Continuity Insights & KPMG LLP Present The 2011-2012 Global Business Continuity Management (BCM) Program Benchmarking Study Sponsored by:


Post on 25-Aug-2020


Table Of Contents

1 Executive Summary
1.1 Introduction
1.2 Key Findings
1.2.1 Program Integration
1.2.2 Program Development
1.2.3 Program Performance
2 Survey Results
2.1 Potential Operational Risks & Impact Of Adverse Events
2.2 Entity Type, Program Drivers, Governance, Status & Investments
2.3 Program Execution & Performance
2.4 Leveraging Standards To Support The Program
2.5 Integration With Other Disciplines
2.6 Integration With Third Parties
2.7 Use Of Software
2.8 IT Recovery Strategy & Disaster Recovery Capabilities
2.9 Cloud, Social Media & Mobility Applications
3 Future Outlook & Recommendations
4 Conclusion
5 Research Methodology
5.1 Respondent Profiles
5.1.1 Type Of Entity Or Enterprise
5.1.2 Geographical Range Of Operations
5.1.3 Country
5.1.4 Industry
5.1.5 Company Size
5.2 C-Level Executive With Ultimate Reporting Responsibility
5.3 BCM Program Leader
6 Requests for Benchmarking Reports & Key Contacts
7 Acknowledgements


1 Executive Summary

1.1 Introduction

The complex environment in which businesses operate today creates the need for sophisticated business continuity management (BCM) programs that address a wide range of threats, including natural disasters, technology issues and man-made incidents. It is also important that these programs stay in sync with the strategic goals of the organization. The 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study is a comprehensive look at the current state of BCM programs and the drivers for further program development.

Data used in this report is based on anonymous survey responses from 685 executives in public and private companies, government agencies and authorities, educational institutions, and not-for-profit entities. Respondents come from over 40 countries with approximately one-third working for organizations with headquarters outside the United States.

The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk landscape, supply chain interdependencies, the emergence and increased usage of cloud computing, mobile applications, and social media.

Business continuity professionals should use this report to target underdeveloped capabilities within their own BCM programs. In addition to the report, readers can view the full collection of survey responses on the Continuity Insights Web site (www.continuityinsights.com).

1.2 Key Findings

Some BCM programs show signs of strong integration with other business functions, and robust practices for developing and measuring program performance; however, many BCM programs lack in these areas and, in turn, are not currently positioned to achieve a high level of organizational preparedness.

Following is a selection of key findings in the areas of program integration, development and performance. Detailed results follow in the body of the report.

1.2.1 Program Integration

• 34% of respondents feel their BCM programs are well integrated with strategic planning capabilities.

• 32% of respondents indicate their BCM programs are well integrated with strategic sourcing and procurement capabilities.

• 52% of those surveyed feel their BCM programs are well integrated with their organization’s enterprise risk management program.


1.2.2 Program Development

• 84% of respondents ran a business continuity plan exercise within the past year.

• The most widely-used standards are NFPA 1600 (46%), BS25999-1 and BS25999-2 (26% and 27% respectively), and ISO/IEC 27001 (12%).

• 65% of organizations have a full-time BCM coordinator.

• Over 38% do not know the financial impact of a five-day disruption or outage.

• Over 57% do not utilize the cloud in their IT disaster recovery plans; nearly 40% do not know how much of the organization’s application data is currently stored in the cloud.

• Training: Only 18% of organizations significantly increased their spending on BCM/disaster recovery/emergency management plan training in 2011.

• Over 43% of organizations use or plan to use social media as part of their BCM programs.

1.2.3 Program Performance

• Business continuity plan exercises are by far the most widely-used method to measure the performance of BCM programs (85%), followed by audit findings (62%) and BCM program reviews (60%).

• Less than 8% of respondents put their BCM program in the highest-tier category for maturity (Level 6 – Synergistic).

• Less than 31% of respondents felt that their recovery time objective was completely met during the most recent interruption.

2 Survey Results

2.1 Potential Operational Risks & Impact Of Adverse Events

One of the critical success factors for an organization is the ability to identify and successfully mitigate the risks associated with running its operations. These risks, which can be grouped into various categories under the heading “operational risks,” refer to any type of risk that is neither financial nor market related. For example, operational risk might include risks associated with the organization’s human resources, business processes, supply chain interdependencies, facilities, information technology and relationships with public authorities.

The leading causes of operational disruptions – those that cause the activation of business continuity, crisis management and/or disaster recovery plan(s) – among the organizations surveyed are severe weather (50%), power outages (47%), flood (31%) and various IT-related interruptions.

I find it somewhat curious that the numbers and magnitudes of the disasters that occurred in 2011 did not seem to cause any kind of discernible ‘ripple’ in the responses.
– John Copenhaver, Senior Advisor, BCI

The reasons for interruptions fit well with similar BCI surveys; severe weather, floods, power outages and IT-related issues always score highly and of course earthquakes have become a key issue of late with both Japan and Christchurch, NZ happening in 2010. We have also found increasing concern about cyber attacks (particularly in government and financial services).
– Lyndon Bird, Technical Development Director and Board Member, BCI


Figure 1. Incident or interruption in the past 12 months that caused the activation of BCM plan(s).

The cost of interruptions over the past twelve months is estimated to be over $50,000 for over a quarter (26%) of organizations, with nearly 5% estimating losses at over $1 million. Over 47% of respondents indicated they “do not know” the total cost of interruptions over the past twelve months.

Figure 2. Estimated cost of business disruptions over the past 12 months.

It is curious that based on the self-identified experience and program maturity of the respondents, more than 47% do not know the cost impact of disruptions within their organizations. This is a basic element of conducting a BIA [business impact analysis]. In addition, most if not all of the respondents noted that their organization experienced an interruption that caused BCM activation.
– Tim Mathews, Director, Enterprise Resiliency, Educational Testing Services

[Figure 1 chart categories: Civil Unrest; Earthquake; Fire; Indirectly Due to Supplier Issues or High Profile Neighbor; IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus, Security, etc.; IT Related - Hardware/Software in Production; IT Related - Telecommunications (i.e., Voice, Data, Converged); IT Related - Upgrade/Scheduled Outage; Power; Privacy; Severe Weather (i.e., Hurricane, Tornado, Winter Weather); Terrorist Attack; Theft; Flood; Other]

[Figure 2 chart: Do not know 47.1%; Less than $25,000 21.7%; $25,000 to $50,000 5.1%; $50,000 to $100,000 4.9%; $100,000 to $250,000 7.0%; $250,000 to $500,000 4.7%; $500,000 to $1 million 4.9%; $1 million to $5 million 2.1%; More than $5 million 2.6%]

The fact that 31% of respondents felt they had met their RTO during a disruption, when 85% are using exercises, indicates there is room to improve the quality of exercises.
– Ed Matley, Director, Advisory Services, KPMG LLP


2.2 Entity Type, Program Drivers, Governance, Status & Investments

Public companies make up 40% of the organizations surveyed, followed by private companies (39%), government agencies or authorities (10%), not-for-profit organizations (9%) and educational institutions (2%).

On average, BCM programs have been in place for 7.7 years. Two-thirds (66%) of BCM programs have been in place for between one and ten years. Organizations with new BCM programs – those that are less than one year old – make up nearly 6% of the sample.

A majority (60%) of organizations described their BCM program status as follows: “[We] have a policy, senior management steering or advisory committee, plans in place, and have developed a process for updating plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests or real events.” Just over 9% of organizations are in the process of establishing a BCM program.

It is interesting that a relatively large number of companies are privately held. Classical wisdom says that private companies pay less attention to BCM and risk management in general. But these results suggest that there may be an increasing focus on these practices by privately held companies. I hope this points to a positive trend.
– Doug Weldon, President, BCI – USA Chapter

Figure 3. Type of organization, entity or enterprise.

• Public Company: 40.0%
• Privately-Held Company: 39.2%
• Government Agency or Authority: 9.5%
• Education: 2.2%
• Not-for-Profit Organization: 9.2%

Figure 4. Lifespan of BCM programs.

• Less than 1 year: 5.8%
• 1 year to 3 years: 15.4%
• 3 years to 5 years: 19.9%
• 5 years to 10 years: 30.8%
• 10 years to 20 years: 17.8%
• More than 20 years: 4.8%
• Do not know: 5.5%


The top two drivers for establishment of a BCM program are continuity of business operations (84%) and reputation (40%). Other drivers include government regulations/compliance (34%), the need to address audit findings (32%), customer requests or requirements (22%), legal requirements (18%) and the unique competitive advantage a BCM program provides (15%).

In the 2008 BCM program benchmarking study, also conducted by Continuity Insights and KPMG LLP, only 14% of respondents noted that reputation was one of the key reasons for establishing a program.

Almost 85% of the respondents state that their business continuity program is primarily implemented for continuity of operations, which emphasizes the acknowledgement of corporate responsibility and ownership to institutionalize this continuity into business portfolios.
– Michele Guido, Business Assurance Principal, Southern Company

Figure 5. BCM program status.

• 9.1%: We are currently in the process of establishing a BCM Program, defining program governance, scope, objectives, budgeting, and format for plans.
• 6.7%: We are currently in the assessment phase (i.e., Risk Assessment, Business Impact Analysis, Strategy Selection, etc.) for the first time in the program’s lifecycle.
• 18.5%: We are currently developing BCM Plans, Crisis Management Plans, and Disaster Recovery Plans.
• 59.5%: We have a BCM Policy, Senior Management Steering or Advisory Committee, Business Continuity, Crisis Management, and Disaster Recovery Plans in place and have developed a process for updating those plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests, or real events.
• 6.2%: Other

Figure 6. Reasons for establishing BCM programs.

• Address audit finding(s): 31.6%
• Continuity of business operations: 84.2%
• Customer request or requirement: 22.0%
• Federal government regulations/required law: 33.5%
• Reputation: 39.7%
• Required by law: 17.7%
• Unique competitive advantage: 14.7%
• Other: 5.8%

It is interesting that reputation as a program driver has increased from 14% to 40% in the last four years. I believe this is the direct result of the pervasiveness of social media and its impact on public perception.
– Michael Arcuri, Director of Business Continuity, KPMG LLP


The lack of common understanding about the role of BCM Manager/Director/VP – or even the need for it – is disturbing. According to the results, the executive with the ultimate responsibility for BCM is most often the CEO. This reflects what we think should be the case, but I wonder if that is actually the view of the C-suite if asked the same question about BCM, without pre-defining the scale and scope for them.
– Lyndon Bird, Technical Development Director and Board Member, BCI

It appears that the business continuity function is getting better defined, is reporting at a higher level and functional substantiation is based on value to the business. This is significant since trends will come and go, but if you show business value, management support will be there.
– Michael Janko, Manager, Global Business Continuity, Goodyear

Almost two-thirds (65%) of respondents indicate their organization has established a senior management advisory or steering committee that provides input and assistance to the program leader. Another 10% have a committee under development.

Additionally, two-thirds of organizations (65%) indicate they have a full-time program coordinator, with 22% having a part-time coordinator authorized to administer and keep the BCM program current.

In 17% of organizations, the C-Level executive that serves as the BCM program executive sponsor is either the Chief Executive Officer or President. Less than 2% of organizations have a Chief Continuity Officer (CCO) responsible for the BCM program.

Figure 7. Status of organizations’ senior management advisory or steering committee.

• Yes: 65.3%
• No: 21.7%
• Committee under development: 10.1%
• Do not know: 2.9%

Figure 8. Job title of the executive sponsor for organizations’ BCM programs.

• CEO/President: 16.6%
• Chief Operating Officer: 12.0%
• Chief Financial Officer: 8.4%
• Chief Information Officer: 13.6%
• Chief Risk Officer: 9.4%
• Chief Continuity Officer: 1.8%
• Emergency Management: 2.7%
• Vice President, Info Technology: 5.1%
• Other Corporate/Executive Management: 17.5%
• Specific Department Manager/Director/VP (non C-Level executive): 12.9%


By a large margin, the highest number of FTE employees in BCM is in the zero-to-two range. It’s not very impressive, and probably not seen as a great career building opportunity by young, ambitious people who want to excel in core business. The value, importance and responsibility of BCM people are not being reflected in its status.
– Lyndon Bird, Technical Development Director and Board Member, BCI

Respondents were asked to provide the number of full time equivalent (FTE) employees dedicated to the BCM Program (including contractors) in the following categories:

• The BCM Program Management Office (PMO)

• Business continuity resources in business units and business functions

• Information technology disaster recovery resources

Within BCM PMOs, the average headcount is 3.7. For the business continuity resources in business units and business functions, the average headcount is 7.3. Personnel supporting information technology disaster recovery capabilities averages 6.0 FTE employees.

Responses to this question (and questions relating to BCM program budgets) vary depending on the entity type, number of employees, revenue and industry profile. While the aggregate mean number of FTE employees increases with company size, a majority of all but the very large companies have zero to two FTE employees.

2.3 Program Execution & Performance

Earlier results indicate continuity of business operations is the primary driver for the establishment of a BCM program in 84% of organizations, yet 37% do not conduct active measurement of BCM program performance. The leading method for measuring the performance of BCM programs is business continuity plan exercises (85%), followed by audit findings at 62%.

It is positive that two-thirds of BCM programs have full time coordinators with senior advisory committees in support, but less positive that the typical title of the coordinator is Director or Manager.
– Doug Weldon, President, BCI – USA Chapter

Figure 9. Percentage of organizations with zero to two FTE employees dedicated to the BCM program by company size (annual revenue).

[Chart groups: Small (<$50M); Mid-size ($50M-$1B); Large ($1B-$5B); Very Large (>$5B); N/A. Series: Corporate BCM Program Office; Various Business Units/Functions; Information Technology/Disaster Recovery]


37% say they don’t measure the performance of their program. Of those who do measure, only 13% measure performance using some kind of cost/benefit analysis. Most of the performance metrics are self-referencing and not related to the business. If we want to raise the profile of BCM and get executive-level buy-in, then we need to measure the value contribution of BCM programs not just program performance.
– Lee Glendon, Head of Research & Advocacy, BCI

Using the 2008 benchmarking study results, a significant increase in the instances of organizations reviewing their performance capabilities versus standards (30%) can be seen. In 2008, only 9% of the respondents indicated that they were undertaking this type of review.

2.4 Leveraging Standards To Support The Program

Standards are increasingly important tools for BCM program planning. The results show that NFPA 1600 is the most widely used standard, but this is certainly influenced by the fact that two-thirds of the respondents have global headquarters in the United States.

Figure 10. Methods used by organizations to measure BCM program performance.

[Chart categories: Plan exercises; Audit findings; BCM program reviews; Technology recovery test results; Metrics program including executive reporting; Benchmarking/comparison to industry norms; Maturity modeling; Review performance capabilities vs. standards; Cost/benefit analysis; Service level monitoring]


2.5 Integration With Other Disciplines

Using results from the 2008 benchmarking study as a point of reference, the integration of BCM programs with other disciplines shows little progress. The most widely-integrated discipline is crisis management, with 68% of respondents indicating it is “completely” or “well” integrated with their BCM programs.

Given such interdependent economies and supply chains, it is interesting that more than 20% are ‘not at all’ integrated with their strategic sourcing function. Also, knowing the strategic implications of recovery and response to an interruption, it is interesting that more than 23% are ‘not at all’ integrated with strategic planning.
– Tim Mathews, Director, Enterprise Resiliency, Educational Testing Service

Figure 12. BCM program integration progress since 2008.

High level of BCM integration with (2011-2012 vs. 2008):

• Strategic Planning Capabilities: 34% (2011-2012), 36% (2008)
• Strategic Sourcing And Procurement Capabilities: 32% (2011-2012), 27% (2008)
• Enterprise Risk Management Program: 52% (2011-2012), 50% (2008)
• Crisis Management Program: 68% (2011-2012), 67% (2008)

Figure 11. Widely used business continuity-related standards.

• USA – NFPA 1600: 46%
• UK – BS25999-2: 2007 Specification for BCM: 27%
• UK – BS25999-1: 2006 Code of Practice for BCM: 26%
• International – ISO/IEC 27001:2005: 12%
• USA – ASIS BCM.01-2010: 11%
• International – COBIT 4.1: 11%
• USA – NIST SP 800 – 34: 11%
• Information Technology Infrastructure Library (ITIL) v.3: 10%

These standards contain the vital components to help organizations develop and map their planning efforts in order to mature their BCM programs.
– Robbie Atabaigi, Director, Advisory Services, KPMG LLP


2.6 Integration With Third Parties

Less than one-third (32%) of organizations indicate a high-level of integration with third-party service providers (utilities, information technology service providers and/or business process service providers), down from 35% in 2008, while 37% are well integrated with public authorities (police, fire, and local emergency management services), up from 34% in 2008.

Two-thirds (66%) of respondents indicated their organizations require mission critical third-party service providers to provide evidence of a viable BCM program. Less than half (47%) of the organizations surveyed involve external companies or agencies in their BCM program exercises. Third-party service providers (33%) are involved more often than public sector agencies (18%) and supply chain partners (10%).

Figure 13. BCM program integration progress since 2008.

High level of BCM integration with (2011-2012 vs. 2008):

• Third-party Service Providers: 32% (2011-2012), 35% (2008)
• Public Authorities: 37% (2011-2012), 34% (2008)

Figure 14. Engagement of external companies or entities during BCM program exercises.

• Public sector agencies: 17.7%
• Supply chain partners: 10.2%
• Service providers: 33.3%
• None or not applicable: 53.5%


The cloud may be a high-availability strategy but concerns exist about recovery of cloud-based applications and data.
– Tim Mathews, Director, Enterprise Resiliency, Educational Testing Services

2.7 Use Of Software

Organizations were asked to identify all BCM-related software packages currently in use or designated for implementation within the next year. Emergency notification software (47%) and BCM software (46%) are the most common.

2.8 IT Recovery Strategy & Disaster Recovery Capabilities

Respondents were asked a series of questions regarding their organization’s IT disaster recovery strategy and recovery-related capabilities. IT recovery strategies are most commonly described as a combination of internal and external solutions (50%), an internal hardware and software solution (46%), and an external hardware and software solution (21%). For those organizations with plans to move capabilities to the cloud, private cloud solutions (11%) are favored over public cloud solutions (6%).

Figure 15. Widely used BCM program-related software packages.

[Chart categories: Business Continuity Management software; Business Impact Analysis software; Change Management software; Emergency Notification software; Enterprise Governance Risk and Compliance software; Risk Assessment software; Microsoft© Office Tools (i.e., Word, Excel, etc.); Other]


Many organizations’ IT recovery strategies are undergoing change, namely internal software and hardware solutions (43%), combination internal and external solutions (36%), and external hardware and software solutions (23%). On average, 3.8% of IT budgets go to disaster recovery capabilities.

In addition, 20% of respondents indicate their organization is undergoing changes to move certain capabilities to a private cloud solution and 8% of respondents are moving certain capabilities to a public cloud solution.

Figure 16. Current IT disaster recovery strategies.

• Internal – Hardware and Software Solution: 45.7%
• External – Hardware and Software Solution: 20.8%
• Combination/Hybrid of Internal and External Solutions: 50.2%
• Move certain capabilities to a Public Cloud Vendor: 6.1%
• Move certain capabilities to a Private Cloud Solution: 11.1%
• Other: 3.5%

Figure 17. Elements of organizations’ IT disaster recovery strategies undergoing change.

• Internal – Hardware and Software Solution: 42.5%
• External – Hardware and Software Solution: 22.9%
• Combination/Hybrid of Internal and External Solutions: 36.4%
• Move certain capabilities to a Public Cloud Vendor: 8.2%
• Move certain capabilities to a Private Cloud Solution: 19.9%
• Other: 10.0%

All corporations, communities and individuals at some level use social media for communication, but do not yet include it in continuity plans. During a crisis, ‘we’ clamor for information. As an industry, we should begin best practice discussions to incorporate social media into BCM plans.
– Michele Guido, Business Assurance Principal, Southern Company


2.9 Cloud, Social Media & Mobility Applications

The use of cloud, mobile applications and social media, and their incorporation into documented IT disaster recovery plans, varies greatly from organization to organization. Over 41% of respondents incorporate mobile applications into IT disaster recovery plans whereas less than 18% incorporate social media into disaster recovery plans.

3 Future Outlook & Recommendations

There are many sources of operational disruptions, all of which can have devastating effects if not sufficiently planned for. The process of planning can begin only when these threats and their impacts have been thoroughly assessed.

Market trends such as cloud, mobility and social media are key drivers that business continuity professionals and executives responsible for governing BCM programs should consider as organizations adapt their programs and associated plans. However, priority should be given to the establishment of critical BCM program elements and activities, and the gathering of vital information and metrics, such as:

• A BCM program steering committee.

• The cost of outages (via business impact analysis).

• The storage location and volume of critical data and applications.

• BCM program maturity assessment and development.

• Engagement with critical third-party suppliers and public authorities.

• Appropriate BCM program leadership.

It is important to note that BCM program gaps cannot be addressed without considering the organization’s broader strategic priorities, and organization-specific threats and obligations.

Moving forward, organizations are encouraged to review and assess their BCM program capabilities and gaps using the findings from this study. This holistic, data-driven approach will both improve organizational preparedness and further efforts to make BCM a strategic, boardroom-level agenda item.

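Figure 18. Cloud, mobile applications and social media usage with IT disaster recovery plans.

• Cloud Applications: utilize and have an IT Disaster Recovery Plan 28.2%; utilize and do not have an IT Disaster Recovery Plan 14.4%; do not utilize 57.4%
• Mobile Applications: utilize and have an IT Disaster Recovery Plan 41.6%; utilize and do not have an IT Disaster Recovery Plan 23.6%; do not utilize 34.8%
• Social Media: utilize and have an IT Disaster Recovery Plan 17.8%; utilize and do not have an IT Disaster Recovery Plan 24.64%; do not utilize 57.6%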

An organization’s reputation can be ruined in minutes if not handled appropriately. That is why it is essential to have social media plans incorporated as part of an overall crisis management response.
– Scott Hall, Vice President, Global Disaster Recovery & Business Continuity, Equifax

Social media continues to evolve – with or without formal buy in.
– Michael Janko, Manager, Global Business Continuity, Goodyear


4 Conclusion

BCM has emerged as one of the key disciplines that organizations can use to manage operational risk. The discipline continues to evolve from one that is focused on responding to an event or incident to one that adapts to changing market trends and threats.

A holistic approach to planning and governing BCM programs must be combined with regular program reviews that allow the program – and hence the organization – to evolve in order to address the ever changing risk landscape with which we are faced.

5 Research Methodology

Respondents for the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, Web site, and email deployments, as well as from other professional organizations that supported the study. The 20-minute online survey comprised 52 questions and was fielded from November 2011 through January 2012. Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses was collected for each question. KPMG business continuity professionals developed the survey questionnaire.

Mint Jutras prepared the resulting tabulation and supplied analysis for select data points. For more information on the study methodology, [email protected].

5.1 Respondent Profiles

5.1.1 Type Of Entity Or Enterprise

Figure 19. Type of organization, entity or enterprise.

Public company: 40.0%
Privately held company: 39.2%
Government agency or authority: 9.5%
Education: 2.2%
Not-for-profit organization: 9.2%

Executive sponsorship, funding and other metrics are important considerations for all organizations. One way we can further develop BCM programs is to increase collaboration across all industries. – Mike Jennings, Director, Disaster Readiness Program, Blue Cross Blue Shield of Massachusetts


5.1.2 Geographical Range Of Operations

Figure 20. Geographical range of operations.

Single Site: 10.5%
Regional Multi-Site (1 Region or Country): 21.0%
National Multi-Site: 23.9%
Global Multi-Site: 44.6%

5.1.3 Country

United States: 67%
Rest of World: 13%
Canada: 8%
Chile: 4%
United Kingdom: 3%
Romania: 2%
The Netherlands: 1%
Switzerland: 1%
France: 1%

Figure 21. Location of global headquarters.


5.1.4 Industry

Figure 22. Industries represented in the survey.

Aerospace/Defense: 2.6%
Automotive: 0.7%
Biotechnology: 0.9%
Chemical/Petroleum: 0.8%
Communications/Media: 1.4%
Computer/Information Technology Telecommunications: 3.7%
Computer/Information Technology Software: 5.3%
Computer/Information Technology Services: 8.7%
Education: 3.9%
Entertainment/Media: 2.4%
Financial Services – Banking: 18.6%
Financial Services – Brokerage: 7.3%
Financial Services – Credit Card: 5.7%
Financial Services – Credit Union: 3.4%
Financial Services – Investment: 11.3%
Financial Services – Mortgages: 6.7%
Government – City/Municipality: 0.9%
Government – County: 1.8%
Government – State/Province: 2.9%
Government (Federal): 3.9%
Healthcare Medical – Hospital: 3.3%
Healthcare Medical – Service Provider: 3.7%
Human Resources: 0.5%
Insurance: 10.6%
International Non Government Organization (NGO): 0.7%
Logistics: 1.5%
Manufacturing – Consumer Goods: 3.5%
Manufacturing – Industrial Goods (Non-technology): 2.1%
Manufacturing – Medical Devices/Other Healthcare Products: 1.1%
Not for Profit Organization: 3.7%
Pharmaceuticals: 1.5%
Power (Production/Transmission): 0.8%
Professional Services (Business Continuity/Operational Risk Consulting): 8.0%
Professional Services (IT/Business Process Outsourcing): 4.3%
Professional Services – Legal: 1.1%
Professional Services (Other): 4.7%
Retail: 3.1%
Transportation – Aviation: 0.8%
Transportation – Mass Transit: 0.6%
Transportation – Shipping: 0.9%
Transportation – Trucking: 0.8%
Utilities – Energy: 4.0%
Utilities – Water: 1.0%
Wholesale Distributors: 1.0%
Other: 10.4%


5.1.5 Company Size

The revenue profile for the various respondents varies significantly.

Less than $10 million: 10.2%
$10 million to $50 million: 6.5%
$50 million to $100 million: 3.9%
$100 million to $500 million: 7.9%
$500 million to $1 billion: 6.8%
$1 billion to $5 billion: 14.8%
$5 billion to $10 billion: 9.4%
More than $10 billion: 16.6%
Not applicable: 8.9%
Do not know: 15.1%

Figure 23. Revenue profile.

I am rather surprised at the number of respondents that said they did not know what the company’s revenues are: 15%! Revenues are a key component to an understanding of “impact” in a BIA and risk assessment. Perhaps this is an indication of the relatively large number of privately held companies reporting in the survey, but BCM people need to know revenues and other key financials whether the company is public or private! – Doug Weldon, President, BCI – USA Chapter.

Over two-thirds (70%) of organizations have more than 1,000 employees.

Less than 25: 7.2%
25 to 99: 4.1%
100 to 499: 10.7%
500 to 999: 7.5%
1,000 to 4,999: 21.1%
5,000 to 9,999: 14.5%
10,000 to 19,999: 9.8%
20,000 or more: 25.0%

Figure 24. Employee profile.


5.2 C-Level Executive With Ultimate Reporting Responsibility

5.3 BCM Program Leader

For those respondents that selected “other” for job title, the largest number of responses related to one or more contingency planning-related disciplines.

Figure 25. Job title of the executive sponsor for organizations’ BCM programs.

Vice President, Business Continuity Management or Business Resilience: 11.1%
Director or Manager, Business Continuity Management or Business Resilience: 35.4%
Vice President, Risk Management: 2.9%
Director or Manager, Risk Management: 7.8%
Vice President of Information Technology: 1.5%
Director or Manager of Information Technology: 3.4%
CEO/President: 1.9%
Chief Operating Officer: 1.9%
Chief Financial Officer: 1.2%
Chief Information Officer: 1.5%
Chief Risk Officer: 1.3%
Chief Security Officer, VP/Director: 3.7%
Specific Department Director/Manager: 8.1%
Other: 18.4%

Figure 26. Job title of BCM program sponsor.

CEO/President: 16.6%
Chief Operating Officer: 12.0%
Chief Financial Officer: 8.4%
Chief Information Officer: 13.6%
Chief Risk Officer: 9.4%
Chief Continuity Officer: 1.8%
Emergency Management: 2.7%
Vice President, Information Technology: 5.1%
Other Corporate/Executive Management: 17.5%
Specific Department Manager/Director/VP (non C-Level executive): 12.9%

Organizations need to have the right business continuity leader who understands the company, the industry and the business continuity process components. – Michael Janko, Manager, Global Business Continuity, Goodyear


6 Requests For Benchmarking Reports & Key Contacts

If you would like to benchmark your organization by leveraging the 2011-2012 Continuity Insights and KPMG LLP Business Continuity Management (BCM) Program Benchmarking Study or custom reports, please provide the following information to Bob Nakao at robert.nakao@[email protected]:

• Your name

• Your organization

• Your title

• Your e-mail address

• The complete study and/or custom report(s) you would like to receive: industry, type of entity, region of HQ operation, number of employees or annual revenue

You will be provided with the custom report(s), if available, generally within a week of the receipt of your request. Custom reports by type of entity include public companies, private companies, government agencies and authorities, and not for profits. Custom reports for industries include education, financial services, computers/information technology/telecommunications, government, healthcare, manufacturing, professional services, and utilities.

For more information about this survey, please contact:

Bob Nakao, Publisher, Continuity [email protected]

Robbie Atabaigi, Director, [email protected]


7 Acknowledgements

Continuity Insights and KPMG LLP would like to acknowledge the following organizations for their contributions in helping raise the awareness – and hence the value – of the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study.

• Association of Contingency Planners (ACP)

• Association of Sacramento Area Planners (ASAP)

• BC Management

• BCI-USA

• Business and Industry Council for Emergency Planning and Preparedness (BICEPP)

• Business Continuity Institute (BCI)

• Business Continuity Planners Association (BCPA)

• Business Recovery Managers Association (BRMA)

• Business Resumption Planning Association (BRPA)

• Contingency Planners of Ohio (CPO)

• Contingency Planning Exchange (CPE)

• Continuity Central

• Contingency Planning Association of the Carolinas (CPAC)

• Disaster Recovery Journal (DRJ)

• Forbes Calamity Prevention (Singapore/Asia)

• Mid Atlantic Disaster Recovery Association (MADRA)

• New England Disaster Recovery Information Exchange (NEDRIX)

• Rothstein Business Survival

• Southeastern Business Recovery Exchange (SEBRE)

• Southeast Continuity Planners Association (SCPA)

• Survival Insights

In addition, we would like to acknowledge the subject matter professionals that reviewed the survey results and provided their point of view for use in this report.

KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s member firms have 145,000 professionals, including more than 8,000 partners, in 152 countries.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.