BCM-Trends-Report-2022-–-Riskonnect-formerly-Castellan.pdf

BCM Trends
Report
An Assessment of Program
Maturity Resiliency
13TH EDITION

Contents
4 Executive Summary
7 Program Characteristics
14 Organizational Reporting Structure +
Program Sponsorship
23 Current Program Status
28 Program Assessment, Audit +
Exercising Plans
33 Program Budgeting
38 Program Staffing
42 Consulting Initiatives
45 Estimated Financial Loss by Hour
48 Program Management +
Compliance/Standards
54 Demographics
60 BCM Research Overview
62 Advisory Board + Distributing
Organizations

BCM TRENDS REPORT © BC MANAGEMENT
3
BCM TRENDS REPORT 3
ABOUT RISKONNECT
Riskonnect is the leading integrated risk management
software solution provider. Our technology empowers
organizations with the ability to anticipate, manage, and
respond in real-time to strategic and operational risks across
the extended enterprise. More than 1,300 customers across
six continents use our unique risk-correlation technology
to gain previously unattainable insights that deliver better
business outcomes. Riskonnect has more than 700 risk
management experts in the Americas, Europe, and Asia.
To learn more, visit riskonnect.com.
Study Partner ABOUT THE REPORT
This report focuses on business continuity and resiliency program trends, including
reporting structures, the current status of programs, dedicated program budgets
and staffing in addition to standards and program metrics. An overview of the
data findings along with a correlation to program maturity highlights several
differentiating factors to obtain operational resiliency. The data highlighted
throughout this report was gathered in BC Management’s 13th Edition BCM Trends
Study between April 8 through June 12, 2022.
This report is available as a complimentary report.
As a thank you to all of our study respondents we provided each participant with
a complimentary, customized BCM Peer Benchmarking Data Dashboard, of which
all study participants could choose their top three preferences by either industry
sector or by organizational revenues. If you haven’t participated in this study and
you’d like to receive a customized dashboard, you may still participate via our online
study. Our dashboards highlight a tremendous amount of data points that are not
included within this complimentary report.
Like our research analytics?
Be sure to visit our website to download other complimentary reports and sign up
for our study alerts. All study participants will receive customized peer dashboards
for the corresponding studies they contribute to.
Please feel free to direct any inquiries to info@bcmanagement.com. We hope you
enjoy this report.

5
EXECUTIVE SUMMARY 5
Executive Summary
The BCM Trends Report is designed to provide a
summary of the wealth of data collected from our 13th
edition of this study assessment. In addition, this report
highlights the most significant trends from over 10 years
of researching Business Continuity program management
initiatives and we’ve included program maturity resiliency
insights and tips throughout the report to help you in
elevating your program.
The findings this year highlighted several noteworthy program resiliency
advancements. Not only has there been a continued shift in increasing
the scope of Resilience Management capabilities and driving executive
engagement. Now more than ever before, a majority of organizations have
consolidated ownership of the Business Continuity program, along with other
risk and resilience related disciplines, under Risk Management. Additionally,
the data also indicated an increase in program investment strategies along
with increasing personnel and outside support to assist in meeting program
resiliency goals. Let’s take a closer look at some of these program maturity
resiliency trends.
For several years the span of enterprise Resilience Management has
expanded outside of the traditional Business Continuity/Disaster Recovery
planning efforts. Most programs include a combination of several different
disciplines, including Crisis Management, Risk Management, Governance,
Risk, and Compliance (GRC), Physical Security, Supply Chain Resiliency and/
or Vendor Continuity. This year the data showed on average that programs
include a combination of 6.7 different disciplines (up from the 4-5 disciplines
that have been reported since 2018). In addition to 44% of the respondents
noting Resilience Management within their program, Pandemic Planning
and Cyber Resilience have both increasingly been included within the
program capabilities (up 8% and 9% respectively from 2021). This continued
convergence of disciplines not only improves efficiency in breaking down the
silos within an organization, but it also impacts executive participation and
support.
Similar to the convergence of disciplines, the department owner and
program sponsor also greatly impacts the visibility and commitment to the
Resilience Management strategies. Since 2009 our data has shown that
the Business Continuity program (regardless of industry, size, or program
maturity) has increasingly been moving away from Information Technology
to Risk Management. IT has decreased as a department owner from 27%
in 2009 to 10% in 2022 while Risk Management increased from 11% to 24%
over the same timeframe. Risk Management received the highest approval
ratings with 75% of the respondents noting they either agreed or strongly
agreed that their program was positioned for maximum effectiveness.
This reflects an increased focus on enterprise-level resilience as well as
the interdependencies between resilience disciplines in identifying and
INSIGHTS
of Business Continuity programs report into a Risk
Management department
of organizations note the Chief Risk Officer as the BCM
program sponsor
embed Resilience Management within the culture of the
organization
of organizations noted a BCM program budget in excess
of $1 Million USD+
24%
15%
30%
25%

6
EXECUTIVE SUMMARY 6
managing organizational risk. Similar to the department owner, we've also
noticed the program sponsor shift away from Information Technology to
Risk Management over the last 10+ years. In fact, this is the first year that
a majority (15%) of participants noted the CRO as the program sponsor.
It’s also important to note that regardless of program maturity, 74% of the
respondents noted that their program sponsor was at the CXO level or
higher.
The most notable of the data findings, though, is the constant theme of
increased investment in Resilience Management strategies. The data
highlighted that a quarter of the respondents noted a budget of a $1M+
USD, which is an increase of 4% from 2021. Additionally, organizations are
adding to their dedicated program personnel and tapping into third-party
service providers at a record pace. The most significant increase in program
investment strategies include:
 37% of study participants anticipate hiring additional staff in the next
year. This is a significant increase from 14% reported in 2018 and 25%
reported in 2021.
 17% of organizations are either planning to utilize, or they are considering
engaging, large consulting firm assistance (up 7% from 2021) while 19%
noted the same for independent consultants (up 6% from 2021).
 20% are either planning to utilize, or they are considering engaging,
a third-party provider to audit their program in the next year, which is
consistent to the 2021 data.
 19% are either planning to utilize, or they are considering outsourcing,
the administration of their BCM software systems in the next year (up 5%
from 2021).
 14% are either planning to utilize, or they are considering outsourcing, the
administration of their BCM program in the next year (up 8% from 2021).
 More organizations are currently employing multiple consultants. 39%
currently utilize 2-3 consultants while 27% noted 4+ consultants.
How can this report benefit your program and organization? This report is
a broad analysis of a segment of the data, offering an illustration of how the
Business Continuity profession is viewed and what we can learn from these
study results. Although, this is simply a baseline of the trends in our industry
we hope you leverage this report to present data findings to your executive
management to increase the visibility and commitment of your program.
Enclosed you will find a great deal of data, though it is impossible to display
everything, which is why customized reporting specific to your organization
is essential to obtain a clear understanding of other “similar” organizations.
A feature of the customized reports is providing a detailed analysis specific
to your industry or by organizational revenues, which not only allows you to
benchmark your own program specific to your demographics, but also its an
opportunity to create a roadmap for your program based on effective peer-
based models and supporting data.
Since 2001, we’ve been conducting data research to increase the
understanding of the analytical underpinnings of our profession. As we
continue our efforts to advance the knowledge, insights and value our
business provides to the maturity of our profession, we know that to that
end, the understanding on how to increase resiliency and better understand
how the profession is evolving is of key importance. Thank you to all who
responded to this survey, our advisory board, and to the Castellan team
for their efforts in developing this valuable report. We hope you enjoy this
report, and we are available to discuss customized versions to meet your
needs.
Cheyene Marling, Hon MBCI
Managing Director,
BC Management
cmarling@bcmanagement.com

8
PROGRAM CHARACTERISTICS 8
INSIGHTS
 Mature programs tend to be more holistic
with 53% of programs equally focused on
business and IT planning initiatives while
only 21% of immature programs indicate the
same. When taking a deeper dive into the data
we also discovered that those programs that
are more focused on IT planning initiatives that
26% of the programs have been in existence for
over 10 years. In comparison, more respondents
indicated tenured programs (10+ years) if focused
on business planning initiatives (33%) or equally
focused on business and IT planning initiatives
(42%).
Program Definition (Manage or Work Within)
As individual programs and the industry as a whole evolves, practitioners who had
previously and primarily focused on business vs. IT/DR (or vice versa) will find
the gap between the time spent on one as opposed to the other to narrow. Today’s
leaders are expected to be able to be nimble in their approach to operational
resiliency and will necessitate subject matter expertise in both physical and
technology recovery.
— Kevin Cunningham (Advisory Board)
Completely business focused 14%
More focused on business 33%
Equal on business and IT 40%
More focused on IT 12%
Completely IT focused 2%

9
INSIGHTS
 Additionally, the data highlighted a correlation
between program maturity and the length of
the program’s existence with 52% of mature
programs indicating that the program has
been in existence for over 10 years while only
13% of immature programs noted the same.
The duration of a program’s existence doesn’t
necessarily equate to a program’s maturity level,
but it was interesting to see the data report
that 0% of programs in existence for less than
6 months rated themselves as very mature while
7% of programs in existence for 6 months-2
years, 10-11% of programs in existence for 2-15
years, and 32% of the programs in existence for
over 15 years indicated the same.
 The data also highlighted that a majority of
programs with greater longevity tended to be
equally focused on both business and IT planning
initiatives (55% of programs in existence for
20 years or more were equally focused on both
business and IT).
Length or Program Existence (With or Without Your Involvement)
No BCM program 1%
Currently developing 8%
Less than 6 months 2%
6 - 12 months 4%
1 - 2 years 5%
2 - 4 years 15%
4 - 8 years 16%
8 - 10 years 11%
10 - 15 years 15%
15 - 20 years 14%
Over 20 years 9%

