Business resilience: Ensuring continuity in a volatile environment

1,020 views

Published on

The Economist Intelligence Unit surveyed 181 executives around the world in January 2007 about the challenges and opportunities they face in their efforts to increase business resilience. The survey was sponsored by ACE, IBM and KPMG. Respondents represent a wide range of industries and regions, with roughly one-third each from Asia and Australasia, North America and Western Europe. Approximately 65% of respondents represent businesses with annual revenue of more than US$500m. All respondents have influence over, or responsibility for, strategic decisions on risk management at their companies. Our editorial team conducted the survey and wrote the paper. The findings expressed in this summary do not necessarily reflect the views of the sponsors. Our thanks are due to the survey respondents for their time and insight.

Published in: Business, Economy & Finance
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,020
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Business resilience: Ensuring continuity in a volatile environment

  1. 1. Business resilienceEnsuring continuity in a volatileenvironmentA report from the Economist Intelligence UnitSponsored by ACE, IBM and KPMG
  2. 2. Business resilience Ensuring continuity in a volatile environmentAbout the surveyThe Economist Intelligence Unit surveyed 181executives around the world in January 2007 aboutthe challenges and opportunities they face in theirefforts to increase business resilience. The survey wassponsored by ACE, IBM and KPMG. Respondents represent a wide range of industriesand regions, with roughly one-third each from Asiaand Australasia, North America and Western Europe.Approximately 65% of respondents representbusinesses with annual revenue of more thanUS$500m. All respondents have influence over,or responsibility for, strategic decisions on riskmanagement at their companies. Our editorial team conducted the survey and wrotethe paper. The findings expressed in this summary donot necessarily reflect the views of the sponsors. Ourthanks are due to the survey respondents for theirtime and insight. © The Economist Intelligence Unit 2007 1
  3. 3. Business resilience Ensuring continuity in a volatile environment Executive summary the survival of the entire company. This finding is corroborated by other surveys: according to the US National Archives and Records Administration, 25% of The success of a company depends on its ability to the companies that experienced an IT outage of two to identify and manage successfully the risks associated six days went bankrupt immediately. with running its operations. These risks—which can be grouped under the heading operational risk—refer ● Commitment to a business-wide approach. There to any type of risk a company faces that is neither is widespread acknowledgement that operational risk financial nor market-related in nature. For example, and business continuity issues should not be confined this category might include risks associated with the to individual functions or departments. Seventy-six supply chain, IT systems or business processes. percent of respondents agreed that operational risk In the past few years, business continuity should be an issue that involves all business units, management has emerged as one of the key tools and 69% took a similar view about business continuity that companies use to manage operational risk. At planning. the same time, the discipline has evolved from being one that is focused on the way in which companies ● Strengths and weaknesses of communication. respond to an unforeseen event, to one that is used Respondents are reasonably confident about the to increase their preparedness and overall resilience. processes they use to identify risks and to ensure In this report we look at areas of operations in which that the board is made aware of significant problems, executives say they feel most threatened, explore with 61% saying that they conduct risk assessment some of the tools that they use to mitigate these successfully, and 52% giving themselves a similar risks, and highlight areas of particular strength and rating for reporting on key risks to the board. weakness in companies’ consideration of operational Communication with employees, and with the risk management and business continuity. extended enterprise, tends to be less successful, Key findings from this research include the however. Only 31% of respondents say that they following: communicate successfully on operational risk issues with employees, and just 19% give themselves a ● Data are the key concern. Our survey of 181 risk similar rating for their communication with the executives underlines the importance of information extended enterprise. technology (IT) to the smooth running of the organisation. When asked what they considered to be ● Stakeholders pile on the pressure. Although the most important threat in their consideration of many companies will doubtless recognise the need for operational risk management, 36% selected loss of robust business continuity plans for their own benefit, data and 31% selected systems failure. Human error, pressure to strengthen planning also comes from a another key concern for operational risk managers, variety of external sources. When questioned about was cited by 35% of respondents. the influence that stakeholders have on decisions about business continuity, 59% cited customers as ● A day is all it takes. Just under half of all being a significant source, 58% cited regulators and respondents—47%—said that they could endure less 50% cited investors. than a day of downtime from their IT systems before the disruption became serious enough to jeopardise2 © The Economist Intelligence Unit 2007
