If a disaster, man-made or natural, were to hit London's financial district, several large banks and investment companies would decamp to a squat, utilitarian, even ugly building on a scruffy back street just south of the Thames.
The owners prefer not to refer to the building's address, and customers' names are a closely kept secret. Yet the site, owned by the IT group SchlumbergerSema, is one of the UK's most important disaster recovery centres.
Even John Kersley, general manager for global recovery services at SchlumbergerSema, describes the building as having the "architectural merits of an armoured car".
Space in buildings such as this has been much in demand since the September 11 tragedy, as companies review their disaster recovery and business continuity plans. But only large companies - and companies that depend on continuous availability - can afford the type of dedicated stand-by trading floors and offices on offer from the disaster recovery specialists.
In some sectors, especially financial services and the oil and gas industries, disaster recovery and business continuity planning is second nature.
For some, including companies that depend heavily on internet infrastructure, the events of September 11 provided a wake-up call.
Others, however, have yet to consider their disaster recovery arrangements. And a further group of companies has looked at disaster recovery and decided, as they might with any insurance policy, that DR is not worth the premium.
Attitudes also vary by country. Prior to September 11, companies in the US lagged behind their European counterparts when it came to disaster recovery planning: SchlumbergerSema, for example, estimates that only one in five companies in the New York area had a disaster recovery plan.
A survey by Veritas, the storage company, found that in Europe, Swiss companies were the best prepared, followed by German and then British enterprises.
But a separate study by Ernst & Young found that as many as 47 per cent of global companies had no business continuity plan (BCP) at all. Researchers agree, however, that the trend is for companies to take business continuity and disaster recovery planning more seriously, and to take such decisions at a board level.
But so far this has not resulted in a cash bonanza for disaster recovery vendors. In fact, there has been a marked consolidation in the disaster recovery arena. Disaster recovery specialist SunGard has bought both rival Comdisco and UK-based Guardian IT.
"A lot of companies have been able to move forward on business continuity planning without blowing a lot of money on it," says Fons Kuijpers, a disaster recovery specialist with PA Consulting's management group.
The terrorist attacks on New York and Washington prompted companies and public sector bodies to review their disaster recovery arrangements, but these reviews take time to conduct.
For companies with no disaster recovery plans last year, it is probably still too early to see any significant spending increases as a result of new contingency plans.
And for many companies, the lack of a formal business continuity plan does not mean there is no disaster recovery in place.
"Bottom up" technical recovery measures, such as off site data mirroring and rigorous back-up policies, might be arranged on a department by department basis, or centred around individual data centres or even servers.
Bringing these arrangements into the scope of a wider business continuity plan is largely a paper exercise in co-ordination, rather than a question of massive extra spending.
The trend to run critical business applications, such as finance or customer relationship management (CRM), over the internet means that many companies are also better protected against disasters than they were five years ago.
Measures such as outsourcing data centres or web server operations also include an immediate degree of protection, while the growth in plentiful, reasonably cheap bandwidth makes hardware back-up techniques such as data mirroring to remote sites viable for a wider range of businesses.
Mirroring cuts the cost of maintaining redundant IT systems purely as a backup. Instead of a primary or "production" server and a back-up kept on standby, IT departments can run two parallel systems sharing processing.
Each server backs up the other, with the advantage that should one server fail, the other will be able to carry on operations with little or no interruption. As it is an automated process, mirroring cuts the scope for human error. As data is held on hard disks rather than tapes, recovery times are dramatically shorter.
For companies, this is fortunate as disaster recovery windows are narrowing. Companies do not have three or four days to recover their systems; they might not even have the night to back up or upgrade critical systems.
"We are certainly seeing a shrinking recovery window," says Thom Carroll, global director of business services at Computer Sciences Corporation. "It used to be the case that companies could recover in 48 to 72 hours, except in financial services. Now most recovery has to be intraday."
Over the last year thinking on disaster recovery locations has changed too. Since September 11, backing up to a different computer in the same building - or even to one in a building in the same block - looks risky.
This is driving up demand both for outsourced, remote recovery sites and for technologies that can connect computer systems over greater distances.
How great that distance should be is still a point for debate, however. Among some US and Asian companies, the thinking is that back-up data centres should be as much as 200km away from the main operational office.
But in Europe, according to Josh Krischner, enterprise computing and storage analyst at Gartner, 10km is an adequate distance. "Japan and California are earthquake zones, so an extended distance is understandable," he says. "But extending the distance between sites limits the technology and impacts on cost and performance. The larger the distance, the greater the potential for problems."
And technical systems recovery is just one part of the picture. Studies into major disasters show that recovering data and systems alone is not enough.
After September 11, the US authorities cancelled flights, so companies that relied on moving staff to an office in another city had to rethink their disaster recovery plans.
According to Mr Kuijpers at PA Consulting, IT departments sometimes focus on technical data recovery without linking this to wider business continuity planning.
This includes access to back-up buildings, telecommunications and transport arrangements: even a false alarm, such as a security alert on a public transport system, could make it impossible to move staff any distance for several hours.
Full business continuity planning also means planning for the human consequences of an incident, including loss of life.
Succession planning is vital: even the best technology solutions will be of little or no use if the chain of command is broken. Back-up communications play a part: in New York, companies found that hand-held wireless devices and text messaging services continued to work even as voice mobile traffic and the internet were disrupted.
But, as IDC, the IT research company, points out, businesses also need to prepare to function with fewer people, whether this is because of casualties or because, as after September 11, transport is disrupted. And, however big or small the event, companies need to take into account how staff will react.
“The way the human being reacts to a disaster varies,” agrees Chris Boorman, European vice-president at Veritas. “When faced with a disaster, the way you react will affect your ability to carry out procedural work. If you have a lot of tasks to do, the human element will make that harder.
