Using ITIL® to Measure Your BCP
1
AgendaITIL v3 OverviewWhy Use ITILITIL Continual Improvement ProcessCritical Success Factors and Key Performance IndicatorsCreating MetricsScoring SystemS l BCP M t iSample BCP MetricsKey ConsiderationsSample ScorecardITIL Resources
2
What is ITIL® v3
The Information Technology Infrastructure The Information Technology Infrastructure Library (ITIL) is a customizable framework of best practices designed to promote quality computing servicesITIL provides a systematic approach to the lifecycle management of IT services, from inception through d i i l t ti ti d ti l design, implementation, operation and continual improvement
3
Why Use ITILProvides a single, definable, repeatable, and scalable d d f k f IT b i h fl documented framework for IT best practices that flows across the IT organizationProvides a framework for IT to support regulatory challengesReduces costsImproves productivitySupports ability of IT to measure and improve internal performance and service provisioningImplements along with other frameworks such as CMMI, PMBOK and COBIT can help an organization achieve ISO 20000 certification
4
Where ITIL Fits In The Big PictureCOBIT (Governance)
CMMI
PMIITIL
ISO Certification (9001: 20000)
CMMI
5
ITIL v3 Core AreasITIL® Five Service Lifecycle Stages:ITIL Five Service Lifecycle Stages:
Service StrategyService Design
The design of appropriate and innovative IT services, including their architectures, processes, policies and documentation, to meet current and future agreed business requirements
Service TransitionService OperationContinual Service Improvement
6
4 of the 5 ITIL Phases & Processes
Service Strategy
Financial Management
Service Design
Service Catalogue Management
(SCM)
Service Level Management
(SLM)
Service Transition
Change Management
Service Operation
Event Management Process
Incident Management Process
Service Portfolio Management (SPM)
Demand Management
Capacity Management
Availability Management
Supplier Management
Information Security Management (ISM)
IT Service Continuity Management (ITSCM)
Knowledge Management
Service Asset and Configuration Management
Request Fulfillment Process
Access Management Process
Problem Management Process
7
Service Lifecycle Stages
8
Continual Improvement Process1. Define what you should you should measure
2. Define what you can measure
3. Gather the data. Who? How? When?7. Implement
corrective action
Identify• Vision• Strategy• Tactical Goals• Operational Goals
4. Process the data frequency.
Format? System?
5. Analyze the data relations?
Trends?
6. Present and use the
information
9
Service MeasurementFour Major Reasons to Monitor and Measure:
validate previous decisions that have been madevalidate previous decisions that have been made
direct activities in order to meet set targets ‐ this is the most important reason for monitoring and measuring
justify that a course of action is required, with factual evidence or proof
intervene at the appropriate point and take corrective intervene at the appropriate point and take corrective action
10
BenefitsBenefits of Metric Driven Continual Improvement Benefits of Metric Driven Continual Improvement Process
Consolidation of processes and toolsRepeatable processes minimize reworkEfficient allocation of people and technology resourcesMitigate risks, penalties and finesValue add to customers, shows company is focused on delivering high quality products and services
11
Continual Process Improvement Metric Types
3 Types of Metrics:Technology metrics: used to measure hardware components and applications for metrics such as performance, availabilityProcess metrics: captured in the form of Critical Success Factors (CSFs), Key Performance Indicators (KPIs) and activity metrics.Service metrics: the results of the end‐to‐end service. Component/technology metrics are used to compute the service metrics
12
Creating MetricsMetrics Should be Created Using Smart Objectives
Specific – Objectives should specify what they want to p j p y yachieve.Measurable – You should be able to measure whether you are meeting the objectives or not.Achievable ‐ Are the objectives you set achievable and attainable?Realistic Can you realistically achieve the objectives with Realistic – Can you realistically achieve the objectives with the resources you have?Time – When do you want to achieve the set objectives?