10
INSIGHTS
 35% of all respondents have gone through an
end-to-end program review and/or refresh in the
last 6 months to 2 years. 22% and 45% indicated
the same, respectively for immature and mature
programs.
 It seems that COVID-19, supply chain resiliency
issues, and cyber concerns have continued to
prompt organizations to review/refresh their
programs as 33% of respondents went through
such a review/refresh in the last 12 months
compared to 40% in 2021 and 25% in 2018.
Before COVID-19 a majority of organizations
would review/refresh their program every 1-2
years.
Last End-to-End Program Review and/or Refresh
Currently developing 23%
Updates as needed 13%
Less than 6 months 13%
6 - 12 months 20%
1 - 2 years 15%
2 - 4 years 9%
4 - 8 years 4%
8 - 10 years 1%
Over 10 years 1%
Annual review of a whole program is widely considered optimal, but a full end-to-
end review can be time consuming, so 1-2 years may be adequate. A longer interval
leads to neglect, while shorter times suggest micro-management. However, for some
individual program elements, semi-annual might be appropriate.
— Des O'Callaghan (Advisory Board)

11
Program Maturity – Self Rating
INSIGHTS
 Study participants self-rated the maturity of
their program and received a program maturity
score at the end of the study based on how they
answered various questions that were associated
with a scoring index logic.
 In reviewing this data point to previous years,
we noticed that the confidence level in the
maturity of the program continues to drop.
In previous years, 48% of the study participants
self-rated their program as a 4 or 5.
1 Reactive
11%
11%
2 Developing
22%
23%
3 Sustaining
30%
30%
4 Evolving
23%
32%
5 Capable
14%
4%
PROGRAM MATURITY KEY
Self Rating Index Score
KEY
Industry by Index Program Maturity Score
* Index scoring logic only include those study respondents who managed a program and completed the study.
Healthcare 137
Insurance 129
Financial 120
Biotech/Pharma 117
Utilities 115
Technology 98
Government 83
Manufacturing 74
Average 113
Definition Index Score
1=Reactive (chaotic, ad hoc, individual
heroics) - the starting point for the use of a
new or undocumented repeat process.
Below 46
2=Developing- the process is at least
documented sufficiently such that repeating
the same steps may be attempted
46 - 90
3=Sustaining - the process is defined/
confirmed as a standard business processes
91-135
4=Evolving - the process is quantitatively
managed in accordance with agreed-upon
metrics.
136 -180
5=Capable - process management
includes deliberate process optimization/
improvement.
Above 180

12
INSIGHTS
 For several years the span of enterprise
Resilience Management has expanded outside
of the traditional Business Continuity/Disaster
Recovery planning efforts. Most programs
include a combination of several different
disciplines, including Crisis Management, Risk
Management, Governance, Risk, and Compliance
(GRC), Physical Security, Supply Chain Resiliency
and/or Vendor Continuity.
 On average programs encompass a combination
of 6.7 different disciplines, which is a increase
from the 5.9 data point that was reported in 2021.
Disciplines Included in the Program (Exceeds 100% due to multiple selections)
Asset Protection/Loss Prevention 18%
Audit 14%
Business Continuity Process (Business Focus) 83%
Compliance 27%
Crisis Communications 44%
Crisis Management/Incident Management 75%
Disaster Recovery Process (IT Focus) 39%
Emergency Management 42%
Executive Protection 8%
Facilities Management 11%
Governance, Risk and Compliance (GRC) 18%
Health & Safety - Environmental 11%
Health & Safety - Occupational 11%
Pandemic Planning 61%
Media Crisis Management 13%
Resilience Management 44%
Records Management 9%
Security - Cyber 19%
Risk Management - Enterprise 17%
Risk Management - Operational 24%
Risk Management - Insurance 11%
Information Technology 18%
Security - Information 14%
Security - Physical 18%
Succession Planning 13%
Supply Chain Resiliency 18%
Third-Party Risk Management (Vendor Continuity) 22%
Other - Please indicate other responsibility. 2%
RESOURCES
Getting Started with
Operational Resilience
This guide is designed to help
you set a solid foundation for
operational resilience, get
traction with executives, and
boost confidence that your
organization has done all
that’s practical to prepare for
disruptions.
GET THE GUIDE

13
PROGRAM INSIGHTS
SCOPE BY ORG. REVENUES (USD)
300+ Plans 300+ Critical
Processes
<$500M 2% 8%
$500M-$10B 8% 16%
>$10B 16% 25%
SCOPE BY ORG. CLASSIFICATION
300+ Plans 300+ Critical
Processes
Public 12% 15%
Private 5% 12%
Regulated 7% 22%
Scope of Program
Not sure
4%
6%
Less than
20
21%
17%
21 - 50
25%
26%
51 - 100
16%
20%
101 - 300
25%
15%
301 - 500
5%
6%
501 - 1,000
2%
4%
More than
1,001
1%
5%
Number of Plans Managed
Number of Processes Deemed Critical

Organizational Reporting Structure
+ Program Sponsorship

15
ORGANIZATIONAL REPORTING STRUCTURE + PROGRAM SPONSORSHIP 15
Program Department Owner
Assurance/Compliance 4%
Audit - Internal 3%
Corporate Executive Offices 6%
Corporate Real Estate 0%
Emergency/Crisis Management 8%
Environmental Health & Safety 3%
Facilities Management 2%
Risk Management 24%
Finance 3%
Human Resources 1%
Information Technology 10%
Legal Counsel 3%
Operations 5%
Program Management Office - Corporate 3%
Program Management Office - IT 5%
Security - Information 7%
Security - Physical 5%
Strategic Planning 2%
Individual business units 3%
Other 8%
INSIGHTS
 Positioning of the program is crucial in obtaining
and maintaining executive support and 24% of
the respondents indicated that their program
reports into Risk Management followed by
Information Technology (10%).
 When cross referencing this data point by
program maturity we noticed that a majority still
indicated Risk Management, regardless of the
maturity of the program.
of immature programs report into Risk
Management
of mature programs report into Risk
Management
19%
24%
PRO TIP
Reporting structure will vary
based on industry. As an example,
government and utilities will tend to report into
Emergency/Crisis Management while the technology
and telecommunication sectors will more likely
report into Information Security. Financial and
insurance organizations will typically report into
Risk Management. Confidentially participate in
our study to receive a customized BCM Trends
dashboard by industry.

16
Rating of Program Department Positioning for Maximum
Effectiveness – Focusing on the Top Department Owners
Firms typically align Business Continuity
Programs according to the scope, scale,
organization structure and sometimes tradition.
The results indicate a broad spectrum of
alignment and more importantly, a move in
the right direction. The BC Programs with
the greatest opportunity for success are those
reporting into executive leaders such as COOs
and CAOs where they have leadership support
and can establish an independent presence.
However, BC Programs can achieve true
independence aligning under Risk Management
which provides access and visibility to executive
and board level forums. The Risk Management
alignment provides the support Continuity
professionals need to drive proper funding,
success and even create a culture of resilience.
Next steps would be to drive for “Regulatory
Guidance” on appropriate alignment for the
BC Program to achieve consistency across the
industry.
— Robert Fucito (Advisory Board)
Assurance/
Compliance
10% 50% 30% 10%
Corporate
Exec. Offices
38%
38% 25%
Emergency/
Crisis Mgmt.
5% 14% 19% 38% 24%
Information
Technology
16% 20% 28% 28% 8%
Operations 15% 15% 8% 38% 23%
Risk Mgmt. 5% 5% 15% 39%
36%
Security
Information
12% 24% 18% 41% 6%
Security
Physical
7% 36% 36% 14%
7%
Strongly
agree
Agree
Neutral
Disagree
Strongly
disagree

17
Program Sponsor
INSIGHTS
 In addition to the Business Continuity
department owner, the program sponsor also
greatly impacts the visibility and commitment
to the program. Similar to the department
owner, we've also noticed the program sponsor
shift away from Information Technology to Risk
Management over the last 10+ years. In fact,
this is the first year that a majority (15%) of
participants noted the CRO as the sponsor.
The CIO/CTO followed closely behind at 12%.
 When cross referencing this data point by
program maturity, we noticed an even larger
majority (24%) of respondents with mature
programs noting the CRO as the program
sponsor followed by the CIO/CTO (11%). The
response for the program sponsor for those
organizations with immature programs was quite
scattered with 12% noting a Vice President/
Director, CEO and CIO/CTO both received 11%
of the respondents while 10% noted the CRO.
 It's also important to note that regardless of
program maturity, 74% of the respondents
noted that their program sponsor was at the
CXO level of higher.
Chairman of the Board 1%
Board/General Council/Executive Committee 8%
President 1%
Chief Executive Officer 9%
Chief Info. Officer/Chief Tech. Officer 12%
Chief Information Security Officer 5%
Chief Security Officer 5%
Chief Financial Officer 4%
Chief Operating Officer 6%
Chief Administrative Officer 3%
Chief Risk Officer 15%
Chief Compliance Officer 2%
Chief Continuity Officer <1%
Chief Human Resources Officer <1%
Other Chief Title 2%
Exec. VP, Exec. Director, General Manager 4%
Senior VP, Senior Director, Senior Manager 4%
VP/Director 7%
Assistant VP, Assistant Director, Manager 3%
Specialist, Coordinator, Planner 1%
Other 7%

18
Rating of Program Sponsor Engagement – Focusing on the
Top Program Sponsors
(Responses with EVP or below did not receive this follow-up level of engagement question.)
INSIGHTS
 Ideally organizations strive to identify a program
sponsor who will be very engaged in championing
the Business Continuity program forward. While
only focusing on the top Business Continuity
program sponsors, we found that the CISO
received the highest approval ratings with
84% of the respondents indicating that their
program sponsor was involved or very involved
with the program followed by the Board/General
Council/Executive Committee (77%). Those who
noted COO seemed to be the most displeased
with their program sponsor as 28% indicated
little involvement or very little involvement.
 It's important to note that study participants who
noted a program sponsor of an EVP or below did
not receive this follow-up question on sponsor
engagement.
Very
involved
Involved
Neutral
Little
involvement
Very little
involvement
Chief Security Officer 8% 8% 33% 33%
17%
Chief Operating Officer 14% 14% 50% 21%
Chief Risk Officer 16% 16% 53% 16%
Chief Information Officer/
Chief Technology Officer
23% 16% 52% 10%
Chief Executive Officer 10% 24% 24% 43%
Board/General Council/
Executive Committee
12% 12% 65% 12%
Chief Financial Officer 30% 40% 30%
Chief Information
Security Officer
15% 46% 38%

