Continuity Insights & KPMG LLP Present The 2011-2012 Global Business Continuity Management (BCM) Program Benchmarking Study


Continuity Insights & KPMG LLP Present The 2011-2012 Global Business Continuity Management (BCM) Program Benchmarking Study Retail Segment Report (Final Results) Sponsored by:

2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study

Executive Summary

The complex environment in which businesses operate today creates the need for sophisticated business continuity management (BCM) programs that address a wide range of threats, including natural disasters, technology issues and manmade incidents. It is also important that these programs stay in sync with the strategic goals of the organization.

The 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study is a comprehensive look at the current state of BCM programs and the drivers for further program development. Data used in this report is based on anonymous survey responses from 685 executives in public and private companies, government agencies and authorities, educational institutions, and not-for-profit entities. Respondents come from over 40 countries, with approximately one-third working for organizations with headquarters outside the United States.

The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk landscape, supply chain interdependencies, the emergence and increased usage of cloud computing, mobile applications, and social media. Business continuity professionals should use this report to target underdeveloped capabilities within their own BCM programs. In addition to the report, readers can view the full collection of survey responses on the Continuity Insights Web site (www.continuityinsights.com).

Research Methodology

Respondents for the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, Web site, and email deployments, as well as from other professional organizations that supported the study.

The 20-minute online survey comprised 52 questions and was fielded from November 2011 through January 2012. Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses was collected for each question. KPMG business continuity professionals developed the survey questionnaire. Mint Jutras prepared the resulting tabulation and supplied analysis for select data points. For more information on the study methodology, please contact Mint Jutras at cindy@mintjutras.com.

Requests For Benchmarking Reports & Key Contacts

If you would like to benchmark your organization by leveraging the 2011-2012 Continuity Insights and KPMG LLP Business Continuity Management (BCM) Program Benchmarking Study or custom reports, please provide the following information to Bob Nakao at robert.nakao@advantagemedia.com:

- Your name
- Your organization
- Your title
- Your e-mail address
- The complete study and/or custom report(s) you would like to receive: industry, type of entity, region of HQ operation, number of employees or annual revenue.

You will be provided the custom report(s), if available, generally within five (5) business days of the receipt of your request. Custom reports available by type of entity include public companies, private companies, government agencies and authorities, and not-for-profits. Custom reports for industries include education, financial services, computers/information technology/telecommunications, government, healthcare, manufacturing, professional services, and utilities.

2012 Continuity Insights/KPMG LLP

Survey Questions

1 Does your organization use survey results to enhance and/or generate executive support for your Business Continuity Management (BCM) Program?
2 How would you describe your organization's industry?
3 How many people are employed by your organization at all locations?
4 Which best describes your organization, type of entity, or enterprise?
5 How would you describe the geographical range of your operations?
6 Please indicate the location of your organization's global headquarters.
7 What are your company's approximate annual revenues in U.S. dollars?
8 Which best describes your primary job function?
9 How long has the BCM Program been in place at your organization?
10 What are the primary reasons for the establishment of the BCM Program at your organization?
11 Does your organization measure performance of the BCM Program?
12 How does your organization measure performance of the BCM Program?
13 What Business Continuity Standards are used by your company to support the BCM Program?
14 Has your organization incorporated capabilities to utilize social media in your current Business Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans?
15 Does your organization have a Senior Management Advisory or Steering Committee that provides input and assistance to the lead BCM Program Coordinator and BCM Program Coordination Team?
16 Does your organization have a designated full-time or part-time lead BCM Program Coordinator authorized to administer and keep the BCM Program current?
17 Which best describes the job title of the lead BCM Program Coordinator?
18 Which best describes the job title of the executive sponsor for the BCM Program?
19 Which best describes the C-Level executive with ultimate reporting responsibility for your BCM Program?
20 Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the BCM Program in your Corporate Program Office AND in your various Business Units/Functions (including contractors).
21 Please estimate the total budget for all staff in U.S. dollars (including contractors).
22 Please estimate the budget for the following components of your BCM Program in U.S. dollars.
23 Which of the following choices best describe how your organization's funds are allocated for BCM Program initiatives?
24 What BCM-related software packages has your organization implemented or plans to implement in the next year?
25 Which best describes your organization's current BCM Program status?
26 How would you rate the maturity of your organization's BCM Program?
27 Do you agree that your organization maintains and fosters relationships with external agencies to ensure the recovery of your organization during a disaster?
28 Do you require your mission critical 3rd party service providers to provide evidence that they have a viable BCM Program?
29 How are 3rd party service providers (Utilities, Information Technology, or Business Process Service Providers) integrated within your BCM Program?
30 How are key supply chain stakeholders that you rely on to deliver your products or services to market integrated within your BCM Program?
31 How well integrated is your BCM Program with the following capabilities?
32 How often does your organization conduct Risk Assessments?
33 How often does your organization conduct a Business Impact Analysis (BIA)?
34 How much would you estimate business disruptions have cost your organization in both outlays and internal (soft) costs in the past 12 months?
35 What would you estimate the total financial impact would be of a major disruption or outage that lasts for 5 business days?
36 Has your organization experienced an incident or interruption in the past year that caused you to activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans?
37 For the most recent interruption that required you to activate one or more BCM Plans, how well was your recovery time objective met?
38 When was your company's most recent Business Continuity Plan exercise?
39 What elements of your BCM Program were utilized during your most recent exercise?
40 What external companies or agencies have been involved with your most recent BCM Program exercise?
41 What percentage of your IT budget does your organization spend on disaster recovery capabilities?
42 What is your organization's current IT recovery strategy?
43 Which elements of your organization's current IT recovery strategy are undergoing change?
44 Is cyberterrorism included in your organization's current BCM Plans, Disaster Recovery Plans, and/or Crisis Management Plans?
45 What percentage of your organization's application data is currently stored in the cloud?
46 When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with representatives from other key stakeholder companies or agencies?
47 How frequently does your organization carry out full scenario testing of its Disaster Recovery Plan?
48 Please indicate which of the following are utilized by your organization, and have an IT Disaster Recovery Plan with documented procedures and written guidelines.
49 Did your organization's employees receive sufficient Business Continuity Management training in the past year?
50 What was your organization's investment in Disaster/Emergency Management and BCM training this past year in comparison to the year before?
51 What types of ongoing BCM training are utilized by your organization?

