Business Continuity Planning Methods

Exploring Strategic Business Continuity Planning Methods for Small Businesses in the
State of Maryland
Dissertation Manuscript
Submitted to Northcentral University
Graduate Faculty of the School of Business and Technology Management

in Partial Fulfillment of the
Requirements for the Degree of
DOCTOR OF BUSINESS ADMINISTRATION
by
BENJAMIN KIBET CHEPKOIT
San Diego, California

August 2017

ProQuest Number: 10636023

All rights reserved

INFORMATION TO ALL USERS
The quality of this reproduction is dependent upon the quality of the copy submitted.

In the unlikely event that the author did not send a complete manuscript
and there are missing pages, these will be noted. Also, if material had to be removed,
a note will indicate the deletion.

ProQuest 10636023

Published by ProQuest LLC (2017 ). Copyright of the Dissertation is held by the Author.

All rights reserved.
This work is protected against unauthorized copying under Title 17, United States Code
Microform Edition © ProQuest LLC.

ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346
Approval Page
Exploring Strategic Business Continuity Planning Methods for Small Businesses in the
State of Maryland
By
Benjamin Kibet Chepkoit
Approved by:
9/20/17
Chair: Dr. Deborah Nelson, Ph.D. Date: September 20, 2017
Certified by:
Dean of School: Dr. Peter Bemski, Ph.D. Date: September 20, 2017
Abstract
Business continuity planning (BCP) is the preparation and implementation of strategic
plans that provide for normal continuation of operations with real-time backup of
processes and procedures in an event of natural or human error disasters. Disruptive
events to business continuity in the state of Maryland include severe winter storms,
snowstorms, hurricanes, fires, pandemic diseases, technology threats, and threatening
natural disasters. BCP is part of a business continuity management (BCM) process
designed to identify business operational risks and vulnerabilities, and to provide
processes and mitigating risks. The problem under investigation was that some small
businesses in Maryland had not established nor implemented sustainable crisis
management measures for BCP necessary to resolve problems of disasters that disrupt
continuity of business services. The purpose of this exploratory embedded multiple case
study was to explore strategic business continuity planning methods for small businesses
in the state of Maryland as perceived by senior managers, the unit analysis of the study.
Multiple case study is the proposed research design that utilized a semi-structured
interview format to collect data from participants at onsite or offsite business settings,
data analysis, and interpretations of relevant data to understand strategic business
continuity plan (BCP) implementation by the small businesses with BCP and without
BCP in the state of Maryland. The participants in this multiple case study were six senior
managers selected from different business industries that meet the criteria of a small
business in Maryland. The results of the study represented the outcome of the analysis of
the responses from the interviewees, which formed the basis of the prevailing perceptions
of BCP among the managers of the small businesses in the state of Maryland. The final
ii
findings of the study formed the framework for further research in business continuity
planning for small business enterprises in the state of Maryland.
iii
Acknowledgements
I would like to express and share my deepest appreciation and gratitude to my
professors and research participants who supported me and contributed immensely to the
success of my doctoral program, leading me throughout the tedious but fulfilling
academic accomplishment. I wish to sincerely thank my Dissertation Chair, Dr. Deborah
Nelson, whose patience and solemn scholastic intellect were beyond reproach. Without
her guidance and persistent support, this dissertation would not have been possible.
I would also like to deeply thank my Subject Matter Expert, Dr. Tanya Settles,
whose diligent evaluation of my dissertation was invaluable. I appreciated her expert
contribution and steadfast focus that consistently aligned my thinking and writing
processes in the right direction towards this accomplishment.
In addition, I wish to sincerely and faithfully thank my wife, Zipora, and my sons
Andrew and Alex for the encouragement and support throughout my doctoral program.
Their irreplaceable support, prayers to our Lord, and unwavering patience towards my
inadvertent diversion from them during the final stages of this dissertation remain
priceless forever.
The achievement of this Doctoral Degree is a fulfilment in my personal drive to
optimize my potential and strive through a personal principle of consistent constructive
discontent. This doctoral certificate is dedicated to Mr. Joshua Kerretts, Mr. Wilson
Chepkoit, and Mrs. Esther Chepkoit, who laid the first stone of foundation in both my
spiritual and human life.
iv
Table of Contents
List of Tables......................................................................................................... vii
Chapter 1: Introduction ............................................................................................ 1

Background....................................................................................................... 2
Statement of the Problem .................................................................................... 3
Purpose of the Study .......................................................................................... 4
Research Questions ............................................................................................ 6
Nature of the Study ............................................................................................ 7
Significance of the Study .................................................................................... 9
Definition of Key Terms ................................................................................... 10
Summary ........................................................................................................ 12
Chapter 2: Literature Review .................................................................................. 14

Theoretical and Conceptual Framework ............................................................. 15
Senior Management Commitment ..................................................................... 22
Business Continuity Planning Best Practices....................................................... 29
Risk Management Contingencies ....................................................................... 39
BCP Business Units Impact .............................................................................. 47
BCP Corporate Social Responsibility Impact ...................................................... 53
Summary ........................................................................................................ 58
Chapter 3: Research Method .................................................................................. 60

Research Methods and Design(s) ....................................................................... 60
Population....................................................................................................... 63
Sample Process ............................................................................................... 64
Interview Preparation ....................................................................................... 64
Data Collection, Processing, and Analysis .......................................................... 66
Assumptions ................................................................................................... 69
Limitations...................................................................................................... 70
Delimitations................................................................................................... 71
Ethical Assurances ........................................................................................... 71
Summary ........................................................................................................ 72
Chapter 4: Findings ............................................................................................... 74

Results ........................................................................................................... 76
Evaluation of Findings ..................................................................................... 95
Summary ...................................................................................................... 104
Chapter 5: Implications, Recommendations, and Conclusions .................................. 106

Implications .................................................................................................. 109
Recommendations for Practice ........................................................................ 120
Recommendations for Future Research ............................................................ 123
Conclusion .................................................................................................... 125
v
References.......................................................................................................... 127
Appendixes ........................................................................................................ 138
Appendix A: Interview Participant Letter .............................................................. 139
Appendix B: Interview Permission Letter .............................................................. 140
Appendix C: Interview Protocol ........................................................................... 141

Interview Protocol Guide ................................................................................ 143
Appendix D: Interview Briefing and Questions ...................................................... 144

Experience at your Organization...................................................................... 145
Interview Questions ....................................................................................... 145
Appendix E: Consent Form .................................................................................. 147
vi
List of Tables
Table 1 Demographic Profiles of the Participants ……………………………………….77

