Crisis Communication and Risk Management in Business Continuity Preparedness
- Published on December 28, 2009
- Written by STEPHANIE BALAOURAS
Forrester Research and the Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC) and disaster recovery (DR) in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations for the industry. This is the third annual joint survey. This particular study focused on the role of crisis communication in business continuity and the relationship of business continuity to risk management.
- How much is crisis communication valued in BC preparedness? How do companies handle crisis communication?
- How frequently do crisis management and BC management teams meet to develop and document crisis communication strategies? Are these strategies part of standalone plans or subsets of BC plans? How frequently are plans tested?
- What modes of communication do companies rely on? Do they have backup plans in the event of telecommunication failure?
- Do companies automate communication or rely on manual procedures? Do companies set up a crisis management center?
- Is there adequate training and awareness for crisis communication? How effective were crisis communication plans in recent invocations?
- How do organizations typically structure their risk management functions? How does BC management interact and work with risk management programs? How do companies prioritize investments in BC?
The Importance Of Crisis Communication In BC Planning Is Not Universally Recognized
According to our 2009 study, approximately 54 percent of companies indicated that crisis communication was very or extremely important in BC planning while approximately 45 percent of companies indicated its importance was moderate, low or not at all important (see Figure 1). While the majority of companies do recognize the importance of crisis communication, it’s surprising that such a large percentage of companies do not. This is partially explained by the fact that many people view crisis communication as a strategy for protecting corporate reputation carried out by public relations and legal – not as a strategy for rapid decision-making amongst executives and decision-makers and the rapid mobilization of response teams.
There Is No Prevailing Approach To Crisis Communication
The fact that there is no prevailing approach in how companies handle crisis communication in BC planning is another indication that companies have wildly different views of its importance and role (see Figure 2-1). In this survey, we found that:
- Approximately 42 percent of companies have an independent crisis communication team that works closely with BC management teams. Crisis communication may be relevant to several different aspects of risk management, and many companies recognize the importance of its coordination with BC planning. Not surprisingly, only 18 percent of these companies say that the crisis communication team meets with the BC planning team whenever the BC planning team meets. Almost 42 percent of these companies say that they meet at least four times a year with the BC planning team, which shows a strong commitment to cooperation (see Figure 2-2).
- Approximately 14 percent of companies have an independent crisis communication team with no direct link to BC management teams. Crisis communication at these companies may work with various functions related to risk management, but they are less likely to have a tight coordination with BC planning teams. There is probably some high-level guidance provided, but for the most part BC planning teams handle communication on their own. Not surprisingly, these communication teams meet far less frequently with the BC planning team, typically only once or twice a year.
- Approximately 32 percent of companies rely on the BCM team to do its best to address crisis communication. At these companies, crisis communication is not viewed as its own discipline. If such a function exists at these companies, it may be part of other aspects of risk management or public relations, which means the BC planning team is likely on its own.
- Almost 13 percent of companies do not have any kind of crisis communication strategy. These companies have no formal approach to crisis communication and likely handle communication haphazardly as incidents, crises, business continuity threats, or other risk events occur.
A slight majority of companies prefer to embed a crisis communication strategy within their business continuity plans (BCPs) rather than have specific communication plans that complement each BCP (see Figure 2-3).
BC Managers Often Take A Leadership Role In Crisis Communication
Even if you have a dedicated crisis communication team, it’s very likely that a senior BC manager is as involved as even the head of public relations and communications (see Figure 3-1). The most senior business executives (Chairman, CEO, COO, CFO) are the least involved. According to our study:
- Senior executives of BC planning and PR are most likely to lead crisis communication. If these individuals are not the team lead, they will still play a major role on the team. The significant involvement of these two roles represents the complexity of crisis communication. BC managers are likely to understand the wide range of risks that the organization must prepare for as well as what it takes to mobilize a response for business disruptions, while PR professionals understand both the need and methods to communicate both internally and externally (see Figure 3-2).
- CIOs and CISO/CSOs also play a major role in crisis communication. While these roles are not as likely to lead the crisis communication team, they both are likely to play a major role. In many companies, the CIO or the CISO/CSO is the senior-most executive ultimately responsible for BC preparedness. In addition, the CIO is often tasked with enabling reliable, mass communication during crisis by whatever mode necessary.
Companies Rely On Wireless Communication
Companies rely on multiple modes of crisis communication but wireless phones, email and landline phones dominate (see Figure 4-1). In addition, approximately 67 percent of companies will use a web site to facilitate communication. Our survey also found that:
- Approximately 76 percent of companies also have plans to account for telecom loss. Email, landlines and websites are effective modes of communication when telecommunication is available. However, when a major catastrophe such as a hurricane knocks out local telecommunication for several days, companies will need another mode of communication (see Figure 4-2).
- Approximately 66 percent of companies will leverage SMS text in the event of telecom loss. If local telecom is unavailable, many companies will turn to wireless technologies such as mobile phones, two-way radios and satellite communication (see Figure 4-3). In recent disasters, mobile networks are often overwhelmed, making voice calls impossible; however, these networks are often able to transmit text messages because they require significantly less bandwidth.
