Business Continuity

A member of the Gartner Blog Network

Roberta J. Witty
Research VP
11 years at Gartner
33 years IT industry

Roberta Witty is a research VP in Gartner Research, where she is part of the Compliance, Risk and Leadership group. Her primary area of focus is business continuity management and disaster recovery. Ms. Witty is the role specialty lead for… Read Full Bio

The 2014 Magic Quadrant for Business Continuity Management Planning Software is Published!

by Roberta J. Witty  |  August 28, 2014  |  1 Comment

Most BCMP tools meet customer needs for recovery plan management, and a consistent and repeatable plan development process. The growing focus on BCM program analytics and integration into the operational risk management initiative has resulted in increased sophistication of BCMP tools.  Read it here: http://www.gartner.com/document/2833119?ref=shareSummary.

1 Comment »

Category: Uncategorized     Tags:

Gartner’s 2014 BCM and IT DRM Hype Cycle is Published!

by Roberta J. Witty  |  July 31, 2014  |  1 Comment

Supported by many of research colleagues at Gartner, John Morency and Roberta Witty recently completed our Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2014. This year’s Hype Cycle demonstrates that increasing deployments of cloud-based solutions and the adoption of the ISO 22301:2012 BCM standard are redefining the technology and process foundations of continuity and recovery management. Technologies found on this Hype Cycle provide the response, recovery and risk insights that are needed to create strategies to build successful BCM and IT DRM programs.

Details on all of the BCM and IT DRM processes and technologies represented in this year’s Hype Cycle can be found in our latest report, “Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2014“.

1 Comment »

Category: Uncategorized     Tags:

The Gartner Analyst Perspective: The Benefits and Costs of Business Continuity Management

by Roberta J. Witty  |  March 18, 2014  |  6 Comments

Some Observations for BCI’s Business Continuity Awareness Week (Click here to see the full set of FlashBlog posts)

Gartner has been covering business continuity management (BCM) for many years, and we’ve learned a lot of important lessons from our research and from our client interactions. For BCI’s Business Continuity Awareness Week, we asked the Gartner analysts and consultants who specialize in this area — John Morency, Robert Naegle, Belinda Wilson, Roberta Witty and Werner Zurcher — for some top-of-mind thoughts on BCM.

“When your business is down — and only your business — you’ve got a very serious problem on your hands.” Sometimes operational failures are spread across an industry, or a geographical area. When that happens, stakeholders — customers, clients, employees, whoever — are likely to accept operational delays. But it’s a different story when your enterprise, and only yours, is down. That’s why you’d better have a good recovery plan for business disruptions that impact only you.

“Getting a new job is easier than getting a new family.” Your family is more important to you than the company you work for, isn’t it? Well, the same is true for everybody else, so you can’t expect people to come to the aid of the business when they’re impacted by the same event. That’s why you need redundancy built into your recovery plans, so that you have workforce “bench strength.” And that’s why you have to be aware of your employees’ personal needs and allow them the time to take care of their personal lives — before, during and after an event. Red Cross personal preparedness training, or something similar, should be a part of every BCM program’s awareness and education program.

“Recovery, restoration and resilience cost money. Get over it.” All of your BCM efforts mean some level of redundancy, and that inevitably leads to increased costs. Backups, data replication, retainer contracts, spare inventory, cross-training — they all cost money to implement. But without them, all you have to look forward to is single points of failure all over the business. That’s not a good operational model, or a good career plan.

“BCM is part of risk management. You can’t separate them, and you shouldn’t try.” BCM is increasingly seen as a component of the broader operational risk management (ORM) function. We’re seeing more and more cross-pollination of risk management practices between BCM and other ORM domains, and more and more long-overdue acknowledgment of the value of BCM programs. One important observation: Nothing delivers better business impact analysis than a good BCM program.

“Poor contract management quality can be fatal to the business. Not just damaging. Fatal.” Your business — every business — needs to pay much more attention to the contractual commitments you make to your customers. (For one thing, they can dictate your internal recovery needs.) You also need to be able to document and enforce the service delivery recovery needs specified in supplier and partner contracts – those you depend upon.

