
Dissertation

Business Continuity Management and Perceptions of Impact: An Exploratory Study of Perceptions among
Professionals and Practitioners within the Field

Camilla Amundsen

Presented for MSc Business Management

September 2014

This project is entirely the original work of student registration number 1308828. Where material is
obtained from published or unpublished works, this has been fully acknowledged by citation in the main
text and inclusion in the list of references. Word count: 12 421
ABSTRACT
Business continuity management (BCM) is currently a rapidly growing field within both the public
and private sectors. The literature review (Chapter 2) identified four main streams within the relevant
literature. However, only a small number of articles within the field are critical of
the field. In addition, little empirical research is being conducted in relation to BCM. This is an exploratory
study using the grounded theory approach, in which eight participants were interviewed using the
semi-structured interview approach. The interviews were then transcribed and coded using the qualitative
analysis software NVivo. Twenty categories were identified during open coding and were then grouped
into five themes during axial coding. The analysis is the researcher's own interpretation of the data, and some
of the main findings are that research into the field should concentrate on current
practices and that an effort should be made to incorporate BCM into all business-related studies within
higher education. The final chapter of this dissertation presents a summary of the findings by drawing
conclusions in relation to each of the individual research objectives. The key findings are that the
impact of BCM within organisations is reliant upon a number of factors, such as the implementation
timeline and organisational learning. The profession is driven forward by regulations, and basic knowledge
is still absent; thus, research is needed. The criticisms identified in Chapter 2 were found to have merit.
A recommendations section was also made in relation to each research objective. Based on the findings,
the researcher recommends that all organisations be aware that implementing a BCM program is an
organisation-changing process. Practitioners and professionals should strive to be more open about
practices, and the discipline should be more reflective about its practices.

ACKNOWLEDGMENTS
I would like to take this opportunity to thank my supervisor, Dr. Karen Blakeley, for her advice,
encouragement, understanding, and support throughout this project.

Furthermore, gratitude is due to all the participants and the Business Continuity Institute, who all helped
create this dissertation.

I must also thank my fiancé, Henrik, for making this possible by moving to another country so I could take
a Master's degree and for his moral and practical support during the project.

Lastly, I would like to acknowledge my family, and especially Kristoffer Amundsen for his input.

TABLE OF CONTENTS
Abstract
Acknowledgments
List of Figures
List of Tables
Glossary
1 Introduction
  1.1 Background
  1.2 Research Focus
  1.3 Overall Research Aim and Objectives
  1.4 Value of this Research
  1.5 Structure of the Paper
2 Literature Review
  2.1 Introduction
  2.2 The History and Development of Business Continuity Management
  2.3 Discussions Within the Field
    2.3.1 Focus within the Literature of the Field
    2.3.2 State of the Knowledge
  2.4 Summary and Conclusion
3 Methodology
  3.1 Introduction
  3.2 Research Strategy
  3.3 Data Collection
    3.3.1 Data Quality
  3.4 Framework for Data Analysis
  3.5 Ethical Considerations with Interview Research
  3.6 Limitations and Potential Problems
4 Research Findings: Description and Analysis
  4.1 Introduction
  4.2 Interview Results
    4.2.1 Preliminary Findings within the Theme 'Meanings and Definitions'
    4.2.2 Preliminary Findings within the Theme 'Benefits'
    4.2.3 Preliminary Findings within the Theme 'Practice'
    4.2.4 Preliminary Findings within the Theme 'Understanding'
    4.2.5 Preliminary Findings within the Theme 'Examples'
  4.3 Analysis
    4.3.1 Analysis of the Theme 'Meanings and Definitions'
    4.3.2 Analysis of the Theme 'Benefits'
    4.3.3 Analysis of the Theme 'Practice'
    4.3.4 Analysis of the Theme 'Understanding'
    4.3.5 Analysis of the Theme 'Examples'
  4.4 Conclusion
5 Conclusions
  5.1 Introduction
  5.2 Summary of Findings and Conclusions
  5.3 Recommendations
6 References
Appendices
  Appendix A - Project Information Sheet and Consent Form
  Appendix B - Interview Guide
  Appendix C - Interview Transcripts
    i) Participant 2
  Appendix D - Code Themes and Categories
    i) Meanings and Definitions
    ii) Benefits
    iii) Practice
    iv) Understanding
    v) Examples
  Appendix E - MSc Dissertation Supervisory Meetings Record
  Appendix F - Dissertation Proposal Form
  Appendix G - Ethics Forms

LIST OF FIGURES
Figure 1: The Business Continuity lifecycle.
Figure 2: BCM and examples of possible sub-disciplines within organisations.
Figure 3: Management practices within organisations that may lead to business resiliency.
Figure 4: BCM and organisational structure and ownership.

LIST OF TABLES
Table 1: Overall research aim and individual research objectives
Table 2: The historical phases and the development of BCM.
Table 3: Suggestion of how the field has developed since 2010 and up until today
Table 4: Three categories of disasters and hazards that threaten an organisation's ability to operate.
Table 5: Overall research aim and individual research objectives
Table 6: Overall research aim and individual research objectives.
Table 7: Description of the categories and themes identified.
Table 8: The table shows some selected quotes from the theme 'Meanings and Definitions'.
Table 9: The table shows some selected quotes from the theme 'Benefits'.
Table 10: The table shows some selected quotes from the theme 'Practice'.
Table 11: The table shows some selected quotes from the theme 'Understanding'.
Table 12: The table shows some selected quotes from the theme 'Examples'.
Table 13: Overall research aim and individual research objectives
Table 14: Overall research aim and individual research objectives
Table 15: Description of the categories and themes identified.

GLOSSARY

Acronym
BC Business Continuity
BCI Business Continuity Institute
BCM Business Continuity Management
BCP Business Continuity Planning
BCS Business Continuity Strategy
BIA Business Impact Analysis
BR Business Resilience
BSI British Standards Institution
DR Disaster Recovery
ERM Emergency Risk Management
MTO Maximum Tolerable Outage
ROI Return on Investment
RPO Recovery Point Objective
RTC Recovery Time Capability
RTO Recovery Time Objective

Chapter 1

1 INTRODUCTION

1.1 BACKGROUND
Currently, the top economic entities in the world are increasingly becoming organisations (White, 2010,
2011, 2012). In addition, increasing economic, technological, human, and natural uncertainties present
organisations with the possibility that a crisis could suddenly arise (Baker, 2012; Herbane, 2010), thereby
threatening the organisation's ability to operate and, ultimately, its survival (Herbane, 2010; The Nova
Scotia Business Journal, 2011). Therefore, it is no longer enough to only prevent and plan for a known
threat or a likely crisis that might interrupt an organisation (Baker, 2012). It is becoming more important
to ensure that vital services and operations continue, within a timeframe that secures revenue and the
continuation of the business (Speight, 2011). According to Murrey (2013), after Hurricane Sandy hit New
York in 2012, academics felt that business is not yet taking sufficient protective measures in advance
of potential climate-related disasters.

Business continuity is a management approach concerned with an organisation's physical threats
(Speight, 2011). Within the field of business continuity management, or BCM, there is a consensus that
predetermined, all-inclusive plans are not useful when a real crisis impacts a business (Bland, 2013; Smith,
2013). Thus, a strategic approach to planning is practiced, concerning building outage, IT outage, vendor
outage, and staff outage (Smith, 2013). The field concentrates on how to restore vital services and
operations within the business if an interruption should occur (Baker, 2012). Thus, BCM can be seen as a
security of revenue (Baker, 2012).

According to Herbane (2010) and Turulja & Bajgorić (2012), research within the field increased
substantially after the 9/11 terrorist attacks in 2001. However, Copenhaver and Lindstedt (2010) argue
that the literature within the discipline mainly contains anecdotes and case studies, which lack a focused
discussion. Thus, the positive effects of BCM implementation are well known within the profession, due
to articles describing experiences and case studies (e.g. Stewart, 2010; Martin & Williams, 2014). However,
the literature contains little empirical evidence that tests BCM's influence and efficiency within
organisations (Copenhaver & Lindstedt, 2010).

1.2 RESEARCH FOCUS
As mentioned above, there is little empirical research conducted within the field of BCM (Copenhaver &
Lindstedt, 2010). In addition, there is only one peer-reviewed journal concerned with the subject, in which
there is little to no discussion or review of past suggested theories and models. In fact, the researcher
searched through the seven volumes of the journal and failed to find a critique of or an answer to any of the
previously published articles. Adding to this, there are few articles that analyse or review the current
practices within the field in a critical manner.

Only a handful of practitioners and professionals have raised issues with the current state of the literature
and body of knowledge within the discipline, and thus, the research conducted has focused on these. This
study intends to focus on people working within the field, practitioners and professionals, in an effort to
gain insight and understanding regarding their views of the current state of the discipline, thereby
investigating whether the critiques of the field have grounds in practice and what they think is needed to improve
and develop the discipline.

This area is important to study because the field is growing (Copenhaver & Lindstedt, 2010; Adamou,
2013) and it is receiving increasing governmental support, in the form of regulations, in an effort to
strengthen infrastructure resilience (Cabinet Office, 2013a). Furthermore, there is currently little empirical
research being done on the discipline, even though this is viewed as something that is needed. To the
researcher's knowledge, this type of study has not been conducted within the field to date, and by exploring
perceptions among practitioners and professionals, a unique insight into the current working environment
will be presented.

The overall research goal will be reached through completing the individual research objectives. Each
research objective is set out in an effort to enlighten different areas within the discipline. The first
concerns the organisational aspect of BCM, the second the disciplinary aspect of the field, the third is
concerned with the literary aspect, and the fourth is concerned with possible paths for future research.
These four qualities were selected in an effort to gain a holistic view of the field. There is a need for study
into these basic areas because currently the research does not exist, and the discipline is in need of a
stronger foundation.

1.3 OVERALL RESEARCH AIM AND OBJECTIVES
This study will critically explore perceptions among practitioners and professionals within the field of BCM.
It will consider perceptions regarding strengths, weaknesses and the future direction of the discipline.
This context has been selected because there is little systemised research done into the field, and this
may help guide future study into the field. Two main research strategies are used to guide the study; these
are an in-depth review of literature and the collection and analysis of empirical data. The specific research
aim and objectives are set out in Table 1 below.

Table 1: Overall research aim and individual research objectives

Overall research aim:
To critically evaluate the field of BCM by identifying practitioner and professional perceptions regarding its impact, strengths, and weaknesses, and its future in light of current academic and practitioner critiques.

Individual research objectives:
1. To investigate the perceived impact of BCM on organisations, by exploring views among professionals and practitioners within the field.
2. To investigate participant perceptions on the current state of the discipline, its strengths, weaknesses, and its future.
3. To evaluate participant perceptions in light of current critique of the field.
4. To analyse professional perceptions of BCM in order to build recommendations for future research.

Within this study, the term 'practitioner' means people without a certification within the field who
currently work, or in the past have worked, on a very basic level with BCM. The term 'professional' is used to
describe participants who are managers or consultants concerned with implementing BCM within
organisations or maintaining the program within organisations.

1.4 VALUE OF THIS RESEARCH
According to the Cabinet Office, small and medium-sized enterprises (SMEs) in the UK account for 99.9
percent of all private sector enterprises; this puts them in a unique position to impact the economy if
disrupted (Sterling, 2011). Furthermore, the UK government advises that business continuity should form
a key part of thinking in businesses of all sizes (Sterling, 2011, p. 138). As a part of the UK government's
efforts to increase resilience in society, BCM has been featured as one of the main tools used, and the
government states that it aims to ensure all organisations have a clear understanding of BCM (Cabinet Office,
2013a [Online]). Furthermore, BCM is legislated within the Civil Contingencies Act, which states that all
Category 1 responders (the emergency services, local authorities, and NHS bodies (Cabinet Office, 2013b
[Online])) are required to have a BCM program in place. According to Adamou (2013), the field of BCM is
growing exponentially, and governmental support and market demand can be seen as the main drives
behind this development (see Chapter 2). In light of the statements above, it is reasonable to assume that
the discipline will continue to grow in coming years.

According to Copenhaver & Lindstedt (2010, pp. 165-166), recent events and public legislation have pushed
the profession to centre stage, perhaps before practitioners were ready. Furthermore, it is stated that
little research has been conducted in an effort to discover and quantify the efficacy of BCM.
Consequently, research into the basic understanding surrounding the discipline may have value for both
professionals and practitioners; it may also bring value and understanding to future research.

1.5 STRUCTURE OF THE PAPER
Chapter 1 - Introduction

This chapter provides the reader with the background behind the choice of BCM as
a field of study and describes its importance within society and organisations. The focus of the study is
discussed and justified, and the overall research aim and objectives are identified. The concluding sections
of this chapter are concerned with the value of the research and the structure of the paper as a whole.

Chapter 2 - A Review of Literature

This chapter starts with introducing the history and development of BCM; it also explores past and
possible current drivers behind the development within the profession. It then moves on to indicate key
discussions within the literature, such as identifying the main streams within the articles and the state of
the knowledge. It ends with a summary of the key points made and conclusions.

Chapter 3 - Methodology

This chapter provides the reader with information regarding the research strategy used, that is, the
research philosophies and approaches used. Information is provided about the strategies for the data
collection and the method used to collect empirical evidence, semi-structured interviews. Furthermore,
the collection and analysis of the data are discussed and the ethical considerations relevant to the study are
outlined. Lastly, possible limitations and problems within the methodology used are defined.

Chapter 4 - Research Findings: Description and Analysis

This chapter offers the reader information about the preliminary findings within each of the themes
identified and shows some selected quotes from the participants. Furthermore, the analysis considers
each theme and, when possible, compares it with the findings from the literature review.

Chapter 5 - Conclusions

This chapter provides the reader with a summary of the findings in Chapter 4 and conclusions. Additionally,
recommendations are made for further study into the field and possible actions that can be made to make
this particular study more reliable, if repeated by other researchers.

Chapter 6 - References

This chapter contains an alphabetical listing of the sources referred to in this dissertation. The Harvard
system for referencing (author, date) is used in text and the Faculty Guide to Harvard Referencing
(provided by the University of Winchester) is used for end of text referencing.

Chapter 2

2 LITERATURE REVIEW

2.1 INTRODUCTION
This literature review will present the history and development of Business Continuity Management
(BCM). In addition, the main drives behind the field in the past are recognised, and a suggestion is made
as to what the current drives are within the field. Moreover, the review will examine the main streams
found within the literature of the field, namely regulated sectors, management focused, IT and cyber
focused, and model and methodology focused. The current state of the knowledge is then discussed and
evaluated, and a few articles critical to the knowledge receive extra attention. The chapter concludes with
a summary, and the findings are tied into the individual research objectives.

The main theme found within this literature review is that the scope and definition of BCM are currently
disagreed upon. There is currently no agreed-upon methodology within the field, to one degree or another.
Additionally, the field is dominated by informal sharing of individual lessons learned, and there is a lack
of discussion and systematic research (Copenhaver & Lindstedt, 2010, p. 165).

2.2 THE HISTORY AND DEVELOPMENT OF BUSINESS CONTINUITY MANAGEMENT


According to Herbane (2010), the origins of BCM can be traced back to the contingency planning and
disaster recovery planning approaches used by organisations from the 1970s. Business Continuity
Management emerged as a response to the technical and operational risks that threaten an organisation's
recovery from interruptions (Herbane, 2010). The most notable contextual pressure that led to the
development of BCM was the technological revolution in the 1970s (Elliott, Swartz & Herbane, 2010).
Recovery plans, rather than actions to prevent a failure from occurring, were developed, with a special
focus on Information Systems (IS). This emphasis remained in the 1980s and into the 1990s (Herbane,
2010; Elliott, Swartz & Herbane, 2010).

Herbane (2010) identifies three distinct phases of management practice that have impacted business
continuity management, along with four phases of development (Table 2). The first phase of development
was from the 1970s to the mid-1990s, when Disaster Recovery Planning (DRP) started to evolve into
Business Continuity Management (BCM). The second phase was from the mid-1990s to 2001. Here, BCM
was influenced by the emergence of standards intended for use across a variety of economic sectors. The
third phase was 2002 to 2005, when the post-9/11 period prompted a re-evaluation of organisations'
business continuity and disaster preparedness. The fourth phase was 2006 to 2010, and was marked by
the introduction of standards and guidelines that transcended both industry and national boundaries
(Herbane, 2010).

Table 2: The historical phases and the development of business continuity management: periods, drives,
and practices (adapted from Herbane, 2010).

| Period | Drives of Development | Management Practice | Nature of Progress | Notes |
|---|---|---|---|---|
| Mid-1970s-mid-1990s: Arrival by stealth | Emerging legislation | Disaster Recovery Planning (DRP) evolves into Business Continuity Planning (BCP) | Development | The scope of DRP was extended to include facilities and soft systems to increase resilience. |
| Mid 1990s-2001: Broader influence | Emerging Standards | Business Continuity Management | Development | Leading practitioners of BC embedded the activity as an ongoing management process. |
| 2002-2005: Post 9/11 Phase | Acceleration and focus | Business Continuity Management | Diffusion | Market acceleration. Greater focus on guidelines, standards and legislation. Diffusion of practices into different industries and national contexts. Revision of standards. |
| 2006-2010: Internationalisation Phase | Competing standards, certifications and breakout | Business Continuity Management | Standardisation | Introduction of standards and guidelines that transcend industry or national boundaries. Recognise the importance of collaboration. |

In the last 30 years, many industries and organisations have invested in business continuity management
as a systematic process to manage the impact of crises and disruptions, as well as to improve their
operations (Adamou, 2013). In addition, over the last ten years an increasing number of standards and
practices have emerged. This is because BCM has become an area of professional interest and a field of
work that is growing exponentially in all sectors (Adamou, 2013). In some countries, especially the UK and
the US, some aspects of BCM are covered by legislation or industry safety standards (Speight, 2011).
Business continuity associations have done much to define a common body of knowledge for
professionals, through certifications and certifying exams. However, the recognition of these is primarily
internal to the profession, and traditionally legitimacy to those outside a profession has come from higher
education (Orlando, 2009 [Online]). By looking at these points, one can suggest that the market demand
for BCM professionals, driven by regulations, has been prioritised over further development of the field.
The profession has leaned on earlier theoretical work and overlooked further development, while
standards and certifications have had the main focus of development. Table 3 is the researcher's own
analysis of the period the field has been in since 2010 and up until today. It suggests that market demand
and regulations have been driving the field, but that the further development of the field has stagnated
to some degree.

Table 3: Suggestion of how the field has developed since 2010 and up until today (Amundsen, 2014).

| Period | Drivers | Practice | Nature of Progress | Notes |
|---|---|---|---|---|
| 2010-2014 | Market demand and regulations | Business Continuity Management | Stagnation of development | BCM is growing exponentially in all sectors, with the exception of academic development. |

As the name implies, business continuity is a management process concerned with an organisation's
physical threats (Speight, 2011; Herbane, 2010). Rike (2003) identified three categories into which threats to
an organisation can be put: natural or environmental threats; technical or mechanical
hazards; and human activities or threats (examples of what each category includes can be found in Table
4).

Table 4: Three categories of disasters and hazards that threaten an organisation's ability to operate
(adapted from Rike, 2003; Guy & Lownes-Jackson, 2011).

| Category | Examples |
|---|---|
| Natural or environmental threats or hazards | Fire, flood, hurricane, earthquake, lightning strike, wind storm, snow and ice storms, tidal wave, typhoon, mould and mildew, insects and rodents |
| Technical or mechanical hazards | Power outages, gas leaks, software failures, sewage failure, building structural failure, toxic spills, radiation contamination, loss of physical access to resources, train derailments, airplane crashes |
| Human activities or threats | Computer error, lost or misfiled documents, vandalism, theft, bomb threat, terrorism, civil disorder, strikes, kidnapping, sabotage, loss of key personnel, epidemic, computer error |

BCM's focus within organisations should be on ensuring the continuity of operations, with a special
emphasis on critical business processes (Herbane, Elliott & Swartz, 1997; Turulja & Bajgorić, 2012).
However, a predominant view among practitioners is that this should be done in a strategic manner,
rather than through a comprehensive, all-inclusive plan for all likely and unlikely disruptions that may occur (Smith,
2013).

An important aspect of business continuity is that it should be viewed as an ongoing process. This was
first demonstrated with the business continuity lifecycle developed for the British Standard on BCM
(BS25999), published between 2006 and 2007, and again in the ISO standard of BCM, published in 2012 (ISO
22301) (Cabinet Office, 2013 [Online]; Business Continuity Institute, n.d. [Online]). The model is widely
accepted in the field.

Figure 1: The Business Continuity lifecycle (Business Continuity Institute, n.d. [Online]; Cabinet Office,
2013 [Online]).

2.3 DISCUSSIONS WITHIN THE FIELD

2.3.1 Focus within the Literature of the Field


There is only one peer-reviewed journal within the field of business continuity, i.e. Journal of Business
Continuity and Emergency Management. The focus within the journal can be divided into four main
streams: regulated sectors, particularly health (e.g. Roberts & Molyneux, 2010; Wapling & Mooney, 2011;
Hardie & Kitchen, 2014; Martin & Williams, 2014) and finance (e.g. Collins, 2007; Harvey, 2007; Alonaizan,
2009); management focused (e.g. Messer, 2009; Muffet-Willett & Kruse, 2009; Mcalister, 2011; Higgins
& Freedman, 2013; Olson, 2014); IT and Cyber focused (e.g. Hult & Sivanesan, 2013a & 2013b; Borrett,
Carter & Wespi, 2013; Putte & Verhelst, 2013; Scully, 2011 & 2013); and model and methodology focused
(e.g. Tinker & Galloway, 2009; Lindström, Samuelsson & Hägerfors, 2010; Epstein & Kahn, 2014).

These streams within the literature are natural themes to emphasise for practitioners, and for the most
part, these areas are in need of further research. Regulated sectors may be viewed as a driver in the growth
of business continuity and are therefore a central part of its development. Furthermore, Copenhaver &
Lindstedt (2010) identify executive management as the primary customer to business continuity, and
management support is viewed as essential in the implementation process, but managers often complain
of being confused (Copenhaver & Lindstedt, 2010). Additionally, there is wide agreement within the field
that managerial involvement is an important factor in the success of a BCM programme (Speight, 2011;
Baker, 2012; Bland, 2013; Smith, 2013). However, managerial support is hard to gain, and risk mitigation
strategies take centre stage (Ramakrishnan & Viswanathan, 2011). Management is generally unable to
see a direct Return on Investment (ROI) within BCM, and the activities are not considered to add value or
enhance earnings (Ramakrishnan & Viswanathan, 2011).

Since BCM evolved from DR, it is to be expected that DR continues to be a part of the literature today. In addition,
organisations are increasingly becoming dependent on technology and cyber threats are growing (Hult &
Sivanesan, 2013a). Thus, the combination of a growing level of technological interdependence within
organisations, combined with the increasing use of just-in-time business strategies, makes a delay in the
supply chain or absence of information systems (IS) devastating for most organisations (Ramakrishnan &
Viswanathan, 2011). Model development is also an area where it is normal for a discipline to focus.
However, currently there are no agreed upon methodologies (Copenhaver & Lindstedt, 2010) to business
continuity. In addition, the models that are developed are very specific in nature, and after being
published, no discussion or further development can be found.

However, a significant portion of the articles are based on experience, and often take the form of case
studies (e.g. Kahn & Draper, 2014; Loop, 2013) and anecdotal stories (e.g. Stourac, 2014; Nuttall, 2013)
with limited to no referencing. In addition, the articles are very specific in the area they talk about; one
example is the articles concerning pandemics (e.g. the SARS virus (Hollands, Lauriola & Jaffer,
2007; Johanis, 2007; Rosenbluth, 2010), the Avian virus (or bird flu) (Anastario & Lawry, 2007; Deluca &
Pinchot, 2007), and the H1N1, 2009 virus (Cleary et al, 2010; Danforth, Doying, Merceron & Kennedy,
2010; Rosenbluth, 2010; Spriggs, 2013)). Even though this area is of great importance, planning or
preparing for a specific virus within the context of business continuity is beside the point, as this approach
is about preparing a tactical plan for building outage, IT outage, vendor outage, or staff outage (Smith,
2013). Hence, a reasonable deduction would be that the specific virus that caused a limited number of
employees to be available to work is not of significance; the emphasis should be on what to do when there
is a limited number of employees available to work. Thus, one of the most emphasised benefits to BCP,
strategic planning, is lost within the literature's specific nature.

In addition to being theme specific, the literature is lacking a discussion amongst its practitioners. The
researcher has gone through the Journal of Business Continuity and Emergency Management, from cover
to cover without finding a single review or critique of previous work published.

2.3.2 State of the Knowledge
A definition and the scope of Business Continuity Management are still disagreed upon (Copenhaver &
Lindstedt, 2010), but a commonly used definition of BCM was created by the British Standards Institution
(BSI) in 2006:

[A] holistic management process that identifies potential threats to an organization and the
impacts to business operations that those threats, if realized, might cause, and which provides a
framework for building organizational resilience with the capability for an effective response that
safeguards the interests of its key stakeholders, reputation, brand and value-creating activities
(as cited in Herbane, 2010, p. 981; Sawalha, 2013, p. 363; Cabinet Office, 2013 [Online]; Business
Continuity Institute, n.d. [Online])

This definition is firmly rooted in a crisis management approach, and it is broader in its scope than more
traditional approaches (Elliott, Swartz & Herbane, 2010). Lansley and McAtee (2009, p. 1) are a little more
specific in their definition of BCM:

The integration of the disciplines of:

Crisis Management (Corporate issues);
Business Continuity (Process contingencies);
Disaster Recovery (IT system availability);

To identify potential impacts that threaten an organisation and provides a framework for building
resilience and the capability for an effective response that safeguards the interests of its key
stakeholders, reputation, brand and value creating activities.

This definition clearly builds on the BSI's definition from 2006. However, by incorporating the disciplines
of its heritage (Copenhaver & Lindstedt, 2010) some of the confusion surrounding the field is addressed.
This is because when the focus of Information Technology Disaster Recovery (IT DR) shifted and
broadened to critical business operations and became BCM, confusion grew around terms used by
practitioners (Jacobson & Kerr, 2011). Lansley and McAtee's (2009) definition is shared by Jacobson and
Kerr (2011), but with a few additions. Jacobson and Kerr (2011) see Crisis Management, Emergency
Management, Contingency Planning and Disaster Recovery all as sub-fields to BCM. However, it is noted
that these terms are often used interchangeably adding to the confusion outside the field, but that those
who use the terms in professional practice see each as unique segments or activities within the overall
BCM discipline (Jacobson and Kerr, 2011). Unlike Jacobson and Kerr (2011), Copenhaver and Lindstedt
(2010) argue that it is difficult to isolate business continuity from the discipline of its heritage, and
Lindstedt (2007) argues that the separation between BCP and other approaches within the discipline is
not clear.

In addition to confusion around terminology associated with BCM, Lindstedt (2007) and Copenhaver and
Lindstedt (2010) argue that a theoretical grounding of the discipline is much needed. Copenhaver and
Lindstedt (2010) list several central problems within the field that need to be explored further. These
problems can briefly be described as: the efficacy of business continuity is yet to be proven; what kind of
return on investment (ROI) is to be expected of business continuity; an accepted adaptable methodology
is absent; and what can customers expect from certified experts within the profession? These are all
questions of fundamental importance to the discipline's further development (Copenhaver & Lindstedt,
2010).

Within both of the definitions listed above, building resilience is a key concept. Business Resilience (BR)
is a term that is often linked with BCM (e.g. Duchek, 2014) and this is another area where there is
confusion within the discipline. Descriptions of activities within BR often overlap with activities within BCM
(e.g. Trollope, 2014). The question is therefore whether BR is a new discipline competing with BCM or
something else entirely. Academic interest in organisational resilience has grown over the last few years; however,
Duchek (2014, p. 861) states that existing research inadequately address questions of what resilient
organisations actually do and how resilience can be developed.

Copenhaver & Lindstedt (2010) argue that BR should be characterised as the full range of aspects and
efforts made by organisations to protect and continue an operational organisation and that business
continuity should be seen as a subset of BR. They go on to state that BR might look something like:

BR = BC + IT DR + EM + ERM + [and so on] (Copenhaver & Lindstedt, 2010, p. 166).

Peter Speight also talks about organisational resiliency in his 2011 article, and lists, not surprisingly, BCP,
Risk Management, and Crisis Management as core parts of BCM. However, Speight (2011) takes resiliency
a step further and lists training, organisation safety culture, and organisational learning as fundamental
practices when trying to ensure that organizations are prepared and resilient (Speight, 2011, p. 529).
This widens the term even further; however, it is still within the limits defined by Copenhaver and
Lindstedt (2010) as all efforts undertaken should be considered as BR.

There are many issues within related disciplines and within the discipline of BCM itself. Several
professional practitioners within the field have suggested that higher education could provide clarity and
structure to these confusions and issues (Lindstedt, 2007; Orlando, 2008 [Online], 2009 [Online];
Copenhaver & Lindstedt, 2010). Orlando (2009) argues that graduate programs are forward thinking, and
students would not only learn the current knowledge, but also question it. Furthermore, graduate
programs engage the students in research that in itself would advance understanding within the discipline.
This view is in part echoed by Copenhaver and Lindstedt (2010), in that students within higher education
have the possibility to improve the field with research, because they have time and resources available,
implying that practitioners do not have the time available or that it is not prioritised. However, a specific
business continuity graduate program is not suggested.

In addition to the confusion in the field, evidence of the impact the approach has on organisations is also
something that is missing. Research into both the quantitative and qualitative benefits or disadvantages
that business continuity management could provide an organisation is currently limited (Copenhaver &
Lindstedt, 2010). Consequently, a recurring theme in the ongoing discussions surrounding the field is
about Return on Investment (ROI) (Copenhaver & Lindstedt, 2010; Security Director's Report, 2007).

Furthermore, the field is surrounded by statistics regarding survival rates among businesses that do or do
not have business continuity. One of these is that 80 percent of businesses affected by a major
incident close within 18 months (Gosling, 2007 [Online]). However, Gosling (2007 [Online]) recently
brought these statistics into question, stating that despite extensive research he had never managed to
find the original source of these statistics. In a follow-up piece, by Gosling & Hiles (2009 [Online]), it is
concluded that there is not sufficient evidence to support the statistics currently being used, and that new
objective and disciplined surveys are needed (Gosling & Hiles, 2009 [Online]).

2.4 SUMMARY AND CONCLUSION


This review of literature has demonstrated that BCM is a growing discipline (Adamou, 2013); however,
there is still a great deal of confusion surrounding the field and systematic research of concepts and issues
is absent (Copenhaver & Lindstedt, 2010). The review of literature raises more questions than it answers,
and this can be seen as an indication of the state of the knowledge within the field.

Four main streams within the Journal of Business Continuity and Emergency Management were identified,
all deemed to be a natural place to focus development. However, the specific nature of the articles
contradicts the strategic nature of business continuity.

There are many questions within the field that are without a firm answer and Orlando (2008 [Online],
2009 [Online]) suggests that a graduate program is needed to further develop the discipline. Copenhaver
& Lindstedt (2010) also suggest that further research into the field would be of benefit. This is because
the potential properties, both good and bad, that business continuity can bring organisations are for the
most part not researched. The potential benefits business continuity could bring organisations are of both
qualitative and quantitative quality, but there is a need to investigate them. Further research into the field
is needed to give the discipline and its practitioners a firm footing.

Because only a handful of articles could be found that critically analyse or review the discipline and its
practices, these have been one of the main focuses throughout this review. The literature found is
predominantly positive towards current practices and body of knowledge, despite the lack of empirical
research.

The literature review relates to the research objectives (Table 5) in a variety of ways. Research objective
one (Table 2.4) set out to evaluate what the practitioners and professionals within the field see as
advantages and disadvantages of BCM. Both positive and negative impacts were identified in the
literature review and these will be explored further during data collection and data analysis. To answer
research objective two (Table 2.4) the researcher will use the critique found in the literature review to
help structure the interview guide and evaluate if practitioners and professionals agree or disagree with
them. The results of objectives one and two will feed into objective three.

Table 5: Overall research aim and individual research objectives

To critically evaluate the field of BCM by identifying practitioner and professional perceptions
regarding its impact, strengths, and weaknesses, and its future in light of current academic and
practitioner critiques.
1. To investigate the perceived impact of BCM on organisations, by exploring views among
professionals and practitioners within the field.
2. To investigate participant perceptions on the current state of the discipline, its
strengths, weaknesses, and its future.
3. To evaluate participant perceptions in light of current critique of the field.
4. To analyse professional perceptions of BCM in order to build recommendations for
future research.

Chapter 3

3 METHODOLOGY

3.1 INTRODUCTION
The research objectives set out to be answered in this project are as follows: (1) to investigate the
perceived impact of BCM on organisations, by exploring views among professionals and practitioners
within the field, (2) to evaluate participant perceptions in light of current critique of the field, and (3) to
analyse professional perceptions of BCM in order to build recommendations for future research (as set
out in Chapter 1 - Introduction).

The research objectives set out for the study have a number of interrelated objectives within the context
of business continuity. A possibly valuable aspect of the research lies in objective one, because little
research is conducted within the field (Orlando, 2009 [Online]; Copenhaver and Lindstedt, 2013).
Uncovering views of advantages and disadvantages among the field's practitioners relates to objective two,
and the researcher can evaluate the critiques of the field found in Chapter 3 (Literature Review) with
current views within the field. The result of the research feeds into objective three, which may be valuable
for future research.

Orlando (2009, [Online]) stated that academia has just started to take notice of business continuity; this
despite the rapid growth the sector is experiencing (Adamou, 2013). Lindstedt (2007), Orlando (2009
[Online]) and Copenhaver & Lindstedt (2010) all have discussed how academic study of the field might be
of benefit, in terms of developing a clear definition and scope, body of knowledge and methodology. At
present, there is only one peer-reviewed journal within the field, and an open discussion around practices
is absent. The uncertainty regarding the field's scope and unclear benefits is echoed in articles regarding
confusion and unwillingness among executive management to implement business continuity. The
researcher views the field to be intuitive and logical in that it is there to help critical operations continue
in the event of a disruption. This sets it apart from other approaches like Disaster Recovery for IT and
Crisis Management. The review of literature left the researcher with more questions at the end than in
the beginning. This is one of the motives behind the researcher's choice to use a grounded theory approach.

