USA: +1(669)289-8683 
Sign in
I HAVE ATTACH PDF. PLEAS USE AS REFERENCE …APA FOMAT NO PLAGARIZM
Objective: Assess the issues, procedures, and techniques involved in IT resource contingency planning.
Competencies: Critical thinking
Instructions: In approximately 10-12 double-spaced pages discuss the planning steps, possible recovery options, and recommended testing requirements needed to support a successful business contingency/continuity of operations environment. Finally, the paper should include your recommendation for a proposed 24-month cycle business contingency testing plan — what should be tested and how the test should be conducted. Perhaps ranking possible critical corporate assets with the type of testing (i.e., plan reviews, table-top exercises, or perhaps up to and including full blown backup and recovery tests) You should take into consideration costs associated with the recommended testing process — not only personnel and equipment but also production costs.
Prepare your paper in Word. Include a minimum of 5 sources. The citations and the reference list in the paper should be formatted in accordance with APA 6th edition guidelines. Note: Also include a cover page, a one-paragraph abstract, a table of contents and any appendix (if necessary), which do not count toward the regular length of the paper.
Mak ing Leaders Successful Ever y Day
February 26, 2009
Businesses Take BC Planning More
Seriously
by Stephanie Balaouras
for Security & Risk Professionals
www.forrester.com
© 2009, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available
resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar,
and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. To
purchase reprints of this document, please email clientsupport@forrester.com. For additional information, go to www.forrester.com.
For Security & Risk Professionals
E x E C u T i v E S u M M a R y
Business continuity (BC) planning consists of three critical phases: business impact analysis (BIA),
risk assessment (RA), and plan documentation. In our Forrester/Disaster Recovery Journal Business
Continuity Preparedness Survey, Q4 2008, we found that businesses are taking the time to complete
each phase and regularly update BIAs, RAs, and plans. This is due in part to the increasing priority
that businesses place on BC readiness, but it’s also due to the increasing scrutiny businesses are under
from both internal auditors and external parties such as regulatory bodies, strategic partners, and even
customers. Security and risk management professionals, particularly CISOs and BC directors and
managers, must ensure that their own planning efforts are on par with those of their peers and pay close
attention to the areas where businesses are struggling: testing more thoroughly and frequently, involving
business owners in the process from start to finish, and ensuring the BC readiness of strategic partners.
Ta B l E o F C o n T E n T S
Internal And External Audiences Now
Demand Proof Of BC Readiness
Before You Can Plan, You Need To Understand
Your Business And Your Risks
You Must Document BC Strategies In Plans
And Keep Plans Current
You Must Include Business Owners From Start
To Finish
R E Co M M E n daT i o n S
Focus On Incremental Improvements
Supplemental Material
n o T E S & R E S o u R C E S
This report contains data from an online survey
that Forrester Research and the Disaster Recovery
Journal (dRJ) conducted in october 2008 of
295 business continuity decision-makers and
influencers at global businesses.
Related Research Documents
“More Businesses now institutionalize Business
Continuity Management”
January
13
, 200
9
“CiSos Must Take The lead on Business
Resiliency”
october 21, 200
8
“Case Study: vodafone uK uses Business
Continuity as a Competitive advantage”
october 8, 2008
“inquiry insights: Business Continuity, Q3 2008”
September 22, 2008
February 26, 2009
Businesses Take BC Planning More Seriously
But Take The BC Readiness of Strategic Partners For Granted
This is the second document in the “State of Enterprise Business Continuity” series.
by Stephanie Balaouras
with Simon yates and allison Herald
2
3
5
10
12
13
mailto:clientsupport@forrester.com
www.forrester.com
www.forrester.com
http://www.forrester.com/go?docid=46481&src=47924pdf
http://www.forrester.com/go?docid=46481&src=47924pdf
http://www.forrester.com/go?docid=46137&src=47924pdf
http://www.forrester.com/go?docid=46137&src=47924pdf
http://www.forrester.com/go?docid=47201&src=47924pdf
http://www.forrester.com/go?docid=47201&src=47924pdf
http://www.forrester.com/go?docid=47152&src=47924pdf
© 2009, Forrester Research, inc. Reproduction ProhibitedFebruary 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
2
INTERNAl AND ExTERNAl AUDIENCES NOw DEMAND PROOF OF BC READINESS
At one time, you might have been able to pass an internal BC audit with a few hastily prepared plans
and supporting documentation. Today, whether you’re a private or public entity, BC readiness is no
longer just an internal concern. You must provide proof of BC readiness to multiple external parties.
