38 DISASTER RECOVERY JOURNAL WINTER 2010
MARKET STUDY
Crisis Communication and Risk Management in Business Continuity Preparedness
By STEPHANIE BALAOURAS
Forrester Research and the Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC) and disaster recovery (DR) in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations for the industry. This is the third annual joint survey. This particular study focused on the role of crisis communication in business continuity and the relationship of business continuity to risk management.
- How much is crisis communication valued in BC preparedness?
- How do companies handle crisis communication? How frequently do crisis management and BC management teams meet to develop and document crisis communication strategies? Are these strategies part of standalone plans or subsets of BC plans? How frequently are plans tested?
- What modes of communication do companies rely on? Do they have backup plans in the event of telecommunication failure?
- Do companies automate communication or rely on manual procedures? Do companies set up a crisis management center?
- Is there adequate training and awareness for crisis communication? How effective were crisis communication plans in recent invocations?
- How do organizations typically structure their risk management functions? How does BC management interact and work with risk management programs? How do companies prioritize investments in BC?
The Importance Of Crisis Communication In BC Planning Is Not Universally Recognized
According to our 2009 study, approximately 54 percent of companies indicated that crisis communication was very or extremely important in BC planning, while approximately 45 percent of companies indicated that it was moderately important, of low importance, or not at all important (see Figure 1). While the majority of companies do recognize the importance of crisis communication, it’s surprising that such a large percentage of companies do not. This is partially explained by the fact that many people view crisis communication as a strategy for protecting corporate reputation carried out by public relations and legal, not as a strategy for rapid decision-making amongst executives and decision-makers and the rapid mobilization of response teams.
Figure 1-1: “How seriously is crisis communication taken at your organization?”
Not at all: 3%
Low: 14%
Moderately: 29%
Very: 38%
Extremely: 16%
Base: 345 business continuity decision-makers, influencers, consultants, and participants at companies worldwide.
Source: Forrester Research, Inc.; Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
There Is No Prevailing Approach To Crisis Communication
The fact that there is no prevailing approach to how companies handle crisis communication in BC planning is another indication that companies have wildly different views of its importance and role (see Figure 2-1). In this survey, we found that:
- Approximately 42 percent of companies have an independent crisis communication team that works closely with BC management teams. Crisis communication may be relevant to several different aspects of risk management, and many companies recognize the importance of its coordination with BC planning. Not surprisingly, only 18 percent of these companies say that the crisis communication team meets with the BC planning team whenever the BC planning team meets. Almost 42 percent of these companies say that they meet at least four times a year with the BC planning team, which shows a strong commitment to cooperation (see Figure 2-2).
- Approximately 14 percent of companies have an independent crisis communication team with no direct link to BC management teams. Crisis communication at these companies may work with various functions related to risk management, but they are less likely to have a tight coordination with BC planning teams. There is probably some high-level guidance provided, but for the most part BC planning teams handle communication on their own. Not surprisingly, these communication teams meet far less frequently with the BC planning team, typically only once or twice a year.
- Approximately 32 percent of companies rely on the BCM team to do its best to address crisis communication. At these companies, crisis communication is not viewed as its own discipline. If such a function exists at these companies, it may be part of other aspects of risk management or public relations, which means the BC planning team is likely on its own.
- Almost 13 percent of companies do not have any kind of crisis communication strategy. These companies have no formal approach to crisis communication and likely handle communication haphazardly as incidents, crises, business continuity threats, or other risk events occur.
A slight majority of companies prefer to embed a crisis communication strategy within their business continuity plans (BCPs) rather than have specific communication plans that complement each BCP (see Figure 2-3).
Figure 2-1: “How is crisis communications handled at your company?”
There is a dedicated crisis communication team that is independent but works with the BC management (BCM) team to address crisis communication within BC planning: 42%
There is a dedicated crisis communication team that is independent and not linked to the BCM team: 14%
There is no dedicated crisis communication team, the BCM team does its best to address crisis communication within BC planning: 32%
We have no crisis communication strategy at our company: 13%
(percentages may not total 100 because of rounding)
Base: 345 business continuity decision-makers, influencers, consultants, and participants at companies worldwide.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 2-2: “How frequently does the crisis communication team meet with the BCM team?”
