MARKET STUDY Crisis Communication and · 2019-11-26 · 42 DISASTER RECOVERY JOURNAL WINTER 2010 Companies Rely On Wireless Communication Companies rely on multiple modes of crisis

38 DISASTER RECOVERY JOURNAL WINTER 2010

M A R K E T S T U D Y

Crisis Communication and Risk Management in Business Continuity Preparedness

By STEPHANIE BALAOURAS

F orrester Research and the Disaster Recovery Journal have partnered to field a number of market studies in business continuity (BC) and disaster recovery (DR) in order to gather data for company comparison and bench-marking, to guide research, and for the pub-

lication of best practices and recommendations for the industry. This is the third annual joint survey. This particular study focused on the role of crisis commu-nication in business continuity and the relationship of business continuity to risk management.HowmuchiscrisiscommunicationvaluedinBCpreparedness?

Howdocompanieshandlecrisiscommunication?HowfrequentlydocrisismanagementandBCmanagementteams

meettodevelopanddocumentcrisiscommunicationstrategies?ArethesestrategiespartofstandaloneplansorsubsetsofBCplans?Howfrequentlyareplanstested?

Whatmodesofcommunicationdocompaniesrelyon?Dotheyhavebackupplansintheeventoftelecommunicationfailure?

Docompaniesautomatecommunicationorrelyonmanualprocedures?Docompaniessetupacrisismanagementcenter?

Isthereadequatetrainingandawarenessforcrisiscommunication?Howeffectivewerecrisiscommunicationplansinrecentinvocations?

Howdoorganizationstypicallystructuretheirriskmanagementfunctions?HowdoesBCmanagementinteractandworkwithriskmanagementprograms?HowdocompaniesprioritizeinvestmentsinBC?

The Importance Of Crisis Communication In BC Planning Is Not Universally Recognized

According to our 2009 study, approximately 54 percent of com-panies indicated that crisis communication was very or extremely important in BC planning while approximately 45 percent of companies indicated its importance was moderate, low or not at all important (see Figure 1). While the majority of companies do recognize the importance of crisis communication, it’s surprising that such a large percentage of companies do not. This partially explained by the fact that many people view crisis communica-tion as strategy for protecting corporate reputation carried out by public relations and legal – not as a strategy for rapid decision-

making amongst executives and decision-makers and the rapid mobilization of response teams.

Source: Forrester Research, Inc.

“How seriously is crisis communication taken at your organization?”

Not at all

Low

Moderately

Very

Extremely

3%

14%

29%

38%

16%

Base: 345 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide.Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

1-1

There Is No Prevailing Approach To Crisis Communication

The fact that there is no prevailing approached in how compa-nies handle crisis communication in BC planning is another indica-tion that companies have wildly different views of its importance and role (see Figure 2-1). In this survey, we found that: Approximately42percentofcompanieshaveanindependent

crisiscommunicationteamthatworkscloselywithBCmanagementteams.Crisiscommunicationmayberelevanttoseveraldifferentaspectsofriskmanagement,andmanycompaniesrecognizetheimportanceofitscoordinationwithBCplanning.Notsurprisingly,only18percentofthesecompaniessaythatthecrisiscommunicationteammeetswithBCplanningteamwhenevertheBCplanningteammeets.Almost42percentofthesecompaniessaythattheymeetatleastfourtimesayearwiththeBCplanningteam,whichshowsastrongcommitmenttocooperation(seeFigure2-2).

Approximately14percentofcompanieshaveanindependentcrisiscommunicationteamwithnodirectlinktoBCmanagementteams.Crisiscommunicationatthesecompaniesmayworkwithvariousfunctionsrelatedtoriskmanagement,buttheyarelesslikelytohaveatightcoordinationwithBCplanningteams.Thereisprobablysomehigh-levelguidanceprovided,butforthemostpartBCplanningteamshandlecommunicationontheirown.Notsurprisingly,thesecommunicationteamsmeetfarlessfrequentlywiththeBCplanning,typicallyonlyonceortwiceayear.

Approximately32percentofcompaniesrelyontheBCMteamtodoitsbesttoaddresscrisiscommunication.Atthesecompanies,crisiscommunicationisnotviewedasitsowndiscipline.Ifsuchafunctionexistsatthesecompanies,itmaybepartofotheraspectsofriskmanagementorpublicrelations,whichmeanstheBCplanningteamislikelyonitsown.