According to the Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4
2008, almost 80% of respondents tell us that their firms have had to provide proof of BC readiness to at
least one — but sometimes more — external parties in the past 12 months, including (see Figure 1):
· Regulatory auditors who enforce readiness mandates. A number of government regulations
expressly mandate BC planning. The Health Information Portability and Accountability Act
(HIPAA), for example, mandates BC planning for organizations that either provide healthcare
or support other healthcare providers. Financial institutions must comply with guidelines set
out in the Federal Financial Institutions Examination Council (FFIEC) Business Continuity
Planning Booklet in the US and Basel II in Europe.
· First responders who want you to participate in coordinated exercises. In the UK, the
transportation and utility companies that the government considers critical to the national
infrastructure are subject to the UK Contingencies Act. Category 2 responders must take part in
coordinated exercises with Category 1 responders like emergency services and local authorities.1
Mobile communications provider Vodafone UK is considered a Category 2 responder and is
subject to the provisions of the UK Contingencies Act.2
· Strategic partners who won’t just take your word for it. If you’re the sole supplier of a
particular product or service to a business, expect that business to demand proof of your
readiness. Repligen Corporation, a small US-based biotech company, is the sole provider of
a protein compound for several large pharmaceutical firms, and not surprisingly, Repligen’s
BC readiness is a major concern to its partners. To ease these concerns and more readily
provide proof of its readiness, Repligen became the first North American company to achieve
certification to BS 25999, the British standard for business continuity management.3
· Customers who demand uninterrupted service. In some industries like online retail and
brokerage, service interruption is an excuse to jump to a competitor. In some cases, customers
rely on timely delivery of products or uninterrupted service to conduct business. In the case
of infrastructure, telecommunication, and IT-related services, customers such as financial
institutions will demand to see proof of your BC readiness since the delivery of your services is
crucial to their business operations.
© 2009, Forrester Research, inc. Reproduction Prohibited February 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
3
Figure 1 Who Wants To Know That you are Ready?
BEFORE YOU CAN PlAN, YOU NEED TO UNDERSTAND YOUR BUSINESS AND YOUR RISKS
Given the cost and complexity of business continuity and disaster recovery (BC/DR) solutions, you
can’t take any shortcuts in the planning process. You must commit to completing the critical phases
of BIA, RA, strategy development, and plan documentation.
More Businesses will Conduct A BIA, But Not All will Refresh It Regularly
During a BIA, businesses classify their business processes by criticality (i.e., mission-critical,
business-critical, business-important), determine the cost of downtime, and map all dependent
resources. Resources may include IT assets, non-IT assets (i.e., physical facilities and other physical
resources), manual business procedures, paper documents, people, business partners, suppliers, and
service providers. In our study we found that:
· Most businesses will conduct a BIA . . . Our study found that most businesses do take the time
to conduct a BIA before they embark on BC strategy development and plan documentation.
Approximately 68% of respondents have conducted a BIA, and 19% plan to do so in the next 12
months (see Figure 2).
· . . . but not all will take the time to refresh it. Our survey also uncovered that only 50% of these
respondents refresh the BIA annually, while almost 26% refresh it every two years. Businesses
need to commit to refreshing the BIAs more regularly. In today’s dynamic business environment,
businesses routinely merge, acquire other companies, divest parts of the business, launch new
products and services while they end-of-life others, and continuously change relationships with
partners. An out-of-date BIA means that your BC plans are likely out-of-date as well.
Source: Forrester Research, Inc.4792
4
“In the past 12 months, have any external parties demanded proof of your company’s business
continuity readiness? If so, which ones?”
Base: 295 global business continuity decision-makers and influencers
(multiple responses accepted)
4
2%
42%
3
8%
2
3%
8%
5%First responders (i.e., police, fire, etc.)
Other
Strategic partners (i.e., suppliers)
Customers
Regulatory auditors — industry
Regulatory auditors — government
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
© 2009, Forrester Research, inc. Reproduction ProhibitedFebruary 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
4
Figure 2 Have you identified your Most Critical Business Processes?
