Continuity Insights & KPMG LLP Present The
2011-2012 Global Business Continuity Management (BCM) Program Benchmarking Study
US Headquarters Segment Report
(Final Results)
Sponsored by:
2011-2012 Global Business Continuity Management Program Benchmarking Study
©2012 Continuity Insights/KPMG LLP
2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study

Executive Summary

The complex environment in which businesses operate today creates the need for sophisticated business continuity management (BCM) programs that address a wide range of threats, including natural disasters, technology issues and manmade incidents. It is also important that these programs stay in sync with the strategic goals of the organization. The 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study is a comprehensive look at the current state of BCM programs and the drivers for further program development.

Data used in this report is based on anonymous survey responses from 685 executives in public and private companies, government agencies and authorities, educational institutions, and not-for-profit entities. Respondents come from over 40 countries, with approximately one-third working for organizations with headquarters outside the United States. The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk landscape, supply chain interdependencies, the emergence and increased usage of cloud computing, mobile applications, and social media.

Business continuity professionals should use this report to target underdeveloped capabilities within their own BCM programs. In addition to the report, readers can view the full collection of survey responses on the Continuity Insights Web site (www.continuityinsights.com).

Research Methodology

Respondents for the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, Web site, and email deployments, as well as from other professional organizations that supported the study.

The 20-minute online survey comprised 52 questions and was fielded from November 2011 through January 2012. Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses was collected for each question. KPMG business continuity professionals developed the survey questionnaire. Mint Jutras prepared the resulting tabulation and supplied analysis for select data points. For more information on the study methodology, please contact Mint Jutras at [email protected].

Requests For Benchmarking Reports & Key Contacts

If you would like to benchmark your organization by leveraging the 2011-2012 Continuity Insights and KPMG LLP Business Continuity Management (BCM) Program Benchmarking Study or custom reports, please provide the following information to Bob Nakao at [email protected]:
• Your name
• Your organization
• Your title
• Your e-mail address
• The complete study and/or custom report(s) you would like to receive: industry, type of entity, region of HQ operation, number of employees or annual revenue.

You will be provided the custom report(s), if available, generally within five (5) business days of the receipt of your request. Custom reports available by type of entity include public companies, private companies, government agencies and authorities, and not-for-profits. Custom reports for industries include education, financial services, computers/information technology/telecommunications, government, healthcare, manufacturing, professional services, and utilities.
Survey Questions
1 Does your organization use survey results to enhance and/or generate executive support for your
Business Continuity Management (BCM) Program?
2 How would you describe your organization's industry?
3 How many people are employed by your organization at all locations?
4 Which best describes your organization, type of entity, or enterprise?
5 How would you describe the geographical range of your operations?
6 Please indicate the location of your organization's global headquarters.
7 What are your company's approximate annual revenues in U.S. dollars?
8 Which best describes your primary job function?
9 How long has the BCM Program been in place at your organization?
10 What are the primary reasons for the establishment of the BCM Program at your organization?
11 Does your organization measure performance of the BCM Program?
12 How does your organization measure performance of the BCM Program?
13 What Business Continuity Standards are used by your company to support the BCM Program?
14 Has your organization incorporated capabilities to utilize social media in your current Business
Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans?
15 Does your organization have a Senior Management Advisory or Steering Committee that provides input
and assistance to the lead BCM Program Coordinator and BCM Program Coordination Team?
16 Does your organization have a designated full-time or part-time lead BCM Program Coordinator
authorized to administer and keep the BCM Program current?
17 Which best describes the job title of the lead BCM Program Coordinator?
18 Which best describes the job title of the executive sponsor for the BCM Program?
19 Which best describes the C-Level executive with ultimate reporting responsibility for your BCM
Program?
20 Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the BCM
Program in your Corporate Program Office AND in your various Business Units/Functions (including
contractors).
21 Please estimate the total budget for all staff in U.S. dollars (including contractors).
22 Please estimate the budget for the following components of your BCM Program in U.S. dollars.
23 Which of the following choices best describe how your organization's funds are allocated for BCM
Program initiatives?
24 What BCM-related software packages has your organization implemented or plans to implement in the
next year?
25 Which best describes your organization’s current BCM Program status?
26 How would you rate the maturity of your organization's BCM Program?
27 Do you agree that your organization maintains and fosters relationships with external agencies to
ensure the recovery of your organization during a disaster?
28 Do you require your mission critical 3rd party service providers to provide evidence that they have a
viable BCM Program?
29 How are 3rd party service providers (Utilities, Information Technology, or Business Process Service
Providers) integrated within your BCM Program?
30 How are key supply chain stakeholders that you rely on to deliver your products or services to market
integrated within your BCM Program?
31 How well integrated is your BCM Program with the following capabilities?
32 How often does your organization conduct Risk Assessments?
33 How often does your organization conduct a Business Impact Analysis (BIA)?
34 How much would you estimate business disruptions have cost your organization in both outlays and
internal (soft) costs in the past 12 months?
35 What would you estimate the total financial impact would be of a major disruption or outage that lasts
for 5 business days?
36 Has your organization experienced an incident or interruption in the past year that caused you to
activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans?
37 For the most recent interruption that required you to activate one or more BCM Plans, how well was
your recovery time objective met?
38 When was your company's most recent Business Continuity Plan exercise?
39 What elements of your BCM Program were utilized during your most recent exercise?
40 What external companies or agencies have been involved with your most recent BCM Program
exercise?
