Paradoxically, for many of them it is also a major blind spot. Many will abdicate responsibility to the IT department, then they will tick boxes on forms with an uneasy conscience whenever asked, to tell the auditors everything's OK.
That approach all too often results in the IT department trying to keep track of critical applications and business priorities as they chop and change. This is a thankless and impossible job, with IT directors struggling to second-guess the business.
It is only slowly dawning on many companies that disaster recovery does not necessarily equate to business continuity.
I know of one user that has decided to install a mirror storage area network at huge expense, simply because it is easier than keeping a list of business-critical applications.
Current approaches to business continuity cluster towards unsatisfactory extremes. There is either indifference in business departments, or everything is planned to death. The first approach leads to the anxious abdication discussed above. The second micro-plans in far too much detail to be practicable in an emergency. One business continuity plan I came across even specified the type of pens to be used.
Having a plan, however unworkable, is an important first step. The only workable business continuity plans draw on military practice: you plan to keep things going for 24 hours regardless, while having the lateral-thinking people and the basic processes in place to live off your wits after that - not an easy box to tick.