Each volume of Journal of Business Continuity & Emergency Planning consists of four 100-page issues both in print and online. Articles currently published in the volume are:.
Volume 17 Number 4
Operational resilience lies between operational risk and business continuity. This paper provides a view on the implementation of the operational resilience framework, and its relationship with operational risk and business continuity. It analyses the similarities and differences between these exercises and how management information from these exercises can be leveraged and aligned. The paper also provides answers to three important questions: (1) What pushed the international regulators to add additional oversight? (2) What benefits and challenges are brought by operational resilience? (3) Why is it important to harmonise operational resilience within the international regulatory landscape?
Keywords: operational resilience; critical functions; technology risks; third-party risk; systems disruption; contingency planning; AI; digitisation
Cyber attacks have a significant business impact, with the potential to escalate into crises if poorly managed. A recurring pattern is strategic dilemmas that cannot be resolved satisfactorily. Some dilemmas are more pronounced, others less so, and therefore often catch decision-makers unprepared, leaving only bad options for decision-making. Something that all dilemmas have in common is that the associated decisions can have a lasting impact on relationships with stakeholders. This paper introduces four recurring dilemmas; shows the typical considerations; lists options for mitigating these dilemmas; and describes the basic requirements for implementing mitigations. The dilemmas and options, in turn, are rooted in the organisation-specific design of: cyber security incident management and response; IT service continuity and disaster recovery management; business continuity management; and crisis management and communication.
Keywords: crisis management; crisis communication; strategy; cyber security; cyber attack; resilience
There have been a large number of masscasualty incidents in recent years, including climate change-related disasters, mass shootings, terrorist attacks, transportation accidents and a global pandemic. Communities, families and friends have suffered grief and loss, while nations continue to bear the scars of trauma. Disasters caused by acts with criminality, although necessarily managed by the police for the investigative aspect, must be planned for, and responded to with victim-centred practices by the police, local government and other relevant community stakeholders for the duration of the response and recovery. Inconsistency and confusion over terminology and language in emergency management can lead to a lack of understanding about which stakeholders or agencies should be engaged in, and responsible for different aspects of the planning, preparedness, mitigation and response to a community disaster — regardless of what type of disaster it is, and irrespective of the disaster being caused by a person or persons with ill-intent. This paper discusses how a wholeof- community and victim-centred approach to criminal act disaster response should be applied to support those persons most adversely affected by the incident. It also promotes the application of victim-centred practices to ensure that the needs of victims are regarded ethically, and with compassion following any disaster caused by an act of criminality. The term ‘mass victimisation incident’ will be introduced and applied through a case study.
Keywords: disaster; mass casualty incident; mass fatality incident; mass victimisation incident; victim; victimcentred approach
The impact of every crisis has the potential to cascade throughout an organisation’s operations, supply chain and market ecosystem. To properly understand and mitigate this ripple of dynamic risk, business continuity, security and risk management leaders need to know where to focus their attention. Looking at historical threat data provides a clearer picture of the risk landscape, helping leaders better anticipate and plan for the future. To date, however, there have been challenges in this process. As the volume of data about critical events continues to grow at an alarming rate, sifting manually through data puts organisations — and business continuity — in jeopardy. This paper discusses the value of historical threat data and innovations in data-mining technology that can unlock the true power of historical data for informed, strategic decision-making and better outcomes during a crisis.
Keywords: historical threat data; historical reporting; risk management; historical risk data; threat and vulnerability assessment; TVA; dynamic risk; data mining
Enterprise security risk management (ESRM) has continued to gain global acceptance as a management philosophy for the development and implementation of an enterprise-wide corporate security programme. As organisations continue to rebuild and recover from COVID-19, the value of assessing the resilience of an organisation through regular testing of its response to events has gained prominence. There are opportunities to link the development and implementation of a risk-based approach for designing a security programme, to assessing an organisation’s resilience to future events. Organisations can benefit from the complementary approaches of ESRM and organisational resilience once the commonalities are identified and embraced. This paper expands upon the ESRM management approach, linking the concepts of ESRM to the design of a resilient enterprise.
