continuity insights & 2011-2012 - amazon web …...2011-2012 global business continuity...

Continuity Insights & KPMG LLP Present The

2011-2012 Global Business Continuity Management (BCM) Program Benchmarking Study

20,000 or More PeopleSegment Report

(Final Results)

Sponsored by:

2011-2012 Global Business Continuity Management Program Benchmarking Study

©2012 Continuity Insights/KPMG LLP

2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study Executive Summary The complex environment in which businesses operate today creates the need for sophisticated business continuity management (BCM) programs that address a wide range of threats, including natural disasters, technology issues and manmade incidents. It is also important that these programs stay in sync with the strategic goals of the organization. The 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study is a comprehensive look at the current state of BCM programs and the drivers for further program development. Data used in this report is based on anonymous survey responses from 685 executives in public and private companies, government agencies and authorities, educational institutions, and not-for-profit entities. Respondents come from over 40 countries with approximately one-third working for organizations with headquarters outside the United States. The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk landscape, supply chain interdependencies, the emergence and increased usage of cloud computing, mobile applications, and social media. Business continuity professionals should use this report to target underdeveloped capabilities within their own BCM programs. In addition to the report, readers can view the full collection of survey responses on the Continuity Insights Web site (www.continuityinsights.com). Research Methodology Respondents for the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, Web site, and email deployments, as well as from other professional organizations that supported the study. The 20-minute online survey comprised 52 questions and was fielded from November 2011 through January 2012. Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses was collected for each question. KPMG business continuity professionals developed the survey questionnaire. Mint Jutras prepared the resulting tabulation and supplied analysis for select data points. For more information on the study methodology, please contact Mint Jutras at [email protected]. Requests For Benchmarking Reports & Key Contacts If you would like to benchmark your organization by leveraging the 2011-2012Continuity Insights and KPMG LLP Business Continuity Management (BCM) Program Benchmarking Study or custom reports, please provide the following information to Bob Nakao at [email protected]: • Your name • Your organization • Your title • Your e-mail address • The complete study and/or custom report(s) you would like to receive: industry, type of entity, region of HQ operation, number of employees or annual revenue. You will be provided the custom report(s), if available, generally within five (5) business days of the receipt of your request. Other custom reports are available by type of entity include public companies, private companies, government agencies and authorities, and not for profits. Custom reports for industries include education, financial services, computers/information technology/ telecommunications, government, healthcare, manufacturing, professional services, and utilities.

http://www.continuityinsights.com/

mailto:[email protected]



Survey Questions

1 Does your organization use survey results to enhance and/or generate executive support for your

Business Continuity Management (BCM) Program?

2 How would you describe your organization's industry?

3 How many people are employed by your organization at all locations?

4 Which best describes your organization, type of entity, or enterprise?

5 How would you describe the geographical range of your operations?

6 Please indicate the location of your organization's global headquarters.

7 What are your company's approximate annual revenues in U.S. dollars?

8 Which best describes your primary job function?

9 How long has the BCM Program been in place at your organization?

10 What are the primary reasons for the establishment of the BCM Program at your organization?

11 Does your organization measure performance of the BCM Program?

12 How does your organization measure performance of the BCM Program?

13 What Business Continuity Standards are used by your company to support the BCM Program?

14 Has your organization incorporated capabilities to utilize social media in your current Business

Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans?

15 Does your organization have a Senior Management Advisory or Steering Committee that provides input

and assistance to the lead BCM Program Coordinator and BCM Program Coordination Team?

16 Does your organization have a designated full-time or part-time lead BCM Program Coordinator

authorized to administer and keep the BCM Program current?

17 Which best describes the job title of the lead BCM Program Coordinator?

18 Which best describes the job title of the executive sponsor for the BCM Program?

19 Which best describes the C-Level executive with ultimate reporting responsibility for your BCM

Program?

20 Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the BCM

Program in your Corporate Program Office AND in your various Business Units/Functions (including

contractors).

21 Please estimate the total budget for all staff in U.S. dollars (including contractors).

22 Please estimate the budget for the following components of your BCM Program in U.S. dollars.

23 Which of the following choices best describe how your organization's funds are allocated for BCM

Program initiatives?

24 What BCM-related software packages has your organization implemented or plans to implement in the

next year?

25 Which best describes your organization’s current BCM Program status?

26 How would you rate the maturity of your organization's BCM Program?

27 Do you agree that your organization maintains and fosters relationships with external agencies to

ensure the recovery of your organization during a disaster?

28 Do you require your mission critical 3rd party service providers to provide evidence that they have a

viable BCM Program?



29 How are 3rd party service providers (Utilities, Information Technology, or Business Process Service

Providers) integrated within your BCM Program?

30 How are key supply chain stakeholders that you rely on to deliver your products or services to market

integrated within your BCM Program?

31 How well integrated is your BCM Program with the following capabilities?

32 How often does your organization conduct Risk Assessments?

33 How often does your organization conduct a Business Impact Analysis (BIA)?

34 How much would you estimate business disruptions have cost your organization in both outlays and

internal (soft) costs in the past 12 months?

