Professional Documents
Culture Documents
State of Maryland
Dissertation Manuscript
by
ProQuest 10636023
Published by ProQuest LLC (2017 ). Copyright of the Dissertation is held by the Author.
All rights reserved.
This work is protected against unauthorized copying under Title 17, United States Code
Microform Edition © ProQuest LLC.
ProQuest LLC.
789 East Eisenhower Parkway
P.O. Box 1346
Ann Arbor, MI 48106 - 1346
Approval Page
Exploring Strategic Business Continuity Planning Methods for Small Businesses in the
State of Maryland
By
Approved by:
9/20/17
Certified by:
Dean of School: Dr. Peter Bemski, Ph.D. Date: September 20, 2017
Abstract
plans that provide for normal continuation of operations with real-time backup of
events to business continuity in the state of Maryland include severe winter storms,
processes and mitigating risks. The problem under investigation was that some small
management measures for BCP necessary to resolve problems of disasters that disrupt
continuity of business services. The purpose of this exploratory embedded multiple case
study was to explore strategic business continuity planning methods for small businesses
in the state of Maryland as perceived by senior managers, the unit analysis of the study.
Multiple case study is the proposed research design that utilized a semi-structured
interview format to collect data from participants at onsite or offsite business settings,
continuity plan (BCP) implementation by the small businesses with BCP and without
BCP in the state of Maryland. The participants in this multiple case study were six senior
managers selected from different business industries that meet the criteria of a small
business in Maryland. The results of the study represented the outcome of the analysis of
the responses from the interviewees, which formed the basis of the prevailing perceptions
of BCP among the managers of the small businesses in the state of Maryland. The final
ii
findings of the study formed the framework for further research in business continuity
iii
Acknowledgements
professors and research participants who supported me and contributed immensely to the
Nelson, whose patience and solemn scholastic intellect were beyond reproach. Without
her guidance and persistent support, this dissertation would not have been possible.
I would also like to deeply thank my Subject Matter Expert, Dr. Tanya Settles,
contribution and steadfast focus that consistently aligned my thinking and writing
In addition, I wish to sincerely and faithfully thank my wife, Zipora, and my sons
Andrew and Alex for the encouragement and support throughout my doctoral program.
Their irreplaceable support, prayers to our Lord, and unwavering patience towards my
inadvertent diversion from them during the final stages of this dissertation remain
priceless forever.
discontent. This doctoral certificate is dedicated to Mr. Joshua Kerretts, Mr. Wilson
Chepkoit, and Mrs. Esther Chepkoit, who laid the first stone of foundation in both my
iv
Table of Contents
v
References.......................................................................................................... 127
vi
List of Tables
vii
Chapter 1: Introduction
strategic plans that provide for normal continuation of operations with real-time backup
2011). Common disruptive events to business continuity include power blackout, fire,
water system problems, mergers, economic events, political activities, pandemic diseases,
process designed to identify business operational risks and vulnerabilities, and to provide
processes and mitigating risks that effectively respond to disruptive events (Jones, 2011).
The primary drivers that are necessary for management to create, activate, and
carry out BCP or a crisis management plan entail a holistic focus on the customers’ needs
and the prioritization of senior management to prevent or shorten the length of business
management (Bobcock, 2011). Business continuity and disaster planning emphasize the
processes that include the establishment of operational backup data centers for main
facilities and lay down strategies to support critical business elements against hurricanes,
fires, storms, tornadoes, and public health pandemics (Krizner, 2011). Jacques (2007)
observed that research on disaster prevention must include sustainable risk models that
provide business management with crisis preparedness and crisis processes that include
1
Background
Human-made and natural disasters have implications for the survival of small
potential disaster impact (Duncan, Yeager, Rucks, & Ginter, 2010). In most instances,
small business managers fail to develop and implement BCP due to low priority or lack
of budget for up-front costs for BCP, the possibility of little to no return on BCP
(Duncan, Yeager, Rucks, & Ginter, 2010). Small businesses encounter compounded risks
from human-made and natural disasters that are becoming increasingly common in
today’s world (Duncan, Yeager, Rucks, & Ginter, 2010). The Federal Emergency
compared to 2009 disasters, each time affecting small businesses significantly and
resulting in only 40% of the firms affected re-opening operations, while 60% failed and
remained shuttered for two or more years (Duncan et al., 2010). Small and mid-size
companies do not prioritize nor develop a BCP, which increases the level of risk during
disruptive events that have higher probability of damage to business operations (Duncan
et al., 2010).
barriers and challenges when prioritizing, developing, and implementing a BCP because
business risk analysis, training, and awareness, BCP documentation, and information life
cycle management (Karim, 2011). Brody (2012) stated that 44% of small businesses
2
operate without continuity business plans while 56% of business owners spend less than
minimize costs on BCP, small business management must develop scenario planning that
BCP, and facilitates opportunity to identify gaps while strategizing solutions in real-time
have business continuity plans (Watkins & Barnett, 2008). The problem under
investigation was that some small businesses in Maryland had not established nor
downtime, increasing response time, and deploying rapid resources (Petersen, 2010).
Management of small businesses must align risk management initiatives and systems
preparedness, and mitigation of business uncertainties, risks and threats (Byrnes et al.,
2012).
exposed to threats of radiological dispersion devices, high travel capacity, and evacuation
storms, snowstorms, hurricanes, and other threatening natural disasters annually, such as
the storms of December 2009 and February 2010 that prompted FEMA to disburse to
3
Maryland more than $15.4 million dollars in 2009 through 2010 to mitigate disaster
Management Agency (MEMA) reported that while bombs and fires capture the headlines,
2003 from Hurricane Isabel that destroyed many towns along the Chesapeake Bay and
tornadoes, blizzards, computer viruses, and technology failures have caused major
disruptions (MEMA, 2009). The effect of disasters in Maryland in 2012 prompted Small
injury disaster loans for small businesses, small agricultural cooperatives, and small
businesses in Carroll and Frederick counties, the most affected counties in Maryland
(SBA, 2012).
The purpose of this exploratory embedded multiple case study was to explore
strategic business continuity planning methods for small businesses in the state of
Maryland as perceived by senior managers, the unit analysis of the study. The state of
which is not a subsidiary of another business and not dominant in its field of operation.
4
The research design proposed was a multiple case study approach that utilized a
data analysis, and interpretations of relevant data in order to understand strategic business
continuity plan (BCP) implementation by the small businesses with BCP and without
BCP in the state of Maryland. The participants in this multiple case study were six senior
managers selected from various different business industries that met the criteria of a
small business in Maryland. The sampling of six senior managers from six small
businesses is within the typical range for case study research, where Yin and Zhang
characteristics in age, size, and ownership in order to allow for valid comparison.
The proposed study utilized triangulation to examine BCP documents for the
businesses with BCP, with a focus on best practices that included BCP processes,
systems and records (Nollau, 2009). The businesses without a BCP provided existing
vision and values, and strategy business plan. A multiple case study approach with
triangulation provided a richness of information which, upon analysis within and across
cases, can reveal a number of commonalities and some limited diversity (Stavros & Kate,
2009). The use of methodological triangulation (MT) allows the application of a within-
method approach for collecting data that entails interviewing management personnel
under reduced bias and improved validity of BCP data on operational processes and
5
procedures where BCP is already implemented (Lloyd, 2011). Where management had
not adopted a BCP practice, the additional data gathered for triangulation was based on
procedure instructions. Computer assisted application for data analysis was used to
facilitate data storage, coding, retrieval, comparing, and data modeling when computing
interview results.
Research Questions
participants to the research questions that were designed to explore the implementation or
state of Maryland.
Q1. How is strategic Business Continuity Planning (BCP) perceived by the senior
Q2. How do senior managers of small businesses with BCP perceive that Business
Continuity Planning (BCP) provides value to the small businesses operating in the state
Q3. How do senior managers of small businesses perceive managerial responsibility for
Q4. How does small businesses’ management in Maryland perceive risk management
6
Q5. Why do senior managers of small businesses in Maryland with BCP perceive that
critical success factors for business operations are important to achieving a sustainable
BCP?
Q6. Why do senior managers of small businesses in Maryland without BCP perceive that
critical success factors for business operations can be achieved without a sustainable
BCP?
study approach that explored strategic business continuity planning methods for small
managers of the recruited small businesses were the unit analysis components of the
study in each selected small business. Qualitative case study research is an emergent
approach suitable for the proposed research study because the method allows the
without depending on numerical measurements (Zikmund, Babin, Carr, & Griffin, 2010).
recommendation (Yin, 2013) that examined the study's questions, propositions, units of
analysis, logic linking data to the propositions, and criteria for interpreting the findings.
Senior managers recruited from six small businesses in Maryland responded to interview
questions that were devised to answer the perception of BCP by managers of small
businesses that have or have not developed and implemented BCP in their operations.
Data was collected from managers through interviews and analyzed in order to
understand the perception of managers on BCP and to discover how they have
7
incorporated BCP in the overall corporate strategy. In addition, construct validity factors
analysis by confirming the collected data under analysis (Ho & Merrilees, 2008). I
gathered and utilized descriptive and reflective notes to record participants’ behavior
during the interview, including the recording of personal thoughts, speculations, feelings,
the significance of BCP within small businesses category (Kelly & Yin, 2007). In order
to mitigate any bias against case study research, data triangulation, precise documentation
of interview responses, and maintaining the chain of evidence were used to develop
validity for the study (Yin, 2013). Validity measures the trustworthiness of the interview
responses from participants by cross-checking the findings against the research questions.
The triangulation approach of cross-checking the interview findings from the senior
necessary to validate the trustworthiness of the findings (Yin, 2013). The credibility of
the interview responses was achieved by comparing the managers’ in conjunction with
their experiences, knowledge and perceptions of BCP with the best practices and
standards generally accepted for disaster prevention (Golafshani, 2003). The analysis of
collected data and employment of explanations associated with interviews collected from
management that validated the certainty about possible claims in the research study
provided the status of BCP among small businesses in Maryland (Kelly & Yin, 2007).
8
Significance of the Study
delivery, resulting from corporate best-practices in disaster recovery plan framework and
contingencies, and uncertainties (Low, Liu, & Kumaraswamy, 2010). The ability of
emerging crises, contingencies, and uncertainties is driven by the extent to which the
organization has established an embedded BCP that identifies and protects critical
business processes and resources in times of business disruptions (Low et al., 2010).
organizational resilience with the capability for an effective response that safeguards the
activities (Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012). Business continuity
management (BCM) process allows management to review potential risks it faces, keep a
register of the identified risks, and produce a variety of scenarios of disruption to the
business (Heng et al., 2012). BCM equips management teams from different departments
with the ability to operate an integrated BCP that accounts for minor incidents and
occurrences that it otherwise results in disruption to the business. The use of BCM as a
tool to execute BCP enables managers and employees to collaborate in providing input
and feedback to the corporate BCP, facilitating an opportunity to every department to list
down services that are critical to the organization and determine the criticality of the
9
Management planning for operational continuity and recovery is an urgent
downtime risks (Bozman & Eastwood, 2011). BCP requires that management processes
and information systems are available by safeguarding existing systems and /or arranging
2009). In the event of a disaster, management should anticipate disaster occurrences that
may result in casualties and deaths amongst employees, reconciliation of work with the
family needs and concerns of staff, and the execution of appropriate crisis management
collection of real-time data backup services that provide offsite protection across multiple
locations, replacing labor-intensive functions with accurate and efficient technologies that
save time and virtually eliminate physical storage requirements (Bobcock, 2011).
management and employees in both public and private sector organizations. BCP is part
Business disruptive events. For the purpose of this study, business disruptive
events were defined as unanticipated events that disrupt business processes, procedures,
people, and technology. Business disruptive events included power blackout, fire, water
10
pandemic diseases, global price escalations, or cyber technology disruptive attacks such
systems designed and tested for the performance of individual business units and the
entire tenets of the corporation, resulting in a concrete system that would withstand wide-
strategy, processes, and procedures that require scenario planning management to identify
potential weaknesses in critical business units operations (Worthington, Collins, & Hitt,
2009).
when assessing the state of current business operations that provide framework of
identifying critical areas, non-essential sectors and units, risk benchmarking, peer
Disaster recovery systems. Disaster recovery systems are tools used to recover
and covers the recovery-facility (on-site, hot site, or cold site), computer hardware,
11
FEMA. The Federal Emergency Management Agency (FEMA), which is part of
U.S. Department of Homeland Security Agency, charged with the mission to support our
citizens and first responders to ensure that as a nation we work together to build, sustain,
and improve our capability to prepare for, protect against, respond to, recover from, and
mitigate all hazards. FEMA was founded in 1978 under Presidential Reorganization Plan
and implemented by two Executive Orders on April 1, 1979. Disasters include hurricane,
terrorism. Disasters may build over days or weeks, or hit suddenly, without warning.
Every year, millions of Americans face disaster, and terrifying consequences of these
agency organized within the Maryland Military Department to coordinate federal, state,
local, and private resources throughout the state during times of disasters and
emergencies.
Summary
2010 increased by 30% compared to 2009 disasters, each time affecting small businesses
significantly and resulting in only 40% of the firms affected re-opening operations, while
60% failed and remained shuttered for two or more years (Duncan et al., 2010). The
mitigate unanticipated events that disrupt business processes, procedures, people, and
technology. The senior management required appreciation of investment risks that arose
from unpreparedness to mitigate disasters, and needed to prioritize business strategies and
12
resources that included quality time and effort for substantive implementation of BCP
and continuously upgrading management systems across all business operational units.
On the contrary, the absence of BCP exposed business operations to various risks and
threats that included internal and external factors, resulting in catastrophic effects on
The proposed study utilized triangulation process examined BCP documents for
the businesses with BCP, with focus on best practices that included BCP processes,
networking, and data recovery-facilities. The sampling of six senior managers from six
small businesses was within the typical range for case study research, where Yin and
characteristics in age, size, and ownership to allow for valid comparison. The multiple
case study research was designed to utilize a semi-structured interview format to collect
data from participants, perform data analysis, and interpretations of relevant data to
13
Chapter 2: Literature Review
(BCP) for small businesses in the state of Maryland focused on research in business
disruptive events. BCP provides effectiveness for the small businesses in Maryland to
reviewed provided the framework for BCP best practices required for small businesses in
systems accessibility, disaster recovery planning and auditing, training of employees, and
continuous preparedness and testing of BCP functional activities and networking (Wan,
2009).
Chapter 2 contains research literature related to the anatomy of BCP and related
best practices that enable management to adapt a business culture of sustained continuity
of business operations across the organization. BCP framework provided processes and
vulnerabilities and risks, and planning how to mitigate, accept, or assign such risks
without disrupting business operations (Karim, 2011). The incorporation of BCP into
organizational values and beliefs enables seamless practice of BCP best practices in the
The primary citations in the literature review included scholarly articles, peer-
review journals, books, reports, and dissertations. The websites and links sources
14
originated from institutional research sites, peer-review journals and the government of
the state of Maryland on literature related to BCP and small businesses statistical data.