19
Program Sponsor Level of Separation from Executive
Committee INSIGHTS
 Aside from the job title of the program sponsor,
its important that this individual be closely
aligned to the executive management committee,
which is "0" level of separation. The data did
indicate that 38% of all respondents noted that
the program sponsor was embedded within
the executive committee, but this data point
did decrease from the 45% reported in 2021.
Interestingly though, those respondents with
immature and mature programs both noted 40%
for this data point while only 32% of sustaining
programs noted the same.
RESOURCES
Executive Support Amplifier
Leverage our proven process for building (and
keeping!) executive support for your business
continuity program. Worksheet included.
GET THE GUIDE
0 38%
1 31%
2 16%
3 8%
4 3%
5 2%
6+ 1%

20
Rating of Program Sponsor Level of Separation from Executive
Committee for Maximum Effectiveness INSIGHTS
 It wasn’t surprising that the data highlighted
that 78% of the respondents who noted a
"0" level of separation from the executive
committee either strongly agreed or agreed
that this positioning of the program sponsor
contributed to the effectiveness of the
Business Continuity program.
 While taking a deep dive into the data we noticed
that larger organizations were slightly more
likely to position the program sponsor at a
1 or 2 level of separation from the executive
committee, although the majority still indicated
a level of "0". Interestingly though, a majority
(33%) of organizations with $50B+ USD in
organizational revenues positioned the program
2 levels below the executives and 100% of those
respondents agreed this level of positioning led
to the program's effectiveness.
 It's important to note the percent of respondents
for each category on the previous page before
assessing this data chart. As an example, only 1%
noted 6+ levels of separation from the executive
committee.
Strongly
agree
Agree
Neutral
Disagree
Strongly
disagree
0
3 14% 5% 52% 24% 5%
2 7% 24% 27% 29% 12%
1 9% 11% 25% 32% 23%
3% 6% 12% 40% 38%
5 50% 33% 17%
4 22% 44% 33%
6+ 33% 33% 33%

21
Program Department Owner – Trending Data: 2009 to 2022
INSIGHTS
 Historically our data (collected since 2009) has
shown that the Business Continuity program
(regardless of industry, size, or program
maturity) has increasingly been moving
away from Information Technology to Risk
Management. A majority of organizations not
only increasingly positioned the program under
Risk Management as a department owner and
program sponsor, but also believe this placement
of the program contributes to its effectiveness
and visibility. This is especially true for the
financial and insurance industry sectors.
In addition to increased BCM organizational
alignment with Operational Risk disciplines,
we also see firms integrating BCM, Cyber
and Third-Party Resilience functions into an
integrated team. This structure can lead to better
overall risk identification and scenario testing
to ensure critical business functions can meet or
exceed their impact tolerances.
— Thomas Wager (Advisory Board)
0
5%
10%
15%
20%
25%
30%
2022
2019
2014
2009
Security - Information Information Technology
Security - Physical Operations
Risk Management Corporate Offices

22
Program Sponsor – Trending Data: 2009 to 2022
*Please note that prior to 2022 CISO and CSO were included in the same selection option
and the 2021 data findings highlighted that 9% of organizations noted CISO/CSO as the
program sponsor.
2022
2019
2014
2009
COO - Chief Operating Officer
CRO - Chief Risk Officer
CSO - Chief Security Officer
CIO/CTO - Chief Information Officer
CISO - Chief Information Security Officer
CEO - Chief Executive Officer
0
5%
10%
15%
20%
The trend noted here is indicative of maturing
independent risk programs. Gains in CRO
sponsor and ownership are a recognition of
Enterprise Risk Management accountabilities to
assess inherent and residual risks, and routinely
attest to operating risk tolerances with executives,
boards and regulators.
— Larry Chase (Advisory Board)

24
CURRENT PROGRAM STATUS 24
Current Program Planning Status (Exceeds 100% due to multiple selections)
Emergency Management/Crisis Management Planning Status
Currently assessing the need for an Emergency Operations Center. 13%
Currently implementing an Emergency Operations Center. 14%
A full functioning Emergency Operations Center is in place. 44%
Policies and procedures are in place to interact and coordinate with external
agencies in times of a disaster.
52%
A Crisis Management process and plan is in place. 65%
A Crisis Communications program is in place. 58%
Current Level of Program Status
Off-site data recovery only. 11%
There are contingency plans in place for IT functions only (i.e., Disaster Recovery only) 31%
Critical systems are either resilient or recoverable. 57%
Some departments/divisions have Business Continuity plans. 43%
Currently obtaining or have management support and formulating the
Business Continuity program framework to include chartering and governance
contingency strategies, resiliency needs, recovery objectives, operational and
enterprise risk management and crisis management plans.
44%
Currently developing and implementing Business Continuity and/or
IT Disaster Recovery plans that meet the needs of the organization.
45%
Currently conducting regular BIA or risk assessments. 56%
Implemented a full functioning, corporate-wide Business Continuity program
that meets the organization’s identified contingency, resiliency, risk management,
emergency management and crisis management needs.
44%
Pandemic Preparedness Planning Status

25
Policies and procedures are in place to interact and coordinate with external
agencies in times of a disaster.
52%
A Crisis Management process and plan is in place. 65%
A Crisis Communications program is in place. 58%
Pandemic Preparedness Planning Status
Currently developing a Pandemic Preparedness policy. 13%
Currently implementing a Pandemic Preparedness policy. 15%
A full functioning Pandemic Preparedness policy is in place. 71%
Assessment/Audit/Exercise/Awareness Status
Maintain an assessment and audit schedule of the Business Continuity
program to ensure the program is up to date and complete.
51%
Maintain an exercise schedule in order to identify new potential vulnerabilities or
weaknesses in the current Business Continuity program. Analyze findings to
elevate the program.
54%
Exercises involve multiple teams across the organization - not just a single
process/technology recovery.
57%
Joint information security and Business Continuity exercises are conducted. 42%
Implemented an awareness and training program to promote and educate the
entire organization on the Business Continuity program, including specified
roles and responsibilities.
50%
Recovery capability reports are shared on a regular basis with the pertinent
senior leadership of the organization.
34%
Resilience Management Status
My organization is struggling to understand what organizational resilience
management means.
26%
My organization is working towards a holistic organizational resilience approach. 39%
Resilience management is embedded within the culture of the organization. 30%
The executive management team understands the importance behind resilience
management and they are committed to continuous improvement.
43%
My organization has implemented a holistic organizational resilience approach
that includes preventive control, mindful action, performance optimization,
and adaptive innovation.
16%

26
Implemented an awareness and training program to promote and educate the
entire organization on the Business Continuity program, including specified
roles and responsibilities.
50%
Recovery capability reports are shared on a regular basis with the pertinent
senior leadership of the organization.
34%
Executive/Leadership Succession Planning Status
Currently developing an executive/leadership succession plan. 25%
Currently implementing an executive/leadership succession plan. 20%
A full functioning executive/leadership succession is in place. 41%
Resilience Management Status
My organization is struggling to understand what organizational resilience
management means.
26%
My organization is working towards a holistic organizational resilience approach. 39%
Resilience management is embedded within the culture of the organization. 30%
The executive management team understands the importance behind resilience
management and they are committed to continuous improvement.
43%
My organization has implemented a holistic organizational resilience approach
that includes preventive control, mindful action, performance optimization,
and adaptive innovation.
16%

27
Respondents by Rating of Check it on Your Program 0 1 2 3 4 5
Statement does not describe our
organization
Our organization very much
aligns to the statement
Our organization uses automation (software and other tools) to accomplish regular recurring
tasks, manage incidents, and analyze program performance.
20% 8% 12% 14% 26% 21%
Our core Business Continuity team (full-time resources leading the program) connects regularly
to discuss/ solve issues to move the program forward, tracks and follows up on action items, and
seeks improvement opportunities to strive for the right level of resiliency.
8% 6% 8% 14% 28% 35%
Our Business Continuity program is well integrated with other risk disciplines within the
organization (e.g., Information Security, Emergency/Incident Response, IT Disaster Recovery).
5% 11% 10% 18% 30% 25%
Our senior management understands the investment, agrees on the products and services the
Business Continuity program is working to protect, understands the maximum downtime tolerance
for each, and regularly reviews our ability to recover.
5% 13% 9% 26% 23% 25%
The program can effectively improve and adapt to the organization’s changing business strategy
and is appropriately funded to enable approved strategies, risk mitigation controls, and other
improvement opportunities.
6% 9% 10% 28% 28% 19%
Everyone with a role in our Business Continuity program understands expectations, wants to
participate in their role, meets regularly to be trained, and has the capacity (time and knowledge)
needed to execute their role well.
9% 7% 11% 20% 31% 22%
We have a cross-functional steering committee that meets regularly to review the recoverability
of in-scope products and services, prioritize corrective actions, and address strategic issues that
may be impeding our ability to achieve the right level of resiliency.
12% 13% 11% 22% 23% 20%
We have a process for how we perform Business Continuity activities, which is documented, simple
and straightforward, and followed by all program participants.
7% 7% 13% 15% 26% 32%
We have mapped in-scope products and services to their underlying department/activity
dependencies (facilities, technologies, equipment, people, and suppliers); all have downtime
tolerances.
8% 15% 10% 20% 30% 17%
Our Business Continuity plans include actionable content that describes what needs to be
recovered, by whom, how it will be recovered & communicated, when the plans should be used,
and everyone is trained and aware.
6% 10% 11% 14% 31% 27%