Twenty-seven (27) responses were received from respondents that identified they work in the retail industry. The reader should consider the results in this custom report as directionally correct.

QUESTION 1
Does your organization use survey results to enhance and/or generate executive support for your Business Continuity Management (BCM) Program?
Yes 81.48%
No 18.52%

QUESTION 2
How would you describe your organization's industry? (select all that apply)
Aerospace/Defense
Automotive 3.70%
Biotechnology
Chemical/Petroleum 3.70%
Communications/Media
Computer/Information Technology Telecommunications 3.70%
Computer/Information Technology Software 7.41%
Computer/Information Technology Services 11.11%
Education
Entertainment/Media 3.70%
Financial Services/Banking 7.41%
Financial Services/Brokerage
Financial Services/Credit Card 7.41%
Financial Services/Credit Union
Financial Services/Investment
Financial Services - Mortgages
Government/City/Municipality
Government - County
Government/State/Providence 3.70%
Government (Federal)
Healthcare Medical/Hospital
Healthcare Medical/Service Provider 3.70%
Human Resources
Insurance
International Non Government Organization (NGO)
Logistics
Manufacturing - Consumer Goods 3.70%
Manufacturing - Industrial Goods (Non-technology)
Manufacturing - Medical Devices/Other Healthcare Products
Not for Profit Organization 3.70%
Pharmaceuticals
Power (Production/Transmission)
Professional Services (Business Continuity/Operational Risk Consulting)
Professional Services (IT/Business Process Outsourcing)
Professional Services - Legal
Professional Services (Other) 3.70%
Retail 100.00%
Transportation/Aviation 3.70%
Transportation/Mass Transit
Transportation/Shipping 3.70%
Transportation - Trucking 3.70%
Utilities/Energy
Utilities/Water
Wholesale Distributors 3.70%
Other (please specify) 7.41%

QUESTION 3
How many people are employed by your organization at all locations? (select one)
Less than 25
25 to 99
100 to 499 3.70%
500 to 999
1,000 to 4,999 11.11%
5,000 to 9,999 18.52%
10,000 to 19,999 11.11%
20,000 or more 55.56%

QUESTION 4
Which best describes your organization, type of entity, or enterprise? (select one)
Public Company 62.96%
Privately-Held Company 29.63%
Government Agency or Authority 3.70%
Education
Not-for-Profit Organization 3.70%

QUESTION 5
How would you describe the geographical range of your operations? (select one)
Local - Single site operation in one location 3.70%
Regional - Multi-site operations in one region of one country 11.11%
National - Multi-site operations throughout the country of the organization's operations 37.04%
Global - Multi-site operations worldwide 48.15%

QUESTION 6
Please indicate the location of your organization's global headquarters. (select one)
Australia
Austria
Bahrain
Belgium 3.70%
Brazil
Canada 11.11%
Chile
China (Hong Kong and Macau)
Columbia
Costa Rica
Denmark
France
Hungary
India
Israel
Italy 3.70%
Japan 3.70%
Germany
Malaysia
Mexico
The Netherlands 3.70%
New Zealand
Poland
Portugal 3.70%
Romania
Saudi Arabia
Singapore
South Africa 3.70%
South Korea (Republic of Korea)
Spain 7.41%
Switzerland
Taiwan
Turkey
United Arab Emirates
United Kingdom
United States 59.26%
Venezuela
Other (please specify)

