Forrester Research and the Disaster Recovery Journal have partnered to annually field market studies on business continuity (BC) and disaster recovery (DR) trends to gather data for company comparison and benchmarking, guide research, and for the publication of best practices and recommendations. This study, which focuses on BC maturity and preparedness, was first fielded in 2008 and again in 2011, 2014, 2018, and 2021. That first study provided a baseline for BC preparedness we can now compare to all the subsequent studies to see how BC maturity and preparedness are trending across time. These trends are more important than ever as 2022 was a year to settle into the “new normal” of heightened risk events post-COVID-19. Specifically, we designed this study to determine the following:

  • To what extent have companies formalized ongoing BC management programs with executive-level sponsorship? To which executive does the head of BCM report?
  • How frequently, if at all, do companies conduct a business impact analysis (BIA) and risk assessment?
  • To what extent are business owners involved in the BC management lifecycle?
  • How well do companies document, keep up-to-date, and test their BC plans? What types of tests do companies run, and how frequently do they run these tests? What tools do companies use to manage plans?
  • What is the scope of BC plans? What threat scenarios do they address? Do they include components for workforce continuity? Do they include components for crisis and emergency communication?
  • How many times have companies invoked their BC plans in the past five years? What was the cause? How successful was the invocation?

Overall BC Executive Sponsorship Remains High, Risk Jumps as A Reporting Structure

Organizations who hoped to return to “normal” post-pandemic were met instead with a “new normal” of continuing supply chain issues, work at home embraced by an average of 23% rather than 5% pre-pandemic, a war in Ukraine, and financial uncertainty which has kept business continuity top of mind. In this survey, we found:

  • Executive sponsorship remained high. In our 2023 survey, executive sponsorship stayed high at 96% after the leap in 2021 to 94% from a consistent 88% in both 2018 and 2014 (see Figure 1). Proving the “new normal” keeps business continuity front and center, of the 96% who report executive support 42% report it’s “significant,” up from 38% in 2021 and 30% in 2018.
  • BCM programs’ biggest mover is a reporting line into risk. BCM programs are slightly more likely to report to IT than the business. According to our study, 32% of BCM programs report into IT such as the CIO or CISO – a decrease from 2021 (26%) but an increase from 2018 (30%) and 2014 (26%) (see Figure 2). Programs that report directly into business line executives (CEO, COO, CFO, HR, board, etc.) are holding steady at 28% from 2021 (29%). But the biggest move was those programs reporting into the chief risk officer (CRO) or head of enterprise risk. In 2021, only about 9% of BCM programs reported into a CRO (a decrease from 14% in 2018) but respondents from this year’s survey reported 23% now report directly into the CRO. As many businesses rely on technology, the CIO and CISO wield power and influence which BC programs can benefit from, but the constant barrage of headlining risk events puts more pressure on risk to own business continuity.
  • The variety of reporting structures continues to fall. The “other” response to the question of which department or office the head of business continuity reports into fell again this year to the sixth most common response from fourth in 2021 and second in 2018 and 2014. When we prompted respondents to specify other, we discovered “legal” was the most common response. Legal lingers as the home for risk programs overall with 4% of all respondents saying risk management reports into general counsel/legal when the organization does not have a chief risk officer.

BCM Program Funding Remains the Same for A Majority of Firms

BC budgets jumped in 2021 unsurprisingly, but now the majority of firms expect their BC funding in the next 12 months to hold steady along with the number of full-time equivalents dedicated to BCM. More specifically, Forrester found:

