TRANSCRIPT
April 16–18, 2012 • Talking Stick Resort • Scottsdale, Arizona
2011–2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study Results and Leading Practices
Robbie Atabaigi and Marty Plevel, KPMG LLP, April 2012
Introduction
Today’s discussion:
– Highlights from the 2011–2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study
– Share some poignant observations from various BCM practitioners who reviewed the study results and shared their point of view regarding the responses
– Review the process for requesting a copy of the study results and custom reports to use in benchmarking your organization’s BCM program
Acknowledgements
Continuity Insights and KPMG LLP would like to acknowledge the following organizations for their contribution in helping raise the awareness and the value of the 2011–2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study:
– Association of Contingency Planners (ACP)
– Association of Sacramento Area Planners (ASAP)
– BC Management
– BCI – USA
– Business and Industry Council for Emergency Planning and Preparedness (BICEPP)
– Business Continuity Institute (BCI)
– Business Continuity Planners Association (BCPA)
– Business Recovery Managers Association (BRMA)
– Business Resumption Planning Association (BRPA)
– Contingency Planners of Ohio (CPO)
– Contingency Planning Exchange (CPE)
– Continuity Central
– Continuity Planning Association of the Carolinas (CPAC)
– Disaster Recovery Journal (DRJ)
– Forbes Calamity Prevention (Singapore/Asia)
– Mid Atlantic Disaster Recovery Association (MADRA)
– New England Disaster Recovery Information Exchange (NEDRIX)
– Rothstein Business Survival
– Southeastern Business Recovery Exchange (SEBRE)
– Southeast Continuity Planners Association (SCPA)
– Survival Insights
In addition, we would like to acknowledge the subject matter professionals who reviewed the survey results and provided their point of view for use in this presentation, the study report and the companion article.
Agenda
Overview
– Methodology
– Demographics
– Incidents
Governance
– Program Management
– Measuring Program Performance
– Resource Management (Headcount, Budget and Training)
Capabilities
– Program Elements, Current State, Plans and Gaps
– Benchmarking Study Reports
Methodology
Respondents for the 2011–2012 Continuity Insights (CI) & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, website and email deployments, as well as from other professional organizations that supported the study.
The online survey comprised 52 questions and was fielded from November 2011 through January 2012.
Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses were collected for each question.
KPMG LLP business continuity professionals developed the survey questionnaire.
Mint Jutras prepared the resulting tabulation and supplied analysis for selected data points.
For more information on the study methodology, please contact Mint Jutras at [email protected].
Q6 Responses: Location of global headquarters
[Pie chart, HQ location. Categories shown: United States, Canada, Chile, United Kingdom, Romania, The Netherlands, Switzerland, France and Rest of World. The shares shown (67%, 13%, 8%, 4%, 3%, 2% and several 1% slices) cannot be matched to their categories from the extracted text.]
Q2 Responses: Primary type of business
Primary type of business  Replies  Percentage
Aerospace/Defense  23  2.6%
Automotive  6  0.7%
Biotechnology  8  0.9%
Chemical/Petroleum  7  0.8%
Communications/Media  12  1.4%
Computers/IT/Telecom  154  17.7%
Education  34  3.9%
Entertainment/Media  21  2.4%
Financial Services  465  53.0%
Government  (replies not shown)  9.5%
Healthcare  61  7.0%
Insurance  93  10.6%
Logistics  13  1.5%
Manufacturing  59  6.7%
Non Government (NGO)  6  0.7%
Not for Profit  32  3.7%
Pharmaceuticals  13  1.5%
Power  7  0.8%
Professional Services  159  18.1%
Retail  27  3.1%
Transportation  15  1.7%
Utilities  44  4.0%
Wholesale Distributors  9  1.0%
Other  91  10.4%
Q1 Responses: Organization uses survey results to enhance and/or generate executive support for BCM Program
Yes (53.8%)
No (46.2%)
“As I read the 2011–2012 Continuity Insights and KPMG LLP Business Continuity Management Program Benchmarking Study I was pleasantly surprised at some of the results and was dismayed by others. There are some technologies and services that we need to be concerned with; Cloud Computing and social media for example. However, these seem not to be on people’s radar which is somewhat concerning. This benchmarking study is an important tool for organizations to understand where they are on the road to resilience compared to others across industries. I think it is a worthy exercise to review the findings and touch base with your particular program. You might be surprised at the results,” said Michael Jennings, Senior Director, Disaster Readiness Program, Blue Cross Blue Shield (BCBS) of Massachusetts.
