Magic Quadrant for Business Continuity Management Planning Software
26 August 2013 ID:G00217265 Analyst(s): Roberta J. Witty, John P Morency
VIEW SUMMARY
The 2013 business continuity management planning market, in which there is no perfect product, has a 2012 revenue estimate of $130 million, 30% more than our 2010 estimate. This Magic Quadrant ranks 18 enterprise-class vendors.
Market Definition/Description
BCMP products have been in the market for more than 20 years, growing from word-processing templates to sophisticated, interactive decision support products. The increased need for usable recovery plans of all types (see Note 1), as well as for a consistent and repeatable plan development process, has resulted in increased sophistication in the products. In addition, they now integrate with other BCM products, such as emergency or mass notification service (EMNS) and crisis/incident management (C/IM), GIS/geospatial, IT asset management, change and configuration management database (CCMDB), and more. Mature BCM programs use BCMP products for business and program management analysis, with a goal of building more resilience into the day-to-day business process.
A BCMP product will typically include the following components:
- Risk assessment for BCM (more clearly differentiated from the business impact analysis [BIA] due to governance, risk and compliance [GRC] product influence)
- BIA — a core BCM activity
- Business process and IT dependency mapping
- Resource libraries of business and IT equipment, processes, personnel, facilities, third parties (suppliers/vendors), etc.
- Plan development and management
- Workflow management for plan development and maintenance actions
- Analytics capability to provide BCM program metrics so that the appropriate investments can be made in risk mitigation controls, day-to-day operations and recovery operations
Some products include additional features, such as:
- A modeling capability that lets the organization assess the impact on the business as a result of an outage — whether it be an application, location, business process, third party, etc.
- An exercising capability that assists organizations when they test the functionality of their recovery plans
- A lighter-weight C/IM function that can be used when the organization experiences a business disruption and, therefore, needs to execute its recovery plans; this function should not be confused with pure-play C/IM products in the market that provide a much richer set of functions than those described in this research
With over 30 vendors, the BCMP market has a 2012 revenue estimate of $130 million, a 30% growth since our 2010 estimate of $100 million. Average revenue growth for 2009 to 2010, 2010 to 2011, and 2011 to 2012 is 33.3%, 18.6% and 19%, respectively. Pricing for this market remains very competitive for the simpler implementation; pricing for large, multinational implementations can be in the six figures or higher. Large or regulated enterprises, as well as government agencies, are typical users of these products, while small and midsize firms are increasingly looking to use them so they can provide structure and standardization to a BCM program, even one just starting out. The financial services market and organizations with complex business operations lead in the number of implementations and vendor marketing efforts.
The significant growth in adoption of BCMP products, as measured in our annual security and risk management survey — 23.8% from 2010 to 2011; 8.5% from 2011 to 2012 and 51% from 2012 to 2013 — is an indication that organizations are realizing the importance of the use of these products to help standardize and manage recovery plan development, as well as management of the BCM program itself. (Note: The question response option in the 2013 survey was combined with risk assessment and BIA. In prior years, the survey question response options were separated.)
Having current, effective and exercised recovery plans is the key to success during a disaster, and these products are essential for effective BCM response, recovery and restoration activities. We anticipate adoption to continue to grow during the next five years, given the increased focus from government agencies — federal, state and local — as well as private-sector preparedness initiatives. Some of this additional growth will come through the GRC product market: more GRC vendors are providing BCMP capability as part of a broader operational risk management program.
STRATEGIC PLANNING ASSUMPTION
By 2015, 80% of organizations at a Level 4 maturity level for their business continuity management (BCM) program will be using BCM planning (BCMP) products to help them perform recovery plans and exercise management, as well as to analyze and manage BCM program metrics.
EVIDENCE
1 Gartner provided the 18 vendors included in this Magic Quadrant with a survey resembling an RFP (see "Toolkit: Business Continuity Management Planning Software RFP Template, 2012"), with multiple questions for each evaluation criterion. The completed surveys were returned in December 2012 and January 2013. In addition to the vendor survey, in-depth vendor briefings regarding product, portfolio, strategy and messaging were conducted with each vendor. Sixty-two customer reference checks were conducted — 59 through a 23-question online survey and three through phone calls.
2 Gartner takes hundreds of calls annually regarding the BCMP market; it made up 18.5% of our call volume from July 2010 through April 2013. These calls also inform our understanding of the market and vendor capabilities.
NOTE 1 TYPES OF BUSINESS CONTINUITY MANAGEMENT/RECOVERY PLANS
Following are the various types of BCM/recovery plans:
- Damage assessment
- Emergency response
- C/IM
- Crisis communications
- External communications
- Business process/department recovery
- Location logistics
- Evacuation procedures
- Insurance support
- Travel support
- Legal support
- Procurement/vendor management
- Customer/partner support
- Shelter in place
- IT recovery
- Business recovery
- Business resumption
- Third-party availability management
- Restoration
- Stand-down
- Devolution/resolution
In "Hype Cycle for Business Continuity Management and IT Disaster Recovery Management, 2013," we moved the BCMP market position by one spot to post-trough 15%, from the 2012 BCM Hype Cycle position of post-trough 10%, and placed BCMP as early mainstream adoption with 20% to 50% penetration of the target audience and as having a benefit rating of high out of a four-point scale (see Note 2).
This BCMP product Magic Quadrant is a market snapshot that ranks vendors according to competitive buying criteria. Vendors in any sector of the Magic Quadrant, as well as those not ranked on the Magic Quadrant, may be appropriate for your enterprise's needs and budget.
Magic Quadrant
Figure 1. Magic Quadrant for Business Continuity Management Planning Software
Source: Gartner (August 2013)
NOTE 2 GARTNER HYPE CYCLE BENEFIT RATING SCALE
Table 3. Hype Cycle Benefit Rating Four-Point Scale
Benefit Rating: Definition
Transformational: Enables new ways of doing business across industries that will result in major shifts in industry dynamics
High: Enables new ways of performing horizontal or vertical applications that will result in significantly increased revenue or cost savings for an enterprise
Moderate: Provides incremental, but significant, improvements to established processes that will result in increased revenue or cost savings for an enterprise
Low: Slightly improves processes (for example, improved user experience) that will be difficult to translate into increased revenue or cost savings
Source: Gartner (August 2013)
EVALUATION CRITERIA DEFINITIONS
Ability to Execute
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Completeness of Vision
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.
Vendor Strengths and Cautions
Avalution Consulting
Avalution Consulting is headquartered in Cleveland, Ohio. It is a privately held company with an employee head count of 15 dedicated to the BCMP product. The BCMP product version evaluated for this Magic Quadrant was The Planning Portal (TPP) version 2012; the current version is TPP 2013. With a BCMP offering in place since 2005, the reported number of BCMP product customers for this evaluation period was 28. The key markets supported are financial services (including insurance), life sciences, healthcare and nonprofits. TPP is offered only in a vendor-hosted delivery model. The product architecture for TPP is based on Microsoft SharePoint 2010.
Strengths
Avalution's BCM consulting practice is recognized as strong in the market. The vendor's consulting lead is the U.S. representative to the International Organization for Standardization (ISO) for ISO 22301:2012 standard development. Customer references report a very strong customer service capability, ease of implementation and total cost of ownership. Avalution was the only vendor that reported that its BCM operations — located in a SAS 70 Type II data center — are BS 25999-certified. All development work is subject to a formal quality assurance and testing process, including product beta testing with the customer. TPP operations recovery is tested on a quarterly basis. Customer support is through a toll-free help line with a two-hour response time 24/7 for emergency issues. In terms of specific product features, TPP has average capability for workflow management, strong ease of reporting, very good ease of use experience and average customization capability. The offering has a risk register and a preloaded set of risks against which a risk assessment can be performed. TPP shows the last approved version of a document versus the current document being worked on. AES-256 is used to encrypt data at rest in the database, and TLS 1.0 is used for data encryption during transit. C/IM is a built-in component of TPP. TPP has a mobile Web application that enables users to access their recovery plans and the live C/IM portal on TPP via their iOS, Android or BlackBerry device. Recovery plans can be printed in more than PDF format. Single sign-on is supported. TPP offers the best price comparison — coming in at less than half of the median pricing example. Its pricing model is based on the number of plans and BIAs; Avalution offers a multiyear discount and a small or midsize business (SMB) pricing option.
Cautions
All internal staff for sales, customer call centers and support engineers is U.S.-based only. Production availability service levels are managed only to a 99.99% service guarantee level with a recovery time objective (RTO) of four hours and a recovery point objective of four hours. Data centers are in the U.S. only — in Virginia and Illinois. Partnerships with other BCM vendors, professional services, resellers/value-added resellers (VARs) are limited, compared with other BCM product vendors, thereby limiting Avalution's market penetration and sales performance. Drag-and-drop support for customization is not provided. The BIA capability does not automatically calculate RTOs. Suppliers/vendors are considered a resource managed as all other resources. The vendor's internally provided EMNS capability is limited to phone, email and SMS endpoint support. The user interface supports English only.
BOLDplanning
BOLDplanning is headquartered in Nashville, Tennessee. It is a privately held company with 21 employees dedicated to BCMP. The BCMP product version evaluated for this Magic Quadrant was BCplanner.com v.6.8; the current version is 10.4. With a BCMP offering in place since 2004, the reported number of BCMP product customers for this evaluation period is 170. The key markets supported are state, local and municipal government agencies (including municipal airports); higher education institutions; courts and healthcare. The product is offered only in a vendor-hosted delivery model. The product architecture is based on Windows 2003 Server, Internet Information Services 6.0, Adobe ColdFusion v.7 and Microsoft SQL Server 2005.
