case study on business continuity management

Business Continuity Plan Case Study: Lessons Learned from a Real-World Example

February 1, 2024

A real-world example that provides a case study on lessons learned from a business continuity plan (BCP) can be found in the experiences of Puerto Rico’s manufacturers during Hurricane Maria. The National Institute of Standards and Technology (NIST) reported that having a BCP already in place was essential for the initial response to a disruptive event.

Moreover, the COVID-19 pandemic has provided numerous lessons for business continuity planning. For instance, it highlighted the need for businesses to be adaptable and have plans that are not overly prescriptive but flexible enough to address unforeseen challenges.

The significance of a well-documented plan that is clearly communicated across the organization is also a key takeaway. The PULSE Network case study emphasizes the importance of creating the correct “tone at the top” and identifying emergency response and business recovery teams in advance.

These examples highlight the necessity of proactive planning, the value of an adaptable and comprehensive BCP, and the importance of clear communication and leadership in ensuring business continuity during and after a crisis.

Business continuity planning is the process of creating a strategy to ensure that an organization can continue to operate during and after a disruption. This disruption could be caused by various factors, such as natural disasters , cyberattacks, pandemics, or other unexpected events.

A BCP typically includes information about the organization’s critical functions, the key personnel responsible for implementing the plan, and the procedures for activating and maintaining the plan.

It may also include information about communication protocols, data backup and recovery procedures, and other important aspects of the organization’s operations.

Key Takeaways

Understanding business continuity, defining business continuity and its importance.

Business continuity is the process of creating a plan to ensure that essential business functions can continue during and after a disruption.

This can include natural disasters, cyber-attacks, or other unexpected events that can disrupt normal business operations. The goal of business continuity is to minimize the impact of a disruption on the business and its customers.

The Role of Business Continuity in Managing Disruptions

The role of business continuity in managing disruptions is to ensure that critical business functions can continue during and after a disruption.

This can include ensuring that employees have access to the resources they need to work remotely, that essential systems are available, and that customers are able to access the products and services they need.

In summary, business continuity is an essential process for organizations to ensure they can continue operating during and after a disruption.

Organizations can minimize the impact of a disruption on their business and its customers by identifying potential risks, developing strategies to manage them, and ensuring that critical business functions can continue.

Elements of a Business Continuity Plan

Key components, risk assessment.

The first step in creating a BCP is to conduct a risk assessment . This involves identifying potential risks and hazards that could impact the business, such as natural disasters, cyber-attacks, or pandemics.

Once risks have been identified, the next step is to assess each risk’s likelihood and potential impact.

Business Impact Analysis

Recovery strategies.

Recovery strategies are developed Based on the risk assessment and BIA results. These strategies outline the steps that will be taken to recover critical business processes in the event of a disruption.

Recovery strategies can include backup and recovery procedures, alternate site locations, and communication plans.

Plan Development

The BCP should include detailed instructions for responding to different types of disruptions and contact information for key personnel.

Testing and Maintenance

Once the BCP has been developed, testing and maintaining the plan is important. Testing helps to identify any gaps or weaknesses in the plan, while maintenance ensures that the plan remains up-to-date and relevant.

The Planning Process

The process of creating a BCP typically involves the following steps:

The planning process should be collaborative, involving key stakeholders from across the organization. It is important to ensure that the BCP is reviewed and updated on a regular basis to ensure its effectiveness in the event of a disruption.

Risk Assessment and Business Impact Analysis

Identifying potential risks.

The first step in risk assessment is identifying potential disruptions that may affect the organization. This can be done by analyzing internal and external factors that may cause disruptions. .Internal factors can include IT system failures, power outages, or employee strikes. External factors can include natural disasters, pandemics, or cyber-attacks.

Once potential disruptions are identified, it is important to assess the likelihood of each event occurring and its impact on the organization.

Conducting the Business Impact Analysis

The next step is to conduct a BIA to determine the critical functions and resources required to maintain operations during a disruption.

The BIA should identify the maximum tolerable period of disruption (MTPD) and the minimum business continuity objective (MBCO) for each critical function.

The BIA should also identify the resources required to maintain operations during a disruption, such as personnel, equipment, and facilities. This information can be used to develop recovery strategies and prioritize recovery efforts.

In conclusion, conducting a thorough risk assessment and BIA is essential to developing a comprehensive BCP. By identifying potential risks and critical functions, organizations can develop effective recovery strategies and minimize the impact of disruptions.

Developing Response Strategies

When developing a Business Continuity Plan (BCP), it is essential to include strategies that will help the organization respond to disruptions.

These response strategies should be designed to ensure the organization can continue operating during and after a disruption.

Crisis Management

Crisis management refers to the process of managing a crisis, such as a cyber-attack, natural disaster , or other emergency situation. It involves identifying potential crises, developing a crisis management plan, and implementing the plan when a crisis occurs.

When developing a crisis management plan, it is essential to identify the key stakeholders involved in the response. These stakeholders should include senior management, IT staff, legal counsel, and public relations staff.

The plan should also include a communication strategy that outlines how the organization will communicate with stakeholders during a crisis.

Disaster Recovery Planning

Disaster recovery planning involves developing a plan to recover critical systems and data after a disruption. The plan should include procedures for backing up data, restoring systems, and testing the recovery process.

When developing a disaster recovery plan , it is essential to identify the critical systems and data that need to be recovered first. This may include customer data, financial data, and other sensitive information. The plan should also include procedures for testing the recovery process to ensure it works when needed.

Plan Implementation and Training

Once the business continuity plan is developed, it is essential to implement it effectively. This process involves training employees on the plan, conducting regular testing, and exercising to ensure its effectiveness.

Training Programs

Training programs are an essential part of the implementation process. Employees must be trained on the plan, their roles and responsibilities, and the procedures to follow in a disaster.

The training should be comprehensive and cover all aspects of the plan. It should include hands-on training, such as tabletop exercises, to help employees understand the procedures better.

The training should also be tailored to the employees’ roles, ensuring they are adequately prepared to handle their responsibilities during a disaster.

Exercising and Testing the Plan

It also helps ensure that employees are familiar with the plan and can implement it correctly in a disaster.

Various testing methods, such as tabletop exercises, functional exercises, and full-scale exercises, can be used. Tabletop exercises involve simulating a disaster scenario and discussing the plan’s response.

Regular testing and exercising of the plan ensures it is up-to-date and effective. It also helps build confidence in employees, ensuring they are prepared to handle any disaster.

In conclusion, implementing a business continuity plan requires effective training programs and regular testing and exercising. This process ensures that employees are adequately prepared to handle any disaster that may occur and the plan effectively mitigates its impact.

Case Study: Covid-19 Pandemic Response

The COVID-19 pandemic has disrupted businesses worldwide, and the need for a robust business continuity plan has become more apparent than ever.

The pandemic has forced organizations to adapt to new work-from-home models, presenting new business continuity challenges. This section will explore how some organizations responded to the COVID-19 pandemic and its impact on their business continuity plan.

Impact on Business Continuity

The COVID-19 pandemic significantly impacted business continuity , with many organizations struggling to maintain operations during the pandemic.

Adapting to Work-from-Home Models

One of the most significant challenges for organizations during the pandemic was adapting to work-from-home models. Many organizations had to quickly transition to remote work to comply with social distancing guidelines.

For example, Nissan had to implement new protocols to ensure employee safety while maintaining operations. The company had to adapt its business continuity plan to ensure it could continue operating effectively while employees worked from home.

The company had to invest in new communication tools, such as video conferencing software, to ensure that employees could work collaboratively while working remotely.

The COVID-19 pandemic has highlighted the need for a robust business continuity plan to adapt to new challenges. Organizations that were able to adapt quickly to new work-from-home models were able to maintain operations during the pandemic.

Technology and Data Protection

Securing technology infrastructure.

One of the key aspects of a business continuity plan is securing the technology infrastructure. This involves protecting the hardware, software, and network systems that are essential to the functioning of the organization. It is important to identify the critical systems and components that need to be secured and develop a plan to protect them.

To secure the technology infrastructure, organizations can implement a range of measures such as firewalls, intrusion detection and prevention systems, antivirus software, and regular security audits. These measures can help to prevent unauthorized access, protect against malware and other threats, and ensure that the systems are functioning as intended.

Data Backup and Recovery

There are various methods of data backup, including full backups, incremental backups, and differential backups. It is important to choose the right backup method based on the organization’s requirements and to ensure that the data is backed up securely.

In addition to data backup, organizations must also have a plan in place for data recovery. This involves identifying the critical data that needs to be recovered first and ensuring that the necessary resources are available to recover the data quickly and efficiently.

Compliance and Standards

Business continuity plans must adhere to legal requirements and international standards. This section will discuss how compliance and standards impact business continuity planning.

Meeting Legal Requirements

Organizations must comply with legal requirements when developing their business continuity plans . Failure to comply can lead to legal and financial consequences. Legal requirements may include data privacy laws, industry-specific regulations, and labor laws. Companies must ensure that their business continuity plans comply with these laws and regulations.

International Standards for Business Continuity

International standards provide guidelines for developing effective business continuity plans . One such standard is ISO 22301, which provides a framework for developing and implementing business continuity management systems .

Compliance with ISO 22301 can help organizations demonstrate their commitment to business continuity and improve their resilience to disruptions.

Adherence to international standards can help organizations improve their reputation, increase customer confidence, and reduce the risk of legal and financial consequences.

Maintaining and Reviewing the Plan

A Business Continuity Plan (BCP) is a living document that requires regular audits and updates to ensure it remains effective. In this section, we discuss the importance of regular audits and updates, as well as learning from disruptive incidents.

Regular Audits and Updates

During an audit, the BCP is reviewed to ensure that it still meets the needs of the organization. This includes reviewing the BCP’s objectives, scope, and assumptions, as well as the roles and responsibilities of those involved in the plan’s implementation.

Updates to the BCP should be made as necessary to reflect changes in the organization’s structure, processes, and systems. This includes updating contact information for key personnel, revising procedures to reflect changes in technology, and incorporating lessons learned from previous disruptive incidents.

Learning from Disruptive Incidents

The post-incident review should be managed by a designated individual or team who is responsible for ensuring that the review is conducted in a timely and effective manner.

The review should include an analysis of the incident, an assessment of the BCP’s effectiveness, and recommendations for improving the plan.

In conclusion, maintaining and reviewing a BCP is essential to ensuring its effectiveness. Regular audits and updates, as well as learning from disruptive incidents, are key components of this process.

By managing this process effectively, organizations can ensure that their BCP remains relevant and effective in the face of new threats and challenges.

Special Considerations for Small Businesses

Tailoring plans to scale.

When it comes to business continuity planning, one size does not fit all. Small businesses need to tailor their plans to their scale, resources, and unique needs.

This means that they need to identify their critical business functions and prioritize them accordingly. They also need to identify the potential risks and threats that could impact their business and develop plans to mitigate them.

Leveraging Limited Resources

Small businesses may have limited resources, but they can still develop effective business continuity plans by leveraging their strengths. For example, small businesses can rely on their close-knit teams to coordinate their response to a crisis.

They can also leverage their relationships with local vendors and suppliers to ensure that they have the resources they need to keep their business running.

In conclusion, small businesses face unique challenges when it comes to business continuity planning. However, by tailoring their plans to their scale and leveraging their limited resources, they can develop effective plans that help them weather any crisis.