Q3 Responses: Number of employees
Number of employees  Replies  Approximate percentage
Less than 25  63  7.2%
25 to 99  36  4.1%
100 to 499  94  10.7%
500 to 999  66  7.5%
1,000 to 4,999  185  21.1%
5,000 to 9,999  127  14.5%
10,000 to 19,999  86  9.9%
20,000 or more  219  25.0%
The organizational profiles spanned:
– Organizations with less than 1,000 employees (approximately 30%)
– Organizations with 1,000–4,999 employees (approximately 21%)
– Organizations with 5,000–9,999 employees (approximately 14%)
– Organizations with 10,000–19,999 employees (approximately 10%)
– Organizations with 20,000 or more employees (approximately 25%)
Q4 Responses: Best describes organization, type of entity or enterprise
Public company (40.0%)
Privately held company (39.2%)
Government agency or authority (9.5%)
Education (2.2%)
Not-for-profit organization (9.2%)
“The report is interesting in that it seems to show that businesses are adopting business continuity as an internal requirement in greater numbers than in the past. The trend looks positive, although there are still a few notable gaps such as the degree to which organizations are reaching out to include their public sector counterparts in aspects of their contingency planning,” said John Copenhaver, Senior Advisor to the BCI Board.
“It is interesting the relatively large base of companies that are privately held. Classical wisdom has been that private companies pay less attention to BCM and risk management in general. But these results suggest that there may be an increasing focus on these by privately held companies. I hope these point to a positive trend,” said Douglas Weldon, President, BCI – USA Chapter.
Q5 Responses: Geographical range of operations
– Global Multi-Site: approximately 45% of respondents have global multi-site operations
– National Multi-Site: approximately 24% of respondents have national multi-site operations throughout the country of the organization’s operations
– Regional Multi-Site (1 Region or Country): approximately 21% of respondents have regional multi-site operations in one country
– Single Site: approximately 10% of organizations have a single site operation
Q7 Responses: Approximate annual revenues
Revenue ($ US)  Replies  Percentage
Under $10 million  89  10.2%
$10 to $50 million  57  6.5%
$50 to $100 million  34  3.9%
$100 to $500 million  69  7.9%
$500 to $1 billion  60  6.8%
$1 to $5 billion  130  14.8%
$5 to $10 billion  82  9.4%
Greater than $10 billion  145  16.6%
Do Not Know  132  15.1%
Approximately 9% of survey respondents indicated that this question was not applicable to their organization.
“I am rather surprised at the number of respondents that said they did not know what the company's revenues are—15%! Revenues are a key component to an understanding of "impact" in a BIA and risk assessment,” said Douglas Weldon, President, BCI – USA Chapter. “Perhaps this is an indication of the relatively large number of privately held companies reporting in the survey, but BCM people need to know revenues and other key financials whether the company is public or private!”
Q36 Responses: Experienced an incident or interruption in the past year that caused your organization to activate any documented business continuity, crisis management and/or disaster recovery plan(s)
Severe weather (Hurricanes, Tornadoes, Severe Winter, etc.) (50.4%)
Power (46.9%)
Flood (31%)
IT Related (Telecommunications – voice, data, converged network) (31.0%)
IT Related (Change Management, Data Corruption, DOS, Virus, Security) (30.7%)
IT Related (Hardware/Software in Production) (30.5%)
Earthquake (28.1%)
IT Related (Upgrade/Scheduled Outage) (26.2%)
Fire (19.4%)
Civil unrest (16.7%)
Supplier issues or high profile neighbor (12.9%)
Theft (9.0%)
Other (7.9%)
Terrorist attack (4.9%)
Q36 Responses: Experienced an incident or interruption in the past year that caused activation of plan(s)
[Bar chart of reply counts per incident type. Values shown: 326, 216, 215, 213, 212, 182, 134, 116, 90, 62, 54, 41, 34; the category labels are not recoverable from the extracted text.]
Observations – Incidents and Interruptions
Lyndon Byrd, Technical Development Director and Board Member, The Business Continuity Institute (BCI) said, “The reasons for interruptions fit well with similar BCI surveys; severe weather, floods, power outages and IT related issues always score highly and of course earthquakes have become a key issue of late with both Japan and Christchurch NZ happening in 2010. We have also found increasing concern about cyber attacks (particularly in government and financial services).”