Almost13percentofcompaniesdonothaveanykindofcrisiscommunicationstrategy.Thesecompanieshavenoformalapproachtocrisiscommunicationandlikelyhandlecommunicationhaphazardlyasincidents,crises,businesscontinuitythreats,orotherriskeventsoccur.

A slight majority of companies prefer to embed a crisis com-munication strategy within their business continuity plans (BCPs) rather than have specific communication plans that complement each BCP (see Figure 2-3).



“How is crisis communications handled at your company?”

There is a dedicated crisis communication teamthat is independent but works with the BCmanagement (BCM) team to address crisis

communication within BC planning.

There is a dedicated crisis communication teamthat is independent and not linked to the BCM

team.

There is no dedicated crisis communication team,the BCM team does its best to address crisis

communication within BC planning

We have no crisis communication strategy atour company

42%

14%

32%

13%

Base: Base: 345 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide.

(percentages may not total 100 because of rounding)

Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

2-1



“How frequently does the crisis communication team meet with the BCM team?”

Base: 192 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with dedicated crisis communications teams.

Independent crisis communication teamthat works with BCM team to address

crisis communication within BCplanning (n = 144)

Independent crisis communication teamthat is not linked to the BCM team (n = 48)

18% 14% 16% 16%2%

2%2% 2%

26% 8%

8%38% 13% 36%

As frequently as theBCM team meets Once a year Twice a year

Three timesa year Quarterly

More than fourtimes a year Don't know


2-2



“How do you address crisis communication within BC planning?”

There are specific crisis communicationplans that complement each business

continuity plan (BCP)

Crisis communication is a sub-plan orcomponent within each BCP

Our BCPs do not address crisiscommunication

Other

29%

51%

15%

6%

Base: 302 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with crisis communication strategies.Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

2-3

BC Managers Often Take A Leadership Role In Crisis Communication

Even if you have a dedicated a crisis communication team, it’s very likely that a senior BC manager is as involved as even the head of public relations and communications (see Figure 3-1). The most senior business executives (Chairman, CEO, COO, CFO) are the least involved. According to our study: SeniorexecutivesofBCplanningandPRaremostlikelyto

leadcrisiscommunication.Iftheseindividualsarenottheteamlead,theywillstillplayamajorroleontheteam.Thesignificantinvolvementofthesetworolesrepresentsthecomplexityofcrisiscommunication.BCmanagersarelikelytounderstandthewide-rangeofrisksthattheorganizationmustprepareforaswellaswhatittakestomobilizearesponseforbusinessdisruptions,whilePRprofessionalsunderstandboththeneedandmethodstocommunicatebothinternallyandexternally(seeFigure3-2).

CIOsandCISO/CSOsalsoplayamajorroleincrisiscommunication.Whiletheserolesarenotaslikelytoleadthe

crisiscommunicationteam,theybotharelikelytoplayamajorrole.Inmanycompanies,theCIOortheCISO/CSOisthesenior-mostexecutiveultimatelyresponsibleforBCpreparedness.Inaddition,theCIOisoftentaskedwithenablingreliable,masscommunicationduringcrisisbywhatevermodenecessary.


Not at allinvolved

Somewhatinvolved Involved

Veryinvolved

Teamleader

Notapplicable Don’t know

Base: 192 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with dedicated crisis communications teams.

“For each of the following positions, please indicate thelevel of involvement on the crisis communication team.”

Chairman of the Board

CEO

COO

CIO or senior executiveof IT

CSO, CISO, or seniorexecutive of Security

Senior executive ofPublic Relations/Communications

Senior executive ofHuman Resources

Senior executive ofFinance

Senior executive ofLegal Counsel

Senior executive ofFacilities

Senior executive of EnterpriseRisk Management or CRO

(Chief Risk Officer)Senior executive of

Business ContinuityPlanning

22%

22%

19%

19%

19% 9% 9%

9%

9%

9%

4%

4%

4%

4%

4%

18%

10%13%

13%

13%

13%

13%

11% 11%

11%

3%

3%

7%

7%

7%

7%

7%

7%

7%

22%41%17%8%

8%

8%

8%

26% 20%

2% 5%

5%

5%

5%5%

5% 12%

12%

7% 12%

25% 23%

23%

23%

39%

39%

27%

28%

28%

32%

3%10% 35% 14% 6%

6%

6%

6% 29%

29%

29%

29%

40% 1%

8%2%18% 26%

24%

16%


3-1


Base: 258 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with BCPs that address crisis communication.

