2005 BCM/DR Survey Results From Gartner, DRJ

By ROBERTA J. WITTY, CISSP

In October, 2005, Gartner conducted a survey on the topic of business continuity management (BCM) and disaster recovery (DR). Partnering with Disaster Recovery Journal, Gartner used additional sample resources. The survey was conducted for North America only, and it crossed a number of industries. In all, 222 qualified participants completed the survey. Each respondent had to have decision-making responsibility for business continuity or disaster recovery, and the size of the firm had to be 250 employees and above (see Figure 1).

Mission-Critical Business Functions
Surprisingly, there is little difference between survey participants responding to the question of what percentage of their business functions are considered mission-critical (see Figure 2).


The average is 58 percent, with slight differences between industries. As would be expected due to the nature of these businesses and the dependence on them for basic services, utilities and energy organizations report 69 percent and 63 percent, respectively. The services rating (at 64.5 percent) likely reflects the focus of these businesses being on people because without them the business does not exist. Local government reporting at 60 percent versus federal government reporting at 54.4 percent reflects the larger reliance on local government agencies by businesses and citizens for basic services rather than the federal government.

Recovery Time
Among the more important findings was an analysis of the recovery time objectives (RTOs) for mission-critical functions in various industries (see Figure 3).

Business Continuity Management
The large proportion (21.3 percent) of organizations reporting that the business continuity management (BCM) program reports to the CEO is surprising. However, the survey data bears out that this reporting structure is more common in SMBs (29.7 percent) than in organizations of other sizes – 22 percent with 1-5K employees and 12.5 percent with 5K or more employees.
It is not surprising that the same percentage of BCM programs report to the CIO. Gartner sees this reporting relationship to be a natural progression due to the focus of most organizations on disaster recovery – although this is not the best positioning. In addition, the survey data shows the exact opposite of the CEO reporting relationship with organizations with 1K or more employees having the majority of their BCM programs reporting to the CIO.
The third level (13.2 percent) reporting to the COO is in line with Gartner advice; although reporting to the CEO is politically advantageous, it is likely not as effective as reporting to the COO, a person who has a much better understanding of the business operations that keep the organization running on a daily basis (see Figure 4).


Action Item: Review and re-position your BCM program reporting relationship to ensure adequate attention and awareness of business resiliency by senior management.

BCM Methodology
The best case is to have the business continuity policy apply globally across all locations, lines of business and workforce with accommodations being made for local issues (such as staff size, locale-specific disaster scenarios and data center vs. sales office). Of all survey participants, 46 percent report that their BCM policy applies globally (see Figure 5).

Gartner research shows that an increasing number of regulatory audits are asking the question “Do you have a documented methodology for conducting your business continuity and disaster recovery program activities?” Consistency across all lines of business (LOBs) in conducting a business impact analysis (BIA), testing methodologies, reporting schedules and other aspects of BCM are all characteristics of an organization that takes BCM/DR seriously.

Disaster Scenario Planning
Gartner survey data shows that organizations are planning mainly for a single facility outage (90 percent) rather than a regional disaster (68 percent), which could have a much larger impact on long-term operations (see Figure 6). It is surprising that only 62 percent of organizations report that they plan for an IT outage, which more likely reflects a failure to link an IT outage to the BC plan than a lack of basic IT outage planning. Disconcerting is that only 50 percent of participants plan for a key service provider failure. With the growing use of third-party service providers to conduct mission-critical business functions, organizations that do not plan for this type of business outage can find themselves in a very tough position in the event that this scenario becomes a reality. Although there has been tremendous hype around the Avian flu, organizations do need to start planning for its impact – even if it means doing only a tabletop walk-thru with LOBs of its impact on business operations.

DR Budgets
The change in budget percentages for 2003 thru 2006 (projected) from 35 percent in 2003 at “Less than 1 percent” to 25 percent in 2006 at “More than 10 percent” reveals the growing importance of BCM/DR in all organizations (see Figure 7).

