
Post on 26-May-2021


Designing a BCM Capability Maturity Model

Contents

Purpose of a Capability Maturity Model (CMM)
Model Structure
Maturity Levels
Capability Maturity Model Report Sample ‘A’
Capability Maturity Model Report Sample ‘A.1’
Capability Maturity Model Report Sample ‘A.2’
Capability Maturity Model Report Sample ‘A.3’
Capability Maturity Model Report Sample ‘B’
Capability Maturity Model Report Sample ‘B.1’
Capability Maturity Model Report Sample ‘C’
Capability Maturity Model Report Sample ‘C.1’

Workshop participants please note:

This workshop provides sample content only that must be adapted to your Corporate needs. Vanilla layout (no fancy, time consuming and ‘challenging to modify’ templates). Focus is on providing content in simple, easy to understand layouts that are effortless to add/delete/modify. You have ownership of final format and content best designed for your world. We are here to help, just reach out - [email protected]


Purpose of a Capability Maturity Model (CMM)

This Capability Maturity Model provides the BCM professional designer with a sample framework where industry standards, regulatory requirements and practices can be effectively measured and tracked against C-Suite expectations. It can be a very effective foundation for designing, developing, documenting, implementing and sustaining practices and procedures that facilitate response to unforeseen disasters and crises. It can also be used both internally and externally to conduct comparative analysis of different but inter-dependent services to identify and resolve challenges.

Model Structure

The Carnegie Mellon University model involves five aspects. As outlined in the Disaster Recovery Journal (DRJ) presentation that is the primary knowledge transfer related to this model, the BCM/DR industry offers many standards and practices to choose from when designing a model that is specific to the environment in which you operate and that aligns well with the Carnegie Mellon model.

For ease of reference and demonstration purposes, we have chosen the DRII Professional Practices as an example for this workshop. Equally high quality content is available from many other sources. We are not advocating DRII as the premier CMM structure content, just the one that I (Betsy) am most familiar with and therefore am using here for demonstration purposes.

Each Carnegie-Mellon element is listed below, followed by its DRII Professional Practice equivalent.

Maturity Levels: a 5-level process maturity continuum, where the uppermost (5th) level is a notional ideal state where processes would be systematically managed by a combination of process optimization and continuous process improvement.
DRII Professional Practice equivalent: Custom built by AskBetsyBCP.

Key Process Areas: a Key Process Area identifies a cluster of related activities that, when performed together, achieve a set of goals considered important.
DRII Professional Practice equivalent: Professional Practices 1-10

Goals: the goals of a key process area summarize the states that must exist for that key process area to have been implemented in an effective and lasting way. The extent to which the goals have been accomplished is an indicator of how much capability the organization has established at that maturity level. The goals signify the scope, boundaries, and intent of each key process area.
DRII Professional Practice equivalent: Professional Practice goals summary

Common Features: common features include practices that implement and institutionalize a key process area. There are five types of common features: commitment to perform, ability to perform, activities performed, measurement and analysis, and verifying implementation.
DRII Professional Practice equivalent:
- Commitment to perform – BCM policy; governance etc.
- Ability to perform – BCM resources; budget; skills
- Activities performed – Professional Practice Activities
- Measurement & Analysis – BCM CMM self-assessment
- Verifying implementation – Annual Exercise program
- Demonstrating Success – Real event response is manageable
- Proven Adoption – embedded in Corporate Culture

Key Practices: The key practices describe the elements of infrastructure and practice that contribute most effectively to the implementation and institutionalization of the area.
DRII Professional Practice equivalent: DRII Professional Practice Tasks + Corporate specific practices

Maturity Levels

There are five levels defined along the Carnegie Mellon University continuum of the maturity model. We have adapted these levels to BCM as outlined below. In summary, they are:

1. Initial (chaotic, ad hoc, individual heroics, no alignment with BCM/DR industry standards or practices) - the starting point for BCM/DR.
2. Repeatable – limited alignment with standards or practices sufficiently such that repeating the same steps may be attempted.
3. Documented/Approved – documented/approved governance and plans aligned with industry standards/practices exist.
4. Managed – commitment is strong, recovery strategies have been demonstrated ready for use in a simulation exercise with AAR improvements completed.
5. Embedded – BCM/DR is embedded in the corporate business model and culture. Diligent, live change management program is in place.