Keywords: enterprise security risk management; ESRM; organisational resilience; risk-based
Disruption to our daily business and functional lives is becoming more frequent, complex and costly. As leaders, what do we do with what we know, the support and tools we have, and our knowledge regarding the resources we need to acquire to navigate this disrupted world? One thing is clear: no one can do it alone. This is not a new concept — the ancient Greeks understood the power of the group. This paper argues that collaboration is the key to amplified knowledge, ability, energy, foresight and innovation, as there is obvious synergy when individuals, groups or organisations join together in a shared vision and with a dedicated purpose. This paper describes a process model developed by the Mid-Atlantic Center for Emergency Management & Public Safety to transform operational functions and spark quality engagement, the synergy of ideas and outcomes, and enhanced sustainability of purpose. This model uses a blend of new knowledge and experiences to build on collaboration models of the past, and has proven to be a success.
Keywords: engagement; collaboration; initiate action; organise for impact; sustain for success
Grey rhino risks are high-impact but seemingly low-probability risks that get shuttled to the sidelines, often due to a misguided hope that the risk will not materialise in the near term, so mitigation planning can be delayed or dismissed. As the author has argued previously in this journal, it is time to change the way we look at risks in order to reassess and re-prioritise our grey rhino risks. We must stop shrugging our shoulders and treating grey rhinos as 'unforeseeable' and therefore absolving ourselves from doing anything about them. The author's previous paper, ''Rhinos and risk assessments: Adjusting risk assessment methodologies to account for "unforeseeable' events"'1 provided a methodology for pulling grey rhinos into the spotlight, so that we can see them more easily and recognise that their high-impact status requires both acknowledging and planning for. The present paper takes the methodology a step further - demonstrating how to plan for grey rhino risks that have been identified. Rather than continuing to tag grey rhinos as 'unforeseeable', we can and must prepare our organisations for them.
Keywords: crisis leadership; crisis management; executing crisis; gray rhino; grey rhino; risk assessment methodology
Volume 17 Number 3
One of the many concerns of disaster recovery specialists is how to create disaster recovery scenarios, strategies and related solutions that meet the vision of management while building solutions for the critical business process within budget, with refined technical resources and operational and maintenance processes and procedures similar to those utilised in production. Rather than consider disaster recovery as a separate environment from production, this paper suggests that there are areas where the disaster recovery solution can map more closely to production solutions to better manifest the critical business process, avoiding the decreased sales forecasts and reputational impacts resulting from an outage. There is no magic here — just ideas for designing a solution and enhancements to the disaster recovery programme that may help to meet business expectations. A disaster recovery site based on similar production technical solutions and overall corporate IT vision can provide such benefits as: faster recovery time objective; faster availability of the data while maintaining data integrity; fewer manual procedures during switch/failover; ability to utilise similar resources to work both environments resulting in a smaller training programme; similar operational and maintenance processes and procedures; ability to switchover components rather than declaring disaster recovery; and an environment that supports production by running critical business process while production suffers an outage or requires maintenance. This paper provides readers with ideas to take back to their disaster recovery solution and how it manifests the critical business process during an outage.
Keywords: disaster recovery; business continuity; recovery time objective; recovery point objective; risk assessment; risk mitigation; business impact analysis; disaster recovery scenario; disaster recovery solutions
While organisational crisis theory posits a predictable set of stages involving pre-planning and preparation, acute crisis response, adaptation and recovery, the prolonged and cyclical nature of public-health restrictions related to COVID-19 presented new challenges for institutions of higher education and conditioned students, faculty and staff to adopt a crisis mindset as their baseline. Consequently, moving from crisis to recovery posed unique obstacles at both individual (eg anxiety, exhaustion and post-traumatic stress) and organisational levels (eg transition logistics, labour market changes and student preparation). This paper describes an effort at a large, urban, research-intensive university to directly address the evolution from pandemic crisis to recovery and future resilience. The University Resilience Project recruited a team of senior staff charged with identifying and adopting promising practices created during the pandemic and decommissioning or archiving less useful policies, procedures and activities, with a view to strengthening the university’s resilience. Over the course of more than 300 meetings with academic leaders, staff leaders and student leaders, team members created a space to share the experiences of COVID-19, reflect on successes and challenges over the crisis, and identify opportunities to enhance the resilience of the university. This work raised critical insights into the process of adapting to change in an institution of higher learning.
