Way Greg - BCM - Final

Emergency Planning and Business Continuity Management and how they relate to and may be integrated with Security Risk Management 20th August 2010 Gregory Way


Emergency Planning and Business Continuity Management and how they relate to and may be integrated with Security Risk Management

20th August 2010

Gregory Way


Abstract

This essay will seek to examine how Emergency Planning and Business Continuity Management are related to and may be integrated with Security Risk Management.

In today’s business world, all organisations face some degree of risk to their assets. Failing to identify and mitigate these risks will have a serious effect on an organisation’s success, leaving them vulnerable to the multitude of threats they face.

Security risk management is a significant contributor to any organisation’s risk management framework. Businesses have a moral, corporate and legal responsibility to manage the risks to their employees and other assets, and any risk mitigation measures should be complemented by contingency plans such as emergency planning and business continuity management.

These functions share similar and parallel activities that have already been looked at by other areas of business risk. These synergies need to be recognised by the organisation, as functioning in isolation could result in wasted resources. With effective communication, co-operation and co-ordination, these three disciplines can be effectively integrated within a wider risk management framework.

A positive approach to building resilience demonstrates to stakeholders, customers and suppliers that a business is proactively mitigating risk and fully prepared for disruption, recovery and return to normal business operations. This enhances reputation, adds value to the organisation and allows it to take advantage of opportunities to gain the competitive edge and ultimately increase profits.

As well as being complementary and synergistic, security risk management, emergency planning and business continuity management are crucial functions to the continuing success of an organisation and an essential part of any resilience strategy.


All businesses have a reason for existing. Whether it is to buy and sell products or provide a service, businesses cannot afford serious disruption, interruption or the destruction of their capabilities (HM Treasury, 2004). In order for organisations to succeed in today’s fast-paced business environment, they must fully analyse the multitude of risks that they face and plan accordingly in the event that those risks are realised, turning unplanned events into planned responses. This will enable organisations to survive, reassure stakeholders and safeguard their reputation and brand name. This essay will seek to examine how the disciplines of Emergency Planning (EP) and Business Continuity Management (BCM) relate to and may be successfully integrated with Security Risk Management (SRM).

This essay begins with a brief description of the individual disciplines and then continues with their relevance to the modern organisation and how EP and BCM are related and linked to SRM. The essay will then move on to the key points of how Emergency Planning and Business Continuity Management can be effectively integrated with Security Risk Management, the benefits and detrimental effects of integration, common misconceptions of these functions and their relevance to the security industry.

In order to understand the disciplines of Emergency Planning, Business Continuity Management and Security Risk Management, it is necessary to briefly describe the principles behind them.

The management of security risks is one of several risk management disciplines. It identifies the critical assets that need protecting, then identifies and assesses both the threats to those assets and any existing vulnerabilities, before assessing the overall risk and recommending cost-effective measures to mitigate risk to those assets. SRM is an ongoing process, as the business environment is constantly changing, producing new threats and risk exposure.

Emergency Planning is often referred to as Crisis Management Planning or Incident Planning. The U.S. Federal Emergency Management Agency (FEMA, 1993) defines Emergency Planning as “the management process of anticipating and preparing for emergency situations, thereby allowing a timely response that will mitigate the effects and allow an organisation to recover”. EP is a set of first aid response actions. It does not represent a failure of risk management, as risk cannot be totally eliminated and emergencies or crises will occur at some time or another during an organisation’s lifetime.

An effective BCM strategy will allow an organisation to continue providing its critical functions and processes after a disruptive event, from crisis to major emergency, through effective planning and managed procedures. Recovery and restoration after a disruption may continue for days, weeks or even months. Phillip Wood (2008) wrote that “Risk Management, Emergency Planning and Business Continuity Management are complementary and synergistic”. He goes on to say that “the planned and successful combination of all 3 is essential for the ability of any major organisation to survive and continue its operational functions”.