13
Metric ComponentsTwo Key Components for Establishing Metrics:
Critical Success Factor (CSF)Critical Success Factor (CSF)Critical Success Factors are elements that are vital for the overall service to be successful. Critical success factors should map to overall department or organization objectives
Key Performance Indicator(KPI)Key Performance Indicators are measures that quantify b d bl h fobjectives and enable the measurement of strategic
performance.All KPI’s must be specific about what needs to be done and when (due date) the action needs to be completed
14
Disaster Recovery CSF/KPI ExamplesObjective: Establish DR Program to Recover Mission Critical Applications Within 48 Hours of Disasterpp
CSF = Conduct annual disaster recovery drillKPI = Schedule drill to take place by July every year(or within a year of last drill)
CSF = Update DR planKPI = Plan reviewed/updated quarterly (use exact dates)p q y
CSF = Test all mission critical applicationsKPI = Test a minimum of 5 critical applications at each DR drill
15
Weighing Critical Success FactorsNot all CSFs are created equalSome CSFs are more critical to the success of recovery Some CSFs are more critical to the success of recovery efforts. Can use weight scale to prioritize Weight Examples:
6 = Critical to success of EP (timely recovery would not be successful without it)3 = Required for timely recovery (could recover with out but risk is increased)but risk is increased)1 = Needed to support recovery but only minimal impact on recovery efforts
Weighing CSFs is not part of the ITIL process
16
Scoring System
Scoring of KPIsScoring of KPIsNot in place or not implemented = 0
Completed but past the KPI deadline, not accurate or incomplete = 1
In place or completed on time = 3
17
Calculating the Final Rating
To get the final rating for each CSF and the associated To get the final rating for each CSF and the associated KPI, you simply multiply the weight of the CSF by the score of the KPI
Weight X Score = Rating
18
BCP Processes to Measure (samples)Contingency Planning: Establish CSFs and KPIs to measure the ff ti d t it f ti l i ff teffectiveness and maturity of contingency planning effortsDisaster Recovery Readiness: Establish CSFs and KPIs to measure ongoing maturity and readiness for a disaster that requires relocation to alternate facility Business Continuity Establish CSFs and KPIs to measure readiness to recover people and business functions in the event of a disasterOverall BCP Program Management: Establish CSFs and KPIs to measure the processes and organization structure needed to support measure the processes and organization structure needed to support the BCP program, determine mission critical systems processes set RTOs, RPOs and SLAs IT Security Incident Readiness: Establish CSFs and KPIs to measure readiness to respond to information security incidents
19
Contingency Planning Metrics(Events that do Not Require Relocation)Critical Success Factors/Key Performance IndicatorsCSF: Conduct contingency planning simulated exercise (Weight 6)
KPI = Use at least 1 planned outage a year as a simulated recovery exercise?
CSF: Update contingency planning documentation (Weight 3)KPI = Update CP documentation by end of every 1st quarter
CSF: Update dynamic plan information (staff contacts, system lists) (Weight 1)( g )
KPI = Update Dynamic information every other odd monthCSF: Conduct contingency planning tabletop exercise (Weight 1)
KPI = One tabletop by every 4th quarter
20
Disaster Recovery Readiness MetricsCritical Success Factors/Key Performance Indicators Examples
CSF: Conduct alternate site exercise (Weight 6)KPI = Conduct at least one DR exercise annually
CSF: Resolve action items from previous DR exercise (Weight 3)KPI = Resolve all issues within 6 months of DR drill
CSF: Test mission critical applications (Weight 6)KPI = All mission critical applications must be tested with 2 yearspp y
CSF: Test external connectivity related to critical systems (Weight 6)KPI = Include one external connection in DR drill
21
Disaster Recovery Metrics (continued)CSF: Conduct end user testing (Weight 1)
KPI Include at least one user group in drillKPI = Include at least one user group in drill
CSF: Update DR plans (production changes, updates from DR drill) (Weight 3)
KPI = Schedule and Conduct quarterly update of DR plan
CSF: Update Dynamic Plan information (staff contacts, system lists, etc.) (Weight 3)etc.) ( e g t 3)
KPI = Review and update dynamic plan data every other month
CSF: Backup mission critical data (Weight 6)KPI = All critical applications must be backed up at least weekly
22
Disaster Recovery Metrics (Continued)CSF: Ship backups offsite (Weight 6)
ll l l b k d ffKPI = All critical applications backups must reside offsite
CSF: Conduct DR awareness training for all employees (Weight 1)KPI = Conduct annual online training for all employees with 95% participation rate
CSF: All critical applications included in alternate site contract (Weight 3)KPI = All critical apps must have hardware identified and procedures in DR Plan
CSF: Conduct tabletop of Initial response, notification and activation (Weight 3)
KPI = Conduct annual tabletop drill of Phase I (Initial response, notification and activation) by Oct.
