BCM 2005 Survey - UK organisations are ‘sitting ducks’

Reseach finds that UK organisations are ‘sitting ducks’ as they fail to plan for major disruptions

07 March 2005

UK organisations admit they are failing to protect key assets and the ability to function in the face of major disruptions, according to research published today by the Chartered Management Institute. The 2005 Business Continuity Management Survey uncovered alarming inactivity, with organisations ignoring threats to their business, neglecting the needs of their managers, and not communicating plans with employees.

The research, published in association with the Continuity Forum and VERITAS Software, does, at least, reveal increased levels of awareness about potential dangers to business. More than half (51 per cent) have a business continuity plan (BCP) in place – a slight increase on each of the previous three years. However, the study also demonstrates varying attitudes to risk across business sectors and organisation size. Continuity management is most widespread amongst the banking sector and in organisations with a turnover of more than £11 million.

Threats to business

Managers were asked to identify the threats most likely to have an impact on their organisation. Almost three-quarters (70 per cent) suggested that loss of IT capability was their top concern. Reflecting the tight labour market, managers also identified loss of skills (56 per cent) and loss of people (55 per cent) as major threats to their business.

It has also become clear that UK businesses are ‘sitting ducks’ as most plans fail to cater for the disruptions being experienced by organisations. Despite an increase in incidents relating to loss of people (up to 41 from 25 per cent) and skills (up to 28 from 20 per cent) to hit organisations over the last twelve months, only a handful of BCPs cover staff issues.

Mary Chapman, chief executive of the Chartered Management Institute, commented: “It’s a matter of concern that many organisations still fall short when it comes to implementing thorough business continuity management strategies. However, the rising awareness of corporate governance responsibilities, and in particular the demands of the new Operating and Financial Review regulations should ensure that managers focus on the impact and cost that the loss of staff and services can have.”

Demands for continuity management

A significant shift has also occurred over the past year, with external drivers influencing the extent of business continuity management (BCM). Corporate governance is considered the key reason (34 per cent, up from 24 per cent in 2004), followed by demands from insurers (25 per cent), central government (22 per cent) and auditors (20 per cent).

Encouragingly, in 27 per cent of organisations, the Board leads business continuity management. Budgetary control has also shifted into mainstream business operations, with 38 per cent of organisations ensuring BCM budgets are held at director. The research indicates that now only 9 per cent of organisations give financial control of BCM to risk managers and 5 per cent to IT directors, recognising the need to prioritise business continuity.

Dr David J Smith, principal consultant at EMEA BCM Practice at VERITAS Software, says: “When the number of remote workers increases, IT departments are under more pressure to ensure that core systems are always available; or can be recovered quickly should a system failure occur. Whilst UK businesses are making investments in this area, surprisingly few are communicating business continuity plans to staff - even though they recognise the need to do so. VERITAS’ own Disaster Recovery research in 2004 highlighted that there was a lack of regular rehearsals completed by businesses to ensure that such plans are comprehensive enough and it appears from this survey that there is still a long way to go before this practice becomes standard.”

Inadequate preparation

Respondents expressed anxiety over the lack of a communication chain about business continuity plans. Of those organisations with a plan in place, only 58 per cent regard their employees as a key audience to share continuity details with. Only 1 in 4 organisations have an awareness programme for all staff and just over half (53 per cent) provide additional training for specific, relevant, employees.

The research also indicates that organisations do not rehearse the effectiveness of their BCPs. In 2005, one-fifth of organisations admitted they never test their plan and, of those with a plan in place, only 52 per cent meet the minimum recommended frequency of rehearsing BCPs once a year. The finance sector is most likely to ensure plans are robust, and the manufacturing sector comes bottom of this year’s BCM rehearsal ‘league table’.

Worryingly, the research indicates that business continuity management is still not part of UK organisation’s performance culture. A total of 86 per cent claimed their rehearsals revealed shortcomings and 13 per cent admitted these problems had not been addressed. Nearly two-thirds (58 per cent) do not even measure BCM performance and 40 per cent of organisations with turnover of less than £10 million do not audit their continuity programme.

John Sharp, policy and development director at the Continuity Forum, says: “The evidence suggests a small but consistent growth in business continuity management. Having a plan is not enough! Major steps still need to be taken as too many organisations are scraping by with inadequate and untested plans that expose them to unnecessary risk.”

You will need to be LOGGED IN and we recommend that you open the attachment in a new browser window.

NOTES TO EDITORS

The Continuity Forum is a member-focused organisation committed to building the resilience of organisations internationally, regardless of size or sector, through education and the promotion of best practice in Business Continuity Management and its related disciplines.

The Forum is dedicated to aiding the growth and the development of the Continuity sector and appropriate standards.