So why are these three disciplines relevant to the modern organisation? In the financially challenging and highly competitive world of business, an organisation requires effective risk mitigation measures for all of its business functions, whether they be financial, security or reputational, to protect itself from the various threats that it faces, whether they be actual or conceptual. These risks are dependent on the corporate culture, sector of business and geographical location. Organisations will take their own unique steps to defend against the potential threats that confront them (Lyons, 2009).

However, emergencies, crises and incidents do occur from time to time as risk cannot be completely eliminated, so contingency measures need to be planned, implemented and managed in order to make an organisation more resilient to change brought about by any disruptive event. In the words of Charles Darwin, “It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change” (Brainyquote, 2010). Survival is critical after any major disruption, whether it be to the business itself or to a customer or supplier. For example, a reputation may take decades to build up but only a very short time to damage if plans are not put in place to deal with crisis, recovery and the return to normal operations.

Organisations have a corporate responsibility to ensure that everything so far as reasonably practicable has been done to ensure the security of their assets in line with corporate governance and legislation. One aspect of corporate governance is its system of internal control. The Turnbull Report (1999) stated that “the prime objective of the report is to establish a system of risk management and internal controls in order to safeguard shareholders’ investments and the company’s assets” (ACAA, 2000). This includes identifying all sources of risk, evaluating their significance and managing each risk to reduce probability of occurrence.

These three disciplines are more relevant today during a period of recession, where businesses make cutbacks and the threat of unemployment increases the risk of asset theft and workplace violence. The morale of employees can be severely affected by rumours of cutbacks and job losses, whether internal or within the media. Both customers and suppliers may suddenly disappear due to cutbacks or bankruptcy. A business’s own cutbacks, especially in maintenance costs, can cause equipment failure and disruption (Bell, 2009). This is why, especially in today’s climate, EP, BCM and SRM are so important. To become effective, though, they need to be complementary and synergistic and not function in isolation from each other. Within many organisations EP, BCM, SRM and other areas of risk management are insular disciplines, referred to by some security practitioners as operating within ‘silos’, separated, covered and obscured from each other when they should in fact be complementary functions.

How do the disciplines of Emergency Planning and Business Continuity Management relate to Security Risk Management? Firstly, there has to be some form of wider risk management framework, as security risks are just one aspect of risk faced by the modern organisation. The security function cannot in isolation manage or advise on all of these operational, strategic or financial risks. It simply does not have the knowledge or the experience to take the lead on all types of business risk or carry out risk assessment across the entire business spectrum. Both emergency planning and business continuity management require input from other areas of the business, not just from the security function, although it is a very important aspect of the risk management framework within any organisation.

A benchmarking survey and white paper by ASIS entitled ‘Enterprise Security Risk Management: How great risks lead to great deeds’ (2010) asked Company Security Officers in the USA the question, “what terminology is used in your organisation for risk management”. More than a third of Chief Security Officers (CSOs) replied that their program was called Enterprise Risk Management! The survey also stated that most CSOs describe this risk management approach as invaluable to their organisations.

Enterprise Risk Management (ERM) is a holistic approach to the management of risk within an organisation where the traditional barriers of insulation are broken down, because if the risk programmes are managed in isolation it could result in gaps or wasted resources through overlaps (Oldfield, 2008). ERM is a management decision-making framework for the identification and assessment of all risks that face an organisation, risks that could potentially affect the brand name or impact on reputation. Documenting risk assessment from all disciplines creates a risk profile. Those risks can then be prioritised and strategies implemented to mitigate them. The organisation’s management will decide on risk budgets for managing these strategies, requiring careful monitoring to ensure that the correct amount of resources is allocated to those risk strategies and the correct decisions are made. All facets of an organisation should play a part in the identification of risk. “In the battle of risk, doesn’t it make sense to have a whole army on your side” (Osborne, 2007).

Many of the aims and objectives of Emergency Planning and Business Continuity Management are similar and complementary to those of Security Risk Management. The British Standards Institute 2009 whitepaper entitled Business continuity management and risk stated that “BCM is an integral part of an organisation’s risk management strategy” and that “business continuity has developed from security and emergency/crisis management arrangements”.