QUESTION 7
What are your company's approximate annual revenues in U.S. dollars? (select one) (Government agencies, please select Not Applicable)
Less than $10 million
$10 million to $50 million 7.41%
$50 million to $100 million
$100 million to $500 million 7.41%
$500 million to $1 billion 11.11%
$1 billion to $5 billion 25.93%
$5 billion to $10 billion 14.81%
More than $10 billion 22.22%
Not applicable 3.70%
Do not know 7.41%

QUESTION 8
Which best describes your primary job function? (select one)
Business Continuity Management or BC Coordinator in Corporate Program Office 50.00%
Business Continuity Coordinator in Business Unit/Site/Support Group 3.85%
Compliance/Internal Audit
Crisis Management/Emergency Management 7.69%
Enterprise Risk Management 3.85%
Employee Health and Safety
Facilities Management/Real Estate
Finance/Accounting
Insurance/Liability Management
IT Disaster Recovery (IT DR) Planning 23.08%
Legal
Security Management 7.69%
Consultant/Analyst
Other (please specify) 3.85%

QUESTION 9
How long has the BCM Program been in place at your organization? (select one)
Less than 1 year 8.00%
1 year to 3 years 20.00%
3 years to 5 years 16.00%
5 years to 10 years 44.00%
10 years to 20 years 8.00%
More than 20 years
Do not know 4.00%

QUESTION 10
What are the primary reasons for the establishment of the BCM Program at your organization? (select all that apply)
Address audit finding(s) 8.33%
Continuity of business operations 50.00%
Customer request or requirement 6.25%
Federal government regulations/required by law 2.08%
Reputation 16.67%
Required by law 2.08%
Unique competitive advantage 4.17%
Other (please specify) 10.42%

QUESTION 11
Does your organization measure performance of the BCM Program?
YES 72.00%
NO 28.00%

QUESTION 12
How does your organization measure performance of the BCM Program? (select all that apply)
Audit findings 13.64%
Benchmarking/comparison to industry norms 10.61%
Maturity modeling 9.09%
Metrics program (including executive reporting) 12.12%
BCM Program reviews 15.15%
Business Continuity Plan exercises 19.70%
Service level monitoring 3.03%
Review program capabilities vs. standards 3.03%
Technology recovery test results 12.12%
Cost/Benefit Analysis 1.52%
Other (please specify)

QUESTION 13
What Business Continuity Standards are used by your company to support the BCM Program? (select all that apply)
Australia - AS/NZS 5050:2010 Business continuity - Managing disruption-related risk
Australia - AS/NZS ISO 31000:2010 Risk management - Principles and guidelines
Australia - AS/NZS ISO/IEC 27001:2006 : Information technology - Security techniques
Australia - AS/NZS ISO/IEC 27002:2006 : Information technology - Security techniques
Australia - AS 3745-2002 : Emergency control organization and procedures for buildings, structures and workplaces
Austria - ONR 49000
Austria - ONR 49001
Austria - ONR 49002-1
Austria - ONR 49002-2
Austria - ONR 49002-3
Austria - ONR 49003:2008
Brazil - NC nº06/in01/dsic/gsipr Gestão De Continuidade de Negócios
Canada - CAN/CSA-Z 731-03
Canada - CSA Z1600-08
China (Including Hong Kong and Macau) - Refer to International List
Denmark - DS 3001:2009 Organisatorisk Robusthed
Germany - Refer to International List
India - Refer to International List
Israel - SI 24001:2007
Japan - Refer to International List
Malaysia - MS1970:2007
Netherlands - NEN 7131:2010 Organizational Resilience
New Zealand - SAA/SNZ HB221:2004
New Zealand - AS/NZS 5050
New Zealand - AS/NZS 4360
Singapore - SS 540:20-08
Singapore - SS 507:2004
Singapore - MAS Consultation Paper on Business Continuity Planning (BCP) Guidelines (10 Jan 2003)
Singapore - MAS Guidelines on Outsourcing Section 6.6 BCM (Oct 2004)
Singapore - TR19:2005
South Korea - KS A ISO/PAS 22399
UK - BS25999-1 : 2006 Code of Practice for Business Continuity management 13.51%
UK - BS25999-2 : 2007 Specification for Business Continuity management 16.22%
UK - BS25777: 2008 ICT Service Continuity
UK - BS31100:2009 Risk Management Standard
UK - PD 25111 Human Aspects of BCM published 2010
UK - PD 25666 Exercising BCM published 2010
UK - PD 25888 Guidance on Business Recovery (Estimated Q2, 2011)
UK - PD 25222 Guidance on Supply Chain Continuity (Estimated Q3, 2011)
USA - ASIS SPC.1-2009 2.70%
USA - ASIS BCM.01-2010 2.70%
USA - ANSI/ARMA 5-2003
USA - CTIA Telecommunication Industry BCM Standard and certification
USA - NERC CIP 002-009 2006 2.70%
USA - NIST SP 800-34
USA - NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs 32.43%
USA - NFPA111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
USA - NFPA 232 : Standard on Protection of Records
International - COBIT Control Objectives for information & related technology 4.1 (May 2007) 2.70%
International - ITIL v.3 (international) IT Infrastructure Library 13.51%
International - ISO/IEM 22300
International - ISO DIS 22301 Continuity Management System Requirements (Estimated Q2, 2012)
International - ISO PAS 22399
International - ISO/IEC 27031
International - ISO 9000 series Management Systems Standards Quality
International - ISO/IEC 27001:2005 Management Systems Standards Information Security
International - ISO/IEC 27002:2005 Management Systems Standards Information Security
International - ISO/IEC 24762 Management Systems Standards Information Security
5.41% 8.11%
International - ISO/IEC 27035 Management Systems Standards Information Security
International - ISO 31000:2009 Risk Management Standard

