International Business Continuity Program Management ... Management... · WorldAPP Key Survey, ......

Prepared by BC Management

& BC Management’s

International Benchmarking

Advisory Board

July XX, 2009

Prepared by BC Management, Inc.

- January 2012

Business Continuity Program Management Benchmarking Report

- USA Focused

Benchmarking. Plan Ahead. Be Ahead.

©2012 BC Management, Inc. All rights reserved Standard BCM Research Data Report - CONFIDENTIAL CONFIDENTIAL REPORT

Table of Contents

Introduction 4 Reporting History 4 Study Methodology 4 Assessment of Data & Reporting 5 Participant Data & Respondent Characteristics ~ An overview of respondent characteristics. 5-10

Business Continuity Program Management Awareness Study Topics 11-55

Program Maturity

Program maturity ratings 11

IT/ Disaster Recovery & Business Continuity strategies adequately supporting organizations 11-12

Maintain and foster relationships with other external organizations 13

Integration of program with other organizational disciplines 13-15

Status of current program 16-17

Assessment of program expenses, average full-time and part-time employees, average number of disciplines managed in program and average maturity rating by country

17

Budgeting

Budgeting of expenses within organization 17-18

Items included in the budget, percent of total budget and monetary budget amount per item 18

Budget revisions 19

Anticipated increase/ decrease by individual budget line item 19

Personnel

Current dedicated personnel 20

Hiring initiatives for the next year 21

Reduction of full-time, permanently employed personnel in the next year 22

Primary reason behind a reduction in force in the next year 22

Organizational Reporting Structure

Positioning of program for maximum visibility within organization 23

Change to department owner being considered 23

Department owner by program maturity 24

Department owner being considered for a change or department owner preferred 24-25

Program Sponsorship

Assessment by job title on who is totally engaged and sponsoring the program 25

Sponsor of program by program maturity 26

Sponsor’s level of engagement if a chief officer level or above 27

Sponsor’s level of separation from the executive committee 27

Change to level of sponsorship being considered 27

Level of sponsorship being considered for a change or level of sponsorship preferred 28

Program Assessment and Exercising Plans

Reviewing and updating the business impact assessment (BIA) 29

BIA by program maturity 29-30

Leverage the outcome of the BIA and/ or risk assessments to elevate the program 30

Exercising the plans 31

Exercise the plans for mission critical IT assets, mission critical business functions, less critical IT assets, and less critical business functions

31

Exercising the plans by program maturity 32-33

Scenarios implemented to exercise the plans 34

Auditing the program 34

Auditing the program by program maturity 35


Table of Contents Continued Recovery Time

Contingency program’s point of failure to a point of availability/ up time for the service 36

Estimated financial loss per hour by downtime 36

Technology Recovery Solutions – Internal or External

Utilization of third-party hot site/ alternate site technology providers 37-38

Considering an internal recovery capability 38

Change to the technology recovery solution in the previous two years 38-39

Change to the technology recovery solution in the next year – technology recovery solutions being considered and estimated budget

39

Cloud Computing

Consideration of cloud computing in the next year 40

If yes, rate the factors in your decision making process 40

Consulting Initiatives

Utilization of contractors 41

Longest engagement time for a contractor 41

Consulting work anticipated in the next year 42-43

Vendor Utilization

Utilization of software planning tools 44-45

Consideration software tools in the next year and estimated budget 45-46

Utilization of automated notification tools 46-47

Consideration automated notification tools in the next year and estimated budget 48

Utilization of mobile recovery solutions 49

Consideration mobile recovery solutions in the next year and estimated budget 50 Managing Dispersed Offices

Accountability of offices/ facilities outside current location under existing program 50

Assessment of managing the business continuity program for dispersed offices/ facilities 51

Reasons for Planning, Regulatory Requirements & Organizational Certification

Primary reasons for developing and maintaining a program 52

Regulatory requirements and/or standards to model program after 52-53

Obtaining an organizational certification in a standard 54

Consideration of becoming certified in an organizational standard 54-55

Thank you to BC Management’s International Benchmarking Advisory Board 55 Thank you to our Sponsors and those Organizations who Distributed the Study and/or Report 55 About BC Management, Inc. & Where to Download Complimentary Reports 56 Customize a Report Exclusively for your Organization 56-57

Confidential Report

This is a confidential report. As such, the information within this report should not be shared outside the

organization that requested and purchased the research data. This report is not being distributed as a

complimentary report among the profession. Please contact BC Management if you would like to share or site any

of the information included within the report.


Since 2001 BC Management, Inc. has been gathering data on business continuity management programs and compensations to provide

professionals with the information they need to elevate their programs. Each year our organization strives to improve upon the study

questions, distribution of the study and the reporting of the data collected. Below is a timeline detailing BC Management’s eight years of

business continuity reporting expertise.

* The advisory board is composed of 20 international thought leaders coming from the United States of America, Canada, Latin America, the United Kingdom, Singapore, Australia, China, Japan, and India. Our board encompasses not only business continuity, but also risk management, emergency management, high availability and environmental health and safety.

The on-line study was developed by the BC Management team in conjunction with the BC Management International Benchmarking

Advisory Board. WorldAPP Key Survey, an independent company from BC Management, maintains the study and assesses the data

collected. The study was launched in May 2011 and the study remained open through December 2011. Participants were notified of the

study primarily through e-newsletters and notifications from BC Management and from many other industry organizations. A full list of

participating organizations is included within this report. The study has been translated in 5 languages and it accommodates professionals

who are permanently employed on a full-time or part-time basis, self-employed as an independent contractor or unemployed.

Respondents receive a unique path of branching questions, which is dependent upon their experience and employment status. The

advanced study is coded with extensive JAVA script to ensure a correct question branching path and to eliminate unintelligible data. The

comprehensive study is comprised of two sections spanning over 100 questions. The first section focuses on the factors that impact

compensations within the business continuity and related professions. The second section focuses on the business continuity program

management initiatives, which includes budgets, dedicated personnel, organizational reporting structure, maturity of the program,

exercises, auditing, vendor utilization, program activation during an event and much more. Respondents to the study have the option to

complete one or both sections. Only those respondents who manage a program within business continuity or a related discipline qualify to

complete the program management portion of the study. All participants are given the option of keeping their identity confidential.

Reporting History

Study Methodology

Thank you for purchasing BC Management’s Business Continuity Program Management Benchmarking Report. This report

is designed to give your organization a picture of how other organizations are approaching their business continuity

planning initiatives without any customization relating to your specific organization. The data within this report will be

instrumental in assessing/elevating your business continuity management program.

This report is meant only for the individual who purchased the report. Do not distribute outside of your organization.


BC Management is continuously reviewing and verifying the data points received in the study. Data points in question are confirmed by

contacting the respondent that completed that study. If the respondent did not include their contact information, than their response to

the study may be removed. With our eight years of expertise in collecting and assessing such data points, BC Management has an

exceptional understanding of what is considered questionable or unintelligible data.

WorldAPP Key Survey built a customized reporting tool for BC Management, which enables us to prepare customized benchmarking reports

based on a client’s request. The result is a report that provides a unique understanding on how your program compares to competitors or

other similar organizations. Before creating the customized report, we verify the filters selected by the client and confirm the number of

respondents that will be included in their customized report. The charts and tables are instantaneously created once the client agrees to

the framework of the report. The client receives a PDF document as well as a business intelligence dashboard for further assessment. The

business intelligence dashboard allows the client to further assess the data points within their customized report in a dynamic, user friendly

interface. Study respondent contact information remains confidential and is never revealed. The charts and graphs will reflect what

respondents answered in the study. If a selection within a question is not selected it will NOT be included in the results.

3,152 study participants from over 50 countries as of December 15, 2011. Incomplete/ partial study responses were included as

appropriate within the report. Study was divided into 2 sections.

Business Continuity Compensation – 1,783 professionals participated in the compensation section from 59 countries. Incomplete study responses were included within this report along with the completed responses.

Business Continuity Program Management – 904 professionals participated in the program management section from 37 countries. Incomplete study responses were included within this report along with the completed responses.

Complete responses were received from the following countries: Australia, Belgium, Brazil, Canada, Cayman Islands, China, Colombia,

Denmark, Egypt, France, Germany, Honduras, India, Ireland, Italy, Japan, Kuwait, Malaysia, Malta, Mexico, Netherlands, New Zealand,

Norway, Pakistan, Philippines, Portugal, Qatar, Saudi Arabia, Singapore, South Africa, Sweden, Switzerland, United Arab Emirates, United

Kingdom, United States of America and Venezuela.

USA Respondent Characteristics = 1,364 Study Respondents

Company revenues span from non-profit/ government to over $400 Billion USD.

Study respondents span over 45 industries.

Company corporate locations span from 0-5 Locations to more than 10,000.

Company retail locations span from 0-5 Locations to more than 10,000.

Majority of respondents (38%) are globally distributed organizations.

Company employees span from 0-5 to more than 400,000.

Majority of respondents (63%) managed 5+ disciplines within their program.

Majority of respondents manage multiple disciplines within one program, including Business Continuity Process (Business Focus), Crisis Management, Emergency Management, Pandemic Planning and Disaster Recovery Process (IT Focus) to be the most popular of those disciplines.

Majority of respondents indicated a program existing within their organization for 4-8 years (30%).

Majority of respondents indicated that the program has been thoroughly updated in the last 6 months (35%).

Assessment of Data & Reporting

USA Participant Data & Respondent Characteristics

Jim Mannion

Highlight


Less than $10M, 17%

$10 - $50M, 7%

$50 - $100M, 3%

$100 - $500M, 10%

$500M - $1B, 8%$1 - $10B, 26%

$10 - $20B, 6%

$20 - $50B, 4%

Over $50B, 18%

Revenue in USD

USA Participant Data & Respondent Characteristics Continued

Jim Mannion

Highlight

Jim Mannion

Highlight



Those respondents who noted “Do not

manage a program” were exited from

study.

Jim Mannion

Highlight


6.34%

15.30%

38.43%

28.36%

11.57%

Program Maturity - Self Rating

Very Immature

Immature

Average

Mature

Very Mature

Program Maturity

To your knowledge, do you feel your current IT/Disaster Recovery and Business Continuit y

strategies adequately support the needs of your organization? If no, please select which best

describes future action for improvement. (An assessment of USA respondents.)

In your opinion, how would you rate the maturity of your program? Please rate on a scale of 1

to 5 with 1 meaning “Very Immature” and 5 meaning “Very Mature”. (An assessment of USA

respondents.)


