Building a Continuity Culture



Similar documents
KPMG Information Risk Management Business Continuity Management Peter McNally, KPMG Asia Pacific Leader for Business Continuity

Disaster Recovery Planning Process

Attachment #2. BUSINESS CONTINUITY PLAN Plan Development Guidelines

DISASTER RECOVERY PLANNING FOR CITY COMPUTER FACILITIES

BCP and DR. P K Patel AGM, MoF

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Desktop Scenario Self Assessment Exercise Page 1

Insights: Data Protection and the Cloud North America

Business Resiliency Business Continuity Management - January 14, 2014

How to write a DISASTER RECOVERY PLAN. To print to A4, print at 75%.

A NEW APPROACH TO CYBER SECURITY

Business Continuity Planning (BCP) & Disaster Recovery Planning (DRP).

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

Table of Contents... 1

Coping with a major business disruption. Some practical advice

PBSi Business Continuity Planning

Business Continuity Trends and Risk Considerations Financial Executives International Portland Chapter June

Business Continuity Planning

Protecting Your Business

Audit of Physical Security Management

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

EVALUATING YOUR DISASTER READINESS?

Business continuity planning in the Swiss financial centre Review of the current situation. BCP steering committee for the Swiss financial centre

Business Continuity and Disaster Planning

Business Continuity Plan

Business Continuity and Disaster Survival Strategies for the Small and Mid Size Business.

Hedge Fund cost survey

IDA FAS Sub-Committee Guidelines for Testing 1 As of October 16, 2006

Highlights of the 2015 Manitoba Budget

Council Policy Business Continuity Management

Business Continuity and Disaster Recovery Planning

Post-Class Quiz: Business Continuity & Disaster Recovery Planning Domain

Performance Indicators for Disaster Recovery

How To Manage A Business Continuity Strategy

Midsize Enterprise Summit Business Continuity Questions

ASX CLEAR (FUTURES) OPERATING RULES Guidance Note 10

BSO Board Director of Human Resources & Corporate Services Business Continuity Policy. 28 February 2012

WHITE PAPER. Enterprise Mobility Barometer Manufacturing Industry

Why Should Companies Take a Closer Look at Business Continuity Planning?

London Business Interruption Association Technology new risks and opportunities for the Insurance industry

CFOs and CIOs: How do you know when to reach for the clouds?

ASX SETTLEMENT OPERATING RULES Guidance Note 10

Contingency Planning in ICSA Member Countries

IT Risk Closing the Gap

Linking Risk Management to Business Strategy, Processes, Operations and Reporting

White Paper AN INTRODUCTION TO BUSINESS CONTINUITY PLANNING AND SOLUTIONS FOR IT AND TELECOM DECISION MAKERS. Executive Summary

GETTING STARTED WITH DISASTER RECOVERY PLANNING

Business Continuity Planning for Risk Reduction

KPMG s Financial Management Practice. kpmg.com

Business Continuity Business Continuity Management Policy

Third Quarter IT Executive Outlook Survey

Your Guide to Developing a Disaster Recovery Plan

Business Continuity Planning and Disaster Recovery Planning

STEP-BY-STEP BUSINESS CONTINUITY AND EMERGENCY PLANNING MAY

This is the third and final presentation on HIPAA Security Administrative Safeguards. This presentation focuses on the last 2 standards under the

BUSINESS CONTINUITY MANAGEMENT IN THE PUBLIC SECTOR A ROUGH GUIDE

Domain 3 Business Continuity and Disaster Recovery Planning

GETTING STARTED WITH MANAGED SERVICES

Half prepared? A global study into corporate preparedness for disaster recovery and business continuity

Business Continuity Planning:

ERM006 ERM and Business Continuity Management: Together at Last RIMS Annual Conference April 13, 2016

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

Business Continuity and Disaster Recovery Planning 3/16/2011. Lee Goldstein CPCP, MBCI President Business Contingency Group

