The State Of Business Continuity Preparedness
- Published on January 4, 2012
- Written by STEPHANIE BALAOURAS
Forrester Research and the Disaster Recovery Journal have partnered to field a number of market studies on business continuity (BC) and disaster recovery (DR) trends in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations. This study, which focuses on industry BC preparedness, was also fielded in 2008. That first study provided us with a baseline for BC preparedness that we can now compare to the 2011 study to see how BC maturity and preparedness are trending across time. Specifically, this study was designed to determine:
- To what extent have companies formalized ongoing BC management programs with executive level sponsorship?
- How frequently, if at all, do companies conduct a business impact analysis (BIA) and risk assessment (RA)?
- To what extent are business owners involved in the BC management lifecycle?
- How well do companies document, keep up-to-date, and test their BC plans? What types of tests do companies run, and how frequently do they run these tests? What tools do companies use to manage plans?
- What is the scope of BC plans? What threat scenarios do they address? Do they include components for workforce continuity? Do they include components for emergency communication?
- How many times have companies invoked their BC plans in the past five years? What was the cause? How successful was the invocation?
BC Increases As A Critical Priority But Executive Sponsorship Remains Muddled
In our 2008 survey, approximately 90 percent of respondents had executive-level sponsorship for BC preparedness. The most common sponsor was the CEO (25 percent), followed by the CIO (20 percent). In the 2011 survey, we found that executive-level support dipped slightly to 87 percent (see Figure 1-1). CEOs (23 percent) and CIOs (21 percent) remained the most likely executive sponsors. The "other" category was the next most common response (13 percent); it includes cross-functional teams (for example, CEO, CIO, and HR) or the next executive tier (for example, a general manager or VP of IT).
Luckily, the slight dip in executive-level support hasn't translated into a dip in priority. In 2008, 23 percent of respondents felt that BC was a critical priority for senior executives at their company, while in 2011 this increased to 28 percent (see Figure 1-2). In tough economic times, senior executives tend to focus more on cost-cutting measures and initiatives that drive productivity and efficiency rather than cost-avoidance initiatives such as BC, so it's heartening news that its criticality has actually increased. The slight dip in executive-level support likely has more to do with ongoing questions about where best to assign corporate accountability and responsibility than with any lack of commitment to BC preparedness.
BCM Programs Increasingly Report Outside Of IT
Companies have made tremendous progress in BC management (BCM). Companies no longer treat business continuity as a one-time planning event but as an ongoing program. In this survey Forrester found that:
- If you don't have an established BCM program, you significantly lag your peers. In 2008, 66 percent of respondents reported they had established BCM programs in place. In 2011, this figure increased to 72 percent with another 25 percent that plan to have established programs in place in the next year (see Figure 2-1).
- The majority of BCM programs report outside of IT. According to our study, only 35 percent of BCM programs report into traditional IT departments such as the CIO or CISO. Twelve percent of BCM programs report into an enterprise risk department or chief risk officer (CRO), while 35 percent report directly into business line executives (CEO, COO, CFO, board, etc.) (see Figure 2-1).
- Staffing varies by company size, but the average is two full-time staff. According to our study, the median number of full-time equivalents (FTEs) supporting the BCM program is two. Of course, this varies by size: companies with fewer than 1,000 employees typically have just one FTE supporting BC, while small and medium enterprises (companies with 1,000 to 5,000 employees) have two to three, and larger enterprises have between three and five FTEs.
- BC professionals show indifference to BC standards. Well-known industry standards such as the British Standard on Business Continuity Management (BS 25999), its ISO replacement (ISO 22301), the National Fire Protection Agency standard (NFPA 1600), and ISO 27001 (Security Information Management) have all had little influence on BCM programs (see Figure 2-2).
BCM Program Effectiveness Remains Unchanged
Every BCM program requires refinement and improvement, and many BC managers find themselves in a continuous battle for the executive-level support, budget, staff, and tools needed to manage the increasing scope of these programs. Forrester found that:
- Confidence in the effectiveness of BCM programs has increased. In 2008, of those companies that did have established BCM programs, 17 percent of respondents felt their program was very effective and 42 percent felt their program was effective. In 2011, these percentages improved appreciably, with 23 percent of respondents reporting their program was very effective and 53 percent reporting that it was effective (see Figure 3-1).
- Breadth and funding are top BCM challenges. In 2008, when asked to select the top three BCM challenges, "inadequate funding" and "implementing a BCM program corporate-wide" topped the list as the No. 1 challenges, followed by "the scope of our BCM program is ill-defined." In 2011, implementing a BCM program corporate-wide and funding remain the top two challenges, but this year we have a new No. 3 challenge: "lack of skilled staff" (see Figure 3-2).