Within each of these maturity levels are Key Process Areas (drawn from BCM/DR industry standards and practices; regulatory requirements; insurance; supply chain and other external partner obligations designed to meet the needs of individual organizations) which characterize that level. According to Carnegie Mellon, there are five features that contribute to success in almost all process improvement – goals; commitment; ability; measurement and verification. Analysing these features for service areas struggling to make progress with BCM/DR can be key to resolving challenges.

Within each Key Process Area (KPA) are activities required for successful completion of that KPA. Combined, key process areas and their supporting activities form the basis of criteria for maturity assessment. It is essential that every BCM/DR professional using this model add/delete/modify sample content provided to best fit their company needs.

| Capability Maturity Level | Dashboard Colour |
|---|---|
| 1. INITIAL – no alignment with BCM industry standards/practices. Typically in an undocumented state of dynamic change, efforts are ad hoc, chaotic and reliant on individual free-lance heroics. | RED |
| 2. REPEATABLE - Limited ‘alignment’ with industry standards/practices. Processes are informally or inadequately documented; heavy reliance on key players or vendor support. | ORANGE |
| 3. DOCUMENTED/APPROVED – BCM/DR is approved through Corporate governance as a standard business process. Documented/approved BC/DR plans aligned with industry standards/practices are in place. Compliant with Corporate policies & procedures. Compliance with regulatory requirements (where applicable); successfully demonstrated feasibility in a table top exercise. | YELLOW |
| 4. MANAGED – BCM/DR activities are strongly championed by service owners; recovery strategy investments to support Ready For Use are completed; strategy implementation and team training is complete; effective crisis management exists; strategy is suitable for use in multiple complex scenarios; successfully demonstrated competence through simulation exercise; After Action Report improvement opportunities resolved. | GREEN |
| 5. EMBEDDED - BCM and DR processes are ‘embedded’ in Corporate business model and culture (e.g., project/program initiation and management; mergers/acquisitions and all contracts include BCM/DR clauses; annual exercises/tests demonstrating increasing competences; performance agreements/reviews include clear BCM/DR expectations and deliverables); strong support and measured compliance to C-Suite reported at least semi-annually with follow-up action on shortfalls; continual improvement expected/rewarded; diligent live change management program in place. | WHITE |


Start by assessing your own BCM Program Capability Maturity first. This will help you design the foundation for further CMM work.

Use a simple high level format at first.

Increase complexity with experience and partnerships with Service Area managers supportive of your Program.

1. Which BCM/DR industry structure best applies to your mandate? BCM industry standards? IT industry standards? BCM industry practices? Other?

2. Are there regulatory requirements that must be met? Add these later

3. Which Corporate governance policies and standards must be included? Add these later

4. External partner contractual requirements? Add these later

5. What style of C-Suite Dashboard is already used? Radar/spider? Bubble graph? Table text? Stoplight?

For our example let’s use the DRII Professional Practices and Stoplight Reporting. Once you have mastered the concepts and process, modify content to match your business needs.

In this workshop, we are going to practice completing 3 different levels of Capability Maturity Assessment:

- CMM Report Sample ‘A’ – a simple overview of status including the rationale for ratings, which can also be adapted to assess Corporate wide BCM program compliance.
- CMM Report Sample ‘B’ – an overview of key practice elements required for success and where you may need to focus energy.
- CMM Report Sample ‘C’ – an in-depth report covering multiple Service Areas by Key Process Area (KPA) and activities within that KPA by Service.


Capability Maturity Model Report Sample ‘A’ – a simple overview of status including the rationale for ratings. Complete this report for your program.

