In order to tease out the most compelling — and more subtle — results from the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study, a panel of subject-matter experts reviewed and commented on the raw data collected from 685 business continuity professionals. Reactions range from “disturbing” to “encouraging.”
The study questions were developed by Robbie Atabaigi, Director, KPMG LLP and Martin Plevel, Director, KPMG LLP. Respondents for the study were obtained from the Continuity Insights subscriber base by way of its publications, Web site, and email deployments, as well as from other professional organizations that supported the study.
As in previous years, a major focus of the 2011-2012 study is business continuity management (BCM) program integration with other disciplines and third parties. While these results show little progress since 2008, our experts were more focused on the emergence of technologies such as social media and cloud, as well as the lack of awareness surrounding several key business continuity metrics.
Some of the more positive reactions relate to the fact that close to two-thirds (63%) of organizations measure the performance of their BCM programs, of which 85% use exercises and 62% use audit findings.
“I am glad that the second largest measurement approach to evaluating BCM programs is audit findings, which are objective. So many other approaches can be manipulated — especially tests. I hope audit findings grows to be the number one approach,” says Doug Weldon, President, BCI — USA Chapter.
The widespread use of exercises to measure program performance has a downside when you take into account other performance metrics, according to Ed Matley, Director, Advisory Services, KPMG LLP.
“The fact that only 31% of respondents felt they had met their recovery time objective (RTO) during a disruption, when 85% are using exercises, indicates there is room to improve the quality of exercises.”
Two survey results drew strong reactions from nearly all of the experts. The first shows that nearly 40% of respondents could not estimate the financial impact of a five-day outage or disruption. The second, and possibly more worrying, shows that close to half (47%) could not estimate the cost of business disruptions over the past 12 months.
“It is curious that based on the self-identified experience and program maturity of the respondents, more than 47% do not know the cost impact of disruptions within their organizations. This is a basic element of conducting a BIA [business impact analysis],” explains Tim Mathews, Director, Enterprise Resiliency, Educational Testing Services.
“This information is a must for a BCM program to track,” adds Weldon.
The lack of awareness surrounding organizations’ deployment of data in the cloud also caught the attention of several experts: Nearly 40% of respondents indicated they do not know the percentage of their organization’s data currently stored in the cloud.
“This is a scary statistic as far as I am concerned. It should be well known what is stored in the cloud — after all there has to be a recovery strategy associated with it,” says Mike Jennings, Director, Disaster Readiness Program, Blue Cross Blue Shield of Massachusetts.
Interestingly, over 38% of organizations do not have any data stored in the cloud.
Results from the survey show that 21% of organizations incorporate social media in BCM, disaster recovery and crisis management plans, with another 22% in the process of developing plans that incorporate social media. This level of adoption is staggering when you consider the fact that this technology is relatively new.
“I’ll bet this was close to zero just a few years ago,” Mathews points out.
Several experts point to the value of information available on social media when responding to crises or threats as the main reason to incorporate social media in BCM plans.
“I don't understand how social media can be ignored. News and information travel faster than ever before, and it is absolutely vital to be ‘plugged in’ to these outlets in order to be proactive in disaster response and management of information,” says Scott Hall, Vice President, Global Disaster Recovery & Business Continuity, Equifax.
According to Michele Guido, Business Assurance Principal, Southern Company, “All corporations use social media for communication at some level, but do not yet include it in continuity plans. During a crisis, ‘we’ clamor for information. As an industry, we should begin best practice discussions to incorporate social media into BCM plans.”
Jennings agrees that social media can offer strategic benefits, but stresses the importance of developing social media guidelines.
“I would caution that before you integrate social media with your program you take time to develop a social media policy that clearly defines the parameters of its use.”
Focus On Reputation
A subtle but compelling result from the survey shows that reputation is now a major driver for the establishment of BCM programs. While “continuity of operations” is by far the number one driver (84%), reputation came in second (40%) ahead of federal regulations (34%) and the need to address audit findings (32%).
Weldon sees a strong link between reputation and an organization’s bottom line.
“The financial aspect of goodwill — the value of a company over and above its assets — is tied to the company’s long-term reputation: What they offer; how they offer it; their ability to maintain integrity; the performance of products and services over an extended period of time. Reputation is a factor in both immediate and long-term financial performance.”
There are many reputational risks, but the actions of senior management can have a particularly devastating effect.
“Leadership is oftentimes very visible, so if they are caught doing something inappropriate or they are no longer with the organization for whatever reason, it can have a big impact on reputation. Succession planning can be an important aspect of protecting reputation in a threat scenario that involves your senior leadership.
“The thing about reputation is you can lose it much faster than you can gain it,” adds Weldon.
Michael Arcuri, Director of Business Continuity at KPMG LLP, uses results from the 2008 Continuity Insights & KPMG LLP benchmarking study to demonstrate the increased awareness surrounding reputation and points to social media as a reason for the shift.
“Reputation as a program driver has increased from 14% to 40% in the last four years. I believe this is the direct result of the pervasiveness of social media and its impact on public perception.”
The speed with which information is propagated across social media makes pre-planning vital, according to Hall.
“An organization's reputation can be ruined in minutes if not handled appropriately. That's why it is essential to have social media plans incorporated as part of an overall crisis management response.”
Who’s The Boss?
The C-level executive that serves as the BCM program executive sponsor varies greatly from organization to organization, with CEO or President the leading response at 17%. Lyndon Bird, Technical Development Director and Board Member of BCI, takes this result with a grain of salt.
“It reflects what we think should be the case, but I wonder if that is actually the view of the C-suite if asked the same question about BCM, without pre-defining the scale and scope for them.”
Mike Janko, Manager, Global Business Continuity at Goodyear, sees it as a positive sign.
“It appears that the business continuity function is getting better defined and is reporting at a higher level. This is significant since trends will come and go, but if you show business value then management support will be there.”
The title of Chief Continuity Officer (CCO) was found in less than 2% of organizations.
The bottom line is that BCM programs are maturing very slowly — if at all.
“I wonder if business continuity management has not received the support that we anticipated or if our industry is moving at a very slow pace. I would have expected that the organizations with plans in place would be closer to 70%,” says Jennings, referring to the fact that less than 60% of respondents have a BCM policy, senior management steering or advisory committee, and BC/DR plans in place.
This stagnation may not be the fault of business continuity planners, given the limited resources that are made available to them.
“Increasing budgets is a goal for many BC planners,” adds Janko.
The severe lack of BCM program integration with other disciplines, namely strategic planning, is another thorn in the side of BCM program maturity.
“Strategic planning is ‘completely’ or ‘well’ integrated for only 34% of organizations. Improvement in this area is key for BCM going forward,” says Lee Glendon, Head of Research & Advocacy at BCI.
One factor that could accelerate the development of BCM programs globally is the upcoming release of ISO 22301 — the first international standard that addresses BCM. With it comes a globally accepted set of BCM terminology and requirements. Soon after, ISO 22313, the “how-to” component of ISO 22301, will be released. Expect to see a shift away from some of the widely used standards such as NFPA 1600 (46%) and BS25999-2 (27%).
For the full report and results, go to http://www.continuityinsights.com/white-papers/2012/04/2011-2012-continuity-insights-kpmg-llp-global-business-continuity-management-program-benchmarking-study or http://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/2012-cin-kpmg-management-study.pdf.