Strengths
BOLDplanning has a very strong focus on government, including continuity of operations (COOP), Department of Homeland Security's (DHS's)/Federal Emergency Management Agency's (FEMA's) National Incident Management System (NIMS)/Incident Command System (ICS), the U.S. National Response Framework, and Federal Continuity Directives 1 and 2. BCplanner.com is the best product for government organizations. Customer references report that the product is cost-competitive for the functionality and that BOLDplanning has very good customer service. Customer references also report that the product is easy to use. The vendor has very strong partnerships with emergency management consultancies, strengthening its market penetration and sales performance. In terms of specific product features, the user interface makes the product more easily usable by a broader community. The product has strong reporting capability, strong customization with drag-and-drop support, very good workflow capability and very good risk assessment capability with a preloaded set of risk content. It also has a comprehensive help facility. BCplanner.com has an excellent built-in C/IM module. The online chat room feature is a nice addition for a BCMP product — something usually only found in EMNS products. BCplanner.com has the best set of plan templates — both in terms of breadth and depth, including COOP, continuity of government (COG) planning and emergency operations planning (EOP). BOLDplanning provides template text preloaded into the templates — a unique feature that the other vendors in this Magic Quadrant do not support due to a perceived liability risk if a customer uses a vendor-populated recovery plan and fails in the process. AES-256 encryption is used for data encryption at rest for both database and file storage. BOLDplanning uses 256-bit SSL for encryption in transit, although they allow users to downgrade their encryption in transit security in support of government agency customers. BOLDplanning has separate product versions for government versus the private sector. Recovery plans can be printed in more than PDF format. The user interface supports English and Spanish only. For the BCMP vendor-hosted/software as a service (SaaS) delivery model, BOLDplanning offers a 99.999% service-level guarantee. The vendor's server infrastructure was upgraded in mid-2012 to utilize multiple servers in Virginia and Oregon with automatic failover. Data center operations failover times are on the order of a few minutes and do not result in the loss of customer data. The vendor's data center operations are audit-tested by a third party on a quarterly basis. Upon request from existing customers, complete and full audit reports are provided. Pricing is based on organization head count. Comparison pricing was on target with the median pricing example. BOLDplanning offers a "try before you buy" option, as well as a multiyear discount.
Cautions
All internal staff for sales and customer call centers, as well as support engineers, are U.S.-based only. Currently, the product has very limited multilanguage support. The vital record data object can be used to represent too many different resources, such as business processes, applications and data; instead, it should break out resources (IT, form, report, facility, etc.) as discrete boxes with a comment field to help manage and report impact data in a more structured way. The vendor's BIA capability does not automatically calculate RTOs and it should break out the business impacts into separate data entry fields. In addition, peak time frames are not supported, impact time frames are predetermined by BOLDplanning and adding questions to BIA surveys is not always possible by the customer — the customer may need BOLDplanning intervention to accomplish this task. The vendor's internally provided EMNS capability is limited in endpoint support. Suppliers/vendors are considered a resource managed as all other resources. There is no single sign-on support. Training fees apply.
Business Protector
Business Protector, a Metric One Company, is headquartered in Irvine, California. It is a privately held company with a total employee head count of 17. The BCMP product version evaluated for this Magic Quadrant was Business Protector version 5.0; the current version is 6.0. With a BCMP offering in place since 1986, the reported number of BCMP product customers for this evaluation period was 212. The key markets supported are financial services, including insurance; discrete manufacturing; and energy firms. The product is offered using SaaS and on-premises delivery models. The product architecture is based on Microsoft Windows Server (up to 2008 R2), IIS (up to 7.5) and SQL Server (up to 2008 R2). Version 6.0 of Business Protector was released in May 2013 and supports SQL 2012. Note: The vendor did not provide revenue numbers, but did provide the percent revenue change year over year.
Strengths
The acquisition by Metric One offers Business Protector a stronger data center operations environment — one based on cloud computing. It also offers a larger professional services arm that can take the Business Protector product to a larger and broader set of customers. Customer references report that a key reason for choosing this product is the vendor's flexibility in customizing the product to meet its BCM need as well as the cost competitiveness of the product. For the BCMP vendor-hosted/SaaS delivery model, the vendor offers a 99.999% service-level guarantee. Data center operations are split across two continents: California in the U.S. and London in the U.K., significantly reducing the impact on the customer if Business Protector incurs a disruptive event. Security and recovery audits are conducted on an annual basis. In addition, strong customer data protection controls are in place and are evolved as needed. Partnerships for sales execution are very good, with an interesting one for organized labor risk management assessments for events such as strikes and workplace violence. In terms of specific product features, there is very good ease of reporting capability, very good ease of use, and good ease of customization, with drag-and-drop support. EMNS partnerships are through top-tier EMNS vendors. Suppliers/vendors are considered a resource managed as all other resources. The product supports good workflow capability, very good risk assessment capability and very good BIA capability. SAML single sign-on support is available. Customer data is encrypted at rest using SQL 2010 encryption support. Data is encrypted in transit using 256-bit encryption. The user interface supports multiple languages through Unicode support. Industry-specific versions of the product are available. Comparison pricing is very good — lower than the median pricing example. The vendor's pricing model is based on both concurrent and named users — those requiring a user ID and password. The vendor offers a multiyear discount as well as SMB and nonprofit pricing options.
Cautions
Currently, there are limited customer networking and information sharing forums outside of special forums at the national BCM conferences in the U.S. Major product releases do not occur as frequently as releases from competitors. There is no native mobile device app for plan access. The BIA capability does not automatically calculate RTOs. The vendor charges a setup fee for product implementation.
Continuity Logic
Continuity Logic is headquartered in Fairfield, New Jersey. A privately held company, it has an employee head count of 29 dedicated to its BCMP product. The evaluated BCMP product version was Front Line Live 4.6; the current version is 4.9. The reported number of BCMP product customers for this evaluation period was 50. The key markets supported are consumer services, financial services, healthcare, insurance and healthcare. The product is offered using SaaS and on-premises delivery models. Its architecture is based on Microsoft SharePoint 2007, IIS 7.0 (or greater) and SQL Server 2008 R2.
Strengths
Continuity Logic is one of the newest vendors to the BCMP market, with a long-term focus on governance, risk and compliance. Customer service and support engineers are split between the U.S. and the Asia/Pacific region. Customer references report that a key reason for choosing this product is its cost versus the competition. Data center operations are globally decentralized (New Jersey, Dallas, Texas and India), facilitating a high degree of flexibility for supporting international customers. Operations can be failed over between data centers. A performance management system is in place that supports near-real-time alerting of the operations team when predefined packet latency thresholds are exceeded. Quality assurance (QA) environments that mirror the intended production environment are internally maintained. Users are provided with access to the QA environment for testing purposes prior to formal production turnover. A dedicated QA team is in place for quality testing and customer support. In terms of specific product features, the vendor's risk assessment capability is good, with the additional capability of populating the risk register via a third-party offering, such as the Unified Compliance Framework (UCF). The product has very good reporting capability and very good ease of use. Its ease of customization is strong, with drag-and-drop support. EMNS is good (partnerships could improve with top-tier EMNS vendors). The vendor's C/IM and third-party management capabilities are two of the strongest for a BCMP product. Workflow capability is very good. Through the Compliance Manager module, Continuity Logic has a very good standards compliance capability, supporting the most (30) BCM standards/frameworks of all the vendors in this Magic Quadrant. Secure File Transfer Protocol (SFTP) is used to encrypt data in transit. Recovery plans can be printed in more than PDF format. Comparison pricing was on target with the median pricing example. Base pricing complexity is good (based on the number of plan administrators and product administrators). The vendor has an excellent multiyear pricing option.
Cautions
From the customer reference point of view, the areas that Continuity Logic can improve in are customer service and training. Production availability service levels are managed only to a 99.996% service guarantee level. Partnerships with a few large consulting firms help to scale the business and expand sales performance, but Continuity Logic needs to add more partners for this benefit to be realized. There is no native mobile device app available for plan access for the evaluated version; however, the vendor reports that the current version of the product supports native apps for the Apple iPad and Android devices. The product has limited capability to customize the look and feel to align with the customer's branding. There is no single sign-on support, and no encryption for data at rest. The user interface supports English only. The vendor charges a setup fee for product implementation.
Coop Systems
Coop Systems is headquartered in Herndon, Virginia. A privately held firm founded in 2002, it has an employee head count of 25 dedicated to the BCMP product. The BCMP product version evaluated for this Magic Quadrant was version 6.11; the current version is 6.14. myCOOP has been a product offering since 2005. The reported number of BCMP product customers for this evaluation period was more than 150. The key markets supported are higher education, financial services, state/local government, insurance and professional services (not including IT). The product is offered using hosted/SaaS and on-premises delivery models. The product architecture is based on SQL Server, SharePoint, Visual Studio and Microsoft .NET.
Strengths
The vendor supports both a user group and an advisory group. Partnerships for sales execution include large technology and consulting firms in the U.S. and Japan. Data centers are located in the U.S. (Atlanta) and Canada (Toronto, with failover to Vancouver). Operations service-level guarantees include 99.9% for service availability. SaaS operations are managed in Tier 4 data center facilities. Active-active operations are supported with recovery times on the order of minutes. In terms of specific product features, the reporting capability is very good and the user interface can be tailored to align with ISO 22301 and other BCM standards/frameworks. myCOOP has a very good built-in C/IM capability. Coop Systems' hosted services use only SHA-1 hashing functions to encrypt all sensitive information, including passwords. As an option, data at rest can be encrypted using AES-256. All sensitive data encrypted for transit over the Internet uses SSL v.3. myCOOP's native mobile device app delivery approach is unique — the vendor works through a third-party vendor that ports the app to all devices. Supplier/vendor management is a separate module. The vendor's BIA capability is very good. Dependency mapping supports a graphical representation. The user interface supports English, Japanese and Thai. Importing data from organizational sources of record to the added-on myCOOP database has been resolved with the introduction of its data synch feature. Recovery plans can be printed in more than PDF format. Coop Systems has built automated capability to import recovery plans and data from other BCMP products. The pricing model is based on named users — those requiring a user ID and password. The vendor offers a strong multiyear pricing option.