Discipline Integration by Program Maturity Rating

Disciplines Maturity Rating 1-No

Integration 2 3 4

5-Completely Integrated

Audit

All Respondents 23.53% 17.65% 17.65% 23.53% 17.65%

Very Immature 23.53% 17.65% 17.65% 23.53% 17.65%

Immature 22.45% 22.45% 22.45% 18.37% 14.29%

Average 11.50% 20.35% 35.40% 25.66% 7.08%

Mature 6.82% 13.64% 25.00% 38.64% 15.91%

Very Mature 0.00% 13.64% 18.18% 36.36% 31.82%

Business Unit Participation

All Respondents 2.75% 12.37% 29.55% 32.99% 22.34%

Very Immature 17.65% 29.41% 29.41% 11.76% 11.76%

Immature 4.00% 24.00% 36.00% 22.00% 14.00%

Average 1.75% 9.65% 35.96% 32.46% 20.18%

Mature 1.14% 9.09% 21.59% 44.32% 23.86%

Very Mature 0.00% 0.00% 13.64% 31.82% 54.55%

Change Management

All Respondents 14.19% 26.64% 32.18% 19.72% 7.27%

Very Immature 23.53% 29.41% 11.76% 23.53% 11.76%

Immature 18.00% 38.00% 32.00% 8.00% 4.00%

Average 14.91% 27.19% 33.33% 19.30% 5.26%

Mature 10.34% 21.84% 37.93% 24.14% 5.75%

Very Mature 9.52% 14.29% 19.05% 28.57% 28.57%

Compliance All Respondents 6.90% 16.90% 34.48% 26.55% 15.17%

Very Immature 11.76% 29.41% 17.65% 29.41% 11.76%

Immature 16.00% 18.00% 40.00% 16.00% 10.00%

Average 5.31% 20.35% 36.28% 27.43% 10.62%

Mature 2.27% 11.36% 37.50% 30.68% 18.18%

Very Mature 9.09% 9.09% 13.64% 27.27% 40.91%

Crisis Management

All Respondents 5.15% 6.53% 15.81% 33.33% 39.18%

Very Immature 35.29% 11.76% 11.76% 17.65% 23.53%

Immature 10.00% 10.00% 22.00% 26.00% 32.00%

Average 2.63% 8.77% 19.30% 39.47% 29.82%

Mature 1.14% 2.27% 12.50% 37.50% 46.59%

Very Mature 0.00% 0.00% 0.00% 13.64% 86.36%

In your opinion, does your organization strive to maintain and foster relations hips with external

agencies to ensure the recovery of your organization during a disaster? If your organization is

an external agency, do you strive to maintain and foster relationships with other external

agencies and outside organizations? Please rate on a scale of 1 to 5 with 1 meaning strong

disagree and 5 meaning strongly agree. (An assessment of USA respondents.)

How well integrated are the following within your organizational program? Please rate on a

scale of 1 to 5 with 1 meaning NO INTEGRATION and 5 meaning COMPLETELY INTEGRATED. (An

assessment of USA respondents.) *All related enterprise discipl ines are l isted within the study to accommodate a variety of discipline expertise .




Integration 2 3 4


Disaster Recovery Focus) Process (IT

All Respondents 2.41% 4.81% 17.18% 37.80% 37.80%

Very Immature 17.65% 11.76% 23.53% 35.29% 11.76%

Immature 4.00% 8.00% 30.00% 40.00% 18.00%

Average 1.75% 3.51% 20.18% 41.23% 33.33%

Mature 0.00% 3.41% 9.09% 37.50% 50.00%

Very Mature 0.00% 4.55% 0.00% 18.18% 77.27%

Emergency Management

All Respondents 3.78% 9.62% 16.84% 35.74% 34.02%

Very Immature 23.53% 11.76% 23.53% 23.53% 17.65%

Immature 6.00% 18.00% 26.00% 28.00% 22.00%

Average 3.51% 12.28% 17.54% 35.96% 30.70%

Mature 0.00% 1.14% 12.50% 44.32% 42.05%

Very Mature 0.00% 9.09% 4.55% 27.27% 59.09%

Executive Protection

All Respondents 21.25% 23.69% 26.13% 19.16% 9.76%

Very Immature 41.18% 17.65% 17.65% 11.76% 11.76%

Immature 32.00% 30.00% 24.00% 10.00% 4.00%

Average 19.47% 29.20% 26.55% 17.70% 7.08%

Mature 15.29% 14.12% 30.59% 29.41% 10.59%

Very Mature 13.64% 22.73% 18.18% 13.64% 31.82%

Facilities Management

All Respondents 5.86% 16.55% 31.03% 32.76% 13.79%

Very Immature 29.41% 5.88% 47.06% 11.76% 5.88%

Immature 6.12% 20.41% 34.69% 30.61% 8.16%

Average 5.26% 22.81% 34.21% 30.70% 7.02%

Mature 3.41% 12.50% 26.14% 38.64% 19.32%

Very Mature 0.00% 0.00% 13.64% 40.91% 45.45%

Health & Safety - Environmental

All Respondents 13.24% 21.60% 25.78% 29.62% 9.76%

Very Immature 41.18% 11.76% 23.53% 11.76% 11.76%

Immature 14.29% 20.41% 38.78% 18.37% 8.16%

Average 11.61% 28.57% 25.89% 29.46% 4.46%

Mature 5.75% 20.69% 22.99% 37.93% 12.64%

Very Mature 27.27% 0.00% 9.09% 36.36% 27.27%

Health & Safety - Occupational

All Respondents 13.33% 21.40% 26.67% 26.32% 12.28%

Very Immature 29.41% 17.65% 29.41% 11.76% 11.76%

Immature 12.77% 25.53% 36.17% 17.02% 8.51%

Average 12.50% 25.00% 26.79% 29.46% 6.25%

Mature 8.05% 20.69% 24.14% 28.74% 18.39%

Very Mature 27.27% 0.00% 13.64% 31.82% 27.27%

Information Technology

All Respondents 2.43% 7.64% 18.06% 40.28% 31.60%

Very Immature 12.50% 18.75% 12.50% 37.50% 18.75%

Immature 4.08% 16.33% 18.37% 44.90% 16.33%

Average 1.77% 7.96% 25.66% 44.25% 20.35%

Mature 1.14% 1.14% 13.64% 37.50% 46.59%

Very Mature 0.00% 4.55% 0.00% 22.73% 72.73%

Media Crisis Management

All Respondents 9.00% 13.49% 25.95% 31.83% 19.72%

Very Immature 35.29% 17.65% 17.65% 17.65% 11.76%

Immature 14.29% 20.41% 32.65% 26.53% 6.12%

Average 9.65% 16.67% 25.44% 31.58% 16.67%

Mature 2.30% 8.05% 27.59% 39.08% 22.99%

Very Mature 0.00% 0.00% 13.64% 27.27% 59.09%

Pandemic Planning

All Respondents 7.56% 11.00% 19.24% 31.62% 30.58%

Very Immature 35.29% 17.65% 11.76% 23.53% 11.76%

Immature 12.00% 16.00% 20.00% 32.00% 20.00%

Average 7.89% 10.53% 20.18% 34.21% 27.19%

Mature 1.14% 7.95% 22.73% 29.55% 38.64%

Very Mature 0.00% 9.09% 4.55% 31.82% 54.55%


Highlighted figures indicate the highest figures in each row by program maturity.



Integration 2 3 4


Privacy

All Respondents 15.86% 20.00% 28.62% 21.72% 13.79%

Very Immature 29.41% 23.53% 17.65% 17.65% 11.76%

Immature 26.00% 24.00% 28.00% 18.00% 4.00%

Average 15.93% 22.12% 28.32% 23.01% 10.62%

Mature 7.95% 15.91% 34.09% 22.73% 19.32%

Very Mature 13.64% 13.64% 18.18% 22.73% 31.82%

Records Management

All Respondents 15.33% 22.30% 29.97% 20.91% 11.50%

Very Immature 35.29% 11.76% 17.65% 17.65% 17.65%

Immature 22.45% 22.45% 32.65% 14.29% 8.16%

Average 15.04% 26.55% 30.97% 19.47% 7.96%

Mature 8.14% 18.60% 33.72% 27.91% 11.63%

Very Mature 13.64% 22.73% 13.64% 18.18% 31.82%

Risk Management - Enterprise

All Respondents 8.71% 15.33% 28.57% 31.01% 16.38%

Very Immature 40.00% 13.33% 13.33% 13.33% 20.00%

Immature 10.00% 22.00% 38.00% 24.00% 6.00%

Average 8.77% 19.30% 32.46% 27.19% 12.28%

Mature 3.45% 9.20% 27.59% 43.68% 16.09%

Very Mature 4.76% 4.76% 0.00% 28.57% 61.90%

Risk Management - Insurance

All Respondents 16.78% 16.08% 32.52% 22.73% 11.89%

Very Immature 43.75% 6.25% 25.00% 6.25% 18.75%

Immature 18.75% 25.00% 31.25% 18.75% 6.25%

Average 20.54% 17.86% 34.82% 20.54% 6.25%

Mature 6.82% 13.64% 35.23% 31.82% 12.50%

Very Mature 13.64% 4.55% 18.18% 18.18% 45.45%

Risk Management - Operational

All Respondents 10.84% 15.73% 25.52% 30.07% 17.83%

Very Immature 43.75% 12.50% 12.50% 6.25% 25.00%

Immature 10.20% 26.53% 30.61% 24.49% 8.16%

Average 9.91% 18.02% 31.53% 27.03% 13.51%

Mature 5.68% 10.23% 23.86% 44.32% 15.91%

Very Mature 13.64% 4.55% 0.00% 18.18% 63.64%

Security - Information

All Respondents 6.94% 12.50% 32.29% 30.90% 17.36%

Very Immature 29.41% 17.65% 23.53% 17.65% 11.76%

Immature 14.58% 18.75% 33.33% 27.08% 6.25%

Average 4.39% 14.04% 43.86% 28.07% 9.65%

Mature 3.45% 5.75% 24.14% 41.38% 25.29%

Very Mature 0.00% 13.64% 9.09% 22.73% 54.55%

Security - Physical

All Respondents 6.55% 12.76% 31.72% 29.66% 19.31%

Very Immature 31.25% 25.00% 12.50% 12.50% 18.75%

Immature 6.00% 12.00% 38.00% 28.00% 16.00%

Average 5.26% 14.91% 35.96% 31.58% 12.28%

Mature 4.55% 7.95% 30.68% 32.95% 23.86%

Very Mature 4.55% 13.64% 13.64% 22.73% 45.45%

Senior Management Participation/ Sponsorship

All Respondents 5.19% 11.76% 26.99% 35.29% 20.76%

Very Immature 31.25% 18.75% 18.75% 18.75% 12.50%

Immature 4.00% 28.00% 30.00% 26.00% 12.00%

Average 5.31% 10.62% 39.82% 25.66% 18.58%

Mature 2.27% 3.41% 17.05% 56.82% 20.45%

Very Mature 0.00% 9.09% 0.00% 31.82% 59.09%

Strategic Plan/ Corporate Mission Statement

All Respondents 9.38% 18.75% 28.13% 29.86% 13.89%

Very Immature 37.50% 18.75% 18.75% 18.75% 6.25%

Immature 8.16% 30.61% 30.61% 24.49% 6.12%

Average 10.62% 20.35% 32.74% 24.78% 11.50%

Mature 3.41% 11.36% 26.14% 43.18% 15.91%

Very Mature 9.09% 13.64% 13.64% 22.73% 40.91%


Status of Business Continuity Management Program ~ Multiple Selections Allowed

% of Resp Int’l

Program Status by Program Maturity Rating

Very Immature Immature Average Mature

Very Mature

There are no business continuity and/or IT disaster

recovery plans in place. 0.61% 0.95% 0.27% 0.29% 0.00% 5.12%

Off-site data recovery only. 5.92% 26.67% 7.49% 5.32% 3.37% 6.51%

There are contingency plans in place for IT DR functions

only. 15.96% 39.05% 34.22% 12.48% 10.10% 13.95%

Some departments/divisions have business continuity

plans. 43.34% 62.86% 68.18% 51.84% 24.47% 27.91%

Currently obtaining or have management support and

formulating the BCM program framework to include

contingency strategies, resiliency needs, recovery

objectives, operational and enterprise risk management

and crisis management plans.

