©2012 Continuity Insights/KPMG LLP

2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study

Executive Summary

The complex environment in which businesses operate today creates the need for sophisticated business continuity management (BCM) programs that address a wide range of threats, including natural disasters, technology issues and manmade incidents. It is also important that these programs stay in sync with the strategic goals of the organization. The 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study is a comprehensive look at the current state of BCM programs and the drivers for further program development.

Data used in this report is based on anonymous survey responses from 685 executives in public and private companies, government agencies and authorities, educational institutions, and not-for-profit entities. Respondents come from over 40 countries with approximately one-third working for organizations with headquarters outside the United States. The online survey, conducted by Continuity Insights between November 2011 and January 2012, explores changes to the global risk landscape, supply chain interdependencies, the emergence and increased usage of cloud computing, mobile applications, and social media. Business continuity professionals should use this report to target underdeveloped capabilities within their own BCM programs. In addition to the report, readers can view the full collection of survey responses on the Continuity Insights Web site (www.continuityinsights.com).

Research Methodology

Respondents for the 2011-2012 Continuity Insights & KPMG LLP Global Business Continuity Management Program Benchmarking Study were obtained from the Continuity Insights subscriber base by way of its publications, Web site, and email deployments, as well as from other professional organizations that supported the study. The 20-minute online survey comprised 52 questions and was fielded from November 2011 through January 2012. Data was collected from 958 respondents, of which 685 respondents completed the entire survey. An average of 785 responses was collected for each question. KPMG business continuity professionals developed the survey questionnaire. Mint Jutras prepared the resulting tabulation and supplied analysis for select data points. For more information on the study methodology, please contact Mint Jutras at [email protected].

Requests For Benchmarking Reports & Key Contacts

If you would like to benchmark your organization by leveraging the 2011-2012 Continuity Insights and KPMG LLP Business Continuity Management (BCM) Program Benchmarking Study or custom reports, please provide the following information to Bob Nakao at [email protected]:

• Your name
• Your organization
• Your title
• Your e-mail address
• The complete study and/or custom report(s) you would like to receive: industry, type of entity, region of HQ operation, number of employees or annual revenue.

You will be provided the custom report(s), if available, generally within five (5) business days of the receipt of your request.

Other custom reports are available by type of entity, including public companies, private companies, government agencies and authorities, and not-for-profits. Custom reports for industries include education, financial services,


Survey Questions

1 Does your organization use survey results to enhance and/or generate executive support for your Business Continuity Management (BCM) Program?
2 How would you describe your organization's industry?
3 How many people are employed by your organization at all locations?
4 Which best describes your organization, type of entity, or enterprise?
5 How would you describe the geographical range of your operations?
6 Please indicate the location of your organization's global headquarters.
7 What are your company's approximate annual revenues in U.S. dollars?
8 Which best describes your primary job function?
9 How long has the BCM Program been in place at your organization?
10 What are the primary reasons for the establishment of the BCM Program at your organization?
11 Does your organization measure performance of the BCM Program?
12 How does your organization measure performance of the BCM Program?
13 What Business Continuity Standards are used by your company to support the BCM Program?
14 Has your organization incorporated capabilities to utilize social media in your current Business Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans?
15 Does your organization have a Senior Management Advisory or Steering Committee that provides input and assistance to the lead BCM Program Coordinator and BCM Program Coordination Team?
16 Does your organization have a designated full-time or part-time lead BCM Program Coordinator authorized to administer and keep the BCM Program current?
17 Which best describes the job title of the lead BCM Program Coordinator?
18 Which best describes the job title of the executive sponsor for the BCM Program?
19 Which best describes the C-Level executive with ultimate reporting responsibility for your BCM Program?
20 Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the BCM Program in your Corporate Program Office AND in your various Business Units/Functions (including contractors).
21 Please estimate the total budget for all staff in U.S. dollars (including contractors).
22 Please estimate the budget for the following components of your BCM Program in U.S. dollars.
23 Which of the following choices best describe how your organization's funds are allocated for BCM Program initiatives?
24 What BCM-related software packages has your organization implemented or plans to implement in the next year?
25 Which best describes your organization's current BCM Program status?
26 How would you rate the maturity of your organization's BCM Program?
27 Do you agree that your organization maintains and fosters relationships with external agencies to ensure the recovery of your organization during a disaster?
28 Do you require your mission critical 3rd party service providers to provide evidence that they have a viable BCM Program?
29 How are 3rd party service providers (Utilities, Information Technology, or Business Process Service Providers) integrated within your BCM Program?
30 How are key supply chain stakeholders that you rely on to deliver your products or services to market integrated within your BCM Program?
31 How well integrated is your BCM Program with the following capabilities?
32 How often does your organization conduct Risk Assessments?
33 How often does your organization conduct a Business Impact Analysis (BIA)?
34 How much would you estimate business disruptions have cost your organization in both outlays and internal (soft) costs in the past 12 months?
35 What would you estimate the total financial impact would be of a major disruption or outage that lasts for 5 business days?
36 Has your organization experienced an incident or interruption in the past year that caused you to activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans?
37 For the most recent interruption that required you to activate one or more BCM Plans, how well was your recovery time objective met?
38 When was your company's most recent Business Continuity Plan exercise?
39 What elements of your BCM Program were utilized during your most recent exercise?
40 What external companies or agencies have been involved with your most recent BCM Program exercise?
41 What percentage of your IT budget does your organization spend on disaster recovery capabilities?
42 What is your organization's current IT recovery strategy?
43 Which elements of your organization's current IT recovery strategy are undergoing change?
44 Is cyberterrorism included in your organization's current BCM Plans, Disaster Recovery Plans, and/or Crisis Management Plans?
45 What percentage of your organization's application data is currently stored in the cloud?
46 When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with representatives from other key stakeholder companies or agencies?
47 How frequently does your organization carry out full scenario testing of its Disaster Recovery Plan?
48 Please indicate which of the following are utilized by your organization, and have an IT Disaster Recovery Plan with documented procedures and written guidelines.
49 Did your organization's employees receive sufficient Business Continuity Management training in the past year?
50 What was your organization's investment in Disaster/Emergency Management and BCM training this past year in comparison to the year before?
51 What types of ongoing BCM training are utilized by your organization?

