Business Continuity and Crisis Management


‘Crisis Management, Disaster Response, Emergency Management, Business Continuity Management: these are all names for the same process.’ Discuss the validity of this statement, referring to the theoretical models and the literature. Throughout the assignment you should discuss the practical implementation of strategies, plans and procedures.

This question requires the terms ‘crisis management’, ‘disaster response’, ‘emergency management’ and ‘business continuity management’ to be defined, together with a discussion of how, if at all, they interact. The author believes that Crisis Management, Disaster Response and Emergency Management are all overarched by Business Continuity Management (BCM). This can be demonstrated by the hypothesis that crisis is divided into three events: emergencies, crisis and disaster. These three events are sub-disciplines, with the overarching response being dictated by BCM. The position taken here is therefore that none of them has any independence; all are contained within the newly evolving discipline of BCM, which they follow.

Organisations must no longer rely merely upon the ‘emergency response plan’ or ‘disaster management activities’; they must also engage in a comprehensive process described as Business Continuity. This response will allow them to anticipate naturally, accidentally or intentionally caused disaster or emergency scenarios.

Borodzicz (2005) states “the terms ‘emergency’, ‘crisis’ and ‘disaster’ are methodologically problematic, if only because of the pluralistic accounts of reality offered by the many informants attending public inquiries. The liturgy of disaster and crisis management is less well-defined theoretically and finds its expression as a reactive response to incidents, usually in terms of ‘best practice’. It has proven difficult to establish quantified measures of risk management for these types of incidents. In this context, understanding the complex relationship between risk, crisis and a disaster as a single defined area of study is argued here to be of significance”. Elliot et al (2002) described the evolution of BCM as split into three different phases: technology, auditing and value based. It would seem obvious that prevention is better than responding after the event has occurred. It is apparent that theorists and practitioners rely upon their own thought processes and various techniques before introducing the models that are recognised within the business arena.

BCM is a new and evolving discipline. Its roots lie in Information Systems (IS) protection, although it is argued that it has evolved significantly from this. BCM is not the same as Disaster Recovery, Emergency Management, Disaster/Crisis Management or Contingency Management. All of these different approaches are dimensions of ‘Major Incident Management’ (managing those catastrophic but rare events that require special arrangements in the mobilisation of human, financial, physical and informational resources). “Business continuity is times defined as a dynamic process that has changed dramatically over the past ten years” Reynolds (2004). It is also a process that prioritises key business processes, identifies significant threats to normal operation and enables mitigation strategies to be planned, so as to ensure effective and efficient organisational responses to challenges (ASIS Business Continuity Guideline). Reynolds (2004) also observed that in the modern world business continuity has become a management process that is constantly reviewed, updated and tested so that it accurately reflects the business environment.

What is crisis management? Fink (2002:18-19) describes crisis management as “any measure that plans in advance for a crisis or turning point… any measure that removes the risk and uncertainty from a given situation and thereby allows you to be more in control of your own destiny”. The term ‘crisis’ has aroused considerable debate among risk theorists. Crisis management can be broadly described as a paper plan that on appearance fits the bill but has never been tried or tested to confirm its validity. It would have been written whilst individuals were gathered around a table, but it should set out what the team should do before, during and after the event. “Crisis is any global, regional or local natural or human-caused event or business interruption that runs the risk of intensifying or causing damage to an organisation not only financially but also with its reputation” ASIS Business Continuity Guideline(….).

Crisis is a question of semantics that covers thousands of titles, all with different meanings. It has been debated at length, but it has been agreed that it consists of emergencies, crisis and disaster, which follow in this order. It also recognises the social and technical characteristics of business interruptions, emphasising the contribution that managers may make to aid the resolution of interruptions. This allows managers to build resilience against business interruptions through changes to normal operating processes and practices, given that the organisations themselves may play a major role in ‘incubating the potential for failure’. It holds that, if managed properly, interruptions do not inevitably result in crises, but it acknowledges the impact, potential or realised, of interruptions upon a wide range of stakeholders. In generalised terms, a crisis is the differentiating feature between emergencies and disasters. A crisis is often misjudged as an emergency, with the concern that one cannot plan for it. Borodzicz (2005:79), “crisis requires a rapid response….but difficult to define owing to an ill-structure…” An emergency is simply defined as the most basic dangerous event that any individual or organisation can plan for and give a known response to. It also requires an immediate response and intervention to minimise the loss to people, property and profit. An emergency could give rise to a crisis, which in turn could become a disaster. Borodzicz (2005:79), “emergencies can be defined as situations requiring a rapid and highly structured response where the risks for critical decision makers can, to a relative degree, be defined”.

