How Organizations Are Effectively Leveraging BCM Benchmarking Data October 7, 2014


Study Methodology

• Respondents for the study were obtained from the Continuity Insights subscriber base by way of its publications, Website and email deployments, as well as from other professional organizations that supported the study.

• The online survey was comprised of 56 questions and was fielded from January 2014 to February 2014.

• Data was collected from 434 respondents, of which 305 respondents completed the entire survey.

• The study questions were developed by Robbie Atabaigi, Manager, KPMG LLP and Marty Plevel, Director, KPMG LLP.

• Tri-Media Group prepared the resulting tabulation and supplied analysis for selected data points.

• As in previous years, a major focus of the study is BCM program integration with other disciplines and third parties. This year we focused on the impact a Steering Committee has on a BCM program.

• In order to tease out the most compelling — and more subtle — results from the study, a panel of subject-matter professionals reviewed and commented on the raw data collected.


Acknowledgements

Continuity Insights and KPMG LLP would like to acknowledge the following organizations for their contribution in helping raise the awareness and the value of the 2013 – 2014 Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study.

• Association of Contingency Planners (ACP)
• Association of Sacramento Area Planners (ASAP)
• BC Management
• USA Chapter of the Business Continuity Institute (BCI-USA)
• Business Continuity Institute (BCI) (International Headquarters in the U.K.)
• Business and Industry Council for Emergency Planning and Preparedness (BICEPP)
• Business Resumption Planning Association (BRPA)
• Canadian Security Partners’ Forum
• Contingency Planners of Ohio (CPO)
• Contingency Planning Exchange (CPE)
• Continuity Central
• Continuity Planning Association of the Carolinas (CPAC)
• Disaster Recovery Journal (DRJ)
• Disaster Resource Guide
• Forbes Calamity Prevention (Singapore/Asia)
• Global Conference on Disaster Management
• Mid Atlantic Disaster Recovery Association (MADRA)
• New England Disaster Recovery Information Exchange (NEDRIX)
• Risk & Insurance Management Society (RIMS)
• DRI International
• Rothstein Business Survival
• Southeastern Business Recovery Exchange (SEBRE)
• Southeast Continuity Planners Association (SCPA)

In addition, we would like to acknowledge the subject matter professionals that reviewed the survey results and provided their point of view for use in this presentation, the study report and the companion article.


Key Takeaways

• Establishment of a Senior Management Advisory or Steering Committee and focused resources from the organization’s Program Management Office are critical considerations in driving program capabilities and effectiveness.

• Regulatory compliance moved up from the third most frequently provided response to the second most frequently provided response, replacing reputation as the second most frequent response to the question “What are the primary reasons your organization has established a BCM Program?”

• There is a significant difference in the number of organizations that measure program performance, achieve recovery time objectives, complete a Business Impact Analysis, Risk Analysis and other program related work streams where a steering committee is in place.


Panelists

Our three panelists will discuss how the study results can be used to improve BCM programs, the steps required to implement these improvements, lessons learned during the benchmarking process, and how they leveraged the results with leadership and other stakeholders.

Moderator and Panelists:

Ken Otis
Director, Business Continuity Management
CVS Caremark

Tim Mathews
Executive Director, Enterprise Resiliency
ETS

Robbie Atabaigi
Information Protection & Business Resilience
KPMG

Doug Weldon
President
BCI (Business Continuity Institute)


BCI – Doug Weldon

The Business Continuity Institute (www.theBCI.org) –

• Established in 1994, the BCI has established itself as the most preeminent global membership and certifying organization for business continuity professionals with over 8,000 members and 90 partners in more than 100 countries worldwide.

• The BCI seeks to promote and facilitate the adoption of good business continuity practice worldwide by:

  • Raising standards in business continuity
  • Undertaking industry research
  • Driving thought leadership in business continuity
  • Facilitating the sharing of best practice in business continuity
  • Training and certifying BC professionals
  • Raising the value of the BC profession
  • Developing the business case for business continuity.


Benchmarking

Doug Weldon

Benchmarking Considerations:

• The value of benchmarking in identifying trends and best practices cannot be over-emphasized. That said, a benchmark must be driven by frequently and statistically justified data collection techniques and expert analysis.

• The rise of compliance as a BCM driver is not surprising, and more emphasis on compliance is ahead. Compliance applies to all stakeholders.

• Cyber security, as the most important threat of our time, will change the way we manage BC and Risk as a whole.