Future Trends in Business Continuity

As technology continues to evolve and new threats emerge, businesses must keep up with the latest trends in business continuity planning to ensure they are prepared for any potential disruptions.

Emerging Threats and Technologies

As the world becomes more interconnected, businesses must be prepared for a wider range of potential threats. Cybersecurity threats , natural disasters, and supply chain disruptions are just a few examples of the types of disruptions that businesses may face in the future.

Emerging technologies such as artificial intelligence and the Internet of Things (IoT) also introduce new risks that must be taken into account.

They must also invest in the latest technologies and tools to help them detect and respond to disruptions more quickly and effectively.

Evolving Best Practices

As businesses gain more experience with business continuity planning , best practices continue to evolve. For example, many businesses are now focusing on developing more resilient supply chains that can withstand disruptions such as natural disasters or geopolitical events.

To stay ahead of evolving best practices, businesses must be willing to adapt their business continuity plans on an ongoing basis. They must also be willing to invest in the latest tools and technologies to help them stay ahead of potential gaps in their planning.

Businesses must be prepared for an uncertain future by staying up-to-date with emerging threats and evolving best practices in business continuity planning.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.

Reach out to understand more about Enterprise Risk Management, Project Management and Business Continuity.

• (888) 244-1912
• [email protected]

• Understanding Business Continuity vs BDR: A Guide
• About Invenio IT
• Business Continuity

7 Real-Life Business Continuity Plan Examples You’ll Want to Read

• May 13, 2024
• 11 min read

It’s no secret that we believe in the importance of disaster preparedness and  business continuity  at every organization. But what does that planning actually look like when it’s put to the test in a real-world scenario?

Today, we look at 7 business continuity examples to show how organizations have worked to minimize downtime (or not) after critical events.

Business Continuity Examples & Failures

1) ransomware disrupts ireland’s healthcare system.

For years, healthcare organizations have been a top target for ransomware attacks. The critical nature of their operations, combined with notoriously lax IT security throughout the industry, are a magnet for ransomware groups looking for big payouts.

But despite the warnings, healthcare orgs still remain vulnerable. A prime example was the 2021 ransomware attack on Ireland’s healthcare system (HSE) – the fallout from which was still being felt nearly a year later.

According to reports, the attack had a widespread impact on operations:

• Dozens of outpatient services were shut down
• IT outages affected at least 5 hospitals, including Children’s Health Ireland (CHI) at Crumlin Hospital
• Employee payment systems were knocked offline, delaying pay for 146,000 staff
• Covid-19 test results were delayed and a Covid-19 vaccine portal went offline
• Appointments were canceled across numerous facilities and medical departments
• Near-full recovery and restoration of all servers and applications took more than 3 months

All told, the attack was projected to cost more than $100 million in recovery efforts alone. That figure does not include the projected costs to implement a wide range of new security protocols that were recommended in the wake of the attack.

Like several of the business continuity examples highlighted below, the Ireland attack did have some good disaster recovery methods in place. Despite the impact of the event, there were several mitigating factors that prevented the attack from being even worse, such as:

• Once the attack was known, cybersecurity teams shut down more than 85,000 computers to stop the spread.
• Disaster recovery teams inspected more than 2,000 IT systems, one by one, to contain the damage and ensure they were clean.
• Cloud-based systems were not exposed to the ransomware.

However, there was some luck involved.

As HSE raced to contain the damage from the attack and secured a High Court Injunction to restrain the sharing of its hacked data, the attackers suddenly released the decryption key online. Without that decryption, HSE would  not  have had adequate data backup systems to recover from the attack. As the group concluded in its  post-incident review :

“It is unclear how much data would have been unrecoverable if a decryption key had not become available as the HSE’s backup infrastructure was only periodically backed up to offline tape. Therefore it is highly likely that segments of data for backup would have remained encrypted, resulting in significant data loss. It is also likely to have taken considerably longer to recover systems without the decryption key.”

2) The city of Atlanta is hobbled by ransomware

There has been no shortage of other headline-making ransomware attacks over the last few years. But one that stands out (and whose impact reverberated for at least a year after the incident) was the March 2018 SamSam  ransomware attack on the City of Atlanta .

The attack devastated the city government’s computer systems:

• Numerous city services were disrupted, including police records, courts, utilities, parking services and other programs.
• Computer systems were shut down for 5 days, forcing many departments to complete essential paperwork by hand.
• Even as services were slowly brought back online over the following weeks, the full recovery took months.

Attackers demanded a $52,000 ransom payment. But when all was said and done, the full impact of the attack was projected to cost more than $17 million. Nearly $3 million alone was spent on contracts for emergency IT consultants and crisis management firms.

In many ways, the Atlanta ransomware attack is a lesson in inadequate business continuity planning. The event revealed that the city’s IT was woefully unprepared for the attack. Just two months prior, an audit found 1,500 to 2,000 vulnerabilities in the city’s IT systems, which were compounded by “obsolete software and an IT culture driven by ‘ad hoc or undocumented’ processes,” according to  StateScoop .

Which vulnerabilities allowed the attack to happen? Weak passwords, most likely. That is a common entry point for SamSam attackers, who use brute-force software to guess thousands of password combinations in a matter of seconds. Frankly, it’s an unsophisticated method that could have been prevented with stronger password management protocols.

Despite the business continuity missteps, credit should still be given to the many IT professionals (internal and external) who worked to restore critical city services as quickly as possible. What’s clear is that the city did have  some  disaster recovery procedures in place that allowed it to restore critical services. If it hadn’t, the event likely would have been much worse.

3) Fire torches office of managed services provider (MSP)

Here’s an example of business continuity planning done right:

In 2013, lightning struck an office building in Mount Pleasant, South Carolina, causing a fire to break out. The offices were home to Cantey Technology, an IT company that hosts servers for more than 200 clients.

The fire torched Cantey’s network infrastructure, melting cables and burning its computer hardware. The equipment was destroyed beyond repair and the office was unusable. For a company whose core service is hosting servers for other companies, the situation looked bleak. Cantey’s entire infrastructure was destroyed.

But ultimately, Cantey’s clients never knew the difference:

• As part of its business continuity plan, Cantey had already moved its client servers to a remote data center, where continual backups were stored.
• Even though Cantey’s staff were forced to move to a temporary office, its clients never experienced any interruption in service.

It was an outcome that could have turned out very differently. Only five years prior, the company had kept all of its client servers on site. But founder Willis Cantey made the right determination that this setup created too many risks. All it would take is one major on-site disruption to wipe out his entire business, as well as his clients’ businesses, potentially leaving him exposed to legal liabilities as well.

Cantey thus implemented a more comprehensive business continuity plan and moved his clients’ servers off-site. And in doing so, he averted disaster. This makes for an excellent business continuity plan case study that demonstrates how proper planning can significantly reduce the risk of a major operational disruption.

4) Computer virus infects UK hospital network

In another  post , we highlighted one of the worst business continuity examples we saw in 2016 – before ransomware had become a well-known threat in the business community.

On October 30, 2016, a nasty “computer virus” infected a network of hospitals in the UK, known as the Northern Lincolnshire and Goole NHS Foundation Trust. At the time, little was known about the virus, but its impact on operations was devastating:

• The virus crippled its systems and halted operations at three separate hospitals for five days.
• Patients were literally turned away at the door and sent to other hospitals, even in cases of “major trauma” or childbirth.
• In total, more than 2,800 patient procedures and appointments were canceled because of the attack. Only critical emergency patients, such as those suffering from severe accidents, were admitted.

Remarkably, a report in Computing.co.uk speculated that there had been  no  business continuity plan in place. Even if there had been, clearly there were failings. Disaster scenarios can be truly life-or-death at healthcare facilities. Every healthcare organization must have a clear business continuity plan outlined with comprehensive measures for responding to a critical IT systems failure. If there had been in this case, the hospitals likely could have remained open with little to no disruption.

The hospital system was initially tight-lipped about the attack. But in the year following the incident, it became clear that ransomware was to blame – specifically, the Globe2 variant.

Interestingly, however, hospital officials did not say the ransomware infection was due to an infected email being opened (which is what allows most infections to occur). Instead, they said a misconfigured firewall was to blame. (It’s unclear then exactly how the ransomware passed through the firewall—it may have come through inboxes after all.) Unfortunately, officials knew about the firewall misconfiguration before the attack occurred, which is what makes this incident a prime example of a business continuity failure. The organization had plans to fix the problem, but they were too late. The attack occurred “before the necessary work on weakest parts of the system had been completed.”

5) Electric company responds to unstable WAN connection

Here is another example of well-executed business continuity.

After a major electric company in Georgia  experienced failure  with one of its data lines, it took several proactive steps to ensure its critical systems would not experience interruption in the future. The company implemented a FatPipe WARP at its main site, bonding two connections to achieve redundancy, and it also readied plans for a third data line. Additionally, the company replicated its mission-critical servers off-site, incorporating its own site-failover WARP.

According to Disasterrecovery.org:

“Each office has a WARP, which bonds lines from separate ISPs connected by a fiber loop. They effectively established data-line failover at both offices by setting up a single WARP at each location. They also accomplished a total site failover solution by implementing the site failover between the disaster recovery and main office locations.”

While the initial WAN problem was minimal, this is a good example of a company that is planning ahead to prevent a worst-case scenario. Given the critical nature of the utility company’s services (which deliver energy to 170,000 homes across five counties surrounding Atlanta), it’s imperative that there are numerous failsafes in place.

6) German telecom giant rapidly restores service after fire

Among the better business continuity examples we’ve seen, incident management solutions are increasingly playing an important role.

Take the case of a German telecom company that discovered a dangerous fire was encroaching on one of its crucial facilities. The building was a central switching center, which housed important telecom wiring and equipment that were vital to providing service to millions of customers.

The company uses an incident management system from Simba, which alerted staff to the fire, evaluated the impact of the incident, automatically activated incident management response teams and sent emergency alerts to Simba’s 1,600 Germany-based employees. The fire did indeed reach the building, ultimately knocking out the entire switching center. But with an effective incident management system in place, combined with a redundant network design, the company was able to fully restore service within six hours.

7) Internet marketing firm goes mobile in the face of Hurricane Harvey

Research shows that 40-60% of small businesses never reopen their doors after a major disaster. Here’s an example of one small firm that didn’t want to become another statistic.

In August 2017, Hurricane Harvey slammed into Southeast Texas, ravaging homes and businesses across the region. Over 4 days, some areas received more than 40 inches of rain. And by the time the storm cleared, it had caused more than $125 billion in damage.

Countless small businesses were devastated by the hurricane. Gaille Media, a small Internet marketing agency, was  almost one of them. Despite being located on the second floor of an office building, Gaille’s offices were flooded when Lake Houston overflowed. The flooding was so severe, nobody could enter the building for three months. And when Gaille’s staff were finally able to enter the space after water levels receded, any hopes for recovering the space were quickly crushed. The office was destroyed, and mold was rampant.

The company never returned to the building. However, its operations were hardly affected.

That’s because Gaille kept most of its data stored in the cloud, allowing staff to work remotely through the storm and after. Even with the office shuttered, they never lost access to their critical documents and records. In fact, when it came time to decide where to relocate, the owner ultimately decided to keep the company decentralized, allowing workers to continue working remotely (and providing a glimpse of how other businesses around the world would similarly adapt to disaster during the Covid-19 pandemic three years later).

