Mature Business Continuity Programs
What do they have that others struggle with…?
February 19, 2014
Cheyene Marling, Hon. MBCI
Topics of Presentation
• What Distinguishes “Very Mature”
• Present Findings for “Very Mature” and “Very Immature” Programs
• Intangible Skills Needed to Elevate Programs
• Stay Ahead of the Game?
• Be a Top Talent
• Achieve It
Mature Programs - Distinguishing Factors
• Increased Visibility
• Executive Driven
• Corporate Culture
• Multiple Disciplines
• Highly Integrated
• Frequent Assessments/Audits/Exercises
• Controls/Standardization/Metrics
• Strategic Top Talent – Sought After Intangible Skills
[Chart: Program Maturity - Self Rating, 2009–2012; categories Very Immature, Immature, Average, Mature, Very Mature; y-axis 0%–40%]
Self-rating breakdown (2012): Very Immature 5.65%; Immature 13.62%; Average 36.20%; Mature 30.56%; Very Mature 13.98%.
8% increase in study respondents indicating “Mature” and “Very Mature” since 2009.
45% of the study respondents noted a “Mature” or “Very Mature” program in 2012.
[Chart: Status of Business Continuity Program by Program Maturity (1 - Very Immature to 5 - Very Mature); x-axis 0%–100%. Status categories charted:]
• A fully functioning executive/leadership transition plan is in place.
• Currently implementing an executive/leadership transition plan.
• Currently developing an executive/leadership transition plan.
• A fully functioning pandemic preparedness policy is in place.
• Currently implementing a pandemic preparedness policy.
• Currently developing a pandemic preparedness policy.
• Maintain an exercise schedule in order to identify new potential vulnerabilities or weaknesses in the current BCM program. Analyze findings to elevate the program.
• Maintain an assessment and audit schedule of the BCM program to ensure the program is up to date and complete.
• Implemented an awareness and training program to promote and educate the entire organization on the BCM program.
• Implemented a corporate-wide program meeting contingency, resiliency, risk mgmt, emergency mgmt and crisis mgmt needs.
• Incorporated a full enterprise risk management program with controls in place to avoid or mitigate potential risks.
• Currently conducting an enterprise risk assessment for the board and/or senior management.
• Considering conducting an enterprise risk assessment for the board and/or senior management.
• A Crisis Communications program is in place.
• A Crisis Management process and plan is in place.
• Policies and procedures in place to coordinate with external agencies in times of a disaster.
• A fully functioning Emergency Operations Center is in place.
• Currently implementing an Emergency Operations Center.
• Currently assessing an Emergency Operations Center.
• Developing and implementing BC and/or IT DR plans that meet the organization's needs.
• Currently conducting BIA or risk assessments.
• Currently formulating the BCM program framework to include contingency, resiliency, operational and enterprise risk mgmt and crisis mgmt plans.
• Some departments/divisions have business continuity plans.
• There are contingency plans in place for IT DR functions only.
• Off-site data recovery only.
• There are no business continuity and/or IT disaster recovery plans in place.
Since 2009, study respondents have increasingly indicated that their IT/Disaster Recovery and Business Continuity strategies support organizational needs, an 8% and 6% increase respectively.
Do IT/Disaster Recovery & Business Continuity Strategies Adequately Support the Needs of Your Organization? (by Program Maturity; percent of respondents)

                     Very Immature      2       3       4   Very Mature
DR Strategies  Yes           1.6%    5.9%   31.1%   41.2%       20.1%
DR Strategies  No           11.6%   23.5%   43.8%   17.4%        3.7%
BC Strategies  Yes           1.7%    5.0%   32.2%   41.4%       19.7%
BC Strategies  No           12.4%   26.3%   43.0%   15.1%        3.2%
Program Maturity Trends
Reporting Structure
• Placement of Program
• Increased Visibility
• Executive Support
• Corporate Culture
Department Owner by Program Maturity (percent of respondents at each maturity level; columns 1 - Very Immature, 2, 3, 4, 5 - Very Mature)