More Businesses Recognize The Importance Of A Risk Assessment
It’s also important that you identify the most probable, high-impact risks, and not spend your time
and your money trying to address every possible risk. Some risks might have an enormous impact
but are highly improbable, like an accident at a nearby nuclear power plant that has no history of
accidents. Other risks have moderate impact but are highly probable and frequent, like severe winter
storms in the Northeast US. Forrester’s study found that:
· Risk assessments have become commonplace . . . In the past, businesses often focused their
BC/DR efforts on natural disasters and overlooked mundane events that actually cause most
disruptions, like power outages, IT failures, and human error. But businesses have come to
realize that they must take the time to conduct a more comprehensive risk assessment that will
identify all probable risks. Approximately 59% of respondents have conducted a risk assessment,
and 25% plan to conduct one in the next 12 months (see Figure 3).
· . . . and will be refreshed every one to two years. Like the BIA, risks are changing all the time,
and businesses of all sizes need to be sure their risk assessments are current. It’s not necessary to
conduct the risk assessment from scratch each year, but there needs to be a process in place that
examines the current assessment to determine if probabilities and frequencies have changed
Source: Forrester Research, Inc.
47924
Yes
68%
No, but we plan
to conduct one
in the next 12
months
1
9%
No, and we don’t
have plans to do so
in the next 12 months
13%
Once a
year
50%
Every
two years
2
6%
We haven’t updated our BIA
in more than five years
5%
Every three to
five years
19%
Base: 295 global business continuity
decision-makers and influencers
Base: 201 global business continuity
decision-makers and influencers who
have conducted a formal BIA
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
“How often do you refresh the business
impact analysis?”
2-2“Have you conducted a formal business
impact analysis (BIA) to support business
continuity strategy development and
planning?”
2-1
© 2009, Forrester Research, inc. Reproduction Prohibited February 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
5
and whether there are new risks that the business has not considered. Approximately 54% of
respondents refresh the risk assessment annually, and 22% refresh it every two years.
Figure 3 do you Know What Risks your Business Will likely Face?
YOU MUST DOCUMENT BC STRATEgIES IN PlANS AND KEEP PlANS CURRENT
Once you understand your business processes, dependencies, business resumption requirements,
and risks, you can devise specific business continuity strategies that address the threat scenarios
identified in the risk assessment. These strategies include components for crisis and emergency
communication, workforce continuity, IT, and network continuity. Once strategies are devised they
must be implemented as well as documented in actionable plans. These plans must be:
· Documented. Seventy-seven percent of both small and medium-size businesses (SMBs) and
enterprises in our survey have documented BCPs. Within one year, an additional 16% of SMBs
and 19% of enterprises will have documented BCPs (see Figure 4). Having documented BCPs is
BC 101: If you don’t have them, you don’t have anything.
Source: Forrester Research, Inc.47924
“How often do you refresh the risk
assessment?”
3-2“Have you conducted a formal risk
assessment (RA) to support business
continuity strategy development
and planning?”
3-1
Yes
59%
No, but we plan
to conduct one
in the next 12
months
25%
No, and we don’t
have plans to do so
in the next 12 months
16%
Once a
year
5
4%
Every
two years
22%
We haven’t updated our RA
in more than five years
5%
Every three to
five years
19%
Base: 295 global business continuity
decision-makers and influencers
Base: 175 global business continuity
decision-makers and influencers who
have conducted a formal RA
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
© 2009, Forrester Research, inc. Reproduction ProhibitedFebruary 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
6
· Actionable. Without actionable plans, the most sophisticated and expensive strategies are
useless. Plans must list roles, responsibilities, resources, pertinent information (like the
emergency number for your disaster recovery service provider), and what specific actions need
to be taken and in what sequence to resume or continue business operations.
· Up-to-date. Once plans are documented, it’s not easy to keep them up-to-date. Plans must be
updated whenever there are changes to business or IT operations. Forrester recommends that
BCPs be updated continuously, but few businesses reach this goal. According to our survey, only
26% of respondents update BCPs continuously.
Figure 4 do you document your BC Plans and Keep Them up-To-date?
