EY's Africa Resilience Survey 2016


For more information, please visit: ey.com/za

Foreword

Welcome to EY's Africa Resilience Survey 2016, our first annual survey, which investigates the status of the African resilience landscape. We are pleased to release the survey, with participants drawn from all major industries across Africa. This report is based on insights from our Africa experience of working with clients on improving their resilience solutions. The report looks to explore the changes to the African risk landscape, the status of resilience, and the interdependencies on other associated initiatives within resilience environments.

The objective of the survey was to obtain the views of business continuity and resilience professionals, and we believe the results will contribute to an enhanced understanding of sector, country, regional, and continental resilience practices in Africa. Although all areas of resilience are interlinked, the outcomes of the survey have been categorised into the following three areas: governance, business continuity management programme and investment.

The responses received have highlighted that there is a growing awareness and appreciation across different sectors and industries on the continent regarding the value of developing and maintaining robust resilience programmes and capabilities. There are also visible strides towards the appropriation of the necessary resources towards resilience. However, these positive gains are not consistently spread across the entire institutional landscape, and as such there is still significant commitment and effort required, particularly at strategic echelons, to ensure the embedding of a resilience culture within the different organisations.

Risk is a much more risky proposition than it used to be. New risks emerge every day as markets get disrupted, political instability interrupts supply chains and new technology pushes boundaries across the risk landscape.
Yet, while many organisations see risk as a negative, a good resilience programme can actually help companies become more effective. The Business Continuity Institute's Good Practice Guideline (GPG) defines resilience as an adaptive capacity of an organisation in a complex changing environment. Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organisation and the impacts to business operations, should an incident occur, and further provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Resilience, as a whole, cannot be the responsibility of any one department or member of the board. Unforeseen events have the potential to impact every level of an organisation in different, and often not easily recognisable, ways. The aim of any business should be to continue towards a mature resilience programme, creating valuable techniques that assist the organisation in preparing to the best of its abilities.

We would again like to thank the respondents for devoting their time to completing the survey.

Edward Okaro
Africa Cyber Security Leader
edward.okaro@za.ey.com

Gaining an overview of the Africa resiliency environment

EY conducted an Africa Resilience survey over the last several months to explore the current Africa resilience landscape and the interdependencies on other associated initiatives within resilience environments. Initially, organisations develop capabilities that help them react to disruptive threats. Over time, many become adept at proactively applying controls to prepare and mitigate disruptive events. Ultimately, organisations that develop capabilities to resist unknown threats, and are able to return to normal activity after disruption, achieve resilience.

[Figure labels: Resilience; Business Continuity Management (BCM); IT Disaster Recovery (IT DR)]

Resilience: The sources of risk extend beyond the scope of traditional risk approaches, including Information Technology Disaster Recovery (ITDR) and Business Continuity Management (BCM). Constant innovation is required by organisations to prepare for, and insure against, unknown material disruptive events. A resilient organisation constantly seeks to explore its potential vectors of vulnerability and establish mechanisms to eliminate them.

Business Continuity Management: Organisations begin to deal with a wider range of unpredictable consequences from traditional threat types (e.g. loss of premises, loss of utilities, third party or personnel) and, due to increased complexity and challenge, they develop processes to manage business continuity.

IT Disaster Recovery: Limited by the knowledge and experience of previous types of known and foreseeable technology threats (system failure, viruses, etc.). Therefore its value is limited in some contexts.

[Survey areas: Governance; BCM programme; Investment]

Governance

The resilience model includes the programme structure, communications, policies, standards, compliance measures and reporting necessary to successfully measure and control process and systems. The Horizon Scan Report 2016 results demonstrated that the broad adoption of standards for governance assists in providing supplier and customer assurance, as well as protecting reputation and brand, reducing business interruption and building greater resilience against disruption.

Figure 1: Most organisations require a good resilience programme to ensure that they are able to recover their critical functions in the event of a disaster. However, this study has shown that only 23% of organisations are able to regain all critical functionality within the approved Recovery Time Objectives (RTOs). This is due to the existence of a resilience programme implemented to some degree.

