Way Greg - BCM - Final
Emergency Planning and Business
Continuity Management and how they
relate to and may be integrated with
Security Risk Management
20th August 2010
Gregory Way
Abstract
This essay will seek to examine how Emergency Planning and Business
Continuity Management are related to and may be integrated with Security
Risk Management.
In today’s business world, all organisations face some degree of risk to their
assets. Failing to identify and mitigate these risks will have a serious effect on
an organisation’s success, leaving them vulnerable to the multitude of threats
they face.
Security risk management is a significant contributor to any organisation’s risk
management framework. Businesses have a moral, corporate and legal
responsibility to manage the risks to their employees and other assets and
any risk mitigation measures should be complemented by contingency plans
such as emergency planning and business continuity management.
These functions share similar and parallel activities that have already been
looked at by other areas of business risk. These synergies need to be
recognised by the organisation, as functioning in isolation could result in
wasted resources. With effective communication, co-operation and co-
ordination, these three disciplines can be effectively integrated within a wider
risk management framework.
A positive approach to building resilience demonstrates to stakeholders,
customers and suppliers that a business is proactively mitigating risk and fully
prepared for disruption, recovery and return to normal business operations.
This enhances reputation, adds value to the organisation and will allow them
to take advantage of opportunities to gain the competitive edge and ultimately
increase profits.
As well as being complementary and synergistic, security risk management,
emergency planning and business continuity management are crucial
functions to the continuing success of an organisation and an essential part of
any resilience strategy.
All businesses have a reason for existing. Whether it is to buy and sell
products or provide a service, businesses cannot afford serious disruption,
interruption or the destruction of their capabilities (HM Treasury, 2004). In
order for organisations to succeed in today’s fast paced business
environment, they must fully analyse the multitude of risks that they face and
plan accordingly in the event that those risks are realised, turning unplanned
events into planned responses. This will enable organisations to survive,
reassure stakeholders and safeguard their reputation and brand name. This
essay will seek to examine how the disciplines of Emergency Planning (EP)
and Business Continuity Management (BCM) relate to and may be
successfully integrated with Security Risk Management (SRM).
This essay begins with a brief description of the individual disciplines
and then continues with their relevance to the modern organisation and how
EP and BCM are related and linked to SRM. The essay will then move on to the
key points of how Emergency Planning and Business Continuity
Management can be effectively integrated with Security Risk Management,
the benefits and detrimental effects of integration, common misconceptions of
these functions and their relevance to the security industry.
In order to understand the disciplines of Emergency Planning, Business
Continuity Management and Security Risk Management, it is necessary to
briefly describe the principles behind them.
The management of security risks is one of several risk management
disciplines and identifies the critical assets that need protecting, identifies and
assesses both the threats to those assets and any existing vulnerabilities
before assessing the overall risk with subsequent recommendation of cost
effective measures to mitigate risk to those assets. SRM is an ongoing
process as the business environment is constantly changing, producing new
threats and risk exposure.
Emergency Planning is often referred to as Crisis Management Planning or
Incident Planning. The U.S. Federal Emergency Management Agency (FEMA,
1993) defines Emergency Planning as “the management process of
anticipating and preparing for emergency situations, thereby allowing a timely
response that will mitigate the effects and allow an organisation to recover”.
EP is a set of first aid response actions. It does not represent a failure of risk
management as risk cannot be totally eliminated and emergencies or crises
will occur at some time or another during an organisation’s lifetime.
An effective BCM strategy will allow an organisation to continue providing its
critical functions and processes after a disruptive event from crisis to major
emergency through effective planning and managed procedures. Recovery
and restoration after a disruption may continue for days, weeks or even
months. Phillip Wood (2008) wrote that “Risk Management, Emergency
Planning and Business Continuity Management are complementary and
synergistic”. He goes on to say that “the planned and successful combination
of all 3 is essential for the ability of any major organisation to survive and
continue its operational functions”.
So why are these three disciplines relevant to the modern organisation? In the
financially challenging and highly competitive world of business, an
organisation requires effective risk mitigation measures for all of its
business functions, whether they be financial, security or reputational, to
protect itself from the various threats that it faces, whether they be actual or
conceptual. These risks are dependent on the corporate culture, sector of
business and geographical location. Organisations will take their own unique
steps to defend against the potential threats that confront them (Lyons, 2009).
