have and set a compliance value to be expected by completing that part of the project plan.
In this discussion we will assume that:
the coordinate scales are all 0% to 100%
if we have completed all the activities relating to a coordinate, then the coordinate value will be 100%
This illustrates the framework, rather than the metrics.
Having established the BCMS within the scope agreed, and to the compliance levels set, the maintenance activities must be defined to ensure that the original deliverables are improved whenever possible.
Identify what needs to be reviewed and revised, and when.
Items for consideration are:
BCMS Management procedures
Policy,
Business Impact Assessments
Risk Assessments
Strategies
BCMS Plans
Testing Schedules
Exercises and Tests
Audit programmes
Management reviews
Non-conformity procedures and execution
BCM awareness at a strategic and project level
Capability and capacity of the BCMS teams
Training schedules and attendance
Awareness programmes –cultural alignment
As the corporation evolves and changes in response to strategic drivers, the revision of the Scoping document should reveal non-conformities or gaps in the BCMS framework, and the PDCA cycle may restart.
These are just examples. More detail can be devised to suit the individual circumstances and requirements.
Once again, however, the metrics used must be related to the chosen framework of Coordinates-in this case the 7 chapters of the ISO22301 standard.
Now it is possible to relate the scores or compliance levels of each of your metric elements to the 7 coordinates
Now the compliance to the standard can be determined, and
There are all the traditional reporting graphics –bar charts, radar graphs, curves, area graphs and almost any combination of these.
After all the calculations have been done, the final conclusions should be on at most two pages in graphic form with key conclusions and recommendations
This is a simple example of a report content.
It is possible with some thought to relate compliance to a maturity scale from 1-5. This may not bean exact science, but it works well as a tool for comparison.
Provides an easy track on progress towards the end goal.
If there are multiple business units or divisions to be considered, then scorecards for each can be created, compared and summarised in one or two pages.