Agenda
Overview
– Methodology
– Demographics
– Incidents
Governance
– Program Management
– Measuring Program Performance
– Resource Management (Headcount, Budget and Training)
Capabilities
– Program Elements, Current State, Plans and Gaps
– Benchmarking Study Reports
Q9 Responses: How long the BCM Program has been in place
Less than one year (5.8%)
1 year to 3 years (15.4%)
3 years to 5 years (19.9%)
5 years to 10 years (30.8%)
10 years to 20 years (17.8%)
More than 20 years (4.8%)
Do not know (5.5%)
Q10 Responses: Primary reasons for BCM Program establishment
Continuity of business operations (84.2%)
Reputation (39.7%)
Federal government regulations (33.5%)
Address Audit finding(s) (31.6%)
Customer request or requirement (22.0%)
Required by law (17.7%)
Unique competitive advantage (14.7%)
Other (5.8%)
“Almost 85% of the respondents stated that their business continuity program was primarily implemented for continuity of operations… which emphasizes the acknowledgement of corporate responsibility and ownership to institutionalize this continuity into business portfolios,” said Michele Guido, Business Assurance Principal, Southern Company.
“It is also noteworthy that the 2nd largest reason… is reputation, this is significant that companies are thinking this way,” said Doug Weldon, President, BCI – USA Chapter.
Q25 Responses: Best describes organization’s current program status
In the process of establishing a BCM Program, defining program governance, scope, objectives, budgeting, and format for plans (9.1%)
In the Assessment Phase (i.e., Risk Assessment, Business Impact Analysis, Strategy Selection) for the first time in the program’s life cycle (6.7%)
Developing BC Plans, Crisis Management Plans and Disaster Recovery Plans (18.5%)
Have a policy, senior management steering or advisory committee, plans in place, and have developed a process for updating plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests or real events (59.5%)
Other (6.2%)
“I wonder if business continuity management has not received the support that we anticipated or if our industry is moving at a very slow pace. I would have expected that the organizations that have plans in place would have been closer to 70 percent,” said Michael Jennings, Senior Director, Disaster Readiness Program, Blue Cross Blue Shield of Massachusetts.
Q11 Responses: The organization measures performance of the program
Yes (63.4%)
No (36.6%)
Q12 Responses: How the performance of the BCM Program is measured (select all that apply)
Plan exercises (85.0%)
Audit findings (62.4%)
BCM Program reviews (60.2%)
Technology recovery test results (57.5%)
Metrics program (including executive reporting) (54.7%)
Benchmarking/comparison to industry norms (37.0%)
Review performance capabilities vs. standards (29.9%)
Maturity modeling (29.1%)
Service level monitoring (20.9%)
Cost/Benefit Analysis (13.0%)
Other (1.8%)
Observations – Measuring Program Performance
Lee Glendon, Head of Research & Advocacy, BCI, said “Questions 11 and 12 ask about measuring performance of the BCM program. 37% say they don’t measure the performance of their program. Of those who do measure, only 13% measure performance in some kind of cost/benefit analysis. Most of the performance metrics are self-referencing and not related to the business. If we want to raise the profile of BCM and get executive-level buy-in then we need to measure the value contribution of BCM programmes not just programme performance.”
Q13 Responses: Top standards used to support the BCM Program (All that apply – All responses with greater than 5% response rate)
USA – NFPA 1600 (45.6%)
UK – BS25999-2: 2007 Specification for BCM (27%)
UK – BS25999-1: 2006 Code of Practice for BCM (26.1%)
International – ISO/IEC 27001:2005 (11.9%)
USA – ASIS BCM.01-2010 (11.2%)
International – COBIT 4.1 (11%)
USA – NIST SP 800 – 34 (10.6%)
Information Technology Infrastructure Library (ITIL) v.3 (10.2%)
USA – ASIS SPC.1-2009 (7.2%)
USA – NFPA 232 (7.2%)
International – ISO 9000 Series (8.7%)
International – ISO/IEC 27002: 2005 (7.9%)
International – ISO 31000: 2009 (7.7%)
Q13 Responses: Top standards used to support the BCM Program (All that apply – US HQ responses with greater than 5% response rate)
USA – NFPA 1600 (59.3%)
UK – BS25999-2: 2007 Specification for BCM (20.9%)
UK – BS25999-1: 2006 Code of Practice for BCM (19.3%)
USA – ASIS BCM.01-2010 (14.4%)
International – COBIT 4.1 (7.8%)
USA – NIST SP 800 – 34 (14.2%)
Information Technology Infrastructure Library (ITIL) v.3 (8.0%)
USA – ASIS SPC.1-2009 (9.6%)
USA – NFPA 232 (10.0%)
International – ISO 9000 Series (7.3%)
International – ISO/IEC 27002: 2005 (7.9%)
International – ISO 31000: 2009 (6.4%)
Q37 Responses: For the most recent interruption that required you to activate one or more business continuity plans, how well recovery time objectives were met
Completely (30.7%)
Mostly (28.3%)
Somewhat (11.8%)
Not at all (2.6%)
Not applicable (20.3%)
Do not know (6.3%)
Q34 Responses: Estimated cost (both outlays and internal costs) of business disruptions in the past 12 months
Cost ($ US)  Replies  Percentage
Less than $25,000 152 21.7%
$25,000 to $50,000 36 5.1%
$50,000 to $100,000 34 4.9%
$100,000 to $250,000 49 7.0%
$250,000 to $500,000 33 4.7%
$500,000 to $1 million 34 4.9%
$1 million to $5 million 15 2.1%
More than $5 million 18 2.6%
Approximately 47% of the respondents that answered the question responded they did not know the estimated costs.