39.37% 50.48% 67.38% 46.23% 26.04% 7.44%

Currently conducting BIA or risk assessments. 47.50% 50.48% 60.43% 53.09% 42.87% 15.81%

Currently developing and implementing BC and/or IT DR

plans that meet the needs of the organization. 48.57% 62.86% 68.72% 58.61% 33.33% 21.40%

Currently assessing an Emergency Operations Center. 12.79% 13.33% 25.13% 12.77% 9.32% 5.58%

Currently implementing an Emergency Operations

Center. 15.20% 19.05% 26.20% 14.89% 12.79% 5.58%

A full functioning Emergency Operations Center is in

place. 54.30% 27.62% 27.27% 50.87% 66.22% 81.40%

Policies and procedures are in place to interact and

coordinate with external agencies in times of a disaster. 60.02% 40.00% 34.76% 52.61% 77.22% 78.14%

A Crisis Management process and plan is in place. 79.95% 43.81% 62.03% 80.37% 89.00% 89.30%

A Crisis Communications program is in place. 78.20% 60.00% 53.74% 78.82% 85.07% 98.14%

Considering conducting an enterprise risk assessment for

the board and/ or senior management. 15.88% 31.43% 29.95% 20.21% 5.95% 4.19%

Currently conducting an enterprise risk assessment for

the board and/ or senior management. 17.49% 24.76% 18.45% 13.25% 22.67% 11.16%

Incorporated a full enterprise risk management program

with controls in place to avoid or mitigate potential risks. 35.97% 24.76% 4.81% 33.08% 46.80% 64.65%

Implemented a full functioning, corporate wide BCM

program that meets the organization’s contingency,

resiliency, risk management, emergency management

and crisis management needs.

55.33% 7.62% 23.26% 45.36% 79.91% 80.47%

Implemented an awareness and training program to

promote and educate the entire organization on the BCM

program.

55.56% 26.67% 31.82% 52.22% 68.80% 72.09%

Maintain an assessment and audit schedule of the BCM

program to ensure the program is up to date and

complete.

53.61% 21.90% 31.28% 53.19% 63.30% 69.77%

Maintain an exercise schedule in order to identify new

potential vulnerabilities or weaknesses in the current

BCM program. Analyze findings to elevate the program.

72.78% 21.90% 37.70% 72.63% 88.22% 95.35%

Currently developing a pandemic preparedness policy. 7.48% 10.48% 21.66% 8.32% 2.02% 0.00%

Currently implementing a pandemic preparedness policy. 4.77% 10.48% 6.42% 7.16% 1.80% 0.00%

Please choose all that apply to describe your organization’s curr ent continuity program status under your direction and management. Please check all that apply. (An assessment of USA respondents.) * “% of Resp” column will exceed 100% due to multiple selections.


A full functioning pandemic preparedness policy is in

place. 73.96% 38.10% 41.44% 70.99% 92.59% 85.12%

Currently developing an executive/leadership transition

plan. 16.53% 50.48% 25.94% 21.28% 5.72% 5.58%

Currently implementing an executive/leadership

transition plan. 6.07% 0.00% 0.00% 8.90% 6.40% 4.65%

A full functioning executive/leadership transition is in

place. 34.86% 16.19% 10.70% 26.89% 53.20% 48.37%

Highlighted figures indicate the highest figures in each column by program maturity.

Indicates areas of improvement. Highlighted percent figures represent the highest percent for each selection of program status.

Program Maturity Rating Avg Budget

Avg Total FTE

Avg Total PTE

Avg Number of Disciplines in

Program

Very Immature $251,111 USD 0.94 0.53 5.4

Immature $898,656 USD 3.34 1.28 3.8

Average $1,241,713 USD 2.95 6.02 5.0

Mature $1,924,299 USD 3.76 3.63 5.2

Very Mature $3,850,000 USD 7.43 8.37 4.8

Individual responses for program budgets varied between $1,000 to $50,000,000 USD. Data findings indicate a

correlation between average program budgets and industry, size of company and/or company revenues.

47.78%

20.57%

31.65%

Budgeting of Program Expenses

Program expenses are allocated independently f rom other functions

within the organization.

Program expenses are allocated to other department(s).

Program expenses do NOT have a def ined budget.

An assessment of the average business continuity mana gement budget (approximate/ estimated

expenses spent), average number of dedicated full -time and part-time personnel, average

number of disciplines managed in a program and the average pro gram maturity rating by

country. (An assessment of USA respondents.)

Describe how continuity program expenses are budgeted under your direction and management?

(An assessment of USA respondents.)

Budgeting

Jim Mannion

Highlight


$0

$500,000

$1,000,000

$1,500,000

$2,000,000

$2,500,000

$3,000,000

Program expenses are allocated independently from

other functions within the organization.

Program expenses are allocated to other department(s).

Program expenses do NOT have a defined budget.

$1,515,813

$2,528,585

$805,521

Budgeting of Program Expenses

Budget Line Item % of Resp Include

Budget Item in

Total Budget

% of Total

Budget

Average

Budget Amount

Full Time Internal Staff 73.02% 41.04% $350,335.31

Consultants/ Contractors (Business focus) 36.33% 10.21% $112,146.04

Consultants/ Contractors (IT focus) 30.22% 4.33% $ 67,083.33

Emergency Operations Center (EOC) 33.45% 7.96% $ 70,794.41

Emergency Supplies 41.01% 4.79% $191,179.21

Hardware 38.49% 12.95% $248,674.25

Hot-site/ Outsourced Alternate Site 48.20% 25.19% $368,942.99

Internal Recovery Site 33.09% 9.76% $260,590.45

Software 47.12% 8.98% $ 69,268.20

Notification/ Alerts 52.16% 5.02% $ 35,042.23

Mobile Recovery 26.62% 3.23% $ 25,226.35

DR Technology 35.61% 13.06% $791,648.48

Exercises 65.83% 7.03% $ 74,121.22

Training /Awareness 62.95% 6.90% $ 48,827.90

Travel 59.71% 5.67% $ 59,849.08

Other 18.71% 1.30% $ 31,548.08

Average Total - - $1,531,268 USD*

* All questionable or incomplete budget information was verified by directly contacting the study respondent. Questionable data responses that couldn’t be

confirmed were removed.

“Other” budget line items as noted by study participants: Asset Protection - Global Call Center, E-Notify System, Network , Pandemic supplies, Record Retention .

Table shows a correlation between three different questions. First Question – Please specify

what is accounted for in your annual budget. Please check box if the line item is currently

included in your program budget. Second Question – Please indicate the percent of the overall

program budget for each line item. Third Question – What is your company’s approximate

annual budget for contingency related program expenses? (An assessment of USA respondents.)

* “% of Resp Included Budget Item” column will not 100% due to open/ multiple selections.

* The amount listed in the “Average Budget Amount” column was automatically calculated per study respondent based on the total budget and the

% of total budget for each line item. The average was then calculated for all study respondents.

Jim Mannion

Highlight

Jim Mannion

Highlight

Jim Mannion

Highlight

Jim Mannion

Highlight


Budget Item Increased Decreased Unchanged Not Sure Full Time Internal Staff 24.79% 2.56% 64.96% 7.69%

Consultants/ Contractors (Business focus) 17.19% 14.06% 62.50% 6.25%

Consultants/ Contractors (IT focus) 9.09% 20.45% 54.55% 15.91%

Emergency Operations Center (EOC) 12.24% 2.04% 85.71% 0.00%

Emergency Supplies 8.57% 2.86% 87.14% 1.43%

Hardware 22.22% 6.35% 53.97% 17.46%

Hot-site/ Outsourced Alternate Site 24.44% 8.89% 60.00% 6.67%

Internal Recovery Site 15.22% 4.35% 67.39% 13.04%

Software 14.13% 6.52% 71.74% 7.61%

Notification/ Alerts 13.19% 2.20% 82.42% 2.20%

Mobile Recovery 4.17% 8.33% 75.00% 12.50%

DR Technology 30.36% 1.79% 50.00% 17.86%

Exercises 15.11% 3.60% 77.70% 3.60%

Training /Awareness 16.42% 2.99% 76.87% 3.73%

Travel 22.88% 10.17% 62.71% 4.24%

Other 40.00% 20.00% 40.00% 0.00%

Average % 17.44% 5.76% 70.07% 6.73%

Budget Item Increased Decreased Full Time Internal Staff 9.41% 40.00%

Consultants/ Contractors (Business focus) 6.50% 25.71%

Consultants/ Contractors (IT focus) 1.00% 18.57%

Emergency Operations Center (EOC) 40.67% 5.00%

Emergency Supplies 8.40% 75.00%

Hardware 9.25% 3.50%

Hot-site/ Outsourced Alternate Site 10.00% 5.00%

Internal Recovery Site 23.33%

Software 4.88% 27.75%

Notification/ Alerts 13.90% 80.00%

Mobile Recovery 3.00% 100.00%

DR Technology 11.83%

Exercises 8.67% 16.25%

Training /Awareness 18.38% 20.00%

Travel 12.33% 19.33%

Other 7.00% 5.00%

Please specify budget revisions for the next year for each budget line item – Increase, Decrease,

Remain the Same, or Not Sure. (An assessment of USA respondents.)

For each line item, if the budget increased or decreased then what percent do you anticipate the

budget for that line item to increase or decrease? (An assessment of USA respondents.)


Individual responses for number of full-time, dedicated personnel to the program varied between 1 and 350.

Individual responses for number of full-time, dedicated personnel to the Business Continuity Planning varied

between 1 and 23. 53% of the respondents indicated having 1 or more full-time, dedicated personnel headcount

under their direct management and supervision. Data findings indicate a correlation between number of dedicated

personnel and industry, size of company and/or company revenues.