QUESTION 14
Has your organization incorporated capabilities to utilize social media in your current Business Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans? (select one)
Yes, included in current plans 17.39%
No, not included in current plans 52.17%
Plans are currently in development 30.43%

QUESTION 15
Does your organization have a Senior Management Advisory or Steering Committee that provides input and assistance to the lead BCM Program Coordinator and BCM Program Coordination Team? (select one)
Yes 65.22%
No 21.74%
Committee under development 13.04%
Do not know

QUESTION 16
Does your organization have a designated full-time or part-time lead BCM Program Coordinator authorized to administer and keep the BCM Program current? (select one)
Yes, full-time 73.91%
Yes, part-time 13.04%
No 13.04%

QUESTION 17
Which best describes the job title of the lead BCM Program Coordinator? (select one)
Vice President, Business Continuity Management or Business Resilience
Director or Manager, Business Continuity Management or Business Resilience 52.63%
Vice President, Risk Management 5.26%
Director or Manager, Risk Management 15.79%
Vice President of Information Technology
Director or Manager of Information Technology
CEO/President
Chief Operating Officer
Chief Financial Officer
Chief Information Officer
Chief Risk Officer
Chief Security Officer, VP/Director Specific Department Director/Manager 10.53%
Other (please specify) 15.79%

QUESTION 18
Which best describes the job title of the executive sponsor for the BCM Program? (select one)
CEO/President
Chief Operating Officer 10.53%
Chief Financial Officer 31.58%
Chief Information Officer 15.79%
Chief Risk Officer 15.79%
Chief Continuity Officer Emergency Management
Vice President, Information Technology 10.53%
Other Corporate/Executive Management 15.79%

QUESTION 19
Which best describes the C-Level executive with ultimate reporting responsibility for your BCM Program? (select one)
CEO 4.55%
Chief Administrative Officer
Chief Compliance Officer
Chief Operating Officer
Chief Financial Officer 36.36%
Chief Information Officer 22.73%
Chief Information Security Officer 4.55%
Chief Risk Officer 18.18%
Chief Security Officer
Chief Technology Officer 4.55%
General Counsel 9.09%
President
Other C-Level Executive (Please identify the corporate/executive management title):

QUESTION 20
Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the BCM Program in your Corporate Program Office AND in your various Business Units/Functions (including contractors). Please provide an estimate for all categories listed if you have an understanding of the resources assigned for ALL of the groups noted. Otherwise, please skip this question.
Corporate BCM Program Office - 0 to 2 FTEs 25.93%
Corporate BCM Program Office - 3 to 5 FTEs 5.56%
Corporate BCM Program Office - 6 to 9 FTEs 5.56%
Corporate BCM Program Office - 10 to 20 FTEs
Corporate BCM Program Office - More than 20 FTEs
Various Business Units/Functions - 0 to 2 FTEs 20.37%
Various Business Units/Functions - 3 to 5 FTEs 1.85%
Various Business Units/Functions - 6 to 9 FTEs 3.70%
Various Business Units/Functions - 10 to 20 FTEs 1.85%
Various Business Units/Functions - More than 20 FTEs
Information Technology/Disaster Recovery - 0 to 2 FTEs 12.96%
Information Technology/Disaster Recovery - 3 to 5 FTEs 16.67%
Information Technology/Disaster Recovery - 6 to 9 FTEs 3.70%
Information Technology/Disaster Recovery - 10 to 20 FTEs
Information Technology/Disaster Recovery - More than 20 FTEs 1.85%