Source: Forrester Research, Inc.47924
Yes
77%
No, but we plan
to document our
business continuity
strategies in the
next six to 12
months
18%
No, we currently do not have
plans to document our business
continuity strategies
5%
Base: 295 global business continuity
decision-makers and influencers
Base: 227 global business continuity
decision-makers and influencers who
have documented BCPs in place
(percentages do not
total 100 due to rounding)
Continuously
Quarterly
Twice per year
Once per year
Every two years
I can’t remember the last
time we updated our BCPs 3%
9%
37%
12%
12%
26%
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
“How often are your BCPs updated?”4-2“Do you have documented business
continuity plans (BCPs) in place?”
4-1
© 2009, Forrester Research, inc. Reproduction Prohibited February 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
7
Some Businesses will leverage Commercial Software To Manage Plans
Many, if not most, businesses will develop and manage their BCPs using everyday office tools such
as Word documents, spreadsheets, network shares, or team portals. This is probably fine if you’re a
small business with just a handful of plans to manage. It becomes much more difficult when you’re
an enterprise and you must manage hundreds of plans across different geographies or departments.
In this case, it does become worthwhile to consider the use of a commercial software application or
service.4 In our study we found that:
· Businesses have dozens of BCPs to manage . . . The larger and more geographically diverse
your business, the more BCPs you will have. BCPs must address a specific risk scenario in a local
geography. For example, you will have separate plans that address bird flu, terrorist events, and
extreme weather. According to our survey, 73% of SMBs have fewer than 20 BCPs, while 47% of
enterprises manage between 20 and 99 BCPs and 36% manage 100 or more (see Figure 5-1).
· . . . but most still manage BCPs manually. Only 35% of enterprises and 30% of SMBs use either
a commercial software application or service to manage BCPs (see Figure 5-2). Adoption is very
low, considering the benefits of BCP software. The software provides businesses with a centralized
repository for all their BCPs as well as a library of BCP templates for various risk scenarios that
can give them a jumpstart on their planning and also ensure that the plans are complete.
Figure 5 How do you Manage your BC Plans?
Source: Forrester Research, Inc.47924
*Base: 94 SMB BC decision-makers and influencers who have or will have documented BCPs
†Base: 186 enterprise BC decision-makers and influencers who have or will have documented BCPs
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
73%
2
1%
4%
1%
0%
18%
32% 67%
17%
13%
3%
Enterprise†
SMB*
62%
24%
11%
3%
Enterprise†
SMB*
47%
24%
9%
3%
“How do you or will you create and manage
your BCPs?”
5-2“How many plans do you currently have or
plan to develop?”
5-1
More than 1,000
500 to 999
100 to 499
20 to 99
Fewer than 20
Other
We use or plan to subscribe to a
commercial BCP software service
We use or plan to use a commercial
BCP software application
We use or plan to use our
own internal methods
© 2009, Forrester Research, inc. Reproduction ProhibitedFebruary 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
8
Businesses Now Include Partners In Their BC Tests
One area that businesses of all sizes struggle with is testing BCPs. Testing is critical because it
ensures that everyone is comfortable with their roles and responsibilities, that nothing has been
overlooked, and that strategies and technology actually work. In this survey, Forrester found that
businesses are testing, albeit not as frequently as recommended, and they are including partners in
at least one test annually. However, Forrester also found that few businesses demand proof of BC
readiness from their partners. More specifically, Forrester found that:
· Scheduling and complexity affect the frequency of certain tests. Based on Forrester client
inquiries and consulting engagements, BC directors find it very difficult to schedule tests and
secure enough participation from key team members in business, IT, facilities, etc. Depending
on the nature of the test, it can disrupt business or IT operations. As a result, BC directors will
develop a test strategy that includes different types of tests, from simple plan walk-throughs to
full simulations. Survey data indicates that the more complex the test, such as a plan simulation
or a full simulation, the less frequently it’s conducted, and in some cases it’s never conducted at
all (see Figure 6-1). Forrester recommends that businesses make every effort to run these more
complex tests annually. While they may be complex, they’re the best way to validate capabilities.
· Partners will participate in at least one test per year. In addition to the frequency and
thoroughness of tests, CISOs and BC directors should include strategic partners in tests. In this
study, almost 47% of respondents include their business partners in at least one BC test annually
(see Figure 6-2). If you fall into the
41%
of respondents who don’t include partners, you must
be sure that your business operations are truly independent of your partners’ people, processes,
and technology, or you need to think about including them in at least one test.