Keywords: emergency planning; higher education; crisis response; resilience
From 2017 to 2023, British Columbians experienced four record-breaking wildfire seasons, resulting in reduced air quality, mass evacuations and the destruction of homes, properties and livelihoods. Wildfire risk reduction is vital to breaking the sequence of disaster that has befallen such communities as Kelowna, BC in 2003, Ft. McMurray, AB in 2016, and Lytton, BC in 2021. As the City of Penticton (‘the City’) is located in a wildfire-prone environment, its Fire Department, FireSmart Team and Emergency Program have worked closely together to facilitate a proactive and comprehensive approach towards reducing the impacts of wildfire on Penticton’s neighbourhoods, businesses and residents through a variety of wildfire mitigation initiatives. This paper discusses the City’s efforts to achieve a holistic wildfire risk management plan through alignment with the seven disciplines of FireSmart and the four pillars of emergency management, namely: the use of education; land use planning and development considerations; vegetation management; emergency planning; and cross training and interagency cooperation. The paper describes the challenges the City has faced, as well its successes, and provides recommendations to help other local authorities reduce the risk of wildfire in their communities.
Keywords: wildfire; FireSmart; wildfire risk reduction; wildfire and emergency management; wildfire and fire services
Continuity of operations for government is an evolving philosophy, much like exercises and after-action reports. Continuity continues to identify areas for growth and improvement as more people become involved in the conversation. This paper briefly describes the evolution of continuity in the USA and its application in the State of Texas. Moving forward, it discusses the application of the concept of ‘whole community continuity’ as the driving force of the Continuity Council in Texas, which focuses on preparedness at all levels, from individuals to private industry, to all levels of government.
Keywords: continuity of operations; continuity of government; business continuity; whole community continuity; cross-sector collaboration
Emergencies intensify existing vulnerabilities and create new ones for people in their impact areas. In the case of transportation, for example, disasters have the capacity to isolate individuals from the services on which they rely not for only their health and wellbeing, but for their very lives. This paper discusses the Regional Alliance for Resilient and Equitable Transportation (RARET) — a coalition-based model created to address non-life-saving transportation coordination needs during emergencies. RARET focuses on the provision of lifesustaining transportation, serving vulnerable individuals who may require first-responder assistance if their unaddressed needs remain unmet. Using examples from the COVID-19 pandemic as well as seasonal and regional disasters, the paper highlights how leveraging a coalition built to break down the sector and geographical silos leads to better outcomes for the public and bolsters regional resiliency. The paper underlines how the novel nature of RARET delivers ongoing process improvements via a new emergency transportation provider network. Lastly, the paper suggests methods to adapt this model to other jurisdictions.
Keywords: transportation; coalition; emergency; accessibility; mobility; disability
Superapps (ie apps that integrate the features of multiple applications for a more convenient user experience) have become pervasive among Internet users. This case study examines a recent disruption to one such application: KakaoTalk — the most widely used messaging application in South Korea. Specifically, the case study examines a fire incident at the SK C&C data centre, which caused an extended outage for one of South Korea’s leading tech companies — Kakao Corp. The review of this event reveals how ineffective disaster readiness resulted in inadequate fire response, leading to serious ripple effects across the data centre. During the outage, cyber-security threats rose. As a result of these disruptions, Kakao users turned to competitor apps, resulting in changing market dynamics. This case study highlights the unforeseen costs and socio-economic influences caused by such interruptions, highlighting the importance of holistic risk management strategies.