Disciplines – Current Personnel Minimum

FTE Avg FTE

Maximum FTE

Avg PTE % of Resp

Multi-Discipline 1 7.21 350 12.26 88.52%

Audit 1 1.63 3 6.67 5.47%

Business Continuity Process (Business Focus)

1 2.58 23 7.44 52.58%

Compliance 1 1.42 3 2.22 9.38%

Crisis Management 1 1.9 6 4.6 28.83%

Disaster Recovery Process (IT Focus) 1 2.26 7 13.15 21.02%

Emergency Management 1 2.01 12 3.54 27.89%

Facilities Management 1 1.61 3 1.25 3.98%

Health & Safety – Occupational 1 11.50 22 1.33 5.78%

Health & Safety - Environmental 1 1.5 3 1.33 5.16%

Information Technology 1 2.67 10 52 6.09%

Pandemic Planning 1 1.95 8 5.89 29.45%

Records Management 1 1.44 5 4.75 5.39%

Risk Management – Enterprise 1 1.13 3 2.33 8.05%

Risk Management – Insurance 1 1.06 2 3.00 0.94%

Risk Management – Operational 1 1.43 4 1.67 11.02%

Security – Information 1 2.63 6 53.67 3.91%

Security – Physical 1 33.93 300 49.25 9.45%

Other 1 2.88 9 1.5 3.91%

Average Total 11.64 24.64

Average number of discipline FTE and PTE staff is the average only for those study respondents that indicated managing that specific discipline in their

program and having staff dedicated to that discipline.

Personnel

Table shows a correlation between two different questions. First Question – Please specify all

the disciplines that you personally manage. Select all that apply. Second Question - If you

personally manage more than one discipline within your program, please indicate how many

full-time employees (FTE) and/ or part-time employees (PTE) you have dedicated to your

continuity program? Please confirm that the number below is the total FTE and PTE headcount

for all locations under your direction and management. (Auto-sum function built into study.)

(An assessment of USA respondents.)


18%

32%

50%

Hiring in the Next Year

Yes

No

Not Sure

Disciplines – Hiring Personnel Avg FTE Avg PTE % of Resp Multi-Discipline 3.30 1.46 67.70%

Audit 2.00 1.00 2.33%

Business Continuity Process (Business Focus) 1.25 1.14 33.85%

Compliance 1.33 1.00 5.84%

Crisis Management 1.00 1.00 19.07%

Disaster Recovery Process (IT Focus) 1.44 1.00 13.62%

Emergency Management 1.00 1.00 15.95%

Facilities Management 1.00 0.00 2.72%

Health & Safety – Occupational 0.00 0.00 3.50%

Health & Safety - Environmental 0.00 0.00 1.95%

Information Technology 1.00 0.00 3.89%

Pandemic Planning 0.00 0.00 18.68%

Records Management 0.00 0.00 3.50%

Risk Management – Enterprise 1.00 1.00 2.33%

Risk Management – Operational 0.00 1.00 4.67%

Security – Information 0.00 0.00 1.95%

Security – Physical 1.00 0.0 4.67%

Other 1.00 1.00 2.72%

Average Total 3.31 1.40

Average number of discipline FTE and PTE staff of anticipated hires is the average only for those study respondents that indicated managing that specific

discipline in their program and having staff dedicated to that discipline.

Table shows a correlation between two different questions. First Question – Please specify all

the disciplines that you personally manage. Select all that apply. Second Question - If you

personally manage more than one discipline within your program, please indicate how many

full-time employees (FTE) and/ or part-time employees (PTE) dedicated to the continuity

program you plan to hire in the next year? Please confirm that the number below is the total

number of proposed new personnel for all locations under your direction and management.

(Auto-sum function built into study.) (An assessment of USA respondents.)


Will you be reducing your full-time dedicated continuity program staff in the next year under

your direction and management? (An assessment of USA respondents.)

If yes, what are the reasons for reducing your dedicated contin uity program staff in the next

year? Please select all that apply. (An assessment of USA respondents.) * Total percent may exceed 100% due to multiple selections.


Department Owner % of Resp

Program Best Situated for Maximum Visibility

Considering a Different

Department Owner?

Strongly disagree Disagree Neutral Agree

Strongly agree Yes No

Assurance/ Compliance 1.37% 0.00% 50.00% 0.00% 50.00% 0.00% 25.00% 75.00%

Audit - Internal 1.37% 25.00% 0.00% 50.00% 25.00% 0.00% 25.00% 75.00%

Business Continuity Office 16.04% 14.89% 4.26% 17.02% 34.04% 29.79% 17.02% 82.98%

Corporate Offices 5.46% 12.50% 6.25% 37.50% 18.75% 25.00% 6.25% 93.75%

Emergency/ Crisis Management 5.46% 0.00% 6.25% 18.75% 31.25% 43.75% 0.00% 100.00%

Facilities Management 3.07% 22.22% 22.22% 33.33% 0.00% 22.22% 0.00% 100.00%

Finance 3.41% 10.00% 10.00% 10.00% 50.00% 20.00% 20.00% 80.00%

Human Resources 1.37% 0.00% 25.00% 50.00% 25.00% 0.00% 25.00% 75.00%

Information Technology 26.28% 18.42% 21.05% 26.32% 22.37% 11.84% 19.48% 80.52%

Legal Counsel 1.37% 0.00% 33.33% 66.67% 0.00% 0.00% 75.00% 25.00%

Operations 5.12% 6.67% 13.33% 33.33% 20.00% 26.67% 6.67% 93.33%

Program Management Office 2.39% 14.29% 28.57% 42.86% 0.00% 14.29% 28.57% 71.43%

Risk Management 8.87% 3.85% 15.38% 3.85% 34.62% 42.31% 3.85% 96.15%

Security – Information 7.51% 22.73% 22.73% 18.18% 22.73% 13.64% 4.55% 95.45%

Security – Physical 4.78% 0.00% 14.29% 28.57% 50.00% 7.14% 14.29% 85.71%

Strategic Planning 0.34% 0.00% 0.00% 0.00% 100.00% 0.00% 0.00% 100.00%

Individual business units 1.37% 25.00% 50.00% 0.00% 25.00% 0.00% 25.00% 75.00%

Other 4.44% 7.69% 0.00% 15.38% 46.15% 30.77% 23.08% 76.92%

Highlighted figures indicate the highest figures by row of department owner.

Indicates the top three department owners by percent of respondents.

Indicates the top percent of study respondents who indicted “strongly disagree” for program organizational reporting structure.

Indicates the top percent of study respondents who indicted “strongly agree” for program organizational reporting structure.

“Other” Department Owners as noted by study participants: Administrative Operations, Business Quality Office, Chief Executive Officer, Compliance, Fire, Office of the CEO , Physical Security, Business Continuity,

Crisis & Emergency Management, Procurement and Administration, Quality Management , Risk and Compliance Management , Safety /Loss Control, Senior management , Technology Chief Information Officer

Organizational Reporting Structure

Table shows a correlation between three different questions. First Question - Which department

best describes the reporting structure of your program under your direction and management?

Please select the best response from the following departments. Second Question – Under the

current department ownership, do you agree that the continuity prog ram is best situated within

your organization for maximum visibility? Selection choices include strongly disagree, disagree,

neutral, agree and strongly agree. Third Question - Is your organization considering a different

department owner for the continuity program to maximize visibility? (An assessment of USA

respondents.)

Jim Mannion

Highlight


Department Owner Very

Immature Immature Average Mature Very

Mature

Assurance/ Compliance 5.88% 2.00% 0.00% 2.27% 0.00%

Audit - Internal 0.00% 2.00% 1.72% 1.14% 0.00%

Business Continuity Office 5.88% 12.00% 13.79% 20.45% 27.27%

Corporate Offices 5.88% 4.00% 5.17% 4.55% 13.64%

Emergency/ Crisis

Management 0.00% 6.00% 5.17% 7.95% 0.00%

Facilities Management 5.88% 6.00% 2.59% 1.14% 4.55%

Finance 0.00% 2.00% 5.17% 2.27% 4.55%

Human Resources 0.00% 2.00% 1.72% 1.14% 0.00%

Information Technology 47.06% 20.00% 24.14% 28.41% 27.27%

Legal Counsel 0.00% 2.00% 0.86% 2.27% 0.00%

Operations 5.88% 4.00% 4.31% 5.68% 9.09%

Program Management

Office 0.00% 4.00% 3.45% 1.14% 0.00%

Risk Management 5.88% 10.00% 10.34% 7.95% 4.55%

Security – Information 5.88% 8.00% 9.48% 4.55% 9.09%

Security – Physical 5.88% 10.00% 4.31% 3.41% 0.00%

Strategic Planning 0.00% 0.00% 0.86% 0.00% 0.00%

Individual business units 0.00% 2.00% 1.72% 1.14% 0.00%

Other 5.88% 4.00% 5.17% 4.55% 0.00%

Highlighted figures indicate the highest figures for each department owner by row.

If you are not considering a different department owner for the continuity program, which

department(s) would you prefer? Select all that apply. (An assessment of USA respondents.) - Total percent will exceed 100% due to multiple selections.

Table shows a correlation between two different questions. First Question - Which department

best describes the reporting structure of your program under your direction and managem ent?

Please select the best response from the following departments. Second Question – In your

opinion, how would you rate the maturity of your program? Please rate on a scale of 1 to 5 with

1 meaning VERY IMMATURE and 5 meaning VERY MATURE. (An assessment of USA respondents.)


If you are considering a different department owner for the continuity program, which

department(s) is being considered? Select all that apply . (An assessment of USA respondents.) - Total percent will exceed 100% due to multiple selections.

Program Sponsorship

Please specify by job title who is totally engaged and sponsoring the continuity program

functions. Please select the best response. (An assessment of USA respondents.)

