BC Resources Benchmarking Report 2022
Contents
Introduction/Executive summary
Main findings
Banking and finance
Information technology
Public administration and healthcare
Annex
Introduction/Executive summary
This report looks at the resources dedicated to Business Continuity worldwide, with the goal of
benchmarking the size of the teams, the support they receive, and their consideration at the highest
levels of the organization. The findings are based on a global survey of over 370 organizations,
across over 10 different industries and functional roles. In this executive summary it is possible
to find an overview of what to expect in the report:
The next section reports on the main findings of this research, followed by a specific analysis for the largest sectors represented in this sample,
namely banking and finance, information technology, and public administration and healthcare.
Main findings
How many Full Time Employees (FTEs) are there in your Business Continuity team?
0 7%
1 to 2 50%
3 to 5 20%
6 to 10 9%
11 to 20 7%
21 to 50 5%
51 to 100 1%
Participants revealed that Business Continuity teams tend to be rather small, as most organizations in the sample (70%) have a maximum of 5
full time dedicated resources. This is the case regardless of the size of the organization, especially since the vast majority of participants (88%)
belong to large enterprises and 41% of them operate in over 6 countries. However, this is not necessarily bad news, since Business Continuity
professionals can rely on different allies within an organization to make sure that continuity and resilience principles are cascaded through the
ranks. These include:
1. Champions, internal stakeholders and coordinators that can help the full-time division raise
awareness and embed key principles;
2. Top management, whose contribution is at the very foundation of a Business Continuity
management programme;
3. External consultants that can support internal staff for a period of time.
This report investigates all these metrics, to provide a better picture of the commitment of the organizations that took part in the survey
and a benchmarking analysis for readers to compare their own internal practices with those of the respondents.
0 10%
1 to 5 22%
6 to 10 9%
11 to 20 16%
21 to 50 17%
51 to 100 11%
101 to 500 2%
Does your Business Continuity team use external support e.g. consultant?
Yes 31%
No 69%
If your Business Continuity team uses external support, what is the budget allocated?
£1 - £999 11%
How much budget does your organization allocate to Business Continuity (not including salaries)?
£0 - £9,999 30%
£250,000 - £499,999 9%
£500,000 - £999,999 3%
£1,000,000 + 8%
Only a minority (31%) of the organizations in this sample employ external support as part of their Business Continuity efforts. Out of those that
do so, 65% have a budget of £25,000 or lower for consultants, with nearly half the sample (44%) staying below £10,000. Similarly, when looking
at overall budgets for Business Continuity, nearly a third of all the organizations (39%) have less than £10,000, with an additional 38% who do
not reach £100,000. Half of the participants in this study also remark that their budget will likely stay the same in the upcoming year, with the
other half divided between an increase (41%) and a reduction (9%). Considering that most respondents belong to large, global enterprises, this
type of budget is probably not enough to cover all their Business Continuity requirements. To give some perspective, this type of budget
pales in comparison to cybersecurity, where organizations that have between 1,000 and 5,000 employees spend on average nearly
£5 million a year [1]. Overall, the ongoing pandemic seems to have been a partial wake-up call, as some organizations are increasing their efforts
and investment in Business Continuity, while others still struggle to fully commit.
[1] https://calculator.kaspersky.com/app/all-all-5000?eml=1000&budget=0
No engagement 4%
How far removed from the Board/Exec level is Head of Business Continuity/Business Continuity Manager?
1 level 21%
2 levels 28%
3 levels 30%
Engaging top management is at the foundation of a sound Business Continuity management programme. These high-level executives help
understand the scope of the programme and the policy and they set the tone for the rest of the workforce. If those belonging to the C-suite
make it clear that Business Continuity and resilience are a priority, then everybody else will have to pay attention. Resilience principles need
to be cascaded from the top down, otherwise general commitment might be unsatisfactory, hindering a range of activities. For instance,
conducting business impact analyses (BIAs) with middle management will be easier if process owners know this is a priority for the most
senior people in the organization. This type of awareness makes it easier to schedule meetings, obtain accurate information and get access
to the right documentation.
In the case of this sample, it is interesting to see that the Business Continuity division does speak directly to the board in some cases, with 75%
that do so either sometimes or rarely. While this is not regular communication and it could be improved, it is more encouraging than the remaining
25% who never report to top management. This somewhat fragmented picture finds confirmation in the fact that roughly one in five (21%) have
only 1 level between Business Continuity and top management, while exactly the same number have four or more levels in between. Once again,
with no particular incidence of organizational size or sector, there are different levels of maturity spread across the sample. On a brighter note,
most respondents state that they find their top management to be either fully engaged (39%) or somewhat engaged (47%) in Business Continuity;
however, as seen consistently across previous figures, there is also a 14% that has to deal with little or no engagement at all.
