Resiliency Scoring For Business Continuity Plans


Journal of Business Continuity & Emergency Planning Volume 10 Number 1

Anna Olson* and Jamie Anderson**

Received (in revised form), 8th April, 2016

*Senior Corporate Security Consultant, Target, 33 South Sixth Street, CC-3615, Minneapolis, MN 55402, USA. Tel: 1 612-696-4635; e-mail: anna.olson@target.com

**Lead Corporate Security Consultant, Target, 33 South Sixth Street, CC-3615, Minneapolis, MN 55402, USA. Tel: 1 612-696-6653; e-mail: jamie.anderson@target.com

Anna Olson is a CBCP certified Senior Corporate Security Consultant with the Global Continuity and Resiliency (GCR) team at Target Corporation. She has served as a subject matter expert and provides leadership in developing and exercising plans to mitigate the impact of potential business disruptions at Target. Through her focus on planner engagement, she developed the global GCR training programme, co-led the programme life cycle through Assess, Planning, Exercising and Mature phases, and provided recovery support and continuation efforts during business disruption events. Recently she developed an online community to provide a forum for Target planners to connect, ask questions, share ideas and provide recognition. She is also the co-host of an innovative podcast dubbed Morning Latte which incorporates a talk show format style of training that appeals to partners across the organisation and focuses on planner engagement.

Jamie Anderson is a Certified Business Continuity Professional (CBCP) and a Member of the Business Continuity Institute (MBCI). For the past ten years, she has worked in business continuity and disaster recovery at Target Corporation and is currently a Lead Corporate Security Consultant on the Global Continuity and Resiliency team.
She provides subject matter expertise and consulting for critical business functions and technology platforms across Target and works with teams to mature their recovery posture by identifying and assessing risk, documenting continuity plans and performing exercises. She recently developed and implemented Resiliency Scoring for the company’s Business Continuity Plans in order to aid in assessing plan contents and to provide a roadmap for plan maturity. This is an exciting initiative that is enhancing engagement, visibility and compliance within the Target Continuity Programme.

Abstract

Through this paper readers will learn of a scoring methodology, referred to as resiliency scoring, which enables the evaluation of business continuity plans based upon analysis of their alignment with a predefined set of criteria that can be customised and are adaptable to the needs of any organisation. This patent pending tool has been successful in driving engagement and is a powerful resource to improve reporting capabilities, identify risks and gauge organisational resilience.

The role of business continuity professionals is to aid their organisations in planning and preparedness activities aimed at mitigating the impacts of potential disruptions and ensuring critical business functions can continue in the event of unforeseen circumstances. This may seem like a daunting task for what can typically be a small team of individuals. For this reason, it is important to be able to leverage industry standards, documented best practices and effective tools to streamline and support your continuity programme. The resiliency scoring methodology developed and implemented at Target has proven to be a valuable tool in taking the organisation’s continuity programme to the next level. This paper will detail how the tool was developed and provide guidance on how it can be customised to fit your organisation’s unique needs.

Keywords: resiliency, metrics, risk, business continuity, engagement, maturity, scoring

Journal of Business Continuity & Emergency Planning, Vol. 10, No. 1, pp. 31–43, Henry Stewart Publications, 1749–9216

ABOUT TARGET

Target was formed more than 50 years ago when five brothers from the Dayton family, and owners of the Dayton’s department stores, had an idea to create a better discount retail experience. In 1962, these five brothers turned their idea into a reality by opening the first Target store in Roseville, Minnesota to establish discount retailing as it is known today.

Target has come a long way since 1962; today the company employs team members in over 20 countries, which includes sourcing offices around the world and headquarters offices in Minneapolis, Minnesota and Bangalore, India. The Target team is comprised of approximately 350,000 team members, who are responsible for operating more than 1,800 stores, serving over 180 million guests and running nearly 40 distribution centres. From its department store roots to its growing online presence, Target maintains a passion for innovation and creating great shopping experiences for its guests.
Target is currently the second largest general merchandise retailer in America, with Target.com consistently being ranked as one of the most visited retail websites. Like all organisations, Target is susceptible to the risk of business and technology disruptions. The focus of the continuity programme at Target is to partner with teams across the organisation to ensure that actionable plans are in place to enable the company to continue to meet the needs of its guests when faced with a disruption event.

For its size, Target has a relatively small business continuity team. In order to maximise resources, an all-hazards approach to business continuity planning is utilised, with a focus on impact (e.g. team member shortage, facility outage, application outage and vendor outage). This approach helps to ensure that, regardless of the cause of the disruption, an appropriate response is in place to enable the continuation of critical functionality. A business impact analysis is leveraged to identify essential teams and those teams are then required to document business continuity plans for their critical processes. An owner and a backup planner are assigned to each plan and participate in an annual life cycle process that is designed to help them document their plan contents, validate the viability of their plans through exercises and then mature their plans based on gaps that have been identified. It is important to note that the individuals identified as planners are not business continuity professionals; rather, they are subject matter experts in their areas of business and the business continuity planning activities that they undertake go above and beyond their regular job duties.