Further examples of crisis events are defined and discussed in the publication ‘Managing a Crisis: A Practical Guide’ (2005), produced by Tom Curtin, Daniel Hayman and Naomi Husein. The authors argue that there are three main types of crisis event: “First there are those such as plane crashes, accidents, spillages of chemicals, product defects and so on which befall a company.  Second there are those that are manufactured, for example the Brent Spar would have caused no controversy for Shell had Greenpeace not become involved.  Finally, these are the crises which escalate from an accident”. Within their definitions, the authors are of the opinion that manufactured crises cause the most damage and are longer lasting, often because they are difficult to predict. Many would argue that an accident such as Chernobyl had more of a lasting effect in terms of damage. This is due to the radioactive contamination, estimated to last tens of thousands of years, and the damage to the world’s agricultural markets as a result of widespread contamination. It is argued that the Chernobyl crisis should have been easy to predict because of the large number of prodromal stage indicators or, as the authors of this book would describe them, ‘Pre-tremor Warnings’. These warnings are defined as the first stage of the ‘Evolution of a Crisis’ model.

The term disaster describes an unanticipated incident or event, including natural catastrophes, technological accidents or human events, that can cause widespread damage to any organisation, including damage to property, injuries to personnel and, even more importantly, death. Disaster is distinct from both emergency and crisis only in that it physically represents the product of the former. Importantly, disasters are typically irreversible and are regularly the overwhelming result of a mishandled emergency and crisis. “Disasters do not cause effects. The effects are what we call a disaster”, Dombrowsky (1995:242). Turner (1978) defines disasters as an “overturning of the cultural norms for dealing with hazards”. It can be argued that when an organisation deals with small crises or emergencies it is typically dealing with a ‘disaster’. The literature defines disasters differently, because it states that a disaster is an overwhelming situation that costs human lives and causes financial loss or damage to social structures. In this context disasters can be seen as ‘social vulnerability’ Gilbert (1995) or a ‘lack of capacity’ Dombrowsky (1995).

Of the various processes that the author describes as overarched by BCM, a disaster recovery plan is mainly focused upon system continuity during disasters. However, since the tragic events of September 2011 organisations were hit with the realisation that disasters could not only disable their critical business systems but, more importantly, eradicate vital assets. A simple disaster recovery plan was therefore not sufficient to provide the support needed for business continuity. BCM does not revolve only around crisis management, disaster response and/or emergency management; it is a business issue that, if followed correctly, can be an excellent aid in conducting reviews of an organisation’s processes and how they performed. Another dimension to consider is that BCM has the additional advantage of allowing the organisation to respond to any incident in a planned and rehearsed manner. Reynolds (2004) stated “what disaster plan accounted for the possibility of total facility, equipment, and/or personnel loss?” It would also be fair to say that not many business continuity planners looked outside of their regional risk factors or ‘worst case scenarios’ when they developed and implemented their plans.

BCM is defined by the Disaster Recovery Institute International (DRII), in terms of a business continuity plan, as “the process of developing advance arrangements and procedures that enable an organisation to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change”. It can be seen that by developing a good, diverse continuity plan organisations are essentially maintaining their desired service levels. By introducing a process of testing and updating the plans, organisations ensure that the plans remain functional and fit for purpose. However, until the last ten years governmental regulations did not play a part in the production or regulation of BCMs. Various regulations have now been implemented and cover numerous categories, so nearly every organisation or company will be covered by a regulation in relation to BCM. Reynolds states “Business Continuity management is a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value creating activities”. The BCM process is separated into three major components: crisis management, business resumption planning and IT disaster recovery planning. This covers the disaster, emergency and crisis areas, and so underlines the author’s opinion that BCM is the overarching management of all the same processes.