[Stacked bar chart comparing two groups: independent crisis communication team that works with the BCM team to address crisis communication within BC planning (n = 144), and independent crisis communication team that is not linked to the BCM team (n = 48). Response categories: as frequently as the BCM team meets; once a year; twice a year; three times a year; quarterly; more than four times a year; don't know.]
(percentages may not total 100 because of rounding)
Base: 192 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with dedicated crisis communications teams.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 2-3: “How do you address crisis communication within BC planning?”
There are specific crisis communication plans that complement each business continuity plan (BCP): 29%
Crisis communication is a sub-plan or component within each BCP: 51%
Our BCPs do not address crisis communication: 15%
Other: 6%
(percentages may not total 100 because of rounding)
Base: 302 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with crisis communication strategies.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
BC Managers Often Take A Leadership Role In Crisis Communication
Even if you have a dedicated crisis communication team, it’s very likely that a senior BC manager is as involved as even the head of public relations and communications (see Figure 3-1). The most senior business executives (Chairman, CEO, COO, CFO) are the least involved. According to our study:
- Senior executives of BC planning and PR are most likely to lead crisis communication. If these individuals are not the team lead, they will still play a major role on the team. The significant involvement of these two roles represents the complexity of crisis communication. BC managers are likely to understand the wide range of risks that the organization must prepare for as well as what it takes to mobilize a response for business disruptions, while PR professionals understand both the need and methods to communicate both internally and externally (see Figure 3-2).
- CIOs and CISO/CSOs also play a major role in crisis communication. While these roles are not as likely to lead the crisis communication team, they both are likely to play a major role. In many companies, the CIO or the CISO/CSO is the senior-most executive ultimately responsible for BC preparedness. In addition, the CIO is often tasked with enabling reliable, mass communication during crisis by whatever mode necessary.
Figure 3-1: “For each of the following positions, please indicate the level of involvement on the crisis communication team.”
[Stacked bar chart. Response scale: not at all involved; somewhat involved; involved; very involved; team leader; not applicable; don’t know. Positions rated: Chairman of the Board; CEO; COO; CIO or senior executive of IT; CSO, CISO, or senior executive of Security; senior executive of Public Relations/Communications; senior executive of Human Resources; senior executive of Finance; senior executive of Legal Counsel; senior executive of Facilities; senior executive of Enterprise Risk Management or CRO (Chief Risk Officer); senior executive of Business Continuity Planning.]
Base: 192 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with dedicated crisis communications teams.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 3-2: “Are the following addressed in your crisis communication plans?”
Mobilization of response teams: Yes 85%, No 12%, Don’t know 3%
Guidance and instruction to employees: Yes 93%, No 6%, Don’t know 2%
Communication with first responders and law enforcement: Yes 70%, No 24%, Don’t know 6%
Communication with elected officials (i.e. mayor, governor, etc): Yes 44%, No 44%, Don’t know 12%
Communication with external stakeholders (i.e. customers, partners, students, parents): Yes 85%, No 10%, Don’t know 5%
Communication with the press: Yes 86%, No 11%, Don’t know 4%
Ongoing communication: Yes 90%, No 6%, Don’t know 4%
Aftermath communication: Yes 76%, No 16%, Don’t know 8%
(percentages may not total 100 because of rounding)
Base: 258 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with BCPs that address crisis communication.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Companies Rely On Wireless Communication
Companies rely on multiple modes of crisis communication but wireless phones, email and landline phones dominate (see Figure 4-1). In addition, approximately 67 percent of companies will use a web site to facilitate communication. Our survey also found that:
- Approximately 76 percent of companies also have plans to account for telecom loss. Email, landlines and web sites are effective modes of communication when telecommunication is available. However, when a major catastrophe such as a hurricane knocks out local telecommunication for several days, companies will need another mode of communication (see Figure 4-2).
- Approximately 66 percent of companies will leverage SMS text in the event of telecom loss. If local telecom is unavailable, many companies will turn to wireless technologies such as mobile phones, two-way radios and satellite communication (see Figure 4-3). In recent disasters, mobile networks are often overwhelmed, making voice calls impossible; however, these networks are often able to transmit text messages because they require significantly less bandwidth.
Figure 4-1: “On what modes of communication and devices do you rely for crisis communication? Select all that apply.”
