See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/227608980

The Evolution of Business Continuity Management: A Historical

Review of Practices and Drivers

Article · October 2010

DOI: 10.1080/00076791.2010.511185 · Source: RePEc

CITATIONS READS

222 12,922

1 author:

Brahim Herbane
De Montfort University
38 PUBLICATIONS 1,672 CITATIONS

SEE PROFILE

All content following this page was uploaded by Brahim Herbane on 26 August 2021.

The user has requested enhancement of the downloaded file.

Business History
Vol. 52, No. 6, October 2010, 978–1002

The evolution of business continuity management: A historical review of

practices and drivers
Brahim Herbane*

Department of Strategy and Management, De Montfort University, Leicester, UK

As a form of crisis management, business continuity management (BCM) has

evolved since the 1970s in response to the technical and operational risks that
threaten an organisation’s recovery from hazards and interruptions. This paper
examines the development of business practices related to crisis management
alongside the emergence of legislation, regulations and standards (drivers)
requiring organisations to implement specific business continuity activities. From
the resulting historical review, three distinct phases of management practice and
four phases in the development of drivers are identified, revealing the influence of
events over governance, the internationalisation of influence, and organisational
resilience as a meta-institution.
Keywords: business continuity management; disaster recovery planning;
international standards; organisational resilience; crisis management

Introduction
Economic, technological and human uncertainties have long since presented
organisations with the possibility that crises could arise, thereby impeding their
ability to operate and, ultimately, survive. As a formal activity within businesses,
crisis management is characterised by the paradox that organisations are planning
for events that they do not wish to occur but that are often known possibilities. Such
planning may also require organisations to commit to an investment in resources
that may not be used and whose ‘value’ or ‘return’ cannot be ascertained with the
levels of certainty that accompany other strategic investment decisions. This has
resulted in crisis management being, for many organisations, ad hoc reactions to
events rather than a predetermined management processes. Moreover, since for
many organisations crisis management has not traditionally been formally required
in the same way as an accounting or health and safety department, or even sales,
marketing and procurement departments, its absence might not be regarded as
necessarily unusual.
This paper examines the transition from a period of self-regulation in which
organisations largely took the decision to invest in crisis management activities
voluntarily, to a period of regulation in which organisations are increasingly

*Email: [email protected]

ISSN 0007-6791 print/ISSN 1743-7938 online

Ó 2010 Taylor & Francis
DOI: 10.1080/00076791.2010.511185
 Business History 979

required to have predetermined crisis management plans, resources and activities.

This transition has been driven by the introduction of legislation, along with
regulation, and national and international business standards that have in turn
arisen in response to, and in the aftermath of, important historical events. The
analysis presented in this paper highlights the roles that historical events and
changing management practices play in becoming the fulcrum in changing the
regulatory environment for organisations, and shows that the transition observed
in the context of crisis management is influenced by cultural and operational
differences between organisations, counterbalancing the pressures of isomorphism
and mimetic adoption. The paper also provides support for the notion of fluid
business evolution influenced by post-Chandlerian factors such as accountability
and governance.
The paper begins with a review of crisis management as a discipline of academic
study and is followed by a review of how management practice in the form of
business continuity management (BCM) has developed from its predecessors in the
form of its earliest incarnation as disaster recovery planning and its subsequent
transformation into a business continuity planning approach driven by the
introduction and adoption of information technology. BCM has been cited as a
process through which organisations can recover from the disruption caused by
storms, earthquakes, building fire, flooding, utility failure, terrorism, disease
outbreaks, facilities loss, systems failure and supply chain interruptions (Hiles,
2007). This paper traces how practices in organisations have changed and the
commercial and technological drivers that have influenced such changes. The paper
then identifies and evidences the presence of four distinct phases in the development
of legislation, regulations and standards since the mid-1970s (when disaster recovery
planning became a formal business activity). The four phases are emerging
legislation and its arrival by stealth (mid-1970s to mid-1990s), emerging standards
and broader influence (mid-1990s to 2001), the post-9/11 landscape – acceleration
and focus (2002–05), and internationalisation – competing standards and breakout
(2006–10). Whilst these phases are distinct, there are overlaps and transitions
between them. The phases become shorter and indicate an acceleration in activities
designed to articulate, certify or prescribe good BCM practices which in themselves
are one way in which organisations can articulate a crisis management capability.

The formalisation of crisis management in organisations

Crisis management theory
Crisis management is the organisation and coordination of activities in preparation
for, and response to, events that prevent or impede normal organisational operations
(thereby threatening its most important goals). These events may be characterised by
low probability, high consequence, ambiguity and little time to respond (Mitroff,
Pauchant, & Shrivastava, 1988; Pearson & Clair, 1998; Weick, 1988). In this context,
the word crisis has been found to be used interchangeably in the literature with the
terms disaster, business interruption, catastrophe, emergency or contingency
(Herbane, 2010). Since Hermann (1963) defined a crisis in an organisation as an
unexpected event that threatens high-level priorities and allows little time for
managers to respond, a crisis management literature has gathered pace to examine
the genesis, manifestation and impact of crises in the context of organisations’
varying levels of vulnerability, cultures, and management styles. The crisis
980 B. Herbane

management literature has matured in the form of thematic evolvement in areas such
as:

. Organisational learning from crisis (Elliott, 2009; Turner, 1976; Weick &
Sutcliffe, 2003);
. Crisis causation – from socio-technical approaches (e.g. Pauchant & Mitroff,
1990), to glide path and defence layers (Reason, 1997), to epidemiological
perspectives (Ash & Ross, 2004);
. Examination of the pre-, trans- and post-crisis phases of the crisis chronology
(Fink, 1986; Seymour & Moore, 2000; Smith, 1990; Turner, 1976, 1994);
. The understanding and impact of differing threat perceptions (Ashmos,
Duchon, & Bodensteiner, 1997; Billings, Milburn, & Schaalman, 1980;
Lemyre, Turner, Lee, & Krewski, 2006);
. Crisis typologies (Burnett, 1998; Gundel, 2005; Mitroff et al., 1988).

The crisis management field has not been without it polemics. In the case of the
competing paradigms about organisational resilience, the normal accident theory
(NAT) has been pitched against the high reliability theory (HRT) approach as
alternative views of whether full organisational resilience can be achieved. In
Perrow’s (1984) normal accident theory, a system’s complexity increasingly gives rise
to the normality of an accident arising and this should be considered normal given
the nature of the system. The inevitability of an accident rises with certain system
specifics and the passage of time. These system specifics are tight coupling (where
there is no slack, problems snowball quickly and there is little opportunity to react)
and interactive complexity (in which connections between system parts are many,
sometimes not visible, and may not be linear or expected). NAT reflects the idea that
crises and business interruptions are inevitable and thus organisations must be
compelled (through legislation and regulations) to have provisions in place to deal
with such events, whereas the concept of high reliability organisations echoes the
idea that organisations can set about to drastically improve their resilience against
the likelihood and impact of crisis by achieving the leading practices in crisis
prevention and recovery. The NAT approach has attracted criticism from advocates
of the HRT approach (see for instance Dain, 2002; Hopkins, 2001; La Porte, 1996;
La Porte & Consolini, 1991; La Porte & Rochlin, 1994). In contrast to NAT, the
high reliability theory approach to organisational design means that ‘although
human beings cannot behave with perfect rationality, intelligently designed
organizations can do so by compensating for human frailty. In doing so,
organizations behave more rationally and effectively than individual human beings’
(Smart et al., 2003, p. 736). High reliability organisations aspire and (may become)
failure free as a result of lowering complexity, placing totemic importance on safety,
building in redundancy balancing centralisation and engaging in deep learning from
accidents and near misses (Rijpma, 2003).
The crisis management literature has been increasingly self-critical of late with
questions raised about the place and isolation of the field in theory and practice,
about the place of crisis management within broader management theory (Roux-
Dufort, 2007), inter-agency cooperation (Birkland, 2009; Lodge, 2009) and the
boundaries between setbacks and crisis management (Roe, 2009). Kouzmin (2008)
and Lagadec (2009) have both called for revaluations of what is meant by ‘crisis’
since the scope of the definition influences the scope of activity of crisis management.
 Business History 981

Lagedec characterises twenty-first-century crises in terms of greater scale, speed,

management ignorance, hyper-complexity, alongside an inability to conceive of
unique crises and the challenge of ‘category-5 media’ storms. At the more
pragmatic end of the crisis management spectrum, a more secure future has been
identified within the literature in studies that have examined the use of crisis
management techniques in a broad variety of contexts, including small businesses
(Herbane, 2010; Keller, Powell, Horstmann, Predmore, & Crawford, 2005; Lynch
& Sheahan, 2009; Runyan, 2006; Spillan & Hough, 2003), marketing (e.g. Elliott,
Harris, & Baron, 2005; Mattila, 2001; Priluck, 2003; Smith, 2005), and the public
sector (Boin & Smith, 2006; Drennan & McConnell, 2007; Fone & Young, 2000;
Lodge, 2009).