35 What would you estimate the total financial impact would be of a major disruption or outage that lasts

for 5 business days?

36 Has your organization experienced an incident or interruption in the past year that caused you to

activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans?

37 For the most recent interruption that required you to activate one or more BCM Plans, how well was

your recovery time objective met?

38 When was your company's most recent Business Continuity Plan exercise?

39 What elements of your BCM Program were utilized during your most recent exercise?

40 What external companies or agencies have been involved with your most recent BCM Program

exercise?

41 What percentage of your IT budget does your organization spend on disaster recovery capabilities?

42 What is your organization's current IT recovery strategy?

43 Which elements of your organization's current IT recovery strategy are undergoing change?

44 Is cyberterrorism included in your organization's current BCM Plans, Disaster Recovery Plans, and/or

Crisis Management Plans?

45 What percentage of your organization's application data is currently stored in the cloud?

46 When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with representatives

from other key stakeholder companies or agencies?

47 How frequently does your organization carry out full scenario testing of its Disaster Recovery Plan?

48 Please indicate which of the following are utilized by your organization, and have an IT Disaster

Recovery Plan with documented procedures and written guidelines.

49 Did your organization’s employees receive sufficient Business Continuity Management training in the

past year?

50 What was your organization’s investment in Disaster/Emergency Management and BCM training this

past year in comparison to the year before?

51 What types of ongoing BCM training are utilized by your organization?


QUESTION 1

57.08%

42.92%

QUESTION 2

Aerospace/Defense 3.02%

Automotive 0.00%

Biotechnology 0.93%

Chemical/Petroleum 1.16%

Communications/Media 0.70%

Computer/Information Technology Telecommunications 1.39%

Computer/Information Technology Software 3.02%

Computer/Information Technology Services 5.80%

Education 1.62%

Entertainment/Media 1.39%

Financial Services/Banking 11.14%

Financial Services/Brokerage 6.73%

Financial Services/Credit Card 4.64%

Financial Services/Credit Union 0.93%

Financial Services/Investment 6.73%

Financial Services - Mortgages 4.87%

Government/City/Municipality 0.23%

Government - County 0.46%

Government/State/Providence 1.16%

Government (Federal) 2.09%

Healthcare Medical/Hospital 2.78%

Healthcare Medical/Service Provider 2.55%

Human Resources 0.46%

Insurance 5.57%

International Non Government Organization (NGO) 0.46%

Logistics 1.16%

Manufacturing - Consumer Goods 2.32%

Manufacturing - Industrial Goods (Non-technology) 1.16%

Manufacturing - Medical Devices/Other Healthcare Products 0.70%

Not for Profit Organization 1.39%

Pharmaceuticals 1.62%

Power (Production/Transmission) 0.70%

4.64%

Professional Services (IT/Business Process Outsourcing) 3.25%

Professional Services - Legal 0.00%

Professional Services (Other) 2.09%

Retail 3.48%

Transportation/Aviation 0.70%

Transportation/Mass Transit 0.70%

Transportation/Shipping 0.46%

Transportation - Trucking 0.46%

Utilities/Energy 0.93%

Utilities/Water 0.46%

Wholesale Distributors 0.23%

Other (please specify) 3.71%

Professional Services (Business Continuity/Operational Risk Consulting)

Does your organization use survey results to enhance and/or generate executive support for your

Business Continuity Management (BCM) Program?

Yes

No

How would you describe your organization's industry? (select all that apply)

20,000 or More People ©2012 Continuity Insights/KPMG LLP 1


QUESTION 3How many people are employed by your organization at all locations? (select one)

Less than 25 0.00%

25 to 99 0.00%

100 to 499 0.00%

500 to 999 0.00%

1,000 to 4,999 0.00%

5,000 to 9,999 0.00%

10,000 to 19,999 0.00%

20,000 or more 100.00%

QUESTION 4Which best describes your organization, type of entity, or enterprise? (select one)

Public Company 67.58%

Privately-Held Company 20.09%

Government Agency or Authority 5.02%

Education 2.28%

Not-for-Profit Organization 5.02%

QUESTION 5How would you describe the geographical range of your operations? (select one)

Local - Single site operation in one location 0.46%

Regional - Multi-site operations in one region of one country 7.76%

15.07%

Global - Multi-site operations worldwide 76.71%

QUESTION 6

Australia 0.00%

Austria 0.00%

Bahrain 0.00%

Belgium 0.46%

Brazil 0.46%

Canada 5.94%

Chile 0.46%

China (Hong Kong and Macau) 0.46%

Columbia 0.00%

Costa Rica 0.00%

Denmark 0.00%

France 3.20%

Hungary 0.00%

India 0.46%

Israel 0.00%

Italy 0.00%

Japan 0.91%

Germany 0.91%

Malaysia 0.00%

Mexico 0.00%

The Netherlands 2.74%

New Zealand 0.00%

Poland 0.00%

National - Multi-site operations throughout the country of the organization’s

operations

Please indicate the location of your organization's global headquarters. (select one)



