The purpose of Enterprise Focus is to establish sponsorship, strategic planning, and governance over the operational resilience management system.
Managing operational resilience requires a vast array of skills and competencies. These skills and competencies traverse the organization and must converge to achieve and sustain a desired level of operational resilience.
Because resilience is an enterprise concern, the focus and direction for the operational resilience management system must come from the top: leadership to set direction and ethical standards, sponsorship to provide support and resources, and governance to ensure that the process is achieving its goals as expected. In addition, managing operational resilience must be aligned with and supportive of the achievement of the organization’s strategic objectives. Focusing on these objectives provides the rationale for investing in resilience activities—because they enable the organization to achieve its mission.
The Enterprise Focus process area seeks to ensure that the enterprise owns the operational resilience management system and provides the necessary level of leadership and governance over the process. The strategic objectives of the organization are explicitly defined as the alignment factor for resilience plans, programs, and activities. Higher-level managers provide sponsorship to ensure resilience activities are properly and adequately funded and to promote and nurture a resilience-aware culture throughout the organization. Finally, the organization’s governance activities are expanded to focus directly on resilience—program objectives are set, standards for acceptable and ethical behavior are established, and the process is monitored to ensure it is achieving its goals. Higher-level managers also provide input and recommendations when the operational resilience management system is not performing within established standards.
Enterprise Focus establishes the “critical few” for the organization—the high-value services that must be resilient to ensure mission achievement. This sets the focus for all operational risk-based activities in the organization. Through an enterprise focus, the direction and target for operational resilience management are established, operational risk management activities are coordinated, and actions are taken that enable the organization to perform adequately in achieving its targets.
Organizational risk drivers, risk appetite, and risk tolerance are established in the Risk Management process area.
The establishment of plans and programs to ensure service continuity is addressed in the Service Continuity process area.
The relationship between services and assets is addressed in Asset Definition and Management.
The management of compliance activities is addressed in the Compliance process area.
The development and achievement of resilience goals and objectives for staff are addressed in the Human Resource Management process area.
Providing awareness training for staff, both internal and external to the organization, is addressed in the Organizational Training and Awareness process area.
The Monitoring process area outlines processes for identifying, gathering, and communicating relevant data for decision-making processes.
The establishment of resilience funding needs and the allocation of funds are addressed in the Financial Resource Management process area.
The strategic objectives of the organization are established as the foundation for the operational resilience management system.
The strategic objectives of the organization are derived from the organization’s strategic planning process, which typically addresses a future time span of two to five years. The strategic objectives of the organization form the basis for operational resilience targets and activities and must be clearly documented and communicated at the organizational unit and line of business levels.
The organization’s strategic objectives may be expressed in various forms. They may be articulated as organizational goals and objectives that form the basis for the performance of managers and staff. They may also be expressed in terms of critical success factors (CSFs), which complement goals and objectives by detailing the areas in which organizational performance is critical to meeting these goals and objectives.
Strategic objectives are important for the operational resilience management system because they provide a target that must be attained by services. Resilience activities must meet strategic objectives by protecting and sustaining assets and services to the extent necessary to attain these objectives. Failure to keep assets and services resilient may significantly impair the organization’s ability to meet strategic objectives.
As a target for operational resilience management, the organization must clearly articulate its strategic objectives, describe its critical success factors, and identify the services that it performs that are of high value in meeting these objectives and satisfying these factors. Through these activities, the goals for operational resilience management are made clear, tangible, and achievable.
Strategic objectives are identified and established as the basis for resilience activities.
Strategic objectives are the performance targets that the organization sets to accomplish its mission, vision, values, and purpose. They are decomposed into an organizational roadmap for performance so that all staff members are moving in the same direction.
Effective operational resilience ensures that the organization can reach its strategic objectives. The management of operational resilience must be specifically focused on enabling the achievement of strategic objectives and addressing a range of potential disruptions that can interrupt their achievement.