  4. 4. Business resilience Ensuring continuity in a volatile environment● Putting plans into action. Evidence for theimportance of business continuity comes from the Introductionvariety of incidents that have caused respondents toput their plans into action. A total of 27% said that Risk has always been part and parcel of doingthey had implemented business continuity plans business, and every company seeks in some way tobecause of power outage, 23% because of an attack prepare for damaging incidents and to respond tofrom a virus or worm, and 21% as a result of supply them as best it can. But in recent years, the needchain disruption. to demonstrate resilience has been given greater urgency as a result of a number of powerful trends.● Reputation is the biggest concern. Failure to First, a series of high impact, low probability eventsput in place robust business continuity plans can has alerted executives to the need for precautions.have a variety of negative impacts, including loss of Beginning with the Y2K scare at the turn of therevenue and decline in shareholder value. But among new millennium, and followed by the devastatingrespondents questioned for this survey, damage to September 11th attacks, the 2005 hurricane seasontheir reputation is seen as the biggest threat, with in the US and a number of other catastrophes, the43% of respondents saying that this is their greatest vulnerability of business to unforeseen events hasconcern. never been more evident. In the same period, the trend in business has been● Small companies lag behind larger peers. towards greater leanness and efficiency. CompaniesRespondents from companies with annual revenue have stretched their supply chains to the limit,of less than US$500m were much less likely than sourcing goods from ever more distant destinationslarger companies to consider themselves successful and reducing levels of inventory to a matter of days.at specific aspects of operational risk management. They have stripped layers of management in anFor example, just 18% consider themselves to be attempt to streamline their organisations and reducesuccessful at actively testing business continuity costs, and they have outsourced non-core businessplans, compared with 31% of companies with revenue processes to external providers. Finally, they havein excess of US$1bn. come to rely so heavily on their IT systems that, even if they suffer just a few hours of downtime, the survival of the entire organisation could be threatened. This powerful combination of highly visible threats, reduced redundancy and greater reliance on IT has pushed the need for business resilience to the top of the agenda. Business continuity and disaster recovery, which were hitherto seen as dull but necessary adjuncts of doing business, have drawn boardroom attention and intense scrutiny from investors, customers, regulators and other stakeholders. Across industries and regions, executives are asking themselves about the threats they face, and what they should do to prepare for and recover from a wide range of potentially devastating incidents. © The Economist Intelligence Unit 2007 3
  5. 5. Business resilience Ensuring continuity in a volatile environment The threat from “business other factories. Ericsson, meanwhile, assumed that the fire was a minor technical glitch and waited for as usual” normal business to be resumed. By the time it realised the magnitude of the problem, it was too late. The Media coverage of the threat from global terrorism company was unable to find alternative supplies and and pandemic bird flu has done much to focus the production of its new generation of handsets was minds of executives on the need to make their severely affected. At the end of 2000, Ericsson posted organisations more resilient. But while high- a loss of US$2.34m, much of which could be attributed impact events of this nature should certainly be to the disruption in chip supplies caused by the New considered with great care, they are just the tip of Mexico fire. Nokia, meanwhile, went on to increase its the iceberg in terms of the real risks that companies share of the handset market from 27% to 30% in the face. Although lacking the immediate impact of a six months that followed the incident. major catastrophe, a whole range of other, more The different responses of Nokia and Ericsson to mundane incidents can be just as damaging to the what initially seemed a minor disruption illustrate wellbeing of an organisation. Power outage, data an important point about the need for businesses to loss, application failure and human error may not prepare effectively for a wide range of incidents. In grab the headlines, but they can have devastating order to demonstrate that they are resilient in the face consequences. According to the US National Archives of the full range of threats that they face, companies and Records Administration, 25% of the companies need much more than a “disaster recovery” plan. Far that experienced an IT outage of two to six days went more important is a clear understanding of the threats bankrupt immediately. The same study shows that the company faces, its vulnerabilities and weak spots, 93% of companies that lost their data centre for ten and the steps required to formulate a quick and days or more filed for bankruptcy within a year. effective response. The way in which a company prepares for and responds to an incident—whether major or Perceptions of risk and mundane—can make a dramatic difference to its long-term performance and reputation. In 2000, threat for example, a minor fire at a semiconductor It is often said that the world is becoming a riskier manufacturing plant in New Mexico operated by place, but among the 181 executives questioned Philips, the electronics company, led to very different for this report, there are contrasting views as to outcomes for the factory’s two main customers, whether this is the case. Just over half of respondents, Scandinavian handset manufacturers Nokia and 56%, think that the severity of threats they face Ericsson. Philips initially told its customers that the has increased over the past three years, while 52% factory would resume production within a week, but think that the volume of threats has increased. This it greatly underestimated the scale of the disruption leaves a sizable minority who think that the volume caused by smoke and debris to the sterile environment and severity of threats has either stayed the same or required for chip production. In the end, it took many declined. months to restore the factory and resume production. Respondents may disagree about whether the Nokia responded to the fire by immediately nature and extent of threats have changed, but there sourcing other supplies and putting pressure on is little doubt that recent years have seen a substantial Philips to provide alternative sources of chips from increase in the attention devoted to preparing for4 © The Economist Intelligence Unit 2007