BCM/DR Capability Maturity Model (CMM) Status Report
BCM Program as at: <date>

Columns: Key Process Area, Status Level, Rationale

1. BCM Program Initiation & Management
2. Risk Assessment: Out of scope. Enterprise Risk Mgt mandate – refer to Record of Decision 2020-04
3. Business Impact Analysis
4. Business Continuity Strategies
5. Incident Response
6. Plan Development and Implementation
7. Awareness and Training
8a. Continuity Plan Exercise
8b. Continuity Plan Assessment (audit, not CMM)
8c. Continuity Plan Maintenance
9. Crisis Communications
10. Co-ordination with External Agencies

CMM Report - Sample ‘A’

September 14, 2020

BCM/DR Capability Maturity Model (CMM) Status Report
BCM Program as at <date>

| Key Process Areas | Status | Rationale |
|---|---|---|
| BCM Program Initiation & Management | Embedded | complete - internal to BCM team; annual review/update Q4 |
| Risk Assessment | Managed | Out of scope – not BCM/DR – see RoD #2020-01 |
| Business Impact Analysis | Approved | Steering Ctte approval rec’d April 2020 – RoD #2020-17 |
| Business Continuity Strategies | Initial | Options analysis not started – Contractor hiring approval submitted Dec 3, 2019 pending |
| Incident Response | Managed | Complete – adopted EM activation/escalation & teams RoD #2020-03 |
| Plan Development & Implementation | Managed | Plan completed based on existing continuity strategy at Mgt Meeting Nov 23, 2018 - Change management in place |
| Awareness & Training | Repeatable | delayed due to lack of resources (COVID); resource request for FY 2021 submitted |
| Business Continuity Plan Exercise, Assessment, and Maintenance | Repeatable | Covid experience applicable |
| Crisis Communications | Repeatable | Covid experience applicable |
| Coordination with External Agencies | Repeatable | Covid experience applicable |

Improve with Competency

Start small by doing your program first - A simple overview of status including the rationale for ratings.

Download the full CMM program template at www.KingsBridgeBCP.com

5 Levels of BCM/DR Maturity

1. INITIAL – no alignment with BCM industry standards/practices. Typically in an undocumented state of dynamic change, efforts are ad hoc, chaotic and reliant on individual free-lance heroics.

2. REPEATABLE - Limited ‘alignment’ with industry standards/practices. Processes are informally or inadequately documented; heavy reliance on key players or vendor support.

3. DOCUMENTED/APPROVED – BCM/DR is approved through Corporate governance as a standard business process. Documented/approved BC/DR plans aligned with industry standards/practices are in place. Compliant with Corporate policies & procedures. Compliance with regulatory requirements (where applicable); successfully demonstrated feasibility in a table top exercise.

4. MANAGED – BCM/DR activities are strongly championed by service owners; recovery strategy investments to support Ready For Use are completed; strategy implementation and team training is complete; effective crisis management exists; strategy is suitable for use in multiple complex scenarios; successfully demonstrated competence through simulation exercise; After Action Report improvement opportunities resolved.

5. EMBEDDED - BCM and DR processes are ‘embedded’ in Corporate business model and culture (e.g., project/program initiation and management; mergers/acquisitions and all contracts include BCM/DR clauses; annual exercises/tests demonstrating increasing competences; performance agreements/reviews include clear BCM/DR expectations and deliverables); strong support and measured compliance to C-Suite reported at least semi-annually with follow-up action on shortfalls; continual improvement expected/rewarded; diligent live change management program in place.


Capability Maturity Model Report Sample ‘A.1’ – a simple overview of status including the rationale for ratings. Complete this report for your program.

BCM/DR Capability Maturity Model (CMM) Status Report
BCM Program as at: <date>

Columns: Key Process Area, Service A, Service B, Service C, Service D, Service E, Service F, Service G

1. BCM Program Initiation & Management: Out of scope – BCM Program Team mandate refer to Record of Decision 2020-17
2. Risk Assessment
3. Business Impact Analysis
4. Business Continuity Strategies
5. Incident Response
6. Plan Development and Implementation
7. Awareness and Training
8a. Continuity Plan Exercise
8b. Continuity Plan Assessment (audit, not CMM)
8c. Continuity Plan Maintenance
9. Crisis Communications
10. Co-ordination with External Agencies: Out of scope – Emergency management Office mandate – refer to Record of Decision 2020-3

Capability Maturity Model Report Sample ‘A.2’ – a simple overview of company wide status. Each Service owner self-assesses for this report.