Had the company kept all its data stored at the office, the business may never have recovered.

Examples of business continuity failures

Some of the real-life business continuity examples above paint a picture of what can go wrong when there are lapses in continuity planning. But what exactly do those lapses look like? What are the specific mistakes that can increase a company’s risk of disaster?

Here are some examples of business continuity failures due to poor planning:

• No business continuity plan: Every business needs a BCP that outlines its unique threats, along with protocols for prevention and recovery.
• No risk assessment: A major component of your BCP is a risk assessment that should define how your business is at risk of various disaster scenarios. We list several examples of these risks below.
• No business impact analysis: The risk assessment is useless without an analysis of how those threats actually affect the business. Organizations must conduct an impact analysis to understand how various events will disrupt operations and at what cost.
• No prevention: Business continuity isn’t just about keeping the business running in a disaster. It’s about risk mitigation as well. Companies must be proactive about implementing technologies and protocols that will  prevent  disruptive events from occurring in the first place.
• No recovery plan:  Every disaster scenario needs a clear path to recovery. Without such protocols and systems, recovery will take far longer, if it happens at all.

Examples of threats to your business continuity

It’s important to remember that business-threatening disasters can take many forms. It’s not always a destructive natural disaster. In fact, it’s far more common to experience disaster from “the inside” – events that hurt your productivity or affect your IT infrastructure and are just as disruptive to your operations.

Example threats include:

• Cyberattacks
• Malware and viruses
• Network & internet disruptions
• Hardware/software failure
• Natural disasters
• Severe weather
• Flooding (including pipe bursts)
• Terrorist attacks
• Office vandalism/destruction
• Workforce stoppages (transportation blockages, strikes, etc.)

The list goes on and on. Any single one of these threats can disrupt your business, which is why it’s so important to take continuity planning seriously.

Business continuity technology

Within IT, data loss is often the primary focus of business continuity and disaster recovery (BC/DR). And for good reason …

Data is the lifeblood of most business operations today, encompassing all the emails, files, software and operating systems that companies depend on every day. A major loss of data, whether caused by ransomware, human error or some other event, can be disastrous for businesses of any size.

Backing up that data is thus a vital component of business continuity planning.

Today’s  best data backup systems  are smarter and more resilient than they were even just a decade ago. Solutions from Datto, for example, are built with numerous features to ensure continuity, including hybrid cloud technology (backups stored both on-site and in the cloud), instant virtualization, ransomware detection and automatic backup verification, just to name a few.

Like other BC initiatives, a data backup solution itself won’t prevent data-loss events from occurring. But it does ensure that businesses can rapidly recover data if/when disaster strikes, so that operations are minimally impacted – and that’s the whole point of business continuity.

Examples of business continuity plan

By now, you’re starting to get the picture: business continuity planning is crucial. But how do you actually create the plan? What does the document look like?

While each business’s BCP is unique to its needs, the foundation of the plan is generally the same for most organizations. The core goal is to document a company’s risks and outline what is needed to avoid an operational disruption.

Here are some examples of business continuity plan components to include in your documentation:

• Objective: Outline the key goals of the plan, especially as they relate to specific business units or systems.
• Contact Information: Include communication information for the people responsible for overseeing continuity planning or for those who will manage disaster recovery efforts.
• Risk Assessment: Outline the specific disaster scenarios that put the business at risk of an operational disruption and their likelihood of occurring.
• Business Impact Analysis: Document in clear terms how each type of disaster will affect the business, including impact on various operations, estimated recovery time and associated financial losses.
• Preventative Measures: Outline the procedures, plans and systems that will help the company minimize the risk of various disasters from occurring.
• Disaster Response Plan: Document the specific protocols that should be followed immediately following a disruption to minimize the impact.
• Business Continuity & Disaster Recovery Systems: Outline the systems and procedures that should be used to maintain continuity or recover from an outage.
• Backup Locations & Contingency Assets: Identify any secondary resources that should be leveraged if primary resources are unavailable, such as backup office spaces, servers, devices, office furniture and so on.
• Communication Plan: Outline how the organization will distribute information to employees or between recovery teams if primary communication lines are unavailable.
• Continuity Testing: Document how recovery procedures and systems in the plan should be tested to confirm they are effective, and the frequency for conducting those tests.
• Continuity Gaps & Recommendations: Be clear about any limitations in the current planning and what steps are recommended to fill those gaps.
• Plan Review & Update Schedule: Create a schedule for reviewing and updating the business continuity plan to ensure the documentation remains accurate and relevant.

Examples of business continuity plans can differ by industry, but most companies will want to incorporate all of the components above, regardless of business size or sector.

Business continuity plan case study

In February 2023, a ransomware attack struck Karmak – a prominent technology solutions provider for the trucking industry. However, the company acted quickly to contain the attack before it disrupted its operations or customers, providing a solid case study for how to maintain continuity during a cyberattack.

Karmak’s business continuity planning played a key role in averting disaster. According to an industry trade publication, Karmak had a “detailed cyberattack response plan, which went into effect immediately after the attack.” The company used security monitoring solutions to detect and thwart the attack. Plus, employees had been rigorously trained on cybersecurity and knew how to respond.

End result: Karmak contained the attack within hours, preventing customer data from breached and minimizing the impact on internal systems.

Frequently Asked Questions

1. what is an example of business continuity.

Any scenario in which a business can continue to operate through a disruptive event is an example of business continuity. For example, a company facing a ransomware attack might maintain business continuity by restoring infected files from a data backup.

2. What are examples of business continuity plans?

An example of a business continuity plan is a comprehensive document that assesses a business’s risk for operational disruptions and outlines the steps for avoiding such disruptions. Example components of the plan include a risk assessment, business impact analysis, communications plan and disaster recovery plan.

3. What is a real-life example of business continuity?

The Covid-19 pandemic illustrated many real-life examples of business continuity. Companies took several measures to continue operating during the health crisis, such as allowing employees to work from home, instituting physical distancing and providing protective equipment to critical workers.

Avert disaster with the technology your business needs

Avoid a major operational disruption with today’s best technology for business continuity, disaster recovery and cybersecurity. Schedule a meeting with one of our data-protection specialists at Invenio IT or contact us by calling (646) 395-1170 or by emailing  [email protected] .

Join 23,000+ readers in the Data Protection Forum

Related articles.

Do you know what makes Datto Encryption So Secure?

The Truth about All Datto SIRIS Models for BCDR

Where’s My Data? 411 on Datto Locations around the Globe

2023 Guide to Datto SaaS Protection for M365 and Google Workspace

5 Datto Competitors to Compare (Plus Some Free Alternatives)

Cybersecurity.

© 2023 InvenioIT. All rights reserved.

Being prepared, ready and resilient

• Call for Change
• When Tech Meets Human Ingenuity
• A Valuable Difference
• Meet the Team
• Related Capabilities

Call for change

While risk is a fact of life for any business, there are times when even those that have learned to expect the unexpected can be taken by surprise. Accenture’s approach to business resilience demonstrates that, with the right plans, processes and people in place, it is possible to be ready for anything.

Business continuity can be affected by many different situations. From natural disasters to cybersecurity incidents, civil unrest to turbulent financial markets—not to mention unexpected health and humanitarian events such as the global pandemic—businesses are under pressure to minimize disruption and be more resilient.

Accenture’s experience of managing disruption is based on years of preparedness. We have introduced intelligent tools that enable us to be agile and adapt, with robust plans that validate and recalibrate our approach so that we can be prepared for whatever comes our way.

But it’s not all about preparation. We have changed the way we manage and deliver services, internally and externally, to counter shockwaves of change. And we have invested in technologies and enabled a digital workforce so that we are flexible and ready to make the impossible, possible.

Any business is only as resilient as its weakest link. With a robust business resilience capability embedded across the organization, we can not only continue to serve our clients but also work with them to help them do the same.

"We are prepared for the worst by being ready with the best of our systems and services—not forgetting our people performing on their best day, every day." — MARGARET SMITH , Senior Managing Director – Corporate Services & Sustainability and Business Operations, Accenture

When tech meets human ingenuity

Our business resilience strategy supports how we operate as a company, starting with our global client base of leading household names, underpinned by our internal functions (such as Global Asset Protection, Travel, Procurement, Workplace, Technology , Finance , Information Security , Legal and Human Resources) and supported by the collaborations of our third-party ecosystem.

With a business landscape that is constantly changing, it’s important to make sure that technologies are working in harmony with our people so that we can align to industry leading practices and overcome challenges.

The focus of our global approach includes first to be prepared so challenges do not overwhelm our organization. We take steps to secure the safety and well-being of our people who, in turn, embrace the business resilience program through education and ongoing awareness. We ensure that continuity plans are developed consistently and integrated with response and crisis processes. Exercises are used to validate our plans. A range of exercise scenarios (including pandemic) are performed at least annually, and results capture improvement actions so that the implemented strategy remains effective. 

Second, we are ready by identifying priorities and making sure we are able to respond if threats become a reality. Accenture resilience processes support robust emergency response and crisis management. Preventative and contingency measures are taken to minimize the impact on people and services. Our operational teams identify essential and business-critical processes for vital functions such as employee payroll and supply chain to keep goods moving. And our Global Asset Protection team offers 24/7 monitoring to keep pace with changing conditions around the world.

Finally, we focus on being resilient in the long term. We are proactive, with sustainable plans that mitigate the impact of volatility, backed by strong leadership, integrated processes and ongoing collaboration.

In addition, our business resilience programs are supported by policies and we align methods to industry standards and practices so we can grow and evolve our capabilities relevant to the changes around us.

Like many global organizations, Accenture depends on a range of activities being performed extensively across Accenture’s locations around the world. For example,  70% of our Finance team’s services  are performed in  intelligent operations  centers and many involve complex accounting, business and tax advisory activities—making business continuity a priority.

We rely on the simplicity, automation and preparedness that comes from technology transformation. For example, we have deployed cloud-based business resilience management software that sits on the Salesforce platform and provides greater analytics and insights.

In this way, we invest in and draw on best-in class technologies to automate and integrate, so that we can work faster and smarter. And also, we make sure we realize the full value from these technologies, so that we can disrupt and innovate the processes that we run to help future-proof our business.

"Our dedicated professionals are working across our business to drive out leading practices—the bedrock of being prepared, ready and resilient." — ERIN HARRIS , Managing Director – Corporate Services & Sustainability, Business Resiliency Services, Accenture

Our strategy Three core plans make up the business resilience program:

Business continuity focuses on developing and implementing processes to support continued business operations. Accenture employs a range of capabilities to support business continuity planning that use our own methodology, following industry guidelines and standards. We undertake standardized analysis and reviews to identify critical business processes and the resources they rely on. We develop and implement solutions based on risks and requirements, conducting training (in-house and with vendors) and maintaining and measuring compliance.

Technology continuity focuses on the technology required to continue mission-critical systems. Our capabilities to support technology continuity include geographic distributions of data centers and service providers across multiple locations, data backup to maintain data integrity, specialist support teams with 24x7x365 coverage, standardized processes and testing and exercising programs to validate effectiveness.

Crisis management focuses on Accenture people and facilities—preventing, mitigating, preparing for, responding to and recovering from conditions that threaten life, property, or operations. Our people are our first priority—but in taking care of our people, we are also taking care of our business continuity for our clients. Accenture supports crisis management with dedicated teams; for example, the Global Asset Protection team was a huge part of our early and swift response to the global pandemic, setting up a Pandemic Task Force in China and surrounding areas in January 2020. We also created a global people emergency communication system and a 24x7 Accenture Security Operations Center (ASOC)—a global watch program to advise our people on safety, security, health and travel and specialist risk intelligence that is shared across the world.

