Disaster Recovery Journal Spring 2023

- Preference for scenario-based plans leapt again. How a company responds to an IT outage differs from how it responds to a weather event. Generic plans by impact (e.g., loss of IT services) are helpful because they help to prepare for any unforeseen event, but they can lack the specifics necessary to respond appropriately to some events. Dealing with the unstable normal of today, companies now much prefer a mix of scenario-based and impact-based plans. Sixty-nine percent now report a mix (versus 49% in 2021), while scenario-based-only plans fell from 20% in 2021 to only 6% this year (see Figure 5-1). Scenario-specific BCPs are important because they show an organization understands the detailed differences in how a business must respond, such as the differences between an IT failure and a ransomware attack.

- The majority still update BCPs only once per year. Fifty-one percent of respondents report updating their BCPs once per year, down from 54% in 2021. The goal should be to continuously update BCPs, as business functions and their underlying services change constantly. Unfortunately, those who report they update their BCPs continuously have fallen to 11% from 13% in both 2021 and 2018 and 15% in 2014 (see Figure 5-2).

- Organizations are turning back to commercial software to manage BCPs. In 2021, the backslide away from commercial software to manage BCPs was concerning and prompted Forrester to predict that, because staffing was flat, executive support increased, and COVID-19 raised the visibility of BC to business operations and strategy levels, BCM tools would be recognized as essential for mid- to large-sized firms. Happily, in this year’s study only 38% of respondents reported using internal tools (i.e., documents, spreadsheets, etc.) versus a whopping 64% in 2021 and even 51% in 2018 (see Figure 5-3). An additional 20% of respondents plan to use commercial BCM software in the next 12 months, on top of the 42% who already use it.
BCPs Are Still Not Tested Frequently, Partner Involvement Remains Static

Even though we say it every year we do this study, it’s worth repeating – if you aren’t testing your BCPs, you are not prepared. Only through testing do any of the people expected to respond to an incident practice their actions and interactions. Despite years of urging from industry experts and consultants (including us), testing remains a major area for improvement across organizations of all sizes and industries. More specifically, Forrester found the following:

- Most organizations only test their BCPs once per year with simple tests. Unfortunately, the situation is largely unchanged from 2008. For all test types (walk-through, tabletop exercises, plan simulations), the majority of organizations only test once per year. As tests become more extensive, test frequency declines to the point where 56% (up from 47% in 2021) of respondents never perform a full simulation (see Figure 6-1). Simulations test not only the incident actions, roles, responsibilities, and interactions between teams but also allow for timing of the various plan steps. Timing gives a sense