Table 2 Themes and Sub-Themes Associated with Senior Management’s Perception
of BCP………………………………………………………………………………………......79
Table 3 Themes Associated with the Perceived Values Arising from implemented
BCP…………………………………………………………………………………...83
Table 4 Themes on managerial responsibility over BCP decisions ………………….....86
Table 5 Themes on critical success factors associated with sustainable BCP………....92
vii
Chapter 1: Introduction
Business continuity planning (BCP) is the preparation and implementation of
strategic plans that provide for normal continuation of operations with real-time backup
of processes and procedures in an event of natural or human error disasters (Karim,
2011). Common disruptive events to business continuity include power blackout, fire,
water system problems, mergers, economic events, political activities, pandemic diseases,
or global price escalations. BCP is part of a business continuity management (BCM)
process designed to identify business operational risks and vulnerabilities, and to provide
processes and mitigating risks that effectively respond to disruptive events (Jones, 2011).
The primary drivers that are necessary for management to create, activate, and
carry out BCP or a crisis management plan entail a holistic focus on the customers’ needs
and the prioritization of senior management to prevent or shorten the length of business
interruption during a crisis, including appointment of a senior recovery manager in
management (Bobcock, 2011). Business continuity and disaster planning emphasize the
fundamental importance of remedial measures that implement business continuity
processes that include the establishment of operational backup data centers for main
facilities and lay down strategies to support critical business elements against hurricanes,
fires, storms, tornadoes, and public health pandemics (Krizner, 2011). Jacques (2007)
observed that research on disaster prevention must include sustainable risk models that
provide business management with crisis preparedness and crisis processes that include
establishing crisis planning, assigning roles, and enforcing responsibilities.
1
Background
Human-made and natural disasters have implications for the survival of small
business organizations, which are aggravated by the tendency of small business
management to resist spending resources on low-probability events, regardless of the
potential disaster impact (Duncan, Yeager, Rucks, & Ginter, 2010). In most instances,
small business managers fail to develop and implement BCP due to low priority or lack
of budget for up-front costs for BCP, the possibility of little to no return on BCP
investment, and prioritization of imminent short-term issues within the organization
(Duncan, Yeager, Rucks, & Ginter, 2010). Small businesses encounter compounded risks
from human-made and natural disasters that are becoming increasingly common in
today’s world (Duncan, Yeager, Rucks, & Ginter, 2010). The Federal Emergency
Management Agency (FEMA) estimated that disasters in 2010 increased by 30%
compared to 2009 disasters, each time affecting small businesses significantly and
resulting in only 40% of the firms affected re-opening operations, while 60% failed and
remained shuttered for two or more years (Duncan et al., 2010). Small and mid-size
companies do not prioritize nor develop a BCP, which increases the level of risk during
disruptive events that have higher probability of damage to business operations (Duncan
et al., 2010).
The management, shareholders, and stakeholders of small businesses encounter
barriers and challenges when prioritizing, developing, and implementing a BCP because
of organizational competing factors that include budget allocation, strategic management,
business risk analysis, training, and awareness, BCP documentation, and information life
cycle management (Karim, 2011). Brody (2012) stated that 44% of small businesses
2
operate without continuity business plans while 56% of business owners spend less than
10% of business time in identifying and preventing operational risks. In order to
minimize costs on BCP, small business management must develop scenario planning that
provides testing platforms for management to improve dynamic capabilities embedded in
BCP, and facilitates opportunity to identify gaps while strategizing solutions in real-time
business operations (Worthington, Collins, & Hitt, 2009).
Statement of the Problem
In Montgomery County, Maryland, 40 out of 50 (80%) small businesses do not
have business continuity plans (Watkins & Barnett, 2008). The problem under
investigation was that some small businesses in Maryland had not established nor
implemented sustainable crisis management measures for BCP necessary to resolve
problems of disasters that disrupt continuity of business services, while minimizing
downtime, increasing response time, and deploying rapid resources (Petersen, 2010).
Management of small businesses must align risk management initiatives and systems
with corporate strategic objectives, resulting in sustainable BCP, proactive disaster
preparedness, and mitigation of business uncertainties, risks and threats (Byrnes et al.,
2012).
Maryland state forms a significant part of the Washington District of Columbia
(DC) transportation and operational system, comprised of a 600-segment network that is
exposed to threats of radiological dispersion devices, high travel capacity, and evacuation
impracticality (Lambert et al., 2012). Maryland experiences frequent severe winter
storms, snowstorms, hurricanes, and other threatening natural disasters annually, such as
the storms of December 2009 and February 2010 that prompted FEMA to disburse to
3
Maryland more than $15.4 million dollars in 2009 through 2010 to mitigate disaster
hazards for businesses and individuals (FEMA, 2012). Maryland Emergency
Management Agency (MEMA) reported that while bombs and fires capture the headlines,
almost 90% of emergencies are quiet catastrophes, illustrated by flooding in Maryland in
2003 from Hurricane Isabel that destroyed many towns along the Chesapeake Bay and
submerged downtown Baltimore and Annapolis. Transportation accidents, lightning,
tornadoes, blizzards, computer viruses, and technology failures have caused major
disruptions (MEMA, 2009). The effect of disasters in Maryland in 2012 prompted Small
Business Administration (SBA) to provide funding up to $2,000,000 in federal economic
injury disaster loans for small businesses, small agricultural cooperatives, and small
businesses in Carroll and Frederick counties, the most affected counties in Maryland
(SBA, 2012).
Purpose of the Study
The purpose of this exploratory embedded multiple case study was to explore
strategic business continuity planning methods for small businesses in the state of
Maryland as perceived by senior managers, the unit analysis of the study. The state of
Maryland defines a small business as an independently owned and operated business,
which is not a subsidiary of another business and not dominant in its field of operation.
Maryland Emergency Management Agency (MEMA) collaborates with small businesses
through the Maryland Retailers Association (MRA) in providing guidelines along
continuity of operations program (COOP) for effective preparedness towards disasters
(Snyder, Donoho, Menzies, & Davidson, 2012).
4
The research design proposed was a multiple case study approach that utilized a
semi-structured interview format to collect data from research participants, performed
data analysis, and interpretations of relevant data in order to understand strategic business
BCP in the state of Maryland. The participants in this multiple case study were six senior
managers selected from various different business industries that met the criteria of a
small business in Maryland. The sampling of six senior managers from six small
businesses is within the typical range for case study research, where Yin and Zhang
(2012) recommended sampling criteria based on participants with heterogeneous
characteristics in age, size, and ownership in order to allow for valid comparison.
The proposed study utilized triangulation to examine BCP documents for the
businesses with BCP, with a focus on best practices that included BCP processes,
procedures, risk management preparedness, computer systems accessibility and
networking, and data recovery-facilities, employees’ rescue strategy, and preservation of
systems and records (Nollau, 2009). The businesses without a BCP provided existing
documentation for examination, such as management manuals on processes related to
standard operating procedures, training, human resources, technical operations, business
vision and values, and strategy business plan. A multiple case study approach with
triangulation provided a richness of information which, upon analysis within and across
cases, can reveal a number of commonalities and some limited diversity (Stavros & Kate,
2009). The use of methodological triangulation (MT) allows the application of a within-
method approach for collecting data that entails interviewing management personnel
under reduced bias and improved validity of BCP data on operational processes and
5
procedures where BCP is already implemented (Lloyd, 2011). Where management had
not adopted a BCP practice, the additional data gathered for triangulation was based on
review of existing operations standing procedures, policies, process manuals, and
procedure instructions. Computer assisted application for data analysis was used to
facilitate data storage, coding, retrieval, comparing, and data modeling when computing
interview results.
Research Questions
An exploratory multiple case study approach examined responses by research
participants to the research questions that were designed to explore the implementation or
lack of implementation of business continuity planning (BCP) by small businesses in the
state of Maryland.
Q1. How is strategic Business Continuity Planning (BCP) perceived by the senior
management of small businesses in the state of Maryland?
Q2. How do senior managers of small businesses with BCP perceive that Business
Continuity Planning (BCP) provides value to the small businesses operating in the state
of Maryland? Why do senior managers of small businesses without BCP perceive
differently or that there is no value in BCP?
Q3. How do senior managers of small businesses perceive managerial responsibility for
establishing sustainable Business Continuity Plan for small businesses in Maryland?
Q4. How does small businesses’ management in Maryland perceive risk management
while prioritizing sustainable BCP?
6
Q5. Why do senior managers of small businesses in Maryland with BCP perceive that
critical success factors for business operations are important to achieving a sustainable
BCP?
Q6. Why do senior managers of small businesses in Maryland without BCP perceive that
critical success factors for business operations can be achieved without a sustainable
BCP?
Nature of the Study
The qualitative exploratory study design employed an embedded multiple case
study approach that explored strategic business continuity planning methods for small
businesses in the state of Maryland as perceived by senior managers. The senior
managers of the recruited small businesses were the unit analysis components of the
study in each selected small business. Qualitative case study research is an emergent
approach suitable for the proposed research study because the method allows the
researcher to provide detail and elaborate interpretations of the research objectives
without depending on numerical measurements (Zikmund, Babin, Carr, & Griffin, 2010).
The case study research approach on BCP was modeled on Yin’s
recommendation (Yin, 2013) that examined the study's questions, propositions, units of
analysis, logic linking data to the propositions, and criteria for interpreting the findings.
Senior managers recruited from six small businesses in Maryland responded to interview
questions that were devised to answer the perception of BCP by managers of small
businesses that have or have not developed and implemented BCP in their operations.
Data was collected from managers through interviews and analyzed in order to
understand the perception of managers on BCP and to discover how they have
7
incorporated BCP in the overall corporate strategy. In addition, construct validity factors
such as comparing interviews from different participants provided completion of research
analysis by confirming the collected data under analysis (Ho & Merrilees, 2008). I
gathered and utilized descriptive and reflective notes to record participants’ behavior
during the interview, including the recording of personal thoughts, speculations, feelings,
ideas, hunches, impressions, and prejudices.
The data analysis relied on item-response methodology to support or not support
the significance of BCP within small businesses category (Kelly & Yin, 2007). In order
to mitigate any bias against case study research, data triangulation, precise documentation
of interview responses, and maintaining the chain of evidence were used to develop
validity for the study (Yin, 2013). Validity measures the trustworthiness of the interview
responses from participants by cross-checking the findings against the research questions.
The triangulation approach of cross-checking the interview findings from the senior
managers enabled the identification of invalid responses and subsequent corrections
necessary to validate the trustworthiness of the findings (Yin, 2013). The credibility of
the interview responses was achieved by comparing the managers’ in conjunction with
their experiences, knowledge and perceptions of BCP with the best practices and
standards generally accepted for disaster prevention (Golafshani, 2003). The analysis of
collected data and employment of explanations associated with interviews collected from
management that validated the certainty about possible claims in the research study
provided the status of BCP among small businesses in Maryland (Kelly & Yin, 2007).
8
Significance of the Study
Business continuity planning (BCP) increases reliability and value in service
delivery, resulting from corporate best-practices in disaster recovery plan framework and
emphasis on advanced planning and preparedness to minimize loss in emerging crises,
contingencies, and uncertainties (Low, Liu, & Kumaraswamy, 2010). The ability of
organization management to implement a sustainable BCP and to successfully react to
emerging crises, contingencies, and uncertainties is driven by the extent to which the
organization has established an embedded BCP that identifies and protects critical
business processes and resources in times of business disruptions (Low et al., 2010).
The implementation of BCP provides a framework for management to build
organizational resilience with the capability for an effective response that safeguards the
interests of organization’s stakeholders, reputation, product brand, and value-creating
activities (Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012). Business continuity
management (BCM) process allows management to review potential risks it faces, keep a
register of the identified risks, and produce a variety of scenarios of disruption to the
business (Heng et al., 2012). BCM equips management teams from different departments
with the ability to operate an integrated BCP that accounts for minor incidents and
occurrences that it otherwise results in disruption to the business. The use of BCM as a
tool to execute BCP enables managers and employees to collaborate in providing input
and feedback to the corporate BCP, facilitating an opportunity to every department to list
down services that are critical to the organization and determine the criticality of the
service in a given disaster situation (Heng et al., 2012).
9
Management planning for operational continuity and recovery is an urgent
priority required for enterprises to remain proactive and preventive in overcoming
downtime risks (Bozman & Eastwood, 2011). BCP requires that management processes
and information systems are available by safeguarding existing systems and /or arranging
for substitutes in order to facilitate continuity of core business operations (Douglas,
2009). In the event of a disaster, management should anticipate disaster occurrences that
may result in casualties and deaths amongst employees, reconciliation of work with the
family needs and concerns of staff, and the execution of appropriate crisis management
systems and procedures.
Definition of Key Terms
Backup data centers. Backup data centers are availability of a comprehensive
collection of real-time data backup services that provide offsite protection across multiple
locations, replacing labor-intensive functions with accurate and efficient technologies that
save time and virtually eliminate physical storage requirements (Bobcock, 2011).
Business continuity planning (BCP) methodology. Business continuity
planning methodology is suitable for explaining business continuity planning to senior
management and employees in both public and private sector organizations. BCP is part
of an organization's business and information technology security program (Lindstrom,
Samuleson, & Hagerfors, 2010).
Business disruptive events. For the purpose of this study, business disruptive
events were defined as unanticipated events that disrupt business processes, procedures,
people, and technology. Business disruptive events included power blackout, fire, water
system problems, terrorism, mergers, economic events, draught, political activities,
10
pandemic diseases, global price escalations, or cyber technology disruptive attacks such
as on recovery-facilities (on-site, hot site, or cold site), computer hardware, operating
systems, networking, and other infrastructure, application software, databases, and
records (Karim, 2011).
Concrete systems. Slater (2011) defined concrete systems relative to BCP as
systems designed and tested for the performance of individual business units and the
entire tenets of the corporation, resulting in a concrete system that would withstand wide-
scale business disruption.
Crisis management model. A crisis management model used on BCP
preparedness is comprised of planning-prevention success factors that include planning
strategy, processes, and procedures that require scenario planning management to identify
potential weaknesses in critical business units operations (Worthington, Collins, & Hitt,
2009).
Critical success factors. Critical success factors impact-oriented influencers
when assessing the state of current business operations that provide framework of
identifying critical areas, non-essential sectors and units, risk benchmarking, peer
organizations, and scope of changes necessary to implement affordable, manageable, and
sustainable business continuity plan (Krizner, 2011).
Disaster recovery systems. Disaster recovery systems are tools used to recover
business operating systems focused on processes, procedures, people, and technology,
and covers the recovery-facility (on-site, hot site, or cold site), computer hardware,
operating systems, networking, and other infrastructure, application software, databases,
and records (Nollau, 2009).
11
FEMA. The Federal Emergency Management Agency (FEMA), which is part of
U.S. Department of Homeland Security Agency, charged with the mission to support our
citizens and first responders to ensure that as a nation we work together to build, sustain,
and improve our capability to prepare for, protect against, respond to, recover from, and
mitigate all hazards. FEMA was founded in 1978 under Presidential Reorganization Plan
and implemented by two Executive Orders on April 1, 1979. Disasters include hurricane,
an earthquake, a tornado, a flood, a fire or a hazardous spill, an act of nature or an act of
terrorism. Disasters may build over days or weeks, or hit suddenly, without warning.
Every year, millions of Americans face disaster, and terrifying consequences of these
events (FEMA, 2012).
MEMA. The Maryland Emergency Management Agency is a state of Maryland
agency organized within the Maryland Military Department to coordinate federal, state,
local, and private resources throughout the state during times of disasters and
emergencies.
Summary
The Federal Emergency Management Agency (FEMA) estimated that disasters in
2010 increased by 30% compared to 2009 disasters, each time affecting small businesses
significantly and resulting in only 40% of the firms affected re-opening operations, while
60% failed and remained shuttered for two or more years (Duncan et al., 2010). The
implementation of sustainable BCP provided assurance to small business in Maryland to
mitigate unanticipated events that disrupt business processes, procedures, people, and
technology. The senior management required appreciation of investment risks that arose
from unpreparedness to mitigate disasters, and needed to prioritize business strategies and
12
resources that included quality time and effort for substantive implementation of BCP
and continuously upgrading management systems across all business operational units.
On the contrary, the absence of BCP exposed business operations to various risks and
threats that included internal and external factors, resulting in catastrophic effects on
business operations, performance, and stability of processes.
The proposed study utilized triangulation process examined BCP documents for
the businesses with BCP, with focus on best practices that included BCP processes,
procedures, risk management preparedness, computer systems accessibility and
networking, and data recovery-facilities. The sampling of six senior managers from six
small businesses was within the typical range for case study research, where Yin and
Zhang (2012) recommended sampling criteria based on participants with heterogeneous
characteristics in age, size, and ownership to allow for valid comparison. The multiple
case study research was designed to utilize a semi-structured interview format to collect
data from participants, perform data analysis, and interpretations of relevant data to
understand strategic business continuity plan (BCP) implementation by the small
businesses with BCP or without BCP in the state of Maryland.
13
Chapter 2: Literature Review
The literature review on the context of assessing business continuity planning
(BCP) for small businesses in the state of Maryland focused on research in business
continuity planning and adoption of BCP as a business best practice methodology
required in order to ensure continuity of business operations during disasters or other
disruptive events. BCP provides effectiveness for the small businesses in Maryland to
sustain business continuity operations and enables businesses to implement BCP
processes as corporate best practice throughout organizational operations. The literature
reviewed provided the framework for BCP best practices required for small businesses in
Maryland that included business processes, risk management procedures, network
systems accessibility, disaster recovery planning and auditing, training of employees, and
continuous preparedness and testing of BCP functional activities and networking (Wan,
2009).
Chapter 2 contains research literature related to the anatomy of BCP and related
best practices that enable management to adapt a business culture of sustained continuity
of business operations across the organization. BCP framework provided processes and
procedures necessary to mitigate risks through proactive discipline of identifying
vulnerabilities and risks, and planning how to mitigate, accept, or assign such risks
without disrupting business operations (Karim, 2011). The incorporation of BCP into
organizational values and beliefs enables seamless practice of BCP best practices in the
manner in which the business is operated and managed (Karim, 2011).
The primary citations in the literature review included scholarly articles, peer-
review journals, books, reports, and dissertations. The websites and links sources
14
originated from institutional research sites, peer-review journals and the government of
the state of Maryland on literature related to BCP and small businesses statistical data.
The government agencies mandated to provide disaster relief services at national and
state levels are also cited in the study.
Theoretical and Conceptual Framework
Business continuity planning (BCP) management concept, and significance.
Small business organizations require BCP as a strategy of carrying out systematic
emergency plans to hedge against risks and to reduce the associated impacts and losses,
including the internalization of management’s ability to have a focused response to deal
with the disaster situation once the consequences are known (Low et al., 2010). Business
continuity planning (BCP) increases value in service delivery and provides disaster
recovery framework and preparedness to minimize loss in emerging disruptive events and
contingencies that abort business continuity (Low, Liu, & Kumaraswamy, 2010). The
organizational BCP framework entails internal factors that include business processes,
business infrastructure, resources, and people that are essential for the effective
functioning of the company. External factors that can contribute to catastrophic effects
and the disruptive incidents to the business include accidents, criminal activities,
disruptions in electricity and water supplies or natural disasters such as earthquakes and
tsunamis. Thus, the successful operation of a BCP is not only solely dependent on the
internal factors, but also on the external risks (Low et al., 2010). The management of a
small business should implement a BCP that ensures the existence of a well-structured
business process contingency system throughout the organization; provides greater
confidence in identifying and managing fatal risks inherent in essential business
15
processes; and activates a pro-reactive plan to accelerate the recovery and minimize the
negative impact after the occurrence of a disruptive event (Low et al., 2010).
Business continuity management (BCM) is the tool that enables management to
review current and future risks it faces, while documenting risks, effects, potential
intangible and tangible damages, while producing resolution simulations for business
continuity (Heng et al., 2012). Douglas (2009) study confirmed that medium to large
companies account for about 90% of business enterprises that fail to resume business
normalcy and continuity within five days of emergency, and increased the risk
discontinuing business within five years of experiencing a disaster event. The
effectiveness of sustained BCP is enhanced by the availability of management systems
and procedures for managing crisis and transitions between routine and crisis operations
as well as providing analysis for the kind of losses and level of disruption the business
may have to contend with (Douglas, 2009). It is crucial for small business management to
prepare for prolonged loss of utilities such as power, water, and gas, and the capability to
conduct core operations away from the central center of operations (Douglas, 2009). The
management of preventive and protective measures ensures that the staff and all business
stakeholders can fulfill disaster continuity roles as well as deal with high demands over
prolonged periods. Disaster planning requires management to plan relevant sets of BCP
implementations for each anticipated disaster in order to align readiness with the
determination, specification, and realization of preventive and mitigation measures
appropriate for disaster levels of impact-size and distribution (Prochazkova, 2012). The
management decision-making process entails the consideration of disaster characteristics
that influence expected mitigating outcome such as the rate of disaster start-levels,
16
warnings, preparation time, size of danger, risks for participants of intervention,
casualties, and risk assessment (Prochazkova, 2012). In addition, management best
practices require that the executive management be composed of managers who are
knowledgeable in disaster intervention, stage of disaster development, sufficiency or
insufficiency of equipment for intervention, knowledge of disaster site, time of
intervention, space location, and required decision, such as routine, known, complex or
unknown disruptive levels (Prochazkova, 2012).
Management relies on an effective business continuity management process that
identifies potential risks to the business core objectives and susceptibility to natural
hazards (Douglas, 2009). The business continuity management process should have the
ability to conduct of a business impact analysis to assess risk and how such risk is
distributed over critical operations (Douglas, 2009). Effective management process
enables management to understand the critical processes required for prompt supply of
goods and services to customers; focus on generating income for the business; and
maintain sustainable employment and corporate social responsibilities (Douglas, 2009).
The accountability for management to execute the best practices for effective BCP best
practices requires that management should consider strategies and options available
throughout the organization to mitigate identified risks to the business such as increasing
the amount of insurance to transfer the risk; improving the structure of the building to
withstand severe weather; and installing efficient backup systems at remote locations
(Douglas, 2009). In addition, management must draw up a business continuity plan that
defines the processes and procedures necessary for execution in the event of a disaster,
train staff to embrace a culture of BCM within the business, facilitate communication
17
between key groups and individuals within the business, and provide procedures for risk
assessment and identify realistic mitigation strategies (Douglas, 2009). Continuous
monitoring, updating, testing, and re-designing BCP strategies in collaboration with
overall business mission allows management to accommodate changes in personnel,
business practices or the external environment over time. Further research is needed to
ascertain scientific methodologies for measuring monetary value of loss resulting from
business unpreparedness, including patents, intellectual property, and legal rights to lost
deliverables.
The establishment of a BCP framework that enables implementation of critical
success factors for continuity of services across risk sectors, business units, and market
territories is paramount. Krizner (2011) assessed business preparedness using modern
technologies during the disasters that occurred between 2005 and 2007 that included
hurricanes, fires, storms, tornadoes, and public health pandemics. Krizner observed that
an increased focus on disaster planning and business continuity resulted in establishment
of operational backup data centers that support business main facilities and management
strategies for critical business units. Krizner (2011) cited healthcare organizations that
include Blue Cross Blue Shield (BCBS) of Los Angeles that have contracted backup data
centers and disaster recovery systems to recover stored data in case of business disruptive
events. Lack of established business continuity planning can be costly and damaging to
business operations (Krizner, 2011).
Enterprise resource management (ERM) is the process of planning, organizing,
leading, and controlling the activities of a company in order to minimize the effects of
risk on the company's capital and earnings, creating a framework for BCP (Byrnes,
18
Williams, Kamat, & Gopalakrishnan, 2012). ERM ensures management complies with
proactive measures against risks that threaten business continuity and enables
management to have an effective linkage between business strategy, risk management,
and corporate governance (Byrnes et al., 2012). ERM is an essential element that allows
management to achieve business goals and deliver sustaining benefits through the
integration of business practices, processes, and technology. Organizations utilize ERM
to implement BCP and disaster preparedness required to assess and mitigate major risks
to business operations, processes, people, and physical assets (Byrnes et al., 2012).
Management utilizes ERM to formulate risk-management and business continuity
programs that consists of identification, evaluation, assessment, management,
monitoring, and reporting risks across the organization (Byrnes et al., 2012). ERM
framework provides management with the base from which risk management is ingrained
into BCP and enables the flow of decision-making process from senior management to
employees (Byrnes et al., 2012). Management employs ERM to align risk management
initiatives and risk management systems with corporate strategic objectives, resulting in
company-wide collaboration of business continuity best practices (Byrnes et al., 2012).
The implementation of ERM evolves the training of all employees and contractors
throughout the organization to embrace risk management as personal responsibility that
entails process ownership, corporate governance, and business continuity best practices
(Byrnes et al., 2012).
Business continuity planning is crucial to prevent disruptions of business
operations, lives, and functioning of employees, suppliers, customers, organizational
structure, and ability by government to legally enforce tax collection. Duncan et al.
19
(2010) observed that small businesses encounter compounded risks from human-made
and natural disasters that are becoming increasingly common in today’s world.
Management prioritization of BCP is necessary to minimize the level of risk during
disruptive events while maximizing higher probability of securing business assets,
entity’s reputation, and organizational performance (Duncan et al., 2010). Risk
management measures evolve management’s pragmatic initiatives that associate risks
with opportunities through proactive actions, resulting in enhanced brand value and
profitability (Byrnes et al., 2012). ERM enables management to identify and select
alternative risk responses such as risk avoidance, reduction, transfer, and acceptance,
which result in fewer risks, fewer business challenges, and improved management styles
and strategies (Byrnes et al., 2012). Proactive initiative involves continuous monitoring
of risk and developing applicable corrective actions that enable management to locate,
confine, and correct the source of inaccuracies (Byrnes et al., 2012). The process of
continuously monitoring risks complements BCP initiatives, provides feedback for future
improvements to the ERM infrastructure or processes, provides BCP framework for
identifying both threats and opportunities, and assesses probability and possible impact
The implementation of BCP involves establishing critical functions embedded in
the disaster recovery plan framework, including the technological component of the
business, emphasizing advanced planning and preparations to minimize loss and ensure
continuous performance of critical business units (Duncan, Yeager, Rucks, & Ginter,
2010). Duncan et al. (2010) established that despite motivating factors to establish BCP,
most small and mid-size companies do not prioritize nor develop BCP, which increases
20
level of risk during disruptive events with higher probability of damage to assets, entity’s
reputation, and organizational performance.
Unpreparedness by the small businesses to survive disaster-related disruptions is
widespread (Douglas, 2009). Small businesses encounter barriers that delay the
development and implementation of BCP, including the corporate complacency that
assumes low probability of disastrous event, lack of budget for up-front costs for
planning, possibility of little or no return on BCP investment, and prioritization of
imminent short-term issues within the organization (Douglas, 2009). Douglas observed
that lack of business preparedness accounted for about 25 percent of the $40 billion lost
because of the September 11 terrorist attacks in New York, highlighting greater emphasis
on importance of developing seamless management capacity adaptable to seamless
business sustainability against interruptions and disaster activities.
Establishing disaster preparedness measures are not enough to guarantee business
continuity (Worthington, Collins, & Hitt, 2009). BCP preparedness must be driven by
crisis management model comprised of planning-prevention success factors that include
planning strategy, processes, and procedures that require scenario planning management
to identify potential weaknesses in critical business units operations (Worthington,
Collins, & Hitt, 2009). Corporations continue to recognize the urgency in the importance
and value of BCP because of corporate value inherent in disaster readiness. Bozman and
Eastwood (2011) stated that mission-critical computing requires 24x7x365 reliability to
sustain uninterrupted business operations and processes, supported by seamless system’s
availability, security, data space, and monitoring.
21
The urgency of instant decision turn-around is critical for management when
deploying solutions required for overcoming downtime risks (Bozman & Eastwood,
2011). The study critical systems sustainability of several organizations by Bozman and
Eastwood showed that even one hour of downtime could result in a severe business
impact for 48% of studied businesses, a business disaster for 7%, and a business
discontinuity for 55%. The authors researched organizations across diverse industries and
established that planning for operational continuity and recovery from outages is rapidly
becoming an urgent priority for commercial and government entities. Unplanned
downtime affects business-critical functions that result in lost revenue, reduced
productivity levels, disrupted customer base, damaged reputational image, ineffective
business processes, and inefficient delivery of goods and services to customers (Bozman
& Eastwood, 2011).
Senior Management Commitment
Senior management commitment in BCP. Successful implementation of BCP
for small businesses entails full support and commitment of corporate senior management
involvement in planning, developing, inculcating corporate culture, and totally embracing
the importance of business continuity on delivery of services to customers. Lindstrom,
Samulesson, and Hagerfors’ (2010) research presentation on multi-usable business
continuity methodology emphasized that corporate senior management must own and
care for the continuous planning process and strategic planning that leads to sustainable
strategic business decisions for overall business performance of a business enterprise.
The research on multi-usable business continuity methodology involved three business
cases that utilized staircase capability maturity model for testing and confirmation
22
(Lindstrom et al., 2010). The commitment of the senior management leads to increased
awareness and understanding of issues crucial to developing and implementing BCP that
guarantees perpetual services to customers and stable job security to the employees. BCP
and disaster recovery planning form a crucial part of core management priority when
executing training programs for all employees across the organization for overall BCP
success (Lindstrom et al., 2010). A successful training program that incorporates BCP
from the corporate policy level provides the employees with comprehensive
understanding and acceptance of uncertainties that exist in the business operations, and
prepares them to effectively execute the BCP processes and procedures while minimizing
risks in the event of a disaster (Lindstrom et al., 2010).
The understanding of the methodology used by the business to develop and
maintain a BCP is crucial for all the employees during training programs, where real
experiences from other organizations are used to demonstrate how BCP works and how
the management and employees can avoid post-crisis blaming of individual employees
(Lindstrom et al., 2010). Corporate training programs provide systematic and continuous
learning process that is vital for successful execution and improvement of BCP
throughout the business functional units (Lindstrom et al., 2010). Systematic and
continuous training programs across the organization provides employees with
opportunities to systematically acquire new knowledge, skills, rules, best practices
concepts, or attitudes that result in improved overall performance of the business.
Senior management commitment provides the corporate basis for setting BCP
objectives and limitations using corporate business plan, organizational vision, strategy
and objectives, and involvement in the continuous process to develop and maintain
23
sustainable BCP (Lindstrom et al., 2010). A crisis occurs when an organization's critical
processes are seriously affected or possibly, if a very serious event affecting the
organization has occurred, hence the capability of the management in identifying and
resolving increasingly serious situations within the organization in a controlled manner is
crucial (Lindstrom et al., 2010). The implementation of BCP should span throughout the
departmental levels of the organization to enable effective coordination of departments to
work together in the processes of mitigating risks. The involvement of departmental
management groups provides a mechanism to ensure implementation of a uniform set of
processes and standards for BCP best practices with all stakeholders throughout the
organization (Lindstrom et al., 2010). The established BCP processes and procedures
require continuous monitoring, updating, and instituting measures that indicate the levels
of crisis severity that guide management when deciding appropriate BCP solutions
whenever there is a crisis (Lindstrom et al., 2010). The research findings on multi-usable
business continuity methodology included emphasis on the importance of departmental
interactive process of monitoring and updating BCP because most changes and signs of
deficiencies occur at the lower level of operational units (Lindstrom et al., 2010). In a
study on business continuity management and interactive processes, Cansiz and Pakdil
(2012) found that an effective interaction of business units and processes across business
operations entailed obtaining management support and developing a BCP and business
processes management (BPM) strategy, identifying the business processes, performing
process analysis and deliverables measurement, implementing process improvement, and
ensuring continuity of business systems. In the study, interactive business continuity
strategy between business units and departments resulted in encouragement for
24
teamwork, adaptation to easy changes, discovery of improvement opportunities, and
identification of possible risks inherent in the improvement of continuity processes
(Cansiz & Pakdil, 2012).
Senior management and shareholders of small businesses must view BCP as an
investment initiative to protect company assets in the time of crisis, complete company
transactions during and after disasters, protect jobs and benefits for employees, sustained
operations and production of products and services, and flawless communication across
business units and between customers and the business (Clas, 2008). Small businesses
nationally and within the states risk core investments due to lack of disaster preparedness
established in study by Hewlett Packard that found 18% of enterprises and 31% of small
businesses lacked BCP necessary for emergency response operations that include fire
drills, equipment shutdown procedures, and technology redundancy for hot and cold sites
(Clas, 2008). The commitment of senior management to sustainable BCP requires
continuous executive level support from key stakeholders and continuous exposure to
intensive training necessary to increase the importance of BCP throughout organizational
culture as a best practice.
Chief Executive Officers (CEOs) surveyed across various organizations from
Delaware-Pennsylvania-New Jersey regions demonstrated diverse perceptions on BCP
and employed varied methods of developing and implementing disaster preparedness at
respective businesses (Morrison & Oladujoy, 2013). The perception of disaster
preparedness among a cross section of the CEOs of leading organizations indicated an
existence of disparity and disagreements among the managers on the effectiveness of pre-
disaster planning (Morrison & Oladujoye, 2013). The organizational leadership showed a
25
wider disparity on the company’s degree of preparedness in supporting the individual
medical, financial, and social needs of the employees and their families in a post-disaster
period (Morrison & Oladujoye, 2013). Using a random sample of 1000 managers from
American Business National Base (ABNB) database, Morrison and Oladujoye collected
data sets from 120 managers (12%). Morrison and Oladujoye found that there was a
general disagreement among most managers on the perception of leadership role by their
CEOs on natural disaster preparedness. The findings also indicated that the CEO was
perceived as being ineffective when attending to human needs related to communicating
with workers and respective families, getting assistance directly to those in need, and
attending to psychological personal issues when a natural disaster strikes, despite
sufficient compilation of disaster information on disaster risks, allocation of resources,
and compliance to disaster regulations by authorities (Morrison & Oladujoye, 2013). The
management of larger organizations appeared more prepared for disaster events
compared to managers of medium or small size companies who disagreed on prioritizing
resources for disaster preparedness (Morrison & Oladujoye, 2013). In addition, the
management of relatively newer companies was more positive in meeting the
requirements necessary for disaster preparation, compared to the management of older
companies, leading to the conclusion that organizations appear to presently have a mixed
record of pre-event planning (Morrison & Oladujoye, 2013).
In the absence of generally accepted principles of business continuity
management, organizational commitment to invest in BCP initiative could commence
