2011–2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study Results and Leading Practices

Robbie Atabaigi and Marty Plevel, KPMG LLP, April, 2012

April 16–18, 2012 • Talking Stick Resort • Scottsdale, Arizona


Introduction

Today’s discussion:

– Highlights from the 2011–2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study

– Share some poignant observations from various BCM practitioners that reviewed the study results and shared their point of view regarding the responses

– Review the process for requesting a copy of the study results and custom reports to use in benchmarking your organization’s BCM program


Acknowledgements

Continuity Insights and KPMG LLP would like to acknowledge the following organizations for their contribution in helping raise the awareness and the value of the 2011 – 2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study.

– Association of Contingency Planners (ACP)

– Association of Sacramento Area Planners (ASAP)

– BC Management

– BCI - USA

– Business and Industry Council for Emergency Planning and Preparedness (BICEPP)

– Business Continuity Institute (BCI)

– Business Continuity Planners Association (BCPA)

– Business Recovery Managers Association (BRMA)

– Business Resumption Planning Association (BRPA)

– Contingency Planners of Ohio (CPO)

– Contingency Planning Exchange (CPE)

– Continuity Central

– Continuity Planning Association of the Carolinas (CPAC)

– Disaster Recovery Journal (DRJ)

– Forbes Calamity Prevention (Singapore/Asia)

– Mid Atlantic Disaster Recovery Association (MADRA)

– New England Disaster Recovery Information Exchange (NEDRIX)

– Rothstein Business Survival

– Southeastern Business Recovery Exchange (SEBRE)

– Southeast Continuity Planners Association (SCPA)

– Survival Insights

In addition, we would like to acknowledge the subject matter professionals that reviewed the survey results and provided their point of view for use in this presentation, the study report and the companion article.


Agenda

Overview: Methodology; Demographics; Incidents

Governance: Program Management; Measuring Program Performance; Resource Management (Headcount, Budget and Training)

Capabilities: Program Elements, Current State, Plans and Gaps; Benchmarking Study Reports


Methodology

Respondents for the 2011–2012 Continuity Insights (CI) & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, Website and email deployments, as well as from other professional organizations that supported the study.

The online survey was comprised of 52 questions and was fielded from November, 2011 through January, 2012.

Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses were collected for each question.

KPMG LLP business continuity professionals developed the survey questionnaire.

Mint Jutras prepared the resulting tabulation and supplied analysis for selected data points.

For more information on the study methodology, please contact Mint Jutras at [email protected].


Q6 Responses: Location of global headquarters

[Pie chart: HQ Location. Legend: United States, Rest of World, Canada, Chile, United Kingdom, Romania, The Netherlands, Switzerland, France. Slice labels: 67%, 13%, 8%, 4%, 3%, 2%, 1%, 1%, 1%, 1%]


Q2 Responses: Primary type of business

Aerospace/Defense 23 2.6%

Automotive 6 0.7%

Biotechnology 8 0.9%

Chemical/Petroleum 7 0.8%

Communications/Media 12 1.4%

Computers/IT/Telecom 154 17.7%

Education 34 3.9%

Entertainment/Media 21 2.4%

Financial Services 465 53.0%

Government 9.5%

Healthcare 61 7.0%

Insurance 93 10.6%

Non Government (NGO) 6 0.7%

Logistics 13 1.5%

Manufacturing 59 6.7%

Not for Profit 32 3.7%

Pharmaceuticals 13 1.5%

Power 7 0.8%

Professional Services 159 18.1%

Retail 27 3.1%

Transportation 15 1.7%

Utilities 44 4.0%

Wholesale Distributors 9 1.0%

Other 91 10.4%


Q1 Responses: Organization uses survey results to enhance and/or generate executive support for BCM Program

Yes (53.8%)

No (46.2%)

“As I read the 2011 – 2012 Continuity Insights and KPMG LLP Business Continuity Management Program Benchmarking Study I was pleasantly surprised at some of the results and was dismayed by others. There are some technologies and services that we need to be concerned with; Cloud Computing and social media for example. However, these seem not to be on people’s radar which is somewhat concerning. This benchmarking study is an important tool for organizations to understand where they are on the road to resilience compared to others across industries. I think it is a worthy exercise to review the findings and touch base with your particular program. You might be surprised at the results.” Michael Jennings, Senior Director, Disaster Readiness Program, Blue Cross Blue Shield (BCBS) of Massachusetts.