“Are the following addressed in your crisis communication plans?”

Mobilization of responseteams

Guidance and instructionto employees

Communication with firstresponders and law

enforcement

Communication withelected officials (i.e.

mayor, governor, etc)

Communication withexternal stakeholders (i.e.

customers, partners,students, parents)

Communication with thepress

Ongoing communication

Aftermathcommunication

Yes NoDon’tknow

85% 12% 3%

93% 6% 2%


70% 24% 6%

44% 44% 12%

85% 10% 5%

86% 11% 4%

90% 6% 4%

76% 16% 8%


3-2


Companies Rely On Wireless CommunicationCompanies rely on multiple modes of crisis communication

but wireless phones, email and landline phones dominate (see Figure 4.1). In addition, approximately 67 percent of companies will use a web site to facilitate communication. Our survey also found that:Approximately76percentofcompaniesalsohaveplansto

accountfortelecomloss.Email,landlinesandwebsitesareeffectivemodesofcommunicationwhentelecommunicationisavailable.However,whenamajorcatastrophesuchasahurricaneknocksoutlocaltelecommunicationforseveraldays,companieswillneedanothermodeofcommunication(seeFigure4-2).

Approximately66percentofcompanieswillleverageSMStxtintheeventoftelecomloss.Iflocaltelecomisunavailable,manycompanieswillturntowirelesstechnologiessuchasmobilephones,two-wayradiosandsatellitecommunication(seeFigure4-3).Inrecentdisasters,mobilenetworksareoftenoverwhelmed,makingvoicecallsimpossible;however,thesenetworksareoftenabletotransmittextmessagesbecausetheyrequiresignificantlylessbandwidth.


“On what modes of communication and devices do you relyfor crisis communication? Select all that apply.”

Landline phones

Cell phones

SMS text

Email

Web Site

Dedicated emergencyphone numbers

Employee hotlines

Satellite phones

Two-way radio

Broadcast radio

Other, please specify

Don't know

97%

90%

86%

67%

63%

55%

54%

30%

26%

14%

<1%

7%



4-1


“Do your crisis communication plans account for the potential loss oftelecommunication services during a disaster/disruption?”

Yes

No

76%

24%

Base: 258 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with BCPs that address crisis communication.Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

4-2


“On what modes of communication and devices do you rely duringa loss of telecommunication services? Select all that apply.”

Satellite phones

Two-way radio

SMS text

Other

66%

40%

39%

24%

Base: 195 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with BCPs that address crisis communication and account for loss of telecommunication services.


4-3

Training And Awareness Are No Longer OptionalIn last year’s “State Of Business Continuity” survey, when we

asked companies that had invoked a BCP in the past five years to identify and rank the top lessons learned from their invocations, lack of training and awareness came in at number one. It goes without saying that any response plan requires not only frequent testing but training and awareness across the company. In this year’s study, we found that 62 percent of companies with crisis communication plans have training and awareness programs in place and another 30 percent plan to implement training in the next 12 months (see Figure 5).


“Are there training and awareness programs in place so employees knowwhere to go for information and what to expect in a crisis?”

Yes

No, but we’re implementing a training andawareness program in the next 12 months

No, and we have no plans to implementanything

62%

30%

8%



5-1

BCP Invocations And Crisis CommunicationCompanies often believe that BCP invocations are rare occur-

rences, but according to our survey, more than 52 percent of the companies with crisis communication plans have invoked a BCP in the last five years (see Figure 6-1). There are a number of reasons for this. First, as prior surveys have identified, the most common cause of BCP and DRP invocations are commonplace events such as severe weather, power failures and IT failures. Second, companies with documented, up to date , and well-tested BCPs and DRPs likely feel more confident about invoking them.