Disaster recovery and business continuity management

Organisations can face a wide variety of crises ranging from physical crises such as
accidents, product failures or loss of utilities (gas, power supply, water,
telecommunications), personnel crises such as large scale staff illness or death,
industrial action or staff criminality, external criminal crises such as terrorism and
product tampering, information crises such as cybercrime or information theft,
natural disasters such as flood and storms, economic crises such as economic
recession, and reputational crises such as internet defacement or malicious rumours
(Mitroff & Alpaslan, 2003). Each of these crises may be addressed within an
organisation’s business continuity plans that are an outcome of business continuity
management. BCM has recently been defined as:

[A] holistic management process that identifies potential threats to an organization and
the impacts to business operations that those threats, if realized, might cause, and which
provides a framework for building organizational resilience with the capability for an
effective response that safeguards the interests of its key stakeholders, reputation, brand
and value-creating activities. (British Standards Institution, 2006, p. 1)

This organisation-wide, resilience focused and stakeholder and strategy conscious

crisis management approach undergirds the 2006 British Standard (BS 25999) for
business continuity management and is the culmination of three decades in the
development of planning and management practices devoted to prevention and
recovery from business interruptions. Conceptually, business continuity manage-
ment reflects the much wider crisis management literature that has burgeoned since
the 1970s with its prevention focus, decision making orientation and socio-technical
systems perspective. Likewise, the origins of business continuity management can be
traced back to the contingency planning and disaster recovery planning approached
used by organisations from the 1970s. A number of studies (Gallagher, 2003; Pitt &
Goyal, 2004; Swartz, Elliott, & Herbane, 2003) have identified distinct phases in the
development of crisis planning and management within organisations. The initiation
of each phase has been attributed to a decade since the 1970s and is characterised by
what are considered to be the most important influences on the development and
implantation of new approaches to crisis planning and management, most notably;
technology, emergent compliance and value.
The most notable contextual pressure that led to the development of what today
is known as business continuity management was the technological revolution
triggered by the introduction of the IBM 360 in 1965 and model 370 in 1970 as
982 B. Herbane

pioneering general purpose business computer systems that provided businesses with
an integrated single management information system. With the advent of new
information technology in the 1970s, organisations began to focus attention on the
vulnerability of their electronic data processing (EDP) activities arising from the
novelty of the systems, and organisation and operator inexperience both in the
causes of and responses to a hardware failure (American Bankers Association, 2005;
Broadbent, 1979; Henneberry, 1988; Pritchard, 1976). The focus for planning was
the facility in which the technology resided, such as, for instance, a corporate data
centre (Krauss, 1980; Namel & Ward, 1983) or a university library (Penansky, 1981;
Wong, 1981; Wright, 1979). In this period of infancy, standby systems and critical
data backups represented the two foci of recovery plans rather than actions to
prevent a failure occurring. The US financial services sector led in its adoption of
disaster recovery planning (DRP) due to the need to protect corporate data centres
(Ginn, 1989), case law such as FJS Electronics v. Fidelity Bank 1981 (Schreider,
1996), and the requirements of the Foreign Corrupt Practices Act of 1977 (Kuong &
Isaacson, 1986). In the 1970s, with the creation of the Automated Clearinghouse
Association, seven Philadelphia banks set out to jointly address the loss of their
information systems through the development of disaster recovery planning
(InnoVest, 2003). Within the United Kingdom banking sector, information
technology developments led to a variety of operational intra- and inter-bank
innovations from the 1970s onwards. Notable in this regard are the Bankers’
Automated Clearing System (BACS) launched by National Giro in 1971, the Society
for World-wide Interbank Funds Transfer (SWIFT) introduced in 1973, the
development of electronic funds transfer at point of sale (EFTPOS) by Barclays
Bank in 1980, electronic corporate banking (Midland Bank) in 1982, and the
inauguration of Clearing House Automated Payments System (CHAPS) in 1984. In
the 1980s and 1990s, information technology influenced industry structures within
financial services, not least through the consolation and deregulation (known as ‘The
Big Bang’) of share dealing activities arising from the shift to an electronic exchange
system in the London Stock Market in 1986, and the product and service delivery
diversification that arose from direct telephone insurance (Direct Line) in 1990,
telephone banking (First Direct) in 1991, and internet banking in 1999 (Elliott,
Swartz, & Herbane, 1999a).
The technology focus within disaster recovery planning remained in the 1980s
and into the 1990s with the emergence of personal computers (leading to a larger
number of computer operators within organisational environments), the inter-
connectedness of systems and data, and an increase in the pace of transactions as
processes such as share dealing were computerised and automated. The compliance
phase began to emerge in the 1980s. It has been suggested (Swartz et al., 2003) that
changes arose because of an ‘auditing mindset’ in which organisations initiated crisis
management activities because of the need to comply with a limited number of legal
requirements and regulations (it should be noted that the influence of such
requirements only grew significantly the 1990s and 2000s). Computer systems
remained as one of the key strategic resources that required protection through the
development and use of disaster recovery plans, but by this time familiarisation with
points and modes of failure had increased so that disaster recovery planning could
seek to prevent rather than simply guide recovery. A disaster recovery industry
(suppliers of emergency recovery centres, telecommunications, data backup and
restoration, salvage services, etc.) had now emerged although a lack of DRP in
 Business History 983

organisations was more often the case than not. Tarkington and Ulrich (1983, p. 47)
found that ‘25%–30% of the Fortune 1,000 companies were estimated to have
disaster recovery plans, even though the typical company would lose over 40% of
its operational effectiveness by the fourth day of a major computer outage’. Even
in the presence of disaster recovery the investments would vary greatly. For
instance, Walker (1985) found that General Electric’s disaster recovery facilities
cost 1% of the value of the resources that they were intended to protect. In his
practitioner account of business continuity planning (BCP), Bowman (2008, p. 6)
recounts that a shared infrastructure approach was used in the 1980s to lower
mainframe computer costs and this gave rise to large data centres that were
‘underfunded afterthoughts of the corporate world’ which represented an
increasingly vulnerable asset.
A functional rather than strategic approach characterised the compliance phase,
so whilst there was a continued need for organisations to protect their vital IT assets,
without the stewardship of senior management, the need and importance of disaster
recovery would fail to reach a wider constituency of those who depend upon and
might need to support data processing and security management (Namel & Ward,
1983). Tuira (1983), echoed by Phelps (1986), also pointed to senior management
myopia as an impediment to the introduction of DRP and indicated that the inability
to demonstrate the value of disaster recovery approaches could be perceived to be a
deterrent to its adoption (unless an organisation was compelled to introduce DRP)
yet an understanding of what was deemed to be an acceptable level of downtime
(time and income) against the costs of a disaster recovery provision could, he argued,
be a first step in persuading managers to make these risk reduction investments. By
this time, annualised loss expectancy methods (the annually expected quantifiable
loss to an asset arising from the manifestation of a specific threat) had become
routine in IT investment decision making.
By the mid-1980s, the limitations of a computer centre focused DRP approach
was called into question. Dugan (1986) suggested that the typical location of DRP
teams within the IT function meant that human resource issues such as managers
participating in planning and testing were limited. Moreover, banks, as early
adopters of DRP, had begun to emphasise the user-driven needs of their own
departments and to prioritise these (rather than the generic system as a whole) in
decisions to relocate activities to an emergency facility (Burger, 1988). The Illinois
Bell Hinsdale central office fire on 8 May 1988 served as a reminder that computer
systems were vulnerable to the loss of external third party infrastructure (Harrison,
1988; Pauchant, Mitroff, & Ventolo, 1992) and prompted a more outward-looking
and strategic approach to crisis management planning along with a move beyond
‘technical’ recovery to service recovery, making the transition from the compliance-
led disaster recovery phase to the emergence of business continuity planning in the
1990s.
Early references to business continuity referred to an outcome (i.e. the continuing
operation of a business) rather than a planning methodology or management
approach (Gallup, 1989; Moretz, 1989), but with the impact of terrorist events in the
early 1990s (such as the London Stock Exchange in 1990, World Trade Centre in
1993 and the London financial district in 1992 and 1993), came a recognition that an
organisation- and process-wide approach to crisis management planning was needed
to support and take precedence over IT focused and function-specific disaster
recovery planning. Rodetis (1999, p. 27) argued that Certified Public Accountants
984 B. Herbane

(CPA) could have a core role in business continuity planning due to their ‘experience
with risk identification and management and . . . a big-picture financial perspective’.
Such an organisation-wide view also necessitated a value-chain view of an
organisation’s critical functions, from product development to procurement to
warehousing to marketing (Vogler & Perkins, 1991). Events such as the 1990
Manhattan power blackout also served as a reminder that organisations needed to
incorporate procedures for improved decision making and communications in a
crisis with outside agencies such as insurance companies (Bradford, 1992) and utility
providers. Business continuity planning emerged as a response to the need to protect
and restore the critical value-generating activities of an organisation. Since these
activities comprise of combinations of facilities, human resources, equipment,
intellectual property and supply chain linkages, a trans-functional process (e.g.
manufacturing) and facilities (e.g. headquarters) driven approach lay at the heart of
BCP. Smith and Sherwood’s (1995) seminal article advocated that BCP could and
should preserve essential customer services, revenue generation, essential support
services, customer, shareholder and employee confidence, and the public image of
the company.
A number of studies (Elliott, Swartz, & Herbane, 1999b; Heng, 1996; Herbane,
Elliott, & Swartz, 1997) supported the notion that organisations could protect and
enhance value through the adoption of business continuity planning although
many organisations had, in practice, become focused on planning for the potential
Y2K millennium bug and had either incorporated Y2K preparations within their
business continuity plans or had introduced BCP in order to address Y2K issues
more widely across the organisation in terms of how IT failure could leave
processes and activities vulnerable to interruption (Donovan, Rosson, & Eichstadt,
1999; Wheeler, 1999; Wichman, 1999). The formation of the US Disaster Recovery
Institute (DRI) in 1988 and the UK-based Business Continuity Institute (BCI) in
1994 were important milestones in the development of business continuity as a
management discipline with formal membership criteria, certification standards
from practitioners, and training guidelines subsequently emerging. By the mid-
1990s, the field of business continuity had begun to attract the attention of
academic researchers who began to examine crisis-orientated planning and
management systems from phenomenological and multi-disciplinary perspectives
(Swartz, Elliott, and Herbane, 1995; Herbane et al., 1997) whilst publications such
as Strohl Systems (1995), Hiles and Barnes (1999) and Elliott, Swartz, and Herbane
(2002) continued to formalise a business continuity management methodology
comprising of activities such as project initiation, risk identification, business
impact analysis (BIA), plan development, risk reduction measures and recovery
resource requirements, implementation through training, awareness, and the
maintenance and testing of plans. By the late 1990s, business continuity as an
ongoing embedded management process was heralded as the leading exemplar or
business continuity activity within organisations giving rise to an eclectic mix of
peer-reviewed studies of business continuity management in a wide variety of
applications, from aerospace (Castillo, 2004) to zero stock supply chains (Zsidisin,
Melnyk, & Ragatz, 2005). The terrorist attacks of 11 September 2001 also marked
a change in BCM practices to incorporate the notion of enterprise/organisation-
wide resilience in which there are shared notions about resilience by employees and
greater flexibility in the plans developed to respond to large-scale disaster scenarios
(Alesi, 2008).
 Business History 985

