by Roberta J. Witty | March 18, 2014 | 6 Comments
Some Observations for BCI’s Business Continuity Awareness Week
Gartner has been covering business continuity management (BCM) for many years, and we’ve learned a lot of important lessons from our research and from our client interactions. For BCI’s Business Continuity Awareness Week, we asked the Gartner analysts and consultants who specialize in this area — John Morency, Robert Naegle, Belinda Wilson, Roberta Witty and Werner Zurcher — for some top-of-mind thoughts on BCM.
“When your business is down — and only your business — you’ve got a very serious problem on your hands.” Sometimes operational failures are spread across an industry, or a geographical area. When that happens, stakeholders — customers, clients, employees, whoever — are likely to accept operational delays. But it’s a different story when your enterprise, and only yours, is down. That’s why you’d better have a good recovery plan for business disruptions that impact only you.
“Getting a new job is easier than getting a new family.” Your family is more important to you than the company you work for, isn’t it? Well, the same is true for everybody else, so you can’t expect people to come to the aid of the business when they’re impacted by the same event. That’s why you need redundancy built into your recovery plans, so that you have workforce “bench strength.” And that’s why you have to be aware of your employees’ personal needs and allow them the time to take care of their personal lives — before, during and after an event. Red Cross personal preparedness training, or something similar, should be a part of every BCM program’s awareness and education program.
“Recovery, restoration and resilience cost money. Get over it.” All of your BCM efforts mean some level of redundancy, and that inevitably leads to increased costs. Backups, data replication, retainer contracts, spare inventory, cross-training — they all cost money to implement. But without them, all you have to look forward to is single points of failure all over the business. That’s not a good operational model, or a good career plan.
“BCM is part of risk management. You can’t separate them, and you shouldn’t try.” BCM is increasingly seen as a component of the broader operational risk management (ORM) function. We’re seeing more and more cross-pollination of risk management practices between BCM and other ORM domains, and more and more long-overdue acknowledgment of the value of BCM programs. One important observation: Nothing delivers better business impact analysis than a good BCM program.
“Poor contract management quality can be fatal to the business. Not just damaging. Fatal.” Your business — every business — needs to pay much more attention to the contractual commitments you make to your customers. (For one thing, they can dictate your internal recovery needs.) You also need to be able to document and enforce the service delivery recovery needs specified in supplier and partner contracts – those you depend upon.
Now, those are all words to live by. But BCM professionals also need to understand the business and IT trends and issues impacting BCM in their industries and their enterprises — and their benefits and costs. Here are two quick-reference charts that show how Gartner sees BCM today.
Category: Advisory BCM Process Event ITScore for BCM Standards/Frameworks Technology Tags: BCAW, BCI, BCM, BIA, Business Continuity Management, Business Continuity Planning, Business Impact Analysis, Business Resiliency, IT Disaster Recovery, IT Service Continuity Management, ITIL, Operational Risk Management
by Roberta J. Witty | February 26, 2014 | 2 Comments
The Gartner Business Continuity Management and IT Disaster Recovery Management agenda has been set for 2014 and we are excited to bring to our clients the following branded research reports.
- Q1/2014: Magic Quadrant for Emergency/Mass Notification Services
- Q2/2014: Cool Vendors in Business Continuity Management, 2014
- Q3/2014: Hype Cycle for IT Service Continuity Management, 2014
- Q3/2014: Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2014
- Q3/2014: Magic Quadrant for Business Continuity Management Planning Software
- Q3/2014: Recovery Orchestration Automation Market Guide
- Q4/2014: Predicts 2015: Business Continuity Management and IT Disaster Recovery Management
- Q4/2014: Magic Quadrant for RaaS
Every year, Gartner publishes a number of spotlight reports. Our BCM and IT DRM research areas have been participating in these spotlights since 2009. These reports include Cool Vendors, Hype Cycles and Predicts. We will again participate in these annual spotlights and add a new Hype Cycle for IT Service Continuity Management.