This chapter will provide details of the research strategy adopted to address the issues identified above
and why this specific strategy has been selected. In addition, the means of collecting data for analysis
and the analysis approach used are addressed. The issues surrounding the research strategy and potential
limitations will be discussed at the end of the chapter.

3.2 RESEARCH STRATEGY


The purpose of this study is exploratory in nature because of the limited theoretical foundation the
researcher can use. Saunders, Lewis and Thornhill (2007) identify three principal ways of conducting
exploratory research: (1) literature search, (2) interviewing experts in the subject, and (3) conducting
focus group interviews. The second approach is relevant to this study and was met through interviewing
professionals and practitioners within the field of business continuity. Saunders et al (2007, p. 598) define
exploratory research as research that aims to seek new insights into phenomena, to ask questions and to
assess the phenomena in new light. The focus of this research was therefore on a micro scale, as people's
personal perceptions are researched.

The social world of business and management is too complex to only theorise by definite laws in the same
way as the physical sciences and these complexities may be lost if reduced to law-like generalisations.
According to Saunders et al (2007, p. 600) interpretivism is an epistemological position that advocates the
necessity to understand differences between humans in their roles as social actors. This means that the
emphasis is on conducting research among people and not objects (Saunders et al, 2007). The
interpretivist perspective is highly appropriate to investigate business and management, because these
are complex social situations. Therefore, the perspective seemed appropriate to investigate business
continuity as this is a management process (Speight, 2011) and because the investigation concerns
perceptions and comparing them against the literature in the field.

The subjectivist view is that social phenomena are created from the perceptions and consequent actions
of social actors. This view follows the interpretivist position that it is necessary to explore the subjective
meanings motivating social actors in order for the researcher to be able to understand these actions. This
view is relevant to this study because it will be the researcher's role to develop understanding of the
subjective reality of the participants. This was done so that sense can be made of and understanding can
be built around the subjects' motives, actions and intentions, in a way that will be viewed as meaningful. A
subjectivist view on the culture around business continuity would be that it is a result of a process of
continuing enhancement by its practitioners. Investigated here is the meaning that these phenomena are
given by the actors within the field, to understand the culture.

The central effort in the context of the interpretive paradigm is to understand the subjective world of
human experience (Cohen, Manion & Morrison, 2011). Saunders et al (2007, p. 600) define this paradigm
as a philosophical position which is concerned with understanding the way we as humans make sense of
the world around us. In this paradigm, it is common that researchers work directly with experience and
understanding to build theory on them. Hence, theory should not precede research, but follow it (Cohen
et al, 2011). This paradigm relates to all the objectives set out for the study, but particularly objectives
one and three.

Typical of the interpretive paradigm is inductive reasoning (Hennik et al, 2011). However, Hennik et al
(2011) argue that it is common to use both inductive and deductive reasoning in different stages of a
study. The research strategy selected here, grounded theory, nevertheless has strong implications for the
reasoning used. This is because grounded theory offers an implicitly inductive approach to data analysis,
where the codes, concepts and theory are derived from the data (Hennik et al, 2011). This reasoning
strategy corresponds well with the grounded theory approach in that the empirical evidence provides a
framework for understanding phenomena.

Hayes (2000) notes that the theory produced using this analysis approach may sometimes be very context-
specific. However, because it is grounded in data from the real world, it can serve as a strong basis for
further investigation and at the same time be a research finding in its own right (cited in Bell, 2005). This
approach was deemed appropriate for this study because of the lack of theory within the field. Therefore,
the researcher hopes that the project will be relevant for academic and non-academic audiences. Strauss
and Corbin (1998, p. 6) state that this is possible because the methodology enjoins taking with great
seriousness the words and actions of the people studied.

In this study, a purely qualitative research approach was used. This means that a single data collection
technique and corresponding analysis procedures were used to answer the research question. Cohen et
al (2007) state that a key element in selecting instruments for data collection is to select fitness for
purpose. In this study a mono-method was chosen because of the time constraint the project presented.
In addition to the limited time schedule, limited resources were available.

The research conducted is cross-sectional in nature. Cross-sectional research is the study of a particular
phenomenon at a particular time, or a snapshot of the population at a particular point in time (Saunders
et al, 2007, p. 595; Cohen et al, 2007, p. 211). This is the most common form of academic studies as they
are often time constrained (Saunders et al, 2007). This held true for this study as well. Cross-sectional
studies require that attention is given to the sampling, so as to ensure that the information on which the
sample is based is comprehensive. Further, there is a risk that potential participants decline to take
part, thereby weakening the sample. Another problem is that respondents may not answer specific
questions or give incorrect answers (Cohen et al, 2011).

3.3 DATA COLLECTION


The approach used in this study was problem driven rather than methods driven (Layder, 2013). This
means that the strategies for data collection were adopted and used to build understanding around
specific problems and topics, rather than a commitment to specific methods or types of data (Layder,
2013). Three main types of research design can be used: purely qualitative research, purely quantitative
research, or a mixed methods approach (Layder, 2013).

The collection method used was qualitative interviews. According to Gall, Gall and Borg (2003) there are
three formats for interview design: (a) informal conversational interview, (b) general interview guide
approach, and (c) standardized open-ended interview (as cited in Turner, 2010). Here the interview guide
approach was adopted, more conventionally known as semi-structured interviews (Saunders et al, 2007).
The interview guide was used to help structure the interviews, and to help ensure that they had a clear
direction and theme. The guide also gave the researcher the opportunity to move outside the structure if
it was deemed relevant for the research (Kvale, 1996) (see Appendix B to view the interview guide).

According to Saunders et al (2007, p. 313) semi-structured interviews can be very helpful in exploratory
studies because they try to find out what is happening [and] to seek new insights. Therefore, this
approach was deemed appropriate. In addition, the interview as a technique presents many advantages.
Bell (2005) notes that one of the major advantages of interviews is their adaptability. It gives the
researcher opportunity to follow up on ideas, probe responses given and investigate motives and feelings.
The interviews often also yield rich material for analysis (Bell, 2005).

According to Bell (2005), interview research can also present disadvantages that must be considered in
advance. Interviews are time consuming, and with a restricted timeframe, only a relatively small number
of people could be interviewed. In addition, the technique is highly subjective, and there is constantly the
danger of bias (Bell, 2005).

The concept of subjectivity has partially been addressed by the diversity in the sample chosen, operating
from five different countries, covering a variety of age groups, and varying experience within the field.
However, the profession seems to be male dominated and this was also reflected in the sample. The
subjectivity of the researcher must also be considered. As BCM was unknown to the researcher six months
ago and since the literature in the field is somewhat incoherent, ideas had time to form but not to take
root before the interviews started. Therefore, preconceived ideas formed by the researcher changed with
each interview and may not have affected the interview situation significantly.

All participants were viewed by the researcher to have a positive bias toward business continuity before
the interviews. However, the interviews uncovered that not all participants had such a strong positive bias
as expected (e.g. Participant 2 and 4).

Another criticism of semi-structured interviews is the sample. One of the most fundamental tasks when
designing research is to obtain an adequate sample (Marshall, Cardon et al. 2013). Since this was a
grounded theory approach, the concept of theoretical sampling had to be considered. Within theoretical
sampling, analysis takes place as the data is collected. As the research proceeds, there will be more data
collection and more analysis and this continues until theoretical saturation is reached. At this stage new
data is not showing any new theoretical elements, but rather confirming what has already been found
(Punch, 1998, p. 167 as cited in Bell, 2005, p. 19-20). However, since this was a time confined study it
relied on the findings by Guest, Bunce and Johnson (2006), who found that saturation occurred within the
first twelve interviews and that basic elements for themes were present within six interviews. Thus, the
study aimed to obtain a minimum of six interviews and a maximum of twelve. The final number of
interviews was eight, and theoretical saturation was deemed reached by the sixth interview.

As mentioned earlier, an exploratory study can be answered by interviewing experts in the subject
(Saunders et al, 2007). Therefore, the sought-after characteristics the study required meant that the
researcher had to use problem sampling (Layder, 2013) or non-probability sampling (Biggam, 2011).
According to Layder (2013, p.113-114) problem sampling means choosing people to serve as the data or
evidence for a research project in terms of their relevance to key problem questions. Therefore, the
participants selected for the project all have experience within the field to one degree or another. Not all
the participants can be viewed as experts, but certainly they can be viewed as people with experience
within the field. As Layder (2013) recommends, the participants were selected because they had
information relevant to the research questions.

When the data was analysed it was compared with the findings in the review of literature, in an effort to
answer objective three. This gave an indication of whether the criticism directed towards the field had
merit or not. The collection of evidence was done online, with video conferencing as the means of
collection, i.e. Skype and FaceTime. This study site was selected because of the narrow field participants
had to be selected within. Participants in the project were spread over three continents and five time
zones. Therefore, an online interface for the interviews was deemed suitable as this still provided the
face-to-face element.

3.3.1 Data Quality


As grounded theory has its own concepts of reliability and validity, these are the concepts that will be
explored further here, i.e. objectivity and sensitivity, and validating.

A key strategy that can be used to promote quality when using grounded theory methods is to maintain
an audit trail (Birks & Mills, 2011). Birks & Mills (2011) recommend using memos, because this can be a
useful way to maintain an audit trail. Therefore, the author wrote memos within NVivo during the coding
process. Memos included reflections on the codes, categories and the developing theory.

Within grounded theory, the concepts of objectivity and sensitivity must be addressed. Objectivity is
defined by Strauss and Corbin (1998) as:

The ability to achieve a certain degree of distance from the research materials and to represent
them fairly; the ability to listen to the words of the respondent and to give them a voice
independent of that of the researcher.

Objectivity is necessary to arrive at an impartial and accurate interpretation of events. However, a state
of complete objectivity is impossible and in every piece of research, there is an element of subjectivity
(Strauss and Corbin, 1998). Certainly, an element of objectivity was present within this project. However,
the researcher constantly tried to be aware of any bias, thereby addressing objectivity.

Sensitivity is defined as the ability to respond to the subtle nuances of, and cues to, meanings in data
(Strauss and Corbin, 1998, p. 35). Sensitivity is required to perceive the subtle nuances and meanings in
the data and to recognise the connections between concepts. This was addressed by reviewing the codes
within the themes made. When all open codes had been gathered under a theme or axial code, the open
coding content was reviewed again in an effort to determine if the theme was suitable. If on second or
third review they did not fit as anticipated with the initial theme, they were moved to another more
suitable theme.

Validating within grounded theory is not like testing in the quantitative sense of the word, and
there are several ways of validating. Here, the assumptions reached from the data were compared a
second time with the raw data to see if they were correct.

3.4 FRAMEWORK FOR DATA ANALYSIS


The interviews were conducted over a period of three weeks, in two cycles. The first interview cycle
was five interviews in four days, leaving limited time to transcribe and code. However, after each interview,
notes were made of possible points that ought to be investigated further by listening to the audio
collected before the next interview. By doing this, the researcher could identify gaps or themes that were
not explored sufficiently, and investigate them further in the next interview.

The second interview cycle was over a period of two weeks with three interviews, allowing ample time to
transcribe and start analysis in between the interviews, with the open coding and axial coding processes
already underway. Further gaps and insufficiently explored themes were identified and addressed, in an
effort to achieve theoretical saturation.

All the interviews were transcribed; however, the last interview was transcribed in a semi-note form
because of limited time (see Appendix C-i-viii). Anonymity and confidentiality were guaranteed to
informants, and this was upheld by taking out names, organisational names and names of specific places
from transcriptions; [brackets] indicate words that have been redacted by the researcher.

The transcripts were imported to NVivo and each was open coded line for line into the categories that
emerged. When the open coding was finished, twenty categories were identified. During the axial coding,
relationships between the categories were explored and four overall themes were identified. The creation
of the categories was influenced by the fact that the researcher used semi-structured interviews. Already
after four interviews, most of the categories had been identified. This is viewed to be a direct result of the
use of semi-structured interviews. The advantage this brought to the analysis was that the interviews
focused on problems identified in the literature review. A possible disadvantage is that the interviews may
have been too focused and unknown problems within the field may not have been uncovered.

3.5 ETHICAL CONSIDERATIONS WITH INTERVIEW RESEARCH


The topic of informed consent and anonymity was also something that had to be addressed; these were
not only important during data collection but also had to be considered throughout the analysis process
(Bell, 2005). Informed consent was reached in this study through sending an information sheet and
consent form by mail to all respondents describing the project, as well as explaining what steps would be
taken to ensure anonymity and confidentiality (Appendix A). This was also reinforced by the briefing and
debriefing stages in the beginning and at the end of the interview (Kvale, 1996) where respondents were
reminded that they were recorded and that their anonymity and confidentiality would be upheld.
Confidentiality issues were significantly considered in the transcribing and reporting stages of the study.
Thus, all participants were notified before the interview, textually and orally, about what participating
meant.

3.6 LIMITATIONS AND POTENTIAL PROBLEMS


The general semi-structured interview or interview guide approach that was selected here is quite flexible
in its composition (Saunders et al, 2007; Turner, 2010). Therefore, one of the obvious issues with this type
of interview is the lack of consistency in the way the researcher poses the questions. The researcher can
interchange the way questions are posed and consequently the respondents may not consistently answer
the same questions (Turner, 2010). However, Birks and Mills (2011) suggest that in order to reach
theoretical sampling it is important to pursue clues that arise during analysis, thereby implying that
questions should change and vary as the study progresses.

Another limitation that may influence the study is that the researcher did not perform a pilot study.
According to Turner (2010), a pilot test would assist the researcher in determining flaws, limitations, or
other weaknesses within the interview design prior to the implementation of the study. This allows the
researcher to make necessary revisions. Consequently, revisions that had to be done came after
implementation, and thus further changed the interview structure from participant to participant (Turner,
2010). However, Birks and Mills (2011) suggest that a grounded theory study is a process between the
information obtained and the information to be obtained. Thus, they imply that a project is a learning
process, novice researcher or not.

The research interview is furthermore not a conversation between equal partners, as the researcher
defines and controls the situation (Kvale, 1996). Moreover, the knowledge obtained is not objective, but
a subjective view of the world that the subject presents (Kvale, 1996).

In addition to the limitations concerning the approach selected, the nature of the research design itself
also presents limitations. The reason for this is that it is a mono method study, despite numerous authors
advocating for mixed methods studies (Saunders et al, 2007; Cohen, et al, 2011) or using the interview
approach together with other qualitative approaches (Layder, 2013). However, Tashakkori and Teddlie
(2003) argue that multiple methods are only useful if they provide a better opportunity to answer the
research questions and underpin the trustworthiness and possible inferences that can be made from them
(cited in Saunders et al, 2007).

Lastly, in this chapter, it must be noted that the strength of the general interview guide approach lies in
the ability of the researcher (Turner, 2010), and that in this study a novice researcher with experience
primarily in quantitative research conducted the study. This is also echoed by Miles and Huberman (1994,
p. 10), who state that the strengths of the qualitative data rest very centrally on the competence with
which their analysis is carried out. Corbin and Strauss (2008) identify a number of conditions that can
affect quality in research, the majority of which relate to personal and professional researcher
characteristics (as cited in Birks & Mills, 2011). Thus, the success and quality of a grounded theory study
can be very subjective.

Chapter 4

4 RESEARCH FINDINGS: DESCRIPTION AND ANALYSIS

4.1 INTRODUCTION
This chapter will present the initial findings and analysis of the empirical data collected. The analysis was
carried out by using open coding to find categories that surfaced within the data, and then by
implementing axial coding to group the similar categories under themes. The purpose of the analysis was
to answer the research aim and individual research objectives set out for the study.

Table 6: Overall research aim and individual research objectives.

To critically evaluate the field of BCM by identifying practitioner and professional perceptions
regarding its impact, strengths, and weaknesses, and its future in light of current academic and
practitioner critiques.
1. To investigate the perceived impact of BCM on organisations, by exploring views among
professionals and practitioners within the field.
2. To investigate participant perceptions on the current state of the discipline, its strengths,
weaknesses, and its future.
3. To evaluate participant perceptions in light of current critique of the field.
4. To analyse professional perceptions of BCM in order to build recommendations for
future research.

The chapter has been divided into four parts; the first section is the introduction. The second section
describes the findings of each category and some selected quotes from the participants are presented.
The third analyses the findings from the interviews and compares them to the findings from the literature
review, to discover if any unexpected categories were revealed. The chapter is then concluded with a
short summary, along with the researcher's recommendations.

4.2 INTERVIEW RESULTS
The analysis identified twenty categories in the initial coding process. These were then grouped into five
themes through axial coding, namely: (1) meanings and definitions; (2) benefits; (3) best practice; (4)
understanding; and (5) examples (see Table 3.1). Every reoccurring category within the data was identified
during the analysis. Some themes and categories were mentioned by all participants; others were
mentioned by just a few.

Table 7: Description of the categories identified during open coding and the groups that the themes
were arranged in during axial coding.

Open and Axial Coding Index and Summary

Theme: Categories identified

1. Meanings and Definitions: Business Resilience; Differentiation
2. Benefits: Benefits; Brand Protection; Customer Trust; ROI
3. Practice: Activities; Bad Practice; Best Practice; Centralised vs. Decentralised; Processes; The Plan
4. Understanding: Certification Agencies; Drives; Future; Knowledge; Management; Organisational Learning
5. Examples: Experience; Interruptions

4.2.1 Preliminary Findings within the Theme Meanings and Definitions
Within this theme the categories business resilience, BCM, and differentiation were identified. These
categories were found to have relationships because they all describe participants' perceived meanings
and understanding of terms within the field that are surrounded by confusion.

Within the category Business Resilience the main elements found were that professionals and
practitioners view business resilience (BR) as a much wider term than BCM. The term is concerned with the
resilience throughout the entire organisation and BCM is only one practice that may help build resilience.

The category Differentiation contains the participants' views on BCM and related disciplines. The main
elements found were that BCM is viewed as the overall management approach to a range of other
management disciplines relating to planning for disruptions, disaster, and recovery.

Table 8: The table shows some selected quotes from the categories Business Resilience and
Differentiation (see Appendix D-i for all quotes in this category).

Category: Business Resilience

- Resilience is a much much larger question; it is going to get into questions of leadership, it's going to get into questions of psychology, of business market share, time to market, and supply chains, and efficiency and basically resiliency is how do I build a business for success. My answer to that question is a very large one, and I'm not sure we will ever get a consensus on that.

- If I just want to define business resiliency you mean in terms of building a solid foundations for doing business. BCM is one element, it's not enough.

- So business resiliency is not just about BCM, it's about people, it's about how we learn from our mistakes. Because if you do not learn from your mistakes and what went wrong, then BCM is a complete failure to some extent, it's not necessary, it's just a paper in a drawer. So business resiliency is; (1) BCM, but (2) people engaged, and (3) learning from lessons.

- My department, at least initially was named Business Resiliency, which I think is even a better term, although everybody looks at it differently. And then BC is just one aspect of it as well as disaster recovery, as well as facilities, hardening, and safety and all these other things you know.

- Everything from, you know, fire drills which is, you know, facilities and that sort of stuff. Everything you can do to make your business more resilient. And including then as you outsource and offshore in any area that is ever growing, and that is making sure that the vendors you are relying upon have big, have good BC programs and that you're, you know, and that they are living up to that, and that there are good service level agreements between everybody. Internally and externally so everybody knows what they can expect during a crisis from other people, that's all business resiliency.

Category: Differentiation

- We would roll any sort of business process and sort of the risks associated with it into this broader category.

- Disaster recovery is all about bringing the computers back up and running, while BC is really everything else. It's bringing all the back office operation back arranged, keeping the money flowing, keeping revenues and customer service continuing, that's what BC is all about.

- Currently I focus a lot on interfaces on BCM, operational risk, information security management, corporate security management and so on. And again we are finding lots of things that are similar on those management systems, of course, but those interfaces are not fully developed yet. And BCM is currently the drive behind aligning those interfaces so showing for example the people from operational risk management, how much they do is similar to what, for example, corporate security does.

- In my view BCM is there to give the basic structure, those other management disciplines work in so the fundament [] or the base should be offered by BCM,

4.2.2 Preliminary Findings within the Theme Benefits


Within this theme, the categories benefits, brand protection, customer trust, and ROI were identified.
These categories were found to have relationships because they all describe different benefits BCM can
provide an organisation.

The category Benefits is more general than the others within this theme, because several elements were
found: BCP helps identify key processes, and BCM helps organisations keep running in the event
of a disruption or crisis. In addition, problems do not become as impactful as they might have, and
snowballing is prevented.

In the category Brand Protection the main elements found were that a practiced and calm response to
incidents reassures customers and can increase brand loyalty. BCM can also be used as a differentiator
and for marketing purposes.

The category Customer Trust found that if customers' basic needs are not protected and operational
during a disruption or a crisis, this may have a bigger impact on customer trust than public relations
problems. In addition, customers generally view BCM positively, as management is proactive against
disruptions and disasters.

The category ROI found that return on investment within BCM could be both quantitative and qualitative.
However, it is viewed to be subjective and something that is very hard to measure in qualitative or
monetary terms. One specific example of monetary return is that organisations receive a discount on
business interruption insurances when BCM is implemented. The many qualitative benefits are very
subjective and may depend on the willingness of organisations to learn. The debate around ROI and BCM
is viewed to have started as a result of preparedness managers' struggle to show benefits, and ROI being
a metric most managers know and understand. Furthermore, participants think BCM should be viewed as
a normal business process.

Table 9: The table shows some selected quotes from the categories Benefits, Brand Protection,
Customer Trust and ROI (see Appendix D-ii for all quotes in this category).

Category: Benefits

- And if BC helps you categorize what those processes are, which we have to run internally in order to give people accesses to those services externally then clearly there are very valuable things you get from it.

- The advantage would be obviously the continuing operations, which is critical for any organisation, even if it's not for profit organisation, it's still critical.

- The advantage of BCM is if done correctly, big problems, big crises turn out to be not as impactful, but also medium problems don't turn into a crisis, in fact they get resolved. And become less of a problem for an organisation. So it's not just planning for the big catastrophic event, it's improving your overall business processes to a point that minor disruptions become non-events, rather than snowballing into a bigger problem.

- That is something a lot of BC people look to, is involving marketing. To say, look, we are better than them because we are more resilient, we will be there when the chips are down.

Category: Brand Protection

- very positive and calm and relaxed response to the incidents, and weeks later they received letters from people who had been there, saying what a great job they had done with the incident and how everyone felt very comfortable with the way they had handled it and that they would certainly come back again and stay again. And so we definitely saw, you know, an initial loss of revenue, because there were no other way to avoid that loss of revenue, on the other hand we saw definitely a very big increase in the brand and the loyalty, customer loyalty and the return rate that these customers would come back. So definitely was well handled a lot of advantages came up.

- We had 3 companies in Chicago who at the time of the fire, were looking for a new bank to do business with, fairly large companies. And they went to us and 2 other banks in Chicago and all 3 banks bid. And they all had similar product lines and all had similar costs, and so was, there was, they came back to all of us at the time and they said we need a differentiator, we need to know why we should go with you and not those other 2 people well, as luck would have it, the fire occurred. And all of our critical. It happened 630 on a Monday night, and by 630 Tuesday morning, all critical processes were up and running, and we were in the press and we were making statements to all of our customers and clients that their money was safe, and banking as usual was on and all this. And we, then those, all 3 of those customers came to us. That's the differentiation, so all three of them signed on with us. From that point moving forward, I've always used my preparedness and exploiting, if that's the right word, real issues with the marketing team and involving them. That is something a lot of BC people look to, is involving marketing. To say, look, we are better than them because we are more resilient, we will be there when the chips are down.

Category: Customer Trust

- And all our research suggests that those very practical issues have a far bigger impact on people's trust in [the other bank] as an organisation. Than all the countless front page media stories day after day about [my bank]

- But this sort of highlighted that, it's a bit like, sort of Maslow hierarchy, there are all these higher order things like brand perception, and the things we talk about in terms of [inaudible] like our brand, and understanding customer needs, and developing new products, and all the things we are trying to do. Although those things do matter, the things that actually matter the most, the hygiene practice if you like, are to do with can I get access to my money can I get it will my salary be paid will I have access to it. So I think it was, is interesting, when BC was first talked about, I wouldn't probably have made that connection.

- I think BC plan or having BC plan is very positive sign for customers or investors I think. Because it means that the company is very proactive for future risk, and the having BC plan is one of the great evidence that the top management think about the company's strategy, including BC.

Category: ROI

- return on investment is dependent upon two things, the creativity of the preparedness planners and the receptiveness of the organisation to do the recommendations, to undertake the recommendations, and the ideas of the BC planner

- I think the drives is that the executive leadership doesn't understand the value, so in trying to understand the value of expenditure of the money and time and the resources, that is something that they understand, they understand return of investment. That is a, what's the right word, that's a metric, a measure they understand, so if we could put BC in those terms they would get it and they would say okay, now I understand the value. So I think it's more the struggle for the preparedness planners to show, to demonstrate to prove the value of what they are doing.

- It's a very difficult thing to prove what the return on, the direct return on investment are going to be. Because all the benefits are indirect.

- [] the thing with soft facts is that the way of each is very subjective, so it is something that is important to you, but might not be important to me.

4.2.3 Preliminary Findings within the Theme Practice
Within this theme the categories bad practice, best practice, centralised/decentralised, the plan, and
processes were identified. These categories were found to be related because they all describe different
practices within the field.

In the category Activities information about key activities within BC was coded. The main elements
found were that BCM departments within organisations belong where they are most effective. In addition,
training is key to raise awareness within organisations and the plan should prepare for three scenarios.

Within the category Bad Practice two main sub-categories were found: bad practice within the
organisation and within the discipline. Within organisations, several things were found: implementation
is done within a short time period, and not as a long-term investment; also, organisations prepare for
disaster and call it BCP or BCM, but it is not. Furthermore, the BCP is not easily accessible within
organisations and senior leadership has a hard time finding their place within the response. Within the
sub-category discipline, the main elements found were that practitioners have restraints around sharing
experience and practices and that there are no proven universally applicable practices.

The category Best Practice contains information about what is viewed as advantages of BCM within
organisations. Some of the main elements found are that planning and training of the plan are viewed to
prepare organisations, in addition to reducing silo thinking, i.e. they increase communication within the
organisation. Furthermore, it is important to find roles for senior leadership, implement for the long term,
and share knowledge within the organisation.

In the category Centralised/Decentralised, views regarding where BCM should have ownership within
organisations were coded. The main element found was that a combination of both central and
decentralised ownership is best.

The category The Plan contains information about examples given of the specific plans participants work
with. A common feature is templates created by the organisation's headquarters.

Within the category Processes the main element found was that BC helps review processes in
organisations.

Table 10: The table shows some selected quotes from the categories Activities, Bad Practice, Best
Practice, Centralised/Decentralised, The Plan and Processes (see Appendix D-iii for all quotes in this
category).

Category: Activities

- So essentially you want to come up with scenarios that the three most likely, that the effects of a disaster are going to be people, resources and location, so I can mix and match at time of disaster

- Training is the key issue to raise awareness to have people prepared, it's very important.

- When I think of BC and the scenarios, I always think about loss of building, loss of people, loss of IT or infrastructure, or loss of external service provider, so these are always the scenarios I focus on when I think about BC.

- And most of the companies exist, this is a matter of fact, most companies exist, and you have to find some way to implement BCM in an existing organisation. This is what I say, what it makes so difficult in implementing BCM because it's an organisational changing process. As other organisational changing project, there are a lot of burden to implement these things

Category: Bad Practice

- So typically the only time where they go badly, is when senior leadership comes in and tries to take control of the tactical response, and changes all the rules, and changes the roles and responsibilities, changes what's going to happen.

- So why do we do a risk assessment, well it's you know, strictly something we have always done so let's do it again. And we can count it, and we can come up with nice numbers and it looks very scientific, ok. So is that best practise, is that a proven practise? What percentage of organisations that do a risk assessment are more likely to recover from disasters? Who knows, we don't have any of this research.

- Because there is big misunderstanding about BCM. [] So many companies think about disaster mitigation plan instead of BC plan, so in many cases they have BC plan, but the content is not BCP but disaster mitigation plan. So in such a case, their BCP is not focusing on essential activity or creative activity.

- The restraints from the people within the business to be too open about what they do, because they are afraid of telling other companies their weaknesses, and quite funny, what they're strong at.

Category: Best Practice

- Typically if a group has gone through the planning, has done some of the exercising, has really prepared for incident. By large they're going to go well, you're going to have little, you know, no plan survives first contact with the enemy, so it's always changing, but people know in general what their roles and responsibilities are in regard to coming back from the incident, responding to the incident.

- So in short you got a group that typically works together, that comes up with the plan, that executes the plan, it is by and large the tactical response team, and they use senior leadership for policy and broad strategic decisions, like are we going to open tomorrow or not, are we going to have classes tomorrow or not, should we send people home or not. These very large policy decision. But the tactical responses should be within the group that has undergone the planning, the group that will execute the plan.

- There should be things called proven practises not necessarily best practises

- a proper BCP doesn't look at the threats and the causes, a proper BCP looks at what the effects would be, which is essentially I don't have the right people, I don't have the right stuff, I don't have the right location anymore, and plan for people, stuff and location, people resources and location.

- For me BCM is a tool, in my humble view it's only a tool because it's a tool that can function only when there are people behind it to implement it.

- But I think testing and exercising is very, very good opportunity. Because you have to do it anyway, and why not doing it in a way that involve most or all of the organisation. And for example create a special intranet site or in the company magazine, whatever, and talk about this exercise, so the people really do see what you are doing.

- BCM is not something for one project, something you only do once. It only makes sense that once you implement it's there to stay, it doesn't go away.

Category: Centralised/decentralised

- But in the scheme of things doing the plans, because we do them by each department it doesn't take an awful lot of any one person's time, and you have a relatively small number of people in the centre who are probably the BCM experts so I wouldn't imagine that even with the tests particularly now when it's so automated, that it's really, that it's a big overhead on the business

- You can either go centralised or decentralised, but usually the best is a mix of both.

- BC plan should be developed by the local staff, factory or subsidiary company or satellite office and so on. But headquarter should provide a policy or guideline or some template to make it easy.

Category: The Plan

- The forms that we would typically fill in would ask us: what the key processes were planned on, and who's responsible for them. And what the minimum of that period of time could be, or indeed the maximum period of time for which the business could survive without carrying out those functions, and what the minimum resources would need to be in order to continue to carry them on.

- You go to the standard disaster recovery institute or any of these others, there are templates out there on the internet and these templates are meant to be all things to all people. And I've walked into companies, and this one is also one of them, and the template, just the template of the BC plan was 60 or more pages, well this is insane, this is insane. I got my job because, there's two schools of thought, there are those who say, you know, let's put everything you can possibly think of into the plan, and then there are others that say, let's put as little as possible into the plan, only what you need at that first moment of impact, for the first 40-24 hours. And I'm more towards the latter

- Well the standards, and the process descriptions, and the guidelines are created within the holding, and then sent out to the subsidiaries.

Category: Processes

- And that's not just a BC theme, but it's also the market research we have done in recent years have been focused on customer processes which people are most reliant on

- The BC plan or the preparedness planner going through a business impact analysis might uncover ways that the department can be more efficient, now we have opportunities for six sigma, we have opportunities for business process reengineering, we have opportunities to get more effective and efficient, we have opportunities to bring in other stake holders all these things.

- That is what BC does, it takes a look at all your business processes and says, are they flawed in production? Because if they are flawed in production you're not going to be able to have a good recovery of those processes, so that was a case of that.

- The business is what you should focus on. Whatever the business is. Basically it is who makes money and how do we make money in the company and what processes does support it.

4.2.4 Preliminary Findings within the Theme Understanding


Within this theme the categories drives, future, knowledge, management, and organisational learning
were identified. These categories were found to be connected because they all describe areas that build
understanding within the field.

The category Certification Agencies contains information about participant views of the certifying
agencies in the field. The main elements found were that the agencies give a basic understanding of the
field and are good defining terms, however, this is not done consistently even within the same agency.
Furthermore, the certifications are viewed as checklists with a compliance mind-set, and they may not
even make the organisation more prepared for disasters. Practitioners may also differentiate between
real BC and documented BC. Lastly, the certification guidelines are used by some as a guide for
implementation, but not to actually certify the organisations.

In the category Drives participant views on drives in the field were recognised. The main element found
was that compliance to laws and regulatory requirements are one of the main drivers behind
organisational implementation. In addition, internal organisational compliance and industry can influence
if organisations implement or not.

The category Future contains data regarding participant views of how the discipline should develop. The
main elements found were that research into the basic assumptions within BCM is needed. There is a
need to explore the current practices and not to develop new practices. Currently practitioners in the field
are too busy to do this kind of research; therefore, the field should look to academia. In addition, most
participants thought that BCM is something that should be incorporated into all business studies, because
it should be viewed as a normal business process.

In the category Knowledge, information about participant views of the current knowledge within the
field was coded. The main elements found were that there are no proven practices within the field and
the best practice guidelines in existence are at times vague and exist mainly in the English language. In
addition, knowledge sharing is not common.

The category Management contains data regarding the participants' perceptions of managers and their
resistance towards BCM. Several main elements were found. Firstly, most managers are viewed as
educated people, but most managers today had already been educated before BCM became a topic
of interest, thereby implying a generation gap. Secondly, it is hard to get management support because
there is little to no evidence supporting the value of BCM (ROI, statistics, measurements, metrics);
BCM is therefore viewed as an expense with no supporting evidence. Thirdly, the head office
environment is not viewed as business critical in the event of a disaster or disruption; therefore BCM may
be something that is hard to get excited about. Management is also more worried about the strategic risk
the company takes (brand risks, marketing risks, next quarter's result) than the physical one. Lastly, the
location of the company may have an impact on the awareness of physical risks.

In the category Organisational Learning, the main elements found were that the implementation of BCM
is an organisational changing process. In addition, learning throughout the process and from previous
events is important.

Table 11: The table shows some selected quotes from the categories Certification Agencies, Drives,
Future, Knowledge, Management and Organisational Learning (see Appendix D-iv for all quotes in
this category).

Category Quotes
Certification Agencies

- A fascinating question might be, well okay, we have now undergone ISO 22301, how much more
prepared are we to recover from disaster? We can't answer any of these questions.

- So sometimes when I talk to my colleagues we also differentiate between the real BC where you are
really able to survive a disaster for example and the documented BC where you have a lot of
documents and management systems just to be compliant.

- I think that certification they, the boys, they use the knowledge like okay, here's the audit or the
check list, and you have to do this and this and this but they don't develop it, at least not the
fundamental knowledge about it.

