Article in Safety Science, November 2016. DOI: 10.1016/j.ssci.2016.06.015
Source: https://www.researchgate.net/publication/305827861

Authors: S.A. Torabi (University of Tehran), Ramin Giahi (Iowa State University), Navid Sahebjamnia (University of Science and Technology of Mazandaran)



An enhanced risk assessment framework for Business Continuity
Management Systems

Abstract

Every organization is exposed to several risks (e.g. cyber-attacks and disruptions caused by
natural disasters). To respond to these risks properly, an effective risk management system should
be implemented. Business continuity management is one of the most recent risk management
frameworks; it enables organizations to improve their resilience in order to cope with the
identified risks. Risk assessment is one of the main parts of a business continuity management
system (BCMS). In this paper, an enhanced risk assessment framework is proposed within the
context of BCMS, accounting for the specific steps and requirements of a BCMS. The proposed
framework benefits from a suite of analytic techniques that enhance and facilitate risk
assessment and management within the well-known four-step framework (i.e. identifying,
analyzing, evaluating, and responding to risks). The results of applying the proposed framework
in a real case study demonstrate that it can effectively handle the risk assessment and management
process when implementing a BCMS in an organization.

Keywords: Risk Assessment, Business Continuity Management, Organizational Resilience, Best-Worst Method,
Resource Allocation, Benefit-Cost Analysis.

1. Introduction

The high rate of disruptive incidents, natural or technological, taking place around the world
encourages organizations to design and implement their own customized business continuity
management system (BCMS) in order to be prepared for any possible disruption. Through
implementing a BCMS, suitable business continuity plans (BCPs) are provided to respond to
possible incidents (those that could damage the organization's resources) in an efficient and
effective way (Sahebjamnia, Torabi, & Mansouri, 2015). In this way, BCM can be viewed as a
risk management system that enables organizations to improve their organizational resilience
level.

According to BS25999 (2007), the BCM life-cycle consists of six elements: BCM program
management; understanding the organization; determining and identifying BCM strategies;
developing and implementing BCM responses; embedding BCM in the organizational culture;
and training, exercising, maintaining and reviewing the BCM plan. Understanding the
organization is the key part of BCM. Business impact analysis (BIA) and risk assessment (RA)
are the two major tools for understanding the organization in the context of BCM (BS25999, 2007;
Torabi, Rezaei Soufi, & Sahebjamnia, 2014). The purpose of BIA is to identify the critical
functions needed to deliver key products/services, the impact of disrupted activities on the
organization's objectives, and the resources needed to resume the critical activities after a
crisis happens (BS25999, 2007). RA is defined as the "overall process of risk
identification, risk analysis and risk evaluation". The main objectives of RA in BCM are the
identification of risks threatening the organization, their analysis and evaluation, and preparation
for risk treatment and response planning ("ISO 22301," 2012).

The World Economic Forum's Global Risks 2015 report (Global Risks 2015, 10th Edition,
2015) states that risks threaten human lives and organizations' activities. Organizations are
exposed to a number of risks which may disrupt their activities and cause substantial damage. For
instance, a fire at a sub-supplier's plant caused $400 million in losses for Ericsson in 2000
(Norrman & Jansson, 2004). Therefore, risks should be managed regularly to prevent the loss of
resources and assets.

Since BCM is a kind of risk management, it can be used as an appropriate tool to deal with
risks. BCM is implemented to ensure delivery of the organization's key products under any
circumstances, even after a risk occurs. However, BCM requires a comprehensive RA framework
by which those risks threatening the organization's activities can be identified, analyzed,
evaluated, and responded to. An appropriate RA framework helps organizations make contingency
plans to stop losing resources in the aftermath of a risk occurrence. In this paper, some
analytical techniques are suggested to enhance and facilitate the risk assessment process within
the BCMS context. For this, the literature on supply chain risks and organizational risks is first
examined to find the potential risks in service/manufacturing organizations. Then, the risk
factors (i.e. impact and likelihood of risks) are extracted by studying relevant papers that
introduce risk factors. Thereupon, two effective methods are used to determine the impact and
likelihood of risks (Feng, Wang, & Li, 2014; Halliday, Badenhorst, & Von Solms, 1996; Kangas
& Kangas, 2004; Kull & Closs, 2008; Ritchie & Brindley, 2007; Samantra, Datta, & Mahapatra,
2014). Finally, after evaluating the risks, appropriate response plans are proposed to cope with
them effectively. The main contributions of this paper can be outlined as follows:

• Conducting a comprehensive literature review to identify the most relevant potential risks in
manufacturing and service organizations.
• Suggesting some analytical techniques to enhance and facilitate risk assessment in the
context of implementing a BCMS in an organization.
• Suggesting new sub-factors that help decision makers measure the impact of risks more
accurately.
• Proposing a new method to evaluate and respond to the identified risks.
• Developing a new method to provide the resources needed to respond to a risk that has
occurred, with regard to the results of BIA and benefit/cost analysis.
• Applying the proposed framework and its suggested analytical tools in a real case study to
handle the risk assessment and management process when implementing a BCMS in a
service organization.

In brief, the contributions of this paper mainly consist of proposing a suite of analytic
techniques to improve and facilitate the risk assessment and management process in the context
of business continuity management systems within the well-known four-step framework of RA
(see ISO 31010 for a general overview of risk assessment and management). This framework
includes: (1) risk identification, in which the potential risks of the organization are identified;
(2) risk analysis, in which the risk factors (i.e. risk likelihood and impact) are quantified and
analyzed; (3) risk evaluation, in which those risks needing treatment are determined; and finally
(4) risk response planning, in which suitable response plans are developed.

The rest of the paper is organized as follows. Relevant literature is reviewed in Section 2. The
suggested analytical tools for enhancing and facilitating the risk assessment process in the
context of BCMS are elaborated in Section 3. In Section 4, the applicability of the proposed
framework and its analytical tools is demonstrated through a real case study. Several
managerial insights are derived from the numerical results in Section 5. Finally, Section 6
provides concluding remarks and directions for further research.

2. Literature review

Researchers have approached RA in different ways. We group the literature review into two
main related areas: RA in supply chains and RA in organizations.

2.1 RA in supply chains

RA is the main element of different risk management approaches (ISO 31010, 2009). Several
works have analyzed, assessed and managed supply chain risks (Hallikas et al., 2004;
Kleindorfer & Saad, 2005; Lockamy III, 2014). Hallikas et al. (2004) propose a risk
management process for supply networks, which contains the identification, assessment, treatment
and monitoring of risks. The paper states that risks originate from: too low or inappropriate
demand; problems in fulfilling customer needs; costs and prices; and weakness in resources,
development and flexibility. Kleindorfer and Saad (2005) propose a conceptual framework to
manage disruption risks in supply chains. The paper categorizes disruption risks as natural
disasters, labor strikes, economic disruptions and terrorist attacks. Their proposed framework
consists of three main steps: identification of the sources of risks and vulnerabilities, risk
assessment, and mitigation. Wu et al. (2006) present a methodology to identify supplier-oriented
risk factors and manage inbound supply risks. They classify the inbound risks according to their
internal or external sources and controllability. Lockamy III (2014) proposes a methodology to
model and assess suppliers' disaster risks in a supply chain network. After identifying the
suppliers' risks, a Bayesian network is used to determine the risks' probabilities and the impact
that a supplier could have on an organization using the Value-at-Risk (VaR) measure, by which
managers can decide whether or not to continue with a supplier. The proposed methodology is
also applied in an automotive company.

2.2 RA in organizations

There are some differences between RA in manufacturing organizations and in service
organizations (e.g. banking, tourism, hospitals and airports). In manufacturing and service
organizations, risks are usually assessed by considering the delivery of products and services,
respectively. It should be noted that although some parts of manufacturing organizations consist
of service operations (e.g. customer relationship management and marketing operations), RA
methods for manufacturing organizations cannot be used for all kinds of service organizations. In
this section, the literature is reviewed in two separate but related streams, i.e., RA in
manufacturing organizations and RA in service organizations.

2.2.1 RA in manufacturing organizations

Although conducting RA in industrial firms is very important, many researchers have focused
only on safety analysis and occupational risk assessment. Fera and Macchiaroli (2010) present a
mixed qualitative-quantitative RA method for assessing safety risks in small and medium
enterprises (SMEs). The authors introduce three steps for safety RA: (1) building a team to
identify risks and compare them with each other, (2) assessing them through a quantitative model
to calculate the frequency and consequences of each identified risk and, (3) finally, providing
improvement actions. Marhavilas and Koulouriotis (2012) present a framework for safety risk
assessment in work sites. In this framework, potential hazards are identified and their frequencies
and consequences are analyzed using gathered statistical data. After evaluating the hazards'
magnitudes, suitable decisions about them are made (i.e. whether to accept or mitigate each
hazard).

Several RA techniques are often used in manufacturing organizations. Among them, failure
mode and effect analysis (FMEA) (K.-H. Chang & Cheng, 2010; H.-C. Liu, You, Lin, & Li,
2014; Song, Ming, Wu, & Zhu, 2014), fault tree analysis (FTA) (Lindhe, Rosén, Norberg, &
Bergstedt, 2009; Y. Liu, Fan, Yuan, & Li, 2014), and hazard and operability study (HAZOP)
(Trammell & Davis, 2001; Vinnem, Aven, Husebø, Seljelid, & Tveit, 2006) are the most
practical approaches. Table 1 gives a brief description of these methods.

Table 1. Description of RA techniques

RA technique | Description | Reference
FMEA | A component-driven approach for analyzing a system's hardware to identify the potential failure modes, their causes and effects. | (H.-C. Liu et al., 2014; Stamatis, 2003)
FTA | Shows potential events (i.e. faults) within a system that produce undesirable outcomes via a fault tree. It systematically shows the possible propagation of a fault from basic events to a hazardous top event. | (J.-R. Chang, Chang, Liao, & Cheng, 2006)
HAZOP | A function-driven approach for analyzing process operations in order to identify operability problems within the system. | (Dunjó, Fthenakis, Vílchez, & Arnaldos, 2010)

Several models and frameworks have been proposed to conduct the RA process in manufacturing
organizations. Wulan and Petrovic (2012) present a framework for risk assessment within the
context of enterprise collaboration. In this framework, the different risks in the life cycle of
enterprise collaboration (pre-creation, creation, operation and termination) are first identified.
Then, the probability and impact of each risk are determined by fuzzy linguistic terms. The
proposed framework is also tested in an automotive company. Lai and Lau (2012) present a risk
management model to manage the risks of a textile manufacturing company. In this framework,
the potential risks are first identified. Then, the likelihood, consequence, and magnitude of each
risk are obtained. Afterwards, the risk assessment matrix is divided into four regions according
to the impact and likelihood of risks. Finally, four actions are suggested as risk response plans
according to these four regions: accept the risk (low likelihood, low impact), avoid the risk (high
likelihood, low impact), transfer the risk (low likelihood, high impact), and mitigate the risk
(high likelihood, high impact). Samantra et al. (2014) present a quantitative methodology in
which risks related to information technology outsourcing are assessed. The authors introduce
four major steps: (1) identifying the risks within the context of information technology
outsourcing, (2) collecting aggregated linguistic data about the likelihood and impact of risks
from experts' opinions, (3) calculating the magnitude of each risk by multiplying the respective
likelihood and impact, and (4) developing suitable action plans for treating the risks. Shafiee
(2014) presents a methodology to select the most appropriate risk mitigation strategies for
offshore wind farms. In the proposed method, a mitigation strategy is chosen according to some
criteria using the fuzzy analytic network process (FANP).

2.2.2 RA in service organizations

In the context of service organizations, there are few works that holistically assess risks in
all aspects of an organization. Tsai and Chen (2010) propose some strategies (i.e. mitigation and
transfer strategies) to cope with earthquake risk in the tourism industry. The model is also
applied to a hotel case in Taiwan. Yang et al. (2013) present a method to assess information
security risks. In this paper, after identifying the risks, three multi-criteria decision making
approaches, i.e., VIKOR, DEMATEL, and ANP, are combined to assess the identified risks. The
proposed method is also applied in an information technology company. Shafieezadeh et al.
(2014) present a decision framework for managing terrorism risk at airports. The proposed
framework allocates the resources required to mitigate the risk of terrorist attacks on civil
infrastructure. Liu et al. (2014) propose a novel FMEA approach and apply it within a hospital.
In this paper, risks are analyzed through the proposed approach once the failure modes of a piece
of equipment are identified. Feng et al. (2014) propose a model to analyze the security risks of
information systems. A Bayesian network is utilized to determine risks and their associated
causal pathways. Finally, the proposed model is applied to a service company's information
system.

Despite the importance of RA for developing an effective BCMS, to our knowledge few works
have assessed risks in the context of BCM. Halliday et al. (1996) propose a framework for
analyzing risks in information technology based organizations in order to implement a BCMS.
This framework consists of several steps: identification of those risks threatening the
organization's critical business processes; classification of risks according to their primary
effects; recording the frequency, impact and growth rate of each risk on business processes;
representing the risks in a three-dimensional chart of impact, frequency, and growth rate;
prioritization of risks; and recommendation of appropriate countermeasures according to the
proposed chart. Zsidisin et al. (2005) state the importance of BCM for managing risks in
organizations through a case study research. Gibb and Buchanan (2006) propose a framework in
which risks are managed in organizations via applying BCM. Tjoa et al. (2008) explain how a
risk-oriented process evaluation methodology enhances BIA and RA in BCM. The paper
introduces three steps for RA in BCM: identifying threats to business activities, analyzing the
likelihood of each threat and its impact on activities, and prioritizing essential information for
risk management. Wijnia and Nikolic (2007) consider risks as a chain of causes and effects in the
context of information technology business continuity. They model information technology risk
as a process that causes unavailability of resources, process outage and business impact. They
also present a mathematical formulation to quantify risks.

The literature review of current models and frameworks for conducting the RA process within
organizations demonstrates the lack of a comprehensive RA framework consisting of systematic
(i.e. step-by-step) and quantified steps in the context of BCMS that benefits from suitable
analytical tools. To fill this gap, an enhanced framework equipped with some analytic techniques
is developed in this paper to conduct the RA process in the context of BCMS in an effective and
systematic manner.

3. Enhanced RA framework equipped with analytical tools

RA is a methodical way of using available information to find out which risks may occur and
how they may affect the organization's goals. This process involves assessing the likelihood and
impact of those risks that threaten the organization's activities and preparing response plans for
the critical ones (Mahdevari, Shahriar, & Esfahanipour, 2014). Fig. 1 shows the relationship
between RA and the other parts of a BCMS.

[Figure 1 (diagram) with four boxes: Organization's goals; Business Impact Analysis (BIA); Risk Assessment (RA); Risk Response Plans.]

Figure 1. Relationships between RA and other elements of a BCMS

As can be seen, RA and BIA are closely related, as the results of RA and BIA are jointly used
to develop suitable BC plans to cope with the identified risks. In other words, the outputs of BIA
(i.e. the key functions, risk appetite, minimum business continuity objective (MBCO), and
maximum tolerable period of disruption (MTPD)) together with the results of RA are used to
prepare the most suitable response plans. Furthermore, RA should serve the organization's goals
and help managers attain them (Torabi, Rezaei Soufi, & Sahebjamnia, 2014). In this paper, some
analytical techniques are suggested for conducting an effective RA process within the context of
BCMS. In the first step, the most relevant organizational risks are identified from a
comprehensive list drawn from the literature. Then, the identified risks are analyzed: the impact
of each risk is calculated by means of a recently developed multi-attribute decision making
(MADM) method, the best-worst method (BWM) (Rezaei, 2015), and the likelihood of each risk
is estimated from statistical data where available or otherwise from experts' judgmental
opinions. In the third step, the deviation of the organization's achievements from its pre-defined
goals after the risk occurrence is calculated and compared with the risk appetite (see Table 2 for
a definition of risk appetite). Finally, the evaluated risks are responded to by allocating the
resources needed to resume the key functions to at least the so-called MBCO level. Fig. 2
depicts the enhanced RA framework equipped with analytical tools; its steps are elaborated in
the next sections.
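The analysis, evaluation and response-planning steps just outlined can be exercised end to end on a small risk register. The following Python example is added here as an illustration and is not code from the paper or its case study: the sub-factor weights are assumed to be the output of a BWM run (the BWM optimization itself is not implemented), the impact is computed by a weighted sum, the likelihood follows the two branches of Fig. 2 (a probability from incident statistics when they exist, otherwise a possibility aggregated from experts' linguistic judgments on an assumed scale), the risk level is impact times likelihood and is compared with the risk appetite, and a BC plan is chosen among candidates that restore at least the MBCO level with a preparation time inside (t*, min MTPD). The deviation formula of Eq. (3) and the resource formula of Eq. (4) are not on this page, so the evaluation here uses the risk level directly. All numbers, the risk and plan names (`data_center_fire`, `supplier_delay`, `second_source_contract`, and so on) and the constant-rate assumption behind the probability estimate are constructed for the example.

```python
# Added example: risk analysis, evaluation and BC plan selection on a toy register.
# All figures below are constructed assumptions, not values from the paper.
import math
from dataclasses import dataclass, field
from typing import Optional

# Impact sub-factor weights, assumed to be the output of a BWM run (they sum to 1).
SUB_FACTOR_WEIGHTS = {"financial_loss": 0.45, "service_outage": 0.30,
                      "reputation": 0.15, "data_confidentiality": 0.10}

# Assumed mapping of experts' linguistic judgments to possibility values in [0, 1].
POSSIBILITY_SCALE = {"very_low": 0.1, "low": 0.3, "medium": 0.5,
                     "high": 0.7, "very_high": 0.9}


@dataclass
class Risk:
    name: str
    sub_factor_scores: dict            # one score in [0, 1] per sub-factor
    incidents: Optional[int] = None    # observed occurrences, if statistics exist
    years_observed: Optional[float] = None
    expert_possibility: list = field(default_factory=list)  # linguistic judgments


def impact(risk: Risk, weights: dict = SUB_FACTOR_WEIGHTS) -> float:
    """Weighted sum model (WSM) over the sub-factor scores."""
    missing = set(weights) - set(risk.sub_factor_scores)
    if missing:
        raise ValueError(f"{risk.name}: no score for sub-factor(s) {sorted(missing)}")
    return sum(weights[k] * risk.sub_factor_scores[k] for k in weights)


def likelihood(risk: Risk) -> float:
    """Probability from incident statistics when they exist (left branch of
    Fig. 2), otherwise a possibility aggregated from experts' opinions."""
    if risk.incidents is not None and risk.years_observed:
        # Assumption: events arrive at a constant yearly rate, so the chance of
        # at least one event in a year is 1 - exp(-rate).
        return 1.0 - math.exp(-risk.incidents / risk.years_observed)
    if not risk.expert_possibility:
        raise ValueError(f"{risk.name}: neither statistics nor expert judgments")
    values = [POSSIBILITY_SCALE[j] for j in risk.expert_possibility]
    return sum(values) / len(values)


def risk_level(risk: Risk) -> float:
    """Risk level/value = impact x likelihood (Section 3.1)."""
    return impact(risk) * likelihood(risk)


def evaluate(risk: Risk, appetite: float) -> str:
    """Decision node of Fig. 2: above the appetite a BC plan is prepared,
    otherwise the risk is accepted and controlled."""
    return "prepare_bc_plan" if risk_level(risk) > appetite else "accept_and_control"


@dataclass
class BCPlan:
    name: str
    prep_time_days: float     # time needed to have the resources ready
    cost: float
    benefit: float
    resumption_level: float   # share of normal output restored, in [0, 1]


def select_bc_plan(plans: list, t_star: float, mtpd_days: list, mbco: float) -> Optional[BCPlan]:
    """Response planning: keep plans that restore at least the MBCO level with a
    preparation time inside (t*, min MTPD), then take the best benefit/cost ratio."""
    deadline = min(mtpd_days)
    eligible = [p for p in plans if p.cost > 0 and p.resumption_level >= mbco
                and t_star < p.prep_time_days < deadline]
    return max(eligible, key=lambda p: p.benefit / p.cost, default=None)


def sample_register() -> list:
    """Constructed register: a disruption risk with statistics and an operational
    risk rated only by experts."""
    return [
        Risk("data_center_fire", {"financial_loss": 0.8, "service_outage": 0.9,
                                  "reputation": 0.6, "data_confidentiality": 0.2},
             incidents=1, years_observed=10),
        Risk("supplier_delay", {"financial_loss": 0.4, "service_outage": 0.5,
                                "reputation": 0.3, "data_confidentiality": 0.0},
             expert_possibility=["high", "very_high", "medium"]),
    ]


def sample_plans() -> list:
    """Constructed candidate plans for the supplier_delay risk."""
    return [
        BCPlan("safety_stock", 1, 50000, 100000, 1.0),        # ready before t*
        BCPlan("expedite_shipping", 5, 30000, 60000, 0.5),    # below the MBCO level
        BCPlan("spot_market_buy", 7, 15000, 45000, 0.65),
        BCPlan("second_source_contract", 10, 20000, 90000, 0.8),
        BCPlan("rebuild_in_house", 30, 80000, 400000, 1.0),   # past min MTPD
    ]


if __name__ == "__main__":
    for r in sample_register():
        print(f"{r.name:22s} impact={impact(r):.3f} likelihood={likelihood(r):.3f} "
              f"level={risk_level(r):.3f} -> {evaluate(r, appetite=0.10)}")
    chosen = select_bc_plan(sample_plans(), t_star=2, mtpd_days=[14, 21], mbco=0.6)
    print("selected plan:", chosen.name if chosen else None)
```

Running the script prints the register with an appetite of 0.10: the rare but severe fire scores below the appetite under the product rule while the frequent supplier delay does not, which is exactly the behaviour a risk owner should check before trusting a single number; the paper's evaluation step instead measures the deviation of the goals after occurrence (Eq. (3)), which this example does not reproduce. In the plan selection, the two exclusions to notice are the cheap plan that is ready before t* (not economically feasible per Fig. 2) and the plan that recovers less than the MBCO level even though its timing fits.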

3.1 Risk identification

Risk identification is defined as "the process of finding, recognizing and recording risks"
(ISO 31010, 2009). It determines which risks might affect the organization under consideration;
through it, decision makers become aware of those events that may disrupt the organization
(Hallikas, Karvonen, Pulkkinen, Virolainen, & Tuominen, 2004). It is worth noting that there are
several definitions of risk in the related literature and international standards (e.g. ISO 31000).
In this paper we adopt the definition provided by ISO 22301 (the international standard for
BCM): "negative effects of uncertainties and disruptive threats on the objectives of the
organization". Furthermore, there are several risk classification schemes in the literature;
among them, we adopt the classification of Tang (2006). This classification is one of the most
widely applied in the supply chain risk management literature and classifies risks into two broad
classes, i.e., operational and disruption risks.

It should also be noted that the terms "operational risks" and "disruption risks" actually refer
to threats or causes of risks (according to the traditional RM literature). Nevertheless, in this
paper we simply call those threats risks, and the product of the impact and likelihood of each
threat the risk level/value. These terms are commonly used in the context of supply chain risk
management (see Tang, 2006). In other words, if the negative effects arise from decision-making
and business-as-usual uncertainties, such causes are simply called "operational risks" here.
Similarly, disruptive events that drastically affect an organization or supply chain are simply
called "disruption risks". Consequently, to avoid any misunderstanding, we use the expressions
"operational risks" and "disruption risks" instead of threats or causes of risks originating from
uncertainties and disruptive threats, respectively. Table 2 lists the risk-related definitions,
categories and concepts used in this paper.
[Figure 2 (flowchart); the recoverable content of its four stages and the BIA inputs is listed below.]

Risk Identification:
• Identifying disruption risks according to Table 3
• Identifying operational risks according to Table 4

Risk Analysis:
• Estimating the risks' impact by the BWM method: determining the best and worst criteria; determining the preference of the best criterion over the other criteria; determining the preference of all criteria over the worst criterion; calculating the weights of the sub-factors
• Defining sub-factors and calculating their weights; estimating the identified risks' sub-factors; computing the level of each risk by WSM
• Estimating the likelihood of risks: if statistical data are available, computing the risk probability; otherwise, computing the risk possibility through experts' opinion

Risk Evaluation:
• Determining the vulnerability of resources to risks
• Calculating the deviation of the goals after risk occurrence by Eq. (3)
• Decision-making about risks: if the deviation exceeds the risk appetite, creating (preparing) a suitable BC plan for the risk; otherwise, accepting and controlling the risk

Risk Response Planning:
• Calculating the resources needed by Eq. (4) for resuming the key functions after occurrence
• Calculating the benefit-cost of each strategy by which the needed resources are prepared
• Computing the resource preparation time for resuming each key function at the MBCO level (t* < t < min{MTPD_j}), where t* denotes the minimum time before which preparing the required resources is not economically feasible
• Selecting suitable BC plans according to the resource preparation times and the benefit-cost analysis

BIA outputs feeding the framework: determining the number of resources; defining the organization's goals and their weights; determining the key functions and their related weights in each goal; determining the MBCO and MTPD of the key functions; determining the risk appetite.

Figure 2. The enhanced RA framework equipped with analytical tools


Table 2. Risk related terms and their definitions

Term | Definition | Reference
Risk | Negative effects of uncertainties and disruptive threats on the objectives of the organization. | (BS25999, 2007; "ISO 22301," 2012)
Likelihood | Chance of a risk occurring, whether defined objectively or subjectively, and stated quantitatively or qualitatively. | (BS25999, 2007)
Impact | Results/outcomes of a risk that affect the organization's goals. | (BS25999, 2007)
Vulnerability | A weakness of an asset/resource that can be exploited by one or more threats. | (ISO 27005, 2008)
Disruption risk | Any threat or event which may cause major disruption in the organization, such as an earthquake, a terrorist attack, or a strike. | (Tang, 2006)
Operational risk | Any inherent uncertainty, such as uncertainty in demand, supply, and environmental data, that might lead to negative effects on the objectives of the organization. | (Tang, 2006)
Risk appetite | Maximum amount of risk that an organization can tolerate to pursue or retain in order to meet its objectives. | ("ISO 22301," 2012)

In Tables 3 and 4, service- and manufacturing-related potential risks derived from our literature
survey are classified into two main categories, operational and disruption risks (Tang, 2006).
Moreover, the identified risks are sub-classified into major groups (e.g. natural and
environmental disruption risks). This helps managers find out the importance of each group of
risks and gain a collective viewpoint about them (Wu, Blackhurst, & Chidambaram, 2006).

Disruption and operational risks differ in nature. Disruption risks originate from disruptive
events caused by natural, man-made or technological threats such as earthquakes, floods,
terrorist attacks or employee strikes. Operational risks, on the other hand, originate from the
inherent uncertainties in demand data (due to inaccurate forecasting), cost rates, and supply data
that inevitably exist in supply chains (Torabi, Baghersad, & Mansouri, 2015). In this paper,
disruption risks are categorized into four major groups, i.e., natural, environmental,
technological, and man-made risks. Tables 3 and 4 show the potential disruption and operational
risks in service/manufacturing organizations, respectively.

Table 3. Potential disruption risks in service/manufacturing organizations

Disruption risks (group / sub-group) | Description/Examples | References
Natural / Biological | Epidemic and insect infestation | (Galindo & Batta, 2013; Holzmann & Jørgensen, 2001; Olson & Wu, 2010; Hiles, 2010)
Natural / Climatological | Drought, extreme temperature, and wildfire | (Bubeck, Botzen, & Aerts, 2012; Galindo & Batta, 2013; Holzmann & Jørgensen, 2001; Kangas & Kangas, 2004)
Natural / Geophysical | Earthquake, mass movement, volcano, subsidence, rock-falls, expansive soils, landslides, tsunamis, and avalanche | (Ebrahim Nejad, Niroomand, & Kuzgunkaya, 2014; Heckmann, Comes, & Nickel, 2014; Hiles, 2010; Holzmann & Jørgensen, 2001; Karimi & Hüllermeier, 2007; Micheal Wallace, 2010; Park, Seager, Rao, Convertino, & Linkov, 2013)
Natural / Hydrological | Flood and storm | (Asgary, Anjum, & Azimi, 2012; Hiles, 2010; Kleindorfer & Saad, 2005; Knemeyer, Zinn, & Eroglu, 2009; Micheal Wallace, 2010; Park et al., 2013)
Natural / Atmospheric-Meteorological | Hailstorms, hurricanes, lightning, tornadoes, and tropical storms | (Hiles, 2010; Kleindorfer & Saad, 2005; Knemeyer et al., 2009; Micheal Wallace, 2010)
Environmental / Social | Risks originating in social activities/conditions such as war, strike, riot, revolution, demonstration, and social or labor unrest | (Craighead, Blackhurst, Rungtusanatham, & Handfield, 2007; Kleindorfer & Saad, 2005; Norrman & Jansson, 2004; Sawik, 2011; Tang, 2006)
Environmental / Competitor | Risks incurred by competitors, e.g. disrupting the joint supply chain by changing prices or copying the design of the service/product | (Christopher, Mena, Khan, & Yurt, 2011; Olson & Wu, 2010)
Environmental / Supplier | Purchase of poor-quality products, delayed arrival of parts, disruption of supplier activities, and breach of contract | (Christopher et al., 2011; Ganguly & Guin, 2010; Lockamy III, 2014; Trkman & Mccormack, 2009)
Environmental / Governmental | Changes in legislation, sanctions, disruptions in political relations between countries, fluctuation in foreign exchange rates, inflation, and changes in interest and tax rates | (Christopher et al., 2011; Clarke & Varma, 1999; Hiles, 2010; Nocco & Stulz, 2006; Trkman & Mccormack, 2009)
Environmental / Regulation | Changes in environmental, ecological, free trade, safety, and labor rules | (K.-H. Chang & Cheng, 2010; Christopher et al., 2011; Holzmann, Sherburne-Benz, Tesliuc, & Unit, 2003; Oke & Gopalakrishnan, 2009; Samantra et al., 2014)
Environmental / Market | Changes in market conditions and new competitor entrants | (Chopra, Reinhardt, & Mohan, 2007; Christopher et al., 2011; Olson & Wu, 2010)
Technological (information systems) / Hardware | Hardware failure, viruses, worms, cyber-attacks, amateur hackers, disruption of communication channels (phone, internet, wireless phone, etc.), disruption at the ISP (internet service provider), and political hacking or cyber protest may cause loss of hardware facilities | (Aagedal et al., 2002; Cerullo & Cerullo, 2004; Gibb & Buchanan, 2006; Nijaz, Mario, & Lejla, 2011; Olson & Wu, 2010)
Technological (information systems) / Software | Wrong software loaded, loss of customer data privacy/confidentiality, software failure, viruses, worms, cyber-attacks, amateur hackers, and political hacking or cyber protest may cause loss of software facilities | (Cerullo & Cerullo, 2004; Gibb & Buchanan, 2006; Olson & Wu, 2010)
Technological (equipment) / Losing the equipment | Power outage, explosions (such as gas explosions), pipe bursts (water pipes), fires, machine failure, and equipment failure | (Cerullo & Cerullo, 2004; Gibb & Buchanan, 2006; Greenberg, Lahr, & Mantell, 2007; Shafiee, 2014)
Man-made (sabotage) / Terrorist attack | Any action taken to destroy the assets of the organization (human and financial resources, transportation and information systems), such as bioterrorism, bombing, and missile attacks | (Altay & Ramirez, 2010; Lavastre, Gunasekaran, & Spalanzani, 2014; Oke & Gopalakrishnan, 2009; Parnell, Smith, & Moxley, 2010; Tang, 2006)
Man-made (sabotage) / Stealing | The act of stealing the assets of the organization, such as internet theft and physical theft | (none)
Man-made (sabotage) / Espionage | The discovery of the organization's secrets | (Aagedal et al., 2002; Cerullo & Cerullo, 2004)
Man-made (sabotage) / Bribery, embezzlement and tampering | Attempts to make employee(s) of the organization do something wrong by giving them money | (Aagedal et al., 2002; Herbane, 2013)
Man-made (insouciance) / Human error, personnel shortfalls and decision-making errors | Something unplanned done in the organization that was not intended by the actor or not desired by the rules | (Cerullo & Cerullo, 2004; Dunjó et al., 2010; Skogdalen & Vinnem, 2011)
Man-made (insouciance) / Insufficient education and knowledge | Performing poorly because of inadequate knowledge and education about tasks | (Cerullo & Cerullo, 2004; Samantra et al., 2014; Wreathall, 2004)
Man-made (insouciance) / Losing human resources | Risks which cause loss of human resources in the organization, such as resignation, dismissal, and absence of employees | (none)

Beyer and Sendhoff (2007) identified the sources of uncertainties in a system based on the
system perspective (see Fig. 3). Moreover, they introduced four sources of uncertainties, which
include: changing environmental and operational conditions, production tolerance and actuator
imprecision, uncertainty in the system’s outputs, and feasibility uncertainty.

[Figure 3: block diagram of a system with four labelled sources of uncertainty: environmental uncertainty (acting on the system from outside), input uncertainty (entering the system), output uncertainty (leaving the system), and uncertainty in decision making and internal operations (inside the system).]

Figure 3. Sources of uncertainties in a system (adopted from Beyer and Sendhoff, 2007)

According to Beyer and Sendhoff’s (2007) definition of uncertainties and Tang’s (2006)
definition of operational risks, we define four major sources of operational risks (see Table 4)
including the suppliers' risks (as the input uncertainty), internal risks (as the uncertainty in the
decision making and internal operations), environmental risks (as the environmental uncertainty),
and market risks (as the output uncertainty).

Table 4. The potential operational risks in service/manufacturing organizations

Operational risks | Description/Examples | References
Supplier risks | Contractual risks with suppliers, transportation uncertainty, misalignment of interests with suppliers, inflexibility in supply | (Lockamy III, 2014; Manuj & Mentzer, 2008)
Internal risks | Credit uncertainty, labor uncertainty, inappropriate staffing, low efficiency and effectiveness, policy fluctuation, process changes, investment risks, changes in the senior managers, lack of technical expertise, change in organization leadership, and financial uncertainty | (Finch, 2004; Harland, Brenchley, & Walker, 2003; Ojala & Hallikas, 2006)
Environmental risks | Changing social concerns, energy price, globalization, change of government, fiscal and monetary reforms, innovation by competitors, emerging technology, and negative media and news | (Olson & Wu, 2010; Trkman & Mccormack, 2009)
Market risks | Inadequate knowledge about people and their culture and needs, poor service/product quality, shifts in markets, changes in customer tastes, availability of substitute services/products, scarcity of complementary services/products, service/product obsolescence, increases in service/product prices, missing services/products, delay in fulfilling a service/product, service/product liability, errors in forecasting demand, long replenishment times (lack of agility in responding to demand), and lack of user commitment and ineffective communication with customers | (Lai & Lau, 2012; Lavastre et al., 2014; Lockamy III, 2014; Manuj & Mentzer, 2008; Tuncel & Alpan, 2010)

To sharpen the meaning of uncertainty, it is worth noting that there are two types of uncertainty: the one expressing the probability of the event, and the uncertainty in the values used to calculate the impacts/consequences of the risk (see Section 3.2). In this way, the magnitude of uncertainty relates directly to the magnitude of the risk: the higher the uncertainty, the greater the degree of risk. Nevertheless, if the level of each risk is properly estimated, the risk assessment will be appropriately conducted. This highlights a main aspect of uncertainty, namely modeling uncertainty (i.e. uncertainty in decision-making). If the system is improperly or incorrectly modeled, the resulting output is of little use. Model validation and calibration are therefore important in accounting for modeling uncertainty.

3.2 Risk analysis

In the risk analysis step, a numerical value is assigned to each identified risk as the level (i.e. value) of that risk, which is the product of the risk's likelihood and its impact/consequences. This estimation might be qualitative, quantitative, or semi-quantitative. Finding the level of each risk is an important task that should be carried out accurately. As mentioned before, if the level of each risk is properly estimated, the risk assessment will be appropriately conducted. To do so, suitable risk factors and their sub-factors should be defined first. In what follows, we explain the factors and sub-factors used to measure the level of risks in this paper.

Likelihood and impact are the two main factors that can adequately describe the level of each risk. Likelihood is defined as the “chance of risk occurring, whether defined objectively or subjectively, and can be stated quantitatively or qualitatively” (BS25999, 2007). Therefore, historical data and/or experts’ subjective judgments can be applied to estimate the likelihood. If enough reliable historical data about the past occurrences of a risk are available, it is better to fit a probability distribution function (PDF), or at least to calculate the past frequency of the risk, to estimate the probability of the risk occurring. Marhavilas and Koulouriotis (2012) define the frequency factor as f = N/t (where N is the number of similar events that have happened during the time period t) to estimate the frequency of hazards/threats in an industrial environment. Furthermore, by counting the frequencies of precursors (e.g. alarms, near misses), building an event tree and processing the data with Hierarchical Bayesian Analysis (HBA), the frequency factor of a rare final event can be estimated more accurately (Kelly and Smith, 2009). Nevertheless, if it is not possible to find the probability of a risk from a fitted PDF or the frequency factor because of a lack of historical data, the subjective opinions of experts can be exploited to find the possibility distribution of the risk occurring, using possibility theory as an analogy to probability theory (see for instance Torabi et al., 2015 for more details about possibilistic data). Notably, in this case subjective probability could also be used as an alternative to the possibility approach, by casting experts’ subjective judgments directly into subjective probability distributions when there is not enough historical data (see Cooke, 1991 and Goossens et al., 2008 for more details on methods and tools supporting the formal application of experts’ judgments).

Furthermore, the consequence of a risk is defined as the “results/outcomes of a risk that will have an impact on the organization’s goals” (BS25999, 2007). The impact and the consequence of a risk are used interchangeably here. In this paper, we use five sub-factors for calculating the impact of a risk, which collectively estimate the impact factor more accurately than when they are used separately. These are the human and financial losses caused by the risk, the cost and time required to recover the organization after the risk occurrence, the capability of the risk to bring about other risks, the non-detectability degree of the risk, and the growth rate of the risk. Since each risk may have an impact on the resources of the organization and cause financial or human losses, the cost of the risk occurring is considered as one of the sub-factors of risk impact. Furthermore, each risk may disrupt the organization’s activities. The cost and time needed to return the critical activities of the organization to an acceptable operating level should therefore be considered as another sub-factor of risk impact. Ritchie & Brindley (2007) considered three dimensions for each risk: the likelihood of an event, the consequence of the event, and the causal pathway leading to the event. Conversely to the causal pathway leading to a risk, a risk might itself lead to the occurrence of other risks. Thus, the capability of a risk to bring about other ones should be considered as another sub-factor of risk impact. The World Economic Forum’s Global Risks 2015 report (Global Risks 2015, 10th Edition, 2015) also considers the interconnection between risks. If a risk cannot be detected before occurrence, it might have a larger impact than a risk that can easily be detected before occurrence. The detectability degree of each risk helps the organization to react far more favorably; therefore, it should be considered as another sub-factor of impact. Halliday et al. (1996) consider risk growth as another risk factor. The growth factor shows the possible future developments of a particular risk. A risk with a low growth factor may diminish soon; on the other hand, a risk with a low impact but a high growth factor would grow into a larger one. Hence, the growth of a risk is one of the important sub-factors when estimating the risk impact. Table 5 summarizes the factors and sub-factors considered when estimating the risk impact of each identified risk.

Table 5. Risk factors and their sub-factors

Risk factor | Risk sub-factor | Description of the sub-factor | Reference
Impact | Human and financial losses (F1) | The human and financial losses of the risk occurring | New sub-factor (this paper)
Impact | Recovery cost and time (F2) | The required cost and time to recover the disrupted activities | New sub-factor (this paper)
Impact | Causal pathway and bringing about other risks (F3) | The degree to which the risk brings about other risks | (Feng et al., 2014; Ritchie & Brindley, 2007)
Impact | Non-detectability degree (F4) | The inability to detect and explore the risk before its occurrence | FMEA approach
Impact | Growth rate (F5) | The rate at which the impact of the risk increases or decreases over time | (Halliday, Badenhorst & Solms, 1996)
Likelihood | Possibility (F6) | The possibility level of the risk occurring according to the experts’ subjective opinions when there is not enough historical data | (Kangas & Kangas, 2004; Samantra et al., 2014)
Likelihood | Probability (F7) | Probability distribution function or frequency of the risk occurring according to the available historical data, or subjective probability according to the experts’ subjective judgments when there is not enough historical data | (Kangas & Kangas, 2004; Kull & Closs, 2008)

In order to calculate the impact of each risk quantitatively, the values of the five aforementioned sub-factors should be calculated first. We have also adopted an effective MADM technique called the Best-Worst Method (BWM), recently developed by Rezaei (2015), to find the weights of these sub-factors (see appendix A for more details about this approach and its advantages over the well-known AHP method). After calculating the weights of these sub-factors, the impact of each risk is calculated by the well-known weighted sum method (WSM) through Eq. (1).

$I_i = \sum_{j=1}^{5} w_j \, a_{ij}$ (1)

where $I_i$, $w_j$ and $a_{ij}$ denote the impact of the ith risk, the weight of sub-factor j, and the score of the ith risk with respect to sub-factor j, respectively. Notably, both the $w_j$ and the $a_{ij}$ values lie in the interval [0,1] (and the BWM weights sum to one), so the $I_i$ values are also calculated in this interval. After estimating the likelihood and impact of each risk according to the aforementioned techniques and information, the risks are then prioritized in the risk evaluation step, which is elaborated in the next section.
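The risk analysis step as an added example in Python (this is not code from the paper): it computes the frequency factor f = N/t from a constructed incident history, the impact of a risk by the weighted sum of Eq. (1), and the risk level as impact times likelihood for prioritization. It reuses the BWM weights reported for the case study in Section 4.2 and three pessimistic-scenario rows of Table 6; the conversion of a frequency factor into a probability over a planning horizon assumes Poisson-distributed occurrences, which is an assumption added here and not stated by the paper.

```python
import math

# Added example, not from the paper. BWM weights of the impact sub-factors
# F1..F5 as reported for the case study in Section 4.2 (they sum to 1).
BWM_WEIGHTS = (0.33, 0.25, 0.18, 0.10, 0.14)

# Pessimistic-scenario rows copied from Table 6: sub-factor scores F1..F5
# and the possibility (F6) used as the likelihood.
RISK_SCORES = {
    "Epidemic (R1)":      ((0.8, 0.6, 0.9, 0.8, 0.9), 0.65),
    "Lightning (R4)":     ((0.5, 0.4, 0.3, 0.8, 0.3), 0.48),
    "Cyber-attack (R20)": ((0.9, 0.8, 0.7, 0.7, 0.7), 0.53),
}


def impact(scores, weights=BWM_WEIGHTS):
    """Eq. (1): I_i = sum_j w_j * a_ij. Every w_j and a_ij lies in [0, 1]
    and the weights sum to one, so the result lies in [0, 1] as well."""
    if len(scores) != len(weights):
        raise ValueError("one score per sub-factor is required")
    if any(not 0.0 <= s <= 1.0 for s in scores):
        raise ValueError("sub-factor scores must lie in [0, 1]")
    return sum(w * a for w, a in zip(weights, scores))


def frequency_factor(n_events, period_years):
    """f = N / t (Marhavilas and Koulouriotis, 2012): similar events per year
    observed over a historical record of t years."""
    if period_years <= 0:
        raise ValueError("observation period must be positive")
    return n_events / period_years


def likelihood_from_frequency(f, horizon_years=1.0):
    """Probability of at least one occurrence within the planning horizon.
    Assumption added here (not stated in the paper): occurrences follow a
    Poisson process with rate f, so P = 1 - exp(-f * horizon)."""
    return 1.0 - math.exp(-f * horizon_years)


def risk_levels(risk_scores, weights=BWM_WEIGHTS):
    """Risk level = impact x likelihood; returns (name, I, L, level) tuples
    sorted from the highest level down, ready for the evaluation step."""
    rows = []
    for name, (scores, likelihood) in risk_scores.items():
        i = impact(scores, weights)
        rows.append((name, round(i, 4), likelihood, round(i * likelihood, 4)))
    rows.sort(key=lambda row: row[3], reverse=True)
    return rows


if __name__ == "__main__":
    # Constructed history: 3 similar incidents recorded over 10 years.
    f = frequency_factor(3, 10)
    print(f"f = {f:.2f} per year; P(at least one in 5 years) = "
          f"{likelihood_from_frequency(f, 5):.3f}")
    for row in risk_levels(RISK_SCORES):
        print("{:<20} I={:.4f} L={:.2f} level={:.4f}".format(*row))
```

Ranking by the product of impact and likelihood is what the evaluation step in the next section starts from; note that a risk such as the cyber-attack (R20) has the highest impact of the three rows but ranks below the epidemic (R1) once its lower possibility is taken into account.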

3.3 Risk evaluation

After analyzing the likely risks, suitable actions should be selected to tackle them. Generally, an organization has limited resources to respond to risks. Therefore, the managers need to know which risks have the higher impacts on the organization’s goals in order to manage their limited resources when responding to the risks. In this stage, the results of the BIA and RA are merged to identify those risks which may cause a deviation in the organization’s goals larger than the pre-determined maximum deviation (i.e. the risk appetite). In addition, finding the relation between the key functions and the identified risks helps the organization to find those risks with adverse effects on the goals and to prepare the required action plans to cope with them.

When a risk occurs, it may cause the loss of specific resource(s). When such resource(s) are lost, the operating level of the key functions decreases and some deviations from the organization’s goals may occur. To calculate the amount of deviation from the goals, the risks’ impacts on resources are considered. A risk may have a high impact and likelihood but no effect on a specific resource (e.g. an earthquake may cause loss of human and financial resources, facilities and equipment, while a cyber-attack may only cause loss of equipment and financial resources). Hence, the effects of the identified risks on the organization’s resources depend on the vulnerability of those resources. For example, earthquakes with the same impacts and likelihoods may have different effects on the resources of two different organizations. According to the nature of the organization and its geographical location and infrastructure, various resources may be more or less vulnerable to the risks. Thus, the vulnerability of the resources, which expresses the effect of the risks (i.e. the magnitude of their impacts) on the resources, should be considered when evaluating the risks.

The effect of the ith risk on the kth resource, $\varepsilon_{ik}$, is obtained by multiplying three parameters: the impact and the likelihood of the ith risk, and the vulnerability level of the kth resource to the ith risk. Therefore, the lost amount of the kth resource after the occurrence of the ith risk is calculated by Eq. (2).

$\varepsilon_{ik} = \gamma_{ik} \cdot I_i \cdot L_i \quad \forall i, k$ (2)

where $\gamma_{ik}$, $I_i$ and $L_i$ represent the vulnerability level of the kth resource to the ith risk, the impact of the ith risk and the likelihood of the ith risk, respectively. Note that impact can easily be misunderstood as comprising the damage to a receptor, but here we assume it is restricted to a potentially damaging mechanism.

Finding the key functions’ importance degrees is a critical activity in implementing a BCMS in an organization. Torabi et al. (2014) defined ten measures to identify the key functions in an organization and applied a combined DEMATEL and ANP technique to account for the interrelationships between them. Their approach can be applied as a tool to find the importance degrees of the key functions. Furthermore, the importance degrees of the organization’s goals can be estimated by applying the BWM method. For this, the organization’s goals are first defined by the top managers. Then, the best and the worst (i.e. the most and the least important) goals are identified using their opinions. Afterwards, the preference of the best goal over the other goals and the preference of all goals over the worst goal are gathered from their opinions. Finally, the importance degrees of the organization’s goals are estimated by the BWM method.

After finding the importance degrees of the organization’s goals, the maximum tolerability of
reduction in attaining each pre-defined goal is determined by the top managers’ professional
opinions. Then, the well-known WSM method is applied to find the risk appetite (in percentage).

Now, according to the BIA outputs (i.e. the key functions and their continuity measures), the risk appetite and the key functions’ importance degrees, the deviation of the organization’s goals after a risk occurrence is calculated by Eq. (3). In this equation, $\delta_i$ shows the deviation of the organization’s goals after the occurrence of the ith risk.

$\delta_i = \sum_{g} v'_g \sum_{j} v_{jg} \cdot \max_{k \in K_j}\{\varepsilon_{ik}\} \quad \forall i$ (3)

where $K_j$ is the set of resources required for performing the jth key function, which in turn is needed to achieve the pre-defined goals; $\varepsilon_{ik}$ is the effect of the ith risk on the kth resource from Eq. (2); and $v'_g$ and $v_{jg}$ are the importance degrees of the gth organizational goal and of the jth key function (with respect to the gth goal), respectively.

One of the important steps in the BIA process is to find the key functions of the organization and their related activities. Losing resources after a risk occurrence leads to a degradation in the operating level of the key functions, which in turn leads to deviations in the organization’s goals. Furthermore, organizations should determine the risk appetite for their goals, which indicates the maximum tolerable reduction in attaining the pre-defined goals. This means that a deviation in the organization’s goals is acceptable whenever it is less than the risk appetite. Fig. (5) shows the hierarchical relationships between the risks, organizational resources, key functions, and the organization’s goals. The occurrence of any threat (defined as a disruption or operational risk in this paper) may cause the loss of specific organizational resource(s), which in turn reduces the operating levels of those key functions that use these resources. Then, according to the importance weights of the key functions, the organization’s goals may face considerable deviations after the risk occurs. For example, a supplier risk (e.g. an increase in the lead time for supplying a raw material) may decrease the operating level of the production line compared to its pre-defined schedule. Thus, the organization may not completely fulfill customer demand, and some goals of the organization (e.g. increasing the satisfaction level of customers and increasing market share) would deviate.

[Figure 5: hierarchy diagram. Top: the organization’s goals G1, G2, …, Gg. Below them the key functions F1, F2, …, Fj, linked to each goal by importance weights v11, v21, …, vj1 (for G1), v12, v22, …, vj2 (for G2) and v1g, v2g, …, vjg (for Gg). Below the key functions: the resources. Bottom: the disruption and operational risks R1, R2, R3, …, Ri.]

Figure 5. Relationships between operational and disruption risks, organizational resources, key functions, and the goals of an organization

For those risks whose deviation (computed by Eq. (3)) is larger than the risk appetite, suitable response (i.e. continuity) plans should be proposed. The other risks are accepted since they produce a smaller deviation than the organization’s risk appetite. Nevertheless, these risks should be brought under control to prevent a likely deviation. Taking corrective actions when needed, training employees, improving processes, and utilizing new technologies are some examples of controlling such risks.

3.4. Risk response planning

Risk response planning is the implementation of the decisions (i.e. response plans) obtained from the risk assessment/evaluation phase. Responding to the risks is divided into two stages. In the first stage, those risks that might cause a deviation in the organization’s goals and have great effects on the key functions should be responded to properly by invoking BCPs. In the second stage, risk response strategies (e.g. transfer and mitigation) can be applied to cope with low-impact, medium- or high-likelihood risks.

BCPs (i.e. risk response plans) are applied to resume and restore those critical functions of the organization which, after the occurrence of a risk, may cause a deviation in the organization’s goals. Thus, these risks should be properly responded to in order to ensure the continuation of the key operations at least at the minimum acceptable operating level (i.e. MBCO) immediately after a risk occurrence and within the maximum acceptable time (i.e. MTPD), through utilizing appropriate BCPs. Note that MBCO is defined as the minimum acceptable operating level of the key functions of the organization, and MTPD is defined as the maximum period of time for which the key functions can be interrupted, after which the key functions should be resumed at least at the MBCO level (“ISO 22301,” 2012). Both MBCO and MTPD should be defined for the organization’s key functions. In order to prepare BCPs, two essential measures should be considered: first, the minimum resources required to continue the key functions at the pre-defined MBCO level, and second, the time required to prepare the needed resources. If the resources remaining after the risk occurrence are less than the MBCO amount, the required extra resources should be prepared by invoking appropriate plans. The minimum resources necessary after a risk occurrence can be calculated by Eq. (4).

$\rho_{ijk} = \max\{0,\ (MBCO_{jk} + \gamma_{ik} \cdot I_i - 1) \cdot \omega_{jk}\} \quad \forall j, k,\ i \in \Delta$ (4)

where $\Delta$ is the set of risks which cause a deviation in the organization’s goals; $\rho_{ijk}$ denotes the amount of the kth resource needed for resuming the jth key function at the level $MBCO_{jk}$ after the occurrence of the ith risk; $MBCO_{jk}$ denotes the minimum acceptable level of resuming the jth key function with respect to the kth resource; $\gamma_{ik}$ is the vulnerability level of the kth resource to the ith risk (once the risk has occurred, the fraction $\gamma_{ik} \cdot I_i$ of the resource is lost, so $1 - \gamma_{ik} \cdot I_i$ of it remains); and $\omega_{jk}$ designates the total amount of the kth resource for accomplishing the jth key function. As mentioned earlier, the organization has limited time to recover the jth key function to the MBCO level (up to $MTPD_j$). Therefore, the resources required for the jth key function should be prepared before $MTPD_j$ is reached.
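The evaluation chain of Eqs. (2) to (4), from resource vulnerability through goal deviation and the risk appetite to the resources a BCP must prepare, as an added Python example (not the paper's own code). The organization, its resources, key functions, goals, importance degrees, MBCO levels and resource totals are all constructed for illustration; in the paper these come from the BIA, DEMATEL/ANP and BWM.

```python
# Added example, not from the paper: the evaluation chain of Eqs. (2) to (4)
# for a hypothetical emergency-services organisation. Every name and number
# below is constructed for illustration.

# Impact I_i and likelihood L_i of each risk on a [0, 1] scale (constructed).
RISKS = {"R2 earthquake": (0.60, 0.50), "R20 cyber-attack": (0.80, 0.50)}

# Vulnerability gamma_ik of each resource to each risk (constructed).
VULNERABILITY = {
    "R2 earthquake":    {"staff": 0.6, "it_systems": 0.5, "facility": 0.9},
    "R20 cyber-attack": {"staff": 0.0, "it_systems": 0.9, "facility": 0.0},
}

# K_j: the resources each key function needs.
FUNCTION_RESOURCES = {
    "dispatch": {"staff", "it_systems"},
    "warning": {"it_systems", "facility"},
}
# v_jg: importance of key function j to goal g; v'_g: importance of goal g
# (the paper obtains these with DEMATEL/ANP and BWM; values constructed).
FUNCTION_TO_GOAL = {
    "response_time": {"dispatch": 0.7, "warning": 0.3},
    "coverage":      {"dispatch": 0.4, "warning": 0.6},
}
GOAL_IMPORTANCE = {"response_time": 0.6, "coverage": 0.4}
# Maximum tolerable reduction in attaining each goal, set by top management.
GOAL_TOLERANCE = {"response_time": 0.25, "coverage": 0.35}

# MBCO_jk (fraction of the normal operating level) and omega_jk (units of
# resource k that function j normally uses); constructed.
MBCO = {"dispatch": {"staff": 0.6, "it_systems": 0.5},
        "warning":  {"it_systems": 0.4, "facility": 0.5}}
TOTAL = {"dispatch": {"staff": 20, "it_systems": 40},
         "warning":  {"it_systems": 10, "facility": 2}}


def effect(vulnerability, impact_, likelihood):
    """Eq. (2): epsilon_ik = gamma_ik * I_i * L_i."""
    return vulnerability * impact_ * likelihood


def risk_appetite(goal_importance, goal_tolerance):
    """WSM over the goals: appetite = sum_g v'_g * tolerance_g."""
    return sum(goal_importance[g] * goal_tolerance[g] for g in goal_importance)


def goal_deviation(risk):
    """Eq. (3): delta_i = sum_g v'_g * sum_j v_jg * max_{k in K_j} epsilon_ik."""
    impact_, likelihood = RISKS[risk]
    eps = {k: effect(v, impact_, likelihood) for k, v in VULNERABILITY[risk].items()}
    total = 0.0
    for goal, v_g in GOAL_IMPORTANCE.items():
        for func, v_jg in FUNCTION_TO_GOAL[goal].items():
            total += v_g * v_jg * max(eps[k] for k in FUNCTION_RESOURCES[func])
    return total


def risks_needing_bcp():
    """The set Delta: risks whose goal deviation exceeds the risk appetite.
    The remaining risks are accepted (but still kept under control)."""
    appetite = risk_appetite(GOAL_IMPORTANCE, GOAL_TOLERANCE)
    return {r for r in RISKS if goal_deviation(r) > appetite}


def required_resources(risk, mbco=MBCO, total=TOTAL):
    """Eq. (4): rho_ijk = max(0, (MBCO_jk + gamma_ik * I_i - 1) * omega_jk).
    Once the risk has occurred, the fraction gamma_ik * I_i of resource k is
    lost; the result is the shortfall below the MBCO level (0 if none)."""
    impact_ = RISKS[risk][0]
    shortfall = {}
    for func, levels in mbco.items():
        for res, level in levels.items():
            lost = VULNERABILITY[risk][res] * impact_
            shortfall[(func, res)] = max(0.0, (level + lost - 1.0) * total[func][res])
    return shortfall


if __name__ == "__main__":
    print("risk appetite:", round(risk_appetite(GOAL_IMPORTANCE, GOAL_TOLERANCE), 4))
    for r in RISKS:
        print(f"{r}: deviation = {goal_deviation(r):.4f}")
    for r in sorted(risks_needing_bcp()):
        print(f"{r}: resources to prepare = {required_resources(r)}")
```

With these constructed numbers the earthquake stays under the appetite (it is accepted and controlled) while the cyber-attack exceeds it, and Eq. (4) then states exactly how many IT-system units each key function must have ready before its MTPD; the staff and facility entries come out as zero because the risk does not touch those resources.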

Cost-benefit analysis is one of the approaches that can be adopted to analyze the risk response plans. Balancing costs against benefits assists the organization in selecting the appropriate strategies to provide the needed resources. In this way, according to the MTPDs and the cost-benefit analysis, the best strategies for providing the required resources should be selected among the candidates. The resources needed for resuming a specific key function when it is disrupted should be prepared earlier than the related MTPD. So, when is the best time for preparing the resources once the cost-benefit analysis is taken into account? As mentioned before, finding the optimal time for preparing the needed resources is the crucial question to be answered. The results of the cost-benefit analysis of the candidate strategies help the BCM team to find the best strategies for preparing the resources needed to recover disrupted key functions. Providing the required resources immediately after a risk occurrence needs high expenditure: for example, the organization would have to keep reserve (backup) skilled staff members ready to substitute for lost staff, which means keeping two people for a specific key function. This causes high expenditure and is an ineffective risk management process. Therefore, finding a feasible time for preparing the required resources after the risk occurrence is an important issue. Fig. (6) indicates that selecting the best response strategy to cope with a specific risk depends on the cost-benefit analysis of the strategies and the MTPD of the affected key functions.

As the strategies’ graph in Fig. (6) shows, the benefit-cost of some candidates is negative; these strategies cannot be used to prepare the needed resources. The time required for preparing resources is the key element in putting forward BCPs. Preparing the needed resources immediately after a risk occurrence is usually expensive and therefore not economically feasible. In this case, the required resources should be reserved somewhat earlier. Suppose that some of the organization’s experts might be lost due to a high-impact earthquake. In this case, some of the following candidate strategies might be selected to provide the needed human resources in response to such a risk.
• Training reserve (backup) skilled staff members so that they can immediately substitute for the lost people.
• Recruiting new skilled staff and using them instead of the lost people.
• Training semi-skilled people and substituting them for the lost people after a while.

Required time and cost for each aforementioned strategy differs from other choices. Benefit-
cost of the first strategy would be negative but the required time for resource preparation is
approximately zero. Furthermore, the benefit-cost of the second and third strategies would be
positive and the required time for resource preparation for both of them will be less than MTPD
of the key functions.

Benefit-cost analysis provides the minimum required time for preparing resources. As shown
in Fig. (6), t* indicates the time after which the benefit-cost of the candidate strategies are
positive. Therefore, those strategies whose required time for preparing resources is more than t*
could be considered as the appropriate choices. Also, MTPD of the key functions is considered
as the upper bound for the resources preparing time. Therefore, those strategies whose required
times for preparing resources are between t* and MTPD constitute the feasible choices.
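The strategy-selection window just described, as an added Python example (not the paper's own code): a benefit-cost curve over the preparation time gives t* as the first time at which benefit-cost becomes positive, and only candidates whose preparation time falls between t* and the MTPD are kept. The curve, the candidate strategies and the MTPD are constructed for illustration; the paper gives the curve only graphically in Fig. (6).

```python
import math

# Added example, not from the paper: picking response strategies inside the
# window [t*, MTPD] of Fig. 6. The benefit-cost curve, the candidate strategies
# and the MTPD are constructed; the paper shows the curve only graphically.


def benefit_cost(prep_time_days, benefit=5.0, readiness_cost=20.0, decay=0.35):
    """Constructed curve: holding resources ready for immediate use is
    expensive, and the readiness cost falls as more preparation time is
    allowed, so benefit-cost rises with time and crosses zero at t*."""
    return benefit - readiness_cost * math.exp(-decay * prep_time_days)


def break_even_time(curve=benefit_cost, horizon_days=30, step=0.1):
    """t*: the first time on a grid at which the curve's benefit-cost is
    positive (None if it never turns positive within the horizon)."""
    steps = int(round(horizon_days / step))
    for i in range(steps + 1):
        t = i * step
        if curve(t) > 0:
            return t
    return None


def feasible_strategies(candidates, mtpd_days, curve=benefit_cost):
    """Keep the candidates whose resource preparation time lies in [t*, MTPD]:
    earlier than t* the benefit-cost is negative, later than MTPD the key
    function stays below MBCO for too long. Returns names, soonest first."""
    t_star = break_even_time(curve)
    if t_star is None:
        return []
    ok = [(t, name) for name, t in candidates.items() if t_star <= t <= mtpd_days]
    return [name for t, name in sorted(ok)]


if __name__ == "__main__":
    # Constructed candidates for replacing lost experts (days until the
    # replacement is in place), echoing the three options listed above.
    candidates = {
        "backup skilled staff on standby": 0,
        "recruit new skilled staff": 10,
        "train semi-skilled staff": 14,
    }
    print("t* =", break_even_time())
    print("feasible within MTPD = 15 days:", feasible_strategies(candidates, 15))
```

The standby option is rejected because its preparation time lies before t* (negative benefit-cost), and shortening the MTPD to 12 days would also exclude the training option, which is the trade-off the figure illustrates.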

[Figure 6: plot for Resource 1 of benefit-cost (left axis, from -20 to 20) and the needed resource level (right axis, from 0 to 1, with the MBCO level marked) against time (0 to 18). Marked points: the risk occurrence, t* (where the strategies’ benefit-cost turns positive), the MTPD, and the interval between t* and the MTPD labelled “Accepted time for strategy selection”. Legend entries: Strategies, Resource.]

Figure 6. Selecting strategies based on the benefit-cost analysis and MTPD of key functions

Transferring (e.g. insurance), mitigating (e.g. reducing the likelihood and impact of the risks) and avoiding (e.g. removing the sources of risks) are some response plans to deal with risks causing deviation in the organization’s goals, even though the amount of extra resources required by Eq. (4) for these risks might be zero. This means that after the occurrence of these risks, the resources remaining to resume the key functions do not fall below the MBCO level. These types of risks have low impact but high or medium likelihood, and still affect the organization’s goals by more than the risk appetite. Based on the nature of the risks and the budget assigned to the risk management response plans, risk response plans can be invoked to cope with them. Suppose that errors in demand forecasting are frequent and their impact on an organization’s goals is more than the risk appetite. Then, to cope with this risk, an avoiding strategy (e.g. changing or improving the current demand forecasting approach) can be applied.

4. Case study

In this section, the proposed RA framework is calibrated by applying it to a real service organization, referred to here as organization X (for confidentiality), which is in charge of disaster management services in the city of Tehran. Note that validation requires more than just a case study, while calibration can be addressed via an application to a single case study (Campbell and Stanley, 1963).

This organization has around 100 employees. BCMS has recently been implemented in the
organization due to the importance of continuity of the organization’s key functions after any
risk occurrence. The proposed RA framework with its suggested analytical techniques is applied
to enhance and facilitate conducting the risk assessment process within the BCMS context in the
organization whose details are elaborated hereafter.

4.1 Identifying the risks

In order to identify the potential risks threatening organization X, a questionnaire was designed and eight experts, including four top managers of the organization plus four other experts, were asked to fill it out. The identified risks were then categorized into two main groups (i.e. disruption and operational risks). Among the potential disruption and operational risks in service organizations already presented in Tables 3 and 4, the fifty risks threatening organization X are presented in Table 6. As confirmed by the organization’s managers, Tables 3 and 4 were very helpful in identifying the disruption and operational risks in this organization.

4.2 Analyzing the risks

According to the organization’s conditions and the nature of the identified risks, the impact and likelihood of each risk can differ according to its scale of occurrence. For example, an earthquake may have a low, medium or high impact depending on its scale. Therefore, three scenarios, namely the optimistic, realistic, and pessimistic scenarios, are generated to measure the impact and likelihood of each risk at its different scales of occurrence (Sahebjamnia et al., 2015). Defining these scenarios helps top management gain comprehensive insight into the likelihood and impact of risks in different situations. In order to analyze the risks, a questionnaire was designed and eight experts, including the four top managers and four middle managers, were asked to fill it out. These experts’ judgments about the sub-factors of the risks’ impacts and likelihoods in each scenario were gathered in the form of linguistic terms, which were then transformed into their numerical equivalents by associating each linguistic term with a trapezoidal fuzzy number (TFN) (see appendix B for more details). The well-known center of area (COA) method was then used to defuzzify these TFNs. After this defuzzification and the estimation of each sub-factor, the impact of each risk was calculated by the WSM method through Eq. (1). Furthermore, the weights of the sub-factors (F1 to F5, defined in Table (2)) were computed using the BWM method as (w1 = 0.33, w2 = 0.25, w3 = 0.18, w4 = 0.10, w5 = 0.14) (see appendix C). Table 6 shows the detailed data pertaining to the risk factors of the identified risks in each scenario. Note that the values of the impact sub-factors in each scenario are the defuzzified values of the related linguistic terms. Furthermore, among the possible risks, those related to human and industrial safety (such as explosions, fires, human errors and decision making errors) deserve special attention when implementing a BCMS within an organization.
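The linguistic-to-crisp step just described, as an added Python example (not the paper's own code): each expert's linguistic term is mapped to a trapezoidal fuzzy number, the experts' TFNs are averaged corner by corner, and the aggregate is defuzzified by the centre of area (centroid) formula to give a crisp sub-factor value of the kind listed in Table 6. The five-term scale and its TFNs are assumptions made here (the paper's own scale is in its appendix B, which this page does not reproduce), and the expert judgments are constructed.

```python
# Added example, not from the paper: converting experts' linguistic judgments
# into the crisp sub-factor values of Table 6. The five-term scale and its
# trapezoidal fuzzy numbers (a, b, c, d) are assumptions made here; the paper's
# own scale is in its Appendix B, which is not reproduced on this page.
LINGUISTIC_SCALE = {
    "very low":  (0.0, 0.0, 0.1, 0.3),
    "low":       (0.1, 0.3, 0.3, 0.5),
    "medium":    (0.3, 0.5, 0.5, 0.7),
    "high":      (0.5, 0.7, 0.7, 0.9),
    "very high": (0.7, 0.9, 1.0, 1.0),
}


def centre_of_area(tfn):
    """Centre of area (centroid) of a trapezoidal membership function with
    support [a, d] and core [b, c]:
        x* = ((c^2 + d^2 + c*d) - (a^2 + b^2 + a*b)) / (3 * ((c + d) - (a + b)))
    which is the closed form of integral(x * mu(x)) / integral(mu(x))."""
    a, b, c, d = tfn
    if not a <= b <= c <= d:
        raise ValueError("trapezoid corners must be non-decreasing")
    denominator = 3.0 * ((c + d) - (a + b))
    if denominator == 0.0:  # degenerate case a == b == c == d: a crisp number
        return float(a)
    return ((c * c + d * d + c * d) - (a * a + b * b + a * b)) / denominator


def aggregate_judgments(terms):
    """Average the experts' TFNs corner by corner (arithmetic-mean
    aggregation), then defuzzify the aggregate by COA."""
    if not terms:
        raise ValueError("at least one judgment is required")
    tfns = [LINGUISTIC_SCALE[t] for t in terms]
    mean_tfn = tuple(sum(corner) / len(tfns) for corner in zip(*tfns))
    return centre_of_area(mean_tfn)


def scenario_scores(judgments):
    """judgments: {scenario: {sub_factor: [term per expert]}} ->
    {scenario: {sub_factor: crisp value rounded to two decimals}}."""
    return {scenario: {f: round(aggregate_judgments(terms), 2)
                       for f, terms in factors.items()}
            for scenario, factors in judgments.items()}


if __name__ == "__main__":
    # Constructed judgments of four experts on two sub-factors of one risk.
    sample = {
        "pessimistic": {"F1": ["high", "very high", "high", "medium"],
                        "F4": ["medium", "medium", "high", "medium"]},
        "optimistic":  {"F1": ["low", "medium", "low", "low"],
                        "F4": ["very low", "low", "low", "very low"]},
    }
    for scenario, values in scenario_scores(sample).items():
        print(scenario, values)
```

For a symmetric trapezoid the centroid is simply the midpoint of its support, which is a quick sanity check on the formula; the asymmetric end terms ("very low", "very high") are where COA differs from a naive average of the four corners.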

Table 6. The impact and likelihood of identified risks in organization X

Columns: impact sub-factors F1 to F5 and likelihood (possibility, F6) under the pessimistic, realistic and optimistic scenarios; all values lie in [0,1].

Risk | Pessimistic F1 F2 F3 F4 F5 | F6 | Realistic F1 F2 F3 F4 F5 | F6 | Optimistic F1 F2 F3 F4 F5 | F6
Epidemic (R1) | 0.8 0.6 0.9 0.8 0.9 | 0.65 | 0.7 0.5 0.8 0.7 0.8 | 0.56 | 0.6 0.5 0.7 0.6 0.7 | 0.41
Earthquake (R2) | 0.6 0.7 0.8 0.9 0.3 | 0.65 | 0.5 0.6 0.7 0.8 0.3 | 0.57 | 0.5 0.5 0.6 0.7 0.2 | 0.37
Flood (R3) | 0.7 0.6 0.4 0.3 0.3 | 0.57 | 0.6 0.5 0.3 0.3 0.3 | 0.43 | 0.5 0.5 0.3 0.2 0.2 | 0.28
Lightning (R4) | 0.5 0.4 0.3 0.8 0.3 | 0.48 | 0.4 0.3 0.3 0.7 0.3 | 0.38 | 0.4 0.3 0.2 0.6 0.2 | 0.13
Tornadoes (R5) | 0.6 0.6 0.3 0.5 0.3 | 0.48 | 0.5 0.5 0.3 0.4 0.3 | 0.39 | 0.5 0.5 0.2 0.4 0.2 | 0.18
War (R6) | 0.8 0.6 0.7 0.3 0.3 | 0.39 | 0.7 0.5 0.6 0.3 0.3 | 0.29 | 0.6 0.5 0.5 0.2 0.2 | 0.19
Strike (R7) | 0.6 0.5 0.9 0.3 0.8 | 0.59 | 0.5 0.4 0.8 0.3 0.7 | 0.42 | 0.5 0.4 0.7 0.2 0.6 | 0.23
Riot (R8) | 0.5 0.5 0.6 0.3 0.5 | 0.58 | 0.4 0.4 0.5 0.3 0.4 | 0.49 | 0.4 0.4 0.4 0.2 0.4 | 0.37
Labor unrest (R9) | 0.6 0.6 0.5 0.3 0.6 | 0.49 | 0.5 0.5 0.4 0.2 0.5 | 0.39 | 0.4 0.4 0.3 0.2 0.4 | 0.27
Breaking the contracts by suppliers (R10) | 0.3 0.5 0.4 0.5 0.3 | 0.37 | 0.2 0.4 0.3 0.4 0.2 | 0.28 | 0.2 0.3 0.3 0.3 0.2 | 0.17
Purchasing poor quality products (R11) | 0.3 0.5 0.7 0.3 0.3 | 0.39 | 0.2 0.4 0.6 0.2 0.2 | 0.21 | 0.2 0.3 0.5 0.2 0.2 | 0.17
Changes in legislation (R12) | 0.3 0.3 0.6 0.3 0.3 | 0.38 | 0.2 0.2 0.5 0.2 0.2 | 0.29 | 0.2 0.2 0.4 0.2 0.2 | 0.19
Sanctions (R13) | 0.8 0.8 0.6 0.1 0.6 | 0.67 | 0.7 0.7 0.5 0.1 0.5 | 0.50 | 0.5 0.5 0.4 0.1 0.4 | 0.39
Fluctuation in the foreign exchange rates (R14) | 0.5 0.5 0.5 0.4 0.3 | 0.55 | 0.4 0.4 0.4 0.3 0.2 | 0.40 | 0.3 0.3 0.3 0.3 0.2 | 0.31
Inflation (R15) | 0.6 0.4 0.5 0.3 0.5 | 0.59 | 0.5 0.3 0.4 0.2 0.4 | 0.45 | 0.4 0.3 0.3 0.2 0.3 | 0.22
Changing the labor rules (R16) | 0.3 0.3 0.3 0.4 0.3 | 0.37 | 0.2 0.2 0.2 0.3 0.2 | 0.26 | 0.2 0.2 0.2 0.3 0.2 | 0.14
Demands fluctuation (R17) | 0.4 0.3 0.6 0.6 0.4 | 0.77 | 0.3 0.2 0.5 0.5 0.3 | 0.51 | 0.3 0.2 0.4 0.4 0.3 | 0.36
Hardware failure (R18) | 0.6 0.7 0.5 0.4 0.4 | 0.44 | 0.5 0.6 0.4 0.3 0.3 | 0.20 | 0.4 0.5 0.3 0.3 0.3 | 0.11
Viruses (R19) | 0.8 0.7 0.7 0.6 0.5 | 0.69 | 0.7 0.6 0.6 0.5 0.4 | 0.45 | 0.5 0.5 0.5 0.4 0.3 | 0.29
Cyber-attack (R20) | 0.9 0.8 0.7 0.7 0.7 | 0.53 | 0.7 0.7 0.6 0.6 0.6 | 0.49 | 0.6 0.5 0.5 0.5 0.5 | 0.38
Disruption in the communication ways (R21) | 0.4 0.3 0.3 0.3 0.5 | 0.78 | 0.3 0.2 0.2 0.2 0.4 | 0.50 | 0.3 0.2 0.2 0.2 0.3 | 0.38
Loss of customer data privacy (R22) | 0.6 0.6 0.4 0.3 0.3 | 0.68 | 0.5 0.5 0.3 0.2 0.2 | 0.40 | 0.4 0.4 0.3 0.2 0.2 | 0.24
Power outage (R23) | 0.8 0.7 0.7 0.4 0.4 | 0.49 | 0.7 0.6 0.6 0.3 0.3 | 0.32 | 0.5 0.5 0.5 0.3 0.3 | 0.18
Explosions (R24) | 0.7 0.7 0.6 0.5 0.4 | 0.39 | 0.6 0.6 0.5 0.4 0.3 | 0.28 | 0.5 0.5 0.4 0.3 0.3 | 0.16
Fires (R25) | 0.8 0.7 0.5 0.7 0.5 | 0.58 | 0.7 0.6 0.4 0.6 0.4 | 0.38 | 0.5 0.5 0.3 0.5 0.3 | 0.21
Equipment failure (R26) | 0.5 0.5 0.5 0.3 0.3 | 0.58 | 0.4 0.4 0.4 0.2 0.2 | 0.45 | 0.3 0.3 0.3 0.2 0.2 | 0.28
Bioterrorism (R27) | 0.7 0.6 0.5 0.6 0.5 | 0.57 | 0.6 0.5 0.4 0.5 0.4 | 0.40 | 0.5 0.4 0.3 0.4 0.3 | 0.23
Bombing (R28) | 0.7 0.8 0.6 0.7 0.6 | 0.54 | 0.6 0.6 0.5 0.6 0.5 | 0.31 | 0.5 0.5 0.4 0.5 0.4 | 0.29
Stealing (R29) | 0.6 0.4 0.3 0.4 0.3 | 0.69 | 0.5 0.3 0.2 0.3 0.2 | 0.43 | 0.4 0.3 0.2 0.3 0.2 | 0.32
Espionage (R30) | 0.5 0.5 0.4 0.3 0.4 | 0.44 | 0.4 0.4 0.3 0.2 0.3 | 0.39 | 0.3 0.3 0.3 0.2 0.3 | 0.256
Bribe (R31) | 0.4 0.3 0.4 0.3 0.5 | 0.38 | 0.3 0.2 0.3 0.2 0.4 | 0.29 | 0.3 0.2 0.3 0.2 0.3 | 0.16
Human error (R32) | 0.7 0.6 0.5 0.4 0.3 | 0.89 | 0.6 0.5 0.4 0.3 0.2 | 0.59 | 0.5 0.4 0.3 0.3 0.2 | 0.37
Decision making errors (R33) | 0.5 0.5 0.6 0.3 0.3 | 0.68 | 0.4 0.4 0.5 0.2 0.2 | 0.52 | 0.3 0.3 0.4 0.2 0.2 | 0.47
Insufficient knowledge (R34) | 0.5 0.4 0.4 0.4 0.5 | 0.48 | 0.4 0.3 0.3 0.3 0.4 | 0.36 | 0.3 0.3 0.3 0.3 0.3 | 0.28
Absence of the employees (R35) | 0.4 0.4 0.4 0.3 0.3 | 0.79 | 0.5 0.3 0.3 0.2 0.2 | 0.55 | 0.4 0.3 0.3 0.2 0.2 | 0.34
Resignation of the employees (R36) | 0.6 0.5 0.5 0.4 0.4 | 0.59 | 0.5 0.4 0.4 0.3 0.3 | 0.45 | 0.4 0.3 0.3 0.3 0.3 | 0.35
Transportation uncertainty (R37) | 0.4 0.3 0.3 0.3 0.3 | 0.37 | 0.3 0.2 0.2 0.2 0.2 | 0.29 | 0.3 0.2 0.2 0.2 0.2 | 0.19
Misalignment of interest with supplier (R38) | 0.3 0.3 0.4 0.5 0.4 | 0.39 | 0.2 0.2 0.3 0.4 0.3 | 0.21 | 0.2 0.2 0.3 0.3 0.3 | 0.15
Contractual risks with supplier (R39) | 0.5 0.4 0.5 0.3 0.3 | 0.37 | 0.4 0.3 0.4 0.2 0.2 | 0.25 | 0.3 0.3 0.3 0.2 0.2 | 0.11
Inappropriate staffing (R40) | 0.4 0.5 0.7 0.4 0.5 | 0.59 | 0.3 0.4 0.6 0.3 0.4 | 0.35 | 0.2 0.3 0.4 0.2 0.3 | 0.17
Policy fluctuation (R41) | 0.5 0.4 0.6 0.4 0.3 | 0.69 | 0.4 0.3 0.5 0.3 0.2 | 0.45 | 0.3 0.2 0.4 0.2 0.2 | 0.25
Lack of technical expertise (R42) | 0.7 0.6 0.5 0.3 0.3 | 0.54 | 0.6 0.5 0.4 0.2 0.2 | 0.45 | 0.4 0.4 0.3 0.2 0.2 | 0.38
Financial uncertainty (R43) | 0.5 0.4 0.4 0.3 0.3 | 0.48 | 0.4 0.3 0.3 0.2 0.2 | 0.36 | 0.3 0.2 0.2 0.2 0.2 | 0.23
Poor service quality (R44) | 0.4 0.3 0.3 0.3 0.4 | 0.64 | 0.3 0.2 0.2 0.2 0.3 | 0.47 | 0.2 0.2 0.2 0.2 0.2 | 0.37
Shifts in markets (R45) | 0.5 0.4 0.4 0.6 0.3 | 0.68 | 0.4 0.3 0.3 0.5 0.2 | 0.58 | 0.3 0.2 0.2 0.4 0.2 | 0.25
Changes in customer tastes (R46) | 0.4 0.3 0.5 0.5 0.4 | 0.67 | 0.3 0.2 0.4 0.4 0.3 | 0.49 | 0.3 0.2 0.3 0.3 0.3 | 0.31
Missing 0.4 0.3 0.3 0.5 0.3 0.59 0.3 0.2 0.2 0.4 0.2 0.31 0.3 0.2 0.2 0.3 0.2 0.20
services (R47)
Delay in 0.5 0.3 0.4 0.4 0.3 0.49 0.4 0.2 0.3 0.3 0.2 0.32 0.3 0.2 0.3 0.3 0.2 0.10
fulfilling a
service (R48)
Error in 0.6 0.4 0.5 0.5 0.5 0.64 0.5 0.3 0.4 0.4 0.4 0.43 0.4 0.3 0.3 0.3 0.3 0.20
forecasting the
demands (R49)
Ineffective 0.4 0.3 0.3 0.3 0.4 0.58 0.3 0.2 0.2 0.2 0.3 0.48 0.3 0.2 0.2 0.2 0.3 0.25
Pessimistic scenario Realistic scenario Optimistic scenario
Risks Impact Likelihood Impact Likelihood Impact Likelihood
F1 F2 F3 F4 F5 F6 F1 F2 F3 F4 F5 F6 F1 F2 F3 F4 F5 F6
communications
with customers
(R50)

After estimating the importance degrees of the impact sub-factors using the BWM, the impact of each risk in each scenario is calculated through Eq. (1) (see Table 7).
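The following Python snippet is an added worked example, not part of the paper, that reproduces this aggregation step for three rows transcribed from the table above (R13, R20 and R22). It assumes that Eq. (1) is the weighted sum of the five impact sub-factors F1 to F5 with the BWM weights reported in Appendix C (w1=0.33, w2=0.25, w3=0.18, w4=0.10, w5=0.14); under that assumption the computed impacts agree with the corresponding entries of Table 7 to two decimals. The risk names, dictionary layout and ranking helper are the example's own.

```python
"""Weighted-sum aggregation of impact sub-factors (added example).

Assumption: Eq. (1) of the paper is the weighted sum of the five impact
sub-factors F1..F5 with the BWM weights reported in Appendix C. The rows
below are transcribed from the paper's risk-assessment table; the
resulting impacts match Table 7 to two decimals.
"""
from typing import Dict, List, Tuple

SCENARIOS = ("pessimistic", "realistic", "optimistic")

# BWM importance degrees of the impact sub-factors (Appendix C).
SUBFACTOR_WEIGHTS = [0.33, 0.25, 0.18, 0.10, 0.14]

# Transcribed rows: risk -> scenario -> (F1, F2, F3, F4, F5, F6),
# where F1..F5 are impact sub-factors and F6 is the likelihood.
RISK_SCORES: Dict[str, Dict[str, Tuple[float, ...]]] = {
    "R13 Sanctions": {
        "pessimistic": (0.8, 0.8, 0.6, 0.1, 0.6, 0.67),
        "realistic":   (0.7, 0.7, 0.5, 0.1, 0.5, 0.50),
        "optimistic":  (0.5, 0.5, 0.4, 0.1, 0.4, 0.39),
    },
    "R20 Cyber-attack": {
        "pessimistic": (0.9, 0.8, 0.7, 0.7, 0.7, 0.53),
        "realistic":   (0.7, 0.7, 0.6, 0.6, 0.6, 0.49),
        "optimistic":  (0.6, 0.5, 0.5, 0.5, 0.5, 0.38),
    },
    "R22 Loss of customer data privacy": {
        "pessimistic": (0.6, 0.6, 0.4, 0.3, 0.3, 0.68),
        "realistic":   (0.5, 0.5, 0.3, 0.2, 0.2, 0.40),
        "optimistic":  (0.4, 0.4, 0.3, 0.2, 0.2, 0.24),
    },
}


def risk_impact(subfactors, weights=SUBFACTOR_WEIGHTS) -> float:
    """Aggregate the five impact sub-factors into one impact value (assumed Eq. (1))."""
    if len(subfactors) != len(weights):
        raise ValueError("expected one score per sub-factor")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("sub-factor weights must sum to 1")
    return sum(w * f for w, f in zip(weights, subfactors))


def impact_table(scores=RISK_SCORES) -> Dict[str, Dict[str, float]]:
    """Impact of every risk in every scenario (the layout of Table 7)."""
    return {
        risk: {sc: risk_impact(vals[:5]) for sc, vals in per_scenario.items()}
        for risk, per_scenario in scores.items()
    }


def rank_risks(scenario: str, scores=RISK_SCORES) -> List[Tuple[str, float, float]]:
    """Risks ordered by impact in one scenario, with their likelihood (F6) alongside."""
    ranked = [
        (risk, risk_impact(vals[scenario][:5]), vals[scenario][5])
        for risk, vals in scores.items()
    ]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for risk, per_sc in impact_table().items():
        print(risk, {sc: round(v, 2) for sc, v in per_sc.items()})
    for risk, imp, lik in rank_risks("realistic"):
        print(f"realistic: {risk:38s} impact={imp:.2f} likelihood={lik:.2f}")
```

Running the module prints the three rows of Table 7 for these risks and a ranking by impact in the realistic scenario; the ranking keeps the likelihood (F6) beside the impact, since both are needed for the evaluation step that follows.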

Table 7. Impact of identified risks in each scenario
Risks  Pessimistic scenario  Realistic scenario  Optimistic scenario  Risks  Pessimistic scenario  Realistic scenario  Optimistic scenario
R1 0.78 0.68 0.61 R26 0.45 0.35 0.28
R2 0.65 0.56 0.50 R27 0.60 0.50 0.40
R3 0.53 0.45 0.39 R28 0.69 0.57 0.47
R4 0.44 0.37 0.33 R29 0.43 0.33 0.30
R5 0.49 0.43 0.39 R30 0.45 0.35 0.29
R6 0.61 0.54 0.46 R31 0.38 0.28 0.27
R7 0.63 0.54 0.50 R32 0.55 0.45 0.38
R8 0.50 0.41 0.38 R33 0.47 0.37 0.29
R9 0.55 0.45 0.36 R34 0.45 0.35 0.30
R10 0.39 0.29 0.25 R35 0.44 0.34 0.31
R11 0.42 0.32 0.28 R36 0.51 0.41 0.33
R12 0.35 0.25 0.24 R37 0.33 0.23 0.23
R13 0.67 0.58 0.43 R38 0.35 0.25 0.24
R14 0.46 0.36 0.29 R39 0.43 0.33 0.28
R15 0.49 0.39 0.32 R40 0.49 0.39 0.28
R16 0.31 0.21 0.21 R41 0.46 0.36 0.27
R17 0.43 0.33 0.30 R42 0.54 0.44 0.33
R18 0.56 0.46 0.38 R43 0.41 0.31 0.23
R19 0.70 0.60 0.46 R44 0.35 0.25 0.20
R20 0.79 0.66 0.53 R45 0.44 0.34 0.25
R21 0.36 0.26 0.25 R46 0.40 0.30 0.28
R22 0.49 0.39 0.33 R47 0.35 0.25 0.24
R23 0.66 0.56 0.45 R48 0.39 0.29 0.26
R24 0.62 0.52 0.43 R49 0.51 0.41 0.33
R25 0.67 0.57 0.44 R50 0.35 0.25 0.25

4.3 Evaluating the risks

Four types of resources, namely human resources, financial resources, facilities and equipment, are used in organization X to carry out its activities. In this study, the vulnerability of these resources to the identified risks is elicited from experts’ opinions on the interval [0, 1]. Table 8 shows the values of parameter ik for the identified risks. These data were gathered through interviews with the organization’s experts.
Table 8. Vulnerability of the resources to the risks
Risks  Vulnerability of the resources (Human resources, Financial resources, Facilities, Equipment)  Risks  Vulnerability of the resources (Human resources, Financial resources, Facilities, Equipment)
R1 1 - - - R26 - 0.6 - 1
R2 1 1 1 1 R27 1 - - -
R3 1 1 1 1 R28 1 1 1 1
R4 0.3 0.6 0.7 1 R29 - 1 - -
R5 0.1 0.7 0.3 0.3 R30 - 1 - -
R6 1 1 1 0.7 R31 - 1 - -
R7 1 1 - - R32 1 1 - 1
R8 1 1 - - R33 1 1 - 1
R9 0.7 0.8 - - R34 - 1 - -
R10 - 1 - - R35 1 0.5 - -
R11 - 1 - 0.5 R36 1 0.7 - -
R12 0.3 0.8 - - R37 - 1 - -
R13 - 1 - - R38 - 1 - -
R14 - 1 - - R39 - 1 - -
R15 - 1 - - R40 1 1 - 1
R16 0.6 0.5 - - R41 - 1 - -
R17 - 1 - - R42 1 0.6 - 0.3
R18 - 0.4 - 1 R43 - 1 - -
R19 - 0.7 - 1 R44 - 0.4 - -
R20 - 1 - 1 R45 - 0.6 - -
R21 - 0.7 - 0.6 R46 - 0.7 - -
R22 - 1 - - R47 - 1 - -
R23 - 0.5 - 1 R48 - 1 - -
R24 0.8 0.8 1 1 R49 - 1 - -
R25 1 1 1 1 R50 - 0.3 - -

The values of  jk, MTPDj, MBCOj, vjg and v’g, which are the outputs of the BIA process, are then used to find the impact of the identified risks on the organization’s goals. Increasing customer satisfaction (i.e. g1), increasing market share (i.e. g2) and reducing overall costs (i.e. g3) are the three goals of the organization, which have been defined by its top managers. In this paper, the BWM is used to find the importance degrees of the organization’s goals. The value of  i for each risk in each scenario is also calculated by Eq. (3). Table 9 shows the anticipated deviation of the organization’s goals after the occurrence of each risk.

Table 9. The deviation of the organization’s goals after each risk occurrence
Risks  The amount of  i in each scenario (%): Pessimistic  Realistic  Optimistic  Risks  The amount of  i in each scenario (%): Pessimistic  Realistic  Optimistic
R1 2.54 1.90 1.25 R26 1.31 0.79 0.39
R2 2.11 1.60 0.93 R27 1.71 1.00 0.46
R3 1.51 0.97 0.55 R28 1.86 0.88 0.68
R4 1.06 0.70 0.21 R29 0.00 0.00 0.00
R5 0.35 0.25 0.11 R30 0.00 0.00 0.00
R6 1.19 0.78 0.44 R31 0.00 0.00 0.00
R7 1.86 1.13 0.58 R32 2.45 1.33 0.70
R8 1.45 1.00 0.70 R33 1.60 0.96 0.68
R9 0.94 0.61 0.34 R34 0.00 0.00 0.00
R10 0.00 0.00 0.00 R35 1.74 0.94 0.53
R11 0.41 0.17 0.12 R36 1.50 0.92 0.58
R12 0.20 0.11 0.07 R37 0.00 0.00 0.00
R13 0.00 0.00 0.00 R38 0.00 0.00 0.00
R14 0.00 0.00 0.00 R39 0.00 0.00 0.00
R15 0.00 0.00 0.00 R40 1.45 0.68 0.24
R16 0.34 0.16 0.09 R41 0.00 0.00 0.00
R17 0.00 0.00 0.00 R42 1.46 0.99 0.63
R18 1.23 0.46 0.21 R43 0.00 0.00 0.00
R19 2.42 1.35 0.67 R44 0.00 0.00 0.00
R20 2.09 1.62 1.01 R45 0.00 0.00 0.00
R21 0.84 0.39 0.29 R46 0.00 0.00 0.00
R22 0.00 0.00 0.00 R47 0.00 0.00 0.00
R23 1.62 0.90 0.41 R48 0.00 0.00 0.00
R24 1.21 0.73 0.34 R49 0.00 0.00 0.00
R25 1.94 1.08 0.46 R50 0.00 0.00 0.00

Figure 7 shows the likelihood and impact of the identified risks in the different scenarios. In this figure, the risks whose  i values exceed the organization’s risk appetite, and which may therefore cause a considerable deviation in the organization’s goals, are marked.

[Figure 7: plot of Impact (vertical axis) against Likelihood (horizontal axis) for the identified risks, in three panels: Pessimistic Scenario, Realistic Scenario and Optimistic Scenario. The risks that may cause considerable deviation in the organization's goals are marked.]

Figure 7. The impact and likelihood of identified risks

4.4 Responding to the risks

The key functions of organization X are identified by conducting the BIA process proposed by Torabi et al. (2014); ten key functions are identified in this way. Table 10 shows the required resources, MBCO and MTPD of these key functions.
Table 10. The information about the key functions and their resources
Key functions  MBCOj (%)  MTPDj (week)   jk: Human resources  Financial resources  Facilities  Equipment  vjg: g1 (0.1)  g2 (0.6)  g3 (0.3)  v’g·vjg
KF1 40 4 5 500 - - 0.07 0.09 0.06 0.08
KF2 62 3 - - 50 3 0.12 0.09 0.15 0.12
KF3 74 3 5 - 150 5 0.02 0.09 0.06 0.07
KF4 45 6 5 240 - - 0.06 0.08 0.12 0.09
KF5 61 5 - - 120 6 0.18 0.09 0.07 0.09
KF6 55 4 7 800 400 - 0.21 0.18 0.14 0.17
KF7 45 3 3 300 - 7 0.07 0.09 0.10 0.09
KF8 67 4 - 200 100 - 0.04 0.14 0.14 0.13
KF9 75 3 - 900 600 - 0.17 0.12 0.07 0.11
KF10 20 8 5 - - 4 0.06 0.03 0.09 0.05

The risk appetite of each goal has been identified through interviews with top managers. The overall risk appetite is then calculated as 1.6% by considering the importance degrees of the goals, which have already been determined using the WSM method. Now, according to Table 10, the values of  i for R1, R2, R7, R19, R20, R23, R25, R27, R28, R32, R33 and R35 in the pessimistic scenario are greater than the risk appetite. In the realistic scenario, R1, R2 and R20 may cause considerable deviations in the organization’s goals (i.e. more than the risk appetite). The resources needed to resume the key functions at their MBCO levels after the occurrence of these risks have been calculated by Eq. (4) and are reported in Table 11.

The resources needed for continuing the key functions at least at their MBCO levels should be
prepared by suitable BCPs, considering MTPDs of the key functions and the cost-benefit
analysis. Notably, the cost-benefit analysis is conducted to select the proper strategy for
providing the required resources after occurrence of each risk.

Three factors (i.e. preventing the loss of reputation, lost sales and internal dissatisfaction) are defined for measuring the benefits of each candidate strategy. These factors help the BCM team to estimate the benefits of the strategies accurately. In Table 12, we provide an example to show how the benefit-cost analysis is used to estimate the benefits and cost of the candidate strategies. The benefits and cost of providing human resources after an earthquake (e.g. in the pessimistic scenario) are given in Table 12. According to the results shown in Table 10, some key functions are performed using human resources. For these key functions, the estimated MTPD is three weeks. Therefore, the upper bound for preparing human resources after a risk occurrence is three weeks. After calculating the benefit-cost of the candidate strategies for providing the human resources to continue the key functions at the MBCO level, 1 ≤ t ≤ 3 weeks is considered the acceptable duration for preparing the needed resources after an earthquake (see Table 12). Implementing a strategy to prepare the needed resources has both benefits and costs, and comparing the candidate strategies using this criterion helps top management to choose the best one. The benefit-cost of training semi-skilled people and substituting them for the lost people after a while is greater than that of recruiting new skillful staff and using them instead of the lost people. Therefore, it is selected as the appropriate strategy for providing human resources after a risk occurrence.

Table 11. The resources needed for the key functions after risk occurrence
Scenario  Risks   ijk for KF1 | KF2 | KF3 | KF4 | KF5 (each group: human resources, financial resources, facilities, equipment)
Pessimistic  R1   0.9 0 0 0 | 0 0 0 0 | 2.6 0 0 0 | 1.15 0 0 0 | 0 0 0 0
Pessimistic  R2   0.25 25 0 0 | 0 0 13.5 0.81 | 1.95 0 58.5 1.95 | 0.5 24 0 0 | 0 0 31.2 1.56
Pessimistic  R7   0.15 15 0 0 | 0 0 0 0 | 1.85 0 0 0 | 0.4 19.2 0 0 | 0 0 0 0
Pessimistic  R19  0 0 0 0 | 0 0 0 0.96 | 0 0 0 2.2 | 0 0 0 0 | 0 0 0 1.86
Pessimistic  R20  0 95 0 0 | 0 0 0 1.23 | 0 0 0 2.65 | 0 57.6 0 0 | 0 0 0 2.4
Pessimistic  R23  0 0 0 0 | 0 0 0 0.84 | 0 0 0 2 | 0 0 0 0 | 0 0 0 1.62
Pessimistic  R25  0.35 35 0 0 | 0 0 14.5 0.87 | 2.05 0 61.5 2.05 | 0.6 28.8 0 0 | 0 0 33.6 1.68
Pessimistic  R27  0 0 0 0 | 0 0 0 0 | 1.7 0 0 0 | 0.25 0 0 0 | 0 0 0 0
Pessimistic  R28  0.45 45 0 0 | 0 0 15.5 0.93 | 2.15 0 64.5 2.15 | 0.7 33.6 0 0 | 0 0 36 1.8
Pessimistic  R32  0 0 0 0 | 0 0 0 0.51 | 1.45 0 0 1.45 | 0 0 0 0 | 0 0 0 0.96
Pessimistic  R33  0 0 0 0 | 0 0 0 0.27 | 1.05 0 0 1.05 | 0 0 0 0 | 0 0 0 0.48
Pessimistic  R35  0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Realistic    R1   0.4 0 0 0 | 0 0 0 0 | 2.1 0 0 0 | 0.65 0 0 0 | 0 0 0 0
Realistic    R2   0 0 0 0 | 0 0 9 0.54 | 1.5 0 45 1.5 | 0.05 2.4 0 0 | 0 0 20.4 1.02
Realistic    R20  0 30 0 0 | 0 0 0 0.84 | 0 0 0 2 | 0 26.4 0 0 | 0 0 0 1.62

Scenario  Risks   ijk for KF6 | KF7 | KF8 | KF9 | KF10 (each group: human resources, financial resources, facilities, equipment)
Pessimistic  R1   2.31 0 0 0 | 0.69 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Pessimistic  R2   1.4 160 80 0 | 0.3 30 0 0.7 | 0 64 32 0 | 0 360 240 0 | 0 0 0 0
Pessimistic  R7   1.26 144 0 0 | 0.24 24 0 0 | 0 60 0 0 | 0 342 0 0 | 0 0 0 0
Pessimistic  R19  0 32 0 0 | 0 0 0 1.05 | 0 32 0 0 | 0 216 0 0 | 0 0 0 0
Pessimistic  R20  0 272 0 0 | 0 72 0 1.68 | 0 92 0 0 | 0 486 0 0 | 0 0 0 0
Pessimistic  R23  0 0 0 0 | 0 0 0 0.77 | 0 0 0 0 | 0 72 0 0 | 0 0 0 0
Pessimistic  R25  1.54 176 88 0 | 0.36 36 0 0.84 | 0 68 34 0 | 0 378 252 0 | 0 0 0 0
Pessimistic  R27  1.05 0 0 0 | 0.15 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Pessimistic  R28  1.68 192 96 0 | 0.42 42 0 0.98 | 0 72 36 0 | 0 396 264 0 | 0 0 0 0
Pessimistic  R32  0.7 80 0 0 | 0 0 0 0 | 0 44 0 0 | 0 270 0 0 | 0 0 0 0
Pessimistic  R33  0.14 16 0 0 | 0 0 0 0 | 0 28 0 0 | 0 198 0 0 | 0 0 0 0
Pessimistic  R35  0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Realistic    R1   1.61 0 0 0 | 0.39 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Realistic    R2   0.77 88 44 0 | 0.03 3 0 0.07 | 0 46 23 0 | 0 279 186 0 | 0 0 0 0
Realistic    R20  0 168 0 0 | 0 33 0 0.77 | 0 66 0 0 | 0 369 0 0 | 0 0 0 0
Table 12. The benefit-cost analysis for providing human resources
Time (week)  Strategy  Benefits ($ per week): prevent losing reputation (0.4), lost sale (0.4), internal dissatisfaction (0.2)  Total benefit  Cost ($ per week): cost of providing the human resources
t=0  Training reserved (backup) skillful staff members to be able to substitute them for lost people immediately.  700  300  200  440  1000
t=1  Recruiting new skillful staff and using them instead of lost people.  500  200  150  310  250
t=3  Training semi-skilled people and substituting them for lost people after a while.  400  150  120  244  200
The same processes have been carried out to provide other resources (i.e. financial resources,
facilities, and equipment) after an earthquake occurrence. Table 13 shows the results of benefit-
cost analysis for providing the needed resources.

Table 13. Selected strategy for providing the required resources after an earthquake occurrence
Resources  Selected strategy for providing resources
Human resources  Training semi-skilled people and substituting them with lost people after a while
Financial resources  Borrowing money from bank with the lowest interest rate
Facilities  Repairing the lost facilities and reusing them
Equipment  Purchasing new equipment instead of the lost equipment

Similar procedures are often utilized to provide the resources needed to resume the key functions after a risk occurrence. Notably, the available strategies for providing the required resources to cope with any occurred risk are often similar. For example, after an epidemic disease occurs, the alternative human resources can be provided by training semi-skilled people and substituting them for the lost people after a while.
When the risk named absence of the employees (R35) occurs, the resources needed for resuming the key functions will not be less than the MBCO of the key functions. As previously mentioned, a transferring, avoiding or mitigating strategy can be used for coping with this risk. For instance, the avoiding strategy (i.e. eliminating the source of the risk) can be applied by substituting new staff for the erratic staff member.

5. Managerial highlights

In this study, an improved RA framework equipped with several analytical techniques is developed to improve and facilitate the RA process, which is a key part of any BCMS, when implementing a BCMS in an organization. To apply the suggested analytical techniques within this framework, the following managerial tips should be highlighted:

• Risk identification: in this study, risks are categorized into two main categories, operational and disruption risks. Furthermore, several groups are defined within each category to classify the potential risks accurately. This classification helps top managers to identify their organization’s risks in a comprehensive yet simple way.
• Risk factors and vulnerability: this study introduces several sub-factors to measure the risks’ impacts in a quantitative yet inclusive manner. That is, in the risk analysis step, some new sub-factors are considered in order to estimate the impact of each risk, which helps the BCM team to calculate the identified risks’ impacts accurately. In addition, one of the most important hints is considering the vulnerability level of each resource type to each risk. When a risk occurs, it may have no impact on some resources while affecting others considerably. Finding the vulnerability of the resources as well as the impacts therefore gives managers a comprehensive insight into the identified risks.
• Deviation of the organization’s goals: each organization attempts to achieve certain pre-defined goals, such as financial goals. Devising a technique to calculate the deviation in each goal after the occurrence of any risk is a crucial task in every organization. This paper presents a novel yet simple method by which such a deviation can be calculated when a risk takes place. The calculation is performed by anticipating the lost resources, which may lead to deviations in the key functions’ operating levels.
• Resource allocation and benefit-cost analysis: the approach proposed in this paper for responding to the identified risks is to provide the resources the key functions need in order to ensure their continuation, returning the organization to an acceptable operating level in which the key functions are resumed. For this, the minimum amount of resources required to continue the key functions after a risk occurrence is determined. Furthermore, according to the pre-defined levels of the MBCO and MTPD measures, the needed resources can be provided by several methods; the benefit-cost analysis assists top managers in selecting an appropriate strategy for preparing the required resources.

6. Concluding remarks

RA is one of the important elements of a BCMS. In this article, an enhanced RA framework equipped with a suite of analytical techniques is developed within the context of BCMS to assess the potential risks of manufacturing/service organizations. In this framework, the potential threats to the organization under consideration are identified and sub-classified as disruption and operational risks. For this, several papers were reviewed to provide a comprehensive list of risks, which can be used by organizations’ managers as a practical guide for identifying their potential risks. In the risk analysis step, seven sub-factors are defined to measure the impact and likelihood of the identified risks more accurately than in previous studies. More specifically, we use five sub-factors for calculating the impact of each risk, which collectively estimate the impact factor more accurately than when they are used separately. We have also adopted an effective MCDM technique (i.e. BWM) to find the weights of these sub-factors. In order to find the impact of risks on an organization’s goals, the resources lost after a risk occurrence (e.g. human and financial resources) are taken into account. Finding the vulnerability level of the resources as well as the risks’ impacts gives top managers a comprehensive insight into the identified risks, by which the deviations of the organization’s goals are also calculated. Finally, the risks causing considerable deviations in the organization’s goals (i.e. whose risk values are beyond the risk appetite) are responded to by allocating the needed resources through appropriate strategies, so as to resume the key functions at least at their respective MBCO levels. This is a new approach to responding to risks, in which the needed resources are provided with regard to the results of the BIA and the benefit-cost analysis.
The proposed risk assessment and management framework is also applied to a real case study, whose results demonstrate that the enhanced RA framework and its suggested analytical tools can effectively handle the risk assessment process when implementing a BCMS in an organization, as it comprehensively accounts for BCM requirements and prerequisites while conducting the well-known four-step RA framework in a mixed quantitative-qualitative way.

There are several directions for further research on improving the risk assessment and management process in the context of BCMS; among them, we highlight the following:

• Applying some other techniques such as Bayesian networks in order to calculate the risk
factors’ values.
• Using other MADM techniques such as ANP and DEMATEL to reflect the interrelations
between risks factors.
• Designing appropriate mathematical models such as those to be used in the project
selection area (see for instance Shakhsi-Niaei et al., 2011) to find the best strategies to
prepare required resources for continuation of the key functions.
• Investigating different risk assessment techniques through a comprehensive literature
review from the perspective of modeling uncertainty due to high importance of such
uncertainty on the results of any RA process.

Acknowledgement

This research was supported by University of Tehran under the research grant number
8109920/1/17. The authors appreciate the constructive comments made by the anonymous
reviewers, which helped to improve presentation of the paper.

Appendices

Appendix A

In BWM, the best and worst criteria are first determined by the decision makers. Then, the
preference degrees of the best criterion over all other criteria along with the preference degrees
of all criteria over the worst criterion are obtained by the decision makers’ opinions through the
well-known Likert scale. Finally, the optimal weights of criteria are found by solving the
linearized version of model (A.1) (i.e. model (A.2)).

$$\min \; \max_{j}\left\{\left|\frac{w_B}{w_j} - a_{Bj}\right|,\ \left|\frac{w_j}{w_W} - a_{jW}\right|\right\} \qquad \text{(A.1)}$$
s.t.
$$\sum_{j} w_j = 1, \qquad w_j \ge 0 \quad \text{for all } j$$

where:

aBj indicates the preference degree of the best criterion B over criterion j;
ajW indicates the preference degree of criterion j over the worst criterion W;
wj is the final weight of criterion j, which is calculated by the BWM.

Model (A.1) is a non-linear programming model. Therefore, it is converted to its linear counterpart (i.e. model (A.2)) as follows.

$$\min \; \xi \qquad \text{(A.2)}$$
s.t.
$$\frac{w_B}{w_j} - a_{Bj} \le \xi, \qquad -\left(\frac{w_B}{w_j} - a_{Bj}\right) \le \xi, \qquad \text{for all } j$$
$$\frac{w_j}{w_W} - a_{jW} \le \xi, \qquad -\left(\frac{w_j}{w_W} - a_{jW}\right) \le \xi, \qquad \text{for all } j$$
$$\sum_{j} w_j = 1, \qquad w_j \ge 0 \quad \text{for all } j$$

By solving the linear model (A.2), the optimal weights (wj) can be obtained for concerned
criteria.
One of the outstanding features of BWM is that it requires less comparison data than other pairwise-comparison-based methods such as AHP. As shown by Rezaei (2015), this method generates more reliable criteria weights than other MCDM methods while considerably reducing the required data (i.e. the number of pairwise comparisons).

Appendix B:

In order to deal with the vagueness and imprecision of the experts’ opinions about risks, it is better to use linguistic terms. In this case, the judgmental data provided by experts are first gathered in the form of linguistic terms (see Table B.1). From a practical viewpoint, experts can conveniently express their qualitative opinions in linguistic terms (Ganguly & Guin, 2010). Then, each linguistic term is associated with a trapezoidal fuzzy number whose membership function is given in Table B.1. Eq. (B.1) shows the membership function of the trapezoidal fuzzy number (l, m, n, u) and Fig. (B.1) depicts its graph.

Table B.1. Applied linguistic terms to determine the value of impact’s sub-factors
Experts’ opinions about the impact’s sub-factors Corresponding trapezoidal fuzzy number (TFN)
Very low (0,0.1,0.2,0.3)
Low (0.1,0.2,0.3,0.4)
Medium (0.3,0.4,0.5,0.6)
High (0.5,0.6,0.7,0.8)
Very high (0.7,0.8,0.9,1)

 xl
m  l l  x  m

1 mxn
 u  x
 M ( x)   n xu
u  n
(B.1)
0 otherwise



Fig (B.1). The membership function of the trapezoidal fuzzy number (l, m, n, u)
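The Python snippet below is an added worked example, not part of the paper, that implements the membership function of Eq. (B.1) together with the linguistic scale of Table B.1. Two steps go beyond what the appendix states and are the example's own assumptions: several experts' terms are aggregated by the component-wise mean of their trapezoidal fuzzy numbers, and the aggregated number is defuzzified by its centroid to obtain a crisp sub-factor value in [0, 1]. The expert opinions used in the usage are constructed.

```python
"""Trapezoidal fuzzy numbers for linguistic risk ratings (added example).

Implements the membership function of Eq. (B.1) and the linguistic scale of
Table B.1. The aggregation of several experts' terms (component-wise mean)
and the centroid defuzzification are this example's assumptions; the paper
does not state how its crisp sub-factor values were obtained.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class TFN:
    """Trapezoidal fuzzy number (l, m, n, u) with l <= m <= n <= u."""
    l: float
    m: float
    n: float
    u: float

    def __post_init__(self):
        if not (self.l <= self.m <= self.n <= self.u):
            raise ValueError("TFN parameters must satisfy l <= m <= n <= u")

    def membership(self, x: float) -> float:
        """Eq. (B.1): degree to which x belongs to the fuzzy number."""
        if self.l <= x < self.m:              # rising edge
            return (x - self.l) / (self.m - self.l)
        if self.m <= x <= self.n:             # plateau
            return 1.0
        if self.n < x <= self.u:              # falling edge
            return (self.u - x) / (self.u - self.n)
        return 0.0                            # outside the support

    def centroid(self) -> float:
        """Centre of gravity of the trapezoid (assumed defuzzification rule)."""
        if self.u == self.l:                  # degenerate (crisp) number
            return self.l
        num = (self.u ** 2 + self.n ** 2 + self.u * self.n
               - self.l ** 2 - self.m ** 2 - self.l * self.m)
        return num / (3.0 * (self.u + self.n - self.l - self.m))


# Linguistic scale of Table B.1.
LINGUISTIC_SCALE = {
    "very low":  TFN(0.0, 0.1, 0.2, 0.3),
    "low":       TFN(0.1, 0.2, 0.3, 0.4),
    "medium":    TFN(0.3, 0.4, 0.5, 0.6),
    "high":      TFN(0.5, 0.6, 0.7, 0.8),
    "very high": TFN(0.7, 0.8, 0.9, 1.0),
}


def aggregate_opinions(terms: Iterable[str]) -> TFN:
    """Component-wise mean of the experts' TFNs (assumed aggregation rule)."""
    tfns: List[TFN] = [LINGUISTIC_SCALE[t.strip().lower()] for t in terms]
    if not tfns:
        raise ValueError("at least one expert opinion is required")
    k = len(tfns)
    return TFN(sum(t.l for t in tfns) / k, sum(t.m for t in tfns) / k,
               sum(t.n for t in tfns) / k, sum(t.u for t in tfns) / k)


def crisp_score(terms: Iterable[str]) -> float:
    """Linguistic opinions -> aggregated TFN -> crisp value in [0, 1]."""
    return aggregate_opinions(terms).centroid()


if __name__ == "__main__":
    # Constructed opinions of three experts on one impact sub-factor.
    opinions = ["Low", "Medium", "High"]
    agg = aggregate_opinions(opinions)
    print("aggregated TFN:", agg, "crisp value:", round(agg.centroid(), 3))
    for x in (0.3, 0.35, 0.45, 0.55, 0.7):
        print(f"mu_medium({x}) = {LINGUISTIC_SCALE['medium'].membership(x):.2f}")
```

Because every term in Table B.1 is a symmetric trapezoid, its centroid coincides with the midpoint of its plateau (for example 0.45 for "Medium"); the centroid formula is kept general so that asymmetric aggregates of different experts' terms are handled as well.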

Appendix C:

After determining the values of the sub-factors regarding the impact of risks, these sub-factors should be aggregated with a suitable function. For this, the sub-factors are first prioritized according to their importance degrees from the top managers’ viewpoint. According to the experts’ opinion, human and financial losses and the non-detectability degree of a risk are considered the best and the worst sub-factors, respectively. Then, the preferences of the best criterion (F1) over the other criteria and the preferences of all criteria over the worst criterion (F4) are gathered from the experts as aBj = [1, 1.5, 2, 3, 2.5] and ajW = [3, 2.5, 2, 1, 1.5], respectively. Finally, model (C.1) is solved to find the weights of the impact sub-factors.
$$\min \; \xi \qquad \text{(C.1)}$$
s.t.
$$\left|\frac{w_1}{w_1} - 1\right| \le \xi,\quad \left|\frac{w_1}{w_2} - 1.5\right| \le \xi,\quad \left|\frac{w_1}{w_3} - 2\right| \le \xi,\quad \left|\frac{w_1}{w_4} - 3\right| \le \xi,\quad \left|\frac{w_1}{w_5} - 2.5\right| \le \xi$$
$$\left|\frac{w_2}{w_4} - 2.5\right| \le \xi,\quad \left|\frac{w_3}{w_4} - 2\right| \le \xi,\quad \left|\frac{w_5}{w_4} - 1.5\right| \le \xi$$
$$\sum_{j} w_j = 1, \qquad w_j \ge 0 \quad \text{for all } j$$

In this way, the weight vector is calculated as: w1=0.33, w2=0.25, w3=0.18, w4=0.10, w5=0.14.
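The following Python snippet is an added worked example, not part of the paper, that solves model (C.1) for the preference vectors above and compares the result with the reported weight vector. The solution method is the example's own, not the paper's: because every constraint of (C.1) links w_B to a single w_j, or a single w_j to w_W, feasibility for a fixed ξ can be decided exactly by propagating intervals (with w_W fixed to 1), and the smallest feasible ξ is then found by bisection. The function and variable names are the example's own.

```python
"""Solving the best-worst model (C.1) of Appendix C (added example).

Inputs are the paper's preference vectors a_Bj = [1, 1.5, 2, 3, 2.5]
(best criterion F1 over each F_j) and a_jW = [3, 2.5, 2, 1, 1.5] (each
F_j over worst criterion F4). The solver is this example's own method:
bisection on xi with exact interval propagation over the star-shaped
constraint structure of the model (w_W is fixed to 1, then normalised).
"""
from typing import List, Optional, Tuple

A_BJ = [1.0, 1.5, 2.0, 3.0, 2.5]   # F1 over F1..F5 (Appendix C)
A_JW = [3.0, 2.5, 2.0, 1.0, 1.5]   # F1..F5 over F4 (Appendix C)
BEST, WORST = 0, 3                  # F1 is the best, F4 the worst sub-factor
PAGE_WEIGHTS = [0.33, 0.25, 0.18, 0.10, 0.14]   # vector reported in Appendix C


def _interval_for_wj(j: int, xi: float, a_jw: List[float], worst: int) -> Tuple[float, float]:
    """Admissible range of w_j (with w_W = 1) from |w_j / w_W - a_jW| <= xi."""
    if j == worst:
        return 1.0, 1.0
    return max(a_jw[j] - xi, 0.0), a_jw[j] + xi


def _wb_region(xi, a_bj, a_jw, best, worst) -> Optional[Tuple[float, float]]:
    """Range of w_B compatible with every constraint at this xi, or None if infeasible."""
    lo_b, hi_b = max(a_jw[best] - xi, 0.0), a_jw[best] + xi
    for j in range(len(a_bj)):
        if j == best:
            continue
        lo_j, hi_j = _interval_for_wj(j, xi, a_jw, worst)
        # |w_B / w_j - a_Bj| <= xi for some w_j in [lo_j, hi_j]
        lo_b = max(lo_b, max(a_bj[j] - xi, 0.0) * lo_j)
        hi_b = min(hi_b, (a_bj[j] + xi) * hi_j)
    return (lo_b, hi_b) if lo_b <= hi_b else None


def bwm_weights(a_bj=A_BJ, a_jw=A_JW, best=BEST, worst=WORST, iters=80) -> Tuple[float, List[float]]:
    """Return (xi*, normalised weights) solving model (C.1) / (A.2)."""
    if len(a_bj) != len(a_jw):
        raise ValueError("preference vectors must have equal length")
    lo, hi = 0.0, max(max(a_bj), max(a_jw))    # hi is always feasible
    for _ in range(iters):                      # bisection on xi
        mid = (lo + hi) / 2
        if _wb_region(mid, a_bj, a_jw, best, worst) is None:
            lo = mid
        else:
            hi = mid
    xi = hi
    lo_b, hi_b = _wb_region(xi, a_bj, a_jw, best, worst)
    w = [0.0] * len(a_bj)
    w[worst] = 1.0
    w[best] = (lo_b + hi_b) / 2
    for j in range(len(a_bj)):
        if j in (best, worst):
            continue
        lo_j, hi_j = _interval_for_wj(j, xi, a_jw, worst)
        lo_j = max(lo_j, w[best] / (a_bj[j] + xi))        # w_B/w_j - a_Bj <= xi
        if a_bj[j] - xi > 0:                               # a_Bj - w_B/w_j <= xi
            hi_j = min(hi_j, w[best] / (a_bj[j] - xi))
        w[j] = (lo_j + max(lo_j, hi_j)) / 2                # midpoint of the slack
    total = sum(w)
    return xi, [x / total for x in w]


def max_deviation(w, a_bj=A_BJ, a_jw=A_JW, best=BEST, worst=WORST) -> float:
    """Objective of model (A.1) evaluated for a given weight vector."""
    return max(max(abs(w[best] / w[j] - a_bj[j]) for j in range(len(w))),
               max(abs(w[j] / w[worst] - a_jw[j]) for j in range(len(w))))


if __name__ == "__main__":
    xi, w = bwm_weights()
    print("xi* =", round(xi, 4), "weights =", [round(x, 3) for x in w])
    print("max deviation of the reported vector:", round(max_deviation(PAGE_WEIGHTS), 3))
```

For these inputs the solver returns ξ* ≈ 0.209 and weights of about (0.330, 0.245, 0.184, 0.103, 0.138), which agree with the reported vector (0.33, 0.25, 0.18, 0.10, 0.14) to within one hundredth. Note that w2 and w5 are not pinned down uniquely by the constraints at ξ*; the midpoint of their slack is used here, which is one reason the third decimal differs from the reported rounding.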
Appendix D:

In order to facilitate reading the acronyms used in the paper, they are presented in Table D.1
associated with their meaning.
Table D.1. Acronyms and their meanings
Acronym  Meaning
BC  Business Continuity
BCM  Business Continuity Management
BCMS  Business Continuity Management System
BCP  Business Continuity Planning
BCPs  Business Continuity Plans
RA  Risk Assessment
BIA  Business Impact Analysis
MBCO  Minimum Business Continuity Objective
MTPD  Maximum Tolerable Period of Disruption
MCDM  Multiple Criteria Decision Making
MADM  Multiple Attribute Decision Making
ANP  Analytic Network Process
AHP  Analytic Hierarchy Process
DEMATEL  Decision Making Trial And Evaluation Laboratory

References:

Aagedal, J. O., Den Braber, F., Dimitrakos, T., Gran, B. A., Raptis, D., & Stolen, K. (2002). Model-based risk
assessment to improve enterprise security. In Enterprise Distributed Object Computing Conference, 2002.
EDOC’02. Proceedings. Sixth International (pp. 51–62). IEEE.

Adner, R., & Zemsky, P. (2003). Disruptive Technologies and the Emergence of Competition.

Altay, N., & Ramirez, A. (2010). Impact of disasters on firms in different sectors: implications for supply chains.
Journal of Supply Chain Management, 46(4), 59–80.

Asgary, A., Anjum, M. I., & Azimi, N. (2012). Disaster recovery and business continuity after the 2010 flood in
Pakistan: Case of small businesses. International Journal of Disaster Risk Reduction, 2, 46–56.

Beyer, H., & Sendhoff, B. (2007). Robust optimization–a comprehensive survey. Computer Methods in Applied
Mechanics and Engineering, 196(33-34), 3190–3218.

BS25999, B. S. (2007). Business Continuity Management-Part2: Specification Business Continuity Management.

Bubeck, P., Botzen, W. J. W., & Aerts, J. C. J. H. (2012). A review of risk perceptions and other factors that
influence flood mitigation behavior. Risk Analysis : An Official Publication of the Society for Risk Analysis,
32(9), 1481–95.

Campbell, D.T., & Stanley, J.C. (1963). Experimental and Quasi-Experimental Designs for Research.

Cerullo, V., & Cerullo, M. J. (2004). Business Continuity Planning: A Comprehensive Approach. Information
Systems Management, 21(3), 70–78.

Chang, J.-R., Chang, K.-H., Liao, S.-H., & Cheng, C.-H. (2006). The reliability of general vague fault-tree analysis
on weapon systems fault diagnosis. Soft Computing, 10(7), 531–542.

Chang, K.-H., & Cheng, C.-H. (2010). A risk assessment methodology using intuitionistic fuzzy set in FMEA.
International Journal of Systems Science, 41(12), 1457–1471.

Chopra, S., Reinhardt, G., & Mohan, U. (2007). The importance of decoupling recurrent and disruption risks in a
supply chain. Naval Research Logistics, 54(5), 544–555.

Christopher, M., Mena, C., Khan, O., & Yurt, O. (2011). Approaches to managing global sourcing risk. Supply
Chain Management: An International Journal, 16(2), 67–81.

Clarke, C. J., & Varma, S. (1999). Strategic risk management: the new competitive edge. Long Range Planning,
32(4), 414–424.

Cooke, R.M. (1991). Experts in Uncertainty: opinion and subjective probability in science. New York: Oxford
University Press.

Craighead, C. W., Blackhurst, J., Rungtusanatham, M. J., & Handfield, R. B. (2007). The Severity of Supply Chain
Disruptions: Design Characteristics and Mitigation Capabilities. Decision Sciences, 38(1), 131–156.

Dunjó, J., Fthenakis, V., Vílchez, J. A., & Arnaldos, J. (2010). Hazard and operability (HAZOP) analysis. A
literature review. Journal of Hazardous Materials, 173(1-3), 19–32.

Ebrahim Nejad, A., Niroomand, I., & Kuzgunkaya, O. (2014). Responsive contingency planning in supply risk
management by considering congestion effects. Omega, 48, 19-35.

Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships
of risk factors and vulnerability propagation analysis. Information Sciences; Business Intelligence in Risk
Management, 256, 57–73.

Fera, M., & Macchiaroli, R. (2010). Appraisal of a new risk assessment model for SME. Safety Science, 48(10),
1361–1368.

Finch, P. (2004). Supply chain risk management. Supply Chain Management: An International Journal, 9(2), 183–
196.

Galindo, G., & Batta, R. (2013). Review of recent developments in OR/MS research in disaster operations
management. European Journal of Operational Research, 230(2), 201–211.

Ganguly, K. K., & Guin, K. K. (2010). Supply side risk assessment: an application of Yager’s methodology based
on fuzzy sets. International Journal of Business Continuity and Risk Management, 1(2), 136–150.

Gibb, F., & Buchanan, S. (2006). A framework for business continuity management. International Journal of
Information Management, 26(2), 128–141.

Goossens, L.H.J., Cooke, R.M., Hale, A.R., & Rodic-Wiersma, L.J. (2008). Fifteen years of expert judgment at
TUDelft. Safety Science, 46(2), 234-244.