23
Business Continuity ReadinessCritical Success Factors/Key Performance Indicators Examples:
CSF: Alternate infrastructure to deliver required services in place (Weight 6)
KPI = Validate serviceability of the infrastructure annually
CSF: Conduct drill at alternate facility (Weight 6)KPI = Conduct an annual drill that includes staff relocating to alternate facility
CSF: Update BCP Plans (Weight 3)KPI = Update BCP plans by September 30th each yearKPI Update BCP plans by September 30th each year
CSF: Review BCP Plans (Weight 3)KPI = Review and update dynamic plan data every other odd month
CSF: Conduct Annual Tabletop of BCP Plan (Weight 3)KPI = Conduct at least 1 annual tabletop of BCP plans by December
24
BCP Program ManagementCritical Success Factors/Key Performance Indicators (Examples)CSF: Executive assigned ownership of EP (Weight = 6)CSF: Executive assigned ownership of EP (Weight = 6)
KPI = POC Assigned and conducting monthly meetings
CSF: Dedicated resource assigned responsibly to implement and manage BCP (Weight 6)
KPI = BCP team lead assigned, organizing and facilitating monthly meetings
CSF: BIA conducted to determine RPO, RTO, critical systems and applications (Weight 3)(Weight 3)
KPI = Conduct full BIA annually by September
CSF: SLAs established for disaster recovery (Weight 3) KPI = SLAs established/reviewed annually for all critical applications by September
25
BCP Program Management (Continued)CSF: EP budget in place (Weight 6)
KPI = EP Budget created and approved by October KPI = EP Budget created and approved by October for next fiscal year
CSF: EP policy statement created and issued to all staff (Weight 1)
KPI = Policy statement created and distributed to all employees by January of every year
CSF: Customer satisfaction questionnaire (Weight 1)KPI = Customer satisfaction questionnaire completed by LOB leaders by September (annually)
26
Security Incident ResponseCritical Success Factors/Key Performance Indicators (Examples)CSF: Conduct annual Security Incident Response tabletop (Weight 6)
KPI = Complete tabletop by December of each year
CSF: Update Security Incident Response Plan (Weight 3)KPI = Update Security plan annually by February
CSF: Review Security Incident plan for accuracy (Weight 1)KPI = Update dynamic information every other odd month p y y(contact names, system configurations)
CSF: Conduct Security incident awareness training (Weight 1)KPI = Conduct security awareness training once annually by February
27
Sample Business Continuity Scorecard Business Continuity Readiness
Critical Success Factors/Key Perrformance Indicators Weight Score RatingCritical Success Factors/Key Perrformance Indicators Weight Score RatingCSF: Alternate infrastructure to deliver required services in place 6.00 CSF Weight Scale:KPI = Validate serviceability of the infrastructure annually 0 0
CSF: Conduct drill at alternate facility 6.00 6 = Critical to success of EP (recovery would not be successful without it)
KPI = Conduct an annual drill that includes staff relocating to alternate facility 0 0CSF: Update BCP Plans 3.00 3 = Required for timely recovery (could recover with out but risk is increased without it)
KPI = Update BCP plans by September 30th each year 0 0CSF: Review BCP Plans 3.00 1 = Needed to support recovery and mature the recovery program
KPI = Review and update dynamic plan data every other month 0 0CSF: Conduct Annual Tabletop of BCP Plan 3.00
KPI = Conduct at least 1 annual tabletop of BCP plans by December 0 0CSF: Conduct BCP awareness training for all employees 1.00
KPI = Distribute awareness training material or conduct classes annually with 95% staff participation 0 0p p
CSF: Requirements for alternate work site identified 6.00 Score:KPI: Review Requirements with Business leaders annually 0 0
CSF: Alternate work location for staff n place 6.00 0 = Not in place or not implemented
KPI: Is there an alternate service location for employees 0 01 = Completed but past the KPI deadline or not accurate