- I would say the internationally standards definitely do a good thing, even if it's only compliance,
people have to think about BC right now, it's just like a snowball. You know, you start in one area,
the financial area of Germany, and this has an effect on the other areas.

Drivers

- In Germany, the banking and finance sector, are the sector that are mostly interested in BC right
now, because they are regulated and they have to do it by law

- The regulators right now are the main drivers. The reason why they are doing it is because they
want to improve the resilience or whatever you want to call it, of the whole country for example.

- Many foreign invest companies has a Tokyo office or subsidiary company in Japan and they have BC
plan, is basically comply with global BC plan or they arrange BCP with template provided from
headquarter.

- Recently Japanese government is very positive to support BCM.


Future

- I think the practitioners of preparedness planning are very busy, and I think they don't have the
time and often the inclination to step back from what they are doing day to day to day and say, is
this the right thing? [...] So the academic world have some of those tools, both in the physical
sense, methodological sense as well as the mental sense, right, they have that proclivity to do that
kind of research. [...] So it's difficult for them to find the time, and to band with, again I think
there's part of the proclivity too. To try to think of new ways, and better ways, and right ways, and
effective ways to do continuity planning, and I definitely think that academia could do that,
absolutely there's a role for them to play, and a role I would argue we desperately need.

- My opinion is that it should be incorporated into how to build a good business model. Because stuff
does happen, interruptions will occur, it's part of the business.

- It should be somewhere integrated in the business administration study as a standard course

- I would say, instead of inventing new words, just like business resilience, we should develop a more
professional tool kit of BC, all this method should be rethought, people should think about the
different definitions. We should make it crystal clear how it works

Knowledge

- But what we have is a lot of guess work right now. We have guesswork and habit, we are used to
counting things that are easy to count, like numbers of plans, numbers of documents, when the last
time we updated the plan, how many exercises have I had, how many people were at the exercises.
None of these things are true indicators of preparedness, they're just things that we can easily
count. So I think our standards of our methodology right now are based on some of the best guesses
we can come up with, some of the best habits that have lasted the longest over time, but we don't
have the research to prove that these are in fact proven practices, things we ought to be doing.

- I think there's a lot of book knowledge, a tremendous amount. And I think probably more than needs
to be, there's a lot more people participating about it than we need to hear from, if I may say so.
However, there is a serious lack of people who actually have that kind of experience, from my
experience, that have been through a disaster and know how to write a plan that's actually going to
be viable. [...] They get real specific with the type of pandemic. Well the odds of us getting that
exact type of pandemic or you know, crisis. You need to understand how you are going to react to
it, because you don't know the particulars, you just don't know any of the particulars of any kind of
crisis.

- OK, if you do it is very high level, it is not as high level as the standards would be, but still there
is so much room to interpret that it is useful, but it doesn't give you enough information to really
learn what best practices really means.

Management

- if you're working in a head office environment, you tend to think more about the brand risks, and
the marketing risks, and the risk from mailing people who you shouldn't be mailing or something like
that, those are the sort of things people think about a little bit.

- One of the significant root causes for that situation is that we don't have the proper metrics, and
the proper research to show to executives to prove the worth and the improvement of continuity
preparedness efforts

- It's only because we are in times of change and management were already most of them professionals
before BCM became a subject of interest.

- A genuine lack of understanding by executive management, because executive management is more
worried, and this is a global issue these days, with next quarter's results, you know, and getting
those numbers.

Organisational Learning

- What we weren't doing was tracking lots and lots of different individual processes whereas now we
are identifying what those key processes are, we are identifying which customers have experienced
those processes. Rather than just in normal transaction in a bank you know, who has actually had
one, or gone through one of those key processes and then we do a lot of NPS, promoter score
measurements around those key processes and so it's obviously moving on from BC.

- It's about how we learn from our mistakes. Because if you do not learn from your mistakes and what
went wrong, then BCM is a complete failure to some extent

- What it makes so difficult in implementing BCM because it's an organisational changing process.

4.2.5 Preliminary Findings within the Theme Examples


Within this theme the categories experience, interruptions and the plan were identified. These categories
were found to have relationships because they all describe specific examples of experience given by the
participants.

In the category Experience information about how long participants have worked with BCM was coded.
There were varying levels of experience, some had worked in the field since it started to develop from DR,
while others had just a couple of years' experience.

In the category Interruptions, information relating to participants' experience with crises and
disruptions was coded. In this category there were also varying levels of experience, some had been
through several disruptions and crises, while others had experienced only minor disruptions.

Table 12: The table shows some selected quotes from the categories Experience and Interruptions
(see Appendix D-v for all quotes in this category).
Category Quotes
Experience

- However, there is a serious lack of people who actually have that kind of experience, from my
experience, that have been through a disaster and know how to write a plan that's actually going to
be viable.

Interruptions

- The sort of issues that we've had to contend with usually have been where technical issues have
meant we couldn't access some of that data for a period of time, rather than actually a sort of a
physical incident or something.

- And we were able to get through 9/11, we had, one of our large international trading operations in
lower Manhattan, just a few blocks away from ground zero. And then we had a big north east power
outage here in the north east section of the US lost power for several days, which impacted our
large operations we had in Detroit, Michigan. And then we also had a situation, we also had minor
issues, but these are the three major things that happened in our company. Our headquarter had
caught fire in downtown Chicago, and at the time it was the largest skyscraper fire in the history of
the city. Gutted two floors, completely demolished two floors, 55 million dollars US damage. But in
all three of these we did not have to file for business interruption insurance claim, because we were
able to keep running.

4.3 ANALYSIS
The purpose of this investigation was to identify the views among professionals and practitioners
regarding BCM and related disciplines, in an effort to gain insight and understanding around areas of
confusion within the field. In this section, the data collected is presented as the researcher interpreted
the data.

4.3.1 Analysis of the Theme Meanings and Definitions


The findings in the category Differentiation correlate with the findings in Chapter 2, that BCM should
be viewed as the overall management approach to a range of other management disciplines relating to
planning for disruptions, disaster, and recovery, as suggested in Figure 2. These practices are a part of
what builds resiliency in organisations.

Figure 2: BCM and examples of possible sub-disciplines within organisations.

However, the term business resiliency (BR) should not be viewed as a practice within itself, but as the
outcome of several management practices within an organisation (Participant 2 & 4). The term is
concerned with the whole organisation's resilience, and BCM is only one of many tools within this context
that help build it; others are supply chain management, organisational culture, time to market, etc.
Practices that may help build BR are displayed in Figure 4. Therefore, BR should not be viewed as a new
practice or something that is concerned with preparing and planning for disruptions or crises as discussed
in Chapter 2; rather, it is the outcome of the strategy and practices within an organisation.

Figure 3: Management practices within organisations that may lead to business resiliency.

4.3.2 Analysis of the Theme Benefits


BCM has the possibility to provide organisations with a range of benefits. This study uncovered that in
addition to the obvious benefits, i.e. identifying key processes and being able to keep operating in the
event of a disruption or disaster, BCM may also help increase customer trust and loyalty and provide a
level of brand protection. However, most of the benefits BCM can bring to a business are seen as indirect
or non-measurable and therefore cannot be expressed as a quantitative ROI. In addition, most benefits, if
not all, are dependent on the organisation's willingness to commit to the BCM program and an element of
organisational learning (this will be discussed further under the theme Understanding).

4.3.3 Analysis of the Theme Practice
As mentioned in the theme above, the organisation's willingness to learn is an important aspect when
looking at the benefits BCM can provide a business. This also holds true for the theme Practice. When
bad practice occurs within organisations, this can be viewed as the result of little or no organisational
learning around processes within the organisation. Best practice within organisations can be seen as the
result of an organisation's willingness to learn and adapt (see the theme Understanding below for more).
When used correctly, the results provided from the practices within BCM can furthermore be used to
improve other organisational development processes, such as Six Sigma and organisational learning
(Participant 2).

As discussed in Chapter 2, one of the most valuable aspects within BCM is that it is not used to plan for
specific disruptions or disasters, but rather to prepare strategically. The participants suggest that there is
only a need to plan for three scenarios, or a combination of three scenarios, within organisations, i.e.
people, resources and location (Participant 2).

When combining elements from all the categories within the theme Practice it is possible to derive a
structure for BCM within organisations and the ownership and responsibilities within BCM can be divided
into four levels (see Figure 5 on the next page).

Figure 4: BCM and organisational structure and ownership.
The figure is an attempt to show what the different levels within organisations are responsible for and
have ownership over within the implementation and maintenance of BCM.

4.3.4 Analysis of the Theme Understanding
The participants recognise regulatory requirements as the primary drive behind the field. This is partially
in contrast to the findings in Chapter 2, which found both market demand and regulatory requirements
as the main drives.

In accordance with the findings in Chapter 2, regarding BCM and higher education, a significant number
of the participants in the study thought that academic research into the field would be of benefit. However,
in contrast with Orlando (2009 [Online]), most of the participants stated that BCM should be viewed as a
normal business process and therefore, be included in all business related studies within higher education,
and not as a specific graduate course. Murray (2013) reported that energy and climate issues have
received increasing attention in business related studies at universities in the US; this could also be a
possible strategy for the future development of BCM.

Rather than developing new terms and practices, current and future research into the field should focus
on developing and proving current practices (e.g. business impact analysis (BIA), maximum tolerable
outage (MTO), recovery time objective (RTO), recovery time capability (RTC), recovery point objective
(RPO) and risk assessment (descriptions can be found in Hotchkiss, 2010)). Even though this is not the
methodology suggested by Copenhaver & Lindstedt (2010), mentioned in Chapter 2, it still may provide
the discipline with the foundation needed. When the foundation of the discipline is set, current issues,
such as gaining management support and outlining benefits, will be naturally addressed. In the same way,
certifying agencies ought to be concentrating on further development of their current exams and
standards, and not developing new ones (such as the new ISO standard for BR).

Another important factor that was uncovered within this theme was that implementing BCM is viewed as
a process of organisational change. According to Kotter (1995), the majority of transformation efforts
within organisations fail or are only partly successful. The impression established from the interviews is
that BCM implementation is most times a compliance based action by organisations. Thus, it may not
receive the support needed from employees and management. A presumption can be made that several
elements of BCM correlate to organisational learning. For example, Peter Senge's theory of organisational
learning is primarily concerned with the human aspect of organisations to make them more efficient
(Kermally, 2004). However, individual processes within organisations may also influence an organisation's
efficiency. Furthermore, the criticisms of Senge's theory of organisational learning correlate to criticisms
of BCM. These elements are: organisations are interested in short-term results and organisations in
general are interested in quick fixes to satisfy their key stakeholders (Kermally, 2004). Another similarity
may be that organisations develop organisational learning in order to maximise the potential of the
company's resources (West, 2000).

4.3.5 Analysis of the Theme Examples


As discussed in Chapter 2, one of the problems within the field's literature is that it is very anecdotal. A
possible reason for this was found within this theme, i.e. the category Experience, in that there is a lack
of people that have actually experienced a disaster. Therefore, they do not know how to write a plan that
is going to be viable (Participant 4). Furthermore, findings from the theme Practice may be relevant here,
that is, practitioners are showing restraint in sharing experience and practices, because they are afraid to
show weaknesses and strengths (Participant 8). Another finding within the theme Practice was that best
practice guidelines for implementation and maintenance of BCM are vague and give much room for
interpretation (Participant 8). Thus, inexperienced professionals within the field have limited in-depth
sources from which to learn.

4.4 CONCLUSION
This chapter relates mainly to research objective two (see Table XX), in that the analysis part of the section
tries to compare and contrast the data findings with the literature review findings in Chapter 2.

In this study, no particular theory was developed during the analysis and selective coding was not
conducted in an effort to provide readers with as much of the results as possible. Therefore, the research
conducted revealed several areas of study that may be of benefit to the field, especially the development
of and research into current practices within the field. In addition, analysis of the data collected uncovered
categories that were not identified through the literature review; notably, the category
Organisational Learning as a required element when implementing BCM for success was not found in
the literature, despite the extensive research done in Chapter 2.

A possible generation gap has been identified as one of the reasons behind managers today being
restrained in implementing BCM. Therefore, there is a need to create awareness among tomorrow's
managers. Preferably, this should be done by introducing BCM as a module in higher education. This is
because BCM should be viewed as a normal business process on the same line as HR and marketing
amongst others, as highlighted by several of the participants. Heightened awareness of the field within
higher education will lead to more research and evaluation, thereby strengthening the foundation of the
discipline and possibly improving practices.

Table 13: Overall research aim and individual research objectives

To critically evaluate the field of BCM by identifying practitioner and professional perceptions
regarding its impact, strengths, and weaknesses, and its future in light of current academic and
practitioner critiques.
1. To investigate the perceived impact of BCM on organisations, by exploring views among
professionals and practitioners within the field.
2. To investigate participant perceptions on the current state of the discipline, its strengths,
weaknesses, and its future.
3. To evaluate participant perceptions in light of current critique of the field.
4. To analyse professional perceptions of BCM in order to build recommendations for
future research.

Chapter 5

5 CONCLUSIONS

5.1 INTRODUCTION
This dissertation project has investigated participant perceptions regarding BCM and its possible impacts
on organisations, discipline weaknesses, strengths, and the future. The overall purpose of this research
was to give insight and improve understanding around the field BCM and its practices. The specific
research aim and objectives are presented in Table 14.

Table 14: Overall research aim and individual research objectives

To critically evaluate the field of BCM by identifying practitioner and professional perceptions
regarding its impact, strengths, and weaknesses, and its future in light of current academic and
practitioner critiques.
1. To investigate the perceived impact of BCM on organisations, by exploring views among
professionals and practitioners within the field.
2. To investigate participant perceptions on the current state of the discipline, its strengths,
weaknesses, and its future.
3. To evaluate participant perceptions in light of current critique of the field.
4. To analyse professional perceptions of BCM in order to build recommendations for
future research.

The Chapter will revisit the research objectives above, summarise the findings of the research work, and
offer conclusions based on the findings. Chapter 4 was one of the most comprehensive within the
dissertation and therefore a summary was deemed appropriate. Recommendations for future research
and the discipline will be discussed, in terms of the findings within the study and how to progress with the
research. By adopting this structure, it is intended to show whether the research objectives stated at the
start of the paper have been met.

5.2 SUMMARY OF FINDINGS AND CONCLUSIONS
The open coding revealed twenty individual categories that contained distinctive information regarding
different topics. Some categories were recognisable through the topics within the interview guide (see
Appendix B), e.g. benefits, ROI, and BR, while others came as a surprise, e.g. organisational learning and
centralised vs decentralised. The categories that were found to have similarities or relationships were
then coded into five themes (see Table 15).

Table 15: Description of the categories identified during open coding and the groups that the themes
were arranged in during axial coding.

Open and Axial Coding Index and Summary

Theme: Categories identified

1. Meanings and Definitions: Business Resilience, Differentiation
2. Benefits: Benefits, Brand Protection, Customer Trust, ROI
3. Practice: Activities, Bad Practice, Best Practice, Centralised vs. Decentralised, Processes, The Plan
4. Understanding: Certification Agencies, Drives, Future, Knowledge, Management, Organisational Learning
5. Examples: Experience, Interruptions

The individual research objectives set out for the study primarily concerned the data collection and
analysis. However, the review of literature was highly relevant with regard to the empirical research in
that it guided the structure and areas relevant for data collection.

Conclusions related to research objective 1 -

Key points found in the research analysis are that the impact of BCM within organisations is reliant on a
number of factors, such as implementation timeline and organisational learning. Most benefits related to
BCM within an organisation are viewed to be indirect, and qualitative in nature, thus not measurable.
Themes relating to this specific research objective are namely, Benefits and Practice.

Conclusions related to research objective 2 -

Key elements found in the data relating to research objective two relate to the current state of the
discipline, its strengths, weaknesses and its future. The current state of the discipline is that the profession
is growing and development is being driven forward by regulations. Even though there is a lot of
knowledge within the field, basic knowledge is still absent and this concerns the practitioners and
professionals. The discipline has many strengths related to it and they must not be forgotten within this
study. Among other things uncovered within the study is that BCM increases communication throughout
organisations and, of course, protects the bottom line. A key weakness identified within the discipline is
that the literature (e.g. the best practice guidelines) is vague in its descriptions of implementation
strategies and maintenance. Furthermore, it was suggested that a current problem within the discipline
is that practitioners and professionals are reserved about knowledge sharing, in an effort to hide
weaknesses and strengths within organisations. All participants within the study thought that academic
research into the field would be of benefit. In addition, research and development of new practices or
methods was viewed as redundant. The specific theme within the analysis that especially relates to this
research objective is Understanding.

Conclusions related to research objective 3 -

Key elements found in relation to this research objective are that much of the current criticism of the field
was found to have merit. During the analysis, the researcher made an effort to compare the data found
to the literature review when it was possible, and as a result, all the themes found were connected to the
literature to one degree or another.

Conclusion related to research objective 4 -

The category Future under the theme Understanding is particularly relevant to this research objective.
This category contains information regarding participant views on how the future development and
research within the discipline should progress. The conclusions made in relation to research objective two
are also relevant under this objective. A significant number of the participants thought that BCM should be
incorporated as a module within all business related studies and that research should focus on developing
current practices, rather than developing new ones.

Whilst no particular theory regarding BCM was developed during analysis, several key elements were
found, regarding the current state of the discipline and its future. Furthermore, the results of this study
support previous articles that gave criticism to the field. The research was undertaken in an effort to gain
insight and understanding from participants that are working within the field. Because of this unique
aspect of the research, a contribution to the literature may be made. The literature review showed that
research into BCM is not frequent; therefore, an attempt has been made to show areas that are in need
of more study within the discipline. In several parts of the world BCM is increasingly becoming regulated,
e.g. Germany, the UK, and the US, in addition to the fact that the profession is growing rapidly. The
unstable market environment, increasing weather events, and an increasing reliance on IT show that it is
becoming ever more important that organisations prepare for the unexpected. A key strength within the
research is that it began with no preconceived theories or ideas in mind. It did rely on the literature within
the field for guidance, but the researcher strived to keep an open mind throughout the process.

5.3 RECOMMENDATIONS
If this study were to be repeated in the future, the researcher recommends that the limitations and
potential problems chapter is especially considered (Chapter 3, subsection 3.6), particularly the
statement that an effort should be made to conduct a pilot study, thereby improving the overall structure
and flow of the interviews. In addition, more time and more interview subjects would be of benefit, in an
effort to make the study generalizable. As mentioned several times throughout the study, little empirical
research is being conducted within the field. The researcher is therefore confident that the discipline is in
need of a more comprehensive study and believes that a doctorate (PhD) would vastly benefit the field.

Recommendations concerning research objective 1 -

From the conclusions made relating to research objective one, the first recommendation is that
organisations preparing to implement BCM should be aware that it is an organisational changing process.
When setting the timeline, a longer period should be considered. In addition, if organisations are going to
acquire the possible benefits that come with a BCM program, organisational change should be a goal
within the organisation.

Recommendations concerning research objective 2 -

From the conclusions made in regard to research objective two, the second recommendation is that
practitioners and professionals should strive to be more open about practices and knowledge sharing, and
that a further development of the current literature on practices should be considered.

Recommendations concerning research objective 3 -

From the conclusions made relating to research objective three, the third recommendation is that the
discipline, its practitioners, its professionals, and relevant agencies should be more reflective of current
practices.

Recommendations concerning research objective 4 -

From the conclusions made in regard to research objective four, the fourth recommendation is that an
effort should be made to start incorporating BCM into business studies programmes in higher education.

Chapter 6

6 REFERENCES

Adamou, C. (2013) Business continuity management in international organisations, Journal of Business
Continuity & Emergency Planning, 7, (3), 221-229.

Alonaizan, A. (2009) Developing a business continuity programme at Arab National Bank, Journal of
Business Continuity & Emergency Planning, 3, (3), 216-221.

Anastario, M. & Lawry, L. (2007) Bird flu -- understanding the employee-and country-specific social and
cultural factors that will impede the prevention, treatment and containment of an outbreak,
Journal of Business Continuity & Emergency Planning, 1, (4), 369-379.

Baker, N. (2012) Enterprisewide Business Continuity, Internal Auditor, 69, (3), 36-40.

Bazeley, P. (2007). Qualitative Data Analysis with NVivo. London: Sage Publications Ltd.

Birks, M. & Mills, J. (2011). Grounded Theory, A Practical Guide. London: Sage Publications Ltd.

Borrett, M., Carter, R. & Wespi, A. (2013) How is cyber threat evolving and what do organisations need
to consider?, Journal of Business Continuity & Emergency Planning, 7, (2), 163-171.

Business Continuity Institute, (n.d.) What is BC?, The BCI [Online] n.d., Available from:
http://www.thebci.org/index.php/resources/what-is-business-continuity [Accessed:
01.07.2014].

Cabinet Office (2013a) Resilience in society: infrastructure, communities and businesses, Gov.uk
[Online] 20.02.2013, Available from:
https://www.gov.uk/resilience-in-society-infrastructure-communities-and-businesses#business-continuity
[Accessed: 01.07.2014].

Cabinet Office (2013b) Preparation and planning for emergencies: responsibilities of responder agencies
and Others, Gov.uk, 20.02.2013, Available from:
https://www.gov.uk/preparation-and-planning-for-emergencies-responsibilities-of-responder-agencies-and-others
[Accessed: 01.07.2014].

Cleary, V., Balasegaram, S., McCloskey, B., Keeling, D. & Turbitt, D. (2010) Pandemic (H1N1) 2009:
Setting up a multiagency regional response centre -- a toolkit for other public health
emergencies, Journal of Business Continuity & Emergency Planning, 4, (2), 154-164.

Cohen, L., Manion, L. & Morrison (2011). Research Methods in Education. Abingdon: Routledge.

Collins, S. P. (2007) The tripartite approach to business continuity in the UK financial sector, Journal of
Business Continuity & Emergency Planning, 1, (2), 118-128.

Copenhaver, J. B. & Lindstedt, D. (2010) From cacophony to Symphony: How to focus the discipline of
business continuity, Journal of Business Continuity and Emergency Planning, 4, (2), 165-173.

Danforth, E. J., Doying, A., Merceron, G. & Kennedy, L. (2010) Applying social science and public health
methods to community-based pandemic planning, Journal of Business Continuity & Emergency
Planning, 4, (4), 375-390.

Deluca, J. & Pinchot, R. (2007) Pandemic preparedness and telecommunications resiliency: What should
contingency planners be considering?, Journal of Business Continuity & Emergency Planning, 1,
(4), 380-388.

Duchek, S. (2014) Growth in the face of crisis: the role of organizational resilience capabilities, Academy
of Management Annual Meeting Proceedings, 861-866.

Elliott, D., Swartz, E. & Herbane, B. (2010) Business Continuity Management, A Crisis Management
Approach, New York, NY: Routledge.

Epstein, B. & Khan, D. C. (2014) Application impact analysis: A risk-based approach to business
continuity and disaster recovery, Journal of Business Continuity & Emergency Planning, 7, (3),
230-237.

Gibbs, G. (2002). Qualitative Data Analysis, Explorations with NVivo. Buckingham: Open University Press.

Gosling, M. & Hiles, A. (2009) Business Continuity Statistics: Where Myth Meets Fact, Continuity Central
[Online] 24.04.2009, Available from: http://www.continuitycentral.com/feature0660.html
[Accessed: 01.07.2014].

Gosling, M. (2007) The 80 Percent Myth, Continuity Central [Online] 19.02.2007, Available from:
http://www.continuitycentral.com/feature0440.htm [Accessed: 01.07.2014].

Guest, G., Bunce, A. & Johnson, L. (2006) How many interviews are enough? An experiment with data
saturation and variability, Field Methods, 18, (1), 59-82.

Hardie, K. & Kitchen, T. (2014) Operation Crash and Surge: Lessons learned from a region-wide exercise,
Journal of Business Continuity & Emergency Planning, 7, (4), 302-311.

Harvey, A. (2007) International planning for continuity oversight: The need for forums for financial
authorities to share best practices, Journal of Business Continuity & Emergency Planning, 1, (3),
237-244.

Hennink, M., Hutter, I. & Bailey, A. (2011). Qualitative Research Methods. London: Sage Publications Ltd.

Herbane, B. (2010) The evolution of business continuity management: a historical review of practices
and drivers, Business History, 52, (6), 978-1002.

Herbane, B., Elliott, D. & Swartz, E. (1997) Contingency and continua: achieving excellence through
business continuity planning. Business Horizons, 40, (6), 19-25.

Higgins, G. & Freedman, J. (2013) Improving decision making in crisis, Journal of Business Continuity &
Emergency Planning, 7, (1), 65-76.

Hollands, J., Lauriola, R. & Jaffer, M. (2007) How Hewlett-Packard used lessons from its response to SARS
to develop a pandemic flu preparedness programme, Journal of Business Continuity &
Emergency Planning, 2, (1), 42-47.

Hult, F. & Sivanesan, G. (2013a) Introducing cyber, Journal of Business Continuity & Emergency Planning,
7, (2), 97-102.

Hult, F. & Sivanesan, G. (2013b) What good cyber resilience looks like, Journal of Business Continuity &
Emergency Planning, 7, (2), 112-125.

Jacobson, G. & Kerr, S. (2010) Crisis Management, Emergency Management, BCM, DR: What's the
Difference and How do They Fit Together?, In: Hiles, A. (Ed.). The Definitive Handbook of
Business Continuity Management, 97-106, UK: John Wiley & Sons Ltd.

Johanis, D. (2007) How Toronto Pearson International Airport applied lessons from SARS to develop a
pandemic response plan, Journal of Business Continuity & Emergency Planning, 1, (4), 356-368.

Kann, D. F. & Draper, T. W. (2014) Plane down in the city: Operation Crash and Surge, Journal of Business
Continuity & Emergency Planning, 7, (3), 184-192.

Kermally, S. (2004) Gurus on Managing People, London: Thorogood Publishing Ltd.

Kotter, J. P. (2000) Leading change: why transformation efforts fail, Harvard Business Review, 73, (2), 59-
67.

Kvale, S. (1996). InterViews, An Introduction to qualitative Research Interviewing. Thousand Oaks, CA:
Sage Publications.

Lansley, S. & McAtee, B. (2009) What is Best Practice Business Continuity Management? [Online],
Available from:
http://www.bcminabox.com/Portals/0/Whitepaper%20on%20BCM%20Best%20Practice%20V1.pdf
[Accessed: 22.02.2014].

Lindstedt, D. (2007) Grounding the discipline of business continuity planning: what needs to be done to
take it forward?, Journal of Business Continuity & Emergency Planning, 2, (2), 197-205.

Lindström, J., Samuelsson, S. & Hägerfors, A. (2010) Business continuity planning methodology, Disaster
Prevention and Management, 19, (2), 243-255.

Marshall, B., Cardon, P., Poddar, A. & Fontenot, R. (2013) Does Sample Size Matter in Qualitative
Research?: A Review of Qualitative Interviews in IS Research, Journal of Computer Information
Systems, 54, (1), 11-22.

Martin, A. & Williams, J. (2014) Public-private partnership from theory to practice: Walgreens and the
Boston Public Health Commission supporting each other before and after the Boston bombings,
Journal of Business Continuity and Emergency Planning, 7, (3), 205-220.

Mcalister, J. (2011) The disruption management model, Journal of Business Continuity & Emergency
Planning, 5, (3), 231-236.

Messer, I. (2009) Taking the business continuity programme to a corporate leadership role, Journal of
Business Continuity & Emergency Planning, 4, (1), 8-13.

Muffet-Willett, S. L. & Kruse, S. D. (2009) Crisis leadership: Past research and future directions, Journal of
Business Continuity & Emergency Planning, 3, (3), 248-258.

Murray, S. (2013) Destructive storm offers constructive lessons, Financial Times [Online] 07.01.2013,
Available from:
http://www.ft.com/cms/s/2/c15dd294-2f43-11e2-b88b-00144feabdc0.html#axzz3FwJeMjuM
[Accessed: 09.05.2014].

Nuttall, S. (2013) Supply chain management: Some lessons learned the hard way, Journal of Business
Continuity & Emergency Planning, 6, (3), 222-227.

Olson, C. (2014) Lessons learned in crisis management, Journal of Business Continuity & Emergency
Planning, 7, (3), 245-252.

Orlando, J. (2009) The Value of Higher Education for the Continuity Professional. Disaster Recovery
Journal [online], 22, (2), 20-25. Available from:
http://www.drj.com/journal/spring-2009-volume-22-issue-2/the-value-of-higher-education-for-the-continuity-professional.html
[Accessed: 01.07.2014].

Putte, D. & Verhelst, M. (2013) Cyber crime: Can a standard risk analysis help in the challenges facing
business continuity managers?, Journal of Business Continuity & Emergency Planning, 7, (2), 126-
137.

Ramakrishnan, R. K. & Viswanathan, S. (2011) The Importance of Business Strategy in Business
Continuity Planning, In: A. Hiles (Ed.) The Definitive Handbook of Business Continuity
Management, 31-36, Chichester: Wiley.

Rike, B. (2003) Prepared or Not...That Is the Vital Question. Information Management Journal, 37, (3),
25-33.

Roberts, P. & Molyneux, H. (2010) Implementing business continuity effectively within the UK National
Health Service, Journal of Business Continuity & Emergency Planning, 4, (4), 352-359.

Rosenbluth, J. M. (2010) Pandemic response: Developing a mission-critical inventory and cross-training
programme, Journal of Business Continuity & Emergency Planning, 4, (2), 126-131.

Salman Sawalha, I. H. (2013) Organisational performance and business continuity management: A
theoretical perspective and a case study. Journal of Business Continuity & Emergency Planning,
6, (4), 360-373.

Saunders, M., Lewis, P. & Thornhill, A. (2007). Research Methods for Business Students. Harlow: Pearson
Education Ltd.

Scully, T. (2013) The cyber security threat stops in the boardroom, Journal of Business Continuity &
Emergency Planning, 7, (2), 138-148.

Scully, T. (2011) The cyber threat, trophy information and the fortress mentality, Journal of Business
Continuity & Emergency Planning, 5, (3), 195-207.

Security Director's Report (2007) Is Your Thinking About Business Continuity Wrong? 1st September, 7,
(9), 1-14.

Speight, P. (2011) Business Continuity, Journal of Applied Security Research, 6, (4), 529-554.

Spriggs, M. (2013) A study to identify winning strategies for the business community during the next
pandemic, Journal of Business Continuity & Emergency Planning, 6, (4), 329-346.

Stewart, R. (2010) Business recovery at an arson damaged office, Journal of Business Continuity and
Emergency Planning, 4, (3), 207-215.

Stourac, T. (2014) Wheels, hubs and spokes: Incorporating a scorecard into a business continuity
programme, Journal of Business Continuity & Emergency Planning, 7, (3), 260-269.

Strauss, A. & Corbin, J. (1998). Basics of Qualitative Research, Techniques and Procedures for Developing
Grounded Theory (2nd Ed.), Thousand Oaks, CA: Sage Publications Inc.

The Nova Scotia Business Journal (2011) Are you prepared for the unexpected?, The Nova Scotia
Business Journal, 26, (4), 17.

Tinker, T. L. & Galloway, G. E. (2009) How to communicate flood risks effectively, Journal of Business
Continuity & Emergency Planning, 3, (3), 193-200.

Trollope, C. (2014) Business resilience: the best defense is an effective offense, Business in Calgary, 24,
(8), 31.

Turner III, D.W. (2010) Qualitative interview design: A practical guide for novice investigators, The
Qualitative Report, 15, (3), 754-760.

Turulja, L. & Bajgorić, N. (2012) Being prepared for disaster? Implementation of business continuity
planning concept in B&H organisations, Conference Proceedings: International Conference of
the Faculty, 448-459.

Wapling, A. & Mooney, T. (2011) A resilient NHS for London 2012, Journal of Business Continuity &
Emergency Planning, 5, (1), 462-473.

White, D. S. (2012) The Top 175 Global Economic Entities, 2011, [Online] Available at:
http://dstevenwhite.com/2012/08/11/the-top-175-global-economic-entities-2011/
[Accessed 23 April 2014].

White, D. S. (2011) The Top 175 Global Economic Entities, 2010, [Online] Available at:
http://dstevenwhite.com/2011/08/14/the-top-175-global-economic-entities-2010/
[Accessed 23 April 2014].

White, D. S. (2010) The Top 175 Global Economic Entities, 2009, [Online] Available at:
http://dstevenwhite.com/2010/09/13/the-top-175-global-economic-entities-2009-2/ [Accessed
23 April 2014].

APPENDICES

APPENDIX A PROJECT INFORMATION SHEET AND CONSENT FORM

Project Information Sheet

Study Title: Business Continuity Management and Perceptions of Impact: An Exploratory Study of
Perceptions among Professionals and Practitioners within the Field

Purpose

The purpose of this research is to gather information about your opinions, experiences and observations
regarding Business Continuity Management. Your response will remain anonymous and will only be used
for academic research purposes. The information collected will not be shared with any third parties,
apart from academic staff.

Chief Investigator

My name is Camilla Amundsen; I am currently a student at the University of Winchester studying for a
degree in MSc Business Management. This research project (described below) is a part of the MSc
Business Management dissertation. The research topic is Business Continuity Management and
therefore, I am inviting you to take part in this project. Before you decide to participate, it is important
you understand what the project involves and what you will have to do. So, please take time to read the
following information. Please ask if anything is unclear.

Participation

Participation is entirely voluntary and participants are free to withdraw at any time without giving
reason and without penalty. This information sheet is provided to ensure that you give informed
consent to participate in the study.

Procedure

There is no risk associated with the study. Participants are only required to partake in an interview. The
interview medium varies by agreement with the different participants (Skype, phone or face to face).
The questions that you are going to be asked will revolve around the individual participants' experiences
and views regarding Business Continuity. There are no right or wrong answers and the interview will
take approximately one hour.

Confidentiality

The interviews of the participants will be recorded. These records will not be shared with other third
parties, apart from academic staff, and will be stored for the duration of the study only. The interviews
in the study will be confidential and unless otherwise exclaimed, the participants and their organisations
will not be identifiable in the event that the study is published.

For further information contact chief investigator Camilla Amundsen


E-mail: c.amundsen.13@unimail.winchester.ac.uk
Skype: camilla.amundsen1
Phone: +44 (0)7775 320 786

The Study

The study has been approved by Dr. Karen Blakeley. If you have objections about the study, you can
contact Chief Investigator, Camilla Amundsen or Dr. Karen Blakeley (Karen.Blakeley@winchester.ac.uk).

