Disaster Recovery Journal Spring 2023

Technology services for IT recovery fell drastically from 2021 numbers (19%) but still come in second at 10%. Other areas for investment including IT support for workforce recovery, IT support for crisis and emergency communication, software for BCM program and planning, and software for crisis emergency command remain steady from 2021 numbers. Even Though BIAs and Risk Assessments Are Popular, Practice Has Room to Grow Our study found the vast majority of companies conduct a BIA and risk assessment in advance of BCP strategy develop ment and plan documentation. More specifically, Forrester’s survey found: n An even larger majority of companies conduct a BIA . Eighty one percent of respondents reported having conducted a BIA; higher than 2021 (71%), 2018 (74%), and 2014 (75%) (see Figure 4-1). As the new normal of heightened risk events settles in, the BIA is seen as even more crucial as a method of identifying critical business functions which support the mission of the business, dependencies, and recovery objectives. Although inspiring, there is a difference between performing a BIA and collecting detailed information. For example, many companies Forrester engages with do not have a detailed mapping from critical business functions to the services, applications, IT components, and critical employees who support those functions. Additionally, cost of downtime is a rough estimate rather than a true quantification of cost. n Conducting a risk assessment leapt from an already high percentage . 2018 saw a huge jump in those companies conducting a risk assessment as 72% of respondents reported conducting a risk assessment – a 15-point increase. That remained statistically remained unchanged in 2021 (71%). However, in this study, 83% of respondents reported performing a risk assessment. Once again, while inspiring, in Forrester’s experience there is still room for improvement. For example, risk events are sometimes not increased in likelihood until too late such as ransomware (a type of cyberattack) is given high impact but low probability until another company in the same industry has a similar event happen even though in general ransomware attacks have increased dramatically since 2021. n Risk is increasing, and cyberattacks drive the increase . Sixty five percent of respondents believe the level of BC or operational

risk is increasing as compared to 61% in 2021 (see Figure 4-2). When asked what was driving the increase, respondents once again cited cyberattacks as the top driver (13 out of 22 respondents). A Mix of Scenario- and Impact-based BCPs Are the Norm, BCM Tools Bounce Back As of the 2014 study, the percentage of organizations with documented BCPs jumped to 93% and held steady since (respondents this year reported at 94%). Resilience during a crisis doesn’t come with luck but starts with planning and a BC program without BCPs is in dire straits. Forrester found the following in this survey:

12 DISASTER RECOVERY JOURNAL | SPRING 2023