Adaptation Case Study #4: The Co-operators

Cloud Computing and Records Management

APRA REVIEW OF UNIT PRICING PRACTICES

How to Plan for Disaster Recovery and Business Continuity

Auditing Business Continuity Management Plans

Managing Growth, Risk and the Cloud

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Three

Business Continuity Planning and Disaster Recovery Planning. Ed Crowley IAM/IEM

Creating a Business Continuity Plan for your Health Center

IT Governance. What is it and how to audit it. 21 April 2009

Business Continuity Overcome the Challenges

Operational Risk Management Policy

Audit Committee Institute Assessment of audit committees

Disaster Management and Business Continuity Plan for Bankers

Disaster Recovery & Business Continuity Dell IT Executive Learning Series

Business Continuity Planning

Audit Committee Institute Evaluation of internal auditors

OUTSOURCING DUE DILIGENCE FORM

Service Children s Education

Information Security Management System. Business Continuity and Disaster Recovery Plan Policy. The Smart Cube. Description Change

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Business Continuity and Disaster Recovery for Law Firms CAROLINE POYNTON

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning MARCH 2003 IT EXAMINATION H ANDBOOK

Interagency Statement on Pandemic Planning

PAPER-6 PART-3 OF 5 CA A.RAFEQ, FCA

White Paper: ISO Business Continuity Management An Overview. ISO Business Continuity Management An Overview

Business Continuity Planning

The Top 10 Things to Look for When Choosing One

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

Business Continuity Planning (800)

Developing a Business Continuity Plan... More Than Disaster

Advisory Guidelines of the Financial Supervision Authority. Requirements for Organising the Business Continuity Process of Supervised Entities

The Role of a Prime Broker

Audit, Finance and Legislative Committee Mayor Craig Lowe, Chair Mayor-Commissioner Pro Tem Thomas Hawkins, Member

Cisco Disaster Recovery: Best Practices White Paper

Controls over CIS. Ryan O Halloran, Senior Manager KPMG Hobart. TAO Client Information Session. May 2015

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

Transcription:

Building a Continuity Culture A survey of Canadian decision makers on Business Continuity Planning KPMG LLP

Building a Continuity Culture 1 Building a Continuity Culture A survey of Canadian decision makers on Business Continuity Planning The discipline of Business Continuity Planning helps organizations manage risk to critical systems including shared computer systems and communications networks from natural, man-made or political events that threaten a company s ability to conduct. Elements of a Business Continuity Plan Service the definition, real-time monitoring and management of performance criteria tied to service goals. Availability the design and implementation of resilient and scalable technology infrastructure underpinned by robust IT management practices focused on delivering information at the required service levels. Recoverability the design and implementation of technology solutions to deliver rapid restoration of information availability. Business continuity planning assumes a worst-case scenario, in which an external event renders the primary location totally inaccessible or otherwise unusable for an extended period of time. Examples of such events include extended loss of electrical power, an earthquake or fire that demolishes a company s building, or a flood that makes the building inaccessible or results in significant loss of records and equipment. In today s environment, continuity planning is increasingly seen as a strategic investment whose benefits far outweigh its costs. The effects of a long-term interruption of critical functions may be devastating to the. And the long term may be as little as 15 minutes for some organizations (such as a company with a large number of customers that does through the Internet). Furthermore, companies are bound by legal and board member obligations to protect the lives and assets of the corporation. The development of a continuity plan must, therefore, involve not only the providers of the organization s information technology services, but also the areas using those services, and senior management responsible for the life and health of the organization. A continuity culture must be in place at all levels, with clear roles, responsibilities and reporting processes in place. A key challenge is to keep management focused on the importance of sustained attention to consideration of continuity in planning, operational and budgeting activities.