Of the companies that have invoked, only 20 percent feel that their crisis communication was very effective (see Figure 6-2). The vast majority of companies, 72 percent feel that their crisis communication was somewhat effective to effective.


“Have you invoked a BCP in the last five years?”

No

Yes

52%

48%

Base: 258 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with BCPs that address crisis communication.Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

6-1



“How effective was your crisis communication during the most recent invocation?”

Not at all effective

Minimally effective

Somewhat effective

Effective

Very effective

3%

4%

33%

39%

20%

Base: 123 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with BCPs that address crisis communication that have invoked a BCP in the last 5 years.Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

6-2


Companies Are Reducing Risk Management SilosHistorically companies have approached risk management

disciplines such as operational risk management, business con-tinuity, disaster recovery, and information security as separate silos. In reality these risk management disciplines are closely related and not easily handled separately without creating gaps in preventative measures and responses. Understanding this, organi-zations are starting to show signs of more coordinated risk man-agement programs. In this survey we found that:Only20percentofcompanieshaveseparateriskmanagement

silosnotconnectedbyasingleprogram.Themajorityofrespondentsreportthattheirorganizationhaseitherachiefriskofficer(CRO)rolewithresponsibilityforriskdisciplinesacrosstheentireenterpriseoratleastaheadofriskmanagementoverseeinganumberofkeydisciplines(seeFigure7-1).

Approximately64percentofBCmanagementprogramshavearelationshipwithenterpriseriskmanagement.Ofthese,almost16percentofBCMprogramsreportdirectlytoriskmanagementandapproximately9percenthaveadottedlinerelationship.Another38percentreportworkingcloselywithriskmanagementtoshareinformationandefforts(seeFigure7-2).


“Which of the following best describes your organization's risk management program?”

We have a formal ERM program, includinga Chief Risk Officer or similar role, who

heads a risk team and reports to the boardand/or top executives.

We have a single director or head of riskthat is responsible for select areas of risk

management but doesn't have the broadreach of an enterprise program.

We have several silos of risk managementthat are not connected by a single

program.

We have no formal risk managementprogram or programs.

Don't know

37%

21%

20%

18%

4%

Base: 302 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with crisis communication strategies.Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

7-1



“How does your BCM team work with your risk management team?”

BCM reports directly to the riskmanagement function

BCM has dotted-line reporting tothe risk management function

BCM works closely with riskmanagement to share

information and efforts

BCM does not work with ourorganization's risk

management team

Don't know 10%

9%

16%

27%

39%

Base: 278 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide with crisis communication strategies and formal risk management programs.Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

7-2

Companies Are Taking A Risk-Based Approach To Prioritizing BC Risks

When it comes to justifying investments in BC, ideally, com-panies should work with business owners and risk managers to understand which risks expose the organization to the greatest

potential losses. One basic formula companies use is Impact (e.g., $1,000) x likelihood (e.g., 1-in-10 or 10%) = expected loss (e.g., loss expectancy is $100). In this survey, we found that:Almost65percentofBCMteamsworkwiththebusinessto

determinetheimpactofrisks.SomeBCMteamsattempttoquantifytheimpactandprobabilityofrisksontheirown(34percentaccordingtothisstudy).Thisiscertainlynotthemosteffectiveapproach,butitistypicalofcompanieswhereit’sdifficulttofosterbusinessinvolvement(seeFigure8-1).

Almost57percentofBCMteamsprioritizeeffortsbasedonthelevelofrisk.Knowingthatitisimpossibletoaddresseverybusinesscontinuityrisk,themajorityofrespondentssaidtheyprioritizetheirplanningandmitigationeffortstoaddressthemostsignificantrisksfirst.Fewerorganizationsprioritizeeffortsbasedacost/benefitanalysis(34percent)ortheabilitytoleverageexistingprojectsandinvestments(19percent),whicharealsoreasonablestrategies.Surprisingly,almost23percentofcompaniesstilldonothaveaformalmethodforprioritizingefforts(seeFigure8-2)



“How does your organization assess the impact of business continuity risks? Select all that apply.”