with corporate decision to establish a company-wide standard of preparedness that aligns
with the Standard on Disaster/Emergency Management and Business Continuity Program
26
(NPPA 1600) model for public-sector preparedness (Clas, 2008). The universal standard
on BCP and plan management consist of program initiation and management; risk
evaluation and control; business impact analysis; and business continuity strategies (Clas,
2008). The standards also include final phase that include emergency response and
operations; BCP development, training, audit, and maintenance; crisis communications;
and, coordination with external agencies (Clas, 2008).
The incorporation of BCP into overall organizational best practices requires
senior management to obtain full support of all managers and employees. The initiation
of BCP program starts with management establishing a framework of business continuity
management program that involves organizational recovery objectives, business
continuity, operational risk, and crisis management plans (Clas, 2008). Management
utilizes risk evaluation and control technique to determine internal and external risks
within the business that would affect the business operations, employees, facilities, and
supplies during a disruptive event (Clas, 2008). Establishing a technique to identify
potential risks is important to management. Cansiz and Pakdil (2012) recommended
business improvement tools such as total quality management, lean management,
Business Process Reengineering (BPR), six sigma, and business process simulation.
The use of a business impact analysis (BIA) methodology enables management to
identify the impact of business interruptions and determine best techniques required to
quantify and qualify the magnitude of such impacts (Clas, 2008). A BIA also helps
management to identify time-critical functions, as well as recovery priorities and
interdependencies so that recovery time objectives can be established and incorporated in
overall standing operating procedures that can be activated during disasters. In addition,
27
strategies for business continuity processes and emergency response procedures provide
management with the techniques for training employees on disaster management,
identifying company’s readiness to respond, estimating recovery time, coordinating
communication, and stabilizing situations while concrete solutions are executed (Clas,
2008).
Small businesses without continuous improvement of business continuity
processes, procedures, and result-oriented performance measures have higher risk of
encountering bottlenecks, disruptions and communication problems, including customer
dissatisfaction as a result of failure to identify defective processes, the effects or
consequences that defective processes may have on performance, and lack of risk impact
analysis (Cansiz & Pakdil, 2012). Small businesses management achieves sustained BCP
through continuous review of performance management, risk impact analysis, and
continuous improvement based on business processes and service delivery units.
Disruptive events and uncertainties often exist in business operations, which management
must address by performing thorough assessment of the impacts to the processes and
customers using techniques that include risk identification, determination of the
possibility of risk occurrence and the effects to the process, and continuous analysis of
customers’ needs (Cansiz & Pakdil, 2012).
The challenges encountered by small businesses in mitigating risks related to lack
of BCP include the unavailability of business continuity management to reduce or
eliminate operational disruption due to unforeseen events and lack of standardization of
available remote access facility (Heng et al., 2012). Management’s failure to implement a
business continuity management process for crisis communications results in inability of
28
disaster responders to access critical security and recovery data (Heng et al., 2012). The
use of secured mobile devices is crucial in minimizing or avoiding operational
disruptions in unforeseen events.
Business Continuity Planning Best Practices
Business continuity planning as a business best practice. Business continuity
entails sustained practice of BCP throughout organizational structure as a functional plan
that includes disaster identification, notification and coordination processes,
communication plans, alternate computing facilities management, return to normal
operations, plan testing, and maintenance procedures required to restore business to
normal operations during disruptive events (Nollau, 2009). Management’s adaption of
BCP as an organizational best practice provides successful experienced methods within a
small business organization to align BCP with corporate strategies and culture within
budget and minimal training (Payam, Morteza, & Javad, 2009). The development and
implementation of business best processes and practices involve the internal and external
customer’s view on how the organizational business operations have been implemented
and when such operations were implemented (Payam et al., 2009). The operational view
on how the best practices have been implemented examine the level of relation between
BCP tasks and operation activities, the task’s nature, and the consistency in which
management execute business operations as aligned to BCP tasks. The operational view
related to the timing of business process focus on the management’s behavior view on the
task’s sequence, activities targeted, and scheduling of processes at the business unit level
(Payam et al., 2009). Best business practice for effective and efficient business processes
involve consistent review and redesign of processes in order to fulfill organization
29
strategies through recognizing and implementing emerging best strategic practices
(Payam et al., 2009).
Developing a BCP disaster recovery plan entails establishing a remote, off-site
center as a best practice that will allow management to execute continuous operations
during disruptive events (Omar, Alijani, & Mason, 2011). A BCP plan should be
developed in a logical sequence and written in a standard and understandable format that
reflects effective documentation, processes, and procedures that can be executed at ease
and without complexities (Omar, Alijani, & Mason, 2011). BCP seeks to allow small
businesses to provide seamless delivery of business operations without inconveniencing
customers, suppliers, employees, and other stakeholders. Identification of critical data
and establishment of a disaster recovery plan (DRP) within an overall BCP for disaster
prevention, data recovery, and data restoration are essential practices in ensuring the
protection of critical business units are safeguarded while guaranteeing the goal to
replicate data and information technology processes and procedures for business
operations critical applications (Omar et al., 2011). Management should ensure that data
loss does not occur; data replication capability is more efficient, less expensive, and
better optimized for data protection; and that a successful BCP is implemented
throughout the organization as a business best practice culture.
The employment of BCP as a business best practice entails the establishment and
implementation of standardized corporate practices awareness and consistent compliance
of practices that promote BCP (Tsohou, Kokolakis, Lamrinoudakis, & Gritzalis, 2010).
Standardization provides conformity assessment mechanisms for ensuring that
management practices adopted by an organization have a consensus on terminology,
30
common understanding, and agreement in functional and non-functional requirements for
compatibility, and compliance with globally accepted rules and practices (Tsohou et al.,
2010). Business continuity management is a major component of BCP that enables
management to identify potential threats to the organization’s business operations and
associated risks, providing a framework for building resilience for business operations,
facilities, processes, and business units for effective responses to disasters and failures
(Tsohou et al., 2010). Corporate policy on standardization of BCP processes provides
management guidelines for both in-house and outsourced disaster recovery services that
focus on disaster recovery guidelines and physical facilities. Disaster recovery guidelines
drive managers to prioritize issues of environmental stability, asset management and
protection, proximity of operational sites, vendor management, contractual agreements,
activation and deactivation of disaster recovery plan, and training, while disaster recovery
facilities refer to the basic requirements for secure physical operating environments that
facilitate organization recovery efforts (Tsohou et al., 2010).
The effect of disruptive events on businesses without BCP best practices threaten
the corporate reputation (CR) because of damages to corporate image, leading to broken
links of customer trust and unintended negative exposure within a relatively short amount
of time (Kronis & Ponis, 2012). The aftermath of disasters on businesses could lead to a
temporary detachment of consumers or create more permanent business relations'
disruptions. A bad corporate reputation leads to an organizational crisis from the
problematic image of the organization, requiring management to establish reputation
continuity (RC) necessary for the organizations to preserve positive reputation in the
post-crisis period (Kronis & Ponis, 2012). The incorporation of CR in business continuity
31
practices enables embrace reputation continuity as a process of maintaining trusted links
and establishing a reputation resilient organization, instead of one struggling to recover
from reputation losses, after the crisis has emerged (Kronis & Ponis, 2012).
The incorporation of Corporate Reputation (CR) into organizational continuity
best practices evolves into an important asset for organizations that inject continuity
through effective leadership, alongside managerial practices, required to mitigate image
problems throughout the organization (Kronis & Ponis, 2012). Organizational crises
characterized by unpredictability and non-patterned recurrences lead to challenges on
corporations' efficiency and viability, negative reputation crisis, and negative cognitive
association (Kronis & Ponis, 2012). The RC practice is the integrated ability of
organizations to motivate available resources during crises and achieve an uninterrupted
flow of trust while preserving the pre-crisis perceptions of stakeholders (Kronis & Ponis,
2012). The organizational management requires employment of proactive communicative
practices that protect CR in order to minimize the effects of crises and ensure business
continuity and recovery. The absence of a plan for reputation proactive protection
explains the inability of organizational systems to handle a vast number of variant
external factors and mediating agents, given the scarcity of information and the stress and
pressure imposed on individuals and teams during disaster period (Kronis & Ponis,
2012). A comprehensive contingency plan enables management to execute risk
assessment of the business units, clarify the planning scope, identify staff roles and
responsibilities, reevaluate proposed solutions, and hold risk workshops necessary to
ensure a complete buy-in of the plan across the organization (Taylor, Artman, & Woelfer,
2012). Utilizing Risk Spider Chart to assess levels of risks, Taylor, Artman, and Woelfer
32
(2012) established that contingency approaches revolved around reducing uncertainty and
complexity inherent in business risks that included subjecting high-risk operations to
higher levels of planning and oversight, while less-risk operations were subjected to
lower levels of monitoring. Contingency planning allowed management to determine the
levels of project management oversight and identify complex dimensions of inherent
risks (Taylor, Artman, & Woelfer, 2012).
The implementation of a BCP best business practice requires management to
identify, categorize, and standardize each critical business function that is necessary for
the business to survive in an event of a disaster (Aggelinos & Katsikas, 2011). In order to
discover the business critical functions, management must perform a business impact
analysis that include a clear definition of a disaster to the organization; creation of a
detailed organization chart with all the business units or departments; and the
development of all the processes that the business units execute in a form of input-output
for each process (Aggelinos & Katsikas, 2011). Management is also required to classify
the processes into administrative, managerial, executive; categorize business processes
according to their critical nature to the business; identify legal responsibilities from a
possible disaster; and estimate potential loss revenue for the period of disaster disruption
(Aggelinos & Katsikas, 2011). BCP provides the platform from which management can
estimate the impact a disaster could have to the organization's business goals, corporate
objectives, and the reputation of company stakeholders and employees (Aggelinos &
Katsikas, 2011). In the event that management has to develop a specific disaster recovery
plan in order to execute a business continuity operation, management should define the
business units that have to be covered in an emergency operation; the applications that
33
will function in disaster conditions; the necessary physical equipment to cover the needs;
and the required related security of systems in operation (Aggelinos & Katsikas, 2011).
The operation of a BCP is crucial to be aligned with processes and procedures established
for a normal operation system in order for the organization to benefit from same
employees’ self-knowledge, personnel experience, response time, and in compatibility
between the normal operation processes and the emergency operation system. The
development of a system for emergency operations at the departmental level should align
to the corporate strategic plan required for mitigating organizational disaster risks, for a
certain recovery period and at a cost-effect budget (Aggelinos & Katsikas, 2011).
The business best practices for BCP management entail consistent practice of
BCP life cycle plan that includes the collection and the storage of critical documents and
systems at backup servers in a secure off-site location (Omar, Alijani, & Mason, 2011).
Best business practices require the management to create and communicate records and
information management plan for critical business functions (Omar, Alijani, & Mason,
2011). With modern sophisticated electronic and mobile devices for communication,
management should be able to instantly reach out to colleagues and other stakeholders in
case of a disaster. BCP best practices facilitate management’s proactive capability to
identify and organize functional areas that support business processes and operations;
perform risk assessment, impact analysis, personnel access to original documents and
physical facility safety; and conduct annual document audits to establish the level of
disaster preparedness (Omar, Alijani, & Mason, 2011). In addition, the BCP business best
practice for establishing a secure off-site location that is equipped with capabilities to
store critical documents and systems required to support operations during disaster events
34
such as seamless network infrastructure controlled by the business management, internal
communication network, and third party vendors that are carefully documented within
BCP along with external storage data (Omar, Alijani, & Mason, 2011). The life cycle
plan of an established BCP best practice creates a sustained business environment that
communicates records and information management processes for critical business
functions throughout the business operations with the ability to generate, retrieve, and
communicate accurate and complete copies of records (Nollau, 2009). The management
of small businesses in Maryland requires the capability to perform triage activity
necessary to deliver services during disaster events through activation of reliable
communication systems aligned to all responsible persons designated for business
restoration in the case of a disaster. The BCP life cycle plan include the requirement that
once the continuity environment is restored, some level of re-qualification must be
performed based on risk level of the affected system, level of change, and planned
sustainability of change (Nollau, 2009).
BCP best business practices enable management to continuously identify and
organize functional areas that support business processes and operations that cover all
aspects of the business to keep the business viable in the event of a disaster (Nollau,
2009). The plan must include disaster identification, notification and coordination
processes, communication plans, alternate computing facilities management, processes to
return to normal operations, and BCP testing and maintenance procedures (Nollau, 2009).
Functional business continuity (BC) is an element of BCP with specific business-area
process that is focused keeping a specific business unit operational in the event of a
35
disaster such as facilities, human resources, safety, equipment and furniture, internal and
external communications, and invocation of lower level plans (Nollau, 2009).
Management utilizes functional BC plans for critical business processes and cover
manual work environment measures necessary to keep operations in running while
technology is being recovered during disasters. Functional BC manual workarounds
involve the use of logbooks, cell phones, hardcopy documents, employee manuals, or
standard operating procedures necessary to sustain time sensitive processes such as
payroll, communications with stakeholders, or critical procedures that have residual
outcomes such as non-compliance with regulations and lack of alignment with a parent
company and partners (Nollau, 2009). Failure to sustain an effective functional BC could
result in lost revenue from inability to ship product, loss of sales from delayed
submissions, loss of worker productivity, or damaged credit rating from inability to pay
bills. In addition, the company's business and professional reputation with customers,
employees, partners, or other stakeholders may be damaged.
Small businesses with best practices for an implemented BCP drive management
to perform risk assessment, impact analysis, enable designated personnel access to
original documents and ensure safety for physical facilities (Omar, Alijani, & Mason,
2011). Management is required to identify an appropriate type of recovery facility,
choose a location that will likely not be affected by disaster, assure accessibility to
storage areas within reasonable travel distance, time, and effort, and assure availability of
BCP processes and procedure manual stored at the company facility and recovery site
(Nollau, 2009). Establishing a disaster response team as a BCP best practice within a
disaster recovery plan (DRP) functional process that operates all of the processes required
36
to restore technology, and it must have a defined owner responsible for maintenance of
the plan on an ongoing basis. The disaster recovery team facilitates the disaster recovery
process, ensures the workability of the plan by working through assigned teams maintains
and distributes the final copy of the plan, conducts impact studies, develops recovery
strategies and responses procedures, coordinates testing, and monitors team response in
actual disaster situations (Nollau, 2009). The disaster response owner collects and
maintains information about all technology elements, performs triage activities, and
resolves any conflicts in the case of systems with dependencies or the same uptime
requirements or conflicting priorities, and determines the overall order of restoration
required, including documentation of the plan (Nollau, 2009). Communication of
information by the restoration team back to business operations team as well as to
business area systems team allows the organization to successfully align everyone with a
planned order of restoration in the event of a disaster.
Establishing scenario planning, annual audits, and testing BCP as a best business
practice enable managements’ preparedness and define scenario planning for BCP as
exogenous shocks that guide firms with corporate innovation capabilities to create novel
strategic improvements (Worthington et al., 2009). Annual series of test programs on
effectiveness and efficiency of BCP allows management to identify deficiencies and
provide opportunity for upgrade and improvement by duplicating business processes,
recovering procedures, recovering functions, and simulating various disasters (Chow &
Ha, 2009).
Enterprise sustainability is the concept of business continuity that demands
businesses to develop and implement a broad approach in analyzing business practices to
37
ensure the continuing existence of the enterprise and to minimize harmful impacts on
society, including but not limited to the environment (MacDonald, 2011). Enterprise
sustainability best practices involves the aligning of corporate social responsibility (CSR)
with customer interests in the business long-term sustainability strategy created to
incorporate shared values with the community (MacDonald, 2011). The business risk of
aligning community shared values with customer interests arise when there is unforeseen
misalignment between business interest and customer interest, resulting in eroded
economic stability of the customer base and reduced sales (MacDonald, 2011). The use
of BCP allows businesses to analyze the impacts it has on society and to mitigate those
impacts where harmful (MacDonald, 2011).
Many enterprises with business continuity best practices and mitigation initiatives
have incorporated CSR policy in business sustainability practices (MacDonald, 2011).
Risk management practices enable managers to assess the impact of disasters on the
business as well as on the society. As part of assessing its impact on society, a business
should include an assessment of the amount of risk mitigated for the business at the cost
of increasing risk and the economic instability mitigated for customers (MacDonald,
2011). Enterprises that align business interests with customer interests mitigate enterprise
sustainability risk by promoting the economic stability of its customer base while
fulfilling its CSR obligations (MacDonald, 2011). Aligning business interests with
socially shared values creates valued relationship between businesses, not just customers
and investors, but also employees, suppliers, communities, regulators, special interest
groups, and society as a whole. CSR is the continuing commitment by business to behave
properly, fairly and responsibly and contribute to economic development while
38
improving the life of the workers and their families as well as the local community and
society at large (Fontaine, 2012). In a study that focused on CSR at The Royal Dutch
Shell (BP), a global energy and petrochemical company that advocates for a less risk
environment for both business and society, Fontaine observed that the socially
responsible corporate performance at BP could be associated with increased profitability
and Earnings Per Share (EPS). CSR demands that businesses manage the economic,
social, and environmental impacts of their operations to maximize the benefits and
minimize the downsides on environment and the society. Organizations that align
business interests with the interests of the society they operate define CSR as a risk-
mitigating tool to manage financial risk, reputation risk, environmental risk, and supply
chain risk (Fontaine, 2012).
Risk Management Contingencies
Contingency planning with risk management for proactive crisis
management. Eriksson and McConnell (2011) studied contingency planning for crisis
management and concluded that the relationship between crisis planning and crisis
management outcomes is more complex because the success in the pre-crisis stage does
not guarantee a successful crisis response nor do pre-crisis situations lead to flawed crisis
response. Business contingency planning strategy, processes, and procedures require
scenario planning management that aid top-level management in identifying potential
weaknesses in critical business units operations (Worthington et al., 2009). Scenario
planning enables managers to acquire the knowledge and innovation necessary to respond
effectively to unexpected business disruptions and to measure response pace, techniques,
and logistics required when actual disaster events occur.
39
The development of a successful BCP is built on a business contingency process
that is intertwined with the business vision, strategy, business objectives and business
plan in an organizational perspective model that defines the ability of an organization to
continue its operations in case of disruptive events (Lindstrom, 2012). Business
contingency planning comprises that an organization plans to have an ability to continue
its operations at any incident. Lindstrom (2012) explained that BCP provides an
assurance to management and all business stakeholders that the organization's critical
processes should be able to be restarted within a decided acceptable period. Management
must recognize that when planning and developing a BCP with a crisis management
perspective, it is most helpful to have a common terminology and use a simple and
straightforward business contingency process to build the BCP throughout the
organization as a culture of business best practice (Lindstrom, 2012). The assessment of
business process contingency entail a situation assessment team that decides on the level
of organization's critical processes, declaration of a business crisis, and commencement
of the crisis management using the BCP to mitigate the problems, control the problems,
and re-instate a normal state of business operation without losses (Lindstrom, 2012).
Worthington et al. (2009) established that scenario planning allowed Continental
Airlines to utilize an underground bunker developed after Hurricane Rita in 2006 to
control domestic and international flight operations without disruptions in subsequent
hurricane seasons. During Hurricane Ike, Continental Airlines moved all domestic and
international flight operations seamlessly to the bunker business continuity mode when
the hurricane was 100 miles away from regular operations center, allowing the airline to
operate continually throughout the storm, achieving 89% domestic on-time flight
40
performance (Worthington et al., 2009). The success of implementing scenario plans
provided testing platforms that enabled management to improve dynamic capabilities
embedded in BCP, and facilitated the opportunity to identify gaps and strategize solutions
in the existing plan.
Contingency planning for crisis communication is crucial to management for
successful execution of BCP best practices throughout the organization. An effective
communication process within the organization and between all levels of management
and employees helps to mitigate risks during disasters (Veil & Husted, 2012).
Communication best practice entails planning for a prompt response, establishing a crisis
communication network, accepting presence of uncertainty, forming partnerships with
business stakeholders, and continually evaluating and updating a crisis plan (Veil &
Husted). A crisis communication plan framework forms part of a corporate BCP, and
requires management to recognize potential hazards, identify needed resources, and
designate responsibilities for managers and team members throughout the organization.
Veil and Husted (2012) emphasized that establishing a crisis communication network
includes the collaboration of internal information sources and actors at all levels of the
organization, outside agencies, and the media. Continuous assessment and evaluation of a
crisis communication plan as a best practice provides management with an opportunity to
review each specific communicative practice within the BCP rather than trying to
examine communication as a whole throughout the organization, subsequently equipping
management with a tool for planning and for post-crises assessment (Veil & Husted,
2012).
41
Small and medium enterprises (SMEs) form an important segment in the business
community and are highly vulnerable to disruptions compared to larger businesses, hence
require higher priority of contingency planning for natural disasters and better
contribution towards policy making on risk adaptation that informs policy makers and
practitioners (Wedawatta & Ingirige, 2012). However, SMEs often tend to underestimate
business risks and adaptation measures to the risks such as business continuity
management, community-level measures, individual-level property protection, and
business continuity and resilience measures (Wedawatta & Ingirige, 2012). SMEs require
the support of government resources for the implementation of effective adaptation
measures such as land use planning policy, responsibility of implementing the measures,
and resilient property construction that can withstand most disasters (Wedatta & Ingirige,
2012).
The SMEs decision makers and management should implement BCP and risk
management strategies that include obtaining property insurance, having an effective
business continuity plan, using a business data backup system, and obtaining business
interruption insurance (Wedawatta & Ingirige, 2012). Wedatta and Ingirige undertook a
research study in the United Kingdom (UK), titled the “Community Resilience to
Extreme Weather (CREW)” research project that focused on identifying SMEs’
responses to flood risk, and what measures have been undertaken to manage the risk of
flooding. The investigation focused on the how SMEs adapted to the risk of flooding,
considered risk measures at business and community-level, protected property at
individual-level, and implemented business contingency and resilience measures. The
study found that most SMEs fail to implement disaster adaptive measures because of the
42
perceptions of high cost, assumption that physical properties are adequately protected by
community-level protection measures, and lack of prioritization of measures against other
business agendas. The adaptation of measures requires cost and time commitments to
implement; hence, the SMEs could execute the implementation of measures that best
serve respective business continuity and survival (Wedawatta & Ingirige, 2012).
The implementation of a contingency planning required for preventing a crisis
does not necessarily guarantee an assurance against a disruptive event nor does it produce
a successful crisis response during a disruptive disaster (Eriksson & McConnell, 2011).
Management requires distinctive understanding between contingency planning and crisis
management planning when staging a disaster scenario because the initiative for
developing contingency planning can be in contrast with crisis management planning
(Eriksson & McConnell, 2011). The management’s initiative for implementing
contingency planning involves strong elements of foresight and certainty, while crisis
management planning is surprising and generates high levels of uncertainty (Eriksson &
McConnell, 2011). Some robust pre-crises contingency plans fail to effectively respond
to disasters because the management neglected the mandates recommended in the plan by
experts in disaster management (Eriksson & McConnell, 2011). However, some of the
contingency plans developed for specific disasters such as pandemic diseases can
effectively protect, rescue, and restore critical services, for instance vaccinations and
virus control initiatives (Eriksson & McConnell, 2011).
The contingency plans that fail to guide management at times of crisis are
associated with a lack of effective contingency implementation processes composed of
inadequate allocation of resources, personnel, equipment, crisis control measures,
43
responsibilities and decision guiding rules (Eriksson & McConnell, 2011). The failure of
effective business contingency plans to produce successful outcomes expected by
management is partly attributed to the nature of crises that may vary in terms of the speed
of threat arrival, threat intensity, level of complexity, level of uncertainty and the
timescale within which interventions needed to be executed (Eriksson & McConnell,
2011). Some of the ever evolving, unpredictable crises include hostage crises, rail
crashes, critical infrastructure breakdowns, oil spills, and pandemic virus. Contingency
plans are more suitable for crises with relatively familiar and linear contingencies that
allow management to learn under conditions of low uncertainty such as airline disasters
(Eriksson & McConnell, 2011). The management requires embracing the understanding
that contingency plans for unfamiliar and complex episodes are liable to have a high
objective, but less useful because the nature of the crises produce high levels of confusion
and improvisation, such as terrorist biological attacks (Eriksson & McConnell, 2011).
Risk management initiatives for disasters are ineffective, unless there is a
management commitment to develop strategic management, build business risk
management analysis, create redundant systems, testing them frequently and prepare
employees on what actions to follow in the event of disasters (Karim, 2011). BCP is a
crucial component of overall corporate planning necessary for the preparation of the
extraordinary threats, whether they are predicted or not, in order to protect employees,
products and profitability and to guarantee continuity of business processes (Karim,
2011). Management’s overconfidence in managing risks results in failure to implement
and execute a successful risk management plan, assess risk probabilities, or prevent
human and system catastrophic consequences (Hubbard, 2009). The utilization of
44
probabilities to compare risk plans and real performance enables management to detect
overconfidence, evade underestimation of risks, and avoid near-miss outcomes (Hubbard,
2009). The success of risk management planning requires the creation of senior
management role such as Chief Risk Officer (CRO) with responsibilities to oversee
deployment of risk management plan, maximize value when setting strategic goals,
balance between performance goals, targets and business risks, and evaluate various
strategic business alternatives (Fraser & Simkins, 2010). The senior risk management
role requires leaders with intimate business knowledge, political flair, communication,
and well-chosen allies developed over time at corporate level (Fraser & Simkins, 2010).
Planning for business risks is an initiative that entails an undertaking and consideration of
future risks, threats, and unpredictability, which require the senior risk manager to
balance the conflicting objectives of producing an aggregate review of risks and retaining
case-by-case business knowledge to inform expert judgment (Fraser & Simkins, 2010). A
complete management planning at the corporate level or unit level entails the
development of information life cycle management that guide management in organizing
the stream of an information system's data from creation to the time improvement is
required for next generation planning (Karim, 2011). The consequences for failure to
implement BCP due to management’s negligence to prepare results in businesses risks
that could be stopped, avoided, or mitigated (Karim, 2011).
The best practices in BCP require benchmarking, which is the continuous process
of measuring quality for products, services and practices against the toughest competitors
or those companies recognized as industry leaders (Hong, Hong, James, & Park, 2012).
Benchmarking is essential in the achievement of sustainable learning and improvement
45
through ongoing processes of measurement, comparison, improvement, continuity, and
learning in the effort to gain sustainable competitive advantage. The occurrence of
disruptive events create turbulent business environment that engage management to focus
on organizational identity, purpose, mission, and direction with vigor and intensity (Hong
et al., 2012). The utilization of benchmarking enables management to pay attention to
BCP best practices related to sharing knowledge throughout the organization, managing
relationships between managers and employees, increasing the level of coordination
between departments, and developing expertise in various settings such as the team, the
organization, and the network.
The application of benchmarking required for measuring organizational
effectiveness of BCP best practices and deployment is targeted on operational-level
practices that include functionality of business units, response time to a disruptive event,
management’s communication to disaster respondents, and rate of full resumption of
business operations (Hong et al., 2012). The use of technology to successfully effect
business operations, processes, and management decisions is crucial to operating
organizations. Technology plays a crucial role in executing efficient benchmarking
measures that enable management to achieve accurate and improved quality of outcomes
for specific functional requirements related to business continuity (Hong et al., 2012).
The characteristics of shared technologies required for effective benchmarking include
systems that are compatible, adaptable, collaborative, and communicable (Hong et al.,
2012). Interactive technologies such as decision-making tools, collaborative technologies,
electronic media, and virtualization technologies enable management to share resources,
46
manage stakeholders’ relationships, and integrate dispersed skills and expertise necessary
for business continuity (Hong et al., 2012).
BCP Business Units Impact
BCP impact on business units, concrete systems, and corporate tenets. Man-
made and natural disasters have implications for the survival of small business
organizations, aggravated by the tendency of small business management to resist
spending resources on low-probability events, regardless of the potential impact, and the
complexity of the continuity of operations planning guidelines provided by government
agencies and corporate governance best-practices (MEMA, 2012). Duncan et al. (2010)
cited findings by Center for Disease Control and Prevention (CDC) that underscore the
impact of disease outbreaks such as pandemic influenza as disasters that create fear and
cause employees to disassociate from other workers, affecting significantly on team
production capacity, business continuity, and delivery of services. An exploratory
approach to building a critical foundation of knowledge towards a new paradigm in
disaster planning emanates from research on organizational resilience to establish
sustainable methods proactive to disasters (Somers, 2009).
Implementation of risk-mitigated processes provides resilient performance of
individual business units, concrete systems, and the entire tenets of the corporation that
could withstand wide-scale business disruptions in the event of a disaster (Slater, 2011).
United States Army Automobile (USAA) studied the contingency plans implemented by
corporations such as FedEx, First Union, Merrill Lynch, Wachovia, and Fleishman-
Hillard. The study found that the corporations were able to sustain operations while fully
recovered the systems, applications and all the third-party vendor connections during
47
disaster disruptions (Slater, 2011). Disaster recovery simulations with employees across
the business units demonstrated that the employees who walked through the simulation
were in a position to observe flaws in the contingency plans, less likely to panic during
disasters, more likely to remember the contingency plan, and offered mitigating
suggestions to risks (Slater, 2011).
Small business management requires proactive measures against operational risks
by implementing preventive best practices in business continuity initiatives that protect
the overall organizational exposure to risks and threats (Slater, 2011). Businesses may
recover business data and sustain operations during disasters; however, there could be no
plans for alternative work places. In a disaster awareness exercise after the September 11,
2011 (9/11), the Oppenhiemer Holdings established that most clients were able to able to
recover data, but had no plans for alternative work places (Slater, 2011). The World
Trade Center had provided more than 20 million square feet of office space, and after
9/11 there was only 10 million square feet of office space available in Manhattan for
staging operations recovery (Slater, 2011). When developing contingency plans, business
operations management should emphasize the importance of where the employees
assemble immediately after a disaster and where they will be housed during recovery
(Slater, 2011). The failure to implement sustainable BCP and robust disaster recovery
system by most businesses result from management mistakes that include inadequate
prioritization of critical and non-critical systems, failure to simulate and test recovery
efforts, failure to gain buy-in support from senior management, lack of in-depth business
impact analysis, failure to allocate adequate funding for BCP, and inadequate analysis of
48
recovery time objective, critical systems and applications, vital documentation, and plans
for post-disaster operational activities (Slater, 2011).
The strategy to sustainable business continuity includes the incorporation of all
business units towards an unknown or unpredictable future condition collaborated
between business departments, partners, stakeholders, and the environment in order to
achieve sustainable solutions (Svensson & Wagner, 2011). The implementation of
sustainable policies and practices can be expensive; however, multi-layer model of units
and network of resources provide proactive assurance of business continuity and
viability. Business continuity planning allows open mindedness, dynamics, and flexibility
of planning, implementation, and evaluation of efforts towards business sustainability
(Svensson & Wagner, 2011).
The sustainability of business operations between and across critical units requires
continuous and simultaneous interconnectedness between operational sources such as
procurement, production, distribution, the market place, and consumers (Svensson &
Wagner, 2011). Transformative business sustainability applies and extends beyond
corporate and judicial boundaries, allowing all sources of each unit to interconnect to all
sources while enhanced towards a common goal of planned, implemented, and evaluated
efforts toward business sustainability as in BCP (Svensson & Wagner, 2011). Utilization
of performance measurement and benchmarking before and after the introduction of
business sustainability initiatives are imperative in calculating the units’ sustainability.
Implementation management requires the support of corporate decision-making processes
for effective planning, implementation, and evaluation of business sustainability
49
The long-term effect of natural disasters on business units could adversely affect
wider-corporate tenets with profound global consequences, particularly in geographical
areas with disasters aggravated by climate change (Begum, 2010). In 2009, about 335
natural disasters were reported worldwide that killed 10 655 persons, affected more than
119 million others and caused over US$ 41.3 billion economic damages (Begum, 2010).
Asia experienced the largest share of the disasters, reporting 40.3% of natural disaster
occurrence, accounting for 89.1% of global reported natural disaster victims and 38.5%
of total reported economic damages from natural disasters (Begum, 2010). Natural
disasters are catastrophic events that include socio-technical disasters such as floods,
landslides, and mudslides. Momani (2010) observed in the study that featured American
Telephone and Telegraph (AT&T) and Cisco Systems that 12% of companies had to
suspend key business operations because of human related errors in disasters. In addition
to human devastating consequences, natural and human-made disasters could cause
monetary, mortality and morbidity losses for business operations such as activities,
products, and services (Momani, 2010).
Human related risks contribute to business operations disruptions that affect
specific business units and systems due to negligent, intentional, and criminal behavior of
employees. Human behavior may damage or destroy the business' property or resources
such as customers and suppliers, resulting in business interruptions, migration of
customers to competitors, and avoidable monetary losses, a phenomenon commonly
observed in businesses that depend heavily or lightly on human interactions (Momani,
2010). Business disruptions related to human negligence could be minimized or
50
eliminated by most industries using labor to reduce human errors such as pharmaceutical
industries, mail delivery, construction, or manufacturing (Momani, 2010).
Business risks related to natural and human-made disasters are caused by factors
aligned to physical, geological, and environmental resources. Management should
estimate potential business disruptions for specific activities, processes, and products that
could prevent businesses, suppliers, distributors, and other stakeholders from maintaining
normal operations (Momani, 2010). The implementation of BCP requires the utilization
of technology in the form of hardware, software, telecommunications, Internet, or other
emerging technologies throughout business processes. Management requires proactive
measures and business continuity strategies against technology related risks that could
damage businesses and form part of overall risks and threats to business operations
(Momani, 2010). The strategies that management could implement against technology
risks include the capability and resources to protect media that stores important business
records and back it up daily, keeping a copy in secure location away from the business
location and to identify the equipment that the business will use if its own equipment are