Program Assessment, Audit
+ Exercising Plans

29
PROGRAM ASSESSMENT, AUDIT + EXERCISING PLANS 29
INSIGHTS
 Just over half of the study respondents indicated
that they conduct a BIA on an annual basis. When
taking a deeper dive into the data, though, we
noticed that those respondents with mature
programs were more likely to conduct an
annual BIA (72%) while those with immature
programs were less likely (25%) or they were still
developing their program (41%). Similarly, those
with mature programs also indicated that senior
leadership was more involved in reviewing and
approving the BIA results (51% noted C-Suite
and/or Steering Committee).
Review and update the BIA for processes, activities and
resources in-scope
Who is responsible for reviewing and approving BIA results
(Exceeds 100% due to Multiple Selections)
RESOURCES
Need help with your BIA?
Castellan offers a Business Impact Analysis (BIA)
Template to help you capture all the essential
information for a departmental BIA.
GET THE TEMPLATE
Annually 51%
Every 6 months 9%
On an as needed basis 7%
Still in development of program 16%
Never 3%
Less often than three years 2%
Every three years 4%
Every other year 8%
Does not apply 7%
Program manager 34%
Department leaders 52%
Division leaders 31%
C-Suite leader who supervises dept.
for which BIA was performed
16%
Business Continuity Steering
Committee
19%
Other Steering Committee 7%
C-Suite as an entity 5%

30
Frequency of Audit
Never
21%
8%
Still in development of program
13%
10%
Quarterly
4%
5%
Twice a year
8%
8%
Annually
23%
37%
Every two years
7%
11%
Infrequently
(every three years or less often)
10%
11%
Ad-Hoc
(on an as needed basis)
14%
9%
External Audit Internal Audit
INSIGHTS
 Organizations indicated that they were more
likely to conduct an internal audit on an annual
basis (37%) than an external audit. Additionally,
21% of respondents never conducted an external
audit of their program.
 Surprisingly, 26% of organizations with immature
programs noted that they have never conducted
an external audit of their Business Continuity
program and 18% noted the same for an internal
audit. Organizations with mature programs were
more likely to conduct annual audits (32% and
48%, respectively for external and internal).
Respondents currently utilizing a third-party
provider to audit their Business Continuity
Program indicated:
• 48%: Conduct an annual external audit
• 61%: Conduct an annual internal audit

31
Frequency of Exercises
Crisis
Management
Plans
Business
Continuity Plans
Critical*
Business
Continuity Plans
Non-Critical*
IT Disaster
Recovery Plans
Critical**
IT Disaster
Recovery Plans
Non-Critical**
Coordinated
w/Third-Party
Providers
Weekly 4% 1% 2% 1% 1% 1%
Monthly 1% 4% 2% 5% 2% 1%
Quarterly 7% 4% 3% 11% 5% 2%
Twice a year 8% 8% 3% 14% 5% 3%
Annually 59% 71% 47% 60% 39% 31%
Every two years 5% 6% 13% 3% 14% 3%
Infrequently
(every 3 years or less often)
3% 2% 8% 2% 9% 9%
Ad-Hoc
(on an as needed basis)
9% 3% 10% 4% 14% 23%
Never 3% 2% 12% 2% 12% 28%
*Functions / Departments ** Systems / IT Services
INSIGHTS
 While a majority of all respondents (71%) exercise their Business
Continuity program we discovered that those organizations with immature
programs were still developing their program (59%) and 6% have not
exercised their program. Furthermore, those respondents with immature
programs were more likely to exercise their crisis management plans and
business continuity/IT disaster recovery plans for the critical functions/
systems but never exercise business continuity/IT disaster recovery plans
for non-critical functions/systems (18% and 14%, respectively).
 The data also highlighted an area of improvement for the entire
profession – coordinating exercises with third-party providers.
Several respondents indicated that they either never (28%) or only
coordinate exercises with third-party providers on an ad-hoc basis as
needed (23%). Those organizations who noted mature programs were
more involved with coordinating such exercises on an annual basis
(43%) while those noting immature programs were significantly less
concerned (54% never).
STATS
All respondents:
Exercise
71%
Do not exercise
3%
Still developing
program
26%

32
Type of Exercises Implemented in the Last Year
(Exceeds 100% due to multiple selections)
Active shooter exercises 19%
Alternate worksite/Offsite exercises 48%
Automated notification/Emergency notification system 61%
Control & communications exercises 33%
Crisis management tabletop exercise 69%
Emergency evacuation 52%
Full fail over during off hours 28%
Full simulation - IT Disaster Recovery 36%
Full simulation - Business Continuity 28%
Live test (during business hours) - IT Disaster Recovery 24%
Live test (during business hours) - Business Continuity 21%
Outage - Building/Utility 39%
Surprise/unannounced test - IT Disaster Recovery 5%
Surprise/unannounced test - Business Continuity 9%
Telephone cascade/call tree exercise 30%
Terrorist attack 9%
Walkthrough 55%
Work from home validation 54%
Other 12%
INSIGHTS
 Utilizing different scenarios in exercising
Business Continuity plans can help in identifying
potential gaps or vulnerabilities. Our data
highlighted that the most commonly used
scenarios included crisis management tabletop
exercises, automated notification/emergency
notification systems, and walkthroughs.
After becoming more accustomed to working
from home in 2021, it wasn't surprising to see
work from home validation decrease 13% from
our previous edition of this report. Alternate
worksite, active shooter exercises, and
emergency evacuations also continued to drop
for the second year in a row (24%, 12%, and 11%,
respectively); presumably because less employees
were working in the office.
 When cross referencing this data point with
program maturity ratings, we discovered that
those organizations with more mature programs
were more likely to conduct a wide range of
multiple exercise scenarios. Additionally,
organizations with mature programs were
30%+ more likely to conduct work from
home validations, automated notification/
emergency notification systems, and control
& communication exercises. Those with
immature programs never conducted surprise/
unannounced tests for either IT Disaster
Recovery or Business Continuity in the last year.

34
PROGRAM BUDGETING 34
Manage a Program Budget to Account for Expenses
(Personnel, Consulting Services, Alternate Recovery Site, Emergency Operations Center,
Emergency Supplies, Hardware, Disaster Recovery Technology, Vendor Services, Exercises,
Training, Travel, People Development, and Other)
Approximate Annual Budget for Business Continuity Program
Expenses (You Own Budget)
Not sure 7%
Under $50,000 USD 10%
$50,000-$100,000 USD 12%
$100,000 - $200,000 USD 15%
$200,000 - $500,000 USD 19%
$500,000 - $1M USD 14%
$1 - $2M USD 9%
$2 - $5M USD 7%
$5 - $10M USD 7%
Over $10M USD 2%
YES 77%
NO 23%
INSIGHTS
 77% of those respondents who manage a
Business Continuity program indicated that they
do manage a budget to account for program
expenses. The majority of study respondents
noted a program budget of $200 - $500K while
25% indicated a budget over $1M, which is
an increase of 4% from 2021. When this data
point was cross referenced with organizational
revenues, we did notice that those organizations
with higher gross revenues budgeted more
for Business Continuity program expenses.
Additionally the program budget varied between
0.5 – 2.5% of the organizational gross revenues.
BCM BUDGET OF $1M USD +
• 15% of Organizations with $1-5B in Revenues
• 67% of Organizations with over $50B in Revenues

35
What is Accounted for within the Business
Continuity Program Budget (You Own Budget)
Percent for Each Budget Line Item in the Business
Continuity Budget (You Own Budget)
(Will not equal 100% - Each Category is an average for those who indicated
that budget line item)
Consultants/Contractors
(Business focus)
29%
Full Time Internal Staff 66%
(IT focus)
21%
Emergency Operations Center
(EOC)
15%
Emergency Supplies 26%
Hardware 9%
Hot-site/Outsourced
Alternate Site
17%
Internal Recovery Site 14%
Notification/Alerts 43%
Business Continuity Software 52%
Mobile Recovery 9%
DR Technology 18%
Exercises 56%
Training/Awareness 53%
Travel 52%
Personnel Development
(E.G. certifications, conferences, etc.)
52%
Other 2%
Consultants
(Business Focused)
10%
Full Time Internal Staff 44%
Consultants
(IT Focused)
4%
Hot-site/Outsourced
Alternate Site
7%
Emergency Operations Center 3%
Emergency Supplies 3%
Hardware 2%
Internal Recovery Site 3%
Business Continuity Software 12%
Notification/Alerts 5%
DR Technology 2%
Exercises 5%
Travel 5%
Personnel Development 5%
Training/Awareness 4%
Mobile Recovery <1%

36
Change in Budget Line Item in the Next Year (You Own Budget)
Increase Decrease
Remain
the Same
Not Sure
Full Time Internal Staff 29% 0% 55% 16%
(Business Focus)
8% 4% 58% 29%
Consultants/ Contractors
(IT Focus)
19% 13% 50% 19%
Emergency Operations
Center (EOC)
29% 0% 43% 29%
Emergency Supplies 6% 11% 67% 17%
Hardware 67% 0% 0% 33%
Hot-site/Outsourced
Alternate Site
0% 0% 70% 30%
Internal Recovery Site 11% 11% 56% 22%
Business Continuity
Software
22% 2% 63% 12%
Notification/Alerts 9% 0% 79% 12%
Mobile Recovery 20% 20% 20% 40%
DR Technology 67% 0% 22% 11%
Exercises 20% 5% 65% 10%
Training Awareness 20% 3% 60% 18%
Travel 21% 3% 61% 16%
Personnel Development 20% 0% 68% 12%
INSIGHTS
 Few respondents noted decreasing individual
budget line items and if so, the data indicated
that exercises and emergency supplies would
decrease by 25% and 17%, respectively.
Additionally, 29% are planning to increase
the budget line item for full time staff with
an average increase of 50%. This data point
aligns with the 37% of respondents who are
anticipating hiring more dedicated program
personnel in the next year and this is a sharp
increase from 2021.

