Financial services is widely acknowledged to be the part of the economy best prepared for a disaster. But a survey carried out earlier this year by insurers FM Global, the Financial Executives Research Foundation and the National Association of Corporate Treasurers, found that just 12 per cent of executives in the sector rated their chance of recovering from disruption as "excellent".
Move away from the highly competitive - and tightly regulated - world of financial services and the picture is worse still.
"We estimate that half of all businesses have not looked seriously at business continuity," warns Bob Zimmerman, an analyst at Forrester Research. "They are either too small, or they think they have it covered, and no-one has asked them when they last did a full recovery test."
Simon Mingay, research director for business continuity at Gartner Group is hardly more optimistic. He cites financial services, public sector bodies, the utilities and businesses based in New York, London and Washington as the best prepared.
Outside these areas, people have reverted to type, he says. They think it will not happen to them.
But incidents such as the outbreak of Severe Acute Respiratory Syndrome (Sars), which affected businesses in Hong Kong and Toronto as well as in China, show that no-one can predict where the next threat will come from.
"Sars is a really good example of how you cannot plan for everything," says Fons Kuijpers, a business continuity expert at PA Consulting. "It was a case study of the type of event you cannot foresee. At its most effective, business continuity planning is about expecting the unexpected, and having plans in place that are flexible enough to adapt to circumstances that no amount of rehearsals can test."
In the case of Sars, Mr Kuijpers cites examples of companies banning travel, and using business continuity facilities - such as standby trading floors - to segregate staff, reducing the risk of the disease spreading. Companies had to implement a variation of their normal plans, such as travel bans and evacuations, says Mr Kuijpers.
Companies that do not have clear business continuity plans and, critically, plans that are tested and kept up to date, remain very vulnerable. In the aftermath of the September 11 terrorist attacks in the US, IT industry insiders noted an upsurge in business continuity spending.
"There was a marked shift in interest, especially for high end solutions providing for no data loss or downtime," says George Ferguson, worldwide practice principal for business continuity services at Hewlett Packard. "It came six to nine months after 9/11, as it took that long for businesses to analyse their needs."
Analysts suggest that upswing has not translated into longer-term investment.
The poor state of the global economy is partially to blame, with many businesses reluctant to invest in measures that do not add to the bottom line.
"If it is a choice between enhancing an application that will increase profits, and something that will cover my butt, CIOs will often choose the former, says Mr Zimmerman at Forrester.
Companies are also realising that a one size fits all approach to business continuity is neither appropriate, nor cost effective.
This is apparent in the growing interest businesses are showing in using in-house resources, such as secondary offices, for low-end business continuity, alongside more conventional, outsourced options.
"Businesses should opt for the appropriate level of recoverability," says Jim Simmons, chief executive of SunGard Availability Services, the business continuity provider. "They don't want to pay for two hour recovery when two days will do."
Where businesses are investing new money, it is often because it is forced upon them. Basel II, Sarbanes-Oxley and the US health insurance act, HIPAA, are just some of the regulations that require better data integrity and business continuity.
"There is no doubt that regulatory influence has a major impact on management attention to business continuity," stresses Mr Mingay at Gartner.
Much of the regulatory attention, however, has focused on the resilience of computer systems and their recoverability. This is a trend that is reinforced by the increased role electronic commerce is playing in business.
As business models evolve, companies are thinking more about what it will cost if systems fail. "They are more dependent on this technology, and failure can destroy a brand," says Gregg Goble, worldwide vice president of resilience services at IBM.
The last two years have seen businesses strengthen their IT systems by bolstering provision for data mirroring to remote sites, putting more emphasis on off-site back-up and a move to technologies such as storage virtualisation and storage area networks (Sans), that make it easier to create multiple copies of data.
This need not be expensive: at IBM, Mr Goble suggests that businesses can achieve a great deal simply by specifying more resilient systems as part of their annual IT purchasing provisions.
There is a danger, however, in believing that more resilient IT systems equate to business continuity, a perception that IT hardware and software vendors are often only too keen to re-enforce.
The harsh truth is that, with a very few exceptions, IT alone is not the answer. "The technical vendors look to data centre recovery and recovery of central business systems," says Alastair MacWillson, global head of security at Accenture.
"But only 50 per cent of data is on these systems. The real point is not whether you can restore the information on central systems, but the intellectual property and logical data across workstations and departmental systems."
He adds that not all the data businesses rely on is even under their direct control: extended supply chains mean that another business failure should also be taken into account.
Some experts in business continuity go further, and warn that technical advances are creating a false sense of security for many companies. Although their systems are more resilient, they are neglecting the planning and testing that is the key to a strong business continuity strategy.
Worse still, they could underestimate the importance of human beings in any continuity plan. Data is of little use if staff are not around to access it, or if they are unable to reach the office because transport systems are disrupted.
A number of companies, particularly in the financial services sector, have measures that allow key employees to work from home or from the road.
One example is Barclays Bank, which has issued its management team with handheld computers connected over the GPRS mobile network.
If employees can access the company's IT infrastructure remotely, this gives companies vital extra flexibility, but again companies need to test this, and make provisions for otherwise reliable networks failing in a crisis.
The massive power grid failure which affected the eastern US and Canada last month provides a good example. Businesses were able to keep key systems running with standby power supplies. But the mobile phone networks overloaded as people made extra calls to their families after what was at first feared to be a terrorist attack.
Any amount of clinical planning cannot factor in human elements, especially trauma, warns Mr MacWillson at Accenture. "Most business continuity plans only nod towards the human resources involvement that is needed. Good recovery [from a disaster] is between 60 per cent and 70 per cent about people, processes and training."
Indeed, some of the most effective measures companies can take to protect themselves may cost little or nothing; even expensive hardware can often be redeployed in a more effective way, such as by reorganising storage and back-up devices. "The main weakness in business continuity planning is still one of management awareness," observes Mr Mingay at Gartner. "At the end of the day, there is nothing very complex about business continuity. If you do the basics well - and you do what you say you are going to do, so if you say you take your data off site within 24 hours, make sure you do - then you will be in an incredibly good position."