41 What percentage of your IT budget does your organization spend on disaster recovery capabilities?
42 What is your organization's current IT recovery strategy?
43 Which elements of your organization's current IT recovery strategy are undergoing change?
44 Is cyberterrorism included in your organization's current BCM Plans, Disaster Recovery Plans, and/or
Crisis Management Plans?
45 What percentage of your organization's application data is currently stored in the cloud?
46 When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with representatives
from other key stakeholder companies or agencies?
47 How frequently does your organization carry out full scenario testing of its Disaster Recovery Plan?
48 Please indicate which of the following are utilized by your organization, and have an IT Disaster
Recovery Plan with documented procedures and written guidelines.
49 Did your organization’s employees receive sufficient Business Continuity Management training in the
past year?
50 What was your organization’s investment in Disaster/Emergency Management and BCM training this
past year in comparison to the year before?
51 What types of ongoing BCM training are utilized by your organization?
QUESTION 1
Does your organization use survey results to enhance and/or generate executive support for your Business Continuity Management (BCM) Program?
Yes 53.86%
No 46.14%
QUESTION 2
How would you describe your organization's industry? (select all that apply)
Aerospace/Defense 1.83%
Automotive 0.30%
Biotechnology 0.81%
Chemical/Petroleum 0.30%
Communications/Media 0.91%
Computer/Information Technology Telecommunications 1.72%
Computer/Information Technology Software 3.45%
Computer/Information Technology Services 5.07%
Education 2.64%
Entertainment/Media 1.72%
Financial Services/Banking 8.11%
Financial Services/Brokerage 4.16%
Financial Services/Credit Card 3.14%
Financial Services/Credit Union 2.13%
Financial Services/Investment 6.90%
Financial Services - Mortgages 4.16%
Government/City/Municipality 0.61%
Government - County 1.42%
Government/State/Providence 1.72%
Government (Federal) 3.14%
Healthcare Medical/Hospital 2.64%
Healthcare Medical/Service Provider 2.94%
Human Resources 0.30%
Insurance 7.00%
International Non Government Organization (NGO) 0.61%
Logistics 0.71%
Manufacturing - Consumer Goods 2.43%
Manufacturing - Industrial Goods (Non-technology) 1.42%
Manufacturing - Medical Devices/Other Healthcare Products 0.71%
Not for Profit Organization 2.54%
Pharmaceuticals 0.81%
Power (Production/Transmission) 0.51%
Professional Services (Business Continuity/Operational Risk Consulting) 4.56%
Professional Services (IT/Business Process Outsourcing) 2.13%
Professional Services - Legal 0.61%
Professional Services (Other) 2.03%
Retail 1.62%
Transportation/Aviation 0.61%
Transportation/Mass Transit 0.20%
Transportation/Shipping 0.61%
Transportation - Trucking 0.71%
Utilities/Energy 2.43%
Utilities/Water 0.61%
Wholesale Distributors 0.81%
Other (please specify) 6.19%
QUESTION 3
How many people are employed by your organization at all locations? (select one)
Less than 25 7.03%
25 to 99 3.77%
100 to 499 8.92%
500 to 999 5.66%
1,000 to 4,999 20.58%
5,000 to 9,999 16.12%
10,000 to 19,999 10.29%
20,000 or more 27.62%
QUESTION 4
Which best describes your organization, type of entity, or enterprise? (select one)
Public Company 43.22%
Privately-Held Company 32.25%
Government Agency or Authority 9.61%
Education 2.57%
Not-for-Profit Organization 12.35%
QUESTION 5
How would you describe the geographical range of your operations? (select one)
Local - Single site operation in one location 9.78%
Regional - Multi-site operations in one region of one country 22.81%
National - Multi-site operations throughout the country of the organization’s operations 20.93%
Global - Multi-site operations worldwide 46.48%
QUESTION 6
Please indicate the location of your organization's global headquarters. (select one)
Australia 0.00%
Austria #DIV/0!
Bahrain 0.00%
Belgium 0.00%
Brazil 0.00%
Canada 0.00%
Chile 0.00%
China (Hong Kong and Macau) 0.00%
Columbia 0.00%
Costa Rica 0.00%
Denmark 0.00%
France 0.00%
Hungary 0.00%
India 0.00%
Israel 0.00%
Italy 0.00%
Japan 0.00%
Germany 0.00%
Malaysia 0.00%
Mexico 0.00%
The Netherlands 0.00%
New Zealand 0.00%
Poland 0.00%
Portugal 0.00%
Romania 0.00%
Saudi Arabia 0.00%
Singapore 0.00%
South Africa 0.00%
South Korea (Republic of Korea) 0.00%
Spain 0.00%
Switzerland 0.00%
Taiwan 0.00%
Turkey 0.00%
United Arab Emirates 0.00%
United Kingdom 0.00%
United States 100.00%
Venezuela 0.00%
Other (please specify) 0.00%
QUESTION 7
What are your company's approximate annual revenues in U.S. dollars? (select one) (Government agencies, please select Not Applicable)
Less than $10 million 9.95%
$10 million to $50 million 4.97%
$50 million to $100 million 1.89%
$100 million to $500 million 6.17%
$500 million to $1 billion 7.72%
$1 billion to $5 billion 16.12%
$5 billion to $10 billion 10.46%
More than $10 billion 18.52%
Not applicable 9.78%
Do not know 14.41%
QUESTION 8
Which best describes your primary job function? (select one)
Business Continuity Management or BC Coordinator in Corporate Program Office 44.64%
Business Continuity Coordinator in Business Unit/Site/Support Group 8.82%
Compliance/Internal Audit 1.21%
Crisis Management/Emergency Management 5.54%
Enterprise Risk Management 3.11%
Employee Health and Safety 1.56%
Facilities Management/Real Estate 0.87%
Finance/Accounting 0.69%
Insurance/Liability Management 0.17%
IT Disaster Recovery (IT DR) Planning 11.25%
Legal 0.52%
Security Management 4.33%
Consultant/Analyst 7.96%
Other (please specify) 9.34%
QUESTION 9
How long has the BCM Program been in place at your organization? (select one)
Less than 1 year 4.07%
1 year to 3 years 13.10%
3 years to 5 years 19.65%
5 years to 10 years 32.21%
10 years to 20 years 20.71%
More than 20 years 5.13%
Do not know 5.13%
QUESTION 10
What are the primary reasons for the establishment of the BCM Program at your organization? (select all that apply)
Address audit finding(s) 12.22%
Continuity of business operations 33.55%
Customer request or requirement 8.88%
Federal government regulations/required by law 14.57%
Reputation 15.64%
Required by law 6.47%
Unique competitive advantage 6.04%
Other (please specify) 2.63%
QUESTION 11
Does your organization measure performance of the BCM Program?