Strategic objectives range from general to specific. General objectives include mission, vision, and values, while specific objectives are goal-oriented and outline the targets the organization is attempting to reach (such as opening 100 stores in China or improving revenue by 14% in the next year). Strategic objectives emanate from the organization’s strategic planning process. (Resilience planning as part of the organization’s overall strategic planning process is addressed in EF:SG2.SP1.)
From a resilience management perspective, the identification, comprehension, and communication of the organization’s strategic objectives provide essential and necessary guidance and direction for the operational resilience management system.
Typical work products
Subpractices
This information should be readily available in company literature such as staff handbooks and annual reports. Because some organizations are very large, this information may exist at each organizational unit or line of business level, rather than at an enterprise level.
These objectives should be readily available in the organization’s strategic plan (which may be composed at an enterprise or organizational unit or line of business level). These objectives are also typically the basis for the performance goals for staff and business partners and may be found as part of performance management activities.
The critical success factors of the organization are identified and established.
Critical success factors are the limited number of areas in which the organization must consistently and effectively perform to succeed in meeting its strategic objectives. Critical success factors reflect management’s implicit focus. They are areas that should receive constant and careful attention from managers. When critical success factors are identified, defined, and communicated, they represent a powerful set of criteria against which an organization can validate or align its activities, including those being performed to manage operational resilience.
Critical success factors have sources and dimensions. Sources represent the places where critical success factors originate. Because organizations are multi-dimensional, critical success factors can originate at every layer of management. In addition, because organizations typically have open borders, critical success factors can also be derived through industry affiliation or operating climate. In general, critical success factors have five sources:
• the industry in which the organization operates (e.g., financial services)
• the competitive environment or peer relationship of the organization (e.g., top 20 banks in the United States)
• the organization’s operating environment (e.g., geographical location, current sociopolitical climate)
• temporal issues (e.g., weather, increase in terrorist activity)
• management’s view of the organization (e.g., current priorities, budget climate)
In addition to sources, critical success factors have dimensions. Critical success factors can be internal or external (representing the extent to which the organization has span of control) or monitoring or adapting (keeping the status quo versus growing and evolving the organization). Dimensions are important because they represent the depth and breadth of critical success factors.
In essence, critical success factors establish a set of performance indicators that the operational resilience management system must contribute to achieving and form an important alignment factor between the policy-making level and the operational level of the organization.
Typical work products
Subpractices
Data may be collected through document review (the organization’s charter, strategic plan and objectives, etc.) and interviews of key organizational managers.
Data can be developed into activity statements and then grouped into summary themes through affinity grouping.
Critical success factors can be developed for many layers of the organization. Typically, the organization has a set of enterprise-level critical success factors that influence organizational unit or line of business critical success factors, which in turn are reflected in manager- and staff-level critical success factors. Depending on the level at which an organization manages operational resilience, critical success factors may have to be developed at one or more of these levels.
The critical success factors should represent a range of sources and dimensions.
Affinity analysis documents the direct relationship between the achievement of a critical success factor and the accomplishment of a strategic objective.
The high-value services that support the accomplishment of strategic objectives are established.
The high-value services of the organization are the focus of the organization’s operational resilience management activities. These services directly support the achievement of strategic objectives and therefore must be protected and sustained to the extent necessary to minimize disruption. Failure to keep these services viable and productive may result in significant inability to meet strategic objectives and, in some cases, the organization’s mission.
In order to appropriately scope the organization’s operational resilience management system and corresponding operational resilience management activities, the high-value services of the organization must be identified, prioritized, and communicated as a common target for success.
High-value services are fueled by organizational assets such as people, information, technology, and facilities. (The link between high-value services and their supporting assets is established in the Asset Definition and Management process area.)
Typical work products
Subpractices
The organization should have at its disposal an inventory of standard services that represents the activities that the organization performs to achieve its mission. The inventory of services should include service profiles that describe the services in sufficient detail to capture the activities, tasks, and expected outcomes of the services and the assets that are of high value to the services. The service profile should also detail the business processes that cumulatively compose the service. A service repository should be created that is accessible by all who need to understand the organization’s standard services.
