What use is a BCP that won't work?

While contemplating the latest PwC security survey report, I was intrigued to read:
"At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. (Figure 15)  But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening.  In effect, most organizations (63%) have no plan or the plan they have doesn’t work." 
I'm curious about the implication that about a third of organizations have nonfunctional contingency plans for information security incidents. Presumably they know their plans don't work because:
  1. They have used the plans but they failed in operation. It's possible some such organizations are too busy trying to recover from the incidents, or conceivably they are too badly damaged, to work on their contingency plans right now. What are the others doing?

  2. They have tested the plans but the tests failed. Surely these organizations are in the process of re-working their plans? The alternative - failing to respond to the test failure - sounds to me like more than just a matter of incompetence or not knowing how to fix their broken plans. Isn't this a governance issue, verging on negligence? Or

  3. For some reason they assume their plans would not work, perhaps because they are clearly incomplete, unworkable or missing vital components. They believe they have an issue but are they doing anything about it? This assurance issue indicates poor governance again.
I could understand a small proportion (5 to 10%?) of organizations finding themselves caught in the act of checking and updating their plans at the time of the survey, but I would not have predicted the proportion would reach as high as one third, on top of the 42% without any plans at all (doh!).  Such is the value of surveys, I guess.

IMNSHO it's high time that contingency, or rather business continuity, planning came into the mainstream of business management, under professional leadership, as an expectation of every soundly-governed organization. Having no workable plans is simply an untenable position for management, especially knowing that there is no such thing as perfect or complete information security, and given that serious incidents will certainly be costly and could easily destroy the business. Standards such as BS 25999 and NFPA 1600 are already available, with ISO/IEC 27031 and ISO 22301 on their way, while professional organizations such as the BCI support their members with information and guidance on good practices.

An article for EDPACS that I wrote in conjunction with Rob Slade, currently 'in press', uses the earthquakes and tsunami in Christchurch and Sendai to highlight 40 valuable lessons for business continuity planning.  I'll let you know as soon as it's released  :-)