YES 62.30%
NO 37.70%
QUESTION 12
How does your organization measure performance of the BCM Program? (select all that apply)
Audit findings 13.21%
Benchmarking/comparison to industry norms 8.18%
Maturity modeling 6.25%
Metrics program (including executive reporting) 13.08%
BCM Program reviews 13.08%
Business Continuity Plan exercises 18.88%
Service level monitoring 4.19%
Review program capabilities vs. standards 7.54%
Technology recovery test results 12.76%
Cost/Benefit Analysis 2.45%
Other (please specify) 0.39%
QUESTION 13
0.57%
0.57%
0.24%
0.08%
0.08%
Austria - ONR 49000 0.00%
Austria - ONR 49001 0.08%
Austria - ONR 49002-1 0.00%
Austria - ONR 49002-2 0.00%
Austria - ONR 49002-3 0.08%
Austria - ONR 49003:2008 0.00%
0.08%
Canada - CAN/CSA-Z 731-03 0.16%
Canada - CSA Z1600-08 0.16%
China (Including Hong Kong and Macau) - Refer to International List 0.08%
Denmark - DS 3001:2009 Organisatorisk Robusthed 0.00%
Germany - Refer to International List 0.08%
India - Refer to International List 0.00%
Israel - SI 24001:2007 0.08%
Japan - Refer to International List 0.00%
Malaysia - MS1970:2007 0.16%
Netherlands - NEN 7131:2010 Organizational Resilience 0.00%
New Zealand - SAA/SNZ HB221:2004 0.00%
New Zealand - AS/NZS 5050 0.16%
New Zealand - AS/NZS 4360 0.08%
Singapore - SS 540:20-08 0.08%
Singapore - SS 507:2004 0.08%
0.08%
0.08%
Singapore - TR19:2005 0.08%
South Korea - KS A ISO/PAS 22399 0.08%
8.62%
9.36%
UK - BS25777: 2008 ICT Service Continuity 0.24%
UK - BS31100:2009 Risk Management Standard 0.33%
"UK -PD 25111 Human Aspects of BCM published 2010" 0.08%
"UK -PD 25666 Exercising BCM published 2010" 0.24%
"UK -PD 25888 Guidance on Business Recovery (Estimated Q2, 2011)" 0.24%
0.16%
"USA -ASIS SPC.1-2009" 4.31%
"USA -ASIS BCM.01-2010" 6.43%
What Business Continuity Standards are used by your company to support the BCM Program?
(select all that apply)
Brazil - NC nº06/IN01/DSIC/GSIPR – Gestão De Continuidade de Negócios
Singapore - MAS Consultation Paper on Business Continuity Planning (BCP) Guidelines (10 Jan 2003)
Singapore - MAS Guidelines on Outsourcing – Section 6.6 BCM (Oct 2004)
UK - BS25999-1 : 2006 Code of Practice for Business Continuity management
UK - BS25999-2 : 2007 Specification for Business Continuity management
Australia - AS/NZS 5050:2010 Business continuity - Managing disruption-related risk
Australia - AS/NZS ISO 31000:2010 Risk management - Principles and guidelines
Australia - AS/NZS ISO/IEC 27001:2006 : Information technology - Security
techniques
Australia - AS/NZS ISO/IEC 27002:2006 : Information technology - Security
techniques
Australia - AS 3745-2002 : Emergency control organization and procedures for
buildings, structures and workplaces
"UK -PD 25222 Guidance on Supply Chain Continuity (Estimated Q3, 2011)"
"USA -ANSI/ARMA 5-2003" 2.03%
1.71%
"USA -NERC CIP 002-009 2006" 1.38%
"USA -NIST SP 800-34" 6.35%
26.53%
1.14%
USA - NFPA 232 : Standard on Protection of Records 4.48%
3.50%
"International - ITIL v.3 (international) – IT Infrastructure Library 3.58%
"International -ISO/IEM 22300" 0.57%
1.30%
"International -ISO PAS 22399" 0.65%
"International -ISO/IEC 27031" 0.24%
3.25%
3.34%
1.87%
0.98%
0.98%
"International -ISO 31000:2009 Risk Management Standard" 2.85%
"International -COBIT – Control Objectives for information & related technology 4.1 (May 2007)
"International -ISO DIS 22301 Continuity Management System Requirements (Estimated Q2, 2012)"
"International -ISO 9000 series Management Systems Standards – Quality"
"International -ISO/IEC 27001:2005 Management Systems Standards – Information Security"
"International -ISO/IEC 27002:2005 Management Systems Standards – Information Security"
"USA -CTIA Telecommunication Industry BCM Standard and certification"
USA - NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs
USA - NFPA111: Standard on Stored Electrical Energy Emergency and Standby Power Systems
"International -ISO/IEC 24762 Management Systems Standards – Information Security"
"International -ISO/IEC 27035 Management Systems Standards – Information Security"
QUESTION 14
Has your organization incorporated capabilities to utilize social media in your current Business Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans? (select one)
Yes, included in current plans 19.82%
No, not included in current plans 57.09%
Plans are currently in development 23.09%
QUESTION 15
Does your organization have a Senior Management Advisory or Steering Committee that provides input and assistance to the lead BCM Program Coordinator and BCM Program Coordination Team? (select one)
Yes 63.82%
No 23.45%
Committee under development 9.27%
Do not know 3.45%
QUESTION 16
Does your organization have a designated full-time or part-time lead BCM Program Coordinator authorized to administer and keep the BCM Program current? (select one)
Yes, full-time 68.36%
Yes, part-time 20.55%
No 11.09%
QUESTION 17
Which best describes the job title of the lead BCM Program Coordinator? (select one)
Vice President, Business Continuity Management or Business Resilience 13.15%
Director or Manager, Business Continuity Management or Business Resilience 37.58%