37
If Budget Line Item is Changing in the Next Year – What is the
Average Increase and Decrease? (You Own Budget)
Average Increase Average Decrease
Full Time Internal Staff 50% --
Consultants/Contractors (Business Focus) 30% --
Consultants/Contractors (IT Focus) 40% --
Emergency Operations Center (EOC) 15% --
Emergency Supplies -- 17%
Hardware 28% --
Hot-site/Outsourced Alternate Site -- --
Internal Recovery Site 5% --
Business Continuity Software 15% --
Notification/Alerts 10% --
Mobile Recovery 10% --
DR Technology 15% --
Exercises 7% 25%
Training Awareness 19% --
Travel 44% --
Personnel Development 32% --
In relation to the budget of the Business Continuity
Program, apparently, based on the responses
obtained in this survey, it is observed that companies
are raising Business Continuity as a priority,
authorizing the hiring of more full-time internal
personnel.
Probably, from the experiences lived during the
COVID-19 pandemic many organizations have
realized that a robust Business Continuity program
allows organizations to absorb and adapt to a
changing environment and allows them to achieve
their objectives, survive and thrive. The lessons of the
COVID-19 pandemic, as well as global supply chain
complications, should have had a positive effect
on organizations leading them to strengthen their
internal teams in this area.
Additionally, the responses indicate that more
outside help is also being sought from consultants
and contractors both focused on business and IT,
which reinforces the hypothesis that organizations
right now want a more robust continuity program.
Finally, and consequently, as new personnel and
new or more consulting and contractor services are
being hired, this probably explains the decrease in
the budget for exercises, which will be confirmed if
we see this budget line increasing in a subsequent
edition of this survey, when the internal and external
teams are already hired and formed, ready to enter
the exercise phase.
— Jorge Escalera Alcázar (Advisory Board)

39
PROGRAM STAFFING 39
INSIGHTS
 Obtaining the right level of resiliency staff is
essential to meet your program goals and is a
question we often receive inquiries on. Our study
assesses this staffing question from a couple
different perspectives. Study participants are
first asked to indicate the different disciplines
that are managed within their program, which
includes everything from Business Continuity
(business focus), Disaster Recovery (IT focus),
Crisis Management, Cyber Resiliency, Physical
Security, etc. The disciplines that are chosen
within the study then auto fill to the staffing
question and the study participant is prompted
to answer the following: the total number of
staff dedicated to the program across the
entire organization, number of staff under their
direction and management, and the total number
of staff involved, but not dedicated, to the
program planning initiatives.
• 71% of study respondents who manage
a program manage dedicated program
personnel.
 The data highlighted the following for total
program planning personnel:
• 10.7 - Average dedicated program personnel
• 6.1 - Average dedicated program personnel
under your management
• 141 - Average program personnel – not
dedicated, but involved with planning and
updates
Number of Program Personnel
Business Continuity
(Business Focus)
4
3
91
Crisis
Communications
3
8
3
Crisis/Incident
Management
4
22
2
Disaster Recovery
(IT Focus)
5
35
3
Emergency
Management
3
46
3
Pandemic
Planning
3
23
2
Avg. Dedicated Program Personnel
Avg. Personnel Under Your Management
Avg. Personnel Not Dedicated
KEY

40
PROGRAM STAFFING 40
Hiring Program Personnel in Next Year Reduction of Program Personnel in Next Year
YES
7%
NONE
73%
NOT SURE
21%
NOT SURE
32%
NO
31%
YES
37%
INSIGHTS
 The employment market for the Business Continuity/Resiliency/
Crisis Management profession has been surging since April 2020.
Not only are organizations needing extra staff to address the gaps
discovered as a result of the COVID-19 pandemic, supply chain issues
and geopolitical events, but they are also needing to pivot to quickly
address cyber concerns, natural events, and other technology
impacts as well as keep up with recurring BC/DR planning activities.
All of this while the program is receiving increased executive visibility.
The data reported that 37% of study participants anticipate
hiring additional staff in the next year. This is a significant
increase from 14% reported in 2018 and 25% reported in 2021.
Additionally, in 2021, 50% indicated "no" to hiring new program
personnel in the new year and this data point dropped to 31% in
these newest data results.
INSIGHTS
 The confidence level over the question of downsizing staff remained
consistent to the 2021 data findings (73% noted "none" compared
to 71% in 2021). 7% of the respondents did note that they would
be reducing dedicated program personnel in the next year, which is
comparable to the 2021 data point of 5%.
the average number of new program personnel being
hired for those who indicated yes to hiring in the next year,
YES
7%
NONE
73%
NOT SURE
21%
NOT SURE
32%
2.7

41
PROGRAM STAFFING 41
Reasons Behind Downsizing
Reduced scope of work 21%
Financial pressures 21%
Changes in priorities 37%
Organizational restructuring 32%
Positions eliminated 11%
Overstaffing 5%
Functions outsourced 21%
Functions transferred to other
parts of the organization
32%
Employee retirement and no
approval to backfill role
5%
Specific personnel issues 11%
Mergers/Acquisitions 0%
Other 0%
INSIGHTS
 Only 7% indicated a reduction in dedicated
program personnel in the next year, thus
it is important to note that few respondents
answered the follow-up question as to the
reasons behind the future downsizing. The
primary reasons behind the downsizing
included changes in priorities, organizational
restructuring, and that the functions were
transferred to other parts of the organization.
 In looking back to 2018, we did notice a
continued decrease in financial pressures as
a reason behind downsizing (63% in 2018 to
39% in 2021 to 21% this year). Additionally,
positions being eliminated dropped from 32%
in 2021 to 11% in 2022 and overstaffing dropped
from 16% to 5%.
 Interestingly, specific personnel issues increased
from 3% to 11% and functions being outsourced
increased from 16% to 21%.
PRO TIP
Review your goals. When considering
the number of dedicated program
personnel it’s important to review your short-term
and long-term program goals. There are a variety of
staffing options from managed services, consulting,
permanent employees to staff augmentation.
Contact a BC Management representative to
arrange a discovery call.


43
CONSULTING INITIATIVES 43
Outsource Administration of BC Software Systems
Not applicable
or don't know
Not using
Considering
Plan to utilize
Utilize today
Not applicable
or don't know
Not using 67%
Not applicable
or don't know
3%
Considering 12%
Plan to utilize 7%
Utilize today 11%
Not using 55%
3%
Considering 11%
Plan to utilize 9%
Utilize today 22%
14%
31%
8%
11%
9%
8%
68%
49%
2%
2% Big 4 Independent Consulting Services
Utilize 3rd Party to Audit BC Program
Not applicable
or don't know
Not using
Considering
Plan to utilize
Utilize today
Not applicable
or don't know
Not using 67%
Not applicable
or don't know
3%
Considering 12%
Plan to utilize 7%
Utilize today 11%
Not using 55%
3%
Considering 11%
Plan to utilize 9%
Utilize today 22%
14%
31%
8%
11%
9%
8%
68%
49%
2%
Utilize 3rd Party Consulting Services to Support Business
Continuity Planning Initiatives
Not applicable
or don't know
Not using
Considering
Plan to utilize
Utilize today
Not applicable
or don't know
Not using 67%
Not applicable
or don't know
3%
Considering 12%
Plan to utilize 7%
Utilize today 11%
Not using 55%
3%
Considering 11%
Plan to utilize 9%
Utilize today 22%
14%
31%
8%
11%
9%
8%
68%
49%
2%
INSIGHTS
 Although the majority of respondents indicated
that they are not currently utilizing third party
providers, we did notice some interesting trends.
When comparing consulting initiatives to the
2021 data findings, we discovered that more
organizations are currently utilizing consulting
assistance to support their Business
Continuity planning initiatives, an increase
by 6% for Big 4 firms and an increase of 5% for
independent consultants.
 Additionally, we can expect increased
engagement with BCM service providers in the
coming year.
of organizations are either planning
to utilize or they are considering
engaging Big 4 assistance (up 7% from
2021) while 19% noted the same for
independent consultants (up 6% from
2021).
are either planning to utilize, or they
are considering engaging, a third party
provider to audit their program in the
next year, which is consistent to the
2021 data.
are either planning to utilize, or they
are considering outsourcing, the
administration of their BCM software
systems in the next year (up 5% from
2021).
17%
20%
19%

44
CONSULTING INITIATIVES 44
Outsource Administration of Business Continuity Program
If Utilizing a Contractor/Consultant – How Many are Currently
Employed Under Your Direction & Management?
INSIGHTS
 While most organizations (81%) are not currently
leveraging an outsourced model to manage
the administration of their Business Continuity
program, the data did indicate an increased
interest in these services for the coming year.
 14% are either planning to utilize or they are
considering outsourcing the administration of
their BCM program in the next year (up 8% from
2021).
 In addition to increased engagement with
BCM service providers, more organizations are
currently employing multiple consultants. 39%
currently utilize 2-3 consultants while 27%
noted 4+ consultants.
 44% of organizations expect to engage
consulting assistance in the next year.
Not applicable or
don't know
5%
Not using 81%
Considering 7%
Plan to utilize 7%
Utilize today 1%
35%
1
22%
2
17%
3
8%
4
8%
5
7%
6-10
2%
11-20
2%
> 20
Not applicable or
don't know
5%
Not using 81%
Considering 7%
Plan to utilize 7%
Utilize today 1%
35%
1
22%
2
17%
3
8%
4
8%
5
7%
6-10
2%
11-20
2%
> 20
PRO TIP
Concider external support.
External support can add significant
value to resilience initiatives and augment internal
staff in maintaining the program. Outsourcing can
be used to provide insight into industry trends, add
specific subject matter expertise, and reduce some
of the administrative requirements associated with
program management.


Estimated Financial Loss by Hour

46
ESTIMATED FINANCIAL LOSS BY HOUR 46
Estimated Financial Loss by Hour of Downtime if the Most Critical
Products/Services were Inoperable
1 Hour 8 Hours 12 Hours 48 Hours 72+ Hours
Unable / Difficult to calculate 50% 38% 38% 39% 39%
< $5,000 9% 9% 3% 2% 2%
$5,000 - $10,000 10% 11% 9% 5% 2%
$10,000 - $25,000 7% 5% 9% 3% 6%
$25,000 - $50,000 6% 11% 9% 10% 2%
$50,000 - $100,000 5% 9% 10% 11% 12%
$100,000 - $500,000 2% 5% 6% 8% 6%
$500,000 - $1,000,000 4% 2% 6% 3% 9%
> $1,000,000 6% 11% 11% 19% 22%
INSIGHTS
 Many organizations struggle with calculating
estimated financial losses as a result of critical
functions being down. Although most study
respondents answered this question with
“unable/difficult to calculate”, the data did trend
upwards for more than $1 Million USD/hour in
estimated financial losses from being down 1 hour
(6%) to more than 72 hours (22%).
 This data point changes significantly by industry
sector or by size of the organization. As an
example, 25% of the respondents who noted
organizational revenues of $50B+ USD
indicated an estimated $1 Million+ USD/hour
in financial losses if critical products/services
were down for 72+ hours. Additionally, 50% of
large financial firms with organizational revenues
of $20B+ USD noted the same.

