Magic Quadrant untuk Business Continuity Management Planning


Magic Quadrant for Business Continuity Management Planning Software

27 August 2014 ID:G00261175
Analyst(s): Roberta J. WittyJohn P Morency

VIEW SUMMARY

Most BCMP tools meet customer needs for recovery plan management, and a consistent and repeatable plan development process. The growing focus on BCM program analytics and integration into the operational risk management initiative has resulted in increased sophistication of BCMP tools.

Market Definition/Description

Business continuity management planning (BCMP) software is the key tool used to manage the business continuity management (BCM) program process from risk assessment to business impact analysis (BIA) through recovery plan development, exercising and invocation. BCMP tools can greatly benefit organizations by jump-starting their BCM programs and quickly improving their overall continuity capability, as long as senior management is committed to the process. Mature and progressive BCM programs — including those that have a strong link to operational risk management — are starting to use BCMP tools for business and program management analysis, with a goal of building more resilience into day-to-day business operations. The biggest competitors to using a BCMP tool are ad hoc approaches that use Microsoft Office tools and SharePoint for document management.
A BCMP tool will typically include the following components:
  • Risk assessment for availability — now more clearly differentiated from the BIA due to the influence of governance, risk and compliance (GRC) risk management.
  • BIA — assessing the business impact of the loss of people, IT, facilities and suppliers.
  • Business process and IT dependency mapping.
  • Resource libraries of business and IT equipment, processes, personnel, facilities, third parties (suppliers/vendors) and so on.
  • Plan development and management.
  • Workflow management for plan development and maintenance actions.
  • An analytics capability to provide senior executives and boards of directors with BCM program status, effectiveness and risk-based metrics so that the appropriate investments can be made in risk mitigation controls, day-to-day operations and recovery operations.
  • A modeling capability that enables the organization to assess the impact on the business as a result of an outage.
  • An exercising capability that assists organizations when they test the effectiveness of their recovery plans.
  • A crisis/incident management (C/IM) function that can be used when the organization experiences a business disruption and, therefore, needs to invoke its recovery plans. This function is a natural extension of BCMP tools, since they already have the recovery plan details and can easily transition from a "plan view" to an interactive capability for real-time event management. The C/IM function in the BCMP tool is often good enough for most organizations. Pure-play C/IM tools typically provide a much richer set of functions than those found in a BCMP tool, especially if they need strong U.S. Federal Emergency Management Agency (FEMA) National Incident Management System/Incident Command System (NIMS/ICS) support; however, some organizations do not need to use pure-play C/IM tools. A few BCMP tools do provide FEMA NIMS/ICS support, but most don't. A few BCMP tools also support GIS and geospatial tools, creating an ecosystem for real-time situational awareness during an actual disaster.
  • Emergency/mass notification services (EMNS) support, either through delivering basic notification through voice, email and SMS from built-in functionality, or through partnerships with full-fledged EMNS tools.
The BCMP market has a 2013 revenue estimate of $162 million — 24% more than our 2012 estimate. As an overall assessment of this market in 2014, there are many good tools that are meeting customer needs for usable recovery plans of all types, from response to restoration as well as a consistent and repeatable plan development process. They all have an adequate ability to deliver the core functions of risk assessment, BIA and recovery plan management. Also, in many organizations, the growing focus on BCM program analytics and integration into the broader operational risk management initiative has resulted in increased sophistication in BCMP tools. Therefore, the features that distinguish the vendors from each other and form their position in this Magic Quadrant are:
  • Ease of configuration and customization (the same feature as in 2013)
  • Ease of use (the same feature as in 2013)
  • Depth of data analytics, C/IM and exercise management (a new feature for 2014)
  • Level of real-time interactive action of their mobile device apps (a new feature for 2014)
  • Plan management aides, such as built-in workflow procedures for BIA and recovery plan creation and maintenance (a new feature for 2014)
Note: Most of the vendors have addressed the concern with ease of reporting from the 2013 "Magic Quadrant for Business Continuity Management Planning Software."
Pricing for this market remains competitive for the simpler implementations; however, pricing for large, multinational implementations can be in the high six figures or higher. Large or regulated enterprises, as well as government agencies, have been the early adopters of BCMP tools, while small and midsize firms are increasingly looking to do so. The financial services market and organizations with complex business operations lead the pack in implementations and vendor marketing efforts.
The value of a BCMP tool is only as good as the data being managed by it; therefore, before you start the BCMP tool selection process, you must define a continuity delivery framework that aligns with the delivery model of your organization's production operations. A critical part of your framework development is the BCMP tool data model, which will define part of your BCMP tool purchasing criteria (see "The Continuity Delivery Framework Is Essential for Ensuring Measurable and Sustainable BCM Planning Tool and Program Benefits").

Future of BCMP Software

"BCP is not about manuals and procedures; it's about organizational culture, behavior and attitude." This comment from a Gartner client supports our often-stated perspective that the future of the BCMP software market depends on how easily BCMP tools can be used on a daily basis within production business operations and operational risk management activities. The view that BCMP tools are used only at the time of a disaster is one that is drastically outdated and does not recognize that BCM is a strategic and business-enabling initiative within the organization. We make this statement after reflecting on the government emergency management marketplace, which is rapidly changing from one with many disparate systems that are used only on an incident-based basis (and, therefore, are often not functional when you most need them), to one in which there is a single solution that integrates with the tools that first responders and regular operational staffs use on a daily basis. This "practice while you play" approach enables emergency managers to manage production activities (for example, traffic, port activity, weather events, parades and other special events) along with the disaster event.
Progressive BCMP tools are moving away from a static recovery plan document to a real-time, interactive experience for planning, exercising and plan invocation activities, as well as strong data analytics and visualization for BCM program management that can be integrated into an operational risk management program. Also, C/IM functionality needs current-state modeling and future-state modeling, consequence analysis and management on the fly using data analysis from many disparate data feeds, as well as collaboration and communications capabilities as key functions. This approach does not mean that a recovery plan in "printed" form is unavailable in the BCMP tools (on the contrary, all BCMP tools can deliver the traditional "recovery plan" in Word or PDF format). Rather, it means a more interactive access capability is needed.
Finally, a BCMP capability is being developed and successfully marketed by the GRC vendor marketplace. This expansion on the part of the GRC vendors is a natural extension of their customers' operational risk management activities. However, GRC tools tend to be highly configurable and not purpose-built for a BCMP capability at the same level as a pure-play BCMP tool. We also see some of the pure-play BCMP vendors expanding their offerings to include more GRC/operational risk management capabilities.
For the next three years, we expect a large number of BCMP sales to continue to come from the BCMP pure-play market. However, this position can easily change if there are more large-scale and regional disasters that result in more damage than expected by the boards of directors/trustees of midsize to large-scale organizations, resulting in a laser focus on overall operational risk management in these firms. Small businesses will likely buy pure-play BCMP tools because they don't have the broader focus on operational risk management, or the funding to purchase the typically more expensive GRC toolsets.

Magic Quadrant

Figure 1. Magic Quadrant for Business Continuity Management Planning Software
Figure 1.Magic Quadrant for Business Continuity Management Planning Software
Source: Gartner (August 2014)

Vendor Strengths and Cautions

Avalution Consulting

The Avalution Consulting BCMP tool version evaluated for this Magic Quadrant was Catalyst 2013; the current version is Catalyst 2014. The Catalyst product is a significant improvement over the product we reviewed last year — The Planning Portal. There are three versions of Catalyst, each having different customization and configuration options: (1) Enterprise on a customer-dedicated platform (customization by the vendor only); (2) Pro on a shared customer platform (customer configuration to recovery plans, reports and BIA; no customization); and (3) Basic (on a shared customer platform with configuration limited to recovery plans and reports). The product is offered in the following delivery models: shared multitenant, dedicated client application instance and dedicated client database instance. Avalution's implementation size sweet spot is for organizations with 1,001 to 5,000 employees that do not have complex BCM program needs, since many customizations need to be made by the vendor, not the customer. Avalution's Catalyst BCMP tool is a Challenger due to good product innovation and current product capability, and to strong marketing execution and customer experience.
Strengths
  • Avalution had the highest customer reference product/operations performance score, and a very high product implementation professional services score.
  • Its average three-year revenue growth rate was the third highest in this report.
  • Navigation is very easy and the user interface (UI) is very clean. It has an excellent and unique dashboard called Catalyst Insights — an overall BCM program rating board showing status metrics for BIA completion, plan completion, exercise completion and a recovery time objective (RTO) capability. It also has a multiphase recovery plan completion guide workflow. Avalution has interactive task tracking during plan invocation via its C/IM functionality. Its exercise orchestration template is very nice. The vendor has a basic built-in emergency notification capability for an additional fee. Avalution has very strong support for BCM standards and frameworks (plan or report templates out of the box), including Federal Financial Institutions Examination Council (FFIEC), Health Insurance Portability and Accountability Act (HIPAA)/Health Information Technology for Economic and Clinical Health (HITECH), ISO 22301:2012, ITIL V3 and FEMA NIMS/ICS.
  • Avalution had the best price point comparison score. This is due to its low cost overall (which is why it doesn't discount) and its Catalyst Basic tool being offered for free to organizations with five or fewer users. Even though its user pricing complexity is higher than other vendors, its overall cost is so low that it negates the complexity factor.
  • Avalution uses five production and five recovery data centers (located in the U.S., Europe and Asia/Pacific) from Amazon Web Services (AWS). It has certification under ISO 22301:2012 for internal operations as well as Catalyst data center operations. Its contractually guaranteed service level for system availability is 99.99% (better than the median), and its measured uptime over the past 12 months has been 100%.
Cautions
  • Customer references report that its weakest performance is in product training, technical support and documentation.
  • Customization beyond recovery plan, report and BIA configuration requires the Catalyst Enterprise version and must be done by the Avalution team. Data import for resource loading is only done through an Excel or CSV file import. Avalution's risk assessment capability is not as robust as other vendors'. Additional workflow levels beyond the two-step workflow can't be changed without vendor assistance. Access control functionality is not as robust as other BCMP tools; vendor assistance is required to create a new role and change the permissions assigned to a role — however, granular access can be controlled via each plan and BIA.
  • Mobile device access to recovery plans is limited to mobile-optimized Web pages.
  • There is no Safe Harbor certification for its data centers running the BCMP tool.

