International Business Continuity Program … by BC Management and the BC Management International Benchmarking Advisory Board -2012 International Business Continuity Program Management

Prepared by BC Management

and the BC Management

International Benchmarking

Advisory Board

- 2012

International Business Continuity Program

Management Benchmarking Report

- An Exclusive Board Review

Trending in Business Continuity

Benchmarking. Plan Ahead. Be Ahead.

Copyright ©2012 BC Management, Inc. An Exclusive Board Review Confidential to BCM Study Respondents Page 2

Table of Contents

Welcome 3

Summary of Data Findings 3-5

Trends of Interest within the Business Continuity Profession 6-26

Corporate Integration of Business Continuity

IT/ disaster recovery & business continuity strategies adequately supporting organizations 6

Disciplines managed within the business continuity program 7-8

Integration of program with other organizational disciplines 9-10

Status of current program 11-12

Budgeting

Budgeting of expenses within organization 13

Approximate annual budget for contingency related program expenses 13

Budget revisions 14

Personnel

Current dedicated personnel 14

Hiring initiatives for the next year 15

Reduction of full-time, permanently employed personnel in the next year 16

Primary reason behind a reduction in force in the next year 16

Organizational Reporting Structure

Reporting structure – department owner for business continuity 17

Is the business continuity program positioned for maximum visibility by department owner 18

Program Sponsor

Assessment by job title on who is totally engaged and sponsoring the program 19

Sponsor’s level of engagement if a chief officer level or above 20

Technology Recovery Solutions

Utilization of third-party hot site/ alternate site technology providers 21

Considering an internal recovery capability 22

Vendor Utilization

Utilization of software planning tools, automated notification tools and/or mobile recovery solutions

22

Reasons for Planning, Regulatory Requirements & Organizational Certification

Primary reasons for developing and maintaining a program – “Priority” or “High Priority” 23

Regulatory requirements and/or standards to model program after – “Priority” or “High Priority”

24

Achieved certification in an organizational standard 25

Organizational standard achieved certification in 26

Participant Data & Respondent Characteristics ~ An overview of international respondent characteristics. 26-31

Reporting History, Study Methodology, Assessment of Data & Reporting 32-33

Thank you to BC Management’s International Benchmarking Advisory Board 33-37

Thank you to our Sponsors and those Organizations who Distributed the Study and/or Report 37-40

About BC Management, Inc. & Where to Download Complimentary Business Continuity Management Compensation Reports

40

Customize a Report Exclusively for your Organization 41-42

This is a complimentary report that is exclusive only to those professionals who

contributed to BC Management’s 10th Annual Business Continuity Management

study. This report is not meant for general distribution. Any distribution of this

report or reference to any information enclosed within this report is prohibited

unless approved by BC Management, Inc.

We invite you to learn more about BC Management’s customized business

continuity benchmarking data assessments. Please contact a BC Management

associate at [email protected] for details.

mailto:[email protected]


WELCOME

This report is a complementary service of BC Management, Inc. for members of the Business Continuity industry and related fields.

It is solely distributed to professionals who participated in the program management section of BC Management’s 10th

Annual

Business Continuity Management study (2011). The Board Summary that follows is an analysis of the results of our study by the BC

Management International Benchmarking Advisory Board. The report’s focus and relevant supporting data were selected by the

board to assist professionals in addressing some of their most pressing issues today. While this report provides a wealth of

information, it is not fully representative of the depth of data that our study collected. If your organization is in need of more

specific or customized data, BC Management offers a range of benchmarking services that can meet your needs. More detail on

these services is included at the end of this report. We hope you find this report useful in strengthening your program, and feel free

to submit any feedback on it to us.

SUMMARY

How to Read the Report

The Internat ional Business Continuity Program Ma nagement Benchmarking Report – An Exclusive Board

Review is designed to provide a summary of the wealth of data col lected from nearly 3000 respondents to BC

Management’s International Business Continuity Management survey as i t perta ins to trend analysis . This

report wi l l serve as a resource in assessing and understanding the direct ion of the business cont inuity

management profession .

Highlighted throughout this report are a var iety of business cont inuity program management init iat ives that

showed the most noteworthy changes between 2009 and 2011. This is the f irst report of i ts kind and BC

Management is able to offer such a report as a result of data analysis from three consecutive years of an

identical survey.

Findings Business Continuity Management Program Advancements

In assessing the data results between 2009 and 2011 we noticed the following business continuity management program

advancements that indicate a shift to an enterprise-wide resiliency focus with increased executive support and acknowledgement of

increased standards that will more than likely continue to evolve the profession in the future.

More respondents indicated that the business continuity program and/or the disaster recovery program is meeting the

organizational needs of the corporation.

Increase in the number of disciplines managed within the business continuity management program with crisis

management, emergency management and risk management showing the greatest increase.

Improved integration of the business continuity management program with other corporate functions with security-

information, information technology, emergency management, disaster recovery (IT focus) and crisis management showing

the greatest improvement.

Adding more full-time, permanent personnel dedicated to the program and a decrease in downsizing of personnel in the

next year.

The business continuity office showed the most significant gain of where to position the program when assessing the

department owner and organizational structure.

Risk management and the business continuity office received the highest approval ratings of where to position the program

from a department/ organizational structure review.


Increased awareness seems to be evident at the chief officer level as more respondents indicated a shift in program

sponsor from mid management/ management to the chief officer level/ board committee.

The chief level program sponsors are stepping up their level of engagement with the business continuity management

program.

More respondents noted several standards/ regulations to model their business continuity program after as a high priority.

Advancement of organizational certifications as more respondents noted to obtaining multiple organizational certifications.

Business Continuity Management Program Deteriorations

Our study pointed to a few disappointing data points that center on budgeting of the business continuity management program. We

can assess that this is more than likely due to the deep recession, especially since this trend analysis is between the timeframe of

2009 to 2011. Corporations around the world are understandably cost conscious, thus the following data findings were not

surprising.

A shift was indicated as to how business continuity is being budgeted within corporations from being allocated

independently to having no defined budget.

Severe cuts in business continuity management program budgets were noted between 2009 and 2011.

The most significant budget decrease was for those respondents who tied their business continuity management budget to

other corporate departments.

Other Business Continuity Management Program Notable Trends

Our data analysis indicated other noteworthy business continuity management trends. These trends could be viewed as having a

positive, negative or neutral impact to the future of the business continuity management profession.

The 2011 study showed that more respondents indicated no change to the business continuity management program

budget in the next year.

There was a significant decrease in the number of part-time dedicated personnel to the business continuity management

program while full-time dedicated personnel showed consistency.

Those corporations who are downsizing the dedicated business continuity personnel indicated increased drivers between

2009 and 2011 to be a change in priorities, reduction in scope of work and transfer of functions. The most significant

drivers in 2009 (financial pressures and organizational restructuring) did diminish substantially, although the data results

still indicated these factors as considerable.

Increase of respondents who noted a mix recovery solution between a third party hot site/ alternate site vendor and

internal recovery solution as well as an increase of respondents who noted an internal solution at an alternate site. At the

same time, those respondents who noted an exclusive use of a third party hot site/ alternate site vendor for their recovery

solution declined.

Slight increase in utilization of software and notification provider tools between 2009 and 2011.

More respondents noted the following as a high priority for reasons to develop and maintain a business continuity

management program.

o Ensure safety of employees

o Be compliant with good corporate governance

o Response to audit results/recommendations

o History of business interruptions


Using the Data How Can this Report Benefit Your Program and Your Organization?

What is the take away?

This report is a compilation of all the data provided in the 2009, 2010 and 2011 studies. Our summary is a broad analysis of a

segment of the data offering an illustration of how the business continuity profession is viewed and what we can learn from these

study results. This is simply a baseline of the trends in our industry. Our hope is that you can use it as a starting point, if not a guide

as you work towards gaining executive support and establishing metrics to better measure the effectiveness of your program. The

report can be leveraged to provide you with facts to present to your executive management to help justify continued emphasis in

key areas of your business continuity program. But don’t forget, as professionals in this industry, the report also offers insight into

career development opportunities that you should use to identify areas to further develop your own skills.