The reason why a significant part of the sample feels represented at the highest levels of the organization is because they have an executive
acting as a champion of Business Continuity, which emerges from the fact that 63% say they have an advocate among top management. This is
a revealing piece of information, connecting with the premise of this report that underlined the importance of key allies within an organization for
the Business Continuity unit. If Business Continuity becomes part of the discussions among senior leaders, it is more likely to be accepted and
embedded across all levels of the workforce, making the whole process smoother.
What level of planning does your Business Continuity team get involved with?
Is your Business Continuity team involved in and/or manage Incident Management and Crisis
Response within your organization?
Yes 84%
No 16%
Is your Business Continuity team responsible for elements of Information Security/Cyber Security?
Yes 57%
No 43%
To contextualize the importance of the Business Continuity teams examined in this sample, it is interesting to look at figures regarding their tasks
and responsibilities. In line with the general size of the organizations in this survey, which are large and global, most respondents are involved with
strategic planning for enterprise risks (23%), global Business Continuity plans (17%) and national Business Continuity plans (22%). These results
show the importance of having an adequate amount of resources for full time as well as external support from facilitators or possibly consultants.
Additional responsibilities such as incident management and crisis response (84%) and cyber security (57%) emphasize the role of Business
Continuity management as a facilitator of organizational resilience across different key areas within the organization.
250 to 500 6%
The financial sector is one of the most regulated when it comes to organizational resilience. This is often the case across several regions, with
a more stringent focus on areas such as Europe, North America, and Asia. Therefore, zooming in on the financial sector can provide interesting
findings on the shape and size of mature Business Continuity teams and the way they operate. In this sample, participants generally came from
large organizations, with only a minority (6%) belonging to small and medium enterprises (SMEs). Most participants (73%) belonged to very
large financial institutions, with a workforce of at least 5,000 employees.
1 to 2 35%
3 to 5 28%
6 to 10 15%
11 to 20 10%
21 to 100 7%
Most organizations have Business Continuity teams with 5 people or fewer, revealing that the number of full-time staff dedicated to Business
Continuity management stays relatively small for the financial sector and confirming a general trend. While this might lead readers to think teams
are under resourced, it is also worth considering the number of champions and facilitators within the company, who can provide a significant
boost in embedding Business Continuity principles through the workforce.
Number of facilitators
1-5 13%
101 - 500
6 - 10 28%
6%
11 - 20 19%
21 - 50 24%
51 - 100 11%
501 - 1,000 6%
Facilitators and champions within the organization are precious if not necessary allies for Business Continuity managers, even for mature and
well-established teams. Especially in the case of the banking and finance sector, where most organizations include over 5,000 members of staff
spread over different countries, it is of the utmost importance that multiple people at different levels support and promote Business Continuity
principles. Most participants reported relying on a significant number of champions, with only a minority (18%) having fewer than 10. By contrast,
half the sample (50%) has between 11 and 100 champions, with an additional 25% having more than 100. These figures show a holistic and
decentralised approach to embedding Business Continuity. According to the Business Continuity management lifecycle, defining the scope
of the policy and programme and embedding Business Continuity should be the very first two priorities, which set the foundations for building
resilient processes.
While opinions differ to some degree within the industry, it is indisputable that resilience is everyone’s responsibility. This is precisely one of
the strengths of this discipline, a decentralised approach where the Business Continuity team has to make key figures within the organization
familiar with the principles and practices of Business Continuity management. Each critical division should then become able to run operational
Business Continuity tasks independently. This will free the central Business Continuity unit from having to run daily operations for each team
within the organization, which would be unsustainable in the long term. Also, a decentralised approach allows for a more strategic view of
resilience. Much like everyone is responsible for health and safety, physical, and cyber security within the organization, the same should apply
for Business Continuity.
1 - 5 9%
6 - 10 3%
11 - 20 26%
21 - 50 23%
51 - 100 9%
101 - 500
1 - 5 21%
6 - 10 8%
11 - 20 8%
21 - 50 29%
51 - 100 13%
101 - 500
Digging deeper into the results of the survey, it is possible to observe that for the finance and banking sector those who have a larger number
of champions also tend not to employ external consultants. This might be the result of well-embedded awareness practices that make sure that
several members of staff play their part in communicating and implementing resilience measures. It is reasonable to assume that this capillary
distribution of Business Continuity through the organization allows for the whole programme to be better managed in-house without a large
input from external consultants. As the figures reveal, a sound 39% of those who do not employ external support report having 51 champions
or more, while 66% of those who employ consultants have less than 50 of them.