Vice President, Risk Management 2.71%
Director or Manager, Risk Management 5.64%
Vice President of Information Technology 1.25%
Director or Manager of Information Technology 3.34%
CEO/President 1.88%
Chief Operating Officer 1.46%
Chief Financial Officer 0.63%
Chief Information Officer 0.84%
Chief Risk Officer 0.42%
Chief Security Officer, VP/Director 2.71%
Specific Department Director/Manager 8.14%
Other (please specify) 20.25%
QUESTION 18
Which best describes the job title of the executive sponsor for the BCM Program? (select one)
CEO/President 17.72%
Chief Operating Officer 12.91%
Chief Financial Officer 9.41%
Chief Information Officer 19.04%
Chief Risk Officer 8.10%
Chief Continuity Officer 1.09%
Emergency Management 3.50%
Vice President, Information Technology 5.47%
Other Corporate/Executive Management 22.76%
QUESTION 19
Which best describes the C-Level executive with ultimate reporting responsibility for your BCM Program? (select one)
CEO 14.87%
Chief Administrative Officer 4.46%
Chief Compliance Officer 2.04%
Chief Operating Officer 12.27%
Chief Financial Officer 12.83%
Chief Information Officer 13.38%
Chief Information Security Officer 3.35%
Chief Risk Officer 7.43%
Chief Security Officer 4.09%
Chief Technology Officer 5.58%
General Counsel 3.90%
President 3.35%
Other C-Level Executive (Please identify the corporate/executive management title): 12.45%
QUESTION 20
Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the BCM Program in your Corporate Program Office AND in your various Business Units/Functions (including contractors). Please provide an estimate for all categories listed if you have an understanding of the resources assigned for ALL of the groups noted. Otherwise, please skip this question.
Corporate BCM Program Office - 0 to 2 FTEs 22.59%
Corporate BCM Program Office - 3 to 5 FTEs 6.75%
Corporate BCM Program Office - 6 to 9 FTEs 2.90%
Corporate BCM Program Office - 10 to 20 FTEs 2.25%
Corporate BCM Program Office - More than 20 FTEs 1.16%
Various Business Units/Functions - 0 to 2 FTEs 17.57%
Various Business Units/Functions - 3 to 5 FTEs 3.70%
Various Business Units/Functions - 6 to 9 FTEs 2.40%
Various Business Units/Functions - 10 to 20 FTEs 2.32%
Various Business Units/Functions - More than 20 FTEs 4.58%
Information Technology/Disaster Recovery - 0 to 2 FTEs 18.59%
Information Technology/Disaster Recovery - 3 to 5 FTEs 6.39%
Information Technology/Disaster Recovery - 6 to 9 FTEs 3.05%
Information Technology/Disaster Recovery - 10 to 20 FTEs 2.25%
Information Technology/Disaster Recovery - More than 20 FTEs 3.49%
QUESTION 21
Please estimate the total budget for all staff in U.S. dollars (including contractors). Please provide an estimate for all categories listed if you have an understanding of the approximate budgets for ALL of the resources listed. Otherwise, please skip this question.
Corporate BCM Program Office - Less than $250,000 23.61%
Corporate BCM Program Office - $250,000 to $500,000 6.05%
Corporate BCM Program Office - $500,000 to $1 million 3.74%
Corporate BCM Program Office - $1 million to $5 million 2.30%
Corporate BCM Program Office - $5 million to $10 million 0.10%
Corporate BCM Program Office - $10 million to $50 million 0.58%
Corporate BCM Program Office - More than $50 million 0.10%
Various Business Units/Functions - Less than $250,000 22.36%
Various Business Units/Functions - $250,000 to $500,000 3.65%
Various Business Units/Functions - $500,000 to $1 million 2.30%
Various Business Units/Functions - $1 million to $5 million 1.06%
Various Business Units/Functions - $5 million to $10 million 0.38%
Various Business Units/Functions - $10 million to $50 million 0.10%
Various Business Units/Functions - More than $50 million 0.19%
Information Technology/Disaster Recovery - Less than $250,000 17.27%
Information Technology/Disaster Recovery - $250,000 to $500,000 4.61%
Information Technology/Disaster Recovery - $500,000 to $1 million 5.18%
Information Technology/Disaster Recovery - $1 million to $5 million 4.51%
Information Technology/Disaster Recovery - $5 million to $10 million 1.15%
Information Technology/Disaster Recovery - $10 million to $50 million 0.48%
Information Technology/Disaster Recovery - More than $50 million 0.29%
QUESTION 22
14.55%
1.03%
0.84%
0.20%
0.10%
0.00%
0.05%
13.86%
1.43%
0.84%
0.44%
0.20%
0.00%
0.05%
12.73%
1.38%
0.98%
0.34%
0.25%
0.05%
0.10%
7.86%
2.95%
BCM Program Third-Party Consultants (include program assessments, improving
capabilities, etc.) - $500,000 to $1 million
BCM Program Third-Party Consultants (include program assessments, improving
capabilities, etc.) - $1 million to $5 million
BCM Program Third-Party Consultants (include program assessments, improving
capabilities, etc.) - $5 million to $10 million
BCM Program Third-Party Consultants (include program assessments, improving
capabilities, etc.) - $10 million to $50 million
BCM Program Third-Party Consultants (include program assessments, improving
capabilities, etc.) - More than $50 million
Please estimate the budget for the following components of your BCM Program in U.S. dollars.