Q3 Responses: Number of employees

Number of employees / Replies / Approximate Percentages

Less than 25 63 7.2%

25 to 99 36 4.1%

100 to 499 94 10.7%

500 to 999 66 7.5%

1,000 to 4,999 185 21.1%

5,000 to 9,999 127 14.5%

10,000 to 19,999 86 9.9%

20,000 or more 219 25.0%

The organizational profiles spanned:

– Organizations with less than 1,000 employees (approximately 30%)

– Organizations with 1,000–4,999 employees (approximately 21%)

– Organizations with 5,000–9,999 employees (approximately 14%)

– Organizations with 10,000–19,999 employees (approximately 10%)

– Organizations with 20,000 or more employees (approximately 25%)


Q4 Responses: Best describes organization, type of entity or enterprise

Public company (40.0%)

Privately held company (39.2%)

Government agency or authority (9.5%)

Education (2.2%)

Not-for-profit organization (9.2%)

“The report is interesting in that it seems to show that businesses are adopting business continuity as an internal requirement in greater numbers than in the past. The trend looks positive, although there are still a few notable gaps such as the degree to which organizations are reaching out to include their public sector counterparts in aspects of their contingency planning” said John Copenhaver, Senior Advisor to the BCI Board.

“It is interesting the relatively large base of companies that are privately held. Classical wisdom has been that private companies pay less attention to BCM and risk management in general. But these results suggest that there may be an increasing focus on these by privately held companies. I hope these point to a positive trend” said Douglas Weldon, President, BCI – USA Chapter.


Q5 Responses: Geographical range of operations

Approximately 45% of respondents have global multi-site operations

Approximately 24% of respondents have national multi-site operations throughout the country of the organization’s operations

Approximately 21% of respondents have regional multi-site operations in one country

Approximately 10% of organizations have a single site operation

[Pie chart: Geographic range. Global Multi-Site 45%; National Multi-Site 24%; Regional Multi-Site (1 Region or Country) 21%; Single Site 10%]


Q7 Responses: Approximate annual revenues

Revenue ($ US) / Replies / Percentages

Under $10 million 89 10.2%

$10 to $50 million 57 6.5%

$50 to $100 million 34 3.9%

$100 to $500 million 69 7.9%

$500 to $1 billion 60 6.8%

$1 to $5 billion 130 14.8%

$5 to $10 billion 82 9.4%

Greater than $10 billion 145 16.6%

Do Not Know 132 15.1%

“I am rather surprised at the number of respondents that said they did not know what the company's revenues are—15%! Revenues are a key component to an understanding of "impact" in a BIA and risk assessment” said Douglas Weldon, President, BCI – USA Chapter.

“Perhaps this is an indication of the relatively large number of privately held companies reporting in the survey, but BCM people need to know revenues and other key financials whether the company is public or private!”

Approximately 9% of survey respondents indicated that this question was not applicable to their organization.


Q36 Responses: Experienced an incident or interruption in the past year that caused your organization to activate any documented business continuity, crisis management and/or disaster recovery plan(s)

Severe weather (Hurricanes, Tornadoes, Severe Winter, etc.) (50.4%)

Power (46.9%)

IT Related (Telecommunications – voice, data, converged network) (31.0%)

IT Related (Change Management, Data Corruption, DOS, Virus, Security) (30.7%)

IT Related (Hardware/Software in Production) (30.5%)

Earthquake (28.1%)

Flood (31%)

IT Related (Upgrade/Scheduled Outage) (26.2%)

Fire (19.4%)

Civil unrest (16.7%)

Supplier issues or high profile neighbor (12.9%)

Theft (9.0%)

Other (7.9%)

Terrorist attack (4.9%)


Q36 Responses: Experienced an incident or interruption in the past year that caused activation of plan(s)

[Bar chart of the Q36 responses; vertical axis 0 to 400]


Observations – Incidents and Interruptions

Lyndon Byrd, Technical Development Director and Board Member, The Business Continuity Institute (BCI) said, “The reasons for interruptions fit well with similar BCI surveys; severe weather, floods, power outages and IT related issues always score highly and of course earthquakes have become a key issue of late with both Japan and Christchurch NZ happening in 2010. We have also found increasing concern about cyber attacks (particularly in government and financial services).”


Agenda

Overview: Methodology; Demographics; Incidents

Governance: Program Management; Measuring Program Performance; Resource Management (Headcount, Budget and Training)

Capabilities: Program Elements, Current State, Plans and Gaps; Benchmarking Study Reports


Q9 Responses: How long the BCM Program has been in place

Less than one year (5.8%)

1 year to 3 years (15.4%)

3 years to 5 years (19.9%)

5 years to 10 years (30.8%)

10 years to 20 years (17.8%)

More than 20 years (4.8%)

Do not know (5.5%)


Q10 Responses: Primary reasons for BCM Program establishment

Continuity of business operations (84.2%)

Reputation (39.7%)

Federal government regulations (33.5%)

Address Audit finding(s) (31.6%)

Customer request or requirement (22.0%)

Required by law (17.7%)

Unique competitive advantage (14.7%)

Other (5.8%)

“Almost 85% of the respondents stated that their business continuity program was primarily implemented for continuity of operations…..which emphasizes the acknowledgement of corporate responsibility and ownership to institutionalize this continuity into business portfolios,” said Michele Guido, Business Assurance Principal, Southern Company.