Q35 Responses: Estimated cost of the total financial impact of a major disruption or outage that lasts 5 business days
Cost ($ US)  Replies  Percentage
Less than $25,000 36 5.1%
$25,000 to $50,000 23 3.3%
$50,000 to $100,000 20 2.9%
$100,000 to $250,000 34 4.9%
$250,000 to $500,000 51 7.3%
$500,000 to $1 million 61 8.7%
$1 million to $5 million 85 12.1%
More than $5 million 123 17.5%
Approximately 38% of the respondents that answered the question responded they did not know the estimated costs.
Observations – Estimated Costs of Disruptions
According to Lee Glendon, Head of Research & Advocacy, BCI, “I think this theme that BCMers need to get closer to the business of their employers becomes more evident in the responses to Questions 34 and 35. 47% couldn’t estimate the cost of business disruptions over the past 12 months and when asked what would be the financial impact of a 5 day outage/disruption only 18% felt it would be more than US$5M – 38% wouldn’t hazard a guess.”
“I am quite surprised that nearly half (47.1%) of respondents do not know the costs of business disruptions. This information is a must for a BCM Program to track,” said Doug Weldon, President, BCI – USA Chapter.
“It is curious that based on the self-identified experience and program maturity of the respondents, more than 47% do not know the cost impact of disruptions within their organizations. This is a basic element of conducting a BIA. In addition, most if not all of the respondents noted that their organization experienced an interruption that caused BCM activation,” said Tim Mathews, Director, Enterprise Resiliency, Educational Testing Services.
Q15 Responses: Senior Management Advisory or Steering Committee that provides input and assistance
Yes (65.3%)
No (21.7%)
Committee Under Development (10.1%)
Do Not Know (2.9%)
Q16 Responses: Designated program coordinator authorized to administer and keep the BCM Program current
Full Time (65.3%)
Part Time (22.5%)
No (12.2%)
“More than 50% of respondents identified themselves as ‘BC Managers or BC Leaders’ with more than 5 years experience, yet more than 22% note a ‘part time’ lead on their program. Given 10+ years since 9/11, I would expect more dedicated resources to BC,” said Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service.
Q17 Responses: Job title of the program leader for the BCM Program
BCM Program Director or Manager (35.4%)
CEO/President (1.9%)
BCM Program VP (11.1%)
Specific Department Manager/Director (8.1%)
Risk Management Director or Manager (7.8%)
Chief Operating Officer (1.9%)
Vice President, IT (1.5%)
Chief Information Officer (1.5%)
Chief Security Officer, VP or Director (3.7%)
Director or Manager of IT (3.4%)
Risk Management VP (2.9%)
Chief Risk Officer (1.3%)
Chief Financial Officer (1.2%)
Other (Approximately 18.3%)
Q18 Responses: Job Title of the BCM Program executive sponsor
Other Corporate/Executive Management (17.5%)
CEO/President (16.6%)
Chief Information Officer (13.6%)
Specific Department Manager/Director/VP (non-C Level) (12.9%)
Chief Operating Officer (12.0%)
Chief Risk Officer (9.4%)
Chief Financial Officer (8.4%)
Vice President, IT (5.1%)
Chief Continuity Officer (1.8%)
Emergency Management (2.7%)
Q19 Responses: C-Level executive with ultimate reporting responsibility
CEO (18.7%)
Chief Operating Officer (11.8%)
Other C – Level Executive (Approximately 11.7%)
Chief Financial Officer (11.5%)
Chief Information Officer (10.9%)
Chief Risk Officer (10.7%)
Chief Technology Officer (5.5%)
Chief Security Officer (3.9%)
General Counsel (3.7%)
Chief Information Security Officer (3.3%)
Chief Administrative Officer (3.3%)
President (2.8%)
Chief Compliance Officer (2.2%)
Observations – BCM Program Leadership and Governance
Lyndon Byrd, Technical Development Director and Board Member, BCI, said, “There were many different job titles, some that seemed to indicate a very senior position as head of BCM, some very junior. Again the lack of common understanding about the role of BCM Manager/Director/VP (or even the need for it) was disturbing. Asked who was the person with the ultimate responsibility for BCM, the highest score was CEO followed by COO and CRO – but CTO and CIO somewhat lower. This reflects what we think should be the case, but I wonder if that is actually the view of the C-Suite if asked the same questions about BCM (without pre-defining its scale/scope) for them.”