  6. 6. Business resilience Ensuring continuity in a volatile environmentIn the past three years, what change has there been to the number and severity of threats that the organisation faces, and whatchange has there been to the attention and resources devoted to operational risk and business continuity management?(% respondents) Increased substantially Increased slightly Stayed the same Decreased slightly Decreased substantiallyAttention and resources devoted to operational risk management 28 47 24 1 0Attention and resources devoted to business continuity management 23 48 27 2 0Severity of threats the organisation faces 12 44 37 6 1Volume of threats the organisation faces 7 45 43 3 2Source: Economist Intelligence Unit survey.0 20 40 60 80 100them. Of the respondents to our survey, 75% say that error are the most feared threats, with 36% and 35%they have increased the amount of time and resources respectively citing these two considerations as amongthey dedicate to operational risk management and their biggest worries. More catastrophic events, such71% have increased the time and resources they as natural disasters, terrorism and pandemics, comedevote to business continuity. further down the priority list, with 22%, 16% and In terms of the threats they face, respondents 13% respectively seeing these incidents as importantpoint to a wide range of concerns ranging from the concerns.spectacular to the mundane. Loss of data and human Given the current focus on bird flu and the concerns being expressed by governments and regulators, it isWhich of the following types of threats are seen to be mostimportant in your organisation’s consideration of operational perhaps surprising that the threat from pandemic isrisk management planning? seen as such a low priority. Broadly speaking however,(% respondents) the order of priorities expressed by respondentsLoss of data 36 reflects the reality of threats that their organisationsHuman error face. Companies should of course plan for major 35 catastrophes, but they should also recognise thatSystems failure 31 such events are, thankfully, comparatively rare. ItSupply chain disruption is far more likely that they will need to contend with 29Virus, worm or other malicious attack on IT systems a power cut or a systems failure caused by human 28 error, and this should be taken into account whenEmployee malfeasance (e.g. theft or fraud) 25 companies look at the operational risks they face.Natural disasters, such as fires or floods Indeed, when asked about events in the past three 22 years that had caused them to invoke their businessUnplanned downtime of online systems 22 continuity plans, the most common causes were powerTerrorism outage and unplanned downtime of online systems, 16 both of which were cited by 27% of respondents.Power outage 13Pandemic 13Application failure 12Industrial action 8Source: Economist Intelligence Unit survey. © The Economist Intelligence Unit 2007 5
  7. 7. Business resilience Ensuring continuity in a volatile environment In the past, organisations tended to ask their External drivers for greater suppliers only very basic questions about business resilience continuity but, in the past couple of years, the approach has become more sophisticated. Rather than Beyond any perception that the world may be simply asking whether the supplier has a business becoming a more dangerous place, there are several continuity plan in place, customers will now ask sources of external influence that are encouraging about the scope of the plan and request evidence of an increased focus on operational risk and business compliance with particular policies. continuity. According to respondents questioned for In addition to customers, pressure from regulators this report, customers are the stakeholder that is seen is also becoming more pronounced. Recent regulatory as most important in driving decisions about business activity, including the Sarbanes-Oxley Act in the continuity, with 59% citing them as a significant US, and the Basel II accord for financial services influence. companies, has focused attention on the need for As they take steps to increase the efficiency of their robust risk management, especially in the area supply chain, companies have become dependent on of information technology. Among respondents a highly complex network of suppliers and partners. questioned for this report, regulators are seen as Over time, they have also consolidated their supplier the second most important external influence over base, so that they are more reliant than ever on decisions about business continuity, with 58% seeing the ability of those companies to deliver on their them as significant in that regard. This figure rises promises. As a result, those responsible for sourcing to 72% when we consider only respondents from decisions are increasing the rigour with which they financial services companies. question suppliers about their level of preparedness. Simon Mingay, a research vice-president at How significant is the influence that the following external organisations have over your decisions about business continuity planning? Rate on a scale of 1 to 5, where 1=Very significant and 5=Not at all significant. (% respondents) 1 Very successfully 2 3 4 5 Not at all successfully Don’t know/Not applicable Regulators 37 21 17 12 14 Customers 23 36 20 12 9 Shareholders 21 29 27 11 12 Governments 17 29 22 13 17 Auditors 11 37 24 18 9 Insurance companies 10 21 39 21 8 Risk consultants 7 17 29 19 28 The media 5 17 29 25 24 Business continuity or security vendors 5 15 23 31 27 Emergency services 4 18 28 28 23 Source: Economist Intelligence Unit survey.6 © The Economist Intelligence Unit 2007
