Risky business: BCM 2008 report exposes vulnerability of organisations across the UK

UK plc failing to protect their people, property and data

The threat of disaster continues to hang over organisations across the UK, as many fail to provide adequate protection for their key assets. The latest annual report published by the CMI and supported by the Cabinet Office and the Continuity Forum reveals that organisations recognise a need to guard against disruption and face increasing pressure to do so.

However, attempts to protect 'business operations' are often haphazard and untested.

Complacency not caution

The survey, now in its ninth year, shows that only 47 per cent of organisations across the UK have a business continuity plan (BCP), a figure that has barely changed since 2002 (45 per cent). Major differences also exist between organisation types, with BCPs most apparent in the public sector (62 per cent) and amongst listed companies (55 per cent), compared to only 40 per cent of private and voluntary organisations.

The low level of protection is surprising and suggests organisations are still only paying lip service to contingency planning. It comes, despite a significant majority of managers (76 per cent) reporting that business continuity is 'important' or 'very important' to their employer, with 66 per cent claiming responsibility for implementation rests at senior management level.

Pressure to protect

The study indicates, however, that employers are coming under increasing pressure to develop BCPs. Asked to identify what influenced the adoption of a business continuity management strategy, most respondents with a plan cited corporate governance as the key driver (60 per cent). Amongst PLCs, this figure rises to 76 per cent and is 69 per cent in the public sector. Central Government was listed as the second highest driver (33 per cent) followed by customer demand (32 per cent). The results also show that calls for contingency planning are increasing from auditors (30 per cent, up from 24 per cent in 2007) and insurers (30 per cent, up from 28 per cent in 2007). Bitter experience is also becoming a solid driver for business continuity planning.

The survey indicates that 94 per cent of organisations which had invoked their plan in the past 12 months felt that it had been effective in reducing disruption. Haphazard and untried Yet, despite the obvious benefits, even those organisations adopting BCPs are haphazard in their approach. For example, only 29 per cent address the potential loss of people, but 35 per cent experienced disruption as a result of this in the past year. And, despite 73 per cent suggesting that 'IT downtime ' would have a significant impact on costs and revenue, only 39 per cent of organisations focus on loss of technology.

Russell Price, chairman of the Continuity Forum says that "Whilst the benefits of BCM are very clear this research shows that far too few organisations have really addressed the issue effectively and are facing much greater risks as a result. Continuing he states "Organisations without effective BCM procedures in place are exposing their investors, employees and customers to a lot of unnecessary risk and need to take a long look at themselves and their management values. In 21st century business these attitudes just are not acceptable."

Jo Causon, director, marketing and corporate affairs at the Chartered Management Institute, says: “Some hard questions need to be asked about why the mismatch between planning and protection is allowed to exist. It doesn’t matter whether the turbulent times we face are caused by economic or security concerns; the simple fact is that failing to provide safeguards for business operations does not make sense. The ability to manage risk is a critical skill and unless it is taken seriously businesses and jobs will remain at risk.

Although there is some improvement, 33 per cent of organisations with a BCP still do not undertake any form of exercise to test their plan (down from 37 per cent, last year). A high proportion (78 per cent) of those who do exercise at least once each year said shortcomings had been revealed, enabling them to make improvements. However, 9 per cent admitted that no steps were taken to address the weaknesses that had been uncovered. The evidence also suggests that staff training relating to BCPs remains limited. Among those with a BCP, 35 per cent include BCP training on induction courses (rising from 30 per cent in 2007). However, with an annual staff turnover rate of 12.9 per cent there is a clear need for increased levels of training to build resilience.

Bruce Mann, Director of Civil Contingencies at the Cabinet Office, says: “Whilst this year 's survey shows organisations taking steps to improve their business continuity arrangements it also shows, starkly, that there is much more to be done. Too many organisations still do not have effective business continuity arrangements in place. This view is echoed by the findings from Sir Michael Pitt 's review of the 2007 floods. It is bad news for employees, shareholders, customers and communities. Lessons need to be learnt, and acted upon, to strengthen business and national resilience, as a whole.