Department                       1       2       3       4       5
Assurance/Compliance          3.6%    3.4%    0.6%    4.1%    5.0%
Audit - Internal              0.0%    0.0%    1.1%    0.0%    5.0%
Business Continuity Office    7.1%   11.9%   14.5%   17.1%   25.0%
Corporate Offices            10.7%    5.1%    5.6%    8.9%    7.5%
Emergency/Crisis Mgmt         7.1%    6.8%    6.7%    3.3%    5.0%
Facilities Mgmt               0.0%    3.4%    5.0%    2.4%    2.5%
Finance                       7.1%    6.8%    3.4%    0.8%    7.5%
Human Resources               0.0%    1.7%    1.7%    1.6%    0.0%
Individual business units     0.0%    1.7%    1.7%    0.8%    0.0%
Information Technology       32.1%   25.4%   25.7%   24.4%   15.0%
Legal Counsel                 0.0%    0.0%    1.1%    0.0%    0.0%
Operations                    3.6%    3.4%    6.7%    8.1%    2.5%
Other                         7.1%    6.8%    4.5%    6.5%    0.0%
Program Mgmt Office           0.0%    0.0%    1.7%    0.8%    2.5%
Risk Mgmt                    10.7%   13.6%    8.4%   15.4%   15.0%
Security - Information       10.7%    3.4%    7.3%    1.6%    5.0%
Security - Physical           0.0%    5.1%    2.2%    4.1%    0.0%
Strategic Planning            0.0%    1.7%    2.2%    0.0%    2.5%
Top Department - All Respondents
• Information Technology - 25%
• Business Continuity Office - 15%
• Risk Management - 15%
Top Department - “Very Mature”
• Business Continuity Office - 25%
• Information Technology - 15%
• Risk Management - 15%
Highest Rating for Maximum Visibility – Agree & Strongly Agree
• Risk Management - 84%
• Business Continuity Office - 77%
• Corporate Offices & Operations - both 64%
• Finance, Information Technology and Information Security - each 50%
Is Program Situated for Maximum Visibility - Mature Programs (percent of respondents by department)

Department                   Strongly disagree   Disagree   Neutral    Agree   Strongly agree
Business Continuity Office               12.9%       0.0%      9.7%    38.7%            38.7%
Corporate Offices                        14.3%       7.1%     14.3%     7.1%            57.1%
Emergency/Crisis Mgmt                     0.0%       0.0%     16.7%    50.0%            33.3%
Finance                                   0.0%      25.0%     25.0%    25.0%            25.0%
Information Technology                    2.8%      27.8%     19.4%    27.8%            22.2%
Operations                                0.0%      36.4%      0.0%    27.3%            36.4%
Risk Mgmt                                 0.0%       8.0%      8.0%    40.0%            44.0%
Security - Information                    0.0%      50.0%      0.0%    25.0%            25.0%
Program Sponsor by Program Maturity (percent of respondents at each maturity level; columns 1 - Very Immature, 2, 3, 4, 5 - Very Mature)

Sponsor                                                  1       2       3       4       5
Board/General Counsel/Executive Committee             3.6%    6.8%    9.3%    4.7%   26.2%
President                                             3.6%    5.1%    2.7%    0.8%    2.4%
CEO - Chief Executive Officer                         7.1%    5.1%    7.1%    9.4%   11.9%
CIO/CTO - Chief Information/Technology Officer       21.4%   16.9%   17.6%   19.5%    7.1%
CSO/CISO - Chief (Information) Security Officer       3.6%    5.1%    4.9%    2.3%    2.4%
CFO - Chief Financial Officer                         7.1%    5.1%    4.9%    7.0%    7.1%
COO - Chief Operating Officer                         0.0%    1.7%    8.2%   17.2%    4.8%
CAO - Chief Administrative Officer                    0.0%    0.0%    3.3%    1.6%    0.0%
CRO - Chief Risk Officer                              3.6%    6.8%    4.4%   10.9%    4.8%
CCO - Chief Compliance Officer                        0.0%    5.1%    0.0%    1.6%    0.0%
CCO - Chief Continuity Officer                        0.0%    0.0%    0.5%    0.8%    0.0%
Other Chief Title                                     0.0%    0.0%    2.7%    1.6%    2.4%
Executive VP/Executive Director/General Manager       0.0%   11.9%    4.4%    4.7%    0.0%
Senior VP/Senior Director/Senior Manager             25.0%    8.5%    8.8%    3.9%    9.5%
VP/Director                                          14.3%    5.1%   12.1%    7.0%   14.3%
Assistant VP/Assistant Director/Manager               3.6%    3.4%    3.8%    1.6%    4.8%
Specialist/Coordinator/Planner                        7.1%    3.4%    2.2%    0.8%    0.0%
Other                                                 0.0%   10.2%    2.7%    4.7%    2.4%
Top Sponsor - All Respondents
• CIO/CTO - 17%
• COO - 10%
• VP/Director - 10%
• Board/Executive Committee - 9%
Top Sponsor - “Very Mature”
• Board/Executive Committee - 26%
• VP/Director - 14%
• CEO - 12%
• Senior VP - 10%
Level of Separation from Executive Committee by Program Maturity (percent of respondents; columns = levels of separation)

