From my viewpoint, the latest statistics reported in the Business Continuity Trends and Challenges 2018 report from continuitycentral.com look pretty alarming.
- The Disaster Recovery Preparedness Council found that nearly 75% of organizations worldwide aren’t properly protecting their systems and data to cope with the impacts of a disaster. Yet almost 70% of organizations surveyed say they will be making few if any changes to their business continuity plans for 2018.
- Although CIOs, CISOs and CROs all consistently put business continuity and disaster recovery at the very top of their priority lists, just 10.2% of respondents will be giving more attention to cyber security and cyber risks this year.
- A survey by Japan’s Ministry of Economy, Trade and Industry showed that fewer than 30% of small companies have plans in place to mitigate supply chain disruption following a natural disaster. Even so, a paltry 4.7% of companies will put an increased focus on supply chain continuity in 2018.
- It’s axiomatic that investing in employee training is vital to the success of your business continuity plan. But only 3.5% of organizations planning to roll out business continuity awareness programs in 2018.
Our ever-greater social and economic interdependence, the increasing volatility of our global weather and the relentless progression of cyber threats all point to recovery planning and information assurance being more important than ever. So why does the survey seem to illustrate complacency?
What is Driving Complacency?
The main challenges the survey cites are pretty predictable. Topping this list in order are: lack of budget and resources, lack of time available for business continuity tasks, and lack of top management commitment. 6.7% of respondents (nearly tripling from 2.5% in 2017) admitted that “general apathy about business continuity in the organization” was also a factor.
Further, 52% of firms will keep business continuity spending on par with last year’s level, while about 10% will cut BC budgets and 4.5% will cut them significantly. This indicates that business continuity spending is actually decreasing overall, despite the growing need to prioritize the function.
Key Drivers of Business Continuity Planning
In my experience, the pressure to develop a business continuity plan usually comes from external sources: e.g., auditors, clients, insurance companies and regulators. What’s interesting is that external drivers for these initiatives stimulate initial management buy-in and initial funding, but the effort quickly becomes difficult to sustain (see chart below).
Graph courtesy of Alan Trup
Yet if the motivation for recovery planning is internal to the organization, the challenges flip. Getting money and executive support is often a struggle, but the likelihood of ongoing success once the program gets off the ground and shows its value, is much higher.
Could it be that many/most business continuity efforts are externally driven (e.g., marketing-driven) and therefore floundering to various extents?
Another possibility is some companies are unsure about how to improve or optimize their business continuity or disaster recovery initiatives. Expert guidance can greatly support and accelerate many such programs.
Are You Planning to Fail?
One thing is for sure: disasters happen. A high percentage of firms that have business continuity plans have had to invoke them. And the grim consequences of “failure to plan” include increased recovery time and cost, lost customers and market share, and a damaged brand reputation. Depending on the nature of the disaster and that of your business, inadequate planning could even lead to loss of life.
Ben Franklin said it best 250 years ago: “Failure to plan is planning to fail.”
To start a conversation about your business continuity goals and how best to get there from where you are today, contact Pivot Point Security.