Portugal 0.46%

Romania 0.00%

Saudi Arabia 0.00%

Singapore 0.00%

South Africa 1.83%

South Korea (Republic of Korea) 0.00%

Spain 0.91%

Switzerland 2.74%

Taiwan 0.00%

Turkey 0.00%

United Arab Emirates 0.00%

United Kingdom 4.11%

United States 73.52%

Venezuela 0.46%


QUESTION 7

Less than $10 million 0.00%

$10 million to $50 million 0.46%



$500 million to $1 billion 2.28%

$1 billion to $5 billion 12.33%

$5 billion to $10 billion 15.98%

More than $10 billion 47.95%

Not applicable 6.39%

Do not know 11.87%

QUESTION 8Which best describes your primary job function? (select one)

45.37%

Business Continuity Coordinator in Business Unit/Site/Support Group 10.65%

Compliance/Internal Audit 2.31%

Crisis Management/Emergency Management 4.63%

Enterprise Risk Management 3.70%

Employee Health and Safety 0.46%

Facilities Management/Real Estate 0.46%

Finance/Accounting 0.00%

Insurance/Liability Management 0.46%

IT Disaster Recovery (IT DR) Planning 12.96%

Legal 0.93%

Security Management 4.63%

Consultant/Analyst 7.41%


Business Continuity Management or BC Coordinator in Corporate Program Office

What are your company's approximate annual revenues in U.S. dollars? (select one) (Government

agencies, please select Not Applicable)



QUESTION 9How long has the BCM Program been in place at your organization? (select one)

Less than 1 year 1.88%

1 year to 3 years 7.98%

3 years to 5 years 18.31%



More than 20 years 6.57%

Do not know 7.98%

QUESTION 10

Address audit finding(s) 13.08%

Continuity of business operations 29.51%

Customer request or requirement 10.21%

Federal government regulations/required by law 12.76%

Reputation 18.34%

Required by law 7.34%

Unique competitive advantage 7.50%


QUESTION 11Does your organization measure performance of the BCM Program?

YES 76.53%

NO 23.47%

QUESTION 12

Audit findings 13.52%

Benchmarking/comparison to industry norms 8.56%

Maturity modeling 8.44%

Metrics program (including executive reporting) 13.90%

BCM Program reviews 12.16%

Business Continuity Plan exercises 16.87%

Service level monitoring 4.47%

Review program capabilities vs. standards 6.70%

Technology recovery test results 12.16%

Cost/Benefit Analysis 2.98%


What are the primary reasons for the establishment of the BCM Program at your organization?

(select all that apply)

How does your organization measure performance of the BCM Program? (select all that apply)



QUESTION 13

1.08%

0.90%

0.36%

0.36%

0.18%

Austria - ONR 49000 0.00%

Austria - ONR 49001 0.00%

Austria - ONR 49002-1 0.00%

Austria - ONR 49002-2 0.00%

Austria - ONR 49002-3 0.00%

Austria - ONR 49003:2008 0.00%

0.18%

Canada - CAN/CSA-Z 731-03 1.26%

Canada - CSA Z1600-08 1.44%

China (Including Hong Kong and Macau) - Refer to International List 0.36%

Denmark - DS 3001:2009 Organisatorisk Robusthed 0.00%

Germany - Refer to International List 0.18%

India - Refer to International List 0.00%

Israel - SI 24001:2007 0.00%

Japan - Refer to International List 0.36%

Malaysia - MS1970:2007 0.36%

Netherlands - NEN 7131:2010 Organizational Resilience 0.18%

New Zealand - SAA/SNZ HB221:2004 0.18%

New Zealand - AS/NZS 5050 0.36%

New Zealand - AS/NZS 4360 0.36%

Singapore - SS 540:20-08 0.36%

Singapore - SS 507:2004 0.18%

0.54%

0.36%

Singapore - TR19:2005 0.36%

South Korea - KS A ISO/PAS 22399 0.18%

11.89%

12.07%

UK - BS25777: 2008 ICT Service Continuity 1.26%

UK - BS31100:2009 Risk Management Standard 0.72%

"UK -PD 25111 Human Aspects of BCM published 2010" 0.36%

"UK -PD 25666 Exercising BCM published 2010" 0.54%

"UK -PD 25888 Guidance on Business Recovery (Estimated Q2, 2011)" 0.36%

0.36%

"USA -ASIS SPC.1-2009" 2.70%

"USA -ASIS BCM.01-2010" 4.68%

"UK -PD 25222 Guidance on Supply Chain Continuity (Estimated Q3, 2011)"

Brazil - NC nº06/IN01/DSIC/GSIPR – Gestão De Continuidade de Negócios

Singapore - MAS Consultation Paper on Business Continuity Planning 9BCP)

Guidelines (10 Jan 2003)

Singapore - MAS Guidelines on Outsourcing – Section 6.6 BCM (Oct 2004)

UK - BS25999-1 : 2006 Code of Practice for Business Continuity management

UK - BS25999-2 : 2007 Specification for Business Continuity management

Australia - AS/NZS 5050:2010 Business continuity - Managing disruption-related risk

Australia - AS/NZS ISO 31000:2010 Risk management - Principles and guidelines

Australia - AS/NZS ISO/IEC 27001:2006 : Information technology - Security

techniques

Australia - AS/NZS ISO/IEC 27002:2006 : Information technology - Security

techniques

Australia - AS 3745-2002 : Emergency control organization and procedures for

buildings, structures and workplaces

What Business Continuity Standards are used by your company to support the BCM Program?