In the past 15 years, we have seen many extreme events in various corners of the world that had the potential to seriously impact business continuity. From the volcanic ash eruption in Iceland that caused enormous disruption to air travel across western and northern Europe in 2010, to a major hurricane in the United States in 2016 or a global cyberattack in 2017, we have seen and dealt with our fair share of crises. In each situation, our crisis management teams were not only prepared to handle the event, but also skilled in understanding the specific needs of those circumstances, through effective collaboration, agile response and being able to manage uncertainty.

One of the areas of specialty that has proved especially helpful in the last year has been our team handling infectious disease outbreaks. Accenture has a global Infectious Disease Plan (IDP) which provides preventative measures and recommends pre-planning for, and responses to, situations such as COVID-19.

The plan includes inputs from leading health authorities (such as the World Health Organization (WHO), Centers for Disease Control (CDC) and respective regional and local health agencies. We adjust global and location actions based on developing situations and support regional and local business resilience teams following a defined crisis management process.

As a result, our ability to manage the fallout from the pandemic was eased by a robust and well-informed team. It was able to put in place the plans and people to deliver a timely and response that was right for us and our business. For instance, we enabled 95% of Accenture people to work from home, including 350,000 delivery center people, while completing 42 acquisitions and establishing 100 Return to Office Workplace protocols.

"Now, our corporate functions and client projects can manage disruption using their business continuity assessments and plans—enabling end-to-end business resilience." — PENELOPE PRETT , Chief Information Officer, Accenture

A valuable difference

Accenture uses multiple methods to support business resilience. But at the heart lies our strategies around people (running award-winning learning programs on remote working), infrastructure (deploying uninterrupted power supplies and secure connectivity) and technology (providing soft phones and privacy screens).

Our business continuity planning isn’t limited to how we provide our client services. We also bake in business continuity for our functions and facilities that support those client services. With such a comprehensive, end-to-end strategy in place, we can realize business resilience for more than a single corporate function. We include every aspect of how we operate, serve and run—and are able to do all those things quickly and easily.

Two elements are helping us to respond in such an agile manner. First, we have modified our technology approach toward a “one person, one machine” strategy. This means we have 710,000 people, all using workstations and mobiles that can communicate securely and reliably in every corner of the world.

Second, Accenture IT infrastructure runs in the  hybrid cloud . That not only means we’re saving cost by spending half as much as our legacy delivery models, but also gives us new IT potential through flexible and resilient capabilities.

Above all, we are successful in executing business resilience because we work together, better than ever. We bring together specialists in various disciplines across the organization to deliver an integrated, cross-functional strategy and enjoy the shared success of a more robust, resilient business.

What we do for clients We use the same framework that we use for ourselves to support resilience for our clients. We are able to apply lessons learned around agile workforces and flexible plans to support clients’ business continuity.

Accenture’s agility-first approach includes three core options that help businesses be more resilient:

Remote work

An agile workforce that is able to work remotely. What’s involved? The workforce must use laptops. Connectivity over the public internet must be possible. Security controls, public services stability and regulations will all influence remote working.

Redirect work

A distributed workforce that provides location resilience. What’s involved? Multiple locations need to be used for service delivery and time zones taken into account. Languages, skills and access to applications need to be agreed when the plan is activated.

Relocate work

A flexible workforce that is able to physically move from one location to another. What’s involved? Only used when Remote and Redirect is not an option. Involves laptop-enabled users for greater agility and consideration of physical security controls (restricted work area vs open area).

Continuity from collaboration

A combination of resilience options could offer a more agile response and continuity of services; for example, combining remote and redirect or redirect and relocate.

The Accenture business resilience program is aligned to the industry standards (ISO22301, ISO20000, ISO 27001) and certified in all India and Philippines locations, plus the China and United Kingdom Advanced Technology Centers.

Although we recognize that no one can guarantee 100% continuity in the event of a crisis due to the uncertain nature of situations, we have seen that bringing together effective collaboration with robust continuity plans is helping our organization to not only build resilience, but also help our clients to manage change.

Business resilience professionals around the globe supporting our clients

Clients supported globally

Countries supported with business continuity plans

Continuity plans implemented

Meet the team

Margaret Smith

Arlin Pedrick

Erin Harris

Tony Leraris

Gary Cooper

Traci Stewart

Related capabilities, corporate services & sustainability.

These teams are enabling innovation, growth and business continuity for Accenture.

How Accenture does IT

Finance at accenture.

More From Forbes

Business continuity management lessons from the pandemic.

• Share to Facebook
• Share to Twitter
• Share to Linkedin

Head of Market Lab Operations at  Ericsson .

Until a year ago, operations managers charged with business continuity predominantly focused on natural disasters, human error, cyberattacks and insider threats. In 2017, for instance, the top reasons cited for a business continuity plan were: minimizing downtime, protecting what's important, communicating with confidence, resuming operations and ensuring full recovery — all of which superseded the imperative to ensure employees' physical and mental well-being over an unprecedented period of time.

With a jolt and scarce previous experience, 2020 brought the sharp need to manage a pandemic and its potential impact of large-scale global business disruption.

A year into the Covid-19 pandemic, the havoc to lives continues to take its toll, and we are finding ourselves continually re-defining normalcy of business operations while prioritizing the well-being of company employees. While there is controversy in comparing this pandemic to WWII , the sense of what we are experiencing in the global community is that every one of us will eventually know firsthand of casualty and loss — be that a family member, friend or colleague.

Undoubtedly, in years to come, we will learn more to help businesses be better equipped to deal with a global pandemic. This article is an aggregation of firsthand experience and observations over the past year, intended to provoke thinking toward a more refined and structured approach to business continuity management (BCM) during a global pandemic.

As the pandemic grew worldwide, business operations had to quickly minimize potential impacts while rapidly enabling a remote workforce and implementing safe practices. Because of these shifts, physical access controls had to be doubled-up and synchronized with country and local regulations. In the midst of information (or lack thereof), decisions on mitigation steps had to be rationalized in the context of what, at best, minimized the risk of infection. Machine redundancy became secondary to ensuring each employee with critical skills or roles had a backup and were physically isolated.

Best High-Yield Savings Accounts Of 2024

Best 5% interest savings accounts of 2024.

Management required quick and practical training on how to keep their employees healthy, as well as how to communicate appropriately. The need for real-time and parallel interdepartmental communication became paramount. Close internal engagements with human resources, security and environment, health and safety functions became the priority. Traditional external partnerships with suppliers had to be augmented with more engagement in interest groups looking at common challenges, such as deep cleaning solutions for technical environments and long-term effects of cleaning methods on sensitive equipment. Connectivity became king, and a mobile workforce was no longer optional. 

In this environment, volume partnerships with communication providers ensured uninterrupted productivity for remote workers. Clear, frequent and transparent communication and reporting have never become more essential or required more consistency. Written words often lend themselves to multiple interpretations while answers to questions lead to a plethora of sub-questions. Real-time group and individual engagements preempt the weaknesses of multiple interpretations of mass emails.

Nothing has made the world a smaller place than this pandemic. Awareness and detailed knowledge of the differences in intra-country and global regulations have become a priority wherever any aspect of the business had interdependencies outside its immediate geography. Operating decisions for the short- and long-term called for gathering perspectives in discussion groups along with using instinct and insight for dealing with unknowns. As many of us experienced firsthand, dealing with conventional disasters using associated documentation left large gaps between the questions of "what to do?" and "how to do it?"

Because of this experience, organizations need to rethink their approach for BCM with focus on at least the following elements:

• Infrastructure enhancements and security hardening for large-scale remote working

• Process development for physical access with appropriate restrictions in the workplace

• Synchronization of regular and emergency communications for extended periods of time

• Workforce lifeboat analysis and development of competence redundancies

• Detailed short-term and flexible succession plans to maintain "command" and "control"

• Development and inclusion of external partnerships in the areas of health science

Modification of BCM documentation to handle multiple disasters given the pandemic has been in a continuum, and businesses have had to also manage through disruptions, for example, as those caused by severe weather events.

As for any type of business disruption, the cost of preparation and minimization of impact could be driven by cost-benefit analyses. We should always remember that the impacts are protracted over an unknown extended period and that the benefits of prioritizing our humanity are not so easy to quantify. Adding more machine and technical redundancy solutions does not take care of the human requirements. Our resilience as humans has never been put more to the test or required more mutual support than during this time.

The views in the article do not represent or reflect Ericsson and are the sole views of the author. 

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

• Editorial Standards
• Reprints & Permissions

The browser you are using is not supported by this website. All versions of Internet Explorer are no longer supported, either by us or Microsoft (read more here: https://www.microsoft.com/en-us/microsoft-365/windows/end-of-ie-support ).

Please use a modern browser to fully experience our website, such as the newest versions of Edge, Chrome, Firefox or Safari etc.

Evaluation of Business Continuity Management - A case study of disaster recovery during the Covid-19 pandemic

• Fredrik Tegström
• Filip Nilsson

Summary, in English

Department/s

• Engineering Logistics
• Department of Industrial Management and Logistics

Publishing year

• Available as PDF - 9 MB
• Download statistics

Document type

Student publication for Master's degree (two years)

• Business and Economics
• Business continuity
• Disaster recovery
• Continuity planning
• Andreas Norrman

Scientific presentation

• Popular Summary - Evaluation of Business Continuity Management

You are using an outdated browser. Please upgrade your browser or activate Google Chrome Frame to improve your experience.

• Thought Leadership

Browse all Knowledge

Get the latest thinking in business continuity and resilience. From in-depth, sector-by-sector analysis and opinion to case studies, reports and webinars – you can find it all here.

BCI World Hybrid 2024 - ROI Guide

• Reference and Guides

Operational resilience: beyond theory

• The organisational environment
• The business continuity environment

The BCI Update Series: Cyber Resilience Report 2024

• Research Report
• Policy and programme management

BCI Operational Resilience Report 2024 EMEA Launch

BCI Operational Resilience Report 2024 APAC Launch

BCI Operational Resilience Report 2024 Americas Launch

BCI Operational Resilience Regional Outlook 2024 Middle East

BCI Operational Resilience Regional Outlook 2024 Australasia

BCI Operational Resilience Regional Outlook 2024 Europe

• Disaster recovery planning and management

Free1970 - stock.adobe.com

Real-life business continuity failures: 4 examples to study

Business continuity failures are costly and can significantly harm a company's reputation. These four high-profile examples demonstrate what can go wrong when a plan fails.

• Stuart Burns

The best business continuity planning happens before an incident takes place, but IT teams can use examples of others' failure to bolster their own planning.

No one likes publicizing their mistakes, and organizations that experience a business continuity crisis are no different. Because each business continuity failure presents a learning opportunity for other businesses, it's unfortunate that real-life examples can be hard to track down -- that is, unless the organization has a high-enough profile for the issue to make the news.

Although IT teams won't be able to read a news article and understand a particular company's business continuity plan and how it helps critical business functions continue in the event of serious disruption or disaster, they can use such failures to see the aspects of a company's plan that were likely missing or followed incorrectly.

Below are four examples of major business continuity failures, how they happened and what IT teams can do to prevent the same thing from happening at their organizations.

