CONFIDENTIAL AND PROPRIETARY This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved. October 24, 2015 Roberta Witty ACP International / Gartner Business Continuity Management Survey 2015

ACP International / Gartner Business Continuity Management


October 24, 2015

Roberta Witty

ACP International / Gartner Business Continuity Management Survey 2015

Page 2: ACP International / Gartner Business Continuity Management


Gartner is the world’s leading information technology research and advisory company.

We deliver the technology-related insight necessary for our clients to make the right decisions, every day.

Who we are and why clients use Gartner Inc.

IT is critical to every organization, but harder to manage successfully due to its increasing complexity.

Since 1979, Gartner has guided clients through difficult decisions — providing independent, actionable advice on how and where to reduce cost, deploy IT to add value, drive innovation and manage risk.

Page 3: ACP International / Gartner Business Continuity Management


Who we serve

• IT End-User Professionals: CIOs, CTOs, CFOs, senior IT executives and their teams/associates
• Supply Chain Professionals: Heads of supply chain, senior supply chain executives and functional teams
• High-Tech & Telecom Professionals: Executives, product leaders and marketing/sales professionals in high-tech and telecom companies, and their teams/associates
• Investment Professionals: Buy-side investment professionals, including those in public equity, venture capital, private equity and investment banking
• Marketing Professionals: Digital marketing professionals, CMOs, chief customer officers, chief marketing technologists, heads of multichannel marketing, marketing analytics, digital commerce and their teams/associates

Page 4: ACP International / Gartner Business Continuity Management


How clients use Gartner

Learn From Research

Deep vertical coverage in nine industries

111,700 research docs across 1,230 topics covering all aspects of IT

Targeted to your role, key initiatives and purchasing decisions

Talk to an Expert

Proprietary methodologies and interactive models applied to provide clear insight and actionable advice

1,000 analysts engaging in over 215,000 client interactions a year in 85 countries

Specific advice on your challenges, opportunities and projects

Network With Peers

Exchange ideas, expertise and best practices with peers

Connect with a growing community of peers drawn from our clients in 9,100 distinct enterprises

World’s largest community of CIOs and senior IT executives

Attend Conferences

Content specific to your role, key initiatives and purchasing decisions

70+ yearly conferences worldwide attracting 50,000 attendees

Access to analysts, industry peers and top solution providers

Initiate an Engagement

Leverage industry research and unmatched market data

500 experienced consultants with industry-specific expertise

Measure and improve performance using data from 5,500 benchmarks

Page 5: ACP International / Gartner Business Continuity Management


Contents

Project summary
- Study objectives and methodology
- Respondent profile

Overview of survey results

Recommendations

Page 6: ACP International / Gartner Business Continuity Management


Project Objectives and Methodology

The purpose of this survey is to explore the perspectives of Business Continuity Management (BCM) professionals on BCM program management, business resilience and the impact of information security and IT outages on production and recovery activities. Results are to be presented to the ACP member community at the National Business Continuity Summit and Leadership Conference in October 2015.

In March 2015, ACP management asked the membership “What keeps you up at night?” The results were the basis of the joint ACP/Gartner survey.

Gartner surveyed ACP members in the U.S. between July 10, 2015 and August 5, 2015 to help Gartner understand the perspectives of Business Continuity Management (BCM) professionals on business resilience and the impact of IT on production and recovery activities.

• 156 respondents participated. Organizations from all industries qualified.
• Qualified participants must report being involved in and able to give detailed feedback on BCM activities at their organizations.
• Interviews were conducted online. The sample universe was drawn from the ACP membership list.

The survey was developed collaboratively by a team of ACP personnel and Gartner analysts who follow these IT markets, was reviewed and tested by Gartner's Research Data Analytics team, and was administered by ACP.

Page 7: ACP International / Gartner Business Continuity Management


Respondent Profile: Organization Characteristics (n=156)

Primary Industry
• Banking: 21%
• Insurance: 11%
• Utilities, energy: 10%
• Services: 9%
• Government: 8%
• Manufacturing: 7%
• Investment Services: 6%
• Retail: 5%
• Transportation: 4%
• Healthcare Providers: 3%
• Education: 3%
• Media: 2%
• Telecommunications: 2%
• All other: 9%
Financial Services: 38%

Annual Revenue (USD)
• <$500M: 22%
• $500M - $10B: 47%
• $10B+: 30%

Employees Worldwide
• SMB (<1,000): 21%
• Large (1,000-9,999): 35%
• XL (10,000+): 42%

Page 8: ACP International / Gartner Business Continuity Management


Respondent Profile: Roles and BCM Responsibility (n=156)

Role (rationalized job titles)
• Director/Manager, BCM: 42%
• Advisor/Analyst/Specialist, BCM: 13%
• Administrator/Coordinator/Planner, BCM: 12%
• Advisor/Analyst/Specialist, IT DRM: 8%
• Director/Manager, IT: 6%
• Director/Manager, IT DRM: 5%
• Director/Manager, Emergency Management-Safety: 3%
• Administrator/Coordinator/Planner, IT DRM: 2%
• Director/Manager, Risk: 2%
• Administrator/Coordinator/Planner, Emergency…: 1%
• Advisor/Analyst/Specialist, Risk: 1%
• Other: 3%

BCM Responsibility
• Responsible for my organization's BCM activities: 54%
• Responsible for BCM activities in at least one area, region, department or business unit at my organization: 35%
• BCM team member: 11%

Page 9: ACP International / Gartner Business Continuity Management


How Gartner Defines BCM

[Figure: diagram of BCM components. Labels: Information Technology; Equipment; Vital Records; External Stakeholders; Facilities; Suppliers/Partners; IT Service Continuity Management; Business Recovery; Governance and Program Management; Supplier Contingency; Business Process; Workforce; Customers; Devolution/Resolution Planning; Crisis/Incident Management]

Page 10: ACP International / Gartner Business Continuity Management


Key Findings

• BCM Program Management

• Business Resilience: What Is It?

• Information Security and BCM Program Alignment

• IT Disaster Recovery Management

Page 11: ACP International / Gartner Business Continuity Management


Findings Summary

• There is a large (38%) Financial Services skew (banking, investment services and insurance)

• The enterprise risk management (ERM) function is becoming the natural home for all BCM activities except IT DRM and Supplier Contingency

• Survey participants believe senior management is not always making the financial investments needed for BCM, even though they do understand its importance (64% important vs 37% investing)

• “Business Resilience” seems to be the new name for Business Continuity Management

• There is a high level of maturity (69% have a formal program in place) regarding “business resilience”

• 41% report they haven’t experienced a cyber-attack – THAT THEY KNOW ABOUT!

• 41% report that their cyber security and BCM plans are fully integrated

• The majority of IT outages (76%) do not result in a disaster declaration

• An in-house or co-location based warm site is the most common recovery sourcing strategy (35% for critical IT infrastructure and 29% for extremely critical IT services)

• Only 28% report using outsourced IT Services for data processing. Of those, 59% are involved in the back-up of data processed by outsourced IT service providers.

Page 12: ACP International / Gartner Business Continuity Management


Key Findings

• BCM Program Management

• Business Resilience: What Is It?

• Information Security and BCM Program Alignment

• IT Disaster Recovery Management

Page 13: ACP International / Gartner Business Continuity Management


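Primary Reporting Responsibility for BCM Activities

BCM program functions: Crisis/Incident Mgmt (n=137); IT Disaster Recovery Mgmt (n=140); Business Recovery (n=139); Supplier Contingency (n=72); Program Facilitation/Mgmt (n=131); Pandemic Planning (n=106); Emergency Mgmt/Public Safety (n=76)

Role, by BCM program function
• CEO or equivalent (1): Crisis/Incident Mgmt 15%
• COO or equivalent (4): Crisis/Incident Mgmt 14%, Business Recovery 17%, Supplier Contingency 10%, Emergency Mgmt/Public Safety 11%
• CIO or equivalent (1): IT Disaster Recovery Mgmt 41%
• CTO or equivalent (1): IT Disaster Recovery Mgmt 21%
• Enterprise or Corporate Risk Management (6): Crisis/Incident Mgmt 25%, Business Recovery 25%, Supplier Contingency 17%, Program Facilitation/Mgmt 28%, Pandemic Planning 27%, Emergency Mgmt/Public Safety 25%
• Procurement or Supply Chain Director (1): Supplier Contingency 29%
• Director/Manager, Emergency Mgmt-Safety (1): Emergency Mgmt/Public Safety 11%
• Director/Manager, BCM (1): Program Facilitation/Mgmt 13%
• Human Resources (1): Pandemic Planning 13%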

Page 14: ACP International / Gartner Business Continuity Management


The Degree to Which Senior Management Values and Funds BCM (n=156)

Scale: 1 = Strongly disagree, 7 = Strongly agree

• Understands the importance and business value of BCM: 1-2 rating 8%, 3-5 rating 28%, 6-7 rating 64%; average rating 5.6
• Adequately funds activities to support BCM: 1-2 rating 13%, 3-5 rating 50%, 6-7 rating 37%; average rating 4.9

Adequately funds activities to support BCM, by employee size
(SMB, 100 to 999 employees / Large, 1,000 to 9,999 employees / X-Large, 10,000+ employees)
• Rating 1, 2 (bottom box): 14% / 13% / 11%
• Rating 3-5 (middle box): 32% / 65%* / 48%
• Rating 6, 7 (top box): 54%* / 22% / 38%*

*statistically significant difference

Respondents at large-size orgs are less satisfied with BCM funding than respondents at smaller (SMB) or extra-large (XL) orgs.

No other significant difference by company employee size or revenue.

[See appendix for org size and revenue breakdowns]

Page 15: ACP International / Gartner Business Continuity Management


Key Findings

• BCM Program Management

• Business Resilience: What Is It?

• Information Security and BCM Program Alignment

• IT Disaster Recovery Management

Page 16: ACP International / Gartner Business Continuity Management


Maturity of the Business/Operational Resilience Program (n=156)

• Formal program: 69%
• Implementing a formal program: 17%
• Defining the implementation plan: 2%
• Developing a strategy and scope: 8%
• Do not have and not developing a formal program: 2%

Page 17: ACP International / Gartner Business Continuity Management


Disciplines Covered in a Business/Operational Resilience Program

n=137, base = current, implementing or defining a program; multiple responses allowed

• Business Recovery: 97%
• Crisis, Emergency, Incident Mgmt: 93%
• IT Disaster Recovery or IT Service Continuity: 91%
• Information Security: 75%
• Facility Management and/ or Real Estate: 75%
• Physical Security: 72%
• Operational Risk Management: 70%
• Legal and/ or Compliance: 69%
• IT Risk Management: 66%
• IT Vendor Risk Management: 55%
• Financial Risk Management: 53%
• Supplier Contingency: 50%
• Insurance: 47%
• Audit Management: 47%
• Privacy: 45%
• Supply Chain only: 28%
• Other: 7%

Page 18: ACP International / Gartner Business Continuity Management


Key Findings

• BCM Program Management

• Business Resilience: What Is It?

• Information Security and BCM Program Alignment

• IT Disaster Recovery Management

Page 19: ACP International / Gartner Business Continuity Management


Information Security and BCM Alignment

Experience of Cyber-Attacks and IT Outages (n=156)

• IT outage: in last 3 years 60%, >3 years 8%, none 19%, don’t know 12% (68% have experienced)
• Cyber-attack or information security breach: in last 3 years 31%, >3 years 8%, none 41%, don’t know 20% (39% have experienced)

Page 20: ACP International / Gartner Business Continuity Management


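Information Security and BCM Alignment

Information Security Incidents as a BCM Scenario (n=156)

• Crisis communications plans: currently included 64%, plan to include in next 12 months 18%, not planned within the next year 10%, don’t know 8%
• Business recovery plans: currently included 49%, plan to include in next 12 months 21%, not planned within the next year 21%, don’t know 10%
• IT disaster recovery plans: currently included 55%, plan to include in next 12 months 17%, not planned within the next year 14%, don’t know 14%

Perform Exercises to Test Information Security Incidents in Recovery Plans

Base = organization “currently included” information security incidents as a scenario (from above)

• Crisis communications plans (n=100): yes, performing exercises to test 67%; developing exercises for test plan 16%; no, not currently testing 8%; don't know 9%
• Business recovery plans (n=76): yes, performing exercises to test 67%; developing exercises for test plan 16%; no, not currently testing 8%; don't know 8%
• IT disaster recovery plans (n=86): yes, performing exercises to test 74%; developing exercises for test plan 10%; no, not currently testing 10%; don't know 5%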

Page 21: ACP International / Gartner Business Continuity Management


Information Security and BCM Alignment: Cyber-Attack Response Team Integration with BCM

n=49; base = organizations with a cyber-attack in last 3 years

• Fully integrated response: 41%
• Somewhat integrated—all responded but not fully integrated: 35%
• No, response was not fully integrated: 8%
• Don’t know: 16%

Page 22: ACP International / Gartner Business Continuity Management


Key Findings

• BCM Program Management

• Business Resilience: What Is It?

• Information Security and BCM Program Alignment

• IT Disaster Recovery Management

Page 23: ACP International / Gartner Business Continuity Management


IT Outages and Declared Disasters

n=55; base = IT outage in last three years, excluding don’t know

Number of Outages in the Last Three Years (number of respondents)
• 1 IT outage: 12
• 2 IT outages: 17
• 3 IT outages: 9
• 4 IT outages: 2
• 5 IT outages: 5
• 6 IT outages: 1
• 7 IT outages: 1
• 9 IT outages: 1
• 10 IT outages: 3
• 12 IT outages: 1
• 15 IT outages: 2

One respondent noted 50 outages (with 3 declared disasters)

Number of Declared Disasters (number of respondents)
• 0 disasters: 42
• 1 disaster: 9
• 2 disasters: 2
• 3 disasters: 1
• 4 disasters: 1

Page 24: ACP International / Gartner Business Continuity Management

Data protection solutions by recovery tier

Multiple responses allowed

Values are listed as Critical IT infrastructure (n=107, excluding 31% DK) / Extremely Critical IT Services (n=106, excluding 32% DK) / Somewhat Critical IT services (n=99, excluding 37% DK)

• Database replication: 74% / 70% / 32%
• Virtual Machine replication: 67% / 65% / 32%
• Storage-based replication: 60% / 65% / 31%
• Backup sent to disk: 48% / 52% / 45%
• Middleware-based transaction replication: 46% / 38% / 28%
• Tape backup: 45% / 51% / 56%
• Metro-area data mirroring: 32% / 25% / 28%

Page 25: ACP International / Gartner Business Continuity Management


Most-Used Recovery Approaches for IT Services

Multiple responses allowed

Values are listed as Critical IT Infrastructure (n=116, excluding 26% DK) / Extremely Critical IT Services (n=113, excluding 28% DK) / Somewhat Critical IT Services (n=112, excluding 28% DK)

• In-house or colo-based warm site: 35% / 29% / 18%
• Hot standby with automated failover: 16% / 9% / 5%
• Hot standby active processing of data: 15% / 12% / 7%
• Disaster recovery provider cold site: 10% / 14% / 17%
• Cloud-based recovery: 7% / 11% / 7%
• Backup to tape held offsite: 7% / 9% / 18%
• In-house or colo-based cold site: 6% / 8% / 7%
• Backup to remote disk only: 4% / 5% / 12%

Page 26: ACP International / Gartner Business Continuity Management


Does your organization use outsourced IT services for data processing? By organization size

28% of survey participants use Outsourced IT Services for Data Processing; 15% Don’t Know

Employee Size (n=148)
• SMB: Yes 25%, No 68%, Don’t know 7%
• Large: Yes 40%, No 51%, Don’t know 9%
• X-Large: Yes 22%, No 57%, Don’t know 22%

Revenue (n=112)
• <$500 MM (n=25): Yes 32%, No 60%, Don’t know 8%
• $500M-$10B (n=53): Yes 34%, No 57%, Don’t know 9%
• >$10B (n=34): Yes 35%, No 47%, Don’t know 18%

Page 27: ACP International / Gartner Business Continuity Management


Back-Up and Exercising of Outsourced IT Services

Handling of IT Services Back up (n=37, excluding 16% don’t know)
• Outsourcer does backups of data and IT service components: 38%
• Outsourcer backup + org does own backups: 24%
• Share backup responsibilities: 16%
• Org does back up, not the outsourcer: 19%
• Other: 3%

Vendor participates in disaster recovery exercises (n=44)
• Yes: 61%
• No: 30%
• Don’t know: 9%

Page 28: ACP International / Gartner Business Continuity Management


Recommendations

• Align your BCM program function reporting to the ACP best practice approach, where appropriate.

• Use key performance indicators and BCM key risk indicators to educate senior management as to the importance of continuity of operations.

• Inventory how your organization manages and aligns its risk management disciplines to determine their fit in your business resilience program.

• Use Gartner’s ITScore online security and risk management maturity self-assessment tools to establish a baseline and maturity improvement roadmap.

• Work with your computer security incident response teams (CSIRT) to determine the integration points.

• Improve your coverage of information security incidents in all recovery plans, especially business recovery plans (49% & 21% respectively).

• Plan to exercise the information security incident scenario within the next six months.

• Maintain an inventory of all IT outages for root cause analysis and to support future recovery funding requests.

• Establish an application tiering model that maps recovery requirements and approaches to each tier.

• Review your IT outsourcing contracts to determine what you and the outsourcers are responsible for in regards to backup/data protection.

• Require that your IT outsourcers be part of IT DR exercises so that there are no surprises and delayed recovery efforts when disaster strikes.

Page 29: ACP International / Gartner Business Continuity Management


Appendix

Page 30: ACP International / Gartner Business Continuity Management


Project Study Objectives

The purpose of this survey is to explore the perspectives of Business Continuity Management (BCM) professionals on business resilience and the impact of IT on production and recovery activities. Results to be presented to the ACP member community at the National Business Continuity Summit and Leadership Conference in October 2015.

Specifically, the survey is focused on risk mitigation, planning, exercising, responding, recovering and restoring activities in the following areas:

• Crisis or Incident Management: Establishing command and control over the incident, ensuring life and/or safety, crisis communications (internal and external)
• IT Disaster Recovery: Recovering IT services for the organization (internal and external)
• Business Recovery: Recovering the business processes for the organization including the workforce, special equipment, non-electronic vital records et al
• Supplier Contingency: Recovering from a supplier’s own outage
• BCM Program Facilitation and Management: Managing and governing the BCM program and its components across the organization
• Pandemic Planning: Pandemic planning is a unique scenario to manage. It may have different reporting responsibilities and tactics versus traditional BCM
• Emergency Management and Public Safety: Ensuring the life and/or safety of the public by government agencies

Page 31: ACP International / Gartner Business Continuity Management


Respondent Profile: Respondent Involvement in BCM (n=156)

Multiple responses allowed

Values are listed as At org / Respondent able to give feedback

• IT Disaster Recovery: 90% / 57%
• Business Recovery: 89% / 74%
• Crisis or Incident Management: 88% / 67%
• BCM Program Facilitation and Management: 84% / 63%
• Pandemic Planning: 68% / 49%
• Emergency Management and Public Safety: 51% / 35%
• Supplier Contingency: 46% / 24%
• Other: 6% / 6%

Page 32: ACP International / Gartner Business Continuity Management

Primary Industry: Full List (n=156)

• Banking: 21%
• Insurance: Property and Casualty Insurance: 8%
• Utilities: Electric or Gas Utilities: 7%
• Government: Local or Regional: 7%
• Services: Information Technology Services and Software: 6%
• Investment Services: 6%
• Insurance: Health Insurance (payer): 3%
• Healthcare Providers: Hospital or Integrated Delivery Network (IDN): 3%
• Transportation: Warehousing, Couriers, Support Services: 3%
• Services: Other Business, Consulting or Consumer Services: 3%
• Retail: Specialty Retailers: 3%
• Education: Higher Education: 3%
• Telecommunications: 2%
• Manufacturing: Other: 2%
• Manufacturing: Automotive: 2%
• Insurance: Other: 2%
• Energy Resources and Processing: 2%
• Utilities: Water Utilities: 1%
• Media: Broadcasting or Cable: 1%
• Manufacturing: Consumer Nondurable Products: 1%
• Transportation: Rail and Water: 1%
• Retail: Grocery: 1%
• Retail: General Retailers: 1%
• Media: Publishing or Advertising: 1%
• Manufacturing: IT Hardware: 1%
• Manufacturing: Heavy Industry: 1%
• Insurance: Life Insurance: 1%
• Government: Defense and Intelligence: 1%
• All other: 9%

Page 33: ACP International / Gartner Business Continuity Management


Primary Reporting Responsibility for BCM Activities

Crisis or Incident Management (n=137)
• Enterprise or Corporate Risk Management: 25%
• CEO or equivalent: 15%
• COO or equivalent: 14%
• CISO (Chief Information Security Officer) or…: 7%
• CAO or equivalent: 6%
• Director/Manager, BCM: 5%
• Director/Manager, Emergency Management-…: 5%
• CIO or equivalent: 4%
• Human Resources: 4%
• CFO or equivalent: 4%
• Director/Manager, IT DRM: 2%
• CTO or equivalent: 2%
• Director/Manager Resilience: 1%
• Procurement or Supply Chain Director: 1%
• Other: 1%
• Primary responsibility for activity not clear: 4%

IT Disaster Recovery (n=140)
• CIO or equivalent: 41%
• CTO or equivalent: 21%
• Enterprise or Corporate Risk Management: 10%
• CISO (Chief Information Security Officer) or…: 9%
• COO or equivalent: 4%
• Director/Manager, BCM: 3%
• CAO or equivalent: 2%
• Director/Manager, IT DRM: 1%
• Director/Manager Resilience: 1%
• Advisor/Analyst/Specialist, BCM: 1%
• Advisor/Analyst/Specialist, IT DRM: 1%
• Procurement or Supply Chain Director: 1%
• CFO or equivalent: 1%
• CEO or equivalent: 1%
• Other: 1%
• Primary responsibility for activity not clear: 3%

Page 34: ACP International / Gartner Business Continuity Management


Primary Reporting Responsibility for BCM Activities

Business Recovery (n=139)
• Enterprise or Corporate Risk Management: 25%
• COO or equivalent: 17%
• Director/Manager, BCM: 8%
• CFO or equivalent: 7%
• CAO or equivalent: 7%
• CIO or equivalent: 5%
• CEO or equivalent: 5%
• CISO (Chief Information Security Officer) or…: 4%
• Line of business: 3%
• Director/Manager, IT DRM: 3%
• Human Resources: 3%
• Director/Manager Resilience: 1%
• Administrator/Coordinator/Planner, BCM: 1%
• Procurement or Supply Chain Director: 1%
• CTO or equivalent: 1%
• Director/Manager, Emergency Management-Safety: 1%
• Director/Manager, Risk: 1%
• Legal or Chief Counsel: 1%
• Other: 1%
• Primary responsibility for activity not clear: 4%

Supplier Contingency (n=72)
• Procurement or Supply Chain Director: 29%
• Enterprise or Corporate Risk…: 17%
• COO or equivalent: 10%
• CISO (Chief Information Security…: 6%
• Director/Manager, Vendor Management: 4%
• Director/Manager, BCM: 4%
• CTO or equivalent: 4%
• CIO or equivalent: 4%
• CFO or equivalent: 3%
• CAO or equivalent: 3%
• Director/Manager Resilience: 1%
• Director/Manager, Risk: 1%
• Primary responsibility for activity not clear: 14%

Page 35: ACP International / Gartner Business Continuity Management


Primary Reporting Responsibility for BCM Activities

BCM Program Facilitation and Management (n=131)
• Enterprise or Corporate Risk Management: 28%
• Director/Manager, BCM: 13%
• CISO (Chief Information Security Officer)…: 9%
• COO or equivalent: 8%
• CIO or equivalent: 6%
• CAO or equivalent: 6%
• CTO or equivalent: 4%
• Administrator/Coordinator/Planner, BCM: 3%
• Director/Manager, Emergency…: 3%
• Human Resources: 3%
• CFO or equivalent: 2%
• Director/Manager Resilience: 2%
• Director/Manager, IT DRM: 2%
• Procurement or Supply Chain Director: 2%
• Advisor/Analyst/Specialist, BCM: 1%
• Director/Manager, Risk: 1%
• Legal or Chief Counsel: 1%
• CEO or equivalent: 1%
• Other: 2%
• Primary responsibility for activity not clear: 5%

Pandemic Planning (n=106)
• Enterprise or Corporate Risk Management: 27%
• Human Resources: 13%
• Director/Manager, BCM: 9%
• COO or equivalent: 9%
• CISO (Chief Information Security Officer) or…: 7%
• Director/Manager, Emergency Management-…: 5%
• CAO or equivalent: 5%
• CTO or equivalent: 4%
• Line of business: 2%
• Director/Manager Resilience: 2%
• Administrator/Coordinator/Planner, BCM: 2%
• Director/Manager, IT DRM: 2%
• CIO or equivalent: 2%
• CFO or equivalent: 2%
• CEO or equivalent: 2%
• Director/Manager, Risk: 1%
• Administrator/Coordinator/Planner,…: 1%
• Legal or Chief Counsel: 1%
• Other: 2%
• Primary responsibility for activity not clear: 3%

Page 36: ACP International / Gartner Business Continuity Management


Primary Reporting Responsibility for BCM Activities

Emergency Management and Public Safety (n=79)
• Enterprise or Corporate Risk Mgmt: 25%
• Director/Manager, EM&S: 11%
• COO or equivalent: 11%
• CAO or equivalent: 9%
• CISO or equivalent: 6%
• CEO or equivalent: 6%
• Facilities/Property Management: 5%
• Human Resources: 4%
• Director/Manager Resilience: 3%
• Director/Manager, BCM: 3%
• CTO or equivalent: 3%
• CIO or equivalent: 3%
• CFO or equivalent: 3%
• Director/Manager, Risk: 1%
• Admin/Coordinator/Planner, Emerg…: 1%
• Legal or Chief Counsel: 1%
• Other: 3%
• Primary responsibility for activity not…: 3%

Page 37: ACP International / Gartner Business Continuity Management


Senior Management Values and Funds BCM (n=156)

Understands the importance and business value of BCM, by employee size
(SMB, 100 to 999 employees / Large, 1,000 to 9,999 employees / X-Large, 10,000+ employees)
• Rating 1, 2 (bottom box): 7% / 9% / 8%
• Rating 3-5 (middle box): 21% / 31% / 29%
• Rating 6, 7 (top box): 71% / 58% / 63%

Understands the importance and business value of BCM, by revenue
(<$500 million / $500 million-$10 billion / >$10 billion)
• Rating 1, 2 (bottom box): 16% / 16% / 9%
• Rating 3-5 (middle box): 24% / 21% / 27%
• Rating 6, 7 (top box): 60% / 62% / 65%

Adequately funds activities to support BCM, by employee size
(SMB, 100 to 999 employees / Large, 1,000 to 9,999 employees / X-Large, 10,000+ employees)
• Rating 1, 2 (bottom box): 14% / 13% / 11%
• Rating 3-5 (middle box): 32% / 65%* / 48%
• Rating 6, 7 (top box): 54%* / 22% / 38%*

Adequately funds activities to support BCM, by revenue
(<$500 million / $500 million-$10 billion / >$10 billion)
• Rating 1, 2 (bottom box): 32% / 21% / 24%
• Rating 3-5 (middle box): 28% / 69% / 35%
• Rating 6, 7 (top box): 40% / 28% / 42%

*statistically significant difference

Page 38: ACP International / Gartner Business Continuity Management


Maturity of the Business/Operational Resilience Program: By Company Size

Revenue (n=112)
Values are listed as <$500 million / $500 million-$10 billion / >$10 billion
• Have a formal program in place: 72% / 70% / 74%
• Currently implementing a formal program: 20% / 21% / 12%
• Developing a strategy and scope: 4% / 4% / 12%
• Do not have the knowledge to answer: 0% / 4% / 0%
• Defining the implementation plan: 4% / 0% / 0%
• Do not have and not developing a formal program: 0% / 2% / 3%

Employee Size (n=148)
Values are listed as SMB / Large / X-Large
• Have a formal program in place: 75% / 69% / 68%
• Currently implementing a formal program: 7% / 22% / 15%
• Developing a strategy and scope: 11% / 5% / 9%
• Do not have the knowledge to answer: 0% / 0% / 5%
• Defining the implementation plan: 7% / 0% / 2%
• Do not have and not developing a formal program: 0% / 4% / 2%

Page 39: ACP International / Gartner Business Continuity Management


Maturity of the Business/Operational Resilience Program: By Industry (n=156)

Columns, in order: Mfg, Utilities, Fin Services, Pharma & HC, Govt, Education, Retail, Transportation, Media, Communications, Services, All other

Base: All 13 13 62 5 12 4 6 5 3 3 14 14

Do not have and not developing a formal program 8% - - - 8% - - - - 33% - -

Have a formal program in place 46% 77% 79% 20% 75% 50% 50% 40% 100% 67% 93% 50%

Currently implementing a formal program 31% 8% 13% 40% 17% - 50% 60% - - - 21%

Program Planned (Net) 15% 15% 5% 40% - 25% - - - - 7% 29%

Defining the implementation plan 8% - 3% - - - - - - - - -

Do not have the knowledge to answer - - 3% - - 25% - - - - - -

Developing a strategy and scope 8% 15% 2% 40% - 25% - - - - 7% 29%

Employee Size: SMB: 100 to 999 employees; Large: 1,000 to 9,999 employees; X-Large: 10,000+ employees

Page 40: ACP International / Gartner Business Continuity Management


Disciplines Covered in a Business/Operational Resilience Program: By Organization Size

Base: Currently organization is 'Defining/ Implementing/ Program in place' the business or operational resilience program; Multiple responses allowed

Columns, in order: Total, SMB, Large, X-Large

Base (n): 137 25 50 55

Information Security 75% 76% 70% 78%

IT Disaster Recovery or IT Service Continuity 91% 92% 90% 91%

Business Recovery 97% 92% 100% 98%

Physical Security 72% 60% 80% 73%

Insurance 47% 44% 50% 45%

Crisis, Emergency, Incident Management - including crisis communications 93% 96% 92% 95%

Facility Management and/ or Real Estate 75% 60% 74% 82%

Legal and/ or Compliance 69% 72% 70% 69%

Supply Chain only 28% 12% 24% 40%

IT Vendor Risk Management 55% 44% 54% 58%

Supplier Contingency 50% 32% 58% 55%

Audit Management 47% 44% 42% 51%

IT Risk Management 66% 64% 60% 75%

Privacy 45% 28% 42% 55%

Financial Risk Management 53% 44% 52% 60%

Operational Risk Management 70% 56% 64% 82%

Other 7% 4% 6% 9%

Page 41: ACP International / Gartner Business Continuity Management


Disciplines Covered in a Business/Operational Resilience Program: By Industry

Base: Currently organization is 'Defining/ Implementing/ Program in place' the business or operational resilience program; Multiple responses allowed

Columns, in order: Total, Mfg., Utilities, Fin Services, Pharma & HC, Govt, Education, Retail, Transportation, Media, Communications, Services, All other

Base (n): 137 11 11 59 3 11 2 6 5 3 2 13 10

Information Security 75% 64% 91% 78% 100% 64% - 33% 80% 33% 100% 92% 80%

IT Disaster Recovery or IT Service Continuity 91% 82% 100% 93% 100% 100% 100% 67% 80% 67% 100% 92% 90%

Business Recovery 97% 100% 100% 97% 67% 91% 100% 100% 100% 100% 100% 100% 100%

Physical Security 72% 91% 100% 66% 67% 55% 50% 83% 40% 67% 100% 77% 70%

Insurance 47% 55% 18% 54% - 36% 50% 67% 20% - 100% 54% 40%

Crisis, Emergency, Incident Management - including crisis communications 93% 82% 91% 95% 100% 91% 100% 100% 100% 100% 100% 92% 90%

Facility Management and/ or Real Estate 75% 64% 82% 69% 67% 82% 50% 100% 80% 67% 100% 85% 80%

Legal and/ or Compliance 69% 73% 73% 64% 33% 64% 50% 83% 80% 33% 100% 92% 70%

Supply Chain only 28% 27% 27% 27% 33% 18% - 50% 60% - - 31% 20%

IT Vendor Risk Management 55% 27% 45% 68% 33% 55% - 50% 20% - 50% 85% 30%

Supplier Contingency 50% 64% 45% 58% 33% 36% 50% 33% 60% - 50% 54% 30%

Audit Management 47% 36% 27% 54% 67% 45% 50% 33% 20% - 50% 69% 30%

IT Risk Management 66% 73% 55% 73% 33% 55% - 67% 40% 33% 50% 92% 60%

Privacy 45% 36% 27% 51% 67% 36% - 17% 20% - 50% 85% 30%

Financial Risk Management 53% 64% 64% 54% - 45% 50% 50% 20% - 100% 77% 30%

Operational Risk Management 70% 73% 91% 73% 67% 55% 50% 33% 80% - 100% 85% 60%

Other 7% 9% 9% 7% - - 50% - - - - 15% -