We also produce market-based reports, and we will again provide such research in 2014.
- Three magic quadrants (emergency/mass notification services (EMNS), BCM planning software (BCMP) and Recovery-as-a-Service (RaaS)) where we compare vendors in a market according to the Ability to Execute and Completeness of Vision.
- A Market Guide for Recovery Orchestration Automation. A Market Guide provides a definition of a market, market dynamics and a view of the market participants. More specifically, a Market Guide provides coverage for markets in which vendors cannot be rated or ranked because the market:
  - Is still in the early stages of its development cycle and can be described as:
    - Still evolving, with purchasing decisions not yet common
    - Being characterized by disruption
    - Not having a stable set of vendors
    - Not having vendors with established, distinct capabilities that can be rated or ranked yet
  - Or, is mature enough to begin evaluating and ranking vendors; however, there is not sufficient coverage or priority to conduct the significant primary research needed, but client interest or impact warrants some coverage.
Some documents may not be available as part of your current Gartner subscription.
Category: BCM Process Standards/Frameworks Technology Tags: BCM, Business Continuity Management, Business Resiliency, IT Disaster Recovery, IT Service Continuity Management, ITIL, RaaS
by Roberta J. Witty | August 8, 2013 | Comments Off
After researching BCM for so long, it’s making me think of the exact opposite: what does it mean to be safe, free, happy? It’s the same reaction as when you stare at something yellow for a minute: when you look away, you see purple. Same thing for red and green. There is always a flip side to everything. So, I’ve started thinking about what it means to be happy in an IT environment, an IT company – the whole IT experience. I’m calling it “Bliss Management.”
So I’m starting with: What’s a happy app? I had an experience of a ‘not so happy’ app the other day when ordering an item on the Internet via my mobile device. When you are requested to enter the expiration date for your credit card information, why does it have to start at January, or worse 01? Why not start the drop down menu in the middle of the year – June or July? It is much more efficient as you only have to scroll through 6 or fewer entries rather than 11 if you are a December expiration. Also, when the app requests you to enter your email address or a number, why does it not provide you the right keyboard layout with numbers and the @ sign?
Is there some technical reason why it doesn’t happen? Or are programmers just that lazy? Or do they just not think about the human experience? Both of these minor changes can make the end user happy. Isn’t that what online retailers want?
Category: Bliss Management Technology Tags: Appdev, Application Development, BCM, bliss management, happiness, mobile recovery, mobile Technology, online buying, Roberta Witty
by Roberta J. Witty | February 20, 2013 | 3 Comments
On 12 February 2013, emergency/mass notification services (EMNS) vendor xMatters purchased the intellectual property of Bamboo, an enterprise-level incident management mobile app from Deloitte Australia, for an undisclosed amount. Members of Deloitte’s risk practice are assisting in the full transition as are application developers from the Bamboo team employed in the build-out. This acquisition of Bamboo, a mobile app for incident management, should appeal to companies looking to integrate emergency/mass notification services and offline access to recovery plans in a mobile platform.
Bamboo has now found a software development home to enhance its business continuity management software. Gartner believes xMatters has the most opportunity to grow Bamboo adoption by supporting the importation of Microsoft Word and Excel files as well as a SharePoint Web service API for those who do not use business continuity management planning (BCMP) tools now. Gartner also believes xMatters should consider evaluating its EMNS pricing strategy to make it more competitive with the rest of the market for increased adoption of Bamboo by prospects that do not already have an EMNS tool.
xMatters adds a mobile app that supports push technology for recovery plan updates, role-based and offline recovery plan access, and GIS-enabled tracking of all capabilities used for real-time incident management. Integration with the xMatters IT alerting system may be a future enhancement.
Before this acquisition, Gartner observed limited Bamboo adoption by our clients, who cited additional costs compared to perceived benefits; Australia-only product support with uncertain future support from Deloitte (which is not known for mobile application development); and limited business continuity management tool integration.