QUESTION 21
Please estimate the total budget for all staff in U.S. dollars (including contractors). Please provide an estimate for all categories listed if you have an understanding of the approximate budgets for ALL of the resources listed. Otherwise, please skip this question.
Corporate BCM Program Office - Less than $250,000 18.37%
Corporate BCM Program Office - $250,000 to $500,000 12.24%
Corporate BCM Program Office - $500,000 to $1 million 4.08%
Corporate BCM Program Office - $1 million to $5 million 4.08%
Corporate BCM Program Office - $5 million to $10 million
Corporate BCM Program Office - $10 million to $50 million
Corporate BCM Program Office - More than $50 million
Various Business Units/Functions - Less than $250,000 22.45%
Various Business Units/Functions - $250,000 to $500,000 2.04%
Various Business Units/Functions - $500,000 to $1 million 4.08%
Various Business Units/Functions - $1 million to $5 million
Various Business Units/Functions - $5 million to $10 million
Various Business Units/Functions - $10 million to $50 million
Various Business Units/Functions - More than $50 million
Information Technology/Disaster Recovery - Less than $250,000 10.20%
Information Technology/Disaster Recovery - $250,000 to $500,000 12.24%
Information Technology/Disaster Recovery - $500,000 to $1 million
Information Technology/Disaster Recovery - $1 million to $5 million 10.20%
Information Technology/Disaster Recovery - $5 million to $10 million
Information Technology/Disaster Recovery - $10 million to $50 million
Information Technology/Disaster Recovery - More than $50 million

QUESTION 22 Please estimate the budget for the following components of your BCM Program in U.S. dollars. Please provide an estimate for all categories listed if you have an understanding of the approximate budgets for ALL of the capabilities listed. Otherwise, please skip this question.

BCM Program Third-Party Consultants (include program assessments, improving capabilities, etc.)
- Less than $250,000
- $250,000 to $500,000
- $500,000 to $1 million
- $1 million to $5 million
- $5 million to $10 million
- $10 million to $50 million
- More than $50 million

BCM Software/Hardware (include plan-related document repository and emergency notification solutions)
- Less than $250,000
- $250,000 to $500,000
- $500,000 to $1 million
- $1 million to $5 million
- $5 million to $10 million
- $10 million to $50 million
- More than $50 million

Work Area Recovery (include site costs, 3rd party service providers, etc.)
- Less than $250,000
- $250,000 to $500,000
- $500,000 to $1 million
- $1 million to $5 million
- $5 million to $10 million
- $10 million to $50 million
- More than $50 million
15.89% 0.93% 15.89% 0.93% 10.28% 3.74% 0.93% 0.93%

IT Disaster Recovery Costs (include hardware, software, internal recovery capabilities, 3rd party service provider fees, etc.)
- Less than $250,000
- $250,000 to $500,000
2.80% 3.74%

Retail 2012 Continuity Insights/KPMG LLP

IT Disaster Recovery Costs (include hardware, software, internal recovery capabilities, 3rd party service provider fees, etc.)
- $500,000 to $1 million
- $1 million to $5 million
- $5 million to $10 million
- $10 million to $50 million
1.87% 5.61%
- More than $50 million

Training and Awareness Programs (include internal/external training, registration fees, travel and living expenses for conference attendance, etc.)
- Less than $250,000
- $250,000 to $500,000
- $500,000 to $1 million
- $1 million to $5 million
- $5 million to $10 million
- $10 million to $50 million
- More than $50 million

BCM Program Exercises (include planning, conducting exercises, 3rd-party participation, travel and living expenses, etc.)
- Less than $250,000
- $250,000 to $500,000
- $500,000 to $1 million
- $1 million to $5 million
- $5 million to $10 million
- $10 million to $50 million
0.93% 16.82% 0.93% 14.02% 1.87% 0.93% 0.93%

BCM Program Exercises (include planning, conducting exercises, 3rd-party participation, travel and living expenses, etc.)
- More than $50 million

QUESTION 23 Which of the following choices best describe how your organization's funds are allocated for BCM Program initiatives? (select one)
Do not know 4.35%
On a case-by-case basis based on individual needs 30.43%
As an individual line item in each functional budget 8.70%
On a hybrid chargeback basis with a base fee plus additional usage charges 4.35%
As a percentage of the IT budget 21.74%
As a percentage of the risk management budget 8.70%
As a percentage of the individual functional budget 8.70%
Other, please briefly describe how funds are allocated (BCM Funding): 13.04%

QUESTION 24 What BCM-related software packages has your organization implemented or plans to implement in the next year? (select all that apply)
Business Continuity Management software 21.15%
Business Impact Analysis software 9.62%
Change Management software 7.69%
Emergency Notification software 25.00%
Enterprise Governance Risk and Compliance software 5.77%
Risk Assessment software 5.77%
Microsoft Office Tools (i.e., Word, Excel, etc.) 19.23%
Other (please specify) 5.77%