destroyed or become inaccessible (Momani, 2010). Managers and employees should be
trained and equipped with proactive solutions for frequent failures and maintenance
issues to minimize down time and to perform regular and scheduled maintenance for
equipment to minimize business processes interruption (Momani, 2010).
The management should align BCP strategy with the overall mission critical
strategic role of the business that include planning processes, capability development and
socio technical approaches, rapid response to client needs, and disaster recovery strategy
(Momani, 2010). Strategies to resolve human risk include protection against bodily injury
51
and property damage through identifying important business safety issues; training of
employees on common dangers, legal restrictions, and risks; protection against personal
injury claims; and, establishment of internal controls to discourage and detect employee
misuse and fraud (Momani, 2010). In addition, management requires implementation of
measures for the protection of financial resources and insurance of employees’
responsibility to identify activities that may damage business property through fire,
explosion, or other hazard (Momani, 2010).
The implementation of BCP requires a consistent strategic role of senior
management within an organization to enable prioritization of resources necessary to
save the lives of employees or other stakeholders, and business property (Momani, 2010).
The proactive strategies required from senior management for effective implementation
of BCP involve preparation to prevent, avoid, minimize, and mitigate losses throughout
the organization (Momani, 2010). The mitigation and preparedness measures
incorporated in BCP include transferring losses to an insurance company by having
general or specific risk insurance coverage once specific risks are identified after business
assessment; making the business properties more disaster-resistant by enhancing physical
structures; and, securing business valuables in disaster-prone areas to prevent or
minimize movements which could cause destruction or death or injury for workers and
occupants (Momani, 2010).
Other recommended mitigating measures from the study (Momani, 2010) include
installation of proactive and protection measures such as smoke detectors and fire
extinguisher against fire hazards; securing items that could be carried away by tornado
effects; and, changing of business processes to reduce disaster consequences such as
52
reducing or eliminating the use and the storage of environmentally hazardous materials
(Momani, 2010). Additional recommendations from the study included emphasis for
management to provide easy access to disaster plan or BCP, undertake frequent drills and
practices to test plan applicability, assign disaster responsibilities to management with
plan procedures, and train employees in safety procedures that will help them avoid
injury in case of a disaster (Momani, 2010).
BCP Corporate Social Responsibility Impact
Business continuity contingencies affect corporate social responsibility. Small
businesses’ implementation of BCP contributes constructively to non-business
community livelihood and habitation that include humanity during disasters through an
enabled environment to provide products and services as well as health and job
performance of the people (Karim, 2011). Disaster occurrences often affect the habitat of
communities that include the confidence, personalization, family life, and people
reliability on conventional accessibility to goods and services, thus there is no business
continuity without people, environment, security, and accessibility to necessities of
human habitat (Karim, 2011). Small businesses indirectly contribute value to
communities even when BCP development and implementation is directly driven by
strategic management, business risk analysis, BCP resources, training and awareness, and
BCP documentation and implementation of contingency plans. In the study, Karim
(2011) observed that it is indispensable to organize businesses to be able to react and
improve from any type of disaster or disruptive event that may cause deficit in business
operations and may inhibit business continuation. Management responsibility and
ownership in consequences arising from disaster events is more demanding with the ideas
53
of globalization, where managers could be held personally responsible for a business
deficiency if they did not adopt right actions on right time to avoid this type of loss
(Karim, 2011).
The impact of disaster-related disruptions varies in intensity from minor delay to
severe interruption, resulting in a broadly exacerbated impact from a business unit
environment to a global business environment (Hall, Skipper, Hazen, & Hanna, 2012).
The expansion of communication media and Internet accessibility, combined with the
globalization of the world economy, bring the impact of what once might have been
considered a local, isolated event into the purview of businesses and living rooms
everywhere (Hall et al., 2012). Organizations require implementing BCP to enable
management to continuously and consistently identify, measure, and evaluate a business
operating environment. Continuous planning for disruptive events evolves from a tactical,
on-site reaction to strategic preparedness and readiness for organizations with inter-
organizational collaboration, inter-organizational technology use, and cooperative
attitude (Hall et al., 2012). Organizations require implementing contingency planning
initiative that allows management to identify vulnerabilities, plan appropriate reactions,
and increase organization's ability to react to disruptions with minimum impact (Hall et
al., 2012). Effective plans enables management to react more quickly to problems and to
respond more appropriately to the situation than organizations without such plans,
underscoring the concept of BCP required to enhance an organization's ability to
effectively react to various contingencies (Hall et al., 2012). An effective contingency
plan must be understandable, comprehensive, and approved by all stakeholders affected
by the plan, resulting in full collaboration by all organizational decision makers in
54
implementing integrated contingency procedures to handle unexpected events and
increase responsiveness (Hall et al., 2012).
The success of forming, developing, and implementing contingency planning
process as a component of BCP involves setting up a culture of cooperation, which is an
organizational belief that, by working together, outcomes are more effective and
acceptable to all parties (Hall et al., 2012). The cooperation among employees and
between management reduces resistance to implementation of BCP at both individual and
organizational levels. The existence of cooperation as an organizational norm creates a
cooperative attitude that ensures all management components are focused on the same, or
very similar, process outcomes (Hall et al., 2012). The compatibility of multiple
functional activities among the organization's planning enables organizational teamwork
that jointly achieves mutual BCP goals. The support from senior management facilitates a
cooperative behavior from other parties involved in the contingency planning and
provides a foundation for the development of mutual goals for the achievement of
integrated planning activities and plays an important role in enforcing planning efforts
(Hall et al., 2012).
Business contingency measures that are necessary for successful implementation
of BCP entail collaborative interdependent relationship among all the stakeholders
throughout the organization, where all parties work closely together to create mutually
beneficial outcomes for the business (Hall et al., 2012). Collaboration between
organizational departments and among managers can result in company-wide benefits
that include joint knowledge creation, expertise sharing, and understanding of the other
party's intentions and strategic approaches (Hall et al., 2012). The collaborative activities
55
throughout the organization include exchanging BCP related information such as risk
assessment, identification, and mitigation practices, leading to increased contingency
planning effectiveness. The benefit of collaboration during any inter-organizational
process is often improved effectiveness of the process (Hall et al.).
The inter-organizational collaboration required for effective BCP mediates the
relationship between cooperative attitude and contingency planning effectiveness that
requires a mechanism for transfer of knowledge among planning partners (Hall et al.,
2012). Technology-driven factors that contribute to effective inter-organizational
collaboration include information sharing, type and frequency of information exchange,
and communication channels (Hall et al., 2012). Information technology is an enabler of
contingency planning effectiveness. The communication between managers and
employees through inter-organizational collaboration process mediates for a beneficial
business relationship, resulting in effective contingency planning and BCP (Hall et al.,
2012).
Small business continuity planning and implementation directly support
sustainable continuity of business operations as well as impart realizable impact on
communities because most small businesses were found or descended from founders that
have local involvement in the day-to-day business and community activities (Ibrahim,
Angelidis & Parsa, 2008). BCP creates interchangeable influence of business and
community convergence through the sustainable business operations, continuous
accessibility to utilities, telecommunication, or availability of amenities to communities
that surround businesses with BCP. Clive (2010), in a study on disasters related to
climate change, observed that significant number of public sector authorities who lacked
56
integrated disaster management plans nor had business continuity plans necessary to
assess risks and develop strategies that mitigated the effects of natural disasters and
severe weather events. Disasters continue to threaten both organizations and human life
worldwide, a trend observed to escalate since 2008 when the number of reported natural
disasters was 326 worldwide, with some 235,736 people reported killed, at a cost of US$
181 billion (Clive, 2010). Severe economic effects, as opposed to the threat to life, of
major disasters are more often felt within developed countries principally because of
greater density of population and investment in buildings and infrastructure in developed
regions, mainly disasters related to natural events that cover climate-caused disasters,
hydrological disasters and geographical events (Clive, 2010). Geographical events are
mostly caused by earthquakes, but also include mass earth movements and rock fall,
which can be a consequence of weather-related events and a potential consequence of
climate change, with two main categories of hydrological and meteorological disasters
accounting for over 80 percent of the top ten largest disasters in the past decade (Clive,
2010).
Small businesses without BCP risk occurrences of major as well as minor
incidences that would result in disruption to the business due to lack of clarity in
assessing critical activities by management teams from different departments and failure
to use business continuity management determine the criticality of the service in a given
disruptive scenario (Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012). Failure to implement
a crisis management plan as a business continuity best practice lead to the inability by
management to eliminate unforeseen operational disruptions, lack of standardization of
57
disaster recovery processes, and lack of data security with regards to the use of personal
devices to access organization’s network during disruptive events (Heng et al., 2012).
Summary
The literature review indicated wide spread interest by small businesses to
establish sustainable BCP and management’s prioritization of recovery plans that
accommodate the interests of clients, stakeholders, shareholders, and community social
responsibilities through integration of business continuity planning with societal level
planning and facilitates of economic risk in the event of disasters or unexpected
disruptions. The ability of organizational management to implement a sustainable BCP
and to successfully react to emerging crises, contingencies, and uncertainties is driven by
the extent to which the organization has established an embedded BCP. The success of a
sustained BCP is rooted in the organizational management culture that includes business
best processes, policy, procedures, and practices. The long-term impact of natural
disasters on business units could adversely affect wider-corporate tenets with profound
global consequences, particularly in geographical areas with disasters aggravated by
climate change.
The implementation of BCP as a business best practice entails the establishment
and execution of standardized corporate practices awareness and consistent compliance
of practices that promote BCP. Corporate Reputation (CR) is illustrated in the literature
as a component of BCP incorporated into organizational continuity best practices that
evolves into an important asset for organizations that inject continuity through effective
management leadership. The implementation of contingency planning required for
preventing a crisis does not necessarily guarantee an assurance against disruptive event
58
nor does it produce a successful crisis response during a disruptive disaster. The literature
reviewed affirmed that a successful BCP is built on a business contingency process that is
intertwined with the business vision, strategy, business objectives and business plan in an
organizational perspective model that defines the ability of an organization to continue its
operations in case of disruptive events. Some robust pre-crises contingency plans fail to
effectively respond to disasters, except the contingency plans developed for specific
disasters can effectively protect, rescue and restore critical business services.
The literature reviewed raised fundamental concerns and calls for further research
in processes, methods, and policies that would bolster interest in small businesses to
prioritize BCP in the corporate vision and mission commitments. A BCP should be fully
integrated across the organization and incorporate major departments that include
finance, information technology, human resources, and property asset plans. It is not
sufficient to just plan for disaster events but that the BCP must be communicated widely
within the organization and emergency scenarios practiced on a continuous, sustainable
basis (Clive, 2010).
59
Chapter 3: Research Method
The purpose of this qualitative, exploratory embedded multiple case study was to
explore strategic business continuity planning methods for small businesses in the state of
Maryland as perceived by senior managers, the unit analysis of the study in each selected
small business. This proposed study focused on data collection through interviews of
senior managers on actions planned or implemented by small businesses with or without
a BCP to mitigate risks that threaten business continuity and sustainability within
business critical units. As a best practice methodology, BCP was applied as perceived by
different managers of different small businesses, rendering a qualitative research method
appropriate to enable a gradual process of unfolding discovery.
The use of qualitative analysis allows the researcher to compare findings of each
case study and directly compare to the ultimate outcome as represented by research
questions (Onwuegbuzie & Leech, 2009). The subject matter expert (SME) in BCP on
my Dissertation Committee reviewed the interview process and procedures, including
interview procedure preparation, interview questions posed to the managers, and
researcher interview skills before and after data collection. The review of research
procedures as well as the assessment of responses from the six participants, and the
analysis of interview findings ensured validity and verifiability of the proposed study
(Bleijenbergh, Korzilius, & Verschuren, 2010).
Research Methods and Design(s)
Research method. The qualitative exploratory-embedded multiple case study
design was appropriate for the proposed study on business continuity planning because
the research questions focused on the business events within small business firms and
60
examined business functions, individuals involved, or entities (Zikmund, Babin, Carr, &
Griffin, 2010). Multiple case studies enable the accumulation of knowledge across
compounded subject matter and complexities for practitioners, policy makers, and
researchers to draw a conclusion about a phenomenon (Kelly & Yin, 2007). Multiple case
studies allow the researcher to understand the how and the why of contemporary events,
problems, and situations in ways that do not require control over the events or problems
(Shaban, 2009). The research findings on BCP in Maryland provided an understanding of
the perception of BCP by business managers as a risk management tool required to
prevent situations that are beyond human control. The implementation of BCP improves
the perception of the manager’s real workplace preparedness and provides deliberate
awareness of how to react during real events that disrupt business operations.
Research design. The case study research approach on BCP utilized a semi-
structured interview format to collect data from participants recruited from mailing list
provided by small businesses’ associations, clubs, groups, or networks without seeking
for a site permission. The potential participants received recruitment fliers directly from
the researcher. Semi-structure interview allows for standardized questions that enable
researcher to collect detail information in a conversational style such as in policy research
(Harrell & Bradley, 2009). Responses to questions in semi-structured interview facilitated
detailed data analysis and interpretations of relevant data to understand strategic business
BCP in the state of Maryland. A case study research examines the interview questions,
propositions, units of analysis, logic linking of data to the propositions, and criteria for
interpreting the findings (Yin, 2013). The purpose of the interview was to explore the
61
perception of senior managers of small businesses on BCP. The interview aimed at
nuanced accounts of the manager’s experience, knowledge, and skills on preparation or
lack of preparation required for preventing disasters that would disrupt normal continuity
of business operations (Kvale & Brinkmann, 2009).
Ethnography was not appropriate research method for this study because the
design is employed in tandem with participant observation and document analysis as a
means of developing in-depth understanding of phenomena through triangulation (Talmy,
2010). In comparison with multiple case study, design-based research method (DBR) was
not appropriate as well because DBR aimed to generate more usable knowledge for
improving educational practices through iterative analysis, design, development, and
implementation of collaborated research with an objective to develop new design
principles and theories (Luo, 2011). In addition, DBR was not appropriate for a BCP
study because the target data could be sourced from a collaboration of researchers,
contrary to multiple-case study where data can be collected directly from managers and
employees of a small business.
Grounded theory involves the discovery of theory from data in which the
researcher seeks to create a theory about issues of importance in people's lives and
specifically focuses on human interaction or aims to explore new territory emerging from
empirical data rather than from inferences or existing theories (Tan, 2010). Grounded
theory was not appropriate in this research study because examining BCP implementation
for small businesses in Maryland was not an exploration of new territory from empirical
data nor was the research designed to generate theory from systematic collection and
analytic procedures that are grounded on empirical reality. The study on BCP did not
62
entail memo writing for the formulation and revision of theory throughout the research
process expected in grounded theory research design.
Population
The research population was recruited from small businesses’ membership
organizations in the state of Maryland and included the following: America’s Small
Business Development Centers, Baltimore County Chamber of Commerce, Frederick
Chamber of Commerce, Maryland Small Business Association, and Minority Business
Enterprises Maryland Department of Transportation. Additional organizations included
Business Online Networking, Baltimore Entrepreneur Meetup Group and Business
Acceleration Networking and Coaching. A small business in Maryland is defined as a
business that employs less than 50 persons in its wholesale operations; has gross sales
that is not exceeding an average of $2,000,000 in its most recently completed three fiscal
years; and, if the business is a retail operations merchant, it must employ less than 25
persons (State of Maryland Small Business Reserve Program, 2012). Small businesses
involved in manufacturing must employ less than 100 persons in its manufacturing
division, while the services division of the same business must employ at least 100
persons in order to be designated as small business in the state of Maryland. The
businesses engaged in construction industry with less than 50 employees and whose gross
sales average is less than $7,000,000 in its most recently completed three fiscal years,
qualify for small business status (State of Maryland Small Business Reserve Program,
2012). The managers from the small businesses that met the small businesses criteria
were the most appropriate for the research interview.
63
Sample Process
Purposive sampling method was conducted on senior managers from six selected
small businesses of different industries in Maryland that were members of one or more
business groups. The small businesses were recruited from various businesses of the
private sector. Maryland posts 19 major business industries from which small businesses
represent 21.05% of all the industries (Maryland Department of Business and Economic
Development, 2014). The justification of the sample size was founded on the principle of
drawing a limited number of small businesses’ industries from a larger pool of small
businesses within the typical range for a case study research (Kelly & Yin, 2007). A
letter, requesting managers to participate in the study interview was dispatched directly to
the potential participants who participate in the activities of a small business association
or network group (Appendix B). Where the membership of the small businesses with the
associations/network groups was not available in the public domain, the
association/network group was requested through an email letter (Appendix A). The
scheduling of the interviews was done via email.
Interview Preparation
The preparation of the semi-structured interview investigation that explored the
perception of senior managers of small businesses on BCP entailed formulating and
thematizing the purpose of the interview and the description of topic concepts before the
start of the interview stated on the interview protocol (Appendix C). Interview protocol
allowed the researcher to formulate, structure, probe, and sequence the interview (Harrell
& Bradley, 2009). The recruitment of the senior managers of small business companies
entailed contacting potential participants through small business associations such as
64
America’s Small Business Development Centers, Baltimore County Chamber of
Commerce, Frederick Chamber of Commerce, Maryland Small Business Association,
Frederick Small Business Roundtable Group, LeTip Frederick Network, Frederick
Economic Development, MD Electrician & Electrical Engineers, and Minority Business
Enterprises Maryland Department of Transportation. The interviewee was expected to
have profound knowledge and experience in the field of the study (Harrell & Bradley,
2009).
The senior managers were briefed of the purpose of the study and the guidelines
on pre-prepared questions that required responses based on the manager’s experiences,
knowledge, and skills on the preparation or lack of preparation required for preventing
disasters that would disrupt normal business operations. The interview was framed by a
briefing before the start of the interview (Appendix D). The explanation of research
ethics covered the interview confidentiality, anonymity, permission to record the
interview, and the voluntary nature of the study (Appendix E).
The interview questions were devised to respond to the perception of BCP by a
senior manager of selected small businesses. The analysis of the responses from the
interviewees provided the basis of the prevailing perceptions of BCP among managers of
the small businesses. The interview responses enabled the researcher to gather insights
into how the interviewees viewed the future direction of the organization, while
disclosing their own mirror of reality as well as their vision of the future relevant to the
subject matter (Qu & Demay, 2011).
65
Data Collection, Processing, and Analysis
Data collection. The data collection was based on a selection of six small
businesses from diverse industries that included but not limited to transportation,
electrical services, banking, commercial cleaning services, film, and photography. The
distinct businesses selected in this study were the major leading industries that maximize
Maryland’s strengths and assets in industry leadership, employment workforce, and
contribution to the state’s annual economic production (Maryland Department of
Business & Economic Development, 2014). Data collection commenced with formal
submission of an informed consent letter after approval by Northcentral University
Internal Review Board (NCU IRB). Senior managers of small business companies were
asked to participate in the study (Appendix A). The interviewing stage focused on the
senior managers of six selected small businesses. The participant senior managers had
responsibilities or duties that directly affect daily business operations such as finance,
procurement, information technology, human resources, or senior management personnel
responsible for decisions that affect service delivery processes. Once the interview
request was granted, interview questions were emailed to the research participant. The
confidentiality and the anonymity of the participants was maintained in two forms. First,
the names of the companies were coded with abbreviation of their company names.
Secondly, email communication was dispatched using NCU’s email portal, which is
relatively secure compared to personal emails. The investigation questions were
formulated on the interview protocol for the exploratory embedded multiple case study
(Appendix C). The next step entailed the processing of the collected data.
66
Data processing. Semi-structured interview design provided the conversational
interaction through appropriate medium, which Kvale and Brinkmann (2009) explained
as necessary in order for the interviewee and interviewer to learn about their experiences,
feelings, attitudes, and the world they live. Data analysis process entailed using codes to
reorganize the disassembled fragments of data into different groupings and sequences by
arraying the data in tabular forms (Yin, 2011). The collected data was disassembled,
indexed and labeled according to categories such as name of participating company,
stating whether the company has implemented BCP or not, then respective company’s
participating manager, manager’s role and responsibility, and the data collected from that
company.
Data analysis. The analysis of the responses from the interviewees provided the
basis of the prevailing perceptions of BCP among managers of the small businesses. The
analysis relied on item-response methodology to support or not support the significance
of BCP within small businesses category (Kelly & Yin, 2007). Data analysis involved the
breakdown, segmentation, and reassembling of data to form meaningful and informative
findings (Kvale & Brinkmann, 2009). The BCPs that have been developed and
implemented by the selected organizations were discussed during the interview and
analyzed in order to determine how the BCP was incorporated into the overall
organizational best practices. The collected data was analyzed in order to establish
thematic patterns on levels of proactive and mitigating measures that guided management
against risks or disruptive events on business operations.
The breakdown step of coding the data entailed the labeling and the assigning of a
code representing the core topic of each category of data after removing case
67
organization’s identity from the interview responses. An open coding approach was used
to break down the collected data into segmented but discrete parts, closely examined, and
compared for similarities and differences among small businesses of different industries.
Open coding was conducted by analyzing the texts and distinguishing different themes
and concepts found in the data. The segmented data collected from the senior managers
of all the six small businesses was regrouped based on their relevant content into
categories of perceptions from the managers of small business with BCP and from the
managers of small businesses without BCP. Finally, selective coding was conducted by
making logical connections between the core categories in order to state the final findings
of the interviews. The discrete parts of data included backup servers; records and
information management plan; functional areas that support business processes and
operations; records of risk assessment results, personnel accessibility to original
documents and status of physical facility safety (Omar, Alijani, & Mason, 2011).
The computer assisted application tools and tables, such as Excel and Microsoft
Word, captured a variety of expanded data and enabled flexibility to change data analysis
and presentation during the course of data collection in efforts to achieve lower errors and
costs (Axinn, Link, & Groves, 2011). Software applications such as NVivo enable the use
of systematic coding of data and facilitate the ability to collect, organize, and analyze
these varied data types, including the importation of data noted in other applications such
as Microsoft Word, Portable Document Format, and Excel. Almost any form of audio,
photo, and video files could be imported along with Excel spreadsheets and Access
databases (Castleberry, 2012).
68
The ethics concerns about anonymity and confidentiality were omitted while data
coding was performed to identify information for data analysis; transcribe oral speech to
written text if applicable; and for comparison of findings between the small businesses
using comparative analysis method (Wahyuni, 2012). Data was stored in a safe system
that enabled easy retrieval for various data formats of collected data and complied with
ethics requirements for conducting field research such as the use of locked filing cabinets
for hard copies and password-protected computer systems for electronic copies.
The accuracy and validity of the data collected was verified through the
credibility method of data triangulation, which is concerned with whether the study
actually measures or tests what is intended (Wahyuni, 2012). The interpretation of the
data involved reassembling of data and checking for completeness, fairness, and accuracy
by having participants review interim results of the research (Yin, 2011). The interim
results were emailed to the research participants as an array of validating the consistency
of data as well as identify other perspectives on BCP which may have been overlooked in
the past interviews.
Assumptions
The assumption made was that qualitative multiple case study was the most
appropriate choice of this study. A qualitative multiple case study produces a logical
sequence that relate the research data to the study’s research questions, and ultimately to
the conclusion (Yin, 2013). The utilization of data analysis software deduces technical
presumption of the accuracy of the data output (Harrell & Bradley, 2009). The results
from interviews conducted were analyzed using thematic analysis technique, where the
accuracy of the data analysis was partially based on the assumption that thematic patterns
69
provided the most accurate and optimum data analysis. A reconfirmation of emerging
themes on the results provided assurance of the results from the data analysis.
In order to mitigate any bias against case study research, utilization of techniques
such as data triangulation process was applied, which entailed the precision of
documentation of interview procedures checked against the complete list of participating
companies and managers and the research questions covered for each manager. Complete
documentation included checklist procedure assuring that all appendices were covered.
Secondly, all interview responses from all managers were cross-checked the research
questions outlined in the interview protocol, providing assurance of satisfactory
responses. The process of cross-checking responses against questions allowed researcher
to identify and correct potential obstacles to the validity and explanation of the findings
(Yin, 2013). Thirdly, the responses from all the managers were compared using thematic
patterns to establish any correlation of the responses or absence of such correlation,
which provided validity of the commonly shared perceptions of BCP among the
managers of small businesses. Validity is established when different interview
participants provide the same response to the same question (Guion, Diehl, & McDonald,
2012).
Limitations
The limitations encountered in face-to-face semi-structured interview design
include low participation turnout which could result in inadequate representation of total
population of the study (Keller, 2008). Low participation was resolved by improvising
face-to-face approach with telephonic or email interviews. There were no response that
was incomplete nor lacked detailed information to limit the success of the interview.
70
Rescheduling for secondary interview with participant was not required because there
was no limitation to mitigate. Each participant was provided with a copy of respective
interview responses for confirmation and validation of completeness.
Delimitations
The delimitations of the interview design in the study included the possibility that
the measures instituted for BCP would vary from one disaster type to another across the
state of Maryland. According to FEMA (2012), Maryland experiences frequent severe
winter storms, snowstorms, hurricanes, and other threatening natural disasters annually
across some counties. The six companies that participated in the study were not selected
based on specific geographical criteria because disasters would strike at any location
within the state of Maryland.
The cost associated with the implementation BCP was a delimitation that cannot
be estimated uniformly across all the companies in the study because of the variation in
the organizational resilience and resources to effectively respond to disaster activities
(Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012). Small business managers fail to develop
and implement BCP due to low priority or lack of budget for up-front costs for BCP and
the possibility of little to no-return on BCP investment (Duncan, Yeager, Rucks, &
Ginter, 2010).
Ethical Assurances
The research study commenced upon the approval of the research by the
Northcentral University Institutional Review Board (IRB) through my Dissertation Chair.
In compliance with ethical assurance, the participant managers from the six selected
small businesses provided voluntary consent to participate in the interview (Appendix D).
71
The participants were informed of the interview process, role of researcher, how the
interview data would be used, and their basic rights, including withdrawal of consent at
any time or refusal to answer any questions (Qu &Dumay, 2011). The interviewees had
full participation in the study, understood the interview instructions, comprehended the
interview questions, and that the interview responses were monitored, and progress
recorded throughout the study (Drost, 2011). The interviewees were provided with a
consent form which was signed off by both the participant and the researcher. The
interview process employed the seven stages of interview investigation suggested by
Kvale and Brinkmann (2009) that included designing, interviewing, transcribing,
analyzing, verifying, and reporting.
Summary
This dissertation utilized exploratory multiple case study methodology to examine
the establishment and implementation of sustainable management measures of BCP by
small businesses in the state of Maryland that was necessary as a best practice to resolve
natural and manmade disasters. Such disasters would disrupt continuity of business
operations, services to suppliers, customers, government, and employees. The collection
of data and information related to business continuity planning from small enterprises in
Maryland entailed descriptive and contextual analysis that examined the implementation
of BCP or lack of it, and the critical importance to sustain business operations during
disasters. Research questions were utilized in the exploratory multi case study that target
on senior managers of small businesses as units of analysis in order to facilitate clear
identification of research methodology and provide direction to resolving questions that
arise from BCP experiences collected from research participants. Small businesses in the
72
state of Maryland require a corporate culture of preparedness that includes fiduciary
responsibility, compliance, prudence, and seamless identification of business
vulnerabilities and threats.
The researcher sampled six small businesses across various industries in
Maryland consisting of a mixture of businesses with or without BCP across various
industries that included but not limited to transportation, banking, consulting, technology,
health, education, and utilities industries. I examined small businesses that have fully
developed or partially developed BCP, and assessed their successes in meeting or
exceeding service delivery expectations of clients during disaster events, including
developing, acclimatizing, implementing, and practicing sustainable BCP.
73
Chapter 4: Findings
The purpose of this exploratory embedded multiple case study was to explore
Maryland as perceived by senior managers, the unit analysis of the study. Maryland state
forms a significant part of the Washington District of Columbia (DC) transportation and
operational system, comprised of a 600-segment network that is exposed to threats of
radiological dispersion devices, high travel capacity, and evacuation impracticality
(Lambert et al., 2012).
The chapter on results consists of the data collection and analysis used to evaluate
the 10 research questions discussed in Chapter 3. The results of this qualitative case study
affirmed the perceptions held by managers and business owners of small businesses in
Maryland state on business continuity planning (BCP). The findings of the study will
present the research questions and interview themes. The findings include the perceptions
of the senior managers on BCP and the sub-themes that include the mechanisms
developed to prevent minor or major disasters that may disrupt business operations. The
replication of interview responses from six business owners and managers provided
confirmability for the study (Yin, 2013). The evaluation section of the findings of this
chapter facilitates the interpretation of the results and analysis of the BCP conceptions
relayed by small business owners and managers during the interview. The conclusion of
the Chapter summarized the key points significant to the study.
Credibility, transferability, dependability, and confirmability. Credibility was
established and maintained by the physical meetings with each of the participants, and
subsequently reviewing their responses individually. Each participant was provided with
74
a copy of his or her respective responses for confirmation. The collection, integration,
and presentation of data from different sources and respondents affirmed the credibility
and trustworthiness of data (Yin, 2013). Triangulation was achieved through multiple
data sources collected during the semi-structured interviews, which enabled the
confirmation of information and discovery of divergent perceptions (Yin, 2013).
Credibility was established through prolonged engagement with each participant when
responding to the interview questions as well as the consistency in responses (DeVault,
2016). The themes to the research questions emanated from business owners that
represented divergent business operations and industries.
The transferability was achieved by examining the perceptions by business
owners on BCP as a strategic tool limited to preventing the loss of business continuity
operations in an event of a disaster (Yin, 2013). The limited amount of data collected
involved limited numbers of data collection units of business owners or managers,
accomplishing generalization of the results (Leung, 2015).
Dependability and confirmability was established through de-identification of
replicable responses with unique codes, and storing collected data in a secured database
(Anney, 2014). The consistency in all responses on the importance of BCP to the
continuity of business operations during disruptive events confirmed the dependability
and confirmability of the research results (Moon et al., 2016). The de-identified codes of
respondents and data collection detail were collected and will be made available, upon
request, for verification of findings and future research (Moon et al., 2016).
75
Results
The macro level research questions for the study focused on the significance of
BCP to small businesses in the state of Maryland. The investigation under study was
centered on exploring perceptions of senior managers or owners of small businesses on
BCP. Six research questions were utilized to probe the perceptions of the senior
managers.
Research questions. The purpose of the multiple case study was to explore the
Maryland as perceived by senior managers or business owners, a significant management
strategy for establishing resilience and prevention against business crises (Kronis &
Ponis, 2012). The research questions explored the perceptions of BCP by business
owners or managers selected from various sectors of businesses. The research relied on
six participants who composed of four business owners and two managers. A semi-
structured interview protocol was developed to allow open-ended responses to the
research questions (Harrell & Bradley, 2009). The interview protocol (Appendix C)
entailed: (a) the opening introduction and invitation to the participant to discuss
responsibility roles at the business; (b) the opportunity to the participant to discuss any
internal threats to the business; and (c) the opportunity to discuss any external threats.
Table 1 shows the demographic profiles of the six participants that were
interviewed in this research study.
76
Table 1
Demographic Profiles of the Participants
Participants Position Business
Held Operations
DE Vice President Banking
EB Owner Photography
EK Owner Chauffeur Services
HD Manager Electrical Engineering
MS Owner Cleaning Services
SP Owner Electrical Services
Table 1 illustrates that four out of six participants or 66.67% were business
owners while 2 out of 6 or 33.33% were senior managers of selected business
organizations.
The following research questions guided the study:
management of small businesses in the state of Maryland?
Q2. How do senior managers of small businesses with BCP perceive that Business
Continuity Planning (BCP) provides value to the small businesses operating in the state
of Maryland? Why do senior managers of small businesses without BCP perceive
differently or that there is no value in BCP?
Q3. How do senior managers of small businesses perceive managerial responsibility for
establishing sustainable Business Continuity Plan for small businesses in Maryland?
77
Q4. How does small businesses’ management in Maryland perceive risk management
while prioritizing sustainable BCP?
Q5. Why do senior managers of small businesses in Maryland with BCP perceive that
critical success factors for business operations are important to achieving a sustainable
BCP?
Q6. Why do senior managers of small businesses in Maryland without BCP perceive that
critical success factors for business operations can be achieved without a sustainable
BCP?
Responses to research questions. Patterns were examined to identify the themes
of responses from participants to research questions, leading the researcher to believe
saturation was achieved (Yin, 2013).
The research questions are restated below, along with responses of participants
about perceptions of BCP. The results of the study are collated by restated interview
question and emerging themes from each research question.
Results: Research question 1. How is strategic Business Continuity Planning
(BCP) perceived by the senior management of small businesses in the state of
Maryland?
The question sought to establish the overall holistic view of BCP by the
management leadership within their organizations. Table 2 illustrates the themes and sub-
themes generated because of analysis of coding the responses to question 1, which were
aggregated into three themes of BCP perception by senior management of investigated
businesses: (a) essential element of daily business operations, (b) protection of data
privacy for stakeholders and customers, and (c) assurance of data integrity to
78
management. The sub-themes explain the perception by specific participant or
participants within the main theme.
Table 2
Themes and Sub-themes Associated with Senior Management’s Perception of BCP
Themes Strategy
T1 Perceived as essential element of daily

