What Gartner Says About Business Continuity Management (2014 BCM Survey)




2014 BCM Survey Provides Program Posture and Maturity Improvement Actions for BCM Leaders in 2015

30 January 2015 ID:G00262240
Analyst(s): Roberta J. Witty, John P Morency


Program scope and organization are the most mature components of BCM programs. The transition to IT service continuity is growing, but measuring program effectiveness is very low. BCM leaders' planned increases in spending and staffing should spur sizable improvements.

Overview

Key Findings

  • Organizations continue to plan for too short of an outage: Seventy-five percent plan for seven days or less.
  • Eighty-six percent of organizations report that they have had to use a recovery plan within the last 24 months.
  • The majority of organizations have little ability to determine if their BCM program is effective. The amount of program effectiveness measurement is low: Only 35% use exercise results, only 30% use status metrics, and only 27% use scorecards. Almost half rely on a weak approach: audit reports.
  • Full interruption test/exercise with multiple applications and staff movements to recovery locations was the exercise type with the highest percentage (26%) for Tier 0 IT services.

Recommendations

BCM leaders should:
  • Build a three-year BCM program improvement road map based on annual maturity assessments.
  • Assess your BCM program to understand what the longest time frame is that your organization can support if under disaster conditions. Review your business disruption insurance policy(ies) to align your planned outage time frame with what you are covered for by insurance.
  • Establish an investment plan for phased BCM and IT DRM to IT SCM transitions that are defined by specific service improvements, supporting mechanisms, target benefits and implementation timetables.
  • Investigate the use of BCM program monitoring and management tools as they help to standardize program activities, as well as provide real-time analytics and a common operating picture for better decision making during an actual crisis or disaster.


Survey Objective

Gartner conducts periodic end-user surveys of organizations that are responsible for privacy, IT risk management, information security, business continuity or regulatory compliance. This research summarizes the results of the questions on business continuity management (BCM), and it also includes BCM maturity data from the Gartner ITScore for Business Continuity Management online maturity self-assessment tool (see "ITScore for Business Continuity Management").

Data Insights

This Gartner survey was addressed to employees who are responsible for privacy, IT risk management, information security, business continuity or regulatory compliance. In many cases, respondents are responsible for more than one of these areas. The survey was structured such that certain key questions (regarding responsibility and budget) were answered by all, after which the survey branched into five sections assigned, based on the respondent's prime responsibility areas. Every respondent was allowed to answer two of the five sections (for example, "privacy" and "business continuity management"). Fifty-four percent of all respondents are extremely involved in BCM and/or have primary organizational responsibility, 36% are involved in BCM or are a team member, 8% have some familiarity but no organizational responsibility, and only 2% are not involved in BCM at all.

Overall BCM Program Status

BCM Program Maturity

The increase in and impact of more frequent occurrences of disruptive events are graphically depicted in findings from the Swiss Re "Sigma 1/2014 - Natural Catastrophes and Man-Made Disasters 2013" report. From its analysis of catastrophic events from 1970 through 2013, we see that the annual number of both natural and man-made disasters started to spike in 1986, going from fewer than 100 from 1970 through 1985 to an average of 150 from 1986 to 2013, with 2005 being the most active year with more than 250 events.
The need for BCM can also be seen in how often organizations need to use their recovery plans (see Figure 1). Eighty-six percent of organizations report in the Gartner survey that they have had to use a recovery plan (business recovery, crisis/incident management [C/IM], IT disaster recovery management [IT DRM], pandemic recovery or supplier/third-party availability). Within the last 24 months, only 14% of organizations have never needed to invoke a recovery plan. Note: Figure 1 shows results of plan usage, regardless of which event occurred (C/IM, IT DRM, business recovery, supplier/third-party availability or pandemic planning).
Figure 1. Last Event Occurrence That Necessitated the Use of a Recovery Plan
n = 332
Source: Gartner (January 2015)
Both sets of data clearly show that organizations need to become much more proactive in the management of their responses to such events, thereby increasing the maturity of the overall BCM program.
The average maturity level reported for 530 ITScore BCM surveys — completed from September 2010 through June 2014 via the Gartner ITScore for Business Continuity Management program maturity self-assessment tool — is rather low, at 2.45 (see Figure 2). Highlights from completed ITScore for Business Continuity Management surveys to date follow:
  • Overall maturity remains at 2.45; there has been no change since the last update in June 2014.
  • Eighty-three percent of companies are at Levels 1 and 2 for overall maturity.
  • Program organization continues to be the most mature (2.90). Awareness, training and exercising is now the lowest (2.51). Previously, the lowest scoring dimension was architecture guidelines and framework.
Figure 2. ITScore for BCM: Discipline and Overall Program Mean Scores
n = 530
Source: Gartner (January 2015)
Action Item: Assess your BCM program maturity on an annual basis, and build a three-year improvement road map.