“It is also noteworthy that the 2nd largest reason….is reputation, this is significant that companies are thinking this way,” said Doug Weldon, President, BCI – USA Chapter.


Q25 Responses: Best describes organization’s current program status

In the process of establishing a BCM Program, defining program governance, scope, objectives, budgeting, and format for plans (9.1%)

In the Assessment Phase (i.e., Risk Assessment, Business Impact Analysis, Strategy Selection) for the first time in the program’s life cycle (6.7%)

Developing BC Plans, Crisis Management Plans and Disaster Recovery Plans (18.5%)

Have a policy, senior management steering or advisory committee, plans in place, and have developed a process for updating plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests or real events (59.5%)

Other (6.2%)

“I wonder if business continuity management has not received the support that we anticipated or if our industry is moving at a very slow pace. I would have expected that the organizations that have plans in place would have been closer to 70 percent,” said Michael Jennings, Senior Director, Disaster Readiness Program, Blue Cross Blue Shield of Massachusetts.


Q11 Responses: The organization measures performance of the program

Yes (63.4%)

No (36.6%)


Q12 Responses: How the performance of the BCM Program is measured (select all that apply)

Plan exercises (85.0%)

Audit findings (62.4%)

BCM Program reviews (60.2%)

Technology recovery test results (57.5%)

Metrics program (including executive reporting) (54.7%)

Benchmarking/comparison to industry norms (37.0%)

Review performance capabilities vs. standards (29.9%)

Maturity modeling (29.1%)

Service level monitoring (20.9%)

Cost/Benefit Analysis (13.0%)

Other (1.8%)


Observations – Measuring Program Performance

Lee Glendon, Head of Research & Advocacy, BCI, said “Questions 11 and 12 ask about measuring performance of the BCM program. 37% say they don’t measure the performance of their program. Of those who do measure, only 13% measure in performance in some kind of cost/benefit analysis. Most of the performance metrics are self-referencing and not related to the business. If we want to raise the profile of BCM and get executive-level buy-in then we need to measure the value contribution of BCM programmes not just programme performance.”


Q13 Responses: Top standards used to support the BCM Program (All that apply – All responses with greater than 5% response rate)

USA – NFPA 1600 (45.6%)

UK – BS25999-2: 2007 Specification for BCM (27%)

UK – BS25999-1: 2006 Code of Practice for BCM (26.1%)

International – ISO/IEC 27001:2005 (11.9%)

USA – ASIS BCM.01-2010 (11.2%)

International – COBIT 4.1 (11%)

USA – NIST SP 800 – 34 (10.6%)

Information Technology Infrastructure Library (ITIL) v.3 (10.2%)

USA – ASIS SPC.1-2009 (7.2%)

USA – NFPA 232 (7.2%)

International – ISO 9000 Series (8.7%)

International – ISO/IEC 27002: 2005 (7.9%)

International – ISO 31000: 2009 (7.7%)


Q13 Responses: Top standards used to support the BCM Program (All that apply – US HQ responses with greater than 5% response rate)

USA – NFPA 1600 (59.3%)

UK – BS25999-2: 2007 Specification for BCM (20.9%)

UK – BS25999-1: 2006 Code of Practice for BCM (19.3%)

USA – ASIS BCM.01-2010 (14.4%)

International – COBIT 4.1 (7.8%)

USA – NIST SP 800 – 34 (14.2%)

Information Technology Infrastructure Library (ITIL) v.3 (8.0%)

USA – ASIS SPC.1-2009 (9.6%)

USA – NFPA 232 (10.0%)

International – ISO 9000 Series (7.3%)

International – ISO/IEC 27002: 2005 (7.9%)

International – ISO 31000: 2009 (6.4%)


Q37 Responses: For the most recent interruption that required you to activate one or more business continuity plans, how well recovery time objectives were met

Completely (30.7%)

Mostly (28.3%)

Somewhat (11.8%)

Not at all (2.6%)

Not applicable (20.3%)

Do not know (6.3%)


Q34 Responses: Estimated cost (both outlays and internal costs) of business disruptions in the past 12 months

($ US) Replies Percentages

Less than $25,000 152 21.7%

$25,000 to $50,000 36 5.1%

$50,000 to $100,000 34 4.9%

$100,000 to $250,000 49 7.0%

$250,000 to $500,000 33 4.7%

$500,000 to $1 million 34 4.9%

$1 million to $5 million 15 2.1%

More than $5 million 18 2.6%

Approximately 47% of the respondents that answered the question responded they did not know the estimated costs.