The dissertation can be made available, if requested, after the exam board has reviewed it in mid-
December.

Attached to this Information Sheet there is a separate consent slip. By signing this (physically or
electronically), participants confirm that they understand the nature of the project and the safeguards
to their privacy.

Business Continuity Management

Consent Form

I have read (or had clearly explained to me) and understood the information about the project. I
understand that my participation in this project is completely voluntary, and that I may withdraw
at any time during the project, without penalty.

I understand that my participation will be confidential and that the interview I give will be
recorded and stored for the duration of the project. Arrangements for secure storage of data,
and for its eventual disposal have been organised.

On this basis, I consent to take part in the project.

Signed: ........................ Date: ........................

APPENDIX B INTERVIEW GUIDE

APPENDIX C INTERVIEW TRANSCRIPTS

i) Participant 2

BCM interview Participant 2


Duration: 31:50
Date: 10/09/14
Participants: Camilla Amundsen & Participant 2

Camilla Amundsen: Well I guess since we did the introduction last time, we can just jump to you
introducing yourself and talking about your history within BC.

Participant 2: OK, sure. So I'll try to give a summary level this time, and hopefully you can fill
in some of the gaps from memory. So basically I started working on BC for the [a
university] about 10 years ago, 9 years ago. In short there was the external
auditors were concerned the university did not have a BC program, so they
worked through our office of the chief information officers, through the IT side
of the house and set up a BCM program. And again I think that was pretty
standard for 10 years ago a lot of the BC programs come in through IT disaster
recovery just like something they do now, but not as many. So basically we were
charged with coming up with BC plans across the entire university, at that time
we had about 60.000 students, 30.000 employees, 600 buildings on 5 campuses,
and by the time about 7 years had passed, let's say 5-6-7 years, when I actually
left that program. We had done somewhere between 200 and 300 individual
BC plans. Everything from a day-care centre to a hotel to an ice rink, centralised
purchasing, centralised IT, research, pretty much everything, steam generation,
everything you could possible, it's like a small city there. And so we had done BC
plans across all of the, many many areas across the university. So that's a good
start, and then 2 years ago I left the enterprise continuity management program
and now doing something different.

C: So then let's just jump right into talking a little bit about the advantages with BC
and if you could tell me a story where BC had a contribution to the University.

P2: Sure, just like we talked about last time, perhaps the best example is with the
hotel that we have here on campus. And, so the hotel had a full BCP, we had
done at least one simulation exercise in addition to table top exercise, so they
were very prepared for BC incidents. And one event during the winter was that
very unexpectedly they lost power, and we wouldn't know it at the time, but it
ended up lasting over 48 hours before power was restored to the hotel, and so
they worked very quickly and efficiently to partner with all of the 151 guests
that were staying at the hotel for that weekend to hold their hands and get
them placed at other hotels across the area. At least one of the events they had
planned for that day, they did by candlelight, and they were able to bring in
some food from outside places and etc. etc. and very positive and calm and
relaxed response to the incidents, and weeks later they received letters from
people who had been there, saying what a great job they had done with the
incident and how everyone felt very comfortable with the way they had handled
it and that they would certainly come back again and stay again. And so we
definitely saw, you know, an initial loss of revenue, because there were no other
way to avoid that loss of revenue, on the other hand we saw definitely a very
big increase in the brand and the loyalty, customer loyalty and the return rate
that these customers would come back. So definitely was well handled a lot of
advantages came up.

C: And then a little about your experience regarding a time when BC didn't go as
planned.

P2: I think we talked a little about this last time in that, typically if a group has gone
through the planning, has done some of the exercising, has really prepared for
incident. By large they're going to go well, you're going to have little, you know,
no plan survives first contact with the enemy, so it's always changing, but
people know in general what their roles and responsibilities are in regard to
coming back from the incident, responding to the incident. So typically the only
time where they go badly, is when senior leadership comes in and tries to take
control of the tactical response, and changes all the rules, and changes the roles
and responsibilities, changes what's going to happen. So in short you got a
group that typically works together, that comes up with the plan, that executes
the plan, it is by and large the tactical response team, and they use senior
leadership for policy and broad strategic decisions, like are we going to open
tomorrow or not, are we going to have classes tomorrow or not, should we send
people home or not, these very large policy decision. But the tactical responses
should be within the group that has undergone the planning, the group that will
execute the plan. So again, typically when things don't go well, is because senior
leadership feel they need to come and be involved in the tactical decisions
without the background of how those decisions were made in the first place. So,
and we talked a little last time, so one of the ways we try to deal with that is to
have a very clear role for senior leadership in our BC plans. Either they are
involved in the planning and preparedness effort, which is great, they
understand how it all is going to work, they understand what their roles are,
what decisions they will need to know, that's fantastic. Or they don't want to be
involved, and then we write a role in for them and say, look, you don't want to
be here at the incident command centre, or the continuity response centre.
Where you need to be is out, and you're the face of the organisation, you're the
face of the department, you need to be out and making policy decisions and
showing that everything is okay, and providing that face, providing the
interaction with the community. That's your role, we will check in with you on
hourly basis or for hourly basis you check back in with us, we ask you policy
decisions, you can ask us for status updates. That works well, what doesn't work
well is the leadership that doesn't want to be involved during planning, but
wants to be involved at time for response.

C: We talked a little about this last time too, that there's some problems with getting
executive managers or leader commitment to BC. Could you talk a little about that
and the reasons behind, or your perceived reasons behind this.

P2: Yeah, so, basically one of the significant root causes for that situation is that we
don't have the proper matrix, and the proper research to show to executives to
prove the worth and the improvement of continuity preparedness efforts, so,
and obviously written about this a number of times, and you know there's a lot
of stuff out there about it, but look, it's simple questions like, If I undertake
formal BC how much more prepared will my organisation be to recover from
disaster, or what percentage of organisations that undergo or undertake BC
planning are better off to survive disaster. So I took it vs. I did not undertook it
what percentage of those organisations are better at recovering from disaster
faster than other organisations. Those kinds of basic matrix don't exist, that
research doesn't exist. So the executives look towards our profession and says,
ok, tell me why, why are we undergoing BC planning? The best that we can tell
them is, well, you are probably more likely to recover from disaster if you do
this. And so, if they are not concerned about disaster, they are not going to be
convinced that this will be a worthwhile expenditure of their time and
resources. And even if they are concerned about recovering from disaster, we
can't give them a return on investment, we can't give them statistics, we can't
give them measurements, we can't give them reasons. And when we begin, we
don't have anything to show our progress, so a fascinating question might be,
well okay, we have now undergone ISO 22301, how much more prepared are
we to recover from disaster? We can't answer any of these questions. Well I
think we can, I think I've developed the matrix to be able to do that, but those
are the questions we need to be asking, and we need to get out of the yes no
questions. Are we prepared to recover from a disaster or not? That's not the
right way to ask that, it's not a yes or no, we're very much in the compliance
mind-set, and we talk about the ISO 22301, and we say, well, I'm worried about
my supply chain vendor, I'm worried about them being able to provide me with
the supplies I need if something were to go wrong on their side of the world, so
I know how we will fix this. We will go and have them ISO 22301 certified, well
that's not a guarantee it just means that they have certain aspects of a BC plan
in place, again it's not measuring preparedness, so we need to ask the question,
how prepared is my organisation to recover from a physical or staffing loss to be
able to measure that cross time, and I think we can, but we haven't. And so, to
summarise, I think executive leadership asks a very good question of why should
I be spending my time and money and resources on continuity planning, and we
don't have a very good answer for them.

C: Just going back to the ISO standards, just your personal views of it, and is it
common to implement it in the US?

P2: It is becoming increasingly common, I don't, and I think we don't have anything
else to look at. I think people are desperate for a way to measure preparedness,
I think they are desperate for a way to show some progress and to show some
effectiveness, and the closest thing we have to that is the standard ISO 22301, I
think it's a very good next step over BS 25999 over NFP 1600 or some of the
other standards, it's a better standard than we have had. But there are still
some very important gaps, the two biggest problems with this standard are that
they, it's very much yes or no. Do you have executive leadership support or not,
is that really a yes or no question. Do we have enough money, is that a yes or no
question, shouldn't these be in circa percentages. But it measures what has
been easy to measure, executive leadership, have we done a BIA, yes or no,
have we done a risk assessment, yes or no, have we done. Well we can do
better and worse BIA and risk assessments, and then we can use them in better
or worse ways. So it counts these things and mostly it counts, so the first
problem is that it's yes or no, and the second problem is that it really measures
the pieces you need to set up a program, but not effectiveness of that program.
But yes, it's definitely becoming more common and widely adopted.

C: Do you think it's becoming more common as a compliance to regulations?

P2: Yes

C: And, we talked a little about this, and you have written about it, but could we talk
a little about building a common methodology within BC and what the benefits
would be.

P2: Yeah I think we have lots of best practises, or as they call it in, they are starting to
call it in the Project Management Institute, a shift to proven practises, to some
extent there will be no such thing as a best practise because the landscape is
always shifting, we are always learning more, at least we should be, and there
should be things called proven practises not necessarily best practises, okay,
that's a side point. But what we have is a lot of guess work right now. We have
guesswork and habit, we are used to counting things that are easy to count, like
numbers of plans, numbers of documents, when the last time we updated the
plan, how many exercises have I had, how many people were at the exercises.
None of these things are true indicators of preparedness, they're just things that
we can easily count. So I think our standards of our methodology right now are
based on some of the best guesses we can come up with, some of the best
habits that have lasted the longest over time, but we don't have the research to
prove that these are in fact proven practises, things we ought to be doing. The
easy example, well maybe not easy, but a good example of this is risk
assessment, we typically ask people, well, let's identify the threats, let's rate
them for which we think are going to be, which will happen more or less
frequently and let's rate them on which we think will be larger or smaller impact
and come up with a number at the end, is that scientific, is that based on
research? And what we do with that in the end, okay, so now I know that an
earthquake will be more devastating and roughly more likely than a mudslide,
do I come up with an earthquake plan now, and then the mudslide plan, and the
Ebola plan, and the strike plan and the flood plan? Well I'm not doing that
anyway, a proper BCP doesn't look at the threats and the causes, a proper BCP
looks at what the effects would be, which is essentially I don't have the right
people, I don't have the right stuff, I don't have the right location anymore, and
plan for people, stuff and location, people resources and location. So why do we
do a risk assessment, well it's you know, strictly something we have always
done so let's do it again. And we can count it, and we can come up with nice
numbers and it looks very scientific, ok. So is that best practise, is that a proven
practise? What percentage of organisations that do a risk assessment are more
likely to recover from disasters? Who knows, we don't have any of this research.
So I think our methodology, I think our profession if it is a profession, or
discipline if it is a discipline, is very undisciplined. We have not done our
homework and our methodology shows that.

C: Then, let us just talk a little about how you feel that academic study into the field
would benefit?

P2: Yeah, obviously I think it would have a lot of benefits, but let's begin with what
we sort of talked about last time. I think the practitioners of preparedness
planning are very busy, and I think they don't have the time and often the
inclination to step back from what they are doing day to day to day, and say, is
this the right thing, is this the most beneficial thing I could be doing for the
company, is this the most beneficial thing I could be doing to improve the
preparedness across the organisation. So the academic world have some of
those tools, both in the physical sense, methodological sense as well as the
mental sense, right, they have that proclivity to do that kind of research, so they
have the tool to do that, they have the time to do that, and they have some
inclination to do that, and they have the rigor to hopefully to be able to that
very well, and then inform the practising community about those results. Again I
think people that are doing continuity planning by and large are not getting paid
to do research, they are not getting paid to think about what they are doing and
try to come up with better ways to do experiments and do research and find
these types of things out. So it's difficult for them to find the time, and to bandwidth,
again I think there's part of the proclivity too. To try to think of new ways,
and better ways, and right ways, and effective ways to do continuity planning,
and I definitely think that academia could do that, absolutely there's a role for
them to play, and a role I would argue we desperately need.

C: I talked to another BC consultant earlier this week, and he is actually starting to
study risk management, but he will do his dissertation on BC as well.

P2: Awesome, that's fantastic, absolutely, that's great. And I think again, you and I
talked, we need to have people like you out there who are going to lay the
foundation and set the path for research in this area, I think it's pretty... We
have people who have done risk management research, and that's sort of an
established field, and you can get a PHD in risk management, and that leads you
to insurance and being a fellow. And there's sort of a path there (inaudible). I
would argue that there are a similar but smaller path in the life safety, you could
probably appreciate you PHD in a life safety program, and talking about, what's
the best way to do crowd control, what's the best way to do evacuation. We
just don't have that track yet of research inside of BC. And we need people to, if
they can't go all the way and do the end stake research, at least lay the
foundation, lay the pathway for other people to follow to say, these are the kind
of questions we need to be asking, this is the kind of research that we need,
here's an hypothesis, go prove this or disprove this hypothesis, we need to
know these types of things. So that entire discipline, that approach, that
research approach is desperately needed.

C: Yeah, we talked a little bit about this last time as well, but I want to get you on
record, about where BC should be placed within an organisation, and how
centralisation or decentralisation should play into that.

P2: I don't think we did actually talk about that one at all. And I think, at the end of
the day I don't care. I'm not sure it matters, so this question, it's an interesting
question, and I think it shows, I have to think more deeply on that, I think it
shows again the problems that we have in, how immature our discipline is, in
that the answer, the best way to answer that question, where does a BC
program belong inside an organisation. Well the answer to that is, well where it
can be most effective? Okay, well what makes for an effective BC program? Well
again, leadership support, and money, and okay. Well I've done a BC program
without leadership support, you can do it, you just have to build it from the
ground up. I've done it with a very small budget, I've done it so. I'm not sure the
standard beliefs are true, so should it be at IT, should it be at risk management.
Not sure it matters, what matters it is being effective. So the question what is an
effective BC program, I think we could start to tease some of these things out
quite quickly. It's a program that's going to be able to work with the subject
matter experts, now typically the best way to have that happen is leadership to
say, you will work with subject matter experts, okay we will, so now we can do
it. But it's not necessary, we can certainly imagine other situations where we
can get that subject matter experts without a lot of, you know, so by offering
value and showing value of the BC program and what the participants get out of
it, that's a lot of what we did at the university, just say hey, you don't have to
meet with us, if you do meet with us this is what you're going to walk away
with, you will get a better understanding of your processes, you will be able to
continue your services after a disaster, you will be more likely to survive that
disaster and continue, let's talk about [another university] that cut programs out
of it, let's talk about [another university] that no longer have these types of
programs because they didn't survive the disaster and they had to all be cut,
blah blah blah. So I think you would look at what is most effective, and you
know, can I get the people in to the room that I need, can I get the money to get
the staffing I need, can I get the participation to run an exercise, can I get the
servers, and now we are talking about the IT world, can I get the backup servers
that I need to be able to back up the things, blah blah blah. But the answer is
well where it's most effective within the organisation, and my instinct is there is
no one answer to that question. In organisation A, the power and the influence
might be in the office of the CEO, in organisation B it might be in risk
management, organisation C it might be from the bottom up, right. So I don't
think there's going to be a very clear answer to that, at least until we start to ask
the right questions again.

C: Then, I know we talked about this last time, return on investment in BC.

P2: Yes, so again, to summarise that discussion, return on investment is dependent
upon two things, the creativity of the preparedness planners and the
receptiveness of the organisation to do the recommendations, to undertake the
recommendations, and the ideas of the BC planner, so some examples. The BC
plan or the preparedness planner going through a business impact analysis
might uncover ways that the department can be more efficient, now we have
opportunities for six sigma, we have opportunities for business process
reengineering, we have opportunities to get more effective and efficient, we
have opportunities to bring in other stakeholders all these things. Ok, now, who
takes advantage of them, if the BC planner doesn't come up with these ideas or
the organisation isn't willing to adopt these ideas, we don't have a return on
investment, right. So across the board, we can look at IT, right. So we may
uncover opportunities to decrease the amount of backup that we are doing for
our systems, we may have the opportunity to use a development platform for
back up, so we have saved some money there, so there's all these possibilities
and ideas, but it depends on the continuity planner to come up with them and
the organisation to adopt them. And so what's interesting about the ROI
discussion, what's surprising about the ROI discussion is that it depends, there
isn't again, now we're back to the yes and no, there isn't a yes or no answer to
the ROI question, the answer is that it depends on the person and on the
organisation. But there are many many many opportunities for ROI, there are
the opportunities inside of IT, inside of business process reengineering, and
quality improvement. There are advantages in team building, and so, if you look
through all the different areas, there are many many opportunities, but the only
one that we think is definite is that if you have done BC planning and if you had
a disaster you are more likely to recover, but now we come back to our first
conversation that we don't have the statistics of what the return on investment
might be.

C: Do you think the discussion of ROI has been focused on lately because businesses
are so profit oriented, so they want to see a return everywhere?

P2: I think that's part of it, but more, I think the driver is that the executive
leadership doesn't understand the value, so in trying to understand the value of
expenditure of the money and time and the resources, that is something that
they understand, they understand return of investment. That is a, what's the
right word, that's a metric, a measure they understand, so if we could put BC in
those terms they would get it and they would say okay, now I understand the
value. So I think it's more the struggle for the preparedness planners to show, to
demonstrate to prove the value of what they are doing.

C: Okay, so do you think that putting an insurance label on the ROI is too easy?

P2: Yes, yes I do, I think it does not get to the true nature of what you can get out of
a proper BC program.

C: And then just moving on to talking a little about..

P2: This will probably be the last question, 'cause I got people coming in for the next
meeting, so whatever the last question you need is what we will do.

C: Well, differences between BC and other approaches and like DR and business
resilience, and such.

P2: Do you want to narrow that down a little bit?

C: Let's just take BC and Business Resilience then.

P2: I think in short, and again just in the interest of time, I think that resilience is a
much wider question, a much, the question is much larger in scope, I think the
question of BC which ought to be, how do I better prepare an organisation to
recover from a significant physical or staffing loss. I think that is very
measurable, I think that can be the foundation of a discipline, we can find the
measures, we can find the answers, we can do the research in that, and I think
that will turn up definitely manageable. Resilience is a much much larger
question; it is going to get into questions of leadership, it's going to get into
questions of psychology, of business market share, time to market and supply
chains and efficiency and basically resiliency is how do I big build a business for
success, my answer to that question is a very large one, and I'm not sure we will
ever get a consensus on that.

C: Just a last one, the last time we talked about that there are three types of plans,
site and for people, and I forgot the last one.

P2: So essentially you want to come up with scenarios that the three most likely,
that the effects of a disaster are going to be people, resources and location, so I
can mix and match at time of disaster, to say, okay how do I deal with not the
right people, how do I deal with not the right resources, and how do I deal with
not the right locations. Cool, got to run.

C: Thank you!

P2: Thanks a lot, we will talk soon

APPENDIX D CODE THEMES AND CATEGORIES

i) Meanings and Definitions

Business Resiliency
Name: Business Resiliency

Description: What do participants perceive BR to be

<Internals\\Participant 2> - 1 reference coded [3.43% Coverage]

Reference 1 - 3.43% Coverage

I think that resilience is a much wider question, a much, the question is much larger in scope, I think the
question of BC which ought to be, how do I better prepare an organisation to
recover from a significant physical or staffing loss. I think that is very
measurable, I think that can be the foundation of a discipline, we can find the
measures, we can find the answers, we can do the research in that, and I think
that will turn up definitely manageable. Resilience is a much much larger
question; it is going to get into questions of leadership, it's going to get into
questions of psychology, of business market share, time to market and supply
chains and efficiency and basically resiliency is how do I big build a business for
success, my answer to that question is a very large one, and I'm not sure we will
ever get a consensus on that.

<Internals\\Participant 3> - 1 reference coded [4.54% Coverage]

Reference 1 - 4.54% Coverage

if I just want to define business resiliency you mean in terms of building a solid foundations for doing
business. BCM is one element, it's not enough. For me BCM is a tool, in my
humble view it's only a tool because it's a tool that can function only when
there are people behind it to implement it. It's not a machine, it's a process a
model for people to take the right decision at the right moment, so it's and
through a certain framework that has been tested, monitored etc. so people
have to be fully engaged in committing and implementing the BCM and the
senior management and/or the leadership of the organisations has to be
completely on top of that issue and that has to be on top of the agenda. So
business resiliency is not just about BCM, it's about people, it's about how we
learn from our mistakes. Because if you do not learn from your mistakes and
what went wrong, then BCM is a complete failure to some extent, it's not
necessary, it's just a paper in a drawer. So business resiliency is one: BCM but
two: people engaged and three: learning from lessons.

<Internals\\Participant 4> - 4 references coded [4.86% Coverage]

Reference 1 - 1.05% Coverage

My department, at least initially was named Business Resiliency, which I think is even a better term,
although everybody looks at it differently. And then BC is just one aspect of it as
well as disaster recovery, as well as facilities, hardening, and safety and all these
other things you know. So that's what I think is the difference, BC is back office,
non-computer stuff, and then disaster recovery is your computers.

Reference 2 - 1.64% Coverage

Exactly, the bottom line would be, you know, taking all, you know, and everything from, you know, fire
drills which is, you know, facilities and that sort of stuff. Everything you can do
to make your business more resilient. And including then as you outsource and
offshore in any area that is ever growing, and that is making sure that the
vendors you are relying upon have big, have good BC programs and that your,
you know, and that they are living up to that, and that there are good service
level agreements between everybody, internally and externally so everybody
knows what they can expect during a crisis from other people, that's all business
resiliency.

Reference 3 - 1.75% Coverage

And we have a company here, that I'm not a part of, but [this hypermarket], the company has been
around, [this hypermarket] have been around for 150 years, but now, they are
only worried about tomorrow's profit. And they have stripped all of their BC,
and consequently if the price of cotton goes up a nickel, they are toast. Because
they have no resiliency plan of what to do if their supply goes up a nickel. You
know, so, it's just. If you don't think about the resilience aspect of it, you're just,
your, you know, you don't have a net, you are walking the tightrope of business
where profits and losses can be based on very minor things, and you're walking
it without a net, without business resiliency.

Reference 4 - 0.41% Coverage

the more resilient you think it is, you turn a blind eye to where the single point of failure may be. You
know, it's the same thing, if anything can happen, it will.

<Internals\\Participant 5> - 5 references coded [2.53% Coverage]

Reference 1 - 0.70% Coverage

at least from a disaster point of view, there are fewer reasons that speak for implementing BCM, and
that's why the regulators right now are the main drivers. The reason why they
are doing it is because they want to improve the resilience or whatever you
want to call it, of the whole country for example.

Reference 2 - 0.51% Coverage

I like the term resilience, because it opens up opportunities again for connecting different topics. I do
not think that business resilience is a whole new or different profession. Like
next to or above BCM or something.

Reference 3 - 0.67% Coverage

In my experience there is nothing new, so the term resilience is used in a lot of professions like
psychology, ecology, engineering etc. From a BC point of view, I think if you, for
example, have a resilience manager, I think he, what he really does is more or
less the same as the BC manager.

Reference 4 - 0.27% Coverage

You could simply argue that, okay, if you want to improve resilience we should make this and that
process more secure.

Reference 5 - 0.38% Coverage

So that's something where BC has to be improved on a very basic level. And I think that's the main
challenge, and not to come up with something new like resilience

<Internals\\Participant 6> - 1 reference coded [0.35% Coverage]

Reference 1 - 0.35% Coverage

because there is no method to evaluate BCM, there is no way to evaluate the resilience of the
organisation.

<Internals\\Participant 7> - 4 references coded [4.26% Coverage]

Reference 1 - 0.11% Coverage

Have you heard about the new buzz word BR?

Reference 2 - 0.15% Coverage

There's an upcoming ISO standard 22316 I guess, which is BR

Reference 3 - 1.14% Coverage

The only thing that maybe the new resilience standard can bring is the attention on the management
board level to these things, because resilience sounds better than continuity.
Resilience is a, I would not say a management discipline, it's the end results of
having BCM and other disciplines implemented, if the selling is better, because
it sounds better to the management, okay, then let's call it in the future
business resilience, I don't care.

Reference 4 - 2.86% Coverage

Business resilience at the end, the word is it is a result of different other disciplines. Business resilience
as a management method is once again the wrong wording, because resilience
is a result, resilience on one hand is a result of having implemented and thought
about, how to say, have thought about building, business in a way that it is
reliable and not that vulnerable to whatever, a fire or a flood or things like this.
So you have done a lot of thinking before when you set out the company as well
as implementing all the required things to stabilise and make a company able to
react in such an event. It's not a, I think it's not a management discipline. One
does now describe as the big differences, BCM is one discipline and then you
operational risk management and then you have whatever, ITSCM, IT service
continuity management, and a lot of other disciplines and the idea of this new
standard is to bring all these things together, in one standard and describe it.
Yeah, you can do it like this, but in real life you still have the burden in the
company, so we have the fact that business is not talking to IT.

<Internals\\Participant 8> - 3 references coded [4.88% Coverage]

Reference 1 - 2.58% Coverage

the thing is that when I first came across the word BR I found it to be something of a well it looked like
something very old that simply has a new name to it. There is a very nice [] or
buzz word. But when you get those thoughts behind you that it is just
something old dressed like something new, then it's just BCM called something
else.[] If you cut the plan creation away from BCM, what's left is BR. So all of
those preventive measures that you undertake to increase your BC skills but are
not plan creation, this is from my point of view the BR part.

Reference 2 - 0.51% Coverage

So this thought, even though we call it BCM is BR. We try [] to stop the company from creating a
weakness.

Reference 3 - 1.78% Coverage

I have talked with quite a few people about their thoughts and most of them focus on the life cycle, on
protecting the BIA, the strategic plan creation and testing, and they often
missed those other things. Like getting the basic idea of BCM, which you could
call business resilience, into the minds of the people and to influence their day
to day actions during business operations.

Differentiation

Name: Differentiation

Description: What is the difference between BC and other approaches

<Internals\\Participant 1> - 1 reference coded [?% Coverage]

Reference 1 - ?% Coverage

We would roll any sort of business process and sort of the risks associated with it into this broader
category.

<Internals\\Participant 3> - 1 reference coded [2.15% Coverage]

Reference 1 - 2.15% Coverage

For me BCM is a much more matured system, because it integrates all of the what you said, but also
involves stakeholders in a process, stakeholders such as buildings, security, HR,
etc. Assuming that there is a BCM expert coordinating the whole thing. But
even if that is not the case, the role is distributed among different people, so it
really involves more stakeholders of the organisations. I think that is what we
need in the case of a crisis, because everyone knows what to do in the right
moment.

<Internals\\Participant 4> - 1 reference coded [1.73% Coverage]

Reference 1 - 1.73% Coverage

disaster recovery is all about bringing the computers back up and running, while BC is really everything
else. It's bringing all the back office operation back arranged, keeping the money
flowing, keeping revenues and customer service continuing, that's what BC is all
about. My department, at least initially was named Business Resiliency, which I
think is even a better term, although everybody looks at it differently. And then
BC is just one aspect of it as well as disaster recovery, as well as facilities,
hardening, and safety and all these other things you know. So that's what I think
is the difference, BC is back office, non-computer stuff, and then disaster
recovery is your computers.

<Internals\\Participant 5> - 2 references coded [1.47% Coverage]

Reference 1 - 1.15% Coverage

I just have to think about this one picture, there's like this umbrella, under a lot of different professions
and topics. And I personally think it's not always easy to differentiate. Every
profession is there for a reason but from my point of view BCM, risk
management and security management are the three disciplines that are taking
like a leading role in the company, so I have not seen a department for disaster
recovery management. That's something that someone under the BCM
umbrella does.

Reference 2 - 0.32% Coverage

disaster recovery is about IT disaster recovery. For IT disaster recovery the main profession or topic is IT
service continuity management.

<Internals\\Participant 6> - 2 references coded [4.22% Coverage]

Reference 1 - 3.00% Coverage

The biggest difference between disaster mitigation and BC is timeframe I think. For the purpose, the
main purpose of disaster mitigation is, how to minimise the effect from first
impact from disaster. For example earthquake, if the earthquake occurred,
many people are injured or are dead, many buildings would be destroyed.
Usually you would say first impact, and the main purpose of disaster mitigation
is how to minimise the building damage or injured people or dead people. But
BC is not only the first impact, because the main purpose of BC, is how to
minimise the effect from the business interruption. It is not only the first impact,
it would continue 3 days or 1 week or 1 month or something. And if the business
interruption would be longer, by the effect would also be longer. So BC from the
aspect of BC real focus on not only the first impact, but also some long term. I
think it is the biggest difference I think.

Reference 2 - 1.22% Coverage

So usually I have separated it, BC and disaster mitigation. So incident management plan would be a
common part between BC and disaster mitigation, because incident
management plan and a proper organisation to control crisis, it would be very
important for disaster mitigation and also the BC. So incident management
would be common part, I think, for BC and disaster mitigation.

<Internals\\Participant 8> - 3 references coded [12.00% Coverage]

Reference 1 - 5.15% Coverage

currently I focus a lot on interfaces on BCM, operational risk, information security management,
corporate security management and so on. And again we are finding lots of
things that are similar on those management systems, of course, but those
interfaces are not fully developed yet. And BCM is currently the drive behind
aligning those interfaces so showing for example the people from operational
risk management, how much they do is similar to what, for example, corporate
security does. And both sent out spreadsheets for analysis [..], and they are
asking very similar questions, but the people that have to answer the
questionnaires they sent out have to do it twice, so instead of keeping the pressure
from the workload that comes from those governance principles low, as it
should be, and that the people that have to answer the questionnaires focus on
making money or business, they keep them from doing their work. And that we
try to decrease the amount of work that business people have to put in those
questionnaires, by talking to people that sent out those questionnaires, so again
it's one of the benefits.

Reference 2 - 3.07% Coverage

Again it depends on the area, if you are talking about the crisis management part, coming up with the
structure that deals with crises, that's more a tactical thing I think. Because if
you, of course you can consider all these areas, but in order to do good crisis
preparation you have to be risk oriented and be quite close to the base. But
BCM or the planning part, the life cycle, again it depends on the structure of
your company, because the things we are doing in the holding company,
preparing the guidelines and so on, that's a very strategic thing to do, but the
translation into action that has to go on in our subsidiaries is more of a tactical
thing.

Reference 3 - 3.78% Coverage

Yes, BCM develops the, well in my view BCM is there to give the basic structure, those other
management disciplines work in so the fundament [or the base] should be
offered by BCM, but again the interface between BCM and disaster recovery, or
DR is from my point of view is only about the recovery of data services, so
there's an interface, we are talking about the loss of IT of course, but it's a bit
more independent from BCM I think, than crisis management, because people
that have to do the daily business know nothing about IT, so IT can work quite
freely with DR management. Which I think is more of a disadvantage than an
advantage because if you let somebody too free then they might develop
thoughts that are too different from your overall approach, or from the
approach the rest of the company follows.

ii) Benefits

Benefits

Name: Benefits

Description: Perceived benefits of BC among participants

<Internals\\Participant 1> - 2 references coded [4.64% Coverage]

Reference 1 - 0.93% Coverage

But I think the problems that other banks have had from time to time sort of underlines, you know, the
basic necessities the people rely on banks for. And if BC helps you categorise
what those processes are, which we have to run internally in order to give
people accesses to those services externally then clearly there are very valuable
things you get from it.

Reference 2 - 3.71% Coverage

example, some years ago there were some very bad floods in the UK, and some of our more remote
branches were in areas that were affected by the floods and some branches had
to close for a period because of the floods or because of all the repair work that
had to be done afterwards. Now in those instances, because of BC, plans were
in place. Customers could be directed to the other branches in the neighbouring
area, we had mobile banking facilities to help people get their cash out, we
could call priority customers and help customers with special requirements to
reassure them about things or whatever so. Because that's very operational and
because it's to do with the heart of what banks are about, it's very clear that
those sorts of plans had to be in place. Whereas, as I said to you earlier, if our
department couldn't function for a few days it's less apparent what the problem
is, and it's only about working out where we sit in bigger processes with product
management teams or marketing teams or finance teams, or rather decision
makers. Only by thinking those things through can you really work out for how
long you could manage without the [X] team or analysts functioning, so it's a bit
more complicated, because it's obvious to everyone but it's not quite as critical,
you have to look a little bit harder I think to work out what an acceptable level
of resources would be, and how long you could manage without them.

<Internals\\Participant 3> - 4 references coded [11.36% Coverage]

Reference 1 - 6.55% Coverage

the advantage would be obviously the continuing operations, which is critical for any organisation, even
if it's not for profit organisation, it's still critical. I think even more critical
because we do have to report to [members], what we do, how we do and how
we monitor operations. So we are really accountable for the money that we use,
the resources of the organisation, resources in general. So BCM I think is a
critical partner for what we do, for this type of organisation. So that's one
advantage of continuing operations. The second is just to review on a regular
basis how we operate and the state of our resources and the readiness of staff
to deal with a crisis, or let me just call it an interruption of operations, it's not
necessarily a crisis but interruption of operations. So what do you do from a
minor electricity down, break down, or when a terrorist comes in and holds the
whole building, and how do we work from home etc. You would be so surprised,
there are very very few people that actually know how to use the home based
interface which we have available for our staff, some of them don't even know
how to access their emails. This kind of things. And maybe if I could say a third
one, I think the advantage of having a very clear BCM plan out there, shows to
our stakeholder that we are a very mature organisation and very serious about
what we do and how we do it and how we want to improve it. To some extent
it's like a card, a business card that we are managing the organisation in the
most efficient and active way.

Reference 2 - 1.85% Coverage

it depends on how we define by marketing, if we define marketing with, it's how we communicate to
seduce and being attractive, I would say for this type of organisation it is not
necessary. We don't need so much insist on the continuation of operation
because it is not critical to stakeholders. But I think it would be good to
communicate that we know we are doing in case of crisis, because we are so
much confronted to potential crises.

Reference 3 - 0.81% Coverage

Marketing, like putting out that we have BCM, a mature BCM system in place, I wouldn't go that
extreme, but yes communicate to stakeholders that we are ready for
interruptions of operations.

Reference 4 - 2.15% Coverage

For me BCM is a much more matured system, because it integrates all of the what you said, but also
involves stakeholders in a process, stakeholders such as buildings, security, HR,
etc. Assuming that there is a BCM expert coordinating the whole thing. But
even if that is not the case, the role is distributed among different people, so it
really involves more stakeholders of the organisations. I think that is what we
need in the case of a crisis, because everyone knows what to do in the right
moment.

