Forrester Research and Disaster Recovery Journal have partnered to field a number of market studies on business continuity (BC) and disaster recovery (DR) trends in order to gather data for company comparison and benchmarking, to guide research, and for the publication of best practices and recommendations. This study, which focuses on BC maturity and preparedness, was first fielded in 2008 and then again in 2011, 2014, and 2018. That first study provided us with a baseline for BC preparedness we can now compare to all the subsequent studies to see how BC maturity and preparedness are trending across time. These trends are more important than ever as 2020 was the year to be resilient and 2021 looks to follow in the same vein. Specifically, we designed this study to determine:
- To what extent have companies formalized ongoing BC management programs with executive level sponsorship? To which executive does the head of BCM report?
- How frequently, if at all, do companies conduct a business impact analysis (BIA) and risk assessment (RA)?
- To what extent are business owners involved in the BC management lifecycle?
- How well do companies document, keep up-to-date, and test their BC plans? What types of tests do companies run, and how frequently do they run these tests? What tools do companies use to manage plans?
- What is the scope of BC plans? What threat scenarios do they address? Do they include components for workforce continuity? Do they include components for crisis and emergency communication?
- How many times have companies invoked their BC plans in the past five years? What was the cause? How successful was the invocation?
Overall BC Executive Sponsorship Jumps but Reporting Structure Remains Steady
No matter how organizations felt about their BC maturity going into the COVID-19 pandemic, BC plans fell short for most. In a recent survey, only 23% of purchase influencers felt very confident that their organization’s business continuity plan will meet their needs during COVID-19.* In this survey, we also found that:
- Executive sponsorship jumped but there is still room for improvement. In our 2021 survey, executive sponsorship unsurprisingly jumped to 94% after being relatively unchanged in our previous surveys in 2018 (88%), 2014 (88%), and 2011 (87%). Of the 94% that do report executive support, only 38% report it’s “significant”; this has increased from 30% in 2018.
- BCM programs are slightly more likely to report into IT than the business. According to our study, 36% of BCM programs report into IT, such as the CIO or CISO – an increase from 2018 (30%), 2014 (26%), and 2011 (35%). About 9% of BCM programs report into an enterprise risk department or CRO (a decrease from 14% in 2018) while approximately 29% report directly into business line executives (CEO, COO, CFO, HR, board, etc.) – this is an increase from 2018 when it was 25% but a decrease from 2014 when it was 32% (see Figure 2). Many clients tell us that as businesses become more digital and technology dependent, the CIO and CISO wield more power and influence and more BC programs are once again reporting into IT.
- There is a decrease in the variety of reporting structures but still a difference. In both the 2018 and 2014 studies, “other” was the second most common response, but this year it is the 4th most common response. When we prompted respondents to specify other, we discovered chief security officer and legal were the most common responses. Chief security officer is often a role that has both physical and information security responsibilities combined and bears watching as a good future reporting structure for BCM.
BCM Program Funding Will Increase for A Majority of Firms
There is good news when it comes to BC budgets: the majority of firms expect an increase in funding in the next 12 months while the number of full-time equivalents dedicated to BCM has held steady. More specifically, Forrester found that:
- More than one third of respondents expect increased funding. According to our study, 52% of respondents expect funding for their BCM program to increase in the next 12 months. This is an increase over the 36% who expected more funding in 2018, which was largely unchanged from 2014. Now, 43% expect their funding to stay the same versus 50% from 2018. The share of respondents who expect their funding to decrease has returned to the 2014 level of 5% versus 11% in 2018 (see Figure 3-1). When asked what prompted the increased funding, respondents most often cited mitigating increasing or evolving risk to the organization (not surprising considering COVID-19), the result of a prior crisis, event, or incident, and achieving regulatory compliance or complying with audit findings.
- Staffing varies by company size, but the median is three full-time staff equivalents. According to our study, the median number of full-time equivalents (FTEs) supporting the BCM program is three, which is the same as 2018, a decrease from 2014 (4.4) but an increase from 2011 (2). The mean is 22.2 FTE, but the number of very large enterprises in this study drags up the mean. Staffing always varies by size. In Forrester’s experience, companies with fewer than 1,000 employees typically have just one or two FTE(s) supporting BC, while enterprises with 1,000 to 5,000 employees have between two and three FTEs. Enterprises with 5,000 to 19,000 have three to five FTEs, and those with 20,000 or more employees often have distributed BCM programs with five to eight FTEs establishing standards and oversight at corporate headquarters and dozens of local BCM leads in region or by business unit responsible for local planning and execution.
- Staffing represents the largest portion of the BCM budget. So much of BC maturity and preparedness depends on planning, so it’s no surprise that staffing represents 30% of the BCM budget. Technology services for IT recovery come in second at 19%. Generally, the cost of IT recovery is part of the overall cost for IT infrastructure and operations, but when firms do require third-party IT DR services and the BC team reports into IT, it’s not unusual to have it as a line item in the BC budget. Budget for workforce recovery is often a gray area between IT and BC teams. IT supports work from home and remote access as part of their efforts to support employee productivity and flexibility, but BC teams may be responsible for strategies related to alternate sites, mobile recovery units, or flexible real estate options.
