Metrics and reporting, business continuity and enterprise risk management, succession planning, alternate sites, defining DR? We’ll tell you what certified professionals had to say about these topics and what we make of their answers.
You may be wondering what these surveys are and where these statistics came from. So, let’s start with a little context and explanation. In each edition of DRI International’s weekly e-newsletter called Drive (which you should be getting every Friday…if you’re not, let us know and we’ll hook you up!), we run a one-question survey. That’s right. We ask one question, you take one minute (or less!) to give us your answer. The following week, we report the results on our DRI International LinkedIn (join that group, if you haven’t already) and host an online discussion on
But wait, there’s more! Next, we ask a few DRI officials and certified professionals to do a little analysis, letting us know what they think all these facts and figures mean. And that’s what you’re reading right now. Below you’ll find commentary from the following:
• DRI International President Al Berman
• DRI International Professional Development Committee Member Michael Janko
• DRI International Professional Development Committee Chair Randy Jouben
• DRI International Strategic Advisor Dan Newton
• DRI International Chair of the Commission Ray Seid
Before we get to what the surveys said, we’d like to encourage you to let your voice be heard. Be sure to take the weekly surveys, share your thoughts, and send us your ideas for survey questions (email
firstname.lastname@example.org). And now to the numbers…
Enterprise Risk Management and Business Continuity
This survey explored the relationship between enterprise risk management (ERM) and business continuity. Thirty-seven percent of respondents reported that business continuity is a subset of risk management in their organizations, while only four percent identified enterprise risk management as a subset of BCP.
Forty-four percent reported that business continuity and risk management exist as separate entities that work well together. And 11 percent said that business continuity and risk management exist as separate entities but do not work well together.
Berman: This is indicative of the general integrated reporting and management of risk. As we start to approach an amalgamated risk reporting model, we should see an indication in the increase in effective communication of risk.
Janko: There is no “right” or “wrong” answer when discussing ERM, BC and how they interrelate. The concept of having a risk register with all facility, operational, and financial risks is excellent, and that can be achieved whether one is a subset of another or not. What is needed is management support and funding to make it work.
Jouben: Over 80 percent of all respondents have linked BCM and ERM, and although over half of all BCM departments do not report directly to the risk function, they are closely aligned to cooperate with each other. Organizations are still trying to get a handle on what exactly ERM is, and as they develop along the risk maturity model, the link between these two roles will be more evident. Since there clearly is organizational overlap within the two areas, it only makes sense to have BCM and ERM team up to produce the best analysis of risks and their impacts to an organization.
Newton: The scoring and comments provide a telling story that risk management and business continuity efforts within a company are becoming increasingly dependent upon each other as they should. This drives the overall program to a higher level of maturity and ensures that appropriate level of response and mitigations are in place—regardless of your focus, disaster recovery, or risk.
Seid: The results had a large percent of respondents leaning towards living with the two areas as separate groups but understanding inherently and culturally they need to overlap. As continuity professionals, if we aren’t linked to the risk management group within our company the way we need to be, we tend to forget that. It is in the best interests of service continuity, business continuity management, enterprise resiliency, (or any name someone with enough clout within the organization decides to call the group) to reach out and understand the charter, scope, or creed that the risk management team is delivering to or plans to deliver to. Leverage it and incorporate it into the business continuity dashboard.
Metrics and Reporting a
Survey respondents were asked to rank their success in using metrics to report the true nature and potential consequence of risk to top management. See Figure 1, this page, for results.
Janko: Not surprisingly, most respondents have not figured out how to quantify and report on BC metrics. What is helpful is to tie it back to the DRI International Professional Practices, NFPA 1600, and benchmark internally. Once you get that underway and everyone speaks a common language you will be able to implement process improvement.
Jouben: Although management matrix are critical to help assess how an organization is doing, most organizations feel they are less than successful in their measurement and reporting to upper management. One of the major difficulties appears to be not only how to measure the data in a quantitative and qualitative manner but also how to present the data so it gets noticed and provides focus on vulnerabilities. Although the majority of organizations are not happy with their matrix models, they are continuing to tweak and evolve their programs to achieve better reporting.
Newton: The ability to articulate the effectiveness of a program in a meaningful way to the right audience seems like a moving target for many of us as the comments and percentages suggest, with 52 percent of respondents rating their metrics at five or below. It conveys a concern that it’s just not a matter of hitting a particular color or number and calling it a day. But it’s being able to track the right data at the right level to determine true capability and uncover the larger issues so that they’re addressed in a timely manner so that our companies, our customers are protected.