47
ESTIMATED FINANCIAL LOSS BY HOUR 47
Who Verifies the Estimated Financial Loss
If Financial Losses are used to Evaluate Insurance Policies
& Coverages, which ones are Evaluated?
INSIGHTS
 The data highlighted that 39% of all
respondents indicated that estimated financial
losses are verified by either a C-Suite leader, a
steering committee, and/or the C-Suite as an
entity. 30% of organizations with an immature
program noted the same compared to 47% of the
respondents with mature programs.
 44% of the respondents use estimated
financial losses to evaluate insurance
policies and coverages maintained. Business
interruption and cyber were the most commonly
evaluated. In comparing to the 2021 report we
did noticed that property and contents dropped
in evaluation by 7% to 49% and directors and
officers dropped by 11% to 24%.
 Additionally, organizations with immature
programs were more concerned in evaluating
liability (60%) and business interruption (53%)
while organizations with mature programs
were focused on reviewing business
interruption (88%) and cyber policies (73%).
Excess Liability
Doesn't apply 32%
Program manager 16%
C-Suite leader* 19%
BC Steering Committee 15%
Other Steering
Committee
4%
Business Interruption 76%
Contingent Business
Interruption
45%
Property & Contents 49%
Liability 49%
29%
Cyber 60%
Directors & Officers 24%
Errors & Omissions 27%
Other 5%
*Who supervises deprtment for which BIA was performed.
Excess Liability
Doesn't apply 32%
Program manager 16%
C-Suite leader* 19%
BC Steering Committee 15%
Other Steering
Committee
4%
Business Interruption 76%
Contingent Business
Interruption
45%
Property & Contents 49%
Liability 49%
29%
Cyber 60%
Directors & Officers 24%
Errors & Omissions 27%
Other 5%
*Who supervises deprtment for which BIA was performed.

Program Management +
Compliance/Standards

49
PROGRAM MANAGEMENT + COMPLIANCE/STANDARDS 49
Management of Business Continuity Program at Remote
Offices/Sites
INSIGHTS
 Managing a global program with offices across
the world can cause stress on a team. Most
organizations with a program accounting for
offices outside of their current office location
either manage the BCM program from the
primary corporate offices with periodic travel
(57%) or the corporate team oversees policy
and program implementation with locally based
employees working on a part-time basis (37% -
up 5% from 2021).
 Some interesting trends were highlighted in
managing Business Continuity planning at remote
offices:
• Organizations with 200,000+ employees
either hire full-time, permanent BCM staff
to work locally at remote offices (57%)
and/or manage the program from the
headquarters with periodic travel (57%).
• Global organizations either manage the
program from the headquarters with periodic
travel (61%) and/or corporate team oversees
policy and program implementation with
locally based employees working part-time on
Business Continuity planning (41%).
For over 2 years, many client discussions have included addressing these major
staffing gaps in APAC, EMEA, LATAM and North America.
Hire full-time, permanent Business Continuity
professionals to work from the location(s).
16%
Manage program from headquarters
with periodic travel to location(s).
57%
Engage professional consulting services
to execute remote office program activities.
3%
Managed locally with existing resources
who are not experienced in the discipline.
28%
Place expatriate in facility
location for specified time period.
6%
Corporate team oversees policy and program
implementation while locally based
employees work part-time to establish plans.
37%
Other 5%

50
Measurement of Controls to Demonstrate an ROI
(Exceeds 100% due to Multiple Selections) INSIGHTS
 Similar to 2021, a majority of study respondents
indicated that their financial executives are aware
that Business Continuity planning is a prudent
management issue, not a revenue generation
initiative. This data point is up 7% from 2021 too.
 Other notable trends include:
• 75% of regulated organizations and 70% of
organizations with mature programs noted
that financial executives are aware that
Business Continuity planning is a prudent
management issue.
• 38% of regulated organizations use residual
risk versus risk evaluation criteria based on
enterprise risk appetite. 19% of organizations
with immature programs noted the same.
Financial executives are aware that BC
planning is a prudent management issue,
not a revenue generation initiative.
65%
Cost of doing nothing versus
potential impacts.
38%
Residual risk versus risk evaluation criteria
based on enterprise risk appetite.
32%
Cultural adoption 22%
Annual budget assigned to BC
planning versus potential impacts.
40%
Industry accreditation/recognition 17%
Business Continuity is part of Executive
annual performance objectives
22%
Other 3%

51
Level of Understanding for the Following Compliance/Standards
(Compliance/ Standards Highlighted Below are the Most Relevant from Recent Studies)
We understand
this item and are
prepared to answer
to auditors.
We understand this
item, but are not
prepared to answer
to auditors.
We are still learning
about this item.
Not aware of this
compliance topic.
Doesn't apply
e-CFR Part 29: Protected Critical Infrastructure Information (PCII) 33% 13% 10% 16% 28%
ANSI/ARMA 5-2010 Vital Records Programs: Identifying, Managing, and
Recovering Business-Critical Records
19% 26% 21% 12% 24%
ASIS/BSI BCM Standard 29% 26% 10% 9% 26%
ASIS SPC. 1-2009 Organizational Resiliency 18% 29% 9% 13% 32%
BS 25777 21% 16% 19% 12% 32%
BS 31100 (Risk Management) 29% 17% 14% 10% 31%
COBIT 30% 15% 12% 13% 32%
EU - GDPR 38% 16% 7% 5% 34%
FFIEC - Federal Financial Institutions Examination Council FINRA Rule
4370
39% 11% 9% 5% 38%
FINRA Guidelines - Financial Industry Regulatory Authority 27% 11% 6% 8% 47%
FISMA - Federal Information Security Management Act 19% 17% 10% 9% 45%
FRB - Federal Reserve Board 16% 9% 14% 7% 54%
FSA Business Continuity Practices Guide - Financial Services Authority 20% 10% 13% 5% 52%
Gramm Leach Bliley Act (GLBA) 34% 12% 8% 7% 39%
Health Insurance Portability and Accountability Act (HIPAA) 36% 16% 6% 5% 38%

52
We understand
this item and are
prepared to answer
to auditors.
We understand this
item, but are not
prepared to answer
to auditors.
We are still learning
about this item.
Not aware of this
compliance topic.
Doesn't apply
ISO 22301 Business Continuity Management Systems (BCMS) 55% 26% 9% 5% 5%
ISO/IEC 27031:2011 Information Technology - Security Techniques -
Guidelines for information and communications technology readiness
for business continuity
35% 33% 14% 5% 15%
ISO 9000 Fundamentals and Vocabulary of Quality Systems 21% 16% 14% 7% 43%
ISO 9001 Quality Management 31% 15% 8% 7% 39%
ISO 20000 IT Service Management 25% 20% 20% 6% 28%
ISO 27001 Information Security 51% 27% 6% 6% 10%
ISO/IEC 24762 Information Technology - Security Techniques -
Guidelines for Information & Communications Technology Disaster
Recovery Services
29% 23% 14% 13% 21%
ITIL v. 3 Service Continuity 31% 23% 15% 5% 30%
Joint Commission (Hospitals) 15% 9% 6% 9% 60%
NFPA 1600 41% 16% 3% 7% 33%
OSHA Compliance 59% 14% 10% 3% 14%
Patriot Act 33% 15% 9% 6% 37%
Sarbanes Oxley 47% 21% 8% 2% 23%
SEC Regulations 46% 14% 7% 4% 29%
SSAE16 SOC2 27% 25% 8% 8% 33%
US Government NIST Standards 42% 25% 12% 6% 17%

53
If Your Organization has Obtained a Certification, Which One?
(Exceeds 100% due to Multiple Selections) INSIGHTS
 Organizations seek guidance from third-party
certification bodies to better understand how
to model their Business Continuity program in
addition to being better prepared to address
audit reviews. Although there are over 50
different compliance/standards, this report
highlights the most popular according to
our most recent data findings. Compliance/
standards will also vary based on the industry
sector.
 The data findings highlighted that organizations
(regardless of industry, size, or program maturity)
are more aware and prepared to answer auditors
for the following standards.
• OSHA Compliance: 59%
• ISO 22301: 55%
• ISO 27001: 51%
 26% have obtained an organizational
certification.
 16% are working towards becoming certified.
 59% are not certificated in a standard.
ASIS/BSI BCM standard 5%
ASIS SPC.1-2009
Organizational Resilience
3%
ISO 9000 Fundamentals and
Vocabulary of Quality Systems
15%
ISO 9001 Quality Management 33%
ISO 14001 Environmental Management 5%
ISO 20000 IT Service Management 15%
ISO 22301/313 (Previously BS25999) 35%
ISO 22316: Organizational Resilience 3%
ISO 27001 Information Security 43%
ISO 28000 Specification for Security
Mgmt. Systems for the Supply Chain
3%
ISO 31000 Risk Management 8%
ISO 38500 Governance of IT for
the Organization
3%
SSAE16 SOC2 5%
US Government NIST Standards 3%
Other 13%

55
DEMOGRAPHICS 55
Respondents Level of Responsibility Level of Separation from Executive Management
(Number of People between You & Executive Team)
Executive sponsor of the
BCM program
6%
Leader or a member of the
BCM team
61%
Business leader with accountability
for a BCM plan
11%
Subject matter expert providing
input on BCM strategy and plan
17%
Third-party services providing
advice on a BCM program
2%
Other 2%
9%
0
29%
1
28%
2
18%
3
10%
4
4%
5
1%
6
1%
7+