Keywords: service outage; data centre; critical infrastructure; business continuity; risk management; resilience
Volume 17 Number 2
The Maryland Department of Emergency Management was established in October 2021 after decades of reorganisation and relocation within state government. The elevation of the agency from under the Maryland Military Department to a cabinet-level department was a result of years of partnership building with stakeholders as well as two significant external pressures: the COVID-19 response and the interest in improving 911 delivery through the implementation of next-generation 911 technology. This case study examines the history of emergency management organisation in Maryland and highlights lessons learned and best practices for emergency managers seeking to elevate emergency management from a subagency level to a cabinet level or direct report to the highest elected official.
Keywords: emergency management; disaster management; public administration; organisational management; organisational leadership; government
Among the most vulnerable facilities to tsunami impacts are ports, harbours and marinas. The ability of maritime infrastructure to withstand a disaster and resume operations quickly plays a major factor in the recovery of the local community and economy in the short and long term. Despite this, little established guidance exists to assist the maritime community with addressing their tsunami risk in an actionable, site-specific manner. To close this gap and improve the resilience of its maritime community, Washington State has begun developing tsunami maritime response and mitigation strategies for major ports, harbours and marinas along its 3,200 miles of coastline. These strategies include detailed information about the location’s specific tsunami risk, recommended guidance for vessel operators in the area, and tsunami mitigation and response recommendations ranked by their implementation feasibility for the maritime entity in question. Most importantly, the strategies are created through close collaboration with local key stakeholders, subject matter experts, local emergency management and state agencies to ensure a final deliverable that is accurate, thorough and, above all, useful to the local maritime entity and its tenants and users. As this paper will discuss, the lessons learned during the planning and delivery of these strategies provide valuable insight for professionals in the maritime, business continuity and emergency management fields, including how to conduct effective and inclusive stakeholder engagement, identify gaps and opportunities in resilience planning, and establish a deeper understanding of tsunami maritime risk and hazards.
Keywords: maritime; emergency management; mitigation; response; stakeholder engagement; tsunami
This paper discusses how the experience and skill set developed within the field of business continuity management (BCM) provide a strong base from which organisations can leverage value in areas not traditionally considered within the remit of BCM. In particular, the paper examines the topic of climate-related financial disclosure, an important area that is gaining traction with investors and therefore senior executives too. Although, in itself, it is not an incident or event, this new area of focus has the potential to impact a company’s ability to thrive and prosper. This paper will discuss how the recommendations of the Financial Stability Board’s Task Force on Climate-related Financial Disclosure strengthen an organisation’s business continuity programme strategy, as well as sustainability objectives, by enabling executive-level conversations about the organisation’s operational and financial resilience, as well as actions with a positive outcome for the environment that will lead to competitive advantage. This paper argues that by facilitating these discussions, BCM helps to establish organisational priorities and develop specific action plans that can be validated through exercising.
Keywords: BCM; business continuity; enterprise risk; ESG; sustainability; disclosure; financial reporting
The Pacific Northwest heat dome of 2021 exposed the need for increased planning and response measures by local governments, and the value of collaboration in preparedness, planning and response to extreme heat events. Recognising that extreme heat is becoming an increasingly significant threat, the City of Victoria has taken steps to improve its response to future events with a focus on developing strategies that provide resources and support to those most vulnerable in the community. The Province of British Columbia and regional health authorities have since provided crucial direction, resources and expertise to municipalities to support response effort for extreme heat events. In recognition of the vital role of community involvement in adaptation planning, the City of Victoria is taking proactive measures to engage its residents in the development of adaptation strategies and disaster risk reduction measures. Building on the lessons learned from the 2021 heat dome and climate change projections for the region, the City is fostering close collaboration with local businesses, nonprofit organisations and community groups to strengthen efforts and ensure that those most at risk are well prepared. The experience in Victoria offers valuable insights and strategies for other municipalities seeking to develop effective disaster risk reduction and climate change adaptation strategies based on best practice for planning and responding to extreme heat events. This paper provides a case study of how the City of Victoria responded to the 2021 heat dome, the lessons learned, the practices that were adopted for future heat seasons and how working alongside the community will strengthen Victoria’s resilience to the changing climate conditions.
