Business Continuity Management
by Michael Gallagher
Two out of five enterprises that suffer a disaster will go out of business in five years, according to research by the Garner Group, United Kingdom. An effective continuity management plan can improve your firm's chances of survival.
Business continuity management (BCM) is defined by the Business Continuity Institute as "the act of anticipating incidents that will affect mission-critical functions and processes for the organisation and ensuring that it responds to any incident in a planned and rehearsed manner".
This definition focuses on three key factors:
The organisation must examine the risks to which it is exposed and consider how best to manage them if an incident occurs. The terminology is important: the word "disaster" conjures up images of fires or floods. "Incident" includes these occurrences but it can also relate to power cuts, telecommunication failures, fraud, contamination, the failure of key suppliers and other events that do not sit comfortably under the generally accepted meaning of disaster. It could even cover the inappropriate comments of an indiscreet senior executive at a public function.
BCM is not about plans for the everyday things that go wrong – it is concerned with significant incidents that have a considerable impact on core business activities. It is too easy to divert effort into developing procedures to cope with the failure of day-to-day processes. While these must exist, BCM needs to focus on the big picture.
Proper planning, the meaningful involvement of appropriate people and thorough testing are all prerequisites of an appropriate response.
BCM is largely the outcome of a process that started in the early 1970s as computer disaster recovery planning which documented the actions required to safeguard or re-establish IT operations. This was more concerned with restoring a firm's financial systems to working order, for example, than about whether there would be any offices left to house the finance staff who used them.
In the 1990s, the emphasis shifted from IT to an approach considering all aspects of an organisation's business. BCM is no longer seen as a project with a defined end date; it is now a continuous process. And since the terrorist attacks against the US on 11 Sep 2001, it has assumed a new importance. Firms realise that their survival could depend on it.
This heightened level of awareness means that a greater budget allocation may be available to BCM. More significantly, the message preached by business continuity practitioners for years that BCM principles should be an integral part of the business planning process is now more likely to be heard. This applies to capital projects, new processes and applications. BCM and risk-management considerations should be addressed in the "business requirements" phase of projects rather than as an add-on when completed. At that stage, such additions become expensive.
To a large extent, it was Y2K that provided the greatest boost to BCM. Fear and uncertainty about the implications of the change-over caused many firms to consider business continuity for the first time. It increased awareness of interruption issues, resulted in a better understanding of critical processes and improved co-operation between the public and private sectors on emergency management issues.
The work done to ensure that IT systems coped with the date change also significantly improved firms' control over their systems. User documentation was improved and, for the first time, some companies established a proper inventory of their data. Many of those people who had been responsible for the millennial changeover project were then given the task of building on the work they had done and of broadening it out into full-scale corporate BCM programmes.
There are many reasons why every organisation should have a BCM plan. In some cases, the initiative comes from pressure to respond to the recommendations and demands of auditors or insurers. Sometimes the driving force is the concern of non-executive directors, who are conscious of their responsibilities under the requirements for sound corporate governance. Regardless of these pressures, BCM should be seen as an integral element of good management practice. It is foolhardy for managers not to plan for business continuity and so minimise any business disruption that could be caused. But BCM is about more than this. It is concerned with:
- Safeguarding share value and the shareholders' interests;
- Demonstrating good management;
- Protecting jobs;
- Protecting the company's reputation and brand value.
Many organisations are starting to demand that their first-tier suppliers (and, in many cases, their second-tier suppliers) have documented business continuity plans. There are also regulatory and legislative requirements dictating that organisations have appropriate continuity practices in place. In the US, clearly influenced by the events of 11 Sep, the National Association of Securities Dealers recently proposed that all of its members operate viable business continuity plans as quickly and efficiently as possible.
In terms of responding to the crisis on 11 Sep, there were many examples of both successes and failures. One well-known bank based in the World Trade Centre simply switched to a site around 30 miles away with no data loss and minimal down-time. The computer systems of a major insurance company continued to function from a back-up data centre based 1,000 miles away with no loss of information.
On the other hand, two major law firms are reported to have gone out of business as a result of their failure to protect vital papers – an aspect that is often overlooked in continuity planning. Some organisations found that their plans were actually much too detailed and so proved less effective than they had anticipated. Other companies did not have enough alternative serviced office space available to continue their operations quickly. In certain cases, organisations found that their emergency operations centres for directing crisis-management activities were also unavailable.
Lehman Brothers had 6,000 employees in the World Trade Centre on 11 Sep. More than 600 information systems staff worked on floors 38 to 40 of Tower One. All but one of them came out alive. While they were descending the stairs they were already using their paging system to alert colleagues in New Jersey to activate the recovery plan. Despite all the devastation and trauma, the firm's treasury department became operational at the back-up site later the same day and was performing its cash-management functions. On the following day, the company was trading fixed-income products. By the time the New York Stock Exchange had reopened, it had around 400 traders on-line to handle equity business.
Lehman Brothers achieved this because it had dual data centres and had built adequate resilience into its communications networks. It had two identical data centres: one in Manhattan and one in New Jersey, linked by fibre-optic cable running under the Hudson River. Its wide-area links were also duplicated. In this way the firm could cope with losing either site and, when its Manhattan office was destroyed, it still had access via New Jersey to all of its other branches.
Most business continuity plans did not take into account the potential for such wide-reaching disasters. The idea that two large, fuel-laden commercial aircraft would deliberately target the towers would, understandably, not have featured in many risk scenarios. The US Securities and Exchange Commission, in conjunction with a number of other bodies, has analysed events in the wake of the attacks with a view to strengthening the overall resilience of the financial systems.
The anthrax scares that followed soon after 11 Sep also highlight the extremely disruptive implications of bio-terrorism, whether real or threatened. Fears about anthrax-contaminated mail started when a photo editor working for an American newspaper died after being exposed to the toxin. Some major media organisations such as the New York Times, ABC, CBS, NBC and CNN shut down their post rooms for a period. Newspaper editors advised their readers that they would accept letters for publication only by email or fax. The US Congress urged constituents to communicate with politicians in similar fashion.
The vulnerability of the postal service to attacks of this type led to a rise in email and fax usage, but an ever-increasing dependency on e-communication means that an effective Internet virus attack would be all the more devastating. Security agencies warn that cyber-crimes against western economic targets are increasingly likely. In their view, terrorist groups are developing the technological expertise to achieve a strike that could have global repercussions. In this context, an organisation's information security policies and operations must be a key component of its business continuity activities.
How advanced is your BCM?
- Is there a BCM programme in place?
- Is there a person with overall responsibility for managing the programme?
- Has a culture of risk management/BCM been established?
- Has a risk analysis or business impact analysis been completed, and has the senior management team endorsed the priorities that the process has defined?
- Is there an emergency/crisis management team in place?
- Is the continuity plan exercised regularly?
- Is information security integrated into the BCM activity or does it work in isolation?
- Does the plan reveal how to handle the media?
- Does the plan address HR issues?
Michael Gallagher FCMA is head of management services at RTE, Ireland's national broadcasting organisation, and a member of the Business Continuity Institute. This article is contributed by CIMA (The Chartered Institute of Management Accountants), the leading professional accountancy body in the world that trains and qualifies accountants in business. It offers the internationally recognised CIMA Professional Qualification in Management Accounting. Currently CIMA has 155,000 members and students throughout the world.