Jim Mannion

Highlight


Program Sponsor Very

Immature Immature Average Mature Very

Mature Board/ General Council/ Executive Committee

11.76% 7.84% 4.24% 15.22% 9.09%

President 17.65% 5.88% 2.54% 2.17% 0.00%

CEO – Chief Executive Officer

0.00% 0.00% 5.93% 9.78% 13.64%

CIO/ CTO – Chief Information Officer/ Chief Technology Officer

23.53% 21.57% 16.95% 19.57% 22.73%

CSO/ CISO – Chief Security Officer/ Chief Information Security Officer

0.00% 5.88% 5.08% 3.26% 4.55%

CFO – Chief Financial Officer

0.00% 9.80% 9.32% 9.78% 13.64%

COO – Chief Operating Officer

0.00% 5.88% 6.78% 9.78% 13.64%

CAO – Chief Administrative Officer

0.00% 0.00% 3.39% 1.09% 4.55%

CRO – Chief Risk Officer

5.88% 3.92% 8.47% 0.00% 4.55%

CCO – Chief Compliance Officer

5.88% 5.88% 1.69% 2.17% 0.00%

CCO – Chief Continuity Officer

0.00% 1.96% 0.00% 1.09% 0.00%

Other Chief Title 0.00% 0.00% 2.54% 0.00% 0.00%

Executive VP, Executive Director, General Manager

0.00% 0.00% 5.93% 6.52% 4.55%

Senior VP, Senior Director, Senior Manager

0.00% 13.73% 9.32% 5.43% 4.55%

VP/ Director 11.76% 7.84% 10.17% 6.52% 0.00%

Assistant VP, Assistant Director, Manager

5.88% 1.96% 1.69% 2.17% 4.55%

Specialist, Coordinator, Planner

0.00% 1.96% 3.39% 3.26% 0.00%

Other 17.65% 5.88% 2.54% 2.17% 0.00%

Highlighted figures indicate the highest figures for each sponsor by row.

Table shows a correlation between two different questions. First Question - Please specify by job

title who is totally engaged and sponsoring the continuity program functions. Please select the

best response. Second Question – In your opinion, how would you rate the maturity of your

program? Please rate on a scale of 1 to 5 with 1 meaning VERY IMMATURE and 5 meaning VERY

MATURE. (An assessment of USA respondents.)


Sponsoring Job Title

How is Engaged is this Individual?

1 – Very Little Involvement 2 3 4

5 – Very Involved

Board/ General Council/ Executive Committee 3.70% 14.81% 25.93% 29.63% 25.93%

President 9.09% 9.09% 18.18% 18.18% 45.45%

CEO – Chief Executive Officer 5.26% 15.79% 5.26% 42.11% 31.58%

CIO/ CTO – Chief Information Officer/ Chief Technology Officer 1.72% 10.34% 17.24% 39.66% 31.03%

CSO/ CISO – Chief Security Officer/ Chief Information Security Officer 7.69% 0.00% 15.38% 38.46% 38.46%

CFO – Chief Financial Officer 3.57% 14.29% 35.71% 32.14% 14.29%

COO – Chief Operating Officer 4.35% 8.70% 30.43% 39.13% 17.39%

CAO – Chief Administrative Officer 0.00% 0.00% 33.33% 33.33% 33.33%

CRO – Chief Risk Officer 0.00% 14.29% 21.43% 35.71% 28.57%

CCO – Chief Compliance Officer 0.00% 37.50% 0.00% 25.00% 37.50%

CCO – Chief Continuity Officer 0.00% 0.00% 0.00% 50.00% 50.00%

Other Chief Title 0.00% 0.00% 33.33% 0.00% 66.67%

Highlighted figures indicate the highest figures for each sponsor by row.

Level of Separation from Executive Committee

% of Resp

Program Best Situated for Maximum Visibility

Considering a Different Level of

Sponsorship?

Strongly disagree Disagree Neutral Agree

Strongly agree Yes No

0 48.66% 5.52% 7.59% 12.41% 33.10% 41.38% 4.14% 95.86%

1 29.53% 7.95% 19.32% 20.45% 36.36% 15.91% 7.95% 92.05%

2 12.08% 22.22% 22.22% 25.00% 27.78% 2.78% 22.22% 77.78%

3 5.70% 5.88% 47.06% 35.29% 11.76% 0.00% 11.76% 88.24%

4 2.68% 25.00% 12.50% 62.50% 0.00% 0.00% 0.00% 100.00%

5 0.67% 0.00% 0.00% 100.00% 0.00% 0.00% 50.00% 50.00%

6+ 0.67% 0.00% 0.00% 50.00% 0.00% 50.00% 0.00% 100.00%

Highlighted figures indicate the highest figures for each level of separation by row.

If the program is being sponsored by a Chief Officer or above, is this person really engaged in

your opinion? Rate on a scale of 1 to 5 with 1 meaning Very Little Involvement and 5 meaning

Very Involve. (An assessment of USA respondents.)

Table shows a correlation between three different questions. First Question – What is the level

of separation from the Executive Committee for this individual? Selection choices include 0 to

6+. Second Question – Based on the current level of separation from the Executive Committee,

do you agree that the continuity program is best situated within your organization for maximum

visibility? Selection choices include strongly disagree, disagree, neutral, agree and strongly

agree. Third Question - Is your organization considering a different level of sponsorship for the

continuity program to maximize visibility? (An assessment of USA respondents.)


If you are not considering a different level of separation from the Executive Committee for the

continuity program, which level of separation would you prefer? (An assessment of USA

respondents.)

If you are considering a different level of separation from the Executive Committee for the

continuity program, to the best of your knowledge, what level of separation from the Executive

Committee is being considered? (An assessment of USA respondents.)


Review & Update the BIA – Critical Processes


Very Mature

Every six months 17.65% 43.14% 48.28% 50.56% 36.36%

Annually 11.76% 1.96% 7.76% 8.99% 13.64%

Every other year 5.88% 19.61% 15.52% 19.10% 27.27%

Every three years 5.88% 9.80% 10.34% 10.11% 9.09%

Less often than three years 11.76% 9.80% 10.34% 10.11% 13.64%

Never 47.06% 15.69% 7.76% 1.12% 0.00%

Highlighted figures indicate the highest figures for each row.

Program Assessment & Exercising Plans

How often does your company review and update the BIA for organizational processes dee med

critical and non-critical? (An assessment of USA respondents.)

Table shows a correlation between two different questions. First Question - How often does your

company review and update the BIA for organizational processes deemed critical? Second

Question – In your opinion, how would you rate the maturity of your program? Please rate on a

scale of 1 to 5 with 1 meaning VERY IMMATURE and 5 mea ning VERY MATURE. (An assessment

of USA respondents.)


Review & Update the BIA – Non-Critical Processes


Very Mature

Every six months 12.50% 30.00% 39.66% 37.50% 27.27%

Annually 0.00% 0.00% 1.72% 5.68% 4.55%

Every other year 0.00% 18.00% 19.83% 21.59% 36.36%

Every three years 6.25% 10.00% 10.34% 7.95% 0.00%

Less often than three years 6.25% 12.00% 17.24% 15.91% 22.73%

Never 75.00% 30.00% 11.21% 11.36% 9.09%


In your opinion, does your organization leverage the outcome of the BIA and/ or risk

assessments to elevate the program? Please rate on a scale of 1 to 5 with 1 meaning Strongly

Disagree and 5 meaning Strongly Agree. (An assessment of USA respondents.)

Table shows a correlation between two different questions. First Question - How often does your

company review and update the BIA for organizational processes deemed non-critical? Second

Question – In your opinion, how would you rate the maturity of your program? Please rate on a

scale of 1 to 5 with 1 meaning VERY IMMATURE and 5 meaning VERY MATURE. (An assessment

of USA respondents.)


Never Daily Weekly Monthly Quarterly Twice a

year Annually

Every other year

Less than every other

year

Mission Critical IT Assets

1.19% 0.79% 0.79% 2.78% 14.29% 22.22% 53.57% 3.17% 1.19%

Mission Critical Business Functions

1.97% 0.00% 0.00% 1.57% 7.87% 16.54% 63.78% 5.12% 3.15%

Less Critical IT Assets

17.74% 0.40% 0.00% 0.81% 3.23% 7.26% 36.69% 17.34% 16.53%

Less Critical Business Functions

17.00% 0.40% 0.00% 0.40% 2.37% 5.93% 42.29% 17.39% 14.23%

Highlighted figures indicate the highest figures for each column.

Do you exercise your program? (An assessment of USA respondents.)

How often do you exercise plans for Mission Critical IT Assets, Mission Critical Business

Functions, Less Critical IT Assets and Less Critical Business Functions? (An assessment of USA

respondents.)


Testing Plans – Mission Critical IT Assets


Very Mature

Daily 0.00% 0.00% 0.00% 1.19% 5.00%

Weekly 0.00% 0.00% 0.96% 1.19% 0.00%

Monthly 0.00% 0.00% 3.85% 3.57% 0.00%

Quarterly 11.11% 14.29% 16.35% 9.52% 25.00%

Twice a year 11.11% 14.29% 20.19% 25.00% 40.00%

Annually 77.78% 62.86% 50.00% 57.14% 30.00%

Every other year 0.00% 5.71% 4.81% 1.19% 0.00%

Less than every other year 0.00% 2.86% 1.92% 0.00% 0.00%

Never 0.00% 0.00% 1.92% 1.19% 0.00%


Testing Plans – Mission Critical Business Functions


Very Mature

Daily 0.00% 0.00% 0.00% 0.00% 0.00%

Weekly 0.00% 0.00% 0.00% 0.00% 0.00%

Monthly 0.00% 0.00% 1.90% 1.20% 4.76%

Quarterly 0.00% 5.56% 8.57% 4.82% 23.81%

Twice a year 11.11% 19.44% 12.38% 19.28% 23.81%

Annually 66.67% 61.11% 65.71% 67.47% 42.86%

Every other year 0.00% 5.56% 4.76% 6.02% 4.76%


Never 22.22% 2.78% 1.90% 0.00% 0.00%

Table shows a correlation between two different questions. First Question - How often do you

exercise plans for Mission Critical IT Assets? Second Question – In your opinion, how would you

rate the maturity of your program? Please rate on a scale of 1 to 5 with 1 meaning VERY

IMMATURE and 5 meaning VERY MATURE. (An assessment of USA respondents.)


exercise plans for Mission Critical Business Functions? Second Question – In your opinion, how

would you rate the maturity of your program? Please rate on a scale of 1 to 5 with 1 meaning

VERY IMMATURE and 5 meaning VERY MATURE. (An assessment of USA respondents.)



Testing Plans – Less Critical IT Assets


Very Mature

Daily 0.00% 0.00% 0.00% 1.20% 0.00%

Weekly 0.00% 0.00% 0.00% 0.00% 0.00%

Monthly 0.00% 0.00% 0.98% 1.20% 0.00%

Quarterly 0.00% 2.94% 0.98% 2.41% 20.00%

Twice a year 0.00% 11.76% 7.84% 2.41% 20.00%

Annually 33.33% 26.47% 36.27% 43.37% 30.00%

Every other year 22.22% 17.65% 10.78% 24.10% 20.00%


Never 33.33% 20.59% 20.59% 14.46% 5.00%


Testing Plans – Less Critical Business Functions


Very Mature

Daily 0.00% 0.00% 0.00% 1.19% 0.00%

Weekly 0.00% 0.00% 0.00% 0.00% 0.00%

Monthly 0.00% 0.00% 0.97% 0.00% 0.00%

Quarterly 0.00% 2.78% 0.97% 0.00% 19.05%

Twice a year 0.00% 2.78% 7.77% 2.38% 19.05%

Annually 33.33% 33.33% 42.72% 50.00% 28.57%

Every other year 22.22% 16.67% 13.59% 21.43% 19.05%


Never 44.44% 33.33% 16.50% 10.71% 4.76%


exercise plans for Less Critical IT Assets? Second Question – In your opinion, how would you

rate the maturity of your program? Please rate on a scale of 1 to 5 with 1 meaning VERY

IMMATURE and 5 meaning VERY MATURE. (An assessment of USA respondents.)


exercise plans for Less Critical Business Functions? Second Question – In your opinion, how

would you rate the maturity of your program? Please rate on a scale of 1 to 5 with 1 meaning

VERY IMMATURE and 5 meaning VERY MATURE. (An assessment of USA respondents.)