Historical phases
Emerging legislation phase – arrival by stealth (mid-1970s to mid-1990s)
Whilst the Flood Disaster Protection Act of 1973 dealt with a specific natural
disaster and the expansion of the United States’ national flood insurance
programme, the introduction of the US Foreign Corrupt Practices Act (FCPA) in
1977 initiated a series of drivers that would implicitly or explicitly require the
introduction of DRP and BCM in organisations. Although FCPA was enacted
mainly to prevent and prosecute instances of corporate bribery of foreign officials, it
has also been cited as an early piece of legislation that required organisations to
make specific arrangements for keeping and protecting vital company records from
destruction (Gallagher, 2003; Meier, 2005; Ozier, 1999). The Act reflected the idea
(emerging in the crisis management literature) of soft-systems interaction in crisis
causation in which human error or malice rather than a technical or mechanical
failure would result in a crisis for an organisation. Gallagher (2003) observed that
the FCPA was a fillip to the emerging information technology disaster recovery
industry since records were increasingly stored in electronic form, thereby
necessitating processes for data backup and restoration.
With the Office of Comptroller of Currency’s Banking Circular BC-177 of 1983,
US banks were obliged to have formal disaster recovery plans that included off-site
provisions and testing procedures and its 1987 revision extended the scope of
contingency planning and disaster recovery activities into broader operational
areas. The US Expedited Funds Availability Act (1989) set down the legal
requirement for federally chartered financial institutions to ensure next day
availability of deposits and have a business continuity plan in place. With the
Financial Services Modernization Act (Gramm–Leach–Bliley Act) of 1999 financial
institutions were,

(1) to insure the security and confidentiality of customer records and information; (2) to
protect against any anticipated threats or hazards to the security or integrity of such
records; and (3) to protect against unauthorized access to or use of such records or
information which could result in substantial harm or inconvenience to any customer.
(Gramm–Leach–Bliley Act, 1999, s. 501b)

Sector-specific legislation, requiring organisations to introduce measures to protect

resources and activities in the event of a serious operational interruption was not
confined to the US financial services sector. With the Health Insurance Portability
and Accountability Act (HIPAA) (1996) and Telecommunications Act (1996) two
further sectors were required to introduce IT disaster recovery provisions to ensure
the availability of systems and the security of customer records respectively. In
parallel, during this period, the continuity of government and critical infrastructure
operations in the US was undergirded with the publication of Executive Order 12656
(1998) which created an obligation that ‘the head of each federal department and
agency shall ensure the continuity of essential functions in any national security
emergency by providing for: succession to office and emergency delegation of
authority in accordance with applicable law; safekeeping of essential resources,
facilities, and records; and establishment of emergency operating capabilities’ (s.
202). The Office of Management and Budget (OMB) Circular A-130 (1993) specified
the need for an incident response capability, continuity of support, and contingency
planning within a system security plan designed to augment the security of federal
986 B. Herbane

automated information resources. Shortly after, Presidential Decision Directive 63

set out to ‘to assure the continuity and viability of critical infrastructures’ such as
telecommunications, energy, banking and finance, transportation, water systems and
emergency services whilst the focus of Presidential Decision Directive 67 was the
continuity of operations plan (COOP) and continuity of government operations.

Emerging standards phase – broader influence (mid-1990s to 2001)

Whilst the emerging legislation phase was characterised by the predominance of US-
based legislation in the finance, health and government sectors of the economy, the
emerging standards period was marked by the emergence of standards intended for
use across a variety of economic sectors. With the publication of Internal control:
Guidance for directors on the combined code (known as the Turnbull Report) in 1999,
operational risk management issues were directly linked with good corporate
governance for organisations listed or seeking to be listed on the London Stock
Exchange (Institute of Chartered Accountants in England & Wales, 1999). In an
entirely different context but still in the United Kingdom, Joint service publication
503 – business continuity management (Ministry of Defence, 2000) provided detailed
guidance on the implementation of the Ministry of Defence’s continuity manage-
ment policy and good practice in accordance with prevailing British Standards
(originally the Business Continuity Institute’s BCM model and more recently the BS
25999 standard). In addition, the emerging standards phase saw the development of
the COBIT 4.0 guidelines. Jointly developed by the IT Governance Institute (ITGI)
and the Information Systems Audit and Control Association, Control objectives for
information and related technology [COBIT] version 4.0 (Information Systems Audit
and Control Association, 1992) good practices guidelines was driven by a series of
high level control objectives which includes the need to ‘ensure continuous service’
using BCM as a recognised solution. Additionally, the National Fire Protection
Association’s (NFPA) 1600 Standard on disaster/emergency management and
business continuity programs built on its role as a non-profit organisation which
develops codes, procedures, standards and training practices for both US and
international organisations. NFPA 1600 was originally published as a set of
guidelines in 1995 but became a standard in 2000 bringing together both emergency
management and business continuity management (through collaboration with the
US Disaster Recovery Institute International and the UK Business Continuity
Institute). By 2004, the American National Standards Institute (ANSI) recom-
mended that NFPA 1600: Standard on disaster/emergency management and
business continuity programs should be recognised as the national standard for
emergency and disaster preparedness (National Fire Protection Association, 2004,
2007).
Two notable characteristics can be observed about the standards introduced at
this time. First, they have proceeded to revised versions, indicating that they were
standards that could be revised and modernised rather than replaced. Secondly, local
standards have transformed into international standards through the formal
development of a ISO/IEC standard. For instance, BS 7799 Information security
management (British Standards Institution, 1995) evolved into ISO/IEC 17799
Information security management (2000) and latterly now ISO/IEC 27002 (Interna-
tional Organization for Standardization, 2005). In each of these incarnations, BCM
has been one of the main titular elements of the standard. Similarly, the BS 15000 IT
 Business History 987

service management (British Standards Institution, 2000) included service continuity

and availability management as one of its IT service delivery processes and this is
replicated in the international standard ISO/IEC 20000 Information technology –
service management (British Standards Institution, 2005) that superseded it. Further
afield, the Australian and New Zealand AS/NZ4360 Risk management standard was
first published in 1992 (Standards Australia, 1992) and has become popular general
Risk management methodology internationally, particularly in the Asia-Pacific
region. Its 2004 incarnation was intended to be the last revision since the standard
was set to be replaced by the ISO 31000 Risk management (principles and guidelines)
standard (International Organization for Standardization, 2009). Also during this
period, a preponderance of legislation requiring organisations to protect personal
data was introduced (e.g. Data Protection Act 1998 in the United Kingdom,
Personal Information Protection and Electronic Documents Act (PIPEDA) 2000 in
Canada, and the Transmission of Personal Data: Directive 2002/58/EC within the
European Union), providing a further impetus for organisations within these
jurisdictions to consider their preparations for data loss, theft or damage.

The post-9/11 phase – acceleration and focus (2002 to 2005)

The terrorist attacks in New York and Washington in September 2001 presented
governments, businesses and other organisations with one of the most acute crises
that they had yet faced, due to a combination of mass casualties and fatalities, wide
denial of access to buildings, loss of connectivity with telecommunications and
information systems, and lost facilities, suppliers and clients. The events of 9/11 had
an impact on a wide range of organisations and sectors beyond financial services and
government agencies, including telecommunications and other utility providers,
print and electronic media, business recovery service suppliers, and the aviation
sector.
The events and aftermath of 9/11 prompted re-evaluations of organisations’
business continuity and disaster preparedness from the perspective of the large
human losses, heightening psychological impacts, and vulnerabilities arising from
multi-function sites (Castillo, 2004). Furthermore, the high density of businesses that
were affected within the World Trade Centre (WTC) buildings highlighted the
challenges faced by providers of business recovery centre services that found that
multiple clients had activated their business continuity plans within a short time. In
one case, it was reported that 68 clients in the area of the WTC requested support
from a single specialist data systems company almost simultaneously (Foremski,
2001). The policies and practices for disaster-based business continuity management
have notably changed since 9/11 in areas such as assessments of the public impact of
risk (Lodge, 2009), decision making for extreme events (Santella, Steinberg, & Parks,
2009), public–private crisis management links (Boin & Smith, 2006), crisis typology
development (Gundel, 2005), raising awareness of the need for disaster recovery and
business continuity (Spillan & Hough, 2003), links between human resource
management and business continuity activities (Mainiero, 2002; Meisinger, 2006;
Perry & Mankin, 2005), and risk analysis (Jablonowski, 2006).
The post-9/11 landscape can be characterised by a notable acceleration in the
introduction of guidelines and regulations for organisations operating within the
financial services sector, public authorities, stock exchanges and utilities. In the early
part of this period, guidelines and regulations emanate strongly from the USA and
988 B. Herbane

