Still gaps in banks' business continuity management
As operational risk management gets more attention from banks and regulators, all the major banks claim to have successfully invoked their business continuity plans, according to research conducted by the University of Southern Queensland's Centre for Australian Financial Institutions for IT supplier Fuji Xerox.

However, the picture is not so rosy among secondary and tertiary financial institutions.

The CAFI business continuity management study found that one in five regional banks doesn't have a business continuity plan. Moreover, there is potentially a gap between management expectation and reality with 75 per cent confident their plans will handle a crisis or near-crisis situation, although only 40 per cent have successfully invoked the plan.

Only two out of three building societies and credit unions have a plan, and 65 per cent think theirs can cope with a crisis even though only 40 per cent have got them to work.

As major users of information technology, banks have allocated much of their business continuity spend to IT, but the survey found that less attention has been given to vital business information still contained in paper documents.

Among the regionals, 60 per cent said they had not integrated paper document protection and recovery into their business continuity management. The situation is slightly better in the building societies and credit unions, with 50 per cent not catering for paper-based information.

Few banks even seem to know the business value of their paper-based data. Half the major banks said they did not, while 60 per cent of the regionals and eighty per cent of building societies/credit unions know nothing about the information at risk.

However, the weakest link for many banks relates to the increasing use of outsourcing for IT and other services, according to USQ's Glen Van Der Vyver.

"Seventy-five per cent of banks that outsource IT expect their service providers to have effective business continuity management, yet fewer than half actually verify that they do."

Except in the majors, formal service level agreements are not universal and auditing of the provider's disaster recovery capabilities is particularly variable. Many institutions appear to be taking comfort from the providers' contractual obligations, even though a win in court is unlikely to be much compensation for a failed business.