What type of scenarios have you implemented to exercise your plans? Select all that apply. (An

assessment of USA respondents.) - Total percent will exceed 100% due to multiple selections.

How often do your internal audit department and external auditor review your program? (An

assessment of USA respondents.)


0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

Internal Audit of Program by Program Maturity

Very Immature

Immature

Average

Mature

Very Mature

0%

10%

20%

30%

40%

50%

60%

External Audit of Program by Program Maturity

Very Immature

Immature

Average

Mature

Very Mature

Table shows a correlation between two differen t questions. First Question - How often do

Internal Auditors review your program? Second Question – In your opinion, how would you rate

the maturity of your program? Please rate on a scale of 1 to 5 with 1 meaning VERY IMMATURE

and 5 meaning VERY MATURE. (An assessment of USA respondents.)

Table shows a correlation between two different questions. First Question - How often do

External Auditors review your program? Second Question – In your opinion, how would you rate

the maturity of your program? Please rate on a scale of 1 to 5 with 1 meaning VERY IMMATURE

and 5 meaning VERY MATURE. (An assessment of USA respondents.)


Recovery Time

When a critical system fails, what is your contingency program’s point of failure to poin t of

availability/ up time for the service? (An assessment of USA respondents.)

What is your estimated financial loss per hour for every hour of downtime? Please consider all

potential losses.. (An assessment of USA respondents.)

Jim Mannion

Highlight


Third Party Hot-Site/ Alternate Site Providers % of Resp Agility Recovery Solutions 6.86%

AT&T 16.18%

CoSentry 2.94%

Dell 8.33%

DRS 0.98%

EDS 4.41%

Equinix, Inc. 2.94%

Fujitsu 4.41%

Hewlett-Packard 17.16%

Hitachi 4.41%

Hosted Continuity 2.45%

IBM 33.33%

Infosys 1.96%

Iron Mountain 15.20%

Qwest 1.96%

Recovery Point Systems 0.98%

Rentsys 6.37%

SunGard 60.78%

Wanbishi 0.98%

Technology Recovery Solutions

Do you contract with a third-party hot site/ alternate site technology recovery vendor under

your direction and management? (An assessment of USA respondents.)

.

If yes, who is your third party hot-site/ alternate site technology recovery vendor? Select all

that apply. (An assessment of USA respondents.) - Total percent may exceed 100% due to multiple selections.


Wipro Technologies/ Infocrossing 0.98%

Other 31.86%

Other Responses for Hot-Site/ Alternate Site Providers: A vendor we work with in Chennai India; ACS, CyrusOne; Amazon Cloud Services; Another State Agency; Another state agency; Arise, Live Ops; Bankup;

CDW, Insight; COLO5; CSX; Cervalis and ColoSpace; Cervalis; CoSentry; DBSI & own hotsite; DBSi; DRS; EMC, RecoveryPlanner; Expediant; Fibertown;

Hewlett-Packard; IBM; Iron Mountain ; Mutual Agreement with other utility; NEMRIC; National Modular Bank Buildings, Watermark Restoration Inc, Fuel

Specialties; Northrop Grumman; Peak 10; Pitney Bowes; Presidio; Qwest ; Regus; Rentsys; State of Wisconsin and TW Telecom; SunGard; TBD; Tonaquint

Data Center (St George, Utah); Verzion ; Wipro Technologies/ Infocrossing; cannot disclose; confidential; others; prefer not to identify; savvis;

verizon/terremark;

If currently utilizing a third party hot-site/ alternate site for your technology recovery solution,

are you considering an internal recovery capability? (An assessment of USA respondents.)

Have you changed your technology recovery solution in the last two years? (An assessment of USA

respondents.) (An assessment of USA respondents.)


Technology Solution Being Considered % of Resp Estimated Average Budget Exclusively at vendor location 8.26% $8,733,333.00

Mixed solution between multiple vendors 10.09% $5,695,000.00

Mixed solution between vendor (s) and internal recovery solution 41.28% $3,363,235.00

Internal solutions at primary site 11.01% $1,193,333.00

Internal solutions at alternate site 29.36% $4,423,240.00

If yes, what was your previous technology recovery solution? (An assessment of USA

respondents.)

Are you considering a change to your technology recovery solution in the next year? (An

assessment of USA respondents.)

If yes, please select all technology solutio ns you are considering. To the best of your ability,

please indicate the budget amount being considered. (An assessment of USA respondents.) *Total percent will exceed 100% due to multiple selections.


Cloud Computing

Is your company considering cloud computing in the next year? (An assessment of USA

respondents.)

If yes, please rate the following in your decision making process. (An assessment of USA

respondents.)


Consulting Initiatives

How many contractors do you currently employ for your program under your direction and

management? (An assessment of USA respondents.)

If yes, what is the length of the contract for the longest contractor? (An assessment of USA

respondents.)


Consulting Work in the Next Year % of Respondents

Assessment

BIA 37.33%

Facility Evaluation 28.00%

Gap analysis 45.33%

None/does not apply 13.33%

Other 13.33%

Risk Assessment 44.00%

Technical 36.00%

Compliance/ Standard

BASEL II 2.67%

BS 31100 (Risk Management) 4.00%

BS25777 4.00%

BS25999 Part 2 Business Continuity Management Systems 17.33%

COBIT 10.67%

DRI International Professional Practices 33.33%

FFIEC 14.67%

Good Practice Guidelines 2008 (BCI) 9.33%

Gramm Leach Bliley Act (GLBA) 8.00%

HIPAA 20.00%

Hong Kong Monetary Authority 1.33%

ISO 20000 IT Service Management 5.33%

ISO 27001 Information Security 6.67%

ISO 9000 Fundamentals and Vocabulary of Quality Systems 1.33%

ISO 9001 Quality Management 2.67%

Joint Commission (Hospitals) 8.00%

Local Banking Superintendency Requirement 1.33%

NFPA 1600 33.33%


Will you be engaging in consulting work in the next year for your program under your direction

and management? (An assessment of USA respondents.)

What consulting initiatives are you planning in the next year in regards to ASSESSMENT,

COMPLIANCE/ STANDARD, BC PROGRAM, DR PROGRAM AND GENERAL MANAGEMENT OF

PROGRAM? (An assessment of USA respondents.)

.


OSHA Compliance 13.33%

Other 25.33%

Patriot Act 5.33%

Sarbanes Oxley 21.33%

SEC Regulations 5.33%

Title IX 2.67%

BC Program (Business Processes)

Awareness 49.33%

Crisis Mgt (Emergency Operations Center) 32.00%

Development 42.67%

Documentation 44.00%

Emergency Management 32.00%

Exercise 58.67%

Implementation 37.33%


Other 2.67%

Pandemic Planning 18.67%

DR Program (IT Processes)

Back-up/Resiliency 36.00%

Development 28.00%

Documentation 32.00%

Exercise 42.67%

High availability/ Operational Resilience 37.33%

Implementation 25.33%


Other 2.67%

General Continuity Consulting

BCM Policy 28.00%

Customer Training 17.33%

Electronic Risk 9.33%

Executive Buy-in 28.00%

Media/ Event Planning 6.67%


Operational Risk 25.33%

Other 2.67%

Project Management 32.00%

Recommendations 30.67%

Software Implementation 33.33%

Software Support 17.33%

Software Upgrade 16.00%

Strategic Planning 38.67%

Vendor Assessment 18.67%

Other Consulting Initiatives for the Next Year:

Assessment Work - Crisis Management/Response, DR Exercise Evaluation/Plan Audit, Just completed a BIA last month, Pandemic Planning, Plan evaluation,

Program Development Support, Reports, Training – software, cost of downtime, no consulting

Compliance/ Standard Work – ASIS/BSI BCM standard, Australian Business Continuity Standard AS/NZS 5050:2010, CIP-009, Commonwealth of Virginia

VDEM COOP Planning Manual, FINRA, HITRUST, Not determined at this time

Other BC Program (Business Processes) Work – Integration of…

Other DR Program (IT Processes) Work – IT Security, no consulting

Other General Continuity Consulting Work – Software Support, Software Upgrade, Testing, Vendor Assessment , no consulting


Software Providers % of Resp

21st Century Software DR/VFI 10.57%

Archer Technologies Archer SmartSuite Framework 6.17%

Business Protection Systems Int’l Business Protector 1.76%

CAPS Business Recovery Services CAPS BIA 0.88%

CAPS Recovery Planner 1.32%

COOP Systems myCOOP 6.0 3.52%

CPACS, LLC RecoveryPAC Full 0.88%

Crisis Management Software, LCC Crisis Commander 1.32%

eBRP Solutions Inc. Toolkit Suite 0.44%

ESi

Web EOC Professional 7.0 11.01%

Web EOC Air 3.08%

Web EOC FUSION 3.08%

Web EOC – Hospitals 3.08%

Web EOC Mapper Professional 4.85%

Web EOC Resource Manager 4.85%

Evergreen Data Continuity, Inc Mitigator 0.88%

NC4 E-TEAM 4.85%

Office Shadow Shadow-Planner 0.44%

Paradigm Solutions OpsPlanner 0.44%

RecoveryPlanner.com RPX 2.20%

SunGard BIA Professional 36.12%

Incident Manager, powered by Web EOC 4.85%

Vendor Utilization

Do you utilize software planning tools to assist with your Business Continuity Management

program initiatives under your direction and management? (An assessment of USA respondents.)

If yes, which software tool(s) do you utilize? Select all that apply. (An assessment of USA

respondents.) - Total percent may exceed 100% due to multiple selections.