Maturity              0       1       2      3      4      5     6+
1 - Very Immature  25.0%   46.4%   17.9%   3.6%   3.6%   3.6%   0.0%
2                  27.1%   42.4%   16.9%   3.4%   6.8%   3.4%   0.0%
3                  43.3%   36.7%   10.0%   6.7%   1.7%   0.6%   1.1%
4                  54.7%   25.8%   12.5%   4.7%   1.6%   0.8%   0.0%
5 - Very Mature    47.6%   21.4%   19.0%   7.1%   2.4%   2.4%   0.0%
69% of the study respondents with “Very Mature” programs indicated that the program reported to a Board/Executive Committee/Chief Level, while 50% of the study respondents with “Very Immature” programs noted the same.
[Chart: Importance of Assessing the Value of the BCM Program by Program Maturity; series All Respondents, Very Immature, Average, Very Mature; y-axis 0%–80%. Response categories charted:]
• Depends on executive commitment to BCM
• Lack of interest in assessing the BCM program’s value
• Necessary to gain executive approval
• Part of corporate culture
Program Maturity Trends
Enterprise Integration
• Centralize the Program
• Multiple Disciplines within Program
• Enterprise Driven - Integrate
Centralized Program with Budgeting & Staffing by Program Maturity (percent of respondents)

       1 - Very Immature       2       3       4   5 - Very Mature
No                 42.9%   33.9%   31.1%   25.8%             23.8%
Yes                57.1%   66.1%   68.9%   74.2%             76.2%
70% of all study respondents centralize their program with budgeting and staffing. 54% of those respondents with a centralized program believe it contributes to the success of their program.
61% of study respondents (a 16% increase since 2009) noted 5+ disciplines included in the program. Respondents with “Very Immature” programs indicated an average of 3.6 disciplines, while those with “Very Mature” programs indicated an average of 4.9.
[Chart: Number of Disciplines in Program by Program Maturity (1 - Very Immature to 5 - Very Mature); y-axis 0–5 disciplines]
[Chart: Integration of Program - Very Mature Programs; scale No Integration (1) to Extremely Integrated (5); x-axis 0%–90%. Disciplines rated:]
• Strategic Plan/Corporate Mission Statement
• Senior Management Participation/Sponsorship
• Security - Physical
• Security - Information
• Risk Management - Operational
• Risk Management - Insurance
• Risk Management - Enterprise
• Records Management
• Privacy
• Pandemic Planning
• Media Crisis Management
• Information Technology
• Health & Safety - Occupational
• Health & Safety - Environmental
• Facilities Management
• Executive Protection
• Emergency Management
• Disaster Recovery
• Crisis Management
• Compliance
• Change Management
• Business Unit Participation
• Audit
Program Maturity Trends
Assessment and Audit
• Frequency
• Comprehensive
• Leverage Outcome
[Chart: Review and Update BIA by Program Maturity; Very Immature vs Very Mature; series Critical Processes and Non-Critical Processes; frequencies Every 6 months, Annually, Every other year, Every three years, Less often than three years, Never; y-axis 0%–60%]
An overwhelming percent of study respondents with a “Very Immature” program never review and update the BIA for critical processes or non-critical processes, 33% and 50% respectively.
Leverage the BIA and/or Risk Assessment Outcome by Program Maturity (percent of respondents)

                 1 - Strongly disagree       2       3       4   5 - Strongly agree
Very Immature                    25.9%   14.8%   22.2%   29.6%                7.4%
Very Mature                       7.1%    0.0%   14.3%   40.5%               38.1%
There was an 8% increase of all respondents who agreed or strongly agreed that they are leveraging the outcome of the BIA and/or Risk Assessment compared to 2011.
[Chart: Internal and External Audit of Program by Program Maturity; Very Immature vs Very Mature; series Internal Audit and External Audit; frequencies Quarterly, Bi-annually, Annually, Every other year, Every three years, Never; y-axis 0%–60%]
As with the previous BIA chart, study respondents with a “Very Immature” program indicated that they never conduct an internal or external audit, 44% and 50% respectively.
Program Maturity Trends
Exercise
• Frequency
• Methods
• Enhance Program
Exercise Plans by Program Maturity (percent of respondents)