are focused on the finance, public and utility sectors. Notable examples include the
Federal Reserve Board, Office of Comptroller of Currency, and Securities and
Exchange Commission (FRB-OCC-SEC) Guidelines for strengthening the resilience
of US financial system (Securities and Exchange Commission, 2002a), National
Institute of Standards and Technology Special Publications 800 Series (National
Institute of Standards and Technology, 2002), Security guidelines for the electricity
sector (North American Electric Reliability Council, 2002), National Association of
Securities Dealers (Securities and Exchange Commission, 2002b) Rules 3510/3520
and New York Stock Exchange Rule 446 (Securities and Exchange Commission,
2002b), Federal Financial Institutions Examination Council Business continuity
planning booklet (Federal Financial Institutions Examination Council, 2003), and
National Futures Association (NFA) Compliance Rule 2-38 (2003). Characteristic of
each of these is the requirement that members or user organisations should possess a
demonstrable business continuity/disaster recovery process within which are
minimum safeguards for highly interwoven sectors in terms of commerce and
technology.
Also during this period, legislation and guidelines for the financial sector
developed beyond the USA, and include, inter alia, the Hong Kong Monetary
Authority’s Supervisory policy manual TM-G-2: Business continuity planning (2002),
the Bank of Thailand’s Strategic risk manual: Risk assessment and information and
technology system department (2003), State Bank of Pakistan’s Risk management
guidelines for commercial banks and DFIs (2003), Monetary Authority of Singapore’s
Business continuity management guidelines (2003), The Australian Prudential
Regulation Authority’s Business continuity management standard (2005a, 2005b)
and the Reserve Bank of India’s Operational risk management – business continuity
planning guidance (Parthasarathi, 2005). Each requires financial institutions to
provide an attestation of their risk management/business continuity preparations to
their local supervisory body.
A number of novel and existing developments emerged in other jurisdictions. For
instance, the King report on corporate governance for South Africa (Institute of
Directors in Southern Africa, 2002) identified risk management and business
continuity requirements on listed companies that echo many of those set out in the
1999 Turnbull Report (Nielsen, 2006). Similarly, the UK Civil Contingencies Act
(2004) sought to develop some of the multi-agency coordination mechanisms and
powers that can be identified in the US Homeland Security Act of 2002. In the case
of Singapore, with its high reliance on the financial services sector, the introduction
of SS507 Singapore standard for business continuity/disaster recovery service providers
(Standards, Productivity and Innovation Board Singapore [SPRING], 2004) was the
first standard to focus exclusively on service suppliers and was a major contributor
to the International Standard ISO/IEC 24762 Security techniques – guidelines for
information and communications technology disaster recovery services published in
2008 (International Organization for Standardization, 2008a). Technical reference
(TR19:2005) on BCM was a framework published by SPRING designed to
synthesise risk management, disaster recovery and crisis management (SPRING,
2005). TR19 was replaced in 2008 by Singapore Standard SS540: 2008 Business
continuity management (Forbes, 2008).
With the publication of the Business Continuity Institute’s Good practice
guidelines (2002, 2003) came a reassertion of a case-study approach to the
identification of leading operational and strategic practices in relation to BCM.
 Business History 989

Coupled with the launch of the joint BCI/DRII 10 Standards of professional

competence (Business Continuity Institute, 2003), a new focus on individual (as well
as collective) specialist management skills could be seen as a precursor to the
development of general business continuity standards in a national context such as
the Australian BH 221: Business continuity management (Standards Australia, 2004)
and international domains such as the 2005 Information Security Forum’s standard of
good practice – the standard for information security (version 4.1) (Information
Security Forum, 2005). Influenced by the BCI’s good practice guidelines, Publicly
available specification (PAS) 56: Guide to business continuity management was
released by the British Standards Institution (BSI) in early 2003. Publicly available
specifications are described by the BSI as lacking in ‘the full breadth of agreement of
a standard’ (British Standards Institution, 2009b) but require shorter lead times for
implementation of practices that are likely to be the contents of a full British
Standard. PAS 56 set in motion the rapid standards development process that
resulted in the publication of the British Standard for Business Continuity
Management which comprises of two parts; the BS 25999-1 Code of practice for
business continuity management (2006) and BS 25999-2 Specification for business
continuity management (2007). BS 25999 is characterised by a life-cycle of six
constituent parts: 1) BCM programme management, 2) understanding the
organisation, 3) determining business continuity strategies, 4) developing and
implementing the BCM response, 5) exercising, maintaining and reviewing BCM
arrangements, and 6) embedding BCM in the organisation’s culture.
In the post-9/11 phase, regulations, legislation and standards continued to
emerge but their rate of introduction and their industry focus could notably be
attributed to the events that had affected the USA in September 2001 and the
urgency to improve organisational resilience. Furthermore, these governance and
control mechanisms could no longer be viewed as fragmented entities – rather as
constituent elements of a broader governance umbrella designed to protect entire
industries and their ancillaries. Standards (many of which were oriented towards an
information systems focus) and regulations could noticeably be seen to build on one
or more preceding versions whilst others reflected developments in other countries.
Most discernible, however, during this period is the emergence of a practices and
standards from non Anglo-centric origins.

Internationalisation phase – competing standards and breakout (2006–10)

The internationalisation phase is marked by the introduction of standards and
guidelines that transcend industry or national boundaries. Sector-specific legislation
was established in previous phases and international standards and guidelines were
introduced to reflect organisations’ wishes to move beyond compliance and develop
recognised capabilities. The standards and guidelines that have emerged in the
internationalisation phase recognise the importance of collaboration between
organisations in crisis responses and harmonise the quality and nature of practices
within them. Whilst international standards are a way of achieving compliance in
regulated industries by providing a ‘third-party’ methodology that organisations
must use to satisfy regulatory norms, they may also potentially fulfil a role in
providing certifiable capabilities in activities that are regarded as the minimum
competitive criteria for sectors such as the suppliers of business recovery centres (hot
and cold sites).
990 B. Herbane

Internationalisation has occurred in two ways; first in terms of national standards

breaking out and becoming international standards, and second in originating from
international bodies (such as the International Organization for Standardization).
International standards have been developed from national standards such as ISO
24762 Security techniques – guidelines for information and communications technology
disaster recovery services (2008a) that were derived from the SS507 Singapore
standard for business continuity/disaster recovery service providers (SPRING, 2004).
The international standard ISO/DIS 22399 Societal security – guidelines for incident
preparedness and operational continuity management (2008b) originated from what
was understood to be a lack of a single coherent national standard and the need to
develop an ‘‘‘umbrella’’-concept of societal security . . . aimed at countering the
threats and vulnerabilities in society that require comprehensive crisis management
and business continuity systems which are multi-sector, multi-national and multi-
continental’ (International Organization for Standardization, 2006, p. 1). This
standard originated largely from an international body (ISO) rather than a national
regulatory or standards body (which in turn are members of ISO and participate and
observe the standards development process within it). Specifically, in the case of ISO/
DIS 22399, the standard’s guidelines were from a synthesis of five existing standards:
NFPA 1600: Standard on disaster management and business continuity programs, BS
25999 Business continuity management, BH 221: Business continuity management, SI
24001 Security and continuity management systems – requirements and guidance for use
(Standards Institution of Israel), and work from the Japanese Industrial Standards
Committee (Tangen & Seigel, 2008).
Attempts to develop international standards during this period were marked by
some disagreement about whether there was a need for an international standard
(since many domestic standards already exist) and what form such a standard would
take. The period began with what appeared to be the front-runner in the race to
become the basis for an international standard in business continuity management in
the form of the British Standard BS 25999, having been derived from the work of the
UK-based Business Continuity Institute (publisher of the BCM Good practice
guidelines and PAS 56). With the announcement that ASIS (American Society for
Industrial Security) had submitted a Project Initiation Notification System (PINS)
form to notify the American National Standards Institute of the initiation of a
standards project (ASIS ANSI PINS Standards Project – Business Continuity
Management Standard BSR ASIS BCM.01-200X) in mid-2008 (American Society
for Industrial Security, 2008), disagreement emerged over which standards should
(or might) become the de facto international standard. The joint ASIS and British
Standards Institution initiative was argued to have been driven by user needs, US
Department of Homeland Security requirements, the absence of an American or ISO
standard that focuses on the management dimensions of business continuity
activities, and shortcomings of the NFPA 1600 standard. These shortcomings were
claimed to include a focus on first-responder rather than user organisation’s plans
and the absence of the Deming-inspired Plan-Do-Check-Act approach which
underpins ISO standards (American Society for Industrial Security, 2008). In
contrast, the Disaster Recovery Institute International opposed this development
since this would add a further standard ‘in an industry already beset with multiple
and often confusing standards’ (Disaster Recovery Institute International, 2008).
NFPA 1600, Disaster Recovery Institute International (DRII) claimed, was already
an established standard in the US and beyond, and had a focus that was not limited
 Business History 991