"USA -ANSI/ARMA 5-2003" 1.44%

1.62%

"USA -NERC CIP 002-009 2006" 0.54%

"USA -NIST SP 800-34" 3.96%

18.20%

0.72%

USA - NFPA 232 : Standard on Protection of Records 1.62%

3.60%

"International - ITIL v.3 (international) – IT Infrastructure Library 4.86%

"International -ISO/IEM 22300" 0.90%

1.80%

"International -ISO PAS 22399" 0.72%

"International -ISO/IEC 27031" 0.54%

3.06%

3.96%

2.34%

1.08%

1.08%

"International -ISO 31000:2009 Risk Management Standard" 2.88%

QUESTION 14

Yes, included in current plans 19.51%

No, not included in current plans 54.63%

Plans are currently in development 25.85%

QUESTION 15

Yes 71.71%

No 15.12%

Committee under development 7.32%

Do not know 5.85%

QUESTION 16

Yes, full-time 84.39%

Yes, part-time 8.29%

No 7.32%

"International -ISO/IEC 24762 Management Systems Standards “ Information

Security"

"International -ISO/IEC 27035 Management Systems Standards “ Information

Security"

Has your organization incorporated capabilities to utilize social media in your current Business

Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans? (select

one)

Does your organization have a Senior Management Advisory or Steering Committee that provides

input and assistance to the lead BCM Program Coordinator and BCM Program Coordination

Team? (select one)

Does your organization have a designated full-time or part-time lead BCM Program Coordinator

authorized to administer and keep the BCM Program current? (select one)

"International -COBIT – Control Objectives for information & related technology 4.1

(May 2007)

"International -ISO DIS 22301 Continuity Management System Requirements

(Estimated Q2, 2012)"

"International -ISO 9000 series Management Systems Standards “ Quality"

"International -ISO/IEC 27001:2005 Management Systems Standards “ Information

Security"

"International -ISO/IEC 27002:2005 Management Systems Standards “ Information

Security"

"USA -CTIA Telecommunication Industry BCM Standard and certification"

USA - NFPA Standard 1600 on Disaster/Emergency Management and Business

Continuity Programs

USA - NFPA111: Standard on Stored Electrical Energy Emergency and Standby

Power Systems



QUESTION 17

13.98%

48.39%

Vice President, Risk Management 4.84%

Director or Manager, Risk Management 10.75%

Vice President of Information Technology 0.54%

Director or Manager of Information Technology 1.61%

CEO/President 0.00%

Chief Operating Officer 0.54%

Chief Financial Officer 0.00%

Chief Information Officer 1.08%

Chief Risk Officer 0.00%

Chief Security Officer, VP/Director 4.30%

Specific Department Director/Manager 5.91%


QUESTION 18

CEO/President 10.11%





Chief Continuity Officer 2.25%

Emergency Management 2.25%

Vice President, Information Technology 7.87%

Other Corporate/Executive Management 22.47%

QUESTION 19

CEO 15.92%

Chief Administrative Officer 1.99%

Chief Compliance Officer 1.00%




Chief Information Security Officer 5.47%


Chief Security Officer 6.97%

Chief Technology Officer 6.47%

General Counsel 1.49%

President 2.49%

8.96%

Vice President, Business Continuity Management or Business Resilience

Director or Manager, Business Continuity Management or Business Resilience

Which best describes the job title of the executive sponsor for the BCM Program? (select one)

Which best describes the C-Level executive with ultimate reporting responsibility for your BCM

Program? (select one)

Other C-Level Executive (Please identify the corporate/executive management

title):

Which best describes the job title of the lead BCM Program Coordinator? (select one)



QUESTION 20

Corporate BCM Program Office - 0 to 2 FTEs 11.44%




Corporate BCM Program Office - More than 20 FTEs 3.55%

Various Business Units/Functions - 0 to 2 FTEs 10.65%




Various Business Units/Functions - More than 20 FTEs 10.45%

Information Technology/Disaster Recovery - 0 to 2 FTEs 8.48%




Information Technology/Disaster Recovery - More than 20 FTEs 7.89%

QUESTION 21

Corporate BCM Program Office - Less than $250,000 11.71%

Corporate BCM Program Office - $250,000 to $500,000 7.71%

Corporate BCM Program Office - $500,000 to $1 million 8.29%

Corporate BCM Program Office - $1 million to $5 million 6.57%



Corporate BCM Program Office - More than $50 million 0.29%

Various Business Units/Functions - Less than $250,000 14.86%

Various Business Units/Functions - $250,000 to $500,000 5.14%

Various Business Units/Functions - $500,000 to $1 million 4.00%

Various Business Units/Functions - $1 million to $5 million 3.43%



Various Business Units/Functions - More than $50 million 0.57%

Information Technology/Disaster Recovery - Less than $250,000 8.86%

Information Technology/Disaster Recovery - $250,000 to $500,000 3.43%

Information Technology/Disaster Recovery - $500,000 to $1 million 6.86%

Information Technology/Disaster Recovery - $1 million to $5 million 8.00%



Information Technology/Disaster Recovery - More than $50 million 0.86%

Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the

BCM Program in your Corporate Program Office AND in your various Business Units/Functions

(including contractors). Please provide an estimate for all categories listed if you have an

understanding of the resources assigned for ALL of the groups noted. Otherwise, please skip this

question.

