Envoy World Wide

Envoy World Wide

Envoy World Wide

Foreword

In the past twenty years, the numbers of disasters in the United States, and throughout the world, and the extent of their effects, have reached unprecedented proportions. Although there is some debate over whether the increase in natural disasters may be attributed to environmentally damaging acts committed by industry, there is little doubt that the aging infrastructure of major US cities is contributing to still another class of disasters. We see this in the floods caused by bursting water mains, the power failures caused by transformer explosions, overhead power lines falling in storms, and collapsing highways and bridges. We are also faced with the new threat of widespread terrorist activities including bombings and biochemical attacks that have become a constant cause for concern.

The threat of interruptions and the need to respond has manifested itself into two 21st century developments -- a vast increase in regulatory requirements (at the global, country and state levels) and business requirements of customers that mandate that there be actionable business continuity plans in place as a prerequisite for doing business. The net effects of both are to establish good business practices that add operational resilience and reliability in manufacturing, services and distribution industry segments and in the public and private sector. In these days of uncertainty, Business Continuity which was once a “nice to have” feature has become mandatory to maintain customer confidence and a competitive edge.

Compartmentalization of preparation, identification and responses has given way to a more efficient, integrated and holistic approach to dealing with disruptive events. Our capabilities have been put to the test in what seems like a series of never ending events; blackouts, hurricanes, earthquakes, flooding, terrorism, fire and less dramatic more local events created by accidents, man and nature. What has become abundantly clear, and is echoed in this recent survey of BC professionals, is that the lines that separated incident management, crisis management, emergency response, disaster recovery and business continuity are disappearing, and there is a movement toward an integrated approach under the umbrella of Business Continuity Management (BCM). Overlapping and dependencies within organizational structure roles and responsibilities, personnel assignments (especially in smaller organizations) and operational interfaces have made it imperative that all functions operate within a single BCM operating model.

Alan Berman
Executive Vice President
Risk Solutions International

EnvoyWorldWide’s second annual survey, Trends in Business Continuity and Risk Management, was conducted blindly among members of several business continuity organizations including the ACP Chapters in Washington and Utah, the Business Recovery Managers Association (BRMA), the Contingency Planning Exchange, the New England Disaster Recovery Information X-Change (NEDRIX), and the Three Rivers Contingency Planning Association (TRCPA). The survey was designed to leverage a regionally diverse group of business continuity professionals to identify business continuity and disaster recovery practices and trends. Secondarily, the survey sought to compare trends to those uncovered in the initial survey conducted in May 2004.

Commissioned by EnvoyWorldWide, in conjunction with Risk Solutions International, respondents were invited to participate in a Web-based survey from March 30 to April 30, 2005. A total of 145 questionnaires were completed and 140 served as the sample for this research.

Key Findings: Business Continuity Threats and Strategies

Companies continue to contend with an array of events that pose potential threats and disruptions to their businesses. With the increasing cost of downtime and frequency of events, the need for preparation for unplanned events of all types is imperative, yet most business continuity teams have been staffed at consistent levels since the baseline study in May 2004.

In comparison to last year’s trends, the mix of threats is consistent with a few notable changes. The threat of natural disasters characterized as extreme has increased 73% since last year. This can be attributed to recent unsettled weather conditions suffered across the country, and around the world. Data security remains the number one concern, demonstrating 11% growth over last year’s data.

Q: Listed below are types of events that may pose a threat to DR/BC at your company. Please rate the events on the threat level of each.

Business Continuity in the Organization

The management of the business continuity process has become much more of a collaboration within organizations than in the past. The business continuity team is now comprised of multiple disciplines, multiple lines of business, and is no longer working as a silo within the organization. Fifty seven percent of the respondents work in companies where an executive review board is in place to sign off on BCP plans and test results, and have done so in excess of two years.

Q: What groups are represented on the BCP team?

Of the respondents, 66% observe an increased interest in their business continuity plans from their respective customers, and 68% have seen specific BCP requirements appearing in RFPs and RFIs.

Q: Has your company taken a proactive approach to informing customers/clients about your BCP capabilities?

Business Continuity and the Regulatory Environment

Of the companies surveyed, 78% cite federal, state or industry specific regulations that directly affect business continuity.

• 81% work within the governance of Sarbanes-Oxley

• 47% work within the governance of HIPAA

• 36% work within the governance of Gramm-Leach-Bliley

• 36% work within the governance of NASD Rule 3510

• Other regulations cited include state specific insurance laws, Basel II, FERC, SEC regulations and European Union Privacy.

Fifty eight percent cite business continuity and disaster recovery personnel are responsible for staying current on regulatory issues. Only fifteen percent assign this responsibility to legal counsel.