Service attributes help to describe services using a common language and taxonomy.
Service attributes to consider in developing service profiles include
• inputs to the service
• outputs from the service
• assets associated with or used by the service (This activity is formally performed in ADM:SG2.SP1 in the Asset Definition and Management process area.)
• the owners and stakeholders of the service
• related services and business processes
• expected service levels
• service-focused resilience requirements (This activity is formally performed in RRD:SG2.SP2 in the Resilience Requirements Development process area.)
Affinity analysis compares the organization’s standard services to the objective measures used by the organization to determine and validate the value of the services. Affinity analysis using the organization’s strategic objectives and critical success factors is a means to help the organization prioritize services and to identify high-value services that must be made resilient.
Organizationally high-value services are those that must meet their resilience requirements consistently in order to ensure that the organization can accomplish its strategic objectives and mission. These services are the focus of the resilience activities performed in the organization.
The organization must revise service profiles and the service repository as necessary to ensure that they reflect the most current information about services, particularly high-value services. Otherwise, the organization’s resilience activities may be misdirected.
Planning for the operational resilience management system is performed.
Managing operational resilience enables the achievement of strategic objectives and critical success factors and therefore must be specifically acknowledged and addressed at the highest levels of the organization, particularly in strategic planning performed at the enterprise level. Failing to consider operational resilience as a constraint in the development of the organization’s strategic plan can result in an underappreciation of the activities, tasks, and practices that must be performed to ensure that potential barriers to achieving business objectives are identified and addressed. Proper consideration of operational resilience and its role in supporting strategic objectives (as described in EF:SG1.SP1) is achieved by establishing a plan and a program for the operational resilience management system.
A plan for managing operational resilience is established as the basis for the operational resilience management program.
The organization must develop and implement a plan for managing operational resilience that is based on meeting strategic objectives and critical success factors and that considers the organization’s risk tolerances and appetite. The operational resilience management plan is a part of the organization’s strategic business plan that specifically addresses the actions, activities, and tasks that must be performed to reach resilience goals. The resilience plan becomes the foundation for the performance of the operational resilience management system in the organization.
Strategic business planning typically includes standard elements that describe the intentions of the organization and the means for achieving the intentions. In general, strategic plans include
• a description of the organization’s vision, purpose, and values
• the organization’s mission statement
• an articulation of the organization’s critical success factors (See EF:SG1.SP2.)
• short- and long-term strategic objectives with corresponding actions, activities, and tasks to reach them
• a schedule for achieving the strategic objectives over the period of the plan (typically two to three years)
The strategic business plan sets forth the direction for the organization in the near and long term. The strategic objectives stated in the plan form the basis for the goals and objectives of everyone in the organization—from C-level executives to middle managers to staff. The actions of all staff must be commensurate with the strategic objectives in order for the organization to succeed in reaching business goals.
In much the same way, the organization must plan for success in managing operational resilience. Not only are the goals for operational resilience important, they are also critical for the organization to meet its strategic objectives. Thus, the organization must develop a resilience plan alongside its strategic business plan to detail the actions that must be taken to minimize disruptions that could draw the organization off course in achieving its strategic objectives.
Typical work products
Subpractices
The resilience plan should be developed in conjunction with the development of the organization’s strategic business plan. The elements of the resilience plan should focus on the development of operational resilience objectives that are to be achieved by performing resilience activities throughout the organization and that correspond to the achievement of strategic objectives. The resilience plan should address
• the organization’s philosophy on resilience management
• the structure of the resilience program for managing the resilience plan (Establishing the resilience program is addressed in EF:SG2.SP2.)
• the strategic resilience objectives
• coverage of the essential activities as described in the operational resilience management program
• linkages to the organization’s plan for service continuity (Planning for service continuity is addressed in the Service Continuity process area.)
