The ancient joke states that standards are such a good thing that everyone wants their own one. However, the new BS25999 standard for business continuity corrects a glaring omission and should be welcomed by firms as a useful badge for demonstrating a diligent approach to what happens when it all goes wrong.

Let me say right away that I do not believe PR-driven surveys purporting to show that “Almost Nobody Backs Up Data ­ Most Companies Run Risk of Losing Critical Data”. Backup routines might be scarce among consumers and even mid-sized firms but that is not the case at large businesses. Sure, there are instances of data being lost because of missed backup slots and disk or tape corruption, but the idea that firms just don’t bother or don’t have a strategy is laughable. Blame poor research, desperate marketing, complaisant journalists or bored recipients of questionnaires, but don’t believe this nonsense.

The truth is more complicated. Companies almost always have a business continuity plan but its execution is often fallible. Based on anecdotal evidence, the main reason for this would appear to be a lack of ongoing review procedures, compounded by a failure to address disruptive changes, such as people leaving the company, and the inevitability of new and adapted roles.

The often-heard complaint is that disaster recovery and business continuity processes tend to be created with a big bang, and then are left alone. Very often they will be triggered by a powerful stimulus. This can be a data loss or systemic breakdown at a peer organisation, an Act of God such as an earthquake, or else a terrorist atrocity such as 9/11. Frequently driven by the chief executive, companies will then go pell-mell for a new business continuity plan that ticks all boxes. A Swat team of the brightest and best is appointed. A highly efficient process is created. The plan is communicated. People think: great, everything that can be done, we have done, based on the best possible data we could get and apply at the time.

The problem is with those last few words. As staff leave the company, as the organisation morphs into new areas of activity, as memories of the last big outage regress, the situation changes. As with a fire-alarm procedure, it’s no good having a one-off approach. Instead, that approach must be communicated, reviewed and repeated so that all staff members and supply-chain partners know where they stand in the event of a problem.

Outside of financial services and a few other areas where IT virtually runs the organisation and budgets are not a problem, I don’t know too many firms that can say they have that kind of optimal plan.

Hardware and software can only do so much, although there are some very interesting initiatives, such as Citrix and IBM’s Project Kent, which creates a real-time alerting and communication system in the event of a disaster. But what is needed is a broadly recognised rigorous framework, and that’s where BS25999 comes in. Any company that wants to demonstrate that its people are prepared for the worst should be investigating the standard now.