Q35 Responses: Estimated cost of the total financial impact of a major disruption or outage that lasts 5 business days

($ US) Replies Percentages

Less than $25,000 36 5.1%

$25,000 to $50,000 23 3.3%

$50,000 to $100,000 20 2.9%

$100,000 to $250,000 34 4.9%

$250,000 to $500,000 51 7.3%

$500,000 to $1 million 61 8.7%

$1 million to $5 million 85 12.1%

More than $5 million 123 17.5%

Approximately 38% of the respondents that answered the question responded they did not know the estimated costs.


Observations – Estimated Costs of Disruptions

According to Lee Glendon, Head of Research & Advocacy, BCI, “I think this theme that BCMers need to get closer to the business of their employers becomes more evident in the responses to Questions 34 and 35. 47% couldn’t estimate the cost of business disruptions over the past 12 months and when asked what would be the financial impact of a 5 day outage/disruption only 18% felt it would be more than US$5M – 38% wouldn’t hazard a guess.”

“I am quite surprised that nearly half (47.1%) of respondents do not know the costs of business disruptions. This information is a must for a BCM Program to track,” said Doug Weldon, President, BCI – USA Chapter.

“It is curious that based on the self-identified experience and program maturity of the respondents, more than 47% do not know the cost impact of disruptions within their organizations. This is a basic element of conducting a BIA. In addition, most if not all of the respondents noted that their organization experienced an interruption that caused BCM activation,” said Tim Mathews, Director, Enterprise Resiliency, Educational Testing Services.


Q15 Responses: Senior Management Advisory or Steering Committee that provides input and assistance

Yes (65.3%)

No (21.7%)

Committee Under Development (10.1%)

Do Not Know (2.9%)


Q16 Responses: Designated program coordinator authorized to administer and keep the BCM Program current

Full Time (65.3%)

Part Time (22.5%)

No (12.2%)

“More than 50% of respondents identified themselves as “BC Managers or BC Leaders with more than 5 years experience, yet more than 22% note a “part time” lead on their program. Given 10+ years since 9/11, I would expect more dedicated resources to BC”, said Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service.


Q17 Responses. Job title of the program leader for the BCM Program

BCM Program Director or Manager (35.4%)

CEO/President (1.9%)

BCM Program VP (11.1%)

Specific Department Manager/Director (8.1%)

Risk Management Director or Manager (7.8%)

Chief Operating Officer (1.9%)

Vice President, IT (1.5%)

Chief Information Officer (1.5%)

Chief Security Officer, VP or Director (3.7%)

Director or Manager of IT (3.4%)

Risk Management VP (2.9%)

Chief Risk Officer (1.3%)

Chief Financial Officer (1.2%)

Other (Approximately 18.3%)


Q18 Responses. Job Title of the BCM Program executive sponsor

Other Corporate/Executive Management (17.5%)

CEO/President (16.6%)

Chief Information Officer (13.6%)

Specific Department Manager/Director/VP (non-C Level) (12.9%)

Chief Operating Officer (12.0%)

Chief Risk Officer (9.4%)

Chief Financial Officer (8.4%)

Vice President, IT (5.1%)

Chief Continuity Officer (1.8%)

Emergency Management (2.7%)


Q19 Responses: C-Level executive with ultimate reporting responsibility

CEO (18.7%)

Chief Operating Officer (11.8%)

Other C – Level Executive (Approximately 11.7%)

Chief Financial Officer (11.5%)

Chief Information Officer (10.9%)

Chief Risk Officer (10.7%)

Chief Technology Officer (5.5%)

Chief Security Officer (3.9%)

General Counsel (3.7%)

Chief Information Security Officer (3.3%)

Chief Administrative Officer (3.3%)

President (2.8%)

Chief Compliance Officer (2.2%)


Observations – BCM Program Leadership and Governance

Lyndon Byrd, Technical Development Director and Board Member, BCI, said, “There were many different job titles, some that seemed to indicate a very senior position as head of BCM, some very junior. Again the lack of common understanding about the role of BCM Manager/Director/VP (or even the need for it) was disturbing. Asked who was the person with the ultimate responsibility for BCM, the highest score was CEO followed by COO and CRO – but CTO and CIO somewhat lower. This reflects what we think should be the case, but I wonder if that is actually the view of the C-Suite if asked same questions about BCM (without pre-defining its scale/scope) for them.”


Observations – BCM Program Leadership and Governance

According to Michael Janko, Manager, Global Business Continuity, Goodyear, “It appears that the Business Continuity function is getting better defined, is reporting at a higher level and functional substantiation is based on value to the business. This is significant since trends will come and go, but if you show business value, management support will be there.”

“It is positive that 2/3 of the programs have full time coordinators with senior advisory committees in support, but less positive that the typical title of the coordinator is Director or Manager” said Doug Weldon, President, BCI – USA Chapter.


