Be prepared
Business continuity must be practiced and embodied in the culture if it is to work.
The keyword in business continuity management today is 'holistic'. A well-prepared business will have thought about every area in which it may be exposed to a risk, and will have practical policies and plans for preventing problems and for minimising the impact when they do occur.
This is a time-consuming and expensive process, but, as one specialist puts it, "it is not rocket science". The challenge has as much to do with a willingness to address the issue as it has to do with complexity.
Research has shown that almost all large companies have a disaster recovery or business continuity plan. But these plans are frequently outdated, are over-simplistic, or are tested too infrequently.
Two businesses that attempted to switch on their emergency power supplies after the US blackouts in 2003, for example, found that their diesel supplies had been unused for so long they had gelatinised. And one UK bank, when carrying out its audit, found that many of the computers it had set aside for emergency back-up had been commandeered for local applications.
Garry Growns, managing director of ImperaData, which specialises in business continuity for SMEs, says that many of his clients have thought hard about the back-up, but not about restoration. He cites an example where one company could not make its tape back-ups work - and nor could the company that supplied them.
Philip Carter, head of professional services at SunGard Availability Services, the business continuity specialist, says that businesses think restoring data will be relatively fast and simple. But sometimes it has taken two to three days to recover all the data - and in that time, they have lost access to key applications.
Sometimes, the failure in planning is not about the technology at all, but about policy. Tony Reid, head of enterprise business solutions for Hitachi Data Systems, says that, faced with a crisis, managers can sometimes be slow to make decisions. "We try to get them to think about 'what is a disaster?' If a recovery takes two hours, but they take four hours to make a decision, clearly they've blown it."
This reluctance to 'invoke' a disaster is common - even though the suppliers of disaster recovery back-up suites are never likely to question the decision. One justifiable fear is that moving out and moving back is disruptive. "One company took five goes to move back successfully," says Reid.
Hamish Macarthur, of analyst company Macarthur Stroud, says that many plans are not tested for fear of disrupting users. "The IT people are worried they will impact the users - and they don't have the confidence that their back-up systems are sufficient."
The solution to all these problems is for executive level management to take responsibility, to invest, and to develop a corporate culture that understands the challenges of business continuity. This is, in any case, increasingly being forced on many organisations - by legislation and by commercial pressure from partners.
Many business continuity specialists point out that in most companies, business continuity is the responsibility of a few specialists, rather than the entire workforce. And much like security, this does not work. John Sharp, CEO of the Business Continuity Institute, writes: "The successful embedding of a business continuity management culture within an organisation is primarily dependent upon it becoming an integral part of the organisation's strategic and day-to-day management ethos."
In the mid-1990s, disaster recovery was a much simpler matter - now business continuity management, especially as it relates to complicated, inter-dependent IT networks, has become an advanced discipline in its own right. A prepared company needs to assess and grade the threats to all its systems, to those of its key partners, to its data, its processes, its staff, its brand and its shareholders.
Only then can it begin to work out clear plans and policies for business continuity, which systems to protect and how, and which suppliers to use. It will also need to develop a continuity culture to support this, with regular reviews, education and testing.
Many independent organisations - such as the Business Continuity Institute and the British Standards Institute - have recognised the complexity of the tasks and offer help with methodologies, templates and benchmarks. The role of external disaster recovery suppliers may also be key. Many have adapted their offerings to provide a full range of support services.





