Beruflich Dokumente
Kultur Dokumente
2014 Report
Re-examine and improve your
IT-BCP efforts
42%
Companies that experienced
unexpected downtime of critical
information systems in the past
12 months
26%
Companies that can identify all of
the information systems critical in
maintaining business continuity and
timely recovery
www.pwc.com/jp
Introduction
Today, more companies are working actively with Business
Continuity Planning (BCP) after experiencing the Great East
Japan Earthquake. Ensuring continuity and timely recovery of
business-critical information systems is becoming increasingly
important. Since measures to improve continuity of information
systems, and backup centers, often require a huge investment,
companies therefore need to consider cost-effectiveness of each
measure they plan to take. In particular, it is critical to establish
recovery requirements for each information system based on the
policies regarding which/how business should be continued and
timely recovered based on BCP, and decide on the appropriate
measures.
In this survey, we aim to find out what type of technical
measures are adopted for each recovery requirement in addition
to tracking the progress of measures to improve continuity of
information systems since last year. We hope the results of this
survey will provide you with useful reference for better security
and help you to choose efficient and effective measures to
improve continuity for your information systems.
PwC would like to take this opportunity to express our sincere
appreciation and gratitude for participating in this survey.
PricewaterhouseCoopers Co., Ltd.
Decemver 2013
Methodology
This survey was conducted from September 2, 2013, to October 13, 2013.
The departments responsible for IT-BCP from 1,816 companies were asked to
respond to this survey by mail or e-mail. The results discussed in this report are
based on the responses by 131 companies (response rate of 7.2%). All figures
and graphics in this report were sourced from survey results.
Number of
Percentage
Respondents
Manufacturing
53
41%
Commerce
21
16%
Service
13
10%
6%
3%
32
24%
131
100%
Others
Total
Electricity, gas,
information and
telecommunications
3%
Finance and
insurance
6%
Other
24%
Manufacturing
41%
Service
10%
Commerce
16%
Number of
Percentage
Respondents
> 1 trillion
6%
2%
11
8%
13
10%
43
33%
49
37%
< 10 billion
2%
Unknown
2%
131
100%
Total
Over
Unknown 1 trillion
Below
6% 700 billion 2%
10 billion
1 trillion
2%
2%
500 billion 700 billion
8%
300 billion 500 billion
10%
Table of contents
1. Overview 3
1-1. Executive summary
2. In-depth discussion 9
2-1. Experience of unexpected downtime
10
13
16
20
23
31
3. Glossary 37
4. About PwC 38
5. PwCs IT-BCP services
40
1. Overview
The adoption rate of IT-BCP has been stagnant since last year. Less than
half of all companies provide their employees with regular training and
exercises, checkup, or review after they develop and implement IT-BCP. The
companies are decelerating their efforts for IT-BCP rather than accelerating
them, even though they suffered from frequent natural disasters such as
strong earthquakes, flood, and tornados in the areas around Tokyo after the
Great East Japan Earthquake. In particular, the percentage of respondents
who include measures against electrical power outages, system failures,
and pandemic in IT-BCP grows at a slower pace. Many companies tend
to start developing IT-BCP when a problem occurs. This could be due to
the difficulties in justifying an appropriate budget and introducing new
technologies such as cloud and virtualization.
RTO and RPO understanding have deepened since the Great East Japan
Earthquake. But on the contrary, over 40% of respondents information
systems have yet to define and establish such requirements. One of
the reasons for such slow correspondence may be that RTO and RPO
requirements cannot be decided solely by the Information Systems
Department. As an example, recovery handling needs upper management
to decide on which operation is critical to their business and how severe the
impact is in case of system failure. Also, for the respondents who have set
RTO to less than 1 hour only 20% of systems are on hot-standby (server
ready for immediate switching), which is not an ideal state. We recommend
companies to set RTO and RPO if not already set, and for the companies
who have set requirements to take proactive measures in order to consider
applying new technologies such as cloud to meet the set objectives.