  8. 8. Business resilience Ensuring continuity in a volatile environmentGartner, the business analyst, points out that it is not as the 2005 hurricane season. By demonstrating thatso much the existence of regulation, but the extent they have put in place well-planned measures to dealto which compliance is enforced, that is the driver with any potential disruptions, companies may befor more rigorous business continuity. “You may well able to expect to pay lower premiums. In our survey,find that a regulation spans a geographic region,” he 31% of respondents said that the influence wieldedexplains, “but in some areas the regulator is either by insurance companies over business continuity wasineffective or is just not doing their job. As a result, significant.lots of organisations largely ignore it.” Recognising that even minor disruptions can have Steps towards resiliencea dramatic effect on share price and reputation, The traditional approach to business continuityinvestors are also starting to scrutinise companies involved thinking through the steps that companiesfor evidence that they have planned accordingly. should take in response to a major incident, but as MrAs a result, more and more companies are including Mingay points out, this approach is both outmodedreferences to operational risk and business continuity and dangerous. “One of the things that people need toin their annual reports, in an attempt to reassure get into their heads is that business continuity is notinvestors. Among our survey respondents, 50% say just about the disaster recovery plan,” he explains.that their shareholders exert a significant influence “It’s also about how you do business, where you doon their business continuity decisions. business and where work gets done.” Finally, insurers are another important constituent The successful management of operational risk andthat is encouraging a sharper focus on business business continuity requires companies to conduct acontinuity, especially in the wake of huge losses such thorough assessment of the risks and vulnerabilitiesHow successfully do you think your organisation manages the following aspects of operational risk?Rate on a scale of 1 to 5, where 1=Very successfully and 5=Not at all successfully.(% respondents) 1 Very successfully 2 3 4 5 Not at all successfully Don’t know/Not applicableRisk assessment 17 44 27 11 1Obtaining management support (including budgetary) 15 34 36 15 2Reporting on key risks to board 13 39 34 13 0Assigning roles and responsibilities for business continuity 10 27 38 18 7Actively testing business continuity plans 7 23 31 26 13Risk quantification 6 39 27 22 7Regularly updating business continuity plans 5 28 34 24 10Communicating plans with employees 5 26 39 25 5Juggling the requirements and priorities of different business units 4 25 46 20 4Business impact analysis 4 39 35 19 3Communicating plans with extended enterprise 4 15 43 28 10Source: Economist Intelligence Unit survey.0 20 40 60 80 100 © The Economist Intelligence Unit 2007 7
  9. 9. Business resilience Ensuring continuity in a volatile environment they face in their day-to-day operations. Among How long could your organisation last before downtime of IT systems becomes an issue that could jeopardise the entire respondents to our survey, there is a relatively high company? degree of confidence in the ability to assess risks, with (% respondents) 61% considering themselves successful in this area. Less than four hours 13 “The first question companies need to ask Between four hours and 12 hours 20 themselves,” explains Charles Skinner, operations Between 12 hours and manager of Janusian Security, a subsidiary of the Risk 24 hours 14 Advisory Group, “is what is it that they do and what Between one day and one week 32 is mission critical to their company. Once they have Between one week understood this, they can then understand the critical and one month 12 More than one month 4 processes and deliverables that they have to guard Don’t know 6 against from an unexpected event.” Some risks will be common to all businesses—for Source: Economist Intelligence Unit survey. example, the need to prepare for possible pandemic flu outbreak or power outage—but others will be specific to the company’s industry or location. Careful and to think through areas where alternative risk and vulnerability assessment, perhaps using provisions need to be made. For example, if a tools such as scenario planning, can focus the minds company determined that a power outage of any kind of executives on the level of the threat that they face is absolutely unacceptable, then that company may and help them to decide where resources should be want to consider installing an emergency generator. allocated and where priorities should be set. A disaster recovery plan may be only a small part of Having determined what the risks are, companies ensuring business resilience, but it is nevertheless an then need to get to grips with the likelihood of those essential one. This sets out roles and responsibilities risks. Here, respondents to the survey demonstrate for getting systems and business processes back on slightly lower confidence, with 45% rating themselves track, documents the activities that are required as successful at risk quantification. to resume operations and determines acceptable The next step is to assess the effect that a range