CONFIDENTIAL AND PROPRIETARY. This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other intended recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2015 Gartner, Inc. and/or its affiliates. All rights reserved.
October 24, 2015
Roberta Witty
ACP International / Gartner
Business Continuity Management Survey 2015
1 CONFIDENTIAL AND PROPRIETARY I © 2015 Gartner, Inc. and/or its affiliates. All rights reserved.
Who we are and why clients use Gartner Inc.
Gartner is the world's leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day.
IT is critical to every organization, but harder to manage successfully due to its increasing complexity.
Since 1979, Gartner has guided clients through difficult decisions, providing independent, actionable advice on how and where to reduce cost, deploy IT to add value, drive innovation and manage risk.
Who we serve
• IT End-User Professionals: CIOs, CTOs, CFOs, senior IT executives and their teams/associates
• High-Tech & Telecom Professionals: Executives, product leaders and marketing/sales professionals in high-tech and telecom companies, and their teams/associates
• Investment Professionals: Buy-side investment professionals, including those in public equity, venture capital, private equity and investment banking
• Supply Chain Professionals: Heads of supply chain, senior supply chain executives and functional teams
• Marketing Professionals: Digital marketing professionals, CMOs, chief customer officers, chief marketing technologists, heads of multichannel marketing, marketing analytics, digital commerce and their teams/associates
How clients use Gartner
Learn From Research
• Deep vertical coverage in nine industries
• 111,700 research docs across 1,230 topics covering all aspects of IT
• Targeted to your role, key initiatives and purchasing decisions
Talk to an Expert
• Proprietary methodologies and interactive models applied to provide clear insight and actionable advice
• 1,000 analysts engaging in over 215,000 client interactions a year in 85 countries
• Specific advice on your challenges, opportunities and projects
Network With Peers
• Exchange ideas, expertise and best practices with peers
• Connect with a growing community of peers drawn from our clients in 9,100 distinct enterprises
• World's largest community of CIOs and senior IT executives
Attend Conferences
• Content specific to your role, key initiatives and purchasing decisions
• 70+ yearly conferences worldwide attracting 50,000 attendees
• Access to analysts, industry peers and top solution providers
Initiate an Engagement
• Leverage industry research and unmatched market data
• 500 experienced consultants with industry-specific expertise
• Measure and improve performance using data from 5,500 benchmarks
Contents
• Project summary: study objectives and methodology; respondent profile
• Overview of survey results
• Recommendations
Project Objectives and Methodology
The purpose of this survey is to explore the perspectives of Business Continuity Management (BCM) professionals on BCM program management, business resilience and the impact of information security and IT outages on production and recovery activities. Results are to be presented to the ACP member community at the National Business Continuity Summit and Leadership Conference in October 2015.
In March 2015, ACP management asked the membership "What keeps you up at night?" The results were the basis of the joint ACP/Gartner survey.
Gartner surveyed ACP members in the U.S. between July 10, 2015 and August 5, 2015 to understand the perspectives of BCM professionals on business resilience and the impact of IT on production and recovery activities.
156 respondents participated. Organizations from all industries qualified. Qualified participants had to report being involved in, and able to give detailed feedback on, BCM activities at their organizations.
Interviews were conducted online. The sample universe was drawn from the ACP membership list.
The survey was developed collaboratively by a team of ACP personnel and Gartner analysts who follow these IT markets; it was reviewed and tested by Gartner's Research Data Analytics team and administered by ACP.
Respondent Profile: Organization Characteristics (n=156)

Primary Industry (Financial Services, i.e. banking, investment services and insurance, totals 38%):
Banking 21% | Insurance 11% | Utilities, energy 10% | Services 9% | Government 8% | Manufacturing 7% | Investment Services 6% | Retail 5% | Transportation 4% | Healthcare Providers 3% | Education 3% | Media 2% | Telecommunications 2% | All other 9%

Annual Revenue (USD): <$500M 22% | $500M-$10B 47% | $10B+ 30%

Employees Worldwide: SMB (<1,000) 21% | Large (1,000-9,999) 35% | XL (10,000+) 42%
Respondent Profile: Roles and BCM Responsibility (n=156)

Role (rationalized job titles):
Director/Manager, BCM 42% | Advisor/Analyst/Specialist, BCM 13% | Administrator/Coordinator/Planner, BCM 12% | Advisor/Analyst/Specialist, IT DRM 8% | Director/Manager, IT 6% | Director/Manager, IT DRM 5% | Director/Manager, Emergency Management-Safety 3% | Administrator/Coordinator/Planner, IT DRM 2% | Director/Manager, Risk 2% | Administrator/Coordinator/Planner, Emergency… 1% | Advisor/Analyst/Specialist, Risk 1% | Other 3%

BCM Responsibility:
• Responsible for my organization's BCM activities: 54%
• Responsible for BCM activities in at least one area, region, department or business unit at my organization: 35%
• BCM team member: 11%
How Gartner Defines BCM
(Diagram in the original.) BCM is built on Governance and Program Management and comprises Crisis/Incident Management, Business Recovery, IT Service Continuity Management, Supplier Contingency and Devolution/Resolution Planning. These disciplines cover the organization's Business Processes, Workforce, Customers, External Stakeholders, Suppliers/Partners, Facilities, Equipment, Vital Records and Information Technology.
Key Findings
• BCM Program Management
• Business Resilience: What Is It?
• Information Security and BCM Program Alignment
• IT Disaster Recovery Management
Findings Summary
• There is a large (38%) Financial Services skew (banking, investment services and insurance).
• The enterprise risk management (ERM) function is becoming the natural home for all BCM activities except IT DRM and Supplier Contingency.
• Survey participants believe senior management is not always making the financial investments needed for BCM, even though it does understand BCM's importance (64% give a top-box rating for understanding its importance vs. 37% for adequately funding it).
• "Business Resilience" seems to be the new name for Business Continuity Management.
• There is a high level of maturity regarding "business resilience": 69% have a formal program in place.
• 41% report they have not experienced a cyber-attack, that they know about; a further 20% don't know.
• Of the organizations attacked in the last three years, 41% report that their cyber-attack response and BCM plans were fully integrated.
• Most IT outages do not lead to a disaster declaration: 76% of respondents with outages in the last three years (42 of 55) declared none.
• An in-house or co-location-based warm site is the most common recovery sourcing strategy (35% for critical IT infrastructure and 29% for extremely critical IT services).
• Only 28% report using outsourced IT services for data processing. Of those, 59% are involved in the back-up of data processed by outsourced IT service providers.
Key Findings: BCM Program Management
Primary Reporting Responsibility for BCM Activities
Most-cited reporting line(s) for each BCM program function, as a percentage of respondents answering for that function. Enterprise or Corporate Risk Management is a top answer for six of the seven functions (all except IT Disaster Recovery); the COO for four; every other role for one.

BCM program function | Most-cited reporting lines
Crisis/Incident Mgmt (n=137) | Enterprise or Corporate Risk Management 25%; CEO or equivalent 15%; COO or equivalent 14%
IT Disaster Recovery Mgmt (n=140) | CIO or equivalent 41%; CTO or equivalent 21%
Business Recovery (n=139) | Enterprise or Corporate Risk Management 25%; COO or equivalent 17%
Supplier Contingency (n=72) | Procurement or Supply Chain Director 29%; Enterprise or Corporate Risk Management 17%; COO or equivalent 10%
Program Facilitation/Mgmt (n=131) | Enterprise or Corporate Risk Management 28%; Director/Manager, BCM 13%
Pandemic Planning (n=106) | Enterprise or Corporate Risk Management 27%; Human Resources 13%
Emergency Mgmt/Public Safety (n=76) | Enterprise or Corporate Risk Management 25%; COO or equivalent 11%; Director/Manager, Emergency Mgmt-Safety 11%
The Degree to Which Senior Management Values and Funds BCM (n=156)
Rating scale: 1 = strongly disagree, 7 = strongly agree.

Statement | 1-2 rating | 3-5 rating | 6-7 rating | Average rating
Understands the importance and business value of BCM | 8% | 28% | 64% | 5.6
Adequately funds activities to support BCM | 13% | 50% | 37% | 4.9

Adequately funds activities to support BCM, by employee size:
Rating | SMB (100 to 999 employees) | Large (1,000 to 9,999 employees) | X-Large (10,000+ employees)
Rating 1-2 (bottom box) | 14% | 13% | 11%
Rating 3-5 (middle box) | 32% | 65%* | 48%
Rating 6-7 (top box) | 54%* | 22% | 38%*
*statistically significant difference

Respondents at large-size orgs are less satisfied with BCM funding than respondents at smaller (SMB) or extra-large (XL) orgs. No other significant difference by company employee size or revenue. [See appendix for org size and revenue breakdowns]
Key Findings: Business Resilience: What Is It?
Maturity of the Business/Operational Resilience Program (n=156)
• Formal program in place: 69%
• Implementing a formal program: 17%
• Developing a strategy and scope: 8%
• Defining the implementation plan: 2%
• Do not have and not developing a formal program: 2%
Disciplines Covered in a Business/Operational Resilience Program
n=137; base = organizations with a current program, implementing one or defining one; multiple responses allowed
• Business Recovery 97%
• Crisis, Emergency, Incident Mgmt 93%
• IT Disaster Recovery or IT Service Continuity 91%
• Information Security 75%
• Facility Management and/or Real Estate 75%
• Physical Security 72%
• Operational Risk Management 70%
• Legal and/or Compliance 69%
• IT Risk Management 66%
• IT Vendor Risk Management 55%
• Financial Risk Management 53%
• Supplier Contingency 50%
• Insurance 47%
• Audit Management 47%
• Privacy 45%
• Supply Chain only 28%
• Other 7%
Key Findings: Information Security and BCM Program Alignment
Information Security and BCM Alignment
Experience of Cyber-Attacks and IT Outages (n=156)

Event | In last 3 years | >3 years ago | None | Don't know | Have experienced (total)
IT outage | 60% | 8% | 19% | 12% | 68%
Cyber-attack or information security breach | 31% | 8% | 41% | 20% | 39%
Information Security and BCM Alignment
Information Security Incidents as a BCM Scenario (n=156)

Plan | Currently included | Plan to include in next 12 months | Not planned within the next year | Don't know
Crisis communications plans | 64% | 18% | 10% | 8%
Business recovery plans | 49% | 21% | 21% | 10%
IT disaster recovery plans | 55% | 17% | 14% | 14%

Perform Exercises to Test Information Security Incidents in Recovery Plans
Base = organizations that "currently include" information security incidents as a scenario (from above)

Plan | Yes, performing exercises to test | Developing exercises for test plan | No, not currently testing | Don't know
Crisis communications plans (n=100) | 67% | 16% | 8% | 9%
Business recovery plans (n=76) | 67% | 16% | 8% | 8%
IT disaster recovery plans (n=86) | 74% | 10% | 10% | 5%
Information Security and BCM Alignment
Cyber-Attack Response Team Integration with BCM
n=49; base = organizations with a cyber-attack in the last 3 years
• Fully integrated response: 41%
• Somewhat integrated (all responded but not fully integrated): 35%
• No, response was not fully integrated: 8%
• Don't know: 16%
Key Findings: IT Disaster Recovery Management
IT Outages and Declared Disasters
n=55; base = IT outage in the last three years, excluding don't know

Number of outages in the last three years (respondents):
1 outage: 12 | 2 outages: 17 | 3 outages: 9 | 4 outages: 2 | 5 outages: 5 | 6 outages: 1 | 7 outages: 1 | 9 outages: 1 | 10 outages: 3 | 12 and 15 outages: counts not legible in the extracted chart
One respondent noted 50 outages (with 3 declared disasters).

Number of declared disasters (respondents):
0 disasters: 42 | 1 disaster: 9 | 2 disasters: 2 | 3 disasters: 1 | 4 disasters: 1
Data Protection Solutions by Recovery Tier
Multiple responses allowed; "don't know" (DK) responses are excluded from each base.

Solution | Critical IT infrastructure (n=107, excl. 31% DK) | Extremely critical IT services (n=106, excl. 32% DK) | Somewhat critical IT services (n=99, excl. 37% DK)
Database replication | 74% | 70% | 32%
Virtual machine replication | 67% | 65% | 32%
Storage-based replication | 60% | 65% | 31%
Backup sent to disk | 48% | 52% | 45%
Middleware-based transaction replication | 46% | 38% | 28%
Tape backup | 45% | 51% | 56%
Metro-area data mirroring | 32% | 25% | 28%
Most-Used Recovery Approaches for IT Services
Multiple responses allowed; "don't know" (DK) responses are excluded from each base.

Approach | Critical IT infrastructure (n=116, excl. 26% DK) | Extremely critical IT services (n=113, excl. 28% DK) | Somewhat critical IT services (n=112, excl. 28% DK)
In-house or colo-based warm site | 35% | 29% | 18%
Hot standby with automated failover | 16% | 9% | 5%
Hot standby, active processing of data | 15% | 12% | 7%
Disaster recovery provider cold site | 10% | 14% | 17%
Cloud-based recovery | 7% | 11% | 7%
Backup to tape held offsite | 7% | 9% | 18%
In-house or colo-based cold site | 6% | 8% | 7%
Backup to remote disk only | 4% | 5% | 12%
Does your organization use outsourced IT services for data processing? By organization size
28% of survey participants use outsourced IT services for data processing; 15% don't know.

By employee size (n=148):
Answer | SMB | Large | X-Large
Yes | 25% | 40% | 22%
No | 68% | 51% | 57%
Don't know | 7% | 9% | 22%

By revenue (n=112):
Answer | <$500M (n=25) | $500M-$10B (n=53) | >$10B (n=34)
Yes | 32% | 34% | 35%
No | 60% | 57% | 47%
Don't know | 8% | 9% | 18%
Back-Up and Exercising of Outsourced IT Services

Handling of IT services back-up (n=37, excluding 16% don't know):
• Outsourcer does backups of data and IT service components: 38%
• Outsourcer backup plus org does its own backups: 24%
• Share backup responsibilities: 16%
• Org does back-up, not the outsourcer: 19%
• Other: 3%

Vendor participates in disaster recovery exercises (n=44): Yes 61% | No 30% | Don't know 9%
Recommendations
• Align your BCM program function reporting to the ACP best practice approach, where appropriate.
• Use key performance indicators and BCM key risk indicators to educate senior management on the importance of continuity of operations.
• Inventory how your organization manages and aligns its risk management disciplines to determine their fit in your business resilience program.
• Use Gartner's ITScore online security and risk management maturity self-assessment tools to establish a baseline and a maturity improvement roadmap.
• Work with your computer security incident response team (CSIRT) to determine the integration points.
• Improve your coverage of information security incidents in all recovery plans, especially business recovery plans (only 49% include the scenario today, and a further 21% plan to add it within 12 months).
• Plan to exercise the information security incident scenario within the next six months.
• Maintain an inventory of all IT outages for root cause analysis and to support future recovery funding requests.
• Establish an application tiering model that maps recovery requirements and approaches to each tier.
• Review your IT outsourcing contracts to determine what you and the outsourcers are responsible for regarding backup/data protection.
• Require that your IT outsourcers take part in IT DR exercises so that there are no surprises and no delayed recovery efforts when disaster strikes.
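The application tiering recommendation is the one item above that lends itself to a worked illustration. The following Python script is an added example, not part of the ACP/Gartner survey or its materials: it classifies applications into the survey's three tiers (extremely critical, critical, somewhat critical) from their RTO and RPO targets, and then checks whether the recovery approach currently assigned to each application can actually meet those targets. The tier thresholds, the per-approach capability figures, the function names and the sample portfolio are all assumptions constructed for illustration; a practitioner would replace them with values from their own business impact analysis and from measured DR exercise results.

```python
"""Application tiering model: map recovery requirements (RTO/RPO) to a
recovery tier and check that each application's recovery approach can
meet them.

Added example, not part of the ACP/Gartner survey deck. Tier names and
approach names follow the survey; thresholds, approach capabilities and
the sample portfolio are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Tier:
    name: str
    max_rto: timedelta  # longest acceptable time to restore the service
    max_rpo: timedelta  # most data loss, measured in time, the business accepts


# Assumed thresholds, ordered from most to least demanding.
TIERS = (
    Tier("extremely critical", timedelta(hours=1), timedelta(minutes=5)),
    Tier("critical", timedelta(hours=8), timedelta(hours=1)),
    Tier("somewhat critical", timedelta(hours=72), timedelta(hours=24)),
)

# Assumed best achievable (RTO, RPO) per recovery approach named in the survey.
# Replace with figures measured in your own DR exercises.
APPROACHES = {
    "hot standby with automated failover": (timedelta(minutes=15), timedelta(0)),
    "hot standby, active processing of data": (timedelta(minutes=30), timedelta(minutes=1)),
    "in-house or colo-based warm site": (timedelta(hours=4), timedelta(minutes=15)),
    "cloud-based recovery": (timedelta(hours=4), timedelta(hours=1)),
    "disaster recovery provider cold site": (timedelta(hours=48), timedelta(hours=24)),
    "in-house or colo-based cold site": (timedelta(hours=48), timedelta(hours=24)),
    "backup to remote disk only": (timedelta(hours=24), timedelta(hours=24)),
    "backup to tape held offsite": (timedelta(hours=48), timedelta(hours=24)),
}


def _tier_index(value, attr):
    """Index of the least demanding tier whose limit still covers `value`,
    or None if the requirement is looser than the loosest tier."""
    for i, tier in enumerate(TIERS):
        if value <= getattr(tier, attr):
            return i
    return None


def assign_tier(rto, rpo):
    """The stricter of the two requirements decides the tier: an application
    with a relaxed RTO but a near-zero RPO still lands in the top tier."""
    candidates = [i for i in (_tier_index(rto, "max_rto"), _tier_index(rpo, "max_rpo"))
                  if i is not None]
    return TIERS[min(candidates)] if candidates else None


def approach_meets(approach, rto, rpo):
    """True if the approach's best achievable RTO and RPO are within the targets."""
    best_rto, best_rpo = APPROACHES[approach]
    return best_rto <= rto and best_rpo <= rpo


def review_portfolio(apps):
    """One finding per application: its tier and whether its current
    approach can meet its own RTO/RPO targets."""
    findings = []
    for app in apps:
        tier = assign_tier(app["rto"], app["rpo"])
        findings.append({
            "app": app["name"],
            "tier": tier.name if tier else "untiered",
            "approach": app["approach"],
            "meets_requirement": approach_meets(app["approach"], app["rto"], app["rpo"]),
        })
    return findings


# Constructed sample portfolio (hypothetical applications, not survey data).
SAMPLE_APPS = [
    {"name": "payments-switch", "rto": timedelta(minutes=30), "rpo": timedelta(0),
     "approach": "hot standby with automated failover"},
    {"name": "core-banking-batch", "rto": timedelta(hours=6), "rpo": timedelta(minutes=15),
     "approach": "in-house or colo-based warm site"},
    {"name": "hr-portal", "rto": timedelta(hours=72), "rpo": timedelta(hours=24),
     "approach": "backup to tape held offsite"},
    # One-hour RPO protected only by offsite tape: the kind of gap a tiering
    # review is meant to surface before an outage does.
    {"name": "claims-intake", "rto": timedelta(hours=8), "rpo": timedelta(hours=1),
     "approach": "backup to tape held offsite"},
]


def mismatches(apps=SAMPLE_APPS):
    """Names of applications whose recovery approach cannot meet their targets."""
    return [f["app"] for f in review_portfolio(apps) if not f["meets_requirement"]]


if __name__ == "__main__":
    for finding in review_portfolio(SAMPLE_APPS):
        print(finding)
    print("gaps:", mismatches())
```

The design choice worth noting is in assign_tier: the tier is driven by whichever of RTO or RPO is stricter, so an application that tolerates a long outage but cannot lose data is still treated as top tier, which is where a single-threshold model tends to go wrong. The review step then compares targets against what the assigned approach can deliver, rather than against the tier label, so a "somewhat critical" label does not hide an application whose data-loss requirement a nightly tape cycle cannot meet.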
Appendix
Project Study Objectives
The purpose of this survey is to explore the perspectives of Business Continuity Management (BCM) professionals on business resilience and the impact of IT on production and recovery activities. Results are to be presented to the ACP member community at the National Business Continuity Summit and Leadership Conference in October 2015.
Specifically, the survey is focused on risk mitigation, planning, exercising, responding, recovering and restoring activities in the following areas:
• Crisis or Incident Management: Establishing command and control over the incident, ensuring life and/or safety, crisis communications (internal and external)
• IT Disaster Recovery: Recovering IT services for the organization (internal and external)
• Business Recovery: Recovering the business processes for the organization including the workforce, special equipment, non-electronic vital records et al.
• Supplier Contingency: Recovering from a supplier's own outage
• BCM Program Facilitation and Management: Managing and governing the BCM program and its components across the organization
• Pandemic Planning: Pandemic planning is a unique scenario to manage. It may have different reporting responsibilities and tactics versus traditional BCM
• Emergency Management and Public Safety: Ensuring the life and/or safety of the public by government agencies
Respondent Profile: Respondent Involvement in BCM (n=156)
Multiple responses allowed

BCM activity | Activity exists at org | Respondent able to give detailed feedback
IT Disaster Recovery | 90% | 57%
Business Recovery | 89% | 74%
Crisis or Incident Management | 88% | 67%
BCM Program Facilitation and Management | 84% | 63%
Pandemic Planning | 68% | 49%
Emergency Management and Public Safety | 51% | 35%
Supplier Contingency | 46% | 24%
Other | 6% | 6%
Primary Industry: Full List (n=156)
• Banking 21%
• Insurance: Property and Casualty Insurance 8%
• Utilities: Electric or Gas Utilities 7%
• Government: Local or Regional 7%
• Services: Information Technology Services and Software 6%
• Investment Services 6%
• 3% each: Insurance: Health Insurance (payer); Healthcare Providers: Hospital or Integrated Delivery Network (IDN); Transportation: Warehousing, Couriers, Support Services; Services: Other Business, Consulting or Consumer Services; Retail: Specialty Retailers; Education: Higher Education
• 2% each: Telecommunications; Manufacturing: Other; Manufacturing: Automotive; Insurance: Other; Energy Resources and Processing
• 1% each: Utilities: Water Utilities; Media: Broadcasting or Cable; Manufacturing: Consumer Nondurable Products; Transportation: Rail and Water; Retail: Grocery; Retail: General Retailers; Media: Publishing or Advertising; Manufacturing: IT Hardware; Manufacturing: Heavy Industry; Insurance: Life Insurance; Government: Defense and Intelligence
• All other 9%
Primary Reporting Responsibility for BCM Activities (full results by function)

Crisis or Incident Management (n=137): Enterprise or Corporate Risk Management 25%; CEO or equivalent 15%; COO or equivalent 14%; CISO (Chief Information Security Officer) or equivalent 7%; CAO or equivalent 6%; Director/Manager, BCM 5%; Director/Manager, Emergency Management-Safety 5%; CIO or equivalent 4%; Human Resources 4%; CFO or equivalent 4%; Director/Manager, IT DRM 2%; CTO or equivalent 2%; Director/Manager Resilience 1%; Procurement or Supply Chain Director 1%; Other 1%; Primary responsibility for activity not clear 4%
IT Disaster Recovery (n=140): CIO or equivalent 41%; CTO or equivalent 21%; Enterprise or Corporate Risk Management 10%; CISO (Chief Information Security Officer) or equivalent 9%; COO or equivalent 4%; Director/Manager, BCM 3%; CAO or equivalent 2%; Director/Manager, IT DRM 1%; Director/Manager Resilience 1%; Advisor/Analyst/Specialist, BCM 1%; Advisor/Analyst/Specialist, IT DRM 1%; Procurement or Supply Chain Director 1%; CFO or equivalent 1%; CEO or equivalent 1%; Other 1%; Primary responsibility for activity not clear 3%
Business Recovery (n=139): Enterprise or Corporate Risk Management 25%; COO or equivalent 17%; Director/Manager, BCM 8%; CFO or equivalent 7%; CAO or equivalent 7%; CIO or equivalent 5%; CEO or equivalent 5%; CISO (Chief Information Security Officer) or equivalent 4%; Line of business 3%; Director/Manager, IT DRM 3%; Human Resources 3%; Director/Manager Resilience 1%; Administrator/Coordinator/Planner, BCM 1%; Procurement or Supply Chain Director 1%; CTO or equivalent 1%; Director/Manager, Emergency Management-Safety 1%; Director/Manager, Risk 1%; Legal or Chief Counsel 1%; Other 1%; Primary responsibility for activity not clear 4%
Supplier Contingency (n=72): Procurement or Supply Chain Director 29%; Enterprise or Corporate Risk Management 17%; COO or equivalent 10%; CISO (Chief Information Security Officer) or equivalent 6%; Director/Manager, Vendor Management 4%; Director/Manager, BCM 4%; CTO or equivalent 4%; CIO or equivalent 4%; CFO or equivalent 3%; CAO or equivalent 3%; Director/Manager Resilience 1%; Director/Manager, Risk 1%; Primary responsibility for activity not clear 14%
BCM Program Facilitation and Management (n=131): Enterprise or Corporate Risk Management 28%; Director/Manager, BCM 13%; CISO (Chief Information Security Officer) or equivalent 9%; COO or equivalent 8%; CIO or equivalent 6%; CAO or equivalent 6%; CTO or equivalent 4%; Administrator/Coordinator/Planner, BCM 3%; Director/Manager, Emergency Management-Safety 3%; Human Resources 3%; CFO or equivalent 2%; Director/Manager Resilience 2%; Director/Manager, IT DRM 2%; Procurement or Supply Chain Director 2%; Advisor/Analyst/Specialist, BCM 1%; Director/Manager, Risk 1%; Legal or Chief Counsel 1%; CEO or equivalent 1%; Other 2%; Primary responsibility for activity not clear 5%
Pandemic Planning (n=106): Enterprise or Corporate Risk Management 27%; Human Resources 13%; Director/Manager, BCM 9%; COO or equivalent 9%; CISO (Chief Information Security Officer) or equivalent 7%; Director/Manager, Emergency Management-Safety 5%; CAO or equivalent 5%; CTO or equivalent 4%; Line of business 2%; Director/Manager Resilience 2%; Administrator/Coordinator/Planner, BCM 2%; Director/Manager, IT DRM 2%; CIO or equivalent 2%; CFO or equivalent 2%; CEO or equivalent 2%; Director/Manager, Risk 1%; Administrator/Coordinator/Planner,… 1%; Legal or Chief Counsel 1%; Other 2%; Primary responsibility for activity not clear 3%
Emergency Management and Public Safety (n=79): Enterprise or Corporate Risk Management 25%; Director/Manager, Emergency Management-Safety 11%; COO or equivalent 11%; CAO or equivalent 9%; CISO or equivalent 6%; CEO or equivalent 6%; Facilities/Property Management 5%; Human Resources 4%; Director/Manager Resilience 3%; Director/Manager, BCM 3%; CTO or equivalent 3%; CIO or equivalent 3%; CFO or equivalent 3%; Director/Manager, Risk 1%; Admin/Coordinator/Planner, Emerg… 1%; Legal or Chief Counsel 1%; Other 3%; Primary responsibility for activity not clear 3%
Senior Management Values and Funds BCM (n=156)

Understands the importance and business value of BCM, by employee size:
Rating | SMB (100 to 999 employees) | Large (1,000 to 9,999 employees) | X-Large (10,000+ employees)
Rating 1-2 (bottom box) | 7% | 9% | 8%
Rating 3-5 (middle box) | 21% | 31% | 29%
Rating 6-7 (top box) | 71% | 58% | 63%

Understands the importance and business value of BCM, by revenue:
Rating | <$500 million | $500 million-$10 billion | >$10 billion
Rating 1-2 (bottom box) | 16% | 16% | 9%
Rating 3-5 (middle box) | 24% | 21% | 27%
Rating 6-7 (top box) | 60% | 62% | 65%

Adequately funds activities to support BCM, by employee size:
Rating | SMB (100 to 999 employees) | Large (1,000 to 9,999 employees) | X-Large (10,000+ employees)
Rating 1-2 (bottom box) | 14% | 13% | 11%
Rating 3-5 (middle box) | 32% | 65%* | 48%
Rating 6-7 (top box) | 54%* | 22% | 38%*
*statistically significant difference

Adequately funds activities to support BCM, by revenue:
Rating | <$500 million | $500 million-$10 billion | >$10 billion
Rating 1-2 (bottom box) | 32% | 21% | 24%
Rating 3-5 (middle box) | 28% | 69% | 35%
Rating 6-7 (top box) | 40% | 28% | 42%
Maturity of the Business/Operational Resilience Program: By Company Size

By revenue (n=112):
Status | <$500 million (n=25) | $500 million-$10 billion (n=53) | >$10 billion (n=34)
Have a formal program in place | 72% | 70% | 74%
Currently implementing a formal program | 20% | 21% | 12%
Developing a strategy and scope | 4% | 4% | 12%
Do not have the knowledge to answer | 0% | 4% | 0%
Defining the implementation plan | 4% | 0% | 0%
Do not have and not developing a formal program | 0% | 2% | 3%

By employee size (n=148):
Status | SMB | Large | X-Large
Have a formal program in place | 75% | 69% | 68%
Currently implementing a formal program | 7% | 22% | 15%
Developing a strategy and scope | 11% | 5% | 9%
Do not have the knowledge to answer | 0% | 0% | 5%
Defining the implementation plan | 7% | 0% | 2%
Do not have and not developing a formal program | 0% | 4% | 2%
Maturity of the Business/Operational Resilience Program: By Industry (n=156)
Employee-size definitions used in this appendix: SMB 100 to 999 employees; Large 1,000 to 9,999 employees; X-Large 10,000+ employees.

Status | Mfg | Utilities | Fin Services | Pharma & HC | Govt | Education | Retail | Transportation | Media | Communications | Services | All other
Base: All | 13 | 13 | 62 | 5 | 12 | 4 | 6 | 5 | 3 | 3 | 14 | 14
Have a formal program in place | 46% | 77% | 79% | 20% | 75% | 50% | 50% | 40% | 100% | 67% | 93% | 50%
Currently implementing a formal program | 31% | 8% | 13% | 40% | 17% | - | 50% | 60% | - | - | - | 21%
Program planned (net) | 15% | 15% | 5% | 40% | - | 25% | - | - | - | - | 7% | 29%
  Developing a strategy and scope | 8% | 15% | 2% | 40% | - | 25% | - | - | - | - | 7% | 29%
  Defining the implementation plan | 8% | - | 3% | - | - | - | - | - | - | - | - | -
Do not have the knowledge to answer | - | - | 3% | - | - | 25% | - | - | - | - | - | -
Do not have and not developing a formal program | 8% | - | - | - | 8% | - | - | - | - | 33% | - | -
Disciplines Covered in a Business/Operational Resilience Program: By Organization Size
Base: organizations currently defining, implementing or operating a business or operational resilience program; multiple responses allowed

Discipline | Total (n=137) | SMB (n=25) | Large (n=50) | X-Large (n=55)
Information Security | 75% | 76% | 70% | 78%
IT Disaster Recovery or IT Service Continuity | 91% | 92% | 90% | 91%
Business Recovery | 97% | 92% | 100% | 98%
Physical Security | 72% | 60% | 80% | 73%
Insurance | 47% | 44% | 50% | 45%
Crisis, Emergency, Incident Management (including crisis communications) | 93% | 96% | 92% | 95%
Facility Management and/or Real Estate | 75% | 60% | 74% | 82%
Legal and/or Compliance | 69% | 72% | 70% | 69%
Supply Chain only | 28% | 12% | 24% | 40%
IT Vendor Risk Management | 55% | 44% | 54% | 58%
Supplier Contingency | 50% | 32% | 58% | 55%
Audit Management | 47% | 44% | 42% | 51%
IT Risk Management | 66% | 64% | 60% | 75%
Privacy | 45% | 28% | 42% | 55%
Financial Risk Management | 53% | 44% | 52% | 60%
Operational Risk Management | 70% | 56% | 64% | 82%
Other | 7% | 4% | 6% | 9%
Disciplines Covered in a Business/Operational Resilience Program: By Industry
Base: organizations currently defining, implementing or operating a business or operational resilience program; multiple responses allowed

Discipline | Total | Mfg. | Utilities | Fin Services | Pharma & HC | Govt | Education | Retail | Transportation | Media | Communications | Services | All other
Base | 137 | 11 | 11 | 59 | 3 | 11 | 2 | 6 | 5 | 3 | 2 | 13 | 10
Information Security | 75% | 64% | 91% | 78% | 100% | 64% | - | 33% | 80% | 33% | 100% | 92% | 80%
IT Disaster Recovery or IT Service Continuity | 91% | 82% | 100% | 93% | 100% | 100% | 100% | 67% | 80% | 67% | 100% | 92% | 90%
Business Recovery | 97% | 100% | 100% | 97% | 67% | 91% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Physical Security | 72% | 91% | 100% | 66% | 67% | 55% | 50% | 83% | 40% | 67% | 100% | 77% | 70%
Insurance | 47% | 55% | 18% | 54% | - | 36% | 50% | 67% | 20% | - | 100% | 54% | 40%
Crisis, Emergency, Incident Management (including crisis communications) | 93% | 82% | 91% | 95% | 100% | 91% | 100% | 100% | 100% | 100% | 100% | 92% | 90%
Facility Management and/or Real Estate | 75% | 64% | 82% | 69% | 67% | 82% | 50% | 100% | 80% | 67% | 100% | 85% | 80%
Legal and/or Compliance | 69% | 73% | 73% | 64% | 33% | 64% | 50% | 83% | 80% | 33% | 100% | 92% | 70%
Supply Chain only | 28% | 27% | 27% | 27% | 33% | 18% | - | 50% | 60% | - | - | 31% | 20%
IT Vendor Risk Management | 55% | 27% | 45% | 68% | 33% | 55% | - | 50% | 20% | - | 50% | 85% | 30%
Supplier Contingency | 50% | 64% | 45% | 58% | 33% | 36% | 50% | 33% | 60% | - | 50% | 54% | 30%
Audit Management | 47% | 36% | 27% | 54% | 67% | 45% | 50% | 33% | 20% | - | 50% | 69% | 30%
IT Risk Management | 66% | 73% | 55% | 73% | 33% | 55% | - | 67% | 40% | 33% | 50% | 92% | 60%
Privacy | 45% | 36% | 27% | 51% | 67% | 36% | - | 17% | 20% | - | 50% | 85% | 30%
Financial Risk Management | 53% | 64% | 64% | 54% | - | 45% | 50% | 50% | 20% | - | 100% | 77% | 30%
Operational Risk Management | 70% | 73% | 91% | 73% | 67% | 55% | 50% | 33% | 80% | - | 100% | 85% | 60%
Other | 7% | 9% | 9% | 7% | - | - | 50% | - | - | - | - | 15% | -