2. In-depth discussion
42%
30%
20%
40%
60%
100%
58%
Not occurred
23%
21%
10%
10%
6%
Power outage
5%
1%
Typhoon, flood-hazard
1%
Fire disaster
0%
0%
Cyber crime
0%
other
80%
3%
(Replied 126 companies)
6 hr - 24 hr
24%
Under 1 hr
20%
1 hr - 6 hr
50%
(Replied 57 companies)
Internal hardware
failure
50%
Internal software
bug
40%
Internal operational
error
30%
20%
External network
error
10%
Networking external
service/system
Power outage
0%
Under 1 hr 1 hr - 24 hr 6 hr - 24 hr Over 1 day
(Replied 52 companies)
20%
Delay in detecting
the trouble
14%
61%
6%
11%
3%
3%
2%
100%
6%
80%
17%
60%
29%
Delay in notifying
concerned personnel
Delay in arrival of handling
personnel (employee)
40%
6%
2%
21%
(Replied 66 companies)
42%
23%
20%
60%
Manufacturing
51%
26%
57%
Commerce
31%
80%
19%
58%
Overall
Service
40%
21%
2%
21%
2%
24%
15%
100%
19%
46%
8%
100%
75%
25%
69%
Other
9%
19%
3%
Planned
Planned within a year
Planned within couple years
Not planned
(Replied 131 companies)
20%
40%
60%
80%
Earthquake
66%
Typhoon, flood-hazard,
fire disaster
66%
34%
Power outage
45%
30%
100%
41%
11%
4%
(Replied 123 companies)
20%
40%
Manufacturing
80%
48%
23%
Overall
60%
29%
21%
36%
Commerce 13%
31%
69%
5%
44%
50%
7%
19%
56%
Service
100%
25%
13% 13%
100%
23%
Other
59%
18%
20%
Difficulty in coordinating
within the supply chain
Difficulty in coordinating with
business partners or contractors
60%
100%
12%
35%
18%
16%
31%
Shortage of manpower
51%
Shortage of skill
and know-how
52%
Shortage of budget
80%
32%
40%
43%
(Replied 118 companies)
41%
25%
Not performed
41%
Irregularly
performed
15%
(Replied 130 companies)
20%
40%
Factor analysis
31%
Start-up of information
system task force
31%
Coordinating with
company-wide task force
Determine the extent of
damage (analyze the root cause)
Switching handling
performed manually
System restore
(e.g. data restore)
80%
100%
25%
27%
Start-up/swithing to
alternate system
User release of
alternate system
60%
41%
24%
20%
45%
(Replied 71 companies)
20%
40%
60%
Tabletop review
80%
100%
57%
Walk through
37%
47%
Simulation
4%
Other
(Replied 68 companies)
20%
Upper Management
40%
60%
80%
100%
10%
User Departments
41%
Information Systems
Department
96%
Customers 0%
Business partners
Contractors
3%
33%
(Replied 69 companies)
20%
17%
Overall
40%
60%
3%
6%
21%
79%
74%
5%
100%
Service
50%
25%
16%
Other
within 1 year
100%
75%
Manufacturing 13% 2%
6%
Commerce
80%
50%
25%
25%
71%
6%6%
over 3 years
within 3 years
25%
Not performed
(Replied 126 companies)
20%
40%
21%
45%
17%
30%
45%
Shortage of skill
and know-how
Shortage of budget
100%
37%
Difficulty in coordinating
with multiple departments
Difficulty in coordinating
within the supply chain
80%
25%
Low awareness of
user department
Low awareness of
information system department
60%
51%
35%
(Replied 106 companies)
37%
51%
Not performed
(not planned)
20%
Not performed
(currently planned)
17%
Periodically
performed
23%
Irregularly
performed
40%
20%
Checked by Developing
Department
60%
80%
100%
89%