Please provide an estimate for all categories listed if you have an understanding of the
approximate budgets for ALL of the capabilities listed. Otherwise, please skip this question.
BCM Program Third-Party Consultants (include program assessments, improving
capabilities, etc.) - Less than $250,000
BCM Program Third-Party Consultants (include program assessments, improving
capabilities, etc.) - $250,000 to $500,000
BCM Software/Hardware (include plan-related document repository and
emergency notification solutions) - $10 million to $50 million
BCM Software/Hardware (include plan-related document repository and
emergency notification solutions) - More than $50 million
Work Area Recovery (include site costs, 3rd party service providers, etc.) - Less than
$250,000
Work Area Recovery (include site costs, 3rd party service providers, etc.) - $250,000
to $500,000
Work Area Recovery (include site costs, 3rd party service providers, etc.) - $500,000
to $1 million
BCM Software/Hardware (include plan-related document repository and
emergency notification solutions) - Less than $250,000
BCM Software/Hardware (include plan-related document repository and
emergency notification solutions) - $250,000 to $500,000
BCM Software/Hardware (include plan-related document repository and
emergency notification solutions) - $500,000 to $1 million
BCM Software/Hardware (include plan-related document repository and
emergency notification solutions) - $1 million to $5 million
BCM Software/Hardware (include plan-related document repository and
emergency notification solutions) - $5 million to $10 million
IT Disaster Recovery Costs (include hardware, software, internal recovery
capabilities, 3rd party service provider fees, etc.) - $250,000 to $500,000
Work Area Recovery (include site costs, 3rd party service providers, etc.) - $1
million to $5 million
Work Area Recovery (include site costs, 3rd party service providers, etc.) - $5
million to $10 million
Work Area Recovery (include site costs, 3rd party service providers, etc.) - $10
million to $50 million
Work Area Recovery (include site costs, 3rd party service providers, etc.) - More
than $50 million
IT Disaster Recovery Costs (include hardware, software, internal recovery
capabilities, 3rd party service provider fees, etc.) - Less than $250,000
2.06%
2.56%
0.69%
0.44%
0.15%
15.28%
0.88%
0.49%
0.10%
0.10%
0.00%
0.05%
14.55%
1.43%
0.54%
0.29%
0.10%
0.05%
IT Disaster Recovery Costs (include hardware, software, internal recovery
capabilities, 3rd party service provider fees, etc.) - $500,000 to $1 million
IT Disaster Recovery Costs (include hardware, software, internal recovery
capabilities, 3rd party service provider fees, etc.) - $1 million to $5 million
IT Disaster Recovery Costs (include hardware, software, internal recovery
capabilities, 3rd party service provider fees, etc.) - $5 million to $10 million
IT Disaster Recovery Costs (include hardware, software, internal recovery
capabilities, 3rd party service provider fees, etc.) - $10 million to $50 million
Training and Awareness Programs (include internal/external training, registration
fees, travel and living expenses for conference attendance, etc.) - $5 million to $10
million
Training and Awareness Programs (include internal/external training, registration
fees, travel and living expenses for conference attendance, etc.) - $10 million to $50
million
Training and Awareness Programs (include internal/external training, registration
fees, travel and living expenses for conference attendance, etc.) - More than $50
million
BCM Program Exercises (include planning, conducting exercises, 3rd-party
participation, travel and living expenses, etc.) - Less than $250,000
BCM Program Exercises (include planning, conducting exercises, 3rd-party
participation, travel and living expenses, etc.) - $250,000 to $500,000
IT Disaster Recovery Costs (include hardware, software, internal recovery
capabilities, 3rd party service provider fees, etc.) - More than $50 million
Training and Awareness Programs (include internal/external training, registration
fees, travel and living expenses for conference attendance, etc.) - Less than
$250,000
Training and Awareness Programs (include internal/external training, registration
fees, travel and living expenses for conference attendance, etc.) - $250,000 to
$500,000
Training and Awareness Programs (include internal/external training, registration
fees, travel and living expenses for conference attendance, etc.) - $500,000 to $1
million
Training and Awareness Programs (include internal/external training, registration
fees, travel and living expenses for conference attendance, etc.) - $1 million to $5
million
BCM Program Exercises (include planning, conducting exercises, 3rd-party
participation, travel and living expenses, etc.) - $500,000 to $1 million
BCM Program Exercises (include planning, conducting exercises, 3rd-party
participation, travel and living expenses, etc.) - $1 million to $5 million
BCM Program Exercises (include planning, conducting exercises, 3rd-party
participation, travel and living expenses, etc.) - $5 million to $10 million
BCM Program Exercises (include planning, conducting exercises, 3rd-party