business operations.
T1.1 Back-up of daily processes and

operations
T1.2 Maintain sets of servers for data and
information
T2 Perceived sharing of information with external

partners.
T2.1 Align BCP systems with external

regulatory or governing authorities
T3 Perceived assurance of data integrity
T3.1 Conduct workshops on data security

awareness for vendors and customers
Theme t1 - perceived as essential element of daily

business operations.
Theme 1 (T1) outcome emphasized the significant role of BCP as an essential
element of daily business operations. The theme emerged from the perception of BCP as
a critical component of protecting and managing data in real-time mode, compelling
79
management to embrace the strategy of implementing instant back-up of live data across
operations (T1.1). Respondent DB stated,
BCP is considered an essential element of daily operations and any medium or
long term plan. Management is constantly evaluating back up plans for every
major system implementation and processes important for daily operations.
Vendors are also required to provide information about their BCPs to ensure safe
operations.
The implementation of efficient and effective backup and recovery procedures
required management to develop a comprehensive backup plan, perform an effective
backup management, perform periodic databases restoration testing, and keep knowledge
and know-how on database as well as operating systems backup and recovery tools up to
date (Akhta et al., 2012). The perceived importance of BCP resulted in management’s
initiatives to set up off-site servers or cloud technologies that minimized risks during
disaster interruptions (T1.2) as reiterated by EB that “we have strategized by maintaining
server off-site as well as 2-sets of data drivers, one onsite and another at personal storage
at home”. Separate sets of servers, including CLOUD computing allowed participants to
access data at ease, rapid elasticity of storage capabilities, and dynamic scalability that
enables instant demand for data or information (Mao & Humphrey, 2016).
Theme t2 - perceived sharing of information with external partners.
Theme 2 (T2) entailed perceived sharing of information with external partners.
The sharing of information with parents or government agencies such as Department of
Education was supported by statements by EK that business planning “involves all the
stakeholders – parents, after-school activities providers, and Department of Education.
80
We have to align our plans with Department of Education schedules”. The phenomenon
of sharing customer’s personal data with oversight government authorities or other
regulators required that the business managers must align the internal security systems
with the oversight external big data systems, by relaxing data minimization and consent
requirements (Tene & Polonetsky, 2013).
Theme t3 - perceived assurance of data integrity.
The analysis of responses to question 1 also yielded theme 3 (T3), which was a
perceived assurance of data integrity and resilience as supported by response from MS:
Strategic Business Continuity Planning (BCP) is key to our organizations day to
day operations and survival. I am assigned to the National Protection and
Programs Division (NPPD). I conduct exercises and workshops for all 16 critical
infrastructure sectors. A vast majority of my work exercises continuity business
plans for US companies. As the manager of the operations of my company I bring
my expertise and background to my company so that we can address our
vulnerabilities and stay resilient.
Data integrity strategy require that the processing, preserving, and sharing of data
involve establishing and adopting common standards best practices (Vallance, Freeman,
& Stewart, 2016). Participants had taken initiatives that included creating awareness of
data integrity importance to employees and stakeholders through workshops on risk
hazards such as internal threats, cyber-attacks, or cascaded effects caused by human-
made and natural catastrophes.
81
Results: Research question 2. How do senior managers of small businesses with
BCP perceive that Business Continuity Planning (BCP) provides value to the small
businesses operating in the state of Maryland? Why do senior managers of small
businesses without BCP perceive differently or that there is no value in BCP?
Responses to the research question on perceived value of BCP synthesized into
three themes, with four respondents or 66.67% (DE, EB, MS, and SP) affirming they had
implemented BCP while two or 33.37% respondents (EK and HD) had partially
implemented. The emerged themes demonstrated the perception by business owners or
managers that BCP (a) increased growth in business operations, (b) created trust and
confidence from customers and partners, and (c) enabled adaptability to new technologies
even the two businesses that had partially implemented BCP. Table 3 illustrates the
themes exhibited by responses to research question 2.
82
Table 3
Themes Associated with the Perceived Values Arising from implemented BCP
Themes Value-Added Enabler
T4 Perceived increase in business

growth.
T4.1 Business focus increased business

operations.
T5 Perceived trust and confidence by

customers and partners.
T5.1 Reliability on data integrity.
T6 Perceived adaptability to emerging

technologies.
T6.1 Communication systems and modes

of transmitting information.
T7 – safeguarding business data and
information by small businesses with
partially implemented BCP.
T7.1 Secured backup of data and business

information
Theme t4 - perceived increase in business growth.
Theme 4 (T4), the perception of increased business growth, is supported by the
ability of management to focus on the core of business operations as an value-added
enabler arising from the assurance that running of business operations is secured from
disruptive events. The response from DE, a senior manager in the banking industry
attributed, significant growth in business transactions and delivery of efficient services to
the assurance provided by BCP.
83
Most clients don't realize that the bank makes substantial investments into BCP,
yet in an emergency they expect to be able to process transactions and have access
to cash. Therefore, the value of a well-designed and reliable BCP cannot be under
estimated. Failure to provide a reasonable level of service in a large scale disaster
would have severe negative consequences for the institution for a very long time.
The implementation of BCP by the bank ensured that the customers would be able
to access cash and transact business without disruptions in an event of a disruptive
disaster.
Theme t5 - perceived trust and confidence by customers and partners.
The phenomenon of a secured personal private data is a value-added advantage
resulting from the perception of trust and confidence in BCP (Theme 5). The respondent
EK, who operated school children transportation system, was a custodian of personal
records that contained the private data of children and parents, stating,
BCP is valuable to us because we maintain personal data for parents and
children that should be secured at all times. Commutations applications are also
maintained to enable prompt communication to parents in case of emergencies,
after-school activities, or whenever needed.
Theme t6 - perceived adaptability to emerging technologies.
Theme 6 (T6) was attributed to the perception of BCP to create an environment
that is adaptable to emerging technologies. MS stated that “BCP [is] a living document of
procedures and guidelines as it is always changing as we grow and take on more
responsibility in handling client information”. The benefits of any technology such as
BCP are optimized through scalable environment that allows easy access to data in usable
84
formats, creative powers, and transparency on data for new innovative uses (Tene &
Polonetsky, 2013).
Theme 7 – safeguarding business data and information by small businesses with
partially implemented BCP
Theme 7 (t7) was grounded on responses from two participants or 33.33%
(EK and HD) that had partially implemented BCP. The second part of the research
question was aimed at senior managers without or partially implemented BCP in
strengthen research validity. Yin (2013) stated acceptability of counterintuitive direction
of correlation in research questions in order to address inadequacies in data collection
while strengthening research validity. The theme (t7) exhibited the importance of BCP in
providing an enabled and secured environment for business data and information even
when it was partially implemented. HD stated that despite being partially implemented,
BCP “…is critical for safeguarding business documents and customer information”. The
response from MS emphasized the importance of BCP. Stated MS:
BCP is a must. Organizations who do not build and shape a BCP may find
themselves victim to events and situations that could either be avoided or could
have been lessened by an effective business continuity plan.
Results: Research question 3. How do senior managers of small businesses
perceive managerial responsibility for establishing sustainable Business Continuity
Plan for small businesses in Maryland?
Three themes emerged from responses to research question to underscore the
significant BCP responsibilities of the business owners and senior managers of small
businesses in Maryland, necessary to establish and maintain sustainable BCP, namely (t8)
85
continuous evaluation of risks and threats to business operations, (t9) guarantee safety of
business systems, internal or outsourced systems. Table 4 provides list of themes.
Table 4
Themes on managerial responsibility over BCP decisions
Themes Responsibility
T8 Continuous evaluation of BCP risks

and threats
T8.1 Identify and resolve system
anomalies and threats
T9 Guarantee safety of business systems
T9.1 Implement modern and safe
systems
T10 Testing and training
T10.1 Continuous testing of BCP and