<Internals\\Participant 4> - 7 references coded [8.13% Coverage]

Reference 1 - 2.87% Coverage

we were able to get through 9/11, we had, one of our large international trading operations in lower
Manhattan, just a few blocks away from ground 0. And then we had a big north
east power outage here in the north east section of the US lost power for
several days, which impacted our large operations we had in Detroit Michigan.
And then we also had a situation, we also had minor issues, but these are the
three major things that happened in our company. Our headquarter had caught
fire in downtown Chicago, and at the time it was the largest skyscraper fire in
the history of the city. Gutted two floors, completely demolished two floors, 55
million dollars US damage. But in all three of these we did not have to file for
business interruption insurance claim, because we were able to keep running.
And most importantly what that meant was, at least in the case of 9/11, we
actually made a lot of money because we were the only financial institution in
lower Manhattan that was still processing during the event, until they closed the
market. And then, the same thing with the fire, we had gotten such good press
from what we did, we actually gained customers.

Reference 2 - 1.00% Coverage

we of course couldn't be down for any amount of time because we would lose money immediately, and
more importantly in an internet world, if you go down and your competitors
don't, they are just a few clicks away, the client and you've lost that money. Not
only, and then if they have a better experience you've lost them not only for
that trade or that transaction, but you've lost them permanently.

Reference 3 - 1.07% Coverage

The advantage of BCM is if done correctly, big problems, big crises turn out to be not as impactful, but
also medium problems don't turn into a crisis, in fact they get resolved. And
become less of a problem for an organisation. So it's not just planning for the
big catastrophic event, it's improving your overall business processes to a point
that minor disruptions become non-events, rather than snowballing into a
bigger problem.

Reference 4 - 0.45% Coverage

That is something a lot of BC people look to, is involving marketing. To say, look, we are better than
them because we are more resilient, we will be there when the chips are down.

Reference 5 - 0.14% Coverage

Ah yes, most definitely! [use BC for marketing purposes]

Reference 6 - 1.23% Coverage

BIA are one of the things that you know, what would you do if you lost this person or that person, and
you found within people had just gone through a major reduction in staff,
rightsizing you may call it or downsizing. And when you do that a lot of times
managers don't know how many single points of failure they have within the
people and by pointing those out, you know you are able to save the next guy
who quits and all of sudden there's no one to do all those jobs and pick up those
pieces.

Reference 7 - 1.38% Coverage

The bottom line is, two things, the bottom line of BC is two things I have taken away from it. One, it's
common sense, it's all based on common sense. And two, if you have bad
business practises in production, you're not going to have a good Disaster
recovery program, your BC program will not allow your business to run better
than it does on a day to day basis. So if you don't have good business processes
today in production, then that needs to be fixed. And sometimes BC programs
can help make that happen, because it can highlight what the problems are.

<Internals\\Participant 5> - 4 references coded [2.82% Coverage]

Reference 1 - 0.91% Coverage

getting rid of silos, getting people together, talking, understanding each other, making these
connections or these internal networks you could say. That's a very nice
advantage in my point of view, and it also enables the organisation to, that's a
very positive way of seeing it, enable an organisation to maybe even improve
internal processes, I don't know, just developing new ideas, whatever.

Reference 2 - 1.10% Coverage

I differentiate. There are like the walk through test, functional test, full-scale exercise test, simulation
test all different test types. If you do that, you get out of your business, you
literally get out of your office if you are in charge of this. Because in the real day
okay let's now exercise this and that. That's a very important point in the BCM
lifecycle from my point of view. Because you really do interact with people and
you create a lot, a lot of awareness.

Reference 3 - 0.59% Coverage

it does not influence the real business decisions, it's not something that like shapes the future business,
but something that should secure the decision somebody makes in the past.
Like a business said where you want to go etc. etc. and now we secure it.

Reference 4 - 0.22% Coverage

profession that also provides benefit to a normal business and not only for crisis situations.

<Internals\\Participant 7> - 2 references coded [2.19% Coverage]

Reference 1 - 0.14% Coverage

Their benefit in this situation, they were able to work.

Reference 2 - 2.05% Coverage

In this situation the benefits were that the traders, the financial traders can go on, otherwise they would
have lost a lot of money, so that's the benefit, they have a clear benefit in terms
of on-going business. In other cases what we see right now is that the insurance
companies change their contract, so if you can prove that you have a working
BCM then they reduce the insurance rates. This is also something that have
happened over the last 5 years I would say. Not before, before they don't care
about BCM, but right now they are asking for companies that have implemented
BCM and due to that, you reduce rates and save money. So BCM can save you
money. Other benefits also a 1000 times heard is, okay, you can find out that
the processes doesn't work that way, and you can change business processes.

<Internals\\Participant 8> - 2 references coded [6.13% Coverage]

Reference 1 - 3.45% Coverage

well the most obvious reason is of course being prepared for crises. But another that is a bit more
subtle is the fact that when you are implementing BCM you're turning the
whole company upside down, and look at already established processes from
another perspective. And give the opportunity to improve some things, that
have been just accepted as it is. Another thing is of course the[], it is that for
example, when you're planning for the scenario (inaudible) you can also use the
BCP that you created If the organisation has too much work, but not enough
people. Because this is the same thing, if I lose personnel I use BCP and also if I
have too much work and not enough people I can also use the same measures I
wrote down in the BCP.

Reference 2 - 2.68% Coverage

talking about the different BCM strategies and one of them is the increasing number of service
providers. So that you in daily operations you have more than one service
provider for one service that supports one of your tangible business processes.
And then we came upon that this tactic is just good business, also from the view
of the colleges from the [outsources services]. Because [] usually you have
stronger competition among the service providers you use, and also your
business is more resilient, because you can easier switch from one service
provider to the another.

Brand protection

Name: Brand Protection

Description: How BCM can help brand protection

<Internals\\Participant 1> - 1 reference coded [0.73% Coverage]

Reference 1 - 0.73% Coverage

Well I don't think we would ever forget the brand side, and we have of course the media relations
department and marketing teams who are very focused on tracking consumer
sentiment about things. But I think perhaps it has helped us putting more
emphasis on getting the basics right.

<Internals\\Participant 2> - 1 reference coded [2.71% Coverage]

Reference 1 - 2.71% Coverage

very positive and calm and relaxed response to the incidents, and weeks later they received letters from
people who had been there, saying what a great job they had done with the
incident and how everyone felt very comfortable with the way they had handled
it and that they would certainly come back again and stay again. And so we
definitely saw, you know, an initial loss of revenue, because there were no other
way to avoid that loss of revenue, on the other hand we saw definitely a very
big increase in the brand and the loyalty, customer loyalty and the return rate
that these customers would come back. So definitely was well handled a lot of
advantages came up.

<Internals\\Participant 3> - 2 references coded [3.73% Coverage]

Reference 1 - 1.85% Coverage

it depends on how we define by marketing, if we define marketing with, it's how we communicate to
seduce and being attractive, I would say for this type of organisation it is not
necessary. We don't need so much insist on the continuation of operation
because it is not critical to stakeholders. But I think it would be good to
communicate that we know we are doing in case of crisis, because we are so
much confronted to potential crises.

Reference 2 - 1.88% Coverage

You know, in organisations where today we insist on a lot of process so I would say yes [a form of brand
protection]. We have a lot of framework. We have a framework, it's there, we
have tested it, we monitor it on a regular basis so people feel really assured with
something like that. It is definitely not the main element for branding, of course
not. We can show that we have elements in place for what to do in the case of
unforeseen events.

<Internals\\Participant 4> - 1 reference coded [3.09% Coverage]

Reference 1 - 3.09% Coverage

We had 3 companies in Chicago who at the time of the fire, were looking for a new bank to do business
with, Fairly large companies. And they went to us and 2 other banks in Chicago
and all 3 banks bid. And they all had similar product lines and all had similar
costs, and so was, there was, they came back to all of us at the time and they
said we need a differentiator, we need to know why we should go with you and
not those other 2 people well, as luck would have it, the fire occurred. And all
of our critical. It happened 630 on a Monday night, and by 630 Tuesday
morning, all critical processes were up and running, and we were in the press
and we were making statements to all of our customers and clients that their
money was safe, and banking as usual was on and all this. And we, then those,
all 3 of those customers came to us. That's the differentiation, so all three of
them signed on with us. From that point moving forward, I've always used my
preparedness and exploiting, if that's the right word, real issues with the
marketing team and involving them. That is something a lot of BC people look
to, is involving marketing. To say, look, we are better than them because we are
more resilient, we will be there when the chips are down.

<Internals\\Participant 6> - 1 reference coded [0.58% Coverage]

Reference 1 - 0.58% Coverage

For b to b company the BCM is very great effect for brand and reputation but for b to c company it, I'm
not sure the BCM is very good for brand protection and reputation or not.

<Internals\\Participant 8> - 1 reference coded [0.34% Coverage]

Reference 1 - 0.34% Coverage

because in order to protect your brand the crisis have to be quite major.

Customer Trust

Name: Customer Trust

Description: What impacts customers

<Internals\\Participant 1> - 5 references coded [6.07% Coverage]

Reference 1 - 0.35% Coverage

we were obviously very sensitive to what type of events cause organisations to have problems with
customer trust and which ones don't.

Reference 2 - 0.58% Coverage

And all our research suggests that those very practical issues have a far bigger impact on people's trust in
[the other bank] as an organisation. Than all the countless front page media
stories day after day about [my bank]

Reference 3 - 0.74% Coverage

it was almost as if those sort of bad publicity stories, it wasn't that they didn't believe them, it was that
they didn't impact them personally and so the extent to which they dented
confidence in us as an organisation was a lot less amongst our customers than
we imagined it would be.

Reference 4 - 1.78% Coverage

To the extent that our market share throughout the period actually continued to grow, and there was
only the tiniest, sort of blip in our market share growth throughout that time,
whereas organisations like [the other bank], that had problems which you
would think on the face of it were less serious and they were just caused by a
technical problem, they were then resolved again. And then a few times
something else would happen but again it was resolved within a day or so. They
seemed to have a far bigger impact because they affected people's ability to
move money around, get cash out of machines, to do all the things that people
rely on banks to do without usually thinking about it.

Reference 5 - 2.62% Coverage

But this sort of highlighted that, it's a bit like, sort of Maslow hierarchy, there are all these higher order
things like brand perception, and the things we talk about in terms of [inaudible]
like our brand, and understanding customer needs, and developing new
products, and all the things we are trying to do. Although those things do
matter, the things that actually matter the most, the hygiene practice if you like,
are to do with can I get access to my money can I get it will my salary be
paid will I have access to it. So I think it was, is interesting, when BC was first
talked about, I wouldn't probably have made that connection. But I think the
problems that other banks have had from time to time sort of underlines, you
know, the basic necessities the people rely on banks for. And if BC helps you
categorise what those processes are, which we have to run internally in order to
give people accesses to those services externally then clearly there are very
valuable things you get from it.

<Internals\\Participant 2> - 1 reference coded [2.71% Coverage]

Reference 1 - 2.71% Coverage

very positive and calm and relaxed response to the incidents, and weeks later they received letters from
people who had been there, saying what a great job they had done with the
incident and how everyone felt very comfortable with the way they had handled
it and that they would certainly come back again and stay again. And so we
definitely saw, you know, an initial loss of revenue, because there were no other
way to avoid that loss of revenue, on the other hand we saw definitely a very
big increase in the brand and the loyalty, customer loyalty and the return rate
that these customers would come back. So definitely was well handled a lot of
advantages came up.

<Internals\\Participant 5> - 1 reference coded [0.37% Coverage]

Reference 1 - 0.37% Coverage

but, a lot of time when we are with our customers what we are trying to do is to keep the topic non-
academic, because in the end you can make it very complicated.

<Internals\\Participant 6> - 1 reference coded [1.50% Coverage]

Reference 1 - 1.50% Coverage

I think BC plan or having BC plan is very positive sign for customers or investors I think. Because it means
that the company is very proactive for future risk, and the having BC plan is one
of the great evidence that the top management think about the company's
strategy, including BC. It is very important for customer satisfaction, or securing
barrier for investors. So I think it is a very positive factor to have a BC plan or top
management commitment for BC.

ROI

Name: ROI

Description: Return on investment within BCM

<Internals\\Participant 1> - 2 references coded [6.29% Coverage]

Reference 1 - 5.00% Coverage

Well I think a bit like [my department], it's one of those things you could probably only measure by
imagining what the damage would be if you didn't have it. As you say, there is
an overhead for having all these plans in place, for producing all these cards and
bits of material for the time that people spend, and I guess it's time that some
people might be in grudge in some departments, because when they are busy
doing their day to day jobs they might not think that it's the most worthwhile
thing they could be doing. But I think you have to imagine what would happen
in the event of an incident and how quickly not having a plan in place would cost
an awful lot more than the time actually taken. I don't think there's, you may be
aware of one, but I'm not aware of a particular formula for what that sort of
ratio ought to look like, for how much time planning you could justifying relative
to the risk of something happening and that type of thing. But in the scheme of
things doing the plans, because we do them by each department it doesn't take
an awful lot of any one person's time, and you have a relatively small number of
people in the centre who are probably the BCM experts so I wouldn't imagine
that even with the tests particularly now when it's so automated, that it's really,
that it's a big overhead on the business, certainly not in respects to the
processes that I see and was responsible for. It might be that some of the
physical security and the site, the branch aspect of that might be rather bigger
issues or, you know, fall back sites, or computer databases and that type of
thing, clearly there's got to be a big cost associated with having those in place.
But I don't think, certainly in my experience, I've never felt that there was so
much time being taken on them or time being planned that it wasn't quite easy
to see how that would be more than justified if an incident might actually take
place.

Reference 2 - 1.29% Coverage

yes, I suppose that's quite a good way of putting it [insurance], yes I think it is. Parts of the processes
that you go through within your BCM planning are actually useful for wider set
of purposes. As I was saying in terms of working out what departments are
responsible for what and what the key processes are and who is reliant upon
them. But yes, it basically is a sort of insurance I suppose, and like any other
insurance it's one you hope not to use, but you invest in it in case you do need it.

<Internals\\Participant 2> - 3 references coded [11.00% Coverage]

Reference 1 - 8.28% Coverage

return on investment is dependent upon two things, the creativity of the preparedness planners and the
receptiveness of the organisation to do the recommendations, to undertake the
recommendations, and the ideas of the BC planner, so some examples. The BC
plan or the preparedness planner going through a business impact analysis
might uncover ways that the department can be more efficient, now we have
opportunities for six sigma, we have opportunities for business process
reengineering, we have opportunities to get more effective and efficient, we
have opportunities to bring in other stake holders all these things. Ok, now, who
takes advantage of them, if the BC planner doesn't come up with these ideas or
the organisation isn't willing to adopt these ideas, we don't have an return on
investment, right. So across the board, we can look at IT, right. So we may
uncover opportunities to decrease the amount of backup that we are doing for
our systems, we may have the opportunity to use a development platform for
back up, so we have saved some money there, so there's all these possibilities
and ideas, but it depends on the continuity planner to come up with them and
the organisation to adopt them. And so what's interesting about the ROI
discussion, what's surprising about the ROI discussion is that it depends, there
isn't again, now we're back to the yes and no, there isn't a yes or no answer to
the ROI question, the answer is that it depends on the person and on the
organisation. But there are many many many opportunities for ROI, there are
the opportunities inside of IT, inside of business process reengineering, and
quality improvement. There are advantages in team building, and so, if you look
through all the different areas, there are many many opportunities, but the only
one that we think is definite is that if you have done BC planning and if you had
a disaster you are more likely to recover, but now we come back to our first
conversation that we don't have the statistics of what the return on investment
might be.

Reference 2 - 2.31% Coverage

I think the driver is that the executive leadership doesn't understand the value, so in trying to
understand the value of expenditure of the money and time and the resources,
that is something that they understand, they understand return of investment.
That is a, what's the right word, that's a metric, a measure they understand, so
if we could put BC in those terms they would get it and they would say okay,
now I understand the value. So I think it's more the struggle for the
preparedness planners to show, to demonstrate to prove the value of what they
are doing.

Reference 3 - 0.41% Coverage

yes I do, I think it does not get to the true nature of what you can get out of a proper BC program.

<Internals\\Participant 3> - 4 references coded [11.32% Coverage]

Reference 1 - 7.60% Coverage

I think there are two aspects of the return of investment. One is as you said, really the concrete cost
saving in case of an unforeseen event. Because staff who cannot work or
interrupted in their normal duties is time that is not properly used and then it is
a loss of money for the organisation. a loss of income, because we are paid for
results but we are mostly paid for the time which is spent. So that is one issue.
Then of course there maybe also some costs in term of just the resources, the
mature resources we have on the organisation. But that is something we cannot
really foresee, and it has to be planned. But if it's properly planned with an
insurance for instance, in case of crisis where you have different scenarios or
different level of impact, you do have an opportunity to properly negotiate an
insurance contract coverage. So that would be a good return on investment. The
other aspect of it for me is to be able to create some sort of, let me say, a
commitment from staff to be fully aware, because I think BCM is not just a
matter of senior officials, it's the matter of everyone, from the top to down,
how do you react, what do you do, how do you work from home. All those little
things that can actually help assure a smooth continuation of the operation, it's
a participatory mechanism I would say, and it also creates more commitment
from staff to be able to understand that unforeseen events are not completely,
is not a big challenge, it is something that you can overcome, and it is
everyone's, each and everyone's responsibility to deliver service to the
organisation to that extent. So it really forces the commitment of staff towards
the organisation, especially in crisis plans. But it's only possible if you see that
there are some guidelines, there's a framework.

Reference 2 - 1.51% Coverage

for that I think you would need to review maybe in the last five years, all the kind of unforeseen events
that has happened in the last five years, and really try to measure in the terms
of staff time, or whatever can be measured for each event. And try to get some
statistic out of it, but I've not done that to be honest. It's a huge work to do
actually.

Reference 3 - 1.82% Coverage

It could be measured through service, you send a staff [person] to regarding basic steps to be taken in
case of an unforeseen event. And you can already measure how prepared the
staff is. Simple questions as are you aware of BCM, do you know where to find
it, do you know what to do in case of, do you know who to contact in the case of
emergency, do you know how to open your home based work interface, all
these sort of things.

Reference 4 - 0.39% Coverage

Training is the key issue to raise awareness to have people prepared, it's very important.

<Internals\\Participant 4> - 3 references coded [6.40% Coverage]

Reference 1 - 2.19% Coverage

[ROI is] always very very difficult, you know, I look at it as an insurance situation as well. And so you
know, you can look. It's a very difficult thing to prove what the return on, the
direct return on investment are going to be. Because all the benefits are
indirect. As problem tickets, if your helpdesk goes down, because you know
have more resiliency. These are not things that are easily put right down to
direct dollar and cents. So what you need to do, is do exactly the opposite of
what I do, and through the processes you are probably aware of called the
business impact assessment, a BIA. You can very concretely estimate what the
cost of an outage will be, and once you know what the cost of an outage is. Both
tangible and intangible when you talk about reputation, then you use that if you
will, to say, here's the expense avoidance rather than the return of investment.

Reference 2 - 0.78% Coverage

that is one way people have done it in the past [audit of past events]. However, unless it had caused
significant damage, a lot of times executives would say, well we got through it,
we learned lessons and won't lose as much money the next time so why spend a
bunch of money if we got through the problem last time?

Reference 3 - 3.43% Coverage

Because as a corporation, they weren't willing to part with any money for BC, so this was done on a shoe
string budget, and yet we were able to circumvent the major catastrophe. And
so many people would think well jack! After you did that, obviously they start
throwing money your way so you can make the program even better. And the
answer is no they didn't. They said, obviously we're spending enough, we got
through a major crisis without any business interruption, so we're spending
plenty, you know. So they, if there's not a direct return on investment, if there's
not a dollar for dollar, especially if you're in a financial industry. Then you're
going to have a tough battle, and you have to look at it from my opinion, from a
negative perspective and say, this is how much we are going to try and avoid
losing if something bad happens. The good news to that, good news being in
quotes, because of just in time processing and the internet, and the increase in
the number of catastrophes that have been going on around the world, and
offshoring to third world countries who have got extremely poor infrastructure.
The opportunity for you to make your case as a BC person, in a real disaster is
getting better and better, where 10 years ago, you know, not many people had
issues, so it was all about, you know, keeping your computers backed up and
that was thought of as good enough.

<Internals\\Participant 5> - 4 references coded [3.49% Coverage]

Reference 1 - 0.56% Coverage

again it depends, if one of our customers they have to get rid of a fining by the banking authorities, they
for budget, they invest the budgets in for example us consultants, and we go
there and fix it. So there's an return in investment yes.

Reference 2 - 1.11% Coverage

There was only one customer that was not regulated and implemented BC in accordance with their
business strategy, so it was a customer call centre, something like that, in
eastern Europe. And their business strategy on one part was simply to say
okay, we want to improve the availability of the person or our services etc.
etc. and I think that was why they implemented BC. I think in that case they can
say, yes we have a return of investment, that we can also quantify somehow.

Reference 3 - 1.56% Coverage

I think it will start to regulate more and more sectors. People become more aware, and us as BC
professionals also have to adapt to this new environment because I don't think
it's enough to simply say well regulators say we have to do it so let's do it. I
think we also have to ask just this question, so I think this is a very good
question. What exactly is the return on investment? From my experience, very
very personal experience it's so far it's only a theoretical discussion, so I did not,
so far I did not see any quantified results like okay we because we have BCM
we invested X and because of that we made X more money I didn't see it yet,
but I would like to.

Reference 4 - 0.27% Coverage

with BCM you can reduce your, or you can reduce the money you spend on business interruption
insurances for example.

<Internals\\Participant 6> - 2 references coded [7.51% Coverage]

Reference 1 - 2.23% Coverage

because there is no method to evaluate BCM, there is no way to evaluate the resilience of the
organisation. So I think it is a very difficult question. If Investors find any value
for BC, it would be very good to show the return on investment for BC. In
Japanese industry there are. Most Japanese investors don't have any interest
for BC, or risk management. So even if the company work hard for BC, it would
not be evaluated by the investors. So my opinion is that Japanese investor has
to study about BCM or risk management, but in the current situation the BC is
not evaluated positively by investors, so discussing the return of investment of
BC is very difficult in Japanese industry.

Reference 2 - 5.28% Coverage

some Japanese insurance company provide business interruption insurance, but currently it is not good
product for most Japanese companies, because Japanese business interruption
insurance doesn't cover the business interruption caused by earthquake.
Because insurance companies cannot cover such a big capacity. So BCM is not
linked to insurance. That means the reason because BCM do not affect your
insurance, so it makes us more difficult to explain the value of BCM. But on the
other hand, I would say there are various kinds of qualitative advantages for
BCM, it would be good for maintaining the relationship with customers, or
suppliers sometimes or, it would be part of It is based on my experience that
working for BC is sometimes means in culture to find the weak point of the
company. So BCM is very good to know the current situations and which area in
the company, or companies vulnerability or weak point, or which is strong
point. So sometimes our client find that value of BCM or especially value of
business impact analysis is to understand their situation. It's not only for BC but
also very good for managing their company. Other aspect from the supply chain,
you know, there is for some industries the big and long supply chain, like the
automotive industry or semi-conductor industry. So BC plan would be
communication too, between the supply and manufacture. Because it would be
good to see where is the bottleneck in the supply chain, it is not enough in
Japanese industry, but I believe that working for BC would be good to clarify the
weak points in the supply chain, and improve the supply chain resilience.

<Internals\\Participant 7> - 5 references coded [5.56% Coverage]

Reference 1 - 2.11% Coverage

You can measure it quantitatively, it's savings in insurance for example, and it's in the financial
institutions here in Germany you save, I haven't got the right word for that, in
Germany it's a law, if you're in financial institution and you have a certain risk,
you have to put some money back for this certain risk. Let's say you have a risk
identified at 10 million then you have to put these 10 million and you are not
allowed to work with that money, so it's kind of a reserve. And if you have good
BCM you can reduce it, so you can work with the money, you have less money
in an account, and you can work with the money. And this is also a direct
measurable result of BCM so the money you have to put in a safe, for the
identified risk is less. And if you can work with money, you can make money. So
there's a real return.

Reference 2 - 0.99% Coverage

One is the financial return on investment, this is for example saving on insurance, having less money to
put in an account for positional risk corporation movements. What you also
have is reputational benefits, you can, I would recommend once you have
implemented BCM system, use it as a customer, or use it as a company. Start to
make it known by your clients that you have a BCM in place,

Reference 3 - 0.56% Coverage

So you can use it for marketing purposes and in case of an real disaster you will save money definitely,
because you can go on with the most critical processes, and before that may
also can use it to win certain clients.

Reference 4 - 0.68% Coverage

How often would a controller in a company being asked this question. Which you ask right now, a
controller, working in the company, what do you think, how often a controlling
department has to answer the question, what is the return of investment of
your department?

Reference 5 - 1.22% Coverage

They have never been asked, but why is BC asked? Because this should be a completely normal process.
This is nothing you have to discuss with or argue with, you save this and this. It
should be a normal thing, if you have a business and you are more than two
people, you should think about BCM as a normal business process just like
controlling. And as long as controlling has not to judge, to argue about their
return of investment, BC also has not to argue about these things.

<Internals\\Participant 8> - 2 references coded [3.21% Coverage]

Reference 1 - 2.42% Coverage

Finding hard figures is quite difficult, there are few bench marks on the market, but as of now I have not
found bench marks that I think are very reliable. [] the thing with soft facts is
that the way of each is very subjective, so it is something that is important to
you, but might not be important to me. And the same goes when I talk to
management, because they say well this thing is very important they might
have totally different feeling about this soft fact. So the question of ROI is not an
easy one to answer.

Reference 2 - 0.79% Coverage

you get a comprehensive view of your company [], also when you are done with a few life cycles, [],
usually your company gets a, the governance of your company improves.

iii) Practice

Activities

Name: Activities

Description: How different participants view the activities of BCM within organisations

<Internals\\Participant 1> - 2 references coded [4.71% Coverage]

Reference 1 - 0.29% Coverage

We would roll any sort of business process and sort of the risks associated with it into this broader
category.

Reference 2 - 4.42% Coverage

The thing I ran at [a different site], there would be site level BC plans in place as well as departmental
plans. And the department might be split over several different sites, so my
department might be split between the [a different site], or between the sites in
[a different place]. But the same processes would be gone through by the
people in both sites. In fact the fact that we were in multiple sites helped the BC
purposes, because it meant if something were to happen on one site, the very
first thing that we would do were to switch reliance to the other sites. But then
clearly there were plans in place at a site level as well, to govern things like
physical threats, bomb threats, things like that. Major security incidents or
issues where we had to get the police involved or things like that. Processes
would be written up. And managed on facility level as well. So we sort of
contract a lot of that facilities management and it was my role to be [the bank's]
figure head to make sure that the facilities management people on site were
doing the role that they were supposed to be doing and that was as wide
ranging as whether the restaurant was open when it was supposed to be, or
whether security was maintained in an appropriate way. Being informed if there
were incidents of any description and being in communication with the rest of
the staff if things did happen and people needed to know about them. Again I
have to say that we were fortunate in that we didn't experience a major crisis of
some sort. And so while clearly I think there are lots benefits to be had from
having all these plans in place, I haven't actually been in a situation where I've
had to rely on the plans being there.

<Internals\\Participant 2> - 3 references coded [6.99% Coverage]

Reference 1 - 3.73% Coverage

where does a BC program belong inside an organisation. Well the answer to that is, well where it can be
most effective? Okay, well what makes for an effective BC program? Well again,
leadership support, and money, and okay. Well I've done a BC program without
leadership support, you can do it, you just have to build it from the ground up.
I've done it with a very small budget, I've done it so. I'm not sure the standard
beliefs are true, so should it be at IT, should it be at risk management. Not sure
it matters, what matters it is being effective. So the question what is an
effective BC program, I think we could start to tease some of these things out
quite quickly. Its a program thats going to be able to work with the subject
matter experts, now typically the best way to have that happen is leadership to
say, you will work with subject matter experts, okay we will, so now we can do
it. But its not necessary

Reference 2 - 1.79% Coverage

But the answer is well where it's most effective within the organisation, and my instinct is there is no one
answer to that question. In organisation A, the power and the influence might
be in the office of the CEO, in organisation B it might be in risk management,
organisation C it might be from the bottom up, right. So I don't think there's
going to be a very clear answer to that, at least until we start to ask the right
questions again.

Reference 3 - 1.48% Coverage

So essentially you want to come up with scenarios that the three most likely, that the effects of a
disaster are going to be people, resources and location, so I can mix and match
at time of disaster, to say, okay how do I deal with not the right people, how do
I deal with not the right resources, and how do I deal with not the right
locations. Cool, got to run.

<Internals\\Participant 3> - 2 references coded [2.51% Coverage]

Reference 1 - 2.12% Coverage

There were no templates for [my previous organisation], I think that was missing actually, there was no
template, there was just what are the critical element you should find in a BC
plan, you know, the typical ones. You know, what to do in case of emergency
who to contact in Headquarter etc. etc. Because you need to report whatever
was happening to headquarter. So I think that templates were missing, it would
be so useful to have fill-in templates so it doesn't give any headache to
anybody.

Reference 2 - 0.39% Coverage

Training is the key issue to raise awareness to have people prepared, it's very important.

<Internals\\Participant 4> - 4 references coded [3.25% Coverage]

Reference 1 - 0.56% Coverage

What they [US government] are supporting and what they are into, and it's a good thing and they are
doing a pretty nice job with public private partnerships. So you know, and
making sure we are all pulling in the same direction.

Reference 2 - 0.48% Coverage

BC is really everything else. It's bringing all the back office operation back arranged, keeping the money
flowing, keeping revenues and customer service continuing, that's what BC is all
about.

Reference 3 - 0.45% Coverage

Usually, yes [DR process within BC]. And again, here's the, because otherwise you have the fox watching
the chicken coop as we say. If you have IT doing it, then they are conflicted,

Reference 4 - 1.76% Coverage

But if you have the BC team overseeing the Disaster recovery and makes sure that the clients are
involved in it, and that they are testing their plans, and that their plans are easy
enough for even ancillary or non IT people to understand at least what they are
trying to do, because in a true crisis that may be the case. You may have non IT
people having to read them. Now you got something, you know. Then when
they cut their training back or their budget back, I've been a BC person or a
disaster recovery person reporting in to IT, and guess what, my voice isn't
heard. If I see a problem, the voice isn't heard, they don't listen to me and say
thank you, have a good day. It won't get to the right people.

<Internals\\Participant 5> - 5 references coded [3.60% Coverage]

Reference 1 - 0.53% Coverage

when I think of BC and the scenarios, I always think about loss of building, loss of people, loss of IT or
infrastructure, or loss of external service provider, so these are always the
scenarios I focus on when I think about BC.

Reference 2 - 1.10% Coverage

I differentiate. There are like the walk through test, functional test, full-scale exercise test, simulation
test all different test types. If you do that, you get out of your business, you
literally get out of your office if you are in charge of this. Because in the real day
okay let's now exercise this and that. That's a very important point in the BCM
lifecycle from my point of view. Because you really do interact with people and
you create a lot, a lot of awareness.

Reference 3 - 0.31% Coverage

when I think about BCM I also think in 4 scenarios, loss of building, loss of people, loss of IT and loss of
external service provider

Reference 4 - 0.59% Coverage

it does not influence the real business decisions, it's not something that like shapes the future business,
but something that should secure the decision somebody makes in the past.
Like a business said where you want to go etc. etc. and now we secure it.

Reference 5 - 1.08% Coverage

I think most people understand, when you say we want to secure business processes or we want to
enable you to survive crises, on a very very very basic level they understand. But
just when it comes to how do you design the business impact analysis, what
question do you ask, what kind of data do you assess, what do you do with the
data, what kind of metrics or whatever do you create. That's the point where
most people go, ok, let's get a consultant or something.

<Internals\\Participant 6> - 1 reference coded [1.09% Coverage]

Reference 1 - 1.09% Coverage

I would say BC is not only for disasters, for example, most Japanese companies consider BCM against
earthquake, but there are various kind of causes of business interruption. Not
only the big disaster, like as telecommunication disruption, or supply is bankrupt
or compliance issue. There are various kind of social business interruption.

<Internals\\Participant 7> - 4 references coded [7.66% Coverage]

Reference 1 - 2.67% Coverage

The good thing about BCM is wherever you go and whichever company you go, it's completely new, it's
the same methodology you are using, you are using, I would say, tools you have
developed and you are fitting these tools to the company. But in the end, the
challenging thing about BC is that you have to work with people. In every case
you have to work with people. And BCM is not only, BCM is something which
changes in organisations, so it's not a project, it's a process you have to
implement, and with every new process in the company you have to handle the
people which are not very happy to do the work right now. I never faced a
situation where people are happy to have a new BC process implemented,
because it's something addition to their normal work. So you have to convince
them, and this is challenging. And the right portion of BCM for each company, if
you come and charge it through them and they did not understand it. What BC
manager's job is, is to make it as easy as possible the BCM for the department
then you have probably failed.

Reference 2 - 1.68% Coverage

So first of all you have to get a feeling of how this organisation works, this is the first thing you have to
understand, and then you should have a look in their day to day operations,
how they document things and so on, so understand the way they are doing
their jobs normally. So if they are keen to have whatever, a graphical look and
feel and everything is done in PowerPoint presentation, you cannot come and
present them 50 pages of BIA documentation, so we have to fit these things to
the organisation, it's the only way to do it. So if you come with an idea, here I
am with my template and tools, and please implement it like this. It does not
work.

Reference 3 - 1.82% Coverage

They are not normally implementing BCM on long, on a project phase which takes 5 years so they can do
it in a good manner, but all of them, the company have too much, they have
questions and things they have to do. They are waiting for the auditors to come,
doing 20 years nothing, then suddenly within 2 years they have to implement
everything that you have not done in 20 years in the past. This is a difficulty
here in Germany. And therefore some say this is so expensive, yeah, it is
expensive if you haven't done your work in former times, if you haven't invested
in data centre, if you haven't invested in good documentation of your business
process, then you have suddenly to do a lot of things at the same time.

Reference 4 - 1.49% Coverage

And most of the companies exist, this is a matter of fact, most companies exist, and you have to find
some way to implement BCM in an existing organisation. This is what I say, what
it makes so difficult in implementing BCM because it's an organisational
changing process. As other organisational changing project, there are a lot of
burden to implement these things. Because people are talking like this, oh my
goodness, what's coming up, they have, whatever, reduced the staff in this
department from 10 to 5 people, and now you are coming with BCM must be
crazy and so on and so on.