BOLDplanning

The BOLDplanning BCMP tool version evaluated for this Magic Quadrant was 14.01; the current version is 14.04. BOLDplanning was tied for the most complex implementation, based on the number of employees, plan administrators, business units/departments, and locations and recovery plans supported. Its average three-year revenue growth rate was average compared with all vendors in this report. BOLDplanning's three-year product road map is to provide a single BCMP platform from which it can configure and customize to its industry focus needs for small or midsize businesses (SMBs), education, public health, government and the military. The product is offered in the following delivery models: on-premises, shared multitenant, dedicated client application instance and dedicated client database instance. The vendor's implementation size sweet spot is for organizations with 1,001 to 5,000 employees that want a content-rich BCMP tool. BOLDplanning's position as a Challenger is due to its strong customer experience and operations, but its product innovation and current product capability are lower than other Challengers.
Strengths
  • Customer references report very good product/operations performance and very high product implementation professional services scores.
  • BOLDplanning offers a nonprofit and SMB pricing discount.
  • BOLDplanning provides customers with a "starter kit" version for ease of implementation, and the customer can change it after initial implementation. BOLDplanning offers a recovery plan completion dashboard and the most complete set of recovery plan templates, based on content from NFPA 1600:2013 and the U.S. government's Continuity of Operations (COOP), FEMA NIMS/ICS, and critical infrastructure and presidential directives. It also supports the U.S. Homeland Security Exercise and Evaluation Program (HSEEP) exercise management approach with built-in templates, reports and processes. BOLDplanning has excellent tool training resources.
  • BOLDplanning uses two production data centers and one recovery data center (located in the U.S.) from AWS. Its contractually guaranteed service level for system availability is 99.99% (better than the median). Operations failover from the primary production data center to the secondary facility is completely automated. AWS has the following data center certifications and attestations: U.S. Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Management Act (FISMA), Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), HIPAA/HITECH, ISO/IEC 27001:2013, Statement on Standards for Attestation Engagements No. 16 (SSAE 16)/International Standard on Assurance Engagements No. 3402 (ISAE 3402), Service Organization Control (SOC) 2 and SOC 3.
Cautions
  • BOLDplanning had a lower-than-average price point comparison score. It does not offer an industry pricing discount.
  • Source code changes are common for implementing customer requirements. BOLDplanning does not support the following BCMP functions: risk or criticality rating calculations, RTO conflict identification, visualization support for risk assessment, a BIA or program management capability, built-in support for exercise or C/IM functionality, or partnerships for EMNS or BCM program dashboarding.
  • Data import for resource loading is done only through an Excel or CSV file import. BOLDplanning's access control capability is not as in-depth as its competitors'. Users have access to the entire system and cannot be restricted to tool functions, and new roles cannot be created by the customer, although permissions within a role can be modified. The vendor does not support ISO 22301:2012.
  • Mobile device access to recovery plans is limited to a Web browser.
  • BOLDplanning's AWS BCMP tool data center operations have no BCM certifications.

ClearView Continuity

The ClearView Continuity BCMP tool version evaluated for this Magic Quadrant was v.4.4; the current version is v.4.4.1. The product is offered in the following delivery models: on-premises or shared multitenant with dedicated client application instance and dedicated client database instance. The vendor, which is part of the Bis-Web group, did not report new deal signings in 2013. Its implementation size sweet spot is for organizations with 1,001 to 5,000 employees that have basic to complex BCM planning needs. ClearView Continuity's position as a Challenger is due to its strong current product capability and good customer experience; however, its product innovation, market responsiveness/record and marketing execution are lower than other Challengers.
Strengths
  • Customer references report good product/operations performance and high product implementation professional services scores.
  • Its average three-year revenue growth rate was the second highest in this report.
  • ClearView Continuity offers government, higher education and nonprofit pricing discounts.
  • The tool has very good BIA functionality, with the default RTO being a calculated value. It also has a unique nonconformance risk and impact analysis feature called staff ramp-up reporting. The workflow setup is very detailed and includes allowance time, warning day and days to danger. It has very good graphical representation for dependency mapping. It supports interactive task tracking during C/IM plan invocation and very good exercise orchestration. It has a very unique review and approval procedure — that is, the customer can customize the procedure with questions that the reviewer/approver must answer, with one purpose being to capture statements regarding alignment with BCM standards. It has a very in-depth access control capability, customized by users for all functions in the tool and for user group assignments directly imported from LDAP.
  • Native mobile device apps are available for the Android, BlackBerry and iOS with an offline cache. The apps are interactive for C/IM task management. Notifications can be sent directly from the mobile app.
  • ClearView Continuity has four production and three recovery partner data centers located in the U.K. and Asia/Pacific. Its contractually guaranteed service level for system availability is average at 99.95%. Because it is a European firm, ClearView Continuity must comply with the EU Data Protection Directive for data center operations. It also has ISO/IEC 27001:2013 certification and SOC 3 attestation through Rackspace for its BCMP data center operations.
Cautions
  • Customer references report that the vendor's performance on product training, technical support and documentation could be improved.
  • There is a single version of the application, so customer-side customization at the database level is limited to application configurations, while other changes must go through the vendor.
  • Administrative navigation through the tool is more hierarchical than other BCMP tools. The customer cannot change the administrative UI for terminology or layout. Recovery plan templates are customizable for content, but not on-screen layout. The vendor has support for neither timeline visualization nor scenario or resource modeling visualization. Dashboarding is limited to two built-in templates for workflow monitoring and corrective actions. Data at rest is not encrypted. Workflow task completion timing can be changed, but steps cannot be added or modified.
  • ClearView Continuity had the third lowest price point comparison score.

Continuity Logic

The Continuity Logic BCMP tool version evaluated for this Magic Quadrant was FrontLine Live 4.6; the current version is 4.9. The product is offered in the following delivery models: hybrid, shared multitenant, dedicated client application instance and dedicated client database instance. Continuity Logic had the second most complex implementation based on the number of employees, plan administrators, business units/departments and locations, and recovery plans supported. Its implementation size sweet spot is for organizations with more than 5,000 employees that want strong BCM program management, C/IM and visualization. Continuity Logic's position as a Leader is due to its strong product innovation and current product capability, and to its revenue growth rate and customer experience; however, it has lower market responsiveness/record and operations than its competitors.
Strengths
  • Customer references report very good product/operations performance, and very high product implementation professional services scores.
  • Its average three-year revenue growth rate was the highest in this report.
  • FrontLine Live is a very configurable BCMP tool with excellent navigation. Data import for resource loading is done through Microsoft's SSIS and secure FTP. Continuity Logic has a unique "guide me" wizard to package tool functions so that the user can be guided through risk assessment, BIA and plan completion according to the organization's approach. It has a very good risk assessment capability with a geographic display of risks, and one of the best calculated and customer-customizable RTO algorithms. Its workflow is very flexible and comprehensive. Continuity Logic has a strong big data/analytics vision with excellent dependency mapping and dashboarding, with drill-downs through iMindMap. It has a unique geographic display capability of BCM plan status. It has one of the best real-time and interactive C/IM modules, as well as by-default plan exercising, with Google Maps support, elapsed time, plus a running calculation of RTO versus recovery time capability and costs incurred. Discussion boards are available for team/group communication during an event. Built-in emergency notification is provided through Ifbyphone. It has very good access control, with permissions controlled at the module and activity levels, and unique roles at the entity, business unit, and primary and secondary plan section content owner levels. It has strong compliance support through its compliance manager self-assessment module for BCM frameworks/standards, including NFPA 1600:2013, ASIS SPC.1-2009, BS 25999-2:2007 and ISO 22301:2012.
  • Native mobile device apps are available for the Android, iOS and Windows with an offline cache. Continuity Logic exposes all data so that customers can create their own mobile device apps, or integrate with another mobile device app. Data is encrypted in the mobile device app.
  • Continuity Logic had a better-than-average price point comparison score.
  • Safe Harbor certification has been obtained for European Union-U.S. and Switzerland-U.S. for their data centers running the BCMP tool. Continuity Logic has a help desk option that directs the call to the customer instead of the vendor — the customer can customize the help desk feature for its own use and culture. This feature alleviates a lot of calls going to the vendor, and allows the customer to do better tool usage management.
Cautions
  • Continuity Logic had a lower-than-average number of new contract signings in 2013.
  • Encryption of data at rest is not supported.
  • The vendor's mobile device app does not support interactive task management.
  • Continuity Logic has only two production and recovery Tier 3 partner data centers, all located in the U.S. Its contractually guaranteed service level for system availability is lower than the median at 99.9%. It does not have any BCM or information security certifications or attestations for these data centers. BCMP tool technical support service descriptions were not provided.

COOP Systems

The COOP Systems BCMP tool version evaluated for this Magic Quadrant was myCOOP version 6.14, which is also the current version. The product is offered in the following delivery models: on-premises, dedicated client application instance and dedicated client database instance. The vendor's implementation size sweet spot is for organizations with more than 5,000 employees that have more complex BCM needs and want their own application instances. COOP Systems' position as a Niche Player is due to its lack of responses to vendor survey questions — including financial information (which translates to a lower revenue growth rate), new deal signings, industry alignment, and certain data center security controls and other operations questions — and also due to lower product innovation than its competitors.
Strengths
  • Customer references report a good product implementation professional services score.
  • Page layout changes can be done via drag-and-drop. Help and training resources are very comprehensive. Its BIA capability is very flexible with an automatically calculated criticality rating by default. myCOOP has a good dashboarding capability with good visualization. It also has segregated plan sections at the enterprise and local levels. Its C/IM capability supports interactive task tracking during plan invocation. COOP Systems has very good support for BCM standards/frameworks (plan or report templates out of the box) for FFIEC, HIPAA, ISO 22313:2012 and FEMA NIMS/ICS.
  • COOP Systems has one of the best BCMP tool mobile device apps reviewed for this report. Native mobile device apps are available for the Android, BlackBerry, iOS and Windows in online mode only. COOP Systems also can restrict the view of the plan to the user's profile. Interactive C/IM is supported through the mobile device app. Notifications can be sent directly from the mobile app.
  • The vendor's contractually guaranteed service level for system availability is 99.99% (better than the median). It has ISO/IEC 27001:2013 certification and ISAE 3402/SOC 2 attestation for its partner data center operations. Tens of thousands of concurrently active users can be supported.
Cautions
  • Customer references report lower-than-average performance in the following areas: product training, technical support and documentation, quality and reliability of the vendor's sales team, perceived viability/financial strength, and ongoing software development activities and innovation.
  • Because COOP Systems did not provide financial information, its average three-year revenue growth rate was calculated based on revenue reported in prior years and on the median growth rate for 2013, and it resulted in a below-average rate.
  • Its BCMP tool's administrative navigation is not as streamlined as other BCMP tools. There is no visualization support for dependency mapping. Exercise management functionality covers orchestration only. There are four out-of-the-box access control roles, and additional client-controlled roles can be configured under special agreement. An approver can edit a recovery plan rather than just approve it. COOP Systems' three-year product road map is not as clearly defined for strategy or specifics as its competitors' are.
  • COOP Systems had a lower-than-average price point comparison score. It offers a multiyear pricing discount, but only if prepaid. It does not have pricing discounts for SMBs, for nonprofits or by industry.
  • COOP Systems has only two production partner data centers in the U.S. and Canada, and one recovery partner data center in Canada. Audits by an independent party of IT service continuity procedures are not conducted.

eBRP Solutions

The eBRP Solutions BCMP tool evaluated for this Magic Quadrant was version 4.4.2. The product is offered in the following delivery models: on-premises, shared multitenant, dedicated client application instance and dedicated client database instance. Its implementation size sweet spot is for organizations with more than 1,000 employees that don't have their own defined BCM processes. Its position as a Niche Player is due to lower product innovation and revenue growth rate, as well as a lack of product customization, flexibility and operations than its competitors.
Strengths
  • Customer references report good product/operations performance and high product implementation professional services scores.
  • eBRP has good visualization and drill-down for dependency mapping. For IT disaster recovery management (IT DRM) support, it has an application impact analysis (AIA) function available through the BIA capability. Plan template sections can be locked so that edits cannot be made to them. Its CommandCentre C/IM functionality is excellent, including FEMA NIMS/ICS compliance, although this is an additional charge. eBRP supports a GIS capability for geocoding of assets, it can produce a Gantt chart for plan invocation timeline and procedural sequencing, and it supports interactive task tracking during plan invocation.
  • eBRP is one of only two vendors that offers flat-rate pricing for unlimited users for its BCMP tool. It also offers multiyear, SMB, nonprofit and strong industry pricing discounts.
  • Native mobile device apps are available for the Android, BlackBerry and iOS, along with an offline cache (iOS only) and online mode support. The mobile app supports interactive C/IM task management. Notifications can be sent directly from the mobile app.
  • eBRP has four production and recovery data centers — all CenturyLink sites acting as primary and backup sites for each other — located in the U.S., Canada and the U.K. Partner data center operations that run the BCMP tool are ISO/IEC 27001:2013-certified, and eBRP has obtained a satisfactory FISMA audit for NIST SP 800-53. Safe Harbor certification has been obtained for its internal and partner data centers running its BCMP tool; however, eBRP did not provide the countries to which the certification applies. Data center operations failovers are tested once per quarter.
Cautions
  • Customer references report that eBRP's pricing model and/or overall total cost of ownership (TCO) could be improved.
  • eBRP makes it very clear that it is not the BCMP tool for every organization. Its asset-based approach (rather than a business process approach) to BCM planning is unique, and eBRP does not waiver from it. This approach results in a longer evaluation time frame to compare its BCMP tool to a competitor's.
  • It had a lower-than-average number of new contract signings in 2013, and its average three-year revenue growth rate was below average.
  • Its BCMP tool has less-than-intuitive tool navigation. Data import for resource loading is done only through an Excel or CSV file import. Recovery plan creation is very sequential, and plan templates cannot be changed by the customer. Page and plan layouts cannot be changed for appearance purposes. Customizable workflow is not available. Most dashboarding is through reporting — there is no real-time dashboarding and little visualization support. Because of eBRP's asset-based approach to recovery planning, assigning access control permissions is not intuitive, but rather is more complicated than its competitors' processes — for example, permissions cannot be assigned to a user, only via a "team"; access controls are not very granular; and roles cannot be created by the customer, although permissions within a role can be modified. eBRP does not support any specific BCM standard/framework out of the box, and the customer cannot configure the product to do so.
  • eBRP had a lower-than-average price point comparison score. The C/IM module pricing was not included in our pricing sample analysis, so if the customer wants it, there will be an additional charge.
  • eBRP's contractually guaranteed service level for system availability is lower than the median at 99.5%. It has no BCM certification for its data centers running the BCMP tool. No formal third-party security audits are currently performed, although customer-specific audit requests are accommodated to the extent that is possible.