Figure 1: How mature is your organisation's resilience programme?
Level 1 - Cannot recover from or survive a disruption (BCM programme does not exist)
Level 2 - Can recover limited business processes via information and undocumented methods
Level 3 - Can recover some critical functions within approved RTOs
Level 4 - Can recover all critical functions within approved RTOs
Chart values: 23%, 6%, 3%, 45%, 23%

Figure 2: More than 62% of organisations have reported aligning their Resilience programme with the ISO Standard [Societal Security Business Continuity Management Systems Requirements], and a further 19% implement their solution in accordance with the Business Continuity Institute (BCI) Good Practice Guidelines (GPG). These statistics align to those reported in the BCI's Horizon Scan Report 2016, showing that more than half (51%) of organisations globally report using ISO as a framework for their BCM programmes.

Figure 2: What framework are you using to implement your resilience solution?
Legend: BCI Good Practice Guidelines 2013; ISO; None; Other
Chart values: 3%, 16%, 19%, 62%

Figure 3: The key to a successful resilience programme within an organisation often depends on the amount of Executive involvement. Based on responses received, 47% of participants report having full Executive involvement, with resilience featuring on Executive agendas and executive participation throughout implementation, and a further 38% of organisations have partial involvement. The lack of Executive involvement (6%), or even only partial Executive involvement (38%), can impact the buy-in and success of a resilience solution, affecting the pace at which the resilience programme matures.

Figure 3: Does your resilience programme have Executive involvement, i.e. does resilience feature on the Executive agenda and are they involved in the implementation of the resilience programme?
Legend: Full Executive involvement; No Executive involvement; Partial Executive involvement
Chart values: 38%, 9%, 6%, 47%

Figure 4: In accordance with the BCI Good Practice Guidelines 2013, business continuity professionals are responsible for raising awareness throughout the organisation in order to better understand, plan, and execute a response to challenges and risks arising from rapidly changing laws, regulations, policies, and standards. BCM awareness has the potential to deliver significant value across an organisation, including awareness of the programme and an employee's specific role within the business continuity efforts, ensuring plans are implemented effectively and efficiently, and growing the programme maturity through in-depth review and revision. Across organisations, awareness at Strategic (33%), Tactical (27%) and Operational (33%) levels is lower than anticipated, as depicted in Figure 4 below. Effective awareness initiatives will certainly enhance an organisation's ability to respond to an incident.

Figure 4: At which levels within your organisation does BCM awareness exist?
Legend: Strategic; Tactical; Operational
Chart values: 33%, 27%, 33%, 7%

BCM Programme

As defined by the Business Continuity Institute in the Good Practice Guidelines 2013, a Business Continuity Management Programme is an ongoing management and governance process supported by Top Management and appropriately resourced to implement and maintain Business Continuity Management.

Figure 5: Occupational Health and Safety (OHS) is a crucial component of an effective BCM programme; however, this is not reflected through the statistics provided in Figure 5, as only 33% of organisations have a certified programme in place, with 27% having implemented an uncertified OHS programme, and 30% having partially implemented an OHS programme.

Figure 5: What is the current status of your Occupational Health and Safety programme?
Legend: Certified; Implemented, but not certifiable; Partially implemented
Chart values: 30%, 10%, 33%, 27%

Figure 6 & 7: As defined in BS [Crisis Management Guidance and Good Practice], Crisis Management is the development and application of the organisational capability to deal with crises, which includes the need for, and execution of, an effective crisis communication plan. Only 48% of organisations currently conduct crisis simulations, which are tested annually (50%), every six months (14%) and every two years (7%). The lack of crisis simulations at Executive level (42%) is concerning, as ineffective media communication could have negative financial and reputational impacts on an organisation during an incident.

Figure 6: Are crisis simulations currently conducted at executive level?
Legend: Yes; No
Chart values: 10%, 42%, 48%

Figure 7: If crisis simulations are conducted, how often are they conducted?
Legend: Annually; Every six months; Every second year
Chart values: 50%, 14%, 7%, 29%

Figure 8 & 9: Effective business continuity plans can assist in the efficient recovery of an organisation's critical functions. Most organisations currently have continuity plans in place (77%), with 75% of organisations referring to their implemented plans during an incident. Organisations without plans in place (19%) face greater financial, reputational and stakeholder risk.

