Continuity Insights & 2011-2012 - KPMG Institutes · The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk
Post on 21-Aug-2018
Continuity Insights & KPMG LLP Present The
2011-2012 Global Business Continuity Management (BCM) Program Benchmarking Study
Table Of Contents
1 Executive Summary
1.1 Introduction
1.2 Key Findings
1.2.1 Program Integration
1.2.2 Program Development
1.2.3 Program Performance
2 Survey Results
2.1 Potential Operational Risks & Impact Of Adverse Events
2.2 Entity Type, Program Drivers, Governance, Status & Investments
2.3 Program Execution & Performance
2.4 Leveraging Standards To Support The Program
2.5 Integration With Other Disciplines
2.6 Integration With Third Parties
2.7 Use Of Software
2.8 IT Recovery Strategy & Disaster Recovery Capabilities
2.9 Cloud, Social Media & Mobility Applications
3 Future Outlook & Recommendations
4 Conclusion
5 Research Methodology
5.1 Respondent Profiles
5.1.1 Type Of Entity Or Enterprise
5.1.2 Geographical Range Of Operations
5.1.3 Country
5.1.4 Industry
5.1.5 Company Size
5.2 C-Level Executive With Ultimate Reporting Responsibility
5.3 BCM Program Leader
6 Requests for Benchmarking Reports & Key Contacts
7 Acknowledgements
1 Executive Summary
1.1 Introduction
The complex environment in which businesses operate today creates the need for sophisticated business continuity management (BCM) programs that address a wide range of threats, including natural disasters, technology issues and man-made incidents. It is also important that these programs stay in sync with the strategic goals of the organization. The 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study is a comprehensive look at the current state of BCM programs and the drivers for further program development.
Data used in this report is based on anonymous survey responses from 685 executives in public and private companies, government agencies and authorities, educational institutions, and not-for-profit entities. Respondents come from over 40 countries with approximately one-third working for organizations with headquarters outside the United States.
The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk landscape, supply chain interdependencies, the emergence and increased usage of cloud computing, mobile applications, and social media.
Business continuity professionals should use this report to target underdeveloped capabilities within their own BCM programs. In addition to the report, readers can view the full collection of survey responses on the Continuity Insights Web site (www.continuityinsights.com).
1.2 Key Findings
Some BCM programs show signs of strong integration with other business functions, and robust practices for developing and measuring program performance; however, many BCM programs lack in these areas and, in turn, are not currently positioned to achieve a high level of organizational preparedness.
Following is a selection of key findings in the areas of program integration, development and performance. Detailed results follow in the body of the report.
1.2.1 Program Integration
• 34% of respondents feel their BCM programs are well integrated with strategic planning capabilities.
• 32% of respondents indicate their BCM programs are well integrated with strategic sourcing and procurement capabilities.
• 52% of those surveyed feel their BCM programs are well integrated with their organization’s enterprise risk management program.
1.2.2 Program Development
• 84% of respondents ran a business continuity plan exercise within the past year.
• The most widely-used standards are NFPA 1600 (46%), BS25999-1 and BS25999-2 (26% and 27% respectively), and ISO/IEC 27001 (12%).
• 65% of organizations have a full-time BCM coordinator.
• Over 38% do not know the financial impact of a five-day disruption or outage.
• Over 57% do not utilize the cloud in their IT disaster recovery plans; nearly 40% do not know how much of the organization’s application data is currently stored in the cloud.
• Training: Only 18% of organizations significantly increased their spending on BCM/disaster recovery/emergency management plan training in 2011.
• Over 43% of organizations use or plan to use social media as part of their BCM programs.
1.2.3 Program Performance
• Business continuity plan exercises are by far the most widely-used method to measure the performance of BCM programs (85%), followed by audit findings (62%) and BCM program reviews (60%).
• Less than 8% of respondents put their BCM program in the highest-tier category for maturity (Level 6 – Synergistic).
• Less than 31% of respondents felt that their recovery time objective was completely met during the most recent interruption.
2 Survey Results
2.1 Potential Operational Risks & Impact Of Adverse Events
One of the critical success factors for an organization is the ability to identify and successfully mitigate the risks associated with running its operations. These risks, which can be grouped into various categories under the heading “operational risks,” refer to any type of risk that is neither financial nor market related. For example, operational risk might include risks associated with the organization’s human resources, business processes, supply chain interdependencies, facilities, information technology and relationships with public authorities.