FAA system failure causes U.S. ground stop

On Jan. 11, 2023, thousands of flights across the U.S. were grounded due to an hourslong Federal Aviation Administration (FAA) system outage of the Notice to Air Missions (NOTAM) database. NOTAM is a critical system that pilots must consult before takeoff to inform them of hazards and runway closures.

The NOTAM system is also old.

While the FAA said the root issue was a deleted file, the outage time could have been significantly reduced if the legacy infrastructure had offered the high availability of more up-to-date systems . It might be a tall order to replace a longstanding, internationally used system such as NOTAM, but organizations that are resistant to replacing existing systems can learn from this business continuity failure. Outdated systems that prevent implementing current standards and recovery times make business continuity more difficult than it already is.

Lessons: IT teams in organizations that -- for whatever reason -- cannot replace outdated legacy systems should prioritize business continuity strategies such as knowing how to test without interrupting operations, finding high availability processes and verifying backup integrity. They can also point to high-profile incidents such as the FAA system outage as evidence for new system needs.

Microsoft Azure/Office outage halts users internationally

Also in January 2023, Microsoft had a major outage that affected users across the globe, but especially in Europe .

The outage left many business and personal users unable to access email and files or manage Azure infrastructure. The root cause was eventually tracked down to a bad routing change Microsoft made to its core routing infrastructure.

Lessons: Unfortunately, no one-size-fits-all fix for cloud computing exists. Larger businesses can mitigate outages by using multiple zones. In that situation, each region has multiple data centers that are hundreds of miles away from each other and share no resources, so loss of a single zone does not take down the environment.

Smaller companies might find it is more useful to use built-in disaster recovery tools, such as those in Azure , to completely fail over and get back up running quickly. This does require some preplanning, but does not require the complexity and cost of a multizone setup with redundancy.

Larger organizations with higher availability requirements can instead use the availability features to handle a downed data center by having redundancy and rerouting of traffic.

Fire damages OVHcloud's data center -- and reputation

Not even the biggest companies with endless resources can prevent natural disasters from occurring. In the case of extreme weather, business continuity is a matter of being prepared. Unfortunately, OVHcloud was not.

In March 2021, one of the cloud provider's data centers caught fire, and the fire suppression measures were not up to the job. Many clients woke up to find their rented servers offline. To make things worse, one of the backup arrays was completely destroyed in the fire, losing critical backups that the service provider could have used to recover customer data.

This crisis did not only affect immediate business functions -- OVHcloud's reputation suffered due to the outage, and it was the subject of a $10 million class-action lawsuit from more than 140 of its clients.

Lessons: The OVHcloud business continuity failure illustrates the importance of the 3-2-1 rule of data backup . Multiple backups, on different hardware, in different locations is the most surefire way to ensure data is safe in a fire or natural disaster. That way, if the data center is destroyed, there is still a data backup elsewhere that the client can restore to get services working again.

Ransomware compromises NHS Foundation Trust

The National Health Service (NHS) is one of the largest employers in the U.K. Downtime costs significant money and endangers public healthcare, making the Aug. 4, 2022, ransomware attack on the NHS a prime example of a disastrous business continuity failure.

The attack, which targeted a major software provider for the NHS, took several months to remediate fully. During the initial stages, the front-line staff had to revert to pen and paper, and make do with whatever records they had that were not computer-based. Part of the delay in service restoration was the impact to legacy systems.

However, there was a bigger problem with this failure: hidden shadow IT systems installed by employees with little to no professional IT oversight.

Lessons: Legacy IT systems frequently incur a higher maintenance cost and are more likely to be neglected when it comes to maintenance and updates. It is easier said than done, but one way to avoid these issues is replacing legacy systems.

Organizations must also have strict policies regarding the acquisition and management of IT systems and software. Any purchase must be tightly managed and done in conjunction with IT staff approval, since they are often aware of issues that less technically savvy managers might not know about.

Dig Deeper on Disaster recovery planning and management

OVHcloud debuts ‘comprehensive’ carbon calculator for customers

OVHcloud opens India datacentre

FAA outage highlights importance of high availability

Understand risk landscapes and reduce potential disruptions through industry leading business continuity services, standards and support.

Rigorous business continuity review and planning is critical to ensure your operations remain secure in the face of unexpected events.

We can help you build operational stability through business continuity and quality standards, hybrid audit and expert training.

Global standards, training and qualifications to prepare you for the future

We are committed to providing our clients with impartial and independent certification services. Because of this, we are not able to provide management system or product consultancy services and certification services to the same client where there may be a conflict of interest. This message will appear as a reminder on future visits to our site.

Your continuity assured by a world-leading certifier, auditor and trainer

Lower and assess your risk with internal and supply chain hybrid audits, in-person or remotely.

Certification to ISO 22301 - Business continuity management and other key management standards.

Audit and verification services to help you continuously manage and improve your business.

Training for every aspect of business continuity from crisis management to impact assessments.

Advanced frameworks for threat prevention and management

Identify and manage current and future business threats with ISO 22301, which equips you to proactively minimize the impact of incidents and keep critical functions running during crises, minimize downtime, and improve recovery time.

Manage risk confidently through world-leading standards

Build operational, economic, and strategic certainty by implementing risk management and business continuity standards to ensure the long-term success of your organization. Popular options include ISO 22301 and ISO 31000.

Bringing together experts in business continuity

David bernstein, principal consultant, business continuity.

Mr. Bernstein has overseen emergency planning and response initiatives spanning individual hospitals to multi-facility health networks nationwide.

Your partner in your business continuity management journey

• Requirement
• Disruptive Incidents
• System Maintenance

We help you assess and explore your unique requirements

Whether you’re getting started, need some help moving through the process, or want to restructure your programme, we’re here to help. We use industry best practices and appropriate standards to develop plans and identify potential gaps.

Learn how to minimize the impact of disruptive incidents

With deep experience in developing, assessing, implementing, training and exercising plans, our team will review and improve your continuity planning through engaging with your leadership as well as internal and external stakeholders.

Get independent assessment, certification and help maintaining your system

Through the adoption of our Business Continuity Management Lifecycle, you'll get support from us to develop an understanding of your organization’s requirements, gaps and constraints and help you to design a tailor-made roadmap.

We continuously support and help train your teams on business continuity

We deliver and help implement a Business Continuity plan focused on your organization's mission and goals; this represents a proactive approach to support prevention and mitigation efforts alongside reducing overall operational impact from incidents.

Empowering your people and strengthening business continuity

We engage with you over business continuity on multiple fronts including auditing, training and helping you implement standards.

BSI Hybrid audit programme

Combining the best of in-person and remote audits, we help you to streamline processes, delivering audits efficiently for better business continuity.

Independent advisory services

Wherever you are on your business continuity journey, our expert team can advise and guide you, helping enhance your knowledge and capabilities.

Training with BSI Academy

From writing a plan to implementing and auditing ISO 22301, our training services are designed to help you maximize your potential

Standards implementation and certification

Whether you want to prepare for, implement, certify to or maintain a business continuity management framework, our experienced experts can help.

Talk to us about your business continuity requirements

For advice, assessment, training or our management systems certification, our experts are available to assist you in the next step of your journey.

Case Study: How a leading Australian financial institution achieved value from their business continuity system

GRC 20/20 has evaluated, and reviewed the deployment of the ReadiNow platform in a distributed, dynamic and disrupted financial institution.

This detailed case study covers how the organization accomplished the following objectives:

• Create a risk profile for an asset type with one or more relevant risk events, associated Key Risk Indicators (KRI’s) and Risk Controls.
• Manage and assign security risks to the institutions assets.
• Compare and analyze risk in order to determine the level of controls/treatment required for an asset.
• Analyze history and trends and provide insights into the emergence of risks and test the effectiveness of controls through modeling, analytics, and reporting.
• Integrate multiple data feeds from different sources to maintain data accuracy and relevance.
• Support the asset assurance process to ensure controls are implemented and maintained.
• Assess inherent and residual risk and feed this into the risk model.
• Establish the relationship between risks, controls, and asset types to ensure that controls applicable to the risk and asset type are available for selection.
• Measure of likelihood and impact reduction factors associated with the control.
• Record Risk acceptance for any recommended controls that are not implemented.

Download this 14 page case study and ensure that your governance, risk and compliance solution is agile enough to adapt at the speed that the business requires.

Download The Case Study

Readinow corporation.

Suite 202, Level 2 55 Clarence Street Sydney  NSW  2000

Call Us: 1800 153 153

Email Us: [email protected]

• The ReadiNow Platform
• The ReadiNow Difference
• Integrated Risk Management
• Business Solutions
• News & Blog
• Work With Us

• Publishing Policies
• For Organizers/Editors
• For Authors
• For Peer Reviewers

Critical Success Factors Of Effective Business Continuity Management: A Malaysian Case Study

This paper examines the critical success factors of effective Business Continuity Management (BCM) practiced by Malaysian organizations. The effectiveness of BCM is measured by the overall organizational performance which comprise of financial and non-financial performance indicators. For purpose of data collection, conventional and electronic survey questionnaires were deployed to a total of 147 organizations nationwide involving the private and public sectors. This study managed to obtain 77 usable responses from the respondents which reflecting 55 percent of effective response rate. Using the multiple regression analysis techniques, the study reveals that external requirement and embeddedness of continuity practices have significant relationships with the overall organizational performance. Meanwhile, the management support and organizational preparedness are not significantly related to overall organizational performance. Theoretically, the research framework is supported by the Resource Base View (RBV), crisis management and stakeholder theories. The study contributes in the theoretical framework for understanding the critical success factors that affect the establishment of effective BCM in an organization that eventually lead to superior performance. This study believes that by understanding the relationships, it could contribute to the betterment of the overall organizational performance. Furthermore, this paper also highlights the limitation of the study and recommendation for future researches. Keywords: Business continuity management critical success factors Malaysian case study

Introduction

In general, Business Continuity Management (BCM) is considered as an important component of the enterprise risk management. BCM comprises of proactive and reactive strategies of managing risk through business continuity planning. The strategies include either risk avoidance or risk mitigation, which is handled via risk sharing, reduction and transfer which are established before an unplanned disruptive event happens. Previous studies also revealed that a positive association between risk incidents and monetary loss ( Gatzert & Schmit, 2016 ). Generally, BCM strategy primarily focuses on the activities that take place after the occurrence of a disaster incident and it aims to resume the services to normalcy swiftly and efficiently.

The primary motivation for organizations to develop BCM strategy is to make sure that they already established a workable mitigation procedures prior to a crisis event so that it will facilitate the fast and effective recovery of critical business functions following a disastrous situation ( Morwood, 1998 ). It also aims at heightening the confidence level and developing a corporate wide resilience competency that will consequently enhance the organization’s defensive capability to counter various types of threats so that organizations could ensure its continuous survival ( Elliott, Swartz, & Herbane, 2010 ; Garcia, 2008 ). In addition, enterprise resilience is considered as a capability that supports organizations to withstand business disruptions in order to adapt and continue to remain relevant in the uncertain and rapidly changing business atmospheres ( Starr, Newfrock, & Delurey, 2003 ).

In Malaysia, the implementation of BCM varies in different types of industry. In general, industries with most comprehensive BCM program, in descending order, are financial services, telecommunication, multinational oil and gas companies, airline, and aerodrome operators ( Lin, 2008 ). Meanwhile, other industries are less structured and are more on ad-hoc basis.