EMC (RSA)

The RSA (the Security Division of EMC) BCMP tool version evaluated for this Magic Quadrant was Archer Business Continuity Management 4.5.2; the current version is 5.2. The product is offered in the following delivery models: on-premises and shared multitenant. Due to EMC's corporate compliance requirements, RSA did not provide answers to survey questions regarding revenue by year or region, or regarding new deal signings in 2013. Therefore, we used Gartner's internal Vendor Rating process to provide an overall financial viability score for RSA. Its implementation size sweet spot is for organizations with more than 5,000 employees that want a strong GRC tool with good BCM planning functionality. EMC (RSA's) position as a Leader is due to its strong product innovation, geographic strategy and overall viability, but its customer reference scores made its customer experience score lower than other Leaders.
Strengths
  • A GRC vendor, EMC (RSA) has moved into the BCMP space (due to customer demand) with a purpose-built module.
  • It has very good graphics and dashboarding with the concept of global versus personal dashboards. It also has a strong BIA capability, including an automated criticality rating, RTO gap analysis, and a unique by-person business impact section question completion feature. EMC (RSA) has good built-in C/IM and exercise management capabilities. In addition, it offers a separate incident management module that models an operational incident management process, which can be used to supplement what is included in the BCM module. Its access control capability is very detailed: group, role, function and read/write/delete (RWD) change capabilities are available, and user group assignment can be directly imported from LDAP. EMC (RSA) has excellent compliance support through the Archer Policy Management module, and the concept of a control procedure for BCM standards/frameworks, including FFIEC, HIPAA, ISO 22301:2012 and ITIL V3.
  • Data is encrypted in the mobile device app. Notifications can be sent directly from the mobile app.
  • EMC (RSA) had a better-than-average price point comparison score. It offers a government pricing discount.
  • A native mobile device app is available for the iOS with an offline cache.
  • EMC (RSA) has two partner production data centers located in the U.S. and the U.K. It also has two partner-mirrored recovery data centers located in the U.S. and Europe. EMC's Safe Harbor certification applies to these data centers running the BCMP tool for the European Union-U.S. A complete and actionable set of procedures is in place to facilitate rapid recovery from incidents of data corruption.
Cautions
  • EMC (RSA) had the third lowest customer reference scores, with six out of 18 metrics coming in below average on a scale of 1 (extremely dissatisfied) to 7 (extremely satisfied). Its lowest scores were in ongoing software development activities and in innovation and customer service. It also was one of two vendors with the lowest product implementation professional services score.
  • The EMC (RSA) GRC platform is a more complicated tool than a BCMP pure-play tool. It has its own terminology that needs to be understood before any changes are made — for example, a plan is considered a record, a new database table is considered an application and a plan approver is considered a reviewer. All customization is done through the RSA Archer Application Builder wizard, which is not as easy as some of the pure-play customization capabilities. Printing a recovery plan, the results of a risk assessment, a BIA, an exercise report or a C/IM after-action report requires the use of Microsoft Office Mail Merge. Workflow notification setup is not easily edited. At the time of the evaluation, there was no visualization support for dependency mapping. C/IM support and exercise management are through EMC (RSA's) separate incident management module at an extra charge. There is no recovery plan invocation timeline.
  • EMC (RSA) does not offer SMB or nonprofit pricing discounts.
  • The vendor's contractually guaranteed service level for system availability is lower than the median at 99.5%. Its recovery point objective (RPO) is long at 48 hours. There are no BCM or information security certifications for its data centers running the BCMP tool. Neither recovery plans nor recovery test results are made available to prospects or customers, per EMC's corporate policy.

Fusion Risk Management

The Fusion Framework Risk Management & Contingency Planning System (Fusion) BCMP tool version evaluated for this Magic Quadrant was 1.5; the current version is also 1.5. The vendor's implementation size sweet spot is for organizations with 1,000 employees that want a strong customization capability as well as BCM program management. Its position as a Leader is due to its strong product innovation, customer experience and operations, but its revenue growth rate and sales execution/pricing were lower than other Leaders.
Strengths
  • Fusion had the highest customer reference and operations score of all vendors in this report. Customer references report a very good product/operations performance score and a very high product implementation professional services score.
  • The Fusion BCMP tool has very easy navigation. It also has excellent drag-and-drop configurability, as well as excellent customization for all aspects of the tool. Data import for resource loading options is comprehensive through Force.com, which is Fusion's underlying application development platform. There are excellent dashboarding, graphics and reporting capabilities, as well as very flexible risk assessment and a BIA capability. Fusion is the only vendor to support residual risk, to track resource requirements over time and to track color-coded process categories by criticality. It has a built-in private social media functionality through Salesforce Chatter. The vendor's workflow supports 99 levels of actions. It has very strong access control at all levels of the tool, including field-level permissions, and roles can be created by the customer. Shibboleth-based single sign-on is supported.
  • Fusion offers multiyear, SMB and nonprofit pricing discounts, as well as a light-usage user price point.
  • Native mobile device apps are available for the Android and iOS in online mode only by using the Salesforce1 mobile app suite. Interactive C/IM is supported through the mobile app. Notifications can be sent directly from the mobile app.
  • Fusion uses five salesforce.com production and recovery Tier 3 data centers — which act as primary and backup sites for each other — located in the U.S. and Japan. Salesforce.com, which is Fusion's partner, is also ISO/IEC 27001:2013-certified, and it has obtained a SOC 3 audit attestation, a Safe Harbor certification for European Union-U.S. and Switzerland-U.S., and a moderate Authority to Operate (ATO) rating for the FISMA NIST SP 800-53 audit.
Cautions
  • Fusion had a lower-than-average number of new contract signings in 2013.
  • Because Fusion is an application service built on the salesforce.com cloud platform, the only delivery model it supports is shared multitenant. In addition, although the Force.com application development platform provides flexibility, it also introduces complexity, because the application operations environment is not under the direct control of Fusion.
  • Fusion does not support visualization for dependency mapping. Its C/IM and exercise management support are orchestration only — the tool does not pull in all plan procedures/tasks for tracking during the invocation of a plan.
  • Fusion had a slightly lower-than-average price point comparison score. It does not offer industry discounting.
  • Its contractually guaranteed service level for system availability is 99.9%.

Global AlertLink

The Global AlertLink BCMP tool version evaluated for this Magic Quadrant was v.7.7.2; the current version is v.7.7.8. The product is offered in the following delivery models: on-premises, hybrid, dedicated hosted solution, and shared multitenant with a dedicated client application instance and dedicated client database instance. Global AlertLink did not provide revenue-by-industry information. Its implementation size sweet spot is for organizations with more than 5,000 employees that want a strong suite offering, including BCMP, EMNS and C/IM. Global AlertLink's position as a Leader is due to its strong product innovation and current product capability, revenue growth rate, and customer experience; however, because it did not provide information regarding customers by organization size or industry alignment, its market responsiveness/record was lower than other Leaders.
Strengths
  • Global AlertLink had the second highest product capability score in this report. Customer references report good product/operations performance and product implementation professional services scores.
  • Its average three-year revenue growth rate was the second highest in this report.
  • Global AlertLink is the only vendor that has an internally developed BCM software suite offering for BCMP, EMNS and C/IM.
  • Its BCMP tool's navigation is excellent. The vendor has a recovery plan guide wizard built through its visual modeler that steps plan administrators and other users through the risk assessment, BIA and recovery plan creation process. This is also the vendor's main way of delivering workflow with built-in review and approval steps. Page and report layouts can be customized through drag-and-drop. It support risks, RTO and criticality rating calculations. It has one of the best reporting capabilities and one of the best dependency mapping capabilities with interactive RTO, risk and other data points aligned with dependencies. C/IM functionality is excellent, as is interactive recovery plan task management. The vendor has very strong access control functionality — that is, user group assignments can be directly imported from LDAP, and roles can be created by the customer. Global AlertLink is the only vendor to use OpenID Connect-based single sign-on, which is a more advanced form of SAML.
  • Global AlertLink had the third best price point comparison score. It offers multiyear and nonprofit pricing discounts.
  • Global AlertLink has 13 production and 11 recovery Rackspace data centers — the largest number in this report — located in the U.S., the U.K. and Asia/Pacific, plus partners for sites in Canada, Europe, Asia/Pacific and Russia. Global AlertLink has obtained certification under ISO 22301:2012 for its data centers running the BCMP tool. It also has ISO/IEC 27001:2013 certification, ISAE 3402/SOC 2 audit attestation, and Safe Harbor certification for the European Union-U.S. and Switzerland-U.S. for its BCMP tool data center operations. It is an approved NIST hosting provider. Its contractually guaranteed service level for system availability is 99.99% (better than the median). The maximum number of concurrently supportable users is unlimited.
Cautions
  • Global AlertLink did not provide a complete three-year road map due to concerns over the security of the information.
  • It does not offer industry discounting.
  • Its BCMP tool does not support visualization on risk assessment, BIA and dashboards.
  • Mobile device access to recovery plans is limited to a Web browser.
  • Global AlertLink provided no details on the specifics of data center failover to an alternate facility.