The government agencies mandated to provide disaster relief services at national and
emergency plans to hedge against risks and to reduce the associated impacts and losses,
with the disaster situation once the consequences are known (Low et al., 2010). Business
continuity planning (BCP) increases value in service delivery and provides disaster
recovery framework and preparedness to minimize loss in emerging disruptive events and
contingencies that abort business continuity (Low, Liu, & Kumaraswamy, 2010). The
organizational BCP framework entails internal factors that include business processes,
business infrastructure, resources, and people that are essential for the effective
functioning of the company. External factors that can contribute to catastrophic effects
and the disruptive incidents to the business include accidents, criminal activities,
disruptions in electricity and water supplies or natural disasters such as earthquakes and
tsunamis. Thus, the successful operation of a BCP is not only solely dependent on the
internal factors, but also on the external risks (Low et al., 2010). The management of a
small business should implement a BCP that ensures the existence of a well-structured
15
processes; and activates a pro-reactive plan to accelerate the recovery and minimize the
negative impact after the occurrence of a disruptive event (Low et al., 2010).
review current and future risks it faces, while documenting risks, effects, potential
intangible and tangible damages, while producing resolution simulations for business
continuity (Heng et al., 2012). Douglas (2009) study confirmed that medium to large
companies account for about 90% of business enterprises that fail to resume business
normalcy and continuity within five days of emergency, and increased the risk
and procedures for managing crisis and transitions between routine and crisis operations
as well as providing analysis for the kind of losses and level of disruption the business
may have to contend with (Douglas, 2009). It is crucial for small business management to
prepare for prolonged loss of utilities such as power, water, and gas, and the capability to
conduct core operations away from the central center of operations (Douglas, 2009). The
management of preventive and protective measures ensures that the staff and all business
stakeholders can fulfill disaster continuity roles as well as deal with high demands over
prolonged periods. Disaster planning requires management to plan relevant sets of BCP
implementations for each anticipated disaster in order to align readiness with the
appropriate for disaster levels of impact-size and distribution (Prochazkova, 2012). The
that influence expected mitigating outcome such as the rate of disaster start-levels,
16
warnings, preparation time, size of danger, risks for participants of intervention,
practices require that the executive management be composed of managers who are
intervention, space location, and required decision, such as routine, known, complex or
identifies potential risks to the business core objectives and susceptibility to natural
hazards (Douglas, 2009). The business continuity management process should have the
ability to conduct of a business impact analysis to assess risk and how such risk is
enables management to understand the critical processes required for prompt supply of
goods and services to customers; focus on generating income for the business; and
The accountability for management to execute the best practices for effective BCP best
practices requires that management should consider strategies and options available
throughout the organization to mitigate identified risks to the business such as increasing
the amount of insurance to transfer the risk; improving the structure of the building to
withstand severe weather; and installing efficient backup systems at remote locations
(Douglas, 2009). In addition, management must draw up a business continuity plan that
defines the processes and procedures necessary for execution in the event of a disaster,
train staff to embrace a culture of BCM within the business, facilitate communication
17
between key groups and individuals within the business, and provide procedures for risk
business practices or the external environment over time. Further research is needed to
ascertain scientific methodologies for measuring monetary value of loss resulting from
business unpreparedness, including patents, intellectual property, and legal rights to lost
deliverables.
success factors for continuity of services across risk sectors, business units, and market
technologies during the disasters that occurred between 2005 and 2007 that included
hurricanes, fires, storms, tornadoes, and public health pandemics. Krizner observed that
of operational backup data centers that support business main facilities and management
strategies for critical business units. Krizner (2011) cited healthcare organizations that
include Blue Cross Blue Shield (BCBS) of Los Angeles that have contracted backup data
centers and disaster recovery systems to recover stored data in case of business disruptive
events. Lack of established business continuity planning can be costly and damaging to
leading, and controlling the activities of a company in order to minimize the effects of
risk on the company's capital and earnings, creating a framework for BCP (Byrnes,
18
Williams, Kamat, & Gopalakrishnan, 2012). ERM ensures management complies with
proactive measures against risks that threaten business continuity and enables
and corporate governance (Byrnes et al., 2012). ERM is an essential element that allows
management to achieve business goals and deliver sustaining benefits through the
to implement BCP and disaster preparedness required to assess and mitigate major risks
to business operations, processes, people, and physical assets (Byrnes et al., 2012).
monitoring, and reporting risks across the organization (Byrnes et al., 2012). ERM
framework provides management with the base from which risk management is ingrained
into BCP and enables the flow of decision-making process from senior management to
employees (Byrnes et al., 2012). Management employs ERM to align risk management
initiatives and risk management systems with corporate strategic objectives, resulting in
The implementation of ERM evolves the training of all employees and contractors
entails process ownership, corporate governance, and business continuity best practices
structure, and ability by government to legally enforce tax collection. Duncan et al.
19
(2010) observed that small businesses encounter compounded risks from human-made
and natural disasters that are becoming increasingly common in today’s world.
with opportunities through proactive actions, resulting in enhanced brand value and
profitability (Byrnes et al., 2012). ERM enables management to identify and select
alternative risk responses such as risk avoidance, reduction, transfer, and acceptance,
which result in fewer risks, fewer business challenges, and improved management styles
and strategies (Byrnes et al., 2012). Proactive initiative involves continuous monitoring
of risk and developing applicable corrective actions that enable management to locate,
confine, and correct the source of inaccuracies (Byrnes et al., 2012). The process of
continuously monitoring risks complements BCP initiatives, provides feedback for future
identifying both threats and opportunities, and assesses probability and possible impact
the disaster recovery plan framework, including the technological component of the
business, emphasizing advanced planning and preparations to minimize loss and ensure
continuous performance of critical business units (Duncan, Yeager, Rucks, & Ginter,
2010). Duncan et al. (2010) established that despite motivating factors to establish BCP,
most small and mid-size companies do not prioritize nor develop BCP, which increases
20
level of risk during disruptive events with higher probability of damage to assets, entity’s
widespread (Douglas, 2009). Small businesses encounter barriers that delay the
assumes low probability of disastrous event, lack of budget for up-front costs for
imminent short-term issues within the organization (Douglas, 2009). Douglas observed
that lack of business preparedness accounted for about 25 percent of the $40 billion lost
because of the September 11 terrorist attacks in New York, highlighting greater emphasis
continuity (Worthington, Collins, & Hitt, 2009). BCP preparedness must be driven by
planning strategy, processes, and procedures that require scenario planning management
Collins, & Hitt, 2009). Corporations continue to recognize the urgency in the importance
and value of BCP because of corporate value inherent in disaster readiness. Bozman and
21
The urgency of instant decision turn-around is critical for management when
deploying solutions required for overcoming downtime risks (Bozman & Eastwood,
2011). The study critical systems sustainability of several organizations by Bozman and
Eastwood showed that even one hour of downtime could result in a severe business
impact for 48% of studied businesses, a business disaster for 7%, and a business
discontinuity for 55%. The authors researched organizations across diverse industries and
established that planning for operational continuity and recovery from outages is rapidly
business processes, and inefficient delivery of goods and services to customers (Bozman
for small businesses entails full support and commitment of corporate senior management
continuity methodology emphasized that corporate senior management must own and
care for the continuous planning process and strategic planning that leads to sustainable
cases that utilized staircase capability maturity model for testing and confirmation
22
(Lindstrom et al., 2010). The commitment of the senior management leads to increased
awareness and understanding of issues crucial to developing and implementing BCP that
guarantees perpetual services to customers and stable job security to the employees. BCP
and disaster recovery planning form a crucial part of core management priority when
executing training programs for all employees across the organization for overall BCP
success (Lindstrom et al., 2010). A successful training program that incorporates BCP
from the corporate policy level provides the employees with comprehensive
understanding and acceptance of uncertainties that exist in the business operations, and
prepares them to effectively execute the BCP processes and procedures while minimizing
maintain a BCP is crucial for all the employees during training programs, where real
experiences from other organizations are used to demonstrate how BCP works and how
the management and employees can avoid post-crisis blaming of individual employees
(Lindstrom et al., 2010). Corporate training programs provide systematic and continuous
learning process that is vital for successful execution and improvement of BCP
throughout the business functional units (Lindstrom et al., 2010). Systematic and
Senior management commitment provides the corporate basis for setting BCP
objectives and limitations using corporate business plan, organizational vision, strategy
and objectives, and involvement in the continuous process to develop and maintain
23
sustainable BCP (Lindstrom et al., 2010). A crisis occurs when an organization's critical
processes are seriously affected or possibly, if a very serious event affecting the
organization has occurred, hence the capability of the management in identifying and
crucial (Lindstrom et al., 2010). The implementation of BCP should span throughout the
processes and standards for BCP best practices with all stakeholders throughout the
organization (Lindstrom et al., 2010). The established BCP processes and procedures
require continuous monitoring, updating, and instituting measures that indicate the levels
of crisis severity that guide management when deciding appropriate BCP solutions
whenever there is a crisis (Lindstrom et al., 2010). The research findings on multi-usable
interactive process of monitoring and updating BCP because most changes and signs of
deficiencies occur at the lower level of operational units (Lindstrom et al., 2010). In a
study on business continuity management and interactive processes, Cansiz and Pakdil
(2012) found that an effective interaction of business units and processes across business
operations entailed obtaining management support and developing a BCP and business
24
teamwork, adaptation to easy changes, discovery of improvement opportunities, and
investment initiative to protect company assets in the time of crisis, complete company
transactions during and after disasters, protect jobs and benefits for employees, sustained
operations and production of products and services, and flawless communication across
business units and between customers and the business (Clas, 2008). Small businesses
nationally and within the states risk core investments due to lack of disaster preparedness
established in study by Hewlett Packard that found 18% of enterprises and 31% of small
businesses lacked BCP necessary for emergency response operations that include fire
drills, equipment shutdown procedures, and technology redundancy for hot and cold sites
continuous executive level support from key stakeholders and continuous exposure to
existence of disparity and disagreements among the managers on the effectiveness of pre-
disaster planning (Morrison & Oladujoye, 2013). The organizational leadership showed a
25
wider disparity on the company’s degree of preparedness in supporting the individual
medical, financial, and social needs of the employees and their families in a post-disaster
period (Morrison & Oladujoye, 2013). Using a random sample of 1000 managers from
American Business National Base (ABNB) database, Morrison and Oladujoye collected
data sets from 120 managers (12%). Morrison and Oladujoye found that there was a
general disagreement among most managers on the perception of leadership role by their
CEOs on natural disaster preparedness. The findings also indicated that the CEO was
with workers and respective families, getting assistance directly to those in need, and
and compliance to disaster regulations by authorities (Morrison & Oladujoye, 2013). The
resources for disaster preparedness (Morrison & Oladujoye, 2013). In addition, the
companies, leading to the conclusion that organizations appear to presently have a mixed
26
(NPPA 1600) model for public-sector preparedness (Clas, 2008). The universal standard
on BCP and plan management consist of program initiation and management; risk
evaluation and control; business impact analysis; and business continuity strategies (Clas,
2008). The standards also include final phase that include emergency response and
senior management to obtain full support of all managers and employees. The initiation
continuity, operational risk, and crisis management plans (Clas, 2008). Management
utilizes risk evaluation and control technique to determine internal and external risks
within the business that would affect the business operations, employees, facilities, and
Business Process Reengineering (BPR), six sigma, and business process simulation.
identify the impact of business interruptions and determine best techniques required to
quantify and qualify the magnitude of such impacts (Clas, 2008). A BIA also helps
overall standing operating procedures that can be activated during disasters. In addition,
27
strategies for business continuity processes and emergency response procedures provide
communication, and stabilizing situations while concrete solutions are executed (Clas,
2008).
consequences that defective processes may have on performance, and lack of risk impact
analysis (Cansiz & Pakdil, 2012). Small businesses management achieves sustained BCP
Disruptive events and uncertainties often exist in business operations, which management
must address by performing thorough assessment of the impacts to the processes and
possibility of risk occurrence and the effects to the process, and continuous analysis of
available remote access facility (Heng et al., 2012). Management’s failure to implement a
28
disaster responders to access critical security and recovery data (Heng et al., 2012). The
small business organization to align BCP with corporate strategies and culture within
budget and minimal training (Payam, Morteza, & Javad, 2009). The development and
implementation of business best processes and practices involve the internal and external
customer’s view on how the organizational business operations have been implemented
and when such operations were implemented (Payam et al., 2009). The operational view
on how the best practices have been implemented examine the level of relation between
BCP tasks and operation activities, the task’s nature, and the consistency in which
management execute business operations as aligned to BCP tasks. The operational view
related to the timing of business process focus on the management’s behavior view on the
task’s sequence, activities targeted, and scheduling of processes at the business unit level
(Payam et al., 2009). Best business practice for effective and efficient business processes
29
strategies through recognizing and implementing emerging best strategic practices
center as a best practice that will allow management to execute continuous operations
during disruptive events (Omar, Alijani, & Mason, 2011). A BCP plan should be
developed in a logical sequence and written in a standard and understandable format that
reflects effective documentation, processes, and procedures that can be executed at ease
and without complexities (Omar, Alijani, & Mason, 2011). BCP seeks to allow small
and establishment of a disaster recovery plan (DRP) within an overall BCP for disaster
prevention, data recovery, and data restoration are essential practices in ensuring the
protection of critical business units are safeguarded while guaranteeing the goal to
replicate data and information technology processes and procedures for business
operations critical applications (Omar et al., 2011). Management should ensure that data
loss does not occur; data replication capability is more efficient, less expensive, and
better optimized for data protection; and that a successful BCP is implemented
The employment of BCP as a business best practice entails the establishment and
of practices that promote BCP (Tsohou, Kokolakis, Lamrinoudakis, & Gritzalis, 2010).
30
common understanding, and agreement in functional and non-functional requirements for
compatibility, and compliance with globally accepted rules and practices (Tsohou et al.,
associated risks, providing a framework for building resilience for business operations,
facilities, processes, and business units for effective responses to disasters and failures
management guidelines for both in-house and outsourced disaster recovery services that
focus on disaster recovery guidelines and physical facilities. Disaster recovery guidelines
activation and deactivation of disaster recovery plan, and training, while disaster recovery
facilities refer to the basic requirements for secure physical operating environments that
The effect of disruptive events on businesses without BCP best practices threaten
the corporate reputation (CR) because of damages to corporate image, leading to broken
links of customer trust and unintended negative exposure within a relatively short amount
of time (Kronis & Ponis, 2012). The aftermath of disasters on businesses could lead to a
continuity (RC) necessary for the organizations to preserve positive reputation in the
post-crisis period (Kronis & Ponis, 2012). The incorporation of CR in business continuity
31
practices enables embrace reputation continuity as a process of maintaining trusted links
from reputation losses, after the crisis has emerged (Kronis & Ponis, 2012).
best practices evolves into an important asset for organizations that inject continuity
problems throughout the organization (Kronis & Ponis, 2012). Organizational crises
corporations' efficiency and viability, negative reputation crisis, and negative cognitive
association (Kronis & Ponis, 2012). The RC practice is the integrated ability of
flow of trust while preserving the pre-crisis perceptions of stakeholders (Kronis & Ponis,
practices that protect CR in order to minimize the effects of crises and ensure business
continuity and recovery. The absence of a plan for reputation proactive protection
external factors and mediating agents, given the scarcity of information and the stress and
pressure imposed on individuals and teams during disaster period (Kronis & Ponis,
assessment of the business units, clarify the planning scope, identify staff roles and
ensure a complete buy-in of the plan across the organization (Taylor, Artman, & Woelfer,
2012). Utilizing Risk Spider Chart to assess levels of risks, Taylor, Artman, and Woelfer
32
(2012) established that contingency approaches revolved around reducing uncertainty and
higher levels of planning and oversight, while less-risk operations were subjected to
identify, categorize, and standardize each critical business function that is necessary for
the business to survive in an event of a disaster (Aggelinos & Katsikas, 2011). In order to
discover the business critical functions, management must perform a business impact
detailed organization chart with all the business units or departments; and the
development of all the processes that the business units execute in a form of input-output
for each process (Aggelinos & Katsikas, 2011). Management is also required to classify
according to their critical nature to the business; identify legal responsibilities from a
possible disaster; and estimate potential loss revenue for the period of disaster disruption
(Aggelinos & Katsikas, 2011). BCP provides the platform from which management can
estimate the impact a disaster could have to the organization's business goals, corporate
objectives, and the reputation of company stakeholders and employees (Aggelinos &
Katsikas, 2011). In the event that management has to develop a specific disaster recovery
plan in order to execute a business continuity operation, management should define the
business units that have to be covered in an emergency operation; the applications that
33
will function in disaster conditions; the necessary physical equipment to cover the needs;
and the required related security of systems in operation (Aggelinos & Katsikas, 2011).
The operation of a BCP is crucial to be aligned with processes and procedures established
for a normal operation system in order for the organization to benefit from same
between the normal operation processes and the emergency operation system. The
development of a system for emergency operations at the departmental level should align
to the corporate strategic plan required for mitigating organizational disaster risks, for a
certain recovery period and at a cost-effect budget (Aggelinos & Katsikas, 2011).