Checked by Audit
Department
22%
40%
11%
3%
(Replied 114 companies)
20%
Low awareness of
Upper Management
Low awareness of
User Department
Low awareness of Information
Systems Department
40%
60%
100%
20%
32%
23%
Shortage of manpower
67%
Shortage of skill
and know-how
Shortage of budget
80%
61%
30%
(Replied 102 companies)
6% - 10%
10%
2% - 5%
33%
1% and less
51%
26%
16%
20%
Other
60%
80%
55%
26%
21%
10%10%
62%
33%
10%
42%
50%
100%
8% 9% 2%
60%
29%
40%
17%
8%
50%
75%
28%
25%
47%
6%
13% 6%
Currently identifying
information systems
Planning to identifying
the information systems
Other
2%
Upper
Management
16%
Information System
Department
51%
Risk Management
Department 10%
User Departments
5%
20%
40%
42%
22%
18%
41%
33%
Commerce
100%
32%
4%
43%
6%
24%
58%
50%
80%
35%
33%
Service 8%
60%
50%
75%
22%
25%
41%
31%
6%
20%
40%
60%
80%
100%
30%
Virtualization
14%
2%
20%
82%
VPN/Remote Access
BYOD, BYOX
13%
30%
6%
(Replied 124 companies)
20%
Overall 10%
25%
Core corporate
systems 14%
40%
60%
10%
31%
27%
11%
80%
100%
21%
28%
18%
3%
2%
Internal management
systems 1% 22% 11%
38%
22%
5%
Information sharing
systems
16%
25%
9%
26%
24%
2%
Under 1 hr
Over 1 day
1 hr - 6 hr
Not set
6 hr - 24 hr
Unclear
20%
12%
12%
Core corporate systems
60%
80%
100%
34%
30%
18%
26%
33%
3%
10%
33%
21%
16%
31%
Internal management
systems
For definitions of hot-standby, warm-standby, and coldstandby, see glossary on page 40.
11%
14%
Information sharing
systems
8%
40%
19%
59%
31%
31%
55%
40%
20%
0%
17%
22%
23%
0%
RTO
20%
Under 1 hr
5%
11%
14%
20%
6 hr - 24 hr
5%
4%
25%
Over 1 day
1%
60%
13%
1 hr - 6 hr
0%
40%
28%
Other/Unclear
51%
None apply
20%
29%
40%
60%
1%
2%
43%
22%
100%
3%
2%
2% 16% 2%
(Replied 128 companies)
34%
18%
80%
45%
53%
2%
21%
6%
Information sharing
systems
36%
33%
2%
28%
2%
20%
40%
60%
21%
Core corporate
systems
9%
Internal management
systems
70%
30%
5%
12%
1%
24%
Information sharing
systems
3%
6%
8%
100%
64%
32%
8%
13%
1%
80%
47%
28%
None apply
20%
40%
12%
Core corporate
systems
37%
3%
9%
Internal management
systems
100%
46%
12%
7%
47%
1%
13%
Information sharing
systems
80%
50%
16%
12%
8%
5%
28%
44%
12%
Real time transport to alternalte site
Weekly transport to alternate site
60%
None apply
20%
40%
60%
31%
32%
23%
Restore to the
point of the
cause
80%
100%
5%
Restore to the
day before the
cause
59%
29%
(Replied 93 companies)
20%
18%
Core corporate
systems 15%
40%
24%
60%
25%
5%
26%
30%
7%
80%
25%
20%
100%
4%
2%
Internal management
systems
16%
23%
4%
23%
28%
5%
Information sharing
systems
24%
22%
3%
21%
27%
3%
Unclear
20%
Core corporate
systems
0%
Internal
management
systems
7%
8%
0%
Information sharing
systems
SaaS
9%
10%
40%
60%
80%
100%
23%
(Replied 125 companies)
17%
4%
6%
1%
PaaS
26%
(Replied 126 companies)
IaaS
RaaS
28%
62%
Percentage of inoperable
data centers
23%
28%
40%
77%
1 week
94%
Figure 2-6-1 Fuel stored for in-house power generation in the main
data center
How long can you operate your data center using in-house power
generator and stored fuel?