Twenty-seven (27) responses were received from respondents who identified that they work in the retail industry. Given the small sample, the reader should consider the results in this custom report as directionally correct rather than statistically precise.

QUESTION 1

Does your organization use survey results to enhance and/or generate executive support for your Business Continuity Management (BCM) Program?

Yes 81.48%
No 18.52%

QUESTION 2

How would you describe your organization's industry?

Aerospace/Defense 0.00%
Automotive 3.70%
Biotechnology 0.00%
Chemical/Petroleum 3.70%
Communications/Media 0.00%
Computer/Information Technology Telecommunications 3.70%
Computer/Information Technology Software 7.41%
Computer/Information Technology Services 11.11%
Education 0.00%
Entertainment/Media 3.70%
Financial Services/Banking 7.41%
Financial Services/Brokerage 0.00%
Financial Services/Credit Card 7.41%
Financial Services/Credit Union 0.00%
Financial Services/Investment 0.00%
Financial Services - Mortgages 0.00%
Government/City/Municipality 0.00%
Government - County 0.00%
Government/State/Province 3.70%
Government (Federal) 0.00%
Healthcare Medical/Hospital 0.00%
Healthcare Medical/Service Provider 3.70%
Human Resources 0.00%
Insurance 0.00%
International Non Government Organization (NGO) 0.00%
Logistics 0.00%
Manufacturing - Consumer Goods 3.70%
Manufacturing - Industrial Goods (Non-technology) 0.00%
Manufacturing - Medical Devices/Other Healthcare Products 0.00%
Not for Profit Organization 3.70%
Pharmaceuticals 0.00%
Power (Production/Transmission) 0.00%
Professional Services (Business Continuity/Operational Risk Consulting) 0.00%
Professional Services (IT/Business Process Outsourcing) 0.00%
Professional Services - Legal 0.00%
Professional Services (Other) 3.70%
Retail 100.00%
Transportation/Aviation 3.70%
Transportation/Mass Transit 0.00%
Transportation/Shipping 3.70%
Transportation - Trucking 3.70%
Utilities/Energy 0.00%
Utilities/Water 0.00%
Wholesale Distributors 3.70%
Other (please specify) 7.41%

QUESTION 3

How many people are employed by your organization at all locations? (select one)

Less than 25 0.00%
25 to 99 0.00%
100 to 499 3.70%
500 to 999 0.00%
1,000 to 4,999 11.11%
5,000 to 9,999 18.52%
10,000 to 19,999 11.11%
20,000 or more 55.56%

QUESTION 4

Which best describes your organization, type of entity, or enterprise? (select one)

Public Company 62.96%
Privately-Held Company 29.63%
Government Agency or Authority 3.70%
Education 0.00%
Not-for-Profit Organization 3.70%

QUESTION 5

How would you describe the geographical range of your operations? (select one)

Local - Single site operation in one location 3.70%
Regional - Multi-site operations in one region of one country 11.11%
National - Multi-site operations throughout the country of the organization's operations 37.04%
Global - Multi-site operations worldwide 48.15%

QUESTION 6

Please indicate the location of your organization's global headquarters.