BIAs and Risk Assessments Are Ingrained Best Practices
Our study found the vast majority of companies conduct a BIA and risk assessment in advance of BCP strategy development and plan documentation. More specifically, Forrester’s survey found that:
- A large majority of companies conduct a BIA. Seventy-one percent of respondents reported having conducted a BIA; statistically unchanged from 2018 (74%) and 2014 (75%) but this is a notable increase from 2011 when it was 69% and from 2008 when it was 68% (see Figure 4-1). The BIA is critical because it helps organizations identify their critical business functions, dependencies, and recovery objectives. It’s heartening to see such a percentage of companies perform a BIA. However, in Forrester’s experience, there is still room for improvement. Not all companies truly perform a detailed dependency mapping, and few companies get to a point where they quantify the cost of downtime.
- More and more companies are now conducting a risk assessment. There has been a significant change in the percentage of organizations that conduct risk assessments. In 2014, 57% of respondents reported conducting one, essentially unchanged from 2008 (59%) and 2011 (60%). However, in 2018, 72% of respondents reported conducting a risk assessment – a 15% increase – and this has statistically remained unchanged this year (71%). Conducting risk assessments is crucial to BC planning because it helps organizations understand the most probable, high impact risks to the organization and either mitigate them through treatment efforts or prepare appropriate response plans. Generic plans by impact (e.g., loss of IT services) are beneficial because they help to prepare for any unforeseen event, but they can lack the specifics necessary to respond appropriately to some events. How you respond in the face of a pandemic is very different from how you respond to a power outage.
- Companies are concerned about cyberattacks, pandemics, and third parties. Sixty-one percent of respondents believe the level of BC or operational risk is increasing (see Figure 4-2). When asked what was driving the increase, respondents once again cited cyberattacks as the top driver (see Figure 4-3). Tied for third, respondents cited increased frequency and risk of epidemics and pandemics – expected with firms worldwide dealing with the effects of COVID-19 – as well as increased reliance on third parties, which almost foreshadowed the SolarWinds SUNBURST incident potentially affecting thousands of their customers.
Organizations Prefer a Mix of Scenario- And Impact-based BCPs
As of a 2014 study, the percentage of organizations with documented BCPs jumped to 93% and held steady. If you don’t have documented BCPs, your BCM program is clearly in a dire condition. Most firms weren’t ready for COVID-19, thinking the risk of a pandemic too remote to consider in their planning. But by failing to prepare, these firms were not preparing to succeed. Forrester found in this survey that:
- In the face of COVID-19, the share of firms that prefer scenario-based plans leapt. Forty-nine percent have a mix of plan types, which is relatively unchanged from 2018 (52%). However, 20% of respondents now prefer only scenario-based plans, up from 8% in 2018 (see Figure 5-1). Scenario-specific BCPs are important because they show an organization understands that one can’t respond to every event with a boilerplate BCP – some scenarios require customized responses (i.e., pandemic vs. IT outage vs. extreme weather). The most common scenarios include IT failure, natural disasters/extreme weather, cyber-attacks, and power outages.
- BCPs are updated once per year. One area which needs improvement is the maintenance of BCPs. In 2014 and 2018, it remained flat at 15% and 13%, respectively, and this has not improved, as this year the number stayed the same at 13% (see Figure 5-2). Most organizations continue to update their BCP once (54%) as part of an exercise. Forrester recommends that organizations strive for continuously updating plans.
- Organizations are turning away from commercial software to manage BCPs. This year marked a backslide, with 64% of respondents using internal tools (i.e., documents, spreadsheets, etc.) versus 51% in 2018. In the past, BC teams have struggled to build the business case for commercial BCM tools given that they’re primarily used only by the BC team and prices can range from tens of thousands to hundreds of thousands of dollars. Because staffing remains flat, executive support is increasing, and COVID-19 is raising the visibility of BC to business operations and strategy, BCM tools should be recognized in coming years as essential for mid- to large-sized firms.
BCPs Are Not Tested Frequently, Partner Involvement Remains Static
We’ve said this every year, but it bears repeating: if you’re not testing your BCPs, you simply aren’t prepared—not to mention you’ve wasted significant efforts on BIAs, risk assessments, and plans that you will most likely be unable to execute. Despite years of urging from industry experts and consultants, testing remains a major area for improvement across organizations of all sizes and industries. More specifically, Forrester found that:
- Most organizations only test their BCPs once per year with simple tests. Unfortunately, the situation is largely unchanged from 2008. For all test types (walk-through, tabletop exercises, plan simulations), most organizations only test once per year and as tests become more extensive, test frequency declines to the point where 47% of respondents never perform a full simulation (see Figure 6-1).