training of personnel.
Theme t8 – responsibility of continuous evaluation of BCP risks and threats
Theme 8 (t8) on continuous evaluation of risks and threats associated to BCP was
supported by responses from DE and MS, which represented two of the six participants
or 33.33%. Evaluating or monitoring of BCP systems provides an assurance to
management, customers, and business partners of a resilient system readily prepared to
prevent loss of business during disruptive events (t8.1). DE emphatically stated that:
86
As an advocate for the client, I am constantly looking for anomalies in daily
operations, computer systems, transactions, employee behavior, client behavior,
etc., that could potentially be a threat. Threats are also evaluated during strategic
planning as we consider client access channels, new products, information
technology.
Evaluation of systems risks and threats extends beyond internal systems to
External systems to ensure optimum performance as well as identify and resolve potential
threats (t8.1). The management uses evaluation or monitoring techniques of specified
indicators to provide corporate leadership and main stakeholders with assurance of
effective interventions necessary to address risks and threats (Kimweli, 2013).
As business owner, MS believed that he had the ultimate responsibility of
ensuring that BCP was running on optimum performance and safe from risks and threats.
MS stated that “it is my responsibility and duty to build a business continuity plan and to
shape it to fit my organization. I perceive this as very important and the core of
preparedness”.
Theme t9 – responsibility of guaranteeing safety of business systems.
The responsibility of guaranteeing the implementation of modern and safe
business systems in their organizations was emphasized in all responses. The execution
of the theme was inherent in the responsibility of business owners and managers to make
decisions that ensure implementation of modern and safe systems across all units of
business operations (t9.1). Five out of six participants or 83.33% of the respondents
directly or indirectly supported the theme by stating that:
87
DE: As an advocate for the client, I am constantly looking for anomalies in daily
operations, computer systems, transactions, employee behavior, and client
behavior.
EB: Main responsibility as owner and president.
EK: I make decisions on safety of systems, software for marketing and
communications, in ensuring personal private data of children and parents is
safeguarded at all times.
HD: Outsource of services…. but decisions on pricing and services come from
our management.
MS: It is my responsibility and duty to build a business continuity plan and to
shape it to fit my organization. I perceive this as very important and the core of
preparedness.
The process of decision making for any business operation is an inherent vital
aspect not only for the organization but also for individuals who make daily decisions
because the ultimate responsibility stops at them as owners or managers (Nowduri, 2013).
Theme t10 – testing of BCP and continuous training of personnel.
Theme 10 (t10) was grounded on the utilization of testing and training as
techniques for maximizing the benefits of BCP (t9.1). DE and MS, representing 33.33%
of the participants, supported the theme through deliberate initiatives within their
businesses that ensured that deliberate plans to test BCP were embedded in the holistic
corporate best practices. DE stated that:
BCP must be tested routinely to ensure the plan can be put into action in the time
frames required. The results of the tests must be reviewed to identify weak
88
processes within the plan and make improvements. It is also critical to have
service level agreements with key vendors and have them provide test results that
demonstrate their BCP can be executed in concert with the bank. In some cases,
joint testing may be required.
Continuous systems testing can discover multiple errors, including correctness
errors and performance-degrading errors, alerting systems administrators to changes that
affect systems running time and performance metrics (Muslu, Brun & Meliou, 2013). The
BCP testing architecture could be designed to allow users and programs to interact with
and make changes to the system that are non-intrusive while executing queries to identify
potentially harmful changes.
The theme (t10) was also supported by MS, emphasizing that “I would maximize
the BCP by testing and exercising our procedures, operations, and resiliency. I would
continue shaping the BCP to touch all aspects of my company’s continuity.” Continuous
training of personnel ensured that BCP administrators and planners were informed of
emerging changes in technology as well as new initiatives and innovations that affect
BCP and systems recovery technologies.
Results: Research question 4. How does small businesses’ management in
Maryland perceive risk management while prioritizing sustainable BCP?
The perception of risk by the six senior managers crystalized into two themes,
(t11) perception of risk management as crucial component of BCP, and (t12) perception
of risk management as important but low in impact as result of BCP implementation.
Theme t11 – perception of risk management as crucial component of BCP
89
Risk management plan compliments BCP as a daily management function
operation of small businesses in the state of Maryland, necessary to provide confidence to
management meeting or exceeding business goals. DE stated that risk management was
crucial element of sustained profitability of the bank:
The bank has an enterprise wide risk management plan of which disaster
recovery is an important part. Bank profitability depends on how well they
manage risks in lending, investing, and operations. While it may not be a
insignificant part of the risk management plan, disaster recovery is just one
component of this complex plan that is constantly measured, tested, evaluated,
and improved.
BCP enables execution of risk management plan that allows business operations
to continue under adverse conditions by the introduction of appropriate strategies,
recovery objectives, and identifying vulnerabilities and business operations risks
(Dushie, 2014).
Theme t11 was also supported by MS, who stated that risk management
augmented BCP functionality in his organization:
I perceive risk management at the top of the pyramid for the continuity of my
company. Taking a look at the risks that a business has can help you shape your
business continuity plan.
Theme t12 – perception of risk management as important but low due to BCP
implementation
Four out of six or 66.67% of respondents to question four believed that BCP had
reduced management risks and threats in their business operations, and therefore,
90
perceived risk management as a low priority in their business objectives. The low-priority
rating on risk management planning because of BCP implementation was supported by
the following responses on how they perceived risks in business operations:
EB: Minimum risks, if any.
EK: Important. We have minimum risk. We have a secured data protection
offsite.
HD: Important but no risks for our company.
SP: Risk management is important but we have low risks.
Results: Research question 5. Why do senior managers of small businesses in
Maryland with BCP perceive that critical success factors for business operations are
important to achieving a sustainable BCP?
Responses to research question five generated two themes that associated the
drivers of critical success factors of daily business operations with the benefits of BCP
for small businesses in the state of Maryland. The integrated themes are illustrated on
Table 5, namely (t13) effective business operations, and (t14) secured systems security.
91
Table 5
Themes on critical success factors associated with sustainable BCP
Themes Critical Success Factor
T13 Effective business processes
T13.1 Timely delivery of services
T14 Secured systems security
T14.1 Reliable data security
T14.2 Instant data retrieval
Theme t13 – effective business processes.
The implementation of BCP by the small businesses in the state of Maryland
created a focused business environment that empowered management to operate effective
business processes and practices (t13). Management experienced efficiency, leading to
critical success factors that include prompt delivery of services, transactions accuracy,
management confidence, and profitability growth (t13.1). DE from the banking industry
stated that:
DE: As explained above, the bank manages thousands of processes each day to
ensure client transactions are processed promptly and that security protocols are
followed to protect data and assets. While complex and poorly understood by
consumers, these processes are essential to the community and broader economy.
Failure to perform these functions jeopardizes the Bank's reputation and
sustainability. Even in volatile or even disastrous times, the bank must be able to
92
perform these functions at a reasonable level or face a failure in confidence
among its clients.
Confidence in management operations and processes result in holistic workflow
planning, process simulation, process mining, capacity management, and high-yielding
production of services or goods (Grau & Moormann, 2014).
Theme t14 – secured systems security.
Theme 14(t14) emerged from secured systems security because of sustainable
BCP. Three out of six participants or 50% expressed confidence in the effectiveness of
their systems security secured by BCP, which led the reliability of data (t14.1) and
effectiveness of instant data retrieval processes (t14.2). EB observed that BCP
implementation created greater impetus in “safeguarding personal data as part of our
business success.” Stated HD,
We have secured backup of data, and reports are generated monthly for our
management review. We continuously improve where necessary.
On critical success factors related to data retrieval and recovery (t14.2), MS believed that
BCP had been an enabler for efficiency in business operations. MS stated “BCP can
allow for a smoother recovery from events and situations that would normally be
devastating to your business”. Similar response was echoed by SP who stated that BCP
had improved critical success factors in business operations related to “…customer data,
personal financial information, business financials, job tracking applications or Job
Tracker Program, proposals, or contracts. All costs are [efficiently] captured in overall
business costs”.
93
Results: Research question 6. Why do senior managers of small businesses in
Maryland without BCP perceive that critical success factors for business operations
can be achieved without a sustainable BCP?
Responses to research question six was expected to further interrogate participants
who had not implemented BCP, generating two themes: t(15) and t(16). The responses
from HD and EK were in line with the question framework because they had not fully
implemented BCP.
Theme t15 – safeguarding of data off-site
HD response generated theme 15 (t15) of safeguarding data off-site using servers
and frequent backups provided by professional server services that include off-site data
protection services and CLOUD technologies. HD perceived that a fully implemented
BCP was critical in “safeguarding of business documents and customer data…now
secured at offsite servers. BCP is important in ensuring continuity of business
operations”.
Theme t16 – collaboration with external services providers.
Theme 16 (t16) was the outcome of business collaboration between small
businesses without fully implemented BCP in the state of Maryland without, and
technology service providers for offsite data-backup, secured services and information
systems security services. For small businesses without an implemented BCP, an
effective and efficient collaboration requires homogenous systems that allow businesses
to communicate and transfer live data in real-time that include strategies and recovery
plans during disastrous events (Mische & Wilkerson, 2016). EK stated that without a
fully implemented BCP, the use of external BCP providers for instant communication
94
with parents, transportation drivers, and after-school activities’ providers was critical. EK
emphasized BCP ensures “there is instant access to customer information, especially on
communications at times of bad weather”.
Evaluation of Findings
The six research questions provide the framework for investigations, data
collection, and analysis of the research findings. The results from the multiple case study
research affirm the outcome of the examined interview questions, propositions, units of
analysis, logic linking of data to the propositions, and criteria for interpreting the findings
(Yin, 2003). The purpose of the interview was to explore the perception of business
owners or senior managers of small businesses in the state of Maryland on BCP, where
four business owners and two senior managers were interviewed and responded to the
investigation.
The findings affirmed the theoretical and conceptual framework grounded on the
perception that BCP increases value in service delivery and provides disaster recovery
framework and preparedness to minimize loss in emerging disruptive events and
contingencies that abort business continuity (Low, Liu, & Kumaraswamy, 2010). The
organizational BCP framework entailed internal factors that include business processes,
business infrastructure, resources, and people that are essential for the effective
functioning of the company. The implementation of BCP provided a framework for
management of the small businesses to build organizational resilience with the capability
for an effective response to disasters that safeguarded the interests of organization’s
stakeholders, reputation, product brand, and value-creating activities (Heng, Hooi, Liang,
Yap, Azizie, & Tze, 2012).
95
The findings established that senior management recognize and embrace the
benefits of BCP, contradicted existing literature that corporate management provide low
support to business continuity management because of insufficient knowledge and
importance of BCP (Venclova, Urbancova, & Vydrova, 2013). Study by Dushie (2014)
that business managers fail to plan for disasters because of inadequate information, cost,
apathy, and low priority contrasted with the findings in this study. All the mangers I
interviewed, including the managers who had partially implemented BCP, pragmatically
and deliberately implemented proactive measures against disasters, either internally or
sourced services externally.
The de-identification coding and theming of data collected from the business
owners and senior managers of six businesses resulted in the development of themes
aggregated under theoretical and conceptual framework of BCP strategies, secured
systems, techniques, value-added enabled processes, risk management initiatives, and
decision making responsibilities. The themes that revolved around perceived BCP
strategies and critical success factors emerged from research questions one and five: (a)
essential tool or element of daily business operations and service delivery, (b) data
integrity assurance, and (c) routine review of BCP performance. The themes related to
secured systems resulted from research questions one, two, three, and six, include (a)
protection or safeguarding of personal private data, and (b) acquisition of modern
technologies. The responses that underscored management’s responsibility to maintain a
sustainable BCP emerged from research question three with themes that illustrate the
impact of influence by the business owners and senior managers in implementing and
operating BCP in sustainable management’s execution as exhibited by (a) continuous
96
evaluation of risks and threats to business operations, (b) guaranteeing safety of business
systems, (c) continuous testing of BCP, (d) consistent training of personnel on BCP and
disaster awareness, and (e) scrupulous selection of qualified BCP providers in case of
service outsourcing.
The interpretation of the conceptual framework was also embodied in the
effectiveness and efficiency of service delivery processes because of value-added benefits
of BCP. The results from research question two generated themes related to value-added
benefits to the business productivity, hence (a) perceived growth in business operations
processes, (b) perceived trust and confidence from customers and partners, and (c)
enabled adaptability to new technologies necessary to execute service delivery. Risk
management initiatives formed the theoretical implementation of BCP as exhibited by
themes out of research question four, namely (a) perception of risk management as
crucial component of BCP implementation, and (b) perception of risk management as
important but low in impact by the businesses that had partially implemented BCP (EK
and HD).
The triangulation was achieved by cross-checking the interview findings from the
business owners and senior managers of businesses that had fully implemented BCP
(66.67%) with responses from those that had partially implemented (33.37%). The results
of the data and related analysis strongly supported the data contained in the literature
review as well as illuminated areas that are potential for future research study such as risk
management and evolving technological tools necessary to protect personal private data
of customers, vendors, and business partners.
97
Research question 1. How is strategic Business Continuity Planning (BCP)
perceived by the senior management of small businesses in the state of Maryland?
The responses collected for research question one resulted in three themes: (a)
essential element of daily business operations, (b) protection of data privacy for
stakeholders and customers, and (c) assurance of data integrity to management. The first
theme can be observed in the data collected from senior manager in the banking sector
that utilized BCP as an essential tool for constantly evaluating back up plans for every
major system implementation and processes important for daily operations. The
respondent emphasized the significance of an efficient and effective backup and recovery
procedures in the industry to develop a comprehensive backup plan, perform an effective
backup management, perform periodic databases restoration testing, and maintain
scalable operating systems.
The second theme emerged from the significance of protecting personal private
data of customers and the business stakeholders as illustrated by data collected from
business owner engaged in school transportation system. The data showed a closely
shared interest between business owner, customers, and external service providers in
maintaining secured data. The third theme focused on providing sustainable assurance on
the integrity of business data. The data collected illustrated deliberate initiatives
undertaken by the respondents to carry out collaborative exercises and workshops with
customers and vendors necessary to create awareness of data integrity to employees and
stakeholders in areas of risk hazards, internal threats, cyber-attacks, or cascaded effects
caused by man-made and natural catastrophes.
98
Research question 2. How do senior managers of small businesses with BCP
perceive that Business Continuity Planning (BCP) provides value to the small
Responses to research question two crystalized into four themes: (a) increased
growth in business operations, (b) created trust and confidence from customers and
partners, (c) enabled adaptability to new technologies even for the two businesses that
had partially implemented BCP, and (d) safeguarding business data and information by
small businesses with partially implemented BCP.
The first and second themes emerged from business owners that had implemented
BCP. The theme on the perception of increased business growth was supported by
observations from the data collected that showed the ability of management to focus on
the core of business operations as a value-added enabler arising from operating
businesses devoid of imminent threats. The collected data supported the theme in
confidence spurred by management in a well-designed and reliable BCP required to
provide reasonable level of service during disruptive events. The result of the second
theme supported the reliability on the safety of communication systems required to alert
or inform customers of threats or any adverse events such as inclement weather. The
focus on this theme was more predominant from to the business owner engaged in
providing transportation to schoolchildren.
The third theme on enabled adaptability to new technologies emerged from data
collected from business owners who had partially implemented BCP. Despite partial
implementation of a functional BCP, the data collected exhibited the influence of BCP on
99
managers of small businesses in Maryland to value a business environment that is
adaptable to emerging technologies. The fourth theme of safeguarding business data and
information by small businesses with partially implemented BCP illustrated the
importance of BCP to small businesses without BCP in the state of Maryland. The
absence of an internally implemented BCP did not impede the management of small
businesses from acquiring BCP services from external technology providers. The
observation from the themes confirmed the perception that BCP provided procedures and
guidelines required to optimize easy access to data in usable formats, creative powers,
and transparency on data for effective business operations.
Research question 3. How do senior managers of small businesses perceive
managerial responsibility for establishing sustainable Business Continuity Plan for
small businesses in Maryland?
The themes that emerged from responses to research question three evolve
management’s responsibility on BCP, namely (a) continuous evaluation of risks and
threats to business operations, (b) guaranteeing of business systems safety, whether
internal or outsourced systems, and (c) continuous testing of BCP and training of
personnel. The first theme is observed from responses collected that indicate
management’s responsibility to evaluate or monitor BCP systems in order to provide
assurance to customers and business partners of a resilient system readily prepared to
prevent loss of business during disruptive events. The responses from the business sector,
photography organization, school transportation system, and the cleaning solutions
business exhibit initiatives to extend the responsibility of evaluating and monitoring
systems beyond internal systems to external systems to ensure systems security.
100
The second theme illustrated the responsibility of small business management in
the state of Maryland to guarantee safe and secured business systems. The resulting
theme is supported by data collected from five out of six participants or 83.33%, who
responded that it was the responsibility of business owners and managers to make
decisions that ensure implementation of modern and safe systems across all units of
business operations. The theme extends the emphasis of the responsibility beyond
internal systems to the selection of external systems provided through outsourced
services. The theme affirmed the management’s responsibility to make decisions that
guarantee systems safety when acquiring services from professional service providers
outsourced from outside the organization. The third theme supported the management’s
responsibility to continuously test BCP and train personnel on disaster awareness in order
to maintain a sustainable BCP. Management of small businesses in Maryland has the
responsibility of identifying deficiencies within BCP through continuous testing, which is
carried out by qualified personnel. Continuous training of personnel provides the
management with opportunity to ensure that the employees are informed on modern and
emerging BCP techniques.
Research question 4. How does small businesses’ management in Maryland
perceive risk management while prioritizing sustainable BCP?
The responses to question four crystalized into two themes, (a) perception of risk
management as crucial component of BCP, and (b) perception of risk management as
important but low in impact as result of BCP implementation. The first theme focused on
the responses from four out of six respondents or 66.67% of the participants on the role
of risk management in prioritizing BCP. The theme illustrated the management’s
101
perception of risk management as a function that compliments BCP, necessary to provide
confidence in management’s daily effort to meet or exceeding business goals. The
response from the banking sector participant predominantly illustrated risks inherent in
the bank’s ability to make business profits in money lending, investing, and operations.
The theme supported the perception of BCP as an enabler risk management plan that
allows business operations to continue under adverse conditions by the introduction of
appropriate strategies, recovery objectives, and identifying vulnerabilities in business
operations.
The second theme reinforced the perception of low-risks in business operations as
a result of implemented BCP. The theme exhibits the management’s confidence through
the perception that BCP had reduced management risks and threats in their business
operations, and therefore, perceived risk management as a low priority in their business
objectives. The theme supports management’s assertion to perceive risk management as a
function that augments rather than replaces BCP.
Research question 5. Why do senior managers of small businesses in
Responses to research question five generated two themes that associated the
drivers of critical success factors of daily business operations with the benefits of BCP
for small businesses in the state of Maryland, namely (a) effective business operations,
and (b) secured systems reliability. The first theme evolved from collected responses that
illustrated that a secured, enabled business environment contributes as a critical success
factor to effective and efficient business processes and practices of small businesses in
102
the state of Maryland. Four out of six responders with fully implemented BCP exhibited
confidence in effective management of operations and processes as a result of secured,
enabled business environment, leading to practical workflow planning, process
simulation, process execution, capacity management, and high-yielding production of
services.
The second theme, secured systems reliability, emerged from responses collected
from three out of six participants or 50% of participants that expressed confidence in the
effectiveness and reliability of their systems security attributed to BCP. The results
affirmed the perception of senior managers of small businesses in Maryland that
sustained BCP is critical to achieving data reliability and effective data retrieval
processes and practices. The theme exhibited observation of management that BCP
implementation created greater impetus in safeguarding data as part of business critical
success factors.
The theme that emerged from research question six affirmed the importance of
BCP in safeguarding data off-site using servers and frequent backups. The theme resulted
from data collected from two out of six or 33.33% of participants who had not fully
implemented BCP. Despite partial implementation of a functional BCP, the data collected
exhibited the influence of BCP’s benefits on business owners and senior managers of
small businesses in the state of Maryland without BCP to create a business environment
103
that guarantees the safety of personal data, business documents, business information and
reliable business operations.
The response from HD was in line with the question framework because they had
not fully implemented BCP. Despite the absence of a fully implemented BCP, senior
managers of small businesses in Maryland, such as HD, perceived that a fully
implemented BCP was critical in safeguarding business documents, customers’ data and
in ensuring continuity of business operations at times of disaster disruptions.
Summary
The purpose of this qualitative multiple case study was to explore strategic
business continuity planning methods for small businesses in the state of Maryland as
perceived by senior managers, the unit analysis of the study. The data collected from six
semi-structured interviews, composed of four business owners and two senior managers,
were analyzed via the de-identification of codes and themes. The responses to the study
resulted in themes, which evolved around six expanded categories of perceptions about
BCP by senior managers and business owners of small businesses in the state of
Maryland, namely BCP strategies, systems security, BCP as value-added enabler,
managerial responsibilities, risk management impact, and critical success factors. Three
themes emerged from research question one, four themes from research question two,
three themes generated by research question three, two themes from research question
four, two themes from research question five, and two themes emerging from research
question six. Fourteen themes emerged from responses collected from the management of
businesses that had implemented BCP, while two themes were generated by responses
from the management of businesses that had partially implemented BCP.
104
The analysis of the findings enabled a comparative performance of findings from
managers and business owners who had fully implemented BCP and those who had
partially implemented BCP. Research questions six was designed to establish if there
were dissenting perceptions on BCP from participants who had not fully implemented
BCP, of which the findings affirmed that despite the absence of a fully implemented
BCP, the importance of safeguarding customer data, business documents and
stakeholders’ information was crucial. The findings support the theoretical and
conceptual framework as well as the literature review surrounding the significance of
BCP in preventing and resolving the impact of disruptions caused by disasters on the
continuity of business operations.
105
Chapter 5: Implications, Recommendations, and Conclusions
Background
Human-made and natural disasters have implications for the survival of small
business organizations, which are aggravated by the tendency of small business
management to resist spending resources on low-probability events, regardless of the
potential disaster impact (Duncan, Yeager, Rucks, & Ginter, 2010). Small businesses
encounter compounded risks from Human-made and natural disasters that are becoming
increasingly common in today’s world (Duncan, Yeager, Rucks, & Ginter, 2010).
The management, shareholders, and stakeholders of small businesses encounter
barriers and challenges when prioritizing, developing, and implementing a BCP because
of organizational competing factors that include budget allocation, strategic management,
business risk analysis, training, and awareness, BCP documentation, and information life
cycle management (Karim, 2011). Brody (2012) stated that 44% of small businesses
operate without continuity business plans while 56% of business owners spend less than
10% of business time in identifying and preventing operational risks. In order to
minimize costs on BCP, small business management must develop scenario planning that
provides testing platforms for management to improve dynamic capabilities embedded in
BCP, and facilitates opportunity to identify gaps while strategizing solutions in real-time
business operations (Worthington, Collins, & Hitt, 2009).
This study examined the perceptions of four business owners and two senior
managers of small businesses in the state of Maryland, selected from different industries
and were members of one or more business network groups. The case study research
106
approach on BCP utilized a semi-structured interview protocol to collect data from
participants recruited from small businesses’ associations, clubs, groups, or networks,
utilizing interview protocol (Appendix C). Each participant responded to 10 interview
questions (Appendix D). Thematic analysis technique was utilized to pinpoint, examine,
and record patterns across the sets of responses from research participants, resulting in
themes, which formed the basis for the narrative analysis of the responses to the research
questions.
The themes that predominantly emerged from businesses that had implemented
BCP addressed the perceptions on BCP strategies: (a) essential tool or element of daily
business operations, (b) data integrity assurance, and (c) routine review of BCP
performance. The themes related to secured systems were: (a) protection of personal
private data, and (b) acquisition of modern technologies. Themes that underscored BCP
techniques: (a) continuous testing of BCP, (b) consistent training of personnel, and (c)
deliberate collaboration with business partners and stakeholders. Themes that embodied
value-added benefits of BCP: (a) perceived growth in business operations processes, (b)
perceived trust and confidence from customers and partners, and (c) enabled adaptability
to new technologies. Finally, themes that exhibited perceptions on risk management
entailed perception of risk management planning as a crucial component of BCP.
Comparatively, themes generated by businesses that had partially implemented BCP
(33.33%) illustrated perceived importance of BCP even at minimal level of
implementation, namely (a) protection or safeguarding of personal private data, and (b)
low priority of risk management result of BCP. The detail responses and extensive spread
107
of the ten research questions as well as the lack of substantial new codes and themes
convinced the researcher that saturation was achieved (Yin, 2013).
This chapter will provide the limitations in the study prevalent in the context of
small businesses, implications of the study in relation to the research questions, and
recommendations made from the study. The results are compared to existing literature
and recommendations are made for the practice of BCP as well as for the future research
on this topic. Conclusions are presented based upon key points identified through the
analysis and discussion of the study.
Limitations
The limitations of the study included the focus of the investigation on small
businesses which maintained proper context of the study. A broader population entailing
larger businesses could have resulted in greater depth of the study and expanded analysis
across more industries. The limited participation was resolved by achieving saturation
evidenced by the lack of new de-identification of codes and crystallization of themes. In
order to mitigate researcher bias, while maintaining credibility, the researcher utilized
data triangulation process, precise documentation of interview responses to ten research
questions, and maintaining the chain of evidence that provided validity in reconstructing
the study (Yin, 2013). Validity adequately measured the trustworthiness of the interview
responses from participants by cross-checking the findings against the research questions.
The data analysis relied on item-response methodology to support or not support the
significance of BCP within small businesses category (Kelly & Yin, 2007).
The approval of the research study was obtained from Northcentral University’s
Institutional Review Board prior to any recruitment or data collection. The recruitment
108
data, signed consent forms, and data collection approach methodology were submitted to
the Institutional Review Board for review and approval. In addition, the informed consent
form required of each research participant prior to data collection (Appendix E),
identified the nature of study, the researcher, the anonymity assured to the participant, the
ability of the participant to withdraw from the study at will and at any time without
consequences, the number of research questions, the approach of interaction as well as a
clear disclosure to the participants that their participation was voluntary and no
compensation, monetary or otherwise, was forthcoming.
The implications section of this chapter focus on the relevance of the research
findings supported by existing literature and conceptual framework as applied to the
problem under study as well as address the purpose of the study. The implications section
addresses each research question and draws logical conclusions (Patton, 2002). The
responses of the 10 questions were examined and analyzed, resulting in themes that
emerged from each response. The recommendation section presents new views of the
data analysis and related perceptions that emerged from the evaluation of findings as well
as forms the basis for greater and future research on BCP. The conclusion section will
summarize the significant points inherent in the overall chapter.
Implications
The responses to the study resulted in 16 themes, which evolved around six
expanded categories of perceptions about BCP by senior managers and business owners
of small businesses in the state of Maryland: (a) strategies, (b) secured systems, (c) value-
added enabler, (d) managerial responsibilities, (e) risk management impact, and (f)
critical success factors. Three themes emerged from research question one, four themes
109
from research question two, three themes generated by research question three, two
themes from research question four, two themes from research question five, and two
themes emerging from research question six. Fourteen themes emerged from responses
collected from the management of businesses that had implemented BCP, while two
themes were generated by responses from the management of businesses that had
partially implemented BCP.
The analysis of the findings provided comparative relationship of themes from
managers and business owners who had fully implemented BCP and those who had
partially implemented BCP. Research question six was designed to establish if there were
any dissenting perceptions on BCP from participants who had not implemented or who
had partially implemented BCP. The analysis of the findings affirmed that despite partial
implementation of BCP, management of small businesses in the state of Maryland relied
on BCP for safeguarding customer data, business documents, and stakeholders’
information.
Research question 1. How is strategic Business Continuity Planning (BCP)
perceived by the senior management of small business in the state of Maryland?
Senior managers of small businesses in the state of Maryland recognize the
urgency in the importance and value of BCP because of the business value inherent in
disaster readiness. The senior managers, as stated by the banking sector manager in this
study, perceived BCP as an essential tool for constantly evaluating back up plans for
every major system implementation and processing important for daily operations. The
implementation of BCP should span throughout the departmental levels of the
organization to enable effective coordination of departments to work together in the
110
processes of mitigating risks. The involvement of departmental management groups
provides a mechanism to ensure implementation of a uniform set of processes and
standards for BCP best practices with all stakeholders throughout the organization
(Lindstrom et al., 2010). The senior managers in the study established efficient and
effective backup, as well as recovery procedures required in order to develop a
comprehensive backup plan, perform an effective backup management, perform periodic
databases restoration testing, and maintain scalable operating systems.
Senior managers of small businesses prioritized backup of data and business
systems as crucial for protecting personal private data of customers and the business
stakeholders. The importance was more prevalent from the managers who operated the
banking business, transportation systems, and photographic technologies. The perception
on the significance of BCP showed a closely shared interest between small business
owners, customers, and external service providers in maintaining secured data.
Developing a BCP disaster recovery plan entails establishing a remote, off-site center as a
best practice that will allow management to execute continuous operations during
disruptive events (Omar, Alijani, & Mason, 2011).
BCP provides sustainable assurance on the integrity of business data. The data
collected illustrated deliberate initiatives undertaken by the respondents to carry out
collaborative exercises and workshops with customers and vendors necessary to create
awareness of data integrity to employees and stakeholders in areas of risk hazards,
internal threats, cyber-attacks, or cascaded effects caused by human-made and natural
catastrophes. The collaborative initiatives indicated the influence and consistency of BCP
as a crucial component of overall corporate planning necessary for the preparation of the
111
extraordinary threats, whether they are predicted or not, in order to protect employees,
products and profitability and to guarantee continuity of business processes (Karim,
2011).
Research question 2. How do senior managers of small businesses with BCP
perceive that Business Continuity Planning (BCP) provides value to the small
Implementation of BCP enabled a safe business environment that increased
growth in business operations, created trust and confidence from customers and partners,
and enabled adaptability to new technologies. The effectiveness of BCP deployment is
targeted on operational-level practices that include functionality of business units,
response time to a disruptive event, management’s communication to disaster
respondents, and rate of full resumption of business operations (Hong et al., 2012). A
successfully implemented BCP enables senior managers of small businesses in Maryland
to realize increased business growth because of management’s ability to focus on the core
of business operations devoid of imminent threats or risks. The confidence and trust
exuded in BCP by the management of small businesses in Maryland provided an
assurance that business operations could be relied on in case of service interruptions
during disruptive events. The management of a small business should implement a BCP
ensures the existence of a well-structured business process contingency system
throughout the organization; provides greater confidence in identifying and managing
fatal risks inherent in essential business processes (Low et al., 2010).
112
Small businesses’ management, as indicated by senior manager of school
transportation system, rely on the safety of communication systems required to alert or
inform customers of threats or any adverse events such as inclement weather. The
significance of reliability on effective BCP systems is more crucial to small businesses
engaged in providing direct personal services such as the school transportation systems,
electrical services, or the banking sector. Optimized value of BCP is realized when
management is flexible to adapt new scalable technologies such as in communication
systems necessary to relay warnings of business disruption threats. The expansion of
communication media and Internet accessibility, combined with the globalization of the
world economy, bring the impact of what once might have been considered a local,
isolated event into the purview of businesses and living rooms everywhere (Hall et al.,
2012).
Research question 3. How do senior managers of small businesses perceive
managerial responsibility for establishing sustainable Business Continuity Plan for
small businesses in Maryland?
Senior managers of small businesses in the state of Maryland recognize the
ultimate responsibility to own and drive the processes of BCP. The predominant
responsibilities of the small businesses’ senior managers in the study included continuous
evaluation of risks and threats to business operations, and making decisions that
guarantee business systems safety and security, whether internal BCP or outsourced BCP
systems. Effective and efficient accountability of processes enable management to
understand the critical processes required for prompt supply of goods and services to
customers; focus on generating income for the business; and maintain sustainable
113
employment and corporate social responsibilities (Douglas, 2009). The accountability for
management to execute the best practices for effective BCP best practices requires that
management should consider strategies and options available throughout the organization
to mitigate identified risks to the business such as increasing the amount of insurance to
transfer the risk; improving the structure of the building to withstand severe weather; and
installing efficient backup systems at remote locations (Douglas, 2009).
The management of small businesses in Maryland has undertaken preventive
initiatives and measures against business disruptions by prioritizing the safety of internal
and external business systems, resulting in perceived guarantee of secured data and
information to customers, vendors, and business partners. Predominantly in the study, the
responses from the banking sector, photography organization, school transportation
system, and the cleaning solutions business exhibited initiatives intended to extend
management’s responsibility of evaluating and monitoring systems beyond internal
systems to external systems in order to ensure systems security. The development and
implementation of BCP for business best processes and practices involve the internal and
external customer’s view on how the organizational business operations have been
implemented and when such operations were implemented (Payam et al., 2009).
The responsibility of business owners and managers to make decisions that ensure
implementation of modern and safe systems across all units of business operations is
underscored as of significant importance by senior managers of small businesses, even by
the small businesses that have not fully implemented BCP. Without a fully implemented
BCP, management still has the major decision making responsibility of ensuring that
quality, secured, and cost-effective services were procured from qualified professional
114
service providers outsourced from outside the organization. Implementation management
requires the support of corporate decision-making processes for appropriate technologies,
cost-effective planning, implementation, and evaluation of business sustainability
Research question 4. How does small businesses’ management in Maryland
perceive risk management while prioritizing sustainable BCP?
The importance of risk management planning and monitoring is perceived by
senior managers of small businesses in the state of Maryland as a crucial element of
productive business operations across various business sectors. However, more emphasis
of the benefits of risk management planning in the study was exemplified by the
managers of the banking, photographic, electrical services, and cleaning solutions who
implied that BCP had reduced management risks and threats in their business operations.
The study affirmed that the implementation of BCP resulted in increased management’s
confidence in reliability of business operations while risks on threats are subsequently
reduced at the same time. Management of small businesses must align risk management
initiatives and systems with corporate strategic objectives, resulting in sustainable BCP,
proactive disaster preparedness, and mitigation of business uncertainties, risks and threats
Risk management planning was also pertinent in the management initiatives
implemented by the managers of the small businesses that had partially implemented
BCP, namely the school transportation business and the electrical design firm. With
partial implementation of BCP, the senior managers perceived low risks on their business
operations in case of disaster disruptions. Managers of small businesses without BCP
115
realize reduced risks as the outcome of BCP related services procured from outside
services such as data backup and disaster recovery services. Procured technological
services, that include enterprise resource management services (ERM) allow management
to achieve business goals and deliver sustaining benefits through the integration of
business practices, processes, and technology required for disaster preparedness and
mitigation of major risks to business operations, processes, people, and physical assets
(Byrnes et al., 2012). The responses collected support the perception that the
incorporation of risk management plan in the overall execution of BCP provide the
management of small businesses with perceived confidence in the continuity of business
operations under disruptive, adverse conditions at times of unexpected business
interruptions.
The full implementation of BCP by small businesses in the state of Maryland
enhance the critical success factors for business operations. In the study, the banking,
photographic, cleaning solutions, and the electrical services sectors exhibited a
collaborated perception of improved management decisions that affect business critical
success factors. Because of clear input of business decisions, small businesses realize
timely delivery of services, reliability of data security, and effective data retrieval
services for management, employees, customers, and business stakeholders. Confidence
in management operations and processes result in holistic workflow planning, process
116
simulation, process mining, capacity management, and high-yielding production of
services or goods (Grau & Moormann, 2014).
Effective, safe, and timely delivery of services is critical to the banking sector that
processed multiple transactions at any given time and was required to provide assurance
of trusted services to customers, other banks, and the Federal Reserve. The senior
manager interviewed from the banking sector recognized that without BCP, the bank
jeopardized Bank's reputation, reliability of service, and sustainability of customer
satisfaction. The establishment of a BCP framework that enables implementation of
critical success factors for continuity of services across risk sectors, business units, and
market territories is paramount (Krizner, 2011). The bank management observed that
BCP enabled the critical function of instant retrieval of secured data, providing assurance
of data integrity and reliability to customers and stakeholders. Effective performance of
BCP enable customers of small businesses in the state of Maryland to access multiple
secured banking networks globally, retrieve accurate transactions and information, seek
instant customer services, and reinforce a positive perception of all services provided by
the bank.
BCP affected the success factors related to cleaning solutions business as well as
the photographic technologies as an enabler of service efficiency and confidence in
customer services. BCP enables management of small businesses to embrace increased
focus on business delivery through reliable disaster planning and establishment of
operational data backup systems that support business main functions and management
strategies for critical business units. BCP implementation create a greater impetus in
safeguarding personal data, acquisition of new technologies, and prompt retrieval of
117
secured information as part of our business success. Lack of disaster preparedness affects
business-critical functions that result in lost revenue, reduced productivity levels,
disrupted customer base, damaged reputational image, ineffective business processes, and
inefficient delivery of goods and services to customers (Bozman & Eastwood, 2011).
The study revealed that senior managers of small businesses in the state of
Maryland who have not implemented a fully operational BCP recognize and embrace the
impact of business benefits resulting from the minimal implementation of BCP processes.
Senior managers who have not fully implemented BCP rely on external technical service
providers to ensure BCP planning, development, monitoring, and execution of short-term
and long-term initiatives are undertaken to prevent disaster interruptions and to safeguard
customer data as well as business documents and information. The response from the
electrical design firm, although without a fully implemented BCP, emphasized the
benefits of secured data and critical business documents realized from data backup
services provided by the procured professional services. Business best practices on BCP
management entail consistent collection and the storage of critical documents and
systems at backup servers in a secure off-site location (Omar, Alijani, & Mason, 2011).
The management leadership of the small businesses with partially implemented
BCP strongly embraced their involvement and accountability to facilitate proactive
measures, identify training, and organize functional areas that support business processes
and operations required to establish some level of disaster preparedness. The senior
118
managers who had partially implemented BCP recognized the functionality and
importance of BCP in their business operations, compelling them to prioritize the
sourcing of BCP protective services from external service providers. Subsequently, the
managers reduced risks of threats and disruptions on continuous business operations by
creating a business environment that guaranteed the safety of personal data, business
documents, and business information assets. The findings contradicted existing literature
that businesses without BCP have a higher risk occurrences of major as well as minor
incidences that would result in disruption to the business operations due to lack of clarity
in assessing critical business activities (Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012).
Recommendations
The review and explication of the study data and conclusions let to
recommendations for practice and recommendations for future research. These
recommendations can be used to establish and implement sustainable crisis management
measures for BCP necessary to resolve problems of disasters that disrupt continuity of
business services, while minimizing downtime, increasing response time, and deploying
rapid resources (Petersen, 2010). The recommendations emerge from perceptions
gathered from managers and owners of small businesses on strategic BCP methods for
small businesses. Management of small businesses must align risk management
initiatives and systems with corporate strategic objectives, resulting in sustainable BCP,
proactive disaster preparedness, and mitigation of business uncertainties, risks and threats
119
Recommendations for Practice
Recommendations for the practice of effective, sustainable business continuity
planning (BCP) fall within three areas: (a) mandatory requirement for small businesses to
implement and comply with the universal ubiquitous uniform standards of BCP by
International Organization for Standardization (ISO), (b) core accountability of corporate
management, and (c) Sustained funding for sophisticated technologies.
Recommendation for compliance to ubiquitous uniform standards. The study
espouses a systematic effort by the businesses to establish collaboration of BCP measures
and strategies among trading businesses, customers, vendors, partners, and other business
stakeholders in order to guarantee the effectiveness of implemented BCPs. An effective
collaboration and communication of information across different and separate secured
technological platforms globally require a universal standard of protocols achievable
through compliance to existing ubiquitous uniform standards of BCP as established by
International Organization for Standardization (ISO). Despite the global adoption of ISO
22301 standards, which provide a framework to plan, establish, implement, operate,
monito, review, maintain and continually improve business continuity management
system, businesses are concerned and cautious of unauthorized intrusiveness in systems
such as hacking and cyber-attacks as businesses perform transactions and share
information across multiple systems because smallest businesses find it harder to adopt
the standardized protocols (Gulachek, 2005).
With the exception of the banking sector, which had regulated procedures and
processes, the collaboration of businesses on BCP observed in this study relied mostly on
the trust inculcated over time in the business systems operated by respective trading
120
business partners, rather than compliance to standardized protocols. A seamless and
universal reliability and trust in the effectiveness of BCP managed by other organizations
can only be realized when businesses are mandated to comply to ubiquitous standards on
BCP, nationally as well as globally, which in turn could facilitate effective deployment of
universal remedial measures on mitigation of risks, threats, and adverse disaster
interruptions across multiple systems. This study recommends that small businesses be
mandated to comply with ISO standards on BCP in order to establish impeccable trust
among businesses when sharing information on business disruptive incidents, ranging
from large-scale natural disasters and acts of terror to technology-related accidents and
environmental incidents.
Recommendation for a core management accountability to BCP. Business
continuity planning should be incorporated in organizational corporate core realms of
accountability in order for management to prioritize the significance of BCP in overall
business operations. Small and mid-size companies do not prioritize implementation of
BCP, which increases the level of risk during disruptive events that have higher
probability of damage to business operations (Duncan et al., 2010). In the study, the
effectiveness and efficiency of BCP among the organizations that had fully implemented
BCP entailed consistent, systematic, and continuous training on BCP programs across
organizations and industries in order to provide employees with opportunities to acquire
new knowledge, skills, rules, best practices concepts, or attitudes that result in improved
overall performance of BCP as well as business operations. The accountability for
management to execute the best practices for effective BCP best practices requires that
management should consider strategies and options available throughout the organization
121
to mitigate identified risks to the business such as increasing the amount of insurance to
transfer the risk; improving the structure of the building to withstand severe weather; and
installing efficient backup systems at remote locations (Douglas, 2009).
Recommendation for sustained funding on modern sophisticated
technologies. The study established consistent correlation between operating effective
BCP and embracing sophisticated, modern technologies that enable the implementation
and execution of BCP.
In most instances, small business managers fail to develop and implement BCP
due to low priority or lack of budget for up-front costs for BCP, the possibility of little to
no-return on BCP investment, and prioritization of imminent short-term issues within the
organization (Duncan, Yeager, Rucks, & Ginter, 2010). The managers from the banking
sector, photographic firm, transportation systems, the cleaning solutions, and the electric
services firm emphasized the importance of the imperative need to acquire modern
technologies necessary to allow effective data storage equipment, off-site servers, and
data recovery tools for effective BCP. Corporate management should prioritize budgetary
allocations and investment on sophisticated, modern technologies. The management,
shareholders, and stakeholders of small businesses encounter barriers and challenges
when prioritizing, developing, and implementing a BCP because of organizational
competing factors that include budget allocation, strategic management, business risk
analysis, training, and awareness, BCP documentation, and information life cycle
management (Karim, 2011).
122
Recommendations for Future Research
Future research could include: (a) improving recovery and restoration techniques
and technologies of BCP, (b) incorporating BCP as primary component of Federal
Emergency Management Agency (FEMA) initiatives, and (c) setting up of BCP
consultative body for small businesses at state level.
Recommendation for future research on improvement of recovery and
restoration of services. Future research is needed to improve the recovery and
restoration techniques and technologies of BCP with the objective of seamless restoration
of business operations that are continuously challenged by eminent risks, threats, and
system vulnerabilities posed by ever evolving systems hacking, cyber-attack, identity
theft, terror activities, natural disasters, and new unknown system attacks. Businesses are
increasingly subject to disruptions that are unpredictable in their nature, time, and extent.
Organizational resilience requires businesses to innovate technologies and develop
effective plans for both short-term such as business continuity plans, and long term
restoration plans that include disaster recovery plans and proactive continuity plans
against loss of corporate reputation, market share, customer service, business failures,
regulatory liability, and increased resuming and restoring times (Yan, Yuan, & Huang,
2015). The future study would employ both instant-combating techniques during the
disruptive moments as well as restoration technologies that instantly enable continuity of
business operations following a disruption. Effective recovery and restoration techniques
affect both the frequency and nature of the backup as well as the recovery schemes and
the linkage with database transaction logging, hence such synchronization of system
123
processes and procedures require consideration when designing the recovery and
restoration methodologies (Yan, Yuan, & Huang, 2015).
Recommendation for incorporation of BCP as a primary component of
Federal Emergency Management Agency (FEMA) initiatives. FEMA supports small
businesses by providing awareness initiatives focused on risks and disaster preparedness
as well as provide resources for restoration of damaged physical structures and
infrastructure during disasters by enabling loans and funding facilities through Small
Business Administration (FEMI, 2017). However, there is need for future research in
order to persuade FEMA to consider the mitigation of costs incurred by small businesses
when executing BCP during disaster events as a primary component of its initiatives,
such as acquisition of new servers, computer equipment, and data storage technologies.
Small businesses encounter barriers that delay the development and implementation of
BCP, including the corporate complacency that assumes low probability of disastrous
event, lack of budget for up-front costs for planning, possibility of little or no return on
BCP investment, and prioritization of imminent short-term issues within the organization
(Douglas, 2009).
Recommendation for professional BCP consultative body for small
businesses at state level. The participants of the study were members of various business
network groups yet they did not share a common professional consultative body that
would embody a think-tank group with shared mission on BCP, including evaluation of
emerging technologies, collaboration of practices and processes, and development of
framework of how small businesses can collaborate to achieve higher leverage of BCP.
Establishing a crisis communication network requires the collaboration of internal and
124
external information sources and actors at all levels of the organization, outside agencies,
and the media (Veil & Husted, 2012). Collaboration among small businesses create a
technology-driven environment that contribute to effective inter-organizational
collaboration, including information sharing, type and frequency of information
exchange, and establishment of communication channels (Hall et al., 2012).
Conclusion
The multiple case study was designed to explore the perception of business
owners or senior managers of small businesses in the state of Maryland on BCP. The
research interview contacted resulted in commonly held perceptions regarding the
importance of BCP by management of small businesses, irrespective of whether BCP was
fully or partially implemented. The implications of the findings generated themes that
evolved around the BCP success factors, mainly strategies, secured systems, techniques,
value-added enablers, and risk management impact. The business with fully implemented
BCP employed in-house strategies while businesses with partially implemented BCP
employed out-sourced strategies; however, both methodologies resulted in a common
objective of enabling an effective business continuity during unexpected disruptions.
Recommendations were advanced for recommendations for practice and for
future research. The recommendations for practice focused on adoption of mandatory
requirement for small businesses to implement and to comply with the universal
ubiquitous standards of BCP enacted by International Organization for Standardization
(ISO), requirement for corporate management to embrace BCP as a function of core
accountability, and allocation of sufficient budget for sustainable acquisition of
sophisticated BCP technologies. Recommendation for future research include
125
improvement of recovery and restoration techniques and technologies of BCP,
incorporation of BCP as a primary component of Federal Emergency Management
Agency (FEMA) initiatives, and establishment of a professional BCP consultative body
for small businesses at state level.
In addition, a further research on the correlation between pre-disaster business
continuity plans and post-disaster restoration plans may provide for sustainable reliance
on the strategic methods utilized by management to retain continuity in business
operations during unpredictable business disruptions.
126
References
Aggelinos, G. & Katsikas, S. (2011). Enhancing SSADM with disaster recovery plan
activities. Information Management & Computer Security, 19(4), 248-261.
doi:10.1108/09685221111173067
Akhta, A. N., Buchholtz, J., Ryan, M., & Setty, K. (2012). Database backup and recovery
best practices. ISACA. Retrieved from
https://www.isaca.org/Journal/archives/2012/Volume-1/Pages/Database-Backup-
and-Recovery-Best-Practices.aspx
American History. (2012). State of Maryland. Retrieved from