Australia 0.00%
Austria 0.00%
Bahrain 0.00%
Belgium 3.70%
Brazil 0.00%
Canada 11.11%
Chile 0.00%
China (Hong Kong and Macau) 0.00%
Colombia 0.00%
Costa Rica 0.00%
Denmark 0.00%
France 0.00%
Hungary 0.00%
India 0.00%
Israel 0.00%
Italy 3.70%
Japan 3.70%
Germany 0.00%
Malaysia 0.00%
Mexico 0.00%
The Netherlands 3.70%
New Zealand 0.00%
Poland 0.00%
Portugal 3.70%
Romania 0.00%
Saudi Arabia 0.00%
Singapore 0.00%
South Africa 3.70%
South Korea (Republic of Korea) 0.00%
Spain 7.41%
Switzerland 0.00%
Taiwan 0.00%
Turkey 0.00%
United Arab Emirates 0.00%
United Kingdom 0.00%
United States 59.26%
Venezuela 0.00%
Other (please specify) 0.00%

QUESTION 7

What are your company's approximate annual revenues in U.S. dollars?

Less than $10 million 0.00%
$10 million to $50 million 7.41%
$50 million to $100 million 0.00%
$100 million to $500 million 7.41%
$500 million to $1 billion 11.11%
$1 billion to $5 billion 25.93%
$5 billion to $10 billion 14.81%
More than $10 billion 22.22%
Not applicable 3.70%
Do not know 7.41%

QUESTION 8

Which best describes your primary job function? (select one)

Business Continuity Management or BC Coordinator in Corporate Program Office 50.00%
Business Continuity Coordinator in Business Unit/Site/Support Group 3.85%
Compliance/Internal Audit 0.00%
Crisis Management/Emergency Management 7.69%
Enterprise Risk Management 3.85%
Employee Health and Safety 0.00%
Facilities Management/Real Estate 0.00%
Finance/Accounting 0.00%
Insurance/Liability Management 0.00%
IT Disaster Recovery (IT DR) Planning 23.08%
Legal 0.00%
Security Management 7.69%
Consultant/Analyst 0.00%
Other (please specify) 3.85%

QUESTION 9

How long has the BCM Program been in place at your organization? (select one)

Less than 1 year 8.00%
1 year to 3 years 20.00%
3 years to 5 years 16.00%
5 years to 10 years 44.00%
10 years to 20 years 8.00%
More than 20 years 0.00%
Do not know 4.00%

QUESTION 10

What are the primary reasons for the establishment of the BCM Program at your organization? (select all that apply)

Address audit finding(s) 8.33%
Continuity of business operations 50.00%
Customer request or requirement 6.25%
Federal government regulations/required by law 2.08%
Reputation 16.67%
Required by law 2.08%
Unique competitive advantage 4.17%
Other (please specify) 10.42%

QUESTION 11

Does your organization measure performance of the BCM Program?

YES 72.00%
NO 28.00%

QUESTION 12

How does your organization measure performance of the BCM Program?

Audit findings 13.64%
Benchmarking/comparison to industry norms 10.61%
Maturity modeling 9.09%
Metrics program (including executive reporting) 12.12%
BCM Program reviews 15.15%
Business Continuity Plan exercises 19.70%
Service level monitoring 3.03%
Review program capabilities vs. standards 3.03%
Technology recovery test results 12.12%
Cost/Benefit Analysis 1.52%
Other (please specify) 0.00%

QUESTION 13

What Business Continuity Standards are used by your company to support the BCM Program?

