How Organizations Are Effectively Leveraging BCM Benchmarking Data. October 7, 2014

Transcription

1 How Organizations Are Effectively Leveraging BCM Benchmarking Data October 7, 2014

2 Study Methodology Respondents for the study were obtained from the Continuity Insights subscriber base by way of its publications, Website and deployments, as well as from other professional organizations that supported the study. The online survey was comprised of 56 questions and was fielded from January 2014 to February Data was collected from 434 respondents, of which 305 respondents completed the entire survey. The study questions were developed by Robbie Atabaigi, Manager, KPMG LLP and Marty Plevel, Director, KPMG LLP. Tri-Media Group prepared the resulting tabulation and supplied analysis for selected data points. As in previous years, a major focus of the study is BCM program integration with other disciplines and third parties. This year we focused on the impact of a Steering Committee has on a BCM program. In order to tease out the most compelling and more subtle results from the study, a panel of subject-matter professionals reviewed and commented on the raw data collected.

3 Acknowledgements Association of Contingency Planners (ACP) Association of Sacramento Area Planners (ASAP) BC Management USA Chapter of the Business Continuity Institute (BCI-USA) Business Continuity Institute (BCI) (International Headquarters in the U.K.) Business and Industry Council for Emergency Planning and Preparedness (BICEPP) Business Resumption Planning Association (BRPA) Canadian Security Partners Forum Contingency Planners of Ohio (CPO) Contingency Planning Exchange (CPE) Continuity Central Continuity Planning Association of the Carolinas (CPAC) Disaster Recovery Journal (DRJ) Disaster Resource Guide Forbes Calamity Prevention (Singapore/Asia) Global Conference on Disaster Management Mid Atlantic Disaster Recovery Association (MADRA) New England Disaster Recovery Information Exchange (NEDRIX) Risk & Insurance Management Society (RIMS DRI International Rothstein Business Survival Southeastern Business Recovery Exchange (SEBRE) Southeast Continuity Planners Association (SCPA) Continuity Insights and KPMG LLP would like to acknowledge the following organizations for their contribution in helping raise the awareness and the value of the Continuity Insights & KPMG LLP Global Business Continuity Management (BCM) Program Benchmarking Study. In addition, we would like to acknowledge the subject matter professionals that reviewed the survey results and provided their point of view for use in this presentation, the study report and the companion article.

4 Key Takeaways Establishment of a Senior Management Advisory or Steering Committee and focused resources from the organization s Program Management Office are critical considerations in driving program capabilities and effectiveness. Regulatory compliance moved up from the third most frequently provided response to the second most frequently provided response, replacing reputation as the second most frequent response to the question What are the primary reasons your organization has established a BCM Program? There is a significant difference in the number of organizations that measure program performance, achieve recovery time objectives, complete a Business Impact Analysis, Risk Analysis and other program related work streams where a steering committee is in place.

5 Panelists Our three panelists will discuss how the study results can be used to improve BCM programs, the steps required to implement these improvements, lessons learned during the benchmarking process, and how they leveraged the results with leadership and other stakeholders. Panelists: Moderator: Tim Mathews Executive Director, Enterprise Resiliency ETS Ken Otis Director, Business Continuity Management CVS Caremark Doug Weldon President BCI (Business Continuity Institute) Robbie Atabaigi Information Protection & Business Resilience KPMG

6 BCI Doug Weldon The Business Continuity Institute ( Established in 1994, the BCI has established itself as the most preeminent global membership and certifying organization for business continuity professionals with over 8,000 members and 90 partners in more than 100 countries worldwide. The BCI seeks to promote and facilitate the adoption of good business continuity practice worldwide by: Raising standards in business continuity Undertaking industry research Driving thought leadership in business continuity Facilitating the sharing of best practice in business continuity Training and certifying BC professionals Raising the value of the BC profession Developing the business case for business continuity.

7 Benchmarking Doug Weldon Benchmarking Considerations: The value of benchmarking in identifying trends and best practices cannot be overemphasized. That said, a benchmark must be driven by frequently and statistically justified data collection techniques and expert analysis. The rise of compliance as a BCM driver is not surprising, and more emphasis on compliance is ahead. Compliance applies to all stakeholders. Cyber security, as the most important threat of our time, will change the way we manage BC and Risk as a whole. Which came first, an effective Steering Committee driven BCM Program or strong topdown senior leadership support?