Q23 Responses: How funds are allocated for BCM Program initiatives

On a case-by-case basis, on individual project needs (28.4%)

Do not know (23.0%)

As an individual line item in each functional budget (13.2%)

As a percent of the Information Technology budget (10.6%)

As a percent of the risk management budget (7.8%)

Other, please describe how funds are allocated (6.8%)

As a percent of individual functional budget (6.0%)

On a hybrid chargeback basis with base fee and usage charges (4.2%)


Q20 Responses: Estimated number of Full Time Equivalent (FTE) headcount dedicated to the program in the PMO (including contractors)

684 Replies

Approximately 64.9% have 2 or less FTE headcount dedicated to the BCM Program in the PMO

Approximately 18.6% have 3 to 5 FTE headcount dedicated to the BCM Program in the PMO

Approximately 7.7% have 6 to 9 FTE headcount dedicated to the BCM Program in the PMO

Approximately 5.6% have 10 to 20 FTE headcount dedicated to the BCM Program in the PMO

Approximately 3.2% have more than 20 FTE headcount dedicated to the BCM Program in the PMO

Chart: number of replies by FTE range (0 to 2, 3 to 5, 6 to 9, 10 to 20, 20 or >); bar labels 444, 127, 53, 38, 22


Q20 Responses: Estimated number of FTE headcount dedicated to the program in business units and business functions (including contractors)

596 Replies

Approximately 56.7% have 2 or less FTE headcount dedicated to the BCM Program in business units and business functions

Approximately 12.9% have 3 to 5 FTE headcount dedicated to the BCM Program in business units and business functions

Approximately 7.0% have 6 to 9 FTE headcount dedicated to the BCM Program in business units and business functions

Approximately 8.4% have 10 to 20 FTE headcount dedicated to the BCM Program in business units and business functions

Approximately 14.9% have more than 20 FTE headcount dedicated to the BCM Program in business units and business functions

Chart: number of replies by FTE range (0 to 2, 3 to 5, 6 to 9, 10 to 20, 20 or >); bar labels 338, 77, 42, 50, 89


Observations – Resource Management

Lyndon Byrd, Technical Development Director and Board Director, BCI, said, “By a large margin the highest number of FTE in BCM was in the 0-2 range. Not very impressive, and probably therefore not seen as a great career building opportunity by young ambitious people who want to excel in core business. The value, importance and responsibility of BCM people are not being reflected in its status.”

“While not much is surprising in this report, one thing I find somewhat curious is that the numbers and magnitudes of the disasters that occurred in 2011 did not seem to cause any kind of discernible “ripple” in the responses,” said John Copenhaver, Senior Advisor to the BCI Board.


Q20 Responses: Estimated number of FTE headcount dedicated to the program for IT Disaster Recovery (including contractors)

645 Replies

Approximately 54.6% have 2 or less FTE headcount dedicated to the BCM Program for Information Technology Disaster Recovery

Approximately 20% have 3 to 5 FTE headcount dedicated to the BCM Program for Information Technology Disaster Recovery

Approximately 9% have 6 to 9 FTE headcount dedicated to the BCM Program for Information Technology Disaster Recovery

Approximately 7.1% have 10 to 20 FTE headcount dedicated to the BCM Program for Information Technology Disaster Recovery

Approximately 9.3% have more than 20 FTE headcount dedicated to the BCM Program for Information Technology Disaster Recovery

Chart: number of replies by FTE range (0 to 2, 3 to 5, 6 to 9, 10 to 20, 20 or >); bar labels 352, 129, 58, 46, 60


Q21 Responses: Estimated annual BCM Program budget for staff for the corporate Program Management Office (including contractors)

460 Replies

Approximately 65.1% have a BCM Program budget of less than $250k for the corporate program office

Approximately 16.8% have a budget of between $250k and $500k for the corporate program office

Approximately 10.1% have a budget of between $500k and $1M for the corporate program office

Approximately 6.2% have a budget of between $1M and $5M for the corporate program office

Approximately 0.6% have a budget of between $5M and $10M for the corporate program office

Approximately 1.3% have a budget greater than $10M for the corporate program office

Chart: number of replies by budget range (Less than $250k, $250K to $500K, $500K to $1M, $1M to $5M, $5M to $10M, $10M to $50M, More than $50M); bar labels 345, 54, 30, 21, 5, 3, 2


Q21 Responses: Estimated annual BCM Program budget for staff for the business units and business functions (including contractors)

460 Replies

Approximately 75% have a BCM Program budget of less than $250k for business units and functions

Approximately 11.7% have a budget of between $250k and $500k for business units and functions

Approximately 6.5% have a budget of between $500k and $1M for business units and functions

Approximately 4.6% have a budget of between $1M and $5M for business units and functions

Approximately 1.1% have a budget of between $5M and $10M for business units and functions

Approximately 1.1% have a budget of greater than $10M for business units and functions

Chart: number of replies by budget range (Less than $250k, $250K to $500K, $500K to $1M, $1M to $5M, $5M to $10M, $10M to $50M, More than $50M); bar labels 345, 54, 30, 21, 5, 3, 2