to the needs of security professionals. It therefore publicly advocated that the

Institute’s members should oppose the filing of the PINS (DRII, 2008) and actively
lobby the Department of Homeland in relation to this (DRII, 2009). Moreover, a
new standard was not necessarily required since an inter-agency team that included
ASIS International, Disaster Recovery Institute International, National Fire
Protection Association, and Risk and Insurance Management Society, Inc.
(RIMS) had contributed to the Alfred P. Sloan Foundation Report (Sloan, 2008)
about Title IX of Public Law 110-53 (The Private Sector Preparedness Act
Implementing Recommendations of the 9/11 Commission Act of 2007) that had
initiated the creation of a voluntary private sector preparedness standards
programme. The report indicated that ‘any of the existing standards, guidelines,
best practices, or regulatory approaches can be used to meet the intent of Title IX of
PL 110-53’ (Sloan, 2008, p. 10). Standards cited in the study include NFPA 1600,
ISO/DIS 22399, ASIS (Organizational Resilience), BS 25999, CSA Z1600 and
TR19:2005, alongside regulations from Securities and Exchange Commission,
National Association of Securities Dealers (NASD), Health Insurance Portability
and Accountability Act (HIPAA), Federal Financial Institutions Examination
Council (FFIEC), and North American Electric Reliability Council (NERC).
Meanwhile, other national standards continued to emerge, including the
Canadian Standards Association CSA Z1600 Standard for emergency
management and business continuity programmes (Canadian Standards Association,
2008) which is based on the US NFPA 1600 standard (Professional Safety, 2009) and
BS 25777 Code of practice for information and communications technology continuity
management (British Standards Institution, 2009a), and draft Australia and New
Zealand standard AS/NZS 5050 Business continuity – managing disruption-related
risk (Standards Australia, 2009) that is based on the Standards Australia HB 292:A
Practitioners’ guide to business continuity management (Standards Australia, 2006).
The internationalisation of standards extends the life cycle of national standards and
offers organisations a way to achieve international certification based on the
enhancement (rather than replacement) of activities that were introduced to achieve
local/national certification. The supply side of standards has certainly been active in
the internationalisation phase but the demand side (in the form of organisations or
industries requiring organisations to be certified and compliant in a specified
standard) is less evident. Forbes (2008) notes in relation to the TR19 standard that
since commercial advantages to adopters of TR19 were not clear, ‘no one cared, no
one gained any advantage, no one lost business over it’. An increasing tendency that
can be observed since the emerging standards phase is the development of national
standards that are, from the outset, intended to become international standards
within a short period of time. During the internationalisation phase, this previously
assumed route of passage is now under challenge as industry bodies jockey for
position to install their own favoured standard as the international exemplar given
the economic and reputational advantages that would follow.

Discussion
The evolution of BCM practice and the drivers of its adoption identified in this paper
correspond to, and provide support for, new paradigms in business history and
institutional theory perspectives of organisational action and change. This paper has
presented and distinguished between three phases in the development of disaster
992 B. Herbane

recovery and business continuity practices within organisations, and four phases in
the introduction of legislation, regulations and standards relating to the adoption of
disaster recovery and business continuity. The gestation of the emerging legislation
period arose within the context of organisations formalising their disaster recovery
planning approaches to deal with new information technology. Within this period,
the scope of DRP was extended to include facilities and soft systems as both a cause
and a source of increased resilience. The emerging standards phase arose in the mid-
to late 1990s at the time that leading practitioners of business continuity had
embedded this activity as an ongoing management process. The events of 11
September 2001 served as a fulcrum for many of the changes to business continuity
management practices and the period that followed marked an acceleration in the
introduction of, and greater focus upon, guidelines, standards and legislation
requiring organisations to have and develop business continuity planning
capabilities. Indeed, by the start of the acceleration and focus phase, the nature of
BCM in scope and methodology was established (Figure 1) so whilst the emerging
legislation and standards phases were reflected in the development and transforma-
tion of DRP into BCM as an organisational activity, the acceleration and focus
phase involved the diffusion of practices into different industries and national
contexts. As this diffusion took hold, the national and sector-specific standards that
emerged earlier became candidates for both revision and conversion into
international standards. The diffusion of practice itself may have been problematic
in the internationalisation of existing national standards given the expansion of the
constituency of users and the wider stakeholder base such as industry associations
with responsibilities for business and economic resilience, crisis and business
continuity management. This has led to the candidature of national standards (such
as from Singapore, Australia and New Zealand) as the basis for new international
standards.
The transition from industry-specific to trans-industry function-specific regula-
tion that was observed in broader economic regulation in the 1970s (Reynolds, 1981)
took place from the 1990s as standards and regulations relating to risk, service,
security, business continuity and disaster management evolved alongside a

Figure 1. The development of business continuity management – periods, drivers and

practices.
 Business History 993

proliferation of influence across national boundaries and along supply chains. As

regulatory history at a specific industry level has ‘its own life story’ (Kling, 1988,
p. 198), so too does the regulatory and legislative history relating to specific
management practices such as BCM. As Kling continues, ‘what is really relevant is
how early or late, relative to a specific industry’s development, regulation occurred’
(1988, p. 198). In the context of this study, management practices relating to the
precursors to BCM emerged some time prior to legislation and yet further ahead of
explicit regulations and standards (Figure 1). Business continuity management has
become established as a formalised structure and expression of an organisation’s
crisis management values and practices with standards that had been developed in
the early 2000s. This echoes the assertion that governance and practice standards
may encourage innovation (change to rather than necessarily improvement) in
practices along with a diffusion within a social system (Zattoni & Cuomo, 2008).
Tracing the development of BCM and legislation, regulations and standards,
suggests that when organisational practices are established, practices are diffused
and meta-institutions (such as regulatory bodies and standards agencies) may seek
new opportunities to standardise these established known best practices.
From an institutional theory perspective, organisational resilience (to crisis)
might be considered to be a new mega-institution (Scott, 2001) that varies according
to the type of sector and the location of activities. Additionally within this
perspective, DiMaggio and Powell (1983) have argued that there may be normative
pressures on organisations to change their processes based on influences from
governments, regulatory agencies, and industry associations. Organisations from
within the same industry may give rise to mimetic influence (where, for instance, they
exhibit that their practices lead to a more effective recovery from an interruption)
and may provide exemplars of why business continuity management is needed. The
three elements of Scott’s (1995) institutions as social structures (cultural-cognitive,
normative, and regulative) can be observed in the development and adoption of
BCM practices. Cultural-cognitive elements may be represented by the perceived risk
and values of stakeholders such as governments, industry associations and
regulatory authorities arising from crisis events such as the SARS outbreak, 9/11,
the Y2K computer bug, and automotive product recalls. Events such as these (and
their outcome in terms of social, economic and legal impact) may influence the
mimetic adoption of BCM practices and organisations’ pursuit of isomorphism in
their structures and activities due to the influence by security, risk management and
resilience agendas emanating from these stakeholders. Normative elements
(certification, accreditation) are present in the form of good practice guidelines
and industry and function standards, and regulative elements (rules, laws and
sanctions) through industry regulations and legislation. These pillars of institutions
are, from an institutional theory perspective, necessary for an organisation’s
legitimacy and thus continued acceptance in the context within which it operates,
and may be seen as an indication of the wider adoption of BCM among
organisations that wish to reduce uncertainty and increase support within the
society in which they operate.
Building on the earlier work of Oliver (1992, 1997), Dacin, Goodstein, and Scott
(2002) assert that institutional theory literature supports the influence of functional,
political and social sources on changes to institutionalised traditions and activities.
Each of these three influences can be observed in the historical analysis developed in
this paper and explain why the push towards standardisation has not arrived at its
994 B. Herbane

destination. Functional pressures through the introduction and expansion in the use
of information technologies since the 1970s lowered the utility of practices relating to
recovery from an interruption, thereby leading to deinstitutionalisation and
institutional change in the form of emerging legislation and standards. Political
pressures that may challenge the legitimacy of extant practices (Dacin et al., 2002)
are notable in the post-9/11 period in which the absence of BCM in sectors closely
associated with the financial services sector became a primary concern for
professional associations, industry bodies and regulators, thereby stimulating and
legitimising organisational change. Cited within social influences on institutional
change are developments ‘in laws and social expectations’ (Dacin et al., 2002, p. 47).
Notable here are the national to international standards breakout and rivalries of
standards developers during the internationalisation phase that may impede the
trajectory of organisational practices (for instance the pursuit of a single unified
business continuity management standard). Furthermore the social expectations of
continuous availability of services delivered via the internet have presented
heightened pressure for organisations to improve their resilience to operational
interruptions.
The findings of this study lend support to Toms and Wilson’s (2003) extension of
the Chandlerian perspective that includes an explicit view of external stakeholder
accountability and corporate governance. These forces further illuminate their
suggestion that ‘business is always in transition, strategically and structurally’ (2003,
p. 2) in addition to classical scale and scope arguments. Within Toms and Wilson’s
(2003) nomenclature of transitional forces in business history, an identifiable
transition from low to high accountability is evident through elements such as the
influence of professional managers resulting from professionalisation/certification of
the management disciplines relating to BCM by organisations (Business Continuity
Institute, DRII, the Institute for Risk Management, and accounting bodies such as
the Chartered Institute of Management Accountants), external stakeholders such as
local and national governments, and customers in the promotion of accountability,
and alliance and network participants such as an organisation’s supply chain
partners, industry associations and technology service providers. The development
of standards, regulations and legislation relating to BCM provides a context in which
accountability, i.e. ‘the processes whereby the stewards of the business are held
accountable to its owners and other external stakeholders’ (Toms & Wilson, 2003, p.
3) is endogenous in nature and determined by forces that are external to the firm.
Within the financial services sector (from which business continuity practices
largely originate and continue to innovate today), the transition in accountability has
shifted from being endogenously determined to exogenously determined. Whilst
there are differences between Toms and Wilson (2003) and Lloyd-Jones and Lewis
(2007) about the logical core of the scale, scope and accountability paradigm of
business history, this study supports the idea that forms of accountability vary
between endogenous and exogenous sources across a given time period and that the
latter will give rise to transitions in standardised processes and practices of
organisations within a given industry. Organisations themselves remain undeniably
idiosyncratic, so that whilst the outcomes of the processes and practices may be the
same (greater resilience and more effective recovery from a crisis), the resources,
skills and experience of the organisation will differ from those of others, as might the
type and degree of threat that they face. Furthermore, we expect to observe
differences across industries in terms of the influence of accountability in relation to
 Business History 995