BCM Program Component Reporting Responsibilities

Gartner defines a BCM program as having seven key components: C/IM; IT service continuity management (IT SCM) that includes IT DRM; business recovery; supplier contingency; community recovery; devolution/living will planning; and governance and program management. Our survey asked about the reporting responsibility for BCM program components within the organization. In Figures 3 through 7, we removed the "other" category as well as any category that had a reported percentage of 2% or less because those low levels are not all that meaningful in the overall BCM profession.
For C/IM responsibility (Figure 3), there are several small changes since 2013: An additional 7% of organizations have the CIO primarily responsible for C/IM activities, and an additional 2% are reporting to the COO. The shift from the CIO being a technician to a manager of investments is well underway, so perhaps this change, along with IT driving more of the business than ever before, explains the additional increase in the CIO reporting relationship in 2014. However, Gartner continues to recommend that C/IM report to a non-IT executive.
Figure 3. C/IM Reporting Responsibility
Source: Gartner (January 2015)
The 7% increase for IT DRM reporting to the CIO (see Figure 4) makes sense. That's where it should report.
Figure 4. IT DRM Reporting Responsibility
Source: Gartner (January 2015)
The large increase of 18% of business recovery functions reporting to the CISO or equivalent (Figure 5) can be explained in the growing inclusion of BCM, especially the non-IT components, reporting into a risk management role. In fact, as the CISO takes on more risk management responsibilities, the role should be redefined as the operational risk manager/officer. Gartner sees this as a growing trend, especially in the state government sector.
Figure 5. Business Recovery Reporting Responsibility
Source: Gartner (January 2015)
Supplier contingency (see Figure 6) has the most varied set of reporting responsibility of the four BCM components represented in this report. With the CIO having the largest percentage of those reporting to it — even though this position decreased by 8% from 2013 — this finding leads Gartner to believe that supplier contingency is still very IT-oriented (a scope that would need to be expanded for full BCM coverage to improve overall maturity). An increase of 4% for reporting responsibility to the COO is moving in the right direction for ensuring a strong supplier contingency program. Based on Gartner's ITScore maturity model, the highest percentage of participants (22%) do not address supplier contingency directly. For those BCM programs that do, they assign responsibility through the COO (21%) or procurement (20%) to provide controls, accountability and consistency. Our survey data suggests that the supplier contingency disciplines among respondent organizations are less mature than our ITScore for Business Continuity Management participants.
Figure 6. Supplier Contingency Reporting Responsibility
CAO = chief administration officer
CISO = chief information security officer
Source: Gartner (January 2015)


Action Item: Review your overall BCM program and individual component reporting responsibilities, and align them with the organizational department that best supports the function — not just component expertise implementation but also the knowledge — to navigate organizational politics to best meet recovery needs.

Organizations' Planned-for Longest Outage Time Frame

With the number of organizations that have had to invoke a recovery plan, and due to the increase in large-scale disasters that result in long-term outages for both businesses and residences, it is surprising that the majority (75%) expect to be out for less than seven days (see Figure 7). Only 3% of organizations plan for an outage that might last for one month or more.
Figure 7. Organizations' Planned-for Longest Outage Time Frame
n = 359
Source: Gartner (January 2015)
Variations are interesting to point out: Employee count, geographic region or revenue size do not seem to influence the organizations' planned-for outage time frame. However, the industry that the organization operates in does provide insight (see Figure 8): Banking (16%) has the highest percentage of organizations planning for up to a one-month outage. Not all numbers by industry are statistically significant due to the low number of organizations in each sector.
Figure 8. Organizations' Planned-for Longest Outage Time Frame by Industry
Source: Gartner (January 2015)
Action Item: Assess your BCM program's expectations, strategies and recovery plan exercise results to understand what the longest time frame is that your organization can successfully support if under disaster conditions. Review your business disruption insurance policy(ies) to align the time frames — especially important if the policy(ies) have a shorter time frame than what you have planned for.