Giles (2010), quoting British Standard 25999-1, stated “A business continuity programme may reside in many areas of an organisation dependent on its size, scale and complexity (...) that proactively improves an organisation’s resilience against disruption”.

Business continuity management is a fairly young discipline, so is it subordinate to risk management in general or vice versa? In a recent article, Power (2010) observed that many BCM practitioners believe that risk management is subordinate to BCM. “This is still the view of the Business Continuity Institute, but BCM is considered subordinate to risk management in every boardroom I’ve ever been in”. Perhaps co-ordination and co-operation between the functions would be more effective than subordination.

Organisations who implement BCM have to place ownership of this resilience strategy somewhere within the business. The responsibility may already lie within the security function; however, an annual survey by the Chartered Management Institute entitled Disruption & Resilience showed that the top three stakeholders in business continuity planning were Human Resources, IT and Risk Management. Only a small percentage of businesses have dedicated BCM practitioners. Risk managers came in 4th position with the security function in 6th place on the stakeholder list (Woodman & Hutchings, 2010).

Only 49% of organisations in the UK have specific business continuity plans in place, with large organisations twice as likely to have them as small businesses (Woodman & Hutchings, 2010). For enterprises looking to implement a framework for building organisational resilience, many aspects of business continuity management planning are already related to SRM. One can see that both disciplines have key roles; however, consideration should be given to conducting business continuity planning in conjunction with security risk management, saving on resources as some of the required groundwork has already been carried out.

BCM requires the identification and analysis of risks faced by the organisation and well thought out strategies to mitigate those risks. This is carried out by means of a business impact analysis. The security department should therefore be the first stop for BCM practitioners, as many of the risks facing an organisation’s assets have already been assessed, including the impact of a loss event in terms of time and cost. After all, contingency planning is a risk treatment, one of the processes of risk management and an integral part of corporate governance (Hiles et al, 2007 p.94). Both discipline practitioners should compare the results of their analysis, as this may be highly beneficial to both parties as well as being essential in building a good working relationship.

In conducting his own risk analysis, the security risk manager would have effectively forged strong links within the organisation, having spent time with key decision makers, influencers and stakeholders within other departments and disciplines. These relationships are vital, as those persons can provide support with security risk management business cases and proposals. The BCM stakeholders also require a similar understanding of the organisation, its mission, goals, vision and objectives in order to effectively plan for business continuance in the event of disruption. The security risk manager will have a good understanding of a business’s critical assets and processes, so the BCM practitioner should take advantage of this knowledge during the planning stages. The security risk manager may be heavily involved in the planning, implementation and testing of emergency or crisis response procedures. The security function has traditionally played a key role during emergencies and crises by controlling access, preserving evidence, securing property and assisting the emergency services when required. Again, the BCM planner should engage the SRM practitioner in order to share the common aim of the continuance of critical operations after the initial stages of a disruptive event.

Another area where SRM and BCM share common ground is in the exercising and testing of existing drills and procedures in response to emergencies and crises. Business continuity plans also require regular testing and exercising to similarly ensure the plans work, that personnel are aware of their responsibilities and that infrastructure is in place to ensure continuance of operations. There is no reason why an emergency response exercise cannot include elements of the business continuity plan. This will reduce lost working time and man hours, and any debrief will benefit both functions by ensuring that plans to deal with a short term emergency response and longer term recovery and restoration are seamless. Policies implemented by the security risk manager require support from senior management. This is also a requirement for business continuity management, to ensure that both functions have the support of the organisation’s executive players. In order to communicate an awareness of the security policies and subsequent plans and procedures to all employees there is a requirement for some formal training and education. This communication method of security awareness, along with printed literature, goes a long way to the development of a successful security culture within an organisation. What better way to make employees aware of the business continuity framework that is in place within the enterprise and highlight their role and responsibilities within it, making BCM another discipline important to the culture of the business? (Giles, 2010)

These are just some areas where BCM is already related and complementary to SRM, but what about emergency planning and its relationship to SRM? Any enterprise or organisation, no matter the size, has critical assets. These assets need to be protected from those man-made or natural threats that could cause damage, harm, loss or denial, resulting in a crisis or emergency.