In both current and combined forms, Bamboo powered by xMatters lacks many of the capabilities of the larger BCMP market, particularly related to planning functions, including:
- Business impact analysis
- Risk assessment
- Recovery plan development, maintenance and exercising
But the offering could appeal to xMatters customers that lack a mobile app for real-time incident management.
BCMP tool customers: If you are looking for EMNS and enhanced real-time incident management capabilities through a mobile device, encourage your BCMP vendor to integrate with xMatters.
EMNS tool prospects: Consider xMatters because it now has an enhanced mobile app for offline recovery plan access, emergency contact list dialing and GIS for resource tracking — all used for real-time incident management support.
BCMP vendors that only have mobile Web browser access: If you are looking for an EMNS tie-in, either integrate with xMatters or enhance your mobile app to provide push technology for recovery plan updates, role-based and offline access to plans through the mobile device, and EMNS integration.
xMatters EMNS competitors: Enhance your mobile app to support push technology for recovery plan updates, role-based and offline recovery plan access and GIS-enabled resource tracking. (EMNS leaders currently support GIS-enabled resource tracking.)
Existing Bamboo customers: Discuss with your EMNS vendor whether it will continue supporting Bamboo, as it may be a direct competitor to xMatters.
“Best Practices: EMNS Implementation Advice” — EMNS implemented without a well-considered plan can hurt the constituencies that rely on these services for everything from basic safety to basic survival. By Roberta Witty and John Girard
“Market Analysis in Depth: EMNS Magic Quadrant” — Buyers of EMNS should use this research to guide their vendor selection projects. By Roberta Witty, John Girard and Catherine Goldstein
Category: Event Technology Tags: Bamboo, BCM, BCM planning, BCMP, Business Continuity Management, Business Continuity Planning, Business Impact Analysis, Emergency Notification, EMNS, Gartner, Mass Notification, Recovery Planning, Recovery Plans, Roberta Witty, xMatters
by Roberta J. Witty | February 8, 2013 | Comments Off
Not many of us paid a lot of attention to the weather forecasting systems that the meteorologists use. When we did in the U.S., we were very cynical because the meteorologists just didn’t seem to get it right, almost to the point of the forecasts being a joke. But Superstorm Sandy quickly brought the problem to light: the European system predicted a direct hit on NYC 3 days before the U.S. system did, which was the same day of the storm – a bit too late I would say. WOW! Why?
There is a rather significant difference between the two: the European system has faster computers, more data and better initialization data. This blog post from www.accuweather.com and video from the Today Show explain it all.
Fortunately for the U.S., the Europeans are allowing us to use their data, and have helped us figure out why the U.S. model isn’t performing as well. But it will take time and money to fix. So when planning your next outdoor party, make sure the forecast you consult is from the European model.
Category: Advisory BCM Process Event Technology Tags: BCM, Business Continuity Management, Business Continuity Planning, Crisis Management, ECMWF, Gartner, GFS, NOAA, Roberta Witty, weather, weather forecast
by Roberta J. Witty | February 4, 2013 | Comments Off
Friday’s Bank of America outage reminded me of an increasingly frequent question we receive on third party liability due to an operating outage. The use of cloud service providers is making this question top-of-mind for many organizations. But it’s not just cloud providers that you need to worry about: it’s all of your third party providers: business processors, IT SPs et al. Nearly all contracts have a force majeure clause in them that excludes outages such as acts of God, war, terrorism, civil disturbance, court order, 3rd party performance or nonperformance, strike, work stoppages et al. But another interesting twist we’ve started to see in contracts is a $0 valuation of the data being held or processed by the 3rd party.
Neither I nor Gartner is a legal advisor, so you need to consult with your own legal advisor for how to address the liability issue in your contracts. Our findings from recent research about 3rd party liability and data valuation might provide some background for those discussions.
- Data valuation is a highly unaddressed, very difficult thing to do.
- Since few if any of us have perfect foresight into the future uses of data, the most that one can do is estimate the probable maximum value of data elements – which is no way to do risk management.