As you continue on your journey consider benchmarking your organization against your peers. Enclosed you will find a great deal of

data, though it is impossible to display everything, which is why the customized reporting by organization will be essential if an

organization wants to obtain a clear understanding of other “similar” organizations. A feature of the customized reports is providing

a detailed analysis specific to your industry which not only allows you to benchmark your own program against very mature

programs specific to your demographics, but also is an opportunity to create a roadmap for your program based on effective peer-

based models and supporting data.


0%

10%

20%

30%

40%

50%

60%

2009 2010 2011

IT/DR Strategies Meet Organizational Needs

No

Yes

0%

10%

20%

30%

40%

50%

60%

70%

2009 2010 2011

BC Strategies Meet Organizational Needs

No

Yes

7% Increase from

2009 to 2011.

6% Increase from

2009 to 2011.

Corporate Integration of Business Continuity

Study Question - To your knowledge, do you feel your current IT/Disaster Recovery and Business

Continuity strategies adequately support the needs of your organization? (An assessment of all

study respondents.)


BC Management’s study inquired on how many and which disciplines are managed within the business continuity

management program. The purpose of this question is to assess how business continuity is managed within

organizations, meaning which disciplines are commonly paired within a business continuity/ disaster recovery

management program and how many functions is a business continuity/ disaster recovery manager commonly

overseeing.

0%

10%

20%

30%

40%

50%

60%

70%

1 2 3 4 5+

Number of Disciplines in the Program

2009

2010

2011

18% Increase

It is not surprising we are seeing an 18% increase in the number of disciplines associated with BCM programs as

BCM is increasingly being managed as part of broader Enterprise and Operational Risk Management initiatives,

given its rising importance. Along with this comes greater regulation, more demands for internal and external

audits and closer working relationships with other critical functions as is evidenced in the graphic below.

- Thomas Wagner

Study Question – Please specify all the disciplines that you personally manage within your

program. Select all that apply. (An assessment of study respondents.)


0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%

Other

Security - Physical

Security - Information

Risk Management - Operational

Risk Management - Insurance

Risk Management - Enterprise

Records Management

Pandemic Planning

Information Technology

Health & Safety - Environmental

Health & Safety - Occupational

Facilities Management

Emergency Management

Disaster Recovery Process (IT Focus)

Crisis Management

Compliance

Business Continuity Process (Business Focus)

Audit

Discplines Managed in the Program

2011

2010

2009

7% Increase

8% Increase

8% Increase

2% Decrease

4% Decrease

Question not included

in the 2009 BCM Study.

In addition, given the significant rise in the number of major events over the past ten years due to

terrorism and natural disasters we are definitely seeing much closer integration with Crisis and

Emergency Management as strategies, plans and protocols must be tightly coordinated with Business

Continuity and Disaster Recovery efforts accounting for the 7% increase shown above.

This decrease in IT as a managed discipline can partially be explained by the maturation of ITIL Service

Continuity programs in large companies whereby IT is taking on more BCM-like responsibilities for

applications and infrastructure. We are also seeing a large migration of applications, infrastructure and

DR services to “cloud” vendors who are typically managed by the IT organization.

The decrease in Pandemic Planning is not too surprising. In many firms, Pandemic Planning was

managed by business-led committees with BCM playing a supporting role since the many legal, human

resource and medical dimensions that must be handled. This could be a continuation of the overall

trend whereby as the overall importance of BCM is increasing at an enterprise level, the business are

beginning to step-up and take on many of the challenges and responsibilities for keeping the enterprise

up and running.

- Thomas Wagner


The two data graphs below highlight the percent of respondents who indicated “No Integration” and “Completely

Integrated” in 2009, 2010 and 2011 for the disciplines noted. Several categories were not included in the 2009 BCM

Study (Business Unit Participation, Change Management, Executive Protection, Media Crisis Management, Pandemic

Planning, Privacy, Senior Management Participation/ Sponsorship and Strategic Plan/ Corporate Mission Statement). In

reviewing the results from the previous three previous studies, we discovered that the following disciplines showed

improvement: Security- Information, Information Technology, Emergency Management, Disaster Recovery (IT Focus)

and Crisis Management.

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

Strategic Plan/ Corprate Mission Statement

Senior Management Participation/ Sponsorship

Security - Physical





Records Management

Privacy

Pandemic Planning

Media Crisis Management





Executive Protection


Disaster Recovery (IT Focus)

Crisis Management

Compliance

Change Management

Business Unit Participation

Audit

Disciplines - No Integration with Program

2009

2010

2011

4% Improvement from 2009





Study Question - How well integrated are the following within your organizational program?

Please rate on a scale of 1 to 5 with 1 meaning NO INTEGRATION and 5 meaning COMPLETELY

INTEGRATED. (An assessment of all study respondents.) *All related enterprise discipl ines are l isted within the study to accommodate a variety of discipline expertise .


0% 20% 40% 60% 80% 100% 120%

Strategic Plan/ Corprate Mission Statement

Senior Management Participation/ Sponsorship

Security - Physical





Records Management

Privacy

Pandemic Planning

Media Crisis Management





Executive Protection


Disaster Recovery (IT Focus)

Crisis Management

Compliance

Change Management

Business Unit Participation

Audit

Disciplines - Completely Integrated with Program

2009

2010

2011


18% Improvement

from 2009


16% Improvement

from 2009

There has been a relentless need, for BCM Program sponsors & stakeholders, to realize the value-addition BCM

program brings along, provided, given the right mix of recognition. On a positive note, we are beginning to see

convergence of disciplines, which indeed, has increased significance, effectiveness and efficiency of BCM to the

organization and elevated it to its justified position. Above data graphs noticeably highlight the fact that BCM Program

excels when all its related disciplines and functions are well integrated as an enterprise-wide resiliency initiative.

Bridging proactive and reactive zones are always rewarding as we can see below that while disciplines being

integrated, there is 15% improvement in Crisis Management compared to 2009 and there is also a substantial increase

in Emergency Management, which demonstrates BCM as an enterprise-wide domain and not just a discipline focused

on survivability of the organization. As we can see in the above data graphs, there seems a tremendous improvement

in DR (IT focus) as this not only exemplifies the maturity in IT discipline but also highlights a steady and well-

coordinated relationship between IT and BCM, which at times, poses the biggest challenge.

It is indeed promising to see that BCM discipline has started to make a paradigm shift from ‘continuity’ to ‘resiliency’

notion.

- Sohail Khimani, CBCP, MBCI


The table below indicates all study respondents and their current status of the continuity program, regardless of

program maturity or how long the program has been in existence.

In a review of the responses for overall status of the program, variances were minimal in both a positive and

negative direction. This is not surprising with the business climate over the past few years. From a positive view, it

is significant that during the financially stressed business environment, programs have successfully managed to

sustain, or minimally decrease their business continuity program. The largest change was a growth by 7% (since

2009) in those organizations implementing a corporate-wide BC program. One could read into the results that

simple point solutions are now being replaced by corporate-wide for on Business Continuity.

A few categories did indicate a step backward in planning, such as the following: A full functioning

executive/leadership transition is in place (-3%), A full functioning pandemic preparedness policy is in place (-2%),

Maintain an exercise schedule in order to identify new potential vulnerabilities or weaknesses in the current BCM

program (-1%), Maintain an assessment and audit schedule of the BCM program to ensure the program is up to

date and complete (-2%), Implemented an awareness and training program to promote and educate the entire

organization on the BCM program (-3%) and Policies and procedures are in place to interact and coordinate with

external agencies in times of a disaster (-3%). These are small variances and therefore may not indicate a trend.