BCM PROGRAM Capability Maturity Model (CMM) Status Report as at: <date>

| Service Area Name | BIA | Strategy | Plan Doc | Response | Training | Exercise | Comms |
|---|---|---|---|---|---|---|---|
| 1. | | | | | | | |
| 2. | | | | | | | |
| 3. | | | | | | | |

Capability Maturity Model Report Sample ‘A.3’ – a simple overview of company wide status. Your Tech team self-assesses input for this report.

BCM PROGRAM Capability Maturity Model (CMM) Status Report as at: <date>

| Application or Infrastructure Name | BIA | Strategy | Plan Doc | Response | Training | Exercise | Comms |
|---|---|---|---|---|---|---|---|
| 1. | | | | | | | |
| 2. | | | | | | | |
| 3. | | | | | | | |


Capability Maturity Model Report Sample ‘B’ – an overview of key practice elements required for success and where you may need to focus energy. Ask Service Owners to complete this report for the Professional Practice(s) of your choosing.

To start, simply use a YES (no problems) vs NO (challenges exist) reply. As Service Owner experience with CMM increases, you may decide to increase granularity by using CMM maturity levels instead of just yes/no.

Service Area Name: <enter the name of the service this report covers>
Professional Practice: <enter PP Title (or other BCM/DR standard or program element of your choosing) here.>
Goals (DRII Summary): <enter ‘goals’ from DRII Professional Practice Summary (or other goals of your choosing) here.>

BCM PROFESSIONAL PRACTICE <PP# and title> Capability Maturity Model (CMM) Key Practice Status Report
Service Area <Dept Title> as at: <date>

| # | KEY PROCESS AREA OR KEY PRACTICE ACTIVITIES/TASKS | Commitment (governance) | Ability (resources, budget, skills) | Key Practice Performed | Measurement & Analysis (CMM, audit) | Verifying Implementation (exercise/test) | Demonstrated Success (real event) | Continual Process Improvement (AAR completed) |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | |

Provide details for all ‘NO’ entries here:

CMM Report - Sample ‘B’


Capability Maturity Model (CMM) SAMPLE KEY PROCESS AREA #3: DRII PROFESSIONAL PRACTICE #3 - BUSINESS IMPACT ANALYSIS

GOALS:
a) Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available.
b) Assess the resources required to support the business impact analysis process.
c) Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements.
d) Other Corporate goals consistent with needs.

| # | KEY PRACTICES | Commitment (governance) | Ability (resources, budget, skills) | Key Practice Performed | Measurement & Analysis (CMM, audit) | Verifying Implementation (exercise/test) | Demonstrated Success (real event) | Continual Process Improvement (AAR completed) |
|---|---|---|---|---|---|---|---|---|
| 3.1 | Identify the qualitative and quantitative criteria to be used to assess the impact to the entity as the result of an event. | Yes/no? | Yes/no? | Yes/no? | Yes/no? | Yes/no? | Yes/no? | Yes/no? |
| 3.2 | Gain leadership agreement on business impact analysis methodology and the criteria to be used to establish the business impact analysis process and methodology. | Initial | Approved | Repeatable | Embedded | Managed | Covid | Repeatable |
| 3.3 | Plan and coordinate data gathering and analysis. | out of scope – see Record of Decision (RoD) Log # 14 | | | | | | |

Improve with Competency

It’s ok at first to consider simple ‘yes/no’ content – with maturity use CMM levels to provide greater detail.


Capability Maturity Model Report Sample ‘B.1’ - an overview of key practice elements required for success and where you may need to focus energy.