recovery times. of incidents would have on the company, using a “There are two key parameters that people manage business impact analysis. This is again an area where around business continuity management,” explains slightly less than half of respondents—43%—consider Mr Mingay of Gartner, “and those are recovery time themselves to be successful. objective (RTO) and recovery point objective (RPO).” A business impact analysis requires companies to The former, RTO, refers to the maximum amount of ask themselves what would happen if, for example, time that can be tolerated to resume a particular a power outage shut down the email server for six service or system to full operation, and the latter, hours, or what would happen if a police cordon RPO, refers to the historical point in time to which the shut off access to the head office. Is the company company aims to recover its data. more or less vulnerable than its peers to particular As companies rely more on their data and IT disruptions, perhaps because of its location or a quirk systems, both RTO and RPO are being squeezed down of its organisational structure? to a matter of hours. This concern about compressing This exercise helps companies to assess which recovery windows is one that appears to resonate services are critical to the running of the business, with our survey respondents. When asked how long8 © The Economist Intelligence Unit 2007
  10. 10. Business resilience Ensuring continuity in a volatile environmentthey think they could survive the downtime of their Who is primarily responsible for business continuity planning in your organisation?IT systems before the problem became one that (% respondents)threatened the survival of the company itself, 47% Chief executive officerthought that they would last less than 24 hours. 22 Chief operating officerManaging the plan Chief information officer 13Once a company has created a business continuity 11 No one has overall responsibityplan, it is essential that it is tested on a regular basis 11and updated at least every year in order to reflect Chief risk officer 9changes in the underlying business. Full simulations Risk committeeof particular incidents—possibly in collaboration with 8partners and customers—can also be a valuable way Chief financial officer 7of testing the resilience of a plan and pointing out Line manager or administratorweak spots that may need to be addressed as part of 7ongoing maintenance. Head of business continuity 4 Companies that fail to update their plans are in for Compliance officera shock should they ever have to use them, says Mr 1 An external providerSkinner of Janusian. “Within six months you’ll find 1that the plan is out of date because of things like staff Don’t know 1turnover, a change of business process or a move to a Othernew office,” he explains. 3 Source: Economist Intelligence Unit survey. Among respondents questioned for this survey,58% say that they actively test their businesscontinuity plans at least every year. However, 17% you find that it is very difficult for them to set asideeither see business continuity planning as a one-off the 20% of their time that they really need to manageexercise or do not have a plan at all. the plan effectively.” Mr Mingay believes that ineffective business Because business continuity focuses so much oncontinuity planning is often the fault of poor technology and people issues, there is a danger thatleadership. “The thing that distinguishes it can be seen to be primarily the responsibility oforganisations that do this well from those that don’t is those departments. This is a mistake, says Mr Mingay.leadership,” he explains. “The leadership team needs “Business continuity is no more or less an IT issueto show an interest in the process, ask questions, and than it is a marketing issue, an operations issue or anthen put in place the appropriate governance and anything else issue,” he explains. “The only way youcontrols to make sure it happens.” can manage this process effectively is by combining Another important responsibility for the leadership strong leadership with a distributed approach.”team is to ensure that sufficient resources are Among respondents questioned for the survey,allocated to the consideration of business continuity. there is widespread support for the idea that“In many companies today, everyone seems to be operational risk and business continuity should bedouble-hatted and this causes a huge problem,” business-wide issues driven by board-level executives.explains Mr Skinner. “You look at the day-to-day job of Just 27% say that they see business continuity asthe person who is tasked with business continuity and primarily an issue for the IT and HR departments, and © The Economist Intelligence Unit 2007 9
  11. 11. Business resilience Ensuring continuity in a volatile environment just 21% think similarly about operational risk. In updating those plans. Less than one-third, 31%, say addition, 58% say that a C-level executive, such as the that they use simulations or active testing of their chief executive officer, chief financial officer or chief business continuity plans, and just 25% say that they risk officer, has overall responsibility for operational communicate their plans and procedures regularly risk in their organisation, while 63% say that business with employees. continuity is their responsibility. As the costs of storage technology continue to This makes sense, especially given that decisions fall, the higher-end technologies are coming within about business continuity planning can have such a reach of a growing number of businesses, so they dramatic impact on a company’s future viability. When should not discount these options altogether. “From asked what they consider to be the biggest threats a technology point of view, costs have come way arising from poor business continuity planning, 43% down with things like disk storage, which makes that of respondents selected damage to