- Ann Pickren

While trying to engineer justifications to get senior management support, business continuity discipline was used to

be considered as a ‘back-burner’ for years. This was changed prior to financial meltdown where much focus and

resources were dedicated to business continuity discipline. However, currently, in the time of financial distress,

companies are scrutinizing their spending cautiously. While the significance and criticality of having an enterprise-

wide business continuity process has been acknowledged, managers now seem reluctant to commit resources and

it seems like business continuity discipline has been put into intensive care.

This is evident from the data graph below, where majority of data points indicates no significant improvement in

the program status whereas in few categories, we can see a negative impact in areas such as, exercising plans (-1%)

and BCM training investments (-3%), which are critical towards the success of BCM efforts.

Given the global statistics, the need for a solid BCM Program is evident and imperative. However, with the

pressures on managers due to austerity and cost conservatism, it can be difficult to convince management that

reinforcement of BCM is prudent, at the time, when global recession is treating companies very harshly.

- Sohail Khimani, CBCP, MBCI

Study Question - Please choose all that apply to describe your organization’s current continuity program status under your direction and management. Please check all that apply. (An assessment of all study respondents.) * “% of Resp” column will exceed 10 0% due to multiple selections.


0% 50% 100% 150% 200% 250%

A full functioning executive/leadership transition is in place.

Currently implementing an executive/leadership transition plan.

Currently developing an executive/leadership transition plan.

A full functioning pandemic preparedness policy is in place.

Currently implementing a pandemic preparedness policy.

Currently developing a pandemic preparedness policy.

Maintain an exercise schedule in order to identify new potential vulnerabilities or weaknesses in the current BCM program. Analyze findings to elevate the program.

Maintain an assessment and audit schedule of the BCM program to ensure the program is up to date and complete.

Implemented an awareness and training program to promote and educate the entire organization on the BCM program.

Implemented a full functioning, corporate wide BCM program that meets the organization’s contingency, resiliency, risk management, emergency management

and crisis management needs.

Incorporated a full enterprise risk management program with controls in place to avoid or mitigate potential risks.

Currently conducting an enterprise risk assessment for the board and/ or senior management.

Considering conducting an enterprise risk assessment for the board and/ or senior management.

A Crisis Communications program is in place.

A Crisis Management process and plan is in place.

Policies and procedures are in place to interact and coordinate with external agencies in times of a disaster.

A full functioning Emergency Operations Center is in place.

Currently implementing an Emergency Operations Center.

Currently assessing an Emergency Operations Center.

Currently developing and implementing BC and/or IT DR plans that meet the needs of the organization.

Currently conducting BIA or risk assessments.

Currently obtaining or have management support and formulating the BCM program framework to include contingency strategies, resiliency needs, recovery objectives,

operational and enterprise risk management and crisis management plans.

Some departments/divisions have business continuity plans.

There are contingency plans in place for IT DR functions only.

Off-site data recovery only.

There are no business continuity and/or IT disaster recovery plans in place.

Status of Program

2009

2010

2011

7% Improvement

from 2009

4% Improvement

from 2009

4% Improvement

from 2010

Questions not included in the

2009 BCM Study.

4% Improvement

from 2009

5% Improvement

from 2009

4% Improvement

from 2009


0%

10%

20%

30%

40%

50%

60%

Program Expenses Allocated

Independently

Program Expenses Allocated to Other

Departments

No Defined Budget

Budgeting of Program Expenses

2009

2010

2011

$0

$1,000,000

$2,000,000

$3,000,000

$4,000,000

$5,000,000

$6,000,000

$7,000,000

Program Expenses Allocated

Independently

Program Expenses Allocated to Other

Departments

No Defined Budget

2009 $2,233,235 $5,527,214 $756,463

2010 $2,277,273 $6,670,751 $955,137

2011 $1,515,813 $2,528,585 $805,521

Average Expenditures by Budgeting of Program

8% Decrease from 2009

While it seems logical to blame the struggling economy on the decrease of expenses allocated independently and an

increase in no defined budgets, other important factors likely influence these trends. These factors are also critical in

defining how money will be spent in the near future.

During the above time period, there has been a shift of pushing technology and service solutions to fulfillment by external

third parties. With this shift, it is up to the third party to package the solution with recovery costs built in, which lessens

the budget necessity and dollars needed for an organization’s internal BC Program. However, organizations are quickly

realizing that they cannot contract out the risk to third parties. Regulations such as TB-82A are requiring organizations to

increase their oversight of critical third party BC compliance, which may result in an increase of budgets defined to

manage these new controls that need to be managed by an organization’s BC program.

- Philip Bigge

Budgeting

Describe how continuity program expenses are budgeted under your direction and management?

(An assessment of all study respondents.)

Study Question – What is your company’s approximate annual budget for contingency related

program expenses? (An assessment of all study respondents.)


0%

10%

20%

30%

40%

50%

60%

70%

Increase Decrease Unchanged Not Sure

Budget Revisions for the Next Year

2009

2010

2011

0

10

20

30

40

50

60

Full-time Staff Part-time Staff

Dedicated Personnel to Program

2009

2010

2011

Data figure above indicates that more respondents are indicating no changes in the program budget versus decreasing

the budget. This would seem to indicate that those corporations that are cutting budgets are doing so drastically since

the budgets decreased in the previous graph.

Study Question - Please specify budget revisions for the next year for each budget line item –

Increase, Decrease, Unchanged, or Not Sure. (An assessment of all study respondents.)

Personnel

Study Question - Please indicate how many full -time employees (FTE) and/ or part-time

employees (PTE) you have dedicated to your continuity program? Please confirm that the

number below is the total FTE and PTE headcount for all locations und er your direction and

management. (Auto-sum function built into study.) (An assessment of all study respondents.)


0

0.5

1

1.5

2

2.5

3

3.5

4

4.5

Full-time Staff Part-time Staff

Hiring Dedicated Personnel to Program

2009

2010

2011

Given the earlier findings on the increase in the number of disciplines associated with BCM and closer integration of these

disciplines towards an enterprise-wide resiliency focus, it is not surprising to see an increase in the number of dedicate

personnel to continuity programs with a corresponding reduction to part-time personnel. This is a significant testament

that organizations are seeing value in BCM and recognizing the fact that the function is important enough to warrant

dedicated resources in order that it received the attention it deserves.

- Kenny Seow, CBCP

The finding indicates that the trend of dedicating resources to BCM is set to continue, giving credence that the increase

in the number of dedicated full-time personnel to BCM from the previous graph may not be a one-off phenomenon.

This is perhaps one reflection of the increasing maturity of BCM in organizations and organizations are planning for

growth in this area.

- Kenny Seow, CBCP

Study Question -How many full-time employees (FTE) and/ or part-time employees (PTE)

dedicated to the continuity program you plan to hire in the next year? Please confirm that the

number below is the total number of proposed new personnel for all locations under your

direction and management. (Auto-sum function built into study.) (An assessment of all study

respondents.)


0%

10%

20%

30%

40%

50%

60%

70%

80%

Not Sure

None 1 2 3 4 5 6-10

2009 31% 63% 3% 1% 1% 0% 0% 0%

2010 20% 77% 3% 0% 0% 0% 0% 0%

2011 20% 79% 1% 0% 0% 0% 0% 0%

Reduction of Full-time Dedicated Staff

2009

2010

2011

0%

10%

20%

30%

40%

50%

60%

70%

80%

Reason for Reduction in Dedicated Program Personnel

2009

2010

2011

Study Question - Will you be reducing your full -time dedicated continuity program staff in the

next year under your direction and management? (An assessment of all study respondents.)

Study Question - If yes, what are the reasons for reducing your dedicated contin uity program

staff in the next year? Please select all that apply. (An assessment of all study respondents.) * Total percent may exceed 100% due to multiple selections .