Please estimate the total budget for all staff in U.S. dollars (including contractors). Please provide

an estimate for all categories listed if you have an understanding of the approximate budgets for

ALL of the resources listed. Otherwise, please skip this question.



QUESTION 22

12.20%

2.13%

1.98%

0.46%

0.30%

0.00%

0.15%

10.37%

3.05%

1.83%

1.22%

0.30%

0.00%

0.15%

8.54%

2.13%

1.98%

1.37%

1.07%

0.30%

0.30%

3.81%

1.98%

IT Disaster Recovery Costs (include hardware, software, internal recovery

capabilities, 3rd party service provider fees, etc.) - $250,000 to $500,000

Work Area Recovery (include site costs, 3rd party service providers, etc.) - $1

million to $5 million





Work Area Recovery (include site costs, 3rd party service providers, etc.) - More

than $50 million


capabilities, 3rd party service provider fees, etc.) - Less than $250,000

BCM Software/Hardware (include plan-related document repository and

emergency notification solutions) - $10 million to $50 million


emergency notification solutions) - More than $50 million

Work Area Recovery (include site costs, 3rd party service providers, etc.) - Less than

$250,000

Work Area Recovery (include site costs, 3rd party service providers, etc.) - $250,000

to $500,000

Work Area Recovery (include site costs, 3rd party service providers, etc.) - $500,000

to $1 million


emergency notification solutions) - Less than $250,000


emergency notification solutions) - $250,000 to $500,000


emergency notification solutions) - $500,000 to $1 million





BCM Program Third-Party Consultants (include program assessments, improving

capabilities, etc.) - $500,000 to $1 million


capabilities, etc.) - $1 million to $5 million






capabilities, etc.) - More than $50 million

Please estimate the budget for the following components of your BCM Program in U.S. dollars.

Please provide an estimate for all categories listed if you have an understanding of the

approximate budgets for ALL of the capabilities listed. Otherwise, please skip this question.


capabilities, etc.) - Less than $250,000


capabilities, etc.) - $250,000 to $500,000



2.74%

4.27%

1.68%

1.22%

0.76%

12.35%

2.59%

1.22%

0.15%

0.46%

0.00%

0.15%

10.37%

3.35%

1.68%

0.76%

0.30%

0.15%

BCM Program Exercises (include planning, conducting exercises, 3rd-party

participation, travel and living expenses, etc.) - $500,000 to $1 million


participation, travel and living expenses, etc.) - $1 million to $5 million





Training and Awareness Programs (include internal/external training, registration

fees, travel and living expenses for conference attendance, etc.) - $5 million to $10

million



million


fees, travel and living expenses for conference attendance, etc.) - More than $50

million


participation, travel and living expenses, etc.) - Less than $250,000


participation, travel and living expenses, etc.) - $250,000 to $500,000


capabilities, 3rd party service provider fees, etc.) - More than $50 million


fees, travel and living expenses for conference attendance, etc.) - Less than

$250,000


fees, travel and living expenses for conference attendance, etc.) - $250,000 to

$500,000


fees, travel and living expenses for conference attendance, etc.) - $500,000 to $1

million



million


capabilities, 3rd party service provider fees, etc.) - $500,000 to $1 million


capabilities, 3rd party service provider fees, etc.) - $1 million to $5 million







0.15%

QUESTION 23

Do not know 29.50%

On a case-by-case basis based on individual needs 19.00%

As an individual line item in each functional budget 12.00%

6.50%

As a percentage of the IT budget 10.00%

As a percentage of the risk management budget 11.00%

As a percentage of the individual functional budget 6.50%

Other, please briefly describe how funds are allocated (BCM Funding): 5.50%

QUESTION 24

Business Continuity Management software 22.31%

Business Impact Analysis software 11.75%

Change Management software 6.18%

Emergency Notification software 23.51%

Enterprise Governance Risk and Compliance software 8.37%

Risk Assessment software 6.57%

MicroSoft© Office Tools (i.e., Word, Excel, etc.) 16.93%


QUESTION 25

6.52%

3.80%

19.02%

65.22%

Other (please describe) 5.43%

We are currently in the assessment phase (i.e., Risk Assessment, Business Impact

Analysis, Strategy Selection, etc.) for the first time in the program’s lifecycle.

We are currently developing BCM Plans, Crisis Management Plans, and Disaster

Recovery Plans.

