IT sector business continuity planning below average, study says

IT suppliers are among the worst when it comes to implementing business continuity plans, according to a survey published by the Chartered Management Institute (CMI) and the Cabinet Office.

IT suppliers are among the worst when it comes to implementing business continuity plans, according to a survey published by the Chartered Management Institute (CMI) and the Cabinet Office.

The survey of more than 750 CMI members that found 39% of mainly UK organisations in the IT sector had a business continuity plan in place, compared with the national average of 47%.

Richard Swann, IT infrastructure manager at the Institute of Directors (IoD), said the results were surprising. "People in the IT sector should be more aware than most of the business impact of systems being unavailable, so they have got no excuse," he said.

But Russell Price, chairman of the Continuity Forum, said the findings were consistent with his experience.

"End-users are increasingly relying on IT for their business, but the infrastructure of suppliers is often not as resilient as it should be, and this would have a serious knock-on effect down the supply chain in the event of a failure," he said.

According to Price, many suppliers of IT services, including back-up and recovery, have not done enough work on business continuity and do not have robust plans in place.

The survey found that the public sector scored the best with 62% having a business continuity plan in place, followed by listed companies (55%) and private and voluntary organisations (40%).

John Hele, global product manager for BSI Management Systems, said the public sector's business continuty planning was mainly driven by the requirements of the Civil Contingencies Act.

Price said part of the problem in the IT sector was that there was no equivalent of the public sector's Civil Contingencies Act or the financial sector's FSA regulations, which had driven business continuity in these sectors.

The sector also naturally tended to focus any business continuity planning on IT, Price said. "Effective business continuity planning needs a more holistic approach that includes planning for people," he said.

The report said although 75% of organisations recognised that business continuity was a critical issue, attempts to protect business operations were often "haphazard" and "untested".

Only 29% of organisations with business continuity plans in place made allowances for loss of people and 33% did not test their continuity plans.

Over the past year, 43% of organisations were disrupted by loss of IT, and more than one in three (35%) experienced loss of people.

A high proportion (78%) of those organisations that did conduct tests at least once a year said shortcomings had been revealed, enabling them to make improvements.

Swann said business continuity was something the IoD took very seriously and that is tested its disaster recovery plans at least once a year.

The survey also found staff training relating to business continuity remained limited, with only 35% including such training in induction courses for new staff, up from 30% in 2007.

Swann said the IoD had a policy of cross training IT staff to ensure availability of mission-critical skills.

Bruce Mann, director of civil contingencies at the Cabinet Office, said although the survey showed organisations were taking steps to improve their business continuity arrangements, for example in relation to the impact of an influenza pandemic and supply chain resilience, there was still much more to be done.

"Too many organisations still do not have effective business continuity arrangements in place," he said.

Jo Causon, director of marketing and corporate affairs at the Chartered Management Institute, said, "It does not matter whether the turbulent times we face are caused by economic or security concerns, the simple fact is that failing to provide safeguards for business operations does not make sense."

The report recommends that senior management of all organisations should take responsibility for business continuity managment (BCM), including the development of robust, fully rehearsed and well-communicated plans that address the technological, physical, people and skills needs.

"For many organisations there remains a pressing need to address these aspects of BCM," the report said.

Read more on IT risk management