0%

5%

10%

15%

20%

25%

30%

Reporting Structure - Department Owner

2009

2010

2011

The reporting structure of a Business Continuity Management group can often define the direction and success of the

overall program. It is therefore important when establishing a program to carefully understand the unique business

activities of an organization and appropriately define the reporting structure. Information Technology (IT) continues to

command the largest percentage of reporting structure for organizations. However this may hinder the success of the

overall program since IT is a support function and Business Continuity Management is a business driven program. From

the 2009 to 2011 time period, the Business Continuity Office experienced a 6% increase (representing the largest

percentage change in any 2-year comparison). This may be the result of an organization moving up the maturity model

and understanding the significant role of Business Continuity Management in the overall Enterprise Risk Management

(ERM) program.

- Jerome P. Ryan, CBCP

Organizational Reporting Structure

Study Question - Which department best describes the reporting structure of your program

under your direction and management? Please select the best response from the following

departments. (An assessment of all study respondents.)


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Disagree Agree Disagree Agree Disagree Agree

2009 2010 2011

Positioning of Program for Maximum Visibility

Business Continuity Office

Corporate Offices


Operations

Risk Management

Security- Information

The change is negligible. The consensus shows that BCM should report up through RM, which is where “leading

practices” indicate it should be. Bottom line: BCM is a function/component of ERM, thus, the placement within RM

makes the most sense given its (RM and ERM) strategic and functionally independent (similar to Internal Audit)

role/visibility within an organization. Using this rationale, it does not surprise me that the other responses have

waned/decreased over the years.

- Jeff Dato, MBCP

Study Question – Under the current department ownership, do you agree that the continuity

program is best situated within your organization for maximum visibility? Selection choices

include strongly disagree, disagree, neutral, agree and strongly agree. (An assessment of all

study respondents.)


0%

2%

4%

6%

8%

10%

12%

14%

16%

18%

20%

Program Sponsor

2009

2010

2011

I believe this shift in oversight is directly attributed to recent high-visibility events that have rocked/slayed numerous

global organizations. With the S&P mandating ERM from creditworthiness standpoint, BODs are taking ERM/BCM

more seriously than ever. The increase of Risk Committees is on the upswing, pushing oversight into the BOD suite.

- Jeff Dato, MBCP

Program Sponsorship

Study Question - Please specify by job title who is totally engaged and sponsoring the continuity

program functions. Please select the best response. (An assessment of all study respondents.)


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Not Involved Involved Not Involved Involved Not Involved Involved

2009 2010 2011

How Engaged is Sponsor

Board/ Executive Committee

CEO - Chief Executive Officer

CIO/CTO - Chief Information Officer

CFO - Chief Financial Officer

COO - Chief Operating Officer

CRO - Chief Risk Officer

Tying back to the last two charts, this is not surprising. The increase in executive oversight is tied directly the

aforementioned high profile/trigger events – data breaches (IT), increased regulatory and shareholder scrutiny

(Board/CEO), economic decline/lower profitability (CFO), intensified interest in ERM following predatory lending

and increased natural disasters/events (CRO), etc. BCM has become “accepted” as a part of doing business – not

a luxury.

- Jeff Dato, MBCP

Study Question - If the program is being sponsored by a Chief Officer or above, is this person

really engaged in your opinion? Rate on a scale of 1 to 5 with 1 meaning Very Little Involvement

and 5 meaning Very Involve. (An assessment of all study respondents.)


0%

5%

10%

15%

20%

25%

30%

Yes, exclusively at

vendor

Yes, mixed between multiple

vendors

Yes, mixed between

vendor and

internal recovery

No, internal solution at

primary site

No, internal solution at

alternate site

No, currently considering

recovery

solution

No recovery solution in

place

Doesn't apply to program I

manage

Contract with a Third-Party Hot Site/ Alternate Site Provider

2009

2010

2011

Over the past decade we’ve seen a continued decrease of alternate site contract with third party vendors. As our study

shows, this trend has continued over the last three years showing decrease of 4% from 2009 to 2011. Some key

underlying reasons for this trend include:

a) More stringent continuity requirements for heavily regulated industries (i.e. banking, healthcare, and energy)

prompted organizations bring solutions in-house.

b) As requirement became more stringent, some third party solutions turned out to be to cost prohibitive.

c) Improved technologies (such as virtualization) facilitate deployment of dedicated, internal solutions,

traditionally dependent on third party sites.

On the other hand, as organization bring BC/DR solutions for their most business critical functions/systems in-house;

they are also expanding the scope of these capabilities to the next levels of criticality. Additionally, market forces such as

globalization and tight, interconnected supply chains have raised the need for BC/DR capabilities in industries such as

retail and manufacturing. All of these factors contribute to an increase in solution that require a combination of internal

and vendor solutions. As shown in the graph this combined solution architecture grew by 3% between 2009 and 2011.

- Alberto Jimenez, CBCP,PMP

Technology Recovery Solutions

Study Question - Do you contract with a third-party hot site/ alternate site technology

recovery vendor under your direction and management? (An assessment of all study

respondents.)

.


0%

10%

20%

30%

40%

50%

60%

70%

2009 2010 2011

Considering Internal Recovery Capability

Yes

No

0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

Yes No Yes No Yes No

2009 2010 2011

Software 46% 54% 56% 44% 50% 50%

Notification Alerts 60% 40% 71% 29% 69% 31%

Mobile Recovery 24% 76% 19% 81% 21% 79%

Utilization of Vendors

As organizations require more sophisticated solutions, they are also looking for better tools to support the development

and continuous improvement of these capabilities. We can see this trend in the graph which shows an increase in software

utilization (4%) and notification alerts (9%) between 2009 and 2011. Conversely, we can also see a decrease in the use of

Mobile Recovery (-3%), as this type of solutions is generally seen as less sophisticated and difficult to test.

- Alberto Jimenez, CBCP, PMP

Vendor Utilization

Do you utilize software planning tools , automated emergency notification tools, or mobile

recovery solutions to assist with your Business Continuity Management program initiatives under

your direction and management? (An assessment of all study respondents.)


0% 10% 20% 30% 40% 50% 60% 70% 80% 90%

History of business interruption(s)

Minimize future impact

Protect stakeholders

Comply with regulations or laws

In response to audit results/recommendations

Good business sense

Right thing to do

Customer requirement

Contractual agreements/service-level agreements

Insurance policy recommendation

Organization wants to be globally competitive and must comply with international standards.

Organization wants to be perceived to be compliant with good Corporate Governance.

Organization wants to ensure safety of their employees.

Organization wants to protect and increase its economic value.

Protection of reputation and brand of organization.

Reasons for Developing and Maintaining a Program - Percent of Respondents Indicating "Priority" or "High Priority"

2011

2009

Reasons for Planning, Regulatory Requirements & Organizational Certification

Study Question - Please rate the following primary reasons for developing & maintaining a

program on a scale from 1 to 5 with 1 meaning LOW PRIORITY and 5 meaning HIGH PRIORITY.

(An assessment of all study respondents.)


0%

10%

20%

30%

40%

50%

60%What Regulatory Requirement and/or Standard is the Program Modeled After -Percent of Respondents Indicating "Priority" or "High Priority"

2009 2011

In the period under consideration, ie between 2009-2011, the top 5 regulatory organizations have are: DRI

International Professional Practices, NFPA 1600, Sarbanes Oxley, BS 25999 Part 2, Business Continuity

Management Systems. During this period the highest growth (increase) was witnessed by BS25999 Part 2 –

Business Continuity Management Systems (12%) and HIPPA (10%). SEC (-9%) and OSHA (-6%) recorded the

biggest decline during this period.

Unfortunately, there is no annotation or indication that gives an indication or explanation as to the increase in

and decline in some of the institutional organizations.

- Gideon For-mukwai, CBCP, CEM

Study Question - What regulatory requirement and/ or standard do you model your Business

Continuity Management program after. Rate on a scale of 1 to 5 with 1 meaning LOW PRIORITY

and 5 meaning HIGH PRIORITY. Please include Not Applicable (N/A) if the regulatory

requirement and/or standard do not app ly to your organization. (An assessment of all study

respondents.)


