Using ITIL® to Measure Your BCP

1

AgendaITIL v3 OverviewWhy Use ITILITIL Continual Improvement ProcessCritical Success Factors and Key Performance IndicatorsCreating MetricsScoring SystemS l  BCP M t iSample BCP MetricsKey ConsiderationsSample ScorecardITIL Resources

2

What is ITIL® v3

The Information Technology Infrastructure The Information Technology Infrastructure Library (ITIL) is a customizable framework of best practices designed to promote quality computing servicesITIL provides a systematic approach to the lifecycle management of IT services, from inception through d i  i l t ti   ti   d  ti l design, implementation, operation and continual improvement

3

Why Use ITILProvides a single, definable, repeatable, and scalable d d f k f  IT b   i   h  fl  documented framework for IT best practices that flows across the IT organizationProvides a framework for IT to support regulatory challengesReduces costsImproves productivitySupports ability of IT to measure and improve internal performance and service provisioningImplements along with other frameworks such as CMMI, PMBOK and COBIT can help an organization achieve ISO 20000 certification

4

Where ITIL Fits In The Big PictureCOBIT (Governance)

CMMI

PMIITIL

ISO Certification (9001: 20000)

CMMI

5

ITIL v3 Core AreasITIL® Five Service Lifecycle Stages:ITIL  Five Service Lifecycle Stages:

Service StrategyService Design

The design of appropriate and innovative IT services, including their architectures, processes, policies and documentation, to meet current and future agreed business requirements

Service TransitionService OperationContinual Service Improvement

6

4 of the 5 ITIL Phases & Processes

Service Strategy

Financial Management

Service Design

Service Catalogue Management 

(SCM)

Service Level Management 

(SLM)

Service Transition

Change Management

Service Operation

Event Management Process

Incident Management Process

Service Portfolio Management (SPM)

Demand Management

Capacity Management

Availability Management

Supplier Management

Information Security Management (ISM)

IT Service Continuity Management (ITSCM)

Knowledge Management

Service Asset and Configuration Management

Request Fulfillment Process

Access Management Process

Problem Management Process

7

Service Lifecycle Stages

8

Continual Improvement Process1. Define what you should you should measure

2. Define what you can measure

3. Gather the data. Who? How? When?7. Implement 

corrective action

Identify• Vision• Strategy• Tactical Goals• Operational Goals

4. Process the data frequency. 

Format? System?

5. Analyze the data relations? 

Trends? 

6. Present and use the 

information

9

Service MeasurementFour Major Reasons to Monitor and Measure: 

validate previous decisions that have been madevalidate previous decisions that have been made

direct activities in order to meet set targets ‐ this is the most important reason for monitoring and measuring

justify that a course of action is required, with factual evidence or proof

intervene at the appropriate point and take corrective intervene at the appropriate point and take corrective action

10

BenefitsBenefits of Metric Driven Continual Improvement Benefits of Metric Driven Continual Improvement Process

Consolidation of processes and toolsRepeatable processes  minimize reworkEfficient allocation of people and technology resourcesMitigate risks, penalties and finesValue add to customers, shows company is focused on delivering high quality products and services

11

Continual Process Improvement Metric Types

3 Types of Metrics:Technology metrics: used to measure hardware components and applications for metrics such as performance, availabilityProcess metrics: captured in the form of Critical Success Factors (CSFs), Key Performance Indicators (KPIs) and activity metrics.Service metrics: the results of the end‐to‐end service. Component/technology metrics are used to compute the service metrics

12

Creating MetricsMetrics Should be Created Using Smart Objectives

Specific – Objectives should specify what they want to p j p y yachieve.Measurable – You should be able to measure whether you are meeting the objectives or not.Achievable ‐ Are the objectives you set achievable and attainable?Realistic  Can you realistically achieve the objectives with Realistic – Can you realistically achieve the objectives with the resources you have?Time – When do you want to achieve the set objectives?