Top management buy-in is instrumental to a successful Business Continuity management programme. In the finance and banking sector
this metric is rather satisfactory, since the majority of respondents (56%) stated that top management is fully engaged and an additional 39%
described it as somewhat engaged. Only a very small part of the sample reported very little engagement (5%). According to the BCI Good
Practice Guidelines and ISO Standard ISO 22301:2019 on Business Continuity management, to establish truly resilient processes it is necessary
to adopt a top-down approach. Top management must be the first part of the organization to buy into the programme and provide leverage to
run all the other activities of the lifecycle smoothly.
1 level 16%
2 levels 27%
3 levels 41%
Yes 84%
No 16%
Although 57% of the sample revealed that Business Continuity management is 3 or more levels away from the board, it is worth stating that a
whopping 84% said they have a representative supporting Business Continuity within the C-suite. This stresses once again the importance
of champions and other stakeholders in embedding a culture of continuity and resilience. The Business Continuity team should be viewed
as a supervisor, whose main goal is to embed best practices within the organization so that each division can develop continuity in their daily
operations. This obviously also applies to the board; hence, having a representative at the highest levels of the organization is very encouraging
for the future success of the programme. In this sense, the figures coming from the financial sector in this survey reveal satisfactory levels of
maturity and provide food for thought on how Business Continuity management should be implemented.
Information technology
Organizational size
1 to 20 6%
21 to 50 4%
51 to 100 2%
101 to 250 4%
251 to 500 2%
1,001 to 5,000 4%
10,001 to 50,000 8%
The information technology (IT) sector has been one of the most tested during the last 24 months, as most organizations throughout the
world decided to amplify their digital services in response to local as well as national lockdowns. The role of IT service providers as critical
infrastructures suddenly became even more prominent to guarantee continuity for the vast majority of sectors, ranging from banking and finance
to hospitality, as consumers began to rely more and more on online purchases. This sample has sound representation from the IT sector, with
mostly large enterprises (84%). These include IT giants with over 50,000 employees worldwide (56%). Understanding the level of preparedness
of these organizations is necessary to understand how resilient modern societies are, since this sector acts as a critical supplier of a necessary
service to society as a whole and it can also be a very significant single point of failure in the absence of continuity measures or back-ups.
0 5%
1 to 2 43%
3 to 5 19%
6 to 10 9%
11 to 20 9%
21 to 50 10%
50 to 100 5%
As in the case of the banking and finance sector, the general trend in the IT field is to have smaller teams of full-time employees dedicated to
Business Continuity. Nearly half of respondents (48%) reported a maximum of two full-time resources, while an additional 19% have between 3
and 5 and only a small minority (15%) have more than 21. Similarly to other sectors, this is not necessarily a negative trend, provided that other
variables have an incidence on the effectiveness of Business Continuity management programmes, such as the number of other stakeholders
and champions and representation at the board level. In the case of the IT sector, it is especially important to embed Business Continuity through
the various levels of the organization, since 77% of the participants stated that Business Continuity teams also take on tasks related to cyber and
information security. The importance of this figure cannot be stressed enough as online malicious attacks have multiplied in the last 24 months,
revealing the sinister trend of cybercriminals taking advantage of the ongoing crisis by exploiting the confusion and the increase in the use of
online services.
Number of champions
0 13%
1-5 13%
6 - 10 6%
11 - 20 19%
21 - 50 24%
51 - 100 11%
101 - 500
501 - 1,000 6%
Analysing the data regarding the number of champions and external stakeholders involved in Business Continuity reveals somewhat mixed
results. The majority of respondents (54%) have at least 21 champions in the organization, including a sound 28% that have 50 or more. However,
one in ten (10%) do not count on any external stakeholders or champions to spread Business Continuity principles. It is also worth noting that
those organizations with zero champions also have small Business Continuity teams, ranging from 0 to a maximum of 5. An additional 18% report
between 1 and 10 champions, confirming that there is a significant and non-negligible minority of organizations that show lower levels
of Business Continuity awareness.
External consultants
No 71%
Yes 29%
In the case of the IT sector, there is a limited adoption of external consultants as support to the Business Continuity function, as only 29% report
doing so. This trend applies to the whole sector regardless of team size or number of champions. In other words, this means that those teams
that have few full-time resources dedicated to Business Continuity and receive little support from other units do not rely on external consultants
either. This marks a negative trend, as some organizations might struggle to be truly resilient, since they do not have an appropriate number of
resources – of any kind – to support the Business Continuity function.
No engagement 2%
1 level 23%
2 levels 30%
3 levels 28%
Yes 71%
No 29%
In line with previous figures, results on top management buy-in are quite fragmented. On the bright side, 84% of respondents report
having either a very engaged or somewhat engaged top management. On the other hand, 47% of the sample are 3 or more levels away
from reporting directly to the board. While this might lead readers to think there is a lack of representativeness at the executive level, it is
also important to consider that 71% of participants feel they are represented at the highest levels of the organization. This is definitely a
positive trend, revealing that even though there is still work to do in embedding Business Continuity management in the IT sector, there
is already some kind of exposure at the board level.