DISRUPTION EXAMPLES

Target has had a continuity programme in place for over 25 years. During that time, the company has experienced considerable growth and has seen its share of successes as well as challenges. Included in those challenges have been some unforeseen business interruptions. The purpose of the continuity programme is to respond to these disruptions when they occur and ensure the continued health and survival of the organisation by mitigating their impact. Below are some examples of continuity incidents that have occurred in recent years.

A few years ago, Target faced the potential of a major facility outage at its downtown Minneapolis headquarters buildings when a water main break flooded the nearby streets with 14 million gallons of water. The incident rendered the nearby buildings unusable by impacting the availability of water and the use of plumbing. The event had the potential to displace 15,000 Target team members. Thankfully the situation was addressed quickly by the city and the buildings were only forced to close a few hours early on the day of the break. The business continuity team was engaged throughout the course of the incident and quickly communicated with planners. Team members were encouraged to take their laptops home with them that night as a precautionary measure in the event that the buildings would need to remain closed. Although this ultimately ended up being a small event, it helped to highlight the potential implications a large-scale facility outage could have on the company.

Later that same year, Target did experience the displacement of 800 of its team members due to a flood at its City Center campus in Minneapolis. The incident, caused by a leaking ice machine, occurred during non-business hours and went unnoticed for a period of time, resulting in severe damage to several floors within the building. The flooding led to the complete loss of workspace for hundreds of team members and many others encountered technology disruptions as well due to damaged equipment.
The business continuity team was activated for a total of 65 days in response to the event until all of the impacted workspaces were restored and normal business operations resumed. This event remains the only official full-scale activation of the business continuity team at Target headquarters.

Recently, yet another water event impacted Target when a pipe burst overnight at its North Metro headquarters facility in Minnesota. The event resulted in damage to the main floor of the building and required reconstruction of several meeting spaces as well as the temporary relocation of a critical team while their office space was restored. Team member impact during this event was minimal due to the quick efforts of the response team and the location of the incident.

These events serve to highlight how susceptible organisations like Target are to business and technology interruptions, while also demonstrating the importance of being able to continue critical business functions during such events. A growing dependence on technology innovations and an increasing global presence further establish the need for a strong continuity programme that is supported by engaged planners and leaders as well as robust continuity plans.

OVERCOMING CHALLENGES

To ensure Target remains resilient, the business continuity team relies heavily on planners embedded across the organisation to develop actionable plans for their areas and on leadership to provide the support necessary to prioritise continuity efforts. In recent years, Target’s continuity programme had made tremendous strides and innovations to better support planners and partners through improved product and service offerings, but the programme still faced challenges and experienced some common industry hurdles.

Engaging planners and leaders was a challenge. Continuity planning often goes above and beyond standard job requirements. Both planners and leaders struggled to prioritise preparing for a potential disruption that might occur in the future over focusing on current work priorities.

In addition, producing meaningful and actionable metrics was difficult. The team relied solely on compliance metrics (e.g. was training completed? had the plan been updated? were exercises performed?). These metrics did not tell an effective story or provide leaders with the data they needed to make informed decisions. Fundamentally, the programme lacked the ability to provide measurable insight into how resilient the organisation would be if faced with a disruption event.

The programme also lacked the means to assess the quality of the business continuity plans that had been documented. Even though the plans might have contained all of the required fields, there often remained great disparity among the actual content of the plans being submitted for review. Some plans contained very basic, rudimentary information while others were much more mature and detailed.

The opportunity the programme faced was being able to improve upon each of the challenges, highlighted above, to enhance business continuity planning as a whole at Target.
It was important to be able to answer the following questions: ‘How can the best information possible be captured within the business continuity plans?’ and ‘How can a meaningful story about that information be shared with the organisation?’

In order to help answer these questions, a scoring methodology was created by the business continuity team to assess the company’s business continuity plans. The methodology included documented guidelines that were designed to be utilised by the planners to provide them with tips on how to develop effective workarounds and complete activities aimed at improving resilience. In order to create the guidelines, the programme leveraged the years of expertise of its members along with existing industry standards and contents from some of the company’s most comprehensive plans. Each section of the plan template was analysed to identify the criteria that the team felt would make that particular section of the plan strong. These guidelines were then documented, ranked in order of increasing resiliency and assigned a value. It was important to organise the information in a way that would make it easily accessible for all of the planners to adopt. It was also critical to develop the scoring in a way that would effectively summarise the wealth of data that was being collected within the plans and translate it back into a powerful message for consumption by the organisation.