According to Michael Janko, Manager, Global Business Continuity, Goodyear, “It appears that the Business Continuity function is getting better defined, is reporting at a higher level and functional substantiation is based on value to the business. This is significant since trends will come and go, but if you show business value, management support will be there.”
“It is positive that 2/3 of the programs have full time coordinators with senior advisory committees in support, but less positive that the typical title of the coordinator is Director or Manager,” said Doug Weldon, President, BCI – USA Chapter.
Q23 Responses: How funds are allocated for BCM Program initiatives
On a case-by-case basis, on individual project needs (28.4%)
Do not know (23.0%)
As an individual line item in each functional budget (13.2%)
As a percent of the Information Technology budget (10.6%)
As a percent of the risk management budget (7.8%)
Other, please describe how funds are allocated (6.8%)
As a percent of individual functional budget (6.0%)
On a hybrid chargeback basis with base fee and usage charges (4.2%)
Q20 Responses: Estimated number of Full Time Equivalent (FTE) headcount dedicated to the program in the PMO (including contractors)
684 Replies
FTE headcount  Replies  Percentage of replies
0 to 2  444  64.9%
3 to 5  127  18.6%
6 to 9  53  7.7%
10 to 20  38  5.6%
More than 20  22  3.2%
Q20 Responses: Estimated number of FTE headcount dedicated to the program in business units and business functions (including contractors)
596 Replies
FTE headcount  Replies  Percentage of replies
0 to 2  338  56.7%
3 to 5  77  12.9%
6 to 9  42  7.0%
10 to 20  50  8.4%
More than 20  89  14.9%
Observations – Resource Management
Lyndon Byrd, Technical Development Director and Board Director, BCI, said, “By a large margin the highest number of FTE in BCM was in the 0-2 range. Not very impressive, and probably therefore not seen as a great career building opportunity by young ambitious people who want to excel in core business. The value, importance and responsibility of BCM people are not being reflected in its status.”
“While not much is surprising in this report, one thing I find somewhat curious is that the numbers and magnitudes of the disasters that occurred in 2011 did not seem to cause any kind of discernible ‘ripple’ in the responses,” said John Copenhaver, Senior Advisor to the BCI Board.
Q20 Responses: Estimated number of FTE headcount dedicated to the program for IT Disaster Recovery (including contractors)
645 Replies
FTE headcount  Replies  Percentage of replies
0 to 2  352  54.6%
3 to 5  129  20%
6 to 9  58  9%
10 to 20  46  7.1%
More than 20  60  9.3%
Q21 Responses: Estimated annual BCM Program budget for staff for the corporate Program Management Office (including contractors)
460 Replies
– Approximately 65.1% have a BCM Program budget of less than $250k for the corporate program office
– Approximately 16.8% have a budget of between $250k and $500k for the corporate program office
– Approximately 10.1% have a budget of between $500k and $1M for the corporate program office
– Approximately 6.2% have a budget of between $1M and $5M for the corporate program office
– Approximately 0.6% have a budget of between $5M and $10M for the corporate program office
– Approximately 1.3% have a budget greater than $10M for the corporate program office
[Bar chart residue: per-bucket reply counts for the corporate program office could not be recovered reliably from the extracted text.]
Q21 Responses: Estimated annual BCM Program budget for staff for the business units and business functions (including contractors)
460 Replies
Budget ($ US)  Replies  Percentage of replies
Less than $250K  345  75%
$250K to $500K  54  11.7%
$500K to $1M  30  6.5%
$1M to $5M  21  4.6%
$5M to $10M  5  1.1%
$10M to $50M  3
More than $50M  2
Approximately 1.1% have a budget of greater than $10M for business units and functions.