Q21 Responses: Estimated annual BCM Program budget for staff for IT Disaster Recovery (including contractors)

502 replies

Approximately 53.0% have a BCM budget of less than $250k for IT DR

Approximately 15.9% have a budget of between $250k and $500k for IT DR

Approximately 13.5% have a budget of between $500k and $1M for IT DR

Approximately 12.4% have a budget of between $1M and $5M for IT DR

Approximately 3.0% have a budget of between $5M and $10M for IT DR

Approximately 2.2% have a budget of greater than $10M for IT DR

Chart: number of replies by budget range (Less than $250k, $250K to $500K, $500K to $1M, $1M to $5M, $5M to $10M, $10M to $50M, More than $50M); bar labels 266, 80, 68, 62, 15, 8, 3


Q22 Responses: Estimated budget for training and awareness programs (include internal and external training, registration fees, travel and living expenses for conference attendance, etc.)

Approximately 90% have a budget of less than $250k

Approximately 6% have a budget of between $250k and $500k

Approximately 3% have a budget of between $500k and $1M

Approximately 2% have a budget of greater than $1M


Q49 Responses: Organization’s employees received sufficient BCM, Disaster Recovery and Crisis Management/Emergency Management training the past year

Yes (53.3%)

No (46.7%)


Q50 Responses: Organization’s investment in Disaster/Emergency Management and BCM related training in comparison to last year

Spent approximately the same in 2011 as in 2010 (Approximately 64.7%)

Spent significantly more in 2011 than 2010 (Approximately 18.0%)

Spent less in 2011 than 2010 (Approximately 17.3%)


Q51 Responses: Types of ongoing BCM Program training

Attend industry conferences (66.4%)

Internal company training (65.0%)

Attend Association meetings (63.6%)

Pursue professional certification courses (43.5%)

Training by third party companies (28.6%)

Attend continuing education courses at colleges/universities (22.3%)

Other (6.1%)

Graduate degree program (5.8%)

Undergraduate degree program (4.1%)


Q22 Responses: Estimated annual budget for third party consultants (includes program assessments, improving capabilities, etc.)

Approximately 86% have a budget of less than $250k

Approximately 8% have a budget of between $250k and $500k

Approximately 4% have a budget of between $500k and $1M

Approximately 2% have a budget of greater than $1M


Q22 Responses: Estimated annual budget for BCM software and hardware (including plan repository and emergency notification solutions)

Approximately 83% have a budget of less than $250k

Approximately 10% have a budget of between $250k and $500k

Approximately 4% have a budget of between $500k and $1M

Approximately 3% have a budget of greater than $1M


Q24 Responses: BCM related software packages implemented or plan to implement in next year

Emergency notification (46.7%)

Business Continuity Management (46.0%)

Microsoft ™ Office Tools (45.5%)

Business Impact Analysis (22.8%)

Risk Assessment (13.4%)

Other (14.1%)

Change Management (12.3%)

Governance, Risk and Compliance (11.5%)


Q22 Responses: Estimated annual budget for Work Area Recovery (including recovery site costs, third party service providers, etc.)

Approximately 76% have a budget of less than $250k

Approximately 12% have a budget of between $250k and $500k

Approximately 7% have a budget of between $500k and $1M

Approximately 5% have a budget of greater than $1M


Q22 Responses: Estimated annual budget for IT Disaster Recovery (including hardware, software, recovery capabilities, etc.)

Approximately 47% have a budget of less than $250k

Approximately 19% have a budget of between $250k and $500k

Approximately 13% have a budget of between $500k and $1M

Approximately 14% have a budget of between $1M and $5M

Approximately 7% have a budget of more than $5M


Q41 Responses: Percentage of organization’s IT budget that is spent on IT Disaster Recovery (e.g., hardware, software, recovery capabilities, etc.)

Less than 1% of the IT Budget (13.5%)

Between 1% and 2% of the IT budget (13.0%)

Greater than 2% and less than 4% of the IT budget (10.3%)

Greater than 5% and less than 10% of the IT budget (8.3%)

More than 10% of the IT budget (4.4%)

Do not know (50.5%)


Q22 Responses: Estimated annual budget for BCM Program exercises (include planning exercises, conducting exercises, debrief, third party participation, travel and living, etc.)

Approximately 85% have a budget of less than $250k

Approximately 9% have a budget of between $250k and $500k

Approximately 3% have a budget of between $500k and $1M

Approximately 3% have a budget of greater than $1M


Observations – BCM Program Funding

Lyndon Byrd, Technical Development Director and Board Member, BCI, said, “Again budgets are very low, around 65% or more usually fall in the lowest budget category provided in the survey. At this level of spending, BCM is not really addressing the level of corporate strategic impact needed.”