The business best practices for BCP management entail consistent practice of
BCP life cycle plan that includes the collection and the storage of critical documents and
systems at backup servers in a secure off-site location (Omar, Alijani, & Mason, 2011).
Best business practices require the management to create and communicate records and
information management plan for critical business functions (Omar, Alijani, & Mason,
2011). With modern sophisticated electronic and mobile devices for communication,
management should be able to instantly reach out to colleagues and other stakeholders in
identify and organize functional areas that support business processes and operations;
perform risk assessment, impact analysis, personnel access to original documents and
physical facility safety; and conduct annual document audits to establish the level of
disaster preparedness (Omar, Alijani, & Mason, 2011). In addition, the BCP business best
practice for establishing a secure off-site location that is equipped with capabilities to
store critical documents and systems required to support operations during disaster events
34
such as seamless network infrastructure controlled by the business management, internal
communication network, and third party vendors that are carefully documented within
BCP along with external storage data (Omar, Alijani, & Mason, 2011). The life cycle
plan of an established BCP best practice creates a sustained business environment that
functions throughout the business operations with the ability to generate, retrieve, and
communicate accurate and complete copies of records (Nollau, 2009). The management
restoration in the case of a disaster. The BCP life cycle plan include the requirement that
performed based on risk level of the affected system, level of change, and planned
organize functional areas that support business processes and operations that cover all
aspects of the business to keep the business viable in the event of a disaster (Nollau,
2009). The plan must include disaster identification, notification and coordination
return to normal operations, and BCP testing and maintenance procedures (Nollau, 2009).
process that is focused keeping a specific business unit operational in the event of a
35
disaster such as facilities, human resources, safety, equipment and furniture, internal and
Management utilizes functional BC plans for critical business processes and cover
involve the use of logbooks, cell phones, hardcopy documents, employee manuals, or
outcomes such as non-compliance with regulations and lack of alignment with a parent
company and partners (Nollau, 2009). Failure to sustain an effective functional BC could
result in lost revenue from inability to ship product, loss of sales from delayed
submissions, loss of worker productivity, or damaged credit rating from inability to pay
bills. In addition, the company's business and professional reputation with customers,
Small businesses with best practices for an implemented BCP drive management
original documents and ensure safety for physical facilities (Omar, Alijani, & Mason,
choose a location that will likely not be affected by disaster, assure accessibility to
storage areas within reasonable travel distance, time, and effort, and assure availability of
BCP processes and procedure manual stored at the company facility and recovery site
(Nollau, 2009). Establishing a disaster response team as a BCP best practice within a
disaster recovery plan (DRP) functional process that operates all of the processes required
36
to restore technology, and it must have a defined owner responsible for maintenance of
the plan on an ongoing basis. The disaster recovery team facilitates the disaster recovery
process, ensures the workability of the plan by working through assigned teams maintains
and distributes the final copy of the plan, conducts impact studies, develops recovery
strategies and responses procedures, coordinates testing, and monitors team response in
actual disaster situations (Nollau, 2009). The disaster response owner collects and
maintains information about all technology elements, performs triage activities, and
resolves any conflicts in the case of systems with dependencies or the same uptime
business area systems team allows the organization to successfully align everyone with a
Establishing scenario planning, annual audits, and testing BCP as a best business
practice enable managements’ preparedness and define scenario planning for BCP as
exogenous shocks that guide firms with corporate innovation capabilities to create novel
recovering procedures, recovering functions, and simulating various disasters (Chow &
Ha, 2009).
37
ensure the continuing existence of the enterprise and to minimize harmful impacts on
society, including but not limited to the environment (MacDonald, 2011). Enterprise
sustainability best practices involves the aligning of corporate social responsibility (CSR)
incorporate shared values with the community (MacDonald, 2011). The business risk of
aligning community shared values with customer interests arise when there is unforeseen
economic stability of the customer base and reduced sales (MacDonald, 2011). The use
of BCP allows businesses to analyze the impacts it has on society and to mitigate those
Many enterprises with business continuity best practices and mitigation initiatives
Risk management practices enable managers to assess the impact of disasters on the
business as well as on the society. As part of assessing its impact on society, a business
should include an assessment of the amount of risk mitigated for the business at the cost
of increasing risk and the economic instability mitigated for customers (MacDonald,
2011). Enterprises that align business interests with customer interests mitigate enterprise
sustainability risk by promoting the economic stability of its customer base while
fulfilling its CSR obligations (MacDonald, 2011). Aligning business interests with
socially shared values creates valued relationship between businesses, not just customers
and investors, but also employees, suppliers, communities, regulators, special interest
groups, and society as a whole. CSR is the continuing commitment by business to behave
38
improving the life of the workers and their families as well as the local community and
society at large (Fontaine, 2012). In a study that focused on CSR at The Royal Dutch
Shell (BP), a global energy and petrochemical company that advocates for a less risk
environment for both business and society, Fontaine observed that the socially
and Earnings Per Share (EPS). CSR demands that businesses manage the economic,
social, and environmental impacts of their operations to maximize the benefits and
minimize the downsides on environment and the society. Organizations that align
business interests with the interests of the society they operate define CSR as a risk-
mitigating tool to manage financial risk, reputation risk, environmental risk, and supply
management. Eriksson and McConnell (2011) studied contingency planning for crisis
management and concluded that the relationship between crisis planning and crisis
management outcomes is more complex because the success in the pre-crisis stage does
not guarantee a successful crisis response nor do pre-crisis situations lead to flawed crisis
planning enables managers to acquire the knowledge and innovation necessary to respond
39
The development of a successful BCP is built on a business contingency process
that is intertwined with the business vision, strategy, business objectives and business
its operations at any incident. Lindstrom (2012) explained that BCP provides an
assurance to management and all business stakeholders that the organization's critical
must recognize that when planning and developing a BCP with a crisis management
perspective, it is most helpful to have a common terminology and use a simple and
business process contingency entail a situation assessment team that decides on the level
of the crisis management using the BCP to mitigate the problems, control the problems,
and re-instate a normal state of business operation without losses (Lindstrom, 2012).
hurricane seasons. During Hurricane Ike, Continental Airlines moved all domestic and
international flight operations seamlessly to the bunker business continuity mode when
the hurricane was 100 miles away from regular operations center, allowing the airline to
operate continually throughout the storm, achieving 89% domestic on-time flight
40
performance (Worthington et al., 2009). The success of implementing scenario plans
embedded in BCP, and facilitated the opportunity to identify gaps and strategize solutions
communication process within the organization and between all levels of management
and employees helps to mitigate risks during disasters (Veil & Husted, 2012).
Communication best practice entails planning for a prompt response, establishing a crisis
business stakeholders, and continually evaluating and updating a crisis plan (Veil &
Husted). A crisis communication plan framework forms part of a corporate BCP, and
designate responsibilities for managers and team members throughout the organization.
Veil and Husted (2012) emphasized that establishing a crisis communication network
includes the collaboration of internal information sources and actors at all levels of the
organization, outside agencies, and the media. Continuous assessment and evaluation of a
review each specific communicative practice within the BCP rather than trying to
management with a tool for planning and for post-crises assessment (Veil & Husted,
2012).
41
Small and medium enterprises (SMEs) form an important segment in the business
community and are highly vulnerable to disruptions compared to larger businesses, hence
require higher priority of contingency planning for natural disasters and better
contribution towards policy making on risk adaptation that informs policy makers and
practitioners (Wedawatta & Ingirige, 2012). However, SMEs often tend to underestimate
business risks and adaptation measures to the risks such as business continuity
business continuity and resilience measures (Wedawatta & Ingirige, 2012). SMEs require
measures such as land use planning policy, responsibility of implementing the measures,
and resilient property construction that can withstand most disasters (Wedatta & Ingirige,
2012).
The SMEs decision makers and management should implement BCP and risk
business continuity plan, using a business data backup system, and obtaining business
interruption insurance (Wedawatta & Ingirige, 2012). Wedatta and Ingirige undertook a
research study in the United Kingdom (UK), titled the “Community Resilience to
responses to flood risk, and what measures have been undertaken to manage the risk of
flooding. The investigation focused on the how SMEs adapted to the risk of flooding,
study found that most SMEs fail to implement disaster adaptive measures because of the
42
perceptions of high cost, assumption that physical properties are adequately protected by
business agendas. The adaptation of measures requires cost and time commitments to
implement; hence, the SMEs could execute the implementation of measures that best
serve respective business continuity and survival (Wedawatta & Ingirige, 2012).
does not necessarily guarantee an assurance against a disruptive event nor does it produce
a successful crisis response during a disruptive disaster (Eriksson & McConnell, 2011).
management planning when staging a disaster scenario because the initiative for
contingency planning involves strong elements of foresight and certainty, while crisis
management planning is surprising and generates high levels of uncertainty (Eriksson &
McConnell, 2011). Some robust pre-crises contingency plans fail to effectively respond
to disasters because the management neglected the mandates recommended in the plan by
experts in disaster management (Eriksson & McConnell, 2011). However, some of the
contingency plans developed for specific disasters such as pandemic diseases can
effectively protect, rescue, and restore critical services, for instance vaccinations and
The contingency plans that fail to guide management at times of crisis are
43
responsibilities and decision guiding rules (Eriksson & McConnell, 2011). The failure of
management is partly attributed to the nature of crises that may vary in terms of the speed
of threat arrival, threat intensity, level of complexity, level of uncertainty and the
2011). Some of the ever evolving, unpredictable crises include hostage crises, rail
crashes, critical infrastructure breakdowns, oil spills, and pandemic virus. Contingency
plans are more suitable for crises with relatively familiar and linear contingencies that
allow management to learn under conditions of low uncertainty such as airline disasters
(Eriksson & McConnell, 2011). The management requires embracing the understanding
that contingency plans for unfamiliar and complex episodes are liable to have a high
objective, but less useful because the nature of the crises produce high levels of confusion
and improvisation, such as terrorist biological attacks (Eriksson & McConnell, 2011).
management analysis, create redundant systems, testing them frequently and prepare
employees on what actions to follow in the event of disasters (Karim, 2011). BCP is a
crucial component of overall corporate planning necessary for the preparation of the
extraordinary threats, whether they are predicted or not, in order to protect employees,
and execute a successful risk management plan, assess risk probabilities, or prevent
44
probabilities to compare risk plans and real performance enables management to detect
2009). The success of risk management planning requires the creation of senior
management role such as Chief Risk Officer (CRO) with responsibilities to oversee
deployment of risk management plan, maximize value when setting strategic goals,
balance between performance goals, targets and business risks, and evaluate various
strategic business alternatives (Fraser & Simkins, 2010). The senior risk management
role requires leaders with intimate business knowledge, political flair, communication,
and well-chosen allies developed over time at corporate level (Fraser & Simkins, 2010).
Planning for business risks is an initiative that entails an undertaking and consideration of
future risks, threats, and unpredictability, which require the senior risk manager to
balance the conflicting objectives of producing an aggregate review of risks and retaining
case-by-case business knowledge to inform expert judgment (Fraser & Simkins, 2010). A
complete management planning at the corporate level or unit level entails the
the stream of an information system's data from creation to the time improvement is
required for next generation planning (Karim, 2011). The consequences for failure to
The best practices in BCP require benchmarking, which is the continuous process
of measuring quality for products, services and practices against the toughest competitors
or those companies recognized as industry leaders (Hong, Hong, James, & Park, 2012).
45
through ongoing processes of measurement, comparison, improvement, continuity, and
disruptive events create turbulent business environment that engage management to focus
on organizational identity, purpose, mission, and direction with vigor and intensity (Hong
BCP best practices related to sharing knowledge throughout the organization, managing
between departments, and developing expertise in various settings such as the team, the
practices that include functionality of business units, response time to a disruptive event,
business operations (Hong et al., 2012). The use of technology to successfully effect
measures that enable management to achieve accurate and improved quality of outcomes
for specific functional requirements related to business continuity (Hong et al., 2012).
systems that are compatible, adaptable, collaborative, and communicable (Hong et al.,
46
manage stakeholders’ relationships, and integrate dispersed skills and expertise necessary
BCP impact on business units, concrete systems, and corporate tenets. Man-
made and natural disasters have implications for the survival of small business
spending resources on low-probability events, regardless of the potential impact, and the
agencies and corporate governance best-practices (MEMA, 2012). Duncan et al. (2010)
cited findings by Center for Disease Control and Prevention (CDC) that underscore the
impact of disease outbreaks such as pandemic influenza as disasters that create fear and
individual business units, concrete systems, and the entire tenets of the corporation that
could withstand wide-scale business disruptions in the event of a disaster (Slater, 2011).
United States Army Automobile (USAA) studied the contingency plans implemented by
corporations such as FedEx, First Union, Merrill Lynch, Wachovia, and Fleishman-
Hillard. The study found that the corporations were able to sustain operations while fully
recovered the systems, applications and all the third-party vendor connections during
47
disaster disruptions (Slater, 2011). Disaster recovery simulations with employees across
the business units demonstrated that the employees who walked through the simulation
were in a position to observe flaws in the contingency plans, less likely to panic during
disasters, more likely to remember the contingency plan, and offered mitigating
the overall organizational exposure to risks and threats (Slater, 2011). Businesses may
recover business data and sustain operations during disasters; however, there could be no
plans for alternative work places. In a disaster awareness exercise after the September 11,
2011 (9/11), the Oppenhiemer Holdings established that most clients were able to able to
recover data, but had no plans for alternative work places (Slater, 2011). The World
Trade Center had provided more than 20 million square feet of office space, and after
9/11 there was only 10 million square feet of office space available in Manhattan for
staging operations recovery (Slater, 2011). When developing contingency plans, business
assemble immediately after a disaster and where they will be housed during recovery
(Slater, 2011). The failure to implement sustainable BCP and robust disaster recovery
system by most businesses result from management mistakes that include inadequate
prioritization of critical and non-critical systems, failure to simulate and test recovery
efforts, failure to gain buy-in support from senior management, lack of in-depth business
impact analysis, failure to allocate adequate funding for BCP, and inadequate analysis of
48
recovery time objective, critical systems and applications, vital documentation, and plans
sustainable policies and practices can be expensive; however, multi-layer model of units
viability. Business continuity planning allows open mindedness, dynamics, and flexibility
The sustainability of business operations between and across critical units requires
procurement, production, distribution, the market place, and consumers (Svensson &
corporate and judicial boundaries, allowing all sources of each unit to interconnect to all
sources while enhanced towards a common goal of planned, implemented, and evaluated
efforts toward business sustainability as in BCP (Svensson & Wagner, 2011). Utilization
49
The long-term effect of natural disasters on business units could adversely affect
areas with disasters aggravated by climate change (Begum, 2010). In 2009, about 335
natural disasters were reported worldwide that killed 10 655 persons, affected more than
119 million others and caused over US$ 41.3 billion economic damages (Begum, 2010).
Asia experienced the largest share of the disasters, reporting 40.3% of natural disaster
occurrence, accounting for 89.1% of global reported natural disaster victims and 38.5%
of total reported economic damages from natural disasters (Begum, 2010). Natural
disasters are catastrophic events that include socio-technical disasters such as floods,
landslides, and mudslides. Momani (2010) observed in the study that featured American
Telephone and Telegraph (AT&T) and Cisco Systems that 12% of companies had to
suspend key business operations because of human related errors in disasters. In addition
monetary, mortality and morbidity losses for business operations such as activities,
specific business units and systems due to negligent, intentional, and criminal behavior of
employees. Human behavior may damage or destroy the business' property or resources
50
eliminated by most industries using labor to reduce human errors such as pharmaceutical
Business risks related to natural and human-made disasters are caused by factors
estimate potential business disruptions for specific activities, processes, and products that
could prevent businesses, suppliers, distributors, and other stakeholders from maintaining
normal operations (Momani, 2010). The implementation of BCP requires the utilization
measures and business continuity strategies against technology related risks that could
damage businesses and form part of overall risks and threats to business operations
(Momani, 2010). The strategies that management could implement against technology
risks include the capability and resources to protect media that stores important business
records and back it up daily, keeping a copy in secure location away from the business
location and to identify the equipment that the business will use if its own equipment are
trained and equipped with proactive solutions for frequent failures and maintenance
issues to minimize down time and to perform regular and scheduled maintenance for
The management should align BCP strategy with the overall mission critical
strategic role of the business that include planning processes, capability development and
socio technical approaches, rapid response to client needs, and disaster recovery strategy
(Momani, 2010). Strategies to resolve human risk include protection against bodily injury
51
and property damage through identifying important business safety issues; training of
employees on common dangers, legal restrictions, and risks; protection against personal
injury claims; and, establishment of internal controls to discourage and detect employee
responsibility to identify activities that may damage business property through fire,
save the lives of employees or other stakeholders, and business property (Momani, 2010).