BCM, not least where external stakeholders and alliance/network participants do

not promote or require such business change. Accordingly, the study supports the
desire to reposition the study of business history ‘beyond the scale and scope
paradigm to incorporate accountability’ (Toms & Wilson, 2007, p. 109).
In its consideration of the development and diffusion of a specific business
practice (BCM) from a historical perspective, this study echoes a number of themes
that arose in Alfalla-Luque and Medina-López’s (2009) examination of how supply
chain management (SCM) research had developed since the 1980s. First, the concept
of BCM (and others that surround it such risk and crisis) has lacked clarity in its
meaning. Both BCM and SCM are ‘fledgling’ disciplines of academic research that
reflect a longer established body of practice within businesses where the terminology
in use may vary. Second, the elevation of SCM to a strategic level activity
championed by function-specific managers at the start of the twenty-first century is
also matched by the strategic role for BCM observed a study by Herbane, Elliott,
and Swartz (2004), stimulated by executives’ understanding of the vulnerabilities
arising from technology failure (e.g. Y2K computer bug and e-commerce),
pandemics (e.g. SARS and H5N1) and terrorism (e.g. 9/11). Third, the development
of praxis is observed through the more recent emergence of practitioner and
professional certification (such as the BCI/DRII 10 Standards of professional
competence), indicating the ‘importance and consolidation’ (Alfalla-Luque &
Medina-López, 2009, p. 212) of a management concept among businesses. The
adoption and study of BCM continues to grow from the roots identified in this study
and the influence of accountability, strategic importance and compliance seem likely
to maintain the trajectory in the evolution of this business and management practice.

Conclusion
Whilst no single event or piece of legislation can be said to be explicitly attributable
to the rise of what organisations today carry out as business continuity management,
the historical analysis presented herein has traced seminal changes in practices
alongside the introduction of new information technologies, and legislation and
regulations, many of which reflected the impact of, and insights from, the 9/11
terrorist attacks. This event was the fulcrum of many organisational and supervisory
changes and further confirmed the presence and need for BCM in the finance, service
and utility sectors along with non-profit and public authorities. Moreover, in the
context of crisis management, 11 September 2001 is already an important event in
business history due to its influence on the consolidation of specific business practices
within and between organisations across many sectors of the economy, and its basis
as the rationale for legislation and regulation during the acceleration and focus phase.
An explanation for competing standards has been identified here as the preceding
diffusion of practices. As a non-traditional business discipline that has become
increasingly influenced by exogenous factors (crisis events and governance
mechanisms), this paper has identified that the formalisation of practices in
organisations has arisen in advance of the formalisation of its need by meta-
institutions. Furthermore, tracing the evolution of BCM through a historical review
of practices and legal, regulatory and best practice drivers contributes to recent
debates in this journal and others about the value of new paradigms in business
history and institutional theory perspectives of organisational action and change.
What began as an Anglo-centric, information technology focused activity whose
996 B. Herbane

need was implied within very specific industry contexts, has become a process that
has now become an expectation rather than luxury, and one which is emblematic of
the impartation of international leading practices that are intended to attenuate the
impact of a crisis.

Notes on contributor
Dr Brahim Herbane is a Principal Lecturer in the Department of Strategy and Management at
Leicester Business School, De Montfort University.

References
Alesi, P. (2008). Building enterprise-wide resilience by integrating business continuity
capability into day-to-day business culture and technology. Journal of Business Continuity
and Emergency Planning, 2(3), 214–220.
Alfalla-Luque, R., & Medina-López, C. (2009). Supply chain management: Unheard of in the
1970s, core to today’s company. Business History, 51(2), 202–221.
American Bankers Association. (2005). Business continuity planning, born in DP, needs
human element. ABA Banking Journal, (April), 46–48.
American Society for Industrial Security. (2008, 21 August). Open letter: Comments to ASIS
ANSI PINS Standards Project – BSR ASIS BCM.01-200X. In Continuity Central, ASIS
versus DRII. Continuity Central. Retrieved from http://www.continuitycentral.com/
news04105.html
Ash, S.R., & Ross, D.K. (2004). Crisis management through the lens of epidemiology.
Business Horizons, 47(3), 49–57.
Ashmos, D.P., Duchon, D., & Bodensteiner, W.D. (1997). Linking issue labels and managerial
actions: A study of participation in crisis vs. opportunity issues. Journal of Applied
Business Research, 13(4), 31–45.
Australian Prudential Regulation Authority. (2005a). Prudential standard GPS 222 business
continuity management. Sydney: Australian Prudential Regulation Authority.
Australian Prudential Regulation Authority. (2005b). Prudential standard APS 222 business
continuity management. Sydney: Australian Prudential Regulation Authority.
Bank of Thailand. (2003). Strategic risk manual: Risk assessment and information and
technology system department (financial institutions supervision). Bangkok: Bank of
Thailand.
Billings, R., Milburn, T., & Schaalman, M. (1980). A model of crisis perception.
Administrative Science Quarterly, 25, 300–316.
Birkland, T.A. (2009). Disasters, catastrophes, and policy failure in the homeland security era.
Review of Policy Research, 26(4), 423–438.
Boin, A., & Smith, D. (2006). Terrorism and critical infrastructures: Implications for public–
private crisis management. Public Money and Management, 26(5), 295–304.
Bowman, R.H., Jr. (2008). Business continuity planning for data centers and systems – a
strategic implementation guide. Hoboken, NJ: John Wiley & Sons.
Bradford, M. (1992). Banks told to be ready to handle a power loss. Business Insurance, 26(9),
10–11.
British Standards Institution. (1995). BS 7799 Information security management. London:
British Standards Institution.
British Standards Institution. (2000). BS 15000 IT service management code of practice and
specification. London: British Standards Institution.
British Standards Institution. (2003). Publicly available specification 56: Guide to business
continuity management. London: British Standards Institution.
British Standards Institution. (2005). BS ISO/IEC 20000-1:2005 information technology –
service management – specification. Retrieved from http://www.bsi-global.com/ICT/
Service/bs15000-1.xalter
British Standards Institution. (2006). BS 25999-1 Code of practice for business continuity
management. London: British Standards Institution.
British Standards Institution. (2007). BS 25999-2 Specification for business continuity
management. London: British Standards Institution.
 Business History 997

British Standards Institution. (2009a). BS 25777 Code of practice for information and
communications technology continuity management. London: British Standards Institution.
British Standards Institution. (2009b). What are standards? British Standards Institution.
Retrieved from http://www.bsigroup.com/en/ProductServices/About-Kitemark/Consumer-
Information/What-are-standards/PAS/
Broadbent, D. (1979). Contingency planning. Manchester: National Computing Centre.
Burger, K. (1988). Beyond DP: Banks expanding scope of disaster recovery. Bank Systems and
Equipment, 25(3), 43–47.
Burnett, J.J. (1998). A strategic approach to managing crises. Public Relations Review, 24(4),
475–488.
Business Continuity Institute. (2002). Good practice guidelines (1st ed.). London: Business
Continuity Institute.
Business Continuity Institute. (2003). The Business Continuity Institute 10 standards of
professional competence. Retrieved from http://www.thebci.org/certificationstandards.htm
Canadian Standards Association. (2008). CSA Z1600 standard for emergency management and
business continuity programmes. Mississauga, Ontario: Canadian Standards Association.
Castillo, C. (2004). Disaster preparedness and business continuity planning at Boeing: An
integrated model. Journal of Facilities Management, 3(1), 8–26.
Civil Contingencies Act. (2004). c.36. London: The Stationary Office.
Dacin, M.T., Goodstein, J., & Scott, W.R. (2002). Institutional theory and institutional
change: Introduction to the special research forum. Academy of Management Journal,
45(1), 45–57.
Dain, S. (2002). Normal accidents: Human error and medical equipment design. The Heart
Surgery Forum, 5(3), 254–257.
DiMaggio, P.J., & Powell, W.W. (1983). The iron cage revisited: Institutional isomorphism
and collective rationality in organizational fields. American Sociological Review, 48(2),
147–160.
Disaster Recovery Institute International. (2008). Immediate action is required. In Continuity
Central (2008) ASIS versus DRII, August 21, 2008. Retrieved from http://www.continuity
central.com/news04105.html
Disaster Recovery Institute International. (2009, 16 October). DHS requesting comments on
new proposed standards for business continuity management and preparedness (press
release). New York: Disaster Recovery Institute International.
Donovan, T., Rosson, T., & Eichstadt, B. (1999). Preparing carriers for Y2K. Telephony, 236,
180–184.
Doughty, K. (2001). Business continuity planning – protecting your organization’s life. London:
Auerbach.
Drennan, L.T., & McConnell, A. (2007). Risk and crisis management in the public sector.
London: Routledge.
Dugan, E. (1986). Disaster recovery planning: Crisis doesn’t equal catastrophe. Computer-
world, 20(4), 67–71.
Elliott, D. (2009). The failure of organizational learning from crisis – a matter of life and
death? Journal of Contingencies and Crisis Management, 17(3), 157–168.
Elliott, D., Harris, K., & Baron, S. (2005). Crisis management and services marketing. Journal
of Services Marketing, 19(5), 336–345.
Elliott, D., Swartz, E., & Herbane, B. (1999a). Just waiting for the next big bang: Business
continuity planning in the UK finance sector. Journal of Applied Management Studies,
8(1), 43–60.
Elliott, D., Swartz, E., & Herbane, B. (1999b). Business continuity management – preparing for
the worst. London: Incomes Data Services.
Elliott, D., Swartz, E., & Herbane, B. (2002). Business continuity management – a crisis
management approach. London: Routledge.
Executive Order 12656. (1998). Executive Order 12656 of November 18, 1988 Assignment of
Emergency Preparedness Responsibilities. Washington, DC: Government Printing Office.
Expedited Funds Availability Act, 12 U.S.C x4001 (1989).
Federal Financial Institutions Examination Council. (2003). Business continuity planning
booklet. Arlington, VA: Federal Financial Institutions Examination Council.
Fink, S. (1986). Crisis management: Planning for the inevitable. New York: Amacom.
998 B. Herbane

Flood Disaster Protection Act, 42 U.S.C. x 4002 et. seq (1973).