Q21 Responses: Estimated annual BCM Program budget for staff for IT Disaster Recovery (including contractors)
502 Replies
Budget ($ US)  Replies  Percentage of replies
Less than $250K  266  53.0%
$250K to $500K  80  15.9%
$500K to $1M  68  13.5%
$1M to $5M  62  12.4%
$5M to $10M  15  3.0%
$10M to $50M  8
More than $50M  3
Approximately 2.2% have a budget of greater than $10M for IT DR.
Q22 Responses: Estimated budget for training and awareness programs (include internal and external training, registration fees, travel and living expenses for conference attendance, etc.)
Approximately 90% have a budget of less than $250k
Approximately 6% have a budget of between $250k and $500k
Approximately 3% have a budget of between $500k and $1M
Approximately 2% have a budget of greater than $1M
Q49 Responses: Organization’s employees received sufficient BCM, Disaster Recovery and Crisis Management/Emergency Management training in the past year
Yes (53.3%)
No (46.7%)
Q50 Responses: Organization’s investment in Disaster/Emergency Management and BCM related training in comparison to last year
Spent approximately the same in 2011 as in 2010 (Approximately 64.7%)
Spent significantly more in 2011 than 2010 (Approximately 18.0%)
Spent less in 2011 than 2010 (Approximately 17.3%)
Q51 Responses: Types of ongoing BCM Program training
Attend industry conferences (66.4%)
Internal company training (65.0%)
Attend Association meetings (63.6%)
Pursue professional certification courses (43.5%)
Training by third party companies (28.6%)
Attend continuing education courses at colleges/universities (22.3%)
Other (6.1%)
Graduate degree program (5.8%)
Undergraduate degree program (4.1%)
Q22 Responses: Estimated annual budget for third party consultants (includes program assessments, improving capabilities, etc.)
Approximately 86% have a budget of less than $250k
Approximately 8% have a budget of between $250k and $500k
Approximately 4% have a budget of between $500k and $1M
Approximately 2% have a budget of greater than $1M
Q22 Responses: Estimated annual budget for BCM software and hardware (including plan repository and emergency notification solutions)
Approximately 83% have a budget of less than $250k
Approximately 10% have a budget of between $250k and $500k
Approximately 4% have a budget of between $500k and $1M
Approximately 3% have a budget of greater than $1M
Q24 Responses: BCM related software packages implemented or plan to implement in next year
Emergency notification (46.7%)
Business Continuity Management (46.0%)
Microsoft ™ Office Tools (45.5%)
Business Impact Analysis (22.8%)
Risk Assessment (13.4%)
Other (14.1%)
Change Management (12.3%)
Governance, Risk and Compliance (11.5%)
Q22 Responses: Estimated annual budget for Work Area Recovery (including recovery site costs, third party service providers, etc.)
Approximately 76% have a budget of less than $250k
Approximately 12% have a budget of between $250k and $500k
Approximately 7% have a budget of between $500k and $1M
Approximately 5% have a budget of greater than $1M
Q22 Responses: Estimated annual budget for IT Disaster Recovery (including hardware, software, recovery capabilities, etc.)
Approximately 47% have a budget of less than $250k
Approximately 19% have a budget of between $250k and $500k
Approximately 13% have a budget of between $500k and $1M
Approximately 14% have a budget of between $1M and $5M
Approximately 7% have a budget of more than $5M
Q41 Responses: Percentage of organization’s IT budget that is spent on IT Disaster Recovery (e.g., hardware, software, recovery capabilities, etc.)
Less than 1% of the IT Budget (13.5%)
Between 1% and 2% of the IT budget (13.0%)
Greater than 2% and less than 4% of the IT budget (10.3%)
Greater than 5% and less than 10% of the IT budget (8.3%)
More than 10% of the IT budget (4.4%)
Do not know (50.5%)
Q22 Responses: Estimated annual budget for BCM Program exercises (include planning exercises, conducting exercises, debrief, third party participation, travel and living, etc.)
Approximately 85% have a budget of less than $250k
Approximately 9% have a budget of between $250k and $500k
Approximately 3% have a budget of between $500k and $1M
Approximately 3% have a budget of greater than $1M
Observations – BCM Program Funding
Lyndon Byrd, Technical Development Director and Board Member, BCI, said, “Again budgets are very low, around 65% or more usually fall in the lowest budget category provided in the survey. At this level of spending, BCM is not really addressing the level of corporate strategic impact needed.”