Keywords: emergency response; climate change adaptation; disaster risk reduction; community-based adaptation; extreme heat events; heat dome
This paper discusses ResilienceDirect — the UK’s strategic resilience platform for response and information sharing, designed to support the multi-agency aspects of emergency response. The paper will focus on the functionality of the system as well as the related challenges. The paper identifies a set of recommendations for addressing the challenges to improve usability and uptake. The recommendations will consider best practices from other multi-agency response platforms and feedback from ResilienceDirect users.
Keywords: ResilienceDirect; interoperability; emergency response; resilience; JESIP; communications
With the rise of climatic concerns and cybersecurity incidents comes the expectation that investments are made in business continuity measures. This expectation has legal teeth from the perspective of shareholders as well as regulatory bodies, contracting attorneys, vendors and supply chain entities. This paper explores the use of US legal system as a tool for enforcing liability and action from decision makers like the board of directors and C-suite officers, as well as between the parties of contracts. Shareholder derivative lawsuits, which occur predominately in the USA but have, as recently as 2020, started to include foreign-owned businesses, and breach of contract claims are two of the more prominent issues with business continuity tie-ins. This paper intends to arm the business continuity professional with a knowledge base about legal liability for failure to have a business continuity plan, an understanding of how disasters and disruptions will excuse the full performance of a contract and an ability to determine proper courses of action with respect to supply allocation after an incident.
Keywords: business continuity; shareholder derivative; force majeure; fiduciary duty; breach of contract; board of directors; cyber security; preparedness; supply allocation
This paper emphasises the importance of — and the complexity inherent in — the navigation of regulatory oversight and legal requirements in the area of electric utility performance. With a particular focus on utility companies in New York State, it discusses recent measures taken to adapt to the changing demands of regulatory compliance.
Keywords: regulatory compliance; emergency planning; emergency management; electrical utility infrastructure; legal requirements
Volume 17 Number 1
This paper explores the growing dependency of organisations on suppliers and the importance of supplier relationship management (SRM) in achieving sustainable competitive advantage. It highlights the various reasons organisations engage with suppliers, including accessing specialised expertise, cost savings, flexibility, risk mitigation and improved quality. The paper emphasises the need for organisations to adopt best practices in SRM to enhance their resilience to disruptions, particularly those caused by cyber attacks. It introduces a threat assessment process for organisations to evaluate the potential impact of supplier disruptions and proposes strategies for improving resilience through collaboration with suppliers. The article also discusses the significance of data sharing between organisations and suppliers, outlining different channels and methods for secure data exchange. It addresses the risks associated with data sharing, such as breaches, intellectual property theft, compliance violations and loss of control. Additionally, the article examines the impacts of supplier disruptions on organisations and emphasises the importance of establishing clear guidelines and policies for data sharing. It concludes by presenting a threat assessment process for supplier disruptions due to cyber attacks, including identifying critical suppliers, conducting risk assessments, analysing findings, developing mitigation strategies, implementing strategies and conducting ongoing monitoring.
Keywords: supplier disruption; supplier relationship management; supplier resilience; extreme disruption; cyber attack
The US Federal Emergency Management Agency (FEMA) National Exercise Division (NED) leads the nation in validating the capabilities of the whole community in support of the National Preparedness System. In response to the increased threat of climate change, the NED has developed new resources to help communities increase preparedness for severe weather and natural disasters in the long term. This paper provides an overview of two such resources to help communities identify and prepare for climate-related events: the Long-Term Community Resilience Exercise Resource Guide (ERG) and the Climate Adaptation Exercise Series (CAES). These resources help communities develop and conduct exercises to increase their climate literacy, develop climate adaptation and mitigation plans, and leverage data on future climate conditions to inform decision-making. Exercises provide an opportunity for communities to build resilience by discussing and better understanding climate change and to plan for, adapt to, and mitigate the associated risks and hazards. The ERG provides guidance, tools and resources, and the CAES provides a consistent framework that FEMA regions can tailor to address unique, region-specific climate concerns. The results collected from these exercises, in turn, identify strengths to leverage and areas to improve, informing plans of action for a path forward for the next 20, 30 and 50 years.