The leading causes of operational disruptions – those that cause the activation of business continuity, crisis management and/or disaster recovery plan(s) – among the organizations surveyed are severe weather (50%), power outages (47%), flood (31%) and various IT-related interruptions.
“I find it somewhat curious that the numbers and magnitudes of the disasters that occurred in 2011 did not seem to cause any kind of discernible ‘ripple’ in the responses.” – John Copenhaver, Senior Advisor, BCI
“The reasons for interruptions fit well with similar BCI surveys; severe weather, floods, power outages and IT-related issues always score highly and of course earthquakes have become a key issue of late with both Japan and Christchurch, NZ happening in 2010. We have also found increasing concern about cyber attacks (particularly in government and financial services).” – Lyndon Bird, Technical Development Director and Board Member, BCI
Figure 1. Incident or interruption in the past 12 months that caused the activation of BCM plan(s).
The cost of interruptions over the past twelve months is estimated to be over $50,000 for over a quarter (26%) of organizations, with nearly 5% estimating losses at over $1 million. Over 47% of respondents indicated they “do not know” the total cost of interruptions over the past twelve months.
Figure 2. Estimated cost of business disruptions over the past 12 months.
47.1% Do not know
21.7% Less than $25,000
5.1% $25,000 to $50,000
4.9% $50,000 to $100,000
7.0% $100,000 to $250,000
4.7% $250,000 to $500,000
4.9% $500,000 to $1 million
2.1% $1 million to $5 million
2.6% More than $5 million
“It is curious that based on the self-identified experience and program maturity of the respondents, more than 47% do not know the cost impact of disruptions within their organizations. This is a basic element of conducting a BIA [business impact analysis]. In addition, most if not all of the respondents noted that their organization experienced an interruption that caused BCM activation.” – Tim Mathews, Director, Enterprise Resiliency, Educational Testing Services
“The fact that 31% of respondents felt they had met their RTO during a disruption, when 85% are using exercises, indicates there is room to improve the quality of exercises.” – Ed Matley, Director, Advisory Services, KPMG LLP
2.2 Entity Type, Program Drivers, Governance, Status & Investments
Public companies make up 40% of the organizations surveyed, followed by private companies (39%), government agencies or authorities (10%), not-for-profit organizations (9%) and educational institutions (2%).
On average, BCM programs have been in place for 7.7 years. Two-thirds (66%) of BCM programs have been in place for between one and ten years. Organizations with new BCM programs – those that are less than one year old – make up nearly 6% of the sample.
A majority (60%) of organizations described their BCM program status as follows: “[We] have a policy, senior management steering or advisory committee, plans in place, and have developed a process for updating plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests or real events.” Just over 9% of organizations are in the process of establishing a BCM program.
“It is interesting that a relatively large number of companies are privately held. Classical wisdom says that private companies pay less attention to BCM and risk management in general. But these results suggest that there may be an increasing focus on these practices by privately held companies. I hope this points to a positive trend.” – Doug Weldon, President, BCI – USA Chapter
Figure 3. Type of organization, entity or enterprise.
40.0% Public Company
39.2% Privately-Held Company
9.5% Government Agency or Authority
2.2% Education
9.2% Not-for-Profit Organization
Figure 4. Lifespan of BCM programs.
5.8% Less than 1 year
15.4% 1 year to 3 years
19.9% 3 years to 5 years
30.8% 5 years to 10 years
17.8% 10 years to 20 years
4.8% More than 20 years
5.5% Do not know
The top two drivers for establishment of a BCM program are continuity of business operations (84%) and reputation (40%). Other drivers include government regulations/compliance (34%), the need to address audit findings (32%), customer requests or requirements (22%), legal requirements (18%) and the unique competitive advantage a BCM program provides (15%).
In the 2008 BCM program benchmarking study, also conducted by Continuity Insights and KPMG LLP, only 14% of respondents noted that reputation was one of the key reasons for establishing a program.
“Almost 85% of the respondents state that their business continuity program is primarily implemented for continuity of operations, which emphasizes the acknowledgement of corporate responsibility and ownership to institutionalize this continuity into business portfolios.” – Michele Guido, Business Assurance Principal, Southern Company
Figure 5. BCM program status.