Ask Service/Application Owners to complete this report for the Professional Practice(s) of your choosing. To start, simply use a YES (no problems) vs NO (challenges exist) reply.

As experience with CMM increases, you may decide to increase granularity by using CMM maturity levels instead of just yes/no.

Service Area/Application Name: <enter the name of the service/application/infrastructure component this report covers>
Professional Practice: <enter PP Title (or other BCM/DR standard or program element of your choosing) here.>
Goals (DRII Summary): <enter ‘goals’ from DRII Professional Practice Summary (or other Corporate BCM/DR policy statements/goals of your choosing) here.>

You can also START by asking owners to rate their current status of BCM (in totality as they see it) using the 5 CMM levels.

BCM/DR Capability Maturity Model (CMM) Status Report as at: <date>

| ID # | Service Area 1 OR Application X OR Infrastructure Y | Commitment (governance) | Ability (resources, budget, skills) | Key Practices Performed | Measurement & Analysis (CMM, audit) | Verifying Implementation (exercise/test) | Demonstrated Success (real event) | Continual Process Improvement (AAR completed) |
|---|---|---|---|---|---|---|---|---|
| | | | | | | | | |


Capability Maturity Model Report Sample ‘C’ – an in-depth report by Key Process Area (KPA) and activities within that KPA.

With experience in doing Capability Maturity Modelling, comes complexity and enhanced results. Add/delete/modify content to meet your needs.

Ask Service Owners OR YOUR TECH TEAM to complete this report for the Professional Practice(s) of your choosing. Some clients like to see the ‘words’ denoting CMM level, others like to see results represented by stoplight, radar or bubble reporting.

Sample content is provided in first few Key Process Areas – simply delete once you have decided on the best approach for you.

Service Area OR Application/Infrastructure Name & Description: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #1: DRII PROFESSIONAL PRACTICE #1 - PROGRAM INITIATION & MANAGEMENT

GOALS:
a) Establish the need for a business continuity program.
b) Obtain support and funding for the business continuity program.
c) Build the organizational framework to support the business continuity program.
d) Introduce key concepts, such as program management, risk awareness, identification of critical functions/processes, recovery strategies, training and awareness, and exercising/testing.
e) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
|---|---|---|---|---|---|---|
| 1.1 | Establish the need for a business continuity program. | BCM Program Team mandate - Out of scope for this assessment. Refer to Record of Decision 2020-17 | | | | |
| 1.2 | Obtain support and funding for the business continuity program. | | | | | |
| 1.3 | Coordinate and manage the implementation of the business continuity program throughout the entity. | | | | | |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #2: DRII PROFESSIONAL PRACTICE #2 - RISK ASSESSMENT

GOALS:
a) Identify risks that can adversely affect an entity’s resources or image.
b) Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective use of resources to reduce these potential impacts.
c) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
|---|---|---|---|---|---|---|
| 2.1 | Work with leadership and any internal and/or external risk management or enterprise risk management groups (hereafter referred to as risk management groups) within the entity to gain agreement on a clear, standardized risk assessment methodology and to gain understanding of the entity’s risk appetite and threshold. | INITIAL | REPEATABLE | APPROVED | MANAGED | EMBEDDED |
| 2.2 | Identify, develop, and implement information-gathering activities across the entity to identify risks. | | | | | |
| 2.3 | Determine the probability and impact of the identified risks. | | | | | |
| 2.4 | Identify and evaluate the effectiveness of controls and safeguards that are currently in place. | | | | | |
| 2.5 | Identify resilience strategies to control or mitigate the potential impact of the risk and/or reduce vulnerabilities. | | | | | |
| 2.6 | Document and present the risk and vulnerability assessment and recommendations to leadership for approval. | | | | | |
| 2.7 | Upon receiving approval from leadership, develop the entity’s risk appetite and threshold to use as a basis for the ongoing management of a sustainable risk assessment process. | | | | | |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #3: DRII PROFESSIONAL PRACTICE #3 - BUSINESS IMPACT ANALYSIS