0%

10%

20%

30%

40%

50%

60%

70%

80%

90%

2009 2010 2011

Certified in a Standard

Yes

No

There wasn’t a significant increase in percent of respondents noting obtaining a certification in a standard

between 2009 and 2011 (noted in the graph above). One would assume that the corporations that are

obtaining certification in a standard are obtaining multiple certifications since the graph below notes an

increase in percent of respondents for several of the certifications. Several of the standards below were not

added to the study until 2010, regardless, many of these noted a significant increase between 2010 and

2011.

This general increase includes standards that are more or less related to BCM. This is probably due to the

increase of integration or management of other disciplines within the BCM program, as displayed in the

previous pages of this report. Of these standards we note a very significant increase for ISO 27001 and

SAS70 since 2009 probably because more and more organisations feel the pressure from their customers

who want to be reassured that good controls are in place.

With the coming of ISO 22301 in 2012, many countries will adopt this standard as their national standard

for BCM. In the coming years, it will be interesting to see how organisations will turn to this international

standard for certification and how it will replace some of the existing standards that are less international or

less of a BCM nature.

- Denis Goulet, CBCP, MBCI

Study Question - Has your organization achieved certif ication in a standard? (An assessment of

all study respondents.)


0%

10%

20%

30%

40%

50%

60%

Standard Achieved Certification In

2009

2010

2011

3,152 study participants from over 50 countries as of December 15, 2011. Incomplete/ partial study responses were included as

appropriate within the report. Study was divided into 2 sections.

Business Continuity Compensation – 1,783 professionals participated in the compensation section from 59 countries. Incomplete study responses were included within this report along with the completed responses.

Business Continuity Program Management – 904 professionals participated in the program management section from 37 countries. Incomplete study responses were included within this report along with the completed responses.

Complete responses were received from the following countries: Australia, Belgium, Brazil, Canada, Cayman Islands, China,

Colombia, Denmark, Egypt, France, Germany, Honduras, India, Ireland, Italy, Japan, Kuwait, Malaysia, Malta, Mexico, Netherlands,

New Zealand, Norway, Pakistan, Philippines, Portugal, Qatar, Saudi Arabia, Singapore, South Africa, Sweden, Switzerland, United

Arab Emirates, United Kingdom, United States of America and Venezuela.

International Respondent Characteristics = 3,152 Study Respondents

Company Revenues span from non-profit/ government to over $400 Billion USD.

Study respondents span over 45 industries.

Average Number of Company Locations (Corporate/ Operational) = 16-25 Company Locations span from 0-5 Locations to more than 10,000.

Average Number of Company Locations (Retail/ Customer Interfacing) = 26-50 Company Locations span from 0-5 Locations to more than 10,000.

Average Number of Employees = 5,000 – 10,000 Company Employees span from 0-5 to more than 400,000.

Majority of respondents (61%) managed 5+ disciplines within their program.

Study Question - If yes, please select which standard(s) your organization has achieved

certification. Please select all that apply. (An assessment of all study respondents.) - Total percent may exceed 100% due to multiple selections.

International Participant Data & Respondent Characteristics


Less than $10M, 17%

$10 - $50M, 7%

$50 - $100M, 3%

$100 - $500M, 10%

$500M - $1B, 8%$1 - $10B, 26%

$10 - $20B, 6%

$20 - $50B, 4%

Over $50B, 18%

Revenue in USD

International Participant Data & Respondent Characteristics Continued





Those respondents who noted “Do not

manage a program” were exited from

study.




6%

15%

40%

28%

12%

Program Maturity - Self Rating

Very Immature

Immature

Average

Mature

Very Mature



Since 2001 BC Management, Inc. has been gathering data on business continuity management programs and compensations to

provide professionals with the information they need to elevate their programs. Each year our organization strives to improve upon

the study questions, distribution of the study, and the reporting of the data collected. Below is a timeline detailing BC

Management’s eight years of business continuity reporting expertise.

* The advisory board is composed of 21 international thought leaders coming from the United States of America, Canada, Latin America, the United

Kingdom, Singapore, Australia, China, Japan, India, Middle East, Eastern Europe and Africa. Our board is comprised of professionals in not only business

continuity, but also risk management, emergency management, high availability and environmental health and safety.

The on-line study was developed by the BC Management team in conjunction with the BC Management International Benchmarking

Advisory Board. WorldAPP Key Survey, an independent company from BC Management, maintains the study and assesses the data

collected. The study was launched in May of 2011 and the study remained open through December 2011. Participants were

notified of the study primarily through e-newsletters and notifications from BC Management and from many other industry

organizations. A listing of participating organizations is included within this report. The study has been translated in five languages

and it accommodates professionals who are permanently employed on a full-time or part-time basis, self-employed as an

independent contractor or unemployed. Respondents receive a unique path of branching questions, which is dependent upon their

experience and employment status. The study is coded with extensive logic to ensure a correct question branching path and to

eliminate unintelligible data. It is comprised of two sections spanning over 100 questions. The first section focuses on the factors

that impact compensations within the business continuity and related professions. The second section focuses on business

continuity program management initiatives, which includes budgets, dedicated personnel, organizational reporting structure,

maturity of the program, exercises, auditing, vendor utilization, program activation during an event and much more. Respondents

to the study have the option to complete one or both sections. Only those respondents who manage a program within business

continuity or a related discipline qualify to complete the program management portion of the study. All participants are given the

option of keeping their identity confidential.

Reporting History

Study Methodology


BC Management is continuously reviewing and verifying the data points received in the study. Data points in question are confirmed

by contacting the respondent that completed that study. If the respondent did not include their contact information, than their

response to the study may be removed. With our eight years of expertise in collecting and assessing such data points, BC

Management has an exceptional understanding of what is considered questionable or unintelligible data. To date BC Management

has contacted over 200 professionals to confirm their individual study response. We then have the ability to log into the

respondent’s study and update their answers on their behalf to ensure valid data points.

WorldAPP Key Survey built a customized reporting tool for BC Management, which enables us to quickly assess data and prepare

reports. We have the ability to prepare reports with no data filtering or analyze the data in applying any combination of fi lters from

any of the study questions. Data findings in many of the figures were rounded to whole numbers, thus the total percent may not

equal 100%.

BC Management’s International Benchmarking Advisory Board was instrumental in reviewing the study to ensure it focused on the

topics that are of the greatest interest to continuity professionals today. The goal was to develop a credible reporting tool that

would add value to the business continuity profession.

BC Management’s International Benchmarking Advisory Board Clyde Berger, CBCP (USA Focus) - President, Imagine Continuity Enterprises Inc. (A Resiliency Management Consulting Company).

Director, Worldwide Business Continuity Management, Pfizer Inc. Global Business Continuity Program Director at Avaya Inc.

Business Continuity and IT Disaster Recovery Consultant. Americas Regional Director of BCP at Credit Suisse First Boston and

Deutsche Bank. Global Vice President of BCP & IT DR at Salomon Smith Barney / Citigroup. BCP Lead Program Manager at Chemical

Bank (prior to JP Morgan Chase mergers). Certified as a Business Continuity Professional in 1993 with the Disaster Recovery Institute

International (DRII). Currently active member in DRII, Contingency Planning Exchange of NYC, Association of Contingency Planners

NYC Chapter, member Worldwide Benchmark Study Group – BC Management. Frequent business continuity conference speaker:

Continuity Insights, Strohl User Group, Disaster Recovery Journal, Association of Contingency Planners.

Philip Bigge (USA Focus) – Philip Bigge is the Vice President for Business Continuity at OneWest Bank, FSB. Philip joined OneWest

Bank in May 2009, continuing his thirteen consecutive years as a leader of international business continuity programs. In his current

role, Philip is responsible for leading business continuity, crisis management, technology recovery, and safety at OneWest Bank. He

has spoken at numerous industry conferences demonstrating how companies can improve their business continuity practices while

decreasing cost to accomplish their goals. Philip holds a Bachelor’s degree from West Chester University of Pennsylvania and is a

Certified Business Continuity Planner (CBCP) from the Disaster Recovery Institute, International.