RESILIENCY SCORING

The resiliency scoring methodology began with the creation of guidelines for planners and the development of a scoring guide.
The scoring guide outlined the scoring criteria, including details on how plan contents and exercises would be scored, as well as opportunities available to complete additional resiliency score activities to obtain an even higher plan score. The scoring guide was used by the business continuity team in order to review business continuity plans and assess their current resiliency and it was also provided to planners as a roadmap by which to develop and mature their plans’ contents.

Resiliency scoring quickly added value at Target; it enabled the business continuity team to evaluate and score the company’s business continuity plans based upon analysis of their alignment with the predefined standards as well as highlighting areas of opportunity and risk that existed within the plans.

What is a resiliency score?

A resiliency score is an assessment of how resilient a team would be in executing their critical functionality if faced with a disruption event that necessitated the implementation of their business continuity plan. The score is based upon analysis of the documented plan contents and the exercises that have been performed to prove whether or not the plan will yield the desired result when put into effect.

How is the score assessed?

The score is assessed by reviewing the business continuity plan against the predefined set of guidelines outlined in the scoring guide and then assigning an appropriate score based upon its alignment with those standards.

What factors impact the score?

The score can be impacted by several different factors, including:

- Plan completeness and compliance — Have all of the annual requirements been met and were they met on time?
- Recovery procedures — Are they detailed, actionable and easy to follow?
- Risk acceptance — Has risk been accepted within the plan due to there not being a viable workaround available?
- Exercise participation — Has the plan been thoroughly exercised? Have findings from the exercises been documented and remediated within the plan?
  - Notification exercise — Verify accuracy of plan contact data and ability to reach team members in the event of an activation.
  - Tabletop exercise — Verify plan completeness through scenario based discussions.
  - Simulation exercise — Verify plan viability through execution of workarounds.
- Completion of additional resiliency score activities, including:
  - Awareness training — Review of plan contents with team members and leaders to discuss how the plan would be leveraged to respond to a disruption event.
  - Self-led exercises — Performing in-depth exercises that go beyond the scope of the standard exercises facilitated by the business continuity programme. These could include notification, simulation, or tabletop exercises and could be conducted with internal or external partners.
  - Business continuity plan reviews — Meeting with interdependent teams to review their plan contents and ensure that gaps in planning do not exist between teams.

It is important to note that the resiliency scoring guidelines were designed to be stretch assignments for planners, meaning the guidelines are rigorous, detailed, and provide incentive for planners to strive for continual improvement. The continuity team realised that it would not be possible for planners to obtain a high score in every category, especially in the first few years. The goal of scoring is not for planners to get all of the points possible, it is instead intended to help them look for meaningful ways to strengthen their plans’ contents and better prepare them to enact their plans if necessary.

Another important factor to mention is that the score was not designed as a reward system to highlight good plans or penalise mediocre ones. Rather, it was intended to provide a realistic gauge of the current resiliency of a plan, indicating how actionable it would be if enacted in response to a disruption event. It also makes sense that for some aspects of the business there is more inherent risk than there is in other parts of the business. The score captures this fact and demonstrates where increased risk exists. The scores are tracked and reported to planners and leaders, including the Executive Steering Committee. This reporting has improved transparency into the viability of the organisation’s plans.

SCORING METHODOLOGY

On a practical level, resiliency scoring makes it simple for the business continuity team to assess plans, as the scoring criteria are clearly defined and documented and planners are trained on the guidelines that will lead to higher plan resiliency and therefore a higher score. When evaluating a plan, the assessor has a copy of the documented scoring guide at hand to assist in assigning scores. Each section of the plan is assessed individually and then a total score is assigned based on the combined sum of the scores of the individual sections.

To demonstrate how the scoring is put into practice, below are generic example workarounds documented by a planner. The first example workaround has been developed to account for how a critical process would continue if faced with technology disruption involving the loss of a critical application:

‘If the critical application were to become unavailable all reporting results would be entered and tracked in an Excel spreadsheet titled “Business Reporting Results” which is currently stored on a restricted drive and is password protected to ensure the security of the data (see critical drive section of the plan). The primary contact to complete this action would be John Smith and the backup contact would be Jane Doe. In the event that both the primary and backup contacts are unavailable the results can be documented by our vendor interdependency Analytics Enterprises (see vendor interdependency section of the plan for contact information) which maintains PCI compliance standards. When the critical application is restored all data that was captured during the outage will need to be manually entered back into the critical application. This workaround would remain viable for two weeks at which point we would reach a threshold where catchup processing would become too time consuming to complete successfully.’

In order to score this section, the Required Applications section of the scoring guide (shown below, Figure 1) would be referenced by the assessor.

Figure 1 Required Applications section of Resiliency Scoring Guide

The guide outlines the criteria that would merit each level of scoring for the Required Applications section of the plan. According to the resiliency scoring standards, this documented procedure would receive 6 points for having included the following components:

- A documented manual workaround to continue operations without the reliance on other corporate systems.
- Sustainability and return to normal procedures.
- Data security procedures a