• roles and responsibilities for carrying out the strategic resilience objectives
• resources that will be required to meet the resilience objectives
• applicable training needs and requirements
• relevant costs or budgets associated with meeting the resilience objectives
A program is established to carry out the activities and practices of the operational resilience management plan.
The organization sets resilience program goals based on the resilience plan objectives and related program activities, tasks, and practices. The resilience program oversees and “owns” the operational resilience management system and the achievement of resilience objectives. This practice includes establishing a formal resilience program, staffing the program, assigning accountability and responsibility, providing oversight, and measuring performance.
Typical work products
Subpractices
The operational resilience management program is typically responsible for ensuring that the strategic resilience objectives as documented in the operational resilience plan are achieved. Program management includes staffing the program, assigning accountability and responsibility to plan activities, tasks, and projects, and measuring performance. The operational resilience management program should draft a charter that describes its functions, scope, and objectives.
Funding the organization’s operational resilience management program and related activities, tasks, and projects is addressed in the Financial Resource Management process area.
Remember that some staff members will have explicit resilience-focused roles and responsibilities, while others will contribute to resilience processes through the execution of their job responsibilities. Typically, the operational resilience management program will be operated by staff whose job responsibilities are resilience-focused. The organization should confirm that staff involved in carrying out the operational resilience management program have the requisite skills and training. (Training for resilience-focused roles is addressed in the Human Resource Management process area.)
The organization must oversee the activities of the operational resilience management program to ensure that strategic resilience objectives are being met consistently. Corrective actions must be identified and implemented when course correction is necessary. (Governance over the operational resilience management program and process is addressed in EF:SG4.)
Visible sponsorship of higher-level managers for the operational resilience management system is established.
Sponsorship by higher-level managers is a key factor in the success of the operational resilience management system. Sponsorship means that higher-level managers take an active interest in the success of the operational resilience management system through actions such as including resilience in strategic planning, adequately funding resilience activities, communicating the importance of resilience, and providing oversight. Sponsorship also means that higher-level managers are willing to invest in resilience activities and be measured on their success.
Visible sponsorship of the operational resilience management program can take many forms, such as
• approval and support for achieving strategic resilience objectives
• commitment to allocate the necessary resources (financial and human) for meeting the objectives
• visible, continued support for the resilience program (through inclusion on meeting agendas and the establishment of a resilience committee on the organization’s board or leadership council)
• active encouragement of staff participation through support of goal setting and performance management for resilience
• establishing guiding principles, direction, and expectations for the organization through supporting resilience policies, guidelines, and standards
• delegation of responsibility and authority for accomplishing program objectives
• agreement to provide oversight and decisions on corrective activity
Through sponsorship, higher-level managers set the tone for the organization—in essence, they represent to the organization that resilience is important and is everyone’s job rather than an exercise driven by external compliance or industry and regulatory obligations.
A commitment by higher-level managers to fund resilience activities is established.
Budgeting is a process of allocating funds to organizational activities that support and promote strategic objectives. When resilience is considered a strategic competency, funding for resilience activities must be included as part of the organization’s capital and expense funding needs rather than as an afterthought that is indirectly funded through IT activities or as needed when disruptive events occur.
Sponsorship of the operational resilience management system is made actionable by higher-level managers’ commitments to funding the resilience program and the accompanying activities and tasks. This requires that they commit to
• supporting the business case for operational resilience management
• including resilience needs in the funding of strategic objectives
• ensuring that resilience needs are adequately funded
• releasing funds as necessary to support the attainment of strategic resilience objectives
Sponsoring a financial commitment to resilience is different from allocating and budgeting the funds for resilience activities. (The establishment of resilience funding needs and the allocation of funds are addressed in the Financial Resource Management process area.)