GOALS:
a) Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available.
b) Assess the resources required to support the business impact analysis process.
c) Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements.
d) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
|---|---|---|---|---|---|---|
| 3.1 | Identify the qualitative and quantitative criteria to be used to assess the impact to the entity as the result of an event. | INITIAL | REPEATABLE | APPROVED | MANAGED | EMBEDDED |
| 3.2 | Gain leadership agreement on business impact analysis methodology and the criteria to be used to establish the business impact analysis process and methodology. | | | | | |
| 3.3 | Plan and coordinate data gathering and analysis. | | | | | |
| 3.4 | Establish the criteria and methodology to be used in conducting the business impact analysis process. | | | | | |
| 3.5 | Analyze the collected data against the approved criteria to establish a recovery time objective (RTO) and recovery point objective (RPO) for each operational area and the technology that supports the operational area. | | | | | |
| 3.6 | Prepare and present the business impact analysis results to leadership. Gain acceptance of the recovery time objective and recovery point objectives as detailed in the business impact analysis. | | | | | |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #4: DRII PROFESSIONAL PRACTICE #4 - BUSINESS CONTINUITY STRATEGIES

GOALS:
a) Select cost-effective strategies to reduce deficiencies as identified during the risk assessment and business impact analysis processes.
b) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
|---|---|---|---|---|---|---|
| 4.1 | Utilize the data collected during the risk assessment and business impact analysis processes to identify the available continuity and recovery strategies for the entity’s operations that will meet both the recovery time objective and recovery point objective requirements as defined in the business impact analysis. | | | | | |
| 4.2 | Utilize the data collected during the risk assessment and business impact analysis to identify the available continuity and recovery strategies for the entity’s technology that will meet the recovery time objectives and recovery point objectives as defined in the business impact analysis. | | | | | |
| 4.3 | Identify supply chain issues, for both suppliers and customers, from the business impact analysis that may affect the selection of a recovery strategy. | | | | | |
| 4.4 | Consolidate strategies where appropriate to reduce costs and/or complexity. Identify areas in which the same recovery strategy could be used to meet the requirements for multiple areas of operations, such as using a single alternate site for the recovery of business operations from different sites that are not expected to be impacted by the same event. | | | | | |
| 4.5 | Assess the cost of implementing identified strategies through a cost/benefit analysis. | | | | | |
| 4.6 | Recommend strategies and obtain approval to implement. | | | | | |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #5: DRII PROFESSIONAL PRACTICE #5 - INCIDENT RESPONSE

GOALS:
a) Develop and assist with the implementation of an incident management system that defines organizational roles, lines of authority and succession of authority.
b) Define requirements to develop and implement the entity’s incident response plan.
c) Ensure that incident response is coordinated with outside organizations in a timely and effective manner when appropriate.
d) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 5.1 | Identify applicable emergency preparedness and incident response guidelines including, but not limited to, health and safety, fire prevention, and those required by regulations issued by the federal, state, provincial, county, parish, tribal, or local levels of government. |  |  |  |  |  |
| 5.2 | Identify potential types of incidents that may occur and the impacts that may result. |  |  |  |  |  |
| 5.3 | Identify the necessary incident response capabilities. |  |  |  |  |  |
| 5.4 | Review existing incident response procedures and assess the capabilities to protect life, property and the environment. |  |  |  |  |  |
| 5.5 | Recommend the development, and assist with the implementation, of an incident management system for command, control, and coordination of personnel and resources during incident response activities. Develop and assist with the implementation of a delegation of authority that defines organizational roles, lines of authority, and succession of authority. |  |  |  |  |  |
| 5.6 | Review and coordinate incident response plans and procedures with personnel and relevant organizations as appropriate. |  |  |  |  |  |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #6: DRII PROFESSIONAL PRACTICE #6 - PLAN DEVELOPMENT & IMPLEMENTATION