9.1% We are currently in the process of establishing a BCM Program, defining program governance, scope, objectives, budgeting, and format for plans.
6.7% We are currently in the assessment phase (i.e., Risk Assessment, Business Impact Analysis, Strategy Selection, etc.) for the first time in the program’s lifecycle.
18.5% We are currently developing BCM Plans, Crisis Management Plans, and Disaster Recovery Plans.
59.5% We have a BCM Policy, Senior Management Steering or Advisory Committee, Business Continuity, Crisis Management, and Disaster Recovery Plans in place and have developed a process for updating those plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests, or real events.
6.2% Other
Figure 6. Reasons for establishing BCM programs.
31.6% Address audit finding(s)
84.2% Continuity of business operations
22.0% Customer request or requirement
33.5% Federal government regulations/required law
39.7% Reputation
17.7% Required by law
14.7% Unique competitive advantage
5.8% Other
“It is interesting that reputation as a program driver has increased from 14% to 40% in the last four years. I believe this is the direct result of the pervasiveness of social media and its impact on public perception.” – Michael Arcuri, Director of Business Continuity, KPMG LLP
“The lack of common understanding about the role of BCM Manager/Director/VP – or even the need for it – is disturbing. According to the results, the executive with the ultimate responsibility for BCM is most often the CEO. This reflects what we think should be the case, but I wonder if that is actually the view of the C-suite if asked the same question about BCM, without pre-defining the scale and scope for them.” – Lyndon Bird, Technical Development Director and Board Member, BCI
“It appears that the business continuity function is getting better defined, is reporting at a higher level and functional substantiation is based on value to the business. This is significant since trends will come and go, but if you show business value, management support will be there.” – Michael Janko, Manager, Global Business Continuity, Goodyear
Almost two-thirds (65%) of respondents indicate their organization has established a senior management advisory or steering committee that provides input and assistance to the program leader. Another 10% have a committee under development.
Additionally, two-thirds of organizations (65%) indicate they have a full-time program coordinator, with 22% having a part-time coordinator authorized to administer and keep the BCM program current.
In 17% of organizations, the C-Level executive that serves as the BCM program executive sponsor is either the Chief Executive Officer or President. Less than 2% of organizations have a Chief Continuity Officer (CCO) responsible for the BCM program.
Figure 7. Status of organizations’ senior management advisory or steering committee.
65.3% Yes
21.7% No
10.1% Committee under development
2.9% Do not know
Figure 8. Job title of the executive sponsor for organizations’ BCM programs.
16.6% CEO/President
12.0% Chief Operating Officer
8.4% Chief Financial Officer
13.6% Chief Information Officer
9.4% Chief Risk Officer
1.8% Chief Continuity Officer
2.7% Emergency Management
5.1% Vice President, Info Technology
17.5% Other Corporate/Executive Management
12.9% Specific Department Manager/Director/VP (non C-Level executive)
“By a large margin, the highest number of FTE employees in BCM is in the zero-to-two range. It’s not very impressive, and probably not seen as a great career building opportunity by young, ambitious people who want to excel in core business. The value, importance and responsibility of BCM people are not being reflected in its status.” – Lyndon Bird, Technical Development Director and Board Member, BCI
Respondents were asked to provide the number of full time equivalent (FTE) employees dedicated to the BCM Program (including contractors) in the following categories:
• The BCM Program Management Office (PMO)
• Business continuity resources in business units and business functions
• Information technology disaster recovery resources
Within BCM PMOs, the average headcount is 3.7. For the business continuity resources in business units and business functions, the average headcount is 7.3. Personnel supporting information technology disaster recovery capabilities averages 6.0 FTE employees.
Responses to this question (and questions relating to BCM program budgets) vary depending on the entity type, number of employees, revenue and industry profile. While the aggregate mean number of FTE employees increases with company size, a majority of all but the very large companies have zero to two FTE employees.
2.3 Program Execution & Performance
Earlier results indicate continuity of business operations is the primary driver for the establishment of a BCM program in 84% of organizations, yet 37% do not conduct active measurement of BCM program performance. The leading method for measuring the performance of BCM programs is business continuity plan exercises (85%), followed by audit findings at 62%.