- Organizations can buy data insurance but it is very expensive and there is no standard approach to assigning policy premiums by the insurance companies.
- We see it as extremely unlikely that a vendor/service provider would take on business impact liability of an outage that is based on data valuation. One method might be to have customers pay a premium for the SP service and then that premium goes into a pool that the vendor would use for liability payout if an outage occurs.
- We do see some contracts (for cloud SPs) where there is a “per incident” minimum of how much the SP would pay the customer if there is an outage. Most of these outages are related to data loss, especially when the SP is processing personal information (PII). How these minimums are calculated is unknown, but what the organization should be doing is trying to get more money back from the SP than the fee return for the outage period. For example, 12 months of fees max is one option; another is to craft contract terms that require that the fees returned to the customer are based on the amount of time of the outage.
- Customers require the SP to hold higher levels of liability insurance:
  - Commercial general liability (CGL), example: no more than 1 million for each occurrence including death and 1 million for each property damage. This type of insurance coverage protects against all liability exposures of a business, except ones specifically excluded. It is important to note that it is limited to bodily injury and property damage, and includes defence costs for defending against suits from third parties, and payment only if the insured is found liable for the loss.
  - Liability Insurance for Professionals – example: the amount of One Million Dollars ($1,000,000) per occurrence and Three Million Dollars ($3,000,000) in the aggregate including coverage for X, Y and Z. The policies will name the client as an additional insured and be written as a primary policy, not contributing to any other policy the client may have. The provider needs to provide certificates of insurance. This type of insurance coverage protects professionals in various fields, e.g. lawyers’ professional liability insurance, manufacturers’ professional liability insurance, etc. This insurance essentially covers “errors and omissions” and is not limited to bodily injury or property damage.
  - Umbrella (Excess) Liability Insurance – example: in an amount of not less than four million ($4,000,000) per occurrence. CGL and professional liability insurance is written on a “primary” basis, usually with a deductible or “self insured retention” and usually has a limit of liability of ~$1 million per occurrence. Excess liability policies are used to increase the limit of liability on specific CGL and professional liability policies. Umbrella liability policies are used to increase the limit of liability on several of these policies. Limits of liability in this market can go into hundreds of millions of dollars.
- Organizations can buy contingent business interruption insurance (CBII) to cover supplier outages. To buy CBII you first need to have a business interruption insurance (BII) policy in place. To buy BII you need to have a property insurance policy in place. BII and CBII are property insurance policies that cover primarily “loss of earnings” following a property insurance loss. Sometimes these coverage points are included in a company’s property insurance policy, and sometimes they are written separately. Casualty policies do not come into play.
- Valuing lost revenue (in the case of business interruption insurance) is a tricky calculation, and usually involves looking at the average revenue of a company for the three months prior to a loss, and adjusting for the seasonal revenue ups and downs of some businesses.
- We do not have data regarding a SP’s liability to all of its customers if the SP has an outage.
- After a negative impact from an SP outage, an organization can sue the SP because the returned fees aren’t nearly enough to compensate the customer. Valuing losses in these cases sometimes depends on the creativity of the attorneys and case law. SPs and storage vendors provide remedies in contracts to limit their exposures, not to keep their customers whole. This also keeps insurance cost for the vendors lower than it would be if they were providing remedies based on the value of data lost and its impact on a company’s reputation, revenues, and future success.
Category: Advisory BCM Process Event Tags: Availability Risk, Backup and Recovery, BCM, BCP, Business Continuity Management, Business Continuity Planning, Business interruption insurance, Business Resiliency, Cloud Computing, Commercial general liability insurance, compliance, Contingency Planning, contingent business interruption insurance, Continuity of Operations, COOP, Data Protection, data protection insurance, Disaster Recovery, Gartner, Governance, Liability Insurance for Professionals, Operational Risk Management, Property and casualty insurance, Recovery Planning, Resiliency, Risk Assessment, Roberta Witty, Umbrella (Excess) Liability Insurance
by Roberta J. Witty | January 15, 2013 | Comments Off
For the first time in more than three decades, NYC is gearing up for a strike on Wednesday January 16, 2013 by the city’s largest school bus driver union, Local 1181 of the Amalgamated Transit Union (see “NYC Department of Education: Pupil Transportation” and “School Bus Drivers’ Union Calls for Strike on Wednesday”). This strike announcement set off a rapid review of options for transporting students to NYC schools ranging from putting students on a city bus or subway to paying parents mileage when they drive their child to school.