Agenda

Methodology

Demographics

Incidents

Program Management

Measuring Program Performance

Resource Management (Headcount, Budget and Training)

Program Elements, Current State, Plans and Gaps

Benchmarking Study Reports

Agenda section labels on the slide: Overview, Governance, Capabilities


Q31 Responses: How well integrated is the BCM Program with….

| | Extremely | Very Much | Somewhat | Not At All | Not Applicable |
|---|---|---|---|---|---|
| The Corporate Strategic Planning Program? | 10.8% | 22.9% | 37.4% | 22.9% | ~ 6.0% |
| The Enterprise Risk Management Program? | 16.9% | 35.0% | 32.3% | 9.9% | 5.9% |
| The Strategic Sourcing/Procurement Program? | 8.5% | 23.7% | 40.8% | 20.1% | 6.9% |


Observations – Strategic Alignment

Lee Glendon, Head of Research & Advocacy, BCI, said, “The other interesting finding (for me) was Question 31 – how well integrated is your BCM program with other corporate activities – Strategic planning stood out with 23% saying not integrated at all and likewise strategic sourcing/procurement, with over 20% stating it was not integrated at all (as opposed to “not applicable”). These are key areas for BCM going forward.”

“Given such interdependent economies and supply chains, it is interesting that more than 20% are “not at all” integrated with their strategic sourcing function. Also, knowing the strategic implications of recovery and response to an interruption, more than 23% are “not at all” integrated with strategic planning,” said Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service.


Q33 Responses. Frequency of conducting a Business Impact Analysis

Annually (36.8%)

In response to business changes (19.5%)

Every two years (15.7%)

Other (9.0%)

Never (8.3%)

Every three years (7.3%)

Semi-annually (3.4%)


Q32 Responses. Frequency of conducting Risk Assessments

Annually (44.9%)

In response to business changes (18.4%)

Semi-annually (8.8%)

Every two years (8.6%)

Other (7.6%)

Never (6%)

Every three years (5.7%)


Q14 Responses. Organization has incorporated capabilities to utilize social media in current BCPs, crisis management and/or IT DR plans

Yes, included in current plans (20.6%)

No, not included in current plans (57.1%)

Plans are currently in development (22.3%)


Observations – Social Media

Michael Jennings, BCBS Massachusetts, said, “Social media is rapidly becoming mainstream in business today. I think that the strategic use of social media in business continuity and disaster recovery is a great benefit. I would caution that before you integrate social media with your program that you take time to develop a social media policy that clearly defines the parameters of its use.”

“Social media... all corporations, communities, and individuals at some level use it for communication but it is not yet included in continuity plans. During a crisis, “we” clamor for information….need to evaluate as an industry and begin best practice discussion to incorporate,” said Michelle Guido, Business Assurance Principal, Southern Company.

“It is still difficult to quickly implement social media and other trending programs. Based on the size and complexity of most respondents, it takes a while to make change in communications policies and procedures. This is one question where responses will likely change the next time a survey is completed. Social media continues to evolve with or without formal buy in, so this remains a major activity for all to focus on,” said Michael Janko, Manager, Global Business Continuity, Goodyear.


Additional Observations – Social Media (continued)

Scott Hall, Vice President, Global Disaster Recovery & Business Continuity, Equifax said, “Social media is making one of the largest impacts on our media outlets today. News and information travel faster than ever before, and it is absolutely vital to be "plugged in" to this outlet in order to be proactive in response and management of information. An organization's reputation can be ruined in minutes if not handled appropriately. That's why it is essential to have social media plans incorporated as part of an overall crisis management response through crisis communications capabilities”.


Q28 Responses. Require mission critical service providers to provide evidence that they have a viable BCM Program

Yes (65.7%)

No (34.3%)


Q31 Responses. How well integrated is the BCM Program with…

| | Extremely | Very Much | Somewhat | Not At All | Not Applicable |
|---|---|---|---|---|---|
| IT Management? | 28.0% | 45.5% | 20.8% | 3.5% | ~ 2.2% |
| Information Security Management? | 24.1% | 37.5% | 28.5% | 7.8% | 2.1% |
| Corporate Security Management? | 22.2% | 35.4% | 30.6% | 8.1% | 3.7% |


Q43 Responses. Elements of current IT recovery strategy undergoing change (select all that apply)

Internal hardware and software solution (42.5%)

Combination/Hybrid of internal and external solutions (36.4%)

External hardware and software solution (22.9%)

Move certain capabilities to a private cloud solution (19.9%)

Other (10%)

Move certain capabilities to a public cloud solution (8.2%)


Q45 Responses. Percentage of organization’s application data is currently stored in the cloud?

Do not know (39.7%)

None (38.1%)

Less than 10% (12.7%)

Between 10%–24% (3.8%)

Between 25%–49% (2.6%)

Between 50%–75% (1.2%)

Greater than 75% (1.3%)

All (0.6%)

Michael Jennings, Senior Director, Disaster Readiness Program, BCBS of Massachusetts, said, “39.5 percent of respondents stated that they “did not know” what percentage of their organization’s application data is currently stored in the cloud. This is a scary statistic as far as I am concerned. It should be well known what is stored in the cloud, after all there has to be a recovery strategy associated with that…correct?”