their reputation. technology more affordable for smaller organisations,” This finding illustrates how customers, the media and says Mr Mingay. “Because of falling costs, small and other stakeholders will have little sympathy for a lack mid-sized organisations are today using technological of robust planning in the face of an incident. It is now solutions to mitigate risk that, two years ago, were expected that companies should make appropriate only accessible to large organisations.” provisions, and failing do so will reflect badly on the Moreover, business resilience need not be about company’s long-term reputation. costly managed services and technological solutions. “You don’t have to spend lots of money,” continues Why small is not always Mr Mingay. “It’s more about allocating some time and people resources to pay attention to the issue, better to think about it and to factor it in as something Although many large companies have made you should consider. The fact that small companies business continuity a priority in recent years, sometimes don’t is less to do with resources and more smaller companies have often been slower in their to do with human nature. We all tend to believe that response. In large part, this is to do with knowledge bad things happen to other people.” and resources. There is a perception that business continuity solutions, such as risk consultancy, disk mirroring, digital vaulting and remote back-up centres, are only within reach of the deep pockets of the largest corporates. In addition, smaller companies may not have dedicated IT departments or risk managers who are tasked with putting these plans into place. As a result, they generally show much lower levels of preparedness than their larger peers. Respondents to our survey from companies with annual revenue of less than US$500m were much less likely to rate themselves highly for aspects of operational risk management. Just 18% considered themselves to be successful at actively testing business continuity plans, and only 20% at regularly10 © The Economist Intelligence Unit 2007
  12. 12. Business resilience Ensuring continuity in a volatile environmentConclusionThe minds of corporate executives have rarely been asfocused on the need for business resilience. The threatfrom major catastrophes, such as a terrorist attack orpandemic disease, has encouraged companies from allsectors and regions to think through their operationsand look for areas in which they may be vulnerable.In doing so, they also make themselves more resilientin the face of more mundane (and far more likely)interruptions, such as power outages and humanerror. There is widespread recognition among surveyrespondents that operational risk and businesscontinuity are business-wide issues that requireexecutive board attention. This is good news, as it isonly through the engagement of the senior leadershipteam that the appropriate resources, processes andcontrols can be put in place. But although most companies questioned takethe issue of business resilience seriously, there areimportant gaps in their planning and management.A minority of respondents rated themselves as beingeffective at regularly updating and testing businesscontinuity plans, and only small proportions sawthemselves as good at communicating with employeesor external partners. As external stakeholders, including regulators,investors and customers, become more vocal in theircalls for greater levels of resilience, there is a pressingneed for companies to maintain their focus in thisarea. The potential for loss that can ensue from failureto protect the company, in terms of damage to assets,lost revenue and tarnished reputation, is simply toogreat. © The Economist Intelligence Unit 2007 11
  13. 13. Appendix: Survey resultsBusiness resilienceReducing vulnerability and increasing preparedness Appendix: Survey results In January 2007, the Economist Intelligence Unit conducted a survey of 181 executives around the world. Our sincere thanks go to all those who took part in the survey. Please note that not all answers add up to 100%, because of rounding or because respondents were able to provide multiple answers to some questions. How significant a threat do the following risks pose to your company’s global business operation today? Rate on a scale of 1 to 5, where 1=Very high risk and 5=Very low risk. (% respondents) 1 Very high 2 3 4 5 Very low Don’t know/Not applicable Reputational risk (e.g. events that undermine public trust in your products or brand) 20 33 26 20 1 0 Regulatory risk (problems caused by new or existing regulations) 16 31 29 19 4 1 Human capital risks (e.g. skills shortages, succession issues, loss of key personnel) 15 41 29 13 2 0 IT risk (e.g. loss of data, outage of data centre) 11 32 33 22 2 0 Market risk (risk that the market value of assets will fall) 11 21 37 20 8 3 Political risk (danger of a change of government) 9 21 28 26 15 2 Credit risk (risk of bad debt) 8 29 24 23 12 4 Country risk (problems of operating in a particular location) 8 22 30 28 9 2 Terrorism 8 14 25 35 17 1 Foreign exchange risk (risk that exchange rates may worsen) 6 27 27 26 10 4 Financing risk (difficulty raising finance) 6 17 23 32 19 4 Crime and physical security 4 20 25 38 13 1 Natural hazard risk (e.g. hurricanes, earthquakes) 3 18 25 33 19 1 0 20 40 60 In each of the following regions, are the majority of risks to your business considered to be general (e.g. likely to affect many 80 100 other companies operating in the same location or industry) or specific (e.g. relating to your company’s internal systems, processes or people)? (% respondents) General Specific Not applicable/Don’t know Western Europe 55 21 24 Asia Pacific 54 21 25 North America 54 27 19 Africa/Middle East 50 11 38 Eastern Europe 44 21 35 Latin America 44 19 38 0 20 40 60 80 10012 © The Economist Intelligence Unit 2007