Over 1 week
6%
No private
power generator
is set 15%
Under 12 hr
8%
72 hr - 1 week
17%
12 hr - 24 hr
5%
24 hr - 48 hr
12%
48 hr - 72 hr
37%
20%
40%
60%
80%
62%
27%
26%
62%
Commerce 5%
29%
67%
Service 8%
25%
67%
38%
100%
50%
75%
13%
25%
72%
Hold or under contract for the backup site with the same specs
Hold or under contract for the backup site with limited functionality
Do not hold or under contract for a backup site
(Replied 130 companies)
20%
40%
60%
80%
6%
81%
50%
21%
21%
23%
13%
To avoid locations
with flight-path
To avoid locations with high impact
of electric/magnetic field
100%
6%
4%
10%
To locate nearby
public transportation
Other
21%
8%
(Replied 52 companies)
No time set
29%
Under 3 hr
24%
3 hr - 12 hr
18%
Over 72 hr
4%
48 hr - 72 hr
3%
24 hr - 48 hr
9%
(Replied 55 companies)
12 hr - 24 hr
13%
Over 72 hr
7%
No time is set
14%
48 hr - 72 hr
11%
Under 3 hr
16%
3 hr - 12 hr
27%
24 hr - 48 hr
13%
(Replied 56 companies)
12 hr - 24 hr
12%
Not used
periodically
18%
Not used
76%
(Replied 54 companies)
Not planned
79%
Maintained as
a document to
be compliant
23%
Not maintained
63%
Maintained as
a document to
be referenced
14%
(Replied 22 companies)
Headquarters to
centrally manage
22%
Other
36%
20%
40%
80%
100%
46%
60%
54%
15%
Difficulty in adjusting
to laws and rules
31%
Security approach
was unsatisfactory
15%
Other
15%
(Replied 13 companies)
3. Glossary
BCP/IT-BCP
BCP
(Business Continuity Plan)
A predefined action plan to continue or resume minimal business activities within the
recovery time objective in a situation where normal business activities cannot be performed because of any large-scale disasters or pandemic of new type of infection.
IT-BCP
An action plan to ensure continuity and timely recovery of relevant information systems
that are required to continue or resume critical business activities within the recovery
time objective when problems such as large-scale disasters or information system failures occur.
walk-through
simulation
Simulation means having participants move to the facilities specified in a BCP and actually operate the equipment. This enables companies to identify and assess the difference between the planned and actual activities.
RTO stands for Recovery Time Objective. This objective defines the time with
which you must be able to recover data to a specified level (RLO).
RLO
(Recovery Level Objective)
RLO stands for Recovery Level Objective. This objective defines the service level to
which you must be able to recover data within a specified period (RTO).
RPO
(Recovery Point Objective)
RPO stands for Recovery Point Objective. This objective defines the point in time to
which work should be restored following an incident.
A redundant method of having a secondary system running simultaneously with the primary (production) system so that the secondary system immediately takes over replacing the production system upon failure. This method enables companies to minimize the
service downtime (hours to seconds) and is very expensive.
warm standby
cold standby
A redundant method of having a secondary system as a backup for the primary (production) system so that the secondary system can be activated when the primary system
fails. This method is inexpensive but takes a few days or more than a week to bring
services back in operation.
PaaS
(Platform as a Service)
A mechanism in which a vendor provides its customers with a platform such as hardware and operating systems based on their needs through a network.
IaaS
(Infrastructure as a Service)
RaaS
(Recovery as a Service)
A mechanism in which a vendor provides its customers with a recovery function of application software and data based on their needs through a network.
IT-BCP Survey 2014 Report 37
4. About PwC
1. PwC Global
PwC is one of the largest professional services networks in the world.
PwC is one of the largest professional services networks
in the world.
PwC * helps organisations and individuals create the
value theyre looking for. Were a network of firms
in 157 countries with over 184,000**people who are
committed to delivering quality in assurance, tax and
advisory services. Tell us what matters to you and find
out more by visiting us at www.pwc.com.
Assurance/Advisory/Tax
Asia Pacific
59,103 people
79,509 people
45,623 people
Revenue
Locations
157
countrie
776
cities
US$
People **
184,235
32.1 billion
people
2. PwC Japan
We offer clients total service as One Firm
PwC Japan represents PricewaterhouseCoopers Aarata,
PricewaterhouseCoopers Co., Ltd., Zeirishi-Hojin
PricewaterhouseCoopers, and their subsidiaries. Each
entity is a member firm of the PwC global network
in Japan, or their specified subsidiary, operating as a
separate legal entity, and we are closely allied in the
work we do.
Given the increasing complexity and diversity of
issues faced by corporate managers, PwC Japan
offers a One Firm approach in which our unrivaled
expertise in assurance, advisory, and tax services are
seamlessly integrated and coordinated. With such
one-stop comprehensive services and an extensive
global network, PwC Japan with its partners and staff
of about 4,000* can provide the professional services
necessary to satisfy the needs of our clients.