Now, those are all words to live by. But BCM professionals also need to understand the business and IT trends and issues impacting BCM in their industries and their enterprises — and their benefits and costs. Here are two quick-reference charts that show how Gartner sees BCM today.

BCI BCAW Business Issues Editted

BCI BCAW IT Issues Editted

6 Comments »

Category: Advisory BCM Process Event ITScore for BCM Standards/Frameworks Technology     Tags: , , , , , , , , , , ,

Gartner Sets its 2014 Business Continuity Management and IT Disaster Recovery Management Agenda

by Roberta J. Witty  |  February 26, 2014  |  2 Comments

The Gartner Business Continuity Management and IT Disaster Recovery Management agenda has been set for 2014 and we are excited to bring to our clients the following branded research reports.

  • Q1/2014: Magic Quadrant for Emergency/Mass Notification Services
  • Q2/2014: Cool Vendors in Business Continuity Management, 2014
  • Q3/2014: Hype Cycle for  IT Service Continuity Management, 2014
  • Q3/2014: Hype Cycle for Business Continuity Management and  IT Disaster Recovery Management, 2014
  • Q3/2014: Magic Quadrant for Business Continuity Management Planning Software
  • Q3/2014: Recovery Orchestration Automation Market Guide
  • Q4/2014: Predicts 2015: Business Continuity Management and IT Disaster Recovery Management
  • Q4/2014: Magic Quadrant for RaaS

Every year, Gartner published a number of spotlight reports. Our BCM and IT DRM research areas have been participating in these spotlights since 2009. These reports include: Cool Vendors, Hype Cycles and Predicts. We will again participate in these annual spotlights and add a new Hype Cycle for IT Service Continuity Management.

We also produce market-based reports and in 2014, we will again provide such research in 2014.

  • Three magic quadrants (emergency/mass notification services (EMNS), BCM planning software (BCMP) and Recovery-as-a-Service (RaaS)) where we compare vendors in a market according to the Ability to Execute and Completeness of Vision.
  • A Market Guide for Recovery Orchestration Automation. A Market Guide provides a definition of a market, market dynamics and a view of the market participants. More specifically, a Market Guide provides coverage for markets in which vendors cannot be rated or ranked because the market:
    • Is still in the early stages of its development cycle and can be described as:
      • Still evolving, with purchasing decisions not yet common
      • Being characterized by disruption
      • Not having a stable set of vendors
      • Not having vendors with established, distinct capabilities that can be rated or ranked yet
      • Or, is mature enough to begin evaluating and ranking vendors; however, there is not sufficient coverage or priority to conduct the significant primary research needed, but client interest or impact warrants some coverage.

Some documents may not be available as part of your current Gartner subscription.

2 Comments »

Category: BCM Process Standards/Frameworks Technology     Tags: , , , , , ,

What’s a Happy App?

by Roberta J. Witty  |  August 8, 2013  |  Comments Off

After researching BCM for so long, it’s making me think of the exact opposite: what does it mean to be safe, free, happy.  It’s the same reaction as when you stare at something yellow for a minute: when you look away, you see purple. Same thing for red and green.  There is always a flip side to every thing. So, I’ve started thinking about what it means to be happy in an IT environment, an IT company – the whole IT experience. I’m calling it “Bliss Management.”

So I’m starting with: What’s a happy app?  I had an experience of a ‘not so happy’ app the other day when ordering an item on the Internet via my mobile device. When you are requested to enter the expiration date for your credit card information, why does it have to start at January, or worse 01?  Why not start the drop down menu in the middle of the year – June or July? It is much more efficient as you only have to scroll through 6 or fewer entries rather than 11 if you are a December expiration. Also, when the app requests you to enter your email address or a number, why does it not provide you the right keyboard layout with numbers and the @ sign?

Is there some technical reason why it doesn’t happen? Or are programmers just that lazy? Or do they just not think about the human experience? Both of these minor changes can make the end user happy. Isn’t that what online retailers want?