Section 1 of the Civil Contingencies Act (CCA) 2004 defines an emergency as “An event or situation which threatens serious damage to human welfare; an event or a situation which threatens serious damage to the environment; or war, or terrorism, which threatens serious damage to security” (OPSI, 2010). From this definition it is clear that traditionally, security has very strong ties in protecting assets prior to and during emergency and crisis situations and is often regarded as a natural location for leadership during these events. The emergency or crisis response process brings the right people together to manage the incident, which will include members of the SRM discipline.

There are several areas of emergency planning closely related to areas of security risk management. EP requires the backing of senior management before plans are implemented to ensure a top down approach. A planning team needs to be organised to include key stakeholders such as the security risk manager and representatives from disciplines such as legal, health & safety, HR, IT, corporate affairs and finance in order to consider and agree on all elements of emergency response, whether they be life or reputation threatening events. As with BCM, the security risk management function cannot in isolation manage and co-ordinate the emergency organisation without input from other key stakeholders. However, although there are other crucial stakeholders in emergency planning, the SRM element is a constant in all emergency and crisis events. Even during a minor reputation threatening event, SRM will play a vital role in preventing secondary negatives that may affect reputation or brand name. As with BCM, analysis already conducted by the SRM team will be invaluable to the emergency planning team. Threat specific information, along with the analysis of likelihood and consequences of potential emergency events on people, property, material and information will be invaluable. Emergency response procedures and employees’ roles and responsibilities within those situations need to be clearly communicated and can be combined with security, BCM and health & safety awareness training.

To be effective, emergency plans need to be exercised and tested, a legal requirement in most countries. Training drills and scenarios involving a security related incident will test emergency response and highlight any shortfalls in the planning stage and, as previously mentioned, can be combined with BCP exercises to ensure response continuity (FEMA, 1993).

Effective business continuity is often reliant on those same people who plan for response actions after a disruption, and emergency or crisis management plans will be an integral part of the business continuity plan and overall resilience. Stakeholders of both emergency / crisis and business continuity planning therefore have a vested interest in the activities conducted by the security risk management function. Through effective co-ordination and co-operation both areas of contingency planning can draw on the analysis conducted by SRM and the wider risk management family to ensure effective resilient strategies are developed and implemented.

As has already been shown, there are many parallel activities and commonalities shared by EP and BCM that relate to those of SRM. Many of the aims and objectives are very similar and complementary. The reduction in company budgets during the current financial climate, especially in the area of security, would suggest that the integration of these functions is a way forward (Charters, 2010).

Organisations face a broad risk spectrum. Keeping these risks at bay is a fundamental aspect of success. Creating separate functions that work to their own agendas runs the risk of becoming less efficient and effective and reducing business opportunities, not creating them (Power, 2010). Creating a synergy between these three functions and effectively linking them together to produce a corporate resilience strategy requires communication, co-operation and co-ordination.

Communication between the disciplines’ representatives and senior management is imperative to ensure ‘buy in’ and support for what they are trying to achieve in creating resilience. They also require the commitment of other business users. Without commitment, plans will gather dust, are not updated to reflect change and will hardly ever be tested (Osborne, 2007).

Inter-departmental relationships are very important, and making each area of the business aware of what the other does will increase knowledge in other areas of risk management. This is particularly important for organisations who have adopted an ERM framework and will in time change the attitudes of differing risk management practitioners and break down the barriers of insularity. Emergency, crisis and business continuity planners will benefit from a synergistic risk management framework whose practitioners are willing to communicate with them. Effective communication will ensure that employees understand what SRM and the wider risk management functions are trying to achieve; the relevance of EP in dealing with crises and how BCM will endeavour to continue operations in the wake of a disruption.

Employees can also be made aware of their personal roles and responsibilities in regards to security, crises and the recovery and return to normal operations. This can be achieved through effective combined induction and awareness training as well as exercising and practice drills. Combining training and awareness will also save on valuable resources.