2 Building a Continuity Culture Survey Highlights During the fall of 2005, KPMG s Advisory practice engaged Ipsos-Reid to seek the views of senior Canadian decision makers on how their organizations are dealing with continuity planning as part of Ipsos Executive Panel program. A total of 254 senior executives involved in or IT management were involved in the survey, which utilized both telephone interviews and on-line questionnaires. The survey results show that the awareness of the need for effective continuity planning is well entrenched in Canadian companies. A sizable majority of respondents (83%) indicated that they have procedures in place to ensure the continuation and recovery of services and processes in the event of a disruption. Business Continuity Plans Managed Internally A majority of companies indicated that they manage and test their continuity plans internally. Eighty-one percent (81%) of companies overall perform this function in house with a slight prevalence in the very large enterprise segment (88%) as well as in the Financial Services group (89%). Figures 1 and 2 (below) present detailed views by market size and industry group. Business Continuity is a Challenge to Manage in Outsourced Environment Forty-one percent (41%) of companies overall believed that continuity is a challenge to manage in an outsourced technology environment. This finding is most prevalent in the very large company segment, where 50% of companies reported this finding. The Services sector is most sensitive to managing continuity in an outsourced environment, with 44% of companies from this group citing this issue as a challenge (compared to 41% overall).

Building a Continuity Culture 3 New Regulatory Requirements Drive Business Continuity Plans Half of the responding companies (51%) reported that they believe market and regulatory requirements demand an effective and tested continuity plan. There was a slightly higher percentage of companies in the very large enterprise segment (53%) that felt this way. A significantly higher proportion of companies from the Financial Services sector believed that regulatory requirements demanded an effective continuity plan, with 74% of companies from this vertical group, as compared to 51% overall (see sidebar, Business Continuity as a Compliance Issue). Nearly One-Third Use External Service Providers for Business Continuity Twenty-eight percent (28%) of companies manage their continuity plan with the assistance of an external provider. There is a higher reliance on external support in the very large enterprise segment (38% of companies from this segment). Companies in the Financial Services sector showed the highest preference for usage of an external service provider, with 41% of companies from this group (compared to 28% overall). Close to one quarter of companies (22%) have not been able to justify the costs of continuity plans. Most of these companies are focused in the large enterprise segment of 500-999 employees (30%). There is a very slight and insignificant variation by industry group. Business Continuity as a Compliance Issue: The IDA Takes Action Within Canada s financial sector, there is a growing awareness of risks presented by natural and other disasters to the integrity of the capital markets. As a result, new regulatory requirements are moving Business Continuity Planning towards centre stage on management s agenda. The investment dealer industry provides a leading example. In July 2005 the Board of Directors of the Investment Dealers Association (IDA) approved By-law 17.19, Business Continuity Planning (BCP) requirements. The new By-law requires that all IDA Members have a documented BCP, implemented and tested by of July 31, 2006. The adoption of this By-law makes it a requirement for all IDA Member firms to have a documented and tested continuity plan. The objective of requiring an IDA member firm to have a BCP is to provide clients with access to their assets within a maximum of 48 hours following a significant disruption. The IDA board has defined access to assets to mean the ability of the clients to buy, sell or redeem securities and have assets (including funds) delivered out based on clients instructions. Compliance to By-law 17.19 means that each IDA Member firm must: Designate a member of senior management to be responsible for Business Continuity Planning. Have a documented Business Continuity Plan that assures clients can access their assets within 48 hours following a significant disruption. The Member s BCP may be a collection of individual plans, but must be based on the results of Business Impact Assessments. Ensure that the BCP complies, at minimum, with the requirements specified in the IDA s BCP Guidelines and in the IDA s BCP Adequacy Checklist. Keep the BCP up to date at all times and test their BCP at least annually. Key to the IDA By-law is the requirement to have the BCP reviewed by an independent third party who would report to the IDA on the adequacy of the Member s BCP.

4 Building a Continuity Culture Low Tolerance for Downtime Companies overwhelmingly agreed that they have little tolerance for downtime where critical functions are involved. Eighty-three percent (83%) of companies reported a low tolerance threshold when it comes to downtime, providing clear indication that reliability is a highly significant requirement in most mid and large size es. This finding was unanimously important across all market sizes and vertical groups. Figures 1 and 2 present further detail by market size and industry group. 100 Figure 1. Conditions that Apply to Company, By Market Size 80 83 81 60 Per cent 40 51 41 28 20 22 83 82 81 83 73 88 55 40 53 39 42 50 30 21 38 19 30 19 Base: Valid Respondents (n=254) We have little tolerance for downtime where critical functions are involved. We manage and test our continuity plan internally. Market and regulatory requirements demand an effective tested Business continuity is a challenge to manage in an outsourced technology environment. We manage and test our continuity plan with the help of an external provider. We have not been able to justify the costs of continuity arrangements. continuity plan. Mid Market (100-499) Large (500-999) Very Large (1000+) Total

