01 Dec 2006, Ellen Davis, Operational Risk & Regulation
Although business continuity planning (BCP) has received much attention over the past five years, thanks to terrorist attacks, hurricanes, power outages and other events, the latest survey from OR&C Intelligence shows that the evolution of BCP remains fairly stagnant.
The new survey, conducted during October and November and sponsored by risk consulting firm Protiviti, shows that some 68% of respondents feel the failure of senior management or the board to take BCP seriously is a threat to the implementation of their business continuity programme. Nearly half of all respondents (49%) say they lack sufficient funds or resources for BCP preparedness, and 47% say the failure of staff to take BCP seriously as an issue.
Nearly a third of respondents (32%) say they are experiencing challenges in communicating BCP internally within the organisation, while almost a quarter (24%) say they are having difficulty in co-ordinating with utilities, transport services and other external stakeholders.
The survey also shows that BCP continues to be regarded primarily as a technology issue, despite the fact that other factors have been raised as key elements of BCP planning over the past 18 months. Nearly 89% of respondents indicated that they believed data risks - including data centre hardware/software failure, data security, and security/privacy breaches - should be considered in a BCP plan. And 56% said crisis management - which includes a lack of an emergency operations centre, and insufficient emergency communications - should be considered.
However, these two categories are the traditional focus of business continuity planning, which in many firms has grown out of IT and is only recently being explored by the risk management division. As a result, only 29% of respondents included people - having insufficient skilled staff - as a potential risk or threat to the development of their business continuity plan.
Another new area for BCP thinking - geo-political risk, which includes terrorism, foreign investing, and political unrest - was selected by only 38% of respondents. Bird flu, which has had more than its fair share of press coverage during the past 18 months, earned the concern of only 32% of respondents. The effects of global warming, which includes severe weather, was ticked by just 6%, despite the devastation wrought by Hurricane Katrina and other storms.
However, these answers aside, 48% of respondents said the primary reason for business continuity within their organisation was management's recognition of the importance of continuity. Another 22% cited risk management drivers, which is encouraging. And yet, 19% indicated that regulatory compliance was the primary reason, while 6% said public relations and corporate reputation was the primary driver for their BCP plan. Two respondents - who had ticked 'Other' - indicated that BCP plans are being demanded by their clients.
Responses to other questions show a more 'compliance' mentality to BCP than many firms would care to admit. Again, despite the events of the past five years, 31% of firms indicated that they were "Currently developing business continuity plans". Another 36% had progressed further, with "Enterprise-wide business continuity plans are operational and tested". Just 27% said they had an enterprise-wide business continuity management function involved in maintaining the availability of critical functions and resources.
Another cause for disappointment among advocates of business continuity and disaster recovery experts may be found in how often organisations review and update their business continuity plans. Some 46% of firms only update their plans annually. Another 4% said they updated their plans every two years, and 4% admitted that their firms "never" update their plans. For many firms, the plans are updated "as needed" - 20% said this was the case at their organisation. But this response could cut both ways - while it might indicate a more dynamic approach to BCP with plans being updated often as new threats or BCP tools arise, it could also indicate that firms do not have a structured approach to BCP and therefore don't update their plans very often at all.
Communication of BCP plans also seems to be a challenge for firms. Only 38% disseminate information through the firm's intranet, and the same percentage use internal email or a newsletter. Just 35% claim to hold regular meetings about BCP, and 21% say they hold occasional meetings. Surprisingly, a whopping 18% say their BCP plans are not consistently communicated within their organisation.
Firms have a variety of structures at the top of their organisation to push BCP down to the rank-and-file. Some 29% say there is "active executive involvement in setting and driving programme priorities", while 24% say their firm has established a steering committee that is engaged in BCP issues. Another 22% say that "information technology and business unit leadership are in alignment" over BCP management leadership and governance.
However, 19% of respondents admit that while their executives are aware that emergency plans exist, they say the firm's commitment to those plans is inconsistent. And another 6% confess that "board of directors and executive management attention is limited to audit cycles".
And when it comes to the new principles on business continuity, published by the Basel Committee on Banking Supervision in August 2006, firms seem relatively unfussed about implementing them. Just 20% of the respondents said their BCP plans will be updated to accommodate one or more of the principles, while 36% said the principles are currently being reviewed. A stunning 29% said their BCP plans will not change in spite of the update, and 15% said the principles do not apply to their institution.
Do these results indicate that firms are not taking business continuity as seriously as they once were? Quite possibly. BCP executives say scare stories in the media about situations such as bird flu have created a kind of 'cry wolf' scenario - board directors and senior managers are possibly overly discounting the hype. Also, IT resources - both budgets and staff - have come under pressure in recent months despite record spending at financial services firms because of the substantial number of regulatory compliance projects that are underway at the moment, including Mifid, Basel II, and continuing Sarbanes-Oxley issues. Those concerned about BCP and the impact another disaster could have on financial stability worry that it is being pushed aside at the moment in favour of other projects. OR&C
|The survey, conducted during October and November by an internet facility, questioned financial services firms globally about their BCP plans. Some 29% of firms were less than $1 billion in size, while 25% had between $1 billion and $9 billion in assets. On the higher end, 26% of respondents had more than $100 billion in assets.
While 38% of firms were located in the European Union, 23% were in North America, and 15% were from the Asia-Pacific region. Respondents hailed from a diverse range of financial services businesses, including commercial banking (17%), retail banking (15%) and integrated financial services groups (22%). More than 64% were based in the risk management function of their firm.