However, emergencies, crises and incidents do occur from time to time as
risk cannot be completely eliminated, so contingency measures need to
be planned, implemented and managed in order to make an organisation more
resilient to change brought about by any disruptive event. In the words of
Charles Darwin “It is not the strongest of the species that survive, nor the
most intelligent, but the one most responsive to change” (Brainyquote, 2010).
Survival is critical after any major disruption, whether it be to the business
itself or to a customer or supplier. For example, a reputation may take
decades to build up but only a very short time to damage if plans are not put
in place to deal with crisis, recovery and the return to normal operations.
Organisations have a corporate responsibility to ensure that everything so far
as reasonably practicable has been done to ensure the security of their
assets in line with corporate governance and legislation. One aspect of
corporate governance is its system of internal control. The Turnbull Report
(1999) stated that “the prime objective of the report is to establish a system of
risk management and internal controls in order to safeguard shareholders’
investments and the company’s assets” (ACAA, 2000). This includes
identifying all sources of risk, evaluating their significance and managing
each risk to reduce probability of occurrence.
These three disciplines are more relevant today during a period of recession
where businesses make cutbacks and the threat of unemployment increases
the risk of asset theft and workplace violence. The morale of employees can
be severely affected due to rumours of cutbacks and job losses whether it be
internal or within the media. Both customers and suppliers may suddenly
disappear due to cutbacks or bankruptcy. A business’s own cutbacks,
especially in maintenance costs, can cause equipment failure and disruption
(Bell, 2009). This is why, especially in today’s climate, EP, BCM and SRM
are so important. To become effective though, they need to be complementary
and synergistic and not function in isolation of each other. Within many
organisations EP, BCM, SRM and other areas of risk management are insular
disciplines referred to by some security practitioners as operating within ‘silos’,
separated, covered and obscured from each other when they should in fact be
complementary functions.
How do the disciplines of Emergency Planning and Business Continuity
Management relate to Security Risk Management? Firstly, there has to be
some form of wider risk management framework as security risks are just one
aspect of risk faced by the modern organisation. The security function cannot
in isolation manage or advise on all of these operational, strategic or financial
risks. They just do not have the knowledge or the experience to take the lead
on all types of business risk or carry out risk assessment across the entire
business spectrum. Both emergency planning and business continuity
management require input from other areas of the business, not just from the
security function, although it is a very important aspect of the risk
management framework within any organisation.
A benchmarking survey and white paper by ASIS entitled ‘Enterprise Security
Risk Management: How great risks lead to great deeds’ (2010), asked
Company Security Officers in the USA the question, “what terminology is used
in your organisation for risk management”. More than a third of Chief Security
Officers (CSOs) replied that their program was called Enterprise Risk
Management! The survey also stated that most CSOs describe this risk
management approach as invaluable to their organisations.
Enterprise Risk Management (ERM) is a holistic approach to the management
of risk within an organisation where the traditional barriers of insulation are
broken down because, if the risk programmes are managed in isolation, it could
result in gaps or wasted resources through overlaps (Oldfield, 2008). ERM is
a management decision making framework for the identification and
assessment of all risks that face an organisation, risks that could potentially
affect the brand name or impact on reputation. Documenting risk assessment
from all disciplines creates a risk profile. Those risks can then be prioritised
and strategies implemented to mitigate those risks. The organisation’s
management will decide on risk budgets for managing these strategies,
requiring careful monitoring to ensure that the correct amount of resources
are allocated to those risk strategies and the correct decisions are made. All
facets of an organisation should play a part in the identification of risk. “In the
battle of risk, doesn’t it make sense to have a whole army on your side”
(Osborne, 2007).
Many of the aims and objectives of Emergency Planning and Business
Continuity Management are similar and complementary to those of Security
Risk Management. The British Standards Institute 2009 whitepaper entitled
Business continuity management and risk stated that “BCM is an integral part
of an organisation’s risk management strategy” and that “business continuity
has developed from security and emergency/crisis management
arrangements”.
