Malcolm Smeaton, Director Security Services and Contingency Planning at Government of Ontario, posted the following question on LinkedIn's Business Continuity-COOP group:
BCM Key Metric: I and others are to consolidate our annual reports to executives. This will include an executive summary that only allows the BCM program to highlight one key metric, what should it be?
I have considered: Last Exercised, last updated, departments covered, critical services covered, % of employees trained on BCP. Any suggestions what key metric I should select? Or any articles that you can point me to that will help me select?
A long-time acquaintance of mine, Howard Pierpont, Board Chair - Disaster Preparedness and Emergency Response Association, responded that Smeaton should consider:
Being in Ontario, I'd suggest you look at "Where are we in meeting the requirements of BS25999 or the Canadian equiv of NFPA1600".
Howard's been in the business a long time and has an enviable record; I generally respect his opinion.
But this time, I think he came up a tad short.
My problem is that, in my opinion, "meeting the requirements" does not necessarily equate to being prepared to handle an event.
BS25999-* is a rather broad ISO-want-to-be that was cobbled together by a committee of practitioners, many of whom - and I know this first hand - ignore avoidance and mitigation as if risks are inevitable and must be accepted as they occur. The Canadian version of NFPA 1600 is a better standard, but again, it is generic.
Each organization is unique; indeed, similar operations within the same organization - think national vehicle rental companies - can be unique from one to another. One size generic standard, be it CNFPA 1600 or the BS effort, cannot be all things to all organizations.
There simply are too many things that can go "bump in the night" to be addressed by a standard, accepted or want-to-be.
My answer to Mr. Smeaton's query, probably no more helpful than Howard's, took a different approach and one I think more accurately, yet briefly, states the organization's readiness:
The organisation is prepared for an event based on the recent enterprise exercise using a
I added that, considering the kick-off question's contents,
Everyone should be trained on the plan; that's a given.
All departments need to be covered; that's a given.
The "last exercised" is included in my suggested statement; the "last update" is a given following the exercise - I assume there were some deficiencies noted during the exercise and they were/are being eliminated.
Admittedly I think primarily in terms of enterprise risk management, but even dealing with functional units (creating "mini-plans" if you will), I firmly believe that everyone involved in the unit - functional or enterprise - needs to have a role in the management of risks and should be involved in risk management exercises.
Given that, it seems obvious to me that the best indicator of an organization's readiness is the most recent enterprise exercise.
I do not expect the exercise to be perfect; the points - at least two - of an exercise are to (a) identify any deficiencies and (b) enhance responder confidence and ability; the "B" is as important as the "A."
Critiquing an exercise to determine what "we" can do better - finger pointing and personal criticisms are counter-productive - usually, at least in my experience, results in a "to do" list that becomes a living part of the plan, with each item closed out as it is completed (and confirmed) - in other words, answering Mr. Smeaton's "last updated" concern.
As this is cobbled together only Howard and I have responded; it will be interesting to see others' opinions. The great thing about LinkedIn and its groups is that people can build on each other's input.
Long ago I understood that no one should create a plan - or a program - in a vacuum. People such as Howard are part of a personal, highly valued network of fellow risk professionals. We don't always agree, but we always share our knowledge.