“It is positive that two-thirds of BCM programs have full time coordinators with senior advisory committees in support, but less positive that the typical title of the coordinator is Director or Manager.” – Doug Weldon, President, BCI – USA Chapter
Figure 9. Percentage of organizations with zero to two FTE employees dedicated to the BCM program by company size (annual revenue).
[Bar chart. Series: Corporate BCM Program Office; Various Business Units/Functions; Information Technology/Disaster Recovery. Company-size categories: Small (<$50M), Mid-size ($50M-$1B), Large ($1B-$5B), Very Large (>$5B), N/A.]
“37% say they don’t measure the performance of their program. Of those who do measure, only 13% measure performance using some kind of cost/benefit analysis. Most of the performance metrics are self-referencing and not related to the business. If we want to raise the profile of BCM and get executive-level buy-in, then we need to measure the value contribution of BCM programs not just program performance.” – Lee Glendon, Head of Research & Advocacy, BCI
Using the 2008 benchmarking study results, a significant increase in the instances of organizations reviewing their performance capabilities versus standards (30%) can be seen. In 2008, only 9% of the respondents indicated that they were undertaking this type of review.
2.4 Leveraging Standards To Support The Program
Standards are increasingly important tools for BCM program planning. The results show that NFPA 1600 is the most widely used standard, but this is certainly influenced by the fact that two-thirds of the respondents have global headquarters in the United States.
Figure 10. Methods used by organizations to measure BCM program performance.
2.5 Integration With Other Disciplines
Using results from the 2008 benchmarking study as a point of reference, the integration of BCM programs with other disciplines shows little progress. The most widely-integrated discipline is crisis management, with 68% of respondents indicating it is “completely” or “well” integrated with their BCM programs.
“Given such interdependent economies and supply chains, it is interesting that more than 20% are ‘not at all’ integrated with their strategic sourcing function. Also, knowing the strategic implications of recovery and response to an interruption, it is interesting that more than 23% are ‘not at all’ integrated with strategic planning.” – Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service
Figure 12. BCM program integration progress since 2008.
High level of BCM Integration with: | 2011-2012 | 2008
Strategic Planning Capabilities | 34% | 36%
Strategic Sourcing And Procurement Capabilities | 32% | 27%
Enterprise Risk Management Program | 52% | 50%
Crisis Management Program | 68% | 67%
Figure 11. Widely used business continuity-related standards.
46% USA – NFPA 1600
27% UK – BS25999-2:2007 Specification for BCM
26% UK – BS25999-1:2006 Code of Practice for BCM
12% International – ISO/IEC 27001:2005
11% USA – ASIS BCM.01-2010
11% International – COBIT 4.1
11% USA – NIST SP 800-34
10% Information Technology Infrastructure Library (ITIL) v.3
“These standards contain the vital components to help organizations develop and map their planning efforts in order to mature their BCM programs.” – Robbie Atabaigi, Director, Advisory Services, KPMG LLP
2.6 Integration With Third Parties
Less than one-third (32%) of organizations indicate a high-level of integration with third-party service providers (utilities, information technology service providers and/or business process service providers), down from 35% in 2008, while 37% are well integrated with public authorities (police, fire, and local emergency management services), up from 34% in 2008.
Two-thirds (66%) of respondents indicated their organizations require mission critical third-party service providers to provide evidence of a viable BCM program. Less than half (47%) of the organizations surveyed involve external companies or agencies in their BCM program exercises. Third-party service providers (33%) are involved more often than public sector agencies (18%) and supply chain partners (10%).
Figure 13. BCM program integration progress since 2008.
High level of BCM Integration with: | 2011-2012 | 2008
Third-party Service Providers | 32% | 35%
Public Authorities | 37% | 34%
Figure 14. Engagement of external companies or entities during BCM program exercises.
17.7% Public sector agencies
10.2% Supply chain partners
33.3% Service providers
53.5% None or not applicable
“The cloud may be a high-availability strategy but concerns exist about recovery of cloud-based applications and data.” – Tim Mathews, Director, Enterprise Resiliency, Educational Testing Services
2.7 Use Of Software
Organizations were asked to identify all BCM-related software packages currently in use or designated for implementation within the next year. Emergency notification software (47%) and BCM software (46%) are the most common.
Figure 15. Widely used BCM program-related software packages.