PricewaterhouseCoopers Aarata
PricewaterhouseCoopers Kyoto
Assurance
Tax
Compliance
IFRS Conversion,
Internal Control,
Regulatory Compliance,
Sustainability,
IPO Advisory
Comprehensive services
for multiple issues
Tax
M&A,
Business Recovery,
Dispute Analysis
Advisory
Zeirishi-Hojin
PricewaterhouseCoopers
38 Re-examine and improve your IT-BCP efforts
PricewaterhouseCoopers
Co., Ltd.
15 June 1999
Representative
Staff
Approx. 1,300
Offices
URL
www.pwc.com/jp/e/advisory
Location Tokyo
Sumitomo Fudosan
Shiodome Hama-Rikyu Bldg. 8-21-1 Ginza,
Chuo-ku, Tokyo 104-0061
Tel: +81 3-3546-8480 Fax: +81 3-3546-8481
Osaka
Industries
Manufacturing
Solutions
Automotive
Industrial manufacturing
Chemicals
Pharmaceuticals &
life Sciences
Energy, utilities & mining
Engineering & construction
Communications
Media
Communications
Entertainment & media
Technology
Finance
Financial services
Banking & capital markets
Asset management
Insurance
Retail/Services
Government
Public services
Retail & consumer
Transportation & logistics
Hospitality & leisure
Trading/Healthcare
Government/Public Services
Deal Advisory
Business Recovery Service/Corporate Finance/Delivering Deal Value/
Transaction Services/Valuations & Modelling
Public Private Partnership(PPP) &Infrastructure
Consulting Service
Strategy/Operations (CRM/SCM)/People & Change /Finance & Accounting
Technology/Governance, Risk & Compliance
Description
Analyze business dependency on IT
Planning
assistance
IT-BCP
development
assistance
Building
assistance
IT-BCP
audit assistance
Internal audit
assistance
Contractor
audit
Effectiveness assessment
of IT-BCP
Survey of
current status
Selection, building,
and relocation of
data centers/
backup centers
Define criteria for selection and select data centers based on the defined
requirements
Estimate the required cost of relocation and building
Create a project plan for relocation
Implementation
assistance
Architecture Development
assistance to
improve the availability of
information systems
Create a plan and procedure for data center relocation and develop a
contingency plan
Relocate the system and conduct a test to ensure the relocated system can
operate successfully
advise on how your future data center should be transformed by using multiple
data centers, cloud computing, virtualization, mobile computing, thin client,
etc.
Implement the IT infrastructure that enables distributed offices and teleworking
Note: The services shown above are only a part of the IT-BCP services provided by PricewaterhouseCoopers Co., Ltd.
PwC can provide assistance in various forms that best match your specific needs.
Contact
Technology, Consulting Group
PricewaterhouseCoopers Co., Ltd.
Tel: +81 3-3546-8480
Maki Matuzaki
Partner
maki.matsuzaki@jp.pwc.com
Naoki Yamamoto
Director
naoki.n.yamamoto@jp.pwc.com
Motoki Sawada
Senior Manager
motoki.sawada@jp.pwc.com
Seigo Ichihara
Senior Manager
seigo.ichihara@jp.pwc.com
PwC firms help organisations and individuals create the value they are looking for. We are a network of firms in 157 countries with more than 184,000 people who are
committed to delivering quality in assurance, tax and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com.
PwC Japan represents PricewaterhouseCoopers Aarata, PricewaterhouseCoopers Kyoto, PricewaterhouseCoopers Co., Ltd., Zeirishi-Hojin PricewaterhouseCoopers
and their subsidiaries. Each entity is a member firm of the PwC global network in Japan, or their specified subsidiary, operating as a separate legal entity.
Japanese Version Published: December 2013 Control No: I201311-7 www.pwc.com/jp/ja/advisory/research-insights-report/it-bcp-survey2014.jhtml
English Version Published: May 2014 Control No: I201311-9 www.pwc.com/jp/ja/japan-knowledge/report.jhtml
2014 PwC. All rights reserved.
PwC refers to the PwC Network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.