56
DEMOGRAPHICS 56
Scope of Program Management (Exceeds 100% due to multiple selections)
Entire organization on a global basis 40%
Multiple lines of business on a global basis 10%
One line of business on a global basis 8%
Multiple lines of business on a regional (multi-country) basis 3%
One line of business on a regional (multi-country) basis 0%
Entire organization on a national basis 21%
Multiple lines of business on a national basis 8%
One line of business on a national basis 4%
Entire organization on a regional (within one country) basis 15%
Multiple lines of business on a regional (within one country) basis 3%
One line of business on a regional (within one country) basis 1%
Entire organization on a regional (multi-country) basis 15%
Note: Only those professionals
who managed a program
received questions on program
staffing and budgeting.
STATS
Do not manage a
program
44%
Manage a
program
56%

57
DEMOGRAPHICS 57
Percent of Respondents by Organizational
Distribution
Percent of Respondents by Number of
Organizational Locations
One Site 5%
Citywide 7%
Statewide/Province 9%
Regional
(within one country)
12%
National
(one country)
17%
Regional
(multi country)
14%
Global 37%
0-5
22%
36%
6-10
11%
7%
11-15
11%
6%
16-25
13%
8%
26-50
11%
9%
51-100
9%
6%
101-300
8%
7%
301-500
5%
4%
1,001-5,000
5%
4%
501-1,000
2%
3%
5,001-10,000
1%
2%
> 10,000
2%
6%
Corporate Operational Functions
(Operational, Financial, Manufacturing,
Distribution, etc)
Retail/Customer Interfacing
(Outlets, Call Centers, Stores, etc)
KEY

58
DEMOGRAPHICS 58
Percent of Respondents by Number of Employees
10,000 - 19,999 9%
5,000 - 9,999 12%
2,000 - 4,999 18%
1,000 - 1,999 10%
500 - 999 11%
100 - 499 8%
< 99 3%
20,000 - 24,999 5%
25,000 - 29,999 2%
45,000 - 59,999 3%
100,000 - 149,999 4%
150,000 - 199,999 1%
250,000 - 300,000 1%
30,000 - 44,999 4%
60,000 - 79,999 2%
80,000 - 99,999 2%
200,000 - 249,999 2%
> 300,000 2%
Percent of Respondents by Organizational
Revenues (Annual Gross Revenues – USD)
5%
$100-$250 Million
6%
$50-$100 Million
4%
$25-$50 Million
4%
$10-$25 Million
4%
$5-$10 Million
4%
< $5 Million
7%
Not applicable
(government/non-profit)
$250-$500 Million 7%
$500 Million-$1 Billion 11%
$1-$5 Billion 15%
$5-$10 Billion 9%
$10-$20 Billion 9%
$20-$50 Billion 8%
> $50 Billion 7%

59
DEMOGRAPHICS 59
Percent of Respondents by Industry
Top Industries
Classification of Organization
Publicly traded 51%
Public, but not listed 8%
Private 29%
Regulated 23%
Unregulated 1%
None of the above 5%
Financial 21%
Technology 13%
Insurance 9%
Manufacturing 6%
Government 6%
Healthcare/Medical 5%
Utilities 3%
Telecommunications 3%
Retail/Wholesale 3%
Pharmaceutical 3%
Consulting Services 3%

61
BCM RESEARCH OVERVIEW 61
BCM Research Overview
REPORTING HISTORY
Since 2001, BC Management has been gathering data on business continuity management
programs and compensations to provide professionals with the information they need to
elevate their programs. Each year our organization strives to improve upon the study questions,
distribution of the study and the reporting of the data collected.
STUDY METHODOLOGY
The online study was developed by the BC Management team in conjunction with Castellan
Solutions and the BC Management International Research Advisory Board. WorldAPP Key
Survey, an independent company from BC Management, maintains the study and assesses
the data collected. The study was launched on April 8, 2022 and it will remain open through
November 2022. Participants were notified of the study primarily through e-newsletters
and notifications from BC Management, Castellan Solutions, and from many other industry
organizations. All participants are given the option of keeping their identity confidential.
ASSESSMENT OF DATA & REPORTING
BC Management is continuously reviewing and verifying the data points received in the study.
Data points in question are confirmed by contacting the respondent that completed that study.
If the respondent did not include their contact information, then their response to the study
may be removed. Data findings in many of the figures were rounded to whole numbers, thus the
total percent may not equal 100%.
PARTICIPANT OVERVIEW
317 professionals participated in our 13th Edition
BCM Trends Study.
Responses were received from 39 countries.
The most significant responses are bolded and
associated with a response.
Australia (1.7%), Belgium, Botswana, Bulgaria,
Canada (5.5%), Costa Rica, Czech Republic,
Denmark, El Salvador, Germany, Hong Kong,
Hungary, India (1.0%), Iraq, Italy (1.0%), Jamaica,
Japan, Kenya, Malaysia (1.4%), Malta, Mauritius,
Mexico, New Zealand (1.0%), Nigeria, Peru,
Philippines, Portugal, Qatar, Russia, Rwanda,
Singapore, South Africa (1.4%), Spain (1.4%),
Switzerland, Taiwan, Trinidad and Tobago, United
Arab Emirates (1.0%), United Kingdom (1.7%),
and United States of America (69.8%).

Advisory Board + Distributing Organizations

63
ADVISORY BOARD & DISTRIBUTING ORGANIZATIONS 63
Thank you to BC Management’s
International Research Advisory
Board
BC Management’s International Research Advisory Board
was instrumental in reviewing the study to ensure it
focused on the topics that are of the greatest interest to
resilience management professionals today. The goal was
to develop a credible reporting tool that would add value
to organizational resilience management.
Larry Chase
CBCP, Comp TIA A+ (USA Focus)
Larry is the Director of Operational Resiliency Oversight in Citigroup’s
Operational Risk Management organization. An eight year United States Air
Force veteran, Larry is a recognized and an industry leader in Enterprise Risk
and Resiliency Management over the course of three decades. Credited with
establishing global programs at Pfizer, Motorola, and most recently with Humana
— His professional accomplishments include the 2017 BCI Continuity & Resiliency
Team of the Year, 2015 DRI Program Leader of the Year, 2010 BCI Asia Group
Excellence Award and the 2005 W.E Upjohn Award for Leadership. He spends
a good portion of his free time as a professional musician around the Tampa
Bay area and serving in different industry leadership roles; he is also credited
as the co-founding of DRI Foundation’s Veterans Outreach Program, providing
scholarships to 700+ of our returning heroes.
Kevin Cunningham
MS, CEM, CBCP (USA Focus)
Kevin is currently the Director of the Business Continuity Program Officer at
Equinix Inc. Previously, he had spent 4 years as Vice President and Head of
Global Business Continuity, Crisis Management and Emergency Services at
NBCUniversal. Until May of 2013, he was Americas Regional Head of Business
Continuity, Crisis Management for UBS AG. Prior to his tenure at UBS, Mr.
Cunningham worked for the City of New York as a Preparedness Specialist for the
New York City Office of Emergency Management.
Ing. Jorge Escalera
MBA, RM-31000, MBCP, CCRP, LA 22301 (Mexico)
Jorge Escalera Alcazar is President of the Organization Resilience Institute (IRO),
Practice leader of Enterprise Risk Management, Business Continuity Management
Systems, IT Disaster Recovery, Risk Management, and Insurance. More than 25
years of experience. Consultant for private sector multinational corporations
and public-sector institutions. Chemical Administrator Engineer from Tec de
Monterrey. MBA from EGADE Business School. Master Business Continuity
Professional (MBCP) and Instructor by Disaster Recovery Institute International.
Certified Risk Management Professional and Trainer (RM-31000) by IRO. Former
President of the Mexican Technical Committee ISO/TC262 Risk Management.
Coordinator of WG2 Business Continuity of ISO/TC292 Security and Resiliency.
Convenor of the Spanish Translation Task Force of ISO TC262/STTF – Risk
Management. First President and founder of the RIMS Mexico Chapter.

64
Robert Fucito
(USA Focus)
Experienced executive with a demonstrated history of working in the financial
services industry. Skilled in Crisis Management, Enterprise Risk Management,
IT Service Management, and IT Strategy. Strong professional with a Certificate
focused in Design Thinking & Problem Solving from Massachusetts Institute of
Technology - Sloan School of Management.
Guy Gryspeerdt
AMBCI (USA Focus)
Guy Gryspeerdt BA (Hons), AMBCI, has a strong experience in aligning the
risk, business resilience, and crisis management functions to the organization’s
strategic business goals and managing both the change process and subsequent
organizational systems. He is outcome focused and sees a robust resilience
program as a key business enabler to deliver a competitive advantage to the
organization and value to customers. He has worked internationally across industry
sectors, managing risk, business resilience, crisis management, and security in
the financial, retail, manufacturing, and government sectors and has managed
high level projects in these areas for leading organizations globally. Organizations
have included Ernst & Young, Goldman Sachs, Reinsurance Group of America, The
Westfield Group, and Bridgewater.
Gayle Hedgecock
(UK Focus)
Gayle has over 21 years experience in Business Continuity and Operational
Resilience in financial service, more recently in legal services. Covering the full
continuity lifecycle from completing BIA’s through to creating and implementing
BC, Crisis Management and Operational Resilience programme, policies and
standards. Gayle was the chair of the BCi London Forum for four years.
Ashley Helmick
MBCI (USA Focus)
Over the past six years, Ashley has worked with a variety of organizations to
implement and maintain successful Business Continuity and IT Disaster Recovery
Programs within several industries, including healthcare, manufacturing,
utilities, technology services/software, legal services, distribution/logistics,
and financial services. Many of Ashley’s recent clients have been global bio-
pharmaceutical research and manufacturing organizations. Ashley builds programs
for organizations, identifies risks, develops actionable plans at executive and
operational levels, and validates plans using plausible scenario exercising. Ashley
integrates business continuity and IT disaster recovery into organizations’ cultures
and drives clients to continually mature their programs.
Evan Hicks
CBCP (USA Focus)
Evan began his Business Continuity career in Blacksburg, VA implementing
Emergency Notification Systems across the United States for local government
agencies. Motivated by the events of the 2007 Virginia Tech shooting, Evan moved
to New York City to pursue a Master’s Degree in Emergency Management from
John Jay College of Criminal Justice. While completing his graduate studies, Evan
held positions at Goldman Sachs’ Crisis Management Center and NYC OEM’s
Training & Exercise division. This unique experience in both the public and private
sector, led him to Washington, DC where he held multiple roles across Fannie
Mae’s Corporate Incident Management Team, Business Continuity Office, Risk
and Controls, and Credit Portfolio Disaster Relief Team. In 2016, Evan pursued
an opportunity in Portland, OR to establish a Business Recovery program for
Nike’s world headquarters and global business operations. During his tenure with
Nike, Evan elevated Business Continuity to the Board of Directors, authored the
COVID-19 Return to Work Playbook, and implemented a global continuity planning
process inclusive of incident management, third party risk, technology recovery,
facility management, enterprise risk management, supply chain, HR, and other
enterprise partners. Today, Evan is applying his crisis management expertise to his
community in Portland where he’s helping local charities address and resolve the
social vulnerabilities revealed by COVID-19 and the BLM movement.

