We had a rather unpleasant surprise a couple of weeks ago when we tried to log on to the Citibank site (www.citi.com) - normally one of the most reliable and accessible online-banking destinations.
 
    The site wouldn't let us enter critical account areas or get access to ancillary services, like the help system or even the link that lets you report problems. This occurred on both Wednesday and Friday, Feb. 25 and 27.
 
    The system slowly revived during the course of that Friday.

A Citibank spokesman told us that the outages weren't a result of hackers or viruses, and that the system hadn't been compromised in any way. Instead, he said, it had been crippled by technical difficulties that forced Citibank's staff to take it down and then reboot it.
 
    Such outages are scary, especially when they involve something that holds the keys to your finances.

    Information technology is taking an ever more prominent role in company disaster recovery plans.
 
    But expensive kit is being let down by lack of proper management, focus on the wrong types of emergencies, and insufficient review and testing.
 
    IT disaster recovery is no longer the province of tech-heavy companies alone. As the so-called "e-business" model spreads throughout all different kinds of companies, the corporate IT system has come to be seen as the life-blood of a business.
 
    Businesses increasingly run their databases over office-wide networks, link employees' computers via office-wide wireless-lan (local area network) connections, sell goods and run support services over the internet and rely on receiving customer commissions by e-mail.
 
    For any part of this network to fail could have wide-ranging consequences. Recent research by the Business Continuity Institute and the Chartered Management Institute found most businesses considered IT systems their priority when preparing for a disaster.
 

Losses from damage to key IT systems can be extremely punishing.
 
    According to IBM, one hour of IT downtime during which a bank is unable to trade could cost $6.5m. Collapse of a credit card handling system can cost $2.6m, and even a travel agent taking airline bookings could lose $90,000 an hour if the reservation system fails.
 
    Statistics from the National Archives and Records Administration in the US suggest 93 per cent of companies that lose their data centre for 10 days or more due to a disaster tend to file for bankruptcy within one year.
 
    New regulations are also throwing a particular spotlight on IT business continuity issues. The Basel II rules for the European banking sector, for example, stipulate banks must have a resilient back office structure by 2007, and this, says Simon Mingay, analyst at Gartner, the technology research house, has become one of the key factors pushing banks to update their IT business continuity systems.

    Spending, therefore, is robust, with the public sector and regulated industries, such as the financial sector, pharmaceuticals and utilities, leading the way.
 
    Even in the small-to-medium size enterprise sector, which is typically slow to spend on business continuity, vendors such as IBM are reporting 10 per cent growth in sales. Gartner estimates that companies put about 2 to 4 per cent of their IT budgets into business continuity planning.
 
    For a big bank, spending could be in the region of $20m to $40m according to Philippe Jarre, IBM's business continuity and recovery services executive with responsibility for Europe, the Middle East and Africa. When it comes to failures of computer hardware and software, companies are very well prepared, and tend to recover extremely quickly and well, says CMC's Debbie Rosario.
 
    Recent massive power cuts in the US and Europe have also heightened awareness of utility failures, and most companies tend to be well-braces for these, with uninterruptible power supplies installed. Ms Rosario's study found that 75 per cent of companies had a business continuity plan in place for these. However, they are less aware of more human risks - error, deliberate malicious action, and security breaches. Only about a third of companies had prepared for these risks, although they emerged in the Compass survey as the third most likely cause of an IT disaster. "Companies really focus on hardware, but most organisations don't think enough about the information that is walking around in people's heads," says Ms Rosario.
 
    A key employee who has accumulated a great deal of knowledge about the business, can become a data loss for the company if they leave without making that knowledge accessible to the rest of the business.

    Companies are also focusing too much on hardware, and not looking at the architecture of their software applications, says Mr Mingay at Gartner.
 
    Many applications are inter-connected these days - back office stock inventories linked to front-office transaction software and so on - and the failure of one can easily take down the other systems as well.
 
    Companies would do better, he says, to spend time making their software applications more resilient, rather than being concerned about building a remote site. Lack of management skills may also be part of the issue, says Mr Jarre at IBM.
 
    "In the past two or three years companies have done a lot of recovery work themselves, but they don't necessarily have the skills to manage the programme," he says. "The IT is 40 per cent of success in disaster recovery, the rest is how you manage the people and processes during the disaster."
 
    Above all, it seems companies are not spending enough time testing and reviewing IT recovery plans.
 
    According to a recent survey by the UK's Department of Trade and Industry, only 8 per cent of companies bothered to test their IT recovery plan. Chris Potter, the PricewaterhouseCoopers partner who led the survey, says: "Many businesses think they have good back-up systems in place, but then discover they are unreliable when needed." Ms Rosario adds that such plans must be checked constantly: "Risk is dynamic. We need a cultural change, for people to realise this is not a one-off exercise."