LDRPS 56.39%

Paragon 3.96%

PLANet 0.44%

Tamp Systems (DRS) Disaster Recovery System 0.44%

Virtual Corporation Sustainable Planner 6.61%

Non-BCP Focused Packages (Word, Excel or Sharepoint) 19.38%

In-house/Internally Developed Tool In-house/ Internally Developed Tool 13.22%

Other Other 7.93%

Other Responses for Software Providers: BOLD Planning solutions EMPLANS software, Currently choosing, EnterPlan, Fusion, Fusion Risk Management, Global "AlertLink, Global AlertLink, Kuali

Ready, Living Disaster Recovery Planning System, MIR3, Waypoint, Web Planner

Software Providers Being Considered in the Next Year % of Resp

Avg Budget

21st Century Software DR/VFI 23.14% $200,000.00

Archer Technologies Archer SmartSuite Framework 38.02% $165,000.00

Business Protection Systems Int’l Business Protector 28.93% $150,000.00

CAPS Business Recovery Services CAPS BIA 23.14% $200,000.00

CAPS Recovery Planner 23.14% $200,000.00

Contingency Planning & Outsourcing, Inc CPOtracker 32.23% $ 73,333.33

COOP Systems myCOOP 6.0 52.89% $ 78,571.43

CPACS, LLC

RiskPAC 23.14% $200,000.00

RecoveryPAC Full 23.14% $200,000.00

RecoveryPAC Web 23.14% $200,000.00

Crisis Management Software, LCC Crisis Commander 23.14% $200,000.00

eBRP Solutions Inc. Toolkit Suite 38.84% $ 88,200.00

If not currently utilizing a software tool, are you considering in the next year? If yes, to the best

of your ability, please indicate the budget amount being considered and which software tools

are being considered. (An assessment of USA respondents.)


ESi Web EOC Professional 7.0 11.57% $300,000.00

Evergreen Data Continuity, Inc Mitigator 4.96% $ 25,000.00

LBL Technology Partners LBL Contingency Planner (client/server based) 23.14% $200,000.00

ContingencyPro (web based) 23.14% $200,000.00

Linus Information Security Solutions Revive 23.14% $200,000.00

NC4 E-TEAM 5.79% $100,000.00

Office Shadow Shadow-Planner 25.62% $200,000.00

Paradigm Solutions OpsPlanner 36.36% $116,666.67

Protiviti PACEmaker 23.14% $200,000.00

RecoveryPlanner.com RPX 47.11% $ 73,000.00

SunGard

BIA Professional 33.06% $103,333.33

EPlanner 4.96%

Incident Manager, powered by Web EOC 6.61% $ 50,000.00

LDRPS 56.20% $215,714.29

Paragon 9.92% $100,000.00

PLANet 32.23% $ 86,666.67

Tamp Systems (DRS) Disaster Recovery System 35.54% $ 81,250.00

Virtual Corporation Sustainable Planner 39.67% $ 91,250.00

Non-BCP Focused Packages (Word, Excel or Sharepoint) 34.71% $ 79,166.67

In-house/Internally Developed Tool In-house/ Internally Developed Tool 42.15% $ 56,250.00

Other Other 2.48% $ 40,000.00

Do you utilize automated emergency notification tools to assist with your Business Continuity

Management program initiatives under your direction and management? (An assessment of USA

respondents.)


Automated Notification Providers % of Resp

3N 3n InstaCom Enterprise 3.02%

AMCOM e.Notify 1.29%

DCC- Dialogic Communications Corp. The Communicator! NXT 4.31%

Dell Message One AlertFind 13.36%

ESi WebEOC – MIR3 interface 2.43%

MIR3

inEnterprise 0.86%

inAlertCenter 8.19%

inCampusAlert 2.16%

inTechCenter 1.29%

inConnect 2.59%

inWebServices 1.29%

TelAlert 6e 1.72%

TelAlert Failover Support 1.72%

TelAlert Massaging Server 1.72%

TelAlert Voice Server 1.72%

Mission Mode Emergency Notification Alert System 1.29%

PlantCML REVERSE 911 1.29%

Rapid Notify Emergency Notification Services 2.16%

Send Word Now SWN Alert Service 12.50%

SunGard NotiFind, powered by Varolli 15.52%

Paragon Notifications 1.72%

Twenty First Century Communications Crisis Communications Systems (CRISCOM) 1.72%

Varolii

First Responder Communications 1.72%

Enterprise Business Continuity 4.31%

Employee Accountability 2.16%

Utilities – Critical Communications 0.86%

Wallace Wireless

WIC Alerter 3.45%

WIC Messenger 3.45%

WIC Responder 3.45%

Whispir Crisis Mobile 0.43%

Other Other 21.55%

In-house/Internally Developed Tool In-house/Internally Developed Tool 11.21%

Other Responses for Notification Providers: ?cast, Arcos Siren , Command Caller, Communicator, Digital Mailer - Exigent 911, Everbridge, Global AlertLink, GroupCast, Honeywell, Intercall Crisis

Connect provided by MIR3 , Live Process, Message 911, Message Media, Message One back up email., NY-ALERT, NY-ALERT (NY State's notification tool)

One Call, PIER, Part of our BC software package, PlantCML CommunicatorNXT, Cooper Statewide Alert Network (Based on Roam Secure), Premier Global

Systems, RAVE, RPX, Rallypoint, Singlewire, TALX, Tech Radium: IRIS, alarm point, an open source notification system, connected, erms through Recovery

Planner

If yes, which automated notification tool(s) do you u tilize? Select all that apply. (An assessment

of USA respondents.) - Total percent may exceed 100% due to multiple selections.


Automated Notification Providers Being Considered Next Year % of Resp

Avg Budget

3N 3n InstaCom Enterprise 58.16% $ 66,333.33

AMCOM e.Notify 26.53% $107,500.00

DCC- Dialogic Communications Corp. The Communicator! NXT 48.98% $ 68,250.00

Dell Message One AlertFind 38.78% $ 72,000.00

Emergency Communications Network, Inc.

ThunderCall 3.06% $ 15,000.00

ESi WebEOC – MIR3 interface 31.63% $ 24,333.33

MIR3 inEnterprise 58.16% $ 66,333.33

Mission Mode Emergency Notification Alert System 54.08% $ 62,166.67

PlantCML REVERSE 911 27.55% $104,000.00

Rapid Notify Emergency Notification Services 42.86% $ 68,250.00

One Call Now Emergency Notification Service 4.08% $ 17,500.00

Send Word Now SWN Alert Service 71.43% $ 37,750.00

SunGard NotiFind, powered by Varolli 69.39% $ 52,500.00

Paragon Notifications 4.08%

Twenty First Century Communications Crisis Communications Systems (CRISCOM)

33.67% $ 77,500.00

Varolii First Responder Communications 13.27% $ 15,000.00

Enterprise Business Continuity 18.37% $ 29,000.00

Wallace Wireless WIC Responder 8.16% $ 50,000.00

Other Other 9.18% $111,320.00

In-house/Internally Developed Tool In-house/Internally Developed Tool 1.02%

If not currently utilizing an automatic notification t ool, are you considering in the next year? If

yes, to the best of your ability, please indicate the budget amount being considered and which

notification tools are being considered. (An assessment of USA respondents.)


Mobile Recovery Providers % of Resp Agility 32.31%

Pandora Recovery 4.62%

RentSys 26.15%

SunGard 53.85%

Other 13.85%

Other Responses for Mobile Recovery Providers: Have our own recovery trailers domestically; In-House; Internal; Internal- Mobile Stores, Network Equipment Trailers, Generators,

Communications/Command/Control, Cell-on-Wheels, others; National Modular bank Buildings (NMBB); RentSys; Rignet; SunGard; vocera

Do you utilize a mobile recovery solution to assist with your Business Continuity Management

program initiatives under your direction and management? (An assessment of USA

respondents.)

If yes, which mobile recovery provider(s) do you utilize? Select all that apply. (An assessment of

USA respondents.) - Total percent may exceed 100% due to multiple selections.

Jim Mannion

Highlight


Mobile Recovery Providers Being Considered Next Year % of Resp

Avg Budget

Agility 74.07% $ 31,500.00

RentSys 55.56% $ 95,833.33

SunGard 44.44% $135,000.00

Other 7.41% $ 10,000.00

If not currently utilizing a mobile recovery provi der, are you considering in the next year? If

yes, to the best of your ability, please indicate the budget amount being considered and which

vendors are being considered. (An assessment of USA respondents.)

Managing Dispersed Offices

Does your existing program account for offices and/ or facilities outside your current office

location under your direction and management? (An assessment of USA respondents.)


0%

10%

20%

30%

40%

50%

60%

70%

80%

Management of Program at Non Corporate Offices by Number of Non Corporate Offices

Engage professional consulting services local to the location(s).

Engage professional consulting services not local to the location(s).

Hire consultants/ independent contractors local to the location(s).

Hire consultants/ independent contractors not local to the location(s).

Hire full-time, permanent professionals local to the location(s).

Manage program from primary corporate office with periodic travel to location(s).

Managed locally with existing resources that are not experienced in the discipline.

Place expatriate in facility location for specified time period.

Total percent will exceed 100% due to multiple selections.

Table shows a correlation between two different questions. First Question –Within your span of

direct management and control, please specify the number of office locations/ facilities accounted

for in your existing plans. Second Question – How do you manage the program at these locations?

Select all that apply. (An assessment of USA respondents.) - Total percent may exceed 100% due to multiple selections.


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Comply with regulations or laws

Contractual agreements/service-level agreements

Customer requirement

Good business sense

History of business interruption(s)

In response to audit results/recommendations

Insurance policy recommendation

Minimize future impact

Organization wants to be globally competitive and must comply with international standards.

Organization wants to be perceived to be compliant with good Corporate Governance.

Organization wants to ensure safety of their employees.

Organization wants to protect and increase its economic value.

Protect stakeholders

Protection of reputation and brand of organization.

Right thing to do

6%

18%

16%

1%

18%

6%

20%

2%

31%

7%

3%

6%

3%

1%

3%

10%

19%

18%

4%

18%

20%

27%

6%

13%

10%

7%

9%

5%

3%

5%

22%

26%

29%

21%

24%

28%

32%

15%

25%

26%

14%

21%

20%

17%

21%

32%

23%

23%

41%

27%

33%

16%

36%

21%

42%

25%

31%

36%

29%

37%

29%

14%

14%

33%

14%

13%

4%

41%

9%

16%

51%

32%

36%

50%

35%

Primary Reasons for Developing and Maintaining a Program

Low Priority 1 2 3 4 High Priority 5

Regulatory Requirement/ Standard 1 - Low priority 2 3 4

5 - High priority

Not Applicable

ASIS/BSI BCM standard 13.14% 8.00% 14.86% 11.43% 7.43% 45.14%

ASIS SPC.1-2009 - Organizational Resilience 13.10% 3.57% 11.90% 7.74% 7.14% 56.55%

Australian Business Continuity Standard AS/NZS 5050:2010 17.22% 3.31% 5.30% 1.99% 1.32% 70.86%

BS25999 Part 2 Business Continuity Management Systems 8.12% 6.09% 15.74% 18.78% 16.75% 34.52%

BS25777 15.69% 4.58% 9.15% 4.58% 1.96% 64.05%

BS 31100 (Risk Management) 16.44% 4.11% 6.85% 2.74% 1.37% 68.49%

BASEL II 16.33% 2.72% 6.80% 3.40% 2.72% 68.03%

The Business Continuity Maturity Model – Virtual Corporation 9.82% 2.45% 13.50% 9.82% 7.36% 57.06%

Circular No. G-139 -2009 (Peru) Managing business continuity 15.00% 1.43% 5.00% 0.00% 0.00% 78.57%

Reasons for Planning, Regulatory Requirements & Organizational Certification

What regulatory requirement and/ or standard do you model your Business Continuity

Management program after. Rate on a scale of 1 to 5 with 1 meaning LOW PRIORITY and 5

meaning HIGH PRIORITY. Please include Not Applicable (N/A) if the regulatory requirement

and/or standard do not apply to your organization. (An assessment of USA respondents.)