Use of Software Tools to Monitor and Manage the BCM Program

Organizations that have a higher level of maturity typically use software tools to help them monitor and manage the BCM program. Through Gartner customer advisory calls, we have seen an increase in calls from customers wanting to implement a BCM planning (BCMP) tool to help them automate the risk assessment, business impact analysis (BIA) and recovery plan management process. The same is true for organizations wanting to implement an emergency/mass notification services (EMNS) tool that automates the organization's crisis communications call tree. Starting in the fourth quarter of 2014, we have seen an increase in the number of customer calls regarding the use of C/IM software: the tools used to help organizations manage the procedures when they have an actual disaster. The survey results (see Figure 9) show that, on average, 50% of organizations have bought one of these three tools within the last 12 months. Another tool that is gaining use by organizations is "hazards alerting services": alerting services for natural disasters (32%), weather (24%), geopolitical (23%) and other events that can cause a business disruption. In practice, these three types of events are provided through one tool.
Figure 9. BCM Monitoring and Management Tools Bought Within the Last 12 Months
n = 345
Source: Gartner (January 2015)
Action Item: Investigate the use of BCM program monitoring and management tools because they help to standardize program activities, as well as provide real-time analytics and a common operating picture for better decision making during an actual crisis or disaster.

Measuring the Effectiveness of, and Communicating About, the BCM Program

Two new questions in 2014 asked survey participants how they measure the effectiveness of the BCM program, and how they communicate about the BCM program. Each question allowed participants to select multiple choices, so clearly there is a variety of approaches used for measurement and communication.

Measuring the Effectiveness of the BCM Program

The majority of organizations have little ability to determine if their BCM program is effective (see Figure 10).
  • The most used method to measure the effectiveness of the BCM program is to rely on internal auditors (53%) and external auditors (42%). Relying only on audit reports can result in a false sense of security: Passing an audit may imply that you have the basic BCM program building blocks but not necessarily refer to any sense of the program's effectiveness. Using audit report findings is a fine approach as a double-check of your efforts, but the leaders of these programs should be proactive in measuring program activities and communicating them to management to ensure appropriate funding and staffing are allocated to recovery efforts.
  • Only 35% of survey participants report that they use exercise results as a way to assess the effectiveness of the BCM program. Exercise results and the resulting gap analysis showing expectation versus capability are key tools to use to measure and improve the effectiveness of your BCM program.
  • Status metrics are used by only 30% of survey participants.
  • Scorecards are used by only 27% of survey participants.
On the brighter side, the use of key risk indicators (49%) is a very good sign that BCM program leaders are making the connection between business continuity and business objectives. And, 48% of BCM program leaders are on the right track by using key performance indicators (which some may interpret as being status metrics).
Figure 10. Approaches Used to Measure the Effectiveness of the BCM Program
n = 350
Source: Gartner (January 2015)

Communicating About the BCM Program

The approaches used to communicate about the BCM program — internally and externally — are many (see Figure 11). Internally, reporting to the board of directors/trustees (40%) and an internal BCM program portal (38%) are two excellent approaches. To give the workforce a single point of information for the BCM program, it would be good to see more organizations using an internal portal to promote and communicate about the BCM program. The lower number of organizations (35%) informing the BCM steering committee is surprising — we would have thought it would be the choice with the highest percentage.
Figure 11. Approaches Used to Communicate About the BCM Program
n = 350
Source: Gartner (January 2015)
Action Item: Establish BCM program effectiveness and status reporting processes to inform management and the board of directors/trustees of successes, gaps and problems in program activities and investments. Have a summary report for key partners and customers so that they know you can continue to be a strong business partner.

