"There are some real challenges still ahead and true resilience and capability ultimately have to be measured through testing your ability to co-ordinate your activities with others," said Rick Cudworth, EMEA head of business continuity and resilience at Deloitte.
He said this would be one of the key messages he plans to communicate at next week's Business Continuity Expo in London.
It is becoming increasingly important, said Cudworth, for organisations to be able to co-ordinate business continuity activity with all stakeholders in the business, to do that a global scale, and to do it for non-physical events.
According to Deloitte, most organisations fail to recognise that non-physical events such as data leakage can damage the organisation, and consequently do not plan to deal with them in the same way as they do for physical events such as fire and flood.
Global organisations typically deal with about three natural disasters a year and frequently have to deal with minor events almost on a weekly basis, such as power failures in Johannesburg, fires in California and floods in the UK, but few have the processes in place for co-ordinating decision-making throughout their organisations.
"Setting up clear co-ordination and communication between their teams around the world remains a challenge for many global organisations," said Cudworth.
Outsourcing and offshoring is a challenge to business resiliency because it is often not clear in the event of a disaster who makes the decisions on invoking disaster recovery plans, said Cudworth.
Deloitte has found that many organisations have gone backwards instead of forwards in recent years in terms of IT disaster recovery capability.
"At a time where people are looking for increased speed of recovery and more confidence in being able to recover, fewer organisations are able to demonstrate either," said Cudworth.
He said this had been the result of a massive increase in data, which is impossible to recover using traditional approaches, and the fact that many organisations are confusing systems and service availability with disaster recovery.
"Organisations typically start building what they think is a disaster recovery plan by looking only at recovering their critical applications, but in a disaster, it is not about a single application - it can be about whole datacentre, but if all the interdependent applications have not been included, the recovery plan will not work," said Cudworth.
Finally, as regulators and customers place organisations under closer scrutiny, businesses are increasingly facing the challenge demonstrating their true business continuity capability, and not just their ability to draw up and manage a plan.
"Demonstrating true capability means that organisations have to move from merely assessing the continuity capabilities of key suppliers to integrating their continuity planning with those key suppliers and then conducting testing to ensure it all works together," said Cudworth.