We have a BCM Policy, Senior Management Steering or Advisory Committee,

Business Continuity, Crisis Management, and Disaster Recovery Plans in place and

have developed a process for updating those plans on a regular basis to reflect

changes in the business and lessons learned from exercises, tests, or real events.

Which of the following choices best describe how your organization's funds are allocated for BCM

Program initiatives? (select one)

On a hybrid chargeback basis with a base fee plus additional usage charges

What BCM-related software packages has your organization implemented or plans to implement

in the next year? (select all that apply)

Which best describes your organization’s current BCM Program status? (select one)

We are currently in the process of establishing a BCM Program, defining program

governance, scope, objectives, budgeting, and format for plans.


participation, travel and living expenses, etc.) - More than $50 million



QUESTION 26How would you rate the maturity of your organization's BCM Program? (select one)

7.61%

7.07%

32.07%

23.37%

19.57%

10.33%

QUESTION 27

Strongly Disagree 6.59%

Disagree 6.59%

Neutral 20.33%

Agree 53.30%

Strongly Agree 13.19%

QUESTION 28

Yes 75.27%

No 24.73%

QUESTION 29

Not integrated/not applicable 14.84%

In the process of being integrated 18.13%

Integrated for certain mission critical 3rd party service providers 39.56%

Integrated for all mission critical 3rd party service providers 23.08%

Integrated for all 3rd party service providers 4.40%

Do you require your mission critical 3rd party service providers to provide evidence that they have

a viable BCM Program?

How are 3rd party service providers (Utilities, Information Technology, or Business Process

Service Providers) integrated within your BCM Program? (select one)

Level 3 (Centrally Governed) – A BCM Program Office or Department has been

established which centrally delivers BCM Program governance and support services

to the business units and other departments within the organization.

Level 4 (Enterprise Awakening) – Senior management understands and is

committed to the strategic importance of an effective BCM Program. All business

continuity plans are updated routinely.

Level 5 (Planned Growth) – A multi-year plan has been plan has been adopted to

“continuously raise the bar” for planning sophistication and enterprise wide state of

preparedness.

Level 6 (Synergistic) – Cross-functional coordination has led participants to develop

and successfully test upstream and downstream integration of their business

Do you agree that your organization maintains and fosters relationships with external agencies to

ensure the recovery of your organization during a disaster? (select one)

Level 1 (Self Governed) – The state of preparedness is generally low across the

organization.

Level 2 (Supported Self Governed) – Senior Management may see value in a BCM

Program but they are unwilling to make it a priority at this time.



QUESTION 30

Not integrated/not applicable 19.78%

In the process of being integrated 25.27%

Integrated for certain supply chain stakeholders 43.96%

Integrated for all supply chain stakeholders 10.99%

QUESTION 31

Compliance/Audit - Completely Integrated 22.03%

Compliance/Audit - Well Integrated 33.33%

Compliance/Audit - Somewhat Integrated 34.46%

Compliance/Audit - Not at all Integrated 7.91%

Compliance/Audit - Not Applicable 2.26%

Corporate Security - Completely Integrated 29.94%

Corporate Security - Well Integrated 32.77%

Corporate Security - Somewhat Integrated 31.07%

Corporate Security - Not at all Integrated 3.95%

Corporate Security - Not Applicable 2.26%

Crisis Management - Completely Integrated 41.24%

Crisis Management - Well Integrated 32.77%

Crisis Management - Somewhat Integrated 22.03%

Crisis Management - Not at all Integrated 3.39%

Crisis Management - Not Applicable 0.56%

Employee Health and Safety - Completely Integrated 25.42%

Employee Health and Safety - Well Integrated 32.77%

Employee Health and Safety - Somewhat Integrated 33.90%

Employee Health and Safety - Not at all Integrated 6.21%

Employee Health and Safety - Not Applicable 1.69%

Enterprise Risk Management - Completely Integrated 24.29%

Enterprise Risk Management - Well Integrated 29.94%

Enterprise Risk Management - Somewhat Integrated 33.90%

Enterprise Risk Management - Not at all Integrated 8.47%

Enterprise Risk Management - Not Applicable 3.39%

Facilities/Real Estate Management - Completely Integrated 22.03%

Facilities/Real Estate Management - Well Integrated 35.03%

Facilities/Real Estate Management - Somewhat Integrated 31.07%

Facilities/Real Estate Management - Not at all Integrated 11.30%

Facilities/Real Estate Management - Not Applicable 0.56%

Information Technology Management - Completely Integrated 31.07%

Information Technology Management - Well Integrated 41.81%

Information Technology Management - Somewhat Integrated 23.73%

Information Technology Management - Not at all Integrated 2.26%

Information Technology Management - Not Applicable 1.13%

Information Security Management - Completely Integrated 23.73%

Information Security Management - Well Integrated 37.29%

Information Security Management - Somewhat Integrated 33.90%

Information Security Management - Not at all Integrated 4.52%

Information Security Management - Not Applicable 0.56%

Strategic Sourcing/Procurement - Completely Integrated 9.60%

Strategic Sourcing/Procurement - Well Integrated 26.55%

Strategic Sourcing/Procurement - Somewhat Integrated 44.07%

How are key supply chain stakeholders that you rely on to deliver your products or services to

market integrated within your BCM Program? (select one)