· Too many businesses don’t bother to validate partner readiness. Given that you’re making the
effort to conduct each phase of the BC planning life cycle, keep your plans up-to-date, and test
them on a regular basis, shouldn’t you make sure that the partners you rely on are just as ready as
you are? What if they’re not? According to our survey, 46% of respondents have never bothered
to validate the readiness of strategic partners (see Figure 6-3). Far too many businesses are taking
the readiness of their partners, suppliers, and service providers for granted. This is a major risk
exposure, particularly if you have sole suppliers for some of your inventory or services.
© 2009, Forrester Research, inc. Reproduction Prohibited February 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
9
Figure 6 BC Testing
Source: Forrester Research, Inc.47924
Full simulation: Using a scenario,
carrying out the response and recovery
activities for an entire organization
Plan simulation: Using a scenario,
carrying out the response and recovery
activities of a documented plan
Tabletop: Using a scenario,
discussing the response and recovery
activities of a documented plan
Plan walk-through: Reviewing the
layout and contents of a plan
Base: 295 global business continuity
decision-makers and influencers
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
“How many times per year do you conduct the following types of tests on your BCPs?”6-1
Base: 227 global business continuity decision-makers
and influencers who have documented BCPs in place
(percentages may not total 100 due to rounding)
16% 10%62%
4%
10%
11%
Once a year Twice a year Three times a year Quarterly
70%
55%
6%
11%
13%
3% 3%
26%
33% 6%
1%
60%
Never
Base: 227 global business continuity decision-makers and influencers who have documented BCPs in place
(percentages may not total 100 due to rounding)
“Have you investigated/validated the
business continuity readiness of your
strategic partners?”
6-3“How often do your business partners
participate in your tests?”
6-2
Yes
46% No
54%
Never
Quarterly
Three times a year
Twice a year
Once a year 47%
8%
2%
2%
41%
© 2009, Forrester Research, inc. Reproduction ProhibitedFebruary 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
10
YOU MUST INClUDE BUSINESS OwNERS FROM START TO FINISh
If your business is serious about BC preparedness, there must be executive-level sponsorship of
BC as well as support and participation from senior managers, midlevel managers, and individual
contributors. Executives, managers, and individuals must participate in every phase of BC planning
so that strategies and documented plans reflect business requirements and deliver business results.5
Forrester found that:
· Business owners are most heavily involved in the BIA . . . Almost 62% of respondents
report that their business owners are involved or very involved in the BIA (see Figure 7). This
is not surprising; it would be impossible for a BC planner to document business process
and dependent resources without working closely with business owners to understand how
business is done. Our study also showed that business owners had solid involvement in plan
testing. Approximately 55% of respondents reported that business owners were involved or very
involved in plan testing.
· . . . and the least involved in training and awareness. Only 43% of respondents reported that
business owners were involved or very involved in training and awareness. While training can
be addressed through frequent testing, not everyone in the business can participate in BC tests;
there must be awareness initiatives so that all employees have a basic understanding of what
to do or what to expect during a major business disruption, particularly if BC plans require
employees to work from or report to an alternate site.
Figure 7 How involved are Business owners in The BC Planning life Cycle?
Source: Forrester Research, Inc.47924
“On a scale of 1-4, where 1 equals ‘not at all involved’ and 4 equals ‘very involved,’ what is the level
of business involvement from business owners in the following:”
Base: 295 global business continuity decision-makers and influencers
(percentages may not total 100 due to rounding)
Awareness and training
Plan testing
Plan documentation
Strategy and plan development
Risk strategy
Business impact analysis 33% 28%
16% 28%
4 (very involved) 3 (involved)
16% 33%
25% 25%
24% 32%
13% 30%
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
© 2009, Forrester Research, inc. Reproduction Prohibited February 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
11
Businesses Don’t Report Readiness Efforts To Executives
To keep executives informed as well as demonstrate value to maintain or secure additional funding,
BC managers must regularly report on BC readiness efforts. According to our survey, however, only
33% of respondents report on readiness to executives on a quarterly basis (see Figure 8). If you only
report on readiness once or twice a year, it’s not likely that senior executives have an accurate picture
of the business’ readiness. To increase executive awareness and raise the profile and importance of
BC management, Forrester recommends that businesses:
· Develop a BC readiness “dashboard.” It should report by entity (i.e., subsidiary, business
unit, region, department), critical business operations covered by plans, plan maintenance, test
frequency, test results, training initiatives, and any actual invocations. This way, the business
can quickly see if there are any regions that are vulnerable and out of compliance with corporate
mandates for preparedness.