Bad Practice

Name: Bad Practice

Description: What is viewed as bad practice among the participants

<Internals\\Participant 2> - 6 references coded [11.63% Coverage]

Reference 1 - 0.96% Coverage

So typically the only time where they go badly, is when senior leadership comes in and tries to take
control of the tactical response, and changes all the rules, and changes the roles
and responsibilities, changes what's going to happen.

Reference 2 - 1.48% Coverage

So again, typically when things don't go well, is because senior leadership feel they need to come and be
involved in the tactical decisions without the background of how those decisions
were made in the first place. So, and we talked a little last time, so one of the
ways we try to deal with that is to have a very clear role for senior leadership in
our BC plans.

Reference 3 - 0.56% Coverage

what doesn't work well is the leadership that doesn't want to be involved during planning, but wants to
be involved at time for response.

Reference 4 - 4.46% Coverage

I think we have lots of best practises, or as they call it in, they are starting to call it in the Project
Management Institute, a shift to proven practises, to some extent there will be
no such thing as a best practise because the landscape is always shifting, we are
always learning more, at least we should be, and there should be things called
proven practises not necessarily best practises, okay, that's a side point. But
what we have is a lot of guess work right now. We have guesswork and habit,
we are used to counting things that are easy to count, like numbers of plans,
numbers of documents, when the last time we updated the plan, how many
exercises have I had, how many people were at the exercises. None of these
things are true indicators of preparedness, they're just things that we can easily
count. So I think our standards of our methodology right now are based on
some of the best guesses we can come up with, some of the best habits that
have lasted the longest over time, but we don't have the research to prove that
these are in fact proven practises, things we ought to be doing.

Reference 5 - 2.51% Coverage

a good example of this is risk assessment, we typically ask people, well, let's identify the threats, let's
rate them for which we think are going to be, which will happen more or less
frequently and let's rate them on which we think will be larger or smaller impact
and come up with a number at the end, is that scientific, is that based on
research? And what we do with that in the end, okay, so now I know that an
earthquake will be more devastating and roughly more likely than a mudslide,
do I come up with an earthquake plan now, and then the mudslide plan, and the
Ebola plan, and the strike plan and the flood plan?

Reference 6 - 1.65% Coverage

So why do we do a risk assessment, well it's you know, strictly something we have always done so let's
do it again. And we can count it, and we can come up with nice numbers and it
looks very scientific, ok. So is that best practise, is that a proven practise? What
percentage of organisations that do a risk assessment are more likely to recover
from disasters? Who knows, we don't have any of this research.

<Internals\\Participant 3> - 3 references coded [3.84% Coverage]

Reference 1 - 1.35% Coverage

And because there were not many experts, a lot of people were taking on these roles, which is maybe,
security would do a little bit, and it would be shared with management of
buildings and maybe the medical officer would provide some input etc. etc. So
the distribution of roles and responsibilities was really blurred,

Reference 2 - 0.60% Coverage

the BCP should be out there on the intranet somewhere. But very often it is not there, or it is not easily
searchable. So that's the problem.

Reference 3 - 1.89% Coverage

No [information is not easily accessible]. I don't think it is, no. It's not properly communicated, if it's
there and available, there are few organisations that recognise that it's not
properly communicated to all staff, to all concerned. And also I feel that we
should also be developing more partnership with, you know, either regional
offices or the private sector. And this is something that happens, but we are not
necessarily aware of it.

<Internals\\Participant 6> - 3 references coded [5.68% Coverage]

Reference 1 - 1.74% Coverage

one of my customer told me, she said, their plan was not enough, because their plan doesn't have any
logistic, doesn't have any plan for logistics. Because their factory was affected
by the earthquake, so there was so much work, to fix machines or rebuild the
buildings and so on. And there are a lot of engineers and construction
companies, there are so many workers. But at the time there was not enough
place for them to sleep or rest, or not enough food or transportation, so it was
hard work for them to prepare such kind of logistic.

Reference 2 - 2.05% Coverage

from my perspective, Japanese industry is very different from western countries, because there is big
misunderstanding about BCM. In Japanese industry there are many companies
that have their BC plan, but in most cases they are not focusing on essential
activity or creative activity because, earthquake is very popular in Japan so most
Japanese companies worry about earthquake. So many companies think about
disaster mitigation plan instead of BC plan, so in many cases they have BC plan,
but the content is not BCP but disaster mitigation plan. So in such a case, their
BCP is not focusing on essential activity or creative activity.

Reference 3 - 1.89% Coverage

In bigger organisations sometime company very positive to against big disaster or BC. But on the other
hand, in the companies, they don't worry about kind of crisis that, for small
company it might bankrupt after big disaster. Because they can't continue their
business and money might be short. For big company, famous company, listed
company, they will not get bankrupt in single disaster. Even if they cannot
continue their business, they have enough money or they can get money from
the various banks. So they are very financially strong, so they are not worried
about bankrupt.

<Internals\\Participant 7> - 1 reference coded [1.82% Coverage]

Reference 1 - 1.82% Coverage

They are not normally implementing BCM on long, on a project phase which takes 5 years so they can do
it in a good manner, but all of them, the company have too much, they have
questions and things they have to do. They are waiting for the auditors to come,
doing 20 years nothing, then suddenly within 2 years they have to implement
everything that you have not done in 20 years in the past. This is a difficulty
here in Germany. And therefore some say this is so expensive, yeah, it is
expensive if you haven't done your work in former times, if you haven't invested
in data centre, if you haven't invested in good documentation of your business
process, then you have suddenly to do a lot of things at the same time.

<Internals\\Participant 8> - 2 references coded [4.11% Coverage]

Reference 1 - 3.21% Coverage

in the companies I have worked in so far IT has developed from being a service provider, that simply
offer the business its services, to being a very strong and independent part of
the company, that sometimes forces the business to do as it wants to. Because
again I think it is a big disadvantage, because as you said, if BCM would be the
governing structure for those other management systems it would be a very
straight approach and there wouldn't be so many discrepancies between the
management systems, but if you've got, as I have experienced, such a strong IT
that rather goes along on its own, than to let some business head tell them
what to do you've got a bit of a problem in hand.

Reference 2 - 0.90% Coverage

the restraints from the people within the business to be too open about what they do, because they are
afraid of telling other companies their weaknesses, and quite funny, what they're
strong at.

Best Practice

Name: Best practice

Description: What is considered best practice

<Internals\\Participant 2> - 4 references coded [12.82% Coverage]

Reference 1 - 5.56% Coverage

typically if a group has gone through the planning, has done some of the exercising, has really prepared
for incident. By large they're going to go well, you're going to have little, you
know, no plan survives first contact with the enemy, so it's always changing, but
people know in general what their roles and responsibilities are in regard to
coming back from the incident, responding to the incident. So typically the only
time where they go badly, is when senior leadership comes in and tries to take
control of the tactical response, and changes all the rules, and changes the roles
and responsibilities, changes what's going to happen. So in short you got a
group that typically works together, that comes up with the plan, that executes
the plan, it is by and large the tactical response team, and they use senior
leadership for policy and broad strategic decisions, like are we going to open
tomorrow or not, are we going to have classes tomorrow or not, should we send
people home or not, these very large policy decision. But the tactical responses
should be within the group that has undergone the planning, the group that will
execute the plan. So again, typically when things don't go well, is because senior
leadership feel they need to come and be involved in the tactical decisions
without the background of how those decisions were made in the first place.

Reference 2 - 4.43% Coverage

one of the ways we try to deal with that is to have a very clear role for senior leadership in our BC plans.
Either they are involved in the planning and preparedness effort, which is great,
they understand how it all is going to work, they understand what their roles
are, what decisions they will need to know, that's fantastic. Or they don't want
to be involved, and then we write a role in for them and say, look, you don't
want to be here at the incident command centre, or the continuity response
centre. Where you need to be is out, and you're the face of the organisation,
you're the face of the department, you need to be out and making policy
decisions and showing that everything is okay, and providing that face,
providing the interaction with the community. That's your role, we will check in
with you on hourly basis or for hourly basis you check back in with us, we ask
you policy decisions, you can ask us for status updates. That works well, what
doesn't work well is the leadership that doesn't want to be involved during
planning, but wants to be involved at time for response.

Reference 3 - 1.62% Coverage

Yeah I think we have lots of best practises, or as they call it in, they are starting to call it in the Project
Management Institute, a shift to proven practises, to some extent there will be
no such thing as a best practise because the landscape is always shifting, we are
always learning more, at least we should be, and there should be things called
proven practises not necessarily best practises,

Reference 4 - 1.22% Coverage

a proper BCP doesn't look at the threats and the causes, a proper BCP looks at what the effects would
be, which is essentially I don't have the right people, I don't have the right stuff,
I don't have the right location anymore, and plan for people, stuff and location,
people resources and location.

<Internals\\Participant 3> - 2 references coded [4.72% Coverage]

Reference 1 - 2.09% Coverage

The BCM group mostly as, a typical [X] group, knowledge sharing group where all practitioners, or those
who had some responsibilities would meet on a maybe monthly or semester
basis. To share the experience with your recent crisis, or challenges in terms of
how to implement a BC plan, you know, getting support from leadership
managements, you know senior managements. So basically a forum for
discussion and make sure that we can share best practises. And with also some
very concrete examples

Reference 2 - 2.63% Coverage

there's one point that was raised many times on the forums, on the interactive forums, because
normally the BCP should be out there on the intranet somewhere. But very
often it is not there, or it is not easily searchable. So that's the problem. But it
should be there on the intranet readily available, and also regularly
communicated to staff, not just posted somewhere and then leave it. It should
be, whenever for instance it is monitored or reviewed by the people responsible
for it, should also resend it in staff emails to everyone and then be sure that
they look at the BCM or the revised version or bla. Bla. bla.

<Internals\\Participant 5> - 4 references coded [3.11% Coverage]

Reference 1 - 0.47% Coverage

my experience is that when you implement BC or improve BC, one of the things that are very central are
that you really work on reducing this silos of thinking within the company and
different departments.

Reference 2 - 1.11% Coverage

There was only one customer that was not regulated and implemented BC in accordance with their
business strategy, so it was a customer call centre, something like that, in
eastern Europe. And their business strategy on one part was simply to say
okay, we want to improve the availability of the person or our services etc.
etc. and I think that was why they implemented BC. I think in that case they can
say, yes we have a return of investment, that we can also quantify somehow.

Reference 3 - 1.19% Coverage

so there's also this awareness cycle, what exactly does it mean? On the one side you can just put some
posters on the wall and say BC and it's so cool and we have to do it: But I think
testing and exercising is very, very good opportunity. Because you have to do it
anyway, and why not doing it in a way that involve most or all of the
organisation. And for example create a special intranet site or in the company
magazine, whatever, and talk about this exercise, so the people really do see
what you are doing.

Reference 4 - 0.34% Coverage

BCM is not something for one project, something you only do once. It only makes sense that once you
implement it's there to stay, it doesn't go away.

<Internals\\Participant 6> - 2 references coded [2.67% Coverage]

Reference 1 - 2.10% Coverage

but ministry of economy and industry provided much budget to support BC in the industries. And they
chose 30 cases for, as a best case, and provided money. And then, the
companies reported how they worked for BC and shared the knowledge and
experience of BC, It was a very good challenge for Japanese government. Some
of the cases are to get certification of ISO standards, ISO 22301 standard. And
the Japanese government provided money for them and required to report and
share their experience, and then they provide the report, and the report was
shared on a website, it would be a good example to know how to work for BC
for any other companies.

Reference 2 - 0.57% Coverage

Of course it depends on the industry, or depends on the organisation. The BC should cover the short
term or the long term. But what I want to say is, not only the first impact.

<Internals\\Participant 7> - 3 references coded [3.35% Coverage]

Reference 1 - 0.88% Coverage

To gain resilience as a company should be a normal thing to implement these BC processes in every
other business processes. So thinking always in terms of how can we make it
more reliable for us, for our customers, for my staff that the company also exists
tomorrow. And not making too fast decisions, maybe not overseeing what
results it may have.

Reference 2 - 1.25% Coverage

it should not disturb the organisation in its daily operation. So this is the most critical thing, you have to
find a way how to implement BCM, to get the right information from the people
without disturbing them too much. And this makes it difficult, it's much easier
to throw, whatever, 50 questions to a department than think about the right 10,
the 10 question you need to ask then you get the result that you can build the
BC strategy on, it's much easier to ask much more questions.

Reference 3 - 1.22% Coverage

And it's important for example that you then in the beginning be very open and tell them, okay I don't
lie to you, you will never ever get off this BC as long as you are here in the
company, it is not a project. It will stay with you forever, as long as you are with
the company you will have to use this BCM. This must be very clear, because
most of them do the mistake of, ohh we have a project and then people think
okay, we answer the questions then we are done. Never done.

Centralised or Decentralised

Name: Centralised or De-

Description: About the BC in different organisations. Is the effort decentralised or centralised?

<Internals\\Participant 1> - 6 references coded [6.79% Coverage]

Reference 1 - 0.71% Coverage

We have a very small central team who will, I guess come up with policy around something in the first
place and then will coordinate the submission of and processes that come in
from all the other departments and are there as a point of reference to people
who got questions

Reference 2 - 0.34% Coverage

it is a specialist function which itself is quite small. And having laid down sort of some policy to start with
and some frameworks,

Reference 3 - 0.82% Coverage

the ownership is then on individual heads of departments to sort of fill in templates to decide, in
particularly with BC, just how business critical the things that they manage are
and how quickly in the events of a BC event of some sort, we would need to get
our arrangement in place so our work could be continued.

Reference 4 - 2.39% Coverage

We used quite a lot of planning and control things at that sort of time, which meant that the impact on
the individual teams was that they had to find a champion of some sort to learn
about that thing, so we had record management champions and BCM
champion, I think I was the BCM champion actually for a while. It didn't really
involve an awful lot of work, except just understanding what the processes were
and then completing these forms, templates and every once a year or so
checking what you've written the previous year was still valid. Whether there
were new processes that had come or happened, whether everybody else in the
team was aware of what BC was, and what their responsibilities were in the
event of an incident. And making sure that it was one of the things we told new
joiners, when new people joined the department. As part of the initial brief they
were told what their responsibilities would be from BC.

Reference 5 - 0.98% Coverage

But in the scheme of things doing the plans, because we do them by each department it doesn't take an
awful lot of any one person's time, and you have a relatively small number of
people in the centre who are probably the BCM experts so I wouldn't imagine
that even with the tests particularly now when it's so automated, that it's really,
that it's a big overhead on the business,

Reference 6 - 1.55% Coverage

on a regular basis we split the training that we have to do around things like, how to respond in the
event of a fire, or data privacy, or records management, lots of lots of things
staff needs to be trained for as it's part of being in the working environment. We
split those up so they do a number every quarter so that it's not all, that it
doesn't all come together. It's all computer based training and as part of that
there will be questions about do you know what to do in the event of this or
do you know what to do in the event of that and making sure that people
have contact numbers.

<Internals\\Participant 3> - 2 references coded [3.49% Coverage]

Reference 1 - 0.27% Coverage

It is centralised, because we are only, mostly based in Geneva.

Reference 2 - 3.23% Coverage

But other organisations, I used to work for [another organisation], [the organisation deals with
migration], it is field organisation, so we mostly have small headquarter and lots
of offices all over the world, it was very much decentralised, because you need
to be able in a delegation, in an office or in the field to be able to tackle issues,
but the guidelines were coming from the Headquarter. So there were guidelines
how to prepare a BC plan, what to do etc. and regional director, the head of the
delegation were supposed to actually implement a BC plan on the basis of the
guidelines provided by headquarters. But the problem is, because many of them
are not knowledgeable in this area, it was very much done in a matter of way,
but at least it was done.

<Internals\\Participant 4> - 1 reference coded [2.12% Coverage]

Reference 1 - 2.12% Coverage

It's decentralised [BC program], just if I can elaborate on that answer. Like any IT solution you can either
go centralised or decentralised, but usually the best is a mix of both. So right
now, here we got a company of 5000 people, and me, my department is me and
one other person. Which is absurd. Now that is totally decentralised, so now
each line of business has to have their own BC group, if you will, or people, with
a plural, Working on BC. And we just guide them on how we think they are to
be. A little too decentralised for my liking, so we're trying to bring that in and
make it a little, so you have a centralised piece but it also needs to be
decentralised as well. But the client, the business must accept ownership,
because if it's totally centralised, then the client just says, it's someone else's
problem, I'm not going to worry about that.

<Internals\\Participant 6> - 1 reference coded [1.57% Coverage]

Reference 1 - 1.57% Coverage

BCM should not be centralised, because, for example BC plan should be optimised for any work places,
like as factories, offices or shops. Sometimes it could be very difficult for a
headquarter to control the BC plan over each factory or offices, or business, or
work site. So as my opinion, BC plan should be developed by the local staff,
factory or subsidiary company or satellite office and so on. But headquarter
should provide a policy or guideline or some template to make it easy.

<Internals\\Participant 7> - 2 references coded [3.25% Coverage]

Reference 1 - 1.93% Coverage

I would say, what you should have, you should have your company itself or someone else, you should
have an expert on board, that means someone who is really knowing the
methodology and has experience and so on. Who at the end leads the life cycle,
the process. So keep the process alive. But most of the work, the development
of the plans, testing of the plans and so on must be decentralised. You cannot
manage plans and things like this in a central function, how should it work, you
don't know the details of the business processes, you don't know the
requirement, the resource requirement, so how should it work. It may work in a
small company when you have 10 people, you may oversee everything, but in a
bigger company you must decentralise these things.

Reference 2 - 1.31% Coverage

Yeah, depending on the size of the company, you should have a central, yeah, you're right, you should
have a central position someone who is an expert or to making the framework
of every single policy, develop of the templates you know, that not everyone
have created its own plan and suddenly it doesn't fit together. So it makes sense
to have one who is developing the framework and maintaining the process, but
department at least who are giving the details of their critical processes and
requirements and so on.

Processes

Name: Processes

<Internals\\Participant 1> - 3 references coded [4.05% Coverage]

Reference 1 - 1.77% Coverage

And that's not just a BC theme, but it's also the market research we have done in recent years have
been focused on customer processes which people are most reliant on, so not
just getting access to your money, but what happens in the event of a customer
reporting fraud on their debit card, or opening a new current account, or
applying for a mortgage or a loan. And so we've done quite a lot of work,
mapping out what the top 50 or 100 processes are that actually affect
customers' experience in that way. I think it's now true to say that we spend a
lot more time monitoring customer satisfaction and net promoter scores around
those individual processes than we ever did in the past.

Reference 2 - 1.20% Coverage

What we weren't doing was tracking lots and lots of different individual processes whereas now we are
identifying what those key processes are, we are identifying which customers
have experienced those processes, rather than just in normal transaction in a
bank you know, who has actually had one, or gone through one of those key
processes and then we do a lot of NPS, promoter score measurements around
those key processes and so its obviously moving on from BC.

Reference 3 - 1.08% Coverage

because we haven't really had incidents, it's difficult to answer that question, I can't really think of the
specific, but what I do think is true is that as the whole bank focused more on
processes and understanding of roles and responsibilities in regard to them. I
think the plans we have had in place has got more detail to them and we sort of
thought harder about what actually had to be there in the first place,

<Internals\\Participant 2> - 3 references coded [?% Coverage]

Reference 1 - ?% Coverage

The BC plan or the preparedness planner going through a business impact analysis might uncover ways
that the department can be more efficient, now we have opportunities for six
sigma, we have opportunities for business process reengineering, we have
opportunities to get more effective and efficient, we have opportunities to bring
in other stake holders all these things.

<Internals\\Participant 4> - 3 references coded [1.96% Coverage]

Reference 1 - 0.28% Coverage

I looked at that situation when I first got the position, and saw that we had a lot of single points of
failure.

Reference 2 - 1.07% Coverage

The advantage of BCM is if done correctly, big problems, big crises turn out to be not as impactful, but
also medium problems don't turn into a crisis, in fact they get resolved. And
become less of a problem for an organisation. So it's not just planning for the
big catastrophic event, it's improving your overall business processes to a point
that minor disruptions become non-events, rather than snowballing into a
bigger problem.

Reference 3 - 0.62% Coverage

that is what BC does, it takes a look at all your business processes and says, are they flawed in
production? Because if they are flawed in production you're not going to be
able to have a good recovery of those processes, so that was a case of that.

<Internals\\Participant 5> - 1 reference coded [0.41% Coverage]

Reference 1 - 0.41% Coverage

The business is what you should focus on. Whatever the business is. Basically it is who makes money and
how do we make money in the company and what processes does support it.

<Internals\\Participant 7> - 1 reference coded [0.64% Coverage]

Reference 1 - 0.64% Coverage

it's a kind of a completely normal business process. Why in business administration they learn about
controlling, that means about looking on figures of the past and making a future
judgement of, in which direction it makes sense to develop the company.

The Plan

Name: The plan

Description: What would the templates ask

<Internals\\Participant 1> - 11 references coded [11.10% Coverage]

Reference 1 - 0.98% Coverage

The forms that we would typically fill in would ask us: what the key processes were planned on, and
who's responsible for them. And what the minimum of that period of time could
be, or indeed the maximum period of time for which the business could survive
without carrying out those functions, and what the minimum resources would
need to be in order to continue to carry them on.

Reference 2 - 0.17% Coverage

how long the business can cope without us having access to that.

Reference 3 - 0.38% Coverage

So I would sort of prioritise in that way. And how long I thought that we could manage without them
within the guidelines provided by the BC team.

Reference 4 - 0.58% Coverage

The sort of issues that we've had to contend with usually have been where technical issues have meant
we couldn't access some of that data for a period of time, rather than actually a
sort of a physical incident or something.

Reference 5 - 1.36% Coverage

Being a bank and obviously being in the public eye we have to plan for things like bomb threats for
example, or you know, security incidents, sites and that sort of thing. And so we
have contingency plans for those, have fall back locations where people could
go to. We have analysts who have access, and making sure that sufficient
people have laptops that they take home with them in the evening, and they
can log on remotely from home in order to keep access to systems if for some
reason the physical site was inaccessible.

Reference 6 - 1.22% Coverage

we would fill in a template on a piece of paper, or more recently more probably on an excel spread
sheet and submitted electronically so that all would be kept in the same place.
We would have, something that I've not talked to you about actually, but
cascades in place, an understanding of how people around the team would find
out if there were something. Initially that was managed on department level but
more recently it's now migrated to a central control of that.

Reference 7 - 1.13% Coverage

In recent years all that has been centralised so that the bank maintains a central database of people's
home and mobile phone numbers. And then once a year or so we run tests so
that either people, a recorded message would be left for you on an answer
phone at home or a text would come out to you and you sort of acknowledge
that you received the text so they know that the process is working so they can
sort of test that communication.

Reference 8 - 2.13% Coverage

So in terms of the things that people would have to remember, I guess that was quite a lot of it, the
other was knowing whether you had a specific responsibility in the event of an
incident, and obviously what that was. Was it that it was your role to make sure
you had a laptop at home so that you could have access to what was necessary.
Was it that you had a responsibility to speaking to somebody else about things
and keeping them up to date, or whatever your responsibility was. There wasn't
probably a lot more people work associated with it that everybody else had to
carry. But people did always have a little card with them, which was sort of an
incident hotline card, which was just to remind them of basic processes if
something did happen. Just some basic dos and don'ts, sort of steps that they
should follow.

Reference 9 - 1.72% Coverage

Everybody at one of the branches would have one of these, I don't know if you can see this, but it has
some key numbers on it there, but it also has a little plan of the site where we
work, the campus site here. And some basic, telling you what would happen in
the event of incidents of various sorts, from fires to physical threats, security
alerts and things like that. Remind us about where assembly points are, what
not to do in the event of security alerts, not to re-enter buildings, employee
incident lines, film security numbers, anti-terrorist hotline numbers. So
everybody had a place on the back where staff could record other key numbers
that they needed.

Reference 10 - 0.91% Coverage

Just sort of covering a range of things, and in that way providing everyone a little pocket science thing,
again I don't know how common those are or whether those types of things
people would do, but that's not a department thing that's a site level thing. And
we would have different approaches to those sorts, but that was one we used
quite a while.

Reference 11 - 0.51% Coverage

now that we have been doing it for, for certain 15 years, although you think of new things to add to the
list, a lot of it is repeated checking of what you've done previous years is still
robust.

<Internals\\Participant 4> - 5 references coded [9.41% Coverage]

Reference 1 - 5.07% Coverage

you go to the standard disaster recovery institute or any of these others, there are templates out there
on the internet and these templates are meant to be all things to all people. And
I've walked into companies, and this one is also one of them, and the template,
just the template of the BC plan was 60 or more pages, well this is insane, this is
insane. I got my job because, there's two schools of thought, there are those
who say, you know, let's put everything you can possibly think of into the plan,
and then there are others that say, let's put as little as possible into the plan,
only what you need at that first moment of impact, for the first 40-24 hours.
And I'm more towards the latter, because what happened here is, we had,
everybody had on their desk, plans that were 3 inches thick in a binder. I don't
know about you, but if the alarms are going off in a building, if there's a
catastrophe happening, something major going on. The last thing I have thinking
about is, Let me see what the biggest book in office is and open it up and see
what's happening. I actually saw one of the plans, and on page 89, what to do in
case of an earthquake. And the first thing it said was remain calm. And I assured
the author that by the time I got to page 89 it would be too late, I wouldn't be
calm anymore. So consequently, you know, the plan shouldn't be everything
possible under the sun in this big 3 ring binder. It would be too cumbersome
and too much time money and energy spent maintaining that type of
documents. Instead I think it should be 10 pages of BC plan. And before the title
page, on the front page, before, even, like I said, even before the title page.
Here is the top 5 6 7 things you need to do if something goes bad. You need an
automated call tree system, 'cause manual call trees won't work under, in a real
crisis, they just don't. And you need very simple easy to understand plans that
are written by the business, that are tested by the business and then they are
signed off by the executive management in the business.

Reference 2 - 1.12% Coverage

get it on your smart phone so it's there at the ready. And then the other thing that they have done is
with the automated call trees, is actually set up websites that you can go to, so
if the phone lines are down, even during the London bombings, the phone lines,
all the cell phones were jammed, but texts were going through, so if you have
an automated call tree system, it can automatically text people too. And you
can write back via text usually.

Reference 3 - 2.17% Coverage

the trick is to write a plan that is actually going to be usable. And there's too much time spent on what-ifs,
and even though that's what our business is about in some cases, but they
get too specific when you talk about pandemic planning. They get real specific
with the type of pandemic. Well the odds of us getting that exact type of
pandemic or you know, crisis. You need to understand how you are going to
react to it, because you don't know the particulars, you just don't know any of
the particulars of any kind of crisis. You won't know the duration, and you won't
know how many people died, because it depends on the time of day that the
event occurs. There's just too many variables, you have to focus more on
communication and how you're going to get the most current information into
the best people's hands as possible to make the best business decisions of the
time.

Reference 4 - 0.80% Coverage

it's got to be almost a grassroots effort. It's not something you can offshore, outsource to somebody to
build you a BC program, it's something your business people have to do, they
have to know which direction to run when the alarms go off, they have to know
what to do, they can't rely on somebody else doing it for them.

Reference 5 - 0.24% Coverage

it's not a cookie cutter, it's not. The recipe is add to taste, it's not exactly just one order.

<Internals\\Participant 5> - 1 reference coded [1.58% Coverage]

Reference 1 - 1.58% Coverage

what we do is that we develop for example templates for a BC plan, for a certain scenario. So together
with the customer we sit down and say, okay, how does the organisation look
like, what does the structure look like, what are the roles called, like, I don't
know. For example, in clear view we have this we have the BC director, BC
coordinator, and the people who really are doing things, who are executing. So
there's like a three step hierarchy. And that's a theory, and it's mostly applicable
to customers, but the names are different. So what we do not do, is we do not
fill out the plans, we create like the, yeah, the templates that has different
requirements for the main events.

<Internals\\Participant 8> - 1 reference coded [4.14% Coverage]

Reference 1 - 4.14% Coverage

well the standards, and the process descriptions, and the guidelines are created within the holding, and
then sent out to the subsidiaries. Which they can adapt to their local needs,
because in some countries they have other or harder regulatory requirements,
which forces them to do requirements we are not asking of them. Another
thing the holding function does is checking the implementation, so sending out
self-assessments and travelling to the subsidiaries and asking people, well how
often do you test, do you know what BCM is, just asking random people and
so on. So the standard development processes of development is very
centralised, but the actual implementation is actually decentralised in the
subsidiaries we have. And in each subsidiary at least one person is responsible for
the implementation, and also one person in the board of management that's
also responsible for BCM.

iv) Understanding

Certification Agencies

Name: Certification Agencies

<Internals\\Participant 2> - 4 references coded [8.86% Coverage]

Reference 1 - 0.70% Coverage

a fascinating question might be, well okay, we have now undergone ISO 22301, how much more
prepared are we to recover from disaster? We can't answer any of these
questions.

Reference 2 - 2.72% Coverage

the questions we need to be asking, and we need to get out of the yes no questions. Are we prepared to
recover from a disaster or not? That's not the right way to ask that, it's not a yes
or no, we're very much in the compliance mind-set, and we talk about the ISO
22301, and we say, well, I'm worried about my supply chain vendor, I'm worried
about them being able to provide me with the supplies I need if something were
to go wrong on their side of the world, so I know how we will fix this. We will go
and have them ISO 22301 certified, well that's not a guarantee it just means
that they have certain aspects of a BC plan in place, again it's not measuring
preparedness,

Reference 3 - 5.37% Coverage

[Standards] It is becoming increasingly common, I don't, and I think we don't have anything else to look
at. I think people are desperate for a way to measure preparedness, I think they
are desperate for a way to show some progress and to show some
effectiveness, and the closest thing we have to that is the standard ISO 22301, I
think it's a very good next step over BS 25999 over NFP 1600 or some of the
other standards, it's a better standard than we have had. But there are still
some very important gaps, the two biggest problems with this standard are that
they, it's very much yes or no. Do you have executive leadership support or not,
is that really a yes or no question. Do we have enough money, is that a yes or no
question, shouldn't these be in circa percentages. But it measures what has
been easy to measure, executive leadership, have we done a BIA, yes or no,
have we done a risk assessment, yes or no, have we done. Well we can do
better and worse BIA and risk assessments, and then we can use them in better
or worse ways. So it counts these things and mostly it counts, so the first
problem is that it's yes or no, and the second problem is that it really measures
the pieces you need to set up a program, but not effectiveness of that program.
But yes, it's definitely becoming more common and widely adopted.

Reference 4 - 0.06% Coverage

[Compliance] Yes

<Internals\\Participant 4> - 3 references coded [5.06% Coverage]

Reference 1 - 1.31% Coverage

I think companies should stay away from the big accounting firms, the big [X] and all these people who
are going to come in and write the plans for them and show them. Because
that's what they will do, and it's got to be almost a grassroots effort. It's not
something you can offshore, outsource to somebody to build you a BC program,
it's something your business people have to do, they have to know which
direction to run when the alarms go off, they have to know what to do, they
can't rely on somebody else doing it for them.

Reference 2 - 2.30% Coverage

that's what the certification is, it's a rubber stamp to say you've gone through the basics. I've given
those classes, you know, myself. And again, if you utilise common sense, those
classes just, they give you some good idea, they put everybody at least on, like
college, they put everyone at least on with a basic understanding of what the
issues are or what the processes are. The problem is though, is that too many
people, whether they are coming out of college or wherever they are studying,
or whether they are coming out of this institute with this certification, thinking
that that is a cookie cutaway, that must be how it is. And then they go into a
real business and they have culture shock, because that's not how the real
world goes. But loosely, yeah, that's how the real world yeah, there's some
good stuff there. But it's not a cookie cutter, it's not. The recipe is add to
taste, it's not exactly just one order.

Reference 3 - 1.44% Coverage

I think they [certification agencies] help develop standardisations of terms, which is something that was
always desperately needed 10 years ago, you know, just the difference
between, I think BC and disaster recovery you know, people were using those
two terms interchangeably. And I think that the institutions helped at least to
put some guidelines around that. And so I think that they had a role, and they
also had a nice role I think at least in the US with helping the government come
up with guidelines, federal guidelines for things. So I think that they do have
their place.

<Internals\\Participant 5> - 6 references coded [2.77% Coverage]

Reference 1 - 0.90% Coverage

So sometimes when I talk to my colleagues we also differentiate between the real BC where you are
really able to survive a disaster for example and the documented BC where you
have a lot of documents and management systems just to be compliant. So
maybe that's a distinction one can make.

Reference 2 - 0.27% Coverage

So certification yes, it's a topic for customers. But so far, generally speaking more or less marketing wise,
you know?

Reference 3 - 0.25% Coverage

So certification, in my point of view, not something that the company is focused on right now in
Germany.

Reference 4 - 0.78% Coverage

Well they want to make money, so they will certify you. And, I mean, there's two way of seeing it. The
positive way is that you get the topic inside the organisation and people start
thinking about it etc. But if you stop with the topic after you are certified, like
okay, now I have the certificate on the wall, that doesn't make sense.

Reference 5 - 1.05% Coverage

I think that the organisation that build knowledge are the BC Institute, the BCI or the disaster recovery
institute in the USA, these kind of organisations do build knowledge, if I
understand the question correct. Plus I think that certification they, the boys,
they use the knowledge like okay, here's the audit or the check list, and you
have to do this and this and this but they don't develop it, at least not the
fundamental knowledge about it.

Reference 6 - 0.42% Coverage

so if you take for example the good practice guidelines and you read one or two books of BCM, that's
more or less what most specialist courses or certifying courses will teach you.

<Internals\\Participant 6> - 4 references coded [4.60% Coverage]

Reference 1 - 2.30% Coverage

My opinion is getting certification is not necessary, but it would be good as an evidence that top
management is aggressive or very positive for BCM. On the other hand, getting
certification is very hard work for companies sometimes, so usually I
recommend to our client, ISO standard, getting certification is not necessary,
but ISO standard would be a very good guideline for your company, or ISO
standard provides a very good framework for BC, so my recommendation is to
arrange the BCM based on ISO standard, but if the company finds some very
strict requirement, and if the company feel that the requirement is not
necessary for your company, just ignore it. So I recommend it as a guideline or
framework.