IT Disaster Recovery Plan Testing/Exercising

We asked, "What is the most frequent type of testing your organization performs for each application tier?" The recovery tier definitions are as follows:
  • Tier 0 — IT infrastructure services, such as DNS and DHCP
  • Tier 1 — Mission-critical IT services
  • Tier 2 — Critical IT services
  • Tier 3 — Important IT services
  • Tier 4 — Deferrable IT services
Not surprisingly, full interruption test/exercise of multiple applications with staff movements to recovery locations was the highest percentage (26%) for Tier 0 (see Figure 12), although percentages for other recovery tiers were not far behind. This result reflects the fact that distributed Web-based applications cannot be successfully activated and then interoperate with other production applications (both internal and external), unless network address and logical name to the address mapping management is fully operational. Increasingly, Gartner is seeing more client organizations formally define and assign very low recovery time objective (RTO) targets for Tier 0 services for this very reason.
One exercise technique that is steadily growing in its usage is application cutover testing. During cutover testing, the operation for a select set of applications is shut down at the primary production data center and restarted at the secondary recovery site. Once the applications are restarted at the secondary site, they support production operations for a period of time that may range from a few days to as much as a month or more. As shown in the Figure 12 results, cutover testing is more frequently performed for higher-tier applications. Its main objective is to ensure that mission-critical applications can successfully operate at the secondary site in the presence of live production inquiry and transaction traffic, a benefit that typically cannot be realized by using isolated, offline test exercises, such as either component testing or review testing.
During the course of the past 18 to 24 months, Gartner has seen an increase in client use of production cutovers (also referred to as data center "role swapping") as a means to facilitate increased production operations assurance while at the same time reducing the time, resource and logistics investment that would otherwise be consumed by the use of traditional recovery exercising.
Figure 12. Most Frequent Type of Test Performed by Application Tier
Source: Gartner (January 2015)
Action Item: Review your IT disaster recovery plan exercising program to ensure you are testing as much of your IT infrastructure as possible to confirm RTO and recovery point objective (RPO) alignment with current capability. Always look to move to the next level of exercising complexity or completeness to test your strategies and implementations, striving to improve program maturity with every exercise.

RTOs, RPOs and Recovery Automation

With respect to IT DRM, a growing number of IT leaders are initiating projects in which the key objective is to reduce, if not eliminate, unplanned application downtime. The technical focus is the implementation of technology and process mechanisms that are equally effective in failing over the operation of a single application, a set of applications or an entire data center in response to the occurrence of a disruptive event.
Not all root causes of unplanned operations' downtime are the result of low-probability and high-impact disruptive events. Based on extensive feedback from Gartner clients, unplanned downtime (where there is a reasonable amount of redundancy built in) occurs, on average:
  • Forty percent: application failures (for example, bugs, performance issues and/or changes to applications that cause problems)
  • Forty percent: operations errors (for example, not performing an operations task or performing a task incorrectly)
  • Twenty percent: hardware (for example, server and network), OSs, environmental factors (for example, heating, cooling and power failures), and disasters
Collectively, these statistics show the operations importance of both establishing and maintaining a program with an overall focus on the reduction, if not minimization, of the duration and operations impact of unplanned downtime, irrespective of that source.

Recovery Time Objectives

An additional indicator of the increased focus on reduced downtime duration is shown in Figure 13. For 2014, 76% of survey participants said that they must be operational after a disaster within 24 hours. Further breaking down the time frame within 24 hours, 35% require recovery in less than four hours, and 41% require recovery within four to 24 hours. Both figures represent an increase compared with both 2013 and 2012. The addition of survey participants from Brazil and India (countries with a large IT services infrastructure) certainly influences the increases in organizations requiring shorter RTOs; however, this increase in short RTOs is consistent with those required by all Gartner customers and businesses in general to support 24/7 business operations.
Figure 13. Organizational RTOs: 2012-2014
Source: Gartner (January 2015)
In 2014, these numbers are consistent across countries, which implies that "business is business," no matter the location in regard to continuity of operations (see Figure 14).
Figure 14. 2014 Organizational RTOs by Country
Source: Gartner (January 2015)
Action Item: Assess your RTOs through a BIA, and compare them with your organization's recovery capability in order to develop an investment and implementation road map.