3 = In place or completed on time
Functionality Totals 0Perfect Score = 102Danger Zone = less than 94
28
Sample Program Management ScorecardOverall Program Management
Critical Success Factors/key Performance Indicators Weight Score RatingCSF: POC assigned ownership of EP (POC Assigned?) 6.00KPI = POC Assigned and conducting monthy meetings 3 18 CSF Weight Scale:g g y g gCSF: Dedicated resource assigned responsibly to implement and manage EP 6.00 6 = Critical to success of EP (recovery would not be successful without it)KPI = Team lead assigned, organizing and facilitating monthly meetings 3 18 3 = Required for timely recovery (could recover with out but risk is increased without it)CSF: BIA conducted to determine RPO, RTO, critical systems, applications and dependencies 3.00 1 = Needed to support recovery and mature the recovery programKPI = Conduct Full BIA bi-annually September 0 0CSF: SLAs established for disaster recovery 3.00KPI = SLAs established and reviewed annually for all critical applications by September 1 3CSF: Conduct tabletop of Initial response, notification and activation 3.00KPI = Conduct annual tabletop drill of Phase I (Initial response, notification and activation by Oct. 3 9CSF: EP budget in place 6.00KPI = EP Budget created and approved by October for next fiscal year 3 18CSF: EP policy statement created and issued to all staff 1.00KPI = Policy statement created and distributed to all employees by January of every year 0 0 Score:y yCSF: Customer satisfaction questionnaire 1.00 0 = Not in place or not implemented KPI = Customer satisfaction questionnaire completed by LOB leaders by September (annually) 0 0 1 = Completed but past the KPI deadline or not accurateCSF: Relationship with Corporate COOP plan 3.00KPI = Participate in annual Corporate COOP tabletop exercise 3 9 3 = In place or completed on timeCSF: Document relationship with Application Teams 3.00KPI = Conduct review/Update of Application recovery procedures 1 3CSF: Ensure DR capability meets line of Business recovery requirements 3.00KPI = meet with LOB owners on a quarterly basis 0 0CSF: Ensure business processes are mapped to critical systems 1.00KPI = create and update process maps of critical business processes with system flows 0 0
Feasibility Totals 78
Perfect Score = 117Danger Zone = Less than 99
29
Key ConsiderationsWork with key stakeholders to agree on CSFs and KPIsM k CSF d KPI bj i d l Make sure CSFs and KPIs are objective and clear cut Set up formal and regular meetings with key stakeholders to review resultsPresent results in format that stakeholders are used toDo not make “Conduct Successful Disaster Recovery Drill” a Critical Success factor Measurements should directly support organizational goalsFor disaster recovery, measurements should be focused on results of processes, not on individual performance
30
Sample Dash Board MetricsOverall Program
0 15 30 45 60 75 90
Overall Program Management
Danger level below 72
Disaster Recovery Readiness
0 12 42 72 102 132 162Danger level below 120
31
Tracking ProgressBusiness Continuity Maturity
(Danger Zone Below 60)
40
50
60
70
80
90
KPI Score
0
10
20
30
2007 2008 2009 2010 2011
32
ITIL® Educational ResourcesLinks to ITIL® and Service Continuity Informationy
An Introductory Overview of ITILhttp://www.best‐management‐practice.com/gempdf/itSMF_An_Introductory_Overview_of_ITIL_V3.pdf
Official ITIL® Website (Certification Information)http://www.itil‐officialsite.com/home/home.asp
ISO/IEC 20000 Certificationhttp://www.isoiec20000certification.com/index.asp
Book: Metrics for IT Service Management ‐ by Peter Brooks (about $48.00 on Amazon.com)Book: Implementing Metrics for IT Service Management (ITSM Library Introduction Guide) – by David Smith (about $161.00 on Amazon.com)
33
Final Thought“Measurement is not the goal. The goal is Measurement is not the goal. The goal is improvement, through measurement, analysis, and feedback.” ‐Michael Daskalantonakis, Motorola
34
Questions
35