46.0% Business Continuity Management software
22.8% Business Impact Analysis software
12.3% Change Management software
46.7% Emergency Notification software
11.5% Enterprise Governance Risk and Compliance software
13.4% Risk Assessment software
45.5% Microsoft Office Tools (i.e., Word, Excel, etc.)
14.1% Other
2.8 IT Recovery Strategy & Disaster Recovery Capabilities
Respondents were asked a series of questions regarding their organization’s IT disaster recovery strategy and recovery-related capabilities. IT recovery strategies are most commonly described as a combination of internal and external solutions (50%), an internal hardware and software solution (46%), and an external hardware and software solution (21%). For those organizations with plans to move capabilities to the cloud, private cloud solutions (11%) are favored over public cloud solutions (6%).
Many organizations’ IT recovery strategies are undergoing change, namely internal software and hardware solutions (43%), combination internal and external solutions (36%), and external hardware and software solutions (23%). On average, 3.8% of IT budgets go to disaster recovery capabilities.
In addition, 20% of respondents indicate their organization is undergoing changes to move certain capabilities to a private cloud solution and 8% of respondents are moving certain capabilities to a public cloud solution.
Figure 16. Current IT disaster recovery strategies.
45.7% Internal – Hardware and Software Solution
20.8% External – Hardware and Software Solution
50.2% Combination/Hybrid of Internal and External Solutions
6.1% Move certain capabilities to a Public Cloud Vendor
11.1% Move certain capabilities to a Private Cloud Solution
3.5% Other
Figure 17. Elements of organizations’ IT disaster recovery strategies undergoing change.
42.5% Internal – Hardware and Software Solution
22.9% External – Hardware and Software Solution
36.4% Combination/Hybrid of Internal and External Solutions
8.2% Move certain capabilities to a Public Cloud Vendor
19.9% Move certain capabilities to a Private Cloud Solution
10.0% Other
“All corporations, communities and individuals at some level use social media for communication, but do not yet include it in continuity plans. During a crisis, ‘we’ clamor for information. As an industry, we should begin best practice discussions to incorporate social media into BCM plans.” – Michele Guido, Business Assurance Principal, Southern Company
2.9 Cloud, Social Media & Mobility Applications
The use of cloud, mobile applications and social media, and their incorporation into documented IT disaster recovery plans, varies greatly from organization to organization. Over 41% of respondents incorporate mobile applications into IT disaster recovery plans whereas less than 18% incorporate social media into disaster recovery plans.
3 Future Outlook & Recommendations
There are many sources of operational disruptions, all of which can have devastating effects if not sufficiently planned for. The process of planning can begin only when these threats and their impacts have been thoroughly assessed.
Market trends such as cloud, mobility and social media are key drivers that business continuity professionals and executives responsible for governing BCM programs should consider as organizations adapt their programs and associated plans. However, priority should be given to the establishment of critical BCM program elements and activities, and the gathering of vital information and metrics, such as:
• A BCM program steering committee.
• The cost of outages (via business impact analysis).
• The storage location and volume of critical data and applications.
• BCM program maturity assessment and development.
• Engagement with critical third-party suppliers and public authorities.
• Appropriate BCM program leadership.
It is important to note that BCM program gaps cannot be addressed without considering the organization’s broader strategic priorities, and organization-specific threats and obligations.
Moving forward, organizations are encouraged to review and assess their BCM program capabilities and gaps using the findings from this study. This holistic, data-driven approach will both improve organizational preparedness and further efforts to make BCM a strategic, boardroom-level agenda item.
Figure 18. Cloud, mobile applications and social media usage with IT disaster recovery plans.
Capability | Utilize and have an IT Disaster Recovery Plan | Utilize and do not have an IT Disaster Recovery Plan | Do Not Utilize
Cloud Applications | 28.2% | 14.4% | 57.4%
Mobile Applications | 41.6% | 23.6% | 34.8%
Social Media | 17.8% | 24.64% | 57.6%
“An organization’s reputation can be ruined in minutes if not handled appropriately. That is why it is essential to have social media plans incorporated as part of an overall crisis management response.” – Scott Hall, Vice President, Global Disaster Recovery & Business Continuity, Equifax
“Social media continues to evolve – with or without formal buy in.” – Michael Janko, Manager, Global Business Continuity, Goodyear
4 Conclusion
BCM has emerged as one of the key disciplines that organizations can use to manage operational risk. The discipline continues to evolve from one that is focused on responding to an event or incident to one that adapts to changing market trends and threats.