Cautions
All internal staff for sales and customer call centers, as well as support engineers, are U.S.-based only. In some overseas markets, partners provide local support. Some customer references report a concern over the vendor's customer support services. Customer references also report that there have been some challenges in balancing the upgrades and keeping up with customer desires/demands. myCOOP requires more vendor intervention for aligning the product to customer requirements, especially those of larger clients. In terms of specific product features, myCOOP could see expanded sales if it had partnerships with more than one top-tier EMNS vendor (currently, MIR3). There is no support for single sign-on. The basic workflow capability has some limitations; the purchase of Advanced Workflow is required to perform an unlimited number of steps in a defined workflow process. Comparison pricing was slightly higher than the median pricing example. The vendor charges a setup fee for product implementation.
eBRP Solutions eBRP Solutions is headquartered in Toronto, Canada. An employee-owned firm, it has an employee head count of 40 dedicated to the BCMP product. The BCMP product evaluated for this Magic Quadrant was the eBRP Suite version 4.1.04; the current BCMP product version is 4.1.08. With a BCMP offering in place since 2002, the reported number of BCMP product customers for this evaluation period was more than 120. The key markets supported are the broadest of all vendors analyzed in this research, with a focus on financial services, energy (oil and gas), discrete manufacturing, and utilities. The product is offered using hosted/SaaS and on-premises delivery models. The product architecture is based on Microsoft Windows Server 2008 (or newer), Microsoft IIS and SQL Server 2008. Strengths During the past five years, eBRP has focused on developing an operational risk management product, including BCM and third-party management. There is strong global staff distribution between the U.S., Canada, Europe, India and Australia. Operations data centers (Tier 3/Tier 4) are distributed across six separate geographical locations: the U.S. (Washington, D.C. and Santa Clara, CA), Canada (Toronto, Ontario and Vancouver, British Columbia) and the U.K. (London and Slough). For the BCMP vendorhosted/SaaS delivery model, eBRP Solutions offers a 99.995% service-level guarantee. Operations failover is tested once every two weeks. The maximum amount of time in which customer data could be lost is 15 minutes. In terms of specific product features, the third-party management and dependency mapping capabilities are the best among all the vendors in this Magic Quadrant. EMNS support is provided through top-tier vendors. The built-in exercise management and C/IM capability is very good. There is an integrated GIS capability (allowing all facility, employee and vendor locations to be mapped). Mobile device capability for plan access is through the C/IM capability. 
Workflow capability is very good. Support for Gantt charts to visually display recovery procedures is a key product differentiator. Encryption for data in transit is very good, with support for PGP, SSL v.3 and SFTP. Encryption for data at rest is available upon request by the customer. Single sign-on is supported. The user interface supports multiple languages. The product has not been developed to align with any specific BCM standard, but BCM standards self-assessment compliance tracking support is available through configuration. Strong password controls and role-based access control. The product has strong training capabilities. eBRP has built automated capability to import recovery plans and data from other BCMP products. Comparison pricing is competitive, coming in slightly under the median pricing example. The vendor has an unlimited user pricing model. The vendor offers a multiyear discount. Cautions eBRP has specific and long-held beliefs about how risk assessments, BIAs and recovery plans are to be developed. For example, the product does not show risk impact over a range of time frames; this is a professional decision made by eBRP founders about how to conduct a risk assessment — assessing risk impact is not much more than a guess and providing such capability only takes bad data and compounds it. Although eBRP has updated the look and feel of the product, it is still limited by the .NET infrastructure on which the product is developed. Some report data is not accessible through an online feature, such as a URL link; eBRP considers this to be a security concern and will not provide the capability. This last point means that there is more work to be done to complete some steps — for example, you can look up people on a team, but you have to go back into the product's administrative interface to make changes to that person, rather than clicking on the person's name in the generated report. 
Tool administration could be easier to perform and more intuitive; you usually have to go back to the administrative interface, and go through the asset infrastructure model to do most actions. Training fees apply.
EMC (RSA) RSA, The Security Division of EMC, is headquartered in Bedford, Massachusetts. A public company, RSA acquired Archer Technologies in 2010. Archer has a BCMP solution available within its eGRC Suite. The BCMP product version evaluated for this Magic Quadrant was Archer Business Continuity Management v.4.5.2; the current BCMP product version is 5.2. With a BCMP offering in place since September 2008, roughly 25% of RSA Archer customers have deployed the BCM module. The key markets supported are financial services; insurance; government (federal, national and provincial); business/consumer services; and professional, scientific and technical services (not including IT). The product is offered in hosted/SaaS and on-premises delivery models. The product architecture is based on .NET, Windows Server 2003/2008 Microsoft SQL Server for its RDBMS and IIS 7.0 for its Web server. Note: RSA did not provide answers to survey questions regarding revenue by year or region, nor for staff head count. We used Gartner's internal vendor rating process to provide an overall financial viability score for RSA. Strengths BCMP capability is integrated with the vendor's enterprise and IT GRC management platform for broader integration into the operational/enterprise risk management process. RSA has a better and more well-established delivery ecosystem than the other GRC products included in this research. Customer support staff are in the U.S. and the U.K. Support engineers are in the U.S., U.K. and the Asia/Pacific region. The vendor has a well-developed network of reseller and professional services partners,
including its own EMC Consulting practice. There is a very strong user group process, including the number and size of user forums that facilitate peer networking, information sharing and product requirements capture across all its product modules. In terms of specific product features, ease of reporting is very good. Ease of use and the user interface are excellent, with strong graphical support. Ease of configuration is excellent with drag-and-drop capability. There is an excellent use of graphics. The product leverages a third-party partner for loading risk statistics into the product. Data at rest is encrypted using AES-256. Data in transit is protected using SSL 256-bit encryption. The vendor offers one of the best native mobile device apps for the iPhone and iPad. EMNS support is through one top-tier EMNS vendor. Exercise management is good, as is C/IM capability. Supplier/vendor management is available. There is a strong BCM standards self-assessment compliance tracking capability, including alignment to key BCM standards/frameworks. Recovery plans can be printed in more than PDF format. Single sign-on is supported. The user interface supports English, French, Spanish, German and Japanese. Comparison pricing is on target with the median pricing example. The vendor's pricing model is based on employee head count and the number of modules needed to be purchased. An SMB pricing option is offered. Cautions Availability service-level guarantees are 99.9%, lower than many of RSA's competitors. Only one data center supports production BCMP service operations in Phoenix, with a "warm spare"; the backup site is in Marlborough, Massachusetts. IT service operations failover is not automated. IT service recovery testing results are not currently audited by independent third parties. The vendor has indicated that this is due to the newness of the vendor-hosted offering and that such auditing is planned for the near term.
Generation and distribution of a recovery plan to a designated plan owner is a bit complicated; the plan is generated through the use of Microsoft Word templates, mail merge and notifications. Also, the only file format supported as an attachment that can be printed along with the plan is Word. Other file formats will be forthcoming. RSA is the only vendor to not offer a multiyear pricing discount. It charges a setup fee for product implementation. Training fees apply.
Factonomy Factonomy is headquartered in Edinburgh, Scotland, and New York City. Factonomy is a privately held company that is venture-capital-backed. The vendor's head count is approximately 50. The BCMP product version evaluated for this Magic Quadrant was Factonomy ResilienceXT v.3.0; the current version is 3.21. Factonomy has 14 customers using its technology for BCMP purposes — all having implemented the product within their own data centers. The key markets supported are financial services, manufacturing and professional services. The product is offered via on-premises and SaaS/hosted delivery models. The product architecture is based on Windows 2008 Server R2 (64-bit) Microsoft .NET (v.3.5 or above), Microsoft IIS Application Server and SQL Server (either 2005 or 2008). Strengths One of the newest entrants to the BCMP market, the FactonomyXT application engine is based on a declarative XML application engine. Customer references report that Factonomy is intuitive and easy to manage, and that the look and feel is clean, streamlined, not cumbersome, and can be customized even more. Staff for customer call center and sales, as well as support engineers, are in the U.S., U.K. and India. Separate development, user acceptance testing (UAT) and production environments are established for each client. Additionally, internal test platforms are used for early-stage configuration. Operations failover to a separate physical server and to another physical location is supported, consistent with the client's data storage policy. Factonomy supports Amazon Web Services (AWS) GovCloud (US) and is able to offer U.S. federal government customers the ability to host its services on AWS GovCloud, which is compliant with the FISMA Act and the FedRAMP initiative. 
In terms of specific product features, Factonomy has converted its declarative XML application engine from one that required extensive vendor-based configuration to one in which customers can do much of the customization themselves. This makes the product accessible to organizations of all sizes, not just the large, multinational organizations that Factonomy had been pursuing. The user interface is very modern and easy to use. Business rules for plan development and management can be unique to a business unit, region, etc. The vendor has a scenario modeler feature that takes BIA results to produce scenarios that rank the impact to the business from different and varied interruptions. Due to the product operating in the Microsoft Azure cloud environment, 2048-bit SSL is used to encrypt data in transit. There is very strong ease of reporting. EMNS support is through one top-tier EMNS vendor. Role-based access control is very strong. Single sign-on is supported. The pricing model is based on employee head count. Cautions Partnerships for sales execution are few, although those that Factonomy has — IBM and Deloitte — are strong partners. The vendor currently does not support a formal user group. The SaaS/hosted offering has highly resilient and scalable operations run in Microsoft's Azure cloud computing infrastructure, although no customer has implemented the product in this delivery model as of the evaluation time frame. Factonomy offers Microsoft Azure services as a
managed service. For its vendor-hosted/SaaS delivery model, Factonomy offers a 99.95% service-level guarantee only. The vendor's recovery plans are not tested on a regular basis. Little to no regular vendor testing of system performance. No encryption support currently exists for data at rest. The product does not come with built-in support for any BCM standard/framework. There is no native mobile device app support, and no C/IM capability. The user interface supports multiple languages through the use of the translate feature. English, German, Russian and simplified Chinese are the standard options offered, but any language can be supported. In all cases, the client is responsible for making and maintaining the translation. Comparison pricing is noncompetitive to the median pricing example. Most implementations are fixed-price.