       1 - Very Immature       2       3       4   5 - Very Mature
No                 42.9%   17.2%    7.4%    1.6%              2.4%
Yes                57.1%   82.8%   92.6%   98.4%             97.6%
[Chart: How Often Do You Exercise Your Plans by Program Maturity; Very Immature vs Very Mature; series Mission Critical IT, Less Critical IT, Mission Critical Business, Less Critical Business; frequencies Daily, Weekly, Monthly, Quarterly, Twice a Year, Annually, Every Other Year, Less Than Every Other Year, Never; y-axis 0%–70%]
Scenarios Implemented to Exercise Plans by Program Maturity (percent of respondents)

Scenario                                                   Very Immature   Very Mature
Crisis mgmt tabletop exercise                                      64.3%         82.9%
Full simulation - IT disaster recovery                             50.0%         61.0%
Full simulation - business continuity                              28.6%         58.5%
Live test (during business hours) - IT disaster recovery           42.9%         34.1%
Live test (during business hours) - business continuity            21.4%         46.3%
Surprise/unannounced test - IT disaster recovery                   14.3%          9.8%
Surprise/unannounced test - business continuity                     7.1%         17.1%
Telephone cascade/call tree exercise                               21.4%         58.5%
Walkthrough                                                        57.1%         68.3%
Other                                                               7.1%          2.4%
Program Maturity Trends
Certify
• Controls
• Standardization
• Measurement
Is Your Organization Certified in a Standard by Program Maturity (percent of respondents)

       1 - Very Immature       2       3       4   5 - Very Mature
No                 92.9%   84.5%   81.7%   83.3%             71.4%
Yes                 7.1%   15.5%   18.3%   16.7%             28.6%
[Chart: Organizational Certification Achieved by Program Maturity; series Immature, Average, Mature; y-axis 0%–30%]
[Chart: Model Program off Which Regulatory Requirement and/or Standard - Percent of Respondents Indicating "High Priority" (Over 1%) by Program Maturity; series Immature and Mature; x-axis 0%–18%. Standards and regulations listed:]
• Other
• US Government NIST Standards
• SSAE16 SOC2
• SIFMA Business Continuity Practice Guidelines
• SEC Regulations
• SAS70-1
• SAS70
• Sarbanes Oxley
• Patriot Act
• OSHA Compliance
• NYSE 446/NASD 3500
• NFPA 1600
• Local Banking Superintendency Requirement
• Joint Commission (Hospitals)
• ITIL v. 3 Service Continuity
• ISO/IEC 24762 Information Technology - Security Techniques - Guidelines for Information & …
• ISO 27001 Information Security
• ISO 22301/313
• ISO 14001 Environmental Management
• ISO 9001 Quality Management
• HIPAA
• Gramm Leach Bliley Act (GLBA)
• Good Practice Guidelines (BCI)
• FINRA Guidelines
• FFIEC
• DRI International Professional Practices
• CSA Z1600 (Canadian version of NFPA 1600)
• COBIT
• The Business Continuity Maturity Model - Virtual Corporation
• BASEL II
• BS 31100 (Risk Management)
• BS25777
• BS25999 Part 2 Business Continuity Management Systems
• BS25999 Part 1 Business Continuity Management Systems
• ASIS SPC.1-2009 - Organizational Resilience
• ASIS/BSI BCM standard
[Chart: Reasons for Developing & Maintaining a Program - Percent of Respondents Indicating "High Priority" by Program Maturity; series Immature and Mature; y-axis 0%–14%]
[Chart: Reasons for Developing and Maintaining a Program - Percent of Respondents Indicating "Priority" or "High Priority"; series 2012, 2011, 2010, 2009; x-axis 0%–90%. Reasons listed:]
• History of business interruption(s)
• Minimize future impact
• Protect stakeholders
• Comply with regulations or laws
• In response to audit results/recommendations
• Good business sense
• Right thing to do
• Customer requirement
• Contractual agreements/service-level agreements
• Insurance policy recommendation
• Organization wants to be globally competitive and must comply with international standards.
• Organization wants to be perceived to be compliant with good Corporate Governance.
• Organization wants to ensure safety of their employees.
• Organization wants to protect and increase its economic value.
• Protection of reputation and brand of organization.
Program Maturity Trends
Tangible Skills – Top Talent Management
• Certification
• Degree
• Real World Experience
• Leader in Profession
• Global Experience
• Wide Array of Discipline Expertise
• Training Expertise
Certification – Magic Number?
Average Total FTE Compensation by Number of Certifications