QUESTION 25 Which best describes your organization's current BCM Program status? (select one)
We are currently in the process of establishing a BCM Program, defining program governance, scope, objectives, budgeting, and format for plans. 4.76%
We are currently in the assessment phase (i.e., Risk Assessment, Business Impact Analysis, Strategy Selection, etc.) for the first time in the program's lifecycle. 4.76%
We are currently developing BCM Plans, Crisis Management Plans, and Disaster Recovery Plans. 14.29%
We have a BCM Policy, Senior Management Steering or Advisory Committee, Business Continuity, Crisis Management, and Disaster Recovery Plans in place and have developed a process for updating those plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests, or real events. 61.90%
Other (please describe) 14.29%

QUESTION 26 How would you rate the maturity of your organization's BCM Program? (select one)
Level 1 (Self Governed) The state of preparedness is generally low across the organization. 4.76%
Level 2 (Supported Self Governed) Senior Management may see value in a BCM Program but they are unwilling to make it a priority at this time. 14.29%
Level 3 (Centrally Governed) A BCM Program Office or Department has been established which centrally delivers BCM Program governance and support services to the business units and other departments within the organization. 42.86%
Level 4 (Enterprise Awakening) Senior management understands and is committed to the strategic importance of an effective BCM Program. All business continuity plans are updated routinely. 23.81%
Level 5 (Planned Growth) A multi-year plan has been adopted to continuously raise the bar for planning sophistication and enterprise wide state of preparedness. 9.52%
Level 6 (Synergistic) Cross-functional coordination has led participants to develop and successfully test upstream and downstream integration of their business 4.76%

QUESTION 27 Do you agree that your organization maintains and fosters relationships with external agencies to ensure the recovery of your organization during a disaster? (select one)
Strongly Disagree
Disagree 9.52%
Neutral 4.76%
Agree 76.19%
Strongly Agree 9.52%

QUESTION 28 Do you require your mission critical 3rd party service providers to provide evidence that they have a viable BCM Program?
Yes 61.90%
No 38.10%

QUESTION 29 How are 3rd party service providers (Utilities, Information Technology, or Business Process Service Providers) integrated within your BCM Program? (select one)
Not integrated/not applicable 4.76%
In the process of being integrated 28.57%
Integrated for certain mission critical 3rd party service providers 52.38%
Integrated for all mission critical 3rd party service providers 14.29%
Integrated for all 3rd party service providers

QUESTION 30 How are key supply chain stakeholders that you rely on to deliver your products or services to market integrated within your BCM Program? (select one)
Not integrated/not applicable 19.05%
In the process of being integrated 38.10%
Integrated for certain supply chain stakeholders 42.86%
Integrated for all supply chain stakeholders

QUESTION 31 How well integrated is your BCM Program with the following capabilities? (select a response for each category listed)
Compliance/Audit - Completely Integrated 2
Compliance/Audit - Well Integrated 15.00%
Compliance/Audit - Somewhat Integrated 3
Compliance/Audit - Not at all Integrated 3
Compliance/Audit - Not Applicable 5.00%
Corporate Security - Completely Integrated 3
Corporate Security - Well Integrated 25.00%
Corporate Security - Somewhat Integrated 4
Corporate Security - Not at all Integrated 5.00%
Corporate Security - Not Applicable
Crisis Management - Completely Integrated 4
Crisis Management - Well Integrated 25.00%
Crisis Management - Somewhat Integrated 35.00%
Crisis Management - Not at all Integrated
Crisis Management - Not Applicable
Employee Health and Safety - Completely Integrated 2
Employee Health and Safety - Well Integrated 35.00%
Employee Health and Safety - Somewhat Integrated 4
Employee Health and Safety - Not at all Integrated 5.00%
Employee Health and Safety - Not Applicable
Enterprise Risk Management - Completely Integrated 3
Enterprise Risk Management - Well Integrated 3
Enterprise Risk Management - Somewhat Integrated 25.00%
Enterprise Risk Management - Not at all Integrated 1
Enterprise Risk Management - Not Applicable 5.00%
Facilities/Real Estate Management - Completely Integrated 25.00%
Facilities/Real Estate Management - Well Integrated 25.00%
Facilities/Real Estate Management - Somewhat Integrated 4
Facilities/Real Estate Management - Not at all Integrated 1
Facilities/Real Estate Management - Not Applicable
Information Technology Management - Completely Integrated 35.00%
Information Technology Management - Well Integrated 45.00%
Information Technology Management - Somewhat Integrated 15.00%
Information Technology Management - Not at all Integrated 5.00%
Information Technology Management - Not Applicable
Information Security Management - Completely Integrated 15.00%
Information Security Management - Well Integrated 55.00%
Information Security Management - Somewhat Integrated 25.00%
Information Security Management - Not at all Integrated 5.00%
Information Security Management - Not Applicable
Strategic Sourcing/Procurement - Completely Integrated
Strategic Sourcing/Procurement - Well Integrated 3
Strategic Sourcing/Procurement - Somewhat Integrated 45.00%