The proactive strategies required from senior management for effective implementation
of BCP involve preparation to prevent, avoid, minimize, and mitigate losses throughout
general or specific risk insurance coverage once specific risks are identified after business
minimize movements which could cause destruction or death or injury for workers and
Other recommended mitigating measures from the study (Momani, 2010) include
installation of proactive and protection measures such as smoke detectors and fire
extinguisher against fire hazards; securing items that could be carried away by tornado
52
reducing or eliminating the use and the storage of environmentally hazardous materials
(Momani, 2010). Additional recommendations from the study included emphasis for
management to provide easy access to disaster plan or BCP, undertake frequent drills and
plan procedures, and train employees in safety procedures that will help them avoid
community livelihood and habitation that include humanity during disasters through an
enabled environment to provide products and services as well as health and job
performance of the people (Karim, 2011). Disaster occurrences often affect the habitat of
communities that include the confidence, personalization, family life, and people
strategic management, business risk analysis, BCP resources, training and awareness, and
improve from any type of disaster or disruptive event that may cause deficit in business
ownership in consequences arising from disaster events is more demanding with the ideas
53
of globalization, where managers could be held personally responsible for a business
deficiency if they did not adopt right actions on right time to avoid this type of loss
(Karim, 2011).
environment to a global business environment (Hall, Skipper, Hazen, & Hanna, 2012).
The expansion of communication media and Internet accessibility, combined with the
globalization of the world economy, bring the impact of what once might have been
considered a local, isolated event into the purview of businesses and living rooms
operating environment. Continuous planning for disruptive events evolves from a tactical,
on-site reaction to strategic preparedness and readiness for organizations with inter-
and increase organization's ability to react to disruptions with minimum impact (Hall et
al., 2012). Effective plans enables management to react more quickly to problems and to
respond more appropriately to the situation than organizations without such plans,
54
implementing integrated contingency procedures to handle unexpected events and
organizational belief that, by working together, outcomes are more effective and
acceptable to all parties (Hall et al., 2012). The cooperation among employees and
cooperative attitude that ensures all management components are focused on the same, or
very similar, process outcomes (Hall et al., 2012). The compatibility of multiple
that jointly achieves mutual BCP goals. The support from senior management facilitates a
cooperative behavior from other parties involved in the contingency planning and
provides a foundation for the development of mutual goals for the achievement of
integrated planning activities and plays an important role in enforcing planning efforts
throughout the organization, where all parties work closely together to create mutually
beneficial outcomes for the business (Hall et al., 2012). Collaboration between
that include joint knowledge creation, expertise sharing, and understanding of the other
party's intentions and strategic approaches (Hall et al., 2012). The collaborative activities
55
throughout the organization include exchanging BCP related information such as risk
requires a mechanism for transfer of knowledge among planning partners (Hall et al.,
business relationship, resulting in effective contingency planning and BCP (Hall et al.,
2012).
communities because most small businesses were found or descended from founders that
have local involvement in the day-to-day business and community activities (Ibrahim,
Angelidis & Parsa, 2008). BCP creates interchangeable influence of business and
that surround businesses with BCP. Clive (2010), in a study on disasters related to
climate change, observed that significant number of public sector authorities who lacked
56
integrated disaster management plans nor had business continuity plans necessary to
assess risks and develop strategies that mitigated the effects of natural disasters and
severe weather events. Disasters continue to threaten both organizations and human life
worldwide, a trend observed to escalate since 2008 when the number of reported natural
disasters was 326 worldwide, with some 235,736 people reported killed, at a cost of US$
181 billion (Clive, 2010). Severe economic effects, as opposed to the threat to life, of
major disasters are more often felt within developed countries principally because of
regions, mainly disasters related to natural events that cover climate-caused disasters,
hydrological disasters and geographical events (Clive, 2010). Geographical events are
mostly caused by earthquakes, but also include mass earth movements and rock fall,
climate change, with two main categories of hydrological and meteorological disasters
accounting for over 80 percent of the top ten largest disasters in the past decade (Clive,
2010).
incidences that would result in disruption to the business due to lack of clarity in
assessing critical activities by management teams from different departments and failure
to use business continuity management determine the criticality of the service in a given
disruptive scenario (Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012). Failure to implement
a crisis management plan as a business continuity best practice lead to the inability by
57
disaster recovery processes, and lack of data security with regards to the use of personal
devices to access organization’s network during disruptive events (Heng et al., 2012).
Summary
the extent to which the organization has established an embedded BCP. The success of a
sustained BCP is rooted in the organizational management culture that includes business
best processes, policy, procedures, and practices. The long-term impact of natural
disasters on business units could adversely affect wider-corporate tenets with profound
climate change.
of practices that promote BCP. Corporate Reputation (CR) is illustrated in the literature
evolves into an important asset for organizations that inject continuity through effective
preventing a crisis does not necessarily guarantee an assurance against disruptive event
58
nor does it produce a successful crisis response during a disruptive disaster. The literature
reviewed affirmed that a successful BCP is built on a business contingency process that is
intertwined with the business vision, strategy, business objectives and business plan in an
organizational perspective model that defines the ability of an organization to continue its
operations in case of disruptive events. Some robust pre-crises contingency plans fail to
effectively respond to disasters, except the contingency plans developed for specific
disasters can effectively protect, rescue and restore critical business services.
The literature reviewed raised fundamental concerns and calls for further research
in processes, methods, and policies that would bolster interest in small businesses to
prioritize BCP in the corporate vision and mission commitments. A BCP should be fully
integrated across the organization and incorporate major departments that include
finance, information technology, human resources, and property asset plans. It is not
sufficient to just plan for disaster events but that the BCP must be communicated widely
59
Chapter 3: Research Method
The purpose of this qualitative, exploratory embedded multiple case study was to
explore strategic business continuity planning methods for small businesses in the state of
Maryland as perceived by senior managers, the unit analysis of the study in each selected
small business. This proposed study focused on data collection through interviews of
a BCP to mitigate risks that threaten business continuity and sustainability within
business critical units. As a best practice methodology, BCP was applied as perceived by
The use of qualitative analysis allows the researcher to compare findings of each
case study and directly compare to the ultimate outcome as represented by research
questions (Onwuegbuzie & Leech, 2009). The subject matter expert (SME) in BCP on
researcher interview skills before and after data collection. The review of research
procedures as well as the assessment of responses from the six participants, and the
analysis of interview findings ensured validity and verifiability of the proposed study
design was appropriate for the proposed study on business continuity planning because
the research questions focused on the business events within small business firms and
60
examined business functions, individuals involved, or entities (Zikmund, Babin, Carr, &
Griffin, 2010). Multiple case studies enable the accumulation of knowledge across
compounded subject matter and complexities for practitioners, policy makers, and
researchers to draw a conclusion about a phenomenon (Kelly & Yin, 2007). Multiple case
studies allow the researcher to understand the how and the why of contemporary events,
problems, and situations in ways that do not require control over the events or problems
prevent situations that are beyond human control. The implementation of BCP improves
the perception of the manager’s real workplace preparedness and provides deliberate
awareness of how to react during real events that disrupt business operations.
Research design. The case study research approach on BCP utilized a semi-
structured interview format to collect data from participants recruited from mailing list
for a site permission. The potential participants received recruitment fliers directly from
the researcher. Semi-structure interview allows for standardized questions that enable
detailed data analysis and interpretations of relevant data to understand strategic business
continuity plan (BCP) implementation by the small businesses with BCP and without
BCP in the state of Maryland. A case study research examines the interview questions,
propositions, units of analysis, logic linking of data to the propositions, and criteria for
interpreting the findings (Yin, 2013). The purpose of the interview was to explore the
61
perception of senior managers of small businesses on BCP. The interview aimed at
lack of preparation required for preventing disasters that would disrupt normal continuity
Ethnography was not appropriate research method for this study because the
2010). In comparison with multiple case study, design-based research method (DBR) was
not appropriate as well because DBR aimed to generate more usable knowledge for
principles and theories (Luo, 2011). In addition, DBR was not appropriate for a BCP
study because the target data could be sourced from a collaboration of researchers,
contrary to multiple-case study where data can be collected directly from managers and
Grounded theory involves the discovery of theory from data in which the
researcher seeks to create a theory about issues of importance in people's lives and
specifically focuses on human interaction or aims to explore new territory emerging from
empirical data rather than from inferences or existing theories (Tan, 2010). Grounded
theory was not appropriate in this research study because examining BCP implementation
for small businesses in Maryland was not an exploration of new territory from empirical
data nor was the research designed to generate theory from systematic collection and
analytic procedures that are grounded on empirical reality. The study on BCP did not
62
entail memo writing for the formulation and revision of theory throughout the research
Population
organizations in the state of Maryland and included the following: America’s Small
business that employs less than 50 persons in its wholesale operations; has gross sales
that is not exceeding an average of $2,000,000 in its most recently completed three fiscal
years; and, if the business is a retail operations merchant, it must employ less than 25
persons (State of Maryland Small Business Reserve Program, 2012). Small businesses
involved in manufacturing must employ less than 100 persons in its manufacturing
division, while the services division of the same business must employ at least 100
businesses engaged in construction industry with less than 50 employees and whose gross
sales average is less than $7,000,000 in its most recently completed three fiscal years,
qualify for small business status (State of Maryland Small Business Reserve Program,
2012). The managers from the small businesses that met the small businesses criteria
63
Sample Process
Purposive sampling method was conducted on senior managers from six selected
small businesses of different industries in Maryland that were members of one or more
business groups. The small businesses were recruited from various businesses of the
private sector. Maryland posts 19 major business industries from which small businesses
represent 21.05% of all the industries (Maryland Department of Business and Economic
Development, 2014). The justification of the sample size was founded on the principle of
drawing a limited number of small businesses’ industries from a larger pool of small
businesses within the typical range for a case study research (Kelly & Yin, 2007). A
letter, requesting managers to participate in the study interview was dispatched directly to
the potential participants who participate in the activities of a small business association
or network group (Appendix B). Where the membership of the small businesses with the
association/network group was requested through an email letter (Appendix A). The
Interview Preparation
thematizing the purpose of the interview and the description of topic concepts before the
start of the interview stated on the interview protocol (Appendix C). Interview protocol
allowed the researcher to formulate, structure, probe, and sequence the interview (Harrell
& Bradley, 2009). The recruitment of the senior managers of small business companies
64
America’s Small Business Development Centers, Baltimore County Chamber of
have profound knowledge and experience in the field of the study (Harrell & Bradley,
2009).
The senior managers were briefed of the purpose of the study and the guidelines
knowledge, and skills on the preparation or lack of preparation required for preventing
disasters that would disrupt normal business operations. The interview was framed by a
briefing before the start of the interview (Appendix D). The explanation of research
senior manager of selected small businesses. The analysis of the responses from the
interviewees provided the basis of the prevailing perceptions of BCP among managers of
the small businesses. The interview responses enabled the researcher to gather insights
into how the interviewees viewed the future direction of the organization, while
disclosing their own mirror of reality as well as their vision of the future relevant to the
65
Data Collection, Processing, and Analysis
Data collection. The data collection was based on a selection of six small
businesses from diverse industries that included but not limited to transportation,
electrical services, banking, commercial cleaning services, film, and photography. The
distinct businesses selected in this study were the major leading industries that maximize
Business & Economic Development, 2014). Data collection commenced with formal
Internal Review Board (NCU IRB). Senior managers of small business companies were
asked to participate in the study (Appendix A). The interviewing stage focused on the
senior managers of six selected small businesses. The participant senior managers had
responsibilities or duties that directly affect daily business operations such as finance,
responsible for decisions that affect service delivery processes. Once the interview
request was granted, interview questions were emailed to the research participant. The
confidentiality and the anonymity of the participants was maintained in two forms. First,
the names of the companies were coded with abbreviation of their company names.
Secondly, email communication was dispatched using NCU’s email portal, which is
formulated on the interview protocol for the exploratory embedded multiple case study
(Appendix C). The next step entailed the processing of the collected data.
66
Data processing. Semi-structured interview design provided the conversational
interaction through appropriate medium, which Kvale and Brinkmann (2009) explained
as necessary in order for the interviewee and interviewer to learn about their experiences,
feelings, attitudes, and the world they live. Data analysis process entailed using codes to
reorganize the disassembled fragments of data into different groupings and sequences by
arraying the data in tabular forms (Yin, 2011). The collected data was disassembled,
stating whether the company has implemented BCP or not, then respective company’s
participating manager, manager’s role and responsibility, and the data collected from that
company.
Data analysis. The analysis of the responses from the interviewees provided the
basis of the prevailing perceptions of BCP among managers of the small businesses. The
of BCP within small businesses category (Kelly & Yin, 2007). Data analysis involved the
findings (Kvale & Brinkmann, 2009). The BCPs that have been developed and
implemented by the selected organizations were discussed during the interview and
analyzed in order to determine how the BCP was incorporated into the overall
organizational best practices. The collected data was analyzed in order to establish
thematic patterns on levels of proactive and mitigating measures that guided management
The breakdown step of coding the data entailed the labeling and the assigning of a
code representing the core topic of each category of data after removing case
67
organization’s identity from the interview responses. An open coding approach was used
to break down the collected data into segmented but discrete parts, closely examined, and
compared for similarities and differences among small businesses of different industries.
Open coding was conducted by analyzing the texts and distinguishing different themes
and concepts found in the data. The segmented data collected from the senior managers
of all the six small businesses was regrouped based on their relevant content into
categories of perceptions from the managers of small business with BCP and from the
managers of small businesses without BCP. Finally, selective coding was conducted by
making logical connections between the core categories in order to state the final findings
of the interviews. The discrete parts of data included backup servers; records and
information management plan; functional areas that support business processes and
documents and status of physical facility safety (Omar, Alijani, & Mason, 2011).
The computer assisted application tools and tables, such as Excel and Microsoft
Word, captured a variety of expanded data and enabled flexibility to change data analysis
and presentation during the course of data collection in efforts to achieve lower errors and
costs (Axinn, Link, & Groves, 2011). Software applications such as NVivo enable the use
of systematic coding of data and facilitate the ability to collect, organize, and analyze
these varied data types, including the importation of data noted in other applications such
as Microsoft Word, Portable Document Format, and Excel. Almost any form of audio,
photo, and video files could be imported along with Excel spreadsheets and Access
68
The ethics concerns about anonymity and confidentiality were omitted while data
coding was performed to identify information for data analysis; transcribe oral speech to
written text if applicable; and for comparison of findings between the small businesses
using comparative analysis method (Wahyuni, 2012). Data was stored in a safe system
that enabled easy retrieval for various data formats of collected data and complied with
ethics requirements for conducting field research such as the use of locked filing cabinets
for hard copies and password-protected computer systems for electronic copies.