Fusion Risk Management Fusion Risk Management is headquartered in Rolling Meadows, Illinois. It is a privately held company with investors that include Fusion's founders and selected angel investors. The head count of the company is approximately 15. The BCMP product version evaluated for this Magic Quadrant was the Fusion Framework Risk Management & Contingency Planning System v.1.4; the current version is 1.5. The Fusion Framework System runs on the cloud-based Force.com application platform and hosting environment provided by salesforce.com. As an independent software vendor (ISV) application partner of salesforce.com, Fusion provides the Fusion Framework System and underlying Force.com embedded OEM licenses as a single integrated solution to its enterprise customers. Fusion Risk Management currently has more than 30 customers. The key markets supported are manufacturing, financial services, telecommunications, energy, services, retail and distribution. Because it is a layered service within the salesforce.com cloud, the only delivery model supported by Fusion Risk is SaaS. Strengths The newest and fastest-growing BCMP vendor, Fusion has some of the strongest BCM professional experience in its management team. Fusion Risk Management is the only BCMP vendor that utilizes cloud-based platform as a service (PaaS), specifically through salesforce.com. Customer reference feedback indicates ease of use and expanse of customization capability. Fusion Risk Management offers a 99.9% service-level guarantee. The product platform (Force.com) supports several million concurrent users. Client-specific QA is performed to validate user access models, workflows and navigation. Service availability and performance is measured and continuously reported on the public-facing portal. Salesforce.com has a very robust IT disaster recovery management (DRM) capability with ongoing component testing, failover testing and multiple layers of backup. 
Full recovery test data is provided to clients as part of the BITS Shared Assessment reports and SSAE 16, among other assessments. The vendor also regularly tests its internal BCM plans via a mandatory work-from-home strategy every six weeks. In terms of specific product features, Fusion Risk Management has some of the best reporting, ease of use and configuration capabilities. It provides mobile device support for plan access, incident response, reports and dashboards, and comprehensive enterprise collaboration via the integrated salesforce.com Chatter application included with the Fusion Framework System. Chatter Mobile is supported on iOS, Android and BlackBerry, and Chatter runs within the Fusion Framework System and as a stand-alone desktop application. Encryption of data in transit is done through standard HTTPS/TLS 128-bit encryption using RC4-128, with SHA1 for message authentication and RSA as the key exchange mechanism. Encryption of data at rest is optional using the industry standard AES algorithm and 128-bit master keys. Very good C/IM is built into the product. Workflow capability is very good, with integrated workflows across all plans and features of the product. BCM standard compliance self-assessment tracking is available through configuration to follow many BCM standards. There are very good role management and access control capabilities. Single sign-on is supported via SAML 2.0 and 1.1. Recovery plans can be printed in more than PDF format. The user interface can support more than 25 languages. The pricing model is based on named users — those requiring a user ID and password. The vendor offers a multiyear discount and has an SMB pricing option called Fusion Essentials. Cautions All internal staff for customer call centers and support engineers are U.S.-based only. There is a small sales presence in Canada. Because it is a new vendor in the BCMP market, partnerships are currently very limited. 
The use of Tier 2 partners is planned for expansion purposes into EMEA, Latin America and the Asia/Pacific region. All data centers are in the U.S. — in Northern and Southern California, Illinois, and Virginia. To run the Fusion Framework System application in a non-U.S. salesforce.com data center, Fusion must make an application to salesforce.com for its review and acceptance. The BIA capability does not automatically calculate RTOs as an out-of-the-box feature, but the product can be configured to do so. Comparison pricing is noncompetitive to the median pricing example. Training fees apply.
MetricStream MetricStream is headquartered in Palo Alto, California. A privately held company, it has an employee head count of 1,100, of which 35 to 40 are dedicated to the BCMP product. The evaluated BCMP product version was MetricStream 6; the current version is 6.1. With a BCMP offering in place since 2010, the reported number of BCMP product customers for this evaluation period was 15. Key vertical markets supported are energy, financial services (including insurance), government (federal, national and provincial), life sciences, discrete and process manufacturing, and utilities. The product is offered using SaaS/hosted and on-premises delivery models. The product architecture is based on open-standard Java Platform, Enterprise Edition (Java EE) and XML. Note: Revenue numbers were not provided by the vendor. Strengths BCMP capability is integrated with the vendor's enterprise and IT GRC management platform for broader integration into the operational/enterprise risk management process. In addition, the BCMP module is packaged and sold separately from MetricStream's GRC offerings. Staff for customer call centers and sales are on every continent, and support engineers are in the U.S., Europe and Asia. For the BCMP vendor-hosted/SaaS delivery model, MetricStream offers a 99.999% service-level guarantee. Data center operations are located on three separate continents: the U.S., India and EMEA. In terms of specific product features, the customization capability is the strongest of all vendors in this research. Ease of reporting is very good, and ease of use is above average. A very good and flexible workflow capability is supported by the Process Flow Designer product — a Visio-like interface. A strong track record is in place for both IT operations control management and regulatory compliance, with the second-highest number (22) of BCM standards/frameworks supported. Data at rest is encrypted using 256-bit PGP, and 256-bit HTTPS is used to encrypt data in transit. A native mobile device app is available for plan access in offline mode. MetricStream has one of the best third-party management capabilities of all the vendors included in this research, although it is a separately purchased module.
Role management and access control capabilities are also the best among all vendors in this Magic Quadrant. Single sign-on is supported. The vendor has added a few interesting features to its offering, such as virtualization risk management and live situational awareness tracking. The user interface supports multiple languages through Unicode support. MetricStream offers a multiyear pricing discount. Cautions Strong partnerships with business and technology firms are in place for sales execution, but they are not focused on BCM, which means that they are not recognized in the marketplace as a strong BCMP vendor. For the product version analyzed for this Magic Quadrant, service operations recovery plan testing frequency was unclear, and application performance and scalability testing was only performed in response to a customer request. According to the vendor, it has since changed these cautions as follows: service operations recovery plan, application performance and scalability are now tested annually and with every new release. The BIA capability does not automatically calculate RTOs, nor does it show business interruption impact over a range of time frames. The internally provided EMNS capability has limited endpoints. There is no C/IM capability; the vendor has indicated that this module is currently under development. Comparison pricing is noncompetitive to the median pricing example. The pricing model is based on the number of users and their type: heavy (e.g., product administrators), medium (e.g., plan administrators) and light (everyone else, including read-only users). There is a setup fee charged for product implementation.
Modulo Modulo is headquartered in Atlanta. It is a privately held company with a total employee head count of 400, including 70 employees focused on the development of the Modulo Risk Manager product and 15 employees dedicated to the BCMP module. The evaluated BCMP product version was the BCM module of the Modulo Risk Manager software v.8.1; the current version is 8.2. With a BCMP offering in place since 2006, the reported number of BCMP product customers for this evaluation period was approximately 50 (all internally hosted in customer data centers). The key vertical markets supported include energy, financial services, federal and state government agencies, transportation, and utilities. The product is offered via SaaS/hosted and on-premises delivery models. The product architecture is based on Microsoft Windows Server 2008, Microsoft .NET Framework 64 and Microsoft SQL Server 2008. Strengths The BCMP capability is integrated with the vendor's enterprise and IT GRC management platform for broader integration into the operational/enterprise risk management process. Customer references report that a key reason for choosing this product is its cost versus the competition, as well as vendor certifications in ISO 20000 and ISO 27000. Customer service, sales and support engineers are located in the U.S., U.K., Brazil and India. Modulo has a highly experienced consulting and professional services team. The vendor has a strong reseller network with over 70 companies reselling the Risk Manager and BCMP modules. For the BCMP vendor-hosted/SaaS delivery model, Modulo offers a 99.9999% service-level guarantee with data centers located in the U.S. (production and recovery) as well as Brazil. A strong track record is in place for both IT operations control management. A large test and QA management team (of 20) is in place. In terms of specific product features, there is a very flexible user interface, although it has the most technical feel of all the BCMP products. 
There is a very good ease of reporting capability, including an SQL query to create any dashboard report. There is strong standards/frameworks compliance tracking support with alignment to key BCM standards/frameworks. Google Maps is
used to view the impact of natural events (such as weather) on asset availability. There is good workflow and risk assessment capability. Graphics support is excellent throughout the product, including graphical plan dependency mapping support. Data at rest is encrypted using AES-256. Data in transit is encrypted using IIS-level certified HTTPS, which supports SSL v.3.0. There are very good role management and access control capabilities. Single sign-on is supported. The user interface supports English, Portuguese and Spanish. Comparison pricing is competitive, coming in slightly under the median pricing example. The vendor offers a multiyear pricing discount. Cautions The areas in which Modulo can improve, from a customer reference point of view, are features/functions and maintenance/upgrades. The SaaS-based delivery model was a new offering at the time of this evaluation; therefore, customers who have implemented the BCMP capability in SaaS were not included. Ease of customization needs improvement, as customers are not able to change terminology to their terms and there is limited ability to change the look and feel of the product to meet the customers' branding requirements. Plan components are fixed and are not easily modifiable by customers. There are limited built-in EMNS and C/IM capabilities. Exercise management capability is available, but only through configuration through workflow. BIA capability does not automatically calculate RTOs, nor does it easily support modifications to facilitate time-based impact assessments; instead, a separate BIA must be initiated and populated. There is no native mobile device app for plan access. Because Modulo's focus is GRC, pricing is based on the number of IT assets being managed by the Risk Manager module, which is a nonintuitive approach for BCM professionals. The BCM module is not sold separately from the Risk Manager module and is 20% of the base Risk Manager cost. 