8 ETS Tim Mathews ETS is devoted to Fair, Accurate and Meaningful Products and Services from Research to Delivery Since 1947 serving Teachers, Employers, Policymakers and Learners at all levels Today nonprofit ETS develops, administers and scores more than 60 million tests annually in more than 180 countries at over 9,000 locations worldwide ETS is advancing the field of Measurement through Experience, Expertise and Excellence with more than 6,000 employees (850 with advanced degrees and 310 with doctorates) Products and services include: GRE, the Praxis Series, TOEFL and TOIEC - for more information visit

9 Growing Technology Risks Cloud, Cyber and xaas Tim Mathews Business units and IT are embracing the Cloud. BCM programs need to understand this technology, the risks and the potential impacts to build appropriate strategies and plans Before going to the cloud, develop an exit strategy Cyber breaches can do real damage to trusted brands (consider JPMorgan Chase, Home Depot and Target) Crisis management planning should include Cyber risks and response More and more risk is being pushed out to the supply chain and 3 rd parties. Add supply chain resilience audits and reporting to BCM

10 BCM Program Measurement and Certification Tim Mathews Audit findings and exercise/test results continue to be the measures of choice for most BCMs Consider measuring BCM program impact on new and retained business BIA and Risk Assessments continue on a 1-3 year cycle Consider moving to a perpetual review model that leverages change management and budget processes ISO has been identified as the standard supporting most BCM programs Incremental cost of certification is relatively low for mature BCM programs

11 CVS Ken Otis CVS Health s Purpose: Helping people on their path to better health Headquartered in Woonsocket, RI More than 200,000 employees in 46 states, DC and Puerto Rico Through our 7,700 retail pharmacies, more than 900 walk-in medical clinics, a leading pharmacy benefits manager with more than 65 million plan members, and expanding specialty pharmacy services, we enable people, businesses and communities to manage health in more affordable, effective ways. Largest pharmacy health care provider in the U.S.

12 BCM Steering Committee Kenneth Otis Survey Question: Does your organization have a Senior Management Advisory or Steering Committee that provides input and assistance to the BCM Program Coordinator and Team in the preparation, implementation, evaluation and revision of the program? Results: 71% said Yes, up from 65% in the survey Building a BCM Steering Committee Identify and executive sponsor; someone with reach to the CEO Membership should include senior management from varying business units Members should be known and visibly support the BCM Program Establish a charter: Mission, Purpose, Scope, Objectives & Responsibilities Discuss the charter with membership before making it final

13 BCM Steering Committee Kenneth Otis Once in Place Committee should draft the BCM policy BCM senior manager to facilitate the effort Update the policy overtime, as the program matures Committee should support the implementation of your BCM program Provide quarterly status updates of the BCM program BIAs completed Percentage of plan updates Test results Review exercises or plan activations Highlight and share lessons learned Track action items to completion Evaluate membership, annually Changes to business operations Participation in meetings

14 In Summary... Thank you for your participation in today s session. The quotes in this presentation were provided to Continuity Insights by business continuity practitioners that provided quotes for this presentation, the companion report and article published by Continuity Insights. Reprints of the article are available at Complete study results and custom reports that have been published are available upon request. For more information, contact Robbie Atabaigi at ratabaigi@kpmg.com or Bob Nakao at Robert.Nakao@advantagemedia.com. Available custom reports based on type of entity, revenue, number of employees and various industries: Annual revenue Entity type (public companies, private companies, government agencies or authorities, and not for profits) Governance (Entities with an Advisory Steering Committee, Entities with no Advisory Steering Committee) Industries (Computers/IT hardware/software and services, Financial Services, Government, Healthcare, Manufacturing, Professional Services, and Utilities) Number of employees

15 Contacts Panelists: Moderator: Tim Mathews Executive Director, Enterprise Resiliency ETS Ken Otis Director, Business Continuity Management CVS Caremark Doug Weldon President BCI (Business Continuity Institute) Robbie Atabaigi Manager, Information Protection & Business Resilience KPMG