Fone, F., & Young, P.C. (2000). Public sector risk management. Oxford: Butterworth-
Heinemann.
Forbes, N. (2008, 1 December). Singapore BCM standard SS540: TR19 with a facelift, BCP
confidential. Retrieved from http://www.zdnetasia.com/blogs/bcp/0,3800011228,63007693,
00.htm
Foreign Corrupt Practices Act, 15 U.S.C. xx 78dd-1 et. seq (1977).
Foremski, T. (2001, 5 December). Key lessons learned in attack on New York: Disaster
recovery planning. The Financial Times, FT-IT Review, p. 3.
Financial Services Authority. (2006, July). Feedback statement on the resilience benchmarking
project discussion paper. London: Financial Services Authority.
Gallagher, M. (2003). Business continuity management – how to protect your company from
danger. London: FT Prentice Hall.
Gallup, J.G. (1989). Fire detection systems – the basics (part 1). Plant Engineering, 43(10), 62–
63.
Ginn, R.D. (1989). Continuity planning: Preventing, surviving and recovering from disaster.
Oxford: Elsevier Advanced Technology.
Gramm–Leach–Bliley Act, 15 U.S.C. x1811 (1999).
Gundel, S. (2005). Towards a new typology of crises. Journal of Contingencies and Crisis
Management, 13(3), 106–115.
Harrison, B. (1988). Planning for disaster. Networking Management, 6(9), 22–28.
Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. x1301 et seq
(1996).
Heng, G.M. (1996). Developing a suitable business continuity planning methodology.
Information Management and Computer Security, 4(2), 11–13.
Henneberry, C. (1988, 1 November). Banks broaden contingency plans to avoid disaster.
Bank Systems and Equipment, p. 53.
Herbane, B. (2010). Small business research – time for a crisis-based view. International Small
Business Journal, 28(1), 43–64.
Herbane, B., Elliott, D., & Swartz, E. (1997). Contingency and continua:
Achieving excellence through business continuity planning. Business Horizons, (November–
December), 19–25.
Herbane, B., Elliott, D., & Swartz, E. (2004). Business continuity management – time for a
strategic role? Long Range Planning, 37, 435–457.
Herman, C.F. (1963). Some consequences of crisis which limit the viability of organisations.
Administrative Science Quarterly, 12, 61–82.
Hiles, A., (Ed.). (2007). The definitive handbook of business continuity management (2nd ed.).
London: Wiley.
Hiles, A., & Barnes, P. (Eds.). (1999). The definitive handbook of business continuity
management. London: Wiley.
Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (25 November 2002).
Hong Kong Monetary Authority. (2002). Supervisory policy manual TM-G-2: Business
continuity planning. Hong Kong: Hong Kong Monetary Authority.
Hopkins, A. (2001). Was Three Mile Island a ‘normal accident’. Journal of Contingencies and
Crisis Management, 9(2), 65–72.
Information Security Forum. (2005). The Information Security Forum’s standard of good
practice – the standard for information security (version 4.1). London: Information
Security Forum.
Information Systems Audit and Control Association. (1992). Control objectives for information
and related technology [COBIT] version 4.0. Rolling Meadows, IL: Information Systems
Audit and Control Association.
Innovest. (2003). Banking industry and financial institutions disaster recovery planning.
Retrieved from http://www.theinnovestgroup.com/26.html
Institute of Chartered Accountants in England & Wales. (1999). Internal control: Guidance for
directors on the combined code. London: Institute of Chartered Accountants in England &
Wales.
Institute of Directors in Southern Africa. (2002). King report on the corporate governance for
South Africa. Parktown, South Africa: Institute of Directors in Southern Africa.
 Business History 999

International Organization for Standardization. (2005). ISO/IEC 17799 Information technology

– security techniques – code of practice for information security management. Retrieved from
http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
International Organization for Standardization. (2006). Business plan ISO/TC 223 societal
security – executive summary. Geneva: International Organization for Standardization (ISO).
International Organization for Standardization. (2008a). ISO 24762 Security techniques –
guidelines for information and communications technology disaster recovery services.
Geneva: International Organization for Standardization (ISO).
International Organization for Standardization. (2008b). ISO/DIS 22399 Societal security –
guidelines for incident preparedness and operational continuity management. Geneva:
International Organization for Standardization (ISO).
International Organization for Standardization. (2009). ISO 31000 Risk management
(principles and guidelines). Geneva: International Organization for Standardization (ISO).
Jablonowski, M. (2006). Precautionary risk management – dealing with catastrophic
loss potentials in business, the community and society. Basingstoke: Palgrave
Macmillan.
Keller, S., Powell, A., Horstmann, B., Predmore, C., & Crawford, M. (2005). Information
security threats and practices in small businesses. Information Systems Management,
(Spring), 7–19.
Kling, R.W. (1988). Building an institutionalist theory of regulation. Journal of Economic
Issues, 22(1), 197–209.
Kouzmin, A. (2008). Crisis management in crisis? Administrative Theory & Praxis, 30(2), 155–
183.
Krauss, L.I. (1980). EDP contingency planning: How to survive a disaster. Management
Review, 69(6), 19–25.
Kuong, J., & Isaacson, J. (1986). How to prepare an EDP plan for business contingency.
Wellesley Hills, MA: Management Advisory Publications.
La Porte, T.R. (1996). High reliability organizations: Unlikely, demanding, and at risk.
Journal of Contingencies and Crisis Management, 4(2), 60–71.
La Porte, T.R., & Consolini, P. (1991). Working in practice but not in theory: Theoretical
challenges of high-reliability organizations. Journal of Public Administration Research and
Theory, 1, 19–47.
La Porte, T.R., & Rochlin, G.A. (1994). Rejoinder to Perrow. Journal of Contingencies and
Crisis Management, 2(4), 221–227.
Lagadec, P. (2009). A new cosmology of risks and crises: Time for a radical shift in paradigm
and practice. Review of Policy Research, 26(4), 473–486.
Lemyre, L., Turner, M.C., Lee, J.E.C., & Krewski, D. (2006). Public perception of terrorism
threats and related information sources in Canada: Implications for the management of
terrorism risks. Journal of Risk Research, 9(7), 755–774.
Lloyd-Jones, R., & Lewis, M.J. (2007). ‘A new paradigm of British business history’: A
critique of Toms and Wilson. Business History, 49(1), 98–105.
Lodge, M. (2009). The public management of risk: The case for deliberating among
worldviews. Review of Policy Research, 26(4), 395–408.
Lynch, A., & Sheahan, C. (2009). Taxonomy of a decision: Ranking operational decisions
within the SME. International Journal of Decision Sciences, Risk and Management, 1(1/2),
126–141.
Mainiero, L.A. (2002). Action or reaction? Handling businesses in crisis after September 11.
Business Horizons, (September–October), 2–10.
Mattila, A.S. (2001). The effectiveness of service recovery in a multi-industry setting. Journal
of Services Marketing, 15(7), 583–596.
Meier, N. (2005, 18–24 September). International regulations (privacy laws and data
protection). North America Regional Business Continuity Awareness Week. Retrieved
from http://www.thebci.org/RegulationsArticle.pdf
Meisinger, S. (2006). Crisis management and HR’s role. HR Magazine, 51(2), 12.
Ministry of Defence. (2000). Joint service publication 503 – business continuity management (1st
ed.). London: Ministry of Defence.
Mitroff, I.I., & Alpaslan, M.C. (2003). Preparing for evil. Harvard Business Review, 81(4), 109–
115.
1000 B. Herbane

