Spending, therefore, is robust, with the public sector and regulated industries, such as the financial sector, pharmaceuticals and utilities, leading the way.
Even in the small-to-medium size enterprise sector, which is typically slow to spend on business continuity, vendors such as IBM are reporting 10 per cent growth in sales. Gartner estimates that companies put about 2 to 4 per cent of their IT budgets into business continuity planning.
For a big bank, spending could be in the region of $20m to $40m according to Philippe Jarre, IBM's business continuity and recovery services executive with responsibility for Europe, the Middle East and Africa. When it comes to failures of computer hardware and software, companies are very well prepared, and tend to recover extremely quickly and well, says CMC's Debbie Rosario.
Recent massive power cuts in the US and Europe have also heightened awareness of utility failures, and most companies tend to be well-braces for these, with uninterruptible power supplies installed. Ms Rosario's study found that 75 per cent of companies had a business continuity plan in place for these. However, they are less aware of more human risks - error, deliberate malicious action, and security breaches. Only about a third of companies had prepared for these risks, although they emerged in the Compass survey as the third most likely cause of an IT disaster. "Companies really focus on hardware, but most organisations don't think enough about the information that is walking around in people's heads," says Ms Rosario.
A key employee who has accumulated a great deal of knowledge about the business, can become a data loss for the company if they leave without making that knowledge accessible to the rest of the business.
Companies are also focusing too much on hardware, and not looking at the architecture of their software applications, says Mr Mingay at Gartner.
Many applications are inter-connected these days - back office stock inventories linked to front-office transaction software and so on - and the failure of one can easily take down the other systems as well.
Companies would do better, he says, to spend time making their software applications more resilient, rather than being concerned about building a remote site. Lack of management skills may also be part of the issue, says Mr Jarre at IBM.
"In the past two or three years companies have done a lot of recovery work themselves, but they don't necessarily have the skills to manage the programme," he says. "The IT is 40 per cent of success in disaster recovery, the rest is how you manage the people and processes during the disaster."
Above all, it seems companies are not spending enough time testing and reviewing IT recovery plans.
According to a recent survey by the UK's Department of Trade and Industry, only 8 per cent of companies bothered to test their IT recovery plan. Chris Potter, the PricewaterhouseCoopers partner who led the survey, says: "Many businesses think they have good back-up systems in place, but then discover they are unreliable when needed." Ms Rosario adds that such plans must be checked constantly: "Risk is dynamic. We need a cultural change, for people to realise this is not a one-off exercise."