Keywords: adaptation; climate change; exercise; preparedness; resilience
The process of measuring the overall maturity of a disaster recovery programme can be accomplished by measuring the maturity of the individual processes that make up the programme, and then looking at the results in aggregate. For each process, two aspects require particular attention: the maturity of the process itself, and the extent to which the process is utilised through the organisation as a whole. This paper discusses the process of measuring process maturity, and outlines a practical methodology for applying that process to the appraisal of disaster recovery programmes. It discusses the importance of looking at how widespread different disaster recovery processes are in the business, and outlines a practical approach to conducting programme appraisals.
Keywords: disaster recovery; maturity; assessment; metrics; measurement; programme improvement
Given the numerous active shooter and hostile events (ASHE) happening each year, it is important for fire and emergency medical service (EMS) agencies to share the lessons learned from such events. This paper discusses the elements needed for an effective fire and EMS response, beginning with the unified command/collaboration approach with law enforcement that allows for the proper management of such events. The article further defines the command and control elements, as well as the proper staffing and actions needed from fire and EMS to remove, triage, treat and transport victims effectively.
Keywords: active shooter; unified command; rescue taskforces; ASHE; mass casualty
This paper describes how Hurricane Ida exposed gaps in emergency preparedness planning and coordination in New Orleans, particularly related to the health and safety of the residents of multi-storey independent living facilities designated for seniors and persons with disabilities, where at least ten lives were lost due to the power outages and extreme heat that occurred following the storm. As this paper discusses, New Orleans Health Department leaders responded by taking swift policy action, working with the mayor, city council and community stakeholders to ensure better coordination, preparation and accountability for owners and operators of certain independent living facilities. The article recommends that states and localities with individuals living in independent living facilities should consider similar policy interventions as part of their disaster cycle planning activities.
Keywords: emergency preparedness; public health; independent living facilities; access and functional needs
This paper discusses how Carnegie Mellon University launched a cyclical enterprise risk management framework that incorporates both emergency preparedness and response and business continuity into its purview, to deliver greater organisational resiliency. The paper goes on to describe the governance structure that defines roles and responsibilities throughout the organisation, before discussing how faculty, staff and students are engaged and educated to sense risks, and to collaborate with leadership at all levels in prioritising risks for deep-dive assessments and employing feedback loops to support continuous process improvement. As the paper will show, these cyclical practices support organisational resiliency and a greater sense of risk consciousness.
Keywords: enterprise risk management; organisational resiliency; business continuity planning; business impact analysis; three lines of defence; feedback loops; risk consciousness; risk sensing; risk assessment; risk prioritisation; risk profiles
This paper outlines the context of emergency management in Canada and identifies some of the key factors that have contributed to public emergency preparedness initiatives reaching a saturation point. Readers will gain insight and actionable suggestions from the proposed Community Resiliency Framework. Readers will learn how emergency management agencies can engage and collaborate authentically with communities and leverage existing preparedness initiatives with new methodologies to increase community resiliency.
Keywords: community; resiliency; trust; engagement; collaboration; empowerment
As rapid inflation, continuing supply chain disruptions and the war in Ukraine impact petroleum prices worldwide, fuel supply disruptions have become an increasing concern. This paper describes Washington State’s geographical, political and organisational context as it influences fuel disruption planning, as well as the history and philosophy of Washington’s fuel-planning programme. Finally, the paper discusses planning best practices and gives some examples of their real-world use.
Keywords: fuel; disruption; emergency; planning