The BCM team gets input from businessprocess owners to determine the

potential impact of risks

The BCM team makes an evaluation ofimpact based on its understanding of

the business

The BCM team uses industry guidanceor third parties to evaluate business

impact

The BCM team does not formallyevaluate the impact of business

continuity risks

Other

Don’t know

65%

35%

21%

16%

3%

3%

Base: 345 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide. Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

8-1



“How does your organization prioritize its BC preparedness efforts? Select all that apply.”

We prioritize efforts that mitigatethe highest level risks

We prioritize efforts that havethe best cost/benefit ratio

We prioritize efforts that leverageother existing projects

We have no formal method forprioritizing efforts

Other

Don’t know

57%

34%

23%

19%

2%

2%

Base: 345 business continuity decision-makers, influencers, consultants, and participants at companiesworldwide. Source: Forrester/Disaster Recovery Journal Crisis Communication And Risk Management In Business ContinuityPreparedness Online Survey, Q4 2009

8-2

Study MethodologyIn the Fall of 2009, Forrester Research and the Disaster

Recovery Journal (DRJ) conducted an online survey of 345 DRJ members. In this survey:Allrespondentsindicatedthattheyweredecision-makersor

influencersinregardtoplanningandpurchasingtechnologyandservicesrelatedtobusinesscontinuity.

Respondentswerefromarangeofcompanysizes:36.5percent

DISASTER RECOVERY JOURNAL WINTER 2010 45

had1to999employees;18.8percenthad1,000to4,999employees;18.8percenthad5,000to19,999employees;and25.8percenthad20,000ormoreemployees.

Respondentswerefromcompanieswitharangeofrevenues:40.8percentofrespondentswerefromcompanieswithrevenuesoflessthan$500million;13.9percentwerefromcompanieswithrevenuesof$500millionto$999million;20percentwerefromcompanieswithrevenuesof$1billionto$4.99billion;7.8%percentwerefromcompanieswithrevenuesof$5billionto$10billion;and17.4percentwerefromcompanieswithrevenuesofmorethan$10billion.

Respondentswerefromavarietyofindustries.

RespondentswereprimarilyfromNorthAmericabuttherewasrepresentationfromEurope,theMiddleEast,AfricaandAsia.Manycompanieshadbusinessoperationsinmultipleregions:90.4percentofrespondentshadlocationsinNorthAmerica;33.5percenthad

locationsinEurope,MiddleEast,orAfrica;24.1percenthadlocationsinAsia;and15.7percenthadlocationsinSouthAmerica.

This survey used a self-selected group of respondents (DRJ members) and is therefore not random. These respondents are likely to be more sophisticated than peers who do not read and participate in business continuity and disaster recovery publications, online discussions, etc. They likely have above-average knowledge of best practices and technology in BC/DR. While nonrandom, the survey is still a valuable tool in understanding the char-acterists of current BC programs and to explore relevant industry trends.

vStephanieBalaouras isaprincipalanalystforForresterResearch.BalaourasprimarilycontributestoForrester’sofferingsforsecu-rityandriskprofessionals.Sheisaleadingexpert inhowcompaniesbuild resilient IT

infrastructures tosupport keybusiness initiatives.DuringherfouryearswithForrester,Balaourashasbeeninstru-mental in the development of Forrester’s research andofferings in business continuity, disaster recovery, andinformationstorageandprotection.

My RemarkableJourney

isanautobiographyofRichardL.Arnold,CBCP.ThebookdetailsRichard’sentirelifestory,thegoodtimesandbad.

Hehadonlybeeninahospitalonetimeasachild,onlytowakeupinanotheroneyearslaterwithnouseoftheentirerightsideofhisbody.Theycalleditastroke.

Fivespecialpeopleintroducethebookwithacertainamountofhumor–WilliamW.Worsley,CBCP;EdwardS.Devlin,

CBCP;BarneyF.Pelant,MBCP;JamesHammill,CBCP;andJohnA.Jackson.About50contributedstoriesandbiographiesfromindustryleaderswillalsobeincluded.

Thebookwillhavemorethan280pagesandbeavailableinhardback,paperback,anddigitaldownload.

Formoredetails,contactLauraBaugh,[email protected].

Documents

MARKET STUDY Crisis Communication and · 2019-11-26 · 42 DISASTER RECOVERY JOURNAL WINTER 2010 Companies Rely On Wireless Communication Companies rely on multiple modes of crisis