Please rate the following primary reasons for developing & maintaining a program on a scale

from 1 to 5 with 1 meaning LOW PRIORITY and 5 meaning HIGH PRIORITY. (An assessment of

USA respondents.)


COBIT 12.99% 6.49% 11.69% 9.74% 5.19% 53.90%

DRI International Professional Practices 4.67% 3.74% 13.55% 24.30% 35.51% 18.22%

External Circular 048 (Colombia) - Rules for the Operational Risk

Management 18.06% 0.69% 2.78% 0.69% 0.00% 77.78%

FFIEC 11.05% 2.91% 3.49% 6.98% 22.09% 53.49%

Good Practice Guidelines 2008 (BCI) 13.46% 5.13% 9.62% 7.69% 9.62% 54.49%

Gramm Leach Bliley Act (GLBA) 12.88% 1.23% 9.20% 6.75% 15.34% 54.60%

HB 167:2006 – Security Risk Management (Australia Standard) 17.61% 0.70% 3.52% 0.00% 0.00% 78.17%

HB 203:2006 – Environmental Risk Management (Australia

Standard) 17.61% 0.70% 2.82% 0.00% 0.00% 78.87%

HB 221:2004 (Australia Standard) 17.02% 1.42% 2.84% 0.00% 0.00% 78.72%

HB 292-2006 (Australia Standard) 17.61% 1.41% 2.82% 0.00% 0.00% 78.17%

HB 436:2004 – Risk Management (Australia Standard) 17.86% 0.71% 2.86% 0.00% 0.00% 78.57%

HIPAA 12.72% 2.31% 9.83% 10.40% 26.59% 38.15%

Hong Kong Monetary Authority 17.86% 1.43% 3.57% 0.00% 1.43% 75.71%

ISO 14001 Environmental Management 16.78% 2.80% 4.90% 2.10% 3.50% 69.93%

ISO 9000 Fundamentals and Vocabulary of Quality Systems 13.38% 2.82% 8.45% 0.70% 3.52% 71.13%

ISO 9001 Quality Management 13.99% 4.20% 9.09% 7.69% 5.59% 59.44%

ISO 27001 Information Security 10.19% 2.55% 14.65% 7.64% 11.46% 53.50%

ISO 20000 IT Service Management 15.28% 1.39% 9.03% 7.64% 2.08% 64.58%

Joint Commission (Hospitals) 17.33% 0.00% 3.33% 3.33% 6.67% 69.33%

Local Banking Superintendency Requirement 19.42% 1.44% 2.88% 0.00% 0.72% 75.54%

MS 1970 (Malaysia Standard) 18.57% 0.71% 2.86% 0.71% 0.00% 77.14%

NFPA 1600 8.59% 6.06% 14.65% 19.19% 27.27% 24.24%

NFPA 1600 (Canadian Version) 15.97% 2.08% 3.47% 2.08% 0.00% 76.39%

NYSE 446/NASD 3500 17.45% 0.67% 6.04% 2.01% 6.04% 67.79%

OSHA Compliance 11.88% 3.13% 10.63% 10.00% 20.00% 44.38%

Patriot Act 15.58% 6.49% 6.49% 5.84% 12.99% 52.60%

Prudential Standard APS 232 on BCM (Australia) 17.27% 1.44% 2.88% 0.72% 0.00% 77.70%

Prudential Standard GPS 222 on BCM (Australia) 17.02% 1.42% 2.84% 0.71% 0.00% 78.01%

Prudential Standard LPS 232 on BCM (Australia) 16.90% 1.41% 2.82% 0.70% 0.00% 78.17%

Sarbanes Oxley 9.50% 5.03% 10.61% 13.41% 21.79% 39.66%

SAS70 12.05% 5.42% 10.24% 12.65% 16.27% 43.37%

SAS70-1 14.38% 3.27% 6.54% 5.88% 13.07% 56.86%

SEC Regulations 14.38% 1.31% 10.46% 5.88% 11.76% 56.21%

SS540/TR19 (Singapore Standard) 18.31% 0.70% 3.52% 1.41% 0.70% 75.35%

Title IX 14.48% 2.07% 8.28% 3.45% 6.21% 65.52%

Other 4.39% 0.88% 2.63% 1.75% 8.77% 81.58%


Has your organization achieved certification in a standard? (An assessment of USA

respondents.)

If no, is your organization considering becoming certified in a standard? (An assessment of USA

respondents.)


BC Management’s International Benchmarking Advisory Board was instrumental in reviewing the study to ensure it focused on the topics

that are of the greatest interest to continuity professionals today. The goal was to develop a credible reporting tool that would add value

to the business continuity profession. A full listing of board members and bios is available on the complimentary BCM Compensation

Report and made available to those respondents who completed the BCM Annual Study.

A special thanks to our sponsoring organizations that assisted in translating our study. Without these organizations the study may not have

been available in Chinese, Japanese and Spanish.

Distributing Organizations

BC Management also greatly appreciates the efforts of those organizations that assisted in this global effort. The contribution of each

individual organization does not indicate an endorsement of the study findings or the activities of BC Management, Inc. A full listing of

distributing organizations is available on the complimentary BCM Compensation Report and made available to those respondents who

completed the BCM Annual Study.

If yes, please select which standard(s) your organization has achieved certification. Please

select all that apply. (An assessment of USA respondents.) - Total percent may exceed 100% due to multiple selections.

Thank you to BC Management’s International Benchmarking Advisory Board

Thank you to our sponsors and organizations that assisted with this global effort

Global Data Solutions LTD

Sponsored the Chinese translation

Risk Managers and Consultants Association

Sponsored the Japanese translation

MiaTomi

Sponsored the Spanish translation


BC Management, Inc., founded in 2000, is an executive staffing and research firm solely dedicated to the business continuity, disaster

recovery, risk management, emergency management, crisis management and information security professions. With decades of industry

expertise, our staff has a unique understanding of the challenges professionals face with hiring, benchmarking and analyzing best practices

within these niche fields.

BC Management’s Complimentary Research - BC Management has been collecting data on the factors that impact compensations and

business continuity programs since 2001. To download our current complimentary reports please visit

www.bcmanagement.com.

We Value Your Comments - Thank you for participating in our annual study. Your contribution adds value to our comprehensive reporting

and allows us the opportunity to assess industry trends. Please share any comments or suggestions on how we can improve at

[email protected].

As a result of our advancement in reporting technology with World APP Key Survey, BC Management is able to offer a true benchmarking

service exclusively for the business continuity management profession. Our benchmarking service includes a report (similar to this report)

customized to your specific filters used to drill down to the data points that compare to your compensations or program planning

initiatives. As a part of our benchmarking service, BC Management is also offering a business intelligence dashboard technology in which

you will receive all the data points (based on your filter specifications) for further independent assessment. This technology will allow your

organization to further assess the data within a flexible, intelligent, user friendly format. Obtain information on our comprehensive

Business Continuity research reporting.

COMPENSATION RESEARCH DATA: Benefits of Our Customized Compensation Benchmarking Service

Saves time and money in assessing compensations for current and future personnel. Provides a fair comparison on compensation bands based on expertise, degree, certification and geography. Assists in retaining current personnel based on compensations in the same geography and job title.

Filters Available to Customize Your Compensation Report

Employment Status – may choose from full-time permanent, part-time permanent, independent contractor and unemployed.

Geography – may choose country, state/providence, or city.

Job Title/ Position – may choose from a selection of job titles.

Discipline – may choose multiple disciplines that are managed with the program (17 to choose from).

Years of Experience – may choose from an experience band of your choice.

PROGRAM MANAGEMENT RESEARCH DATA: Benefits of Our Customized Program Management Benchmarking Service

Allows you to assess the maturity of your business continuity program focusing on industry best practices, dedicated staff, budget breakouts, reporting structure, vendor utilization, program activation and much more.

Provides assistance in presenting business case objectives to your executives to substantiate and expand your program. Prioritizes key initiatives in elevating the maturity of your programs. Assists in building a road map to advance your program and meet your goals. Makes you more efficient by eliminating the need to do research on your own. Provides an unbiased source on how your company compares to the industry; specifically other “like” organizations, which can be

Customize Your Compensation and/or Program Management Benchmarking Report

About BC Management, Inc.

http://www.bcmanagement.com/

mailto:[email protected]

http://www.bcmanagement.com/comprehensive-reports.html

http://www.bcmanagement.com/comprehensive-reports.html


used to support your recommendations.

Filters Available to Customize Your Program Management Report

Industry – may choose more than one industry. Company Revenue – may choose a revenue band of your choice. Number of Employees – may choose a selection from number of company employees. Number of Locations – may choose a selection from number of company locations in either operational and/or retail interfacing. Geographic Distribution – may choose multiple countries as well as how the company locations are dispersed (global, multi-

country, one country, regionally within one country, statewide or citywide). Disciplines within program – may choose multiple disciplines that are managed with the program (17 to choose from). Scope of program – may choose a combination of the following: global, multi-country, one country or regionally within one

country. Maturity Rating of Program – may choose on a scale of 1 to 5 with 1 being Very Immature and 5 being Very Mature (please note

this is a self rating by the study participant). Names of Organization – may choose a list of company names that have participated in our study and completed the program

management portion of the study. Please keep in mind that not all respondents indicated their company name. Many respondents kept their organizational name private. Also, not all study respondents qualified for the program management portion of the study. Only those respondents who managed a program were encouraged to participate in the second section of the study. ALL RESPONDENT CONTACT INFORMATION IS KEPT CONFIDENTIAL AND IS NEVER REVEALED!

Inquiries

For more information or to order a report please email us at [email protected] or call us at (714) 969-8006 or toll free within the

United States (888) 250-7001

Thank you

Thank you for purchasing BC Management’s Comprehensive Business Continuity Management Compensation Report. This report is not

meant for general distribution. Any distribution of this report or reference to any information enclosed within this report is prohibited

unless approved by BC Management, Inc. Direct inquiries to – [email protected]



International Business Continuity Program Management ... Management... · WorldAPP Key Survey, ......

Documents

Transcript of International Business Continuity Program Management ... Management... · WorldAPP Key Survey, ......