Co-ordination between the disciplines is vital in ensuring the correct people are available during disruptive events so that any event can be dealt with effectively. All three functions can co-ordinate and take part in a combined emergency response and BCP exercise or cost effective desktop exercise that will benefit all concerned and provide feedback to improve plans. In the words of Winston Churchill, “However beautiful the strategy, you should occasionally look at the results” (Brainyquote, 2010).

Faced with limited resources in the current financial climate, co-ordination will ensure that optimum responses are achieved to prevent any duplication in the analysis phases common to all the disciplines and that only cost effective solutions are adopted and resources allocated appropriately. Co-operation between functions and the sharing of information is imperative. Business opportunities, for example, can create a gain but also introduce new risks. Such information will assist the functions in preparing to mitigate those risks and have contingency plans in place if the proactive measures fail. Organisations need to co-operate with local authorities and first responders to ensure that they are familiar with the security measures and emergency responses that are in place and offer liaison visits to familiarise those who will be called upon to respond to an emergency event.

These are just a few ways in which EP and BCM can be integrated with SRM and a wider risk management strategy to create an effective resilience strategy.


The benefits of integrating EP and BCM with SRM and a wider risk management framework are plentiful and far outweigh the detrimental effects. This strategy towards resilience is a positive selling feature and encourages communication, co-ordination and co-operation, breaking down the traditional silos normally associated with insular disciplines. Although not a legal requirement, integration shows compliance with national and international standards and fulfils moral, corporate and legal obligations by reducing exposure to liability and litigation. By implementing risk mitigation strategies and contingency plans an employer has ensured so far as is reasonably practicable the safeguarding of employees and other assets as well as critical functions and processes. This assurance will give a sense of security and confidence and go a long way to increased productivity and may also reduce insurance premiums. Resilience will prove to customers, insurers and investors that a business is robust enough to cope with disruption, crisis or emergency – possibly giving them the edge over their competitors. Being prepared for both the static and dynamic risks that arise as the result of taking opportunities will enable an organisation to operate in environments that their competitors cannot (Power, 2010).

This proof of resilience is often a pre-requisite in the bidding process associated with some business opportunities. The end result is an enhanced reputation, image and credibility as a market leader and a preferred customer, adding overall value to the organisation.

To every benefit there are detrimental effects. For example, traditional practitioners of the various disciplines may feel alienated by integration and averse to a wider risk management strategy such as ERM and may find it difficult to adjust to the change. Without the support of senior management the whole resilience programme may fall apart and the incorrect allocation of resources to the differing risk management areas may create risk. However, effective communication, co-operation and co-ordination will go a long way to mitigating the negative effects that may be encountered by any organisation implementing a resilience strategy.

As has already been discussed, the effective management of risk is a requirement of corporate governance, fulfils corporate responsibility and assures stakeholders. The preparation of contingency plans to deal with any crisis, recover and return operations to normal is essential for any organisation to survive. However, there are some misconceptions over these programmes that provide resilience to business assets and operations.

Osborne (2007) referred to one of these misconceptions, “they are only for large businesses, it means more compliance, red tape and bureaucracy”. Other misconceptions include the lack of tangible results. These functions may not make money directly but they will certainly add value to an organisation and will allow them to take advantage of opportunities because they have the framework that has managed risk and planned to deal with any disruptive events and their aftermath. Security risk management, emergency planning and business continuity planning are relevant for all sizes of business, even more so for small enterprises who may not recover at all after a major disruption.

Is financing these functions difficult to justify during a time of economic uncertainty? In order to put justification into perspective, attention should be paid to events caused by major fire, terrorism and weather that regularly affect business enterprises. According to an article by Continuum Insurance Brokers (2010), 20% of all businesses will suffer fire, theft, flood or storm damage, power failure, terrorism or IT failure as no risk can be fully eliminated. 40% will never re-open and 80% of those organisations without contingency plans will fail within 13 months. According to the CMI 2010 BCM survey, only 49% of businesses have a business continuity plan, only 27% have a dedicated contingency budget and only 29% of small businesses have plans in place to deal with disruption if risk mitigation measures fail (Hutchings & Woodman). These statistics show how important security and other risk management functions are, coupled with effective contingency planning to provide corporate resilience.