Australia - AS/NZS 5050:2010 Business continuity - Managing disruption-related risk 0.00%
Australia - AS/NZS ISO 31000:2010 Risk management - Principles and guidelines 0.00%
Australia - AS/NZS ISO/IEC 27001:2006 Information technology - Security techniques 0.00%
Australia - AS/NZS ISO/IEC 27002:2006 Information technology - Security techniques 0.00%
Australia - AS 3745-2002 Emergency control organization and procedures for buildings, structures and workplaces 0.00%
Austria - ONR 49000 0.00%
Austria - ONR 49001 0.00%
Austria - ONR 49002-1 0.00%
Austria - ONR 49002-2 0.00%
Austria - ONR 49002-3 0.00%
Austria - ONR 49003:2008 0.00%
Brazil - NC nº06/IN01/DSIC/GSIPR - Gestão de Continuidade de Negócios 0.00%
Canada - CAN/CSA-Z 731-03 0.00%
Canada - CSA Z1600-08 0.00%
China (Including Hong Kong and Macau) - Refer to International List 0.00%
Denmark - DS 3001:2009 Organisatorisk Robusthed 0.00%
Germany - Refer to International List 0.00%
India - Refer to International List 0.00%
Israel - SI 24001:2007 0.00%
Japan - Refer to International List 0.00%
Malaysia - MS1970:2007 0.00%
Netherlands - NEN 7131:2010 Organizational Resilience 0.00%
New Zealand - SAA/SNZ HB221:2004 0.00%
New Zealand - AS/NZS 5050 0.00%
New Zealand - AS/NZS 4360 0.00%
Singapore - SS 540:2008 0.00%
Singapore - SS 507:2004 0.00%
Singapore - MAS Consultation Paper on Business Continuity Planning (BCP) Guidelines (10 Jan 2003) 0.00%
Singapore - MAS Guidelines on Outsourcing - Section 6.6 BCM (Oct 2004) 0.00%
Singapore - TR19:2005 0.00%
South Korea - KS A ISO/PAS 22399 0.00%
UK - BS25999-1:2006 Code of Practice for Business Continuity Management 13.51%
UK - BS25999-2:2007 Specification for Business Continuity Management 16.22%
UK - BS25777:2008 ICT Service Continuity 0.00%
UK - BS31100:2009 Risk Management Standard 0.00%
UK - PD 25111 Human Aspects of BCM (published 2010) 0.00%
UK - PD 25666 Exercising BCM (published 2010) 0.00%
UK - PD 25888 Guidance on Business Recovery (estimated Q2 2011) 0.00%
UK - PD 25222 Guidance on Supply Chain Continuity (estimated Q3 2011) 0.00%
USA - ASIS SPC.1-2009 2.70%
USA - ASIS BCM.01-2010 2.70%
USA - ANSI/ARMA 5-2003 0.00%
USA - NERC CIP 002-009 (2006) 2.70%
USA - NIST SP 800-34 0.00%
USA - NFPA 232 Standard on Protection of Records 0.00%
International - ITIL v.3 IT Infrastructure Library 13.51%
International - ISO/IEC 22300 0.00%
International - ISO PAS 22399 0.00%
International - ISO/IEC 27031 0.00%
International - ISO 31000:2009 Risk Management Standard 0.00%

The following options were also listed for this question, but the extracted text does not allow their percentages to be reassociated with them: USA - CTIA Telecommunication Industry BCM Standard and certification; USA - NFPA Standard 1600 on Disaster/Emergency Management and Business Continuity Programs; International - COBIT (Control Objectives for Information and Related Technology) 4.1 (May 2007); International - ISO DIS 22301 Continuity Management System Requirements (estimated Q2 2012); International - ISO 9000 series Management Systems Standards - Quality; International - ISO/IEC 27001:2005 Management Systems Standards - Information Security; International - ISO/IEC 27002:2005 Management Systems Standards - Information Security; International - ISO/IEC 24762 Management Systems Standards - Information Security; International - ISO/IEC 27035 Management Systems Standards - Information Security. The unassociated values, in extracted order, are: 0.00%, 32.43%, 0.00%, 2.70%, 0.00%, 0.00%, 5.41%, 8.11%, 0.00%, 0.00%.

QUESTION 14

Has your organization incorporated capabilities to utilize social media in your current Business Continuity Management Plans, Disaster Recovery Plans and/or Crisis Management Plans? (select one)

Yes, included in current plans 17.39%
No, not included in current plans 52.17%
Plans are currently in development 30.43%

QUESTION 15

Does your organization have a Senior Management Advisory or Steering Committee that provides input and assistance to the lead BCM Program Coordinator and BCM Program Coordination Team? (select one)

Yes 65.22%
No 21.74%
Committee under development 13.04%
Do not know 0.00%

QUESTION 16

Does your organization have a designated full-time or part-time lead BCM Program Coordinator authorized to administer and keep the BCM Program current? (select one)

Yes, full-time 73.91%
Yes, part-time 13.04%
No 13.04%

QUESTION 17

Which best describes the job title of the lead BCM Program Coordinator?