participation, travel and living expenses, etc.) - $10 million to $50 million
US Headquarters ©2012 Continuity Insights/KPMG LLP 10
2011-2012 Global Business Continuity Management Program Benchmarking Study
BCM Program Exercises (include planning, conducting exercises, 3rd-party
participation, travel and living expenses, etc.) - More than $50 million 0.05%
QUESTION 23
Which of the following choices best describe how your organization's funds are allocated for BCM
Program initiatives? (select one)
Do not know 23.72%
On a case-by-case basis based on individual needs 27.55%
As an individual line item in each functional budget 13.69%
On a hybrid chargeback basis with a base fee plus additional usage charges 3.28%
As a percentage of the IT budget 10.95%
As a percentage of the risk management budget 6.75%
As a percentage of the individual functional budget 6.75%
Other, please briefly describe how funds are allocated (BCM Funding): 7.30%
QUESTION 24
What BCM-related software packages has your organization implemented or plans to implement
in the next year? (select all that apply)
Business Continuity Management software 22.45%
Business Impact Analysis software 11.14%
Change Management software 5.83%
Emergency Notification software 24.02%
Enterprise Governance Risk and Compliance software 5.05%
Risk Assessment software 5.40%
Microsoft© Office Tools (i.e., Word, Excel, etc.) 19.76%
Other (please specify) 6.35%
QUESTION 25
Which best describes your organization’s current BCM Program status? (select one)
We are currently in the process of establishing a BCM Program, defining program
governance, scope, objectives, budgeting, and format for plans. 8.54%
We are currently in the assessment phase (i.e., Risk Assessment, Business Impact
Analysis, Strategy Selection, etc.) for the first time in the program’s lifecycle. 5.63%
We are currently developing BCM Plans, Crisis Management Plans, and Disaster
Recovery Plans. 18.83%
We have a BCM Policy, Senior Management Steering or Advisory Committee,
Business Continuity, Crisis Management, and Disaster Recovery Plans in place and
have developed a process for updating those plans on a regular basis to reflect
changes in the business and lessons learned from exercises, tests, or real events. 60.19%
Other (please describe) 6.80%
QUESTION 26
How would you rate the maturity of your organization's BCM Program? (select one)
Level 1 (Self Governed) – The state of preparedness is generally low across the
organization. 11.46%
Level 2 (Supported Self Governed) – Senior Management may see value in a BCM
Program but they are unwilling to make it a priority at this time. 12.62%
Level 3 (Centrally Governed) – A BCM Program Office or Department has been
established which centrally delivers BCM Program governance and support services
to the business units and other departments within the organization. 27.18%
Level 4 (Enterprise Awakening) – Senior management understands and is
committed to the strategic importance of an effective BCM Program. All business
continuity plans are updated routinely. 22.91%
Level 5 (Planned Growth) – A multi-year plan has been adopted to
“continuously raise the bar” for planning sophistication and enterprise wide state of
preparedness. 17.86%
Level 6 (Synergistic) – Cross-functional coordination has led participants to develop
and successfully test upstream and downstream integration of their business 7.96%
QUESTION 27
Do you agree that your organization maintains and fosters relationships with external agencies to
ensure the recovery of your organization during a disaster? (select one)
Strongly Disagree 7.06%
Disagree 7.65%
Neutral 26.67%
Agree 43.92%
Strongly Agree 14.71%
QUESTION 28
Do you require your mission critical 3rd party service providers to provide evidence that they have
a viable BCM Program?
Yes 63.14%
No 36.86%
QUESTION 29
How are 3rd party service providers (Utilities, Information Technology, or Business Process
Service Providers) integrated within your BCM Program? (select one)
Not integrated/not applicable 18.24%
In the process of being integrated 20.20%
Integrated for certain mission critical 3rd party service providers 40.00%
Integrated for all mission critical 3rd party service providers 17.45%
Integrated for all 3rd party service providers 4.12%
QUESTION 30
How are key supply chain stakeholders that you rely on to deliver your products or services to
market integrated within your BCM Program? (select one)
Not integrated/not applicable 29.02%
In the process of being integrated 24.12%
Integrated for certain supply chain stakeholders 41.57%
Integrated for all supply chain stakeholders 5.29%
QUESTION 31
How well integrated is your BCM Program with the following capabilities? (select a response for
each category listed)
Compliance/Audit - Completely Integrated 17.43%
Compliance/Audit - Well Integrated 30.26%
Compliance/Audit - Somewhat Integrated 34.67%
Compliance/Audit - Not at all Integrated 11.42%
Compliance/Audit - Not Applicable 6.21%
Corporate Security - Completely Integrated 21.24%
Corporate Security - Well Integrated 34.47%
Corporate Security - Somewhat Integrated 31.06%
Corporate Security - Not at all Integrated 9.02%