BIAs And Risk Assessments Are Updated Annually
Our study found that a majority of companies conduct a BIA and risk assessment in advance of BCP strategy development and plan documentation. More specifically, Forrester's survey found that:
- A large majority of companies conduct a BIA. In 2008, 68 percent of respondents reported having conducted a BIA; in 2011, this was almost unchanged at 69 percent. However, in 2011, a greater percentage of companies that have not completed a BIA plan to complete one during the next 12 months (see Figure 4-1). There was little change in the frequency of refreshes between 2008 and 2011; most companies refresh the BIA annually.
- A majority of companies conduct a risk assessment. In 2008, 59 percent of respondents reported conducting a risk assessment. In 2011, this increased slightly to 60 percent. In both 2008 and 2011, 54 percent of these respondents reported that they refresh their assessments annually (see Figure 4-2).
- Companies are concerned about increasing reliance on technology. When asked if they felt the overall level of risk was increasing and, if so, what was driving the increase, respondents replied that the number one driver was reliance on technology (48 percent) (see Figure 4-3). This is not surprising given that very few business processes today are not supported by some kind of IT service – whether that's traditional back-office enterprise applications like ERP, CRM, and HR systems or new employee productivity tools enabled by mobile devices and applications. The increasing complexity of business processes, coupled with a reliance on third parties, further complicates the ability to cleanly recover an end-to-end business process.
BCPs Are Increasingly Scenario-Based
In 2008, Forrester found that 77 percent of companies had documented BC plans (BCPs). If you don't have documented BCPs, your BCM program is clearly in a dire condition. What we sought to discover this year is whether companies have moved to the next stage of BCM maturity – did they develop BCPs that address specific scenarios identified through their risk assessment? Forrester found in this survey that:
- A slim majority of companies, 52 percent, have scenario-specific BCPs. In addition to this majority, another 21 percent of companies reported that they planned to create scenario-specific BCPs in the next 12 months (see Figure 5-1). Of those companies that do have scenario-specific BCPs, 73 percent have fewer than 20 of them (see Figure 5-2). Scenario-specific BCPs are important because they show that a company understands that you cannot respond to an event with a boilerplate BCP – different scenarios require customized responses (e.g., pandemic vs. IT outage vs. extreme weather).
- BCPs are not kept up to date. One area that needs improvement is the maintenance of BCPs. In 2008, only 26 percent of respondents indicated that plans are updated continuously, and in 2011 this figure actually dropped to 14 percent (see Figure 5-3). Most companies continue to update their BCP once or twice per year as part of an exercise. Forrester recommends that companies strive to update plans continuously.
- Companies continue to rely on internal tools to manage their BCPs. In 2008, 64 percent of respondents reported that they managed their BCPs using internal tools (i.e., documents, spreadsheets, etc.); in 2011, this number actually increased to 67 percent of respondents. It's always been difficult to build the business case for dedicated BCM tools given tight BC budgets, and the global recession has only made it more difficult.
BCPs Are Not Tested Frequently, Partner Involvement Remains Static
If you're not testing your BCPs, you simply aren't prepared – not to mention you've wasted significant effort on BIAs, risk assessments, and plan development that you will most likely be unable to execute. Despite years of urging from industry experts and consultants, testing remains a major area for improvement across companies of all sizes and industries. More specifically, Forrester found that:
- Most companies only test their BCPs once per year. Unfortunately, the situation is largely unchanged from 2008. For all test types (walk-throughs, tabletop exercises, simulations), most companies only test once per year, and as exercises get more extensive, test frequency declines (see Figure 6-1).
- Business partner participation in testing remains unchanged. In 2008, 47 percent of respondents reported that their business partners participate in at least one test. Unfortunately, despite the increasing reliance on third parties to conduct business, particularly with the rapid adoption of cloud services, these percentages remain largely unchanged. The picture is even bleaker when it comes to critical suppliers: a majority of companies have not validated the readiness of their critical suppliers (see Figure 6-2).
- Confidence in BC preparedness is exuberantly high. Despite the fact that companies only test once per year, a majority do not include their partners in tests, and a majority do not validate the readiness of critical suppliers, 62 percent of companies report that they are confident or very confident in their readiness (see Figure 6-3).
The Business Still Does Not Take An Active Role In The BCM Lifecycle
For a BCM program to truly be successful, not only do you need executive-level support, but you need line-of-business owners and users involved in the entire BCM lifecycle. Unfortunately, their involvement remains limited. Business owners are more likely to be involved in the BIA, but even this involvement is anemic, with just 29 percent of respondents reporting that business owners are very involved – a decrease from 2008 (see Figure 7). There is some good news, however, as business owner involvement significantly improved in plan development.