What is the relevance of this integration to the Private Security Industry? The security risk management professional is tasked with the protection and safeguarding of an organisation’s assets but more often than not they already have responsibilities in other areas such as reputation, corporate governance, corporate social responsibility and information assurance (Briggs & Edwards 2006). They have a vital role in enabling a business to take risks and have contingency plans in place to mitigate the consequences when things go wrong. In order to do this effectively the security risk manager needs to move away from the old assumption that security is a dis-enabler to business. The security function must be capable of convincing senior management that they are an integral and vital element of the business and play an extensive role within the risk management framework.

To do this, the modern security risk manager needs to be articulate, an excellent communicator, able to manage internal departmental relationships to ensure co-operation and co-ordination. There needs to be a strong understanding of the business culture, the mission, the aims and goals of all disciplines within the organisation so they can be accepted as a core business function. These business skills coupled with interpersonal skills will convince other business users that they are no longer an isolated function with an old fashioned fortress mentality, therefore enabling business. In his 2004 article entitled ‘The Architects of Security’, Alex Chambers wrote that the security function “creates a safe, secure, efficient corporate environment that contributes to any company’s success and corporate image”. The versatility of the modern security risk manager shows that they are not just security professionals but business men who are able to make a valued contribution to mitigating complex security risks, align security with business to keep pace with an ever changing environment and play a crucial role in the development and implementation of contingency planning, adding overall value to any business.

Conclusion

This essay has shown that SRM, EP and BCM are vital disciplines to any

organisation in the highly competitive world of business. Faced with a broad

spectrum of risks from both man-made and natural threats, mitigating

strategies need to be developed and implemented to increase the resilience

of an organisation. SRM on its own cannot take the lead on all facets of

business risk, but it does play a crucial role in the protection of assets and is a

key element in resilience.

EP and BCM are also significant contributors to overall resilience by providing

a response to a disruptive event, whether it be a crisis or emergency, followed

by recovery and return to normal business operation. The EP and BCM

disciplines have many similar aims and objectives that run parallel to that of

SRM, such as the analysis of what could go wrong and what the

consequences would be and how the impact could be mitigated. Both EP and

BCM require commitment from senior management, knowledge of the

organisation, testing, exercising and employee awareness. All of these

common activities have already been conducted by the SRM. Working

together during the planning stages will save on valuable resources and

ensure the foundation of a professional relationship and appreciation of what

each function is trying to achieve.

Integration of these disciplines can be achieved by communication, co-operation

and co-ordination to break down the barriers of insularity or silos

that they often work within. This can ensure that resources are allocated

appropriately to provide cost effective solutions.

The successful integration of EP and BCM with SRM will bring many benefits

such as fulfilling corporate and legal obligations in line with corporate

governance and giving assurance to stakeholders. It will enhance reputation

and credibility and add value to the organisation. Integration may alienate

old-school insular discipline practitioners who may be unable to adjust, and

without 'buy in' from senior management, further risks may be created.

However, these detrimental effects can be mitigated with communication,

co-operation and co-ordination.

Similarly, misconceptions of integration such as expense and lack of tangible

results can be allayed by statistics that show how disruptive events can affect

an organisation in both the short and long term if they are not prepared.

Proper allocation of finance and time can ensure that these disciplines will

provide effective resilience during and after a disruptive event.

The Private Security Industry benefits greatly from professionals who are not

only experts in the field of security but also proficient in the world of business

with responsibilities in other disciplines and, if integrated, play a vital role in

the development and implementation of contingency plans, overall resilience

and become a valuable asset to any organisation enabling them to operate in

environments that their competitors cannot.

References

ASIS International (2010) Enterprise Security Risk Management: How Great

Risks Lead to Great Deeds. ASIS. Available from:

http://www.asisonline.org/education/docs/CSORT_ERSM_Whitepaper_2010-04.pdf [accessed 22 May 2010]

Bell, M. (2009) Business Continuity during a Recession. Risky Thinking.