Recovery Point Objectives

In the 2014 survey, we asked, "Which data protection mechanism(s) does your organization currently use for its IT application recovery tiers?" (see Figure 15). The mix of technologies used by respondents to support data protection varied by recovery tier. However, these results collectively show that respondents were at least four times more likely to use disk-to-disk backup, storage replication, virtual machine (VM) replication or database replication for data protection rather than tape-based backup. These results reflect organizations' needs to reduce RPO targets, at least for mission-critical applications, to an order of hours versus an order of one or more days.
Figure 15. Data Protection Mechanisms Used by Recovery Tier
Source: Gartner (January 2015)
Gartner recommendations for data protection technologies as functions of an RPO target are shown in Table 1.
Table 1. Data Protection Approaches and Their RPO Implications
| Target RPO | Recommended Data Protection Technology | Data Protection Risk That Is Addressed | Data Loss Due to Constant Changes Not Captured | Relative Cost |
| --- | --- | --- | --- | --- |
| Zero | Metro-area synchronous data mirroring | Disk/SSD device, network and controller failure, site failures (not user/admin/logic errors) | None* | $$$$ |
| Zero | Synchronous data replication to regional "active" site | Disk/SSD device, network and controller, site (not user/admin/logic errors) | None* | $$$$$ |
| Near zero to minutes | Data replica with data log (to roll back/forward from snapshots) continuous data protection (CDP) | All except site failure if replica is local | Data loss proportional to log shipping delay | $$$$ |
| Seconds to hours | Asynchronous or periodic replication | Disk/SSD device, network and controller, site; some user/admin/logic errors (depending on periodicity) | Data loss proportional to periodicity and/or replication delay | $$$ |
| Minutes to hours | Local HW or SW data changes snapshot | User/administrator/logic errors, data corruption | Data loss proportional to snapshot frequency | $ |
| Hours to day | "Backup" to disk or tape (locally stored) | All except site failure | Data loss proportional to backup frequency | $$ |
| Hours to day | Backup to cloud storage | All | Data loss proportional to backup frequency | $$ |
| Days (time since most recently sent backup) | Tape copy shipping/vaulting | All | Data loss proportional to remote backups frequency | $$ |
| Hours to days | Periodic deduplicated backup data replication to remote site | All | Data loss proportional to backup frequency | $$ |
HW = hardware
SSD = solid-state drive
SW = software
*Synchronous replication does have one disadvantage. If production data is already corrupted, the synchronization mechanism will immediately replicate the corrupted data to the recovery facility.
Source: Gartner (January 2015)
Action Item: Develop a two- to three-year strategy for standardizing data recovery and protection targets, as well as the technologies and/or services that can most effectively support those targets.

BCM Program Financial and Staffing Investment

Implementing the people, process and technology changes required to support short RTOs (as shown in Figure 13) and RPOs will require additional investment in people and finances. With 35% and more of organizations increasing their budget for both IT disaster recovery and business continuity, we believe that sizable improvements in recovery capability and maturity will be realized in 2016.