Linda Klug, MBCP (USA Focus) - Linda Cerni Klug, MBCP, has been in the disaster planning, response and recovery industry for 20

years. Her former employers include the American Red Cross, FEMA, and the United Nations, as well as EMC, Symantec, VERITAS,

and Comdisco. She has developed, implemented, and validated Disaster Recovery and Business Continuity programs for IT

environments, enterprises, and governments. Linda has supported several Fortune 500 clients including United Airlines, Nike,

Microsoft, Northwest Airlines, Charles Schwab, Wells Fargo, and Fidelity Investments.

Jeff Dato, MBCP (USA Focus) - Jeffrey M. Dato has been Vice President of Risk Management and Corporate Real Estate for Pinnacle

Airlines Corp. since January 2010. He is responsible for Enterprise Risk Management, Business Continuity and Emergency Response,

Dangerous Goods, Environmental Protection, Occupational Health and Safety, Workers Compensation, Records Management,

Corporate Real Estate, Physical Security, and Corporate Sustainability for the holding company and its operating subsidiaries Colgan

Air, Inc. Mesaba Aviation, Inc., and Pinnacle Airlines, Inc. Previously at Pinnacle Airlines, Jeff served as Vice President of Risk

Assessment of Data & Reporting

Thank you to BC Management’s International Benchmarking Advisory Board



Management and Information Technology from November 2006 to December 2009. Prior to joining Pinnacle, Jeff lead advisory

practices for several Big 4 accounting firms where he consulted over 100 domestic and international companies and governments

across a dozen industries in managing and monitoring financial, operational and technology risks. He holds a Bachelor of Business

Administration degree in Accounting and Finance from the College of William and Mary and is one of more than 100 professionals

globally to have obtained a Master Business Continuity Professional (MBCP) certification from the DRI International.

Renata Davidson, ABCP (Eastern Europe Focus) - The co-founder and President of Davidson Consulting LLP- company specializing in

Business Continuity, Risk Management and Business Process Modeling. She has worked with domestic and international companies

to develop business continuity and disaster recovery plans since 1998. Ms Davidson studied at the Warsaw University in Poland and

is one of less than 100 professionals globally to qualify for a Master Business Continuity Professional (MBCP) certification from the

Disaster Recovery Institute (application pending).

Angela Devlen (USA Focus) – Angela is the Managing Partner of Wakefield Brunswick, Inc. a healthcare management consulting firm

and President of Mahila Partnership, a non-profit organization she co-founded in 2008. She has worked with several universities

supporting curriculum development, research and instruction in emergency management and business continuity. A passionate

advocate for humanitarian, healthcare and women’s issues, she has served as an international healthcare disaster preparedness

expert for the ProVention Consortium, held leadership positions on the board of several non-profit organizations, and currently

advises US Federal Agencies, International NGOs, and large Healthcare Systems. Previously, she held positions leading emergency

management and business continuity at Partners Healthcare and Caritas Christi.

Greig Fennell, FBCI (USA Focus) – Director, Business Continuity, Comcast. Recognized leader in the development of enterprise-wide

operational risk and business continuity management programs, including disaster recovery, incident management and crisis

management. He has 20 years of hands-on experience in creating or enhancing management decision making frameworks to

identifying, assess and prioritize company risks and in developing cost effective strategies and solutions to minimize impacts to

supply chains, business operations and services. Greig has been both a consultant to companies and has created and lead ERM and

business continuity programs at three fortune 100 companies. His diverse background includes extensive involvement in

manufacturing, distribution and logistics, the apparel industry, healthcare and telecommunications. He is a results-driven executive

with experience in bringing management teams and technology enablers together to develop cost-effective and risk-tolerant

solutions designed to achieve positive results for companies.

Nathaniel Forbes, MBCI CBCP (Asia Pacific Focus – Based in Singapore) - Director, Forbes Calamity Prevention Pte Ltd

www.calamityprevention.com. Nathaniel is the author of the Calamity Prevention blog, consistently the most interesting online

source of fact and opinion about business continuity and emergency management in Asia. He is also a very controversial speaker and

presenter. He was President of the Asia Council of the International Association of Emergency Managers (IAEM)

www.iaem.com.sg, which administers the worldwide Certified Emergency Manager® (CEM

®) program. Nathaniel is certified as a

Member of the Business Continuity Institute (MBCI) www.thebci.org, and as a Certified Business Continuity Planner (CBCP) by the

DRII. He was President of the Singapore Computer Society’s Business Continuity Group from 1999 to 2001. Nathaniel manages

Forbes Calamity Prevention (FCP) Pte Ltd, which provides business continuity and emergency management training, consulting and

support to multinational companies outside the United States. He has lived and worked in Singapore since 1996.

Gideon For-mukwai, CBCP, CEM (Africa Focus – Based in USA) – Gideon For-mukwai is the founder and Chief Knowledge Facilitator

of XtraMile Solutions, LLC, a resiliency and crisis management training company that helps organizations to build and sustain a

culture of resiliency by understanding the human aspects of disasters. He has conducted training programs for organizations in the

Middle East, South East Asia, Southern Africa and Northern America. A former commissioned fire officer with the Singapore Civil

Defense Force, Gideon is a Certified Emergency Manager. He has worked with clients from industries such as petrochemicals,

pharmaceuticals, hospitality, banking and finance, professional associations and non-profit organizations. He is the immediate past

President of the International Council of the International Association of Emergency Managers (IAEM) and he is the author of Facing

Adversity with Audacity: Thriving in Odds, Obstacles and Opportunities.

http://www.wakefieldbrunswick.coml/

http://www.mahilapartnership.org/

http://www.calamityprevention.com/

http://www.iaem.com.sg/

http://www.thebci.org/


Denis Goulet, CBCP, MBCI (Canadian & European Focus) – Denis Goulet is the President and Founder of ContinuityLink. He is a

recognised expert in the Business Continuity Management field with over 24 years of experience. Since 1999, Denis has provided

BCM training and consulting services to a variety of customers, from all industries, in North America, the Middle-East and Europe.

Denis has the CBCP certification (1992) and the MBCI (2008). In 2007, Denis has created BCMIX, a virtual international Business

Continuity Management community with now over 10,000 members

Prashant Jha, CBCP, BS25999 LA, ITIL V2 service manager (Middle East & India Focus) - A BCM and resilience expert with 8 plus

years of experience in the field of business continuity and IT service management. Extensive exposure to financial/ banking domain.

Prashant recently served as the APAC Business Continuity Manager for Aon. Previously he spent significant time working on develop

a Business resilience frame work for organization to ensure the continuity of business and overall resilience. Prashant is a CBCP from

DRII and a BS25999:2 Certified Lead Auditor from BSI. He is also an ITIL V2 service manager certified by Exin. Recently completed the

assignment with the largest banking group in the United Arab Emirates and is on a look out for new projects.

Alberto Jimenez, CBCP, PMP (Latin America Focus – Based in USA) - Alberto is a Certified Business Continuity (CBCP), and project

management (PMP) professional with over fourteen years of experience in technology and risk management consulting. Alberto has

supported leading organizations in industries such as banking, insurance, energy, manufacturing, and telecommunications and has

helped organizations in several countries including USA, Mexico, Guatemala, Peru, Venezuela, Spain, Germany, Egypt and Thailand.

Alberto specializes in Business Continuity, Crisis Management, disaster recovery, pandemic preparedness, project risk management,

and audit solutions. Prior to joining SunGard, Alberto was the director and founder of MiaTomi, LLC; a former associate director with

Protiviti, and manager at Accenture

Takashi Kase (Japan Focus) – Takashi is an expert in business continuity and security solutions and he is an active professional in

growing the business continuity field throughout Japan. Prior to entering the business continuity profession, Takashi served as a

Senior Engineer for Japan Manned Space Systems and a Liaison, Flight Control Team Lead Trainee with NASA. He received his MBA

from the Thunderbird School of Global Management and his BS degree in Electrical Engineering from Shibaura Institute of

Technology.

