Continuity is the key

Firms do not seem to be taking business continuity planning as seriously as they should, or indeed even as much as they have done in the past. By Ellen Davis

Although business continuity planning (BCP) has received much attention over the past five years, thanks to terrorist attacks, hurricanes, power outages and other events, the latest survey from OR&C Intelligence shows that the evolution of BCP remains fairly stagnant.

The new survey, conducted during October and November and sponsored by risk consulting firm Protiviti, shows that some 68% of respondents feel the failure of senior management or the board to take BCP seriously is a threat to the implementation of their business continuity programme. Nearly half of all respondents (49%) say they lack sufficient funds or resources for BCP preparedness, and 47% say the failure of staff to take BCP seriously as an issue.

Nearly a third of respondents (32%) say they are experiencing challenges in communicating BCP internally within the organisation, while almost a quarter (24%) say they are having difficulty in co-ordinating with utilities, transport services and other external stakeholders.

The survey also shows that BCP continues to be regarded primarily as a technology issue, despite the fact that other factors have been raised as key elements of BCP planning over the past 18 months. Nearly 89% of respondents indicated that they believed data risks - including data centre hardware/software failure, data security, and security/privacy breaches - should be considered in a BCP plan. And 56% said crisis management - which includes a lack of an emergency operations centre, and insufficient emergency communications - should be considered.

However, these two categories are the traditional focus of business continuity planning, which in many firms has grown out of IT and is only recently being explored by the risk management division. As a result, only 29% of respondents included people - having insufficient skilled staff - as a potential risk or threat to the development of their business continuity plan.

Another new area for BCP thinking - geo-political risk, which includes terrorism, foreign investing, and political unrest - was selected by only 38% of respondents. Bird flu, which has had more than its fair share of press coverage during the past 18 months, earned the concern of only 32% of respondents. The effects of global warming, which includes severe weather, was ticked by just 6%, despite the devastation wrought by Hurricane Katrina and other storms.

However, these answers aside, 48% of respondents said the primary reason for business continuity within their organisation was management's recognition of the importance of continuity. Another 22% cited risk management drivers, which is encouraging. And yet, 19% indicated that regulatory compliance was the primary reason, while 6% said public relations and corporate reputation was the primary driver for their BCP plan. Two respondents - who had ticked 'Other' - indicated that BCP plans are being demanded by their clients.

Responses to other questions show a more 'compliance' mentality to BCP than many firms would care to admit. Again, despite the events of the past five years, 31% of firms indicated that they were "Currently developing business continuity plans". Another 36% had progressed further, with "Enterprise-wide business continuity plans are operational and tested". Just 27% said they had an enterprise-wide business continuity management function involved in maintaining the availability of critical functions and resources.

Another cause for disappointment among advocates of business continuity and disaster recovery experts may be found in how often organisations review and update their business continuity plans. Some 46% of firms only update their plans annually. Another 4% said they updated their plans every two years, and 4% admitted that their firms "never" update their plans. For many firms, the plans are updated "as needed" - 20% said this was the case at their organisation. But this response could cut both ways - while it might indicate a more dynamic approach to BCP with plans being updated often as new threats or BCP tools arise, it could also indicate that firms do not have a structured approach to BCP and therefore don't update their plans very often at all.

Communication of BCP plans also seems to be a challenge for firms. Only 38% disseminate information through the firm's intranet, and the same percentage use internal email or a newsletter. Just 35% claim to hold regular meetings about BCP, and 21% say they hold occasional meetings. Surprisingly, a whopping 18% say their BCP plans are not consistently communicated within their organisation.

Firms have a variety of structures at the top of their organisation to push BCP down to the rank-and-file. Some 29% say there is "active executive involvement in setting and driving programme priorities", while 24% say their firm has established a steering committee that is engaged in BCP issues. Another 22% say that "information technology and business unit leadership are in alignment" over BCP management leadership and governance.

However, 19% of respondents admit that while their executives are aware that emergency plans exist, they say the firm's commitment to those plans is inconsistent. And another 6% confess that "board of directors and executive management attention is limited to audit cycles".

And when it comes to the new principles on business continuity, published by the Basel Committee on Banking Supervision in August 2006, firms seem relatively unfussed about implementing them. Just 20% of the respondents said their BCP plans will be updated to accommodate one or more of the principles, while 36% said the principles are currently being reviewed. A stunning 29% said their BCP plans will not change in spite of the update, and 15% said the principles do not apply to their institution.

Do these results indicate that firms are not taking business continuity as seriously as they once were? Quite possibly. BCP executives say scare stories in the media about situations such as bird flu have created a kind of 'cry wolf' scenario - board directors and senior managers are possibly overly discounting the hype. Also, IT resources - both budgets and staff - have come under pressure in recent months despite record spending at financial services firms because of the substantial number of regulatory compliance projects that are underway at the moment, including Mifid, Basel II, and continuing Sarbanes-Oxley issues. Those concerned about BCP and the impact another disaster could have on financial stability worry that it is being pushed aside at the moment in favour of other projects. OR&C

The survey, conducted during October and November by an internet facility, questioned financial services firms globally about their BCP plans. Some 29% of firms were less than $1 billion in size, while 25% had between $1 billion and $9 billion in assets. On the higher end, 26% of respondents had more than $100 billion in assets.

While 38% of firms were located in the European Union, 23% were in North America, and 15% were from the Asia-Pacific region. Respondents hailed from a diverse range of financial services businesses, including commercial banking (17%), retail banking (15%) and integrated financial services groups (22%). More than 64% were based in the risk management function of their firm.

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe

You are currently unable to copy this content. Please contact info@risk.net to find out more.

Financial crime and compliance50 2024

The detailed analysis for the Financial crime and compliance50 considers firms’ technological advances and strategic direction to provide a complete view of how market leaders are driving transformation in this sector

Investment banks: the future of risk control

This Risk.net survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from Risk.net’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a Risk.net webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

Building resilience into ESG risk management

Risk and resilience continue to play an important role in the navigation of an increasingly uncertain world. Fusion Risk Management explores why it is equally crucial for technology to support organisations in addressing pertinent environmental, social…

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here