Problem Statement

The September 11, 2001 and great Indian Ocean Tsunami in 2004 tragedies generally impacted many businesses negatively. It was a disastrous in which many organizations failed to recover their operations in timely manner. However, organizations which had comprehensive BCM program in managed to survive and recovered their critical services within a short time frame.

The available literatures uncover many researches that investigate the association between organizational performance and risk management. The studies highlighted that by understanding the possibility and potential effect of disastrous events, it may enhance business results ( Alesi, 2008 ; Bakar, Yaacob, & Udin, 2016 ; Herbane, 2010 ; Herbane, Elliott, & Swartz, 2004 ; Selden & Perks, 2007 ) However, the study also found that one of the key theoretical gaps in the existing literatures lies in the insufficient researches which examine the drivers that contribute to the effectiveness and success of BCM implementation in the organizations.

Research Questions

Based on the problem statement, in order to address the deficiency in current literatures, this research will examine the following research questions:

Does management support has significant effect to organizational performance?

Does external requirement has significant effect to organizational performance?

Does organization preparedness has significant effect to organizational performance?

Does embeddedness of continuity practices has significant effect to organizational performance?

Purpose of Study

The primary purpose of this research is to expand current literatures on the critical success factors of effective BCM in the context of Malaysian organizations. Theoretically, the framework of this study is supported by the RBV Theory, which postulates that organizations’ competitiveness and performance are influenced by the organizational resources such as intangible resources and competency ( Barney, 1991 ; Grant, 1991 ).

In summary, the research hypotheses are as follows:

H1: Management support is significantly related to organizational performance.

H2: External requirement is significantly related to organizational performance.

H3: Organization preparedness is significantly related to organizational performance.

H4: Embeddedness of continuity practices is significantly related to organizational performance.

Literature Review

Business continuity management.

BCM is “a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”( ISO, 2012 ).

Woodman and Hutchings ( 2010 ) suggest that all organizations must incorporate BCM in their business plan regardless of its size. Similarly, Gallagher ( 2002 ) asserts that business resiliency should not only be a subject of concern to large corporations, but also to the medium and small size enterprises as both entities are constantly pressured by their key stakeholders i.e. shareholders and the consumers to deliver uninterruptable services. In addition, Gallagher ( 2002 ) also highlights that there are many glitches that can be caused by human errors or process failures in the small and medium size organizations. Hence, the implication of not establishing a comprehensive BCM practice in place may be threatening. Besides, the elements of BCM could be applied to any categories of organizations, in the private and public sectors. It is widely embraced in various industries such as financial institution, manufacturing, transportation, services, local authorities, telecommunication, healthcare, education and government agencies.

Previous researchers have identified several critical success factors which contribute to effective BCM implementation in different setting. However, some of these factors are overlaps in term of definition and usage of different terminology to represent the same factor. This issue arises as there is no standard terminology adopted by the researchers. Hence, this study will focus on four factors that are more dominant based on the previous studies. The following sections discuss in more details of each factors.

Management Support (MS)

The senior management commitment in ensuring business functions and services operating at an acceptable condition under crisis situation and managing an organization's risk exposure to service disruptions are crucial elements of the overall corporate strategy ( Laurent, 2007 ). Several researchers posited that it is essential that business continuity program to be initiated, sponsored and authorized by senior management from the preliminary phase of its implementation ( Arend, 1994 ; Chow, 2000 ; Yen, Chou, & Hawkins, 2000 ). In the context of BCM, it is a long term commitment that necessitates a substantial financial investment by an organization ( Cerullo & McDuffie, 1994 ; Chow, 2000 ). Hence, only strong engagement by the senior management can warrant the on-going provision of monetary support and other critical resources for developing and maintaining a BCM program. Recognizing the potential paybacks of BCM on the operational performance is crucial to give proper merits to BCM initiatives and gaining top management support ( Abu Bakar, Yaacob, & Udin, 2015 ).

External Requirement (ER)

In today’s competitive environments, BCM is no longer an optional task in large organizations in public and private sectors. The value preservation within an organization is increasingly becoming a matter of concern of external interested parties such as the legislators and regulators, who consequently oblige organizations under their purview to comply with business continuity provisions. The regulatory requirements enforced by the government authorities and sometime even by the customers will motivate the management to further enhance the service continuity of their Information Technology and systems ( Herbane et al., 2004 ).

Organization Preparedness (OP)

Organization Preparedness refers to familiarity with various recovery approaches and avoidance of risks, such as maintaining a business continuity plans, establishing crisis management teams, and developing key personnel redundancy ( Hägerfors, Samuelsson, & Lindström, 2010 ; Ruighaver, Ahmad, & Hadgkiss, 2012 ). The business continuity plans should be regularly updated, tested and improvised, even after the occurrence of major incidents ( Gibb & Buchanan, 2006 ). Herbane et al. ( 2004 ) added that the swiftness of recovery is the surface exposure of a more profound capability in the form of Organizational Preparedness, which includes readiness of alternative sites, well-executed recovery plans and redundancy of critical resources.

Embeddedness of Continuity Practices (ECP)

Embedding BCM in the culture of an organization might be time consuming ( Michael Gallagher, 2003 ). The effort necessitates corporate changes, enterprise-wide participation, and the involvement of all employees, as well as a variety of business units to work in teams that are capable of acting effectively during a crisis situation. Furthermore, it entails continuous training and awareness program, as well as updating and maintaining the business continuity plans and procedures ( Elliott et al., 2010 ). Past empirical studies reveal that there was a substantial degree of cross-functional effort in BCM and show different roles of almost all organization members to support BCM which include business units, including IT, operation, quality assurance, and facilities management ( Pitt & Goyal, 2004 ; Woodman, 2007, 2008).

Organizational Performance

For the purpose of measuring the effectiveness of the BCM, the study uses the overall organizational performance (OOP) as the indicators. BCM is a holistic risk management process that the extent to which these BCM implementations are effective is considered as part of the overall assessment of organisational performance ( Fischbacher-Smith, 2017 ). Instead of relying on a single dimensional measure of performance, this study considers a multidimensional approach that includes both financial performance (FP) and non-financial performance (NFP) measures is more appropriate, especially when measuring practices and performance ( Ketokivi & Schroeder, 2004 ). The performance indicators include revenue, market share, cost reduction, operational stability, competitive advantage, reputation, customer satisfaction, employee morale and productivity.

Theoretically, the research framework is supported by the Resource Base View (RBV) theory, which postulates that organizations’ competitiveness and performance are influenced by the organizational resources such as intangible resources and competency ( Barney, 1991 ; Grant, 1991 ). The study is also supported by the Stakeholder Theory which recognizes the stakeholders, in this context, the external requirements by the regulatory bodies and customers that may influence the achievement of superior performance.

Research Methods

Respondents.

The target population of study is 147 organizations that have obtained the ISO 27001 and ISO 22301 certifications from SIRIM. The organizations are selected to participate in this study as they are deemed to possess considerably high sense of commitment towards embracing BCM’s best practices to enhance their business resilience. The unit of analysis for this study is organization, whereas the managers or executive positions that involve directly in the implementation and operational of BCM within the organizations were chosen as the respondent of the survey.

Data Collection

For the purpose of data collection, a set of questionnaires is used. It is adapted from previous studies and all responses pertaining to dependent and independent variables are measured using 7-points Likert scales. The content and face validity assessments were carried out, in which selected academicians and industry professionals involved by reviewing the questionnaires to obtain their expert opinions on the relevancy of the questions to support the research objectives.

This study had employed multiple methods of data collection including conventional and electronic mails. At the end of data collection period, 77 usable responses have been obtained which represent 55 percent of effective response rate.

In summary, the study managed to gather almost equal balance of respondents from both public and private sectors. In total, there are 38 (49.4%) organizations representing the public sector while 39 (50.6%) organizations representing the private sector. Within the private sector, the highest percentage of the respondents are from the technology industry (13.0%) followed by telecommunication (9.10%), utilities (7.8%), and financial services (7.8%).

Validity Analysis

Factor analysis was conducted to test the construct validity of the measurement instruments. Construct validity for each factor was conducted using principal component analysis (PCA) approach. In summary, the factor solutions indicate that all items recorded loading of greater than 0.60, ranging from 0.675 and 0.956 using the Varimax rotation method. These factor loadings indicate good correlation between the items and the factor grouping they belong to. On the other hand, this study also removed several items due to low communalities value and loading less than 0.60. Those items have indicated failure to fit well with other items in their components. By removing the items, the total variance explained has increased significantly.

Reliability Analysis

A reliability analysis has been conducted on the scale to ascertain the applicability of the instrument. In regards to that, Nunally ( 1978 ) recommends 0.70 as the minimum acceptable Cronbach’s Alpha value. Based on the recommendation, this study has reliable constructs because the Cronbach’s Alpha values generated by reliability analysis as seen in Table 01 between 0.851 and 0.944. Hence, no item was deleted during reliability analysis.

Correlation Analysis

In order to determine the association between the critical success factors and firm performance, correlation analysis was performed where the correlation coefficient explains the relationship between the independent, and dependent variables.

The correlation procedure comprise of two-tailed statistical analysis that significant at p<0.01 and p<0.05 level. All of the BCM critical success factors’ dimensions indicate significant positive relationship with dimensions of organizational performance. Particularly, the strength of the correlations between Management Support and Organizational Performance is medium to strong (0.405 ≤ r ≤ 0.523), strong (0.678 ≤ r ≤ 0.742) between External Requirement and Organizational Performance, medium (0.442 ≤ r ≤ 0.472) between organizational preparedness and Organizational Performance, and medium to strong range (0.482 ≤ r ≤ 0.638) between Embeddedness of Continuity Practices and Organizational Performance. In general, the outcomes signify that all of the associations between the critical success factors and dimensions of organizational performance are significant at p<0.01. In comparison of the strength of the relationships, the strongest positive correlation lies in the linkage between the External Requirement and Overall Organizational Performance (r=0.742, p<0.01), where higher level of External Requirement is correlated with a high level of Overall Organizational Performance. The subsequent strongest positive association is between External Requirement and Financial Performance (r=0.720, p<0.01), followed by External Requirement and Non-Financial Performance (r=0.678, p<0.01). The result signifies that a higher level of External Requirement on BCM implementation is correlated with a higher achievement of Organizational Performance.

Multiple Regression Analysis (MRA)

Next, the MRA was performed to investigate the linkage between the identified critical success factors and the effectiveness of BCM implementation which is reflected by the overall organizational performance. The result is depicted in Table 03 below.

The results in Table 03 exhibits that the predictors is significant with R = 0.802, R2 = 0.643, R2 adj = 0.623, F (4, 72) = 32.386, P<0.001. The figures indicated that the multiple correlation coefficients between the predictors and outcome variables is 0.802; the critical success factors accounts for 64.3% of the variance in the overall organizational performance and its generalizability in other populations is 0.623. In detail, the R2 value drops to only 0.020 or 2.0% in the adjusted R2 that signifies the acceptable cross validity of this model. The F-test F (4, 72) = 32.386 at P<0.001 signifies significant association between the predictors and the outcome variables.