  • Many respondents expect increased funding, but not quite the majority. According to our study, 47% of respondents expect funding for their BCM program to increase in the next 12 months. This is a decrease over the 52% who expected more funding in 2021, but an increase over 2018 numbers (36%), which were largely unchanged from 2014. Now, 52% expect their funding to stay the same versus 42% in 2021 and 50% from 2018. The good news is the share of respondents who expected their funding to decrease has fallen to 2%, which is below the 2021 level of 5% and the 2018 level of 11% (see Figure 3-1). When asked what prompted the increased funding, respondents unsurprisingly cited – by far – mitigating increasing or evolving risk to the organization (9 out of 22 respondents).
  • Staffing varies by company size, but the median is three full-time staff equivalents. According to our study, the median number of full-time equivalents (FTEs) supporting the BCM program is three, which is the same as 2021 and 2018. The mean is 9 FTEs but the number from very large enterprises drags up the mean. Staffing always varies by size. In Forrester’s experience, companies with fewer than 1,000 employees typically have only one or two FTE(s) supporting BC (4.46 mean, 2 median from this study), while enterprises with 1,000 to 4,999 employees have between two and three FTEs (10.27 mean, 3 median from this study). Enterprises with 5,000 to 20,000 have three to five FTEs (6.07 mean, 2 median from this study), and those with more than 20,000 employees often have distributed BCM programs with five to eight FTEs (21.13 mean, 8.5 median from this study) establishing standards and oversight at corporate headquarters and dozens of local BCM leads in region or by business unit responsible for local planning and execution.
  • Staffing continues to represent the largest portion of the BCM budget. So much of BC maturity and preparedness depends on planning, so it’s no surprise staffing represents 34% of the BCM budget – only slightly larger than the 30% from 2021 (see Figure 3-2). Technology services for IT recovery fell drastically from 2021 numbers (19%) but still come in second at 10%. Other areas for investment, including IT support for workforce recovery, IT support for crisis and emergency communication, software for BCM program and planning, and software for crisis emergency command, remain steady from 2021 numbers.

Our study found the vast majority of companies conduct a BIA and risk assessment in advance of BCP strategy development and plan documentation. More specifically, Forrester’s survey found:

  • An even larger majority of companies conduct a BIA. Eighty-one percent of respondents reported having conducted a BIA; higher than 2021 (71%), 2018 (74%), and 2014 (75%) (see Figure 4-1). As the new normal of heightened risk events settles in, the BIA is seen as even more crucial as a method of identifying critical business functions which support the mission of the business, dependencies, and recovery objectives. Although inspiring, there is a difference between performing a BIA and collecting detailed information. For example, many companies Forrester engages with do not have a detailed mapping from critical business functions to the services, applications, IT components, and critical employees who support those functions. Additionally, cost of downtime is a rough estimate rather than a true quantification of cost.
  • Conducting a risk assessment leapt from an already high percentage. 2018 saw a huge jump in those companies conducting a risk assessment as 72% of respondents reported conducting a risk assessment – a 15-point increase. That remained statistically unchanged in 2021 (71%). However, in this study, 83% of respondents reported performing a risk assessment. Once again, while inspiring, in Forrester’s experience there is still room for improvement. For example, the likelihood assigned to a risk event is sometimes not increased until too late: ransomware (a type of cyberattack) is given high impact but low probability until another company in the same industry has a similar event happen, even though in general ransomware attacks have increased dramatically since 2021.
  • Risk is increasing, and cyberattacks drive the increase. Sixty-five percent of respondents believe the level of BC or operational risk is increasing as compared to 61% in 2021 (see Figure 4-2). When asked what was driving the increase, respondents once again cited cyberattacks as the top driver (13 out of 22 respondents).

A Mix of Scenario- and Impact-based BCPs Are the Norm, BCM Tools Bounce Back

As of the 2014 study, the percentage of organizations with documented BCPs jumped to 93% and held steady since (respondents this year reported at 94%). Resilience during a crisis doesn’t come with luck but starts with planning and a BC program without BCPs is in dire straits. Forrester found the following in this survey:

  • Preference for scenario-based plans leapt again. How a company responds to an IT outage is different than a weather event. Generic plans by impact (e.g., loss of IT services) are helpful because they help to prepare for any unforeseen event, but they can lack the specifics necessary to respond appropriately to some events. Dealing with the unstable normal of today, companies now much prefer a mix of scenario-based and impact-based plans. Sixty-nine percent now report a mix (versus 49% in 2021) while only scenario-based fell from 2021 numbers at 20% to only 6% this year (see Figure 5-1). Scenario-specific BCPs are important because they show an organization understands the detailed differences between how a business must respond, such as the differences between an IT failure versus a ransomware attack.
  • The majority still update BCPs only once per year. Fifty-one percent of respondents report updating their BCPs once per year, down from 54% in 2021. The goal should be to continuously update BCPs as business functions and their underlying services change constantly. Unfortunately, those who report they update their BCPs continuously have fallen to 11% from 13% in both 2021 and 2018 and 15% in 2014 (see Figure 5-2).
  • Organizations are turning back to commercial software to manage BCPs. In 2021, the backslide away from commercial software to manage BCPs was concerning and prompted Forrester to predict that, because staffing was flat, executive support increased, and COVID-19 raised the visibility of BC to business operations and strategy levels, BCM tools would be recognized as essential for mid- to large-sized firms. Happily, in this year’s study only 38% of respondents reported using internal tools (i.e., documents, spreadsheets, etc.) versus a whopping 64% in 2021 and even 51% in 2018 (see Figure 5-3). An additional 20% of respondents plan to use commercial BCM software in the next 12 months, on top of the 42% who already use it.

BCPs Are Still Not Tested Frequently, Partner Involvement Remains Static

Even though we say it every year we do this study, it’s worth repeating: if you aren’t testing your BCPs, you are not prepared. Only through testing do any of the people expected to respond to an incident practice their actions and interactions. Despite years of urging from industry experts and consultants (including us), testing remains a major area for improvement across organizations of all sizes and industries. More specifically, Forrester found the following:

  • Most organizations only test their BCPs once per year with simple tests. Unfortunately, the situation is largely unchanged from 2008. For all test types (walk-through, tabletop exercises, plan simulations), the majority of organizations only test once per year. As tests become more extensive, test frequency declines to the point where 56% (up from 47% in 2021) of respondents never perform a full simulation (see Figure 6-1). Simulations not only test the incident actions, roles, responsibilities, and interactions between teams but also allow for timing of the various plan steps. Timing gives a sense of whether recovery targets are realistic and where to pinpoint improvements to the plan.
  • Managing third-party risk remains a critical issue. In Forrester’s 2022 Business Risk Survey, after financial instability at 35%, 34% of respondents said the increased reliance on third parties is a primary driver of risk. Fifty percent of respondents report they have a formal program for assessing the BC readiness of critical third parties (up from 48% in 2021 but down from 56% in 2018) (see Figure 6-2). Due to the increased risk from third parties, we reformulated the responses in our survey about what steps are taken to assess and validate the BCP readiness of critical third parties. On the positive side, the highest number of respondents (19 out of 24) said they negotiate SLAs for specific uptime/availability as well as recovery time, recovery point capabilities, and associated penalties for SLA violations. Unfortunately, only 12 out of 24 respondents reported they use the detailed audit/assessment of a third party’s program and readiness as a decision-making tool to determine whether to begin/continue the partnership.

The Business Needs to Take a More Active Role in the BCM Lifecycle After The BIA

For a BCM program to truly be successful, not only do you need executive-level support, but you need line of business owners and employees involved in the entire BCM lifecycle as they are the ones who understand the inner workings and priorities of the business. Unfortunately, again this year, we found participation from these business owners is too limited. Business owners are more likely to be involved in the BIA: 54% of respondents report business owners are very involved – a significant increase from 2021 (38%) (see Figure 7). However, other areas such as awareness and training, risk assessment, and plan development need much more business involvement.

Strategies For Workforce Continuity and Communication Rely on Remote Workers

Fundamentally, workforce continuity strategies changed during and after COVID-19. Employees dispersed from main sites and many embraced “work anywhere” opportunities when an organization offered it. On the surface, not much has changed as remote access continues its popularity as a workforce contingency plan, but how plans are invoked and which employees should be notified now needs to include geographic regions, not just sites. In this survey, Forrester found the following:

  • Remote access remains the dominant strategy for workforce continuity. Remote access was the most common strategy even in 2008 (86%), hit a peak in 2018 (88%), and now sits at 82% (see Figure 8-1). The use of another internal site as an alternate site decreased notably in popularity from 2018 (75%) to 62% this year. Remote access procedures became popular to support employees who wanted to work from home or who travel frequently but became a necessity during the pandemic. They are effective when power and internet services are still available or when employees can travel outside of an affected area. However, when wide swaths of a geographic region (rather than sites) suffer a loss of power or loss of internet services, BC pros will need to monitor how this affects the ability to deliver a service and possibly invoke a plan depending on the concentration of workforce in that region and the services they support.
  • Email surpasses both text messaging and phones for communication. Now, companies can assume their employees not only have mobile phone access but also computer access. As a result, email is the most popular communication mode (87%), text messaging falls to second place (82%), and phone is third (78%) (see Figure 8-2). We also found using automated software is much more the norm, with 64% reporting they have already adopted this software (versus 45% in 2021) and another 7% planning to adopt in the next 12 months.