Figure 8: Does your organisation currently have continuity plans?
Legend: Yes; No
Chart values: 19%, 4%, 77%

Figure 9: If your organisation experiences an incident impacting its operations, do you refer to your implemented plans?
Legend: Yes; No
Chart values: 17%, 8%, 75%

Figure 10 & 11: Continuity plans should be tested often to ensure that they are at all times relevant to the business and can effectively recover operations. Plans are tested annually (25%), every six months (17%), every two years (17%) or on request from business (8%). A variety of testing methods are used by respondents to ensure the validity of the plan, namely scenario-based testing (32%), component testing (24%), integrated testing (17%), live runs (12%) and unannounced testing (15%).

Figure 10: How often do you test your continuity plans?
Legend: Annually; Every six months; Every second year; Only on request from business
Chart values: 33%, 25%, 8%, 17%, 17%

Figure 11: What level of testing is conducted in your organisation?
Legend: Scenario; Component; Integrated; Live runs; Unannounced
Chart values: 12%, 15%, 32%, 17%, 24%

Figure 12: A crucial component of continuity plans and the ability to recover critical functions is ensuring that IT disaster recovery (ITDR) / IT service continuity (ITSC) is in place for the recovery of all systems and data. Only 29% of organisations currently have ITDR / ITSC plans in place for all of their critical activities, with 10% of organisations only having plans for some of their critical functions. A further 10% of organisations do not have any plans in place and 51% are not aware as to whether plans exist within their organisation.

Figure 12: Do you have ITDR / ITSC plans?
Legend: Yes, for all critical activities; Yes, but only for some critical activities; No
Chart values: 29%, 10%, 10%, 51%

Figure 13: Cyber attacks remain one of the primary concerns globally, as confirmed in the BCI Horizon Scan Report. Only 28% of respondents' organisations in the EY Africa Resilience survey reported having a Cyber solution in place, indicating this as an area requiring immediate attention.

Figure 13: Does your organisation currently have a Cyber solution?
Legend: Yes; No
Chart values: 28%, 36%, 36%

Investment

A good resilience programme is necessary to protect an organisation, and in particular, its future. Increased investment can have an impact on financial returns, as well as non-financial returns, including achieving integration and efficiency, competitive advantage and team building by creating a strong Business Continuity culture.

Figure 14: Trend analysis is utilised by many organisations to understand how the business is performing, and to predict where current operations and practices will take the company. Currently only 11% of organisations perform a longer-term trend analysis, 22% have different functions performing their own trend analysis and 52% are not performing or utilising any trend analysis.

Figure 14: Is trend analysis performed/utilised in your organisation?
Legend: Yes, this is performed by an in-house corporate function; Yes, however many different functions conduct their own analysis; No, we do not perform/utilise trend analysis
Chart values: 11%, 22%, 52%, 15%

Figure 15 & 16: As the potential risks that could impact an organisation increase, so does the necessity for investment in a resilient solution that will protect and recover its critical functions. Organisations are more likely to invest in BCM implementation (46%) and ITDR / ITSC solutions (35%) to recover their business than in process refinement (13%). With these investments, 46% of organisations are likely to increase their spend on resilience, with 18% maintaining the same amount as in 2015 according to project scope, a further 7% decreasing the resilience budgets, and 7% leaving resilience out of their budgets.

Figure 15: What would your organisation be likely to invest in?
Legend: ITDR / ITSC Solutions; BCM Implementation; Process Refinement
Chart values: 13%, 6%, 35%, 46%

Figure 16: Is your organisation likely to invest more in resilience?
Legend: Increase resilience spend in 2016 to meet the needs of new requirements; Maintain the same amount of spend as in 2015 for the project scope; Cut resilience budgets in 2016, limiting the scope and progress of the programme; Do not have a resilience budget
Chart values: 46%, 18%, 7%, 7%, 22%

Figure 17: Resilience programmes are owned and implemented through various methods; however, organisations need to ensure that the programme is tailored to their requirements and can effectively recover operations. Based on the outcomes of this survey, organisations are still relying on the assistance of an external service provider to implement their BCM programmes (58%), yet still ensuring they own the solution internally. Only 32% of organisations own and implement their own resilience solutions.