Corporate Security - Not Applicable 4.21%
Crisis Management - Completely Integrated 30.06%
Crisis Management - Well Integrated 35.67%
Crisis Management - Somewhat Integrated 26.25%
Crisis Management - Not at all Integrated 4.61%
Crisis Management - Not Applicable 3.41%
Employee Health and Safety - Completely Integrated 18.24%
Employee Health and Safety - Well Integrated 34.47%
Employee Health and Safety - Somewhat Integrated 34.07%
Employee Health and Safety - Not at all Integrated 8.82%
Employee Health and Safety - Not Applicable 4.41%
Enterprise Risk Management - Completely Integrated 15.63%
Enterprise Risk Management - Well Integrated 34.07%
Enterprise Risk Management - Somewhat Integrated 32.46%
Enterprise Risk Management - Not at all Integrated 10.82%
Enterprise Risk Management - Not Applicable 7.01%
Facilities/Real Estate Management - Completely Integrated 15.03%
Facilities/Real Estate Management - Well Integrated 37.68%
Facilities/Real Estate Management - Somewhat Integrated 32.87%
Facilities/Real Estate Management - Not at all Integrated 10.42%
Facilities/Real Estate Management - Not Applicable 4.01%
Information Technology Management - Completely Integrated 27.45%
Information Technology Management - Well Integrated 44.89%
Information Technology Management - Somewhat Integrated 22.04%
Information Technology Management - Not at all Integrated 3.41%
Information Technology Management - Not Applicable 2.20%
Information Security Management - Completely Integrated 22.24%
Information Security Management - Well Integrated 37.47%
Information Security Management - Somewhat Integrated 29.46%
Information Security Management - Not at all Integrated 8.82%
Information Security Management - Not Applicable 2.00%
Strategic Sourcing/Procurement - Completely Integrated 8.42%
Strategic Sourcing/Procurement - Well Integrated 24.05%
Strategic Sourcing/Procurement - Somewhat Integrated 38.88%
Strategic Sourcing/Procurement - Not at all Integrated 20.84%
Strategic Sourcing/Procurement - Not Applicable 7.82%
Strategic Planning - Completely Integrated 10.42%
Strategic Planning - Well Integrated 22.24%
Strategic Planning - Somewhat Integrated 36.47%
Strategic Planning - Not at all Integrated 24.65%
Strategic Planning - Not Applicable 6.21%
Relationships with 3rd Party Service Providers - Completely Integrated 6.81%
Relationships with 3rd Party Service Providers - Well Integrated 24.65%
Relationships with 3rd Party Service Providers - Somewhat Integrated 47.29%
Relationships with 3rd Party Service Providers - Not at all Integrated 16.03%
Relationships with 3rd Party Service Providers - Not Applicable 5.21%
Relationships with Public Authorities - Completely Integrated 11.22%
Relationships with Public Authorities - Well Integrated 26.05%
Relationships with Public Authorities - Somewhat Integrated 39.68%
Relationships with Public Authorities - Not at all Integrated 17.43%
Relationships with Public Authorities - Not Applicable 5.61%
Management of Insurance Coverage - Completely Integrated 13.03%
Management of Insurance Coverage - Well Integrated 26.25%
Management of Insurance Coverage - Somewhat Integrated 37.47%
Management of Insurance Coverage - Not at all Integrated 14.23%
Management of Insurance Coverage - Not Applicable 9.02%
QUESTION 32
How often does your organization conduct Risk Assessments? (select one)
In response to business changes 19.39%
Semi-annually 7.88%
Annually 41.41%
Every two years 7.68%
Every three years 6.67%
Never 7.68%
Other (please specify) 9.29%
QUESTION 33
How often does your organization conduct a Business Impact Analysis (BIA)? (select one)
In response to business changes 20.40%
Semi-annually 2.42%
Annually 32.32%
Every two years 16.57%
Every three years 8.08%
Never 8.89%
Other (please specify) 11.31%
QUESTION 34
How much would you estimate business disruptions have cost your organization in both outlays
and internal (soft) costs in the past 12 months? (in U.S. dollars) (Include estimated costs of
delayed/cancelled product and service revenues from existing offers, new products and services
delayed/cancelled, lifetime cost of lost customers, and erosion/loss of brand value.)
Do not know 48.08%
Less than $25,000 21.21%
$25,000 to $50,000 4.85%
$50,000 to $100,000 4.65%
$100,000 to $250,000 7.27%
$250,000 to $500,000 5.45%
$500,000 to $1 million 3.84%
$1 million to $5 million 2.02%
More than $5 million 2.63%
QUESTION 35
What would you estimate the total financial impact would be of a major disruption or outage that
lasts for 5 business days? (In U.S. dollars) (Include estimated costs of delayed/cancelled product
and service revenues from existing offers, new products and services delayed/cancelled, lifetime
cost of lost customers, and erosion/loss of brand value.)
Do not know 39.19%
Less than $25,000 4.85%
$25,000 to $50,000 2.83%
$50,000 to $100,000 1.82%
$100,000 to $250,000 3.84%
$250,000 to $500,000 7.07%
$500,000 to $1 million 9.29%
$1 million to $5 million 13.13%
More than $5 million 17.98%
QUESTION 36
Has your organization experienced an incident or interruption in the past year that caused you to
activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans?
