According to a new survey report released today by Continuity Insights and sponsored by KPMG LLP, the U.S. audit, tax and advisory firm, there are varied levels of business continuity management (BCM) program maturity across organizations as well as significant opportunities for improvement through more effective governance and deeper integration with other disciplines.
The 2013-2014 Continuity Insights and KPMG LLP Global Business Continuity Management Program Benchmarking Study, which surveyed 434 executives from over 22 countries, is a comprehensive analysis of the current state of BCM programs and the drivers for further program development. The 2013-2014 survey revealed that organizations have increased oversight of BCM activities with only 71% of respondents indicating they have a senior management advisory or steering committee in place, up from 65% in the 2011-2012 survey. While that is an improvement from the past study, approximately 30% of the respondents indicated that no such governance capability is currently in place in their organization.
“Having a formal oversight function, like a steering committee, that is visible and provides guidance in the development and maturity of the BCM Program, is a key success factor for organizations that get BCM right,” said Tony Buffomante, Principal, Information Protection and Business Resilience, KPMG. “More frequently than ever before, organizations are experiencing incidents or interruptions that require activation of one or more business continuity plans, particularly around IT or cyber security, social media and data privacy, requiring they remain vigilant in the development, maintenance and monitoring of their business continuity programs”.
The survey showed there is a significantly higher level of BCM Program integration with key functional organizations, third parties and public authorities where a steering committee is in place. The survey revealed that those with this oversight in place reported higher success rates in a number of BCM facets, including an increase in conducting periodic Business Impact Analysis (BIAs), achieving recovery time objectives, an increased rate of adopting global standards such as ISO 22301 and a noticeable rise in addressing cyber security in their BCM programs and related plans.
The study captured program development and performance data, including the various methods and frequency of measuring program performance, the financial impacts of adverse events, BCM leadership structures, budgets, headcounts, technology deployment, plan exercises and training.
Despite a rise in cyber-related threats, 36% of organizations reported that they do not address cyber terrorism in their BCM program and related plans. Study results revealed that organizations with steering committees are more likely to include cyber terrorism in their BCM program and related plans - 46 percent of those respondents versus 32 percent for those without steering committees.
“Cyber threats are a concern for many respondents, but more than a third still do not include them in planning,” said Mike Janko, Manager, Global Business Continuity, The Goodyear Tire & Rubber Co. “Since cyber threats are reported by government officials as a top threat in 2014, those who choose not to include them in their strategy will need to be prepared to defend themselves if there is a loss of intellectual property, privacy issues and other related incidents.”
The research also found:
- 42% of organizations now report using International ISO 22301 to support their BCM program.
- Only 16% of organizations reported a high level of integration with all mission-critical third-party service providers.
- A significant increase in the number of organizations that experienced an incident or interruption in the past year that caused them to activate one or more business continuity plans, crisis management plans or IT disaster recovery plans for: Weather related incidents (59% vs. 50% in prior study); Power related outage (52% vs. 47% in prior study); and IT Security (37% vs. 31% in prior study).
- Business continuity plan exercises are still the most widely-used method to measure the performance of BCM programs (64%), followed by audit findings (50%).
- 20% of the respondents do not know the financial impact of a five-day disruption or outage.
- 41% of respondents do not know how much of the organization's application data is currently stored in the cloud.
For the full report, which contains analysis, commentary from subject-matter professionals, and links to the full results and custom reports, go to 2013-2014 Continuity Insights and KPMG LLP BCM Program Benchmarking Study.
About Continuity Insights
Continuity Insights (www.continuityinsights.com) is continuity from management's perspective. It speaks directly to the strategic view, embracing the issues and concerns of senior-level managers. The annual Continuity Insights Management Conference is the centerpiece of Continuity Insights' educational offerings, which also include webinars, regional events and virtual (online) events.
The weekly CI Bulletin and monthly eReport e-newsletters deliver compelling in-depth features, best practices, industry and vendor news, Q&As with the industry's most influential players, blogs, podcasts, and new products and services. For a free subscription, visit www.continuityinsights.com/subscribe.
About KPMG LLP
KPMG LLP, the audit, tax and advisory firm (www.kpmg.com/us), is the U.S. member firm of KPMG International Cooperative (“KPMG International”). KPMG International’s member firms have 155,000 professionals, including more than 8,600 partners, in 155 countries.