The State of Business Continuity Preparedness
- Published on January 6, 2009
- Written by STEPHANIE BALAOURAS
Companies Are Getting Better At Addressing The Human Side Of BC
Companies often go to extraordinary lengths to develop BC/DR strategies that address the failover of IT systems to alternate sites but often neglect or underestimate the human aspects. First, companies need a way of communicating effectively during an event from the start of the event to the return of normal operations. Second, in addition to the failover of IT systems, they need to develop strategies that address workforce continuity. Companies must develop strategies so that people can continue to have access to their applications, data, and communication (e-mail, messaging, voicemail, fax, etc.) in order to remain productive.
According to our survey, 68 percent of respondents include a workforce continuity component in their BCPs, and 20 percent of respondents plan to include one in the next year (see Figure 6-1).
In addition, Forrester found that 79 percent of respondents include emergency communication in their BCPs, and more than 14 percent plan to do so in the next year (see Figure 6-2). In this survey Forrester also found that:
- More companies are turning to remote access procedures for workforce continuity. Almost 86 percent of respondents indicated that they would provision employees with remote access procedures for workforce continuity (see Figure 6-1). In addition, more companies plan to take advantage of another internal site to provide physical seats for workforce continuity.
- By a slight margin, companies prefer to use commercial offerings for emergency communication. Almost 49 percent of respondents planned to use internal tools to facilitate emergency communication, while 51 percent of respondents plan to use either a hosted service (45 percent) and/or commercial software deployed onsite (6 percent) (see Figure 6-2).
More BCPs To Address IT Security Risks
During the risk assessment, when companies identify the list of potential threats to business operations, IT security threats are on the list, and more companies are deciding that the preventive measures to mitigate these risks are clearly IT in nature. However, should these threats occur, it requires a business as well as an IT response to them. A virus outbreak or a denial of service attack that debilitates the company’s mission-critical IT systems is as disruptive and costly to the business as if a natural disaster had taken out the data center. Forrester found in this survey that:
- Companies develop BCPs to address IT security threats. Sixty-seven percent of respondents indicated that they have BCPs that address IT security risks, and another 18 percent plan to develop BCPs for IT security risks in the next year (see Figure 7).
Invocations Are Frequent; Training Is Key To Successful Invocations
Invocations of BCPs are more frequent than companies would suspect. According to our survey, 50 percent of respondentshave invoked at least once during the past five years. The most common causes included extreme weather and natural disasters, followed closely by power outages, IT failures, telecommunication failures, and fire (see Figure 8-1).
There has always been a common misperception that BCPs are only invoked in the case of catastrophic natural disasters such as hurricanes and earthquakes. In reality, extreme but not catastrophic weather, such as winter storms, can debilitate a business if the data center is running but no one can get to work. In addition, many companies don’t realize the frequency of power outages and IT failures and the impact they can have on business operations.
When we asked companies what were the top three lessons they learned from their invocations, they learned that: 1)there hadn’t been enough training and awareness across the company; 2) plans didn’t adequately address internal communication and collaboration; and 3) plans didn’t adequately address workforce continuity (see Figure 8-2).
Companies Are Confident In Their BC Efforts, But There Is Still Room For Improvement
There has been progress in BC preparedness: Most companies have established BCM programs, perform BIAs and RAs, document plans, and take the human side of BC into consideration. But we still have a long way to go. Companies still don’t update and test plans frequently enough, and business owners don’t participate in every phase of the BCM life cycle. Another area of concern is that almost 54 percent of respondents to this survey have never validated or investigated the BC readiness of their strategic partners (see Figure 9-1).
Overall, companies feel confident in their plans. Almost 37 percent are “confident” and 22 percent are “very confident,” but almost 32 percent are somewhat confident and about 9 percent don’t feel confident at all (see Figure 9-2).
Everyone Wants To Know If You’re Ready Or Not
BC readiness is critical to your profitability and long-term longevity as a company, but it also affects the profitability and well-being of your employees, partners, and customers. Increasingly, you must provide proof of BC readiness not just internally but externally. More companies are increasing the frequency with which they report BC readiness efforts to senior executives, and more companies find that in the past 12 months external parties have demanded proof of their BC readiness (see Figure 10-1). More often than not it was a government or industry regulator that demanded the proof, but customers also frequently asked for proof (see Figure 10-2).
In October 2008, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online survey of 295 DRJ members. In this survey:
- All respondents indicated they were decision-makers or influencers in regard to planning and purchasing technology and services related to business continuity.
- Respondents were from a range of company sizes: 33 percent had 1 to 999 employees; 27 percent had 1,000 to 4,999 employees; 17 percent had 5,000 to 19,999 employees; and 21 percent had 20,000 or more employees.
- Respondents were from companies with a range of revenues: 44 percent of respondents were from companies with revenues of less than $500 million; 9 percent were from companies with revenues of $500 million to $999 million; 22 percent were from companies with revenues of $1 billion to $4.99 billion; 8 percent were from companies with revenues of $5 billion to $10 billion; and 17 percent were from companies with revenues of more than $10 billion.
- Respondents were from a variety of industries.
- Respondents were primarily from North America: 92 percent of respondents were from North America; 5 percent were from Europe, the Middle East, or Africa; 2 percent were from Asia; and 1 percent were from South America.
Stephanie Balaouras is a principal analyst for Forrester Research. Balaouras primarily contributes to Forrester’s offerings for security and risk professionals. She is a leading expert in how companies build resilient IT infrastructures to support key business initiatives. During her three years with Forrester, Balaouras has been instrumental in the development of Forrester’s research and offerings in business continuity, disaster recovery, and information storage and protection.