LockPath

The LockPath BCMP tool version evaluated for this Magic Quadrant was Keylight v.4.0; the current version is also v.4.0. The product is offered in the following delivery models: on-premises and multitenant with a dedicated client database instance for each client. A GRC vendor, LockPath has moved into the BCMP space due to customer demand. Its implementation size sweet spot is for organizations with more than 5,000 employees that want a streamlined GRC tool that includes BCM planning functionality. LockPath's position as a Niche Player is due to its lower current product capability, revenue growth rate and sales execution/pricing.
Strengths
  • Customer references report a good product/operations performance score and a high product implementation professional services score.
  • It has strong and easy navigation. Configuration also is easy; LockPath has a concept of a dynamic content framework for creating new database objects and fields. Calculated risk and criticality ratings are supported. It offers good visualization support for BIA data and dependency mapping, and good dashboarding on the tool's home page with external links for weather and so on. LockPath's workflow is very good and flexible with a unique serial or asynchronous execution capability. Its recovery plan procedures display via a grid, which is a unique feature; note that a procedure is not a task — tasks are handled via lists in an attachment. It has very strong access control functionality — that is, user group assignments can be directly imported from LDAP, and roles can be created by the customer. LockPath has strong compliance and control management support for BCM standards/frameworks, including FFIEC, HIPAA, ITIL V3 and FEMA NIMS/ICS.
  • LockPath offers multiyear and SMB pricing discounts.
  • LockPath has 12 production data centers and nine recovery partner data centers — acting as primary and backup sites for each other — located in the U.S., the U.K., Europe and Singapore. Its measured uptime over the past 12 months has been 99.98% (better than the median). LockPath indicated that some of its partners have ISAE 3402/SOC 2 audit attestations for their BCMP tool data center operations, but it did not specify which partners had which assignments.
Cautions
  • LockPath had a lower-than-average number of new contract signings in 2013. Its average three-year revenue growth rate was below average because it only started selling the BCMP capability in 2013, and, therefore, did not have a three-year revenue range to include in the calculation.
  • There are no out-of-the-box report templates. C/IM is only event management — it is not interactive for plan invocation, and LockPath does not have a recovery plan task timeline. In addition, C/IM is a separate module at an additional charge. Exercise management is orchestration only. Even though LockPath has a strong policy compliance capability, it does not support ISO 22301:2012.
  • LockPath had the lowest price point comparison score in this report. It does not offer industry discounting.
  • Mobile device access to recovery plans is limited to a Web browser.
  • LockPath does not provide contractual guaranteed service levels. It has no BCM certification for internal operations or its data centers running the BCMP tool. Recovery test results are not currently audited by an external third party.

MetricStream

The MetricStream BCMP tool version evaluated for this Magic Quadrant was MetricStream 6; the current version is 6.1. The product is offered in the following delivery models: on-premises, shared multitenant, dedicated client application instance and dedicated client database instance. MetricStream did not provide 2013 revenue, revenue by industry or new deal signings in 2013. It is one of only two vendors to report future support for Google Glass in its three-year product road map. A GRC vendor, it has moved into the BCMP space due to customer demand. Its implementation size sweet spot is for organizations with more than 5,000 employees that want a GRC platform (with BCMP functionality) that is strong in BCM program management, C/IM and visualization. MetricStream's position as a Leader is based on its excellent product innovation, current product capability and geographic strategy, and strong customer experience; however, its revenue growth rate and sales execution/pricing were lower than other Leaders.
Strengths
  • MetricStream had the highest current product capability and geographic strategy scores, and the second highest innovation score, in this report. Customer references report a good product/operations performance and very good product implementation professional services scores.
  • It has excellent navigation. Page, recovery plan and report layouts, and database drag-and-drop customization, are done by the customer through its Form Designer wizard. MetricStream has an excellent risk assessment capability with a very nice visual geographic representation of risk. Its BIA capability does automatic scoring if required as well as cumulative criticality scoring. MetricStream is one of two vendors that has RTO/RPO dependency mapping capabilities. Dependencies are managed via its business process modeler and shown in multiple views. Very strong workflow management supports drag-and-drop workflow creation and updating. Using MongoDB for unstructured and big data analysis, MetricStream has the best data analytics engine of all the vendors in this report (including excellent graphics for dashboarding with drill-downs). Its C/IM module has excellent functionality, including real-time task tracking status, a recovery plan invocation timeline in Gantt chart format, and exercise management support. It has an issues management capability with a heat map showing gap, risk and outstanding issues. It also has very strong access control functionality — that is, user group assignments can be directly imported from LDAP, and roles can be created by the customer. MetricStream has very strong compliance support for BCM standards/frameworks, including FFIEC, ISO 22301:2012 and ITIL V3.
  • MetricStream offers multiyear, industry and SMB pricing discounts. Its user naming approach is based on full product usage users versus light product usage users.
  • Native mobile device apps are available for the Android and iOS in online and offline modes. Interactive C/IM task management is supported. Attachments for evidence or other purposes are supported. Data is encrypted in the mobile device app.
  • MetricStream has seven production and six recovery Tier 4 partner data centers located in the U.S., the U.K., Europe, the Middle East and Singapore. It has certification under ISO 22301:2012 for data center operations. It also has the following data center certifications and attestations: Safe Harbor certification for European Union-U.S., ISO/IEC 27001:2013, HIPAA, FISMA and DIACAP. Each customer's data is on its own server(s). Physical, application and network security schemes prevent customers from accessing data other than their own.
Cautions
  • Customers report that MetricStream's weakest performance is in product training, technical support and documentation.
  • Its average three-year revenue growth rate was slightly below average.
  • MetricStream's BCM application is built and deployed on its GRC Platform; it is not a stand-alone BCM-specific module. Its GRC Platform is a more complicated tool than a BCMP pure-play tool, and, although highly configurable, it requires more training and technical skills than the average BCMP tool.
  • MetricStream had the second lowest price point comparison score.
  • Its contractually guaranteed service level for system availability is lower than the median at 99.5%.

Modulo

The BCMP tool version evaluated for this Magic Quadrant was v.8.4; the current version is also v.8.4. The product is offered in the following delivery models: on-premises (the majority of Modulo's customers fall into this delivery model), dedicated client application instance and dedicated client database instance. Modulo's average three-year revenue growth rate was average. Modulo is one of only two vendors that reports in its three-year road map to have plans to support Internet of Things (IoT) devices in BCMP planning (for example, sensors, video surveillance devices and others). As a GRC vendor, it has moved into the BCMP space due to customer demand. Its implementation size sweet spot is for organizations with 1,001 to 5,000 employees that want to add a good BCM planning capability along with strong situational awareness to their GRC offerings. Modulo is a Challenger due to its strong geographic strategy and current product capabilities; however, its sales execution/pricing, market responsiveness/record and customer experience were lower than other Challengers.
Strengths
  • Modulo had the second highest current product capability score in this report.
  • Modulo had the second largest number of new contract signings in 2013.
  • Page layout changes are customizable via a drag-and-drop capability. It has very good reporting options for risk assessment. RTO and criticality calculations are supported. Dependency mapping is shown in visualization mode. Modulo is the only vendor that has out-of-the-box production versus recovery asset assignments. It has very good workflow. Modulo has the best reporting, dashboarding and visualization support, delivered via the GRC Intelligence module through integration with Microsoft's Power View tool, which is available for an added fee. It has excellent C/IM functionality — its tool was selected for use by the Brazilian government for Smart Cities management. Modulo's C/IM capability supports interactive task tracking during plan invocation; it has a unique recovery timeline showing the best and worst possible outcomes, and it supports geocoding of assets through Google Maps, Esri, OpenQuest and Maplink (available for Brazilian locations only). Modulo has a very granular access control capability — that is, user group assignments can be directly imported from LDAP, and roles cannot be created by the customer, but permissions can be modified. Shibboleth-based single sign-on is supported. Modulo has very strong compliance support for BCM standards/frameworks, including FFIEC, HIPAA and ISO 22301:2012.
  • Modulo offers multiyear pricing discounts.
  • Modulo has three production partner data centers located in the U.S., South America and Asia/Pacific. It has two recovery partner data centers located in the U.S. and South America. Its contractually guaranteed service level for system availability is the highest of all vendors at 99.999%. Data from the Asia/Pacific data center is replicated to the U.S. production data center. Modulo has ISO/IEC 27001:2013 certification for its data center operations.
Cautions
  • Modulo had the lowest customer reference scores, with 12 out of 18 metrics coming in below average on a scale of 1 (extremely dissatisfied) to 7 (extremely satisfied). The vendor's lowest scores were on customer service and support, and on ease of implementing new software releases/version upgrades. It also was one of two vendors with the lowest product implementation professional services score.
  • As a GRC vendor, Modulo does not have a purpose-built, BCM-specific product; rather, it offers a BCM module that is integrated with the core GRC platform. It should be noted that Modulo does not intend to be a pure-play BCMP tool vendor. Its BCMP tool's administrative navigation is very technical, more so than other BCMP tools. The offline report editor adds extra steps to report creation. In order to capture the latest data changes, you must "publish" a new recovery plan for the plan to be updated. On the other hand, this step ensures the preservation of prior data field values.
  • Mobile device access to recovery plans is limited to a Web browser.
  • Modulo's pricing model, based on the number of "assets," is different from all other BCMP vendors' models. Modulo has a slightly lower-than-average price point comparison score. It does not offer industry pricing discounts.
  • It has no BCM certification or privacy assignment for its data center operations.

Phoenix

The Phoenix BCMP tool version evaluated for this Magic Quadrant was 4.3; the current version is 4.4. The product is offered in the following delivery models: on-premises, hybrid, shared multitenant, dedicated client application instance and dedicated client database instance. Phoenix has the second largest implementation of reported vendors, with a customer having more than 50,000 employees and 15,000 recovery plans. Phoenix's implementation size sweet spot is for organizations with up to 1,000 employees that want a solid BCM planning tool. Phoenix's position as a Niche Player is due to its lower product innovation and current product capability, revenue growth, and sales execution/pricing.
Strengths
  • Customer references report good product/operations performance and very good product implementation professional services scores.
  • Its BCMP tool's navigation is very easy. Phoenix has a unique feature in that drag-and-drop can be used to form relationships between database objects. There is very good risk assessment and a BIA capability, including support for risk and criticality ratings calculations, and also color-coded gap analysis and good reporting options. Also, drag-and-drop can be used to assign dependencies. Phoenix has a unique "RTO policy" concept that allows the customer to create different impact levels by region, business unit, regulation and so on. Recovery plan and report templates can be customized by the customer. Phoenix has a BCM program and recovery plan management dashboard, including external-link support on the overall BCM portal, but separate from the Shadow-Planner module. The vendor's work area recovery module is unique and robust, with a detailed allocation of people and other recovery resources, including an interactive floor plan layout. Phoenix has a built-in "EMNS lite" capability.
  • Native mobile device apps are available for the BlackBerry and iOS in online and offline modes. Notifications can be sent directly from the mobile app.
  • Phoenix has four production and recovery data centers — each acting as primary and failover sites for each other — located in the U.S. (partner), the U.K. (Phoenix) and Europe (partner). Phoenix has obtained certification under ISO 22301:2012 for its internal operations. Because it is a European firm, Phoenix must comply with the EU Data Protection Directive for data center operations. It also has ISO 20000-1 and ISO/IEC 27001:2013 certifications for its BCMP data center operations.
Cautions
  • Its vendor demo was conducted through an orchestrated process, not the live tool; therefore, its demo score was significantly downgraded. All other vendors performed their demos in real time using a live instance of their BCMP tools.
  • Its average three-year revenue growth rate was slightly below average.
  • There is no visualization support for dependency mapping. Workflow is limited to two steps and requires vendor intervention to add additional steps if needed by the customer. However, each component can have its own workflow attached to it with its own approval process. Currently, there are two reporting options: Jasper, an open-source reporting tool, and Microsoft Office. All reports are customizable when using Microsoft Office, not when using Jasper. C/IM is not interactive; it is mainly support for postincident reporting. Exercise management is orchestration only. Encryption for data at rest is not supported. Phoenix does not support any specific BCM standard/framework out of the box. Its three-year product road map is not as clearly defined for strategy or specifics as the road maps of its competitors.
  • Phoenix had a lower-than-average price point comparison score. It offers multiyear pricing discounts, but only for a five-year term versus the typical three-year term. It does not offer industry pricing discounts.
  • Its contractually guaranteed service level for system availability is lower than the median at 99.9%. There is no Safe Harbor certification for its data centers running the BCMP tool.