It also highlights the need to be prepared for an outage – intentional or not – of all suppliers to your business processes, not just your IT vendors. Organized labor must be considered as a supplier of business services and you had better have a contingency plan in place well ahead of a strike. As additional guidance, do not announce a change of supplier or potential change of a supplier until that contingency plan is in place and tested – at least through a tabletop exercise.
It won’t be pretty tomorrow morning: disabled children and those too young to be on a city bus or subway seem to be particularly at risk of not getting to school. We could see the second largest workforce availability issue for city agencies and private enterprises since Superstorm Sandy in October/2012 as parents will be late to work or not show up at all because their kids will be home.
I hope you are prepared…somehow I think many aren’t.
Category: Event Tags: BCM, Business Continuity Management, Contingency Planning, crisis communications, Crisis Management, Department of Education, NYC, organized labor, strike, Workforce Continuity, workforce resilience
by Roberta J. Witty | November 16, 2012 | Comments Off
Over the last five years considerable attention has been paid to the rise of public social media as the dominant tool for communications during large scale disasters. In major crises such as the Queensland floods, the Christchurch earthquake, the Haitian earthquake, and the tsunami that led to the Fukushima nuclear failures, individuals and organizations have leveraged a variety of social media outlets to make personal contact, broadcast data to the public and correct misinformation. In the most recent major disaster, Hurricane Sandy’s march through the northeast of the United States, we again witnessed heavy use of social media.
This time though, it was different. No one was surprised by this or found the activity remarkable. Massive surge of tweets before, during and after Sandy hit? Sure, of course. People informing friends of their survival through Facebook status updates? Meh. Thousands of YouTube videos of storm impact? Uh huh.
The predictability and casual acceptance of this pattern of reliance on public social media platforms is the important message that Sandy delivered. This is the new normal. When New Jersey and New York residents powered up their smartphones off of a free generator, they used the electrons to check and upload updates to Facebook, Twitter, YouTube and thousands of blogs. They did not open up web browsers to watch broadcast news. This is a clear indication of where consumers place their trust when it comes to critical communications.
If your organization has been hesitating to use social media to communicate with customers and employees, it is time to wake up and smell the coffee. If you are not driving your corporate image and communications through social media, someone else is driving it for you and they may not have your interests in mind. Misinformation continues to appear in social media during disasters and normal life. Your customers and employees are looking for information in social media and you should make sure they are getting the correct information when they need it and on the platforms that they have selected.
Category: Advisory BCM Process Event Technology Tags: #HurricaneSandy, Andrew Walls, BCM, Business Continuity Management, Business Continuity Planning, crisis communications, Crisis Management, Disaster, Disaster Recovery, Emergency Management, Emergency Notification, Emergency Preparedness, Facebook, Gartner, Sandy, social media, Twitter
by Roberta J. Witty | November 7, 2012 | 2 Comments
With BYOD and telework gaining in adoption in the U.S., the question arises as to how much the employer is willing to provide backup and recovery support for personal devices as well as home-based offices, such as generators, backup devices for computers, iPads for easier field-level functioning, dual Internet connections, dual telecom connections et al.
I asked this question on LinkedIn and got only one response – it added the insurance angle. So I’m looking for what your organization is doing in supporting these two initiatives.
Respond with your ideas and feedback.