Companies Use A Mix Of Strategies For Workforce Continuity And Communication
Companies often go to extraordinary lengths to develop BC plans that address the failover of IT systems to alternate sites but often neglect or underestimate the human aspects such as workforce recovery and crisis or emergency communication. In this survey Forrester found that:
- Remote access procedures remain the dominant strategy for workforce continuity. In 2008, 86 percent of respondents indicated that they would provision employees with remote access procedures for workforce continuity. While there was a slight dip to 81 percent in 2011, remote access procedures remain the dominant strategy for workforce recovery (see Figure 8-1). Companies continue to employ a mix of other strategies from alternate sites to mobile recovery units to seats at DR service providers.
- Companies rely on a mix of channels for communication, even social. While 53 percent of companies report using an automated communication service, it's clear that companies are augmenting these services with everything from manual call tree lists (71 percent) to social technologies like Facebook and Twitter (18 percent) (see Figure 8-2).
Invocations Are Frequent; Training Is Key To Successful Invocations
Invocations of BCPs are more frequent than companies would suspect. In 2008, 50 percent of respondents reported that they had invoked a BCP at least once during the past five years. In 2011, that percentage increased to 61 percent (see Figure 9-1)! The most common causes included extreme weather and natural disasters (same as in 2008), followed closely by power outages, IT failures, floods, and fire (see Figure 9-2).
During the last few years, catastrophic natural disasters have made the news once again, everything from the Haiti earthquake to the Japanese tsunami. However, it's important that companies don't make the mistake of focusing solely on catastrophic disasters. In reality, extreme but not catastrophic weather, such as winter storms, can debilitate a business if the data center is running but no one can get to work. In addition, many companies don't realize the frequency of power outages, both as a result of extreme weather and because of aging and saturated power grids in developed countries.
When we asked companies what were the top three lessons they learned from their invocations, the top two lessons are identical in 2008 and 2011: 1) there hadn't been enough training and awareness across the company; and 2) plans didn't adequately address internal communication and collaboration. In 2011, we have a new No. 3: key staff hadn't been included in testing (see Figure 9-3). When you don't include more staff in training, they are less likely to know their roles and responsibilities during a crisis or to execute their responsibilities effectively under duress. Remember that one of the key reasons for running tests is to train staff.
Everyone Wants To Know If You're Ready Or Not
BC readiness is no longer just a good practice; it's considered a fiduciary responsibility to employees, partners, and customers. Increasingly, you must provide proof of BC readiness not just internally but externally. In our study, Forrester found that:
- One fifth of companies report BC status to executives quarterly. More companies are increasing the frequency with which they report BC readiness efforts to senior executives. In our study, we found that 20 percent of companies now report BC readiness to executives quarterly, 4 percent report three times a year, 19 percent twice a year, and 38 percent report at least once a year. Only 12 percent of companies reported that they did not report results to senior executives (see Figure 10-1).
- Regulators are the most likely to demand proof of readiness. More often than not, it was a government or industry regulator that demanded proof of readiness. According to our study, 68 percent of companies had to provide proof of preparedness to regulators. However, partners and customers also frequently asked for proof (see Figure 10-2).
In October 2011, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online survey of 300 DRJ members. In this survey:
- All respondents indicated that they were decision-makers or influencers in regard to planning and purchasing technology and services related to business continuity.
- Respondents were from a range of company sizes: 39 percent had 1 to 999 employees; 23 percent had 1,000 to 4,999 employees; 17 percent had 5,000 to 19,999 employees; and 21 percent had 20,000 or more employees.
- Respondents were from companies with a range of revenues: 43 percent of respondents were from companies with revenues of less than $500 million; 11 percent were from companies with revenues of $500 million to $999 million; 20 percent were from companies with revenues of $1 billion to $4.99 billion; 10 percent were from companies with revenues of $5 billion to $10 billion; and 16 percent were from companies with revenues of more than $10 billion.
- Respondents were from a variety of industries.
- Respondents were primarily from North America: 82 percent of respondents were from North America; 9 percent were from Europe, Middle East, or Africa; 6 percent were from Asia; and 3 percent were from South America.
This survey used a self-selected group of respondents (DRJ members) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR. While non-random, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.
Stephanie Balaouras is the principal analyst, research director at Forrester Research. Balaouras leads a team of analysts who provide research and advisory services on topics like IT security frameworks; governance, risk, and compliance (GRC); identity and access management (IAM); application security; data security; and IT infrastructure security. Balaouras also provides Forrester's coverage of specific risk topics including business continuity (BC), IT continuity/disaster recovery (DR), and backup and recovery. Balaouras has more than 12 years of experience in BC/DR, backup and recovery, and information storage industries. She holds a bachelor's degree in business administration and finance and investments from Babson College.