Giles (2010), quoting British Standard 25999-1 stated “A business continuity
programme may reside in many areas of an organisation dependent on its
size, scale and complexity (...) that proactively improves an organisation’s
resilience against disruption”.
Business continuity management is a fairly young discipline, so is it
subordinate to risk management in general or vice versa? In a recent article,
Power (2010) observed that many BCM practitioners believe that risk
management is subordinate to BCM. “This is still the view of the Business
Continuity Institute, but BCM is considered subordinate to risk management
in every boardroom I’ve ever been in”. Perhaps co-ordination and co-
operation between the functions would be more effective than subordination.
Organisations who implement BCM have to place ownership of this resilience
strategy somewhere within the business. The responsibility may already lie
within the security function; however, an annual survey by the Chartered
Management Institute entitled Disruption & Resilience showed that the
top three stakeholders in business continuity planning were Human
Resources, IT and Risk Management. Only a small percentage of businesses
have dedicated BCM practitioners. Risk managers came in 4th position with
the security function in 6th place on the stakeholder list (Woodman &
Hutchings, 2010).
Only 49% of organisations in the UK have specific business continuity plans in
place with large organisations twice as likely to have them as small
businesses (Woodman & Hutchings, 2010). For enterprises looking to
implement a framework for building organisational resilience, many aspects
of business continuity management planning are already related to SRM. One
can see that both disciplines have key roles; however, consideration should
be given to conducting business continuity planning in conjunction with
security risk management, saving on resources as some of the required
ground work has already been carried out.
BCM requires the identification and analysis of risks faced by the organisation
and well thought out strategies to mitigate those risks. This is carried out by
means of a business impact analysis. The security department should
therefore be the first stop for BCM practitioners as many of the risks facing
an organisation’s assets have already been assessed including the impact of
a loss event in terms of time and cost. After all, contingency planning is a risk
treatment, one of the processes of risk management and an integral part of
corporate governance (Hiles et al, 2007 p.94). Both discipline practitioners
should compare the results of their analysis as this may be highly beneficial
to both parties as well as being essential in building a good working
relationship.
In conducting his own risk analysis, the security risk manager would have
effectively forged strong links within the organisation, having spent time with
key decision makers, influencers and stakeholders within other departments
and disciplines. These relationships are vital as those persons can provide
support with security risk management business cases and proposals. The
BCM stakeholders also require a similar understanding of the organisation, its
mission, goals, vision and objectives in order to effectively plan for business
continuance in the event of disruption. The security risk manager will
have a good understanding of a business’s critical assets and processes, so
the BCM practitioner should take advantage of this knowledge during the
planning stages. The security risk manager may be heavily involved in the
planning, implementation and testing of emergency or crisis response
procedures. The security function has traditionally played a key role during
emergencies and crises by controlling access, preserving evidence, securing
property and assisting the emergency services when required. Again, the
BCM planner should engage the SRM practitioner in order to share the common
aim of the continuance of critical operations after the initial stages of a
disruptive event. Another area where SRM and BCM share common ground
is in the exercising and testing of existing drills and procedures in response to
emergencies and crises. Business continuity plans also require regular
testing and exercising to similarly ensure the plans work, that personnel are
aware of their responsibilities and that infrastructure is in place to ensure
continuance of operations. There is no reason why an emergency response
exercise cannot include elements of the business continuity plan. This will
reduce lost working time and man hours, and any debrief will benefit both
functions by ensuring that plans to deal with a short term emergency
response and longer term recovery and restoration are seamless. Policies
implemented by the security risk manager require support from senior
management. This is also a requirement for business continuity management
to ensure that both functions have the support of the organisation’s executive
players. In order to communicate an awareness of the security policies and
subsequent plans and procedures to all employees there is a requirement for
some formal training and education. This communication method of security
awareness, along with printed literature, goes a long way to the development of
a successful security culture within an organisation. What better way to make
employees aware of the business continuity framework that is in place within
the enterprise and highlight their role and responsibilities within it, making
BCM another discipline important to the culture of the business? (Giles, 2010)
These are just some areas where BCM is already related and complementary
to SRM but what about emergency planning and its relationship to SRM? Any
enterprise or organisation, no matter the size, has critical assets. These
assets need to be protected from those man-made or natural threats that
could cause damage, harm, loss or denial, resulting in a crisis or emergency.