The accuracy and validity of the data collected was verified through the
credibility method of data triangulation, which is concerned with whether the study
actually measures or tests what is intended (Wahyuni, 2012). The interpretation of the
data involved reassembling of data and checking for completeness, fairness, and accuracy
by having participants review interim results of the research (Yin, 2011). The interim
results were emailed to the research participants as an array of validating the consistency
of data as well as identify other perspectives on BCP which may have been overlooked in
Assumptions
The assumption made was that qualitative multiple case study was the most
appropriate choice of this study. A qualitative multiple case study produces a logical
sequence that relate the research data to the study’s research questions, and ultimately to
the conclusion (Yin, 2013). The utilization of data analysis software deduces technical
presumption of the accuracy of the data output (Harrell & Bradley, 2009). The results
from interviews conducted were analyzed using thematic analysis technique, where the
accuracy of the data analysis was partially based on the assumption that thematic patterns
69
provided the most accurate and optimum data analysis. A reconfirmation of emerging
themes on the results provided assurance of the results from the data analysis.
In order to mitigate any bias against case study research, utilization of techniques
such as data triangulation process was applied, which entailed the precision of
companies and managers and the research questions covered for each manager. Complete
documentation included checklist procedure assuring that all appendices were covered.
Secondly, all interview responses from all managers were cross-checked the research
to identify and correct potential obstacles to the validity and explanation of the findings
(Yin, 2013). Thirdly, the responses from all the managers were compared using thematic
which provided validity of the commonly shared perceptions of BCP among the
participants provide the same response to the same question (Guion, Diehl, & McDonald,
2012).
Limitations
include low participation turnout which could result in inadequate representation of total
population of the study (Keller, 2008). Low participation was resolved by improvising
face-to-face approach with telephonic or email interviews. There were no response that
was incomplete nor lacked detailed information to limit the success of the interview.
70
Rescheduling for secondary interview with participant was not required because there
was no limitation to mitigate. Each participant was provided with a copy of respective
Delimitations
The delimitations of the interview design in the study included the possibility that
the measures instituted for BCP would vary from one disaster type to another across the
winter storms, snowstorms, hurricanes, and other threatening natural disasters annually
across some counties. The six companies that participated in the study were not selected
based on specific geographical criteria because disasters would strike at any location
The cost associated with the implementation BCP was a delimitation that cannot
be estimated uniformly across all the companies in the study because of the variation in
(Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012). Small business managers fail to develop
and implement BCP due to low priority or lack of budget for up-front costs for BCP and
the possibility of little to no-return on BCP investment (Duncan, Yeager, Rucks, &
Ginter, 2010).
Ethical Assurances
The research study commenced upon the approval of the research by the
In compliance with ethical assurance, the participant managers from the six selected
small businesses provided voluntary consent to participate in the interview (Appendix D).
71
The participants were informed of the interview process, role of researcher, how the
interview data would be used, and their basic rights, including withdrawal of consent at
any time or refusal to answer any questions (Qu &Dumay, 2011). The interviewees had
full participation in the study, understood the interview instructions, comprehended the
interview questions, and that the interview responses were monitored, and progress
recorded throughout the study (Drost, 2011). The interviewees were provided with a
consent form which was signed off by both the participant and the researcher. The
Summary
small businesses in the state of Maryland that was necessary as a best practice to resolve
natural and manmade disasters. Such disasters would disrupt continuity of business
of data and information related to business continuity planning from small enterprises in
Maryland entailed descriptive and contextual analysis that examined the implementation
of BCP or lack of it, and the critical importance to sustain business operations during
disasters. Research questions were utilized in the exploratory multi case study that target
arise from BCP experiences collected from research participants. Small businesses in the
72
state of Maryland require a corporate culture of preparedness that includes fiduciary
industries that included but not limited to transportation, banking, consulting, technology,
health, education, and utilities industries. I examined small businesses that have fully
73
Chapter 4: Findings
The purpose of this exploratory embedded multiple case study was to explore
strategic business continuity planning methods for small businesses in the state of
Maryland as perceived by senior managers, the unit analysis of the study. Maryland state
forms a significant part of the Washington District of Columbia (DC) transportation and
The chapter on results consists of the data collection and analysis used to evaluate
the 10 research questions discussed in Chapter 3. The results of this qualitative case study
affirmed the perceptions held by managers and business owners of small businesses in
Maryland state on business continuity planning (BCP). The findings of the study will
present the research questions and interview themes. The findings include the perceptions
of the senior managers on BCP and the sub-themes that include the mechanisms
developed to prevent minor or major disasters that may disrupt business operations. The
replication of interview responses from six business owners and managers provided
confirmability for the study (Yin, 2013). The evaluation section of the findings of this
chapter facilitates the interpretation of the results and analysis of the BCP conceptions
relayed by small business owners and managers during the interview. The conclusion of
established and maintained by the physical meetings with each of the participants, and
subsequently reviewing their responses individually. Each participant was provided with
74
a copy of his or her respective responses for confirmation. The collection, integration,
and presentation of data from different sources and respondents affirmed the credibility
and trustworthiness of data (Yin, 2013). Triangulation was achieved through multiple
data sources collected during the semi-structured interviews, which enabled the
Credibility was established through prolonged engagement with each participant when
2016). The themes to the research questions emanated from business owners that
owners on BCP as a strategic tool limited to preventing the loss of business continuity
operations in an event of a disaster (Yin, 2013). The limited amount of data collected
replicable responses with unique codes, and storing collected data in a secured database
(Anney, 2014). The consistency in all responses on the importance of BCP to the
and confirmability of the research results (Moon et al., 2016). The de-identified codes of
respondents and data collection detail were collected and will be made available, upon
request, for verification of findings and future research (Moon et al., 2016).
75
Results
The macro level research questions for the study focused on the significance of
BCP to small businesses in the state of Maryland. The investigation under study was
BCP. Six research questions were utilized to probe the perceptions of the senior
managers.
Research questions. The purpose of the multiple case study was to explore the
strategic business continuity planning methods for small businesses in the state of
strategy for establishing resilience and prevention against business crises (Kronis &
Ponis, 2012). The research questions explored the perceptions of BCP by business
owners or managers selected from various sectors of businesses. The research relied on
six participants who composed of four business owners and two managers. A semi-
research questions (Harrell & Bradley, 2009). The interview protocol (Appendix C)
entailed: (a) the opening introduction and invitation to the participant to discuss
responsibility roles at the business; (b) the opportunity to the participant to discuss any
internal threats to the business; and (c) the opportunity to discuss any external threats.
Table 1 shows the demographic profiles of the six participants that were
76
Table 1
Held Operations
EB Owner Photography
Table 1 illustrates that four out of six participants or 66.67% were business
organizations.
Q1. How is strategic Business Continuity Planning (BCP) perceived by the senior
Q2. How do senior managers of small businesses with BCP perceive that Business
Continuity Planning (BCP) provides value to the small businesses operating in the state
Q3. How do senior managers of small businesses perceive managerial responsibility for
77
Q4. How does small businesses’ management in Maryland perceive risk management
Q5. Why do senior managers of small businesses in Maryland with BCP perceive that
critical success factors for business operations are important to achieving a sustainable
BCP?
Q6. Why do senior managers of small businesses in Maryland without BCP perceive that
critical success factors for business operations can be achieved without a sustainable
BCP?
The research questions are restated below, along with responses of participants
about perceptions of BCP. The results of the study are collated by restated interview
Maryland?
The question sought to establish the overall holistic view of BCP by the
management leadership within their organizations. Table 2 illustrates the themes and sub-
themes generated because of analysis of coding the responses to question 1, which were
businesses: (a) essential element of daily business operations, (b) protection of data
privacy for stakeholders and customers, and (c) assurance of data integrity to
78
management. The sub-themes explain the perception by specific participant or
Table 2
Themes Strategy
element of daily business operations. The theme emerged from the perception of BCP as
79
management to embrace the strategy of implementing instant back-up of live data across
long term plan. Management is constantly evaluating back up plans for every
Vendors are also required to provide information about their BCPs to ensure safe
operations.
backup management, perform periodic databases restoration testing, and keep knowledge
and know-how on database as well as operating systems backup and recovery tools up to
date (Akhta et al., 2012). The perceived importance of BCP resulted in management’s
initiatives to set up off-site servers or cloud technologies that minimized risks during
server off-site as well as 2-sets of data drivers, one onsite and another at personal storage
access data at ease, rapid elasticity of storage capabilities, and dynamic scalability that
enables instant demand for data or information (Mao & Humphrey, 2016).
Education was supported by statements by EK that business planning “involves all the
80
We have to align our plans with Department of Education schedules”. The phenomenon
regulators required that the business managers must align the internal security systems
with the oversight external big data systems, by relaxing data minimization and consent
The analysis of responses to question 1 also yielded theme 3 (T3), which was a
perceived assurance of data integrity and resilience as supported by response from MS:
Programs Division (NPPD). I conduct exercises and workshops for all 16 critical
Data integrity strategy require that the processing, preserving, and sharing of data
involve establishing and adopting common standards best practices (Vallance, Freeman,
& Stewart, 2016). Participants had taken initiatives that included creating awareness of
81
Results: Research question 2. How do senior managers of small businesses with
BCP perceive that Business Continuity Planning (BCP) provides value to the small
three themes, with four respondents or 66.67% (DE, EB, MS, and SP) affirming they had
implemented BCP while two or 33.37% respondents (EK and HD) had partially
managers that BCP (a) increased growth in business operations, (b) created trust and
confidence from customers and partners, and (c) enabled adaptability to new technologies
even the two businesses that had partially implemented BCP. Table 3 illustrates the
82
Table 3
Themes Associated with the Perceived Values Arising from implemented BCP
enabler arising from the assurance that running of business operations is secured from
disruptive events. The response from DE, a senior manager in the banking industry
83
Most clients don't realize that the bank makes substantial investments into BCP,
yet in an emergency they expect to be able to process transactions and have access
to cash. Therefore, the value of a well-designed and reliable BCP cannot be under
would have severe negative consequences for the institution for a very long time.
The implementation of BCP by the bank ensured that the customers would be able
disaster.
resulting from the perception of trust and confidence in BCP (Theme 5). The respondent
EK, who operated school children transportation system, was a custodian of personal
records that contained the private data of children and parents, stating,
children that should be secured at all times. Commutations applications are also
that is adaptable to emerging technologies. MS stated that “BCP [is] a living document of
BCP are optimized through scalable environment that allows easy access to data in usable
84
formats, creative powers, and transparency on data for new innovative uses (Tene &
Polonetsky, 2013).
(EK and HD) that had partially implemented BCP. The second part of the research
while strengthening research validity. The theme (t7) exhibited the importance of BCP in
providing an enabled and secured environment for business data and information even
when it was partially implemented. HD stated that despite being partially implemented,
BCP “…is critical for safeguarding business documents and customer information”. The
BCP is a must. Organizations who do not build and shape a BCP may find
themselves victim to events and situations that could either be avoided or could
significant BCP responsibilities of the business owners and senior managers of small
businesses in Maryland, necessary to establish and maintain sustainable BCP, namely (t8)
85
continuous evaluation of risks and threats to business operations, (t9) guarantee safety of
Table 4
Themes Responsibility
systems
Theme 8 (t8) on continuous evaluation of risks and threats associated to BCP was
supported by responses from DE and MS, which represented two of the six participants
prevent loss of business during disruptive events (t8.1). DE emphatically stated that:
86
As an advocate for the client, I am constantly looking for anomalies in daily
etc., that could potentially be a threat. Threats are also evaluated during strategic
technology.
External systems to ensure optimum performance as well as identify and resolve potential
ensuring that BCP was running on optimum performance and safe from risks and threats.
MS stated that “it is my responsibility and duty to build a business continuity plan and to
shape it to fit my organization. I perceive this as very important and the core of
preparedness”.
business systems in their organizations was emphasized in all responses. The execution
of the theme was inherent in the responsibility of business owners and managers to make
decisions that ensure implementation of modern and safe systems across all units of
business operations (t9.1). Five out of six participants or 83.33% of the respondents
87
DE: As an advocate for the client, I am constantly looking for anomalies in daily
behavior.
HD: Outsource of services…. but decisions on pricing and services come from
our management.
shape it to fit my organization. I perceive this as very important and the core of
preparedness.
The process of decision making for any business operation is an inherent vital
aspect not only for the organization but also for individuals who make daily decisions
because the ultimate responsibility stops at them as owners or managers (Nowduri, 2013).
techniques for maximizing the benefits of BCP (t9.1). DE and MS, representing 33.33%
of the participants, supported the theme through deliberate initiatives within their
businesses that ensured that deliberate plans to test BCP were embedded in the holistic
BCP must be tested routinely to ensure the plan can be put into action in the time
frames required. The results of the tests must be reviewed to identify weak
88
processes within the plan and make improvements. It is also critical to have
service level agreements with key vendors and have them provide test results that
demonstrate their BCP can be executed in concert with the bank. In some cases,
affect systems running time and performance metrics (Muslu, Brun & Meliou, 2013). The
BCP testing architecture could be designed to allow users and programs to interact with
and make changes to the system that are non-intrusive while executing queries to identify
The theme (t10) was also supported by MS, emphasizing that “I would maximize
the BCP by testing and exercising our procedures, operations, and resiliency. I would
continue shaping the BCP to touch all aspects of my company’s continuity.” Continuous
training of personnel ensured that BCP administrators and planners were informed of
emerging changes in technology as well as new initiatives and innovations that affect
The perception of risk by the six senior managers crystalized into two themes,
(t11) perception of risk management as crucial component of BCP, and (t12) perception
89
Risk management plan compliments BCP as a daily management function
management meeting or exceeding business goals. DE stated that risk management was
The bank has an enterprise wide risk management plan of which disaster
insignificant part of the risk management plan, disaster recovery is just one
and improved.
BCP enables execution of risk management plan that allows business operations
(Dushie, 2014).
Theme t11 was also supported by MS, who stated that risk management
I perceive risk management at the top of the pyramid for the continuity of my
company. Taking a look at the risks that a business has can help you shape your
Theme t12 – perception of risk management as important but low due to BCP
implementation
Four out of six or 66.67% of respondents to question four believed that BCP had
reduced management risks and threats in their business operations, and therefore,
90
perceived risk management as a low priority in their business objectives. The low-priority
offsite.
Maryland with BCP perceive that critical success factors for business operations are
Responses to research question five generated two themes that associated the
drivers of critical success factors of daily business operations with the benefits of BCP
for small businesses in the state of Maryland. The integrated themes are illustrated on
Table 5, namely (t13) effective business operations, and (t14) secured systems security.
91
Table 5
critical success factors that include prompt delivery of services, transactions accuracy,
management confidence, and profitability growth (t13.1). DE from the banking industry
stated that:
DE: As explained above, the bank manages thousands of processes each day to
ensure client transactions are processed promptly and that security protocols are
followed to protect data and assets. While complex and poorly understood by
consumers, these processes are essential to the community and broader economy.
sustainability. Even in volatile or even disastrous times, the bank must be able to
92
perform these functions at a reasonable level or face a failure in confidence
BCP. Three out of six participants or 50% expressed confidence in the effectiveness of
their systems security secured by BCP, which led the reliability of data (t14.1) and
We have secured backup of data, and reports are generated monthly for our
On critical success factors related to data retrieval and recovery (t14.2), MS believed that
BCP had been an enabler for efficiency in business operations. MS stated “BCP can
allow for a smoother recovery from events and situations that would normally be
devastating to your business”. Similar response was echoed by SP who stated that BCP
had improved critical success factors in business operations related to “…customer data,
Tracker Program, proposals, or contracts. All costs are [efficiently] captured in overall
business costs”.
93
Results: Research question 6. Why do senior managers of small businesses in
Maryland without BCP perceive that critical success factors for business operations
who had not implemented BCP, generating two themes: t(15) and t(16). The responses
from HD and EK were in line with the question framework because they had not fully
implemented BCP.
and frequent backups provided by professional server services that include off-site data
operations”.
businesses without fully implemented BCP in the state of Maryland without, and
technology service providers for offsite data-backup, secured services and information
effective and efficient collaboration requires homogenous systems that allow businesses
to communicate and transfer live data in real-time that include strategies and recovery
plans during disastrous events (Mische & Wilkerson, 2016). EK stated that without a
fully implemented BCP, the use of external BCP providers for instant communication
94
with parents, transportation drivers, and after-school activities’ providers was critical. EK
Evaluation of Findings
The six research questions provide the framework for investigations, data
collection, and analysis of the research findings. The results from the multiple case study
research affirm the outcome of the examined interview questions, propositions, units of
analysis, logic linking of data to the propositions, and criteria for interpreting the findings
(Yin, 2003). The purpose of the interview was to explore the perception of business
owners or senior managers of small businesses in the state of Maryland on BCP, where
four business owners and two senior managers were interviewed and responded to the
investigation.