(select yes/no for each type of incident/interruption)
Civil Unrest - Yes 17.35%
Civil Unrest - No 82.65%
Earthquake - Yes 30.61%
Earthquake - No 69.39%
Fire - Yes 18.69%
Fire - No 81.31%
Flood - Yes 33.61%
Flood - No 66.39%
Indirectly Due to Supplier Issues or High Profile Neighbor - Yes 13.06%
Indirectly Due to Supplier Issues or High Profile Neighbor - No 86.94%
IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus,
Security, etc. - Yes 29.65%
IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus,
Security, etc. - No 70.35%
IT Related - Hardware/Software in Production - Yes 28.51%
IT Related - Hardware/Software in Production - No 71.49%
IT Related - Telecommunications (i.e., Voice, Data, Converged) - Yes 29.53%
IT Related - Telecommunications (i.e., Voice, Data, Converged) - No 70.47%
IT Related - Upgrade/Scheduled Outage - Yes 25.10%
IT Related - Upgrade/Scheduled Outage - No 74.90%
Power - Yes 46.84%
Power - No 53.16%
Privacy - Yes 7.79%
Privacy - No 92.21%
Severe Weather (i.e., Hurricane, Tornado, Winter Weather) - Yes 58.57%
Severe Weather (i.e., Hurricane, Tornado, Winter Weather) - No 41.43%
Terrorist Attack - Yes 5.11%
Terrorist Attack - No 94.89%
Theft - Yes 8.59%
Theft - No 91.41%
Other - Yes 6.18%
Other - No 93.82%
If you selected "Other," please specify: 4.90%
QUESTION 37
For the most recent interruption that required you to activate one or more BCM Plans, how well
was your recovery time objective met? (select one)
Completely 31.16%
Mostly 28.72%
Somewhat 11.61%
Not at all 2.24%
Not applicable 20.16%
Do not know 6.11%
QUESTION 38
When was your company's most recent Business Continuity Plan exercise? (select one)
Within the past 6 months 61.63%
Within the past year 23.27%
Within the past 2 years 5.31%
We do not exercise our plans 9.80%
QUESTION 39
What elements of your BCM Program were utilized during your most recent exercise? (select all
that apply)
Call Tree/Notification Process 25.25%
Integrated people, process, and technology exercise for one or more processes 23.75%
Entire site-specific business and technology recovery exercise 10.92%
Alternate site (work area recovery) exercise 16.50%
Mock crisis/emergency management exercise 18.92%
None/Not applicable 4.67%
QUESTION 40
What external companies or agencies have been involved with your most recent BCM Program
exercise? (select all that apply)
Public Sector Agencies 17.94%
Supply Chain Partners 7.99%
3rd Party Service Providers 27.18%
None/Not Applicable 46.89%
QUESTION 41
What percentage of your IT budget does your organization spend on disaster recovery
capabilities? (select one)
< 1% 11.59%
1% to 2% 13.46%
3% to 4% 10.97%
5% to 10% 9.11%
More than 10% 2.90%
Do not know 51.97%
QUESTION 42
What is your organization's current IT recovery strategy? (select all that apply)
Internal – Hardware and Software Solution 32.54%
External – Hardware and Software Solution 15.68%
Combination/Hybrid of Internal and External Solutions 35.50%
Move certain capabilities to a Public Cloud Vendor 4.59%
Move certain capabilities to a Private Cloud Solution 8.43%
Other (please specify) 3.25%
QUESTION 43
Which elements of your organization's current IT recovery strategy are undergoing change?
(select all that apply)
Internal – Hardware and Software Solution 30.12%
External – Hardware and Software Solution 17.00%
Combination/Hybrid of Internal and External Solutions 24.06%
Move certain capabilities to a Public Cloud Vendor 6.34%
Move certain capabilities to a Private Cloud Solution 15.13%
Other (please specify) 7.35%
QUESTION 44
Is cyberterrorism included in your organization's current BCM Plans, Disaster Recovery Plans,
Yes, included in current plans 43.48%
No, not included in current plans 34.58%
No, but plans to include are in development 21.95%
QUESTION 45
What percentage of your organization's application data is currently stored in the cloud? (select
one)
Do not know 43.27%
None 34.58%
< 10% 13.25%
Between 10% - 24% 3.93%
Between 25% – 49% 2.90%
Between 50% - 75% 1.04%
>75% 0.62%
All 0.41%
QUESTION 46
When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with
representatives from other key stakeholder companies or agencies? (e.g., supply chain partners,
service providers, public sector agencies) (select one)
Never 22.57%
In the past six months 33.13%
Within the last year 19.46%
Within the last two years 3.52%
More than two years ago 3.31%
Do not know 18.01%
QUESTION 47
How frequently does your organization carry out full scenario testing of its Disaster Recovery
Plan? (select one)
Do not know 12.22%
Never 24.02%
In response to business changes 4.97%
Semi-annually 9.11%
Annually 37.89%
Every two years 6.00%
Every three years 1.24%
Other (please specify) 4.55%
QUESTION 48
Please indicate which of the following are utilized by your organization, and have an IT Disaster
Recovery Plan with documented procedures and written guidelines. (please provide a response
for each category)
Cloud Applications - Utilize - HAVE an IT Disaster Recovery Plan 30.02%
Cloud Applications - Utilize - DO NOT have an IT Disaster Recovery Plan 15.73%
Cloud Applications - Do Not Utilize 54.24%
Mobile Applications - Utilize - HAVE an IT Disaster Recovery Plan 43.48%
Mobile Applications - Utilize - DO NOT have an IT Disaster Recovery Plan 23.81%
Mobile Applications - Do Not Utilize 32.71%
Social Media - Utilize - HAVE an IT Disaster Recovery Plan 19.46%
Social Media - Utilize - DO NOT have an IT Disaster Recovery Plan 25.67%
Social Media - Do Not Utilize 54.87%
QUESTION 49
Did your organization’s employees receive sufficient Business Continuity Management training in
the past year?
YES 53.22%
NO 46.78%
100.00%
QUESTION 50
What was your organization’s investment in Disaster/Emergency Management and BCM training
this past year in comparison to the year before? (select one)
We spent significantly more money in 2011 than in 2010 17.26%
We spent approximately the same amount of money in 2011 as in 2010 65.70%
We spent less money in 2011 than we did in 2010 17.05%
QUESTION 51
What types of ongoing BCM training are utilized by your organization? (select all that apply)
Attend industry conferences 21.77%
Attend association meetings 21.58%
Attend continuing education courses at colleges/universities 7.64%
Internal company training 19.40%
Training provided by third-party companies 8.73%
Pursue professional certification courses 14.90%
Undergraduate degree program 1.67%
Graduate degree program 2.12%
Other (please specify) 2.18%