101-250 9%
251 - 500 4%
501 - 1,000 6%
50,001 - 100,000 2%
Most public services throughout the world have been experiencing challenges like never before in the last 24 months. The ongoing
pandemic revealed the levels of maturity of public agencies when it came to Business Continuity and crisis management. In the case of public
administration and healthcare, establishing organizational resilience also means keeping citizens safe in the case of any emergency, let alone a
pandemic. International reports and risk analyses prior to Covid-19 highlighted the risk of disease outbreaks as a likely event with a far-reaching
impact, such as the annual BCI Horizon Scan Report, the World Economic Forum Global Risk Report and the UK National Risk Register. Whilst
the current pandemic has had consequences beyond imagination, it is still important to understand how ready public agencies were to face
it. In the case of this sample, respondents come from large divisions of government, with only 13% having fewer than 250 employees. A vast majority
(81%) come from sections of public administration with over 1,000 employees, among which 16% have more than 10,000. The significant size
of these agencies places even more importance on their resilience levels, as both employees and citizens depend on them.
0 6%
1 to 2 62%
3 to 5 17%
6 to 10 3%
11 to 20 5%
21 to 50 5%
Business Continuity teams in the public and healthcare sectors tend to be rather small, which is in line with the general trend of this report,
although it should be considered that there are multiple factors that determine the effectiveness of a Business Continuity management programme.
Most respondents (62%) have up to 2 full time resources dedicated to Business Continuity, with an additional 17% that have between 3 and 5,
which means only 15% have 6 or more full time resources. Compared to banking and finance and IT, it appears that public sector agencies
tend to have smaller full-time Business Continuity teams.
Number of champions
0 10%
1-5 21%
6 - 10 16%
11 - 20 21%
21 - 50 9%
51 - 100 14%
101 - 500 7%
Similarly to IT, the sample is quite fragmented between those with large numbers of external stakeholders and champions raising awareness
through the organization and those who do not benefit from such support. It is particularly worrying to see that one in ten (10%) have zero
champions, with an additional 37% having a maximum of 10. Digging deeper into the 10% who have no champions, it is alarming to see that
these agencies also have a maximum of 2 full-time resources, no external support from consultants and most of them have a workforce of
over 5,000 employees. What this means for the general sample is that there are different organizations that move at very different speeds,
with a significant minority that is left far behind. This is not a detail that can be ignored, especially due to the central role public authorities
play in managing emergencies. On a brighter note, most participants (53%) still reported having more than 11 champions, showing steps
in the right direction.
External consultants
No 70%
Yes 30%
Most respondents (70%) from public administration and healthcare tend not to hire external consultants as part of their Business Continuity
function, with only 3 out of 10 who do so. It is worth stressing that those employing external consultants tend to be organizations that also
have larger Business Continuity teams and a wide number of champions, showing an opposite trend to banking and finance professionals.
1 level 17%
2 levels 23%
3 levels 29%
Yes 84%
No 16%
Levels of top management engagement are overall rather positive for the public sector, as 35% of respondents report full engagement
and an additional 59% state their board is somewhat engaged, with only a very small minority (6%) reporting little engagement. However, the
Business Continuity function still tends to be quite far from reporting directly to the highest levels of the organization, as only 17% are 1 level
away from top management. Most respondents (83%) are 2 or more levels below, with 31% having 4 levels or more between Business
Continuity and the C-suite, although this could be offset by the presence of representatives at the executive level, which is the case for
75% of respondents in public administration and healthcare. It remains somewhat puzzling that even though most respondents
affirm they are represented among top management, still one in four has no representation. This confirms previous figures that highlight a
small but significant number of organizations – responsible for public safety, among other things – that have very few resources and therefore
low levels of awareness and preparedness in Business Continuity. This is even more worrying if considering that 69% of the sample do not
feel they have the adequate resources to meet both current and future risks and threats. While some might argue that during such times of
emergency it is common to feel overwhelmed and worried about the threat landscape, for a certain section of the sample this is very likely to
be the case as confirmed by the data.
Annex
Functional role
Crisis management 3%
IT disaster recovery 5%
Emergency planning 3%
Internal audit 2%
Operations 2%
Top management 2%
Quality/Business improvement 2%
Physical security 1%
Sector
IT 14%
Professional services 8%
Insurance 7%
Manufacturing 5%
Healthcare 5%
Other 10%
Region
Europe 46%
Australasia 12%
Africa 9%
Latin America 4%
MENA 4%
Asia 3%
BCI
10-11 Southview Park, Marsack Street, Caversham, Berkshire, UK, RG4 5AF
bci@thebci.org www.thebci.org