
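2020 BCI Horizon Scan Report: leading risk and threat analysis insight to help organizations prepare fully and strengthen their survivability (English edition) (29 pages).pdf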


BCI Horizon Scan Report 2020
An examination of the risk landscape for resilience professionals

Find out more: www.thebci.org

Contents
Executive Summary
Risk and threat assessment: past twelve months
Risk and threat assessment: next twelve months
Consequences of disruptions
The financial cost of disruption
Benchmarking business continuity
Benchmarking longer-term trend analysis
Annex

Foreword

I am delighted to introduce the 2020 BCI Horizon Scan Report. As one of the BCI's most established annual reports, the results of the Horizon Scan are always anticipated. I'd also like to thank the BSI for their continued support of the BCI Horizon Scan Report. It is revealing each year to discover the trends in actual incidents that organizations have experienced and compare this to the future threats they anticipate. Some of these results are often as we might expect. For example

, cyber-attack a target - as well as Brexit in the UK. So while we believe our IT systems are not the most vulnerable, they are the most prone to attack.”
Business Continuity Manager, National Government, United Kingdom

Whilst some incidences rank towards the lower end of the risk index this year, follow-up research revealed that concerns such as political change and civil unrest are causing challenges for organizations who operate in certain regions. The situation in Hong Kong, for example, has affected many global corporations which have operations within the country.

“We have an office in Hong Kong where the protests are. You wish things can get solved quickly and we can move on. But that hasn't happened, and it's been ongoing for a considerable time. We have to keep alerting staff and even on a global perspective, it does have an indirect impact on people. We have to be sensitive to the cultural and the political aspects of the issue and balance everything, by remaining entirely neutral and look out for staff wellbeing, which is the important issue.”
Head of Business Continuity Management, Technology, United Kingdom

One of the issues on many resilience professionals' radars this year is climate change. Whilst climate issues have long been part of the Corporate Social Responsibility sections of annual reports, it is now having real impact on the day-to-day business operations for many organizations. The Paris Agreement, for example, is forcing many organizations to re-evaluate their emissions which can have direct impact on supply chains. Other organizations have found themselves targeted by protest groups such as Extinction Rebellion and have had to temporarily close operations. The issues being encountered are entirely new for many organizations, meaning a high proportion of organizations do not have plans in place to deal with this contemporary issue.

Third in this year's risk index is safety incidents. 12.3% of organizations reported 11 or more safety incidents in the past year, although many of these were only minor: just 5.0% of safety incidents were classified as having a “major” or “extreme” impact and 75.0% were classified as “minor”; a higher “minor” figure than any of the other disruptions listed. This is likely to be influenced by how organizations approach incident reporting: many tend to record all safety-related incidents, regardless of the severity.

Extreme weather events are ranked in eighth place in this year's report. All countries in the world are affected by extreme weather to varying degrees: sixth in the APAC risk index, sixth in the EMEA index and third in the Americas index, illustrated in the annex section of this report. In countries that face seasonal weather disruptions such as hurricanes in North America and typhoons in the Far East, organizations typically have well-rehearsed plans for such incidences.

We once again note that cyber-attack and data breach is one of the top disruptions, placing fifth overall. Whilst the category ranks fourth in terms of frequency, the impact of cyber-attack and data breach is ranked 20th; third from bottom of the table. As noted in last year's Horizon Scan Report, whilst organizations continue to be frequently targeted by cyber criminals, they are also getting better at responding to attacks and having plans in place to recover from them. According to research by Microsoft and Marsh, 6% of organizations saw cyber risk as their primary threat in 2017. By 2019, this had increased to 22% [2]. Cyber security is now a priority on boardroom agendas and, as a result, the impact ratings suggest organizations are becoming better at managing the threat.

[2] Marsh/Microsoft 2019, 2019 Global Cyber Risk Perception Survey, Marsh/Microsoft, viewed 7 February 2020

Risk and threat assessment: past twelve months

[Figure 1. Risk and Threat Index: Past 12 Months]

[Figure 2. Risk and Threat Assessment: Past 12 Months. Legend: RED ALERT: Higher impact, higher frequency; ORANGE ALERT: High impact, lower frequency; ORANGE ALERT: Lower impact, higher frequency; YELLOW ALERT: Lower impact, lower frequency. Axis: Frequency. Point labels: Health incident; IT and telecom outage; Lack of talent/key skills; Cyber-attack]

an increase of 6.5 percentage points on 2018. A further 7.2% plan to move towards certification in 2020, whilst 16.8% have no intention of aligning to the standard over the next twelve months.

Table 1: Percentage of organizations certified or aligning to ISO 22301
2016: 11.6% certified to ISO 22301; 67.7% certified to ISO 22301 OR using it as a framework
2017: 9.6% certified to ISO 22301; 65.8% certified to ISO 22301 OR using it as a framework
2018: 13.8% certified to ISO 22301; 69.2% certified to ISO 22301 OR using it as a framework
2019: 20.5% certified to ISO 22301; 71.0% certified to ISO 22301 OR using it as a framework

Do you use any other management system standards to manage risk? If yes, please specify which:
Local/industry standard: 5.8%
BS 11200: 0.5%
ISO 14001: 2.6%
Other ISO: 1.8%
ISO 45001: 1.7%
ISO 31000: 10.7%
ISO/IEC 20000-1: 0.8%
ISO/IEC 27001: 7.8%
ISO/IEC 27005: 0.5%
ISO 9001: 4.3%
Figure 7. Other management system standards used to manage risk

Benchmarking business continuity

Getting certified to the ISO 22301 standard not only helps increase the resilience of an organization, but can also benefit the balance sheet

Those who have obtained certification to ISO 22301 highlighted the following as their top reasons for certification:

In addition, more than half reported that it helped to improve customer satisfaction, demonstrating the importance of using the standard within marketing and PR-related activity. Over a quarter (27.5%) claimed that certification helped to reduce insurance costs, whilst 25.2% claimed it helped to support international trade. These three options combined suggest certification can help to boost the balance sheet of an organization. Organizations should investigate how these benefits could be applied to their own organization, particularly where the benefits of certification need to be sold to management in order to get buy-in.

“We've realized significant benefit from being ISO 22301 certified. The certification provides assurance to our customers and our board of directors that we are able to sustain operations when disruptions occur. Our businesses provide critical services to our customers and as our customers' supply chain management maturity has grown, the volume of enquiries has also grown. The certification simplifies our response process and has proven to be very effective in meeting our customers' expectations.”
IT Resilience Manager, Publishing, United States

“When we are dealing with incidents with companies who aren't well-prepared from a business continuity standpoint, the costs and the amount of time and effort involved in handling those cases is significantly higher. So, when we're assessing the risk, if a company can adequately demonstrate that they have good business continuity management processes in place, then that will lead to a reduction in premium. This is particularly the case for larger companies, and we routinely dig deeply to see what they have in place around business continuity - which includes looking for certification to standards such as ISO 22301 and whether plans are regularly tested. The more evidence that the company is able to provide to back up what they do, the greater confidence we can have in that company and the more likely we are to offer more favourable terms.”
Stephen Ridley, Cyber Underwriting Manager, Hiscox

What benefits does certification provide to you and your organization?
Supports international trade: 25.2%
Helps to reduce insurance costs: 27.5%
Ensures alignment with industry peers: 54.5%
Other (please specify): 10.8%
Helps stakeholders to better manage risks: 54.5%
Increases our organization's resilience: 85.0%
Improves customer satisfaction: 52.1%
Enables consistent BCM measurement and monitoring: 73.7%
Improves communications and employee engagement: 38.3%
Enables faster recovery after a disruption: 59.3%
Figure 8. Benefits certification provides to organizations

One of the reasons why organizations choose not to seek certification to ISO 22301 is because they align themselves to multiple standards and find they cannot justify the cost of certification to multiple standards.

For those surveyed, the most cited standard used other than ISO 22301 was the Risk Management standard, ISO 31000 with 10.7% of respondents using this within their organization. The Information Security Systems standard (ISO/IEC 27001) was the second most popular alternative standard used (7.8% of respondents) followed by Quality Management Systems (ISO 9001) at 4.3%. Many respondents reported either aligning or getting certified to appropriate country or industry-specific standards.

“I use several ISO standards for guidance and reference, such as ISO 38000 for governance, ISO 27031 for more detail on disaster recovery. ISO 31000 for risk management and ISO 20000 for ITIL. I therefore take all these into consideration with ISO 22301, and BCI's GPG 2018, when setting up the continuity management system and framework within the company.”
Business Continuity Officer, Telecoms, North West Europe

85.0% said it increases the resilience of their organization
73.7% said it enables consistent BCM measurement and monitoring
59.3% said it enables faster recovery following a disruption

There was also some concern amongst organizations that whilst they could clearly see the value in aligning to a standard, the reputational risk of losing certification to that standard was considered too great by senior management with alignment being the preferred option.

What are your reasons for not being certified or having no plans to be certified to ISO 22301? Please select all that apply.
ISO is not aligned to our organization: 5.8%
We align to an alternative standard (please specify in the “other” box below): 6.8%
No budget available: 28.3%
Do not believe it adds any value to our organization: 18.3%
Other (please specify): 16.8%
No external drivers: 35.1%
We are too small: 9.0%
No management commitment: 28.3%
No business requirement: 56.6%
Figure 10. Reasons for not being certified or having no plans to become certified to ISO 22301

Most organizations value the ISO 22301 standard, but many choose not to obtain certification

The primary reason given by 56.6% of respondents for not obtaining certification to ISO 22301 is due to no business requirement. Just over a third (35.1%) cited there were no external drivers to warrant certification, whilst a lack of management commitment and lack of budget were selected by just under a third of respondents each (28.3%). As mentioned previously, some organizations in regulated sectors felt it unnecessary to adhere to the standard due to having to comply to strict industry regulations.

“Being certified to ISO standards might get you more business or it could be a prerequisite in getting new business but, for us in the financial services sector, that doesn't happen. Although we align ourselves to the standards, there are very few financial services organizations I've worked in or know of that have seen the value in certification.”
Business Continuity and Crisis Manager, Financial Services, United Kingdom

Whilst many organizations may choose not to obtain certification to the standard, many organizations continue to use the standard as a framework, particularly where significant cost controls are in place. Given just 5.8% of organizations feel that the standard is not aligned to their business, the standard is clearly valued and well aligned to organizations' needs.

“As a former certified implementer of ISO 22301 I am familiar with the requirements of the standard and we are aligning the processes here at the District Council to the standard. We use ISO 22301 as a framework as it shows and shares best practice in business continuity for an organization.”
Resilience Analyst, Local Government, New Zealand

Figure 9. Organizations' business continuity management programs and their relationship to ISO 22301
If you have a formal business continuity management program in place, how does it relate to ISO 22301?
50.5%: We use ISO 22301 as a framework but don't get certified.
20.5%: We use ISO 22301 as a framework and get certification to it.
7.2%: We don't currently use ISO 22301 as a framework but we intend to move towards this during 2020.
16.8%: We don't use ISO 22301 as a framework and have no plans to move towards this during 2020.
5.1%: Unsure

“We have our own internal audit function to carry out audits 3-4 times a year against what we say we're going to do in our business continuity program with reference to ISO 22301. We don't think that certification will add too much of an additional cost, but the bad thing for us would be the reputational risk of losing the certification. We therefore like the standard and use it to carry out audit measures against that, but we will not certify against it.”
Business Continuity Manager, National Government, United Kingdom

Benchmarking longer-term trend analysis

Fewer organizations than last year claim to conduct longer-term trend analysis. Organizations are increasingly using multiple resources (both internal and external) to form a more holistic view of the threats facing their organizations. Some professionals report being denied access to the information they need to do effective long-term trend analysis.

There has been no improvement in the number of organizations conducting longer-term trend analysis, with a total of 76.9% of respondents reporting they carried out this type of analysis compared to 78.0% in the 2019 report. The proportion of organizations conducting centralized analysis has fa
