The current U.S. movement toward corporate accountability has driven many formerly divergent disciplines into the boardroom together. If you examine the business flow charts of top Fortune 1000 enterprises, you'll probably see the heading of risk management sporting subcategories never before seen there, including physical security. Bundled in this new protection package are business continuity, risk mitigation and disaster management. But how many companies are truly prepared to address the risk issues within their domains?
Recent studies conducted in the United States and the United Kingdom show surprisingly different results when it comes to business continuity and risk planning. A majority of businesses in the U.K.-70%, according to a March 2005 survey by the Business Continuity Institute-report that they have tangible business continuity plans on the books. That figure soars to more than 85% when referenced within the financial and banking sectors and around 81% in the retail community.
However, in the U.S., business continuity planning is not a high priority at one in three companies with more than $25 million in annual revenues. Only four in 10 officers who have responsibility for business continuity planning at companies in this bracket say business continuity has always been a priority for their company, while 25% say it has only become a priority in recent years due to security and terrorist threats. Twenty-six percent say business continuity planning is important but not a high priority, while 5% admit it isn't important at their company. And only 57% of American companies surveyed in the financial sector had business continuity plans, according to a national survey done in 2004 by the Opinion Research Corporation.
As irresponsible as it seems, a large number of American companies are placing their confidence in the systems they already have in place or gambling that disaster won't strike them. Many look at the fact that there hasn't been another major U.S. terrorist incident in four years and figure the odds are in their favor. Even among companies with business continuity plans, however, one in four have failed to update their plan in the past 12 months, and four in 10 haven't even tested it in the past year.
I suppose the ultimate results of these two surveys conclude that security professionals like those in the U.K., who are more prone to terrorist threats and have felt the wrath of man-made disaster, seem more likely than their counterparts across the pond to take threats seriously by budgeting for business continuity and risk planning.
My fear is that once the other shoe drops for American business, it may be too late for planning.
If you have any questions or comments for Steve Lasky regarding this issue or any other, please e-mail him at [email protected].

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive
Steve Lasky is Editorial Director of the Endeavor Business Media Security Group, which includes SecurityInfoWatch.com, as well as Security Business, Security Technology Executive, and Locksmith Ledger magazines. He is also the host of the SecurityDNA podcast series. Reach him at [email protected].