How To Understand The State Of Business Continuity Preparedness

Transcription

1 M ARKET STUDY The State of Business Continuity Preparedness Photo by Sergey Nivens Fotolia.com By STEPHANIE BALAOURAS Forrester Research and the Disaster Recovery Journal have partnered to field a number of market studies on business continuity (BC) and disaster recovery (DR) trends in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations. This study, which focuses on BC maturity and preparedness, was first fielded in 2008 and then again in first study provided us with a baseline for BC preparedness we can now compare to the 2011 and 2014 studies to see how BC maturity and preparedness are trending across time. Specifically, we designed this study to determine:

2 To what extent have companies formalized ongoing BC management programs with executive level sponsorship? How frequently, if at all, do companies conduct a business impact analysis (BIA) and risk assessment (RA)? To what extent are business owners involved in the BC management lifecycle? How well do companies document, keep up-to-date, and test their BC plans? What types of tests do companies run, and how frequently do they run these tests? What tools do companies use to manage plans? What is the scope of BC plans? What threat scenarios do they address? Do they include components for workforce continuity? Do they include components for emergency communication? How many times have companies invoked their BC plans in the past five years? What was the cause? How successful was the invocation? Increasingly, Chief Risk Officers Are The BC Executive Sponsor In our 2014 survey; approximately 88 percent of respondents had executive-level sponsorship for BC preparedness, relatively unchanged since 2011 (87 percent) and 2008 (90 percent). The most common sponsor was the CIO (23 percent), followed by the CEO (16 percent) and the CRO (16 percent). Overall, 75 percent of sponsors continue to come from the business, not IT, but this is the first year the CIO, not the CEO, was the most common executive-level sponsor. We attribute this to the increase in influence of the CRO. In 2014, 16 percent of respondents said the CRO was the executive-level BC sponsor, this is a significant increase from 2011 when only 9 percent of respondents reported the CRO was the executive-level sponsor. This trend represents the desire on the part of some organizations to unify, or at least attempt to integrate on some level, disparate risk management domains. BCM Programs Report Into The Business, But Not Always To A C-level Exec Overall, respondents feel good about the maturity of their BC management (BCM) programs. According to our survey, 46 percent of respondents rated their programs as a 3 on the COBIT maturity level definitions, which are: 0 nonexistent; 1 ad hoc; 2 repeatable; 3 defined; 4 measured; and 5 optimized. Twenty-seven percent were even more optimistic about their programs, rating their programs as a 4 or 5. In this survey, we also found: The majority of BCM programs report into the business or a CRO. According to our study, only 26 percent of BCM programs report into traditional IT departments such as the CIO or CISO (down from 35 percent in 2011). Thirteen percent of BCM programs report into an enterprise risk department or CRO (largely unchanged from 2011) while 32 percent report directly into business line executives (CEO, COO, CFO, HR, Board etc.) (see Figure 2-1). The majority of BCM program heads do not report to c-level executives. While most BCM programs do have executive level sponsorship, only 43 percent of the heads of BCM programs report directly into a c-level executive. In fact, most are two to three levels removed from a c-level executive (see Figure 2-2). BC professionals show no interest in certifying to BC standards. Even for the most well-known BC management standards such as ISO 22301, only 3 percent of respondents report they were already certified to it and only 2 percent plan to certify to it in the future.

3 In general, respondents are aware of these standards and they influence the implementation of their programs but most draw from multiple standards as they see fit. BCM Program Funding Will Stay The Same The Same Or Increase There is good news when it comes to BC budgets; few organizations expect decreases in funding during the next 12 months and since 2011, there has been an increase in the number of full time equivalents dedicated to BCM. More specifically, Forrester found: One third of respondents expect increased funding. According to our study, 37 percent of respondents expect funding for their BCM program to increase in the next 12 months while 58 percent expect it to stay the same. Only 5 percent of respondents expected their funding to decrease (see Figure 3-1). When asked what prompted the increased funding, respondents cited a prior crisis or event or audit findings as the top reasons but also cited the fact the organization saw it as a competitive advantage or because of a change in the organization s business model. Staffing varies by company size but the mean is 4.4 full time staff equivalents. According to our study, the median number of full-time equivalents (FTEs) supporting the BCM program is 4.4, a notable increase from 2011 when it was just two in Of course, this varies by size, companies with fewer than 1,000 employees typically have just one to two FTEs supporting BC, while small and medium enterprise (companies with 1,000 to 5,000 employees) have three to five and larger enterprises will have between five and eight FTEs. Beyond direct funding, IT contributes to BC more than any other group. Even as more BCM programs report outside of IT, there is still a strong connection back to IT because of business dependency on technology and because so many BC services and solutions themselves (e.g. workforce recovery, automated crisis communication etc.) depend on technology. According to our survey, 30 percent of BC funding is direct while IT contributes 28 percent to BC initiatives across the company more than any other group or department. Most Conduct BIAs And Risk Assessments And Refresh Them Annually Our study found a majority of companies conduct a BIA and risk assessment in advance of BCP strategy development and plan documentation. More specifically, Forrester s survey found: A large majority of companies conduct a BIA. In 2014, 75 percent of respondents reported having conducted a BIA; this is a notable increase from 2011 when it was 69 percent and from 2008 when it was 68 percent (see Figure 4-1). There is more good news; of those respondents who have conducted a BIA, the vast majority (88 percent) reports they are able to quantify the maximum tolerable period of disruption. When asked at what level within the organization they conduct the BIAs, 49 percent reported conducting them by specific product line, service line, specific agency etc. Most respondents also reported relying heavily on in-person interviews and surveys. Refreshing the BIA is still a challenge. There was little change in the frequency