Typical work products
Subpractices
Sponsorship of the investment in the operational resilience management system must be based on a sound business case. The investment in resilience must bring about tangible, measurable, and demonstrable value to the organization. The business case for resilience should
• justify the investment through itemization of tangible benefits and results
• articulate the strategic outcomes that would result from investments in resilience activities
• articulate the potential risks and costs associated with not investing in resilience activities
• establish that the funding necessary for resilience is appropriate and adequate
• provide sufficient information to allow comparative evaluations of alternative actions
• establish the accountability and commitments for the achievement of the benefits and strategic outcomes
A resilience-aware culture is promoted through goal setting and achievement.
The success of enterprise-wide programs or initiatives often depends on the organization’s ability to get all stakeholders (internal and external) moving in the same direction toward a common goal and for the common good. Evolving from a narrow security- or business-continuity-focused view to an operational resilience view requires significant changes in organizational structure, approach, and activities. Visible sponsorship by higher-level managers is a key factor in catalyzing this type of organizational change.
Higher-level managers promote a resilience-aware culture by their actions. These actions can be very broad but are typically focused on giving staff members a reason to “invest” their time and part of their job responsibilities in operational resilience management. These are some of the activities that higher-level managers can perform to promote a resilience-aware culture:
• Communicate and promote the importance of resilience at all opportunities.
• Communicate the need for change based on the impact on achieving strategic objectives, and quell resistance efforts.
• Build a sponsorship alliance of higher-level and middle managers to promote and sustain the message.
• Sponsor the development, implementation, and enforcement of resilience policies, standards, and guidelines. (See EF:SG3.SP3.)
• Sponsor the organizational training and awareness program. (This is addressed in the Organizational Training and Awareness process area.)
• Sponsor resilience awards and recognition programs for staff who make significant contributions to sustaining the organization’s operational resilience.
• Set performance goals and objectives that focus on resilience and be willing to be measured on them.
• Keep resilience on the organizational performance scorecard of all staff.
• Provide opportunities for staff members to speak freely about resilience issues, concerns, and impediments.
• Sponsor inclusion of resilience concepts in job descriptions and in the hiring of new staff or the promotion of existing staff.
• Sponsor inclusion of resilience concepts in contracts with suppliers and business partners.
The development and achievement of resilience goals and objectives for staff are addressed in the Human Resource Management process area.
Providing awareness training for staff, both internal and external to the organization, is addressed in the Organizational Training and Awareness process area.
Typical work products
Subpractices
The plan should address the specific activities that higher-level managers perform to support and promote a resilience-aware culture.
Higher-level managers should have explicit resilience goals that are reflected in the goals of middle managers and staff. Performance management activities should measure higher-level managers on their ability to promote and communicate the importance of resilience programs and activities.
The development, implementation, enforcement, and management of resilience standards and policies are sponsored.
Policies establish an acceptable range of behaviors that managers intend to enforce and reinforce as a means to ensure accomplishment of common goals. Policies are unenforceable and lack effectiveness unless higher-level managers sponsor them and express their intention to hold stakeholders to compliance with them.
Policies are an expression of higher-level managers’ level of commitment to the operational resilience management system. Lack of policy sponsorship typically renders policies less effective as an administrative control because stakeholders may assume that the policies are not being enforced or that they are simply meant to be used as a guideline rather than a requirement.
The existence of policies, standards, and guidelines to support the operational resilience management system is considered to be a pervasive indicator of process maturity across all operational resilience management process areas. Policies are an important component of institutionalizing a managed process. (Appropriate goals and practices related to policy development and implementation to support the operational resilience management system are generically described in GG2:GP1.)
Typical work products
Subpractices
Governance over the operational resilience management system is established and performed.
Governance is a process of providing strategic direction for the organization while ensuring that it meets its obligations, appropriately manages risk, and efficiently uses financial and human resources. From a resilience perspective, the concept of governance is extended to provide oversight over the operational resilience management system and to ensure that the process supports and sustains strategic objectives. Governance also typically includes the concepts of sponsorship (setting the managerial tone), compliance (ensuring that the organization is meeting its compliance obligations), and alignment (ensuring that processes such as those for operational resilience management align with strategic objectives).