Quantivate

The Quantivate Business Continuity BCMP tool version evaluated for this Magic Quadrant was 4.2; the current version is also 4.2. The product is offered in the following delivery models: on-premises and a SaaS solution with a dedicated client application instance and a dedicated client database instance for each client. A pure-play BCMP vendor, Quantivate has moved into the GRC space. Its implementation size sweet spot is for organizations with up to 1,000 employees that want a solid BCM planning tool as well as a GRC tool. Quantivate's position as a Challenger is due to its strong revenue growth rate and marketing execution, and to its good sales execution/pricing and customer experience; however, it has a lower current product capability and lower operations than other Challengers.
Strengths
  • Customer references report a good product/operations performance and very good product implementation professional services scores.
  • Its average three-year revenue growth rate was above average.
  • Quantivate Business Continuity's navigation and configuration are very good. Page and report layouts are customizable via drag-and-drop. Quantivate has very good risk assessment and a BIA capability, with support for risk and criticality ratings calculations and RTO gap identification. Quantivate has very good reporting and graphics for risk assessment, good reporting for BIA via Word documents, and good dashboarding. Quantivate's workflow capability is very good. The C/IM module supports FEMA NIMS/ICS and Hospital Incident Command System (HICS), it has interactive task management, and it integrates with Google's crisis response capability. Quantivate has strong support for BCM standards/frameworks (plan or report templates out of the box), such as FFIEC, HIPAA and HICS, and NFPA 1600:2013. It offers free recovery plan conversion services.
  • Native mobile device apps are available for the Android and iOS in online and offline modes. Users can be notified via push technology to sync their plans.
  • Quantivate had a better-than-average price point comparison score. It offers multiyear pricing discounts with a better-than-average discount percentage. It also offers nonprofit pricing on a case-by-case basis.
  • Quantivate's partner data center operations have SSAE 16 Type II/SOC 2 audit attestations. The average problem report response time is approximately 30 minutes. Urgent or critical requests must be responded to immediately by the on-call support technician.
Cautions
  • Visualization support for BIA reporting and dependency mapping is not supported. There is no recovery timeline in the C/IM capability. Quantivate's access control functionality is not as strong as its competitors'; roles cannot be created by the customer, and there isn't an approver role.
  • It does not offer industry pricing discounts.
  • Quantivate has only one production partner data center located in Chicago, and one recovery partner data center located in Dallas. Its contractually guaranteed service level for system availability is lower than the median at 99.9%. There are no BCM certifications for its data centers or privacy assignments. Operations failover to the secondary data center site is not contractually guaranteed.

RecoveryPlanner

The RecoveryPlanner BCMP tool version evaluated for this Magic Quadrant is version RPX 24.101; the current version is RPX 24.103. The product is offered in the following delivery models: on-premises and SaaS, with a dedicated client database instance. The vendor's implementation size sweet spot is for organizations with up to 1,000 users that want a strong BCM planning tool. RecoveryPlanner's position as a Leader is due to its strong sales execution/pricing, market responsiveness/record and customer experience, and to its good product innovation; however, it has a lower current product capability and a lower revenue growth rate than other Leaders.
Strengths
  • RecoveryPlanner had the second highest market responsiveness/record score in this report. Customer references report a very good product/operations performance score. They also report that RecoveryPlanner is one of three vendors with the highest product implementation professional services score.
  • RecoveryPlanner had the third largest number of new contract signings in 2013.
  • Its BCMP tool's navigation is good. Page and report layouts can be customized via up/down buttons and cut and paste, respectively. Its BCM portal home page can be customized by the customer. There is good risk assessment with risk rating calculation support, risk survey completion without logging onto the system, and good reporting, including a risk heat map. There is a very good BIA capability (including restricting who can complete the BIA at the question level), an AIA capability and deeper IT DRM drill-down than its competitors, and reporting options. It has a good workflow wherein tasks can be exported to Microsoft Office calendar. Plan templates have sections that can be locked from being edited. Dependency mapping, although not presented in a visualization format, is very good with support for drill-downs and extensions into C/IM what-if modeling for all supported resources. There is very nice C/IM functionality, including interactive task tracking, a Gantt chart for recovery timelines, and file attachments support (for example, expense report attachments). Built-in voice emergency notification is available for an additional charge. Access control functionality is good; users can be limited to core product areas (BIA, risk assessment and so on) and/or particular functionality through a predefined BCMP tool role and a user template. RecoveryPlanner has very strong compliance module support for BCM standards/frameworks, including FFIEC, COOP, HIPAA and HICS, ISO 22301:2012, ITIL V3, NFPA 1600:2013 and FEMA NIMS/ICS. The vendor also has commercial banking, credit union and COOP editions.
  • A native mobile device app is available for iOS in online and offline modes. Notifications can be sent directly from the mobile app.
  • RecoveryPlanner had the second best price point comparison score. All RecoveryPlanner clients have an unlimited concurrent user license, which allows all their personnel to have access to RPX, regardless of role. RecoveryPlanner offers multiyear and the most industry pricing discounts.
  • RecoveryPlanner has four production and recovery Tier 3 active/active-configured partner data centers located in the U.S. and Canada (two on the East Coast and two on the West Coast), with each region acting as primary and failover for the other data center in that country via continuous replication. RecoveryPlanner's measured uptime over the past 12 months was 99.997%. RecoveryPlanner has SSAE 16 Type II audits for its U.S. and Canadian data centers, and ISAE 3402/SOC 2 audit attestation for its Canadian data centers running the BCMP tool. It also has Safe Harbor certification for European Union-U.S. and Switzerland-U.S. for its data center operations running the BCMP tool.
Cautions
  • Its average three-year revenue growth rate was below average.
  • If a page layout is changed, then the change only shows up in the exported data, not on screen or in the PDF report. Customers can't add dashboard components. If custom fields are used by the customer, then they must be selected separately from core tool fields.
  • RecoveryPlanner's contractually guaranteed service level for system availability is 99.9%, which is lower than the median.

Rentsys Recovery Services

The Rentsys Recovery Services' BCMP tool version evaluated for this Magic Quadrant was v.2.1.3, which is also the current version. The product is offered in the following delivery models: hybrid, shared multitenant, dedicated client application instance and dedicated client database instance. Rentsys is one of three vendors that plans to make the most enhancements to its BCMP tool — including its strong support for IT DRM — as reported in its three-year product road map. The vendor's implementation size sweet spot is for organizations with up to 1,000 employees that want strong IT DRM capabilities. Rentsys' position as a Niche Player is due to its lower product innovation, current product capability, revenue growth rate and operations.
Strengths
  • Customer references report that Rentsys is one of three vendors with the highest product implementation professional services score.
  • Its BCMP tool's navigation is good. Page layouts can be changed by the customer, but not via drag-and-drop. Risk assessment templates can be edited by the customer. BIA functionality is good and includes RTO conflict identification, an AIA capability (better than its competitors), good visualization support for process and application RTOs, and good dependency mapping. Rentsys provides very detailed recovery plan templates and BIA survey content. It has a unique best practices analysis report for BCM program management. It also has a very good C/IM capability, with interactive task tracking and good plan exercise management orchestration. A GIS capability is available, but not in use by any customer.
  • Rentsys had a better-than-average price point comparison score. It offers multiyear pricing discounts at an above-average percentage as well as SMB, nonprofit, and industry pricing discounts.
  • Rentsys has three production data centers located in the U.S. (including Reynolds and Reynolds [the parent company of Rentsys Recovery Services] and Rentsys headquarters) and one partner data center in Canada. It has two recovery data centers located on the U.S. East Coast and West Coast (Rentsys Business Recovery Center). Its contractually guaranteed service level for system availability is 99.99% (better than the median). Measured uptime over the past 12 months has been 100%.
Cautions
  • Rentsys had the second lowest customer reference scores, with nine out of 18 metrics coming in under 5.5 on a scale of 1 (extremely dissatisfied) to 7 (extremely satisfied). Its lowest scores were in backup/recovery/failover performance to the service-level agreement (SLA), and in ongoing software development activities and innovation.
  • Due to its acquisition of EverGreen Data Continuity, Rentsys' revenue growth in 2013 was lower than its competitors. As a result, its average three-year revenue growth rate was below average.
  • Data import for resource loading is only done through an Excel or CSV file import. No risk templates or report changes can be made by the customer, and no additional components (such as database tables and new fields) can be added to the tool. Support for changing the tool branding, terminology or help text can be done only by the vendor. Its risk calculation is hard-coded and cannot be changed by the customer. Workflow is limited to plan approval, is hard-coded and can't be changed by the customer. Dashboarding components can't be customized by the customer, and there are no BCM program analytics. Exercise management does not support interactive task tracking. Access control functionality needs improvement for flexibility and depth; the customer cannot create additional roles, although there are 16 out-of-the-box roles and the only permissions are read and write. Encryption of data at rest is not supported.
  • Mobile device access to recovery plans is limited to a Web browser.
  • It has no BCM, information security or privacy certifications. Contractually guaranteed service levels for system availability are not currently offered. Procedures for data center rollover to an alternate facility after an outage were not supplied.

Strategic BCP

Strategic BCP's BCMP tool version evaluated for this Magic Quadrant was ResilienceONE v.6.1.3; the current version is 6.1.4. The product is offered in the following delivery models: hybrid, dedicated client application instance and dedicated client database instance. Revenue numbers were not provided, but the percent change year over year was provided. Strategic BCP had the third largest implementation of reported vendors, with a customer having more than 100,000 employees and 3,000 recovery plans. Strategic BCP also had the third most complex implementation, based on the number of employees, plan administrators, business units/departments and locations, and recovery plans supported. It is one of only two vendors to report future support for Google Glass. Its implementation size sweet spot is for organizations with more than 5,000 employees that want strong BCM planning, BCM program management and C/IM functionality. Strategic BCP's position as a Leader is due to its strong product innovation, current product capability, revenue growth rate, sales execution/pricing, marketing execution and customer experience.
Strengths
  • Strategic BCP had the highest innovation score and the second highest customer experience score in this report. Customer references report a very good product/operations performance score. They also report that Strategic BCP is one of three vendors with the highest product implementation professional services score.
  • Its average three-year revenue growth rate was above average.
  • Its BCMP tool's navigation is very good. Some page layouts can be customized by the customer, but not all. Recovery plan and report templates can be customized via drag-and-drop. Strategic BCP supports very detailed business process mapping with its "Operation Blueprint" function. The vendor has a master resource and recovery schedule report that documents all aspects of BCM data that are managed by the tool. RTO conflicts are identified, and Strategic BCP is one of two vendors that has RTO/RPO dependency mapping capabilities. Workflow is flexible, and it is used to build a project management guide that manages task completion associated with risk assessment, BIA and plan management; projects currently in process are shown on the user dashboard, and sequential completion of the steps in the guide is not required because customized workflows are easily created. Strategic BCP's what-if modeling is the best of all BCMP tools. Its C/IM module is very good, with a question-based workflow built-in to guide the customer through C/IM execution tasks, interactive task management, real-time status reporting and plan exercising. The access control capability is very detailed; it includes restricting access to each screen of the system, and roles can be created by the customer. Strategic BCP has the best compliance support for BCM standards/frameworks through its "BCP Genome" offering, including FFIEC, ISO 22301:2012, ITIL V3, NFPA 1600:2013, FEMA NIMS/ICS and NIST SP 800-34.
  • Strategic BCP has one of the best mobile device apps reviewed for this report. The mobile device app supports Android, iOS and Windows in online and offline modes. Interactive C/IM is supported even in offline mode (status syncs to the core system once connectivity is re-established). People involved in tasks can be notified through the app.
  • Strategic BCP is one of only two vendors that offers flat-rate pricing for unlimited users. It had a better-than-average price point comparison score. It offers multiyear pricing discounts at an above-average percentage, as well as SMB and nonprofit pricing discounts.
  • Its contractually guaranteed service level for system availability is 99.99% (better than the median), with 99.999% available for an added fee. It has ISAE 3402/SOC 2 audit attestation, as well as Safe Harbor certification for European Union-U.S. and Switzerland-U.S. for its data centers running the BCMP tool.
Cautions
  • Strategic BCP had the fifth largest number of new contract signings in 2013.
  • Strategic BCP has little dashboarding and visualization throughout the tool, including risk assessment, BIA reporting and dependency mapping.
  • Strategic BCP uses only one partner production data center located on the U.S. West Coast, and uses one recovery data center (from Rackspace) that is located on the U.S. East Coast. There are no BCM certifications for its data center operations running its BCMP tool.