Section 1 of the Civil Contingencies Act (CCA) 2004 defines an emergency
as “An event or situation which threatens serious damage to human welfare;
an event or a situation which threatens serious damage to the environment; or
war, or terrorism, which threatens serious damage to security” (OPSI, 2010).
From this definition it is clear that traditionally, security has very strong
ties in protecting assets prior to and during emergency and crisis situations
and is often regarded as a natural location for leadership during these events.
The emergency or crisis response process brings the right people together to
manage the incident, which will include members of the SRM discipline.
There are several areas of emergency planning closely related to areas of
security risk management. EP requires the backing of senior management
before plans are implemented to ensure a top down approach. A planning
team needs to be organised to include key stakeholders such as the security
risk manager and representatives from disciplines such as legal, health &
safety, HR, IT, corporate affairs and finance in order to consider and agree on
all elements of emergency response, whether they be life or reputation
threatening events. As with BCM, the security risk management function
cannot in isolation manage and co-ordinate the emergency organisation
without input from other key stakeholders. However, although there are other
crucial stakeholders in emergency planning, the SRM element is a constant
in all emergency and crisis events. Even during a minor reputation threatening
event, SRM will play a vital role in preventing secondary negatives that may
affect reputation or brand name. Like BCM, analysis already conducted by
the SRM team will be invaluable to the emergency planning team. Threat
specific information, along with the analysis of likelihood and consequences of
potential emergency events on people, property, material and information will
be invaluable. Emergency response procedures and employees’ roles and
responsibilities within those situations need to be clearly communicated and
can be combined with security, BCM and health & safety awareness training.
To be effective, emergency plans need to be exercised and tested, a legal
requirement in most countries. Training drills and scenarios involving a
security related incident will test emergency response and highlight any
shortfalls in the planning stage and as previously mentioned can be
combined with BCP exercises to ensure response continuity (FEMA, 1993).
Effective business continuity is often reliant on those same people who plan
for response actions after a disruption and emergency or crisis management
plans will be an integral part of the business continuity plan and overall
resilience. Stakeholders of both emergency / crisis and business continuity
planning therefore have a vested interest in the activities conducted by
the security risk management function. Through effective co-ordination and
co-operation both areas of contingency planning can draw on the analysis
conducted by SRM and the wider risk management family to ensure effective
resilient strategies are developed and implemented.
As has already been shown, there are many parallel activities and
commonalities shared by EP and BCM that relate to those of SRM. Many of
the aims and objectives are very similar and complementary. The reduction in
company budgets during the current financial climate, especially in the area of
security would suggest that the integration of these functions is a way forward
(Charters, 2010).
Organisations face a broad risk spectrum. Keeping these risks at bay is a
fundamental aspect of success. Creating separate functions that work to their
own agendas runs the risk of becoming less efficient and effective and reducing
business opportunities, not creating them (Power, 2010). Creating a
synergy between these three functions and effectively linking them together to
produce a corporate resilience strategy requires communication, co-operation
and co-ordination.
Communication between the disciplines’ representatives and senior
management is imperative to ensure ‘buy in’ and support for what they are
trying to achieve in creating resilience. They also require the commitment of
other business users. Without commitment, plans will gather dust, are not
updated to reflect change and will hardly ever be tested (Osborne, 2007).
Inter-departmental relationships are very important and making each area of
the business aware of what the other does will increase knowledge in other
areas of risk management. This is particularly important for organisations who
have adopted an ERM framework and will in time change the attitudes of
differing risk management practitioners and break down the barriers of
insularity. Emergency, crisis and business continuity planners will benefit
from a synergistic risk management framework that is willing to
communicate with them. Effective communication will ensure that employees
understand what SRM and the wider risk management functions are trying to
achieve; the relevance of EP in dealing with crises and how BCM will
endeavour to continue operations in the wake of a disruption.
Employees can also be made aware of their personal roles and
responsibilities in regard to security, crises and the recovery and return to
normal operations. This can be achieved through effective combined
induction and awareness training as well as exercising and practice drills.