Comments Off

Category: Bliss Management Technology     Tags: , , , , , , , ,

xMatters Acquisition Gives the Bamboo Incident Management Mobile App a Home

by Roberta J. Witty  |  February 20, 2013  |  3 Comments

On 12 February 2013, emergency/mass notification services (EMNS) vendor xMatters purchased the intellectual property of Bamboo, an enterprise-level incident management mobile app from Deloitte Australia, for an undisclosed amount. Members of Deloitte’s risk practice are assisting in the full transition as are application developers from the Bamboo team employed in the build-out. This acquisition of Bamboo, a mobile app for incident management, should appeal to companies looking to integrate emergency/mass notification services and offline access to recovery plans in a mobile platform.

Bamboo has now found a software development home to enhance its business continuity management software. Gartner believes xMatters has the most opportunity to grow Bamboo adoption by supporting the importation of Microsoft Word and Excel files as well as a SharePoint Web service API for those who do not use business continuity management planning (BCMP) tools now. Gartner also believes xMatters should consider evaluating its EMNS pricing strategy to make it more competitive with the rest of the market for increased adoption of Bamboo by prospects that do not already have an EMNS tool.

xMatters adds a mobile app that supports push technology for recovery plan updates, role-based and offline recovery plan access, and GIS-enabled tracking of all capabilities used for real-time incident management. Integration with the xMatters IT alerting system may be a future enhancement.

Before this acquisition, Gartner observed limited Bamboo adoption by our clients, who cited additional costs compared to perceived benefits; Australia-only product support with uncertain future support from Deloitte (which is not known for mobile application development); and limited business continuity management tool integration.

In both current and combined forms, Bamboo powered by xMatters lacks many of the capabilities of the larger BCMP market, particularly related to planning functions, including:

  • Business impact analysis
  • Risk assessment
  • Recovery plan development, maintenance and exercising

But the offering could appeal to xMatters customers that lack a mobile app for real-time incident management.

Recommendations:

BCMP tool customers: If you are looking for EMNS and enhanced real-time incident management capabilities through a mobile device, encourage your BCMP vendor to integrate with xMatters.

EMNS tool prospects: Consider xMatters because it now has an enhanced mobile app for offline recovery plan access, emergency contact list dialing and GIS for resource tracking — all used for real-time incident management support.

BCMP vendors that only have mobile Web browser access: If you are looking for an EMNS tie-in, either integrate with xMatters or enhance your mobile app to provide push technology for recovery plan updates, role-based and offline access to plans through the mobile device, and EMNS integration.

xMatters EMNS competitors: Enhance your mobile app to support push technology for recovery plan updates, role-based and offline recovery plan access and GIS-enabled resource tracking. (EMNS leaders currently support GIS-enabled resource tracking.)

Existing Bamboo customers: Discuss with your EMNS vendor whether it will continue supporting Bamboo, as it may be a direct competitor to xMatters.

Recommended Reading

“Best Practices: EMNS Implementation Advice” — EMNS implemented without a well-considered plan can hurt the constituencies that rely on these services for everything from basic safety to basic survival. By Roberta Witty and John Girard

“Market Analysis in Depth: EMNS Magic Quadrant” — Buyers of EMNS should use this research to guide their vendor selection projects. By Roberta Witty, John Girard and Catherine Goldstein

3 Comments »

Category: Event Technology     Tags: , , , , , , , , , , , , , ,

The Europeans Have It: More Power and Better Data Wins in Weather Forecasting

by Roberta J. Witty  |  February 8, 2013  |  Comments Off

Not many of us paid a lot of attention to the weather forecasting systems that the meteorologists use. When we did in the U.S., we were very cynical because the meteorologists just didn’t seem to get it right, almost to the point of the forecasts being a joke. But Superstorm Sandy quickly brought the problem to light: the European system predicted a direct hit on NYC 3 days before the U.S. system did, which was the same day of the storm – a bit too late I would say. WOW! Why?