Vice President, Business Continuity Management or Business Resilience 0.00%
Director or Manager, Business Continuity Management or Business Resilience 52.63%
Vice President, Risk Management 5.26%
Director or Manager, Risk Management 15.79%
Vice President of Information Technology 0.00%
Director or Manager of Information Technology 0.00%
CEO/President 0.00%
Chief Operating Officer 0.00%
Chief Financial Officer 0.00%
Chief Information Officer 0.00%
Chief Risk Officer 0.00%
Chief Security Officer, VP/Director 0.00%
Specific Department Director/Manager 10.53%
Other (please specify) 15.79%

QUESTION 18

Which best describes the job title of the executive sponsor for the BCM Program? (select one)

CEO/President 0.00%
Chief Operating Officer 10.53%
Chief Financial Officer 31.58%
Chief Information Officer 15.79%
Chief Risk Officer 15.79%
Chief Continuity Officer 0.00%
Emergency Management 0.00%
Vice President, Information Technology 10.53%
Other Corporate/Executive Management 15.79%

QUESTION 19

Which best describes the C-Level executive with ultimate reporting responsibility for your BCM Program? (select one)

CEO 4.55%
Chief Administrative Officer 0.00%
Chief Compliance Officer 0.00%
Chief Operating Officer 0.00%
Chief Financial Officer 36.36%
Chief Information Officer 22.73%
Chief Information Security Officer 4.55%
Chief Risk Officer 18.18%
Chief Security Officer 0.00%
Chief Technology Officer 4.55%
General Counsel 9.09%
President 0.00%
Other C-Level Executive (please identify the corporate/executive management title) 0.00%

QUESTION 20

Please estimate the number of Full-Time Equivalent (FTE) employees who are dedicated to the BCM Program in your Corporate Program Office AND in your various Business Units/Functions (including contractors). Please provide an estimate for all categories listed if you have an understanding of the resources assigned for ALL of the groups noted. Otherwise, please skip this question.

Corporate BCM Program Office - 0 to 2 FTEs 25.93%
Corporate BCM Program Office - 3 to 5 FTEs 5.56%
Corporate BCM Program Office - 6 to 9 FTEs 5.56%
Corporate BCM Program Office - 10 to 20 FTEs 0.00%
Corporate BCM Program Office - More than 20 FTEs 0.00%
Various Business Units/Functions - 0 to 2 FTEs 20.37%
Various Business Units/Functions - 3 to 5 FTEs 1.85%
Various Business Units/Functions - 6 to 9 FTEs 3.70%
Various Business Units/Functions - 10 to 20 FTEs 1.85%
Various Business Units/Functions - More than 20 FTEs 0.00%
Information Technology/Disaster Recovery - 0 to 2 FTEs 12.96%
Information Technology/Disaster Recovery - 3 to 5 FTEs 16.67%
Information Technology/Disaster Recovery - 6 to 9 FTEs 3.70%
Information Technology/Disaster Recovery - 10 to 20 FTEs 0.00%
Information Technology/Disaster Recovery - More than 20 FTEs 1.85%

QUESTION 21

Please estimate the total budget for all staff in U.S. dollars (including contractors).

Corporate BCM Program Office - Less than $250,000 18.37%
Corporate BCM Program Office - $250,000 to $500,000 12.24%
Corporate BCM Program Office - $500,000 to $1 million 4.08%
Corporate BCM Program Office - $1 million to $5 million 4.08%
Corporate BCM Program Office - $5 million to $10 million 0.00%
Corporate BCM Program Office - $10 million to $50 million 0.00%
Corporate BCM Program Office - More than $50 million 0.00%
Various Business Units/Functions - Less than $250,000 22.45%
Various Business Units/Functions - $250,000 to $500,000 2.04%
Various Business Units/Functions - $500,000 to $1 million 4.08%
Various Business Units/Functions - $1 million to $5 million 0.00%
Various Business Units/Functions - $5 million to $10 million 0.00%
Various Business Units/Functions - $10 million to $50 million 0.00%
Various Business Units/Functions - More than $50 million 0.00%
Information Technology/Disaster Recovery - Less than $250,000 10.20%
Information Technology/Disaster Recovery - $250,000 to $500,000 12.24%
Information Technology/Disaster Recovery - $500,000 to $1 million 0.00%
Information Technology/Disaster Recovery - $1 million to $5 million 10.20%
Information Technology/Disaster Recovery - $5 million to $10 million 0.00%
Information Technology/Disaster Recovery - $10 million to $50 million 0.00%
Information Technology/Disaster Recovery - More than $50 million 0.00%

QUESTION 22

Please estimate the budget for the following components of your BCM Program in U.S. dollars. Please provide an estimate for all categories listed if you have an understanding of the approximate budgets for ALL of the capabilities listed. Otherwise, please skip this question.

The table for this question did not survive extraction intact: the row labels and the percentages were separated, so the percentages below cannot be reliably reattached to a specific budget component. The six components asked about were:

BCM Program Third-Party Consultants (include program assessments, improving capabilities, etc.)
BCM Software/Hardware (include plan-related document repository and emergency notification solutions)
IT Disaster Recovery Costs (include hardware, software, internal recovery capabilities, 3rd party service provider fees, etc.)
Work Area Recovery (include site costs, 3rd party service providers, etc.)
BCM Program Exercises (include planning, conducting exercises, 3rd-party participation, travel and living expenses, etc.)
Training and Awareness Programs (include internal/external training, registration fees, travel and living expenses for conference attendance, etc.)

