Forrester Research and the Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC) and disaster recovery (DR) in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations for the industry. The first study focused on gathering a baseline of company DR preparedness. This is the second study and focuses on gathering a baseline of company BC preparedness. Specifically, this study was designed to determine:
- To what extent have companies formalized ongoing BC management programs with executive level sponsorship?
- How frequently, if at all, do companies conduct a business impact analysis (BIA) and risk assessment (RA)?
- To what extent are business owners involved in the BC management life cycle?
- How well do companies document BC plans, keep plans up-to-date, and test plans? What types of tests do companies run, and how frequently do they run them? What tools do companies use to manage plans?
- What is the scope of BC plans? What threat scenarios do they address? Do they include components for workforce continuity? Do they include components for emergency communication?
- How many times have companies invoked their BC plans in the past five years? What was the cause? How successful was the invocation?
CEO, CIO, and COO Are The Most Common Executive Sponsors
There is some good news in our 2008 survey – approximately 90 percent of respondents had executive-level sponsorship for business continuity. Who is the executive-level sponsor? Approximately 25 percent indicated it was the CEO, 20 percent indicated it was the CIO, 14 percent indicated it was the COO, and 14 percent indicated it was “other” (see Figure 1-1). It was less common for the CRO, CFO, CISO/CSO, and board of directors to be the executive-level sponsor. The “other” category included cross-functional teams (for example CEO, CIO, and HR) or the next executive tier (for example, a general manager or VP of IT).
But while BC has executive-level sponsorship, it’s not always the top priority for executives. In our survey, only 23 percent of respondents felt that BC was a critical priority for senior executives at their company (see Figure 1-2). This means that BC managers and planners will need to continue to focus on building the business case for BC in tough economic times.
Companies Have Established BCM Programs, But There Are Still Challenges
Companies have made tremendous progress in business continuity management (BCM). Companies no longer treat business continuity as a one-time planning event but as an ongoing program. In this survey Forrester found that:
- A majority of companies have established a BCM program. Approximately 66 percent of respondents already have established BCM programs in place, and another 29 percent plan to have established BCM programs in place in the next year (see Figure 2-1).
- Staffing varies by company size. Companies with fewer than 1,000 employees typically have just one to two full-time equivalents (FTEs) supporting BC, while companies with tens of thousands of employees can often have five, six, seven, or more FTEs. Companies with a few thousand employees should expect between two to five FTEs.
- General BC standards are influential but not overwhelmingly so. The British Standard on Business Continuity Management (BS 25999), the National Fire Protection Agency standard (NFPA 1600), and ISO 27001 (Security Information Management) have all had little influence on BCM programs (see Figure 2-2).
Establishing a BCM program is an important first step to improving overall business resiliency, but every program requires refinement and improvement. Given that most BCM programs are still nascent, many BC managers are still fighting for the appropriate budget and staff needed to manage the scope of these programs. Forrester found that:
- A minority of companies feel their BCM programs are very effective. Of those companies that do have established BCM programs, approximately 17 percent of respondents feel their program is very effective, 42 percent feel their program is effective, 32 percent feel it’s somewhat effective, and almost 8 percent feel it’s not effective at all (see Figure 3-1).
- Funding and program scope are top BCM challenges. When asked to select the top three BCM challenges, there was a tie between “inadequate funding” and “implementing a BCM program corporate-wide” for the No. 1 challenge, followed by “the scope of our BCM program is ill-defined” (see Figure 3-2).
Companies Execute Every BCM Phase, But Business Involvement Is Limited
Our study found that most companies do take the time to conduct a BIA and RA before they embark on BC strategy development and plan documentation. Forrester’s survey found that:
- Companies refresh BIAs and RAs frequently. Approximately 68 percent of respondents have conducted a BIA, and almost 50 percent of these respondents refresh the BIA annually, while almost 26 percent refresh it every two years (see Figure 4-1). Approximately 59 percent of respondents have conducted an RA, 54 percent of these respondents refresh the RA annually, and 22 percent refresh it every two years (see Figure 4-2).
- Business owners are not involved in every phase of the BCM life cycle. Business owners are more likely to be involved in the BIA and plan testing but less involved in the risk assessment and in awareness and training (see Figure 4-3).
BCPs Are Typically Updated And Tested Once Per Year
One area that needs improvement is the maintenance of business continuity plans (BCPs). The vast majority of companies, almost 77 percent, have documented their BC strategies into BCPs (see Figure 5-1). However, only 26 percent of respondents indicate that plans are updated continuously (see Figure 5-2). In addition, for all test types (walk-through, tabletop exercises, simulations, complete tests), most companies test only once per year, and the more extensive the test (simulation, full test), the lower the test frequency (see Figure 5-3). Forrester also found in this survey that:
- Most companies use internal tools to manage their BCPs. According to our survey, approximately 64 percent of respondents indicate that they manage BCPs using internal tools (i.e., documents, spreadsheets, etc.), while 22 percent use a commercial BCP software application or service. There are many factors that contribute to this, such as tight budgets for BCM, but it also has to do with the fact that many companies are managing a small number of documented BCPs. According to our survey, approximately 36 percent are managing fewer than 20 BCPs and approximately 38 percent are managing between 20 and 99 BCPs.
- Business partners also participate in tests. When it comes to business partner participation in tests, there are two camps: those that include their business partners and those that don’t. According to our survey, approximately 47 percent of respondents indicated that their business partners participate in at least one test, and almost 13 percent indicated that business partners participate in tests more than once a year. Approximately 40 percent of respondents indicated that business partners never participated in tests.