The vendor charges a setup fee for product implementation.
Phoenix Phoenix is headquartered in Northampton, U.K., and is listed in the FTSE. The employee head count dedicated to the BCMP product is 102. The evaluated BCMP product version was 4.2; the current version is 4.2.4. With a BCMP offering in place since 2003, the reported number of BCMP product customers for this evaluation period was 75. Phoenix does not manage its business by industry vertical; rather, it does so by region and, therefore, we have no key industry verticals to list for the vendor. The product is offered using the vendor-hosted delivery model. The product architecture is based on the CentOS, vSphere infrastructure, JBoss Middleware, MySQL database and the JasperReports engine; client access is via a Web browser (PC, Mac or tablet) or mobile app (BlackBerry/RIM platform). Note: Phoenix did not provide information regarding its typical deployments. Strengths Phoenix has a high-quality professional services delivery capability. For the BCMP vendor-hosted/SaaS delivery model, the vendor offers a 99.997% service-level guarantee. A staffed 24/7 operations center continuously monitors applications and systems alarms. Operations data centers are distributed across four separate geographical locations: the U.K. — Aston (production), the U.K. — Farnborough (recovery) — Phoenix (the majority of Shadow-Planner clients are hosted in Phoenix's own U.K. data centers), and, for clients who wish to host their data outside the UK, Switzerland — Geneva — (production and recovery) and the U.S. — New York City. Recovery tests are conducted on a daily basis. In terms of specific product features, the opening screen is a dashboard of BCM program management. The user interface is very clean. The product has very strong ease of configuration, with drag-and-drop capability on most administrative features. Ease of reporting is very good. EMNS support is through top-tier EMNS vendors. 
Supplier/vendor management, workforce scheduling over time and recovery seat planning capability is available. Workflow can be built using multiple steps and can automatically populate the calendar of tasks to complete in the workflow process. Out-of-the-box BCM standards/frameworks alignment is to BS 25999 Parts 1 and 2. There is good risk assessment capability, and very good role management and access control capabilities. Single sign-on is supported. AES-256-bit encryption is used for encrypting data in transit. The user interface supports English, French, German, Spanish, Italian and Japanese. Comparison pricing was on target with the median pricing example. The pricing model is based on employee head count. The vendor offers a multiyear discount, as well as nonprofit and SMB pricing. Cautions Customer call centers, support engineers and sales are in the U.K. only. The area in which Phoenix can improve, from a customer reference point of view, is in the time and effort it takes to bring the product into production. Partnerships for sales execution are nonexistent. Phoenix needs to pick up a large business consulting firm to make inroads into the larger enterprise risk management area. Specific product features: native mobile device app available only on the BlackBerry. There is no exercise management, C/IM or compliance management support. BCM standard compliance self-assessment tracking is not available as an "out-of-the-box" feature. Data at rest is not encrypted. The vendor charges a setup fee for product implementation.
Quantivate
Quantivate is headquartered in Woodinville, Washington. It is currently a privately held company. The evaluated BCMP product version was Quantivate Business Continuity December/2012. Quantivate does not publish version numbers because product updates are continuously made and rolled out to all customers. The product is offered via the SaaS/hosted delivery model only. The product architecture is based on Linux, Apache HTTP Server, open-source MySQL and PHP. Note: Quantivate did not provide answers to a number of questions in the vendor survey, including staffing size and distribution, revenue numbers by year, region and industry (however, it did provide the percent change in revenue year over year), the number of customers, pricing, and the number of new contract signings. The exclusions are the primary reason for its Niche Player placement in the Magic Quadrant. Strengths Quantivate provides an integrated platform for BCM, information security, enterprise risk management, audit management and third-party management. Customer references report that the key reasons for choosing this product are its intuitive user interface, experience with other products from this vendor, and Quantivate's "loss based" approach to BCM that matched the customer's internal approach. Operations are managed in Tier 4 private cloud infrastructure data center facilities located in Chicago and Dallas. Users can get a whole QA environment setup with their cloned data. The vendor has high-quality customer service support with a very repeatable service implementation and management process. In terms of specific product features, the native mobile device app for plan access is very good, with support for iOS and the Droid with synchronization to the phone for offline usage. The ease of use and user interface and the ease of reporting are very good. The ease of configuration is good, with drag-and-drop capability. EMNS capabilities are limited and C/IM capability is built-in. 
Quantivate's third-party management capability is excellent, although it is a separately purchased module. The BIA capability can report on RTO gaps in a very graphical and intuitive way. The product provides conversion support for a wide variety of different plan formats. There is custom help text online for every field. There is very good graphics support (e.g., heat maps on risk assessment) and a graphical view of plan procedures. Data at rest is encrypted using 256-bit AES. Data in transit is encrypted using multiple SSL and TLS versions. Quantivate has built an automated capability to import recovery plans and data from other BCMP products. Recovery plans can be printed in more than PDF format. The vendor offers a multiyear pricing discount. Cautions All internal staff for sales, customer call centers and support engineers are U.S.-based only. The areas in which Quantivate can improve, from a customer reference point of view, are training and maintenance and upgrades. Reseller and system integration partnerships are very limited, which impacts the vendor's market presence and sales performance. Quantivate supports a 99.9% IT service-level guarantee — lower than most vendors in this Magic Quadrant. IT service operations recovery plans are only tested once per year. IT service incident management procedures are not well-defined. Operations failover is managed manually. There is limited support for modifying the look and feel of the product to align with customers' branding requirements. There is a minimal BCM standards/frameworks self-assessment compliance tracking capability. Workflow is limited to two steps based on date. Roles and access management is not as robust as the other vendors in this research, and single sign-on is not supported. The user interface supports English only. Comparison pricing was not able to be calculated because Quantivate provided no pricing information. Pricing is not typically based on the number of users. 
Rather, the vendor uses a pricing model based on the industry of the customer. For example, banks and credit unions are charged by asset size, mortgage companies by outstanding loans, insurance companies by assets under management, and for some other industries, by the number of plans they want to produce.
RecoveryPlanner RecoveryPlanner is headquartered in Trumbull, Connecticut. It is a privately held company with an employee head count of 28 that is dedicated to the BCMP product. The BCMP product version evaluated for this Magic Quadrant is RPX Enterprise, RPX Bank and RPX Credit Union Editions r.21.91; the current version is r.22.95. With a BCMP offering in place since 2001, the reported number of BCMP product customers for this evaluation period was 200. The key vertical markets supported for their BCMP offerings are financial services, insurance, higher education, and professional, scientific and technical services (not including IT). The product is offered using the following delivery models: SaaS/vendor-hosted, customer-hosted or a hybrid of these. The product architecture is based on Linux and Java. Strengths Customer call center staff are in the U.S., U.K., Brazil, the Dominican Republic and Bulgaria. Sales staff are in the U.S., U.K. and Brazil. Support engineers are in the U.S., U.K., Brazil and Argentina. A strong reseller partner program provides RecoveryPlanner with global, enterprisewide BCMP deployments. IT service availability is 99.99%. Data center operations are separately located in two countries (the U.S. and Canada) and spread between two data centers in each country — two in the U.S. (Chicago and Denver) and two in Canada (Toronto and Vancouver), and support automatic cutover. Failover processes have been audited and certified by several large clients. Customers can do their own testing and QA with their own production data optionally synchronized to the
staging area prior to production release. Portions of the IT operations recovery plan are tested on a quarterly basis. Penetration testing is conducted daily by a third party. The vendor has strong customer service. In terms of specific product features, there is very good ease of reporting and ease of use/user interface. The product has built-in support for C/IM. Support for Gantt charts to visually display recovery procedures is a key product differentiator. Sensitive data at rest (plan data, personnel data, revision history data and customer custom fields), as well as in transit, is encrypted using AES-256. RecoveryPlanner has specific versions for commercial banks and credit unions. EMNS capability is supported through partnerships with top-tier EMNS vendors, as well as built-in email and SMS alerts. Exercise management and third-party management capabilities are available. The user interface supports English, Spanish, Portuguese and French. RPX has a very good BCM standard self-assessment compliance tracking capability. Recovery plans can be printed in multiple formats. Single sign-on support is through SAML2. RecoveryPlanner has built an automated capability to import recovery plans and data from other BCMP products. Comparison pricing is competitive, coming in at approximately 25% less than the median pricing example. Pricing complexity is medium to low, with the pricing model based on head count or asset size or BCM program complexity with a determination of the expected use levels of the product. The vendor offers a multiyear discount as well as nonprofit and SMB pricing options. Cautions Security audit testing of IT service operations by a third party is performed once per year. Native mobile device support for plan access is not available. Workflow capability could be improved — it needs to be standardized across all BCMP product functions. 
The risk assessment capability does not show risk impacts over a range of time frames, but the customer can configure and report on risk impact in the risk survey. A setup fee is charged for product implementation, and includes training and assistance with data migration.