  14. 14. Appendix: Survey results Business resilience Reducing vulnerability and increasing preparednessHow has your organisation’s assessment of risk in each of the following countries and regions changed over the past three months?(% respondents) 1 Very high 2 3 4 5 Very low Don’t know/Not applicableMiddle East 14 22 24 5 35Russia 8 23 23 10 1 35Latin America 6 20 30 6 1 37US 4 33 41 4 1 16China 3 22 33 13 2 27Overall global risk2 34 39 5 20Other Eastern Europe2 18 33 10 1 36India 2 13 38 9 3 34Rest of Asia-Pacific2 20 39 8 1 31France1 12 44 4 1 38UK1 20 46 8 1 25Other Western Europe1 8 53 5 2 31Japan1 8 49 8 2 33Germany1 5 50 7 1 36Canada1 4 56 3 2 35In the past three years, what change has there been to the number and severity of threats that the organisation faces, and whatchange has there been to the attention and resources devoted to operational risk and business continuity management?(% respondents) Increased substantially Increased slightly Stayed the same Decreased slightly Decreased substantiallyAttention and resources devoted to operational risk management 28 47 24 1 0Attention and resources devoted to business continuity management 23 48 27 2 0Severity of threats the organisation faces 12 44 37 6 1Volume of threats the organisation faces 7 45 43 3 20 20 40 60 80 100 © The Economist Intelligence Unit 2007 13
  15. 15. Appendix: Survey resultsBusiness resilienceReducing vulnerability and increasing preparedness Which of the following types of threats are seen to be most Who is primarily responsible for operational risk in your important in your organisation’s consideration of operational organisation? risk management planning? (% respondents) (% respondents) Chief executive officer Loss of data 18 36 Risk committee Human error 17 35 Chief risk officer Systems failure 17 31 Chief operating officer Supply chain disruption 11 29 Chief financial officer Virus, worm or other malicious attack on IT systems 9 28 No one has overall responsibity Employee malfeasance (e.g. theft or fraud) 8 25 Line manager or administrator Natural disasters, such as fires or floods 7 22 Chief information officer Unplanned downtime of online systems 3 22 Head of business continuity Terrorism 2 16 Compliance officer Power outage 1 13 An external provider Pandemic 1 13 Don’t know Application failure 1 12 Other Industrial action 5 8 Who is primarily responsible for business continuity planning Which of the following types of threats receive most attention in your organisation? in your organisation’s consideration of operational risk? (% respondents) (% respondents) Chief executive officer Loss of data 22 43 Chief operating officer Systems failure 13 37 Chief information officer Supply chain disruption 11 29 No one has overall responsibity Virus, worm or other malicious attack on IT systems 11 28 Chief risk officer Unplanned downtime of online systems 9 27 Risk committee Human error 8 27 Chief financial officer Natural disasters, such as fires or floods 7 21 Line manager or administrator Employee malfeasance (e.g. theft or fraud) 7 21 Head of business continuity Terrorism 4 15 Compliance officer Application failure 1 15 An external provider Power outage 1 13 Don’t know Pandemic 1 9 Other Industrial action 3 514 © The Economist Intelligence Unit 2007
  16. 16. Appendix: Survey results Business resilience Reducing vulnerability and increasing preparednessWhich of the following statements best describes your Which of the following statements best describes yourorganisation’s approach to operational risk planning? organisation’s approach to business continuity planning?(% respondents) (% respondents)We see operational risk as an issue that should involve all business We see business continuity planning as an issue that should involveunits, not just IT and HR all business units, not just IT and HR 76 69We see operational risk primarily as an IT issue We see business continuity planning primarily as an IT issue 9 13We see operational risk primarily as an HR issue We see business continuity planning primarily as an issue 6 for the IT and HR departmentsWe see operational risk primarily as an issue for the IT and HR departments 8 6 We see business continuity planning primarily as an HR issueWe do not have any operational risk plans 6 3 We do not have any business continuity plans 3How successfully do you think your organisation manages the following aspects of operational risk?Rate on a scale of 1 to 5, where 1=Very successfully and 5=Not at all successfully.(% respondents) 1 Very successfully 2 3 4 5 Not at all successfully Don’t know/Not applicableRisk assessment 17 44 27 11 1Obtaining management support (including budgetary) 15 34 36 15 2Reporting on key risks to board 13 39 34 13 0Assigning roles and responsibilities for business continuity 10 27 38 18 7Actively testing business continuity plans 7 23 31 26 13Risk quantification 6 39 27 22 7Regularly updating business continuity plans 5 28 34 24 10Communicating plans with employees 5 26 39 25 5Juggling the requirements and priorities of different business units 4 25 46 20 4Business impact analysis 4 39 35 19 3Communicating plans with extended enterprise 4 15 43 28 100 20 40 60 80 100 © The Economist Intelligence Unit 2007 15
  17. 17. Appendix: Survey resultsBusiness resilienceReducing vulnerability and increasing preparedness How significant is the influence that the following external organisations have over your decisions about business continuity planning? Rate on a scale of 1 to 5, where 1=Very significant and 5=Not at all significant. (% respondents) 1 Very significant 2 3 4 5 Not at all significant Don’t know/Not applicable Regulators 37 21 17 12 14 Customers 23 36 20 12 9 Shareholders 21 29 27 11 12 Governments 17 29 22 13 17 Auditors 11 37 24 18 9 Insurance companies 10 21 39 21 8 Risk consultants 7 17 29 19 28 The media 5 17 29 25 24 Business continuity or security vendors 5 15 23 31 27 Emergency services 4 18 28 28 23 How often do you update and actively test your business In the past year, which of the following incidents has caused continuity and disaster recovery plans? you to put into action your business continuity plans? (% respondents) (% respondents) Once a year Power outage 39 27 More than once a year Unplanned downtime of online systems 20 27 Once every two years Attack from virus or worm 11 23 We do not have any business continuity or disaster recovery plans Application failure 9 22 Once every three to five years Supply chain disruption 8 21 We see business continuity planning and disaster recovery as a one-off exercise Problem/failure caused by external vendor 8 17 Less than every five years Data loss 4 16 Flood or fire 0 5 10 15 20 25 30 35 40 15 Attack from hacker 8 Theft or fraud 8 Act of terrorism 7 Transport failure 7 Industrial action 6 None of the above 28 Other 316 © The Economist Intelligence Unit 2007