Among the 4 predictors, External Requirement (β=0.559, t=6.200, p=0.000) recorded highest standardized beta coefficient, which reflects that External Requirement is the most important variable in predicting Overall Organizational Performance. In descending order, the importance follows with Embeddedness of Continuity Practices (β=0.317, t=3.544, p=0.001). In contrast, Management Support (β=0.052, t=0.585, p=0.561) and Organization Preparedness (β=0.014, t=0.162, p=0.872) are not significantly related to Overall Organizational Performance. This implies that a better Overall Organizational Performance can be achieved when the organization has strong External Requirement and Embeddedness of Continuity Practices in place.

In this study, the effectiveness of BCM is measured through Overall Organizational Performance which represented by combination of Financial and Non-Financial Performances. Based on the descriptive statistics, this study discovered that the respondents perceive that their organizations have achieved a fairly good level of performance contributed by BCM implementation over the last three years (mean=5.52).

Nonetheless, the multiple regression analysis shows that only two BCM Factors namely External Requirement and Embeddedness of Continuity Practices have significant relationships with Overall Organizational Performance. Meanwhile, the other two BCM Factors namely Management Support and Organizational Preparedness are not significantly related to Overall Organizational Performance.

Firstly, in the Malaysian context, the External Requirements imposed by government authorities such as Bank Negara Malaysia for financial services industry and MAMPU for the government sector have motivated the organization’s top executives in enhancing the resiliency of their information systems and services. Based on the mean score of the descriptive statistics, the respondents perceive that their organizations have a fairly good level of External Requirement (mean=5.44). The result indicates that the External Requirement is related to Overall Organizational Performance. Such results provides is consistent with the past studies on BCM ( Bakar, Yaacob, Udin, Hanaysha, & Loon, 2017 ; Choudhuri, Maguire, & Ojiako, 2009 ; Herbane et al., 2004 ; Hoong & Marthandan, 2013 ; Järveläinen, 2013 ; Peterson, 2009 ; Woodman, 2008 ). Besides the corporate governance, the pressure from the customers who demand for uninterrupted services had also pushed the importance of BCM to a higher level. These findings are also supported by the Stakeholder Theory which recognizes the stakeholders, in this context, the external requirements by the regulatory bodies and customers that may influence the achievement of superior performance.

Secondly, as expected, the result shows that a higher level of Embeddedness of Continuity Practices would reflect higher achievement of Overall Organizational Performance. In addition, based on the mean score of the descriptive statistics, the respondents perceive that their organizations have a fairly good level of Embeddedness of Continuity Practices (mean=5.00). The findings are consistent with outcome of the study conducted by Järveläinen (2013a) on the significant relationship between Embeddedness of Continuity Practices and business performance

Thirdly, based on previous researches on the critical success factors of BCM posits that Management Support has a significant relationship with Overall Organizational Performance ( Chow, 2000 ; Chow & Ha, 2009 ; Hoong & Marthandan, 2013 ; Järveläinen, 2013 ). The mean score of the descriptive statistics indicates that the respondents perceive that their organizations have a fairly good level of Management Support (mean=5.58). However, this study discovers insignificant relationships between Management Support and Overall Organizational Performance. This finding contradicts with previous studies on the success factors of BCM. With such finding, this study evidences that Management Support does not directly influence Overall Organizational Performance of organizations. One plausible explanation is the fact that 22.1 percent of the respondents indicated that the highest responsibility of BCM program is held by the Head of IT instead of the senior management. The result is also in-line with previous researches that highlighted the lack of commitment by the top management may result in lack of corporate wide support which impedes the effectiveness of a BCM and eventually causing program failures ( Payne, 1999 ; Pitt & Goyal, 2004 ). Therefore, the senior management should involve themselves in the whole process of crisis management so that their staff would have confidence in their ability to lead them successfully through such critical times ( Moore & Lakha, 2006 ). Another possible reason might be due to weak inter-correlation values between variables. Sekaran ( 2003 ) postulates that this situation could cause insignificant result in the multiple regression analysis.

Lastly, the finding indicates insignificant relationship between Organization Preparedness and Overall Organizational Performance, which contradicts the expectation. In other words, any improvement in Organization Preparedness factors, such as business impact analysis, readiness of alternate sites and system, documentation, simulation exercises, communication procedures, and imposing BCM requirement on suppliers do not contribute significant effect on Overall Organizational Performance. Järveläinen (2013a) revealed that Organization Preparedness and alertness failed to yield significant effect on business performance. The study discovered that BCM procedures were not regularly tested in all organizations, which could reduce of the effectiveness of the plans ( Gibb & Buchanan, 2006 ). The finding is in agreement with this study which found insignificant relationship between Organization Preparedness and Overall Organizational Performance. Similarly, upon close examination of the questionnaires’ responses, this study also discovers about 26 percent of the respondents do not fully agree on regular testing of BCM plan may indicate lack of exercise conducted on the BCM plan. Moreover, BCM shall become out-dated if is not updated or regularly tested. Similar with Management Support factor, the insignificant relationship between Organization Preparedness and Overall Organizational Performance in the multiple regression analysis might also be due to weak inter-correlation values between variables ( Sekaran, 2003 ).

Theoretical and Practical Implications

Fundamentally, this study has established new insights for academics and practitioners that contribute to the existing body of knowledge. In response to the theoretical gaps in the current literatures, this study has established empirical evidences on the relationships between the critical success factors and effectiveness of BCM implementation, particularly in the Malaysian context.

The outcomes of this study have also revealed that factors namely External Requirement and Embeddedness of Continuity Practices contribute towards enhancing the effectiveness of BCM that eventually leads to superior organizational performance. Hence, it is essential that every organization, regardless of size and nature of business, to proactively enhance their capability in managing BCM so as to improve their readiness in dealing with disruptions more effectively.

Limitations and Recommendations

Although this study finds several encouraging results, it is acknowledged that the study also have several limitations, which opens-up for future enhancement. The recommendation relates to the methodological approach. As the study is conducted using cross-sectional approach, more efforts need to be carried out to ascertain the impacts of changes over a longer time period. Using a longitudinal approach on the similar group of participants may be better at drawing the BCM effects on organizational performance and perhaps could provide a better analysis on the interrelationships among the organizations under study. In other words, the primary benefit of longitudinal approach is that it allows researchers to observe changes that take place over time. Hair et al. ( 2007 ) argues that longitudinal study is a better way to seek the cause and effect relationship among variables at a different period of time. Thus, future researchers are suggested to conduct longitudinal studies to investigate the implementation of BCM and how it influences organizational performance.

The outcomes of this study have considerably contributes to the current literature on BCM and organizational performance particularly Malaysia. Drawing from Research Base View, Crisis Management and Stakeholder theories, the research model has provided a theoretical framework for recognizing the critical success factors that affect the establishment of effective BCM in an organization that eventually lead to superior performance. This study reveals that important BCM critical success factors such as the influence of External Requirement and Embeddedness of Continuity Practices have significant positive causal relationships with Overall Organizational Performance.

With considerations on the impact of the globalization and intense in the business competition nowadays, the outcomes of this study serve a strong basis for managers to invest in enhancing the BCM skills and infrastructure as the benefits are evident. This study believes that by understanding the critical success factors of effective BCM, it may contribute to the betterment of the organizational performance.

• Abu Bakar, Z., Yaacob, N. A., & Udin, Z. M. (2015). The Effect of Business Continuity Management Factors on Organizational Performance: A Conceptual Framework. International Journal of Economics and Financial Issues, 5(5), 128–134.
• Alesi, P. (2008). Building enterprise-wide resilience by integrating business continuity capability into day-to-day business culture and technology. Journal of Business Continuity & Emergency Planning, 2, 214–220.
• Arend, M. (1994). Time to dust off your contingency plan. ABA Banking Journal, 86(2), 56.
• Bakar, Z. A., Yaacob, N. A., & Udin, Z. M. (2016). The Influence of Business Continuity Management Factors on Organizational Performance: IT Capability as Moderating Factor. Labuan E-Journal of Muamalat and Society, 10, 16–29.
• Bakar, Z. A., Yaacob, N. A., Udin, Z. M., Hanaysha, J. R., & Loon, L. K. (2017). The adoption of business continuity management best practices among Malaysian organizations. Advanced Science Letters, 23(9), 8484–8491. https://doi.org/10.1166/asl.2017.9916
• Barney, J. B. (1991). Firm Resources and Sustained Competitive Advantage. Journal of Management, 17(1), 99–120.
• Cerullo, M. J., & McDuffie, R. S. (1994). Planning for disaster. CPA Journal, 64(6), 34. Retrieved from http://eserv.uum.edu.my/login?url=http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=9410052296&site=ehost-live&scope=site
• Choudhuri, B., Maguire, S., & Ojiako, U. (2009). Revisiting learning outcomes from market led ICT outsourcing. Business Process Management Journal, 15(4), 569–587. https://doi.org/10.1108/14637150910975543
• Chow, W. S. (2000). Success factors for IS disaster recovery planning in Hong Kong. Information Management & Computer Security, 8(2), 80–87. https://doi.org/10.1108/09685220010321326
• Chow, W. S., & Ha, W. O. (2009). Determinants of the critical success factor of disaster recovery planning for information systems. Information Management & Computer Security, 17(3), 248–275. https://doi.org/10.1108/09685220910978103
• Elliott, D., Swartz, E., & Herbane, B. (2010). Business continuity management: a crisis management approach (2nd ed.). New York, USA: Routledge.
• Fischbacher-Smith, D. (2017). When organisational effectiveness fails. Journal of Organizational Effectiveness: People and Performance, 4(1), 89–107. https://doi.org/10.1108/JOEPP-01-2017-0002
• Gallagher, M. (2002). Business Continuity Management: How To Protect Your Company From Danger. Pearson Education, Limited. Retrieved from http://books.google.com.my/books?id=rhoiPQAACAAJ
• Gallagher, M. (2003). Business Continuity Management: How to Protect your Company from Danger (1st ed.). London: Financial Times and Prentice Hall.
• Garcia, A. (2008). Business Continuity: Best Practices. eWeek, 25(33), 32–40.
• Gatzert, N., & Schmit, J. (2016). Supporting strategic success through enterprise-wide reputation risk management. The Journal of Risk Finance, 17(1), 26–45. https://doi.org/10.1108/JRF-09-2015-0083
• Gibb, F., & Buchanan, S. (2006). A framework for business continuity management. International Journal of Information Management, 26(2), 128–141. Retrieved from http://www.sciencedirect.com/science/article/B6VB4-4JN2P51-1/2/57980f789e3c81f88a500981a33a3b45
• Grant, R. M. (1991). The Resource-Based Theory of Competitive Advantage: ImpHcations for Strategy Formulation. California Management Review, 33, 37–40.
• Hägerfors, A., Samuelsson, S., & Lindström, J. (2010). Business continuity planning methodology. Disaster Prevention and Management, 19(2), 243–255. https://doi.org/10.1108/09653561011038039
• Hair, J., Money, A. H., Page, M., & Samouel, P. (2007). Editors, Research Methods for Business. West Sussex, England: John Wiley & Sons.
• Herbane, B. (2010). The evolution of business continuity management: A historical review of practices and drivers. Business History, 52(6), 978–1002. https://doi.org/10.1080/00076791.2010.511185
• Herbane, B., Elliott, D., & Swartz, E. M. (2004). Business Continuity Management: time for a strategic role? Long Range Planning, 37(5), 435–457. https://doi.org/10.1016/j.lrp.2004.07.011
• Hoong, L. L., & Marthandan, G. (2013). Enablers of Successful Business Continuity Management Process. Australian Journal of Basic and Applied Sciences, 7(10), 86–97.
• ISO. (2012). ISO 22301:2012. International Standard Organization.
• Järveläinen, J. (2013). IT incidents and business impacts: Validating a framework for continuity management in information systems. International Journal of Information Management, 33(3), 583–590. https://doi.org/10.1016/j.ijinfomgt.2013.03.001
• Ketokivi, M. A., & Schroeder, R. G. (2004). Perceptual measure of performance: Fact of fiction. Journal of Operation Management, 22(3), 247–264.
• Laurent, W. (2007). Business Continuity Dashboards. DM Review, 17(6), 30.
• Lin, O. A. (2008). Business Continuity Planning: A Global Overview & Status in Malaysia. In Pre-Conference for the 3rd Asian Ministerial Conference on Disaster Risk Reduction.
• Moore, T., & Lakha, R. (2006). Tolley’s Handbook of Disaster Management: Principles and Practice (Third). Oxford: LexisNexis.
• Morwood, G. (1998). Business continuity: awareness and training programmes. Information Management & Computer Security, 6(1), 28–32. https://doi.org/10.1108/09685229810207425
• Nunally, J. C. (1978). Psychometric Theory (2nd ed.). New York: McGraw-Hill.
• Payne, C. F. (1999). Contingency plan exercises. Disaster Prevention and Management Volume, 8(2), 111–117.
• Peterson, C. A. (2009). Business continuity management & guidelines. 2009 Information Security Curriculum Development Conference on - InfoSecCD ’09, 114. https://doi.org/10.1145/1940976.1940999
• Pitt, M., & Goyal, S. (2004). Business continuity planning as a facilities management tool. Facilities, 22(3/4), 87–99. https://doi.org/10.1108/02632770410527824
• Ruighaver, A. B., Ahmad, A., & Hadgkiss, J. (2012). Incident response teams – Challenges in supporting the organisational security function. Computers & Security, 31(5), 643–652. https://doi.org/10.1016/j.cose.2012.04.001
• Sekaran, U. (2003). Research methods for business: A skill building approach (4th ed.). New York, NY: John Willey & Sons.
• Selden, S., & Perks, S. (2007). How a structured BIA aligned business continuity management with Gallaher â€TM s strategic objectives. Journal of Business Continuity & Emergency Planning, 1(4), 348–355.
• Starr, R., Newfrock, J., & Delurey, M. (2003). Enterprise Resilience : Managing Risk in the Networked Economy. Strategy and Business, 30, 73–79.
• Woodman, P. (2007). Business Continuity Management. Chartered Management Institute.
• Woodman, P. (2008). Business Continuity Management 2008. London: Chartered Management Institute.
• Woodman, P., & Hutchings, P. (2010). Disruption & Resilience: The 2010 Business Continuity Management Survey. Chartered Management Institute.
• Yen, D. C., Chou, D. C., & Hawkins, S. M. (2000). Disaster recovery planning: a strategy for data security. Information Management & Computer Security. https://doi.org/10.1108/09685220010353150