http://americanhistory.about.com/library/charts/blcolonial13.htm
Anney, V.N (2014). Ensuring the quality of the findings of qualitative research: Looking
at trustworthiness criteria. Journal of Emerging Trends in Educational Research
and Policy Studies, 5(2), 272-281. Retrieved from
https://pdfs.semanticscholar.org/1419/f7b54e6b7f1215717a5056e0709f8946745b.
pdf
Axinn, W. G., Link, C., & Groves, R. (2011). Responsive survey design, demographic
data collection, and models of demographic behavior. Population Association of
America, 48, 1127-1149. Retrieved from
http://www.psc.isr.umich.edu/pubs/pdf/ng09-005.pdf
Begum, R.A. (2010, December 28-30). Linking green technology and disaster risk
reduction. Paper presented at International Conference on Biology, Environment
and Chemical: ICBEC 2010, Hong Kong. National University of Malaysia.
Bobcock, C. (2011). Global data center chains promise easier backup. Information Week,
1313, 10/2011, 18-20. Retrieved from
http://trove.nla.gov.au/work/157886938?versionId=172112668
Bombard, Y., Cox, S., & Semaka, A. (2010). When they hear what we say: Ethical
challenges in presenting research findings to the Huntington Disease Community.
Journal of Empirical Research on Human Research Ethics, 6(3), 47-54. Retrieved
from
http://www.jstor.org/discover/10.1525/jer.2011.6.3.47?uid=3739704&uid=2129&
uid=2&uid=70&uid=4&uid=3739256&sid=21102042637383
Bozman, J. & Eastwood, M. (2011). Evaluation of mission-critical computing systems:

Key criteria for high-end systems customers [White paper]. Retrieved from
http://h30507.www3.hp.com/hpblogs/attachments/hpblogs/199/466/1/IDC%20wh
itepaper.pdf
127
Brody, B. & Schmittlein, M. (2012). Business continuity 101. Risk Management, 59(1),
1-2. Retrieved from http://www.questia.com/library/1G1-279613627/business-
continuity-101
Byrnes, S. E., Williams, C., Kamat, S., & Gopalakrishnan, S. (2012). Making the case for
an enterprise risk management program. The Journal of Equipment Lease
Financing (Online), 30(2), B1-B10. Washington, DC: Equipment Leasing of
America.
Cansiz, S. & Pakdil, F. (2012). A proposed business process management model for
SMEs. The Business Review, Cambridge, 19(2), 57-63.
Castleberry, A. (2012). NVivo 10 QSR International. American Journal of

Pharmaceutical Education, 78(1), 25. Retrieved from
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3930250/
Chow, W.S. & Ha, W. O. (2009). Determinants of the critical factor of disaster recovery
planning for information systems. Information Management & Computer
Security, 17(3), 248-275. doi:10-1108/09685220910978103
Clas, E. (2008). Business continuity plans. Professional Safety, 53(9), 45-48. Retrieved
from http://www.asse.org/professionalsafety/indexes/2008.php
Clive, M. W. (2010). The role of public sector asset managers in responding to climate
change: Disaster and business continuity planning. Property Management, 28(4),
245-256. doi: 10.1108/02637471011065674
DeVault, G. (2016). Establishing trustworthiness in qualitative research. Retrieved from

https://www.thebalance.com/establishing-trustworthiness-in-qualitative-research-
2297042
Douglas, P. (2009). Business continuity during and after disaster: Building resilience
through continuity planning and management. ASBM Journal of Management,
2(2), 1-16.
Drost, E. A. (2011). Validity and reliability in social science research. Education

Research and Perspectives, 38(1), 105-124. Retrieved from
http://www.erpjournal.net/wp-content/uploads/2012/07/ERPV38-1.-Drost-E.-
2011.-Validity-and-Reliability-in-Social-Science-Research.pdf
Duncan, W., Yeager, V., Rucks, A., & Ginter, P. (2010). Surviving organizational
disasters. Business Horizons, 54 (2), 135-142. doi: 10.1016/j.bushor.2010.10.005
Dushie, D. Y. (2014). Business continuity planning: An empirical study of factors that

hinder effective disaster preparedness of businesses. Journal of Economics and
Sustainable Development, 5(27). Retrieved from
128
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.663.9880&rep=rep1&t
ype=pdf
Education Encyclopedia. (2011). Protection of human subjects: Vulnerable population,

Institutional Review Boards, Informed Consent. Retrieved from
http://education.stateuniversity.com/pages/2073/Human-Subjects-Protection.html
Eriksson, K. & McConnell, A. (2011). Contingency planning for crisis management:

Recipe for success or political fantasy? Policy and Society, 30(2), 89-99. doi:
10.1016/j.polsoc.2011.03.004
FEMA. (2017). FEMA small businesses. Retrieved from https://www.fema.gov/small-

businesses
FEMA. (2012). FEMA Mission. Retrieved from http://www.fema.gov/about/index.shtm
FEMA. (2012). $15.4 million in Federal funds to Maryland for December and February
storms. Retrieved from http://www.fema.gov/news-release/154-million-federal-
funds-maryland-december-and-february-storms
Fontaine, M. (2012). Corporate social responsibility and sustainability: The new bottom
line? International Journal of Business and Social Science, 4(4). Retrieved from
http://www.ijbssnet.com/journals/Vol_4_No_4_April_2013/13.pdf
Fraser, J. & Simkins, B. (2010). Enterprise Risk Management: Today’s Leading Research
and Best Practices for Tomorrow’s Executives. Retrieved from
http://books.google.com/books?id=OFEKL5Q2VOwC&lpg=PP1&dq=Enterprise
%20Risk%20Management&pg=PP1#v=onepage&q&f=false
Gibb, F. & Buchanan, S. (2006). A framework for business continuity management.

International Journal of Information Management, 26 (2), 128-141. doi:
10.1016/j.ijinfomgt.2005.11.008
Golafshani, N. (2003). Understanding reliability and validity in qualitative research. The

Qualitative Report, 8(4), 597-607. Retrieved from
http://www.nova.edu/ssss/QR/QR8-4/golafshani.pdf
Grau, C. & Moormann, J. (2014). Investigating the relationship between process

management and organizational culture: Literature review and research agenda.
Management and Organizational Studies, 1(2), 2014. Doi:10.5430/mos.v ln2pl
Guion, L.A., Diehl, D. C., & McDonald, D. (2012). Conducting an in-depth interview
(FCS6012). Gainsville, FL: Department of Family, Youth, and Community
Sciences. Retrieved from https://edis.ifas.ufl.edu/pdffiles/FY/FY39300.pdf
129
Gulachek, B. (2005). Business continuity planning: Process, impact, and implications,
2005(13). Retrieved from
https://library.educause.edu/~/media/files/library/2005/6/erb0513-pdf.pdf
Hall, D. J., Skipper, J. B., Hazen, B. T., & Hanna, J. B. (2012). Inter-organizational IT
use, cooperative attitude, and inter-organizational collaboration as antecedents to
contingency planning effectiveness. International Journal of Logistics
Management, 23(1), 50-76. doi: 10.1108/09574091211226920
Harrell, M. C. & Bradley, M. A. (2009). Data collection methods: Semi-structured

interviews and focus groups (W74V8H-06-C-0002). Washington, D.C.: RAND
National Defense Research Institute. Retrieved from
http://www.rand.org/content/dam/rand/pubs/technical_reports/2009/RAND_TR71
8.pdf
Heng, T.B., Hooi, S. C., Liang, Y.Y., Azizie, O., & Tze, S. O. (2012). Telecommuting for
business continuity in a non-profit environment. Asian Social Science., 8(12),
226-237. doi:10.5539/ass. v8n12p226
Hilton, L. & Voss, B. (2011). Irene/Katrina business continuity and disaster recovery. In
D. Oblinger (Editor), Educause. Presentation conducted at University of
Maryland. Abstract retrieved from
http://www.educause.edu/library/resources/irenekatrina-business-continuity-and-
disaster-recovery
Ho, Y. W. & Merrilees, B. (2008). The performance benefits of being brand-orientated.

The Journal of Product and Brand Management, 17(6), 372-383.
doi:10.1108/10610420810904112
Hong, P., Hong, S., James, J. R., & Park, K. (2012). Evolving benchmarking practices: A
review for research perspectives. Benchmarking, 19(4), 444-462. doi:
10.1108/14635771211257945
Hubbard, W. (2009). The mind of “Aces”: Possible causes and consequences of

overconfidence. In the Failure of Risk Management: Why it’s Broken and How to
Fix It. Retrieved from http://books.google.com/books?id=e0IoQJcn1-
YC&lpg=PP1&dq=Risk%20Management%20Theory%20applied%20to%20IT&
pg=PA99#v=onepage&q=Risk%20Management%20Theory%20applied%20to%2
0IT&f=false
Ibrahim, N., Angelidis, J., P., & Parsa, F. (2008). Strategic management of family
businesses: Current findings and directions for future research. International
Journal of Management, 25(1), 95-110, 198.
Jacques, T. (2007). Issue management and crisis management: An integrated Non-linear,
130
relational construct. Public Relations Review, 33(2), 2007, 147-157. Retrieved from
http://www.issueoutcomes.com.au/Websites/issueoutcomes/Images/Relational%2
0model %20PRR.pdf
Jones, V. A. (2011). How to avoid disaster: RIM’S crucial role in business continuity
planning. Information Management Journal, 45(6), 36-47. Retrieved from
http://content.arma.org/imm/November-
December2011/rimfundamentalshowtoavoiddisaster.aspx
Karim, A. J. (2011). Business disaster preparedness: An empirical study for measuring

the factors of business continuity to face business disaster. International Journal
of Business and Social Sciences, 2(18). Retrieved from
http://www.ijbssnet.com/journals/Vol_2_No_18_October_2011/23.pdf
Keller, J. (2008). Examination of gender, pay, age, tenure, and flexible hours on
absenteeism. Retrieved from http://library.ncu.edu/ncu_diss/display_
abstract.aspx?dissertation_id=960
Kelly, A. E. & Yin, R. K. (2007). Strengthening structured abstracts for education

research: The need for claim-based structured abstracts. Educational Researcher,
36(3), 133-138. doi:10.3102/0013189x07300356
Kimweli, J. M. (2013). The role of monitoring and evaluation practices to the success of
donor funded food security intervention projects. International Journal of
Academic Research in Business and Social Sciences. 3(6). Retrieved from
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.685.2623&rep=rep1&t
ype=pdf
Kolowitz, B., Lauro, G. R., Barkey, C., Back, H., Light, K., & Deible, C. (2012).
Workflow continuity – moving beyond business continuity in multisite 24-7
healthcare organization. Journal of Digital Imaging, 25(6), 744-750. Retrieved
from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3491149/
Kronis, E. & Ponis, S. T. (2012). Introducing corporate reputation continuity to support

organizational resilience against crises. Journal of Applied Business Research,
28(2). 283-290. Retrieved from
http://cluteonline.com/journals/index.php/JABR/article/viewFile/6850/6925
Krizner, K. (2011). Increases reliance on tech tools makes disaster planning a must.
Managed Healthcare Executive, 21 (2), 28-29. Retrieved from
http://managedhealthcareexecutive.modernmedicine.com/managed-healthcare-
executive/news/increased-reliance-tech-tools-makes-disaster-planning-must
Kvale, S. & Brinkmann, S. (2009). Conceptualizing the research interview. In Interviews:

Learning the Craft of Qualitative Research Interview. Retrieved from
131
http://books.google.com/books?id=Dz1mS4oe8qIC&lpg=PA89&dq=Kvale%20D
oing%20Interviews&pg=PR4#v=onepage&q&f=false
Lambert, J., Parlak, A., Zhou, Q., Miller, J., Fontaine, M., Guterbok, T., Clements, J., &
Thekdi, S. (2012). Understanding and managing disaster evacuation on a
transportation network. Elsevier. Retrieved from
http://www.ncbi.nlm.nih.gov/pubmed/22789430
Leung, L. (2015). Validity, reliability, and generalization in qualitative research. Journal

of Family Medicine and Primary Care, 4(3), 324-327.
doi: 10.4103/2249-4863.161306
Lindstrom, J. (2012). A model to explain a business contingency process. Disaster

Prevention and Management, 21(2), 269-281. doi:10.1108/09653561211220052
Lindstrom, J., Samuelsson, S., & Hagerfors, A. (2010). Business continuity planning
methodology. Disaster Prevention and Management, 19(2), 243-355.
doi:10.1108/09653561011038039
Lloyd, S. (2011). Triangulation to inform corporate theory and practice. Corporate

Reputation Review, 14(3), 221-233. doi:10.1057/crr.2011.16
Low, S. P., Liu, J. Y., & Kumaraswamy, M. (2010). Institutional compliance framework
and business continuity management in mainland China, Hong Kong SAR and
Singapore. Disaster Prevention and Management, 19(5), 596-614.
doi:10.1108/09653561011091922
Luo, H. (2011). Qualitative research on educational technology: Philosophies, methods

and challenges. International Journal of Education, 3(2), 1-16.
doi:10.5296/ije.v3i2.857
MacDonald, D. B. (2011). When risk management collides with enterprise sustainability.

