ViewPoint Espresso How are companies tackling enterprise risks? # 2, October 2020 – Business Continuity snapshot
1
DNV GL ©
SAFER, SMARTER, GREENER
Espresso surveys - Enterprise Risk Management Pulse Check, 2020 The Espresso Survey is turning its focus to Enterprise Risk Management. What are companies struggling with these days and has the picture changed due to the “new normal”? Throughout this series of surveys, we check the pulse of companies on the following five topics: Environmental Management (June) Business Continuity (September) Infection Risk Management (October) Occupational Health and Safety (November) Information Security (planned 2021)
Energy Management (planned 2021) The topics selected are both new and returning ViewPoint survey topics. Where possible, we compare data to see what changes may have occurred over time. The objective is to provide insight on each topic as to what is top of mind for companies around the world when it comes to Enterprise Risk Management. 2
DNV GL ©
Setting the Scene
Topic in focus The second snapshot is of business continuity. The short survey was launched in September and results released in October 2020.
How do you know…? …if your organization is resilient enough to manage a crisis? Many do not know until the they are hit. Events like a pandemic, natural disaster or economic instability can have a devastating impact on organizations that are not prepared. It does not have to be this way. By implementing a business continuity framework and approach companies can manage, mitigate and thrive.
3
DNV GL ©
What did we ask?
What did we find?
▪ To what extent have companies implemented business continuity frameworks?
▪ A high number of companies are already quite advanced in their implementation of business continuity approaches.
▪ Does COVID-19 influence companies to move? ▪ What benefits are achieved from having a business continuity management system? ▪ Are companies benefitting from implementation of any ISO standard during the COVID-19 pandemic?
▪ The COVID-19 pandemic has accelerated adoption of business continuity (BC) approaches among companies which had no or very limited BC processes in place.
▪ Companies leverage on their ISO management systems to respond.
Question 1 – Business Impact Analysis Does your company execute a Business Impact Analysis for analysing business impacts and determine priorities during a crisis (i.e. identify key businesses, key customers, key suppliers, key processes, etc.)?
100%
▪ A significant number of companies (70%) have executed a Business Impact Analysis.
90%
▪ Only 11% are certified to the business continuity management system standard ISO 22301. Still a large number of companies conduct Business Impact Analysis, indicating a certain level of maturity. This could in part stem from certification to other ISO standards as the common High Level Structure (HLS) requires analysis of the context of the organization and expectations from interested parties.
80% 70% 69,6%
60%
51,3%
50% 40%
▪ It is positive to see that a consequence of the COVID-19 pandemic is that an additional 18% have implemented this analysis. If we also add those that have it in their short-medium term plan, then the percentage increases to 83%.
30% 18,3%
20%
13,5%
11,2% 5,7%
10% 0% Yes, already Yes, developed Not yet, but it is available/in during/after the in our shortplace from COVID-19 crisis medium term before the plan COVID-19 crisis
4
DNV GL ©
No
I don't know
▪ Only 1 in 10 does not conduct a Business Impact Analysis.
Question 2 – Risk assessment process Does your company implement and maintain a risk assessment process to identify risks of disruption, analyse them and determine treatments for the same?
100% 90%
▪ Risk assessment processes are even more prevalent than Business Impact Analysis (76% vs. 70%). This may be due to the new HLS requirement to identify, analyse and address risks.
75,6%
80% 70%
▪ If we also add those intending to implement and maintain risk assessment processes short-medium term, we see as similar picture as for Business Impact analysis. The number rises to an impressive 89%.
61,8%
60% 50%
▪ There seems to be an indication that the COVID-19 situation is accelerating the need and implementation of a business continuity management framework.
40% 30% 20%
13,7%
13,0% 7,6%
10%
3,9%
0% Yes, already Yes, developed Not yet, but it is available/in during/after the in our shortplace from COVID-19 crisis medium term before the plan COVID-19 crisis
5
DNV GL ©
No
I don't know
Question 3 – Business continuity strategies Has your company defined business continuity strategies/solutions, based on the outputs from the Business Impact Analysis and the risk assessment?
100%
▪ Following a business continuity analysis and risk assessment, the next step in a classic business continuity process is to define strategies and solutions. While fewer continue on to this next step, still 66% define strategies and solutions. A total of 16% felt pushed to do so as a result of the COVID-19 crisis.
90% 80%
66,3%
70%
▪ If including those companies that have development of business continuity strategies/solutions on their agenda short-medium term, the number rises to 83%.
60% 50,2%
50% 40%
30% 16,1%
20%
16,3% 10,3%
10%
7,0%
0% Yes, already Yes, developed Not yet, but it available/in during/after the is in our shortplace from COVID-19 crisis medium term before the plan COVID-19 crisis
6
DNV GL ©
No
I don't know
Question 4 – Formal Business Continuity Plans Does your company have formal/documented Business Continuity Plans addressing some specific disaster scenarios and activating specific business continuity strategies and solutions?
100%
▪ A high number of companies have a formal business continuity plan in place (60%).
90%
▪ Only 16% do not have or plan to develop documented Business Continuity Plans in the near future.
80%
70% 60%
▪ If we analyse the respondents to see who have a more mature approach, we see that a significant number follow all the steps in the classic business continuity process (Q1 through Q4).
59,7% 45,9%
50% 40% 30% 20%
13,8%
18,1%
15,6% 6,7%
10% 0% Yes, already Yes, developed Not yet, but it is available/in during/after the in our shortplace from COVID-19 crisis medium term before the plan COVID-19 crisis
7
DNV GL ©
No
I don't know
Question 5 – Business Continuity Plan contents What does your Business Continuity Plan address?
