The risk metric asked three questions:

  1. What are our critical services that absolutely cannot go down or be compromised?
  2. To what extent are they backed up using compliant backup platforms?
  3. Is a restoration test periodically performed on said backups to prove their capability?

When I took on the task there was very little clarity on these questions and a lot of unknowns:

  • We did not know to what extent these critical services were backed up, what platforms/tools they were using or what vendors were supporting the recovery capabilities.
  • We had no visibility over any restoration testing that was done.

Over two years I:

  • helped improve the design and features of a web portal built for capturing data related to backup and restore attestation.
  • managed a bi-annual data gathering exercise that required all service owners to report backup and restoration information about their services on the web portal. This involved a lot of stakeholder management.
  • developed extensive management reporting and dashboards to track compliance of this key risk metric and provided monthly updates to technology council and quarterly updates to the board.
  • coordinated the development of two new web portals for capturing this critical data, including features such as CMDB integration and document attachment/file storage. One of the portals was built with a team of consultants within the ServiceNow environment’s integrated risk module.
  • took the metric from 25% to 98% compliance.