Invocations Are More Frequent; Communication Is Key to Successful Invocations

In previous reports, we highlighted that plans are invoked more frequently than organizations would expect, as in each of the years we have fielded this study, more than half of respondents had invoked a BCP during the previous five years: 2008 (50%), 2011 (61%), 2014 (53%), 2018 (75%), and 2021 (69%). But to see proof organizations are feeling the barrage of risk events, look no further than the 81% of respondents who said they have invoked a BCP during the previous five years – the highest reported number we have ever seen (see Figure 9-1). Consider that:

  • After pandemics, natural disasters/extreme weather and IT failure top the list again. Seventy-six percent of organizations invoked a plan due to a pandemic/epidemic, which we can easily attribute to COVID-19. However, after pandemics/epidemics, the next are the same common causes as before: extreme weather and natural disasters, followed closely by IT failures and power outages, as in 2008, 2011, 2014, and 2021 (see Figure 9-2). In our last report, we noted the importance of organizations not making the mistake of focusing solely on catastrophic disasters because in reality, extreme but not catastrophic weather, such as winter storms, can be the culprit behind the frequency of power outages. Shortly after the completion of the 2021 report, the February 2021 Texas Electric Grid Blackouts caused a loss of power for more than 4.5 million homes and served as a great reminder of this.
  • Communication and collaboration beat long-term duration as top lesson learned. Many organizations were caught off guard when the COVID-19 pandemic required a BC plan which not only accounted for a long duration but also needed to change over time based on local infection rates and hospital capacity. This year, the first top lesson learned was that plans did not adequately address organization-wide communication and collaboration (see Figure 9-3). With regional risk events such as political instability and extreme weather, employees expect their employers to tailor their communication to the specific event while also allowing for self-reporting as to their status. The other top five lessons learned focus on the need for plans to account for long-term duration of events and employee health and safety, to not be out of date or untested (Update your plans! Test your plans!), and to adequately address workforce recovery requirements.

Study Methodology

In the months of October, November, and December 2022, Forrester Research and the Disaster Recovery Journal (DRJ) conducted an online survey of 58 business continuity decision-makers and influencers. In this survey:

  • All respondents indicated they were decision-makers or influencers concerning business continuity.
  • Respondents were from a range of company sizes: 27% had 1 to 999 employees; 27% had 1,000 to 4,999 employees; 29% had 5,000 to 19,999 employees; and 17% had 20,000 or more employees.
  • Respondents were from companies with a range of revenues: 33% of respondents were from companies with revenues of less than $500 million; 4% were from companies with revenues of $500 million to $999 million; 34% were from companies with revenues of $1 billion to $4.99 billion; 6% were from companies with revenues of $5 billion to $10 billion; and 19% were from companies with revenues of more than $10 billion.
  • Respondents were from a variety of industries.
  • Respondents worked in North America, Europe, and Asia Pacific: 77% of respondents worked in North America; 8% worked in EMEA; and 14% worked in Asia Pacific.

This survey used a self-selected group of respondents (predominantly DRJ members and Forrester clients) and is therefore not random. These respondents are more sophisticated than the average. They read and participate in business continuity and disaster recovery publications, online discussions, etc. They have above-average knowledge of best practices and technology in BC/DR. While nonrandom, the survey is still a valuable tool in understanding where advanced users are today and where the industry is headed.

ABOUT THE AUTHOR

Amy DeMartine

Amy DeMartine is a vice president, research director for security and risk at Forrester Research. As part of her current responsibilities, DeMartine oversees the development of individual research plans, report outlines, research methodology, drafts and graphics; edits each research report for quality and excellence; and oversees development and delivery of team and individual advisory and consulting offerings.