Each component was rated across the same seven budget ranges: Less than $250,000; $250,000 to $500,000; $500,000 to $1 million; $1 million to $5 million; $5 million to $10 million; $10 million to $50 million; More than $50 million.

The 42 percentages, in extracted order and grouped seven to a component (each group follows the range order above):

15.89%, 0.00%, 0.00%, 0.93%, 0.00%, 0.00%, 0.00%
15.89%, 0.93%, 0.00%, 0.00%, 0.00%, 0.00%, 0.00%
10.28%, 3.74%, 0.00%, 0.93%, 0.00%, 0.00%, 0.93%
2.80%, 3.74%, 1.87%, 5.61%, 0.00%, 0.00%, 0.93%
16.82%, 0.93%, 0.00%, 0.00%, 0.00%, 0.00%, 0.00%
14.02%, 1.87%, 0.93%, 0.00%, 0.00%, 0.93%, 0.00%

QUESTION 23

Which of the following choices best describe how your organization's funds are allocated for BCM Program initiatives? (select one)

Do not know 4.35%
On a case-by-case basis based on individual needs 30.43%
As an individual line item in each functional budget 8.70%
On a hybrid chargeback basis with a base fee plus additional usage charges 4.35%
As a percentage of the IT budget 21.74%
As a percentage of the risk management budget 8.70%
As a percentage of the individual functional budget 8.70%
Other, please briefly describe how funds are allocated (BCM Funding) 13.04%

QUESTION 24

What BCM-related software packages has your organization implemented or plans to implement in the next year? (select all that apply)

Business Continuity Management software 21.15%
Business Impact Analysis software 9.62%
Change Management software 7.69%
Emergency Notification software 25.00%
Enterprise Governance Risk and Compliance software 5.77%
Risk Assessment software 5.77%
Microsoft Office tools (i.e., Word, Excel, etc.) 19.23%
Other (please specify) 5.77%

QUESTION 25

Which best describes your organization's current BCM Program status? (select one)

We are currently in the process of establishing a BCM Program, defining program governance, scope, objectives, budgeting, and format for plans. 4.76%
We are currently in the assessment phase (i.e., Risk Assessment, Business Impact Analysis, Strategy Selection, etc.) for the first time in the program's lifecycle. 4.76%
We are currently developing BCM Plans, Crisis Management Plans, and Disaster Recovery Plans. 14.29%
We have a BCM Policy, Senior Management Steering or Advisory Committee, Business Continuity, Crisis Management, and Disaster Recovery Plans in place and have developed a process for updating those plans on a regular basis to reflect changes in the business and lessons learned from exercises, tests, or real events. 61.90%
Other (please describe) 14.29%

QUESTION 26

How would you rate the maturity of your organization's BCM Program? (select one)

Level 1 (Self Governed) – The state of preparedness is generally low across the organization. 4.76%
Level 2 – (level description not recovered from the extracted text) 14.29%
Level 3 (Centrally Governed) – A BCM Program Office or Department has been established which centrally delivers BCM Program governance and support services to the business units and other departments within the organization. 42.86%
Level 4 (Enterprise Awakening) – Senior management understands and is committed to the strategic importance of an effective BCM Program. All business continuity plans are updated routinely. 23.81%
Level 5 (Planned Growth) – A multi-year plan has been adopted to "continuously raise the bar" for planning sophistication and enterprise-wide state of preparedness. 9.52%
Level 6 (Synergistic) – Cross-functional coordination has led participants to develop and successfully test upstream and downstream integration of their business 4.76%

QUESTION 27

Do you agree that your organization maintains and fosters relationships with external agencies to ensure the recovery of your organization during a disaster? (select one)

Strongly Disagree 0.00%
Disagree 9.52%
Neutral 4.76%
Agree 76.19%
Strongly Agree 9.52%

QUESTION 28

Do you require your mission critical 3rd party service providers to provide evidence that they have a viable BCM Program?