4 of refreshes between 2008, 2011 and 2014; most companies refresh the BIA annually. A majority of companies will conduct a risk assessment. There is no change in the percentage of organizations conduct risk assessments. In 2014, 57 percent respondents reported conducting one; this is almost unchanged from 2008 (59 percent) and 2011 (60 percent). The frequency of refreshes is also largely unchanged, the majority of respondents continue to report they refresh their assessments annually (see Figure 4-2). As a result of their risk assessment, 70 percent of respondents report they are able to quantify annual loss expectancy. Companies are concerned about technology reliance, complexity and cyber attacks. When asked if they felt the overall level of risk was increasing and if so, what was driving the increase, respondents replied the number driver was reliance on technology (43 percent) (see Figure 4-3). This is not surprising given very few business processes today are not supported by some kind of IT service whether s traditional back-office enterprise applications like ERP, CRM and HR systems or new employee productivity tools enabled by mobile devices and applications. The increasing complexity of business processes coupled with a reliance on third parties further complicates the ability to cleanly recover an end-to-end business process. In addition, with breaches dominating the news on an almost weekly basis, it s no surprise cyber attacks are a major concern. BCPs Are Increasingly Scenario-Based In 2008, Forrester found 77 percent of organizations had documented BC plans (BCPs). In 2014, percentage has jumped to 93 percent If you don t have documented BCPs, your BCM program is clearly in a dire condition. What we ve sought to discover in 2011 and 2014 is whether organizations have moved to the next stage of BCM maturity did they develop BCPs address specific scenarios identified through their risk assessment. Forrester found in this survey: A slim majority of companies, 52 percent, have scenario specific BCPs. This is unchanged from 2011 (see Figure 5-1). Scenario specific BCPs are important because it shows an organization understands you respond to an event with a boilerplate BCP different scenarios require customized responses (i.e. pandemic vs. IT outage vs. extreme weather). The most common scenarios include natural disasters/extreme weather, IT failure, Power outage, telecomm failures, pandemic, and fires (see Figure 5-2) BCPs are not kept up to date. One area needs improvement is the maintenance of BCPs. In 2008, only 26 percent of respondents indicate plans are updated continuously and 2011, this figure actually dropped to 14 percent. In 2014, it has remained flat at 15 percent (see Figure 5-3). Most organizations continue to update their BCP once or twice per year as part of an exercise. Forrester recommends organizations strive for continuously updating plans. Organizations continue to rely on internal tools to manage their BCPs. In 2011, 67 percent of respondents reported they managed their BCPs using internal tools (i.e., documents, spreadsheets, etc.); in 2014, this number actually increased to 60 percent of respondents (see Figure 5-4). It s always been difficult to build the business case for these

5 tools given it s primarily used only by the BC team and prices can range from tens of thousands to hundreds of thousands of dollars. There is also increased competition from other tools such as those for governance, risk and compliance (GRC). BCPs Are Not Tested Frequently, Partner Involvement Remains Static We ve said this every year but it bears repeating; if you re not exercising or testing your BCPs, you simply aren t prepared not to mention you ve wasted significant efforts on BIAs, risks and plan development you will most likely be unable to execute. Despite years of urging from industry experts and consultants, testing remains a major area for improvement across organizations of all sizes and industries. More specifically Forrester found: Most organizations only test their BCPs once per year. Unfortunately, the situation is largely unchanged from For all test types (walk-through, tabletop exercises, simulations), most organizations only test once per year and as tests become more extensive, test frequency declines (see Figure 6-1). Managing third party risk remains a critical issue. In 2014, 59 percent of respondents reported their business partners participate in at least one test (see Figure 6-2). This is a major increase from 2008 when it was only 47 percent but there is still room for improvement. With increasing reliance on third parties to conduct business, particularly with the rapid adoption of cloud services, these percentages need to be much closer to 100 percent. In many cases, organizations not even bothering to validate the readiness of third parties, let alone include them in testing; according to our study, 49 percent have not validated the readiness of their critical suppliers, partners, and other third parties. Moreover, of those have, many are relying on superficial audits (see Figure 6-3). The Business Still Does Not Take An Active Role In The BCM Lifecycle For a BCM program to truly be successful not only do you need executive-level support but you need line of business owners and employees involved in the entire BCM lifecycle. And unfortunately, their involvement remains limited. Business owners are more likely to be involved in the BIA but even this involvement is anemic, with just 28 percent of respondents reporting business owners are very involved a decrease from 2008 (33 percent) and flat over 2011 (see Figure 7). Companies Use A Mix Of Strategies For Workforce Continuity And Communication Organizations often go to extraordinary lengths to develop BC plans address the failover of IT systems to alternate sites but often neglect or underestimate the human aspects such as workforce recovery and crisis or emergency communication. In this survey, Forrester found: Remote access remains the dominant strategy for workforce continuity. Remote access was the most common strategy in 2008 (86 percent), 2011 (81 percent) and 2014 (80 percent) (see Figure 8-1). The use of another internal site as an