Available from: http://www.riskythinking.com/articles/article38.php [accessed

15 May 2010]

Brainyquote (2010) Famous Quotes and Quotations. Brainyquote. Available

from: http://www.brainyquote.com [accessed 22 May 2010]

Briggs, R. & Edwards, C. (2006) The Business of Resilience-Security for the

21st Century. DEMOS. Available from:

http://www.demos.co.uk/files/thebusinessofresilience.pdf [accessed 24 May

2010]

Chambers, A. (2004) Security Digest: The Architects of Security. Ian Johnson

Associates. Available from:

http://www.ija.co.uk/public/site/newsdocs209/Architects%20for%20security.pdf [accessed 18 August 2010]

Charters, I. (2010) Risk Management and Business Continuity Management:

Understanding the difference. Continuity Central. Available from:

http://www.continuitycentral.com/feature0769.html [accessed 14 August 2010]

Continuum Insurance Brokers (2010) Consider the Statistics. Continuum.

Available from: http://continuumib.co.uk/business-continuity.html [accessed 18

August 2010]

Federal Emergency Management Agency (1993) Emergency Management

Guide for Business and Industry. FEMA. Available from:

http://www.fema.gov/pdf/business/guide/bizindst.pdf [accessed 15 May 2010]

Giles, N. (2010) Business Continuity and Security-a perfect fit. Continuity: The

Magazine of the Business Continuity Institute. Available from:

http://thebci.org/ContinuityMarApril.pdf [accessed 25 May 2010]

Hiles, A. (2007) The Definitive Handbook of Business Continuity

Management. 2nd Edition. Chichester. John Wiley & Sons Ltd

HM Treasury (2004) Management of Risk – Principles and Concepts. HM

Treasury. Available from: http://www.hm-treasury.gov.uk/d/orange_book.pdf

[accessed 15 May 2010]

Hutchings, P. & Woodman, P. (2010) Chartered Management Institute. The

2010 Business Continuity Management Survey. CMI. Available from:

http://www.managers.org.uk/sites/default/files/u217/Disruption_Resilience_2010.pdf [accessed 11 May 2010]

Lyons, S. (2009) Corporate Defence: Risk Management, Business Resilience

and beyond. The Business Continuity Journal. Available from:

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1280151 [accessed 15

May 2010]

Office of Public Sector Information (2010) The Civil Contingencies Act 2004.

OPSI. Available from:

http://www.opsi.gov.uk/acts/acts2004/ukpga_20040036_en_2 [accessed 06

August 2010]

Oldfield, R. (2008) Organisational Resilience. Continuity Central. Available

from: http://www.continuitycentral.com/feature0618.html [accessed 03 July

2010]

Osborne, A. (2007) Practical Business Continuity Management: Top Tips for

Effective, Real-World Business Continuity Management. Evesham.

Word4Word

Power, P. (2010) Risk and Continuity: Convergence is in the air. Continuity

Central. Available from: http://www.continuitycentral.com/feature0765.html

[accessed 15 August 2010]

The Association of Chartered Certified Accountants (2000) Turnbull, Internal

Control and Wider Aspects of Risk. ACCA. Available from:

http://www.accaglobal.com/pdfs/environment/turnbull.pdf [accessed 13 May

2010]

Wood, P. (2008) Successful Risk, Crisis and Business Continuity

Management. Info 4 Security. Available from:

http://www.info4security.com/story.asp?storycode=4118356 [accessed 16

May 2010]

Bibliography

Western Australian Government (2007) Business Continuity Management

Guidelines. WAG. Available from:

http://www.riskcover.wa.gov.au/riskmanagement/pdf/bcm_guidelines.pdf#page=7 [accessed 13 May 2010]

Acknowledgements

Marcelo Hector Gonzalez, International and Institutional Relations Director at

ISACA, Buenos Aires Chapter

Derik Linde, Business Continuity Manager at First Rand Bank Ltd

Randy Schmidt, BCP specialist at Team-Quest Corporation

Total Word Count = 5047