Agenda
Overview
  Methodology
  Demographics
  Incidents
Governance
  Program Management
  Measuring Program Performance
  Resource Management (Headcount, Budget and Training)
Capabilities
  Program Elements, Current State, Plans and Gaps
  Benchmarking Study Reports
Q31 Responses: How well integrated is the BCM Program with…
Program                                      Extremely  Very Much  Somewhat  Not At All  Not Applicable
The Corporate Strategic Planning Program?    10.8%      22.9%      37.4%     22.9%       ~6.0%
The Enterprise Risk Management Program?      16.9%      35.0%      32.3%     9.9%        5.9%
The Strategic Sourcing/Procurement Program?  8.5%       23.7%      40.8%     20.1%       6.9%
Observations – Strategic Alignment
Lee Glendon, Head of Research & Advocacy, BCI, said “The other interesting finding (for me) was Question 31 – how well integrated is your BCM program with other corporate activities – Strategic planning stood out with 23% saying not integrated at all and likewise strategic sourcing/procurement, with over 20% stating it was not integrated at all (as opposed to “not applicable”). These are key areas for BCM going forward.”
“Given such interdependent economies and supply chains, it is interesting that more than 20% are “not at all” integrated with their strategic sourcing function. Also, knowing the strategic implications of recovery and response to an interruption, more than 23% are “not at all” integrated with strategic planning,” said Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service.
Q33 Responses. Frequency of conducting a Business Impact Analysis
Annually (36.8%)
In response to business changes (19.5%)
Every two years (15.7%)
Other (9.0%)
Never (8.3%)
Every three years (7.3%)
Semi-annually (3.4%)
Q32 Responses. Frequency of conducting Risk Assessments
Annually (44.9%)
In response to business changes (18.4%)
Semi-annually (8.8%)
Every two years (8.6%)
Other (7.6%)
Never (6%)
Every three years (5.7%)
Q14 Responses. Organization has incorporated capabilities to utilize social media in current BCPs, crisis management and/or IT DR plans
Yes, included in current plans (20.6%)
No, not included in current plans (57.1%)
Plans are currently in development (22.3%)
Observations – Social Media
Michael Jennings, BCBS Massachusetts, said “Social media is rapidly becoming main stream in business today. I think that the strategic use of social media in business continuity and disaster recovery is a great benefit. I would caution that before you integrate social media with your program that you take time to develop a social media policy that clearly defines the parameters of its use.”
“Social media... all corporations, communities, and individuals at some level use it for communication but it is not yet included in continuity plans. During a crisis, “we” clamor for information….need to evaluate as an industry and begin best practice discussion to incorporate,” said Michelle Guido, Business Assurance Principal, Southern Company.
“It is still difficult to quickly implement social media and other trending programs. Based on the size and complexity of most respondents, it takes a while to make change in communications policies and procedures. This is one question where responses will likely change the next time a survey is completed. Social media continues to evolve with or without formal buy in, so this remains a major activity for all to focus on,” said Michael Janko, Manager, Global Business Continuity, Goodyear.
Additional Observations – Social Media (continued)
Scott Hall, Vice President, Global Disaster Recovery & Business Continuity, Equifax said, “Social media is making one of the largest impacts on our media outlets today. News and information travel faster than ever before, and it is absolutely vital to be "plugged in" to this outlet in order to be proactive in response and management of information. An organization's reputation can be ruined in minutes if not handled appropriately. That's why it is essential to have social media plans incorporated as part of an overall crisis management response through crisis communications capabilities.”
Q28 Responses. Require mission critical service providers to provide evidence that they have a viable BCM Program
Yes (65.7%)
No (34.3%)
Q31 Responses. How well integrated is the BCM Program with…
Program                           Extremely  Very Much  Somewhat  Not At All  Not Applicable
IT Management?                    28.0%      45.5%      20.8%     3.5%        ~2.2%
Information Security Management?  24.1%      37.5%      28.5%     7.8%        2.1%
Corporate Security Management?    22.2%      35.4%      30.6%     8.1%        3.7%
Q43 Responses. Elements of current IT recovery strategy undergoing change (select all that apply)
Internal hardware and software solution (42.5%)
Combination/Hybrid of internal and external solutions (36.4%)
External hardware and software solution (22.9%)
Move certain capabilities to a private cloud solution (19.9%)
Other (10%)
Move certain capabilities to a public cloud solution (8.2%)
Q45 Responses. Percentage of organization’s application data currently stored in the cloud
Do not know (39.7%)
None (38.1%)
Less than 10% (12.7%)
Between 10%–24% (3.8%)
Between 25%–49% (2.6%)
Between 50%–75% (1.2%)
Greater than 75% (1.3%)
All (0.6%)
Michael Jennings, Senior Director, Disaster Readiness Program, BCBS of Massachusetts said, “39.5 percent of respondents stated that they “did not know” what percentage of their organization’s application data is currently stored in the cloud. This is a scary statistic as far as I am concerned. It should be well known what is stored in the cloud, after all there has to be a recovery strategy associated with that…correct?”