13

Metric ComponentsTwo Key Components for Establishing Metrics:

Critical Success Factor (CSF)Critical Success Factor (CSF)Critical Success Factors are elements that are vital for the overall service to be successful. Critical success factors should map to overall department or organization objectives

Key Performance Indicator(KPI)Key Performance Indicators are measures that quantify b d bl h fobjectives and enable the measurement of strategic 

performance.All KPI’s must be specific about what needs to be done and when (due date) the action needs to be completed

14

Disaster Recovery CSF/KPI ExamplesObjective: Establish DR Program to Recover Mission Critical Applications Within 48 Hours of Disasterpp

CSF = Conduct annual disaster recovery drillKPI = Schedule drill to take place by July  every year(or within a year of last drill)

CSF = Update DR planKPI = Plan reviewed/updated quarterly (use exact dates)p q y

CSF = Test all mission critical applicationsKPI = Test a minimum of 5 critical applications at each DR drill

15

Weighing Critical Success FactorsNot all CSFs are created equalSome CSFs are more critical to the success of recovery Some CSFs are more critical to the success of recovery efforts.  Can use weight scale to prioritize Weight Examples:

6 = Critical to success of EP (timely recovery would not be successful without it)3 = Required for timely recovery (could recover with out but risk is increased)but risk is increased)1 = Needed to support recovery but only minimal impact on recovery efforts

Weighing CSFs is not part of the ITIL process

16

Scoring System

Scoring of KPIsScoring of KPIsNot in place or not implemented = 0

Completed but past the KPI deadline, not accurate or incomplete = 1

In place or completed on time = 3

17

Calculating the Final Rating

To get the final rating for each CSF and the associated To get the final rating for each CSF and the associated KPI, you simply multiply the weight of the CSF by the score of the KPI

Weight  X  Score = Rating

18

BCP Processes to Measure (samples)Contingency Planning: Establish CSFs and KPIs to measure the ff ti   d  t it   f  ti   l i   ff teffectiveness and maturity of contingency planning effortsDisaster Recovery Readiness: Establish CSFs and KPIs to measure ongoing maturity and readiness for a disaster that requires relocation to alternate facility Business Continuity  Establish CSFs and KPIs to measure readiness to recover people and business functions in the event of a disasterOverall BCP Program Management: Establish CSFs and KPIs to measure the processes and organization structure needed to support measure the processes and organization structure needed to support the BCP program, determine mission critical systems processes set RTOs, RPOs and SLAs IT Security Incident Readiness: Establish CSFs and KPIs to measure readiness to respond to information security incidents 

19

Contingency Planning Metrics(Events that do Not Require Relocation)Critical Success Factors/Key Performance IndicatorsCSF: Conduct contingency planning simulated exercise (Weight 6)

KPI = Use at least 1 planned outage a year as a simulated recovery exercise?

CSF: Update contingency planning documentation (Weight 3)KPI = Update CP documentation by end of every 1st quarter

CSF: Update dynamic plan information (staff contacts, system lists) (Weight 1)( g )

KPI = Update Dynamic information every other odd monthCSF: Conduct contingency planning tabletop exercise (Weight 1)

KPI = One tabletop by every 4th quarter

20

Disaster Recovery Readiness MetricsCritical Success Factors/Key Performance Indicators Examples

CSF: Conduct alternate site exercise (Weight 6)KPI = Conduct at least one DR exercise annually

CSF: Resolve action items from previous DR exercise (Weight 3)KPI = Resolve all issues within 6 months of DR drill

CSF: Test mission critical applications (Weight 6)KPI = All mission critical applications must be tested with 2 yearspp y

CSF: Test external connectivity related to critical systems (Weight 6)KPI = Include one external connection in DR drill

21

Disaster Recovery Metrics (continued)CSF: Conduct end user testing (Weight 1)

KPI  Include at least one user group in drillKPI = Include at least one user group in drill

CSF: Update DR plans (production changes, updates from DR drill) (Weight 3)

KPI = Schedule and Conduct quarterly update of DR plan

CSF: Update Dynamic Plan information (staff contacts, system lists, etc.) (Weight 3)etc.) ( e g t 3)

KPI = Review and update dynamic plan data every other month 

CSF: Backup mission critical data (Weight 6)KPI = All critical applications must be backed up at least weekly

22

Disaster Recovery Metrics (Continued)CSF: Ship backups offsite (Weight 6)

ll l l b k d ffKPI = All critical applications backups must reside offsite

CSF: Conduct DR awareness training for all employees (Weight 1)KPI = Conduct annual online training for all employees with 95% participation rate

CSF: All critical applications included in alternate site contract (Weight 3)KPI = All critical apps must have hardware identified and procedures in DR Plan

CSF: Conduct tabletop of Initial response, notification and activation (Weight 3)

KPI = Conduct annual tabletop drill of Phase I (Initial response, notification and activation) by Oct.