Number of Certifications    Avg 2011   % of Resp 2011    Avg 2012   % of Resp 2012
1 Certification             $108,283           26.10%    $112,550           26.22%
2 Certifications            $116,399           23.77%    $121,484           23.91%
3 Certifications            $115,295           16.54%    $120,918           16.45%
4+ Certifications           $122,818           14.34%    $126,936           14.27%
Not Certified               $112,885           19.25%    $117,111           19.15%
Certifications – Which One?
Average Total Compensation by Leading Certifications (Over 4% of Study Respondents)

Certification         Avg Comp   % of Resp
MBCI                  $132,284      19.50%
ABCP                  $101,092       8.74%
CBCP                  $118,313      71.14%
MBCP                  $136,465       7.18%
CERT                  $108,462      15.60%
NIMS                  $108,774      21.68%
CEM                   $104,615       4.99%
CISSP                 $133,951       4.68%
ITIL (Foundation)     $123,562      17.63%
PMP                   $122,334       8.58%
How Much Education?
Continuity Degrees?
Average Total Compensation and % of Respondents by Degree

Degree                             2012 Comp   % of Resp
High school Diploma                 $106,231       7.86%
Associate degree or equivalent      $111,411      11.79%
Bachelors Degree or equivalent      $117,859      46.01%
Masters Degree or equivalent        $125,886      32.07%
Doctorate or PhD or equivalent      $137,182       2.28%
Program Activation
Average Total Compensation and % of Respondents by Number of Times Managed Program Activations

Activations      Never        1-5       6-10      11-15      16-25      26-40        40+
2012 Comp     $103,747   $115,337   $131,411   $134,288   $139,896   $136,349   $152,229
% of Resp       11.36%     12.63%     14.39%     14.70%     15.32%     14.93%     16.67%
Program Development
Average Total Compensation and % of Respondents by Number of Times Developed Program from Scratch

Times            Never          1          2          3          4        5-7       8-10        10+
2012 Comp     $104,280   $115,075   $124,588   $126,653   $141,772   $119,330   $129,745   $128,833
% of Resp       10.53%     11.62%     12.58%     12.79%     14.32%     12.05%     13.10%     13.01%
Program Maturity Trends
Intangible Skills – Top Talent Management
• Ability to Engage All Levels.
• Understanding a Culture Fit.
• Diplomacy.
• Be a Leader.
• Delivering Business Cases to Executives.
• Think Outside the Box.
• Consider Your Personal Brand.
Are You A Leader?
Program Management
Average Total Compensation and % of Respondents by Years of Program Management Experience

Years       Does not apply        1-3        4-6       7-10      11-15      16-20      21-25        26+
2012 Comp          $98,595    $93,553   $103,896   $118,838   $130,993   $126,955   $149,367   $143,438
% of Resp           10.21%      9.69%     10.76%     12.31%     13.57%     13.15%     15.47%     14.85%
Presentation Experience
Average Total Compensation and % of Respondents by Times of Presenting

Times       Does not apply        1-5       6-10      11-15      16-25      26-40        41+
2012 Comp         $104,393   $116,644   $120,038   $130,782   $158,261   $157,000   $158,375
% of Resp           11.04%     12.34%     12.70%     13.83%     16.74%     16.61%     16.75%
Publishing Experience
Average Total Compensation and % of Respondents by Times of Publishing

Times       Does not apply        1-5       6-10      11-15      16-25      26-40        41+
2012 Comp         $110,140   $129,180   $152,963   $129,071   $136,143   $159,750   $162,000
% of Resp           11.25%     13.19%     15.62%     13.18%     13.90%     16.31%     16.54%
Behind the Numbers
• 2,260 study participants from over 50 countries
• Study is composed of 2 sections – Compensation & Program Management
• Compensation: 2,215 participants from 58 countries.
• Program Management: 1,106 participants from 35 countries.
Stay Ahead of the Game
• What Makes Sense for Your Organization?
• Be Strategic!
• What will get their focus?
• Remember – Enterprise, Highly Integrated & Executive Driven
Be a Top Talent
• Always Better Yourself.
• Stay Ahead of the Game.
• Be a Champion.
• Be Strategic.
• Take Initiative.
• Evolve.
• Always be Networking.
• Don’t be Afraid to Ask for a Promotion.
Achieve It
• Achieve Tangible Skills in Demand.
• SWOT.
• Evaluate Your Skills.
• Career Road Map.
• Guard Your Brand.
• Always Assess Goals.
• Understand When to Seek a New Employer. Don’t Just Jump!
Questions?
Cheyene Marling, Hon. MBCI
BC Management, Inc.
(714) [email protected]
www.bcmanagement.com