Rentsys Recovery Services-EverGreen Rentsys Recovery Services-EverGreen is headquartered in College Station, Texas. At the time of evaluation, EverGreen Data Continuity was a privately held company, with an employee head count of 13 dedicated to the BCMP product. On 16 July 2013, Rentsys announced the acquisition of EverGreen. The BCMP product version evaluated for this Magic Quadrant was Mitigator 9.0.0; the current version is 9.0.1. With a BCMP offering in place since 2003, the reported number of BCMP product customers for this evaluation period was 259. The key markets supported are financial services, including insurance; K-12; higher education, healthcare and federal government agencies. The product is offered using the following delivery models: SaaS/hosted, on-premises and hybrid. The product architecture is based on Microsoft .NET and SQL Server (either 2005 or 2008). Strengths Rentsys-EverGreen has a strong focus on product quality and offers a guarantee to fix recovery plans if the customer fails an audit after using the product — a unique offering in the market. Support engineers are in the U.S. and EMEA. Customer references report that the key reasons for choosing this product are its cost versus the competition, ease of use, and the ease of managing and maintaining it. Partnerships are very good and international, but the vendor needs to pick up a large business consulting firm to make inroads into the larger enterprise risk management area. For the BCMP vendor-hosted/SaaS delivery model, Rentsys-EverGreen offers a 99.9999% service-level guarantee, with data centers in the U.S. and Canada. The vendor quotes a guaranteed product operations one-hour maximum recovery time. Well-defined operations failover procedures are defined between service provider facilities. QA and preproduction turnover test processes are well-defined and rigorously managed. 
In terms of specific product features, the product comes with preloaded content for risk assessments through recovery planning tasks. There is strong, integrated IT DRM support. Exercise management is supported. The product has a very broad and complete set of training services available to customers, such as online user guides and tutorial videos. The C/IM capability is very good. There is a strong workflow capability. BCM standards self-assessment compliance tracking support is through reports called survey summaries, which track percent compliance to industry best practices. Risk assessment and BIA capabilities are above average and are based on National Institute of Standards and Technology (NIST) best practices. There is a solid financial analysis capability, although it is rarely used by customers because the data needed to perform such an analysis is often not readily available to the customer. The product has good graphical capabilities. Standard 256-bit HTTPS is used to encrypt data in transit. Single sign-on support for Shibboleth and LDAP is available. The user interface supports only English and Italian. Comparison pricing is very competitive, coming in at approximately half of the median pricing example. The pricing model is based on employee head count. The vendor offers a multiyear discount, as well as SMB and nonprofit pricing options. Cautions Customer support personnel are in the U.S. only. There is limited mobile device capability for plan access. Ease of reporting and customization are the most limited of all the vendors in this research; customers cannot change any report or easily customize the product, and must go back to the vendor to do so, or export the data to Excel for report manipulation. Data is not encrypted at rest. The user interface should be modified for a more modern look. Customers cannot construct their own business impact time frames, although the vendor notes that it provides the most standard ones. 
The product does not support the concept of third parties — they are considered contacts only. The role and access controls provided by the product cannot be modified by the customer. Training fees apply.
Strategic BCP Strategic BCP is headquartered in Plymouth Meeting, Pennsylvania. A privately held company, it has an employee head count of 15 dedicated to the BCMP product. The BCMP product version evaluated for this Magic Quadrant was ResilienceONE v.6.0; the current version is 6.1. With a BCMP offering in place since February 2004, the reported number of BCMP product customers for this evaluation period was 137. The key vertical markets supported for the vendor's BCMP offering are financial services, including insurance; higher education and healthcare. The product is offered using the following delivery models: hosted/SaaS, on-premises and hybrid. The product uses an n-tier architecture and is written in .NET (C#). Note: Revenue numbers were not provided, but percent change year over year was provided. Strengths Strategic BCP is known for its BCP Genome offering, a built-in component of ResilienceONE that ensures a strong compliance tracking capability to over 20 BCM-related standards and frameworks, and allows customers to map their BCM program and BCMP components to them. The vendor also uses a business process modeling method when developing recovery plans — a unique approach. Customer references report that a key reason for choosing this product is its cost versus the competition. Strong partnerships with top consulting firms provide higher market presence and sales performance. An IT service availability level of 99.999% is supported. With Tier 4 data centers in Dallas (production) and Virginia (recovery), IT service operations can be automatically failed over from the primary to the secondary site. A separate user acceptance test URL is configured to enable customers to test any new code prior to going into production. Strategic BCP has strong customer service, with an online enhancement submission product that customers can use to submit product enhancement suggestions. 
Clients have the option to audit internal BCMP operations as part of the operations SLA. In terms of specific product features, the offering has the best ease of reporting capability — every field in the database has been mapped to the vendor's internal reporting product, and can be dragged and dropped to build custom reports on the fly. There is very good ease of use and a good user interface. There is a strong customization capability, with drag-and-drop support. EMNS capability is provided through top-tier EMNS vendors. There is a very good built-in C/IM capability included in the base price. Exercise management is provided through the C/IM module. There is good third-party management capability and good workflow capability. The risk assessment capability is also good. There is very good BIA capability, including the automatic calculation of RTOs. Role and access control management are very good. Data at rest is encrypted with either 3DES (an obsolete algorithm) or AES 256 (preferred). Single sign-on is supported. Recovery plans can be printed in more than PDF format. Comparison pricing is competitive — coming in at approximately 25% less than the median pricing example. The vendor offers nonprofit and SMB pricing options. Cautions All internal staff for sales and customer call centers, as well as support engineers, are U.S.-based only. There is no native mobile device app support. Data in transit is encrypted using a weak algorithm (128-bit SSL). The user interface is in English only.
SunGard Availability Services SunGard Availability Services is headquartered in Wayne, Pennsylvania, with its Continuity Management Solution (CMS) division headquartered in King of Prussia, Pennsylvania. A privately held company, it has an overall employee head count of over 3,000, with approximately 200 dedicated to the CMS software. The BCMP product version evaluated for this Magic Quadrant was LDRPS v.10.8, BIA Professional v.10.8, Risk Assessment v.10.8 and modules of CMS. The current BCMP product version is 10.8. With a BCMP offering in place since 1988, the reported number of BCMP product customers for this evaluation period was 2,051. The key markets supported are business/consumer services, energy, financial services, government (state, local and regional), healthcare, and insurance. The product is offered in hosted/SaaS and on-premises delivery models. The product architecture is based on Microsoft .NET. Note: Revenue numbers were not provided. Also, SunGard is actively addressing customer complaints about LDRPS (including v.10, which some customers have had a hard time migrating to) and the expanded CMS software suite by completely redesigning the product (called Assurance) from the ground up, including the core platform, database, user interface and other components, under the direction of a new product design team. The new solution, not evaluated for this Magic Quadrant, was announced in March 2013 and was made generally available on 31 May 2013. Strengths LDRPS has the largest product installed base and strong brand recognition, with very well-established customer/user forums. Because of its data center hosting business, SunGard has extensive experience in managing complex data center operations. Customer call centers are located in the U.S., U.K. and India, with support engineers available for global customer support 24/7. Call center, support engineers and other support personnel are required to have BCM professional certification.
Customer references report that a key reason for choosing this product is the functionality provided. The product is hosted in five geographically separate locations in Tier 4 data centers: Philadelphia, Atlanta, and Aurora, Colorado, in the U.S., and two data centers in the U.K. for customers wanting to host outside of the U.S. IT service operations recovery plans are internally tested once per quarter. A fully hosted UAT environment for testing and training is provided. Maintaining a database in a separate software staging environment enables customers to perform internal training or testing without impacting their production databases. SSAE 16 Type II certification for IT service operations has been obtained. In terms of specific product features, the new CMS framework has made the product more user-friendly and allows enhanced security features, such as single sign-on using the SAML standard. Built-in EMNS is provided through the vendor's NotiFind product (powered by Varolii). Supplier/vendor management is available through a separate module. C/IM capability is available through the built-in Incident Manager product (powered by WebEOC). AES-256 is used to encrypt data at rest. SSL v.3 is used to encrypt data in transit. SunGard has product versions for credit unions and healthcare organizations. Recovery plans can be printed in more than PDF format. The user interface supports Portuguese, French, English, Japanese, Spanish and Polish. Comparison pricing was on target with the median pricing example. The pricing model is based on the number of concurrent users. The vendor offers multiyear pricing discounts, as well as nonprofit and SMB pricing options. Cautions Some customer references report that the product is too expensive, too complex, not easy to use and too modular (not integrated as an entire BCMP product deliverable). 
The areas in which SunGard can improve, from a customer reference point of view, are pricing, installation and setup, and maintenance and upgrades. Note: SunGard had the lowest customer reference overall score of all the vendors in this Magic Quadrant. The vendor often has difficulty winning current competitive bids because of its prospects' assessment of complexity and price competitiveness for LDRPS. The perceived lock-in of the LDRPS BCM methodology and lack of flexible workflow is a recurring customer concern. Currently, all deviations require customization (through configuration) of the product, which further locks users into the product. For the BCMP vendor-hosted/SaaS delivery model, SunGard offers 99.9% (hosted) and 99.5% (SaaS) service-level guarantees, which are low compared with the other vendors in this research. Recovery plans are not made available in their entirety to customers; portions of these plans are considered confidential and, therefore, are not released. No native mobile device app is available for plan access. The ease of use and user interface are repeatedly mentioned by customers as being lacking, requiring strong IT knowledge to administer the product and being nonintuitive for end users. Ease of customization is the second lowest of all vendors included in this Magic Quadrant; drag-and-drop capability is not supported. Exercise management is provided through a separate module, not through the C/IM module. BCM standard self-assessment compliance tracking is not available as an out-of-the-box feature, but the product can be configured to align with many BCM standards. CMS does not have an internal reporting engine; it requires the use of SAP Crystal Reports. To use the survey capability for BIAs, users must buy the BIA Professional module (what SunGard calls BIA Lite is included in the core LDRPS product). There is no risk register, but risk views can be created via reporting.