Yes 61.90%
No 38.10%

QUESTION 29

How are 3rd party service providers (Utilities, Information Technology, or Business Process Service Providers) integrated within your BCM Program? (select one)

Not integrated/not applicable 4.76%
In the process of being integrated 28.57%
Integrated for certain mission critical 3rd party service providers 52.38%
Integrated for all mission critical 3rd party service providers 14.29%
Integrated for all 3rd party service providers 0.00%

QUESTION 30

How are key supply chain stakeholders that you rely on to deliver your products or services to market integrated within your BCM Program? (select one)

Not integrated/not applicable 19.05%
In the process of being integrated 38.10%
Integrated for certain supply chain stakeholders 42.86%
Integrated for all supply chain stakeholders 0.00%

QUESTION 31

Function                                         Completely  Well        Somewhat    Not at all  Not
                                                 Integrated  Integrated  Integrated  Integrated  Applicable
Compliance/Audit                                 20.00%      15.00%      30.00%      30.00%      5.00%
Corporate Security                               30.00%      25.00%      40.00%      5.00%       0.00%
Crisis Management                                40.00%      25.00%      35.00%      0.00%       0.00%
Employee Health and Safety                       20.00%      35.00%      40.00%      5.00%       0.00%
Enterprise Risk Management                       30.00%      30.00%      25.00%      10.00%      5.00%
Facilities/Real Estate Management                25.00%      25.00%      40.00%      10.00%      0.00%
Information Technology Management                35.00%      45.00%      15.00%      5.00%       0.00%
Information Security Management                  15.00%      55.00%      25.00%      5.00%       0.00%
Strategic Sourcing/Procurement                   0.00%       30.00%      45.00%      20.00%      5.00%
Strategic Planning                               0.00%       20.00%      50.00%      20.00%      10.00%
Relationships with 3rd Party Service Providers   5.00%       15.00%      55.00%      25.00%      0.00%
Relationships with Public Authorities            5.00%       10.00%      60.00%      25.00%      0.00%
Management of Insurance Coverage                 30.00%      20.00%      30.00%      15.00%      5.00%

QUESTION 32

How often does your organization conduct Risk Assessments? (select one)

In response to business changes 50.00%
Semi-annually 15.00%
Annually 20.00%
Every two years 10.00%
Every three years 0.00%
Never 5.00%
Other (please specify) 0.00%

QUESTION 33

How often does your organization conduct a Business Impact Analysis (BIA)? (select one)

In response to business changes 40.00%
Semi-annually 5.00%
Annually 15.00%
Every two years 20.00%
Every three years 15.00%
Never 0.00%
Other (please specify) 5.00%

QUESTION 34

How much would you estimate business disruptions have cost your organization in both outlays and internal (soft) costs in the past 12 months? (in U.S. dollars) (Include estimated costs of delayed/cancelled product and service revenues from existing offers, new products and services delayed/cancelled, lifetime cost of lost customers, and erosion/loss of brand value.)

Do not know 45.00%
Less than $25,000 20.00%
$25,000 to $50,000 5.00%
$50,000 to $100,000 0.00%
$100,000 to $250,000 5.00%
$250,000 to $500,000 5.00%
$500,000 to $1 million 10.00%
$1 million to $5 million 0.00%
More than $5 million 10.00%

QUESTION 35

What would you estimate the total financial impact would be of a major disruption or outage that lasts for 5 business days? (in U.S. dollars) (Include estimated costs of delayed/cancelled product and service revenues from existing offers, new products and services delayed/cancelled, lifetime cost of lost customers, and erosion/loss of brand value.)

Do not know 35.00%
Less than $25,000 0.00%
$25,000 to $50,000 0.00%
$50,000 to $100,000 0.00%
$100,000 to $250,000 5.00%
$250,000 to $500,000 5.00%
$500,000 to $1 million 5.00%
$1 million to $5 million 20.00%
More than $5 million 30.00%

QUESTION 36

Has your organization experienced an incident or interruption in the past year that caused you to activate any documented BCM Plans, Crisis Management Plans, or Disaster Recovery Plans? (select yes/no for each type of incident/interruption)

Civil Unrest: Yes 25.00%, No 75.00%
Earthquake: Yes 25.00%, No 75.00%
Fire: Yes 42.11%, No 57.89%
Flood: Yes 40.00%, No 60.00%
Indirectly Due to Supplier Issues or High Profile Neighbor: Yes 15.00%, No 85.00%
IT Related - Change Management Issue, Data Corruption, Denial of Access, Virus, Security, etc.: Yes 30.00%, No 70.00%
IT Related - Hardware/Software in Production: Yes 35.00%, No 65.00%
IT Related - Telecommunications (i.e., Voice, Data, Converged): Yes 35.00%, No 65.00%
IT Related - Upgrade/Scheduled Outage: Yes 20.00%, No 80.00%
Power: Yes 45.00%, No 55.00%
Privacy: Yes 5.00%, No 95.00%
Severe Weather (i.e., Hurricane, Tornado, Winter Weather): Yes 65.00%, No 35.00%
Terrorist Attack: Yes 10.00%, No 90.00%
Theft: Yes 15.00%, No 85.00%
Other: Yes 7.69%, No 92.31%
If you selected "Other," please specify: 5.00%