The findings affirmed the theoretical and conceptual framework grounded on the
perception that BCP increases value in service delivery and provides disaster recovery
contingencies that abort business continuity (Low, Liu, & Kumaraswamy, 2010). The
organizational BCP framework entailed internal factors that include business processes,
business infrastructure, resources, and people that are essential for the effective
management of the small businesses to build organizational resilience with the capability
stakeholders, reputation, product brand, and value-creating activities (Heng, Hooi, Liang,
95
The findings established that senior management recognize and embrace the
benefits of BCP, contradicted existing literature that corporate management provide low
importance of BCP (Venclova, Urbancova, & Vydrova, 2013). Study by Dushie (2014)
that business managers fail to plan for disasters because of inadequate information, cost,
apathy, and low priority contrasted with the findings in this study. All the mangers I
interviewed, including the managers who had partially implemented BCP, pragmatically
The de-identification coding and theming of data collected from the business
owners and senior managers of six businesses resulted in the development of themes
decision making responsibilities. The themes that revolved around perceived BCP
strategies and critical success factors emerged from research questions one and five: (a)
essential tool or element of daily business operations and service delivery, (b) data
integrity assurance, and (c) routine review of BCP performance. The themes related to
secured systems resulted from research questions one, two, three, and six, include (a)
sustainable BCP emerged from research question three with themes that illustrate the
impact of influence by the business owners and senior managers in implementing and
96
evaluation of risks and threats to business operations, (b) guaranteeing safety of business
systems, (c) continuous testing of BCP, (d) consistent training of personnel on BCP and
disaster awareness, and (e) scrupulous selection of qualified BCP providers in case of
service outsourcing.
of BCP. The results from research question two generated themes related to value-added
benefits to the business productivity, hence (a) perceived growth in business operations
processes, (b) perceived trust and confidence from customers and partners, and (c)
themes out of research question four, namely (a) perception of risk management as
important but low in impact by the businesses that had partially implemented BCP (EK
and HD).
The triangulation was achieved by cross-checking the interview findings from the
business owners and senior managers of businesses that had fully implemented BCP
(66.67%) with responses from those that had partially implemented (33.37%). The results
of the data and related analysis strongly supported the data contained in the literature
review as well as illuminated areas that are potential for future research study such as risk
management and evolving technological tools necessary to protect personal private data
97
Research question 1. How is strategic Business Continuity Planning (BCP)
The responses collected for research question one resulted in three themes: (a)
essential element of daily business operations, (b) protection of data privacy for
stakeholders and customers, and (c) assurance of data integrity to management. The first
theme can be observed in the data collected from senior manager in the banking sector
that utilized BCP as an essential tool for constantly evaluating back up plans for every
major system implementation and processes important for daily operations. The
respondent emphasized the significance of an efficient and effective backup and recovery
The second theme emerged from the significance of protecting personal private
data of customers and the business stakeholders as illustrated by data collected from
business owner engaged in school transportation system. The data showed a closely
shared interest between business owner, customers, and external service providers in
maintaining secured data. The third theme focused on providing sustainable assurance on
the integrity of business data. The data collected illustrated deliberate initiatives
undertaken by the respondents to carry out collaborative exercises and workshops with
customers and vendors necessary to create awareness of data integrity to employees and
98
Research question 2. How do senior managers of small businesses with BCP
perceive that Business Continuity Planning (BCP) provides value to the small
Responses to research question two crystalized into four themes: (a) increased
growth in business operations, (b) created trust and confidence from customers and
partners, (c) enabled adaptability to new technologies even for the two businesses that
had partially implemented BCP, and (d) safeguarding business data and information by
The first and second themes emerged from business owners that had implemented
BCP. The theme on the perception of increased business growth was supported by
observations from the data collected that showed the ability of management to focus on
businesses devoid of imminent threats. The collected data supported the theme in
provide reasonable level of service during disruptive events. The result of the second
theme supported the reliability on the safety of communication systems required to alert
or inform customers of threats or any adverse events such as inclement weather. The
focus on this theme was more predominant from to the business owner engaged in
The third theme on enabled adaptability to new technologies emerged from data
collected from business owners who had partially implemented BCP. Despite partial
implementation of a functional BCP, the data collected exhibited the influence of BCP on
99
managers of small businesses in Maryland to value a business environment that is
adaptable to emerging technologies. The fourth theme of safeguarding business data and
importance of BCP to small businesses without BCP in the state of Maryland. The
absence of an internally implemented BCP did not impede the management of small
businesses from acquiring BCP services from external technology providers. The
observation from the themes confirmed the perception that BCP provided procedures and
guidelines required to optimize easy access to data in usable formats, creative powers,
The themes that emerged from responses to research question three evolve
internal or outsourced systems, and (c) continuous testing of BCP and training of
personnel. The first theme is observed from responses collected that indicate
prevent loss of business during disruptive events. The responses from the business sector,
100
The second theme illustrated the responsibility of small business management in
the state of Maryland to guarantee safe and secured business systems. The resulting
theme is supported by data collected from five out of six participants or 83.33%, who
responded that it was the responsibility of business owners and managers to make
decisions that ensure implementation of modern and safe systems across all units of
business operations. The theme extends the emphasis of the responsibility beyond
services. The theme affirmed the management’s responsibility to make decisions that
guarantee systems safety when acquiring services from professional service providers
outsourced from outside the organization. The third theme supported the management’s
responsibility to continuously test BCP and train personnel on disaster awareness in order
management with opportunity to ensure that the employees are informed on modern and
The responses to question four crystalized into two themes, (a) perception of risk
important but low in impact as result of BCP implementation. The first theme focused on
the responses from four out of six respondents or 66.67% of the participants on the role
101
perception of risk management as a function that compliments BCP, necessary to provide
response from the banking sector participant predominantly illustrated risks inherent in
the bank’s ability to make business profits in money lending, investing, and operations.
The theme supported the perception of BCP as an enabler risk management plan that
operations.
a result of implemented BCP. The theme exhibits the management’s confidence through
the perception that BCP had reduced management risks and threats in their business
operations, and therefore, perceived risk management as a low priority in their business
Maryland with BCP perceive that critical success factors for business operations are
Responses to research question five generated two themes that associated the
drivers of critical success factors of daily business operations with the benefits of BCP
for small businesses in the state of Maryland, namely (a) effective business operations,
and (b) secured systems reliability. The first theme evolved from collected responses that
factor to effective and efficient business processes and practices of small businesses in
102
the state of Maryland. Four out of six responders with fully implemented BCP exhibited
services.
The second theme, secured systems reliability, emerged from responses collected
from three out of six participants or 50% of participants that expressed confidence in the
effectiveness and reliability of their systems security attributed to BCP. The results
sustained BCP is critical to achieving data reliability and effective data retrieval
processes and practices. The theme exhibited observation of management that BCP
success factors.
Maryland without BCP perceive that critical success factors for business operations
The theme that emerged from research question six affirmed the importance of
BCP in safeguarding data off-site using servers and frequent backups. The theme resulted
from data collected from two out of six or 33.33% of participants who had not fully
implemented BCP. Despite partial implementation of a functional BCP, the data collected
exhibited the influence of BCP’s benefits on business owners and senior managers of
small businesses in the state of Maryland without BCP to create a business environment
103
that guarantees the safety of personal data, business documents, business information and
The response from HD was in line with the question framework because they had
not fully implemented BCP. Despite the absence of a fully implemented BCP, senior
implemented BCP was critical in safeguarding business documents, customers’ data and
Summary
The purpose of this qualitative multiple case study was to explore strategic
business continuity planning methods for small businesses in the state of Maryland as
perceived by senior managers, the unit analysis of the study. The data collected from six
semi-structured interviews, composed of four business owners and two senior managers,
were analyzed via the de-identification of codes and themes. The responses to the study
resulted in themes, which evolved around six expanded categories of perceptions about
BCP by senior managers and business owners of small businesses in the state of
managerial responsibilities, risk management impact, and critical success factors. Three
themes emerged from research question one, four themes from research question two,
three themes generated by research question three, two themes from research question
four, two themes from research question five, and two themes emerging from research
question six. Fourteen themes emerged from responses collected from the management of
businesses that had implemented BCP, while two themes were generated by responses
104
The analysis of the findings enabled a comparative performance of findings from
managers and business owners who had fully implemented BCP and those who had
partially implemented BCP. Research questions six was designed to establish if there
were dissenting perceptions on BCP from participants who had not fully implemented
BCP, of which the findings affirmed that despite the absence of a fully implemented
stakeholders’ information was crucial. The findings support the theoretical and
BCP in preventing and resolving the impact of disruptions caused by disasters on the
105
Chapter 5: Implications, Recommendations, and Conclusions
Background
Human-made and natural disasters have implications for the survival of small
potential disaster impact (Duncan, Yeager, Rucks, & Ginter, 2010). Small businesses
encounter compounded risks from Human-made and natural disasters that are becoming
increasingly common in today’s world (Duncan, Yeager, Rucks, & Ginter, 2010).
barriers and challenges when prioritizing, developing, and implementing a BCP because
business risk analysis, training, and awareness, BCP documentation, and information life
cycle management (Karim, 2011). Brody (2012) stated that 44% of small businesses
operate without continuity business plans while 56% of business owners spend less than
minimize costs on BCP, small business management must develop scenario planning that
BCP, and facilitates opportunity to identify gaps while strategizing solutions in real-time
This study examined the perceptions of four business owners and two senior
managers of small businesses in the state of Maryland, selected from different industries
and were members of one or more business network groups. The case study research
106
approach on BCP utilized a semi-structured interview protocol to collect data from
questions (Appendix D). Thematic analysis technique was utilized to pinpoint, examine,
and record patterns across the sets of responses from research participants, resulting in
themes, which formed the basis for the narrative analysis of the responses to the research
questions.
The themes that predominantly emerged from businesses that had implemented
BCP addressed the perceptions on BCP strategies: (a) essential tool or element of daily
business operations, (b) data integrity assurance, and (c) routine review of BCP
performance. The themes related to secured systems were: (a) protection of personal
private data, and (b) acquisition of modern technologies. Themes that underscored BCP
techniques: (a) continuous testing of BCP, (b) consistent training of personnel, and (c)
deliberate collaboration with business partners and stakeholders. Themes that embodied
value-added benefits of BCP: (a) perceived growth in business operations processes, (b)
perceived trust and confidence from customers and partners, and (c) enabled adaptability
implementation, namely (a) protection or safeguarding of personal private data, and (b)
low priority of risk management result of BCP. The detail responses and extensive spread
107
of the ten research questions as well as the lack of substantial new codes and themes
This chapter will provide the limitations in the study prevalent in the context of
small businesses, implications of the study in relation to the research questions, and
recommendations made from the study. The results are compared to existing literature
and recommendations are made for the practice of BCP as well as for the future research
on this topic. Conclusions are presented based upon key points identified through the
Limitations
The limitations of the study included the focus of the investigation on small
businesses which maintained proper context of the study. A broader population entailing
larger businesses could have resulted in greater depth of the study and expanded analysis
across more industries. The limited participation was resolved by achieving saturation
order to mitigate researcher bias, while maintaining credibility, the researcher utilized
questions, and maintaining the chain of evidence that provided validity in reconstructing
the study (Yin, 2013). Validity adequately measured the trustworthiness of the interview
responses from participants by cross-checking the findings against the research questions.
The data analysis relied on item-response methodology to support or not support the
significance of BCP within small businesses category (Kelly & Yin, 2007).
The approval of the research study was obtained from Northcentral University’s
Institutional Review Board prior to any recruitment or data collection. The recruitment
108
data, signed consent forms, and data collection approach methodology were submitted to
the Institutional Review Board for review and approval. In addition, the informed consent
form required of each research participant prior to data collection (Appendix E),
identified the nature of study, the researcher, the anonymity assured to the participant, the
ability of the participant to withdraw from the study at will and at any time without
clear disclosure to the participants that their participation was voluntary and no
The implications section of this chapter focus on the relevance of the research
problem under study as well as address the purpose of the study. The implications section
addresses each research question and draws logical conclusions (Patton, 2002). The
responses of the 10 questions were examined and analyzed, resulting in themes that
emerged from each response. The recommendation section presents new views of the
data analysis and related perceptions that emerged from the evaluation of findings as well
as forms the basis for greater and future research on BCP. The conclusion section will
Implications
The responses to the study resulted in 16 themes, which evolved around six
expanded categories of perceptions about BCP by senior managers and business owners
of small businesses in the state of Maryland: (a) strategies, (b) secured systems, (c) value-
added enabler, (d) managerial responsibilities, (e) risk management impact, and (f)
critical success factors. Three themes emerged from research question one, four themes
109
from research question two, three themes generated by research question three, two
themes from research question four, two themes from research question five, and two
themes emerging from research question six. Fourteen themes emerged from responses
collected from the management of businesses that had implemented BCP, while two
themes were generated by responses from the management of businesses that had
managers and business owners who had fully implemented BCP and those who had
partially implemented BCP. Research question six was designed to establish if there were
any dissenting perceptions on BCP from participants who had not implemented or who
had partially implemented BCP. The analysis of the findings affirmed that despite partial
information.
urgency in the importance and value of BCP because of the business value inherent in
disaster readiness. The senior managers, as stated by the banking sector manager in this
study, perceived BCP as an essential tool for constantly evaluating back up plans for
every major system implementation and processing important for daily operations. The
110
processes of mitigating risks. The involvement of departmental management groups
standards for BCP best practices with all stakeholders throughout the organization
(Lindstrom et al., 2010). The senior managers in the study established efficient and
systems as crucial for protecting personal private data of customers and the business
stakeholders. The importance was more prevalent from the managers who operated the
on the significance of BCP showed a closely shared interest between small business
Developing a BCP disaster recovery plan entails establishing a remote, off-site center as a
best practice that will allow management to execute continuous operations during
BCP provides sustainable assurance on the integrity of business data. The data
collaborative exercises and workshops with customers and vendors necessary to create
catastrophes. The collaborative initiatives indicated the influence and consistency of BCP
as a crucial component of overall corporate planning necessary for the preparation of the
111
extraordinary threats, whether they are predicted or not, in order to protect employees,
2011).
perceive that Business Continuity Planning (BCP) provides value to the small
growth in business operations, created trust and confidence from customers and partners,
respondents, and rate of full resumption of business operations (Hong et al., 2012). A
to realize increased business growth because of management’s ability to focus on the core
of business operations devoid of imminent threats or risks. The confidence and trust
during disruptive events. The management of a small business should implement a BCP
112
Small businesses’ management, as indicated by senior manager of school
inform customers of threats or any adverse events such as inclement weather. The
engaged in providing direct personal services such as the school transportation systems,
electrical services, or the banking sector. Optimized value of BCP is realized when
communication media and Internet accessibility, combined with the globalization of the
world economy, bring the impact of what once might have been considered a local,
isolated event into the purview of businesses and living rooms everywhere (Hall et al.,
2012).
ultimate responsibility to own and drive the processes of BCP. The predominant
responsibilities of the small businesses’ senior managers in the study included continuous
evaluation of risks and threats to business operations, and making decisions that
guarantee business systems safety and security, whether internal BCP or outsourced BCP
understand the critical processes required for prompt supply of goods and services to
customers; focus on generating income for the business; and maintain sustainable
113
employment and corporate social responsibilities (Douglas, 2009). The accountability for
management to execute the best practices for effective BCP best practices requires that
management should consider strategies and options available throughout the organization
to mitigate identified risks to the business such as increasing the amount of insurance to
transfer the risk; improving the structure of the building to withstand severe weather; and
initiatives and measures against business disruptions by prioritizing the safety of internal
and external business systems, resulting in perceived guarantee of secured data and
information to customers, vendors, and business partners. Predominantly in the study, the
system, and the cleaning solutions business exhibited initiatives intended to extend
systems to external systems in order to ensure systems security. The development and
implementation of BCP for business best processes and practices involve the internal and
external customer’s view on how the organizational business operations have been
implemented and when such operations were implemented (Payam et al., 2009).