65
Alberto Jimenez
CBCP, PMP (USA Focus)
Alberto is a founder and director with MiaTomi, a provider of business continuity
management consulting services. Alberto has over 20 years of cross-industry
experience, helping clients meet their business continuity, risk, compliance, and IT
transformation needs. Prior to founding MiaTomi, Alberto was a national practice
director at Datalink, Senior Manager at SunGard, Associate Director at Protiviti,
and technology manager at Accenture.
Sohail Khimani
MBA, MBCP, AFBCI, OSSNHS, ISO 22301 LA
(Middle East Focus –Based in UAE)
An award-winning risk and resilience luminary with over 16 years of experience
in all facets of risk and resilience. He is considered as an expert in providing and
implementing bespoke end-to-end risk solutions and is a qualified and well-
versed risk and resilience thought leader assisting organizations survive and
thrive in challenging times.
Nicola Lawrence
BCom, MBCI (UK Focus)
Nicola Lawrence a business continuity professional that has worked in the
Banking and Finance industry for 18 years, involved all aspects of resilience from
planning and implementing BCM program to developing training and awareness
opportunities. She is an active member of both The Investing and Saving Alliance
(TISA) and Investment Association (IA) Operational Resilience Working Groups
with the purpose of developing guidance for its member firms regarding the
upcoming regulatory changes to Operational Resilience in the UK.
Irfan Mirza
(USA Focus)
Irfan Mirza leads the enterprise continuity and resilience program across
Microsoft. He has over 25 years of experience in the software and technical
services industries in roles ranging from policy and compliance leadership in
security, privacy, continuity, to software and service development, alongside
enterprise, system and business architecture. He lectures frequently on
technology topics and about policy design, implementation and measurement, as
well as delivering periodic university lectures in political sociology.
Desmond O’Callahan
FBCI (Canada Focus)
Des O’Callaghan, FBCI, is a practitioner with 30 years of experience in building,
leading, and assessing business continuity programs in Canada. Much of his
career has involved directing in-house programs in the financial sector. He also
has over 10 years of wide ranging consulting experience across multiple sectors.
Des has been an educator in BCM for over 12 years, teaching at George Brown
College in Toronto for 4 years and currently delivering Business Continuity
Institute courses across North America. Des became a Fellow of the BCI in 1996
and is presently Vice President and Secretary of the Canadian Chapter, He was
appointed as Lead Assessor for the BCI in 2018. Des frequently presents at
conferences and has received a national Canadian Award of Excellence in 2009
and a gifted grade Global BCI Achievement Award in 2015.

66
Jayaraj Puthanveedu
CISSP, MBCI, ISO Lead Auditor (UK Focus)
Jayaraj is a Senior Executive with over 21 years of experience in Cyber Security,
Risk Management and Resilience, primarily focused on helping board level and
CXO stakeholders in Tier1 Financial Services institutions in shaping their digital
strategy to improve their Cyber Security and Resilience posture. In his current
role as the Managing Director in BNP Paribas, he is the Global Head for Cyber
Fraud, Cyber Resilience, Third Party Tech Risk, Data Breach Management,
Business Continuity, IT Resilience, and overall Operational Resilience. Prior to this,
he has held various leadership roles in Deutsche Bank, Goldman Sachs, Northern
Trust etc. covering Operational Risk, Cyber & Technology Risk, and Resilience
areas.
M. Brian Reid
FBCI, CBCP, CPP, CFE (USA Focus)
M. Brian is a globally recognized, risk and resiliency thought leader. Among
his many accomplishments includes a national-level critical infrastructure
assessment. He has also led enterprise business continuity, security and risk
advisory engagements for large global organizations. Currently he leads the
Global Security Operations Center for one of the top Cyber security firms. M.
Brian is an Engineering graduate of the United States Military Academy at West
Point and holds Master's degrees from Norwich University (M.S. in Information
Assurance), Webster University (M.A. in Business and Organizational Security
Management) and the University of Reading (MBA). He is a Fellow of the Business
Continuity Institute, a Certified Business Continuity Professional, ISO 22301 Lead
Implementer Certified, Board Certified in Security Management and is a Certified
Fraud Examiner. M. Brian is a member of the Global board of Directors of ASIS
International and the BCI (USA) national chapter board.
Wong Tew Kiat
CBCP, FBCI, CITBCM(S), CITPM(S), COMIT(S), Fellow SCS (Asia Pacific
Focus – Based in Singapore)
More than 30 years of experience in IT Infra, Data Centre Infrastructure &
Operations, Business Continuity Management, Pandemic Preparedness, Crisis
& Incident Response, IT Disaster Recovery, Emergency Management, and Data
Centre (DC) Risk & Health Check. Managed a 100,000 sqft Data Centre for the
30 years. Currently appointed as Chairman for the Data Centre Special Interest
Group (DC SIG) by Singapore Computer Society (SCS) as a national platform
for DC professionals to network and share research & innovative ideas to meet
the changing trends of the DC landscapes. A CBCP by DRII(USA) since 1997
and Fellow of BCI-UK since 2005. Also a Certified IT Project Manager, Certified
Outsourcing IT Manager, and Certified ITBCM Manager (CITBCM) by SCS. He
was the President for the Business Continuity Group, a chapter in SCS from
2005–2008 & 2010–2011. In addition, he chaired the CITBCM Resource Panel to
develop the Body of Knowledge and also chairs the Board of Assessors and he is
also the authorised training provider for this CITBCM Certification Course.
Gilberto Tiburcio Freire
Junior (LATAM Focus)
More than 45 years of experience with solid business knowledge in Sales of
IT Services, with experience in IBM Brazil, IBM United Kingdom, and REGUS.
More than 20 years working as People Manager leading Services Organization
(Infrastructure Services, Business Resilience Services, Business Continuity,
Disaster Recovery, IT Security). He was responsible to implement a Business
Recovery Organization in a IBM Brazil, afterwards he was responsible for this
Business in all Latin America for more than 10 years. He is currently responsible
in REGUS (IWG Parental company) for Workplace Recovery services in Latin
America since 2016.

67
Sanjiv Tripathy
(India Focus)
Sanjiv is a senior Risk leader and has managed Resilience & BCM for a global
banks India set up (RBS Technology) comprising of ~15000 headcount size
distributed over multiple locations working with Senior management / Silver &
Gold global Incident management teams, partnering with businesses such as
Banking business, Operations, Financial services, and Risk services for India wide
organisation (~25000 team size). Conceptualized & implemented fit for purpose
Business Resilience, BC and Disaster Recovery strategies, reviewed them and
implemented improvements as part of major incident review and Regulatory
review. Fostered strong stakeholder relationships, developed specialised team,
managed Resilience & BC critical processes, reviewed BCM program framework
and standards, assessed large global critical 3rd party service providers BCM
capabilities, assessed organizations effectiveness of BC / Resiliency, and
presented BCM preparedness to Internal audit, External auditor and Regulators.
Thomas Wagner
CBCP, MBCI (USA Focus)
Tom is a recognized expert and innovative thought leader in the Business
Continuity Management space with over 25 years’ experience as a practitioner,
management consultant, and technology executive in the financial services
industry. Tom is currently the Managing Director for a major trade association
and he previously served in senior BCM roles at HSBC, Marsh, Gartner, Booz
Allen, and the NYSE. While at Booz Allen, Tom consulted to the President’s
Commission for Critical Infrastructure Protection (PCCIP), the White House
Critical Infrastructure Assurance Office (CIAO / Homeland Security), and
Intelligence Communities where he conducted risk assessments and helped
develop strategies to protect the financial services industry from terrorism and
natural disasters. Tom is also a recognized thought-leader in the IT Controls and
Risk Management space having served as a SME with ISACA ITGI for the on-going
development of CobiT and the IT Risk and Governance frameworks.
Kiyoshi Yoshikawa
(Asia Pacific Focus – Based in Japan)
Mr. Yoshikawa has been a BCM professional for over 15 years in the financial and
manufacturing industries. He started his career as an IT network engineer and
build backup data centers and sites. He brings a sound knowledge of the financial
regulations of the APAC countries and understands the residual risks in the
production lines and supply chain.

68
Thank you to those organizations that assisted with this global effort.
Distributing Organizations: BC Management also greatly appreciates the efforts of those organizations that assisted in this global
effort. Below is a list of participating organizations that assisted in distributing our annual study. The contribution of each individual
organization does not indicate an endorsement of the study findings or the activities of BC Management. This is NOT a complete list of
distributing organizations.

riskonnect.com
sales@riskonnect.com
1.770.790.4700

BCM-Trends-Report-2022-–-Riskonnect-formerly-Castellan.pdf

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a BCM-Trends-Report-2022-–-Riskonnect-formerly-Castellan.pdf

Semelhante a BCM-Trends-Report-2022-–-Riskonnect-formerly-Castellan.pdf (20)

Último

Último (20)

BCM-Trends-Report-2022-–-Riskonnect-formerly-Castellan.pdf