Sungard Availability Services

The Sungard Availability Services (Sungard AS) BCMP tool version evaluated for this Magic Quadrant was Assurance Continuity Manager (AssuranceCM) Release 3; the current version is Release 4. AssuranceCM is Sungard AS' replacement tool for LDRPS, which it will no longer market; however, it will support existing LDRPS customers as needed. AssuranceCM is offered in the following delivery model: shared multitenant with a dedicated client database instance per customer. Sungard AS has the largest implementation of reported vendors, with a customer having more than 300,000 employees and 15,000 recovery plans. This implementation was tied for the most complex implementation. Sungard AS is one of only two vendors that has plans to support IoT devices in BCMP planning (for example, sensors, video surveillance devices and others). Its implementation size sweet spot is for organizations with more than 1,000 employees that want a BCM planning tool based on the latest technology, and with a brand new and very committed product team. Sungard AS' position as a Leader is due to its strong sales execution/pricing, market responsiveness/record, marketing execution, customer experience and operations; however, its product innovation and current product capability are lower than other Leaders.
Strengths
  • Sungard AS had the highest market responsiveness/record, marketing execution and customer experience scores, and the second highest geographic strategy, sales execution/pricing and operations scores in this report. Customer references report good product/operations performance and good product implementation professional services scores.
  • Its average three-year revenue growth rate was slightly above average. Sungard AS has an excellent three-year product road map for the AssuranceCM tool.
  • Sungard AS' BCMP tool has an excellent UI and excellent navigation. Page layout is customizable via drag-and-drop. Data import for resource loading, supplied by Dell Boomi's AtomSphere application integration platform, is excellent and under the control of Sungard AS. Dashboarding and graphics are excellent. RTO gaps are identified. Recovery plan templates have the concept of a "locked field" so that standard text can be cascaded across all plans using those templates; however, templates for HICS and continuity of government/COOP are also available. Sungard AS has an in-line reporting engine with all fields (including those carried through from LDRPS, if applicable) available for reporting. Sungard AS has a very strong focus on situational awareness that supports data mapping, geocoding and Google Maps. It has an exclusive partnership and direct integration with Send Word Now for an EMNS capability. Its access control and role management functionality is the best in this report for depth and breadth. User group assignment can be directly imported from LDAP. Sungard AS is the only vendor to support OAuth, a more advanced form of SAML for single sign-on.
  • Sungard AS had a slightly better-than-average price point comparison score. It supports a light-usage user price point. It offers multiyear pricing discounts with the best percentage, as well as SMB, nonprofit and limited industry pricing discounts.
  • Sungard AS — the only vendor to own all its data centers involved in BCMP tool operations — uses five Tier 4 active/active-configured data centers, each acting as primary and backup for the others located in the U.S. and the U.K. It considers the company-owned data center arrangement to be a security advantage. Its contractually guaranteed service level for system availability is 99.99% (better than the median). Sungard AS has ISO/IEC 27001:2013 certification and ISAE 3402/SOC 2 audit attestations for these data centers. It is also FFIEC-compliant. Sungard AS' support center is HDI-certified. Sungard AS has implemented physical, technical and administrative safeguards, and has instituted internal processes controlled by its security group to enable Sungard AS to deliver the services in compliance with the obligations required of business associates, pursuant to HIPAA/HITECH. Its data centers are ISO 9000-certified, and it has Safe Harbor certification for European Union-U.S. and Switzerland-U.S.
Cautions
  • There is limited risk assessment, BIA and workflow capability compared with its competitors. Although it supports situational awareness, it does not support full-fledged C/IM or exercise management.
  • At the time of the Magic Quadrant analysis, its mobile device app plan access was available only through a mobile Web browser. However, the Send Word Now relationship now provides mobile-device-specific apps.
  • It does not offer industry pricing discounts.1

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

The following vendors have been added to this year's Magic Quadrant: ClearView Continuity, Global AlertLink and LockPath.

Dropped

Business Protector (now Metric One) and Virtual Corporation were dropped because we did not have sufficient information to complete an evaluation of them for this report.
Factonomy was dropped from this Magic Quadrant because it could not supply the five required customer references.

Inclusion and Exclusion Criteria

Inclusion in this Magic Quadrant was based on the following criteria:
  • The product must meet the Gartner definition of a BCMP tool (see "Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2014").
  • The BCMP tool must have been generally available as of 28 February 2014.
  • The BCMP tool must be developed, sold and implemented in small, midsize, large and enterprise-size organizations.
  • Products must be deployed in at least 10 customer production environments (preferably one from North America, one from EMEA and one from the Asia/Pacific region).
  • Each vendor must supply at least five references that are available to be contacted.2
Exclusion was based on the following criterion:
  • The vendor's BCMP tool was developed and used primarily for small businesses.
  • Value-added resellers and product distributors that sell a BCMP tool were excluded.
Twenty-two enterprise-level U.S. competitive vendor offerings were selected to be ranked. Nineteen companies returned the final vendor survey; one did not meet the inclusion criteria, and three did not provide a completed vendor survey or additional information for us to do a thorough analysis of them in 2014.3
After reading this Magic Quadrant report, consider the merits of all the BCMP vendors we have reviewed. These vendors have met inclusion criteria that ensure their products and services will meet the needs of most buyers. However, don't dismiss vendors that are not included here if they are a better match for your use cases. Give consideration to partnerships between BCMP and other vendors that are already in your portfolio.

Evaluation Criteria

Ability to Execute

Ability to Execute considers the vendor's ability to provide a BCMP tool that meets customer feature/function requirements, as well as the vendor's ability to operate the tool with a high level of service guarantee and customer support.
Product or service compares the completeness and appropriateness of the vendor's current BCMP technology capability.
Overall viability considers vendors' demonstrated success in the market by comparing each one's average three-year revenue growth rate percentage between 2010 and 2013 to the median of 16%.
Sales execution/pricing compares the depth, breadth and strength of a vendor's internal and external sales channels.
Market responsiveness/record is the ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change.
Marketing execution assesses the clarity, quality, creativity and efficacy of programs that are designed to deliver the organization's message to influence the market, increase awareness of the products, and establish a positive identification with the product/brand and the organization in the minds of buyers.
Customer experience considers SLA guarantees, the vendor's customer support and service process, the preparedness and completeness of the vendor demo to Gartner analysts, and feedback from vendor references and Gartner customers.
Operations is the organization's ability to meet its goals and commitments in operating its BCMP tool in a vendor-hosted delivery model. Factors include data center operations, geographic distribution of production and recovery data centers, and data center certifications and attestations.
Table 1. Ability to Execute Evaluation Criteria
Evaluation Criteria
Weighting
Product or Service
High
Overall Viability
Medium
Sales Execution/Pricing
Medium
Market Responsiveness/Record
Medium
Marketing Execution
Medium
Customer Experience
High
Operations
High
Source: Gartner (August 2014)

Completeness of Vision

Completeness of Vision considers the vendor's ability to show a commitment to BCMP technology developments in anticipation of user wants and needs.
Market understanding is ranked through observation of the degree to which a vendor's products, road maps and missions anticipate leading-edge thinking about buyers' wants, needs and challenges.
Marketing strategy is ranked through observation of the vendor's clear, differentiated set of messages that is consistently communicated to prospects and customers, as well as through examples of the vendor's brand awareness and marketing efforts.
Sales strategy examines the vendor's strategy for selling products globally; this also examines its partnerships within the BCM marketplace as well as in complementary markets.
Offering (product) strategy is ranked through an examination of the product road map, the vendor's BCM industry participation, the product upgrade deployment strategy, and high-level BCM component coverage of the vendor's BCMP tool.
Business model is ranked on the soundness and logic of the vendor's underlying business proposition for being and remaining a BCMP vendor.
Vertical/industry strategy assesses the vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual industry and market segments.
Innovation assesses the vendor's direct, related, complementary and synergistic layouts of resources, expertise or capital for investment to deliver a BCMP tool to the market.
Geographic strategy examines the vendor's strategy to direct resources for customer service, management, and technical and professional services to meet the specific needs of geographies outside the home or native geography, directly or through partners.
Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria
Weighting
Market Understanding
Medium
Marketing Strategy
Medium
Sales Strategy
Medium
Offering (Product) Strategy
Medium
Business Model
Medium
Vertical/Industry Strategy
Medium
Innovation
High
Geographic Strategy
Medium
Source: Gartner (August 2014)

Quadrant Descriptions

Leaders

Leaders have products that work well for Gartner clients in midsize and large deployments. As firms, they excel in the combination of market understanding, product features and functions, and overall viability. Their BCMP tools may be well-known to clients and frequently found on RFP shortlists, and they have a presence at tradeshows.

Challengers

Challengers have competitive visibility and execution success that is better developed than Niche Players. Challengers offer all the core features of BCMP, but typically their vision, road maps and/or product delivery or component mix are narrower than Leaders'. Challengers may have difficulty communicating or delivering their vision in a competitive way outside their core industry sectors.

Visionaries

Visionaries make investments in broad functionality and platform support, but their competitive clout, visibility or market share don't reach the level of Leaders. Visionaries make planning choices that will meet future buyer demands, and they assume some risk in the bargain because ROI timing may not be certain. Vendors that pursue visionary activities will not be fully credited as Visionaries if their actions are not generating noticeable competitive clout, and are not influencing other vendors. There was little activity in this quadrant in 2013 (see "Magic Quadrant for Business Continuity Management Planning Software") and none this year. In general, companies that have very good vision and execute strongly become Challengers or Leaders.

Niche Players

A Niche Player ranking is assigned when the product is not widely visible in competition, and when it is judged to be relatively narrow or specialized in breadth of functions and platforms. A Niche Player may also be a vendor whose ability to communicate vision and features does not meet Gartner's prevailing view of competitive trends. BCMP Niche Players include stable, reliable and long-term players. Some Niche Players work from close, long-term relationships with their buyers, in which customer feedback sets the primary agenda for new features and enhancements. This approach can generate a high degree of customer satisfaction, but also results in a narrower focus in the market (which would be expected from Visionaries).

Context

This BCMP tool Magic Quadrant is a market snapshot that ranks vendors according to competitive buying criteria. Vendors in any quadrant, as well as those not ranked on the Magic Quadrant, may be appropriate for your enterprise's needs and budget. Every organization should consider BCMP software as part of its BCM program, so that managing availability and recovery risk are handled according to the needs of the organization before, during and after it has incurred a business interruption.
Readers should be aware of changes to this Magic Quadrant report compared with the 2013 version. In this 2014 iteration, we focus more on product innovation, product features/functions, customer experience, and BCMP tool data center operations. Therefore, the weights for these four evaluation criteria were higher than the other criteria. Also, the vendor survey was completely redone from the 2013 version and included questions for all evaluation criteria (instead of just eight from the 2013 version). Of particular note is that innovation and BCMP tool data center operations became their own criteria in 2014, rather than being part of offering (product) strategy and product or service, respectively, in 2013. Therefore, this year's Magic Quadrant is not a direct comparison to the 2013 iteration.