The responsibility of business owners and managers to make decisions that ensure
implementation of modern and safe systems across all units of business operations is
the small businesses that have not fully implemented BCP. Without a fully implemented
BCP, management still has the major decision making responsibility of ensuring that
quality, secured, and cost-effective services were procured from qualified professional
114
service providers outsourced from outside the organization. Implementation management
productive business operations across various business sectors. However, more emphasis
of the benefits of risk management planning in the study was exemplified by the
managers of the banking, photographic, electrical services, and cleaning solutions who
implied that BCP had reduced management risks and threats in their business operations.
The study affirmed that the implementation of BCP resulted in increased management’s
reduced at the same time. Management of small businesses must align risk management
initiatives and systems with corporate strategic objectives, resulting in sustainable BCP,
proactive disaster preparedness, and mitigation of business uncertainties, risks and threats
implemented by the managers of the small businesses that had partially implemented
BCP, namely the school transportation business and the electrical design firm. With
partial implementation of BCP, the senior managers perceived low risks on their business
115
realize reduced risks as the outcome of BCP related services procured from outside
services such as data backup and disaster recovery services. Procured technological
services, that include enterprise resource management services (ERM) allow management
to achieve business goals and deliver sustaining benefits through the integration of
business practices, processes, and technology required for disaster preparedness and
mitigation of major risks to business operations, processes, people, and physical assets
(Byrnes et al., 2012). The responses collected support the perception that the
incorporation of risk management plan in the overall execution of BCP provide the
interruptions.
Maryland with BCP perceive that critical success factors for business operations are
enhance the critical success factors for business operations. In the study, the banking,
success factors. Because of clear input of business decisions, small businesses realize
timely delivery of services, reliability of data security, and effective data retrieval
116
simulation, process mining, capacity management, and high-yielding production of
Effective, safe, and timely delivery of services is critical to the banking sector that
processed multiple transactions at any given time and was required to provide assurance
of trusted services to customers, other banks, and the Federal Reserve. The senior
manager interviewed from the banking sector recognized that without BCP, the bank
critical success factors for continuity of services across risk sectors, business units, and
market territories is paramount (Krizner, 2011). The bank management observed that
BCP enabled the critical function of instant retrieval of secured data, providing assurance
BCP enable customers of small businesses in the state of Maryland to access multiple
secured banking networks globally, retrieve accurate transactions and information, seek
instant customer services, and reinforce a positive perception of all services provided by
the bank.
BCP affected the success factors related to cleaning solutions business as well as
operational data backup systems that support business main functions and management
strategies for critical business units. BCP implementation create a greater impetus in
117
secured information as part of our business success. Lack of disaster preparedness affects
disrupted customer base, damaged reputational image, ineffective business processes, and
inefficient delivery of goods and services to customers (Bozman & Eastwood, 2011).
Maryland without BCP perceive that critical success factors for business operations
The study revealed that senior managers of small businesses in the state of
Maryland who have not implemented a fully operational BCP recognize and embrace the
impact of business benefits resulting from the minimal implementation of BCP processes.
Senior managers who have not fully implemented BCP rely on external technical service
and long-term initiatives are undertaken to prevent disaster interruptions and to safeguard
customer data as well as business documents and information. The response from the
electrical design firm, although without a fully implemented BCP, emphasized the
benefits of secured data and critical business documents realized from data backup
services provided by the procured professional services. Business best practices on BCP
management entail consistent collection and the storage of critical documents and
systems at backup servers in a secure off-site location (Omar, Alijani, & Mason, 2011).
measures, identify training, and organize functional areas that support business processes
and operations required to establish some level of disaster preparedness. The senior
118
managers who had partially implemented BCP recognized the functionality and
sourcing of BCP protective services from external service providers. Subsequently, the
creating a business environment that guaranteed the safety of personal data, business
documents, and business information assets. The findings contradicted existing literature
that businesses without BCP have a higher risk occurrences of major as well as minor
incidences that would result in disruption to the business operations due to lack of clarity
in assessing critical business activities (Heng, Hooi, Liang, Yap, Azizie, & Tze, 2012).
Recommendations
The review and explication of the study data and conclusions let to
measures for BCP necessary to resolve problems of disasters that disrupt continuity of
business services, while minimizing downtime, increasing response time, and deploying
gathered from managers and owners of small businesses on strategic BCP methods for
initiatives and systems with corporate strategic objectives, resulting in sustainable BCP,
proactive disaster preparedness, and mitigation of business uncertainties, risks and threats
119
Recommendations for Practice
planning (BCP) fall within three areas: (a) mandatory requirement for small businesses to
implement and comply with the universal ubiquitous uniform standards of BCP by
and strategies among trading businesses, customers, vendors, partners, and other business
International Organization for Standardization (ISO). Despite the global adoption of ISO
information across multiple systems because smallest businesses find it harder to adopt
With the exception of the banking sector, which had regulated procedures and
processes, the collaboration of businesses on BCP observed in this study relied mostly on
the trust inculcated over time in the business systems operated by respective trading
120
business partners, rather than compliance to standardized protocols. A seamless and
universal reliability and trust in the effectiveness of BCP managed by other organizations
can only be realized when businesses are mandated to comply to ubiquitous standards on
BCP, nationally as well as globally, which in turn could facilitate effective deployment of
interruptions across multiple systems. This study recommends that small businesses be
mandated to comply with ISO standards on BCP in order to establish impeccable trust
from large-scale natural disasters and acts of terror to technology-related accidents and
environmental incidents.
BCP, which increases the level of risk during disruptive events that have higher
probability of damage to business operations (Duncan et al., 2010). In the study, the
effectiveness and efficiency of BCP among the organizations that had fully implemented
BCP entailed consistent, systematic, and continuous training on BCP programs across
new knowledge, skills, rules, best practices concepts, or attitudes that result in improved
management to execute the best practices for effective BCP best practices requires that
management should consider strategies and options available throughout the organization
121
to mitigate identified risks to the business such as increasing the amount of insurance to
transfer the risk; improving the structure of the building to withstand severe weather; and
BCP and embracing sophisticated, modern technologies that enable the implementation
In most instances, small business managers fail to develop and implement BCP
due to low priority or lack of budget for up-front costs for BCP, the possibility of little to
no-return on BCP investment, and prioritization of imminent short-term issues within the
organization (Duncan, Yeager, Rucks, & Ginter, 2010). The managers from the banking
sector, photographic firm, transportation systems, the cleaning solutions, and the electric
services firm emphasized the importance of the imperative need to acquire modern
technologies necessary to allow effective data storage equipment, off-site servers, and
data recovery tools for effective BCP. Corporate management should prioritize budgetary
competing factors that include budget allocation, strategic management, business risk
analysis, training, and awareness, BCP documentation, and information life cycle
122
Recommendations for Future Research
Future research could include: (a) improving recovery and restoration techniques
restoration techniques and technologies of BCP with the objective of seamless restoration
of business operations that are continuously challenged by eminent risks, threats, and
theft, terror activities, natural disasters, and new unknown system attacks. Businesses are
increasingly subject to disruptions that are unpredictable in their nature, time, and extent.
effective plans for both short-term such as business continuity plans, and long term
restoration plans that include disaster recovery plans and proactive continuity plans
against loss of corporate reputation, market share, customer service, business failures,
regulatory liability, and increased resuming and restoring times (Yan, Yuan, & Huang,
2015). The future study would employ both instant-combating techniques during the
affect both the frequency and nature of the backup as well as the recovery schemes and
the linkage with database transaction logging, hence such synchronization of system
123
processes and procedures require consideration when designing the recovery and
infrastructure during disasters by enabling loans and funding facilities through Small
Business Administration (FEMI, 2017). However, there is need for future research in
order to persuade FEMA to consider the mitigation of costs incurred by small businesses
when executing BCP during disaster events as a primary component of its initiatives,
such as acquisition of new servers, computer equipment, and data storage technologies.
Small businesses encounter barriers that delay the development and implementation of
BCP, including the corporate complacency that assumes low probability of disastrous
event, lack of budget for up-front costs for planning, possibility of little or no return on
BCP investment, and prioritization of imminent short-term issues within the organization
(Douglas, 2009).
businesses at state level. The participants of the study were members of various business
network groups yet they did not share a common professional consultative body that
would embody a think-tank group with shared mission on BCP, including evaluation of
framework of how small businesses can collaborate to achieve higher leverage of BCP.
124
external information sources and actors at all levels of the organization, outside agencies,
and the media (Veil & Husted, 2012). Collaboration among small businesses create a
Conclusion
The multiple case study was designed to explore the perception of business
owners or senior managers of small businesses in the state of Maryland on BCP. The
fully or partially implemented. The implications of the findings generated themes that
evolved around the BCP success factors, mainly strategies, secured systems, techniques,
value-added enablers, and risk management impact. The business with fully implemented
BCP employed in-house strategies while businesses with partially implemented BCP
requirement for small businesses to implement and to comply with the universal
125
improvement of recovery and restoration techniques and technologies of BCP,
continuity plans and post-disaster restoration plans may provide for sustainable reliance
126
References
Aggelinos, G. & Katsikas, S. (2011). Enhancing SSADM with disaster recovery plan
activities. Information Management & Computer Security, 19(4), 248-261.
doi:10.1108/09685221111173067
Akhta, A. N., Buchholtz, J., Ryan, M., & Setty, K. (2012). Database backup and recovery
best practices. ISACA. Retrieved from
https://www.isaca.org/Journal/archives/2012/Volume-1/Pages/Database-Backup-
and-Recovery-Best-Practices.aspx
Anney, V.N (2014). Ensuring the quality of the findings of qualitative research: Looking
at trustworthiness criteria. Journal of Emerging Trends in Educational Research
and Policy Studies, 5(2), 272-281. Retrieved from
https://pdfs.semanticscholar.org/1419/f7b54e6b7f1215717a5056e0709f8946745b.
pdf
Axinn, W. G., Link, C., & Groves, R. (2011). Responsive survey design, demographic
data collection, and models of demographic behavior. Population Association of
America, 48, 1127-1149. Retrieved from
http://www.psc.isr.umich.edu/pubs/pdf/ng09-005.pdf
Begum, R.A. (2010, December 28-30). Linking green technology and disaster risk
reduction. Paper presented at International Conference on Biology, Environment
and Chemical: ICBEC 2010, Hong Kong. National University of Malaysia.
Bobcock, C. (2011). Global data center chains promise easier backup. Information Week,
1313, 10/2011, 18-20. Retrieved from
http://trove.nla.gov.au/work/157886938?versionId=172112668
Bombard, Y., Cox, S., & Semaka, A. (2010). When they hear what we say: Ethical
challenges in presenting research findings to the Huntington Disease Community.
Journal of Empirical Research on Human Research Ethics, 6(3), 47-54. Retrieved
from
http://www.jstor.org/discover/10.1525/jer.2011.6.3.47?uid=3739704&uid=2129&
uid=2&uid=70&uid=4&uid=3739256&sid=21102042637383
127
Brody, B. & Schmittlein, M. (2012). Business continuity 101. Risk Management, 59(1),
1-2. Retrieved from http://www.questia.com/library/1G1-279613627/business-
continuity-101
Byrnes, S. E., Williams, C., Kamat, S., & Gopalakrishnan, S. (2012). Making the case for
an enterprise risk management program. The Journal of Equipment Lease
Financing (Online), 30(2), B1-B10. Washington, DC: Equipment Leasing of
America.
Cansiz, S. & Pakdil, F. (2012). A proposed business process management model for
SMEs. The Business Review, Cambridge, 19(2), 57-63.
Chow, W.S. & Ha, W. O. (2009). Determinants of the critical factor of disaster recovery
planning for information systems. Information Management & Computer
Security, 17(3), 248-275. doi:10-1108/09685220910978103
Clas, E. (2008). Business continuity plans. Professional Safety, 53(9), 45-48. Retrieved
from http://www.asse.org/professionalsafety/indexes/2008.php
Clive, M. W. (2010). The role of public sector asset managers in responding to climate
change: Disaster and business continuity planning. Property Management, 28(4),
245-256. doi: 10.1108/02637471011065674
Douglas, P. (2009). Business continuity during and after disaster: Building resilience
through continuity planning and management. ASBM Journal of Management,
2(2), 1-16.
Duncan, W., Yeager, V., Rucks, A., & Ginter, P. (2010). Surviving organizational
disasters. Business Horizons, 54 (2), 135-142. doi: 10.1016/j.bushor.2010.10.005
128
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.663.9880&rep=rep1&t
ype=pdf
FEMA. (2012). $15.4 million in Federal funds to Maryland for December and February
storms. Retrieved from http://www.fema.gov/news-release/154-million-federal-
funds-maryland-december-and-february-storms
Fontaine, M. (2012). Corporate social responsibility and sustainability: The new bottom
line? International Journal of Business and Social Science, 4(4). Retrieved from
http://www.ijbssnet.com/journals/Vol_4_No_4_April_2013/13.pdf
Fraser, J. & Simkins, B. (2010). Enterprise Risk Management: Today’s Leading Research
and Best Practices for Tomorrow’s Executives. Retrieved from
http://books.google.com/books?id=OFEKL5Q2VOwC&lpg=PP1&dq=Enterprise
%20Risk%20Management&pg=PP1#v=onepage&q&f=false
Guion, L.A., Diehl, D. C., & McDonald, D. (2012). Conducting an in-depth interview
(FCS6012). Gainsville, FL: Department of Family, Youth, and Community
Sciences. Retrieved from https://edis.ifas.ufl.edu/pdffiles/FY/FY39300.pdf
129
Gulachek, B. (2005). Business continuity planning: Process, impact, and implications,
2005(13). Retrieved from
https://library.educause.edu/~/media/files/library/2005/6/erb0513-pdf.pdf
Hall, D. J., Skipper, J. B., Hazen, B. T., & Hanna, J. B. (2012). Inter-organizational IT
use, cooperative attitude, and inter-organizational collaboration as antecedents to
contingency planning effectiveness. International Journal of Logistics
Management, 23(1), 50-76. doi: 10.1108/09574091211226920
Heng, T.B., Hooi, S. C., Liang, Y.Y., Azizie, O., & Tze, S. O. (2012). Telecommuting for
business continuity in a non-profit environment. Asian Social Science., 8(12),
226-237. doi:10.5539/ass. v8n12p226
Hilton, L. & Voss, B. (2011). Irene/Katrina business continuity and disaster recovery. In
D. Oblinger (Editor), Educause. Presentation conducted at University of
Maryland. Abstract retrieved from
http://www.educause.edu/library/resources/irenekatrina-business-continuity-and-
disaster-recovery
Hong, P., Hong, S., James, J. R., & Park, K. (2012). Evolving benchmarking practices: A
review for research perspectives. Benchmarking, 19(4), 444-462. doi:
10.1108/14635771211257945
Ibrahim, N., Angelidis, J., P., & Parsa, F. (2008). Strategic management of family
businesses: Current findings and directions for future research. International
Journal of Management, 25(1), 95-110, 198.
130
relational construct. Public Relations Review, 33(2), 2007, 147-157. Retrieved from
http://www.issueoutcomes.com.au/Websites/issueoutcomes/Images/Relational%2
0model %20PRR.pdf
Jones, V. A. (2011). How to avoid disaster: RIM’S crucial role in business continuity
planning. Information Management Journal, 45(6), 36-47. Retrieved from
http://content.arma.org/imm/November-
December2011/rimfundamentalshowtoavoiddisaster.aspx
Keller, J. (2008). Examination of gender, pay, age, tenure, and flexible hours on
absenteeism. Retrieved from http://library.ncu.edu/ncu_diss/display_
abstract.aspx?dissertation_id=960
Kimweli, J. M. (2013). The role of monitoring and evaluation practices to the success of
donor funded food security intervention projects. International Journal of
Academic Research in Business and Social Sciences. 3(6). Retrieved from
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.685.2623&rep=rep1&t
ype=pdf
Kolowitz, B., Lauro, G. R., Barkey, C., Back, H., Light, K., & Deible, C. (2012).