Having retrospective knowledge is of little use to decision makers unless it can be available at the time of deciding. The systemic models of Turner and Perrow appear to suggest inevitability for organizational failure. The homeostatic model (Adams, 1995) suggests that an unconscious or instinctual need to create risk will always balance out against those that are eliminated (Borodzicz). Problems with risk, irrationality and the complexities of social communication and regulation again point to the need for more resources applied to response, rather than prevention. The focus of risk management in corporate contexts has moved forward, particularly following initiatives in corporate governance and health and safety practice. However, there is a lack of practical understanding about crisis events and how these should or could be controlled. Organizations are becoming increasingly complex and interdependent, in a world of ‘just in time’ processing and rapid communications. Prevention where possible is always better than response after things have gone wrong. In the complex world we now inhabit, a failure to be able to respond to failure is of equal concern.

When writing any plan or model to implement a management structure, it is difficult to imagine or understand the phenomena, and theorising them is more difficult than ever. Historically, disasters were popularly conceived of as ‘freak’ events, ‘acts of God’ (Toft and Reynolds, 1994: 1) or ‘abominations’ (Douglas, 1970). However, this has now been examined and it is believed that all events and accidents are preventable with the correct risk structure.

Various experts in this field have introduced and developed their own definitions of various events and of the stages to be followed to prevent them from affecting organisations. Henizen (1996:16) proposed that crises are three distinct events; this was discussed nine years before Professor Borodzicz introduced his own definition. His opinion was that crisis had four characteristics: 1) a series of events, 2) caused by a disaster, 3) with an unclear source and 4) with it being unclear what action needs to be taken. It is unclear what Henizen was actually trying to define when he introduced the four characteristics to determine what constituted a crisis. In 2005 Curtin defined crisis as consisting of three types: those which befall an organisation, those which are manufactured and those which escalate from an accident, Curtin (2005:3). This definition of a crisis is an overcomplicated one because it uses terminology that is not widely anticipated or acknowledged within organisations.

One main model that is constantly utilised to determine crisis management response is the ‘Crisis Management Typology’ that was developed by Fink in 2002. This model is divided into four separate stages, all of which have defined parameters. The first stage that Fink introduces is the prodromal or warning stage: any situation that runs the risk of escalating in intensity, falling under close media/government scrutiny, interfering with normal business, creating a bad reputation or damaging the organisation’s bottom line. If various actions are taken during this phase, the crisis may be avoided. This can be shown by the Kings Cross Rail Disaster 1987, before which small fires were a constant issue for the London transport staff. However, because the staff dealt with them on a regular basis and the organisation did not introduce any safety measures, their mind-set became that of a poor safety culture. Their lapses resulted in a small fire escalating and causing 31 deaths. The second phase of Fink’s model is the acute crisis stage, in which Fink states that the crisis is going to hit the organisation with no return to normality afterwards, otherwise described as the ‘hell on earth stage’. This stage is all to do with damage limitation and how, or even what, the organisation can do to prevent the inevitable from happening. Fink’s third stage is similar in all aspects to the fifth stage of Augustine’s six-stage model of Crisis Management, Augustine (1995:149). This stage is known as the chronic crisis stage, which concerns how the organisation can move forward. This stage is parallel to the isomorphic learning which has been previously discussed. The final stage of Fink’s model is the crisis resolution stage, whereupon the organisation can try to produce a positive outcome from the crisis and even, if possible, drive up its profit margins.
A good example of this stage is the ‘Tylenol Crisis’, which hit the Johnson & Johnson Company in 1982. This was highlighted by Elliot et al in 2002 because the company portrayed a ‘strong caring image’ to the general public in the way that it dealt with the crisis. The incident allowed the organisation to implement a mass media campaign to communicate with stakeholders. Another interesting crisis occurred in 2010, when the automotive manufacturer Toyota recalled various top selling models because of potentially serious defects. Since 2007 Toyota had experienced a series of car model recalls that had escalated into a major crisis. However, this had not really caught the public eye until January 2010, when the seriousness of the crisis was highlighted in the media.

As discussed, Augustine devised a six stage model which offered a more proactive approach to crisis management, including how to avoid or prevent the crisis. With the introduction of this aspect, it is a more beneficial and possibly more effective way of dealing with crisis. The model also offers the organisation the option of trying to profit from the crisis after it has recognised, contained and resolved it. This model offers an all-round product to ensure that the organisation is fully conversant with dealing with crises. The theorist Fink introduced a ‘Crisis Impact Value’ when producing a probability/impact diagram in 2002. This crisis impact value assigns a numerical value to the crisis impact and also allows us to understand whether or not the crisis may be damaging by offering an impact scale from low to high, Fink (2002:37).