Key Scoring Guidance

Below, we provide our approach to scoring the vendors' capabilities in key areas. We do not report scoring for all questions in the completed vendor survey:
  • Overall scoring was based on evaluation criteria (noted in the Evaluation Criteria section above) that assessed the overall vendor as an organization, as well as its BCMP tool capabilities and operations.
  • Extra consideration was given to vendors that had enhanced visualization of recovery data.
  • Extra consideration was given to vendors that had strong dashboarding, BCM program management and recovery plan orchestration.
  • Here is the component scoring approach:
    • The more BCM components included in the BCMP tool, the higher the score for BCM software suite completeness.
    • Vendors that saw BCMP as part of GRC were scored higher in the Offering (Product) Strategy section.
    • Due to the growing focus on C/IM, BCMP tools that offer the following capabilities were rated higher than their competitors:
      • Analysis and visualization of BCM program information
      • Application integration
      • Interactive exercise management and C/IM using the plan action items from the planning side of the tool
      • Notification (reminders to take an action, such as updating a BIA or plan [personal assistance] as well as messaging during an actual disaster)
      • A situational awareness capability through the use of GIS, geospatial and other real-time data analysis, and data source integration
  • Financial viability was scored based on each vendor's position in relation to the median percentage of the average three-year revenue growth rate of 16%.
  • Mobile device support for recovery plan access, C/IM and crisis communications is becoming a necessary capability for BCMP customers. It alleviates the need for a paper plan, and the most current version of a plan can be pushed out to the device as it is updated. Many BCMP customers are not ready for this capability, but Gartner considers it an innovative feature. Mobile device support was scored as follows:
    • No points were given for Web-browser-only access because this is considered a basic inclusion requirement. All vendors' BCMP tools can be accessed via a browser on the mobile device, with full access as defined by the user profile in the main system. Some vendors see mobile-browser-only access to recovery plans as a security advantage, because no customer data persists on a mobile device. We do not for the following reasons: (1) If there is no Internet access available, then recovery plans cannot be accessed via the mobile device; (2) if the organization is using enterprise mobility management software, then security concerns may be addressed; and (3) users prefer local apps that can take advantage of all usability features on a device.
    • The application has been optimized for mobile device access, such as using HTML5.
    • Native device app support was scored higher than Web-browser-only access, with more points given for more devices supported.
    • Extra consideration was given for a native device app that could access recovery plans in offline mode (they are cached in the app).
    • No extra consideration was given if the plans were downloaded to the device, but not integrated with the vendor's mobile device app.
    • Extra consideration was given if the native device app supported interactive C/IM actions.
    • Extra consideration was given if the native app supported notifications to contacts.
    • Extra consideration was given for mobile device apps that have encrypted recovery data. This issue helps to mitigate the risk of corporate data on a mobile device — a large concern for many organizations, and a reason why some choose to allow BCMP tool access only through a Web browser.
  • Ease of use was scored based on our experience from the vendor demos as follows:
    • How easy it was to navigate the system
    • If administrative and user interfaces are the same, and access to administrative functions is based on user profile access controls
    • How many ways help text can be managed in the tool, including whether customers can change the text based on their specific terminology needs (this data point was moved from the product or service evaluation criterion to the innovation criterion)
  • Ease of configuration and customization was scored as follows:
    • Through the execution of the vendor demo script, focusing on how the BCMP tool could be configured for customer branding, terminology and help text, recovery plan template and report configuration, risk assessment modifications, BIA modifications, application integration, and dashboarding.
    • Detailed responses to the vendor survey for the same vendor demo script categories noted in the above bullet.
  • Customer reference vendor satisfaction responses were scored in two ways:
    • Product-specific and company operational performance
    • Product implementation professional services

Market Overview

BCMP Market Profile

Coordinating, analyzing and managing large amounts of availability information are almost impossible to do without a tool. Therefore, the significant growth in the adoption of BCMP tools, as measured in our annual security and risk management survey, is an indication that organizations are recognizing the benefit of using these tools to help standardize and manage recovery plan development, and to manage the BCM program itself. The adoption rate of BCMP tools, as measured in our annual security and risk management surveys between 2010 and 2014, follows. Given the increased focus from government agencies, regulators and private-sector preparedness initiatives, we anticipate that adoption will continue to grow in the next five years to well over 51%:
  • 2010 to 2011: 24%
  • 2011 to 2012: 38%
  • 2012 to 2013: 42%
  • 2013 to 2014: 51%
Gartner's revenue estimates for 2011 through 2013 for the global BCMP market — including all vendors that meet our definition of a BCMP tool, not just those covered in this report (that is, approximately 30 vendors) — are based on vendor-supplied information, publicly available information, and projections based on our understanding of the market. Below, we present our revenue estimates by year and annual growth rate:
  • 2010: $100 million
  • 2011: $110 million (annual growth rate 10%)
  • 2012: $130 million (annual growth rate 18%)
  • 2013: $162 million (annual growth rate 24%)

Why Customers Are Using BCMP Tools

Based on the customer reference survey results, customers report that they use a BCMP tool for the following reasons:
  • Internal requirement to mature the BCM program: 33.0%
  • Complexity of plan management is growing and plans can no longer be managed in a manual mode: 24.3%
  • New management focus on BCM: 15.5%
  • Other: 10.7%
  • Regulatory requirement: 6.8%
  • Audit finding: 6.8%
  • Customer requirement: 1.9%
  • A disaster that exposed lack of recoverability readiness: 1.0%
The following are factors of importance to customers when choosing a BCMP tool vendor from their shortlists of providers. Note that the suite-buying approach was the third least important factor. The detailed results are below:
  • Functional capabilities: 6.56
  • Expected performance and/or scalability: 6.28
  • Demonstrated understanding of our business needs: 6.07
  • Innovative capabilities: 5.94
  • Pricing model and/or TCO: 5.86
  • Relevant industry experience: 5.84
  • Vendor reputation: 5.55
  • Quality of response to RFP or presentation of capabilities: 5.55
  • Project implementation methodology: 5.52
  • Perceived financial viability: 5.49
  • General IT risk management experience: 5.38
  • Proven successful implementation at peer organizations: 5.37
  • Viewed as a strategic partner: 5.12
  • Vendor offered a portfolio of other complementary solutions, such as EMNS or C/IM: 3.74
  • Previous experience with the product: 3.66
  • We already used other solutions from vendor: 2.72
We asked the vendors to identify the size of their implementations in two ways: plan administrator count and organization head count. Only a few vendors (as noted in their write-ups) don't track their implementations in this manner; however, most do and provided numbers. For implementations by organization head count, the percentages are so close in the top four levels that it is clear the large enterprise — 1,000 employees or more — is the typical BCMP customer. In each vendor write-up, we noted its "sweet spot" by organization size.

Percentage of Customers by Organization Head Count

  • More than 25,000 employees: 17%
  • 3,001 to 5,000 employees: 17%
  • 1,001 to 3,000 employees: 16%
  • 5,001 to 10,000 employees: 15%
  • 10,001 to 25,000 employees: 14%
  • Less than 50 employees: 13%
  • 501 to 1,000 employees: 12%
  • 101 to 500 employees: 11%
  • 51 to 100 employees: 7%

Use Case Analysis

The vendors were asked to identify the most common use cases that they see as drivers to the adoption of BCMP software. The analysis of their responses follows:
  • All vendors report that IT DRM is a core driver for using a BCMP tool, and many of them are reporting that it is increasing in influence as BCM and IT DRM program management become more aligned in the future. One concern with a few vendors' statements regarding the influence of the cloud and virtualization is that the IT DRM use case is decreasing in influence. This perspective is a concern for Gartner, because even if you outsource your IT, you still need an IT DRM plan, especially an IT DRM exercise plan with the outsourced IT vendor. Additional steps in an IT DRM plan might be as simple as, "call this person at the IT vendor" and "inform the business units to implement their business work-around plans" (that is, those plans that the department needs to continue without IT, to handle incoming transactions while IT is down, to deal with the backlog and so on).
  • Many vendors — not just the GRC primary vendors — report an increased desire to connect BCM efforts with the broader operational risk management discipline by leveraging the information and processes across BCM, IT DRM, C/IM, information security, operations risk, and other risk and compliance functions. Unless a vendor is using a GRC tool, the easiest way to integrate the BCM-related data is to do an export from the BCMP tool and import the data into a GRC/operational risk management tool.
  • All vendors report an increase in the C/IM use case. At its most basic request level, it includes only EMNS, but many vendors see the functionality as robust incident management along the lines of U.S. NIMS/ICS or another government emergency management standard; however, outside of government, such importance as a customer requirement is very low. An interesting industry data point is that convergence of BCMP and C/IM is growing in the manufacturing industry, where coordination with safety and operational programs is gaining momentum.
  • Supplier risk management or supplier contingency is a growing requirement as a BCMP tool function. However, the depth of support is split between two views: identifying and mapping suppliers through the BIA versus performing full supplier availability risk management, including the identification and mapping of suppliers, as well as analyzing single points of failure within the supplier network, due diligence on supplier BCM plans, and customer/supplier recovery plan integration for coordinated recovery efforts.
  • Other use cases include audit and issue management, exercise orchestration, and compliance management.
  • Pandemic planning is seen as a scenario and not a specific BCM discipline at this point in BCM program maturity. However, interest will dramatically spike when there is another influenza or other viral outbreak. Therefore, having a pandemic plan in place is a good preventive control.

Components of a BCMP Tool That Customers Think Are Important

Customer references ranked BCMP tool components according to their level of importance. We asked, "How would your organization rate the level of importance of the following BCMP-specific functionalities implemented for your BCMP implementation?" Not surprisingly, the BIA — the anchor tool for capturing recovery requirements — was the most important component, while recovery plan development and management was in second place. It is interesting that two operational functions (aka nontools) were in third (customer service support) and fourth (failover and backup/recovery capability) place. This last point indicates the increasing adoption of vendor-hosted implementations for the BCMP tool market. It is also interesting to note that resource modeling has the least importance of all functions. The detailed results are below, with the percentages listed in the order of high, medium and low:
  • BIA: 90%; 8%; 1%
  • Recovery Plan Development and Management: 88%; 12%; 0%
  • Customer Service Support: 84%; 16%; 0%
  • Failover and Backup/Recovery Capability: 83%; 18%; 0%
  • Emergency/Mass-Notification Functionality or Integration: 82%; 13%; 5%
  • C/IM Functionality or Integration: 80%; 17%; 4%
  • Management UI Usability/Ease of Use: 77%; 23%; 0%
  • SLA Commitment and Performance: 76%; 20%; 4%
  • Data Center Operations and Geographic Distribution: 75%; 25%; 0%
  • Dependency Mapping: 74%; 24%; 2%
  • Ease of Customization: 73%; 23%; 3%
  • Ease of Reporting: 71%; 29%; 0%
  • Key Risk Indicator Monitoring/Reporting: 69%; 31%; 0%
  • Recovery Plan Exercise Management: 69%; 26%; 5%
  • BCM Program Status and Effectiveness Metrics Reporting: 65%; 33%; 2%
  • Workflow: 60%; 33%; 6%
  • Mobile Device Access: 56%; 33%; 11%
  • Resource Modeling: 45%; 55%; 0%
Customers were also asked to rate their satisfaction level of component capability — on a scale of 1 (extremely dissatisfied) to 7 (extremely satisfied) — from their BCMP tool vendor. Below is a list of components, showing those that are most important (percent) compared to those with which the customer is most satisfied (decimal):
  • BIA: 90%; 6.08
  • Recovery plan development and management: 88%; 6.02
  • Customer service support: 84%; 6.70
  • Failover and backup/recovery capability: 83%; 5.85
  • Emergency/mass notification functionality or integration: 82%; 5.95
Clearly, the vendors have some work to do around:
  • BIA, which is the first most important function and the eighth in level of satisfaction. Based on our experience of client interest in best practices for conducting a BIA, this misalignment makes a lot of sense, and points to the frustration that BCM professionals have in creating and maintaining a viable BIA for their organizations.
  • Failover and backup/recovery capability is the fourth most important function, but the second least satisfied function from customer viewpoints.
  • Only 12% of the customer references reported that they integrate their BCMP tools with another BCM tool (for example, EMNS or C/IM). Of those, 75% integrate with EMNS tools, 25% with C/IM and 33% with "other" (multiple responses were allowed). The lower level for C/IM is likely because many BCMP tools already have a C/IM component and the customer is using it, or because the customer is not using automation at all for C/IM.
  • The focus on BCMP tool usage within the customer base is to simplify and reduce the cost of the BCM process/life cycle.