A holistic approach to planning and governing BCM programs must be combined with regular program reviews that allow the program – and hence the organization – to evolve in order to address the ever changing risk landscape with which we are faced.
5 Research Methodology
Respondents for the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, Web site, and email deployments, as well as from other professional organizations that supported the study. The 20-minute online survey comprised 52 questions and was fielded from November 2011 through January 2012. Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses was collected for each question. KPMG business continuity professionals developed the survey questionnaire.
Mint Jutras prepared the resulting tabulation and supplied analysis for select data points. For more information on the study methodology, please contact Mint Jutras at cindy@mintjutras.com.
5.1 Respondent Profiles
5.1.1 Type Of Entity Or Enterprise
Figure 19. Type of organization, entity or enterprise.
40.0% Public company
39.2% Privately held company
9.5% Government agency or authority
2.2% Education
9.2% Not-for-profit organization
“Executive sponsorship, funding and other metrics are important considerations for all organizations. One way we can further develop BCM programs is to increase collaboration across all industries.” – Mike Jennings, Director, Disaster Readiness Program, Blue Cross Blue Shield of Massachusetts
5.1.2 Geographical Range Of Operations
Figure 20. Geographical range of operations.
10.5% Single Site
21.0% Regional Multi-Site (1 Region or Country)
23.9% National Multi-Site
44.6% Global Multi-Site
5.1.3 Country
Figure 21. Location of global headquarters.
67% United States
13% Rest of World
8% Canada
4% Chile
3% United Kingdom
2% Romania
1% The Netherlands
1% Switzerland
1% France
5.1.4 Industry
Figure 22. Industries represented in the survey.
2.6% Aerospace/Defense
0.7% Automotive
0.9% Biotechnology
0.8% Chemical/Petroleum
1.4% Communications/Media
3.7% Computer/Information Technology Telecommunications
5.3% Computer/Information Technology Software
8.7% Computer/Information Technology Services
3.9% Education
2.4% Entertainment/Media
18.6% Financial Services – Banking
7.3% Financial Services – Brokerage
5.7% Financial Services – Credit Card
3.4% Financial Services – Credit Union
11.3% Financial Services – Investment
6.7% Financial Services – Mortgages
0.9% Government – City/Municipality
1.8% Government – County
2.9% Government – State/Province
3.9% Government (Federal)
3.3% Healthcare Medical – Hospital
3.7% Healthcare Medical – Service Provider
0.5% Human Resources
10.6% Insurance
0.7% International Non Government Organization (NGO)
1.5% Logistics
3.5% Manufacturing – Consumer Goods
2.1% Manufacturing – Industrial Goods (Non-technology)
1.1% Manufacturing – Medical Devices/Other Healthcare Products
3.7% Not for Profit Organization
1.5% Pharmaceuticals
0.8% Power (Production/Transmission)
8.0% Professional Services (Business Continuity/Operational Risk Consulting)
4.3% Professional Services (IT/Business Process Outsourcing)
1.1% Professional Services – Legal
4.7% Professional Services (Other)
3.1% Retail
0.8% Transportation – Aviation
0.6% Transportation – Mass Transit
0.9% Transportation – Shipping
0.8% Transportation – Trucking
4.0% Utilities – Energy
1.0% Utilities – Water
1.0% Wholesale Distributors
10.4% Other
5.1.5 Company Size
The revenue profile for the various respondents varies significantly.
Over two-thirds (70%) of organizations have more than 1,000 employees.
“I am rather surprised at the number of respondents that said they did not know what the company’s revenues are: 15%! Revenues are a key component to an understanding of “impact” in a BIA and risk assessment. Perhaps this is an indication of the relatively large number of privately held companies reporting in the survey, but BCM people need to know revenues and other key financials whether the company is public or private!” – Doug Weldon, President, BCI – USA Chapter.
10.2% Less than $10 million
6.5% $10 million to $50 million
3.9% $50 million to $100 million
7.9% $100 million to $500 million
6.8% $500 million to $1 billion
14.8% $1 billion to $5 billion
9.4% $5 billion to $10 billion
16.6% More than $10 billion
8.9% Not applicable
15.1% Do not know
Figure 23. Revenue profile.