· Schedule frequent status check-ins with BC managers across the company. At many of the
large companies that Forrester has worked with, the BC director or senior executive responsible
for BCM will host monthly calls with BC managers across the business to update readiness
status, share best practices, and discuss local challenges. In addition, he or she meets with either
a C-level executive or the board of directors quarterly to report on efforts.
Figure 8 do you Report BC Preparedness Efforts To Executives?
Source: Forrester Research, Inc.47924
12%
3%
34%
“How many times per year do you report the status of business continuity readiness to executives?”
Base: 295 global business continuity decision-makers and influencers
Quarterly
Three times a year
Twice a year
Once a year
Never
Source: Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008
13%
38%
© 2009, Forrester Research, inc. Reproduction ProhibitedFebruary 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
12
R E C o M M E n d a T i o n S
FOCUS ON INCREMENTAl IMPROvEMENTS
Maybe you’re the business that hasn’t updated its Bia in five years or still doesn’t have
documented BCPs, but most businesses have taken at least the basic steps to devise, implement,
and document good BC strategies. Most businesses don’t have big gaping holes in their strategies.
instead, where they struggle is in keeping plans up-to-date with business changes and risks,
testing plans thoroughly, and including business and partners in the complete BCM life cycle. in
the tough economic climate of 2009, CiSos and BC directors should focus on a few incremental
improvements that will increase confidence in the ability to successfully invoke plans and
highlight areas for improvement:
· Consider a lower cost commercial software application or service for BCP management.
There are offerings in the marketplace that won’t break the bank, especially if you’re only
interested in the core planning module. if you still manage hundreds of BCPs in Word
documents and Excel spreadsheets, it’s time to upgrade. Standardizing BCP elements
and storing them in a central repository will help you keep them up-to-date, increase
collaboration, and improve reporting.
· Add more plan walk-throughs and tabletop exercises to your test strategy. one way to
identify deficiencies in plans is to identify plans that are out-of-date and increase training
and awareness by conducting more walk-throughs and tabletop exercises. Several Forrester
clients conduct these exercises on a quarterly basis. Walk-throughs and tabletop exercises
won’t replace running a plan simulation or a full simulation annually, but because they’re less
complex, you can schedule them more frequently.
· Don’t take partner readiness for granted. if you haven’t already done so, you must
immediately ask for proof of BC readiness from any strategic partner that would materially
impact your business or iT operations if their business was down. don’t be satisfied with
simple plan documentation; ask for a report on test frequency, test results, and the results of
any actual invocations. also ask to either observe or participate in tests where appropriate.
· Audit and report on BC readiness efforts corporatewide. For enterprises with multiple
geographic locations or entities, local BC managers must carry out their own planning efforts.
However, the CiSo and corporate BC director can set some standards. They can mandate
the use of a common BCP template, mandate minimum plan components, mandate
minimum number of tests, participate in test debriefs, and require reporting of actual
invocations. To ensure adherence to corporate policy, corporate BC managers will need to
periodically (annually in most cases) audit local efforts and local plans and provide guidance
for improvement. if your business has no central dashboard, then this is one area of focus,
because without it you won’t have an accurate picture of the business’ resiliency.
© 2009, Forrester Research, inc. Reproduction Prohibited February 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
13
SUPPlEMENTAl MATERIAl
Methodology
In October 2008, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online
survey of 295 DRJ members. In this survey:
· All respondents indicated that they were decision-makers or influencers in regard to planning
and purchasing technology and services related to business continuity.
· Respondents were from a range of company sizes: 33% had one to 999 employees; 27% had
1,000 to 4,999 employees; 17% had 5,000 to 19,999 employees; and 21% had 20,000 or more
employees.
· Respondents were from companies with a range of revenues: 44% of respondents were from
companies with revenues of less than $500 million; 9% were from companies with revenues of
$500 million to $999 million; 22% were from companies with revenues of $1 billion to $4.99
billion; 8% were from companies with revenues of $5 billion to $10 billion; and 17% were from
companies with revenues of more than $10 billion.