Delivery Model Profile

All vendors offer multiple delivery models. The specific model breakdown is as follows:
  • One hundred percent of BCMP vendors offer a vendor-hosted option. The specific option breakdowns follow below. Only two vendors, Phoenix and Sungard AS, offer their BCMP tools hosted in their own data centers; all others use third-party data center service providers for tool operations:
    • Multitenant delivery model: 74%
    • Dedicated application instance: 68%
    • Dedicated database instance: 84%
  • Sixty-three percent of vendors offer their BCMP tools in an on-premises delivery model.
  • Forty-two percent of BCMP vendors offer a hybrid delivery model (for example, the database or other component is on the customer side of the firewall).
Here is the breakdown by actual implementations:
  • Hosted at the vendor's facility: 85%
  • Internally managed by the customer: 14%
  • Hybrid implementation: 1%

BCMP Tool Pricing Analysis

As we did last year, we analyzed only vendor-hosted/SaaS-based BCMP tool pricing; some vendors offer on-premises pricing, but the majority of implementations are vendor-hosted/SaaS-based. BCMP vendor-hosted/SaaS-based pricing is a mix of options, including module pricing, user pricing, pricing based on the number of departments using the tool, pricing based on the number of recovery plans, pricing based on the asset value of the organization, setup fees and training fees — thereby making price point comparisons between vendors more complex than many other software products. Implementation fees (outside of setup fees) — which average 23% — are common, especially for application integration, product configuration and customization that the buyer does not want to do itself. Training fees apply for on-site training from most BCMP vendors. A few vendors offer free online training; a few others include it as part of their initial setup/implementation.
We computed the pricing score using the following three components:
  1. Pricing complexity: This includes the number of modules that are priced separately; pricing incentives (such as multiyear discount, industry discount, nonprofit pricing and SMB pricing); setup fee; training fee; user pricing complexity; the unique pricing options available; and other pricing considerations (such as report creation, custom workflow and application integration services fees). A vendor was given a lower score if it had more complex pricing.
  2. Price point comparison: This is the average pricing based on an organization's head count (less than 1,000 employees, 1,001 to 3,000 employees, and 3,001 to 10,000 employees). We also analyzed pricing for organizations with a head count of more than 10,000, but did not include that product pricing category in the price point comparison score. The more above the median price point the vendor was, the lower its score in this component.
  3. The percentage of a typical deal for product configuration and implementation services: The higher the percentage, the lower the score, because it can indicate that the BCMP tool is not as customer-customizable as another tool, or that the tool (especially GRC tools) is too flexible and requires more assistance from the vendor.
All vendors have a core system fee, with some charging extra for additional modules, such as risk assessment, BIA, supplier/vendor availability, GRC/operational risk management, mobile device application, and EMNS. EMNS is most often charged for separately because the BCMP vendor partners with a full-fledged EMNS vendor. Some BCMP vendors have basic notification capabilities (email, voice, SMS), but they do not compare to the full-fledged offerings.
User pricing models range from: (1) a single price, regardless of the number of users; (2) pricing based on the head count of the organization; (3) pricing based on named users, with some vendors considering read-only users and those who complete a BIA as named users — who get priced — while other vendors price these named users for free; (4) pricing based on plan administrators; (5) pricing based on product administrators; and (6) pricing based on "lite" or casual versus full product usage. If the vendor offers more than one user pricing option, then it is worth having quotes for each to find the least expensive option.
Multiyear discounting, industry discounting, nonprofit pricing and SMB pricing are incentives that some vendors offer to customers. Nonprofit pricing is often extremely discounted, and, in some cases (for example, life/safety and humanitarian aid organizations), it is offered to the organization for free.
Below are the median software subscription price points (based on a typical three-year contract) and implementation fees (not scored) for each category. The list displays head count, software fee and implementation fee:
  • Less than 1,000 employees: $23,700; $10,750
  • 1,001 to 3,000 employees: $40,000; $23,750
  • 3,001 to 10,000 employees: $55,700; $34,750
  • More than 10,000 employees: $69,000; $25,000

BCMP Tool Implementation Analysis

The main problems reported by customer references in their use of BCMP tools are as follows (multiple responses were allowed):
  • Internal lack of resources that can be dedicated to the product: 34.0%
  • No problem encountered: 34.0%
  • Internal politics: 19.4%
  • Inadequate training of users: 14.6%
  • Other: 14.6%
  • Complexity, cost or difficulties in version upgrades or migrations: 7.8%
  • Software bugs or unreliable technology: 6.8%
  • Difficult to implement and use: 6.8%
  • Difficult to integrate with other infrastructure tools or applications in our environment: 6.8%
  • Absent or weak functionality: 3.9%
  • Inability to support complex implementations: 3.9%
  • Difficult to get the vendor's multiple components/products working together: 1.9%
  • Inadequate performance and/or scalability: 1.0%
The total implementation budget for their BCMP tools — reported as percentages of customer references — is as follows:
  • Greater than $100,000: 29.1%
  • $25,000 to less than $50,000: 21.4%
  • $10,000 to less than $25,000: 16.5%
  • $50,000 to less than $75,000: 12.6%
  • Less than $5,000: 8.7%
  • $75,000 to less than $100,000: 7.8%
  • $5,000 to less than $10,000: 3.9%

BCMP Characteristics

  • There is a continued focus on ease of use; since most people developing recovery plans are not full-time BCM professionals, the BCMP tool must be intuitive with easy navigation. At the same time, it must provide depth and robustness for the BCM program manager to perform analysis and in-depth reporting of the overall BCM program, and across all lines of businesses or departments.
  • This year, there is a stronger focus on C/IM in a number of ways:
    • C/IM and exercise management are becoming highly important functions in the BCMP tool for large customers. Most vendors will create an "exercise incident" in the C/IM module for plan invocation exercising, instead of having two modules that manage incidents.
    • Situational awareness — including people management, GIS and geospatial integration, notifications to interested parties and stakeholders, hazard alerting, and so on — is being used to provide real-time information about the event for improved and more effective incident management.
    • When an actual disaster strikes, the BCMP tool already has the recovery plans and specific tasks to be completed, so it is the logical place for incident management to occur.
  • There is increasing interest in the use of mobile devices to access recovery plans and associated data, especially access for field personnel as part of their regular jobs or as members of a recovery team. There is not as much interest in mobile device access to the BCMP tool for administrative purposes.
  • The more progressive BCMP tools are moving away from a "plan document" approach for BCM planning to one that is focused on recovery data and analytics. When using a BCMP tool, one has to suspend the concept of seeing the entire plan on screen. Rather, the "plan" is a set of functionality/screens that a plan administrator completes.
  • While the focus on BCM program management is greatly needed, BCMP tools cannot abandon the recovery plan concept because, during an actual disaster, the information needs to be easily available to all recovery team members. It can be in the form of checklists, contact lists and so on, but the lowest common denominator must be a "printable" plan — whether on paper or in Word, Excel or PDF format.
  • In reality, the "data versus plan" controversy is really about being able to store the needed recovery data in a database so that it is available for a variety of purposes — one being plan generation, another being BCM program analytics. The truth is that most BCM planners still refer to their core recovery resource as a "plan," not a database table or section on a screen.
  • Reporting is still important, especially for recovery plan management and BCM program management. For example, BCM planners use reports to prioritize their workloads, to escalate the most critical gaps and to get internal sign-off/support for continuous resilience improvements/risk mitigations. Most vendors provide a reporting capability by exporting BCMP data to Excel spreadsheets. On the one hand, it seems like they provide a lot of flexibility to customers. On the other hand, it means that customers have to create the graphics and report format themselves. Some BCMP tools have graphics and report templates so that customers don't need to take on additional work to report on tool data. Progressive BCMP tools are extending reporting to include real-time dashboards that deliver traditional program status results as well as trend analysis.
  • Exercise management support in most BCMP tools lacks the combination of exercise workflow orchestration, automated run book script execution, and exercise task critical path analysis that is needed to most effectively improve exercise efficiency and effectiveness.
  • Product release time cycles have dramatically reduced for minor updates and enhancements, as well as for error corrections, due to agile development techniques. Major release cycles are still longer term — every six to 18 months was the range reported by vendors in this Magic Quadrant.
  • GRC tools have very broad risk management capabilities, and can perform most (if not all) BCMP needs. However, because of their broad and flexible framework — not being purpose-built for the BCM use case — they often require more time for the customer to configure than a pure-play BCMP tool. GRC tools are better at analysis, reporting, visualization and customization. BCMP tools typically have more content and depth of BCM functionality. Thus, it is easy to see how a pure-play BCMP tool can outperform the GRC tool when evaluating the ease of configuration and customization time.
  • It is not uncommon for customers to upload risk register information, employee data, an IT asset inventory, supplier data, location data and the organizational hierarchy through an Excel spreadsheet, or through Web service/API integration, to an existing source-of-record database (for example, a human resources application, change and configuration management database [CCMDB], vendor management application, LDAP and so on). Importing is done when configuring the BCMP tool for the first time, and to keep certain datasets up to date (for example, employee information, IT services, locations and organizational hierarchies).
  • Access control capability varies by vendor. Often, it is a mix of permissions assigned to a user directly, or to a role, group or profile to which the user is assigned. Permissions include access to tool functions (for example, update the BIA or create a new supplier) as well as traditional permissions, such as RWD of specific instances of tool components (for example, a risk assessment, a BIA, a recovery plan and a report). Access to components is sometimes assigned/restricted directly in the component; other times, it is assigned/restricted by the group or profile to which the user is assigned — and often, with this option, there aren't specific component restrictions (that is, a user has access to all recovery plans within the group). Also, not every BCMP tool allows customers to create their own roles. Some vendors can automatically assign BCMP tool users to a predefined role/profile based on user profile data that is imported from an enterprise directory, where groups are already defined and then mapped to groups in the BCMP tool's access control model. Gartner advises BCMP buyers to review the access control capability in detail to ensure that it is robust enough for their organizations' needs, but easy enough to implement and maintain.
  • Risk mitigation controls can be included in the risk rating calculation, but this is not always the default approach by every vendor.
  • Branding of the tool is available on almost every BCMP tool, except where noted: logo, terminology and help text.
  • Data import into the BCMP tool is often done for employees, IT assets and others. All vendors can support an Excel or CSV file import, and most support an API or Web service. A few support secure FTP.
  • All vendors can support the publication of a recovery plan to a PDF file.
  • Few BCMP tools support calendar integration for events such as an upcoming tabletop test, recovery plan review and approval, risk assessment or BIA review and update actions, and so on.

BCMP Tool Data Center Operations

  • The median contractually guaranteed SLA level is 99.95%.
  • The BCMP software market supports the recovery of business and IT operations. However, only four vendors (Avalution Consulting, Global AlertLink, MetricStream and Phoenix) have obtained certification under ISO 22301:2012. This seems incongruous to Gartner. Customers should demand that their BCM suppliers be certified under a recognized BCM standard; in addition, customers should obtain assurance through a third-party audit report of their vendors' SLA and RTO claims.