Combining training and awareness will also save on valuable resources.
Co-ordination between the disciplines is vital in ensuring the correct people
are available during disruptive events so that any event can be dealt with
effectively. All three functions can co-ordinate and take part in a combined
emergency response and BCP exercise or cost effective desktop exercise
that will benefit all concerned and provide feedback to improve plans. In the
words of Winston Churchill, “However beautiful the strategy, you should
occasionally look at the results” (Brainyquote, 2010).
Faced with limited resources in the current financial climate, co-ordination will
ensure that optimum responses are achieved to prevent any duplication in
the analysis phases common to all the disciplines and that only cost effective
solutions are adopted and resources allocated appropriately. Co-operation
between functions and the sharing of information is imperative. Business
opportunities for example, can create a gain but also introduce new risks.
Such information will assist the functions in preparing to mitigate those risks
and have contingency plans in place if the proactive measures fail.
Organisations need to co-operate with local authorities and first responders to
ensure that they are familiar with the security measures and emergency
responses that are in place and offer liaison visits to familiarise those who will
be called upon to respond to an emergency event.
These are just a few methods by which EP and BCM can be integrated with
SRM and a wider risk management strategy to create an effective resilience
strategy.
The benefits of integrating EP and BCM with SRM and a wider risk
management framework are plentiful and far outweigh the detrimental effects.
This strategy towards resilience is a positive selling feature and encourages
communication, co-ordination and co-operation, breaking down the traditional
silos normally associated with insular disciplines. Although not a legal
requirement, integration shows compliance with national and international
standards and fulfils moral, corporate and legal obligations by reducing
exposure to liability and litigation. By implementing risk mitigation strategies
and contingency plans an employer has ensured so far as is reasonably
practicable the safeguarding of employees and other assets as well as critical
functions and processes. This assurance will give a sense of security and
confidence and go a long way to increased productivity and may also reduce
insurance premiums. Resilience will prove to customers, insurers and
investors that a business is robust enough to cope with disruption, crisis or
emergency – possibly giving them the edge over their competitors. Being
prepared for both the static and dynamic risks that arise as the result of taking
opportunities will enable an organisation to operate in environments that their
competitors cannot (Power, 2010).
This proof of resilience is often a pre-requisite in the bidding process
associated with some business opportunities. The end result is an enhanced
reputation, image and credibility as a market leader and a preferred
customer, adding overall value to the organisation. To every benefit there are
detrimental effects. For example, traditional practitioners of the various
disciplines may feel alienated by integration and averse to a wider risk
management strategy such as ERM and may find it difficult to adjust to the
change. Without the support of senior management the whole resilience
programme may fall apart and the incorrect allocation of resources to the
differing risk management areas may create risk. However, effective
communication, co-operation and co-ordination will go a long way to mitigating
the negative effects that may be encountered by any organisation
implementing a resilience strategy.
As has already been discussed, the effective management of risk is a
requirement of corporate governance, fulfils corporate responsibility and
assures stakeholders. The preparation of contingency plans to deal with any
crisis, recover and return operations to normal is essential for any
organisation to survive. However, there are some misconceptions over these
programmes that provide resilience to business assets and operations.
Osborne (2007) referred to one of these misconceptions, “they are only
for large businesses, it means more compliance, red tape and bureaucracy”.
Other misconceptions include the lack of tangible results. These functions
may not make money directly but they will certainly add value to an
organisation and will allow them to take advantage of opportunities because
they have the framework that has managed risk and planned to deal with any
disruptive events and their aftermath. Security risk management, emergency
planning and business continuity planning are relevant for businesses of all sizes,
even more so for small enterprises who may not recover at all after a major
disruption. Is financing these functions difficult to justify during a time of
economic uncertainty? In order to put justification into perspective, attention
should be paid to events caused by major fire, terrorism and weather that
regularly affect business enterprises. According to an article by Continuum
Insurance Brokers (2010), 20% of all businesses will suffer fire, theft, flood or
storm damage, power failure, terrorism or IT failure as no risk can be fully
eliminated. 40% will never re-open and 80% of those organisations without
contingency plans will fail within 13 months. According to the CMI 2010 BCM
survey, only 49% of businesses have a business continuity plan, only 27%
have a dedicated contingency budget and only 29% of small businesses
have plans in place to deal with disruption if risk mitigation measures fail
(Hutchings & Woodman). These statistics show how important security and
other risk management functions are, coupled with effective contingency
planning to provide corporate resilience.