Strategic Sourcing/Procurement - Not at all Integrated 2
Strategic Sourcing/Procurement - Not Applicable 5.00%
Strategic Planning - Completely Integrated
Strategic Planning - Well Integrated 2
Strategic Planning - Somewhat Integrated 5
Strategic Planning - Not at all Integrated 2
Strategic Planning - Not Applicable 1
Relationships with 3rd Party Service Providers - Completely Integrated 5.00%
Relationships with 3rd Party Service Providers - Well Integrated 15.00%
Relationships with 3rd Party Service Providers - Somewhat Integrated 55.00%
Relationships with 3rd Party Service Providers - Not at all Integrated 25.00%
Relationships with 3rd Party Service Providers - Not Applicable
Relationships with Public Authorities - Completely Integrated 5.00%
Relationships with Public Authorities - Well Integrated 1
Relationships with Public Authorities - Somewhat Integrated 6
Relationships with Public Authorities - Not at all Integrated 25.00%
Relationships with Public Authorities - Not Applicable
Management of Insurance Coverage - Completely Integrated 3
Management of Insurance Coverage - Well Integrated 2
Management of Insurance Coverage - Somewhat Integrated 3
Management of Insurance Coverage - Not at all Integrated 15.00%
Management of Insurance Coverage - Not Applicable 5.00%

QUESTION 32 How often does your organization conduct Risk Assessments? (select one)
In response to business changes 5
Semi-annually 15.00%
Annually 2
Every two years 1
Every three years
Never 5.00%
Other (please specify)

QUESTION 33 How often does your organization conduct a Business Impact Analysis (BIA)? (select one)
In response to business changes 4
Semi-annually 5.00%
Annually 15.00%
Every two years 2
Every three years 15.00%
Never
Other (please specify) 5.00%

QUESTION 34 How much would you estimate business disruptions have cost your organization in both outlays and internal (soft) costs in the past 12 months? (in U.S. dollars) (Include estimated costs of delayed/cancelled product and service revenues from existing offers, new products and services delayed/cancelled, lifetime cost of lost customers, and erosion/loss of brand value.)
Do not know 45.00%
Less than $25,000 2
$25,000 to $50,000 5.00%
$50,000 to $100,000
$100,000 to $250,000 5.00%
$250,000 to $500,000 5.00%
$500,000 to $1 million 1
$1 million to $5 million
More than $5 million 1

QUESTION 35 What would you estimate the total financial impact would be of a major disruption or outage that lasts for 5 business days? (In U.S. dollars) (Include estimated costs of delayed/cancelled product and service revenues from existing offers, new products and services delayed/cancelled, lifetime cost of lost customers, and erosion/loss of brand value.)
Do not know 35.00%
Less than $25,000
$25,000 to $50,000
$50,000 to $100,000
$100,000 to $250,000 5.00%
$250,000 to $500,000 5.00%
$500,000 to $1 million 5.00%
$1 million to $5 million 2
More than $5 million 3

QUESTION 36 Has your organization experienced an incident or interruption in the past year that caused you to activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans? (select yes/no for each type of incident/interruption)
Civil Unrest - Yes 25.00%
Civil Unrest - No 75.00%
Earthquake - Yes 25.00%
Earthquake - No 75.00%
Fire - Yes 42.11%
Fire - No 57.89%
Flood - Yes 4
Flood - No 6
Indirectly Due to Supplier Issues or High Profile Neighbor - Yes 15.00%
Indirectly Due to Supplier Issues or High Profile Neighbor - No 85.00%
IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus, Security, etc. - Yes 3
IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus, Security, etc. - No 7
IT Related - Hardware/Software in Production - Yes 35.00%
IT Related - Hardware/Software in Production - No 65.00%

IT Related - Telecommunications (i.e., Voice, Data, Converged) - Yes 35.00%
IT Related - Telecommunications (i.e., Voice, Data, Converged) - No 65.00%
IT Related - Upgrade/Scheduled Outage - Yes 2
IT Related - Upgrade/Scheduled Outage - No 8
Power - Yes 45.00%
Power - No 55.00%
Privacy - Yes 5.00%
Privacy - No 95.00%
Severe Weather (i.e., Hurricane, Tornado, Winter Weather) - Yes 65.00%
Severe Weather (i.e., Hurricane, Tornado, Winter Weather) - No 35.00%
Terrorist Attack - Yes 1
Terrorist Attack - No 9
Theft - Yes 15.00%
Theft - No 85.00%
Other - Yes 7.69%
Other - No 92.31%
If you selected "Other," please specify: 5.00%