Reference 2 - 0.67% Coverage

The biggest reason is that the ISO standard, the ISO 22301 is not so popular in Japanese industry, so
even if the company got certified, their customer doesn't know about ISO
22301, so it doesn't make sense.

Reference 3 - 1.08% Coverage

I think it is based on history of ISO management system standards (inaudible). Many Japanese
companies, so many Japanese companies have experience of such kind of
management system standard, it was very hard work for them, and it was
reason of increasing operating cost. So most Japanese companies don't like such
kind of ISO standard.

Reference 4 - 0.56% Coverage

BSI has two parts, the half of BSI is developing standard, and the other half is providing audit service.
And the developing part is very good for building knowledge of BC.

<Internals\\Participant 7> - 6 references coded [13.63% Coverage]

Reference 1 - 0.15% Coverage

There's an upcoming ISO standard 22316 I guess, which is BR

Reference 2 - 0.55% Coverage

so far for me, I do not see any benefit. Because so far there is nothing new. The only new thing is putting
existing things like BCM, Operational Risk Management, and other management
disciplines, in one new standard.

Reference 3 - 2.42% Coverage

I would say exactly that is a fact, because it comes now, due to the ISO standard, it's not the fault of ISO
standard, it is more the fault of the people here in Germany. They are not really
implementing it, they implement because it is good to have an ISO standard, it's
kind of compliance thing, even if the lawyers forces them to implement BCM
they do not do it by being self-convinced about benefits of BC is only fulfilling a
task, to tick a box that BCM is done. And they do it with a lot of other things as
well, for example, business process optimisation and things like this. All these
projects in Germany fails over the last years, all these compliance things are
compliance things. Of the business resilience, if it's coming with a new ISO
standard, it will have the same results, then they will have a resilience standard
implemented but if you really look after the forefront there is nothing, they
haven't implemented anything in reality.

Reference 4 - 0.70% Coverage

I would say the internationally standards definitely do a good thing, even if it's only compliance, people
have to think about BC right now, it's just like a snowball. You know, you start in
one area, the financial area of Germany, and this has an effect on the other
areas.

Reference 5 - 1.17% Coverage

It's okay, it's conference for specialist, but there should be another one, maybe BCI should maybe
organise things like this, there should be another event only focusing on the
management level and, how to say, you have to find the right speakers for the
management, this is not that easy in this area. Because a lot of people coming
from the IT which is not, not a bad thing, but it is also maybe the wrong mind-
set which is not convincing managers about BCM.

Reference 6 - 8.64% Coverage

Even though we have a new standard, they are even not talking to each other, so implementing a
standard doesn't mean you change the whole company once you have
implemented these things. So I think the idea behind business resilience is to
integrate all these different disciplines, that's a pretty good idea on end. But as
long as the standardisation institute, just like ISO, is not able to harmonise their
own standards, I mean, how useful is this? They have standards which in some
areas contradict each other, so though one say this, the other say this, and if
you bring them together, you see that they don't fit. And this is a ISO and this is
a ISO standard and it doesn't fit together, this is more a problem, instead of
producing new standards, they should think about, okay we have existing
standards, how can we harmonise them that it makes sense what is written in
these standards. For example, if you read the 27031, which is the IT service
continuity standard, ISO IT service continuity standard, the definition of an
recovery time objective, in this standard, is completely different from the 22301
RTO, so the business RTO is a different thing from the IT RTO, for IT the RTO
starts when they have identified, okay, we have a big problem. For business it
starts when it doesn't work, so when you have the interruption. That means you
can have 2 or 3 hours difference, because the IT first do their investigation,
checking, okay, yes we have a problem, then they start their RTO which is a
different thing from a business point of view, if you know what I mean. And you
have written these goals in standards, so IT say okay, I'll follow these standard
RTO, and business say they follow the standard, and if they are not clever
enough and look in each other's standards then both talking about RTO and
meaning completely different things, if he says 8 hours, it doesn't mean 8 hours
for IT, it maybe 3 hours plus 8 hours, so maybe it's 11 or 12 hours. Because it is
not right defined right now and the same with the MTA, MTPOD or however you
will call it, this is a wrong concept. From a business administration point of view
it is a wrong concept, you cannot ask department of a MTPOD, and they come
with the idea okay, let's ask the top management about the practicality of
business process, which is also wrong. Because top management, imagine you
have a company let's say like Microsoft, and you go to the top management
level which is described in the good practise guide, and ask them, okay on the
process level of our main processes we have here, let's say 150 critical
processes to be identified, which is the MTPOD for each, what do you think you
will get for an answer? You are the expert, you tell me. That is the answer. They
don't care, then never think about the value changes on the top management
level, and even if they would think, the answer would be wrong. If you do that
on a process level, and you have three processes and you have three different
MTPOD, which are isolated completely correct, this is the MTPOD for this
process, pretty good. This is the MTPOD for, and due to a wonder you have
identified the right time slot. Together it's wrong, because it happened at the
same time, all three processes happened at the same time, so the, let's say the
financial impact losing three process is different than losing one process. So the
assumption that this works is wrong,

<Internals\\Participant 8> - 3 references coded [7.80% Coverage]

Reference 1 - 2.61% Coverage

Because even though we in those conferences and in the literature you receive from them does not
contain as much information as you would want, it is still valuable information.
And without them I think there would be many people that get called by the
management to implement something like BCM, emergency management or
what you would call it, and they all would all have to start something new, but
with the network the BCI offers you can quickly be connected with people that
have been through the same things or have solved the task you have to solve
yourself.

Reference 2 - 1.53% Coverage

Because I now feel the need to say yes, because I have been told many times that yes this helps
because they could probably advertise the fact that they are ISO20301 certified
or BS certified, but as of now there are 4 companies in Germany that are ISO
certified and I have not yet seen an advertisement that advertises this fact.

Reference 3 - 3.66% Coverage

Because if you are looking for someone who can implement in your company as an employer, you
should look for somebody that is ISO certified or has a BCI membership or
something similar, and also when you are looking for business partners,
especially for a service provider for critical services, you should look for this
certificate. And if you create need to have this certification you also increase the
want on the other side of the businesses and people that do not have the
certification. And force them to gain more knowledge and also bring their old
knowledge into the field, because people again would then come to those
networking events and maybe have a very different background, and maybe a
new view on already established thoughts, and force the people to think along
new lines.

Drives

Name: Drives

Description: What are the drivers of the field

<Internals\\Participant 2> - 1 reference coded [0.07% Coverage]

Reference 1 - 0.07% Coverage

[Compliance] Yes

<Internals\\Participant 5> - 8 references coded [4.45% Coverage]

Reference 1 - 0.91% Coverage

in Germany, the banking and finance sector, are the sector that are mostly interested in BC right now,
because they are regulated and they have to do it by law, so most of the
customers are from the banking or insurance sector. So it's easy to tell story
about how we implemented BCM systems just in order to comply to some
regulations, I mean, that's more or less most of the work that we do.

Reference 2 - 0.90% Coverage

at least here in Germany, and in the regulated sector; banking and finance, is just to be compliant. So
sometimes when I talk to my colleagues we also differentiate between the real
BC where you are really able to survive a disaster for example and the
documented BC where you have a lot of documents and management systems
just to be compliant. So maybe that's a distinction one can make.

Reference 3 - 0.11% Coverage

most Germans don't live in crisis prone regions

Reference 4 - 0.70% Coverage

at least from a disaster point of view, there are fewer reasons that speak for implementing BCM, and
that's why the regulators right now are the main drivers. The reason why they
are doing it is because they want to improve the resilience or whatever you
want to call it, of the whole country for example.

Reference 5 - 0.75% Coverage

in Germany there is a law on IT security, it's not published or not official yet but will be in the course of
this year, and that will be the very first time that all companies that are within
the critical infrastructure will have to implement BCM. Because this law names
three topics for securing critical infrastructure.

Reference 6 - 0.20% Coverage

My experience is that, I can only repeat that the main factor is just to be compliant,

Reference 7 - 0.61% Coverage

the initial motivation is compliance, that's why we have to do it. But if you do it in a good way, let's say,
you also have for example to conduct number of tests and exercises. And that is
also something that the regulators want to see, so that's a good side of it.

Reference 8 - 0.27% Coverage

So certification yes, it's a topic for customers. But so far, generally speaking more or less marketing wise,
you know?

<Internals\\Participant 6> - 4 references coded [5.05% Coverage]

Reference 1 - 0.77% Coverage

there are no regulations for BC, but in financial industry there are audit criteria for banks for any other
companies in financial industry. And audit criteria include BC requirement. It's
not regulation but very strict code for audit.

Reference 2 - 1.98% Coverage

Many foreign invest companies has a Tokyo office or subsidiary company in Japan and they have BC
plan, is basically comply with global BC plan or they arrange BCP with template
provided from headquarter. So I think basically their plan in Japan is comply
with the headquarters plan. But sometimes the plan should be customised for
Japanese industry or Japanese environment. And sometimes I think headquarter
is worrying about the BCP in Tokyo office is valid or is it good enough for Japan.
So sometimes our company asked from foreign invest company how to prepare
the BC plan or how to do a good exercise for BC.

Reference 3 - 0.20% Coverage

recently Japanese government is very positive to support BCM.

Reference 4 - 2.10% Coverage

but ministry of economy and industry provided much budget to support BC in the industries. And they
chose 30 cases for, as a best case, and provided money. And then, the
companies reported how they worked for BC and shared the knowledge and
experience of BC, It was a very good challenge for Japanese government. Some
of the cases are to get certification of ISO standards, ISO 22301 standard. And
the Japanese government provided money for them and required to report and
share their experience, and then they provide the report, and the report was
shared on a website, it would be a good example to know how to work for BC
for any other companies.

<Internals\\Participant 7> - 2 references coded [2.20% Coverage]

Reference 1 - 0.41% Coverage

In Germany in financially institution, it is very easy, because they are forced by law to implement BCM,
so there is not a decision to be made by the management.

Reference 2 - 1.80% Coverage

So this is how it works in financial institutions, usually the laws we have here in the financial sector, you
have also suppliers which are forced by the financial institution they supply to
implement BCM. And the same in the insurance industry, so in the insurance
industry you have the same law, that is how it is in Germany. And now we are
planning to have a new law at the beginning of 2015, for all critical
infrastructure companies, which is called kritis in Germany, Kritis which is
new, that means every electricity company, every big supplier of food and so on
is forced to implement BCM by law, this is also the first time within a non-
financial area where we get a law for BCM, to implement BCM.

<Internals\\Participant 8> - 3 references coded [10.68% Coverage]

Reference 1 - 3.83% Coverage

the banking sector also have those regulatory requirements, we got something that is call the minimum
requirements for risk management and those apply to all financial service
institutions. And it forces the financial services companies to implement, well
they call it emergency management, but what they describe is BCM. Another
driving factor is, when the mother company is based in England and they have
those regulatory requirements that forces them to implement BCM, but also
their subsidiaries. And in a few months or years, I don't know, a new law will be
activated, that forces all of the companies that are part of the infrastructure, so
health and airlines and so on, to have something like BCM. But it is still just a
draft for this law, but it is very probable that it will be implemented as it is
written right now.

Reference 2 - 2.49% Coverage

again I feel that this is more of a culture thing; of course, it makes it more easy if you're coming with a
shield against incidents to companies that have already experience incidents.
But also companies that, because of their history or the field they are working in
are more risk aware, this makes it also makes it easier for them to accept the
idea. Because, and quite a few companies when you start implementing BCM
find that they are, more often than not, already have people doing something
like BCM, but they are not calling it BCM.

Reference 3 - 3.46% Coverage

companies that work within the field that forces them to be aware of risk and how to treat them, simply
by the field they are working in are open to it. And again another factor are of
course regulatory requirements, because in Germany there is this federal
banking authority, which I think about 3 or 4 years [], started conducting quite
a lot of audits on this requirement on risk management that I talked about at
the beginning. And the amount of audits at the companies that have been
audited have received a finding, made the other companies afraid of getting
fined too, because those audits or the results of those audits can lead to fines, and
the loss of the banking licence, ultimately. And so, fears are a big motivator for
some companies.

Future

Name: Future

Description: How can practices be made better in the future

<Internals\\Participant 2> - 5 references coded [17.33% Coverage]

Reference 1 - 0.86% Coverage

one of the significant root causes for that situation is that we don't have the proper matrix, and the
proper research to show to executives to prove the worth and the improvement
of continuity preparedness efforts

Reference 2 - 5.03% Coverage

If I undertake formal BC how much more prepared will my organisation be to recover from disaster, or
what percentage of organisations that undergo or undertake BC planning are
better off to survive disaster. So I took it vs. I did not undertook it what
percentage of those organisations are better at recovering from disaster faster
than other organisations. Those kinds of basic metrics don't exist, that research
doesn't exist. So the executives look towards our profession and says, ok, tell
me why, why are we undergoing BC planning? The best that we can tell them is,
well, you are probably more likely to recover from disaster if you do this. And
so, if they are not concerned about disaster, they are not going to be convinced
that this will be a worthwhile expenditure of their time and resources. And even
if they are concerned about recovering from disaster, we can't give them a
return on investment, we can't give them statistics, we can't give them
measurements, we can't give them reasons. And when we begin, we don't have
anything to show our progress, so a fascinating question might be, well okay, we
have now undergone ISO 22301, how much more prepared are we to recover
from disaster? We can't answer any of these questions.

Reference 3 - 1.58% Coverage

so we need to ask the question, how prepared is my organisation to recover from a physical or staffing
loss to be able to measure that cross time, and I think we can, but we haven't.
And so, to summarise, I think executive leadership asks a very good question of
why should I be spending my time and money and resources on continuity
planning, and we don't have a very good answer for them.

Reference 4 - 5.87% Coverage

I think the practitioners of preparedness planning are very busy, and I think they don't have the time
and often the inclination to step back from what they are doing day to day to
day, and say, is this the right thing, is this the most beneficial thing I could be
doing for the company, is this the most beneficial thing I could be doing to
improve the preparedness across the organisation. So the academic world have
some of those tools, both in the physical sense, methodological sense as well as
the mental sense, right, they have that proclivity to do that kind of research. So
they have the tool to do that, they have the time to do that, and they have
some inclination to do that, and they have the rigor to hopefully to be able to
that very well, and then inform the practising community about those results.
Again I think people that are doing continuity planning by and large are not
getting paid to do research, they are not getting paid to think about what they
are doing and try to come up with better ways to do experiments and do
research and find these types of things out. So it's difficult for them to find the
time, and to band with, again I think there's part of the proclivity too. To try to
think of new ways, and better ways, and right ways, and effective ways to do
continuity planning, and I definitely think that academia could do that,
absolutely there's a role for them to play, and a role I would argue we
desperately need.

Reference 5 - 3.99% Coverage

We have people who have done risk management research, and that's sort of an established field, and
you can get a PHD in risk management, and that leads you to insurance and
being a fellow. And there's sort of a path there (inaudible). I would argue that
there are a similar but smaller path in the life safety, you could probably
appreciate you PHD in a life safety program, and talking about, what's the best
way to do crowd control, what's the best way to do evacuation. We just don't
have that track yet of research inside of BC. And we need people to, if they can't
go all the way and do the end stake research, at least lay the foundation, lay the
pathway for other people to follow to say, these are the kind of questions we
need to be asking, this is the kind of research that we need, here's an
hypothesis, go prove this or disprove this hypothesis, we need to know these
types of things. So that entire discipline, that approach, that research approach
is desperately needed.

<Internals\\Participant 3> - 3 references coded [12.72% Coverage]

Reference 1 - 4.32% Coverage

Definitely I think studies would always be helpful, because practitioners have one point of view, but you
do need maybe some more data. Like the question you asked me about what is
the return of investment, that you need some academic studies to do that. So I
definitely think that it's always a good idea to go to the field and carry out more
in depth analysis of what is really happening. Because practitioners most of the
time are trying to prevent situations, they are very often in reaction mode, in
prevention mode. Because they do not have time to develop models, processes
and you know, very often unless they have this mandate. Very often, because
they are already doing their duties. So it maybe an opportunity for an academic
to go in the field and, it's probably a huge mandate you probably need to get,
but you know. Yes, it would definitely bring something to the profession, It is a
very new area as well you know, BCM, it is time for, If there are people
interested in the subject, to write more about it.

Reference 2 - 4.34% Coverage

in the last few years, practitioners tended to develop scenarios of incidents, and today I think it seems
that practitioners are more inclined to develop the level of impact. So I wonder
if there's a shift that could be interesting, and how to actually be able frame
that. What do we mean by level of impact etc. how do we define to what level
etc. rather than scenarios. Is it maybe an area we should go and how do we
assess a level of impact etc. Then I would say, what would be really beneficial,
because BCM, for me it's some sorts of a, what do you call it, it's an area which
has implemented different areas, you know, it has some element of HR, it has
some element of building management, it has some element of administration,
it has an element of leadership. Would it be helpful to actually show how BCM
also improves the operations of other departments or other elements. And that
could be from an academic point of view as well, something to explore, so that's
what I see. And definitely more models would be great.

Reference 3 - 4.06% Coverage

But I would be interested if you could take one region, take Asia for instance, where they have a lot of
environmental issues, unforeseen events, crisis, political crisis. They have a lot
of everything. Environmental like hurricane etc. political issues and huge
population, I mean it's very populated. So it's very difficult if there's a crisis to
deal with. Maybe you could compare how different organisations in the face of
one event have been able to deal with this situation and what was the impact.
You could do that for instance. On the other hand you could also take, let's say,
one unforeseen event and look at different regions and how they dealt with it as
well, why not. And you can also take one region or one type of organisation,
either in private or public sector, because they also have different ways of
dealing with issues over the last five years and how they've actually managed it,
were they successful every time to deal with the crisis.

<Internals\\Participant 4> - 3 references coded [7.23% Coverage]

Reference 1 - 5.13% Coverage

My opinion is that it should be incorporated into how to build a good business model. Because stuff
does happen, interruptions will occur, it's part of the business. So you should
always look at the resiliency of any operations, any change that a business goes
through, they should look at and just incorporating it up front to the cost that
we mentioned it before. The way to keep cost down and to keep your business
resilient is to think about the resiliency while you are designing your solution,
your initial solution. Not after it's built, to go in to a company that's already
established and put an additional program of BC on top of it is the most
expensive way of doing it. The trick would be, is to take your, how to build your
business, how to build your business model and right in those steps, talk about,
okay, if you got a small business on main street in downtown London. Where
are you going to keep back up supplies, what are you going to do, and, what are
you going to do if the street goes down or you can't get to your building for
whatever reason. Do you have an internet presence or something else that will
be able to keep you from generating revenue? But also the one thing that a lot
of people, especially small businesses need to consider, what would you do if
your competitor wipes out? And that's not taught, now think about it, your
major competitor goes down, and all of a sudden people are coming to your
website or to your store front, and your business is increased by 40% over night
because your competitor is down. With people anxious to give their money to
someone, this is your golden opportunity to either make a lot of money, or lose
a lot of money. Because now, you might upset your current customer list as you
attempt to take down more and you can't service anybody. Because you didn't
plan or prepare for that. So a very sudden spurt of growth is also something to
plan or prepare for. So to answer your question, I think it should be part of
business management; it should be part of the standard best practice of how to
run a business.

Reference 2 - 0.42% Coverage

It's the same kind of thing, now we have these new clouds and data continues to become more
centralised, well how do you back up that cloud, how is that cloud backed up?

Reference 3 - 1.68% Coverage

Because the more resilient you think it is, you turn a blind eye to where the single point of failure may
be. You know, it's the same thing, if anything can happen, it will. And I think
that's what some of these studies, you know, can bring to light is, let's take a
look at, as we get more technology, as technology expands and changes, how
does that feed into the whole resilience program, you know, what does that do
to overall resiliency. So yeah, I think that's a way that they can, because right
now, what they are trying to do is everything is mirrored everything is mirrored
so you don't have to worry about it. Yes you do, that just means you have to dig
a little deeper.

<Internals\\Participant 5> - 9 references coded [7.92% Coverage]

Reference 1 - 1.55% Coverage

I think it will start to regulate more and more sectors. People become more aware, and us as BC
professionals also have to adapt to this new environment because I don't think
it's enough to simply say well regulators say we have to do it so let's do it. I
think we also have to ask just this question, so I think this is a very good
question. What exactly is the return on investment? From my experience, very
very personal experience it's so far it's only a theoretical discussion, so I did not,
so far I did not see any quantified results like okay we because we have BCM
we invested X and because of that we made X more money I didn't see it yet,
but I would like to.

Reference 2 - 0.39% Coverage

Especially because the professionals calls it Business continuity management, I think we really need
some kind of matrix or something to measure. But it's not that easy.

Reference 3 - 0.65% Coverage

there's this huge opportunity because if you do BC you get to know your business from a very
interesting point of view. That's also why I think that the whole profession
should develop from being the guys who secure the business as it is right now to
a more strategic perspective.

Reference 4 - 0.64% Coverage

So all the BC plans, all the testing all the exercises, all based on this very vague assumptions more or
less. So that's something where BC has to be improved on a very basic level. And
I think that's the main challenge, and not to come up with something new like
resilience.

Reference 5 - 0.41% Coverage

I would like to get BCM out of the reactive point of view. Like we will only do something that matters if
something happens to, we can also do something before something happens.

Reference 6 - 0.96% Coverage

what I would want to have, is that all MBA programs or business masters will teach the future managers
about BCM. Simply to create an awareness and to have it like a very normal
business process. So very easily speaking, I want BCM to be a just normal
business process like some HR process or IT process. Nothing that you have to
argue about and nothing that you have to fight for or something. That's what I
want.

Reference 7 - 1.66% Coverage

For the profession is the main challenge to do the arguments for the managements and say hey, we
have quantified data that says we should do this or this or this. Yeah? I mean,
that maybe the reason because I am not a top manager myself, but I think they
live, maybe you know more about that than me, but I think they live in the more
or less the quantified world more or less. And the only metrics we have right
now is, for example this year we had 5 BC plans, next year we are going to have
10, so what does that say about the business? So there's like this disconnection
in terms of how people think, and that's also why I said that I want future
managers to be educated in BC just to create a different awareness.

Reference 8 - 0.74% Coverage

And now I really like to keep the practical knowledge, and we are able to say okay that is what is really
happening, and that is what's really driving the whole profession. And on the
other hand the academia, the academic side, because I think there's just a lot to
do, a lot of topics to learn about more, to research.

Reference 9 - 0.92% Coverage

it should at least stay in the head of the professionals, because it's very fundamental to understand the
organisation, how it works, how the people inside work. And not only the
processes because, the tools we have now in BC are the business impact
analysis and the risk assessment, that are the tools that the whole planning is
based on, that's it. Maybe that's also areas that could be improved.

<Internals\\Participant 6> - 2 references coded [2.79% Coverage]

Reference 1 - 1.71% Coverage

It is very common for us to learn from history or learn from our experience, or learn from various cases.
But academic people are very good to find very essential things from various
cases, and they are good to explain, what is important, what is essential
program, or what is a very big issue to improve. So if the industry, including me,
provide so many cases to academic part, academic field, they can analyse, and
find the very essential things and build up something new knowledge or new
methodology or art for BC I think.

Reference 2 - 1.08% Coverage

Yes, if there are various kinds of common methodology, it would be good for industry. For example, for
business impact analysis. Currently there is so many methodology for business
impact analysis. But if someone provide a standard methodology or very
common methodology used for various kinds of industry, it would be good I
think.

<Internals\\Participant 7> - 5 references coded [9.69% Coverage]

Reference 1 - 2.13% Coverage

But I think what would be the only way to implement it in the future, not in the next 5 years, I say the
next 20 years, is what I do right now. I go to the universities where the people
learn business administration logistics and things like that, and tell it to the
students, the former and the future managers, so they have understood, okay
that is BCM is for. That's the only chance to bring it in the hands of the
managers of tomorrow, not to try to teach the people today. This is okay, let's
say it's an compliance exercise, but you will not, most of them you will not
convince. Because they are thinking in 4 year time slots, because that's their
contract, a normal contract, and they are looking for profit so that they get
more money out of it, and BCM normally is not a target within their 4 year
contract, just like politics.

Reference 2 - 0.68% Coverage

it should be somewhere integrated in the business administration study as a standard course, maybe at
the grounding study, you know, the first semester when they start studying they

170
should have heard BC and later on in more detail. I think that would be very
useful.

Reference 3 - 2.76% Coverage

What would help the industry is, instead of developing and inventing new kinds of BIAs and think, and
try to make this what we have right now more professional. So give them more,
in German we say, bring more flesh on the bones. That means, not only
throwing words around, make it more precise, we need a precise definition of
everything, we need to have formulas to calculate things. If you came up with
an idea like MTPOD, you have to give people a kind of help that they can
calculate these things. How will you compare different companies if you don't
have a method that is somehow valid. I would not say the standard should do
that, but I would say that the experts of the industry, just like BCI, should do
these things, they should define it. Sure, who else. And they should discuss
these things with people from business administration, with business
administration background, they should not sit in their little room and develop.
Think that they should talk to supplier, they should talk to people, to experts in
the industry and find things that work for all these people.

Reference 4 - 1.68% Coverage

I think the problem within the BCI, the members of the BCI, just like me, we are some of experts in BC
area, but you have only these members there, and maybe these members also
have very small focus on these things. What you need to develop these BCM, is
people beside these expert areas, you need people from different department,
you need experts from financial department, you need experts from controlling,
you need to discuss things you have developed with management. So you have
to find different points of view for a good developing BCM, otherwise it is an
expert thing, Where the experts are happy with it, but no one else, I mean,
outside the industry.

Reference 5 - 2.45% Coverage

Yes, I would say, instead of inventing new words, just like business resilience, we should develop a more
professional tool kit of BC, all this method should be rethought, people should
think about the different definitions. We should make it crystal clear how it
works, because based on this, what we are doing you may invest money in the
company. And the better it is, let's say, founded, grounded, defined, as better
help the decisions. If you have these gaps in the methodology, there is still the
risk that you for example spend too much money for things like BCM. And this
on long term is something which is a problem for the company. For example if
you have a potential loss of let's say half a million, and then you spend 50.000
for the solution, and these 50.000 you have to pay every year, then after 10
years you have created your own disaster. [Talks about the math behind it]
Because then you have spent 500.000 . This has to be better developed,

<Internals\\Participant 8> - 2 references coded [5.97% Coverage]

Reference 1 - 1.13% Coverage

Mhm, yes, but then I would go back to the business resilience part, because I think that BCM or BRM or
what not should not only be part of risk oriented study fields but also for people
studying, let's say, supply chain management or finance.

Reference 2 - 4.84% Coverage

Well I think the whole implementation process and the life cycle as it is used and perceived here in
Germany could use some research. Because I think, or I feel that when
implementing BCM with most people are not focusing enough on is the
psychology of the people who should use those measures and the awareness
part. I think, what would be useful is some literature or some new ideas that
that show us how we could cut cost from BCM and down to the main idea of
how to transform this main idea to the people. And by this allowing people to
have, that to this moment, did have nothing to do with BCM, to understand it
more easier. So what I am saying is that parts of getting the idea behind BCM or
BR into the heads of the people could use much work I think. Another part
would be the benefits, at the beginning of the interview we talked about
benefits from BCM and when I gave my answer I felt that, even though I've been
working in this field for quite some time I still have difficulty listing all of the
other benefits than the obvious ones.

Knowledge

Name: Knowledge

Description: What do practitioners think about the current knowledge in the field

<Internals\\Participant 4> - 1 reference coded [4.79% Coverage]

Reference 1 - 4.79% Coverage

I think there's a lot of book knowledge, a tremendous amount. And I think probably more than needs to
be, there's a lot more people participating about it than we need to hear from,
if I may say so. However, there is a serious lack of people who actually have
that kind of experience, from my experience, that have been through a disaster
and know how to write a plan that's actually going to be viable. Because I mean,
that's the trick, the trick is to write a plan that is actually going to be usable. And
there's too much time spent on what-ifs, and even though that's what our
business is about in some cases, but they get too specific when you talk about
pandemic planning. They get real specific with the type of pandemic. Well the
odds of us getting that exact type of pandemic or you know, crisis. You need to
understand how you are going to react to it, because you don't know the
particulars, you just don't know any of the particulars of any kind of crisis. You
won't know the duration, and you won't know how many people died, because
it depends on the time of day that the event occurs. There's just too many
variables, you have to focus more on communication and how you're going to
get the most current information into the best people's hands as possible to
make the best business decisions of the time. So I think that yeah, overall
there's plenty to read out there, The bottom line is, two things, the bottom line
of BC is two things I have taken away from it. One, it's common sense, it's all
based on common sense. And two, if you have bad business practices in
production, you're not going to have a good Disaster recovery program, your BC
program will not allow your business to run better than it does on a day to day
basis. So if you don't have good business processes today in production, then
that needs to be fixed. And sometimes BC programs can help make that happen,
because it can highlight what the problems are.

Reference 2 - 1.44% Coverage

I think they [certification agencies] help develop standardisations of terms, which is something that was
always desperately needed 10 years ago, you know, just the difference
between, I think BC and disaster recovery you know, people were using those
two terms interchangeably. And I think that the institutions helped at least to
put some guidelines around that. And so I think that they had a role, and they
also had a nice role I think at least in the US with helping the government come
up with guidelines, federal guidelines for things. So I think that they do have
their place.

<Internals\\Participant 5> - 3 references coded [2.12% Coverage]

Reference 1 - 1.04% Coverage

I think that the organisation that build knowledge are the BC Institute, the BCI or the disaster recovery
institute in the USA, these kind of organisations do build knowledge, if I
understand the question correct. plus I think that certification they, the boys,
they use the knowledge like okay, here's the audit or the check list, and you
have to do this and this and this but they don't develop it, at least not the
fundamental knowledge about it.

Reference 2 - 0.66% Coverage

So from my point of view, the BC institute for example, plays a very important role in promoting and
also developing the whole topic, because there are a lot of people involved in it.
And I think it's a nice mixture of theoretical and practical experience,
newspapers etc. etc. so yeah.

Reference 3 - 0.42% Coverage

so If you take for example the good practice guidelines and you read one or two books of BCM, that's
more or less what most specialist courses or certifying courses will teach you.

<Internals\\Participant 6> - 6 references coded [6.74% Coverage]

Reference 1 - 3.44% Coverage

the biggest problem in Japan for BC is there is not enough or good reference document or guidebook or
knowledge. For example, you know the BCI's, the good practice guideline, is
very good reference to learn about BC and develop the BCM in the company,
but it is not translated to Japanese properly, and Japanese government, on the
other hand, Japanese government issued BC guideline, but it is not a BC
guideline, but a disaster mitigation guideline I think. The opportunity to know
the knowledge of BCM is really limited in Japan, especially for small and medium
enterprises. They believe it is impossible for a small company to work, to endure
BCM. I think it is a very big misunderstanding, BCM is very effective for a small
company. Most company believe that BCM is impossible for us, or BCM is very
expensive, there is, they believe they need much money or very special
knowledge for BCM. So every time I have to explain that BCM is not so difficult,
or BCM is not so expensive or there are various ways to give BCM to a small
company or a Japanese company.

Reference 2 - 0.29% Coverage

But in Japan there are not so many researchers, or people studying BC in academic field.

Reference 3 - 1.79% Coverage

Recently we began the communication between industry and academic work about knowledge
exchange about crisis management, BC and risk management and so on. It is
very interesting and I believe it would be positive for improving the situation in
Japan, and usually I work as a consultant, but I am making effort to have
opportunity to talk with academic people and there is. And recently I feel it is
very good for, kind of give and take, and knowledge in academic field and
experience in industry, it is very good combination for collaboration I think.

Reference 4 - 0.51% Coverage

but in my opinion, academic field is very good, they have strong ability, strong skill to analyse or find
something very essential things from various cases.

Reference 5 - 0.38% Coverage

by having body of knowledge, we can find which area is enough or not enough. Which area should be
improved like that.

Reference 6 - 0.35% Coverage

because there is no method to evaluate BCM, there is no way to evaluate the resilience of the
organisation.

<Internals\\Participant 7> - 1 reference coded [0.72% Coverage]

Reference 1 - 0.72% Coverage

BCM is a normal business process just like controlling or something else there which is not at the
moment you implement it generates benefits or money for the company. If you
have a controller presenting reports, it does not mean you earn more money,
it's only presenting the figures.

<Internals\\Participant 8> - 1 reference coded [1.13% Coverage]

Reference 1 - 1.13% Coverage

OK, if you do it is very high level, it is not as high level as the standards would be, but still there is so
much room to interpret that it is useful, but it doesn't give you enough
information to really learn what best practices really means.

Management

Name: Management

Description: What does management do/feel about BCM

<Internals\\Participant 1> - 4 references coded [6.72% Coverage]

Reference 1 - 2.21% Coverage

If you're in a head office department where the work you are doing is not seen as business critical, it's
probably difficult for people to get very excited about it as a subject. And so
when you're handing out responsibilities around the team, becoming the data
privacy champion or the records management champion or the health and
safety champion, these are probably not the first thing people put their hands
up for, to volunteer for. And not because people don't in one way won't
recognise that they are important, but because it's obviously planning for an
eventuality which shouldn't come up. And so I think when we first began
exercises like that, it was difficult for them to feel particularly real, maybe I
should work in a head office environment where you're a little bit cut off from
some of the perceived risks that you might have in a branch.

Reference 2 - 2.40% Coverage

If you're working in a bank branch somewhere, and there is a real risk that there might be a raid on that
branch or a security incident or a bomb threat or somebody driving a tractor
through the glass window at the front in order to try and steal the cash
machine. Then your attitude to risk and incident or whatever, it's just very
different than it is if you're working in a head office environment, you tend to
think more about the brand risks, and the marketing risks, and the risk from
mailing people who you shouldn't be mailing or something like that, those are
the sort of things people think about a little bit. So it's been an evolution in how
departments were thought about, and I was saying because the financial
services industries had far more problems over the course of the last few years,
I think it has focused minds a lot more on an understanding of the basic
processes and what people do rely on us to do.

Reference 3 - 1.44% Coverage

I think it's, there's perhaps more need for people to champion it and to maybe think a little bit harder to
really work out what the processes are, because a lot of the things that when
we get involved, lots of other departments will be involved as well, so trying to
isolate the effect of one single department not being able to function properly, is
perhaps a little bit more difficult than working out what the implications of a
particular branch having to be closed for a few days are.