What is the relevance of this integration to the Private Security Industry? The
security risk management professional is tasked with the protection and
safeguarding of an organisation’s assets but more often than not they already
have responsibilities in other areas such as reputation, corporate governance,
corporate social responsibility and information assurance (Briggs & Edwards
2006). They have a vital role in enabling a business to take risks and have
contingency plans in place to mitigate the consequences when things go
wrong. In order to do this effectively the security risk manager needs to move
away from the old assumption that security is a dis-enabler to business. The
security function must be capable of convincing senior management that they
are an integral and vital element of the business and play an extensive role
within the risk management framework. To do this, the modern security risk
manager needs to be articulate, an excellent communicator, able to manage
internal departmental relationships to ensure co-operation and co-ordination.
There needs to be a strong understanding of the business culture, the
mission, the aims and goals of all disciplines within the organisation so they
can be accepted as a core business function. These business skills coupled
with interpersonal skills will convince other business users that they are no
longer an isolated function with an old fashioned fortress mentality, therefore
enabling business. In his 2004 article entitled ‘The Architects of Security’,
Alex Chambers wrote that the security function “creates a safe, secure,
efficient corporate environment that contributes to any company’s success
and corporate image”. The versatility of the modern security risk manager
shows that they are not just security professionals but business men who are
able to make a valued contribution to mitigating complex security risks, align
security with business to keep pace with an ever changing environment and
play a crucial role in the development and implementation of contingency
planning, adding overall value to any business.
Conclusion
This essay has shown that SRM, EP and BCM are vital disciplines to any
organisation in the highly competitive world of business. Faced with a broad
spectrum of risks from both man-made and natural threats, mitigating
strategies need to be developed and implemented to increase the resilience
of an organisation. SRM on its own cannot take the lead on all facets of
business risk, but it does play a crucial role in the protection of assets and a
key element in resilience.
EP and BCM are also significant contributors to overall resilience by providing
a response to a disruptive event, whether it be a crisis or emergency followed
by recovery and return to normal business operation. The EP and BCM
disciplines have many similar aims and objectives that run parallel to those of
SRM, such as the analysis of what could go wrong and what the
consequences would be and how the impact could be mitigated. Both EP and
BCM require commitment from senior management, knowledge of the
organisation, testing, exercising and employee awareness. All of these
common activities have already been conducted by the SRM. Working
together during the planning stages will save on valuable resources and
ensure the foundation of a professional relationship and appreciation of what
each function is trying to achieve.
Integration of these disciplines can be achieved by communication,
co-operation and co-ordination to break down the barriers of insularity or silos
that they often work within. This can ensure that resources are allocated
appropriately to provide cost effective solutions.
The successful integration of EP and BCM with SRM will bring many benefits
such as fulfilling corporate and legal obligations in line with corporate
governance and giving assurance to stakeholders. It will enhance reputation
and credibility and add value to the organisation. Integration may alienate
old-school insular discipline practitioners who may be unable to adjust and,
without 'buy in' from senior management, further risks may be created.
However, these detrimental effects can be mitigated with communication,
co-operation and co-ordination.
Similarly, misconceptions of integration such as expense and lack of tangible
results can be allayed by statistics that show how disruptive events can affect
an organisation in both the short and long term if they are not prepared.
Proper allocation of finance and time can ensure that these disciplines will
provide effective resilience during and after a disruptive event.
The Private Security Industry benefits greatly from professionals who are not
only experts in the field of security but also proficient in the world of business,
with responsibilities in other disciplines. If integrated, they play a vital role in
the development and implementation of contingency plans and overall
resilience, and become a valuable asset to any organisation, enabling it to
operate in environments that its competitors cannot.
References
ASIS International (2010) Enterprise Security Risk Management: How Great
Risks Lead to Great Deeds. ASIS. Available from:
http://www.asisonline.org/education/docs/CSORT_ERSM_Whitepaper_2010-04.pdf
[accessed 22 May 2010]
Bell, M. (2009) Business Continuity during a Recession. Risky Thinking.