Nearly all of the respondents feel prepared to manage emerging regulations; yet, the pervasive trend is that the regulatory environment will have marginal impact on the BCP world over the next few years. Seventy five percent of those surveyed express a desire for a free tool that would keep them apprised of any regulatory changes programmatically.

Business Continuity Trends

According to the respondents, the top considerations in selecting a BC/DR provider are company stability, experience and features. Respondents feel that the most trusted vendors in disaster recovery are SunGard and IBM; and amongst business continuity providers, Strohl Systems is the primary choice with IBM and SunGard filling out the top three. Vendor rankings are consistent with the 2004 survey.

Q: Please rank the primary considerations in evaluating a DR/BC vendor.

Vendor continuity has emerged as a key concern in selecting BC and DR providers as these vendors are responsible for maintaining continuity of operations for their customers. Over 80% of the respondents require that vendors be able to deliver uninterrupted service. The overwhelming majority of responses cite evaluation of a service provider’s BC and DR plans, test results and third party accreditation as proof points.

Emergency Communications Trends

Eighty seven percent of those surveyed regard communications as a core component to their business continuity plan. Companies have built plans for communications with employees, customers, vendors, regulators and the media.

Gartner predicts that by year-end 2007, 75% of the Global 2000 will have emergency notification systems in place for employee communications in the event of a crisis (Automated Emergency Notification Will Speed Disaster Recovery, February 22, 2005).

Of the respondents, 41% report reliance on manual call trees. This is a substantial change from the 94% that relied upon manual solutions at this time last year.

In addition to automating their notification solutions, there is a noticeable trend towards implementing hosted notification services rather than on-premise or home-grown options. More than one third, or 34% of the respondents prefer that their notification solution be integrated into an enterprise data source, most often with applications from Strohl Systems or PeopleSoft.

There was consensus among respondents that testing of a notification system is imperative, though frequency varies.

Q: How often is your emergency notification solution tested?

Q: Please rank the primary considerations in evaluating an emergency notification vendor

Similar to DR and BC providers, respondents rank company stability, reputation and experience as priorities in selecting a notification provider. These traits speak to a provider’s inclination to be there when an unplanned event occurs. The least important considerations were identified as a connector to BCP software and customer references.

The Sample

This survey was posed to the members of ACP Chapters in Washington and Utah, Business Recovery Managers Association (BRMA), Contingency Planning Exchange, New England Disaster Recovery Information X-Change (NEDRIX), and Three Rivers Contingency Planning Association (TRCPA), representing an industry cross section.

Nearly half of the sample work at large companies (over 5,000 employees) with 26% at companies exceeding 20,000 employees. The average business continuity team is comprised of 24 members.

Conclusions

• While the spectrum of threats continues to expand, business continuity professionals report a 73% increase in the view that natural disasters are an extreme threat to businesses, and 11% growth in data security fears.

• Over 75% of the companies cite federal, state or industry regulations directly affected business continuity initiatives.

• Both regulations and customer requirements are driving companies to complete, test and distribute their business continuity plans.

• Business continuity teams are comprised of representatives from every business department; yet business continuity planners and managers are charged with planning and executing against plan in times of crisis, as well as staying current on emerging regulations.

• Eleven percent of the respondents are not testing their notification solutions; 41% are testing annually or less.

• Forty percent of those surveyed are still relying on manual notification processes; this demonstrates a dramatic increase in acceptance and deployment of notification systems as the 2004 survey reported over 90% relying on manual process.

• Companies are looking for BC/DR providers that are stable and experienced.

About EnvoyWorldWide

EnvoyWorldWide provides companies with proven and reliable notification applications for the delivery of time-sensitive and proactive notifications. Capable of automating and processing high-volume requests for message routing, status information and various other interactive functions, EnvoyWorldWide's patented enterprise notification and message delivery services allow organizations to facilitate business continuity initiatives, drive proactive customer interactions and streamline overall outbound communication efforts. EnvoyWorldWide communication-enables enterprises to facilitate personalized, fully interactive voice and text broadcasts to landline phones, faxes, email, pagers, SMS phones, PDAs, BlackBerrys and other wireless devices. More information is available by calling 888.252.7837 or at www.envoyworldwide.com .

About Risk Solutions International

Risk Solutions International LLC provides a full range of business continuity, emergency response, compliance, incident and crisis and other management services. The company provides its clients with world class solutions and thought leadership for assessing, mitigating and managing the impact of their operational risk. Risk Solutions International practitioners are widely experienced thought leaders who have achieved the highest levels of professional recognition. They maintain active certifications from the leading industry associations and boards and are members of key industry standard setting groups. For additional information on Risk Solutions International LLC see www.rsi-llc.com .