Figure 7.
Disaster Recovery Budget as a Percentage of Data Center Budget: 2003 to Projected 2006

The average percentage range for 2005 is 4-7 percent evenly split across all size organizations. Very large organizations (10,000 or more employees) show a smaller percentage of their DR budgets being more than 8 percent, likely due to the much larger size of their IT budgets in general; so the percentage for DR is proportionately smaller than in organizations under 10,000 employees.
For 2006, 25 percent of organizations of all sizes report that their DR budget will be “more than 10 percent” of their data center budget. Very large organizations report an increase in this category over 2005: 7.7 percent and 15.4 percent respectively, likely indicating an increased focus on DR due to regulatory pressures, e.g. Sarbanes-Oxley Act (SOX) and Gramm-Leach-Bliley (GLB) Act being the two regulations with the biggest impact on large organizations.
For 2006, manufacturing has the largest percentage (35.7 percent) reporting at the “less than 1 percent” budget range. Communication (42.9 percent) and federal government (40 percent) report at the next lowest budget range – 1-3 percent. Education is evenly split (30-30) between the 1-3 percent and 4-7 percent budget ranges. Local government rates the highest at 40 percent in the 4-7 percent budget range. Retail/wholesale (50 percent) and utilities (100 percent) report the highest percentages for the 8-10 percent budget ranges. Energy is evenly split (50-50) between budget ranges 8-10 percent and “More than 10 percent.” Healthcare (40 percent), financial services (33.3 percent), and services (36.4 percent) report the highest budget category of “more than 10 percent.” Transportation is evenly split between 1-3 percent, 2-4 percent and “more than 10 percent” budget ranges.

DR Budget Approval and Funding
Although the majority (48 percent) of DR budget approvals go through IT management, those funds are part of corporate budget overhead (45 percent) rather than absorbed in the IT budget (26 percent), which is in keeping with a 43 percent approval of the DR budget being done by a central business program (see Figure 8). Only 17 percent of organizations recoup their DR expenses by allocation back to the LOBs.

Figure 8.
Final Approval Authority for the Disaster Recovery Budget

Plan Testing
It is no surprise that the average frequency (42.2 percent) of plan testing is annually for all components of the BCM program (see Figure 9). This result is consistent across industries as well. A proportionately higher percentage of SMBs report that they test their disaster recovery and work-area recovery plans quarterly – 41.7 percent and 25.7 percent respectively. This does not map to Gartner research in this area, which indicates that SMBs have a harder time getting awareness and, therefore, funding for their BCM/DR activities.

Figure 9.
Plan Testing Frequency

Source: Gartner

Formality of DR Procedures
Given the number of organizations (90 percent) that report that no formal BCM/DR methodology is used, it is not surprising to see the results of the two questions: “Which of the following methods does your organization use to ensure that IT resources at your recovery sites are current?” and “Is disaster recovery involvement mandatory for any of the following phases of the development cycle as a part of enterprise governance architecture?” The result from neither question indicates that DR is part of the fabric of an organization’s business operations (see Figure 10).

Figure 10.
Ensuring IT Resources at Recovery Sites Are Current

If changes to the DR environment are made on a predetermined maintenance cycle (51 percent), then the DR site will likely be out-of-sync with production, and could result in a failed recovery execution if a disaster occurs between maintenance cycles. In addition, with 48 percent of survey participants reporting that DR site changes are made as a result of an audit, the situation is even worse for those organizations (see Figure 11).

Figure 11.
Disaster Recovery Requirements in Product Life Cycle/Service Delivery Life Cycle Phases

Having 43 percent of survey participants reporting that DR is mandatory for the production implementation phase of an IT project indicates that DR is not being considered early enough in the life of an IT project. It must be included in all phases of a project. That 22 percent of survey participants report that DR is not mandatory in their product life cycle/service delivery life cycle shows that there is a significant amount of room for improvement.

Conclusion
To assist enterprises in their DR and BCM efforts, Gartner offers the following recommendations.

  • BCM program reporting relationships are moving away from the CIO to the COO or CEO.
  • More effort must be allocated to regional disaster preparedness.
  • Avian flu planning must begin now! It is not BCM as usual.
  • Outage time frames being planned for need to be expanded.
  • Inclusion of local/state/federal authorities in BCM programs needs improvement.
  • DR is handled in the majority of organizations. What is now needed is focusing on the recovery of the business.
  • Restoration must be added to the DR program.
  • High-availability usage will grow.
  • Use of tape backups is not adequate for stated RTOs. There is a high proportion of organizations backing up instant messages, calendars and e-mail messages. Review your firm’s regulatory requirements to see if this is necessary.
  • Include BCM and DR in the enterprise’s product life cycle/service delivery life cycle.
  • Organizations must formalize the approach to business continuity and disaster recovery for regulatory compliance purposes.

Roberta J. Witty, CISSP, is the vice president of research for Gartner, Inc. Witty has more than 20 years of experience in the IT industry and has been at Gartner for seven years.


©Copyright Systems Support Inc. All rights reserved. Reproduction in whole or in part in any form or medium without the express written permission of System Support Inc. is prohibited.