▪ The alternatives listed are extracted from the management system standard on business continuity (ISO 22301).
100% 90% 75,7%
80%
▪ A high number of companies (66%) have a process in place to respond to a disruption, i.e. going beyond the first level of business continuity and addressing a crisis.
71,3%
65,9%
70%
59,5%
60%
▪ A total of 76% have plans for immediate actions and 71% have communication processes in place.
50%
▪ A total of 60% have plans for how to return to normal operations after the first response to an emergency.
40%
▪ This indicates a level of maturity among a large number of companies that is beyond expectation.
30% 20% 8,5%
10%
0% A crisis team to respond to the disruption
8
DNV GL ©
A set of External/Internal A plan to return immediate communication to a normal actions to processes to operation after respond to the customers/other the first disruption stakeholders response to the emergency
Other
Question 6 – Business continuity maturity On a scale from 1 to 5, how do you rate the maturity of your company’s business continuity management frame?
▪ There is a significant move in maturity when comparing to the situation before the COVID crisis. This may be due to a large number of companies being quite prepared when it comes to business continuity management. Before the COVID-19 crisis
▪ Moreover, the COVID-19 crisis seems to fuel companies’ further journey toward more mature and structured business continuity approach and framework.
3,15
Today
3,46
1
2
3
4
5
1. 2. 3. 4. 5.
9
DNV GL ©
Nothing implemented Starting Progressing Optimising Leading
Question 7 – Adoption of standards Did your company benefit during this COVID-19 crisis from the adoption of the following standards in order to effectively respond to needs/expectations of your stakeholders:
▪ A quality management system compliant to ISO 9001 has worked for 6 in 10 as a framework to effectively responding during the pandemic.
100% 90% 80% 70%
▪ Having an ISO 14001 (environmental) or an ISO 45001 (occupational health & safety) management system seems to benefit more than 1 in 3 for each of them.
61,6 %
60%
▪ The numbers above indicate that the role of a management system based on an ISO standard can be beneficial to support a company’s response during a crisis.
50% 36,6 %
40%
35,5 %
30% 20%
20,2 %
22,0 %
ISO/IEC 27001 - Information Security Management System
ISO 31000 Risk Management
14,8 %
10% 0% ISO 9001 Quality Management
10
DNV GL ©
ISO 14001 Environmental Management
ISO 45001 Occupational Health and Safety Management
IS0 22301 – Business Continuity Management
Note:
▪ The percentage distribution among the different standards is influenced by ratio of adoption by companies in the sample. A significant number of companies are certified to ISO 9001 compared to the other standards, for example.
Question 8 – Benefits from a business continuity management system Based on your experience and perception, please rate the relevance of benefits achieved from certification of your company’s business continuity management system.
1 Improved financial results (e.g. through reduced… Advantages with tax/banks/ insurance
2
3 2,83
Providing a competitive advantage Improving public image
3,23
2. Improved business continuity performance
2,88
3,17
3,43 2,93 3,38
Improve Identification/ management of risks
3,31
Top management commitment & engagement
Improved communication with stakeholders Improvement in management of suppliers
3,02 3,12 3,04 3,39
Business continuity performance improvement Safeguard property
11
DNV GL ©
▪ These are closely followed by top management commitment as well as the ability to meet legal requirements and achievement of strategic objectives.
3,23
Customer satisfaction/ meet customer needs
Enhanced employee engagement
3. Improved identification and management of risks.
3,12
Ability to meet legal requirements
Better relations with authorities
1. Effectiveness in meeting customer’s needs and satisfaction
2,48
Achievement of strategic objectives Creation of new market opportunities
▪ The top-3 benefits from implementing a business continuity management system are:
4
3,09
1. 2. 3. 4.
Not relevant A little relevant Somewhat relevant Highly relevant
Benefits from the Management Systems in managing risks, overall view The chart below shows the contribution of each of the areas in focus to the list of identified benefits. The chart will be progressively updated when a new requirement is analysed. When all areas will be investigated, the chart will be complete
◼ Highly relevant benefits
Environmental management
Benefits
Business continuity management
Improved financial results (e.g. reduced costs) Advantages with tax/banks/insurance Achievement of strategic objectives Creation of new market opportunities
Providing a competitive advantage Improving public image Ability to meet legal requirements
◼ ◼ ◼
Customer satisfaction/meet customer needs Better relations with authorities
◼
Improve identification/management of risks Top management commitment & engagement Enhanced employee engagement
◼ ◼
◼ ◼
Improved communication with stakeholders Improvement in management of suppliers Business continuity performance improvement Safeguard property
12
DNV GL ©
◼
…
…
…
Methodology and Sample
September
2020
This Espresso survey was conducted in September 2020.
1,197
It involved 1,197 professionals in companies across different industries in Europe, North America, Central & South America, and Asia. Most companies are certified to a quality or environmental management systems standard.
▪ The sample consists of customers of DNV GL – Business Assurance and does not claim to be statistically representative of companies worldwide. ▪ The questionnaire was administered using the CAWI (Computer Assisted Web Interviewing) methodology.
13
DNV GL ©
Thank you!
Want to access the results from other ViewPoint surveys? Read more here Not yet a Viewpoint member and want to join? Click here Interested in benchmarking the performance of your company Management System? Learn more here
www.dnvgl.com
SAFER, SMARTER, GREENER
14
DNV GL ©
The trademarks DNV GL®, DNV®, the Horizon Graphic and Det Norske Veritas® are the properties of companies in the Det Norske Veritas group. All rights reserved.