Lyndon Bird, technical services director at the institute, said firms had made good progress on technology recovery, but they needed to train staff in how to work in a disaster - a key lesson from the attacks on the World Trade Center.
Without trained staff, even the most automated operation will fail, said Bird. "Many organisations do not spend sufficient time or budget on staff training," he said.
Steve Salmon, business continuity consultant at professional services firm KPMG, said that post-9/11 he had seen more companies draft recovery plans and increase funding for business continuity projects.
However, many plans were flawed because of their emphasis on testing technology recovery, not how staff would use systems to maintain business practices, he said.
"More companies need to train employees to work with IT systems under live test conditions. They must also explain to staff what their responsibilities are in a crisis and train them to be multi-skilled so that they can keep key business processes going," said Salmon.
Jim Norton, senior adviser on ICT at the Institute of Directors, who was involved with drafting the BSI 25999 standard on business continuity, said the problem was particularly acute among small and medium-sized businesses.
"Despite the lessons of September 11, our research showed that 43% of SMBs do not test their business continuity or disaster recovery plans or train their staff, and we do not believe this is changing."
The London Chamber of Commerce, which represents 3,500 UK businesses, called on the government to offer financial incentives to encourage proper contingency planning by businesses. "For smaller firms, these incentives could cover the initial cost of setting up and testing a continuity plan, and larger firms could be rewarded if they form partnerships to advise smaller businesses," said a spokesman.
David Bason, IS director at law firm Shoosmiths, said, "IT disaster recovery in itself is not enough. Replication of business processes and testing people and processes is critical to successful business continuity."
David Walker, business continuity and information security manager at Guoman Hotels, said full testing could be expensive to conduct regularly and could disrupt normal business, but partial testing to see how people and processes interact with IT systems must occur.