Seid: The proof is in the pudding? Only after you define the type of pudding, the ingredients, and if we are considering the gluten-free version. On a scale of 1 through 10 the largest number of respondents rated highest at 7. At least we all agree that we need metrics, and when sitting in a room with people who make double our salary, having metrics to support our cause, we are empowered (as though we could someday be them if they would just agree with our depressing stats). Metrics fall in the same category as naming your disaster recovery group, there really isn’t an industry best practice, though we still leverage them more often than not. Though I apologize (up front) to those organizations that live by the metrics creed, keep pushing, you may someday be presented with metrics, which can only mean you are making too much money.
Alternate Site Resource
This question asked “How did you determine the amount of alternate site resource required by your organization?” Some 28 percent of respondents said their alternate site requirements are “determined by technology.” Sixty-four percent replied that they “use BIA results.” “Determined by operations” was selected by 14 percent, and 25 percent said “other” factors also were considered. Respondents were allowed to choose more than one option.
Berman: The results are indicative of a move toward a holistic approach to continuity; i.e., maintaining the viability of the business operations, not just the technology. Regulations are more and more specifying the need for business continuity to be more than IT recovery.
Janko: The response shows there is greater reliance in general on BIA results. Teams seem to understand there is need to identify, understand the importance of and support strategies that relate to critical processes. There is good opportunity to build upon that and educate the team on importance of other critical BC process components.
Jouben: Business impact analysis is still the most significant factor in determining alternate site selection, but IT still controls the selection and configuration of data center requirements.
Seid: The results truly shocked me, in a positive way. Are we saying that we are following the industry on conducting an actual business impact analysis? I was so happy to read that I had to spell out business impact analysis (there I did it again)! Now, if we apply the BIA results to the alternate site contracts in place, we can have faith that they will be able to determine recovery priority order. That’s great news!
Succession Planning a Success?
This survey focused on succession planning, asking “How involved is your business continuity team with succession planning?” Thirteen percent said “We work closely with human resources on succession planning.” Another 13 percent chose “Other.” Forty-one percent reported that they “know human resources addresses succession planning, but we are not part of the planning.” And 33 percent “don’t know if our organization has formal succession plans.”
Berman: Succession planning is not something that can be defined without ensuring compliance with corporate policy and procedures. From a practical point of view, it is more important to have a delegation of authority in place to allow for a transition in management personnel responsibility.
Janko: Responses indicate that HR is not a critical partner in driving BC success. Many teams may think “the BC process relates to others, not my team.” This indicates an important challenge to overcome, since HR has ties to everything in your organization and if they have bought in, they can help to get others engaged.
Jouben: Although succession planning is an integral part of organization resilience, over 74 percent of responding organizations indicate that the BCM team is left out of the discussions and it is still approached in a silo fashion as it is seen solely as an HR function. Even in those cases where succession planning is known, it appears as if the planning is only done for upper management and does not appear to cover redundancies in operational roles or preservation of institutional knowledge.
Seid: Succession planning a success? The answer, absolutely not! This one scared me, I guess we need to go back and define succession planning and how it impacts the environment and culture we live in. Here we are living life as continuity professionals, knowing our livelihood is planning for the big one (the alien bomb that zaps our executives and makes them vaporize), yet we aren’t succession planning. Or are we, like typical managers, responding when we don’t know something related to Human Resources, with “We defer to HR”. I can’t imagine relying on an HR team in the event of a disaster to help without plans specifically being documented and exercised. By nature, the HR lifeline is to refer to a policy and move on. Overall, we need to get better at this.
Defining Disaster Recovery
This time we asked respondents: How does your company define the scope of Disaster Recovery (DR)? Here are the results:
• 3 percent: Only Mission Critical Applications are on DR
• 56 percent: Only Mission and Business Critical Applications are on DR
• 8 percent: Only certain business processes are on DR, as defined by BIA
• 14 percent: Only certain RTOs are on DR, as defined by BIA
• 7 percent: Other
Janko: The reality is that in the private sector you need to show business value and are always competing for budgeting/funding. DR has traditionally been approved for either mission critical or very short RTO applications. It should be viewed as a sign of success that 56 percent now have it approved for mission critical and business critical applications.
Newton: The vast majority are supporting the concept of what disaster recovery is all about. Critical mission and business processes are the primary focus at time of event. Whether the criticality is defined by the BIA or a management decision on what’s important, this demonstrates that a significant amount of thought and discussion are happening to come to these conclusions. It’s an effective use of resources, time, and money.
Seid: The results show that we are only concerned with mission and business critical applications (56 percent). Is one to believe that means we have a large number of companies with 44 percent of their DR or operations that have no plans and may never be recovered? That seems to be too large of a number. I would suggest that in the next round of surveying we ask “Since our last survey results show that 44 percent of your company will not recover, how will your company deal with losing 44 percent of the operation forever?” What are we missing in our professional practices that such a gap has been created? Or is the statistic nothing more than a direct result of how DR is typically implemented—which is based on the applications/business process that actually implemented it, a typical internal segmented approach? Did I just create another survey question?