7.2% Less than 25
4.1% 25 to 99
10.7% 100 to 499
7.5% 500 to 999
21.1% 1,000 to 4,999
14.5% 5,000 to 9,999
9.8% 10,000 to 19,999
25.0% 20,000 or more
Figure 24. Employee profile.
5.2 C-Level Executive With Ultimate Reporting Responsibility
16.6% CEO/President
12.0% Chief Operating Officer
8.4% Chief Financial Officer
13.6% Chief Information Officer
9.4% Chief Risk Officer
1.8% Chief Continuity Officer
2.7% Emergency Management
5.1% Vice President, Information Technology
17.5% Other Corporate/Executive Management
12.9% Specific Department Manager/Director/VP (non C-Level executive)
Figure 25. Job title of the executive sponsor for organizations’ BCM programs.
5.3 BCM Program Leader
For those respondents that selected “other” for job title, the largest number of responses related to one or more contingency planning-related disciplines.
11.1% Vice President, Business Continuity Management or Business Resilience
35.4% Director or Manager, Business Continuity Management or Business Resilience
2.9% Vice President, Risk Management
7.8% Director or Manager, Risk Management
1.5% Vice President of Information Technology
3.4% Director or Manager of Information Technology
1.9% CEO/President
1.9% Chief Operating Officer
1.2% Chief Financial Officer
1.5% Chief Information Officer
1.3% Chief Risk Officer
3.7% Chief Security Officer, VP/Director
8.1% Specific Department Director/Manager
18.4% Other
Figure 26. Job title of BCM program sponsor.
“Organizations need to have the right business continuity leader who understands the company, the industry and the business continuity process components.” – Michael Janko, Manager, Global Business Continuity, Goodyear
6 Requests For Benchmarking Reports & Key Contacts
If you would like to benchmark your organization by leveraging the 2011-2012 Continuity Insights and KPMG LLP Business Continuity Management (BCM) Program Benchmarking Study or custom reports, please provide the following information to Bob Nakao at robert.nakao@advantagemedia.com or to Bruce Hager at bhager@kpmg.com:
• Your name
• Your organization
• Your title
• Your e-mail address
• The complete study and/or custom report(s) you would like to receive: industry, type of entity, region of HQ operation, number of employees or annual revenue
You will be provided with the custom report(s), if available, generally within a week of the receipt of your request. Custom reports by type of entity include public companies, private companies, government agencies and authorities, and not for profits. Custom reports for industries include education, financial services, computers/information technology/telecommunications, government, healthcare, manufacturing, professional services, and utilities.
For more information about this survey, please contact:
Bob Nakao
Publisher, Continuity Insights
215-968-1516
robert.nakao@advantagemedia.com
Robbie Atabaigi
Director, Business Continuity Services
KPMG LLP
404-222-3257
ratabaigi@kpmg.com
7 Acknowledgements
Continuity Insights and KPMG LLP would like to acknowledge the following organizations for their contributions in helping raise the awareness – and hence the value – of the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study.
• Association of Contingency Planners (ACP)
• Association of Sacramento Area Planners (ASAP)
• BC Management
• BCI-USA
• Business and Industry Council for Emergency Planning and Preparedness (BICEPP)
• Business Continuity Institute (BCI)
• Business Continuity Planners Association (BCPA)
• Business Recovery Managers Association (BRMA)
• Business Resumption Planning Association (BRPA)
• Contingency Planners of Ohio (CPO)
• Contingency Planning Exchange (CPE)
• Continuity Central
• Contingency Planning Association of the Carolinas (CPAC)
• Disaster Recovery Journal (DRJ)
• Forbes Calamity Prevention (Singapore/Asia)
• Mid Atlantic Disaster Recovery Association (MADRA)
• New England Disaster Recovery Information Exchange (NEDRIX)
• Rothstein Business Survival
• Southeastern Business Recovery Exchange (SEBRE)
• Southeast Continuity Planners Association (SCPA)
• Survival Insights
In addition, we would like to acknowledge the subject matter professionals that reviewed the survey results and provided their point of view for use in this report.
KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s member firms have 145,000 professionals, including more than 8,000 partners, in 152 countries.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.