Category: BCM Process Technology Tags: Business Continuity Management, Business Continuity Planning, Business Resiliency, BYOD, COOP, Disaster Recovery, Gartner, Hurricane Sandy, IT Disaster Recovery, Personal preparedness, Roberta Witty, Sandy, Superstorm, Telework, WAH, work at home
by Roberta J. Witty | November 7, 2012 | 2 Comments
Sandy’s impact on mobile wireless service was, if anything, a reminder that the best backup systems will never replace the need for redundant communications channels when it comes to standalone or lifeline services.
The FCC indicated that at one point last week up to 25% of the cell sites in affected areas of the region from Virginia to Massachusetts were not working. In hardest hit areas of New York and New Jersey that figure probably was a lot higher, although AT&T, Verizon Wireless, Sprint Nextel and T-Mobile USA have not detailed just how badly their network suffered in those areas.
Customers in areas that did have service often experienced differences in the apparent resiliency of different carrier networks. One Gartner colleague in Middlesex County, New Jersey reported significant disruption to his AT&T voice and mobile data service at home while his wife had no problems with her Verizon service.
That kind of disparity and the widespread loss of service in some areas highlighted the inherent weakness of the cellular network: Even with cell sites girded by backup batteries and diesel generators, the macro cellular system is not a very resilient network. Each Sandy-related site outage could have resulted from any or all of these factors:
- The site did not have an on-site backup generator to recharge batteries or supply power to the base station. Verizon claims all of its tower sites have at least eight hours of backup power, but any experiencing a power outage at the storm’s outset – say, from a tree falling on the local power line – easily would have exceeded the eight-hour threshold before the storm passed. By Nov. 6, Verizon was reporting that 99% of its towers in the affected storm area were operating while AT&T put its figure at 98%.
- Major physical damage occurred, such as a tower toppling in high winds.
- Ancillary damage occurred due to flooding or falling debris, which may have knocked out of commission backup power supplies or the local optical backhaul network element. Any towers backhauling traffic through flooded Verizon central offices in lower Manhattan and other areas essentially were cut off, even if the tower itself maintained power.
- Regional factors such as roads blocked by fallen trees or flooding that made it impossible for fuel trucks to resupply backup generators or move portable cell sites – COWs or COLTs – into place once service went out.
The FCC has attempted to address the robustness of the backup power issue before, with a 2007 rule requiring a minimum of eight hours backup power for cell sites. A federal court effectively blocked the rule in 2008 amid objections by the Bush administration and mobile carriers, who objected to the purported cost of the mandate.
Carriers also raised the salient point that for some disasters such as Hurricane Katrina, it is virtually impossible to prevent some towers from going out of service. As Sprint Nextel noted in seeking a stay of the FCC rule: “Backup power supplies—whether they provide electricity for eight hours or eighty hours—are useless when sites and lines are submerged in flood waters.”
That will continue to be the reason why users, especially enterprises using mobile wireless for business-critical functions, need backup communications platforms, not just backup power. Where available, POTS lines that do not rely on a user power source still are a reliable backup, assuming the local central office – typically built like a fortress – has not flooded or burned down.
Satellite systems also may provide backup for the most critical communications. For example, AT&T offers a specialized handset that can connect U.S. customers via the 3G cellular or satellite networks. AT&T also recently introduced its Remote Mobility Zone product, a portable kit that essentially provides an on-the-spot 2G cell site that will backhaul voice and data to the AT&T network via satellite.
In addition, ask your mobile service provider to substantiate their network resiliency measures in locations important to your business. If the carrier’s cell tower serving an important manufacturing facility does not have backup power, for example, factor that into your buying decision.
Category: Advisory BCM Process Event Technology Tags: 2G, AT&T, Bill Menezes, Business Continuity Management, Business Continuity Planning, Business Resiliency, cell phone, COOP, Disaster Recovery, Emergency Management, Emergency Notification, Emergency Preparedness, enterprise mobility, FCC, Gartner, Hurricane Sandy, IT Disaster Recovery, Personal preparedness, Remote mobility, Sandy, satellite phone, Sprint Nextel, T-Mobile, Telecommunications, Telework, TMobile, Verizon, Verizon Wireless