Q47 Responses: Frequency of conducting full scenario testing of IT Disaster Recovery Plan(s)

Annually (38.3%)

Never (23.1%)

Do not know (13.0%)

Semi-annually (9.6%)

In response to business changes (5.4%)

Every two years (5.4%)

Other (~ 4.0%)

Every three years (1.2%)


Q48 Responses: The following are utilized by the organization and have an IT DR Plan associated with the capability

| Capability | Utilize and have an IT Disaster Recovery Plan | Utilize and do not have an IT Disaster Recovery Plan | Do Not Utilize |
|---|---|---|---|
| Cloud Applications | 28.2% | 14.4% | 57.4% |
| Mobile Applications | 41.6% | 23.6% | 34.8% |
| Social Media | 17.8% | 24.64% | 57.6% |


Q44 Responses: Cyber terrorism is included in current business continuity, crisis management and/or DR plans

Yes, included in current plans (41.3%)

No, not included in current plans (37.8%)

No, but plans are in development (~ 20.9%)

Lyndon Byrd, Technical Development Director and Board Member, BCI, said, “Your survey indicated that cyber terrorism was included in 41% of plans – it would be interesting to know exactly how they do that (is it security to prevent or crisis management to respond/mitigate). It is odd that 40% do not know what data is held in the cloud, whilst 41% claim they have Cyber DR/BCP. I suspect some wishful thinking.”


Q31 Responses: How well integrated is the BCM Program with…

| | Extremely | Very Much | Somewhat | Not At All | Not Applicable |
|---|---|---|---|---|---|
| Employee Health and Safety Program? | 18.3% | 36.4% | 32.4% | 8.6% | ~ 4.3% |
| Facilities/Real Estate Management? | 16.4% | 36.3% | 32.4% | 10.8% | 4.1% |
| The Crisis Management Program? | 30.6% | 37.0% | 23.9% | 5.2% | 3.3% |


Q38 Responses: Most recent business continuity planning exercise was conducted

Within the last 6 months (60.7%)

Within the past year (23.2%)

Do not exercise plans (10.5%)

Within the past 2 years (5.6%)


Q31 Responses: How well integrated is the BCM Program with…

| | Extremely | Very Much | Somewhat | Not At All | Not Applicable |
|---|---|---|---|---|---|
| Management of Insurance Coverage? | 13.2% | 26.9% | 35.1% | 15.9% | 8.9% |
| Third-party Service Providers (Utilities, Telecommunications, IT Service Providers or Business Process Service Providers)? | 7.5% | 24.6% | 47.6% | 15.7% | ~ 4.6% |
| Public Authorities (Police, Fire, Emergency Medical Services, Local Emergency Management Agencies, etc.)? | 11.2% | 25.6% | 38.1% | 18.8% | ~ 6.3% |

Approximately 66% of respondents indicated that their organization requires their mission critical 3rd party service providers to provide evidence that they have a viable BCM Program. (Q28 responses)


Q27 Responses: Your organization maintains and fosters relationships with external government agencies

Agree (45.4%)

Neutral (25.6%)

Strongly agree (14.0%)

Disagree (8.2%)

Strongly disagree (6.8%)


Q 40 Responses: External companies or agencies involved with your most recent BCM Program exercise (select all that apply)

None or not applicable (53.5%)

Third party service providers (33.3%)

Public sector agencies (17.7%)

Supply chain partners (10.2%)


Requests for Custom Benchmarking Reports

If you would like to benchmark your organization by leveraging the 2011–2012 Continuity Insights and KPMG LLP Global BCM Program Benchmarking Study report or custom reports, please provide Robbie Atabaigi, Bob Nakao or Marty Plevel the following information:
– Your name
– Your organization
– Your title
– Your e-mail address
– The complete study and/or custom report(s) you would like to receive (industry, type of entity, country of HQ operation, or annual revenue)

You will be provided the custom report(s), if available, generally within 5 business days of the receipt of your request

Available custom reports based on type of entity, revenue, number of employees and various industries:
– Annual revenue
– Number of employees
– Entity type (public companies, private companies, government agencies or authorities, and not for profits)
– Industries (computers/IT/telecommunications, education, financial services, government, healthcare, manufacturing, professional services, retail and utilities)


Summary

Thank you for your participation in today’s session.

The quotes in this presentation were provided to Continuity Insights by business continuity practitioners that provided quotes for this presentation, the companion report and an article published by Continuity Insights

Reprints of the article are available at www.continuityinsights.com.

Complete study results and custom reports that have been published are available upon request.

For more information, contact Robbie Atabaigi at [email protected], Marty Plevel at [email protected] or Bob Nakao at [email protected].