Program Financial Investment

Overall Perspective
Financial investment (see Figure 16) in the IT DRM program shows more promise than that of the BCM program, with about half of survey participants reporting an increase (48%) and about half reporting no change (49%) for the IT DRM program. Investment in the BCM program (non-IT-related activities) will be less likely: 34% will see an increase versus 51% that will see no change.
Figure 16. Anticipated Change in Budget: 2014 to 2015
n = varies by program
Source: Gartner (January 2015)
In some cases, the increased IT DRM financial investments are a reactive response to the impact of major disaster events, such as Hurricane Sandy. In other cases, they reflect a more fundamental shift from a response strategy of "recover everything" to one of "fail over when you can, and recover when you must," especially for mission-critical applications. In order to support the "failover when you can" strategy, the most significant IT infrastructure upgrades being implemented by Gartner client organizations include increased deployment of intra- and inter-site virtual and physical server failover, implementation of near real-time data replication, and increasing WAN bandwidth capacity as well as bandwidth management technology such as WAN optimization controllers (WOCs).
Country and Industry Perspective
A breakdown by country and industry provides additional insight (as shown in Figures 17 through 20). We provide this information for your organization's comparison with others in your industry and country. Data by country (where n, the number of responses, is more than 30) is statistically sound, whereas data by industry (where n is less than 20) should be considered as directional findings. The education and media industries are not reported because there were too few survey participants to be meaningful.
Country Perspective
India and the U.S. (see Figure 17) lead all countries participating in the survey with the highest proportion of organizations (65% and 64%, respectively) increasing their year-over-year IT disaster recovery budget. India and the U.S. also emerge as having the smallest incidence of those countries decreasing spending (2% and 0%, respectively).
Figure 17. Change in IT Disaster Recovery Budget From 2014 to 2015: By Country
n = 271
Source: Gartner (January 2015)
India and the U.S. are also two of three leading countries in terms of the percentage of organizations increasing spending in the business continuity program (see Figure 18): India (58%) and the U.S. (40%). India is the only country where more organizations plan to increase the business continuity budget than keep it at the same level as in 2014. Germany is most likely to decrease spending in business continuity (19%).
Figure 18. Change in Business Continuity Budget From 2014 to 2015: By Country
n = 271
Source: Gartner (January 2015)
Industry Perspective
The industry view shows that organizations in five industries are more likely to increase their IT disaster recovery budget (see Figure 19) than to keep the same budget: healthcare providers (71%), communications (63%), transportation (56%), banking (54%) and retail (52%). Organizations in utilities and government have the highest incidence of a budget decrease in IT disaster recovery spending of 9%.
Figure 19. Change in IT Disaster Recovery Budget From 2014 to 2015: By Industry
n = 271
Notes: Education and media excluded, so the total of shown industries does not equal 271.
Some columns do not add to 100% due to rounding.
Source: Gartner (January 2015)
The industry view for business continuity budget directions (see Figure 20) shows that half of transportation organizations plan to increase their business continuity budget, whereas more than one-third of organizations in communications (38%) plan to decrease it. Organizations in banking (42%), retail (39%) and manufacturing (37%) have the next highest likelihood to increase spending. The communications industry is unique in that the percentage of organizations that plan to increase the business continuity budget is the same as the percentage of organizations that anticipate a decrease (38%), perhaps indicating a majority readjustment between overspending and underspending in that sector.
Figure 20. Change in Business Continuity Budget From 2014 to 2015: By Industry
n = 271
Notes: Education and media excluded, so the total of shown industries does not equal 271.
Some columns do not add to 100% due to rounding.
Source: Gartner (January 2015)
Action Item: Establish an investment plan for phased BCM and IT DRM to IT SCM transitions that are defined by specific service improvements, supporting mechanisms, target benefits and implementation timetables.