GOALS:
a) Document plans to be used during an incident that will enable the entity to continue to function.
b) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 6.1 | Use the approved strategies developed in Professional Practice 4 as the basis for plan documentation. |  |  |  |  |  |
| 6.2 | Define the structure for the plan documentation. |  |  |  |  |  |
| 6.3 | Coordinate the effort to document recovery plans for the entity’s operations and the supporting infrastructure. |  |  |  |  |  |
| 6.4 | Publish the plan documents. |  |  |  |  |  |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #7: DRII PROFESSIONAL PRACTICE #7 - AWARENESS & TRAINING PROGRAMS

GOALS:
a) Establish and maintain training and awareness programs that result in personnel being able to respond to incidents in a calm and efficient manner.
b) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 7.1 | Establish the objectives and components of the business continuity awareness and training program. |  |  |  |  |  |
| 7.2 | Identify the awareness and training requirements across the functions of the entity. |  |  |  |  |  |
| 7.3 | Prioritize the awareness and training requirements for the entity’s internal personnel. |  |  |  |  |  |
| 7.4 | Develop the methodology for the awareness and training program for the entity. |  |  |  |  |  |
| 7.5 | Identify, develop, or acquire awareness and training tools and resources needed to meet the objectives of the program. |  |  |  |  |  |
| 7.6 | Oversee the delivery of the activities conducted to accomplish the objectives of the awareness and training program. |  |  |  |  |  |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #8a: DRII PROFESSIONAL PRACTICE #8a - BCP EXERCISE

GOALS:
a) Establish an exercise program to maintain a state of readiness.
b) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 8a.1 | Identify appropriate governance. |  |  |  |  |  |
| 8a.2 | Develop an exercise/test program that meets the entity’s business continuity program’s scope and objectives. |  |  |  |  |  |
| 8a.3 | Create realistic scenarios based on the risk assessment as described in Professional Practice Two. |  |  |  |  |  |
| 8a.4 | Determine the exercise/test requirements and draft a detailed plan for the activities. |  |  |  |  |  |
| 8a.5 | Define and document objectives for the exercise/test. |  |  |  |  |  |
| 8a.6 | Define and document the scope of the exercise/test. Ensure clear parameters that differentiate in-scope and out-of-scope activities. |  |  |  |  |  |
| 8a.7 | Define and document both quantitative and qualitative evaluation criteria aligned with the objectives and scope of the exercise/test. |  |  |  |  |  |
| 8a.8 | Conduct the exercise/test as planned. |  |  |  |  |  |
| 8a.9 | Record the exercise/test events. |  |  |  |  |  |
| 8a.10 | Document the exercise/test results. |  |  |  |  |  |
| 8a.11 | Conduct debriefing sessions to review the results of the exercise/test. Identify lessons learned and actions for improvements. |  |  |  |  |  |
| 8a.12 | Document expected versus actual results and unexpected results, creating an action plan for the recommendations that resulted from the exercise/test. |  |  |  |  |  |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #8b: DRII PROFESSIONAL PRACTICE #8b - PLAN MAINTENANCE

GOALS:
a) Establish a maintenance program to maintain a state of readiness.
b) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 8b.1 | Establish the plan maintenance program. |  |  |  |  |  |
| 8b.2 | Monitor the maintenance activities. |  |  |  |  |  |
| 8b.3 | Establish an update process for the plan. |  |  |  |  |  |
| 8b.4 | Report on maintenance activities to the relevant organizational parties. |  |  |  |  |  |
| 8b.5 | Define a change management process for the plan maintenance program. |  |  |  |  |  |
| 8b.6 | Create proper version control. |  |  |  |  |  |
| 8b.7 | Create procedures to facilitate maintenance of the plan. |  |  |  |  |  |
| 8b.8 | Implement change control process. |  |  |  |  |  |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #8c: DRII PROFESSIONAL PRACTICE #8c - ASSESSMENT

GOALS:
a) Establish an assessment program to maintain a state of readiness.
b) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 8c.1 | Identify appropriate governance. |  |  |  |  |  |
| 8c.2 | Establish an audit process for the business continuity program. |  |  |  |  |  |
| 8c.3 | Conduct audit activities and monitor the process. |  |  |  |  |  |
| 8c.4 | Document and communicate the results and recommendations from the exercise/test, and audit process. |  |  |  |  |  |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #9: DRII PROFESSIONAL PRACTICE #9 - CRISIS COMMUNICATIONS