The activities involved in governance are often confused with management activities. Governance is focused on providing oversight to the operational resilience management system, not performing or managing process tasks to completion. For example, the process of overseeing the identification, definition, and inventorying of high-value assets is a governance task, while performing these tasks is part of operational resilience process management. Effective resilience process governance means that senior leadership (which typically includes boards of directors and higher-level managers) provides sponsorship and oversight to the process and provides direction and guidance on course correction when deemed necessary.
The inclusion of operational resilience as a focus area of the organization’s broader governance activities is necessary to ensure that the operational resilience management system is viable, meets its goals and objectives, aligns with the organization’s strategic objectives, and is performed to comply with all applicable laws and regulations. Failure to provide governance over the operational resilience management system may result in a lack of awareness of operational resilience issues and problems that may result in consequences to the organization.
Effective governance over the operational resilience management system requires the establishment of resilience as a governance focus area, processes for providing oversight and review, and a means for identifying, documenting, communicating, implementing, and monitoring corrective actions.
Governance activities are extended to the operational resilience management system and accomplishment of the process goals.
Governance is a demonstration of the attention and sponsorship of management to the operational resilience management system. Higher-level managers understand their responsibility for governing the operational resilience management system as exhibited by their sponsorship of related processes, procedures, policies, standards, and guidelines.
Most organizations have defined governance processes. Typically, they extend to areas such as strategic planning, financial management, human resources, and audit. Increasingly, governance processes include areas such as business continuity and security—which extend to operational resilience and risk management. Governance also extends to improving and sustaining a resilience-aware culture.
Effective governance is necessary to reinforce desirable behaviors and to catalyze organizational change, particularly when there are significant barriers to organizational effectiveness. Because resilience is generally a new focus area in many organizations, a change in an organization’s existing governance structure may be warranted to ensure adequate coverage of resilience and to encourage significant behavioral changes throughout the organization. In some cases, the resilience needs of the organization will compete with compliance obligations and the accomplishment of strategic objectives. Extending governance to the operational resilience management system provides an opportunity for higher-level managers to resolve this conflict to the overall benefit of the organization.
Typical work products
Subpractices
The governance framework for operational resilience management specifies the structure for extending the governance activity to the operational resilience management system. The framework may address a wide range of resilience topics and needs, such as
• the development of resilience committees
• the specific inclusion of resilience topics on existing governance committees
• the extension of resilience governance activities beyond the board of directors and higher-level managers to organizational unit and line of business managers and other levels of the organizational structure
• the recasting of committee charters to include resilience responsibilities
• the establishment of a structure for monitoring and managing performance, including clear measures for success (This is addressed in EF:SG4.SP2.)
• the identification and inclusion of appropriate stakeholders in the resilience governance process
• the procedures, policies, standards, guidelines, and regulations around which governance for the operational resilience management system will be based
• an operational-resilience–focused code of ethics
Governance must have ownership and accountability to be effective. Typically, an organization will have a board of directors or similar construct that will own the governance process and from which the governance activity will emanate. Board members or their equivalent will have specific roles in committees that extend to resilience. Extending governance to resilience activities may require the organization to extend roles and responsibilities to other higher-level or middle managers deep into the organization.
Oversight is performed over the operational resilience management system for adherence to established procedures, policies, standards, guidelines, and regulations.
The governance function has responsibility to ensure that the organization’s internal control system (whether financial, security, etc.) is implemented and functioning properly. A formal operational resilience management oversight committee or governance function is established with consistent and regular processes and procedures to “govern” the operational resilience management system.
The oversight function validates the operational resilience management system for adherence to established procedures, policies, standards, guidelines, and regulations. Exceptions to these foundational elements are addressed through a standard and consistent process, and corrective action feedback is provided to ensure alignment.