QUESTION 37

For the most recent interruption that required you to activate one or more BCM Plans, how well was your recovery time objective met? (select one)

Completely 25.00%
Mostly 30.00%
Somewhat 5.00%
Not at all 0.00%
Not applicable 20.00%
Do not know 20.00%

QUESTION 38

When was your company's most recent Business Continuity Plan exercise? (select one)

Within the past 6 months 85.00%
Within the past year 10.00%
Within the past 2 years 0.00%
We do not exercise our plans 5.00%

QUESTION 39

What elements of your BCM Program were utilized during your most recent exercise? (select all that apply)

Call Tree/Notification Process 20.83%
(option label missing) 22.92%
Entire site-specific business and technology recovery exercise 12.50%
Alternate site (work area recovery) exercise 20.83%
Mock crisis/emergency management exercise 20.83%
None/Not applicable 2.08%

QUESTION 40

What external companies or agencies have been involved with your most recent BCM Program exercise? (select all that apply)

Public Sector Agencies 15.00%
Supply Chain Partners 10.00%
3rd Party Service Providers 20.00%
None/Not Applicable 55.00%

QUESTION 41

What percentage of your IT budget does your organization spend on disaster recovery capabilities? (select one)

< 1% 20.00%
1% to 2% 0.00%
3% to 4% 0.00%
5% to 10% 10.00%
More than 10% 0.00%
Do not know 70.00%

QUESTION 42

What is your organization's current IT recovery strategy? (select all that apply)

Internal – Hardware and Software Solution 29.17%
External – Hardware and Software Solution 20.83%
Combination/Hybrid of Internal and External Solutions 45.83%
Move certain capabilities to a Public Cloud Vendor 0.00%
Move certain capabilities to a Private Cloud Solution 0.00%
Other (please specify) 4.17%

QUESTION 43

Which elements of your organization's current IT recovery strategy are undergoing change? (select all that apply)

Internal – Hardware and Software Solution 25.71%
External – Hardware and Software Solution 11.43%
Combination/Hybrid of Internal and External Solutions 28.57%
Move certain capabilities to a Public Cloud Vendor 8.57%
Move certain capabilities to a Private Cloud Solution 20.00%
Other (please specify) 5.71%

QUESTION 44

Yes, included in current plans 35.00%
No, not included in current plans 40.00%
No, but plans to include are in development 25.00%

QUESTION 45

What percentage of your organization's application data is currently stored in the cloud? (select one)

Do not know 40.00%
None 45.00%
< 10% 15.00%
Between 10% - 24% 0.00%
Between 25% – 49% 0.00%
Between 50% - 75% 0.00%
>75% 0.00%
All 0.00%

QUESTION 46

When did your organization last conduct a test(s) of the IT Disaster Recovery Plans with representatives from other key stakeholder companies or agencies? (e.g., supply chain partners, service providers, public sector agencies) (select one)

Never 30.00%
In the past six months 35.00%
Within the last year 15.00%
Within the last two years 0.00%
More than two years ago 5.00%
Do not know 15.00%

QUESTION 47

How frequently does your organization carry out full scenario testing of its Disaster Recovery Plan? (select one)

Do not know 0.00%
Never 30.00%
In response to business changes 10.00%
Semi-annually 15.00%
Annually 30.00%
Every two years 10.00%
Every three years 0.00%
Other (please specify) 5.00%

QUESTION 48

Please indicate which of the following are utilized by your organization, and have an IT Disaster Recovery Plan with documented procedures and written guidelines. (please provide a response for each category)

Category              Utilize - HAVE an IT          Utilize - DO NOT have an      Do Not Utilize
                      Disaster Recovery Plan        IT Disaster Recovery Plan
Cloud Applications    20.00%                        20.00%                        60.00%
Mobile Applications   45.00%                        20.00%                        35.00%
Social Media          20.00%                        25.00%                        55.00%

QUESTION 49

Did your organization’s employees receive sufficient Business Continuity Management training in the past year?

YES 45.00%
NO 55.00%

QUESTION 50

What was your organization’s investment in Disaster/Emergency Management and BCM training this past year in comparison to the year before? (select one)

We spent significantly more money in 2011 than in 2010 30.00%
(option label missing) 60.00%
We spent less money in 2011 than we did in 2010 10.00%

QUESTION 51

Attend industry conferences 21.25%
Attend association meetings 23.75%
Attend continuing education courses at colleges/universities 7.50%
Internal company training 16.25%
Training provided by third-party companies 8.75%
Pursue professional certification courses 15.00%
Undergraduate degree program 2.50%
Graduate degree program 3.75%
Other (please specify) 1.25%