Business continuity: thinking ahead

A good way to define business continuity management is: "The ongoing process of ensuring the continual operation of critical business processes through the evaluation of risk and resilience, and the implementation of mitigation measures."

It is important to understand that business continuity management is concerned with the whole business whereas disaster recovery tends to focus on information and communications technology recovery and back-up plans as a result of physical incidents such as fire and flood. Both are intricately linked.

Disaster can strike at any time, often from the least expected source in the least expected area. Indeed it is often that one thing that was not included in the risk management analysis, the one area that was not covered. "It could never happen to us" or "We could never have thought that would happen" are common remarks after such an incident.

Think Lehman Brothers, 9/11, volcanic ash, flu epidemics, a department syndicate winning the Lottery/football pools, fire in the building(s) next door, unauthorised access to building services, compromised air intakes, mineral water supply, cleaning and support staff, major oil spills, power supplies for ICT equipment, cyber attacks, data centre(s) being compromised, etc.

Many of these could not have been foreseen, and so were most unlikely to figure in a BCM strategy. After some of these events, many companies did not survive the following 13 months.

There are over 50 active terrorist organisations scattered around the globe, meaning terrorist activity poses real threats. Any chaos resulting from a terrorist incident will not necessarily be attributed to a particular cause - "gas main explosion" could well cover "bomb blast" for example.

There are key compliance standards that need to be addressed, including ISO 27000 (formerly ISO 17799), Sarbanes-Oxley, PCI-DSS and HIPAA. Many hours of research and planning will be saved by doing everything suggested - even if the organisation is not governed by these compliance standards, it is in the best interests of the organisation to follow the best practices outlined.

Chris Smith, sales & marketing director of data centre management company on365, says: "We are seeing limits on power supplies for data centres as a combination of continued commercial development in London and the ring fencing of power supplies for the 2012 Olympic sites. There are trends emerging in the provision of data centres such as 3DC, where two data centres are sited close together and operate as a mirrored pair, with the third located far away. These sites ensure better DR with minimal data losses with faster recovery time objectives (RTOs) and recovery point objectives (RPOs) as required by specific industries or market sectors."

With one in six - or 5.2 million - properties in the UK at risk of flooding, organisations need to make adequate preparation to minimise the risk to their premises from flooding and prepare an effective plan to stay in business if disaster should strike. This is not one to ignore - in England alone, the Department of the environment, farming, and rural affairs and the Environment Agency calculate the cost of flooding to businesses in an average year is over £400 million.

By law, all businesses should have a fire management plan drawn up, but few organisations have a flood management plan ready. The Environment Agency reckons the average cost incurred per flooded business was between £75,000 and £112,000, while the Association of British Insurers found that claims for storm and flood damages in the UK doubled to over £6 billion from 1998 to 2003, compared to the previous five years. By 2050 the figure is expected to be £18 billion.

The organisation Floodgate has drawn up advice to handle flood damage: switch off and relocate high-value stock, critical records and electronic systems to upper floors (and ensure the back-up data centre is active); hold back hazardous water as floodwaters are often contaminated with biohazards and other items; and take photos of the damage to the property and contents for insurance claims.

Now consider that phenomenon that is the BlackBerry, regarded more as a nuisance in some quarters. Despite the device's growing value to businesses, work done for Mimecast, a unified email management company offering Software-as-a-Service based email security, continuity, policy control and archiving, shows BCM plans often do not extend to the device.

While 48% of IT managers at the first day of the recent Infosecurity show reported BlackBerry downtime at least once a quarter, only 44% of those who have a BlackBerry Enterprise Server have any continuity for the service. This compares to 75% of all respondents having email continuity, which is arguably an equally low figure considering the value of the technology to productivity.

Most people dread email downtime. Indeed BlackBerry downtime is said to be in the top three most vocal complaints directed at IT managers. Other disruptors included internet access, file servers, databases and phones.

Mimecast founder and chief executive Peter Bauer says, "Despite being a relatively new entrant in the enterprise IT department, the BlackBerry Enterprise Server is becoming ever more critical to smooth business operations because of the proven productivity gains the system brings. It's worrying that half the organisations coming to depend on the mobile solution have no continuity system to ensure downtime doesn't impact on the business - and some don't have an email continuity service at all."

Both new opportunities and new risks have been brought to business through personal, customised technology. The first generation to grow up in this era - dubbed generation Y, employee 2.0 and the New Millennials - work in an environment where there is a blurring of the line between business and personal activity, a changing nature of internet use in the workplace and changes in what businesses are doing today about trends in control over web access and usage.

There is potential disruption emanating from over-zealous usage of social websites and material input through memory sticks. All this puts a dampener on productivity and efficiency.

In its annual analysis of major causes of business disruption in the UK, SunGard Availability Services has discovered more business interruptions are being caused through workplace disruptions than by technology. In 2009, there were 42% more invocations than in 2008, and workplace disruption accounted for 56% of all business disruptions. This is the first time technology issues have been outnumbered. Indeed the number of technology invocations fell by 8%.

What many people do not realise is that there can be business risk in success. Imagine a financial institution suffering significant losses in trade after its management team has shaken hands with the Prime Minister who proclaimed the organisation to be in a "league of the best of the best." What could possibly be the problem here? Simple - the directors became complacent, basking in glory, and accepted every invitation and opportunity to talk at business seminars about how they had achieved their fame. Of course, while they were busy doing this, the organisation was falling into difficulties. Both quality and risk need constant attention.

Digital risk is important, but few organisations view the cost of computer network security, for example, as a corporate requirement as opposed to an expensive option. Statistics and collated data are explicit that up to 2015 one organisation in five will suffer major disruption to its business through fire, flood, storm, power failure, terrorism, or hardware or software failure. After an event, four out of five of those who fail to offer a full business continuity plan will be out of business within 13 months, as noted earlier.

It seems hard to believe but most organisations make almost no effort to manage their level of digital risk. Glaring omissions include firewalls (four out of five with external electronic linkages do not have one), and virus protection (one in three apparently). Passwords and user names are a minefield - how many does any one person or department have? Are they written down on notepads, Post-It notes and/or backs of envelopes? Those who apply the highest levels of security will typically be considering palm print, voice recognition and iris scanning technologies (aka biometrics) to manage their digital risk.

The word ‘disaster’ should be given to any incident that prevents the business of an organisation from operating as usual, from company memory stick theft to a (computer) virus infection, and not just to large-scale incidents such as fires, floods, flu outbreaks or terrorist bomb threats.

Using the services of a DR specialist is a given in today's business environment. Having defined what it wants, the organisation will look for its DR firm to assess and respond to change, keep abreast of changes in technology, and provide regular testing for recovery plans.

BCM should properly be seen as an investment by an organisation. Rather than merely reducing the impact of a disaster on business, BCM can also increase employee, investor and shareholder confidence in the organisation.

This feature can only hope to scratch the surface of DR and BCM. Yet if organisations need to take one item away after reading these words, it is this: practice your plan at (ir)regular intervals. Don't be complacent. There has to be buy-in from the top of the organisation down. An up-to-date plan - developed alongside changes in technology, staff and the organisation's direction - can never be tested enough.

But do note that it will be that one event you had not planned for that could potentially cause the biggest disruption to your business. Is your organisation prepared? Finally, has the organisation realised the crucial difference between BCM and plain insurance - i.e. that the latter will at best replenish the value of the equipment lost, but at a time when it could already be too late?

May 2012