GOALS:
a) Provide a framework for developing a crisis communications plan.
b) Ensure that the crisis communications plan will provide for timely, effective communication with internal and external parties.
c) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 9.1 | Design, develop, and implement a crisis communications plan. |  |  |  |  |  |
| 9.2 | Communicate and train members of the crisis communications team on their roles and responsibilities. |  |  |  |  |  |
| 9.3 | Exercise/test the crisis communications plan. |  |  |  |  |  |
| 9.4 | Update the crisis communication plan. |  |  |  |  |  |


Service Area Name & Description of Service: Primary Contact Details:

Capability Maturity Model (CMM) KEY PROCESS AREA #10: DRII PROFESSIONAL PRACTICE #10 – CO-ORDINATING WITH EXTERNAL AGENCIES

GOALS:
a) Establish policies and procedures to coordinate incident response activities with public entities.
b) Other Corporate goals consistent with needs.

| # | DRI International KEY PROCESS ACTIVITIES | Service Area 1 or Application X or Infrastructure Y | Service Area 2 or Application X or Infrastructure Y | Service Area 3 or Application X or Infrastructure Y | Service Area 4 or Application X or Infrastructure Y | Service Area 5 or Application X or Infrastructure Y |
| --- | --- | --- | --- | --- | --- | --- |
| 10.1 | Identify and establish incident response procedures for the entity in accordance with Professional Practice Five. |  |  |  |  |  |
| 10.2 | Identify applicable emergency preparedness and incident response <and reporting> guidelines and the agencies having jurisdiction over the entity’s facilities and operations. |  |  |  |  |  |
| 10.3 | Develop or update emergency preparedness and incident response procedures to comply with laws, ordinances, regulations, and other mandated directives. |  |  |  |  |  |
| 10.4 | Report information to regulatory agencies as appropriate. |  |  |  |  |  |
| 10.5 | Coordinate incident response procedures with external agencies. |  |  |  |  |  |
| 10.6 | Coordinate, conduct, and participate in training, drills, and exercises with external agencies and first responders to increase awareness and compliance with regulations. |  |  |  |  |  |
| 10.7 | Conduct a debriefing meeting following any training, drills, and exercises. Document actions that must be taken in order to improve incident response capabilities. |  |  |  |  |  |
| 10.8 | Document the exercise results and lessons learned. Provide copies to leadership and other relevant organizational parties. Update the incident response plans using the lessons learned and feedback from exercises/training in accordance with the schedule established in Professional Practice Eight. |  |  |  |  |  |


Capability Maturity Model Report Sample ‘C.1’ – a summary level report by Key Process Area (KPA) and activities within that KPA.

With experience in Capability Maturity Modelling comes complexity and enhanced results. Add/delete/modify content to meet your needs. Ask Service Owners OR YOUR TECH TEAM to complete this report for the Professional Practice(s) of your choosing.

Some clients like to see the ‘words’ denoting CMM level; others like to see results represented by stoplight, radar or bubble reporting. Sample content is provided in the first few Key Process Areas – simply delete it once you have decided on the best approach for you.

Capability Maturity Model (CMM) KEY PROCESS AREA (KPA) SUMMARY REPORT (refer to legend for numeric KPA details)

ID# Service Area 1 (or Application X) or (Infrastructure Y)

Key Process Area (KPA) Activities (DRII Professional Practices)

1.1 1.2 1.3 2.1 2.2 2.3 2.4 2.5 3.1 3.2 3.3 3.4 3.5 3.6 4.1 4.2 4.3 4.4 5.1 5.2 5.3 5.4 5.5 Etc.


Assessing BCM Capability Maturity

Presentation, Word and xls files are available at: https://KingsBridgeBCP.biz/AskBetsyBCP

https://www.KingsBridgeBCP.com