[Bar chart. Response options listed: landline phones; cell phones; SMS text; web site; dedicated emergency phone numbers; employee hotlines; satellite phones; two-way radio; broadcast radio; other, please specify; don't know.]
Base: 258 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with BCPs that address crisis communication.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 4-2: “Do your crisis communication plans account for the potential loss of telecommunication services during a disaster/disruption?”
Yes: 76%
No: 24%
Base: 258 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with BCPs that address crisis communication.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 4-3: “On what modes of communication and devices do you rely during a loss of telecommunication services? Select all that apply.”
[Bar chart. Response options: satellite phones; two-way radio; SMS text; other.]
Base: 195 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with BCPs that address crisis communication and account for loss of telecommunication services.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Training And Awareness Are No Longer Optional
In last year’s “State Of Business Continuity” survey, when we asked companies that had invoked a BCP in the past five years to identify and rank the top lessons learned from their invocations, lack of training and awareness came in at number one. It goes without saying that any response plan requires not only frequent testing but training and awareness across the company. In this year’s study, we found that 62 percent of companies with crisis communication plans have training and awareness programs in place and another 30 percent plan to implement training in the next 12 months (see Figure 5).
Figure 5-1: “Are there training and awareness programs in place so employees know where to go for information and what to expect in a crisis?”
Yes: 62%
No, but we’re implementing a training and awareness program in the next 12 months: 30%
No, and we have no plans to implement anything: 8%
Base: 258 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with BCPs that address crisis communication.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
BCP Invocations And Crisis Communication
Companies often believe that BCP invocations are rare occurrences, but according to our survey, more than 52 percent of the companies with crisis communication plans have invoked a BCP in the last five years (see Figure 6-1). There are a number of reasons for this. First, as prior surveys have identified, the most common causes of BCP and DRP invocations are commonplace events such as severe weather, power failures and IT failures. Second, companies with documented, up-to-date, and well-tested BCPs and DRPs likely feel more confident about invoking them.
Of the companies that have invoked, only 20 percent feel that their crisis communication was very effective (see Figure 6-2). The vast majority of companies, 72 percent, feel that their crisis communication was somewhat effective to effective.
Figure 6-1: “Have you invoked a BCP in the last five years?”
[Chart. Response options: yes; no.]
Base: 258 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with BCPs that address crisis communication.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 6-2: “How effective was your crisis communication during the most recent invocation?”
Not at all effective: 3%
Minimally effective: 4%
Somewhat effective: 33%
Effective: 39%
Very effective: 20%
(percentages may not total 100 because of rounding)
Base: 123 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with BCPs that address crisis communication that have invoked a BCP in the last 5 years.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Companies Are Reducing Risk Management Silos
Historically companies have approached risk management disciplines such as operational risk management, business continuity, disaster recovery, and information security as separate silos. In reality these risk management disciplines are closely related and not easily handled separately without creating gaps in preventative measures and responses. Understanding this, organizations are starting to show signs of more coordinated risk management programs. In this survey we found that:
- Only 20 percent of companies have separate risk management silos not connected by a single program. The majority of respondents report that their organization has either a chief risk officer (CRO) role with responsibility for risk disciplines across the entire enterprise or at least a head of risk management overseeing a number of key disciplines (see Figure 7-1).
- Approximately 64 percent of BC management programs have a relationship with enterprise risk management. Of these, almost 16 percent of BCM programs report directly to risk management and approximately 9 percent have a dotted line relationship. Another 38 percent report working closely with risk management to share information and efforts (see Figure 7-2).
Figure 7-1: “Which of the following best describes your organization's risk management program?”
We have a formal ERM program, including a Chief Risk Officer or similar role, who heads a risk team and reports to the board and/or top executives: 37%
We have a single director or head of risk that is responsible for select areas of risk management but doesn't have the broad reach of an enterprise program: 21%
We have several silos of risk management that are not connected by a single program: 20%
We have no formal risk management program or programs: 18%
Don't know: 4%
Base: 302 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with crisis communication strategies.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 7-2: “How does your BCM team work with your risk management team?”