Even without a specific focus on resilience, governance is concerned with the continued effective operation of the organization toward its strategic objectives. To do this, governance requires the establishment of a benchmark from which it can measure performance. This includes the development or expansion of common tools such as an organizational dashboard or scorecard that includes not only typical information such as key metrics (key performance indicators, key risk indicators, and key control indicators), but also resilience-specific information (such as the ability to meet resilience requirements for high-value assets and services) to establish that the organization is on course.
Finally, auditing and monitoring are critical processes that extend to the timely oversight of the operational resilience management system. Auditing and monitoring the operational resilience management system on a regular basis enable the organization to identify and correct processes that are not meeting key metrics.
Governance activities include the responsibility for ensuring proper compliance with relevant resilience regulations and laws. (The processes for compliance with these regulations and laws are addressed in the Compliance process area.)
Governance relies upon timely and accurate data for decision making. (The Monitoring process area outlines processes for identifying, gathering, and communicating relevant data for decision-making processes.)
Typical work products
Subpractices
Key governance stakeholders include those staff, internal and external, who are responsible for providing oversight over the operational resilience management system and developing and implementing corrective actions for poor performance.
A resilience dashboard or scorecard provides general information about the state of resilience in the organization and the effectiveness of the organization’s operational resilience management activities. The dashboard or scorecard is populated from data monitored and collected throughout the organization for governance purposes. Key indicators are established and monitored to determine performance. These key indicators incorporate the organization’s tolerances and thresholds, as well as its standards and policies, which provide a foundation for measurement and for determining process variation that is detrimental to the organization.
Not all decisions will be clear-cut, and there will be conflicting priorities. The governance framework must provide for processes to resolve these conflicts and to result in decisions that are in the best overall interest of the organization. Exceptions to existing procedures, policies, standards, guidelines, and regulations may become an acceptable operating construct.
Corrective actions are identified to address performance issues.
The establishment of key metrics provides the organization with a means to identify performance issues and gaps that can result in an inability to achieve strategic objectives. Governance over the operational resilience management system relies upon the ability to identify these performance gaps in a timely and complete manner so that corrective actions can be taken before the organization’s operational capacity is affected.
The governance function is responsible for interpreting the data collected for measurement of key metrics. Gaps in performance are analyzed and, if necessary, are escalated so that corrective actions can be developed and implemented.
Typical work products
Ensure that persons or groups accountable for implementing and managing corrective actions have the requisite skills and training.
If the corrective actions are not initially successful, additional corrective actions may have to be developed and implemented in order to provide continuing oversight.
Refer to the Generic Goals and Practices document in Appendix A for general guidance that applies to all process areas. This section provides elaborations relative to the application of the Generic Goals and Practices to the Enterprise Focus process area.
The operational resilience management system supports and enables achievement of the specific goals of the Enterprise Focus process area by transforming identifiable input work products to produce identifiable output work products.
Perform the specific practices of the Enterprise Focus process area to develop work products and provide services to achieve the specific goals of the process area.
Elaboration:
Practices EF:SG1.SP1 through EF:SG4.SP3 are performed to achieve the goals of the enterprise focus process.
Enterprise focus is institutionalized as a managed process.
Establish and maintain governance over the planning and performance of the enterprise focus process.
Elaboration:
The Enterprise Focus process area is responsible for governing the operational resilience management system, which includes providing governance over all process area processes and practices described in the CERT Resilience Management Model. (The practices contained in EF:SG4, Provide Resilience Oversight, describe how this is accomplished.)
Process governance described here in EF:GG2.GP1 addresses governance of the enterprise focus process itself, not the governance that the enterprise focus process provides over the rest of the operational resilience management system. This governance of governance can be confusing and appear somewhat recursive on initial reading.
Subpractices
Elaboration:
Establish and maintain the plan for performing the enterprise focus process.
Subpractices
Provide adequate resources for performing the enterprise focus process, developing the work products, and providing the services of the process.