Virtual Virtual is headquartered in Budd Lake, New Jersey. A privately held company, it has an employee head count of 28 dedicated to the BCMP product. The BCMP product version evaluated for this Magic Quadrant was Sustainable Planner v.2.6; the current version is 2.8. The vendor reports that version 3.0 is scheduled for 3Q13 release. With a BCMP offering in place since April 2005, the reported number of BCMP product customers for this evaluation period was 35. The key markets supported are healthcare, insurance, government and financial services. The product is offered using the following delivery models: hosted/SaaS, on-premises and hybrid. The product architecture is based on Microsoft ASP.NET and Visual Basic .NET, and an SQL Server or Oracle Database. Note: Virtual uses the term "templates" to refer to configuring Sustainable Planner for specific purposes (e.g., incident management, IT DRM, business recovery and other operational risk management capabilities), rather than just a form or report template. Strengths Virtual is very strong in understanding the BCM requirements of its key target industry sectors of healthcare, insurance and financial services, as well as in its overall BCM consulting practice. The vendor is also making headway into government, retail, research and academic BCM programs. In addition, Virtual is the creator of the Business Continuity Maturity Model (BCMM). Customer references report that a key reason for choosing this product is Virtual's Completeness of Vision and ease of configuration. Sales partnerships are many and across multiple geographies, with stronger support in Latin America. For the BCMP vendor-hosted/SaaS delivery model, the vendor offers a 99.999% service-level guarantee. Operations failover is fully automated. Recovery test results are audited by a third party. 
In terms of specific product features, ease of customization is high, with templates created to support unique requirements, such as alternate work site resource reservation and management. There is good BIA capability. Data in transit is encrypted using SSL v.3. EMNS capability is through top-tier EMNS vendors. The user interface supports French, Spanish, Portuguese, Italian and German. The multiple templates provided in Sustainable Planner align with NFPA 1600 2013 Edition, ASIS SPC.1-2009 and ISO 22301. The Sustainable Planner product includes two BCMM assessment templates supporting BCMP program metrics, including standards compliance.
Comparison pricing is on target with the median pricing example. The vendor's pricing model is based on the number of named users — those requiring a user ID and password. Virtual offers a multiyear pricing discount, as well as SMB and nonprofit pricing options. Cautions All internal staff for sales and customer call centers, as well as support engineers, are U.S.-based only. The user interface is old looking; the vendor reports that version 3.0 has a new look and feel. The product does not support drag and drop. The product does not have an internal reporting engine; it requires the use of Crystal Reports. Data at rest is not encrypted. There is no native mobile device app for plan access. There is a very limited BCM standard self-assessment compliance tracking capability. A few of the navigation elements (e.g., Previous Page and Next Page) of the user interface are hard-coded and cannot be changed into local language. Reports are only in PDF format, although data can be exported to Excel, Word and RTF files for manipulation. Workflow needs improvement and automatic notifications for user action-taking.
Vendors Added and Dropped We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.
Added Not applicable — this is the first Magic Quadrant for this market.
Dropped Not applicable — this is the first Magic Quadrant for this market.
Inclusion and Exclusion Criteria Inclusion in the 2013 BCMP Magic Quadrant was based on the following criteria:
- The product met the Gartner definition of a BCMP product (see "Hype Cycle for Business Continuity Management and Disaster Recovery Management, 2012").
- Products must have been generally available as of 31 December 2012.
- Products must be deployed in at least 10 customer production environments (preferably one from North America, one from EMEA and one from the Asia/Pacific region).
- Each vendor had to supply at least five references available to contact.
- Value-added resellers and product distributors are not included.
Exclusion was based on the following criterion:
- The vendor's BCMP product was developed and used primarily for small businesses.
Evaluation Criteria Ability to Execute Ability to Execute is ranked according to a vendor's ability to provide a BCMP product to the market that meets customer feature/function capability requirements, as well as the vendor's ability to deliver and service the product with a high level of service guarantee and customer support. Product/Service compares the completeness and appropriateness of core BCMP technology capability as well as service delivery operations, except those noted in the Offering/Product Strategy evaluation criterion category. We weighted this category High. Overall Viability considers the vendors' demonstrated commitment in the market regarding staffing changes except for sales, company ownership and revenue growth between 2010 and 2012, as compared with the rest of the market using a median three-year revenue growth percentage of 17.5%. Sales Execution/Pricing compares the depth, breadth and strength of a vendor's sales channels, including direct and indirect geographic distribution channels, the change in sales and marketing staffing, current sales comparison for the percentage of prospects evaluating its BCMP product, the typical size of its customers, new contract signings, the depth and breadth of its sales channels, the largest and most complex customer implementation, the average revenue percentage for vertical industry coverage, and pricing, including the percent change in the vendor's deal size, its overall pricing complexity and a product pricing comparison.
Customer Experience is a combined rating of service-level agreement guarantees, the vendor's support and service process, the preparedness and completeness of the vendor in delivering the Magic Quadrant demo to Gartner analysts (a vendor's execution with Gartner is a direct reflection of its execution with customers), and customer reference feedback directly from the vendor and Gartner customers.
Table 1. Ability to Execute Evaluation Criteria
Criteria | Weighting
Product/Service | High
Overall Viability | Standard
Sales Execution/Pricing | Standard
Market Responsiveness/Record | No Rating
Marketing Execution | No Rating
Customer Experience | Standard
Operations | No Rating
Source: Gartner (August 2013)
Completeness of Vision Completeness of Vision is ranked according to a vendor's ability to show a commitment to BCMP technology developments in anticipation of user wants and needs that turn out to be on target with the market, as well as the ability to show integration into the broader BCM, EMNS and C/IM markets. Market Understanding is ranked through observation of the degree to which a vendor's products, road maps and missions anticipate leading-edge thinking about buyers' wants and needs. Included in this criterion are how the vendor supports specific industry verticals, how buyers' wants and needs are assessed and then brought to market in a production-ready offering, and the vendor's competitive assessment of its own product in the market. Sales Strategy examines the vendor's strategy for selling products, including the role within the customer organization it typically sells to and its partnerships within the BCM marketplace, as well as in complementary markets. Offering (Product) Strategy is ranked through an examination of the product road map, investment back into the vendor's operations, product deployment support and the software development model. Also included in this criterion are an innovation score and the three features Gartner recognizes as those that BCMP product prospects and customers are seeking: the ease of customization of the product, the ease of use via the user interface and the ease of reporting. We weighted this category High. Geographic Strategy examines the vendor's strategy to direct resources for customer service and support engineers to meet the specific needs of geographies outside the home or native geography, either directly or through partners. In addition, data center geographic distribution was considered in this evaluation criterion.
Table 2. Completeness of Vision Evaluation Criteria
Evaluation Criteria | Weighting
Market Understanding | Standard
Marketing Strategy | No Rating
Sales Strategy | Standard
Offering (Product) Strategy | High
Business Model | No Rating
Vertical/Industry Strategy | No Rating
Innovation | No Rating
Geographic Strategy | Standard
Source: Gartner (August 2013)
Quadrant Descriptions Leaders Leaders have products that work well for Gartner clients in midsize and large deployments. They excel in the combination of market understanding, product features and functions, and overall viability as a firm. Their BCMP products may be well-known to clients and frequently found on RFP shortlists, and have a presence at tradeshows. Leaders publish market-related white papers, conduct webinars and maintain high-quality information channels with their customers, etc.
Challengers Challengers have competitive visibility and execution success — better developed than Niche Players. Challengers offer all the core features of BCMP, but typically their vision, road maps and/or product delivery is narrower than that of Leaders. Challengers may have difficulty communicating or delivering their vision in a competitive way outside of their core industry sectors.
Visionaries Visionaries make investments in broad functionality and platform support, but their competitive clout, visibility and market share don't reach the level of Leaders. Visionaries make planning choices that will meet future buyer demands, and they assume some risk in the bargain because ROI timing may not be certain. Vendors that pursue visionary activities will not be fully credited as Visionaries if their actions are not generating noticeable competitive clout, and are not influencing other vendors.
Niche Players A Niche Player ranking is assigned when the product is not widely visible in competition, and when it is judged to be relatively narrow or specialized in breadth of functions and platforms — or, for other reasons, the vendor's ability to communicate vision and features does not meet Gartner's prevailing view of competitive trends. BCMP Niche Players include stable, reliable and long-term players. Some Niche Players work from close, long-term relationships with their buyers, in which customer feedback sets the primary agenda for new features and enhancements. This approach can generate a high degree of customer satisfaction, but also results in a narrower focus in the market (which would be expected of a Visionary). Also, a Niche Player can be one that did not provide answers to all the questions asked in our vendor survey.
Context In addition to a financial statement or strategic plan, a recovery plan is an organizational document that is most likely to result in lost revenue, damaged reputation or worse if it is not current or is unavailable (or nonexistent) at the time of a business disruption. And, like all organizational policies and procedures, the best recovery plan can rapidly become obsolete. Therefore, organizations must consider the recovery plan a living document that needs a continuous review and update process:
- At a minimum, annually for a cyclical program management best-practice review
- When there are major business or IT changes such as operational risk profile shifts, or business or IT process re-engineering
- When industry regulations change, requiring tightened focus on response and recovery capabilities
- When recovery plan exercise results or actual business disruptions show a gap in recovery capability versus current recovery expectations
Many organizations look to automation to help them develop and maintain up-to-date recovery plans. There are two views of what such automation should provide. Some organizations want only a document management system that helps them manage their complex web of recovery plans. They are typically firms without a strong commitment to BCM program management, those that have developed their own highly customized BCM practices and think that BCM-specific automation cannot help them, or those that don't have the resources to manage a specialized tool for BCM purposes. These firms use office automation products (such as word processing, spreadsheets and flowcharts) and turn to a document repository approach such as SharePoint to store their recovery plans. Other organizations want an automation tool to manage the BCM program for the entire enterprise, as well as its parts, in a dynamic manner that allows for effective recovery plan creation and management as well as for in-depth BCM program data analysis. 