QUESTION 37 For the most recent interruption that required you to activate one or more BCM Plans, how well was your recovery time objective met? (select one)
Completely 25.00%
Mostly 3
Somewhat 5.00%
Not at all
Not applicable 2
Do not know 2

QUESTION 38 When was your company's most recent Business Continuity Plan exercise? (select one)
Within the past 6 months 85.00%
Within the past year 1
Within the past 2 years
We do not exercise our plans 5.00%

QUESTION 39 What elements of your BCM Program were utilized during your most recent exercise? (select all that apply)
Call Tree/Notification Process 20.83%
Integrated people, process, and technology exercise for one or more processes 22.92%
Entire site-specific business and technology recovery exercise 12.50%
Alternate site (work area recovery) exercise 20.83%
Mock crisis/emergency management exercise 20.83%
None/Not applicable 2.08%

QUESTION 40 What external companies or agencies have been involved with your most recent BCM Program exercise? (select all that apply)
Public Sector Agencies 15.00%
Supply Chain Partners 1
3rd Party Service Providers 2
None/Not Applicable 55.00%

QUESTION 41 What percentage of your IT budget does your organization spend on disaster recovery capabilities? (select one)
< 1% 2
1% to 2%
3% to 4%
5% to 10% 1
More than 10%
Do not know 7

QUESTION 42 What is your organization's current IT recovery strategy? (select all that apply)
Internal Hardware and Software Solution 29.17%
External Hardware and Software Solution 20.83%
Combination/Hybrid of Internal and External Solutions 45.83%
Move certain capabilities to a Public Cloud Vendor
Move certain capabilities to a Private Cloud Solution
Other (please specify) 4.17%

QUESTION 43 Which elements of your organization's current IT recovery strategy are undergoing change? (select all that apply)
Internal Hardware and Software Solution 25.71%
External Hardware and Software Solution 11.43%
Combination/Hybrid of Internal and External Solutions 28.57%
Move certain capabilities to a Public Cloud Vendor 8.57%
Move certain capabilities to a Private Cloud Solution 2
Other (please specify) 5.71%

QUESTION 44 Is cyberterrorism included in your organization's current BCM Plans, Disaster Recovery Plans,
Yes, included in current plans 35.00%
No, not included in current plans 4
No, but plans to include are in development 25.00%

QUESTION 45 What percentage of your organization's application data is currently stored in the cloud? (select one)
Do not know 4
None 45.00%
< 10% 15.00%

Between 10% - 24%
Between 25% - 49%
Between 50% - 75%
>75%
All

QUESTION 46 When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with representatives from other key stakeholder companies or agencies? (e.g., supply chain partners, service providers, public sector agencies) (select one)
Never 3
In the past six months 35.00%
Within the last year 15.00%
Within the last two years
More than two years ago 5.00%
Do not know 15.00%

QUESTION 47 How frequently does your organization carry out full scenario testing of its Disaster Recovery Plan? (select one)
Do not know
Never 3
In response to business changes 1
Semi-annually 15.00%
Annually 3
Every two years 1
Every three years
Other (please specify) 5.00%

QUESTION 48 Please indicate which of the following are utilized by your organization, and have an IT Disaster Recovery Plan with documented procedures and written guidelines. (please provide a response for each category)
Cloud Applications - Utilize - HAVE an IT Disaster Recovery Plan 2
Cloud Applications - Utilize - DO NOT have an IT Disaster Recovery Plan 2
Cloud Applications - Do Not Utilize 6
Mobile Applications - Utilize - HAVE an IT Disaster Recovery Plan 45.00%
Mobile Applications - Utilize - DO NOT have an IT Disaster Recovery Plan 2
Mobile Applications - Do Not Utilize 35.00%
Social Media - Utilize - HAVE an IT Disaster Recovery Plan 2
Social Media - Utilize - DO NOT have an IT Disaster Recovery Plan 25.00%
Social Media - Do Not Utilize 55.00%

QUESTION 49 Did your organization's employees receive sufficient Business Continuity Management training in the past year?
YES 45.00%
NO 55.00% 10

QUESTION 50 What was your organization's investment in Disaster/Emergency Management and BCM training this past year in comparison to the year before? (select one)
We spent significantly more money in 2011 than in 2010 3
We spent approximately the same amount of money in 2011 as in 2010 6
We spent less money in 2011 than we did in 2010 1

QUESTION 51 What types of ongoing BCM training are utilized by your organization? (select all that apply)
Attend industry conferences 21.25%
Attend association meetings 23.75%
Attend continuing education courses at colleges/universities 7.50%
Internal company training 16.25%
Training provided by third-party companies 8.75%
Pursue professional certification courses 15.00%
Undergraduate degree program 2.50%
Graduate degree program 3.75%
Other (please specify) 1.25%