How well integrated is your BCM Program with the following capabilities? (select a response for

each category listed)



Strategic Sourcing/Procurement - Not at all Integrated 15.25%

Strategic Sourcing/Procurement - Not Applicable 4.52%

Strategic Planning - Completely Integrated 11.30%

Strategic Planning - Well Integrated 20.34%

Strategic Planning - Somewhat Integrated 45.76%

Strategic Planning - Not at all Integrated 19.21%

Strategic Planning - Not Applicable 3.39%

Relationships with 3rd Party Service Providers - Completely Integrated 9.04%

Relationships with 3rd Party Service Providers - Well Integrated 27.12%

Relationships with 3rd Party Service Providers - Somewhat Integrated 48.59%

Relationships with 3rd Party Service Providers - Not at all Integrated 12.99%

Relationships with 3rd Party Service Providers - Not Applicable 2.26%

Relationships with Public Authorities - Completely Integrated 15.25%

Relationships with Public Authorities - Well Integrated 26.55%

Relationships with Public Authorities - Somewhat Integrated 41.24%

Relationships with Public Authorities - Not at all Integrated 14.69%

Relationships with Public Authorities - Not Applicable 2.26%

Management of Insurance Coverage - Completely Integrated 19.21%

Management of Insurance Coverage - Well Integrated 26.55%

36.72%

Management of Insurance Coverage - Not at all Integrated 11.86%

Management of Insurance Coverage - Not Applicable 5.65%

QUESTION 32How often does your organization conduct Risk Assessments? (select one)

In response to business changes 20.34%

Semi-annually 7.34%

Annually 46.89%

Every two years 6.78%

Every three years 3.95%

Never 4.52%


QUESTION 33


Semi-annually 2.82%

Annually 39.55%



Never 6.78%


How often does your organization conduct a Business Impact Analysis (BIA)? (select one)

Management of Insurance Coverage - Somewhat IntegratedManagement of

Insurance Coverage - Not at all Integrated Management of Insurance Coverage -



QUESTION 34

Do not know 55.37%

Less than $25,000 9.60%

$25,000 to $50,000 1.69%

$50,000 to $100,000 1.13%

$100,000 to $250,000 7.91%

$250,000 to $500,000 4.52%

$500,000 to $1 million 8.47%


More than $5 million 7.34%

QUESTION 35

Do not know 45.20%

Less than $25,000 1.69%

$25,000 to $50,000 0.00%

$50,000 to $100,000 0.56%

$100,000 to $250,000 0.00%

$250,000 to $500,000 3.95%

$500,000 to $1 million 5.08%


More than $5 million 31.07%

QUESTION 36

Civil Unrest - Yes 29.55%

Civil Unrest - No 70.45%

Earthquake - Yes 46.59%

Earthquake - No 53.41%

Fire - Yes 34.10%

Fire - No 65.90%

Flood - Yes 50.57%

Flood - No 49.43%

Indirectly Due to Supplier Issues or High Profile Neighbor - Yes 18.86%

Indirectly Due to Supplier Issues or High Profile Neighbor - No 81.14%

40.57%

59.43%

IT Related - Hardware/Software in Production - Yes 35.80%

IT Related - Hardware/Software in Production - No 64.20%

How much would you estimate business disruptions have cost your organization in both outlays

and internal (soft) costs in the past 12 months? (in U.S. dollars) (Include estimated costs of

delayed/cancelled product and service revenues from existing offers, new products and services

delayed/cancelled, lifetime cost of lost customers, and erosion/loss of brand value.)

What would you estimate the total financial impact would be of a major disruption or outage that

lasts for 5 business days? (In U.S. dollars)(Include estimated costs of delayed/cancelled product

and service revenues from existing offers, new products and services delayed/cancelled, lifetime

cost of lost customers, and erosion/loss of brand value.)

Has your organization experienced an incident or interruption in the past year that caused you to

activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans?

(select yes/no for each type of incident/interruption)

IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus,

Security, etc. - Yes

IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus,

Security, etc. - No



IT Related - Telecommunications (i.e., Voice, Data, Converged) - Yes 35.80%

IT Related - Telecommunications (i.e., Voice, Data, Converged) - No 64.20%

IT Related - Upgrade/Scheduled Outage - Yes 32.39%

IT Related - Upgrade/Scheduled Outage - No 67.61%

Power - Yes 56.25%

Power - No 43.75%

Privacy - Yes 12.57%

Privacy - No 87.43%

Severe Weather (i.e., Hurricane, Tornado, Winter Weather) - Yes 69.14%

Severe Weather (i.e., Hurricane, Tornado, Winter Weather) - No 30.86%

Terrorist Attack - Yes 7.95%

Terrorist Attack - No 92.05%

Theft - Yes 13.14%

Theft - No 86.86%

Other - Yes 7.69%

Other - No 92.31%

If you selected "Other," please specify: 5.68%

QUESTION 37

Completely 35.80%

Mostly 34.09%

Somewhat 11.93%

Not at all 2.27%

Not applicable 7.95%

Do not know 7.95%

QUESTION 38

Within the past 6 months 71.43%

Within the past year 18.86%

Within the past 2 years 4.00%

We do not exercise our plans 5.71%

QUESTION 39

Call Tree/Notification Process 26.58%

22.49%

Entire site-specific business and technology recovery exercise 11.86%

Alternate site (work area recovery) exercise 15.75%

Mock crisis/emergency management exercise 20.65%

None/Not applicable 2.66%

For the most recent interruption that required you to activate one or more BCM Plans, how well

was your recovery time objective met? (select one)