Available from: http://www.riskythinking.com/articles/article38.php [accessed
15 May 2010]
Brainyquote (2010) Famous Quotes and Quotations. Brainyquote. Available
from: http://www.brainyquote.com [accessed 22 May 2010]
Briggs, R. & Edwards, C. (2006) The Business of Resilience-Security for the
21st Century. DEMOS. Available from:
http://www.demos.co.uk/files/thebusinessofresilience.pdf [accessed 24 May
2010]
Chambers, A. (2004) Security Digest: The Architects of Security. Ian Johnson
Associates. Available from:
http://www.ija.co.uk/public/site/newsdocs209/Architects%20for%20security.pdf
[accessed 18 August 2010]
Charters, I. (2010) Risk Management and Business Continuity Management:
Understanding the difference. Continuity Central. Available from:
http://www.continuitycentral.com/feature0769.html [accessed 14 August 2010]
Continuum Insurance Brokers (2010) Consider the Statistics. Continuum.
Available from: http://continuumib.co.uk/business-continuity.html [accessed 18
August 2010]
Federal Emergency Management Agency (1993) Emergency Management
Guide for Business and Industry. FEMA. Available from:
http://www.fema.gov/pdf/business/guide/bizindst.pdf [accessed 15 May 2010]
Giles, N. (2010) Business Continuity and Security-a perfect fit. Continuity: The
Magazine of the Business Continuity Institute. Available from:
http://thebci.org/ContinuityMarApril.pdf [accessed 25 May 2010]
Hiles, A. (2007) The Definitive Handbook of Business Continuity
Management. 2nd Edition. Chichester. John Wiley & Sons Ltd
HM Treasury (2004) Management of Risk – Principles and Concepts. HM
Treasury. Available from: http://www.hm-treasury.gov.uk/d/orange_book.pdf
[accessed 15 May 2010]
Hutchings, P. & Woodman, P. (2010) Chartered Management Institute. The
2010 Business Continuity Management Survey. CMI. Available from:
http://www.managers.org.uk/sites/default/files/u217/Disruption_Resilience_2010.pdf
[accessed 11 May 2010]
Lyons, S. (2009) Corporate Defence: Risk Management, Business Resilience
and beyond. The Business Continuity Journal. Available from:
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1280151 [accessed 15
May 2010]
Office of Public Sector Information (2010) The Civil Contingencies Act 2004.
OPSI. Available from:
http://www.opsi.gov.uk/acts/acts2004/ukpga_20040036_en_2 [accessed 06
August 2010]
Oldfield, R. (2008) Organisational Resilience. Continuity Central. Available
from: http://www.continuitycentral.com/feature0618.html [accessed 03 July
2010]
Osborne, A. (2007) Practical Business Continuity Management: Top Tips for
Effective, Real-World Business Continuity Management. Evesham.
Word4Word
Power, P. (2010) Risk and Continuity: Convergence is in the air. Continuity
Central. Available from: http://www.continuitycentral.com/feature0765.html
[accessed 15 August 2010]
The Association of Chartered Certified Accountants (2000) Turnbull, Internal
Control and Wider Aspects of Risk. ACCA. Available from:
http://www.accaglobal.com/pdfs/environment/turnbull.pdf [accessed 13 May
2010]
Wood, P. (2008) Successful Risk, Crisis and Business Continuity
Management. Info 4 Security. Available from:
http://www.info4security.com/story.asp?storycode=4118356 [accessed 16
May 2010]
Bibliography
Western Australian Government (2007) Business Continuity Management
Guidelines. WAG. Available from:
http://www.riskcover.wa.gov.au/riskmanagement/pdf/bcm_guidelines.pdf#page=7
[accessed 13 May 2010]
Acknowledgements
Marcelo Hector Gonzalez, International and Institutional Relations Director at
ISACA, Buenos Aires Chapter
Derik Linde, Business Continuity Manager at First Rand Bank Ltd
Randy Schmidt, BCP specialist at Team-Quest Corporation
Total Word Count = 5047