Reference 4 - 0.67% Coverage

think, if anything, perhaps a bigger risk is that because the teams that coordinate things are relatively
small it does rely on the heads of department doing a conscientious job, to
really think through what all the processes are that people rely on them for.

<Internals\\Participant 2> - 6 references coded [18.13% Coverage]

Reference 1 - 3.92% Coverage

So typically the only time where they go badly, is when senior leadership comes in and tries to take
control of the tactical response, and changes all the rules, and changes the roles
and responsibilities, changes what's going to happen. So in short you got a
group that typically works together, that comes up with the plan, that executes
the plan, it is by and large the tactical response team, and they use senior
leadership for policy and broad strategic decisions, like are we going to open
tomorrow or not, are we going to have classes tomorrow or not, should we send
people home or not, these very large policy decisions. But the tactical responses
should be within the group that has undergone the planning, the group that will
execute the plan. So again, typically when things don't go well, is because senior
leadership feel they need to come and be involved in the tactical decisions
without the background of how those decisions were made in the first place.

Reference 2 - 4.43% Coverage

one of the ways we try to deal with that is to have a very clear role for senior leadership in our BC plans.
Either they are involved in the planning and preparedness effort, which is great,
they understand how it all is going to work, they understand what their roles
are, what decisions they will need to know, that's fantastic. Or they don't want
to be involved, and then we write a role in for them and say, look, you don't
want to be here at the incident command centre, or the continuity response
centre. Where you need to be is out, and you're the face of the organisation,
you're the face of the department, you need to be out and making policy
decisions and showing that everything is okay, and providing that face,
providing the interaction with the community. That's your role, we will check in
with you on hourly basis or for hourly basis you check back in with us, we ask
you policy decisions, you can ask us for status updates. That works well, what
doesn't work well is the leadership that doesn't want to be involved during
planning, but wants to be involved at time for response.

Reference 3 - 0.86% Coverage

one of the significant root causes for that situation is that we don't have the proper matrix, and the
proper research to show to executives to prove the worth and the improvement
of continuity preparedness efforts

Reference 4 - 5.03% Coverage

If I undertake formal BC how much more prepared will my organisation be to recover from disaster, or
what percentage of organisations that undergo or undertake BC planning are
better off to survive disaster. So I took it vs. I did not undertook it what
percentage of those organisations are better at recovering from disaster faster
than other organisations. Those kinds of basic metrics don't exist, that research
doesn't exist. So the executives look towards our profession and says, ok, tell
me why, why are we undergoing BC planning? The best that we can tell them is,
well, you are probably more likely to recover from disaster if you do this. And
so, if they are not concerned about disaster, they are not going to be convinced
that this will be a worthwhile expenditure of their time and resources. And even
if they are concerned about recovering from disaster, we can't give them a
return on investment, we can't give them statistics, we can't give them
measurements, we can't give them reasons. And when we begin, we don't have
anything to show our progress, so a fascinating question might be, well okay, we
have now undergone ISO 22301, how much more prepared are we to recover
from disaster? We can't answer any of these questions.

Reference 5 - 1.58% Coverage

so we need to ask the question, how prepared is my organisation to recover from a physical or staffing
loss to be able to measure that cross time, and I think we can, but we haven't.
And so, to summarise, I think executive leadership asks a very good question of
why should I be spending my time and money and resources on continuity
planning, and we don't have a very good answer for them.

Reference 6 - 2.31% Coverage

I think the driver is that the executive leadership doesn't understand the value, so in trying to
understand the value of expenditure of the money and time and the resources,
that is something that they understand, they understand return of investment.
That is a, what's the right word, that's a metric, a measure they understand, so
if we could put BC in those terms they would get it and they would say okay,
now I understand the value. So I think it's more the struggle for the
preparedness planners to show, to demonstrate to prove the value of what they
are doing.

<Internals\\Participant 3> - 4 references coded [7.52% Coverage]

Reference 1 - 3.85% Coverage

The other aspect of it for me is to be able to create some sort of, let me say, a commitment from staff to
be fully aware, because I think BCM is not just a matter of senior officials, it's
the matter of everyone, from the top to down, how do you react, what do you
do, how do you work from home. All those little things that can actually help
assure a smooth continuation of the operation, it's a participatory mechanism I
would say, and it also creates more commitment from staff to be able to
understand that unforeseen events are not completely, is not a big challenge, it
is something that you can overcome, and it is everyone's, each and everyone's
responsibility to deliver service to the organisation to that extent. So it really
forces the commitment of staff towards the organisation, especially in crisis
plans. But it's only possible if you see that there are some guidelines, there's a
framework.

Reference 2 - 1.23% Coverage

through a certain framework that has been tested, monitored etc. so people have to be fully engaged in
committing and implementing the BCM and the senior management and/or the
leadership of the organisations has to be completely on top of that issue and
that has to be on top of the agenda.

Reference 3 - 1.08% Coverage

actually the director general just appointed a BC expert. Because there was nothing really done at this
time, so he made that decision to actually appoint somebody. To have a real
expert working on this and coordinating issues throughout the organisation.

Reference 4 - 1.37% Coverage

I think it's a big mistake but it's only because we are in times of change and management were already
most of them professionals before BCM became a subject of interest. So they
have to be educated in that regard, through training. The leadership or
management has to help the organisation culture change through that way.

<Internals\\Participant 4> - 6 references coded [11.55% Coverage]

Reference 1 - 0.40% Coverage

Well, managers are always looking to cut cost. Managers are always looking to run lean and mean.
Especially when you are running in a risk industry like trading.

Reference 2 - 3.32% Coverage

they had no backups at all, they didn't take any precaution and if they made a change, they made it
directly in production. Because they didn't want to spend the time, resources
etc. and actually having good solid practices. Now politics, this is, you know,
business politics being what they are. You could have an internal audit group,
but this internal audit group doesn't normally have any power if the department
they are auditing is making a ton of money. You know, tons of money
generation of that kind of money, trumps any rules that other departments may
have to follow for any reason. Audit will turn a blind eye to that in many cases in
many companies. So consequently they felt like they could run as lean as
possible. Said differently though, because they are risk based organisation, they
were making a lot of money that year, but a couple of years prior they lost a lot
of money, it's the nature of risk. And what the guy said to me is, look, if we had
been down all year because of catastrophe, the company would have been
better off that year, because we lost money. And this is part of the whole risk
profile. So the first thing is you know, looking at what are the single points of
failure and why they exist, and really trying to convince management that you
need to do something about it, because they may accept that risk.

Reference 3 - 3.60% Coverage

that is one way people have done it in the past [audit of past events]. However, unless it had caused
significant damage, a lot of times executives would say, well we got through it,
we learned lessons and won't lose as much money the next time so why spend a
bunch of money if we got through the problem last time? That has been my
experience, and I speak. Because even when I was with that building that burnt,
I mean, it was catastrophic to any other company. And up until then I had to
adopt this philosophy of having the business do it themselves and scaring the
individual businesses into doing the right thing. Because as a corporation, they
weren't willing to part with any money for BC, so this was done on a shoe string
budget, and yet we were able to circumvent the major catastrophe. And so
many people would think well jack! After you did that, obviously they start
throwing money your way so you can make the program even better. And the
answer is no they didn't. They said, obviously we're spending enough, we got
through a major crisis without any business interruption, so we're spending
plenty, you know. So they, if there's not a direct return on investment, if there's
not a dollar for dollar, especially if you're in a financial industry. Then you're
going to have a tough battle, and you have to look at it from my opinion, from a
negative perspective and say, this is how much we are going to try and avoid
losing if something bad happens.

Reference 4 - 0.51% Coverage

a genuine lack of understanding by executive management, because executive management is more
worried, and this is a global issue these days, with next quarter's results, you
know, and getting those numbers.

Reference 5 - 0.94% Coverage

Because they have no resiliency plan of what to do if their supply goes up a nickel. You know, so, it's
just. If you don't think about the resilience aspect of it, you're just, your, you
know, you don't have a net, you are walking the tightrope of business where
profits and losses can be based on very minor things, and you're walking it
without a net, without business resiliency.

Reference 6 - 2.78% Coverage

I think it depends on the man, certainly in the company I'm in. Right now they have a strong sense of it,
why, because they are located in New York. And if there is a disaster in the US,
chances are pretty good, you know, it seems like it comes up the coast. You
know, or something happens in New York or (inaudible) some sort of
catastrophe. So they get it, they live it, they get it. Now you get to people out
here in the mid-West, Chicago. It's so so, they are pretty good. But we also have
a main headquarter out in Wisconsin, there are not a lot of crises or terrorist
attacks in Wisconsin. So consequently they are much more lackadaisical, they
leave their doors open at night, they don't even take the contingency of locking
the door at their homes, that kind of thing, or bringing their PCs home so no
one will steal them. Because, you know, they're out in the boonies and it's just
not something they are confronted with so it's not in their purview. So good
managers who, you know, it is front of mind, it is top of mind, but there's just, I
think, most managers are not that good. Good managers are hard to find.

<Internals\\Participant 5> - 5 references coded [4.02% Coverage]

Reference 1 - 0.11% Coverage

most Germans don't live in crisis prone regions

Reference 2 - 1.28% Coverage

what basically happens is that it's a topic that if something happens, you have a small budget for it. And
then most of the time consultants come in and something. I think the
perceptions of managers that are higher in the hierarchy are I will invest once
and then let's move to the next topic, so it's not something that's on the
management's agenda continuously, but only some points in time. And it's also
something that I think it's like something psychologically connected to disaster
and crisis. And that makes sense, because that is why we have it.

Reference 3 - 0.22% Coverage

My point of view is that BCM is not associated with making money, it's spending money forwards.

Reference 3 - 1.66% Coverage

For the profession is the main challenge to do the arguments for the managements and say hey, we
have quantified data that says we should do this or this or this. Yeah? I mean,
that maybe the reason because I am not a top manager myself, but I think they
live, maybe you know more about that than me, but I think they live in the more
or less the quantified world more or less. And the only metrics we have right
now is, for example this year we had 5 BC plans, next year we are going to have
10, so what does that say about the business? So there's like this disconnection
in terms of how people think, and that's also why I said that I want future
managers to be educated in BC just to create a different awareness.

Reference 4 - 0.86% Coverage

I think especially if you want to create management awareness, because management, as far as I know,
are most of the time very educated people. And at university they learned a
very specific way of thinking, so if you can create BCM matrix, reports or
whatever that is in line with their thinking. I think that's a good way of more or
less selling BCM within the company.

<Internals\\Participant 6> - 1 reference coded [2.63% Coverage]

Reference 1 - 2.63% Coverage

In some company top management is very positive to work for BCM because, for example, there are
two kinds of companies, first type of company is owner company, president is
company's owner, or president family, the company, most of management
members is president family, it's the first type. Second type is very public
company. And in Japan, as far as I know, in my experience, the owner company
is very aggressive for BC because the BC the company's continuity is culture,
family continuity, president life continuity, so the president is very positive to
work for BC and they assign very important staff for BCM. But on the other
hand, in the very big company, very big and public company, the president is not
so positive for the BCM because, in Japan, most of the top management don't
know the value of BCM.

<Internals\\Participant 7> - 7 references coded [11.81% Coverage]

Reference 1 - 0.81% Coverage

In Germany in financially institution, it is very easy, because they are forced by law to implement BCM,
so there is not a decision to be made by the management. And they are still
waiting, most of the financial institute wait until some auditor is coming and say
please implement BCM this is how it works in Germany.

Reference 2 - 0.20% Coverage

so we still have to convince management we have first to tell them what is BCM,

Reference 3 - 4.70% Coverage

If the top management does not recognise the importance of BCM, what does it mean for the company
if you are not prepared of such a situation, then things like, we have seen a few
years ago here in Germany can happen. We have this big, maybe you
remember, this big, the big flu, the worldwide spread virus, what was it called.
How was it called in the English word? Pandemic, that was the word, we had
this big pandemic where, I think, 2 people died in Germany, with a normal flu it
is 100 people in a year that die each year, but due to the pandemic we have 2
people which died. And what happened was, because the management was not
able to understand what are the threats, what are the risks, what are the riots
mitigation, they bought, the big ones, for million and millions of euros Tamiflu,
and they put it in their ground year. So they invested money in something
they can throw away now. So it's wasted money because what the industry, the
Tamiflu industry did, is they scared them, so they misinformed them, so
they thought oh my goodness, tomorrow the world is coming to an end, we
have to prepare with Tamiflu, and everything we find just like in a bad
movie. But that was true, because the management didn't understand the real
threats they invested in the wrong things, and this is a risk. And then, I have no
answer for that, BC right now is not yet on the management level. The only
thing that maybe the new resilience standard can bring is the attention on the
management board level to these things, because resilience sounds better than
continuity. Resilience is a, I would not say a management discipline, it's the end
results of having BCM and other disciplines implemented, if the selling is better,
because it sounds better to the management, okay, then let's call it in the future
business resilience, I don't care.

Reference 4 - 1.44% Coverage

The only thing is we have somehow to start to attack the management with the information about BC
and so on, and even if you go to the world conference in the UK, you find only
few people from top management level, you mostly find people who are
responsible in the company to implement these things, but you will not find a
lot of leaders which can inform themselves about the BC, this is also something
that has to change in the future. Not that the world conference a separate event
but, then they should be there, they should inform themselves about these
things.

Reference 5 - 2.66% Coverage

One reason is often the BC area, don't get me wrong, we are talking in nerd language, we are talking
about MTPOD, MTPD and MTA, RTO and RPO and this and that. And if you are a
manager in the business administration and you have studied business
administration as main, then someone says, okay we have here maximum
period of disruption, then I ask, okay, explain it to me. And there is nothing they
can explain, it's hot air what is described in the practice guide, what is described
in all the standard. There is nothing rational behind it, it is a word for a
judgement, and this is nothing you can work with on a management level. If you
have to do with people thinking in figures, thinking in clear structures and you
come with an undefined word, not only one word, you change these words over
the years several times and confuse people and make it more complex. Now we
have the new good practice guide saying it is good idea to have four BIAs
instead of one, a strategic, tactical, operational and initial one. No this is not the
way to sell it.

Reference 6 - 0.82% Coverage

No, there is a wrong selling about these things, you cannot convince someone with boring details in
nerd language, this is nothing you convince a board with, you have to tell them
the benefits of BCM, and they are not coming to the conference because it is
not interesting for them on the level where we discuss these things.

Reference 7 - 1.17% Coverage

It's okay, it's conference for specialist, but there should be another one, maybe BCI should maybe
organise things like this, there should be another event only focusing on the
management level and, how to say, you have to find the right speakers for the
management, this is not that easy in this area. Because a lot of people coming
from the IT which is not, not a bad thing, but it is also maybe the wrong
mind-set which is not convincing managers about BCM.

<Internals\\Participant 8> - 1 reference coded [1.99% Coverage]

Reference 1 - 1.99% Coverage

when you are telling them about the other advantages that are not as obvious, they usually get
convinced. Well they are often very afraid of the budget thing, because they are
afraid of spending such a lot of money on things that might never happen. But
again if you come back to those other advantages that come into place, even
without having an incident, this usually weighs up the necessary investment of
the implementation.

Organisational Learning

Name: Organisational Learning

<Internals\\Participant 1> - 1 reference coded [2.22% Coverage]

Reference 1 - 2.22% Coverage

What we weren't doing was tracking lots and lots of different individual processes whereas now we are
identifying what those key processes are, we are identifying which customers
have experienced those processes. Rather than just in normal transaction in a
bank you know, who has actually had one, or gone through one of those key
processes and then we do a lot of NPS, promoter score measurements around
those key processes and so it's obviously moving on from BC. But it sort of links
back to your understanding of what people really rely on you to do. I think it's
probably true to say that the whole bank has been more focused around making
sure those basic things go right and working to improve those basic things over
the course, certainly, of the last, say 3 or 4 years, I would say, relative to my
experience in the bank and the period before that.

<Internals\\Participant 3> - 1 reference coded [1.55% Coverage]

Reference 1 - 1.55% Coverage

So business resiliency is not just about BCM, it's about people, it's about how we learn from our
mistakes. Because if you do not learn from your mistakes and what went wrong,
then BCM is a complete failure to some extent, it's not necessary, it's just a
paper in a drawer. So business resiliency is one: BCM but two: people engaged
and three: learning from lessons.

<Internals\\Participant 7> - 2 references coded [0.99% Coverage]

Reference 1 - 0.30% Coverage

I think there is a learning buried for the organisation, they get more emphasis for risks, they get an
understanding,

Reference 2 - 0.69% Coverage

And most of the companies exist, this is a matter of fact, most companies exist, and you have to find
some way to implement BCM in an existing organisation. This is what I say, what
it makes so difficult in implementing BCM because it's an organisational
changing process.

v) Examples

Experience

Name: Experience

Description: When did the participants start working with BCM

<Internals\\Participant 1> - 2 references coded [0.99% Coverage]

Reference 1 - 0.78% Coverage

I was first aware of it, I'm trying to think, as I said I've been working in [my department] since the
beginning of 1999 or something like that, and I probably became aware of it
around that sort of time, I would say, so it was about the late 1990s. That that
phrase, that I was aware of that phrase.

<Internals\\Participant 2> - 1 reference coded [5.09% Coverage]

Reference 1 - 5.09% Coverage

So basically I started working on BC for [a university] about 10 years ago, 9 years ago. In short there was
the external auditors were concerned the university did not have a BC program,
so they worked through our office of the chief information officers, through the
IT side of the house and set up a BCM program. And again I think that was
pretty standard for 10 years ago a lot of the BC programs come in through IT
disaster recovery just like something they do now, but not as many. So basically
we were charged with coming up with BC plans across the entire university, at
that time we had about 60.000 student, 30.000 employees, 600 buildings on 5
campuses, and by the time about 7 years had passed, let's say 5-6-7 years, when
I actually left that program. We had done somewhere between 200 and 300
individual BC plans. Everything from a day-care centre to a hotel to an ice rink,
centralised purchasing, centralised IT, research, pretty much everything, steam
generation, everything you could possibly, it's like a small city there. And so we
had done BC plans across all of the, many many areas across the university. So
that's a good start, and then 2 years ago I left the enterprise continuity
management program and now doing something different.

<Internals\\Participant 3> - 1 reference coded [1.13% Coverage]

Reference 1 - 1.13% Coverage

I do not work directly in the field of BCM as I pointed out, I was part of a group which is called Business
Continuity group for the [organisation] in Geneva. So basically I could hear and
listen to what other practitioners were saying in particularly in the field.

<Internals\\Participant 4> - 1 reference coded [0.76% Coverage]

Reference 1 - 0.76% Coverage

I was asked to take over BC for a large international bank. For their North American division. So I've
been doing this since 2000, so 14 years. And normally I handle all the BC as well
as oversee the disaster recovery, so in my tenure, programs I've put together are
very business friendly, business centric.

<Internals\\Participant 5> - 1 reference coded [1.45% Coverage]

Reference 1 - 1.45% Coverage

I have my 3-year work anniversary, more or less. I studied risk and security management in Germany,
and roundabout, after half of the study I focused on BCM. So I wrote Bachelor
dissertation on the topic, had an internship during my studies and now work as
a consultant here in Germany on this topic. I worked in several industries so far,
so from banking, insurance, telecommunications, chemicals, administrations
and maybe something that I will remember later. So I saw a lot of different
views in the all. On top of that I just started a master program with [a university]
in England, it's risk, crisis and disaster management.

<Internals\\Participant 6> - 1 reference coded [1.04% Coverage]

Reference 1 - 1.04% Coverage

currently I work for a consulting company, my company's business is various kinds of risk management.
And I'm specialist in BCM. I have 8 years previous for BCM consulting, and in the
previous company, I work for manufacturing company, and I was the BC
manager. So I have both experience as BCM practitioner and consultant.

<Internals\\Participant 7> - 4 references coded [1.03% Coverage]

Reference 1 - 1.03% Coverage

Yes, I started my professional work after I've studied business administration here in [Germany], at [a
company]. Which was the first professional recovery centre here in Germany, it
was in the 80s. So this was where I started my work, and due to this first job I
came in touch with the disaster recovery of these BC, so in the 80s it was more
about disaster recovery, and later on it started to become BC.

<Internals\\Participant 8> - 1 references coded [?% Coverage]

Reference 1 - ?% Coverage

Yes, it started during my studies when the representative from the BCI held a speech at my university,
and then I started talking to him because I found the topic interesting. And this ended up in starting a
practical training company it is called [a company], []. After my practical training I continued working
there part time during my studies. I then got involved with [a financial service company] also started
working there. Then I started working in [an airline] and I started working there as a business continuity
management officer. And implemented BCM at this airline. Then after some time I quit and then got
back, and this time full time at [the first financial service company]. I have been to a couple of
[conferences] on this topic. Of course I have read quite a few books. Talked to quite a lot of people

Interruptions

Name: Interruptions

Description: What sort of interruptions has the participants experienced?

<Internals\\Participant 1> - 2 references coded [2.28% Coverage]

Reference 1 - 0.20% Coverage

because we haven't really had incidents, it's difficult to answer that question

Reference 2 - 0.58% Coverage

The sort of issues that we've had to contend with usually have been where technical issues have meant
we couldn't access some of that data for a period of time, rather than actually a
sort of a physical incident or something.

Reference 3 - 1.70% Coverage

change in reporting for Americans and residents, meant that the management part of our business,
suddenly had to produce an awful lot of information for the US government and
a lot of reporting requirements for the regulators. And so the data system we
work off of, or are supposed to be there for analytical purposes, rather than for
operational purposes, but such was the urgency for getting all this information
together. We had to use the analytic database to enable the regulatory reports
to be run, and that meant for a period of a couple of weeks where the analysts
couldn't get access to the Teradata, and the information they would normally
have.

<Internals\\Participant 4> - 1 reference coded [5.48% Coverage]

Reference 1 - ?% Coverage

And we were able to get through 9/11, we had, one of our large international trading operations in
lower Manhattan, just a few blocks away from ground 0. And then we had a big north east power
outage here in the north east section of the US lost power for several days, which impacted our large
operations we had in Detroit Michigan. And then we also had a situation, we also had minor issues, but
these are the three major things that happened in our company. Our headquarter had caught fire in
downtown Chicago, and at the time it was the largest skyscraper fire in the history of the city. Gutted
two floors, completely demolished two floors, 55 million dollars US damage. But in all three of these we
did not have to file for business interruption insurance claim, because we were able to keep running.

Reference 2 - 5.48% Coverage


The North East power outage took out the entire Detroit community as well as everything north and
east from there all the way up to New York, and we lost power. So we had a
couple of contingencies, we did some things really well. And thank god we took
all of these contingencies. So the first thing we did, we build an office space for
about 250 people, and put a generator in there on our own power supply. The
second thing we did is we had a contract with some major companies that, I
won't mention names but their initials are [X]. And as well as the other big
heavy hitter, both had recovery sites with generators that they would use for
such an incident. And then the third thing we did, the next thing we did was we
had, we worked with our facility team to take that building that we were in, our
headquarter in the suburbs of Detroit and take all critical processing and put it
on a UPS, on a brand new UPS, uninterruptible power supply, brand new
generators, we just made that building as rock solid as we could. Couple of
things happened between, and that was about a month before the power
outage so when the power outage occurred, both [X] and that other company,
both their generators failed. So both of their buildings were down, they couldn't
be used for recovery, our other site was able to be used, and it was 250 seats.
However, we had a problem with our main headquarters, the one we spent all
that money on getting retrofitted, because the project that facilities took on
after ours, was to take all of the bathrooms and make all of the toilets
automated flush. And they didn't have a manual override there was no
contingency plan, so consequently, they didn't put on the UPS system, they
didn't consider going to the restroom a critical process apparently. So when the
power went out, so did the ability to flush the toilet, and without running water
it is illegal for people to stay in the building, so the fire department kicked us
out. And we had to make do by just having a small hand of people running the
data centre that was there, with porta potties outside, and they let like 5
people in the building only, you know. So there was the best laid plans, you
know, sometimes can fail as well.

<Internals\\Participant 7> - 3 references coded [4.20% Coverage]

Reference 1 - 0.72% Coverage

For example for a financial institution, they had a kind of a, I would not say really an incident, it was a
power, loss of power in one area of the city, and what they did they simply
move to the other location and worked on. Their benefit in this situation, they
were able to work.

Reference 2 - 1.53% Coverage

So it started in the US, this occupy demonstration, so they occupied the Wall Street and they avoid that
people go to work. And this happened also in Frankfurt, so they tried to block
the financial centre of Frankfurt that the people of the big financial institution
reach their normal working place. And then, during this event they activated
their BC plan, and worked on. So it was no disruption, but no one was at their
normal work places, because they had prepared, they had all the nape sites
which was not known by the demonstrators so they had a chance to go on, so
actually there is a benefit.

Reference 3 - 1.93% Coverage

Yeah, but, I've seen this once in a time, so now in 20 years, I have seen this one time. One time they
implemented it in the very beginning. It was a company from Mexico starting a
shared service centre in Hungary. So they take over some companies in
Germany, and France and UK and they build up a shared service centre in
Hungary to do all the back office process, just like in invoicing and so on. And
when they start to build these shared service centre, they start with the idea of
hey, we are bringing together all the risk at one point, at one location, we have
to implement something for this case. And then they come, okay BCM as
discipline, and this was one of my first projects, so I started to implement the
BCM and this was one company in 20 years.

<Internals\\Participant 8> - 2 references coded [2.53% Coverage]

Reference 1 - 0.67% Coverage

[Personnel crisis, accident in Egypt, happened right before he started in a company. Has not experienced
any major disruption. Some IT down time.]

Reference 2 - 1.86% Coverage

This incident was in the UK, where the idea of BCM is much more present than Germany, because I feel
it is older there[].
They dealt with the incident quite well, but still there were some things,
especially the communication between the subsidiary and the holding in
Germany is not as good yet as it could be. So the plans worked, but the
interfaces, and incident management did not work so well.

APPENDIX E MSC DISSERTATION SUPERVISORY MEETINGS RECORD

MSc Dissertation Supervisory Meetings Record


Student name: Camilla Amundsen Student ID: 1308828
Columns: Date of / Key Issues Discussed / Targets/Actions Agreed / Signed/Date

Date of: 04.06.14
Key Issues Discussed:
o Proposal: the focus of the proposal was too big and positivistic
o Possible new areas of study: managers and practitioners; theory building
Targets/Actions Agreed:
o Contact practitioners within the journal
o Need 5-6 participants
Signed/Date: CA 09.06.14; KB 09.06.14

Date of: 27.06.14
Key Issues Discussed:
o Aims and objectives
o Participants
o Interviewing and interview questions
o Literature review problems
Targets/Actions Agreed:
o Review a couple of issues within the journal to find key problems, write draft and send to KB
o Aims and objectives will have to be tweaked after literature review is done
o Make interview question suggestions and send to KB
o Contact more participants
Signed/Date: CA 27.06.14; KB

Date of: 04.07.14-30.07.14
KB away on summer vacation

Date of: 21.08.14
Key Issues Discussed:
o Went through the interview questions
o Talked about the interview situation
o Tweaked aims and objectives
o Talked about the literature review and progress
Targets/Actions Agreed:
o Redo interview questions (first half experience based questions, second half analytical questions)
o Send literature review for feedback
o Redo aims and objectives
o Book interview times
Signed/Date: CA 23.08.14; KB

Date of: 18.09.14
Key Issues Discussed:
o Progress
o Communication issues
o Extension possibilities due to personal issues
Targets/Actions Agreed:
o Agreed on a time plan
o Daily updates via mail
o Open communication
o Exploring extension opportunities further
Signed/Date: CA 20.09.14; KB

APPENDIX F DISSERTATION PROPOSAL FORM

The University of Winchester

Winchester
Business School

Masters Programmes

Dissertation Proposal Form

Student Number: 1308828 Student Name: Camilla Amundsen

Supervisor: Karen Blakeley

Proposed Title: Business Continuity Management and perceptions of impact: An exploratory
study of perceptions among professionals and practitioners within the field.

Focus: A brief description of the management issue and research objective(s):

Business continuity management is a growing profession. Both the UK and the US
governments support the use and development of BCM in the business environment. Thus,
regulation increasingly surrounds the field. However, little empirical study is currently
being undertaken within the field. Therefore, little is proven surrounding its efficacy and
benefits within organisations. Consequently, a consistent problem is that management has
reservations regarding implementing BCM within their organisations.

Research aim:
To critically evaluate the field of BCM by identifying practitioner and professional
perceptions regarding its impact, strengths, and weaknesses, and its future in light of current
academic and practitioner critiques.

Research objectives:

1. To investigate the perceived impact of BCM on organisations, by exploring views
among professionals and practitioners within the field.

2. To investigate participant perceptions of the current state of the discipline, its
strengths, weaknesses, and its future.

3. To evaluate participant perceptions in light of current critique of the field.

4. To analyse professional perceptions of BCM in order to build recommendations for
future research.

Value: The value of addressing this management issue and research objective(s).

Because an increasing number of sectors within the UK are affected by regulations surrounding BCM, this
field will continue to exist in years to come. Several authors suggest that fundamental
knowledge surrounding the field is missing today, and this research is much needed. Thus,
research that explores the current issues within the field and looks towards the future can
be of value.

Literature: An evaluation of the three most important literature sources that will underpin
this dissertation.

1. Copenhaver and Lindstedt (2010) Journal of Business Continuity and Emergency Planning

2. Orlando (2009) Disaster Recovery Journal

3. Speight (2011) Journal of Applied Security Research

Research Design: A brief description of how you plan to fulfil the research objectives.
An exploratory study using interpretivism as an epistemological position. With grounded
theory as the research strategy.

The data collection method used will be semi-structured interviews. People working within
the field of BCM will be approached to be participants. 5-6 participants are needed.

Research Design: A justification in pragmatic and/or philosophical terms of why you have
chosen the methods in your research design.

Currently little empirical research is being conducted within the field. The grounded
theory approach was selected because the empirical evidence provides a framework for
understanding phenomena.

Supervisor's Comments:

This is a new area about which little is known. There is little academic research in this area
and the research will make a useful contribution to the field. The methodology is suitable to
the topic of study.

Supervisor's Signature: Date: 11.10.14

APPENDIX G ETHICS FORMS

RKE ETHICS PROFORMA Students on Taught Programmes

SECTION 1

Project title/focus: Business Continuity Management and perceptions of its impact

Principal Investigator: Camilla Amundsen ............

INDIVIDUAL PROJECT APPROVAL

Does the research involve (please place tick in each column as appropriate, YES / NO):

Living human participants: X (If yes, please complete section 2)

Living animals other than those being observed in their natural habitat: X (If yes, please complete section 4)

Documentary material that is not already in the public domain: X (If yes, please complete section 5)

Handling sensitive materials, including human remains: X (If yes, please complete section 6)

Interventions in the natural or built environment: X (If yes, please complete section 7)

Please refer to the University RKE Ethics policy for clarification of any of the above terms

DECLARATION A

For completion by those who have answered No to all the questions in Section 1.

Declaration: I have read the University's policy on ethics related to Research and Knowledge Exchange
and to the best of my knowledge and ability confirm that the ethical considerations noted have been
assessed. I am aware of and understand University procedures on ethics in Research and Knowledge
Exchange and Health and Safety. I understand that the ethical propriety of this project may be monitored
by the Faculty RKE Committee.

I will abide by the expectations of the University RKE ethics policy, and by the ethical guidelines
published by ..................................................................................(Please
insert name of relevant professional association)

Signature of Student: .....Date: ...................

I confirm that the project proposed is eligible for ethics release

Signature of Supervisor ..date..

SECTION 2: RESEARCH ETHICS CHECKLIST (WORK WITH HUMAN PARTICIPANTS)

Please place tick in the appropriate column (YES / NO).

Research that may need to be reviewed by NHS NRES Committee or an external Ethics
Committee (if yes, please give brief details as an annex):

1. Will the study involve recruitment of patients or staff through the NHS or the use of
NHS data or premises and/or equipment? X

2. Does the study involve participants age 16 or over who are unable to give informed
consent? (eg people with learning disabilities: see Mental Capacity Act 2005). X

All research that falls under the auspices MCA must be reviewed by NHS NRES.

Research that may need a full review:

3. Does the research involve other vulnerable groups: children, those with cognitive
impairment or those in unequal relationships eg your own students? X

4. Will the study require the co-operation of a gatekeeper for initial access to the groups
or individuals to be recruited? (eg students at school, members of self-help group,
residents of Nursing home?) X

5. Will it be necessary for participants to take part in the study without their knowledge
and consent at the time? (eg covert observation of people in non-public places)? X

6. Will the study involve discussion of sensitive topics (eg sexual activity, drug use)? X

7. Are drugs, placebos or other substances (eg food substances, vitamins) to be
administered to the study participants or will the study involve invasive, intrusive or
potentially harmful procedures of any kind? X

8. Will tissue samples (including blood) be obtained from participants? X

9. Is pain or more than mild discomfort likely to result from the study? X

10. Could the study induce psychological stress or anxiety or cause harm or negative
consequences beyond the risks encountered in normal life? X

11. Will the study involve prolonged or repetitive testing? X

12. Will the research involve administrative or secure data that requires permission from
the appropriate authorities before use? X

13. Is there a possibility that the safety of the researcher may be in question (eg in
international research: locally employed research assistants)? X

14. Does the research involve members of the public in a research capacity (participant
research)? X

15. Will the research take place outside the UK? X

16. Will the research involve respondents to the internet or other visual/vocal methods
where respondents may be identified? X

17. Will research involve the sharing of data or confidential information beyond the
initial consent given? X

18. Will financial inducements (other than reasonable expenses and compensation for
time) be offered to participants? X

19. Are there problems with the participants' right to remain anonymous? X

20. Is the right to withdraw from the study at any time withheld, or not made explicit? X

21. Does any part of the project breach any codes of practice for ethics in place within
the organisation in which the research is taking place? X

22. Is any of the material used likely to cause offence to any of the participants? X

23. Is a contract* needed between the researcher and the participants? X

Please refer to the University RKE Ethics policy for clarification of the above terms

* Contract includes requirement for written consent

DECLARATION B

For completion by those who have answered No to all the questions in Sections 1 & 2.

Declaration: I have read the University's policy on ethics related to Research and Knowledge Exchange
and to the best of my knowledge and ability confirm that the ethical considerations noted have been
assessed. I am aware of and understand University procedures on ethics in Research and Knowledge
Exchange and Health and Safety. I understand that the ethical propriety of this project may be monitored
by the Faculty RKE Committee.