• Which came first, an effective Steering Committee driven BCM Program or strong top-down senior leadership support?


ETS – Tim Mathews

ETS is devoted to Fair, Accurate and Meaningful Products and Services – from Research to Delivery

• Since 1947 serving Teachers, Employers, Policymakers and Learners at all levels

• Today nonprofit ETS develops, administers and scores more than 60 million tests annually in more than 180 countries at over 9,000 locations worldwide

• ETS is advancing the field of Measurement through Experience, Expertise and Excellence with more than 6,000 employees (850 with advanced degrees and 310 with doctorates)

• Products and services include: GRE, the Praxis Series, TOEFL and TOEIC - for more information visit www.ets.org


Growing Technology Risks: Cloud, Cyber and xAAS

Tim Mathews

• Business units and IT are embracing the Cloud. BCM programs need to understand this technology, the risks and the potential impacts to build appropriate strategies and plans
  • Before going to the cloud, develop an exit strategy

• Cyber breaches can do real damage to trusted brands (consider JPMorgan Chase, Home Depot and Target)
  • Crisis management planning should include Cyber risks and response

• More and more risk is being “pushed” out to the supply chain and 3rd parties.
  • Add supply chain resilience audits and reporting to BCM


BCM Program Measurement and Certification

Tim Mathews

• Audit findings and exercise/test results continue to be the measures of choice for most BCMs
  • Consider measuring BCM program impact on new and retained business

• BIA and Risk Assessments continue on a 1-3 year cycle
  • Consider moving to a “perpetual” review model that leverages change management and budget processes

• ISO 22301 has been identified as the standard supporting most BCM programs
  • Incremental cost of certification is relatively low for mature BCM programs


CVS – Ken Otis

• CVS Health’s Purpose: “Helping people on their path to better health”

• Headquartered in Woonsocket, RI

• More than 200,000 employees in 46 states, DC and Puerto Rico

• Through our 7,700 retail pharmacies, more than 900 walk-in medical clinics, a leading pharmacy benefits manager with more than 65 million plan members, and expanding specialty pharmacy services, we enable people, businesses and communities to manage health in more affordable, effective ways.

• Largest pharmacy health care provider in the U.S.


BCM Steering Committee

Kenneth Otis

Survey Question: “Does your organization have a Senior Management Advisory or Steering Committee that provides input and assistance to the BCM Program Coordinator and Team in the preparation, implementation, evaluation and revision of the program?”

Results: 71% said Yes, up from 65% in the 2011-2012 survey

Building a BCM Steering Committee

• Identify an executive sponsor; someone with reach to the CEO
• Membership should include senior management from varying business units
  • Members should be known and visibly support the BCM Program
• Establish a charter:
  • Mission, Purpose, Scope, Objectives & Responsibilities
  • Discuss the charter with membership before making it final


BCM Steering Committee

Kenneth Otis

Once in Place

• Committee should draft the BCM policy
  • BCM senior manager to facilitate the effort
  • Update the policy over time, as the program matures
• Committee should support the implementation of your BCM program
• Provide quarterly status updates of the BCM program
  • BIAs completed
  • Percentage of plan updates
  • Test results
• Review exercises or plan activations
  • Highlight and share lessons learned
  • Track action items to completion
• Evaluate membership, annually
  • Changes to business operations
  • Participation in meetings


In Summary . . .

• Thank you for your participation in today’s session.

• The quotes in this presentation were provided to Continuity Insights by business continuity practitioners for use in this presentation, the companion report and the article published by Continuity Insights.

• Reprints of the article are available at www.continuityinsights.com

• Complete study results and custom reports that have been published are available upon request.

• For more information, contact Robbie Atabaigi at [email protected] or Bob Nakao at [email protected].

Available custom reports based on type of entity, revenue, number of employees and various industries:

■ Annual revenue

■ Entity type (public companies, private companies, government agencies or authorities, and not for profits)

■ Governance (Entities with an Advisory Steering Committee, Entities with no Advisory Steering Committee)

■ Industries (Computers/IT hardware/software and services, Financial Services, Government, Healthcare, Manufacturing, Professional Services, and Utilities)

■ Number of employees


Contacts

Moderator and Panelists:

Ken Otis
Director, Business Continuity Management
CVS
[email protected]

Tim Mathews
Executive Director, Enterprise Resiliency
[email protected]

Robbie Atabaigi
Manager, Information Protection & Business Resilience
KPMG
[email protected]

Doug Weldon
President
BCI (Business Continuity Institute)
[email protected]