Building a Continuity Culture 5 Figure 2. Conditions that Apply to Company, By Industry 100 80 83 81 Per cent 60 40 51 41 28 20 22 81 89 78 85 80 89 80 81 42 74 43 56 43 37 35 44 20 41 28 32 22 15 22 23 Base: Valid Respondents (n=254) We have little tolerance for downtime where critical functions are involved. We manage and test our continuity plan internally. Market and regulatory requirements demand an effective tested Business continuity is a challenge to manage in an outsourced technology environment. We manage and test our continuity plan with the help of an external provider. We have not been able to justify the costs of continuity arrangements. continuity plan. Financial and Insurance Manufacturing Government Services Total Minimizing the Risk of Critical Business Interruptions A majority of companies reported the establishment of procedures to reduce the risk of critical service and functions from being interrupted. Eighty-three per cent (83%) of companies in this study indicated that they have procedures in place to ensure the continuation and recovery of services and processes in the event of a disruption. Only nine per cent of companies reported that they do not have a contingency plan in place to reduce this risk of critical interruptions. Three quarters (76%) of the responding companies stated that they document and test specific processes, and 73% indicated that they have a continuity plan in place to prevent disruptive or prolonged interruptions. There was very slight variation by market size and industry group, as shown in Figures 3 and 4

6 Building a Continuity Culture Figure 3. Minimizing the Risks of Critical Business Interruptions, By Market Size 00 100 80 80 83 76 73 Per cent 60 40 60 40 20 20 83 84 81 75 76 78 74 70 75 7 13 13 0 Base: Valid Respondents (n=254) 9 Establish Document and test Have a Do not have procedures if a specific processes. continuity plan. predetermined contingency plan. interruption occurs. Mid Market (100-499) Large (500-999) Very Large (1000+) Total

Building a Continuity Culture 7 00 100 Figure 4. Minimizing the Risks of Critical Business Interruptions, By Industry 80 80 83 76 73 60 Per cent 40 60 40 20 20 85 78 87 80 75 78 72 78 73 78 80 67 11 11 6 10 0 Base: Valid Respondents (n=254) 9 Have a continuity plan. Document and test specific processes. Establish procedures if a interruption Do not have predetermined occurs. contingency plan. Financial and Insurance Manufacturing Government Services Total Survey Methodology The research for this study is based on primary data collection. A total of 254 companies were selected to participate. Data was collected from October to December 2005. One senior respondent was qualified and interviewed from each company. The prerequisite qualification for respondents was that they be senior decision makers within their company in either an IT or executive capacity. This included CIOs, CTOs, Directors and Managers; executives included CEOs, Presidents, CFOs VPs, LOBs, Directors and Senior Managers. The research was conducted using two parallel approaches: an on-line survey and a telephone interview. No aspect of the survey or interview was revealed to the respondent prior to the interview to ensure the validity and spontaneity of responses. A sample of this size provides an overall margin of error of +/- 6.19 percentage points, 19 times out of 20.

8 Building a Continuity Culture About KPMG KPMG LLP is the Canadian member firm of KPMG International, the global network of professional services firms whose aim is to turn knowledge into value for the benefit of their clients, people and the capital markets. With nearly 94,000 people worldwide, KPMG member firms provide industry-focused audit, tax, and advisory services from more than 717 cities in 148 countries. Please visit www.kpmg.ca. KPMG s Advisory practice offers a suite of high-impact services that can help organizations to build value during a time of change. The practice includes a dedicated team of Business Continuity professionals who assist clients in identifying risks and enhancing their preparedness for unexpected interruptions. For further information contact: Graeme Booth, Advisory Services, Toronto, 416 777-8356, gbooth@kpmg.ca Mike Moszynski, Advisory Services, Toronto, 416 777-8007, mmoszynski@kpmg.ca

kpmg.ca The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2006 KPMG LLP, the Canadian member firm of KPMG International, a Swiss cooperative. All rights reserved. Printed in Canada. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information