6 alternate site has increased notably in popularity from 2011(69 percent) to 2014 (76 percent) almost on par with remote access. Remote access procedures became very popular as a strategy during pandemic planning. They are effective when power and telecommunication services are still available or when employees can travel outside of the effective area. Thus, organizations will still need to have other workforce continuity options for a variety of risk scenarios. dominates communication strategies. While 54 percent of organizations report using an automated communication service, a large percentage of organizations also continue to use a mix of communications modes are more manual in nature, everything from sending out corporate (77 percent), manual call tree lists (69 percent), and corporate website/portal (61 percent) (see Figure 8-2). The use of social technology so a big boost from 18 percent in2011 to 32 percent in 2014 Invocations Are Frequent; Training Is Key To Successful Invocations Invocations of BCPs are more frequent than organizations would suspect, in each of the years we have fielded this study, more than half of respondents had invoked a BCP during the previous five years:.2008 (50 percent), 2011 (61 percent), and 2014 (53 percent) (see Figure 9-1). In 2014, the most common causes included extreme weather and natural disasters (same as in 2008 and 2011) and followed closely by IT failures, power outages, telecom failures, and floods (see Figure 9-2). In this survey, Forrester found: Three quarters report invocations as a result of technology failures. During the last few years, catastrophic natural disasters have made the news once again, everything from Hurricane Sandy striking the US Northeast to typhoons striking the Philippines. However, it s important organizations don t make the mistake of focusing solely on catastrophic disasters. In reality, extreme but not catastrophic weather, such as winter storms, can debilitate a business if the data center is running but no one can get to work. In addition, it s important to note 75 percent of respondents indicated they had experience one invocation as a result of a technology IT or telecom. Also, many don t realize the frequency of power outages as a result of extreme weather and also because of aging and saturated power grids in developed countries. Communication, collaboration and training remain the top lessons learned. When we asked organizations what were the top three lessons they learned from their invocations, the top two lessons have been the same in 2008, 2011 and 2014, either: 1) there hadn t been enough training and awareness across the company; or 2) plans didn t adequately address internal communication and collaboration. In 2014, we have a new No. 3: plans didn t adequately address communication and collaboration with strategic partners and other third party dependents (see Figure 9-3). The typical large enterprise has several hundred third party relationships. Moreover, with the rapid adoption of cloud services, today s business processes are often a composite of IT services delivered on-premise and

7 from the cloud. If you re not testing with your partners, you re not ready. Everyone Wants To Know If You re Ready Or Not BC readiness is no longer just a good practice; it s considered a fiduciary responsibility to employees, partners, and customers. Increasingly, you must provide proof of BC readiness not just internally but externally. In our study, Forrester found: Regulators are the most likely to demand proof of readiness. More often than not, it was a government or industry regulator demands proof of readiness. According to our study, 71 percent of companies had to provide proof of preparedness to regulators. However, partners and customers also frequently asked for proof (see Figure 10). Study Methodology In the months of September, October, and November 2014, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online survey of 175 business continuity decision-makers and influencers. In this survey: All respondents indicated they were decision-makers or influencers concerning planning and purchasing technology and services related to business continuity. Respondents were from a range of company sizes: 31 percent had 1 to 999 employees; 29 percent had 1,000 to 4,999 employees; 21 percent had 5,000 to 19,999 employees; and 20 percent had 20,000 or more employees. Respondents were from companies with a range of revenues: 26 percent of respondents were from companies with revenues of less than $500 million; 14 percent were from companies with revenues of $500 million to $999 million; 22 percent were from companies with revenues of $1 billion to $4.99 billion; 9 percent were from companies with revenues of $5 billion to $10 billion; and 16 percent were from companies with revenues of more than $10 billion. Nine percent of respondents were from non-profits (e.g. government agencies, non-profits, academic institutions etc.). Five percent did not know their company revenues. Respondents were from a variety of industries. Respondents had substantial operations across North America, Europe, Middle East, or Africa (EMEA), South America and Asia: 91 percent of respondents had operations North America; 30 percent had operations in EMEA; 27 percent had operations in Asia; and 15 percent had operations in South America. This survey used a self-selected group of respondents (predominantly DRJ subscribers and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR. While non-random, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed. v Stephanie Balaouras is a vice president and research director for Forrester Research. Balaouras serves security and risk professionals. She leads a team of analysts who provide research and advisory services on topics like IT security frameworks; governance, risk, and compliance; identity and access management; application security; data security; and IT infrastructure security. She also provides Forrester s coverage of specific risk topics including business continuity, IT continuity/disaster recovery, and backup and recovery.