Since the introduction of these processes, various guiding principles have been suggested to help organisations improve their processes. It is also proven that if organisations were to conduct isomorphic learning from previous incidents they could adapt and learn from earlier mistakes. Lessons from previous incidents have also highlighted that a positive attitude instils confidence in dealing with any scenario that the organisation may be facing, and that by taking some sort of action and communicating with the wider audience it can be shown that actions speak louder than words. Within organisations, the structure has at times been to blame for a system failure in the handling of a risk or incident. This has since been examined, and in 1984 Perrow identified the ‘tightly coupled system’, which tends to control rigidly from the centre of the operation within the organisation. He also argues that business strategies and policies are often pre-conditions to most accidents, and that these should therefore be called ‘Normal Accidents’. These he believes are the consequences of system malfunctioning, therefore he believes that the tightly coupled system would prevent this behaviour. Another human failure within organisations could be the behaviour of management strategies and whether or not the structure and culture are flexible enough to cope with any situation. Investigations into irrationality by psychologists (Otway and Von Winterfeldt, 1982) suggest that our judgements about risks are liable to be influenced by mitigating factors. The homeostasis model also suggests that if a particular risk is not correctly handled or managed, the risk may move somewhere else.
Toft and Reynolds (1994) introduced a simple but rarely used phenomenon, isomorphic learning, which enables an organisation to learn lessons from successfully managed incidents or by implementing procedures that were not already in situ.

Crime Prevention Through Environmental Design (CPTED) is a new tool that was introduced by the work conducted by Newman (1972) and Poyner (1983). It allows the organisation to look at the environment and approach it from a crime prevention angle. Another extremely beneficial method of allowing an organisation to test any procedures is to participate in training exercises or ‘simulations’. These, however, need to be designed by trainers who fully understand the differences between ‘crisis’, ‘disasters’ and ‘emergencies’, as discussed by Borodzicz (1997, 1999a, 1999b). These simulations can also evaluate key personnel, provide a testing environment for any equipment and facilities that are utilised, and allow for a full in-depth report offering feedback on the outcome.

In 1978 the late Professor Turner was highly influential in arguing that both human and organisational systems formed the background precondition to most disasters. “…it is better to think of a problem of understanding disasters as a ‘socio-technical’ problem with social organisation and technical processes interacting to produce the phenomena studied”, Turner (1878:3). Turner then introduced a six stage model that is utilised in the understanding of socio-technical disasters. He was of the opinion that, whether external or internal, they were very similar even though they were different to crisis, and that the structural failure of foresight is crucial in the prediction of failures. Turner believed that plans to help deal with crisis or risks must remain dynamic and flexible.

It can be argued that it is not possible to control all risks, and that if we did manage to reduce or even diminish those risks then the individual or organisation would be less aware of them and become complacent. Borodzicz called this ‘Risk Homeostasis’, which was originally introduced in connection with the compulsory wearing of seatbelts under law for drivers of motor vehicles. This new law did reduce the number of deaths among drivers, but owing to the feeling of a ‘safety blanket’ more deaths were being recorded among motorbike riders and pedestrians because drivers were becoming more reckless. This finding by Adams in 1995 also highlighted that the numbers in general were similar to those before the law had been passed. This theory highlighted that even though risk can be minimised, it is impossible to rule out certain key issues.

In contrast, scientific approaches to the study of disasters appear to suggest that all disasters should have causal agents and, further, that these could be identified and therefore prevented. Obtaining reliable data about incidents – in other words, learning through the experience of significant others – is often complicated by a number of conflicting accounts of events. Disagreements between those involved in responding to major incidents are notoriously difficult to reconcile and have become the subject of much media attention during public inquiries.

In conclusion, in answer to the initial question, the author has shown that BCM overarches the response to all naturally, accidentally or intentionally caused disaster or emergency scenarios. BCM is no longer just about minimising downside risks but also about allowing the organisation to recognise that human and social risks are important. It can be argued that it is good business for a company to protect its assets, to secure the necessary resources and to prevent the unthinkable or thinkable from happening. Organisations are also best advised to utilise simulation exercises to ensure that the best management processes are in situ to prevent any damage from occurring to the organisation.