There is a rather significant difference between the two: the European system has faster computers, more data and better initialization data. This blog post from www.accuweather.com and video from the Today Show explains it all.

Fortunately for the U.S., the Europeans are allowing us to use their data, and have helped us figure out why the U.S. model isn’t performing as well. But it will take time and money to fix. So when planning your next outdoor party, make sure the forecast you consult is from the European model.

Comments Off

Category: Advisory BCM Process Event Technology     Tags: , , , , , , , , , ,

Who Is Liable, and For How Much, When Your Third Party Isn’t Available?

by Roberta J. Witty  |  February 4, 2013  |  Comments Off

Friday’s Bank of America outage reminded me of an increasingly frequent question we receive on third party liability due to an operating outage.  The use of cloud service providers is making this question top-of-mind for many organizations. But it’s not just cloud providers that you need to worry about: it’s all of your third party providers: business processors, IT  SPs et al. Nearly all contracts have a force majeure clause in them that exclude outages such as acts of God, war, terrorism, civil disturbance, court order, 3rd party performance or nonperformance, strike, work stoppages et al. But another interesting twist we’ve started to see in contracts is a $0 valuation of the data being held or processed by the 3rd party.

I nor Gartner is a legal advisor, so you need to consult with your own legal advisor for how to address the liability issue in your contracts. Our findings from recent research about 3rd party liability and data valuation might provide some background for those discussions.

  • Data valuation is a highly unaddressed, very difficult thing to do.
    • Since few if any of us have perfect foresight into the future uses of data, the most that one can do is estimate the probable maximum value of data elements – which is no way to do risk management.
    • Organizations can buy data insurance but it is very expensive and there is no standard approach to assigning policy premiums by the insurance companies.
  • We see it extremely unlikely that a vendor/service provider would take on business impact liability of an outage that is based on data valuation. One method might be to have customers pay a premium for the SP service and then that premium goes into a pool that the vendor would use for liability payout if an outage occurs.
  • We do see some contracts (for cloud SPs) where there is a “per incident” minimum of how much the SP would pay the customer if there is an outage. Most of these outages are related to data loss, especially when the SP is processing personal information (PII). How these minimums are calculate is unknown, but what the organization should be doing is trying to get more money back from the SP than the fee return for the outage period, e.g. 12 months of fees max is one option, another is to craft contract terms that require that the fees returned to the customer are based on the amount of time of the outage.
  •  Customers require the SP to hold higher levels of liability insurance:
    • Commercial general liability (CGL), example: no more than 1 million for each occurrence including death and 1 million for each property damage. This type of insurance coverage protects against all liability exposures of a business, except ones specifically excluded. Important to note that it is limited to bodily injury and property damage, and includes defence costs for defending against suits from third parties, and payment only if the insured is found liable for the loss.
    • Liability Insurance for Professionals – example: the amount of One Million Dollars ($1,000,000) per occurrence and Three Million Dollars ($3,000,000) in the aggregate including coverage for X,Y and Z. The policies will name the client as an additional insured and be written as a primary policy, not contributing to any other policy client may have. The provider needs to provide certificates of insurance. This type of insurance coverage protects professionals in various fields i.e. lawyers professional liability insurance, manufacturers professional liability insurance, etc. This insurance essentially covers “errors and omissions” and is not limited to bodily injury or property damage.
    • Umbrella (Excess) Liability Insurance – example: in an amount of not less than four million ($4,000,000) per occurrence. CGL and professional liability insurance is written on a “primary” basis, usually with a deductible or “self insured retention” and usually has a limit of liability of ~$1 million per occurrence. Excess liability policies are used to increase the limit of liability on specific CGL and professional liability policies. Umbrella liability policies are used to increase the limit of liability on several of these policies. Limits of liability in this market can go into hundreds of millions of dollars.
  • Organizations can buy contingent business interruption insurance (CBII) to cover supplier outages. To buy CBII you first need to have a business interruption insurance (BII) policy in place. To buy BII you need to have a property insurance policy in place. BII and CBII are property insurance policies that cover primarily “loss of earnings” following a property insurance loss. Sometimes these coverage points are included in a company’s property insurance policy, and sometimes they are written separately. Casualty policies do not come into play.
  • Valuing lost revenue (in the case of business interruption insurance) is a tricky calculation, and usually involves looking at the average revenue of a company for the three months prior to a loss, and adjusting for the seasonal revenue ups and downs of some businesses.
  • We do not have data regarding a SP’s liability to all of its customers if the SP has an outage.
  • After a negative impact to a SP outage, organization can sue the SP because the returned fees aren’t nearly enough to compensate the customer. Valuing losses in these cases sometimes depends on the creativity of the attorneys and case law. SPs and storage vendors provide remedies in contracts to limit their exposures, not to keep their customers whole. This also keeps insurance cost for the vendors lower than it would be if they were providing remedies based on the value of data lost and its impact on a company’s reputation, revenues, and future success.