Sohail Khimani, CBCP, MBCI (Middle East Focus) - Sohail Khimani is a BCM/ERM expert and a dynamic professional in developing

the BCM/ERM disciplines throughout Pakistan and in the Middle East region. With over 12 years of industry experience both

nationally and globally within sectors ranging from banking and finance industry, telecommunications, IT & management

consultancy, pharmaceuticals and manufacturing, Sohail is currently heading BCP & DR implementation at KASB Bank – banking arm

of KASB Group – specializing primarily in investment banking, research, brokerage, asset management, Islamic finance and

commercial banking. In addition, Sohail is affiliated as specialist BCM Educator with various institutions and Country Representative

at International Association of Emergency Managers (IAEM). He is also a part of instructor cadre of Disaster Recovery Institute (DRI)

International and upholds CBCP and MBCI Certifications. He also actively contributes articles on BCM discipline, being published by

local and international associations. Sohail was awarded gold medal in his MBA (Finance) from Greenwich University in 2010.

Roger King, MBCI (Asia Pacific Focus – Based in Australia) - Roger V King is currently a Service Continuity Manager with BPAY and

previously a Solution Architect in Global Sales Support with EDS Australia (now HP), has a Bachelor of Information Technology

degree and has been a Member of the Business Continuity Institute since 2003. Roger is also certified to ITIL Foundations level and a

certified Quality Auditor. Since 2005 he has been working closely with the EDS sales team responding to new and add-on business

opportunities in the IT disaster recovery and business continuity disciplines. From 1997 to 2005 Roger was a Senior Consultant in

business continuity management with EDS Australia. Prior to 1997 Roger was a Program Manager in Commonwealth Bank of

Australia with responsibility for Operational Risk management and Smartcard implementation.

Ann Pickren (USA Focus) – With over 20 years of experience in business continuity and IT Disaster Recovery, Ann Pickren serves as

the Vice President of Solutions for MIR3. As an expert in business continuity/disaster recovery, crisis management and supply chain

management she brings her vast industry expertise to clients to advise them on the implementation of enterprise notification

solutions from MIR3. Previously, Ms. Pickren served as Executive VP at Firestorm Solutions, overseeing the development of business

continuity and crisis management methodology and delivery of client services. She also had responsibility for training and supporting

the Firestorm franchisees. Prior to Firestorm, Ann spent 20 years working with Comdisco and SunGard, in executive management


positions within consulting and software products. During her tenure at Comdisco and SunGard, Ann was an early adopter of

notification enablement for enterprise solutions. She is well-known for her achievements at SunGard, where she was responsible

for, business continuity application software solutions, business development, consulting engagement delivery and the management

of professional staff. Ms. Pickren is a member of the Organizational Resilience Maturity Technical Committee within ASIS

International and is member of the DRJ Executive Council. She earned her MBA from Georgia State University with a focus on math

and statistics in her undergraduate studies.

Jayaraj Puthanveedu, CISSP, CISA, MBCI, CGEIT, ITIL (India Focus) - Jayaraj Puthanveedu currently serves as a Head of Corporate

Security, Operational Risk and Business Continuity at Deutsche Bank and previously served as the Head of CSBC - India and Sri Lanka

at Deutsche Bank, responsible for a portfolio comprising Operational Risk, Business Continuity, Crisis Management, Corporate

Security, Anti Fraud Unit, Protective Intelligence and CERT. Prior to joining Deutsche Bank, he worked with Northern Trust Bank as

the APAC Head of Business Continuity with additional responsibilities for Corporate Operational Risk activities in India. In the past,

Jayaraj has held various senior management and technical positions at Goldman Sachs and Cable & Wireless in the areas of Business

Continuity, Information Security, and Technology Risk etc.

Wang Qi, CBCP (Asia Pacific Focus – Based in China) - Jason Wang (Wang Qi), Vice president and Principle Consultant of Global Data

Solutions Limited. first Certified Business Continuity Professional in China, author of several national and industrial BC/DR standards

and guidelines in China, years of experience in providing Crisis Management, Disaster Recovery and Business Continuity

Management for banks, insurance companies, securities firms, aviation, manufactory, multi-national enterprises and government

agencies in Asia.

Jerome Ryan, CBCP (USA Focus) - Jerome Ryan is a Senior Manager with Pfizer’s Worldwide Business Continuity Management

group. In this capacity he is responsible for partnering with Pfizer divisions to implement business continuity management programs

globally. Jerome has also worked at Marsh Inc. in their Risk Consulting Practice and PricewaterhouseCoopers in their Global Risk

Management Solutions (GRMS) consulting practice. He is currently the Vice Chairman and member of the Board of Directors at

Disaster Recovery Institute International (DRII) where he is responsible for promoting education, certification and awareness

globally. He has a Bachelor of Science degree with concentrations in Finance, Management Information Systems and Marketing from

Syracuse University. He is currently pursuing his Masters of Business Administration (MBA) degree at Syracuse University's Whitman

School of Management.

Kenny Seow, CBCP (Asia Pacific Focus – Based in Australia) - Kenny Seow has over 20 years of international experience in disaster

recovery, business continuity and crisis management in banking, securities, logistics and government. He runs his own consultancy

practice, Contingency Solutions Pty Ltd, and is presently contracted with the Western Australian (WA) Government to provide risk

management and business continuity support, training and advisory services to government agencies. Prior to this, Kenny was the

Director and Regional Head of BCM in Deutsche Bank AG with responsibilities for developing and implementing the bank’s BCM

program across 16 countries in Asia Pacific. He has also held senior positions in Sema Group Asia Pacific and Hitachi Data Systems

where he managed the services of a commercial disaster recovery facility, and in PricewaterhouseCoopers where he was responsible

for consulting services in disaster recovery and business continuity. He is the current BCI Area Representative for Western Australia

and volunteer with the WA State Emergency Service.

David Spinks (European Focus – Based in United Kingdom) – EMEA, Operational Risk Sales Support Executive. Responsibility for

Operational Risk (Security and Business Continuity) capabilities in the sales process including specification, design and

implementation of Security and Business Continuity Management in large scale complex global IT and BP Outsourcing deals. My

clients include Energy, Telecommunications, Transportation and Financial Services organisations. Our services in this area includes

provision of work area recovery sites across 40 countries, 200 data centres and another 400 service sites including business

operations from call centres to operation of emergency services and support for UK MoD and US DoD. Worldwide we have over

2,000 experienced and qualified security staff many of whom are also BCI or DRI certified.

Thomas Wagner, CBCP (USA Focus) Tom has over 25 years’ experience as a business continuity and risk management expert in the

Financial Services Industry. Tom is currently BCM Head at Direct Edge, the world’s fourth largest stock exchange. During his career,

Tom has worked with large global companies in over 25 countries around the world to build robust and sustainable risk


management and business continuity programs. Tom has extensive global experience in the public sector as well having served on

the White House Critical Infrastructure Protection Commission which explored ways to protect the financial services industry from

terrorism.

A special thanks to our sponsoring organizations that assisted in translating our study. Without these organizations the study may

not have been available in Chinese, Japanese and Spanish.

Distributing Organizations

BC Management also greatly appreciates the efforts of those organizations that assisted in this global effort. Below is a list of

participating organizations that assisted in distributing our annual study. The contribution of each individual organization does not

indicate an endorsement of the study findings or the activities of BC Management, Inc. This is NOT a complete list of distributing

organizations.

Associations

Business Recovery Association of Virginia

B.R.A.V.