Training And Awareness Are No Longer Optional
In last year’s “State Of Business Continuity” survey, when we asked companies that had invoked a BCP in the past five years to identify and rank the top lessons learned from their invocations, lack of training and awareness came in at number one. It goes without saying that any response plan requires not only frequent testing but training and awareness across the company. In this year’s study, we found that 62 percent of companies with crisis communication plans have training and awareness programs in place and another 30 percent plan to implement training in the next 12 months (see Figure 5).
BCP Invocations And Crisis Communication
Companies often believe that BCP invocations are rare occurrences, but according to our survey, more than 52 percent of the companies with crisis communication plans have invoked a BCP in the last five years (see Figure 6-1). There are a number of reasons for this. First, as prior surveys have identified, the most common causes of BCP and DRP invocations are commonplace events such as severe weather, power failures and IT failures. Second, companies with documented, up-to-date, and well-tested BCPs and DRPs likely feel more confident about invoking them.
Of the companies that have invoked, only 20 percent feel that their crisis communication was very effective (see Figure 6-2). The vast majority of companies, 72 percent, feel that their crisis communication was somewhat effective to effective.
Companies Are Reducing Risk Management Silos
Historically companies have approached risk management disciplines such as operational risk management, business continuity, disaster recovery, and information security as separate silos. In reality these risk management disciplines are closely related and not easily handled separately without creating gaps in preventative measures and responses. Understanding this, organizations are starting to show signs of more coordinated risk management programs. In this survey we found that:
- Only 20 percent of companies have separate risk management silos not connected by a single program. The majority of respondents report that their organization has either a chief risk officer (CRO) role with responsibility for risk disciplines across the entire enterprise or at least a head of risk management overseeing a number of key disciplines (see Figure 7-1).
- Approximately 64 percent of BC management programs have a relationship with enterprise risk management. Of these, almost 16 percent of BCM programs report directly to risk management and approximately 9 percent have a dotted line relationship. Another 38 percent report working closely with risk management to share information and efforts (see Figure 7-2).
Companies Are Taking A Risk-Based Approach To Prioritizing BC Risks
When it comes to justifying investments in BC, ideally, companies should work with business owners and risk managers to understand which risks expose the organization to the greatest potential losses. One basic formula companies use is Impact (e.g., $1,000) x likelihood (e.g., 1-in-10 or 10%) = expected loss (e.g., loss expectancy is $100). In this survey, we found that:
- Almost 65 percent of BCM teams work with the business to determine the impact of risks. Some BCM teams attempt to quantify the impact and probability of risks on their own (34 percent according to this study). This is certainly not the most effective approach, but it is typical of companies where it’s difficult to foster business involvement (see Figure 8-1).
- Almost 57 percent of BCM teams prioritize efforts based on the level of risk. Knowing that it is impossible to address every business continuity risk, the majority of respondents said they prioritize their planning and mitigation efforts to address the most significant risks first. Fewer organizations prioritize efforts based on a cost/benefit analysis (34 percent) or the ability to leverage existing projects and investments (19 percent), which are also reasonable strategies. Surprisingly, almost 23 percent of companies still do not have a formal method for prioritizing efforts (see Figure 8-2).
In the Fall of 2009, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online survey of 345 DRJ members. In this survey:
- All respondents indicated that they were decision-makers or influencers in regard to planning and purchasing technology and services related to business continuity.
- Respondents were from a range of company sizes: 36.5 percent had 1 to 999 employees; 18.8 percent had 1,000 to 4,999 employees; 18.8 percent had 5,000 to 19,999 employees; and 25.8 percent had 20,000 or more employees.
- Respondents were from companies with a range of revenues: 40.8 percent of respondents were from companies with revenues of less than $500 million; 13.9 percent were from companies with revenues of $500 million to $999 million; 20 percent were from companies with revenues of $1 billion to $4.99 billion; 7.8 percent were from companies with revenues of $5 billion to $10 billion; and 17.4 percent were from companies with revenues of more than $10 billion.
- Respondents were from a variety of industries.
- Respondents were primarily from North America but there was representation from Europe, the Middle East, Africa and Asia. Many companies had business operations in multiple regions: 90.4 percent of respondents had locations in North America; 33.5 percent had locations in Europe, Middle East, or Africa; 24.1 percent had locations in Asia; and 15.7 percent had locations in South America.
This survey used a self-selected group of respondents (DRJ members) and is therefore not random. These respondents are likely to be more sophisticated than peers who do not read and participate in business continuity and disaster recovery publications, online discussions, etc. They likely have above-average knowledge of best practices and technology in BC/DR. While nonrandom, the survey is still a valuable tool for understanding the characteristics of current BC programs and exploring relevant industry trends.
Stephanie Balaouras is a principal analyst for Forrester Research. Balaouras primarily contributes to Forrester’s offerings for security and risk professionals. She is a leading expert in how companies build resilient IT infrastructures to support key business initiatives. During her four years with Forrester, Balaouras has been instrumental in the development of Forrester’s research and offerings in business continuity, disaster recovery, and information storage and protection.