Refer to the Organizational Training and Awareness process area for information about training staff for resilience roles and responsibilities.
Refer to the Human Resource Management process area for information about acquiring staff to fulfill roles and responsibilities.
Refer to the Financial Resource Management process area for information about budgeting for, funding, and accounting for the enterprise focus process.
Elaboration:
Assign responsibility and authority for performing the enterprise focus process, developing the work products, and providing the services of the process.
Elaboration:
The resilience strategic plan described in EF:SG2.SP1 addresses roles and responsibilities for carrying out strategic resilience objectives. EF:SG2.SP2 assigns accountability and responsibility for operational resilience management program activities, tasks, projects, and performance. EF:SG4.SP1 describes the responsibility of higher-level managers for governing the operational resilience management system and the reflection of this in committee charters. EF:SG4.SP2 specifies governance responsibilities for ensuring proper compliance with relevant resilience regulations and laws and the role of key stakeholders in providing oversight.
Refer to the Human Resource Management process area for more information about establishing resilience as a job responsibility, developing resilience performance goals and objectives, and measuring and assessing performance against these goals and objectives.
Subpractices
Elaboration:
Train the people performing or supporting the enterprise focus process as needed.
Refer to the Organizational Training and Awareness process area for more information about training the staff performing or supporting the process.
Refer to the Human Resource Management process area for more information about creating an inventory of skill sets, establishing a skill set baseline, identifying required skill sets, and measuring and addressing skill set deficiencies.
Subpractices
Elaboration:
Place designated work products of the enterprise focus process under appropriate levels of control.
Elaboration:
Identify and involve the relevant stakeholders of the enterprise focus process as planned.
Elaboration:
Several EF-specific practices address the involvement of stakeholders in the enterprise focus process. For example, EF:SG1.SP3 calls for identifying and documenting stakeholders of services in the service profile. EF:SG3.SP2 describes the importance of involving all stakeholders in promoting a resilience-aware culture. EF:SG4.SP1 and EF:SG4.SP2 require that stakeholders be identified and included in the operational resilience governance process. EF:SG4.SP3 requires that key stakeholders receive reports on the success of corrective actions.
Subpractices
Monitor and control the enterprise focus process against the plan for performing the process and take appropriate corrective action.
Refer to the Monitoring process area for more information about the collection, organization, and distribution of data that may be useful for monitoring and controlling processes.
Refer to the Measurement and Analysis process area for more information about establishing process metrics and measurement.
Subpractices
Elaboration:
EF:SG4.SP3 specifically describes practices for developing corrective action plans when performance issues exist with key indicators and metrics (KPIs, KRIs, KCIs). In these cases, root-cause analysis is performed to identify improvements to the enterprise focus process.
Objectively evaluate adherence of the enterprise focus process against its process description, standards, and procedures, and address non-compliance.
Elaboration:
Review the activities, status, and results of the enterprise focus process with higher-level managers and resolve issues.
Elaboration:
Status reporting on the enterprise focus process is likely part of the formal governance structure or may be performed through other organizational reporting requirements (such as through the chief risk officer or the chief resilience officer to an immediate superior). Audits of the process may be escalated to higher-level managers and board members through the organization’s audit committee of the board of directors or similar construct.
Enterprise focus is institutionalized as a defined process.
Establish and maintain the description of a defined enterprise focus process.
Establishing and tailoring process assets, including standard processes, are addressed in the Organizational Process Definition process area.
Establishing process needs and objectives and selecting, improving, and deploying process assets, including standard processes, are addressed in the Organizational Process Focus process area.
Subpractices
Collect enterprise focus work products, measures, measurement results, and improvement information derived from planning and performing the process to support future use and improvement of the organization’s processes and process assets.
Elaboration:
Establishing the measurement repository and process asset library is addressed in the Organizational Process Definition process area. Updating the measurement repository and process asset library as part of process improvement and deployment is addressed in the Organizational Process Focus process area.