Organisations of all sizes are failing to plan for possible disruption to their business operations caused by war and terrorism, according to the latest findings from the Chartered Management Institute.
Half of all managers say that the UK's preparedness for possible terrorist attacks is insufficient.
This fourth annual Chartered Management Institute survey, published in association with the Business Continuity Institute and the UK Government's Civil Contingencies Secretariat based in the Cabinet Office is released as part of Business Continuity Awareness Week (23-28 March 2003).
The results reveal that over the past few months, organisations are more likely to have addressed the possibility of disruption to their business by a fire-fighters' strike (44 per cent) than the war in Iraq (17 per cent). Alarmingly, they also gave 'increased threat of terrorist activity' (32 per cent) equal consideration with 'damage to their reputation/brand.'
A separate survey commissioned by information technology services company TDM Group has also revealed that around 360,000 businesses, mostly in the manufacturing sector, have no disaster recovery plans to get their IT systems up and running quickly in the event of a disaster.
The TDM survey found that only 79 per cent of firms say that they have back-ups in place that would have their systems up and running within minutes of a disaster.
"Not having disaster recovery provisions in place is a bit like driving a car without a seat belt," said Dennis Wijsmuller, Managing Director of TDM Group. And he added that the high number saying they are prepared was probably exaggerated.
The Chartered Management Institute found that more than half of all managers admitted that either they did not have any form business contingency plan or that they were unsure. Moreover, of the 46 per cent that did have a plan, only around half again had actually rehearsed its effectiveness during the past year.
Worryingly, there appears to be a strong correlation between the size of the organisation and their preparedness for war or terrorist attacks: large organisations (over £500 million turnover) are almost three times more likely to have a business continuity plan (68 per cent) than small businesses (up to £1 million turnover) with only 24 per cent having one in place.
"Organisations of all sizes should have a business continuity plan: not having one is cavalier at best, negligent at worst. Frighteningly, only one in two managers even know if their organisation has a plan," comments John Sharp, CEO of the Business Continuity Institute. "The good news is that recent developments in corporate governance, in particular the Turnbull Report, mean that risk management is now on the boardroom agenda.
"Equally, the recently published Higgs Report places greater responsibility on non-executive directors to ensure that their organisations are being managed prudently."
Are managers being complacent or realistic in their responses to possible business disruptions? Less than half (47 per cent) fear terrorist damage while only one in six (16 per cent) are concerned about the threat that military conflict would have on their business. Those threats which organisations fear the most are: loss of IT capacity (58 per cent) followed by loss of people and loss of site (both 54 per cent) with fire risk and loss of skills (both 51 per cent) considered less important.
Therefore, it is not surprising that the functions most likely to be included in organisations' business continuity plans are: IT (79 per cent), finance (57 per cent), facilities management and human resources (53 per cent) and security (51 per cent). However, it is surely worrying that such a large proportion of organisations are concerned about the impact of IT failure to the exclusion of so many other business risks.
The findings also lend weight to the view that an unrehearsed plan is not worth the paper it is written on. Of organisations that do carry out a dry run, more than four in five rehearsals revealed shortcomings, but of these one in six then failed to address them! Equally disturbing is the scope of business continuity rehearsals: only one in five organisations practise organisation-wide recovery while double this number limit it to IT.
"Business Continuity Management (BCM) needs to be a living, breathing operational process involving the whole organisation and its stakeholders - not just a heavy document in a big file," says Mary Chapman, chief executive of the Chartered Management Institute. "Furthermore, best practice recommends that companies should consider benchmarking their own processes against standards and plans in other organisations - as 40 per cent of the managers whose organisations have a plan claim they do."
Finally, when asked which other external drivers were forcing their organisation to take business continuity planning seriously, almost one in three managers (30 per cent) cited customers and one in four said that insurers (25 per cent) were pushing them to guard against business disruption.