23

Business Continuity ReadinessCritical Success Factors/Key Performance Indicators Examples:

CSF: Alternate infrastructure to deliver required services in place (Weight 6)

KPI = Validate serviceability of the infrastructure annually

CSF: Conduct drill at alternate facility (Weight 6)KPI = Conduct an annual drill that includes staff relocating to alternate facility

CSF: Update BCP Plans (Weight 3)KPI = Update BCP plans by September 30th each yearKPI   Update BCP plans by September 30th each year

CSF: Review BCP Plans (Weight 3)KPI = Review and update dynamic plan data every other odd month

CSF: Conduct Annual Tabletop of BCP Plan (Weight 3)KPI = Conduct at least 1 annual tabletop of BCP plans by December

24

BCP Program ManagementCritical Success Factors/Key Performance Indicators (Examples)CSF: Executive assigned ownership of EP (Weight = 6)CSF: Executive assigned ownership of EP (Weight = 6)

KPI = POC Assigned and conducting monthly meetings

CSF: Dedicated resource assigned responsibly to implement and manage BCP (Weight 6)

KPI =  BCP team lead assigned, organizing and facilitating monthly meetings

CSF: BIA conducted to determine RPO, RTO, critical systems and applications (Weight 3)(Weight 3)

KPI =  Conduct full BIA annually by September

CSF: SLAs established for disaster recovery (Weight 3) KPI =  SLAs established/reviewed annually for all critical applications by September

25

BCP Program Management (Continued)CSF: EP budget in place (Weight 6)

KPI =  EP Budget created and approved by October KPI =  EP Budget created and approved by October for next fiscal year

CSF: EP policy statement created and issued to all staff (Weight 1)

KPI =  Policy statement created and distributed to all employees by January of every year 

CSF: Customer satisfaction questionnaire (Weight 1)KPI =  Customer satisfaction questionnaire completed by LOB leaders by September (annually)

26

Security Incident ResponseCritical Success Factors/Key Performance Indicators (Examples)CSF: Conduct annual Security Incident Response tabletop (Weight 6)

KPI = Complete tabletop by December of each year

CSF: Update Security Incident Response Plan (Weight 3)KPI = Update Security plan annually by February

CSF: Review Security Incident plan for accuracy (Weight 1)KPI = Update dynamic information every other odd month p y y(contact names, system configurations)

CSF: Conduct Security incident awareness training (Weight 1)KPI = Conduct security awareness training once annually by February

27

Sample Business Continuity Scorecard Business Continuity Readiness

Critical Success Factors/Key Perrformance Indicators Weight Score RatingCritical Success Factors/Key Perrformance Indicators Weight Score RatingCSF: Alternate infrastructure to deliver required services in place 6.00 CSF Weight Scale:KPI = Validate serviceability of the infrastructure annually 0 0

CSF: Conduct drill at alternate facility 6.00 6 = Critical to success of EP (recovery would not be successful without it)

KPI = Conduct an annual drill that includes staff relocating to alternate facility 0 0CSF: Update BCP Plans 3.00 3 = Required for timely recovery (could recover with out but risk is increased without it)

KPI = Update BCP plans by September 30th each year 0 0CSF: Review BCP Plans 3.00 1 = Needed to support recovery and mature the recovery program

KPI = Review and update dynamic plan data every other month 0 0CSF: Conduct Annual Tabletop of BCP Plan 3.00

KPI = Conduct at least 1 annual tabletop of BCP plans by December 0 0CSF: Conduct BCP awareness training for all employees 1.00

KPI = Distribute awareness training material or conduct classes annually with 95% staff participation 0 0p p

CSF: Requirements for alternate work site identified 6.00 Score:KPI: Review Requirements with Business leaders annually 0 0