When was your company's most recent Business Continuity Plan exercise? (select one)

What elements of your BCM Program were utilized during your most recent exercise? (select all

that apply)

Integrated people, process, and technology exercise for one or more processes



QUESTION 40

Public Sector Agencies 17.27%

Supply Chain Partners 13.18%

3rd Party Service Providers 33.64%

None/Not Applicable 35.91%

QUESTION 41

< 1% 5.78%

1% to 2% 9.25%

3% to 4% 8.67%

5% to 10% 5.20%

More than 10% 6.36%

Do not know 64.74%

QUESTION 42

Internal – Hardware and Software Solution 35.92%

External – Hardware and Software Solution 12.24%

Combination/Hybrid of Internal and External Solutions 37.55%

Move certain capabilities to a Public Cloud Vendor 6.12%

Move certain capabilities to a Private Cloud Solution 5.71%


QUESTION 43

Internal – Hardware and Software Solution 29.73%

External – Hardware and Software Solution 14.29%

Combination/Hybrid of Internal and External Solutions 27.03%

Move certain capabilities to a Public Cloud Vendor 7.34%

Move certain capabilities to a Private Cloud Solution 14.29%


QUESTION 44

Yes, included in current plans 46.24%

No, not included in current plans 31.79%

No, but plans to include are in development 21.97%

QUESTION 45

Do not know 56.65%

None 28.90%

< 10% 7.51%

What percentage of your organization's application data is currently stored in the cloud? (select

one)

What external companies or agencies have been involved with your most recent BCM Program

exercise? (select all that apply)

What percentage of your IT budget does your organization spend on disaster recovery

capabilities? (select one)

What is your organization's current IT recovery strategy? (select all that apply)

Which elements of your organization's current IT recovery strategy are undergoing change?


Is cyberterrorism included in your organization's current BCM Plans, Disaster Recovery Plans,



Between 10% - 24% 4.05%

Between 25% – 49% 1.16%

Between 50% - 75% 0.58%

>75% 0.58%

All 0.58%

QUESTION 46

Never 11.56%

In the past six months 43.93%

Within the last year 21.97%

Within the last two years 1.73%

More than two years ago 0.58%

Do not know 20.23%

QUESTION 47

Do not know 17.34%

Never 17.92%


Semi-annually 7.51%

Annually 45.09%




QUESTION 48

Cloud Applications - Utilize - HAVE an IT DisasterRecovery Plan 35.84%

10.98%

Cloud Applications - Do NotUtilize 53.18%

Mobile Applications - Utilize - HAVE an IT DisasterRecovery Plan 54.34%

21.39%

Mobile Applications - Do NotUtilize 24.28%

Social Media - Utilize - HAVE an IT DisasterRecovery Plan 25.43%

Social Media - Utilize - DO NOT have an IT Disaster Recovery Plan 21.97%

Social Media - Do NotUtilize 52.60%

Mobile Applications - Utilize - DO NOT have an IT Disaster Recovery Plan

When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with

representatives from other key stakeholder companies or agencies? (e.g., supply chain partners,

service providers, public sector agencies) (select one)

How frequently does your organization carry out full scenario testing of its Disaster Recovery

Plan? (select one)

Please indicate which of the following are utilized by your organization, and have an IT Disaster

Recovery Plan with documented procedures and written guidelines. (please provide a response

for each category)

Cloud Applications - Utilize - DO NOT have an IT Disaster Recovery Plan



QUESTION 49

YES 60.12%

NO 39.88%

100.00%

QUESTION 50

We spent significantly more money in 2011 than in 2010 20.81%

65.90%

We spent less money in 2011 than we did in 2010 13.29%

QUESTION 51

Attend industry conferences 20.54%

Attend association meetings 19.75%

Attend continuing education courses at colleges/universities 9.16%

Internal company training 20.38%

Training provided by third-party companies 8.53%

Pursue professional certification courses 16.11%

Undergraduate degree program 1.90%

Graduate degree program 2.69%


Did your organization’s employees receive sufficient Business Continuity Management training in

the past year?

What was your organization’s investment in Disaster/Emergency Management and BCM training

this past year in comparison to the year before? (select one)

What types of ongoing BCM training are utilized by your organization? (select all that apply)

We spent approximately the same amount of money in 2011 as in 2010


continuity insights & 2011-2012 - amazon web …...2011-2012 global business continuity...

Documents