Copyright information

About this article

Publication date.

31 July 2018

Article Doi

https://doi.org/10.15405/epsbs.2018.07.02.34

978-1-80296-043-3

Future Academy

Print ISBN (optional)

Edition number.

1st Edition

Business, innovation, sustainability, environment, green business, environmental issues, industry, industrial studies

Cite this article as:

Bakar, Z. A., Yaacob, N. A., Udin, Z. M., Hanaysha, J. R., Loon, L. K., & Deraman, S. (2018). Critical Success Factors Of Effective Business Continuity Management: A Malaysian Case Study. In N. Nadiah Ahmad, N. Raida Abd Rahman, E. Esa, F. Hanim Abdul Rauf, & W. Farhah (Eds.), Interdisciplinary Sustainability Perspectives: Engaging Enviromental, Cultural, Economic and Social Concerns, vol 44. European Proceedings of Social and Behavioural Sciences (pp. 315-326). Future Academy. https://doi.org/10.15405/epsbs.2018.07.02.34

We care about your privacy

We use cookies or similar technologies to access personal data, including page visits and your IP address. We use this information about you, your devices and your online interactions with us to provide, analyse and improve our services. This may include personalising content or advertising for you. You can find out more in our privacy policy and cookie policy and manage the choices available to you at any time by going to ‘Privacy settings’ at the bottom of any page.

Manage My Preferences

You have control over your personal data. For more detailed information about your personal data, please see our Privacy Policy and Cookie Policy .

These cookies are essential in order to enable you to move around the site and use its features, such as accessing secure areas of the site. Without these cookies, services you have asked for cannot be provided.

Third-party advertising and social media cookies are used to (1) deliver advertisements more relevant to you and your interests; (2) limit the number of times you see an advertisement; (3) help measure the effectiveness of the advertising campaign; and (4) understand people’s behavior after they view an advertisement. They remember that you have visited a site and quite often they will be linked to site functionality provided by the other organization. This may impact the content and messages you see on other websites you visit.

To read this content please select one of the options below:

Please note you do not have access to teaching notes, the contribution of business continuity management (bcm) to supply chain resilience: a qualitative study on the response to covid-19 outbreak.

Continuity & Resilience Review

ISSN : 2516-7502

Article publication date: 17 December 2021

Issue publication date: 8 July 2022

This paper investigates the relationships between the core elements of a BCM system and SCRES constituents, i.e. visibility, agility, flexibility, velocity and collaboration. An explorative multiple case studies methodology was adopted, consisting of organizations in the retail, manufacturing and humanitarian sectors that had to withstand the impact of the first wave of the COVID-19 pandemic (January to June 2020).

Design/methodology/approach

The paper adopts an interpretative approach to understand organizational behavior through observations. The source of data comes from in-depth interviews as well as the scrutiny of available official documents for triangulation. The unit of analysis is the organizations internal supply chain with a specific focus on their BCM system and SCM arrangements.

This paper shows how core BCM practices have a direct impact on supply chain resilience constituents. Specifically practices such as establishing a crisis management committee and risk assessments boost constituents such as agility and flexibility. This advances the theoretical discussion on supply chain resilience, while providing practical examples for organizations to build a response to pandemic incidents.

Originality/value

This paper validates the contribution of business continuity management to supply chain resilience, a concept that has mainly been linked to practices such as risk management. In this regard, this paper enriches the discussion. Secondly, the analysis explains how specific BCM practices worked during the first wave of the pandemic and how they were implemented, providing a clear path for supply chain resilience.

• Supply chain resilience
• Business continuity management

Riglietti, G. , Piraina, M. and Trucco, P. (2022), "The contribution of business continuity management (BCM) to supply chain resilience: a qualitative study on the response to COVID-19 outbreak", Continuity & Resilience Review , Vol. 4 No. 2, pp. 145-160. https://doi.org/10.1108/CRR-08-2021-0030

Emerald Publishing Limited

Copyright © 2021, Emerald Publishing Limited

Related articles

All feedback is valuable.

Please share your general feedback

Report an issue or find answers to frequently asked questions

Contact Customer Support

Use Procurement Card Analytics for Increased Transparency in Government

July 24, 2024

Key insights

Procurement card analytics tools can provide valuable insights for state and local government purchases, enhancing financial oversight and operational efficiency.

P-card analytics tools offer features such as spending trends analysis, duplicate purchase notifications, and fraud risk mitigation.

Financial insights help in understanding purchasing behaviors, improving budgeting, and verifying procurement policies are being followed.

Develop better controls over your procurement card purchases.

Procurement card analytics for government can be valuable. In the complex landscape of state and local government procurement — efficiency, transparency, and fraud prevention are paramount.

Using procurement cards (P-cards) streamlines purchasing processes, allowing for quicker transactions and reduced paperwork. However, P-cards come with challenges, particularly in managing and monitoring expenditures.

Advanced P-card analytics can help your organization enhance financial oversight and operational efficiency.

The benefits of P-card analytics for government

 Procurement card analytics tools are designed to connect seamlessly with existing enterprise resource planning (ERP) systems or bank data, providing comprehensive financial analysis and insights into card usage. By leveraging data visualization platforms like Power BI, these tools offer both high-level overviews and detailed line-item analyses, enabling governments to gain a clear picture of spending patterns.

One advantage of using P-card analytics for government is the ability to identify spending trends. This includes analyzing expenditures by department, individual users, days of the week, and specific vendors. Granular insights help in understanding purchasing behaviors, improving budgeting, and verifying procurement policies are being followed.

Consider 3 key features of P-card analytics tools

Spending trends analysis.

Understanding where and how funds are being spent improves financial management and transparency. P-card analytics tools interact with your data dynamically to provide detailed reports on spending trends, broken down by various categories such as departments, users, days of the week, and vendors. This can help identify areas of excessive spending, cost-saving opportunities, and compliance with budgetary constraints.

Duplicate purchase notifications

One common issue with P-card transactions is duplicate purchases, which can cause financial discrepancies. P-card analytics tools automatically notify administrators of potential duplicates, enabling quick resolution and improved spending practices.

Fraud risk mitigation

Fraud is a significant concern in any financial system, and P-card transactions are no exception. Advanced analytics tools incorporate several techniques to detect and mitigate fraud. These include:

• Outlier detection — Identifying transactions deviating significantly from typical spending patterns.
• Benford’s Law — Leveraging a digital frequency test to detect anomalies in transaction data, such as avoiding spending approval limits.
• Geographic information systems — Mapping the locations of purchases to verify they align with known vendor addresses or travel locations.

Case study: enhancing procurement card efficiency and security

A mid-sized city recently implemented a P-card analytics tool, reducing costs and improving reporting. Before adopting the tool, the city struggled with managing its P-card transactions, including lack of transparency, budget overruns, duplicate purchases, and potential fraud, waste, and abuse.

The tool’s Power BI dashboards provide dynamic and interactive visualizations of spending trends, highlighting department and user spending patterns. Specific risks were addressed such as duplicate transactions, payment splitting, and fictitious vendors.

Other analytics include outlier detection, digital frequency testing, travel expenditure insights, and geolocation mapping of merchant activity.

The city reduced procurement costs and bolstered defenses against financial fraud. The enhanced transparency and efficiency gained from the P-card analytics tool fostered greater confidence among stakeholders and demonstrated the value of investing in advanced financial management solutions.

Moving forward with P-card analytics

For state and local governments looking to improve their procurement processes, adopting a P-card analytics tool can help. These tools offer a powerful combination of detailed financial insights, real-time notifications, and robust fraud detection capabilities. By integrating seamlessly with existing financial systems, they provide a comprehensive view of spending activities, verifying resources are used effectively and transparently.

Investing in P-card analytics not only enhances financial oversight but also supports better decision-making. With clear insights into spending patterns and potential risks, governments can better allocate budgets, negotiate better vendor terms, and comply with procurement policies.

How we can help

At CLA, we offer cutting-edge P-card analytics solutions tailored to the needs of state and local governments. Our tools connect effortlessly with your ERP or bank data, providing the actionable insights you need to manage your procurement activities effectively.

Mitch Thompson

Digital Growth Director

Featured articles

// $formatted_date_time

Preparing For the Next Global Outage: Review Your Business Continuity Plan

Use a digital strategic plan to drive growth in financial institutions, use a grants management system to meet arpa compliance requirements, experience the cla promise.

Sign up to receive custom information and insights delivered straight to your inbox.