- Managing third-party risk remains a critical issue. Approximately 48% of respondents report that they lack a formal program for assessing the BC readiness of critical third parties, which is down from 2018 (56%) (see Figure 6-2). With increasing reliance on third parties to conduct business, particularly with the rapid adoption of cloud services, this percentage needs to be much higher especially considering the concern over third-party risk. Moreover, even among those that do have formal programs, most are relying on audits and the negotiation of specific SLAs to mitigate third-party risk. The good news is that 28% of firms are periodically participating in their tests and 30% ask their third party to participate in their firm’s tests (see Figure 6-3).
The Business Still Does Not Take an Active Role in The BCM Lifecycle
For a BCM program to truly be successful not only do you need executive-level support, but you need the line of business owners and employees involved in the entire BCM lifecycle. Unfortunately, their involvement remains limited. Business owners are more likely to be involved in the BIA: 38% of respondents report business owners are very involved – a significant decrease from 2018 (44%) but a significant increase from 2014 (28%) (see Figure 7). However, other areas such as plan development and maintenance, awareness and training, and especially risk assessments need much more business involvement.
Companies Use a Mix of Strategies for Workforce Communication
Organizations often go to extraordinary lengths to develop BC and DR plans which address power outages or the failover of IT systems to alternate sites but often neglect or underestimate the human aspects such as workforce crisis or emergency communication. In this survey, Forrester found that mobile phones have changed communication for a vast number of firms (see Figure 8). With mobile phones, organizations can try to reach employees by calling, emailing, texting, or even sending a mobile alert through a dedicated app. Email came in a close second with 88% of respondents using it for crisis or emergency communications. We also found that using automated software is the norm, with 45% reporting they have already adopted this software and another 16% planning to adopt in the next 12 months.
Invocations Are Frequent; Training Is Key to Successful Invocations
Invocations of BCPs are more frequent than organizations would suspect. In each of the years that we have fielded this study, more than half of respondents had invoked a BCP during the previous five years: 2008 (50%), 2011 (61%), 2014 (53%), 2018 (75%), and 2021 (69%) (see Figure 9-1). In this survey, Forrester found:
- After pandemics, natural disasters/extreme weather and IT failure top the list. Seventy-nine percent of organizations invoked a plan due to a pandemic/epidemic, which is easily attributed to COVID-19. However, after pandemics/epidemics, the next most common causes are the same: extreme weather and natural disasters, followed closely by IT failures and power outages, as in 2008, 2011, 2014, and 2021 (see Figure 9-2). During the last few years, catastrophic natural disasters have made the news once again. However, it’s important that organizations don’t make the mistake of focusing solely on catastrophic disasters. In reality, extreme but not catastrophic weather, such as winter storms, can debilitate a business if building facilities and data centers are unaffected but no one can get to work. Extreme weather may also be the culprit behind the frequency of power outages. With remote work being common for knowledge workers in 2020 and the beginning of 2021, storms like Zeta, which knocked out power to 2 million people, mean loss of IT connection to work.
- Not accounting for long-term duration and lack of training are top lessons learned. The COVID-19 pandemic changed up the top list of lessons learned due to invocations from previous years (see Figure 9-3). This year, the first top lesson learned was that plans did not account for the long-term duration of the crisis/event/incident. Natural disasters, extreme weather, and IT failure are typically short-term events and organizations that focus on preparing for them were not ready for the months to years-long event that the pandemic created. The other top five lessons learned focus on the need for better training and awareness, increased organization-wide communication and collaboration, better tested/up-to-date plans, and reduced dependence on manual processes for plan execution.
In the months of October, November, and December 2020, Forrester Research and Disaster Recovery Journal (DRJ) conducted an online survey of 97 business continuity decision-makers and influencers. In this survey:
- All respondents indicated they were decision-makers or influencers concerning planning and purchasing technology and services related to business continuity.
- Respondents were from a range of company sizes: 12.37% had 1 to 999 employees; 32.99% had 1,000 to 4,999 employees; 11.34% had 5,000 to 19,999 employees; and 30.93% had 20,000 or more employees.
- Respondents were from companies with a range of revenues: 31.18% of respondents were from companies with revenues of less than $500 million; 11.83% were from companies with revenues of $500 million to $999 million; 22.58% were from companies with revenues of $1 billion to $4.99 billion; 6.45% were from companies with revenues of $5 billion to $10 billion; and 20.43% were from companies with revenues of more than $10 billion. Finally, 7.53% of respondents were from non-profits (e.g., government agencies, academic institutions, etc.).
- Respondents were from a variety of industries.
- Respondents had substantial operations across North America, Europe, Middle East, Africa (EMEA), South America, and Asia Pacific: 73% of respondents had operations in North America; 48% had operations in EMEA; 37% had operations in Asia Pacific; and 23% had operations in South America.
This survey used a self-selected group of respondents (predominantly DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR. While nonrandom, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.
* Forrester surveyed 720 global purchase influencers (past 12 months/next 12 months) whose organizations have invoked their BCP in response to COVID-19: 23% were very confident, 44% were confident, 28% were neutral, and 4% weren’t confident about their business continuity plan. Source: Forrester Analytics Business Technographics® Priorities and Journey COVID-19 Recontact Survey, 2020.