Q47 Responses: Frequency of conducting full scenario testing of IT Disaster Recovery Plan(s)
Annually (38.3%)
Never (23.1%)
Do not know (13.0%)
Semi-annually (9.6%)
In response to business changes (5.4%)
Every two years (5.4%)
Other (~4.0%)
Every three years (1.2%)
Q48 Responses: The following are utilized by the organization and have an IT DR Plan associated with the capability
Capability           Utilize and have an IT Disaster Recovery Plan  Utilize and do not have an IT Disaster Recovery Plan  Do Not Utilize
Cloud Applications   28.2%                                          14.4%                                                 57.4%
Mobile Applications  41.6%                                          23.6%                                                 34.8%
Social Media         17.8%                                          24.64%                                                57.6%
Q44 Responses: Cyber terrorism is included in current business continuity, crisis management and/or DR plans
Yes, included in current plans (41.3%)
No, not included in current plans (37.8%)
No, but plans are in development (~ 20.9%)
Lyndon Byrd, Technical Development Director and Board Member, BCI said “Your survey indicated that cyber terrorism was included in 41% of plans – it would be interesting to know exactly how they do that (is it security to prevent or crisis management to respond/mitigate). It is odd that 40% do not know what data is held in the cloud, whilst 41% claim they have Cyber DR/BCP. I suspect some wishful thinking.”
Q31 Responses: How well integrated is the BCM Program with…
Program                              Extremely  Very Much  Somewhat  Not At All  Not Applicable
Employee Health and Safety Program?  18.3%      36.4%      32.4%     8.6%        ~4.3%
Facilities/Real Estate Management?   16.4%      36.3%      32.4%     10.8%       4.1%
The Crisis Management Program?       30.6%      37.0%      23.9%     5.2%        3.3%
Q38 Responses: Most recent business continuity planning exercise was conducted
Within the last 6 months (60.7%)
Within the past year (23.2%)
Do not exercise plans (10.5%)
Within the past 2 years (5.6%)
Q31 Responses: How well integrated is the BCM Program with…
Program  Extremely  Very Much  Somewhat  Not At All  Not Applicable
Management of Insurance Coverage?  13.2%  26.9%  35.1%  15.9%  8.9%
Third-party Service Providers (Utilities, Telecommunications, IT Service Providers or Business Process Service Providers)?  7.5%  24.6%  47.6%  15.7%  ~4.6%
Public Authorities (Police, Fire, Emergency Medical Services, Local Emergency Management Agencies, etc.)?  11.2%  25.6%  38.1%  18.8%  ~6.3%
Approximately 66% of respondents indicated that their organization requires their mission critical 3rd party service providers to provide evidence that they have a viable BCM Program. (Q28 responses)
Q27 Responses: Your organization maintains and fosters relationships with external government agencies
Agree (45.4%)
Neutral (25.6%)
Strongly agree (14.0%)
Disagree (8.2%)
Strongly disagree (6.8%)
Q40 Responses: External companies or agencies involved with your most recent BCM Program exercise (select all that apply)
None or not applicable (53.5%)
Third party service providers (33.3%)
Public sector agencies (17.7%)
Supply chain partners (10.2%)
Requests for Custom Benchmarking Reports
If you would like to benchmark your organization by leveraging the 2011–2012 Continuity Insights and KPMG LLP Global BCM Program Benchmarking Study report or custom reports, please provide Robbie Atabaigi, Bob Nakao or Marty Plevel the following information:
– Your name
– Your organization
– Your title
– Your e-mail address
– The complete study and/or custom report(s) you would like to receive (industry, type of entity, country of HQ operation, or annual revenue)
You will be provided the custom report(s), if available, generally within 5 business days of the receipt of your request.
Available custom reports based on type of entity, revenue, number of employees and various industries:
– Annual revenue
– Number of employees
– Entity type (public companies, private companies, government agencies or authorities, and not for profits)
– Industries (computers/IT/telecommunications, education, financial services, government, healthcare, manufacturing, professional services, retail and utilities)
Summary
Thank you for your participation in today’s session.
The quotes in this presentation were provided to Continuity Insights by business continuity practitioners for this presentation, the companion report and an article published by Continuity Insights.
Reprints of the article are available at www.continuityinsights.com.
Complete study results and custom reports that have been published are available upon request.
For more information, contact Robbie Atabaigi at [email protected], Marty Plevel at [email protected] or Bob Nakao at [email protected].