These firms will have a strong commitment to BCM, often due to regulatory compliance or an enterprise focus on risk management. It is this kind of organization that looks to implement a BCMP product. At its most basic level of implementation, a BCMP product can reduce the very real risk of out-of-date recovery plans by enforcing a regular update procedure. BCMP products can also benefit organizations that need to document and manage a comprehensive view of their response, recovery and restoration preparedness policies, expectations, capabilities, and procedures. Most well-managed BCM programs capture a lot of rich data about the organization and its recovery capabilities, but coordinating, analyzing and managing large amounts of availability information is almost impossible to do without automation. These BCM programs want to leverage this information and identify gaps in recovery capability; in essence, they want to make meaning of the data that they have so painstakingly obtained. BCMP products can also help to mature the BCM program faster (see "ITScore for Business Continuity Management, 2013," "ITScore for Business Continuity Management: Results Through January 2012 Show Midlevel BCM Program Maturity" and "Learn From the Experiences of Mature IT-DRM Leaders"). Gartner predicts that, by 2015, 80% of organizations at a Level 4 maturity level for their BCM program will be using BCMP products to help them perform recovery plan and exercise management as well as to analyze and manage BCM program metrics.
BCMP capabilities are offered from two types of vendors, both included in this Magic Quadrant research:
- Pure-play vendors that have been in the BCM market for some time, typically as BCM consultants, who developed a product for such purposes and then decided to turn it into a direct offering with development, implementation and sales support.
- GRC vendors with customers that take an operational or enterprise view of their organizations' risks.
Market Overview Methodology In the first edition of the BCMP Magic Quadrant, 24 vendors were contacted, including those surveyed in "MarketScope for Business Continuity Management Planning Software" (Note: This document has been archived; some of its content may not reflect current conditions.). After reviewing our inclusion criteria, 18 vendors were selected to be ranked. We used the following vendor rating approach. Vendors were evaluated on the basis that they were responding to an RFP, and were ranked on their ability to document and qualify their strengths and features. It is important to remember that the Magic Quadrant does not solely rate product quality or capabilities and features. A Magic Quadrant is not just about a vendor's product; it is also a scenario chart that maps a vendor's overall position in a specific market. While the product portfolio is an important part of the rating, the vendor's ability to acquire customers and expand its presence in the market is also important, as is its ability to grow product and service revenue. A vendor that offers a strong, technically elegant product, but is unable or unwilling to invest in marketing and sales to increase revenue and improve profitability, will find itself unable to invest in future development.1 Vendors that did not provide responses to critical questions were ranked, wherever possible, from other sources of information — supplemental public information sources, public records of projects and clients, and the opinions and experiences of the Gartner analyst community. In the detailed vendor comments, we highlight the major evaluation criteria for which the vendor did not provide a response. For those vendors that did not provide responses due to their judgment that the information is proprietary to them, we scored them lower on those questions. In addition to the vendor survey, in-depth vendor briefings regarding product, portfolio, strategy and messaging were conducted with each vendor. 
Customer reference comments were taken from the 62 completed surveys we sent to the customer references provided by the vendors themselves. In addition to the customer reference comments from the Magic Quadrant analysis, placement on the Magic Quadrant is influenced by the hundreds of conversations conducted annually with Gartner clients on the topic of BCMP.2 The vendor strengths and weaknesses noted in this Magic Quadrant cover those evaluation criteria where the vendor is above or below average. We did not provide commentary on every evaluation criterion, nor on those where the vendor's capability did not stand out from the others; where no commentary is provided, prospects and customers should assume the capability is adequate for most organizations' needs. The key markets reported in the vendor introduction are those where the vendor reported 5% or more of revenue coming from that industry. Each vendor markets and sells into more industries than reported in this section. Our review was for the BCMP business only. Therefore, a vendor that is in multiple BCM software markets (EMNS, C/IM and BCMP) might have a better overall company rating when taking all products into account versus what has been provided for just the BCMP portion of their business. Gartner considers external partnerships to be very important for increasing market presence and sales performance. Partnerships with first-tier and second-tier consulting firms are some of the best partnerships to have, as they take an enterprise approach to risk management and can leverage BCMP products into their engagements. Industry-specific partners are also excellent if the vendor is focusing on specific industries. BCMP vendors that sell only through their own channels — consulting, IT services, etc. — were given lower scores.
As more organizations adopt BCMP products, vendors need to consider their geographic footprint for functions such as sales, customer call centers, support engineers and data center operations (geographic distribution of data centers is also important for resilience and privacy concerns). They also need to consider that users of the product will need to have the product displayed in their native language. We gave higher scores to vendors that had: (1) data centers in multiple locations, with a bonus for cross-coastal and cross-continent centers; (2) multilingual support of their user interface; and (3) sales, customer call center and support engineers located in multiple countries. We assessed this category for internal staff and external partners.
Key Findings From the 2013 BCMP Magic Quadrant Analysis
The BCMP product is a specific and detailed set of functionality that needs to manage complex business and BCM processes within all types, sectors and sizes of organizations (see "Toolkit: Business Continuity Management Planning Software RFP Template, 2012"). After listening to our clients on inquiry calls and reviewing the responses to the questions in the Magic Quadrant vendor survey, we recognized that there is no one perfect BCMP product. All BCMP vendors can provide most of the basic functionality (such as business impact analysis, resource management, dependency mapping, custom fields for customer-specific requirements, some level of custom reports for customer-specific needs, recovery plans in multiple views and formats, etc.). Small to smaller midsize organizations will be quite happy with a product that provides basic functionality — they typically do not have a strong need to do a lot of customization to the product to accommodate organization-specific BCM processes. However, larger midsize to large organizations tend to need more customization to the product to accommodate complex business processes as well as alignment to their current BCM program processes — the latter point being the major barrier to most organizations finding a BCMP product that is a close to perfect fit (and the reason why some organizations will continue to use office automation products or develop their own internal products and deal with the consequences of out-of-date plans, BIAs, risk assessments, dependency maps, etc.). Therefore, what became clear in our analysis is that the more important evaluation point was how the vendors provided the functionality. Based on that, we made the following criteria more important in the scoring process:
The ease of use in the hands of business users, not IT or BCM professionals only
The ease and extent of customization — through configuration (not code changes) by the customer, not the vendor — to your organization's production operations/continuity hierarchy, branding and terminology. The specific points we considered in this evaluation criterion are:
The ability for the customer to customize the look and feel of the product to align with the organization's branding, etc.
The extent of the need for vendor support in product configuration
Terminology customization
Drag-and-drop capability for report formatting
The extent of database changes required for changes in the organizational hierarchy (a subset of the production operations/continuity hierarchy)
The ease of reporting, including modifying report formats provided by the vendor and creating new report formats
Native mobile device support (smartphone or tablet) for recovery plan access and execution at the time of a business disruption
We made these criteria more important by (a) moving them to the Offering/Product Strategy evaluation criterion, as there are product/technology architecture decisions to be made in order to make these products easier to configure and implement; and (b) giving a higher scoring weight (3 rather than 1) to the Offering/Product Strategy criterion. To balance the product feature/function analysis, we gave Product/Service a higher scoring weight of 3 as well.
BCMP product pricing is so varied that it is hard to do a detailed pricing comparison between vendors using the survey pricing model descriptions and examples. We only scored vendors for their SaaS offerings — some offer perpetual software licenses for organizations that want to buy the software and implement within their own IT infrastructure. Therefore, we scored vendors on their SaaS pricing in four ways.
Average deal size growth between 2011 and 2012 — large growth rates improved the vendor's pricing scores
Proximity to the median pricing of $48,100 for 50 plan administrators (which characterizes a large organization) — lower than the average improved the vendor's pricing score and higher than the average reduced the vendor's pricing score
Overall pricing model complexity, which was scored on the following criteria:
Base pricing (unlimited users, employee head count, named users [those requiring a user ID/password regardless of their role in using the product or the amount of time they use the product], read-only users, approvers and risk assessment/BIA users rarely use the product, so their usage is light; product administrators and plan owners tend to be heavier users of the BCMP product) or a pricing model based on specific pricing components, such as a core system fee, the number of product administrators, plan administrators, concurrent users, plans, BIAs, sites/locations and others. Overall, the simpler the base pricing approach, the better the pricing complexity score
Complicating factors (such as additional software licenses for things like Crystal Reports, a fee for a user that needs to submit help desk tickets, setup or training fees not included in the subscription fee); we increased the complexity score in these cases
Pricing incentives, such as a multiyear pricing discount, nonprofit pricing and SMB pricing options, which improved the vendor's pricing score
Based on customer reference feedback to a 23-question questionnaire, the top three reasons why organizations use a BCMP product are:
Complexity of plan management is growing and plans cannot be managed in a manual mode any longer: 69%
Internal requirement to mature the BCM program: 55%
New management focus on BCM: 42%
This feedback supports what Gartner has been reporting for a number of years: BCM is becoming a senior-management-level topic, and the complexity of the business means that recovery plans and BCM program management are no longer manageable through manual methods. A very important theme emerged from customer reference feedback — the two greatest barriers to implementing a BCMP product are lack of internal resources and commitment to the process; 52% of customer references reported this concern.
Based on customer reference feedback, the top four reasons (two are tied at 13.5%) why a vendor's product was not selected by prospects are:
Too expensive: 23%
Lack of ease of use (end user and admin): 14%
Lack of flexibility/too much customization: 13.5%
Lack of features/functions: 13.5%
© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity.”