Comments Off

Category: Advisory BCM Process Event     Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Supplier Availability Management: Organized Labor – a Critical Workforce Supplier

by Roberta J. Witty  |  January 15, 2013  |  Comments Off

For the first time in more than three decades, NYC is gearing up for a strike on Wednesday January 16, 2013 by the city’s largest school bus driver union: Local 1181 of the Amalgamated Transit Union: NYC Department of Education: Pupil Transportation  and “School Bus Drivers’ Union Calls for Strike on Wednesday“.  This strike announcement set off a rapid review of options for transporting students to NYC schools ranging from putting students on a city bus or subway to paying parents mileage when they drive their child to school.

It also highlights the need to be prepared for an outage – intentional or not – of all suppliers to your business processes not just your IT vendors. Organized labor must be considered as a supplier of business services and you better have a contingency plan in place well ahead of a strike. As additional guidance, do not announce a change of supplier or potential change of a supplier until that contingency plan is in place and tested – at least through a tabletop exercise.

It won’t be pretty tomorrow morning: disabled children and those too young to be on a city bus or subway seem to be particularly at risk of not getting to school. We could see the second largest workforce availability issue for city agencies and private enterprises since Superstorm Sandy in October/2012 as parents will be late to work or not show up at all because their kids will be home.

I hope you are prepared…somehow I think many aren’t.

Comments Off

Category: Event     Tags: , , , , , , , , , ,

A Post from My Colleague Andrew Walls: The New Normal: Social Media for Corporate Communications

by Roberta J. Witty  |  November 16, 2012  |  Comments Off

Over the last five years considerable attention has been paid to the rise of public social media as the dominant tool for communications during large scale disasters. In major crises such as the Queensland floods, Christchurch earthquake, Haitian earthquake, and the tsunami destruction of the Fukushima nuclear failures, individuals and organizations have leveraged a variety of social media outlets to make personal contact, broadcast data to the public and to correct misinformation. In the most recent major disaster, Hurricane Sandy’s march through the northeast of the United States, we again witnessed heavy use of social media.

This time though, it was different. No one was surprised by this or found the activity remarkable. Massive surge of tweets before, during and after Sandy hit? Sure, of course. People informing friends of their survival through FaceBook status updates? Meh. Thousands of YouTube videos of storm impact. Uh huh.

The predictability and casual acceptance of this pattern of reliance on public social media platforms is the important message that Sandy delivered. This is the new normal. When New Jersey and New York residents powered up their smartphones off of a free generator, they used the electrons to check and upload updates to Facebook, Twitter, YouTube and thousands of blogs.  They did not open up web browsers to watch broadcast news. This is a clear indication of where consumers place their trust when it comes to critical communications.

If your organization has been hesitating to use social media to communicate with customers and employees it is time to wake up and smell the coffee. If you are not driving your corporate image and communications through social media, someone else is driving it for you and they may not have your interests in mind. Misinformation continues to appear in social media during disasters and normal life. Your customers and employees are looking for information in social media and you should make sure they are getting the correct information when they need and on the platforms that they have selected.

Comments Off

Category: Advisory BCM Process Event Technology     Tags: , , , , , , , , , , , , , , , ,