Thank you to our sponsors and organizations that assisted with this global effort

Global Data Solutions LTD

Sponsored the Chinese translation

Risk Managers and Consultants Association

Sponsored the Japanese translation

BCMIE Australia Inc. –

www.bcmie-australia.org

MiaTomi

Sponsored the Spanish translation

Business Recovery Association of Virginia

Association of Contingency Planners –

www.acp-international.com


Association of Risk Management - Japan –

www.arm.gr.jp/


Business Recovery Managers Association –

www.brma.com

www.bcmie-australia.org Business Recovery Planners Association of Southeastern Wisconsin –

www.brpasw.com


http://www.bcmie-australia.org/

http://www.acp-international.com/


http://www.arm.gr.jp/





Certifying Organizations

– www.thebci.org

BCI Asia BCI Australia BCI Brazil BCI Canada BCI India BCI Japan BCI Spain

– www.drii.org

– www.dri-australia.org – www.dri.ca – www.dri-malaysia.org – www.dri-singapore.org

Canadian Centre for Emergency Preparedness –

www.ccep.ca/


Contingency Planners of Ohio –

www.cpohio.org


TVBCP

Treasure Valley Business Continuity Planners –

www.tvbcp.org


Contingency Planning Exchange –

www.cpeworld.org


Disaster Recovery Information Exchange –

www.drie.org


MidAmerica Contingency

Planning Forum

Midwest Contingency Planners –

www.midwestcontingencyplanners.org


NorthEast Disaster Recovery Information X-Change –

www.nedrix.com


South East Business Recovery Exchange –

www.sebre.net


– www.eei.org

wworg

http://www.thebci.org/

http://www.drii.org/

http://www.dri-australia.org/

http://www.dri.ca/

http://www.dri-malaysia.org/

http://www.dri-singapore.org/


http://www.cpohio.org/



http://www.cpeworld.org/


http://www.drie.org/



http://www.nedrix.com/





– www.iaem.com – www.theicor.org

Business Continuity/Disaster Recovery Service Providers

– www.allhands.us – www.avalution.com

– www.bcpasia.com – www.continuityleadership.com

– www.continuitylink.com – www.sdr.com.mx

– www.ehdf.com – www.firestorm.com

– www.calamity.com.sg – www.fusionriskmgmt.com

– www.ketchconsulting.com

– www.sirius-tech.it

– www.rentsysrecovery.com

– www.wakefieldbrunswick.com

http://www.iaem.com/

http://www.theicor.org/

http://www.allhands.us/

http://www.avalution.com/

http://www.bcpasia.com/

http://www.continuityleadership.com/

http://www.continuitylink.com/

http://www.ehdf.com/

http://www.firestorm.com/

http://www.calamity.com.sg/

http://www.fusionriskmgmt.com/

http://www.ketchconsulting.com/


e-Groups

B2-ORM Yahoo e-group – Operational Risk Managers in Financial Services – http://groups.yahoo.com/group/B2-ORM/summary

– LinkedIn e-group – https://www.linkedin.com/e/gis/1471/63914B08AE56/

UK-BCP Yahoo e-group – http://finance.groups.yahoo.com/group/uk-bcp/

Periodicals/Media

– www.contingencyplanning.com – www.continuitycentral.com

– www.continuityinsights.com – www.drj.com

– www.disaster-resource.com

Universities/Colleges

– www.norwich.edu

BC Management, Inc., founded in 2000, is an executive staffing and research firm solely dedicated to the business continuity,

disaster recovery, risk management, emergency management, crisis management and information security professions. With

decades of industry expertise, our staff has a unique understanding of the challenges professionals face with hiring, benchmarking

and analyzing best practices within these niche fields.

BC Management’s Complimentary Research - BC Management has been collecting data on the factors that impact compensations

and business continuity programs since 2001. To download our current complimentary reports please visit

www.bcmanagement.com.

We Value Your Comments - Thank you for participating in our annual study. Your contribution adds value to our comprehensive

reporting and allows us the opportunity to assess industry trends. Please share any comments or suggestions on how we can

improve at [email protected].

About BC Management, Inc.

BCPDRPIndia – Yahoo e-group – http://finance.groups.yahoo.com/group/BCPDRPIndia/

http://groups.yahoo.com/group/B2-ORM/summary

http://finance.groups.yahoo.com/group/uk-bcp/

http://www.contingencyplanning.com/

http://www.continuitycentral.com/

http://www.continuityinsights.com/

http://www.drj.com/

http://www.disaster-resource.com/

http://www.norwich.edu/

http://www.bcmanagement.com/


http://finance.groups.yahoo.com/group/BCPDRPIndia/


As a result of our advancement in reporting technology with World APP Key Survey, BC Management is able to offer a true

benchmarking service exclusively for the business continuity management profession. Our benchmarking service includes a report

(similar to this report) customized to your specific filters used to drill down to the data points that compare to your compensations

or program planning initiatives. As a part of our benchmarking service, BC Management is also offering a business intelligence

dashboard technology in which you will receive all the data points (based on your filter specifications) for further independent

assessment. This technology will allow your organization to further assess the data within a flexible, intelligent, user friendly format.

COMPENSATION RESEARCH DATA:

Benefits of Our Customized Compensation Benchmarking Service

Saves time and money in assessing compensations for current and future personnel. Provides a fair comparison on compensation bands based on expertise, degree, certification and geography. Assists in retaining current personnel based on compensations in the same geography and job title.

Filters Available to Customize Your Compensation Report

Employment Status – may choose from full-time permanent, part-time permanent, independent contractor and unemployed.

Geography – may choose country, state/providence, or city.

Job Title/ Position – may choose from a selection of job titles.

Discipline – may choose multiple disciplines that are managed with the program (17 to choose from).

Years of Experience – may choose from an experience band of your choice.

PROGRAM MANAGEMENT RESEARCH DATA:

Benefits of Our Customized Program Management Benchmarking Service

Allows you to assess the maturity of your business continuity program focusing on industry best practices, dedicated staff, budget breakouts, reporting structure, vendor utilization, program activation and much more.

Provides assistance in presenting business case objectives to your executives to substantiate and expand your program. Prioritizes key initiatives in elevating the maturity of your programs. Assists in building a road map to advance your program and meet your goals. Makes you more efficient by eliminating the need to do research on your own. Provides an unbiased source on how your company compares to the industry; specifically other “like” organizations, which

can be used to support your recommendations.

Filters Available to Customize Your Program Management Report

Industry – may choose more than one industry. Company Revenue – may choose a revenue band of your choice. Number of Employees – may choose a selection from number of company employees. Number of Locations – may choose a selection from number of company locations in either operational and/or retail

interfacing. Geographic Distribution – may choose multiple countries as well as how the company locations are dispersed (global, multi-

country, one country, regionally within one country, statewide or citywide). Disciplines within program – may choose multiple disciplines that are managed with the program (17 to choose from). Scope of program – may choose a combination of the following: global, multi-country, one country or regionally within one

country. Maturity Rating of Program – may choose on a scale of 1 to 5 with 1 being Very Immature and 5 being Very Mature (please

note this is a self rating by the study participant).

Customize Your Compensation and/or Program Management Benchmarking Report


Names of Organization – may choose a list of company names that have participated in our study and completed the program management portion of the study. Please keep in mind that not all respondents indicated their company name. Many respondents kept their organizational name private. Also, not all study respondents qualified for the program management portion of the study. Only those respondents who managed a program were encouraged to participate in the second section of the study. ALL RESPONDENT CONTACT INFORMATION IS KEPT CONFIDENTIAL AND IS NEVER REVEALED!

Inquiries

For more information or to order a report please email us at [email protected] or call us at (714) 969-8006 or toll free

within the United States (888) 250-7001

Complimentary Report Exclusively for Study Respondents

This is a complimentary report that is exclusive only to those professionals who contributed to BC Management’s 10th

Annual

Business Continuity Management study. This report is not meant for general distribution. Any distribution of this report or

reference to any information enclosed within this report is prohibited unless approved by BC Management, Inc.


Documents

International Business Continuity Program … by BC Management and the BC Management International Benchmarking Advisory Board -2012 International Business Continuity Program Management