Program Staffing

Overall Perspective
In regard to adding recovery staff (see Figure 21), more organizations (42%) are planning to increase staff levels for the IT DRM program than for the BCM program (34%).
The IT DRM staffing growth is occurring primarily for two reasons. First, more client organizations, especially those with large numbers of applications (either on the order of hundreds or thousands), are finding it more challenging to successfully test the complete recovery of an entire data center. As a result, it is often the case that more detailed analysis is required to determine the scope and type of exercising that should be done to ensure that, at a minimum, the most mission-critical applications can be successfully recovered. The scope and time needed for this analysis require much more of an IT staff resource commitment than would otherwise be the case for an approach in which recovery exercising is executed primarily by an ad hoc virtual team whose primary objective is the completion of a once or twice a year "check the box" exercise.
Second, the increased focus on support for IT service continuity (the consolidation of IT DRM and IT service availability management into a single cohesive discipline) requires the execution of more formalized projects to identify and implement the technology and management process improvements necessary in order to meaningfully reduce the impact of any form of unplanned downtime on business operations. Projects of this scope inevitably require full-time personnel who are both responsible and accountable for successful execution.
Figure 21. Anticipated Change in Staffing: 2014 to 2015
n = varies by program
Source: Gartner (January 2015)
The larger proportion of companies planning to decrease BCM staff is disconcerting. Diminishing the focus on the non-IT aspects of BCM will put the organization at risk when experiencing a non-IT disaster. We can understand a smaller increase in BCM staffing, especially for those organizations that use IT heavily for the delivery of their product/service and whose staff is highly technical and can perform work from home. But the number of firms in this category is not large, especially in India and Brazil, two countries included in the 2014 survey, in which national infrastructure is not as strong as in the other countries. Therefore, we will conclude that it is the mix of countries in the 2014 survey that is causing this situation.
Country and Industry Perspective
A breakdown by country and industry provides additional insight (as shown in Figures 22 through 25). We provide this information for your organization's comparison with others in your industry and country. Data by country, where the number of responses (n) is more than 30, is statistically sound, whereas data by industry, where n is less than 20, should be considered as directional findings. The education and media industries are not reported because there were too few survey participants to be meaningful.
Country Perspective
As with IT disaster recovery spending, India and the U.S. lead all countries participating in the survey with the greatest percentage of organizations planning to increase IT disaster recovery staffing levels (63% and 49%, respectively); see Figure 22. Only 2% of U.S. organizations (followed by 5% in the U.K. and 6% in India) anticipate staff levels to decrease.
Figure 22. Change in IT Disaster Recovery Staffing From 2014 to 2015: By Country
n = 265
Source: Gartner (January 2015)
India (46%), Brazil (40%) and the U.K. (38%) lead all countries with the largest percentage of companies increasing staffing levels in business continuity (see Figure 23). The U.S. (9%) has the lowest proportion of companies decreasing staffing, while Germany (20%) has the highest.
Figure 23. Change in Business Continuity Staffing From 2014 to 2015: By Country
n = 262
Note: Some columns do not add to 100% due to rounding.
Source: Gartner (January 2015)
Industry Perspective
The industry view shows that organizations in only three industries are more likely to increase their IT disaster recovery staffing levels (see Figure 24) than those that will keep the same budget: communications (64%), transportation (53%) and government (50%). Organizations in healthcare providers (14%) and transportation (13%) are most likely to decrease IT disaster recovery staffing levels.
Figure 24. Change in IT Disaster Recovery Staffing From 2014 to 2015: By Industry
n = 265
Notes: Education and media excluded, so the total of shown industries does not equal 265.
Some columns do not add to 100% due to rounding.
Source: Gartner (January 2015)
The industry view for business continuity staffing (see Figure 25) shows that communications (67%) and transportation (50%) (as with the business continuity budget) have the largest proportion of organizations planning to increase business continuity staffing levels. Organizations in insurance (33%) and services (30%) are most likely to decrease staffing levels.
Figure 25. Change in Business Continuity Staffing from 2014 to 2015: By Industry
n = 262
Notes: Education and media excluded, so the total of shown industries does not equal 262.
Some columns do not add to 100% due to rounding.
Source: Gartner (January 2015)
Action Item: If needed, identify opportunities for the select use of external professional services to help you develop more effective exercising strategies or the realization of a broader approach to business and IT service continuity, especially if internal staffing growth is likely to be the norm for the next few years.

Methodology

Gartner surveyed a total of 908 organizations in six countries between April 2014 and May 2014 to help Gartner understand how risk management planning, operations, budgeting and buying are performed, especially in areas such as risk management, information security, BCM, IT compliance and privacy.
The geographic makeup of the 908 organizations that participated is as follows:
  • U.S. — Number of respondents equals 148.
  • Canada — Number of respondents equals 153.
  • U.K. — Number of respondents equals 152.
  • Germany — Number of respondents equals 152.
  • India — Number of respondents equals 150.
  • Brazil — Number of respondents equals 153.
Country and risk management discipline area quotas were established to enable the comparison and contrasting of key trends. Organizations from all industries qualified.
Qualifying organizations were large organizations with at least $50 million equivalent in total annual revenue for fiscal year 2013. Qualified participants must be extremely involved in one of five risk management disciplines or be a team member in two of five areas.
Interviews were conducted online and in the native language (English, German and Portuguese). The sample universe was drawn from external panels of IT management professionals.
The survey was developed collaboratively by a team of Gartner analysts who follow the IT market, and it was reviewed, tested and administered by Gartner's Research Data Analytics team.