Workflow continuity – moving beyond business continuity in multisite 24-7
healthcare organization. Journal of Digital Imaging, 25(6), 744-750. Retrieved
from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3491149/
Krizner, K. (2011). Increases reliance on tech tools makes disaster planning a must.
Managed Healthcare Executive, 21 (2), 28-29. Retrieved from
http://managedhealthcareexecutive.modernmedicine.com/managed-healthcare-
executive/news/increased-reliance-tech-tools-makes-disaster-planning-must
131
http://books.google.com/books?id=Dz1mS4oe8qIC&lpg=PA89&dq=Kvale%20D
oing%20Interviews&pg=PR4#v=onepage&q&f=false
Lambert, J., Parlak, A., Zhou, Q., Miller, J., Fontaine, M., Guterbok, T., Clements, J., &
Thekdi, S. (2012). Understanding and managing disaster evacuation on a
transportation network. Elsevier. Retrieved from
http://www.ncbi.nlm.nih.gov/pubmed/22789430
Lindstrom, J., Samuelsson, S., & Hagerfors, A. (2010). Business continuity planning
methodology. Disaster Prevention and Management, 19(2), 243-355.
doi:10.1108/09653561011038039
Low, S. P., Liu, J. Y., & Kumaraswamy, M. (2010). Institutional compliance framework
and business continuity management in mainland China, Hong Kong SAR and
Singapore. Disaster Prevention and Management, 19(5), 596-614.
doi:10.1108/09653561011091922
132
http://mema.maryland.gov/memacommunity/Documents/COOP_manual-
Version_2_3.pdf
Mische, S. & Wilkerson, A. (2016). Disaster and contingency planning for scientific
shared resource cores. Journal of Biomolecular Techniques, 27(1), 4-17.
Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4736755/
Moon, K., Brewer, T.D., Januchowski-Hartley, S. R., Adams, V. M., & Blackman, D.A.
(2016). A guideline to improve qualitative social science publishing in ecology
conservation journals. Ecology and Society, 21(3), 17. Retrieved from
https://www.ecologyandsociety.org/vol21/iss3/art17/
Muslu, K., Brun, Y., & Meliou, A. (2013). Data debugging with continuous testing.
Retrieved from
http://people.cs.umass.edu/~ameli/projects/dataTesting/papers/Muslu13ni-fse.pdf
Omar, A., Alijani, D., & Mason, R. (2011). Information technology disaster recovery
plan [Case study]. Academy of Strategic Management Journal, 10(2), 127-141.
Retrieved from
http://www.alliedacademies.org/Publications/Papers/ASMJ_Vol_10_No_2_2011
%20p%20127-141.pdf
Omwuegbuzie, A.J., Leech, N., & Collins, K. (2010). Innovative data collection
strategies in qualitative research. The Qualitative Report, 15(3), 696-726.
Retrieved from http://www.nova.edu/ssss/QR/QR15-3/onwuegbuzie.pdf
133
Onwuegbuzie, A.J. & Leech, N. L. (2009). Generalization practices in qualitative
research: a mixed methods case. Quality and Quantity, 44(5), 881-892.
doi:10.1007/s11135-009-9241-z
Ostlund, U., Kid, L., Wengstromm, Y., & Rowa-Dewar, N. (2011). Combining
qualitative and quantitative research within mixed method research designs: A
methodological review. International Journal of Nursing Studies 48(3), 369-383.
doi: 10.1016/j.ijnurstu.2010.10.005
Paton, D. (2009). Business continuity during and after disaster: Building resilience
through continuity planning and management. ASBM Journal of Management,
2(2), 1-16. Retrieved from http://vlex.in/vid/business-during-building-
management-227842595
Patton, M. Q. (2002). Qualitative research & evaluation methods (3rd ed.). Thousand
Oaks, CA: Sage Publications.
Payam, H., Morteza, M., & Javad, B. (2009). Selecting the best strategic practices for
business process redesign. Business Process Management Journal, 15(4), 609-
627. doi:10.1108/14637150910975561
Peterson, P. B. (2010). Crisis during recovery: Lessons from 1904 Baltimore fire. Journal
of Management History, 16(30, 297-311. doi:10.1108/17511341011051216
Ponterotto, J. (2006). Brief note on the origins, evolution, and meaning of the qualitative
research concept “Thick Description”. Qualitative Report, 11(3), 538 – 549.
Retrieved http://www.nova.edu/ssss/QR/QR11-3/ponterotto.pdf
Qu, S. & Dumay, J. (2011). The qualitative research interview. Qualitative Research in
Accounting and Management, 8(3), 238-264. doi:10.1108/11766091111162070
Resnik, D. (2010). What is ethics in research & why is it important? Retrieved from
http://www.niehs.nih.gov/research/resources/bioethics/whatis.cfm
Reyna, V. & Rivers, S. (2008). Current theories of risk and rational decision making.
Department of Human Development and Psychology, Cornell University.
doi: 10.1016/i.drd.2008.01.002
134
Sala, E. & Lynn, P. (2009). The potential of a multi-mode data collection design to
reduce non-response bias: The case of a survey of employers. Qual Quant,
2009(3), 123-136. doi:10.1007/s11135-007-9148-5
Shaban, R. (2009). Robert K. Yin case study research: Design and methods. Australasian
Emergency Nursing Journal, 12(2), 59-60.
Slater, D. (2011). Business continuity and disaster recovery planning: The basics.
Retrieved from
http://www.csoonline.com/article/204450/business-continuity-and-disaster-
recovery-planning-the-basics?page=2
Small Business Administration (2012). SBA economic injury disaster loans available in
Maryland following Secretary of Agricultural Disaster Declaration. Retrieved
from http://www.sba.gov/about-offices-content/4/2818/news/297651
Snyder, K., Donoho, P., Menzies, J., & Davidson, O. (2012). Maryland business get their
stake in emergency response. Business Civic Leadership Center, 2012. Retrieved
from
http://bclc.uschamber.com/sites/default/files/documents/files/Role%20of%20Busi
ness%20in%20Disaster%20Response.pdf
State of Maryland Small Business Reserve Program. (2012). Small business reserve
program. Retrieved from http://www.mdstad.com/content/view/64/77/
Stavros, C. & Kate, W. (2009). Using triangulation and multiple case studies to advance
relationship marketing theory. Qualitative Market Research, 12(3), 307-320.
doi:10.1108/13522750910963827
135
Svensson, G. & Wagner, B. (2011). Transformative business sustainability. European
Business Review, 23(4), 334-352. doi:10.1108/09555341111145735
Tan, J. (2010). Grounded theory in practice: issues and discussion for new qualitative
researchers. Journal of Documentation, 66(1), 93-112.
doi:10.1108/00220411011016380
Taylor, H., Artman, E., & Woelfer, J. P. (2012). Information technology project risk
management: bridging the gap between research and practice. Journal of
Information Technology, 27(1), 17-34. doi:10.1057/jit.2011.29
Tene, O. & Polonetsky, J. (2013). Big data for all: Privacy and user control in the age of
analytics. Northwestern Journal of Technology and Intellectual Property, 11(5),
239. Retrieved from
http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1191
&context=njtip
Tsohou, A., Kokolakis, S., Lamrinoudakis, C., & Gritzalis, S. (2010). A security
standards’ framework to facilitate best practices’ awareness and conformity.
Information Management & Computer Security, 18(5), 350-365.
doi:10.1108/09685221011095263
Vallance, P., Freeman, A., & Stewart, M. (2016). Data sharing as part of the normal
scientific process: A view from the pharmaceutical industry. PLOS Medicine
Journal, 13(1), 137. Retrieved from
http://journals.plos.org/plosmedicine/article?id=10.1371/journal.pmed.1001936
Venclova, K., Urbancova, H., & Vyadrova, H. (2013). Advantages and disadvantages of
business continuity management. International Journal of Social, Behavioral,
Educational, Economic, Business and Industrial Engineering, 7(4), 2013.
Retrieved from https://waset.org/Publication/advantages-and-disadvantages-of-
business-continuity-management/5374
136
Wan, S. (2009). Service impact analysis using business continuity planning processes.
Wide Information Systems, 26(1), 20-42. doi:10.1108/10650740910921546
Wedatta, G. & Ingirige, B. (2012). Resilience and adaptation of small and medium-sized
enterprises to flood risk. Disaster Prevention and Management, 21(4), 474-488.
doi: 10.1108/09653561211256170
Worthington, W., Collins, J., & Hitt, M. (2009). Beyond risk mitigation: Enhancing
corporate innovation with scenario planning. Business Horizons, 52(5), 441-450.
Retrieved from
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1343393
Yang, C., Yuan, B., & Huang, C. (2015). Key determinant derivations for information
technology disaster recovery site selection by the multi-criterion decision making
method. Open Access Sustainability, 7(2015). doi: 10.3390/su7056149.
Yin, J. & Zhang, Y. (2012). Institutional dynamics and corporate social responsibility
(CSR) in an emerging country context: Evidence from China. Springer Science
and Business Media B.V. (111), 301-316. doi:10.1007/s10551-012-1243-4
Yin, R. K. (2011). Qualitative Research from Start to Finish (3rd Ed). New York, NY:
The Guilford Press
Yin, R. K. (2013). Case Study Research: Designs and Methods (3rd Ed). Thousand Oaks,
CA: Sage.
Zikmund, W., Babin, B.J., Carr, J.C., & Griffin, M. (2010). Business research methods
(8th ed.). Mason, OH: Thomson/South-Western.
137
Appendixes
138
Appendix A: Interview Participant Letter
I would greatly appreciate your assistance in a research study being conducted for
a dissertation at Northcentral University. The purpose of the proposed qualitative
multiple case study is to explore the perception of senior managers of small businesses in
the state of Maryland on the business continuity planning (BCP).
Information and data will be held in strict confidence and used only for the
purposes of this research. There are no direct benefits to you for assisting in this research
and no incentives are offered. The data collected in this study will be considered
confidential. All data will be coded such that names are not associated. In addition, the
coded data will be made available only to the researchers associated with this project.
I would be pleased to answer any questions that may arise about the study and would
appreciate correspondence (e-mail or letter) from your office acknowledging this letter.
My e-mail address is benchepkoit@gmail.com and telephone number is (240)344-4694.
Sincerely,
Benjamin Chepkoit
139
Doctoral Candidate, Northcentral University
Appendix B: Interview Permission Letter
I would greatly appreciate your assistance in a research study being conducted for
a dissertation at Northcentral University. The purpose of the proposed qualitative
multiple case study is to explore the perception of senior managers of small businesses in
the state of Maryland on the business continuity planning (BCP). If it is agreeable to you,
I would like to conduct an interview with you or your management on occasion to obtain
leading views and perspectives on business continuity planning.
Information and data will be held in strict confidence and used only for the
purposes of this research. There are no direct benefits to you for assisting in this research
and no incentives are offered. The data collected in this study will be considered
confidential. All data will be coded such that names are not associated. In addition, the
coded data will be made available only to the researchers associated with this project.
I would be pleased to answer any questions that may arise about the study and would
appreciate correspondence (e-mail or letter) from your office acknowledging this letter.
My e-mail address is benchepkoit@gmail.com and telephone number is (240)344-4694.
Sincerely,
Benjamin Chepkoit
140
Appendix C: Interview Protocol
Interview Theme
The goal of the interview is to explore the perception of senior managers of small
businesses in the state of Maryland on the business continuity plan (BCP). The interview
is to solicit the perceptions of senior managers on the setting up proactive measures that
protect their business operations from unexpected disasters or other events that could
The data collected during the interview will focus on themes that are aimed at enabling
the management of small businesses to understand the role that BCP plays in formulating
the processes and procedures necessary for keeping normal business operations running
The senior managers interviewed will be informed of the purpose of the study is
to explore strategic business continuity planning methods for small businesses in the state
The interview questions will require responses from senior managers based on their
experiences, knowledge, and skills on the preparation, or lack of preparation, required for
preventing disasters that would disrupt normal business operations. The briefing of the
participants before the interview will entail explanation of the investigation on the
such measures by small businesses in Maryland. The managers will be debriefed of the
outcome of the investigation, how the investigation analysis was concluded, how the
141
outcome could impact their organization, and explain possible further research that may
be required in the study. The senior managers are provided with an informed consent
letter that includes explanations of how the interview protocol will address research
ethics, interview confidentiality, anonymity, and the voluntary nature of the study. It will
142
Interview Protocol Guide
Checklist
B. Did the participant sign, date and return the informed consent form?
C. Did the participant sign, date and return the demographic form confirming
requisite criteria?
D. Did the participant authorize the recording of the interview verbally, recorded
prior to interview?
The introduction and questions are stated in the Interview Briefing (Appendix D).
143
Appendix D: Interview Briefing and Questions
Interview Briefing
You are invited to participate in a research study being conducted for a dissertation at
strategic business continuity planning methods for small businesses in the state of
importance of business continuity planning (BCP) and the impact of threats that arise
from lack of preparedness necessary for preventing business losses due to disasters
effects and disruptive incidents to the business operations that include accidents, criminal
informed of the importance of a sustainable BCP that ensures the existence of a well-
provides greater confidence in identifying and managing fatal risks inherent in essential
business processes and activates a pro-reactive plan to accelerate the recovery while
minimizing the negative impact after the occurrence of a disruptive event. Successful
operation of a BCP is not only solely dependent on the management’s ability to control
144
Through the questions provided, this interview attempts to understand your
The interview will start with your experience with your organization and tend to focus on
1. To start the interview, I’d like to learn about your beginnings with the organization.
2. Looking at the nature of your business operations, what are some of the internal threats
or risks that would hinder a normal, continuous flow of your normal business operations?
3. What are some of external disasters that would affect the continuous flow of your
business operations?
Interview Questions
As stated above, a business continuity plan (BCP) would enable management to institute
operations.
145
Q1. How is strategic Business Continuity Planning (BCP) perceived by the senior
Q2. If you have BCP already implemented in your organization, how do you perceive
that Business Continuity Planning (BCP) provided value to the businesses operations?
Q4. How would you maximize the benefits of BCP throughout your organization?
Q5. Provide an example of how a BCP could be used more effectively in your
organization.
Q6. If you have not implemented BCP, what is your perception of BCP in so far as
Q8. How do you perceive risk management for your business operations while
Q9. If you have implemented a BCP, why do you perceive that critical success factors in
Q10. If you have not implemented BCP, why do you perceive that critical success factors
for your business operations can be achieved without a sustainable BCP? And which area
146
Appendix E: Consent Form
Introduction:
Activities:
Eligibility:
Risks:
There are minimal risks in this study. Some possible risks include not feeling
comfortable answering the interview questions. If you are not comfortable, you may
withdraw at any time. You can also skip any question that you don’t feel comfortable
answering.
147
Benefits:
If you decide to volunteer, there are no direct benefits to you. The potential benefits
to the small business community in Maryland include increased awareness and
understanding by managers of how business continuity planning could reduce or
eliminate risks that result from disaster related events to business operations.
Confidentiality:
The information you provide will be kept private and secret to the extent allowable by
law. All identifying information will be recorded using numbers or figures, and will
be kept separate from the signed consent forms.
The people who will have access to your information are: myself, my dissertation
chair, and the dissertation committee.
I will keep your information safe by locking the hard copies of the interview
responses in a filing cabinet and securing the computer electronic file with a
password.
I will keep your data for 7 years. After that, the electronic data will be deleted and the
paper data will be destroyed.
Contact Information:
If you have questions about your rights in the research, or if a problem has occurred,
or if you are injured during your participation, please contact the Institutional Review
Board at: irb@ncu.edu or 1-888-327-2877 ext 8014.
Voluntary Participation:
Audiotaping:
I would like to use a voice recorder to record your answers. You can still participate if
you do not wish to be recorded.
148
Signature:
149