Figure 17: Is your resilience solution implemented through your internal capability resources or through an external service provider?
Legend: Owned and implemented internally; Owned in-house, but implemented in full through an outsourcer (full reliance on an outsourcer); Owned in-house, but implemented with the assistance of an external service provider; Resilience solution not implemented
Chart values: 7%, 3%, 55%, 32%, 3%

Addressing the gaps

Significant socio-economic growth and development prospects have been identified and are being pursued across Africa. This, coupled with the continent's socio-political environment, poses increased risks for organisations and institutions operating on the continent, thereby necessitating increased levels of resilience.

The EY Africa Resilience survey has provided a snapshot into the current state of organisational resilience across the continent. From the survey it is clear that organisations across Africa are at differing resilience maturity levels, and as such, much more needs to be done from a governance, programme and investment perspective to achieve acceptable resilience levels across the continent.

EY assists organisations across the continent to develop and maintain robust resilience programmes. Our methodology and approach are aligned to the international standard ISO 22301, which is the only certifiable standard of the ISO/IEC for Business Continuity and adopts the process model Plan-Do-Check-Act (PDCA), which is applied to the structure of all the processes in a Business Continuity Management System (BCMS). The figure below illustrates how a BCMS uses the requirements concerning business continuity and the expectations of the stakeholders as inputs, and how it produces the results that meet the requirements and expectations. The ISO Plan, Do, Check, Act process is depicted in the diagram below.

[Figure: Continual Improvement of Business Continuity Management System (BCMS). Plan (Establish); Do (Implement and operate); Check (Monitor and review); Act (Maintain and improve). Interested Parties: Requirements for Business Continuity. Interested Parties: Managed Business Continuity.]

The EY resilience approach helps build capability across the six phases of the Resilience Cycle: Sense; Resist; React; Adapt; Reshape; and Lead. The solution empowers organisations to be able to embed resilience within their organisational culture, and to maintain their programmes independently, thereby ensuring sustainability.

[Figure: Resilience Cycle. Stages: Pre disruption; Disruption; Post disruption. Phases: Sense; Resist; React; Adapt; Reshape; Lead. ISO sections shown: Sec. 4 (Context); Sec. 5 (Leadership); Sec. 6 (Planning); Sec. 7 (Support); Sec. 8 (Operation); Sec. 9 (Performance Evaluation); Sec. 10 (Improvement).]

EY has a footprint across a number of African countries, which allows for greater coverage and accessibility to our clients.

Methodology

Respondents were asked 19 questions based on their activities and investment in the status of their resilience and interdependencies. As a first survey, the main grouping of respondents were from South Africa (66%), from the rest of Africa (12%) and others were unknown (22%). Respondents included executives, senior management, management and support.

[Chart: respondent roles. Labels: Other; Support; Executive; Management; Senior Management. Chart values: 2%, 4%, 14%, 16%, 24%, 38%]

[Chart: respondent functions. Labels: Facilities Management; Finance; IT/ICT; Operations; Risk Management; Strategy & Policy; Other. Chart values: 2%, 2%, 12%, 6%, 44%, 8%, 4%, 22%]

Our evaluation of the resilience landscape was conducted through a web survey tool to companies throughout Sub-Saharan Africa between July - September

About EY's Advisory Services

In a world of unprecedented change, EY Advisory believes a better working world means solving big, complex industry issues and capitalising on opportunities to help deliver outcomes that grow, optimise and protect clients' businesses. From C-Suite and functional leaders of Fortune 100 multinationals to disruptive innovators and emerging market small and medium-sized enterprises, EY Advisory teams with clients from strategy through execution to help them design better outcomes and deliver long-lasting results. A global mindset, diversity and collaborative culture inspire EY consultants to ask better questions. They work with the client, as well as an ecosystem of internal and external experts, to co-create more innovative answers. Together, EY helps clients' businesses work better.

The authors

Louise Theunissen
Senior Manager
Tel:
louise.theunissen@za.ey.com

Renata Lawton-Misra
Associate
Tel:
renata.lawtonmisra@za.ey.com

Acknowledgements

We would like to thank the Business Continuity Institute (BCI) for supporting this first EY Africa Resilience research initiative. We also acknowledge and thank Laura Ferreria for assistance with the web survey technology.

EY | Assurance | Tax | Transactions | Advisory

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com

EYGM Limited. All Rights Reserved
Creative Services ref Artwork by Gumede.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.

ey.com