CSF: Alternate work location for staff n place 6.00 0 = Not in place or not implemented

KPI: Is there an alternate service location for employees 0 01 = Completed but past the KPI deadline or not accurate

3 = In place or completed on time

Functionality Totals 0Perfect Score = 102Danger Zone = less than 94

28

Sample Program Management ScorecardOverall Program Management

Critical Success Factors/key Performance Indicators Weight Score RatingCSF: POC assigned ownership of EP (POC Assigned?) 6.00KPI = POC Assigned and conducting monthy meetings 3 18 CSF Weight Scale:g g y g gCSF: Dedicated resource assigned responsibly to implement and manage EP 6.00 6 = Critical to success of EP (recovery would not be successful without it)KPI = Team lead assigned, organizing and facilitating monthly meetings 3 18 3 = Required for timely recovery (could recover with out but risk is increased without it)CSF: BIA conducted to determine RPO, RTO, critical systems, applications and dependencies 3.00 1 = Needed to support recovery and mature the recovery programKPI = Conduct Full BIA bi-annually September 0 0CSF: SLAs established for disaster recovery 3.00KPI = SLAs established and reviewed annually for all critical applications by September 1 3CSF: Conduct tabletop of Initial response, notification and activation 3.00KPI = Conduct annual tabletop drill of Phase I (Initial response, notification and activation by Oct. 3 9CSF: EP budget in place 6.00KPI = EP Budget created and approved by October for next fiscal year 3 18CSF: EP policy statement created and issued to all staff 1.00KPI = Policy statement created and distributed to all employees by January of every year 0 0 Score:y yCSF: Customer satisfaction questionnaire 1.00 0 = Not in place or not implemented KPI = Customer satisfaction questionnaire completed by LOB leaders by September (annually) 0 0 1 = Completed but past the KPI deadline or not accurateCSF: Relationship with Corporate COOP plan 3.00KPI = Participate in annual Corporate COOP tabletop exercise 3 9 3 = In place or completed on timeCSF: Document relationship with Application Teams 3.00KPI = Conduct review/Update of Application recovery procedures 1 3CSF: Ensure DR capability meets line of Business recovery requirements 3.00KPI = meet with LOB owners on a quarterly basis 0 0CSF: Ensure business processes are mapped to critical systems 1.00KPI = create and update process maps of critical business processes with system flows 0 0

Feasibility Totals 78

Perfect Score = 117Danger Zone = Less than 99

29

Key ConsiderationsWork with key stakeholders to agree on CSFs and KPIsM k    CSF   d KPI     bj i   d  l    Make sure CSFs and KPIs are objective and clear cut Set up formal and regular meetings with key stakeholders to review resultsPresent results in format that stakeholders are used toDo not make “Conduct Successful Disaster Recovery Drill” a Critical Success factor Measurements should directly support organizational goalsFor disaster recovery, measurements should be focused on results of processes, not on individual performance

30

Sample Dash Board MetricsOverall Program

0 15 30 45 60 75 90

Overall Program Management

Danger level below 72

Disaster Recovery Readiness

0 12 42 72 102 132 162Danger level below 120

31

Tracking ProgressBusiness Continuity Maturity

(Danger Zone Below 60)

40

50

60

70

80

90

KPI Score

0

10

20

30

2007 2008 2009 2010 2011

32

ITIL® Educational ResourcesLinks to ITIL® and Service Continuity Informationy

An Introductory Overview of ITILhttp://www.best‐management‐practice.com/gempdf/itSMF_An_Introductory_Overview_of_ITIL_V3.pdf

Official ITIL® Website (Certification Information)http://www.itil‐officialsite.com/home/home.asp

ISO/IEC 20000 Certificationhttp://www.isoiec20000certification.com/index.asp

Book: Metrics for IT Service Management ‐ by Peter Brooks (about $48.00 on Amazon.com)Book: Implementing Metrics for IT Service Management (ITSM Library Introduction Guide) – by David Smith (about $161.00 on Amazon.com)

33

Final Thought“Measurement is not the goal. The goal is Measurement is not the goal. The goal is improvement, through measurement, analysis, and feedback.” ‐Michael Daskalantonakis, Motorola

34

Questions

35