Journal of Leadership, Accountability and Ethics, 8(3), 56-66. Retrieved from
http://www.na-businesspress.com/JLAE/macdonald_abstract.html
Mao, M. & Humphrey, M. (2016). Resource provisioning in the cloud: An exploration of

challenges and research. Retrieved from http://www.igi-
global.com/chapter/resource-provisioning-in-the-cloud/140893
Maryland Department of Business & Economic Development (2014). Business in

Maryland. Retrieved from
http://www.choosemaryland.org/factsstats/Pages/FAQs.aspx
Maryland Emergency Management Agency (2009). Maryland continuity of operations

manual. Retrieved from
132
http://mema.maryland.gov/memacommunity/Documents/COOP_manual-
Version_2_3.pdf
Mische, S. & Wilkerson, A. (2016). Disaster and contingency planning for scientific
shared resource cores. Journal of Biomolecular Techniques, 27(1), 4-17.
Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4736755/
Momani, N. M. (2010). Business continuity planning: Are we prepared for future

disasters. American Journal of Economic and Business Administration, 2(3), 272-
279. doi:10.3844/ajebasp.2010.272.279
Moon, K., Brewer, T.D., Januchowski-Hartley, S. R., Adams, V. M., & Blackman, D.A.
(2016). A guideline to improve qualitative social science publishing in ecology
conservation journals. Ecology and Society, 21(3), 17. Retrieved from
https://www.ecologyandsociety.org/vol21/iss3/art17/
Morrison, J. L. & Oladujoye, G. T. (2013). CEO effectiveness for leading pre-event

natural disaster preparedness planning to meet the needs of employees and their
families. Journal of Business and Economics Research, 11(5), 203-212. Retrieved
from http://journals.cluteonline.com/index.php/JBER/article/view/7835
Muslu, K., Brun, Y., & Meliou, A. (2013). Data debugging with continuous testing.
Retrieved from
http://people.cs.umass.edu/~ameli/projects/dataTesting/papers/Muslu13ni-fse.pdf
Nollau, B. (2009). Disaster recovery and business continuity. Journal of GXP

Compliance, 13(3), Summer 2009, 51-58. Retrieved from
http://www.ivtnetwork.com/sites/default/files/DisasterRecovery_01.pdf
Northcentral University Documents Database (2014). Consent Form. Retrieved from

http://learners.ncu.edu/downloadable_documents_action.asp?doc_id=67.
Nowduri, S. (2013). Management information systems and business decision making:

Review, analysis, and recommendations. Journal of Management and Marketing
Research. Retrieved from http://www.aabri.com/manuscripts/10736.pdf
Omar, A., Alijani, D., & Mason, R. (2011). Information technology disaster recovery
plan [Case study]. Academy of Strategic Management Journal, 10(2), 127-141.
Retrieved from
http://www.alliedacademies.org/Publications/Papers/ASMJ_Vol_10_No_2_2011
%20p%20127-141.pdf
Omwuegbuzie, A.J., Leech, N., & Collins, K. (2010). Innovative data collection
strategies in qualitative research. The Qualitative Report, 15(3), 696-726.
Retrieved from http://www.nova.edu/ssss/QR/QR15-3/onwuegbuzie.pdf
133
Onwuegbuzie, A.J. & Leech, N. L. (2009). Generalization practices in qualitative
research: a mixed methods case. Quality and Quantity, 44(5), 881-892.
doi:10.1007/s11135-009-9241-z
Ostlund, U., Kid, L., Wengstromm, Y., & Rowa-Dewar, N. (2011). Combining
qualitative and quantitative research within mixed method research designs: A
methodological review. International Journal of Nursing Studies 48(3), 369-383.
doi: 10.1016/j.ijnurstu.2010.10.005
Paton, D. (2009). Business continuity during and after disaster: Building resilience
through continuity planning and management. ASBM Journal of Management,
2(2), 1-16. Retrieved from http://vlex.in/vid/business-during-building-
management-227842595
Patton, M. Q. (2002). Qualitative research & evaluation methods (3rd ed.). Thousand
Oaks, CA: Sage Publications.
Payam, H., Morteza, M., & Javad, B. (2009). Selecting the best strategic practices for
business process redesign. Business Process Management Journal, 15(4), 609-
627. doi:10.1108/14637150910975561
Peterson, P. B. (2010). Crisis during recovery: Lessons from 1904 Baltimore fire. Journal
of Management History, 16(30, 297-311. doi:10.1108/17511341011051216
Ponterotto, J. (2006). Brief note on the origins, evolution, and meaning of the qualitative
research concept “Thick Description”. Qualitative Report, 11(3), 538 – 549.
Retrieved http://www.nova.edu/ssss/QR/QR11-3/ponterotto.pdf
Prescott, F. J. (2011). Validating a long qualitative interview schedule. WoPaLP, (5), 16

– 23. Retrieved from http://langped.elte.hu/WoPaLParticles/W5Prescott.pdf
QSRInternational (2013). NVivo software. Retrieved from

http://www.qsrinternational.com/products_nvivo.aspx
Qu, S. & Dumay, J. (2011). The qualitative research interview. Qualitative Research in
Accounting and Management, 8(3), 238-264. doi:10.1108/11766091111162070
Resnik, D. (2010). What is ethics in research & why is it important? Retrieved from
http://www.niehs.nih.gov/research/resources/bioethics/whatis.cfm
Reyna, V. & Rivers, S. (2008). Current theories of risk and rational decision making.
Department of Human Development and Psychology, Cornell University.
doi: 10.1016/i.drd.2008.01.002
134
Sala, E. & Lynn, P. (2009). The potential of a multi-mode data collection design to
reduce non-response bias: The case of a survey of employers. Qual Quant,
2009(3), 123-136. doi:10.1007/s11135-007-9148-5
Santiago, N. (2010). What is a research question? San Jose Scholarly Research

Examiner, September 2010. Retrieved from http://www.examiner.com/scholarly-
research-in-san-
jose/what-is-a-research-question
Shaban, R. (2009). Robert K. Yin case study research: Design and methods. Australasian
Emergency Nursing Journal, 12(2), 59-60.
Slater, D. (2011). Business continuity and disaster recovery planning: The basics.
Retrieved from
http://www.csoonline.com/article/204450/business-continuity-and-disaster-
recovery-planning-the-basics?page=2
Small Business Administration (2012). SBA economic injury disaster loans available in
Maryland following Secretary of Agricultural Disaster Declaration. Retrieved
from http://www.sba.gov/about-offices-content/4/2818/news/297651
Snyder, K., Donoho, P., Menzies, J., & Davidson, O. (2012). Maryland business get their
stake in emergency response. Business Civic Leadership Center, 2012. Retrieved
from
http://bclc.uschamber.com/sites/default/files/documents/files/Role%20of%20Busi
ness%20in%20Disaster%20Response.pdf
Somers, S. (2009). Measuring resilience potential: An adaptive strategy for

organizational crisis planning. Journal of Contingencies and Crisis Management,
17(1), 12-23. Retrieved from http://onlinelibrary.wiley.com/doi/10.1111/j.1468-
5973.2009.00558.x/full
State of Maryland Small Business Reserve Program. (2012). Small business reserve
program. Retrieved from http://www.mdstad.com/content/view/64/77/
State of Maryland Department of Business and Economic Development. (2014). Business

legislative laws. Retrieved from
http://www.msa.md.gov/msa/mdmanual/12dbed/html/12agen.html
Stavros, C. & Kate, W. (2009). Using triangulation and multiple case studies to advance
relationship marketing theory. Qualitative Market Research, 12(3), 307-320.
doi:10.1108/13522750910963827
Sullivan, D. M. & Cameron, M. F. (2009). The alignment of measures and constructs in

organizational research: The case of testing measurement. Springer Science and
Business Modia. Doi: 0.1007/s10869-009-9147-8
135
Svensson, G. & Wagner, B. (2011). Transformative business sustainability. European
Business Review, 23(4), 334-352. doi:10.1108/09555341111145735
Talmy, S. (2010). Qualitative interviews in applied linguistics: From research instrument

to social practice. Annual Review of Applied Linguistics, 30, 128-148.
doi:10.1017/s0267190510000085
Tan, J. (2010). Grounded theory in practice: issues and discussion for new qualitative
researchers. Journal of Documentation, 66(1), 93-112.
doi:10.1108/00220411011016380
Taylor, H., Artman, E., & Woelfer, J. P. (2012). Information technology project risk
management: bridging the gap between research and practice. Journal of
Information Technology, 27(1), 17-34. doi:10.1057/jit.2011.29
Tene, O. & Polonetsky, J. (2013). Big data for all: Privacy and user control in the age of
analytics. Northwestern Journal of Technology and Intellectual Property, 11(5),
239. Retrieved from
http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1191
&context=njtip
Tsohou, A., Kokolakis, S., Lamrinoudakis, C., & Gritzalis, S. (2010). A security
standards’ framework to facilitate best practices’ awareness and conformity.
Information Management & Computer Security, 18(5), 350-365.
doi:10.1108/09685221011095263
Vallance, P., Freeman, A., & Stewart, M. (2016). Data sharing as part of the normal
scientific process: A view from the pharmaceutical industry. PLOS Medicine
Journal, 13(1), 137. Retrieved from
http://journals.plos.org/plosmedicine/article?id=10.1371/journal.pmed.1001936
Veil, S. R. & Husted, R. (2012). Best practices as an assessment for crisis

communication. Journal of Communication Management, 16(2), 131-145. Doi:
10.1108/13632541211217560
Venclova, K., Urbancova, H., & Vyadrova, H. (2013). Advantages and disadvantages of
business continuity management. International Journal of Social, Behavioral,
Educational, Economic, Business and Industrial Engineering, 7(4), 2013.
Retrieved from https://waset.org/Publication/advantages-and-disadvantages-of-
business-continuity-management/5374
Wahyuni, D. (2012). The research design maze: Understanding paradigms, cases,

methods and methodologies. Journal of Applied Management Accounting
Research, 10(1), 69-80.
136
Wan, S. (2009). Service impact analysis using business continuity planning processes.
Wide Information Systems, 26(1), 20-42. doi:10.1108/10650740910921546
Watkins, R. J. & Barnett, D. J. (2008). Corporate preparedness for pandemic influenza: a

survey of pharmaceutical and biotechnology companies in Montgomery County,
Maryland. Biosecur Bioterror, 6(3), 219-226. Retrieved from
http://www.ncbi.nlm.nih.gov/pubmed/18795831
Wedatta, G. & Ingirige, B. (2012). Resilience and adaptation of small and medium-sized
enterprises to flood risk. Disaster Prevention and Management, 21(4), 474-488.
doi: 10.1108/09653561211256170
Worthington, W., Collins, J., & Hitt, M. (2009). Beyond risk mitigation: Enhancing
corporate innovation with scenario planning. Business Horizons, 52(5), 441-450.
Retrieved from
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1343393
Yang, C., Yuan, B., & Huang, C. (2015). Key determinant derivations for information
technology disaster recovery site selection by the multi-criterion decision making
method. Open Access Sustainability, 7(2015). doi: 10.3390/su7056149.
Yin, J. & Zhang, Y. (2012). Institutional dynamics and corporate social responsibility
(CSR) in an emerging country context: Evidence from China. Springer Science
and Business Media B.V. (111), 301-316. doi:10.1007/s10551-012-1243-4
Yin, R. K. (2011). Qualitative Research from Start to Finish (3rd Ed). New York, NY:
The Guilford Press
Yin, R. K. (2013). Case Study Research: Designs and Methods (3rd Ed). Thousand Oaks,
CA: Sage.
Zikmund, W., Babin, B.J., Carr, J.C., & Griffin, M. (2010). Business research methods
(8th ed.). Mason, OH: Thomson/South-Western.
137
Appendixes
The following pages present the appendixes referenced in the study.
138
Appendix A: Interview Participant Letter
Letter to Management of a Small Business Membership Organization in Maryland
Mr. Benjamin Chepkoit

Doctoral Candidate, Northcentral University
1187 Schaffer Dr
Frederick, MD 21702
October 17, 2015
Attn: Business Association/Membership Group

Address:
Tel/Email Contacts:
Dear Sir or Madam:
I am a doctoral candidate at Northcentral University conducting research on

strategic Business Continuity Planning (BCP) Methods for Small Businesses in the State
of Maryland.
I would greatly appreciate your assistance in a research study being conducted for
a dissertation at Northcentral University. The purpose of the proposed qualitative
multiple case study is to explore the perception of senior managers of small businesses in
the state of Maryland on the business continuity planning (BCP).
Your assistance in this study will be appreciated, as it will offer valuable

information in understanding perceptions of senior managers on BCP in their
organizations. If it is agreeable to you, I would like to seek your assistance in contacting
the business members of your organization for an interview on occasion to obtain leading
views and perspectives on business continuity planning. Please email me a non-
confidential list and contacts of your members from diverse industries.
Information and data will be held in strict confidence and used only for the
purposes of this research. There are no direct benefits to you for assisting in this research
and no incentives are offered. The data collected in this study will be considered
confidential. All data will be coded such that names are not associated. In addition, the
coded data will be made available only to the researchers associated with this project.
I would be pleased to answer any questions that may arise about the study and would
appreciate correspondence (e-mail or letter) from your office acknowledging this letter.
My e-mail address is benchepkoit@gmail.com and telephone number is (240)344-4694.
Sincerely,
Benjamin Chepkoit
139
Appendix B: Interview Permission Letter
Permission Letter to Small Business Manager/President
Mr. Benjamin Chepkoit

Doctoral Candidate, Northcentral
University
1187 Schaffer Dr
Frederick, MD 21702
October 17, 2015

Potentially Participating Company
Attention: Manager/President
Address:
Tel/Email Contacts:
Dear Sir or Madam:
I am a doctoral candidate at Northcentral University conducting research on

strategic Business Continuity Planning (BCP) Methods for Small Businesses in the State
of Maryland.
I would greatly appreciate your assistance in a research study being conducted for
a dissertation at Northcentral University. The purpose of the proposed qualitative
multiple case study is to explore the perception of senior managers of small businesses in
the state of Maryland on the business continuity planning (BCP). If it is agreeable to you,
I would like to conduct an interview with you or your management on occasion to obtain
leading views and perspectives on business continuity planning.
Information and data will be held in strict confidence and used only for the
purposes of this research. There are no direct benefits to you for assisting in this research
and no incentives are offered. The data collected in this study will be considered
confidential. All data will be coded such that names are not associated. In addition, the
coded data will be made available only to the researchers associated with this project.
I would be pleased to answer any questions that may arise about the study and would
appreciate correspondence (e-mail or letter) from your office acknowledging this letter.
My e-mail address is benchepkoit@gmail.com and telephone number is (240)344-4694.
Sincerely,
Benjamin Chepkoit
140
Appendix C: Interview Protocol
Northcentral University, Arizona, United States
Interview Theme
The goal of the interview is to explore the perception of senior managers of small
businesses in the state of Maryland on the business continuity plan (BCP). The interview
is to solicit the perceptions of senior managers on the setting up proactive measures that
protect their business operations from unexpected disasters or other events that could
disrupt normal business operations.
The data collected during the interview will focus on themes that are aimed at enabling
the management of small businesses to understand the role that BCP plays in formulating
the processes and procedures necessary for keeping normal business operations running
even during unexpected event of disasters.
The senior managers interviewed will be informed of the purpose of the study is
to explore strategic business continuity planning methods for small businesses in the state
of Maryland as perceived by senior managers, the unit analysis of the study.
The interview questions will require responses from senior managers based on their
experiences, knowledge, and skills on the preparation, or lack of preparation, required for
preventing disasters that would disrupt normal business operations. The briefing of the
participants before the interview will entail explanation of the investigation on the
establishment of crisis management measures for business continuity strategy or lack of
such measures by small businesses in Maryland. The managers will be debriefed of the
outcome of the investigation, how the investigation analysis was concluded, how the
141
outcome could impact their organization, and explain possible further research that may
be required in the study. The senior managers are provided with an informed consent
letter that includes explanations of how the interview protocol will address research
ethics, interview confidentiality, anonymity, and the voluntary nature of the study. It will
also request permission for recording the interview.
142
Interview Protocol Guide
Checklist
A. Supplies and Equipment
x Paper and pens/pencils?
x Recording equipment functional?
x Water for participant and interviewer?
B. Did the participant sign, date and return the informed consent form?
C. Did the participant sign, date and return the demographic form confirming
requisite criteria?
D. Did the participant authorize the recording of the interview verbally, recorded
prior to interview?
The introduction and questions are stated in the Interview Briefing (Appendix D).
143
Appendix D: Interview Briefing and Questions
Northcentral University, Arizona, United States
Interviewed by: Ben Chepkoit, Doctoral Candidate, Northcentral University, AZ.
Interview Briefing
You are invited to participate in a research study being conducted for a dissertation at
Northcentral University in Prescott, Arizona. The purpose of this study is to explore
Maryland as perceived by senior managers, the unit analysis of the study.
This interview intends to establish perceptions by managers of small businesses on the
importance of business continuity planning (BCP) and the impact of threats that arise
from lack of preparedness necessary for preventing business losses due to disasters
outbreak. As a business manager, it is important to be aware of possible catastrophic
effects and disruptive incidents to the business operations that include accidents, criminal
activities, disruptions in electricity and water supplies or natural disasters such as
earthquakes, tornadoes, rain storms, snow storms, or tsunamis. Participants will be
informed of the importance of a sustainable BCP that ensures the existence of a well-
structured business process contingency system throughout the organization. A BCP
provides greater confidence in identifying and managing fatal risks inherent in essential
business processes and activates a pro-reactive plan to accelerate the recovery while
minimizing the negative impact after the occurrence of a disruptive event. Successful
operation of a BCP is not only solely dependent on the management’s ability to control
internal factors, but also preempt the occurrences of external risks.
144
Through the questions provided, this interview attempts to understand your
management’s perception of disaster planning required to plan relevant sets of BCP
implementations for any anticipated or unanticipated disaster in order to align readiness
with the determination, specification and realization of preventive and mitigation
measures appropriate to stop disasters from affecting normal business operations.
This interview is expected to take one hour.
The interview will start with your experience with your organization and tend to focus on
your perception of business continuity plan (BCP).
Experience at your Organization
1. To start the interview, I’d like to learn about your beginnings with the organization.
What attracted you to the organization?
What is your core responsibility or duty at the organization?
2. Looking at the nature of your business operations, what are some of the internal threats
or risks that would hinder a normal, continuous flow of your normal business operations?
3. What are some of external disasters that would affect the continuous flow of your
business operations?
Interview Questions
As stated above, a business continuity plan (BCP) would enable management to institute
a proactive plan against disasters or threats to a continuous running of your business
operations.
Please respond to the following questions regarding your perception of BCP:
145
management in your organization?
Q2. If you have BCP already implemented in your organization, how do you perceive
that Business Continuity Planning (BCP) provided value to the businesses operations?
Q3. What is your personal opinion on BCP?
Q4. How would you maximize the benefits of BCP throughout your organization?
Q5. Provide an example of how a BCP could be used more effectively in your
organization.
Q6. If you have not implemented BCP, what is your perception of BCP in so far as
adding value to your business operations?
Q7. How do you perceive of your managerial responsibility to establishing sustainable
Business Continuity Plan for your business operations?
Q8. How do you perceive risk management for your business operations while
prioritizing sustainable BCP?
Q9. If you have implemented a BCP, why do you perceive that critical success factors in
your business operations are important to achieving a sustainable BCP?
Q10. If you have not implemented BCP, why do you perceive that critical success factors
for your business operations can be achieved without a sustainable BCP? And which area
of your business would be critical to start BCP with?
Please state your personal opinion on BCP.
Interviewer Name: Benjamin Kibet Chepkoit
Date of Interview: ___________________________
146
Appendix E: Consent Form
Introduction:
My name is Benjamin Kibet Chepkoit, a doctoral student at Northcentral University

(NCU) in Arizona. I am conducting a research study to find out the views of
managers on business continuity planning or disaster preventive measures. All senior
managers in the study will be from small businesses in the state of Maryland. I am
completing this research as part of my doctoral degree. I invite you to participate.
Activities:
If you participate in this research, you will be asked to:
1. Give general information about yourself such as your title/position at your

company.
2. Answer 10 questions on why it is important to prevent disasters from
affecting the continuity of business operations for small businesses in the
state of Maryland. The interview will take about 1 hour.
Eligibility:
You can volunteer for this research if you are:
1. Above 18 years of age

2. Employee of a small business registered in the state of Maryland
3. A manager that makes decisions in his/her company and who has at least one
year experience in management
You cannot volunteer in in this research if you are:
1. Under 18 years of age

2. Employee of a company which is not a small business in the state of Maryland
3. Not a manager that makes decisions in your company, and if you have less
than one year experience in management.
I hope to include six participants in this research.
Risks:
There are minimal risks in this study. Some possible risks include not feeling
comfortable answering the interview questions. If you are not comfortable, you may
withdraw at any time. You can also skip any question that you don’t feel comfortable
answering.
147
Benefits:
If you decide to volunteer, there are no direct benefits to you. The potential benefits
to the small business community in Maryland include increased awareness and
understanding by managers of how business continuity planning could reduce or
eliminate risks that result from disaster related events to business operations.
Confidentiality:
The information you provide will be kept private and secret to the extent allowable by
law. All identifying information will be recorded using numbers or figures, and will
be kept separate from the signed consent forms.
The people who will have access to your information are: myself, my dissertation
chair, and the dissertation committee.
I will keep your information safe by locking the hard copies of the interview
responses in a filing cabinet and securing the computer electronic file with a
password.
I will keep your data for 7 years. After that, the electronic data will be deleted and the
paper data will be destroyed.
Contact Information:
If you have questions for me, you can contact me by email

atb.chepkoit4374@email.ncu.edu or by telephone at 301-575-9212
My dissertation chair’s name is Dr. Deborah Nelson. She works at Northcentral

University and is supervising me on the research. You can contact her by email at
dnelson@ncu.edu. or by telephone at 844-628-3312.
If you have questions about your rights in the research, or if a problem has occurred,
or if you are injured during your participation, please contact the Institutional Review
Board at: irb@ncu.edu or 1-888-327-2877 ext 8014.
Voluntary Participation:
Your participation is voluntary. If you decide not to participate, or if you stop

participation after you start, there will be no penalty to you.
Audiotaping:
I would like to use a voice recorder to record your answers. You can still participate if
you do not wish to be recorded.
148
Signature:
A signature indicates your understanding of this consent form. Your acceptance to

participate will be kept private and confidential by way of a pseudo name.
Researcher Signature Printed Name Date
Participant Signature Printed Name Date
149

Business Continuity Planning Methods

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Business Continuity Planning Methods

Uploaded by

Copyright:

Available Formats

Exploring Strategic Business Continuity Planning Methods for Small Businesses in the

Submitted to Northcentral University

Graduate Faculty of the School of Business and Technology Management

DOCTOR OF BUSINESS ADMINISTRATION

BENJAMIN KIBET CHEPKOIT

San Diego, California

Benjamin Kibet Chepkoit

Chair: Dr. Deborah Nelson, Ph.D. Date: September 20, 2017

Business continuity planning (BCP) is the preparation and implementation of strategic

processes and procedures in an event of natural or human error disasters. Disruptive

snowstorms, hurricanes, fires, pandemic diseases, technology threats, and threatening

natural disasters. BCP is part of a business continuity management (BCM) process

designed to identify business operational risks and vulnerabilities, and to provide

businesses in Maryland had not established nor implemented sustainable crisis

data analysis, and interpretations of relevant data to understand strategic business

planning for small business enterprises in the state of Maryland.

I would like to express and share my deepest appreciation and gratitude to my

success of my doctoral program, leading me throughout the tedious but fulfilling

academic accomplishment. I wish to sincerely thank my Dissertation Chair, Dr. Deborah

whose diligent evaluation of my dissertation was invaluable. I appreciated her expert

processes in the right direction towards this accomplishment.

The achievement of this Doctoral Degree is a fulfilment in my personal drive to

optimize my potential and strive through a personal principle of consistent constructive

spiritual and human life.

List of Tables......................................................................................................... vii

Chapter 1: Introduction ............................................................................................ 1

Chapter 2: Literature Review .................................................................................. 14

Chapter 3: Research Method .................................................................................. 60

Chapter 4: Findings ............................................................................................... 74

Chapter 5: Implications, Recommendations, and Conclusions .................................. 106

Appendixes ........................................................................................................ 138

Appendix A: Interview Participant Letter .............................................................. 139

Appendix B: Interview Permission Letter .............................................................. 140

Appendix C: Interview Protocol ........................................................................... 141

Appendix D: Interview Briefing and Questions ...................................................... 144

Appendix E: Consent Form .................................................................................. 147

Table 1 Demographic Profiles of the Participants ……………………………………….77

Business continuity planning (BCP) is the preparation and implementation of

of processes and procedures in an event of natural or human error disasters (Karim,

or global price escalations. BCP is part of a business continuity management (BCM)

interruption during a crisis, including appointment of a senior recovery manager in

fundamental importance of remedial measures that implement business continuity

establishing crisis planning, assigning roles, and enforcing responsibilities.

business organizations, which are aggravated by the tendency of small business

management to resist spending resources on low-probability events, regardless of the

investment, and prioritization of imminent short-term issues within the organization

Management Agency (FEMA) estimated that disasters in 2010 increased by 30%

The management, shareholders, and stakeholders of small businesses encounter

of organizational competing factors that include budget allocation, strategic management,

10% of business time in identifying and preventing operational risks. In order to

provides testing platforms for management to improve dynamic capabilities embedded in

business operations (Worthington, Collins, & Hitt, 2009).

Statement of the Problem

In Montgomery County, Maryland, 40 out of 50 (80%) small businesses do not

implemented sustainable crisis management measures for BCP necessary to resolve

problems of disasters that disrupt continuity of business services, while minimizing

with corporate strategic objectives, resulting in sustainable BCP, proactive disaster

Maryland state forms a significant part of the Washington District of Columbia

(DC) transportation and operational system, comprised of a 600-segment network that is

impracticality (Lambert et al., 2012). Maryland experiences frequent severe winter

hazards for businesses and individuals (FEMA, 2012). Maryland Emergency

almost 90% of emergencies are quiet catastrophes, illustrated by flooding in Maryland in

submerged downtown Baltimore and Annapolis. Transportation accidents, lightning,

Business Administration (SBA) to provide funding up to $2,000,000 in federal economic