· Respondents were from a variety of industries.
· Respondents were primarily from North America: 92% of respondents were from North
America; 5% were from Europe, Middle East, or Africa; 2% were from Asia; and 1% were from
South America.
This survey used a self-selected group of respondents (DRJ members) and is therefore not random.
These respondents are more sophisticated than the average. They read and participate in business
continuity (BC) and disaster recovery (DR) publications, online discussions, etc. They have above-
average knowledge of best practices and technology in BC/DR. While nonrandom, the survey is still
a valuable tool in understanding where advanced users are today and where the industry is headed.
ENDNOTES
1 Part 1 of the UK Civil Contingencies Act establishes a clear set of roles and responsibilities for those
involved in emergency preparation and response at the local level. The Act divides local responders into two
categories. Category 1 organizations (e.g., emergency services, local authorities, National Health Service
bodies) are at the core of the response to most emergencies. Category 2 organizations (e.g., the Health and
Safety Executive, transport and utility companies) are less likely to be involved in the heart of planning
work but will be heavily involved in incidents that affect their sector. Source: UK Resilience (http://www.
ukresilience.gov.uk/preparedness/ccact.aspx).
© 2009, Forrester Research, inc. Reproduction ProhibitedFebruary 26, 2009
Businesses Take BC Planning More Seriously
For Security & Risk Professionals
14
2 Vodafone UK already had a solid approach to business continuity preparedness and ongoing management,
but the company wanted to assess itself relative to industry best practices as well as determine a way it could
more quickly comply with requests from customers and regulatory authorities for proof of preparedness.
See the October 8, 2008, “Case Study: Vodafone UK Uses Business Continuity As A Competitive Advantage”
report.
3 Source: “Presentation of North America’s First Certificate for BS 25999, the New Standard for
Business Continuity,” Reuters press release, July 8, 2008 (http://www.reuters.com/article/pressRelease/
idUS160957+08-Jul-2008+PRN20080708).
4 Firms typically do not have a centralized BC program office that enforces standards, consistency, and
quality across a distributed organization or across hundreds of localized BC plans, and these plans are rarely,
if ever, tested. To address these challenges, more firms are turning to Web-based software to transform their
static BC plans from Word documents and Excel spreadsheets into a more mature BC program. See the
May 30, 2007, “Market Overview: Business Continuity Planning Software” report.
5 In our Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey, Q4 2008, 89% of the
business continuity (BC) decision-makers and influencers we surveyed said that BC had executive-level
support. In addition, about two-thirds of respondents said that BC was a priority or critical priority for
senior executives. See the January 13, 2009, “More Businesses Now Institutionalize Business Continuity
Management” report.
http://www.forrester.com/go?docid=47201&src=47924pdf
http://www.forrester.com/go?docid=41360&src=47924pdf
http://www.forrester.com/go?docid=46481&src=47924pdf
http://www.forrester.com/go?docid=46481&src=47924pdf
Forrester Research, Inc. (Nasdaq: FORR)
is an independent research company
that provides pragmatic and forward-
thinking advice to global leaders in
business and technology. Forrester
works with professionals in 19 key roles
at major companies providing
proprietary research, consumer insight,
consulting, events, and peer-to-peer
executive programs. For more than 25
years, Forrester has been making IT,
marketing, and technology industry
leaders successful every day. For more
information, visit www.forrester.com.
Australia
Brazil
Canada
Denmark
France
Germany
Hong Kong
India
Israel
Japan
Korea
The Netherlands
Switzerland
United Kingdom
United States
Headquarters
Forrester Research, Inc.
400 Technology Square
Cambridge, MA 02139 USA
Tel: +1 617.613.6000
Fax: +1 617.613.5000
Email: forrester@forrester.com
Nasdaq symbol: FORR
www.forrester.com
M a k i n g l e a d e r s S u c c e s s f u l E v e r y d a y
For a complete list of worldwide locations,
visit www.forrester.com/about.
Research and Sales Offices
47924
For information on hard-copy or electronic reprints, please contact Client Support
at +1 866.367.7378, +1 617.613.5730, or clientsupport@forrester.com.
We offer quantity discounts and special pricing for academic and nonprofit institutions.
www.forrester.com
mailto:clientsupport@forrester.com