BCM reports directly to the risk management function: 16%
BCM has dotted-line reporting to the risk management function: 9%
BCM works closely with risk management to share information and efforts: 39%
BCM does not work with our organization's risk management team: 27%
Don't know: 10%
(percentages may not total 100 because of rounding)
Base: 278 business continuity decision-makers, influencers, consultants, and participants at companies worldwide with crisis communication strategies and formal risk management programs.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Companies Are Taking A Risk-Based Approach To Prioritizing BC Risks
When it comes to justifying investments in BC, ideally, companies should work with business owners and risk managers to understand which risks expose the organization to the greatest potential losses. One basic formula companies use is Impact (e.g., $1,000) x likelihood (e.g., 1-in-10 or 10%) = expected loss (e.g., loss expectancy is $100). In this survey, we found that:
- Almost 65 percent of BCM teams work with the business to determine the impact of risks. Some BCM teams attempt to quantify the impact and probability of risks on their own (34 percent according to this study). This is certainly not the most effective approach, but it is typical of companies where it’s difficult to foster business involvement (see Figure 8-1).
- Almost 57 percent of BCM teams prioritize efforts based on the level of risk. Knowing that it is impossible to address every business continuity risk, the majority of respondents said they prioritize their planning and mitigation efforts to address the most significant risks first. Fewer organizations prioritize efforts based on a cost/benefit analysis (34 percent) or the ability to leverage existing projects and investments (19 percent), which are also reasonable strategies. Surprisingly, almost 23 percent of companies still do not have a formal method for prioritizing efforts (see Figure 8-2).
Figure 8-1: “How does your organization assess the impact of business continuity risks? Select all that apply.”
[Bar chart. Response options: the BCM team gets input from business process owners to determine the potential impact of risks; the BCM team makes an evaluation of impact based on its understanding of the business; the BCM team uses industry guidance or third parties to evaluate business impact; the BCM team does not formally evaluate the impact of business continuity risks; other; don’t know.]
(percentages may not total 100 because of rounding)
Base: 345 business continuity decision-makers, influencers, consultants, and participants at companies worldwide.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Figure 8-2: “How does your organization prioritize its BC preparedness efforts? Select all that apply.”
We prioritize efforts that mitigate the highest level risks: 57%
We prioritize efforts that have the best cost/benefit ratio: 34%
We prioritize efforts that leverage other existing projects: 19%
We have no formal method for prioritizing efforts: 23%
Other: 2%
Don’t know: 2%
(percentages may not total 100 because of rounding)
Base: 345 business continuity decision-makers, influencers, consultants, and participants at companies worldwide.
Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business Continuity Preparedness Online Survey, Q4 2009
Study Methodology
In the Fall of 2009, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online survey of 345 DRJ members. In this survey:
- All respondents indicated that they were decision-makers or influencers in regard to planning and purchasing technology and services related to business continuity.
- Respondents were from a range of company sizes: 36.5 percent had 1 to 999 employees; 18.8 percent had 1,000 to 4,999 employees; 18.8 percent had 5,000 to 19,999 employees; and 25.8 percent had 20,000 or more employees.
- Respondents were from companies with a range of revenues: 40.8 percent of respondents were from companies with revenues of less than $500 million; 13.9 percent were from companies with revenues of $500 million to $999 million; 20 percent were from companies with revenues of $1 billion to $4.99 billion; 7.8 percent were from companies with revenues of $5 billion to $10 billion; and 17.4 percent were from companies with revenues of more than $10 billion.
- Respondents were from a variety of industries.
- Respondents were primarily from North America but there was representation from Europe, the Middle East, Africa and Asia. Many companies had business operations in multiple regions: 90.4 percent of respondents had locations in North America; 33.5 percent had locations in Europe, Middle East, or Africa; 24.1 percent had locations in Asia; and 15.7 percent had locations in South America.
This survey used a self-selected group of respondents (DRJ members) and is therefore not random. These respondents are likely to be more sophisticated than peers who do not read and participate in business continuity and disaster recovery publications, online discussions, etc. They likely have above-average knowledge of best practices and technology in BC/DR. While nonrandom, the survey is still a valuable tool for understanding the characteristics of current BC programs and exploring relevant industry trends.
Stephanie Balaouras is a principal analyst for Forrester Research. Balaouras primarily contributes to Forrester’s offerings for security and risk professionals. She is a leading expert in how companies build resilient IT infrastructures to support key business initiatives. During her four years with Forrester, Balaouras has been instrumental in the development of Forrester’s research and offerings in business continuity, disaster recovery, and information storage and protection.