"Appeared in DRJ's Winter 2009 Issue"
Companies Are Getting Better At Addressing The Human Side Of BC
Companies often go to extraordinary lengths to develop BC/DR strategies that address the failover of IT systems to alternate sites but often neglect or underestimate the human aspects. First, companies need a way of communicating effectively during an event from the start of the event to the return of normal operations. Second, in addition to the failover of IT systems, they need to develop strategies that address workforce continuity. Companies must develop strategies so that people can continue to have access to their applications, data, and communication (e-mail, messaging, voicemail, fax, etc.) in order to remain productive.
According to our survey, 68 percent of respondents include a workforce continuity component in their BCPs, and 20 percent of respondents plan to include one in the next year (see Figure 6-1).
In addition, Forrester found that 79 percent of respondents include emergency communication in their BCPs, and more than 14 percent plan to do so in the next year (see Figure 6-2). In this survey Forrester also found that:
- More companies are turning to remote access procedures for workforce continuity. Almost 86 percent of respondents indicated that they would provision employees with remote access procedures for workforce continuity (see Figure 6-1). In addition, more companies plan to take advantage of another internal site to provide physical seats for workforce continuity.
- By a slight margin, companies prefer to use commercial offerings for emergency communication. Almost 49 percent of respondents planned to use internal tools to facilitate emergency communication, while 51 percent of respondents plan to use either a hosted service (45 percent) and/or commercial software deployed onsite (6 percent) (see Figure 6-2).
More BCPs To Address IT Security Risks
During the risk assessment, when companies identify the list of potential threats to business operations, IT security threats are on the list, and more companies are deciding that the preventive measures to mitigate these risks are clearly IT in nature. However, should these threats occur, it requires a business as well as an IT response to them. A virus outbreak or a denial of service attack that debilitates the company’s mission-critical IT systems is as disruptive and costly to the business as if a natural disaster had taken out the data center. Forrester found in this survey that:
- Companies develop BCPs to address IT security threats. Sixty-seven percent of respondents indicated that they have BCPs that address IT security risks, and another 18 percent plan to develop BCPs for IT security risks in the next year (see Figure 7).
Invocations Are Frequent; Training Is Key To Successful Invocations
Invocations of BCPs are more frequent than companies would suspect. According to our survey, 50 percent of respondents have invoked at least once during the past five years. The most common causes included extreme weather and natural disasters, followed closely by power outages, IT failures, telecommunication failures, and fire (see Figure 8-1).
There has always been a common misperception that BCPs are only invoked in the case of catastrophic natural disasters such as hurricanes and earthquakes. In reality, extreme but not catastrophic weather, such as winter storms, can debilitate a business if the data center is running but no one can get to work. In addition, many companies don’t realize the frequency of power outages and IT failures and the impact they can have on business operations.
When we asked companies what the top three lessons they learned from their invocations were, they said that: 1) there hadn’t been enough training and awareness across the company; 2) plans didn’t adequately address internal communication and collaboration; and 3) plans didn’t adequately address workforce continuity (see Figure 8-2).
Companies Are Confident In Their BC Efforts, But There Is Still Room For Improvement
There has been progress in BC preparedness: Most companies have established BCM programs, perform BIAs and RAs, document plans, and take the human side of BC into consideration. But we still have a long way to go. Companies still don’t update and test plans frequently enough, and business owners don’t participate in every phase of the BCM life cycle. Another area of concern is that almost 54 percent of respondents to this survey have never validated or investigated the BC readiness of their strategic partners (see Figure 9-1).
Overall, companies feel confident in their plans. Almost 37 percent are “confident” and 22 percent are “very confident,” but almost 32 percent are somewhat confident and about 9 percent don’t feel confident at all (see Figure 9-2).
Everyone Wants To Know If You’re Ready Or Not
BC readiness is critical to your profitability and long-term longevity as a company, but it also affects the profitability and well-being of your employees, partners, and customers. Increasingly, you must provide proof of BC readiness not just internally but externally. More companies are increasing the frequency with which they report BC readiness efforts to senior executives, and more companies find that in the past 12 months external parties have demanded proof of their BC readiness (see Figure 10-1). More often than not it was a government or industry regulator that demanded the proof, but customers also frequently asked for proof (see Figure 10-2).
In October 2008, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online survey of 295 DRJ members. In this survey:
- All respondents indicated they were decision-makers or influencers in regard to planning and purchasing technology and services related to business continuity.
- Respondents were from a range of company sizes: 33 percent had 1 to 999 employees; 27 percent had 1,000 to 4,999 employees; 17 percent had 5,000 to 19,999 employees; and 21 percent had 20,000 or more employees.
- Respondents were from companies with a range of revenues: 44 percent of respondents were from companies with revenues of less than $500 million; 9 percent were from companies with revenues of $500 million to $999 million; 22 percent were from companies with revenues of $1 billion to $4.99 billion; 8 percent were from companies with revenues of $5 billion to $10 billion; and 17 percent were from companies with revenues of more than $10 billion.
- Respondents were from a variety of industries.
- Respondents were primarily from North America: 92 percent of respondents were from North America; 5 percent were from Europe, the Middle East, or Africa; 2 percent were from Asia; and 1 percent were from South America.
This survey used a self-selected group of respondents (DRJ members) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR. While nonrandom, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.
Stephanie Balaouras is a principal analyst for Forrester Research. Balaouras primarily contributes to Forrester’s offerings for security and risk professionals. She is a leading expert in how companies build resilient IT infrastructures to support key business initiatives. During her three years with Forrester, Balaouras has been instrumental in the development of Forrester’s research and offerings in business continuity, disaster recovery, and information storage and protection.