  18. 18. Appendix: Survey results Business resilience Reducing vulnerability and increasing preparednessPlease indicate whether you agree or disagree with the following statements:(% respondents) Strongly agree Slightly agree Neither agree nor disagree Slightly disagree Strongly disagree Don’t knowActive testing of business continuity plans using mock scenarios is essential to ensure confidence in our planning 32 36 18 7 4 3Business continuity planning is taken seriously and given significant attention by the board 25 33 20 13 8 1The CRO should be involved in decisions regarding IT Service delivery 25 37 21 5 3 8We prefer not to outsource critical business continuity practices such as data back-up 21 27 14 17 19 2Our consideration of business continuity has provided useful insight into broader operational and strategic issues 20 45 20 9 4 2There is never enough budget or resources to ensure really effective business continuity planning 17 34 14 23 11 2Outsourcing IT to suppliers with greater levels of experience and skills in resilient systems can help reduce our operational risk 14 37 24 14 8 2Operational risk, disaster recovery and business continuity planning are seen as separate disciplines in our organisation 13 26 13 17 30 1The CRO tends to delegate IT risk to the CIO 13 28 27 11 12 9Our company conducts a systematic assessment as to how operational risk components relate to IT 12 43 20 15 7 2How long could your organisation last before downtime of IT What do you see as being the biggest threat arising from poorsystems becomes an issue that could jeopardise the entire business continuity planning?company? (% respondents)(% respondents) Loss of revenue 19Less than four hours 13 Reputational damage 43Between four hours and12 hours 20 Loss of data 10Between 12 hours and Defection of customers 1624 hours 14 Defection of suppliers 1Between one day and Higher insurance costs 1one week 32 Decline in shareholderBetween one week value 6and one month 12 Failure to protectMore than one month 4 employees 4Don’t know 6 © The Economist Intelligence Unit 2007 17
  19. 19. Appendix: Survey resultsBusiness resilienceReducing vulnerability and increasing preparedness Which of the following methods does your organisation use to develop and test its business continuity plans? Demographics (% respondents) Scenario planning 55 Compliance with standards 45 In which region are you personally located? Simulations or active testing of plans (% respondents) 42 Specialist training of employees (e.g. crisis management) 42 Asia-Pacific 28 Contract with managed service provider to supply data back-up and alternative premises Latin America 6 33 North America 29 Regular communication of plans and procedures with employees 32 Eastern Europe 6 Use of third party to evaluate business continuity plan Western Europe 27 29 Purchase of business interruption insurance Middle East & Africa 6 24 Contract with third party to audit business continuity plans 14 None of the above 10 Other 1 What are your main functional roles? Please choose no more than three functions. (% respondents) Risk 63 Finance 37 Strategy and business development 33 General management 31 Marketing and sales 10 Operations and production 9 IT 8 Information and research 8 Legal 7 Customer service 6 R&D 4 Other 4 Human resources 2 Procurement 2 Supply-chain management 118 © The Economist Intelligence Unit 2007
  20. 20. Appendix: Survey results Business resilience Reducing vulnerability and increasing preparednessWhat is your primary industry? What are your organisation’s global annual revenues(% respondents) in US dollars? (% respondents)Financial services 34 $500m or less 34Energy and natural resources 9 $500m to $1bn 17Professional services $1bn to $5bn 20 9 $5bn to $10bn 10Government/Public sector 7 $10bn or more 18IT and technology 7Healthcare, pharmaceuticals and biotechnology 4Manufacturing 4Entertainment, media and publishing 4Agriculture and agribusiness 3 Which of the following best describes your title?Construction and real estate (% respondents) 3Consumer goods Other C-level executive 3 27Education CEO/President/Managing director 3 17Chemicals CFO/Treasurer/Comptroller 2 15Transportation, travel and tourism SVP/VP/Director 2 15Aerospace/Defence Head of Department 2 11Logistics and distribution Head of Business Unit 2 6Retailing Board member 1 5Telecommunications CIO/Technology director 1 2Automotive Manager 1 2 © The Economist Intelligence Unit 2007 19
  21. 21. Whilst every effort has been taken to verify the accuracyof this information, neither The Economist IntelligenceUnit Ltd. nor the sponsor of this report can accept anyresponsibility or liability for reliance by any person onthis white paper or any of the information, opinions orconclusions set out in the white paper.
  22. 22. LONDON NEW YORK HONG KONG26 Red Lion Square 111 West 57th Street 60/F, Central PlazaLondon New York 18 Harbour RoadWC1R 4HQ NY 10019 WanchaiUnited Kingdom United States Hong KongTel: (44.20) 7576 8000 Tel: (1.212) 554 0600 Tel: (852) 2585 3888Fax: (44.20) 7576 8476 Fax: (1.212) 586 1181/2 Fax: (852) 2802 7638E-mail: london@eiu.com E-mail: newyork@eiu.com E-mail: hongkong@eiu.com

×