Goldman Sachs' latest shrewd investment was in sandbags and backup electricity generators.

As superstorm Sandy approached New York, the bags were stacked around its headquarters. It was one of the few offices in downtown Manhattan to remain dry and well-illuminated as "Frankenstorm" battered the city.

Meanwhile, a block farther down West Street, the headquarters of Verizon were awash with salty floodwater, soaking cables delivering phone and Internet services to millions of customers. The firm was able to reroute much of the traffic through other parts of its network, but local service was disrupted.

Sandy is the latest catastrophic event to test the readiness of the world's leading firms to cope with disaster. Most firms have improved "business continuity" preparations over the years. The Y2K scare at the turn of the century moved IT risk high up the list of worries. The Sept. 11 attacks warned firms of the danger of putting all their computers (and staff) in the same place.

Last year's Japanese tsunami reminded many companies that moving to "just in time" manufacturing through global supply chains, particularly when they involve outsourcing, can bring new risks. American carmakers found that they could not get essential parts made in Japan. Floods in Thailand the same year surprised many buyers of hard-disk drives, who found a large proportion of global supply comes from a rather small area near Bangkok.

A survey published on Wednesday by DHL, a logistics firm, reported that 23 percent of big companies did not include their entire supply chain in their business-continuity plan. If disaster risk-management stops at the borders of the "enterprise" and does not include, say, suppliers further down the chain, it may provide false comfort.

Each new disaster tends to surprise firms that thought they had good plans in place. Hospitals in New York that had moved their backup generators above ground nonetheless lost power during Sandy because they had not put fuel and pumps where floods could not reach. Running disaster-readiness drills regularly, it turns out, is a common-sense idea practiced all too rarely.

"Firms are increasingly reliant on networks, but often fail to understand the risks that networks bring," says Don Tapscott, a management guru. Global supply chains, just-in-time and shifting to the "cloud" tend to bind once unrelated activities ever closer together, making them more prone to failing at the same time. The current fad for moving data to the "cloud" may appear to reduce risk because there is so much spare capacity in the Web. Yet some firms offering cloud services have more concentrated operations than others.

Firms are starting to recognize their vulnerability to cyberattack, but few have much idea what they would do if it happened.

The best-laid plans

Dutch Leonard, a risk expert at Harvard Business School, says that the best-prepared firms use a combination of planning for specific events and planning to cope with specific consequences, such as a loss of a building or supplier, regardless of the cause. He also recommends copying an approach used by the armed forces: using a group of insiders to figure out how the firm could be brought down.

Sandy showed that when disaster hits, firms depend on how the various arms of government respond. Equally, government efforts can depend on the willingness of private firms to join in. Hurricane Katrina showed that the logistical capabilities of a big private firm, such as Wal-Mart, can deliver essential supplies better than the Federal Emergency Management Agency. Monopolistic utilities are often the least ready for disaster, as Sandy showed. But at least in New York and New Jersey, AT&T and T-Mobile put their rivalry on hold to improve cellphone availability after Sandy hit by sharing wireless masts.

The United States' poor physical infrastructure makes the problems worse. Firms should make lobbying government to invest heavily in upgrading that infrastructure a core part of their risk-management strategy, argues Irwin Redlener of the National Center for Disaster Preparedness at Columbia University.

Goldman Sachs has long been a leader in disaster planning because it understands that the situations in which it might not be able to function are exactly the sort of events when very large changes in the value of its investments could occur, said Leonard.

Yet too many firms underinvest in planning for disaster because they don't think it will pay, at least within the short-term timeline by which many now operate, reckons Yossi Sheffi of MIT.