References

Adams, J. (1995). Risk. London, UCL Press.

ASIS Business Continuity Guideline, http://www.asisonline.org

ASIS Business Continuity Management Systems: Requirements with Guidance for use, http://www.asisonline.org/guidelines/ASIS_Standards_Procedures.pdf

Borodzicz, E. (2005). Risk Crisis & Security Management. West Sussex, England. John Wiley & Sons Ltd.

British Standards Institute 2011. Business Continuity Management and Risk Management. The role of standards.

Chartered Management Institute 2011. Managing Threats in a Dangerous World, 2011 Business Continuity management Survey.

DRII, http://www.drii.org/associations/1311/files/glossary.pdf

Elliot, D. Swartz, E. and Herbane, S (2002) Business Continuity Management: A Crisis Management Approach, London: Routledge

Elliot, D (2006) The Handbook of Security: Disaster and Crisis Management. Hampshire, UK. Palgrave Macmillan

Fink, S. (2002) Crisis Management: Planning for the Inevitable, New England, USA. iUniverse Inc.

Gonzalez-Herrero, A. and Smith, S. (2008) Crisis Communication Management on the Web: How Internet-Based Technologies are Changing the Way Public Relations Professionals Handle Business Crises. Blackwell Publishing Ltd 16(3), 143-153.

Gill, M. (2006). The Handbook of Security. Palgrave Macmillan. P538.

Jarvis, R. (2010). Strategic Change. The Modigliani-Miller Proposition After Fifty Years and Entrepreneurial Finance, Volume 19, Issue 1-2, Pages 91-95, (Feb 2010) John Wiley & Sons Ltd.

Perrow, C. (1984). Normal Accidents: Living with High-Risk Technologies. New York. Basic Books.

Pettinger, R. (2007). Introduction to Management, Fourth Edition. Hampshire, UK. Palgrave Macmillan.

Reynolds, J.W. (2004). Business Continuity Management: Developing a process, Not Just a Plan. GIAC Security Essentials Certification (GSEC). Version 1.4b, Option 1, UK. SANS Institute.

Sjoberg, L. (1995) Explaining Risk Perception: An Empirical and Quantitative Evaluation of Cultural Theory. Rhizikon Risk Reports, Stockholm School of Economics.

Swartz, E., Elliot, D. and Herbane, B. (1995). ‘Out of Sight Out of Mind: The Limitations of Traditional Information System Planning’, Facilities, Vol. 13, No.9/10.

Toft, B & Reynolds, S. (1994) Learning from Disasters: A Management Approach. Butterworth-Heinemann, Oxford

Trist, E.L.& Bamforth, K.W. (1951). Some social and psychological consequences of Longwall method of coalgetting. Human Relations, 4(1).

Woodman, P. (2007). Business Continuity Management, London, UK. Chartered Management Institute. London, UK.

Turner, B.A. (1976), The organizational and interorganizational development of disasters, Administrative Science Quarterly, Vol. 21 No.3, pp.378-97.

Turner, B.A., Pidgeon, N.F. (1997), Man-made Disasters, 2nd ed., Butterworth-Heinemann, Oxford.


Copyright | © 2017 Stephen Langley

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.


About the Author

Stephen Langley is an accomplished Senior Security Professional and Brand Protection Manager, who has expertise in compliance related investigations. Stephen holds a degree in UK Law (LLB) that he attained from the Open University and a MSc in Security Management that he obtained from the University of Portsmouth and also various Leadership and Management qualifications.




Other Publications from Stephen

Langley S. (2016). ‘Insider Threat’ in M. Petrigh (ed.) Security and Risk Management: Critical Reflections and International Perspectives, Volume 1 (pp. 37-68). London: Centre for Security Failures Studies Publishing




Disclaimer

The opinions expressed in this Article are those of the author and do not reflect the opinions of the Centre for Security Failures Studies or its Editors or its Members. Neither the Centre for Security Failures Studies nor the author of this Article guarantee the accuracy or completeness of any information published herein and neither the Centre for Security Failures Studies nor the author shall be responsible for any error, omission, or claim for damages, including exemplary damages, arising out of use, inability to use, or with regard to the accuracy or sufficiency of the information contained in this Article.