Mitroff, I.I., Pauchant, T.C., & Shrivastava, P. (1988). The structure of man-
made organizational crises. Conceptual and empirical issues in the development of a
general theory of crisis management. Technological Forecasting and Social Change, 33, 83–
107.
Monetary Authority of Singapore. (2003). Business continuity management guidelines.
Singapore: Monetary Authority of Singapore.
Moretz, S. (1989, 1 August). Don’t let a fire put you out of business. Occupational
Hazards, p. 25.
Namel, P.F., & Ward, W.T. (1983). Disaster recovery planning: obligation or opportunity?
Risk Management, 30(5), 44–47.
National Fire Protection Association. (2004). NFPA 1600: Standard on disaster/emergency
management and business continuity programs. Quincy, MA: National Fire Protection
Association.
National Fire Protection Association. (2007). NFPA 1600: Standard on disaster/emergency
management and business continuity programs 2007 edition. Quincy, MA: National Fire
Protection Association.
National Futures Association. (2003). [5239] RULE 2-38. Business continuity and disaster
recovery plan. New York: National Futures Association.
National Institute of Standards and Technology. (2002). Contingency planning guide for
information technology systems – recommendations of the National Institute of Standards
and Technology, NIST special publications (SP) 800-34. Washington, DC: US Department
of Commerce.
Nielsen, J. (2006). BCM and corporate governance – the chicken or the egg? Continuity SA.
Retrieved from http://www.continuitysa.co.za/Article1.asp
North American Electric Reliability Council. (2002, 14 June). Security guidelines for the
electricity sector. Version 1.0. Princeton, NJ: North American Electric Reliability Council.
Office of Comptroller of Currency. (1983). BC-177 corporate contingency planning.
Washington, DC: Office of Comptroller of Currency.
Office of Management and Budget. (1993). OMB circular A-130 1993 Resources transmittal
memorandum no. 4. Memorandum for heads of executive departments and agencies, subject:
Management of federal information resources. Washington, DC: Office of Management
and Budget.
Oliver, C. (1992). The antecedents of deinstitutionalization. Organization Studies, 13(4), 563–
588.
Oliver, C. (1997). Sustainable competitive advantage: Combining institutional and resource-
based views. Strategic Management Journal, 18(9), 697–713.
Ozier, W. (1999). Disaster recovery and risk avoidance/acceptance. Disaster Recovery Journal,
3(1), 40.
Parthasarathi, P. (2005). Operational risk management – business continuity planning,
DBS.CO.IS Audit. No. 19/31.02.03/2004–05. Department of Banking Supervision.
Mumbai: Reserve Bank of India.
Pauchant, T.C., & Mitroff, I.I. (1990). Crisis management. Managing paradox in a chaotic
world. Technological Forecasting and Social Change, 38, 117–134.
Pauchant, T.C., Mitroff, I.I., & Ventolo, G. (1992). The dial tone does not come from God!
How a crisis can challenge dangerous strategic assumptions made about high technologies:
The case of the Hinsdale telecommunication outage. Academy of Management Executive,
6(3), 66–79.
Pearson, C.M., & Clair, J.A. (1998). Reframing crisis management. Academy of Management
Review, 23(1), 59–76.
Penansky, S.G. (1981). Capacity considerations in disaster recovery planning. Capacity
considerations in disaster recovery planning Library. Washington, DC: Arthur Young & Co.
Perrow, C. (1984). Normal accidents. New York: Basic Books.
Perry, R.W., & Mankin, L.D. (2005). Preparing for the unthinkable: Managers, terrorism and
the HRM function. Public Personnel Management, 34(2), 175–193.
Phelps, N. (1986). The role of top management in disaster recovery planning. Professional
Safety, 31(11), 15–19.
Pitt, M., & Goyal, S. (2004). Business continuity planning as a facilities management tool.
Facilities, 22(3/4), 87–99.
 Business History 1001

Presidential Decision Directive 63. (1998, 22 May). Presidential decision directive/NSC-63,

critical infrastructure protection.
Presidential Decision Directive 67. (1998, 21 October). Presidential decision directive/NSC-67,
enduring constitutional government and continuity of government operations.
Priluck, R. (2003). Relationship marketing can mitigate product and service failures. Journal
of Services Marketing, 17(1), 37–52.
Pritchard, J.A.T. (1976). Contingency planning. Manchester: National Computing Centre.
Reason, J. (1997). Managing the risks of organizational accidents. Aldershot: Ashgate.
Reynolds, L. (1981). Foundations of an institutional theory of regulation. Journal of Economic
Issues, 15(2), 641–656.
Rijpma, J.A. (2003). From deadlock to dead end: The normal accidents–high reliability debate
revisited. Journal of Contingencies and Crisis Management, 11(1), 37–45.
Rodetis, S. (1999). Can your business survive the unexpected? Journal of Accountancy, 187(2),
27–32.
Roe, E. (2009). Preventing transboundary crises: The management and regulation of setbacks.
Review of Policy Research, 26(4), 457–471.
Roux-Dufort, C. (2007). Is crisis management (only) a management of exceptions? Journal of
Contingencies and Crisis Management, 15(2), 105–114.
Runyan, R.C. (2006). Small business in the face of crisis: Identifying barriers to recovery from
a natural disaster. Journal of Contingencies and Crisis Management, 14(1), 12–26.
Santella, N., Steinberg, L.J., & Parks, K. (2009). Decision making for extreme events:
Modeling critical infrastructure interdependencies to aid mitigation and response
planning. Review of Policy Research, 26(4), 409–422.
Schreider, T. (1996). White paper: The legal issues of disaster recovery planning. Disaster
Recovery Journal, 9(2), 31.
Scott, W.R. (1995). Institutions and organizations. Thousand Oaks, CA: Sage.
Scott, W.R. (2001). Institutions and organizations. London: Sage.
Securities and Exchange Commission. (2002a). Interagency paper on sound practices to
strengthen the resilience of the U.S. financial system. Retrieved from http://www.sec.gov/
news/studies/34-47638.htm
Securities and Exchange Commission. (2002b). NYSE Rulemaking self-regulatory organiza-
tions; notice of filing of proposed rule change by the New York Stock Exchange, Inc. relating
to business continuity and contingency planning. Retrieved from http://www.sec.gov/rules/
sro/34-46443
Securities and Exchange Commission. (2003). NASD Rulemaking re: Business continuity plans
and emergency contact information. Retrieved from http://www.sec.gov/rules/sro/34-
48503.htm
Seymour, M., & Moore, S. (2000). Effective crisis management. London: Continuum.
Sloan. (2008). Framework for voluntary preparedness, briefing regarding private sector
approaches to Title IX of H.R. 1 and public law 110-53 implementing recommendations of
the 9/11 Commission Act of 2007. New York: Alfred P. Sloan Foundation.
Smart, P.K., Tranfield, D., Deasley, P., Levene, R., Rowe, A., & Corley, J. (2003). Integrating
lean and high reliability thinking. Proceedings of the Institution of Mechanical Engineers,
217 Part B: J, 773–739.
Smith, D. (1990). Beyond contingency planning: Towards a model of crisis management.
Industrial Crisis Quarterly, 4(4), 263–275.
Smith, D. (2005). Business (not) as usual: Crisis management, service recovery and the
vulnerability of organisations. Journal of Services Marketing, 19(5), 309–320.
Smith, M., & Sherwood, J. (1995). Business continuity planning. Computers and Security,
14(1), 14–23.
Spillan, J., & Hough, M. (2003). Crisis planning in small businesses: Importance, impetus and
indifference. European Management Journal, 21(3), 398–407.
Standards Australia. (1992). Australian and New Zealand AS/NZ4360 Risk management
standard. Sydney: Standards Australia Limited.
Standards Australia. (2004). BH 221: Business continuity management, second edition. Sydney,
NSW: Standards Australia.
Standards Australia. (2006). HB 292: A practitioners’ guide to business continuity management.
Sydney: Standards Australia.
1002 B. Herbane

Standards Australia. (2009). Draft for public comment: Australian/New Zealand standard AS/
NZS 5050 Business continuity – managing disruption-related risk (part 2: Practice).
Sydney: Standards Australia.
Standards, Productivity and Innovation Board Singapore (SPRING). (2004). SS507
Singapore standard for business continuity/disaster recovery service providers. Singapore:
The Standards, Productivity and Innovation Board.
Standards, Productivity and Innovation Board Singapore (SPRING). (2005). Technical
reference (TR19:2005) on BCM. Retrieved from http://www.spring.gov.sg/Content/
WebPage.aspx?id¼3179f0f0-0a7a-4142-905d-6f24bd7ddaa4
State Bank of Pakistan. (2003). Risk management guidelines for commercial banks and DFIs.
Karachi: State Bank of Pakistan, Central Directorate.
Strohl Systems. (1995). The business continuity planning guide. King of Prussia, PA: Strohl
Systems.
Swartz, E., Elliott, D., & Herbane, B. (1995). Out of sight, out of mind. The limitations of
traditional information systems planning. Facilities, 13(9/10), 15–22.
Swartz, E., Elliott, D., & Herbane, B. (2003). Greater than the sum of its parts? Business
continuity management in the UK finance sector. Risk Management – An International
Journal, 5(1), 65–80.
Tangen, S., & Seigel, M. (2008). ISO/PAS 22399 provides international best practice for
preparedness and continuity management. ISO Management Systems, (January–Febru-
ary), 5–9.
Tarkington, G., & Ulrich, W. (1983, 24 August). Disaster recovery planning: insuring against
the unthinkable. Computerworld, 17(31), 47–51.
Telecommunications Act, Pub. LA. No. 104-104, 110 Stat. 56 (1996).
Toms, S., & Wilson, J.F. (2003). Scale, scope and accountability: Towards a new paradigm of
British business history. Business History, 45(4), 1–23.
Toms, S., & Wilson, J.F. (2007). Scale, scope and accountability: A response to Lloyd-Jones
and Lewis. Business History, 49(4), 106–111.
Tuira, K. (1983). Disaster planning yields benefits. Computer Data, 8(5), 25.
Turner, B. (1976). The organizational and interorganizational development of disasters.
Administrative Science Quarterly, 21, 378–397.
Turner, B. (1994). Causes of disaster: Sloppy management. British Journal of Management,
5(3), 215–219.
Vogler, M., & Perkins, C. (1991, 12 August). Disaster plans must focus on more than data.
National Underwriter, 95(32), 17–19.
Walker, D.D. (1985). Disaster recovery planning inside General Electric. The Journal of
Information Systems Management, 2(4), 25–33.
Weick, K.E. (1988). Enacted sensemaking in crisis situations. Journal of Management Studies,
25(4), 305–317.
Weick, K., & Sutcliffe, K. (2003). Hospitals as cultures of entrapment: A re-analysis of the
Bristol Royal Infirmary. California Management Review, 45(2), 73–84.
Wheeler, R. (1999). Business continuity planning over the millennium. Insurance Brokers
Monthly and Insurance Adviser, 49(11), 7–8.
Wichman, M. (1999, 8 March). SIA gears up strategy for Y2K contingency plans. Wall Street
Letter, 31(10), 1–2.
Wong, K. (1981). Disaster recovery planning. Backup for a distributed system. Information
Privacy, 3(3), 86–88.
Wright, G.H. (1979). Fire! Anguish! Dumb luck! Or contingency planning. Canadian Library
Journal, 36(5), 254–260.
Zattoni, A., & Cuomo, F. (2008). Why adopt codes of good governance? A comparison of
institutional and efficiency perspectives. Corporate Governance, 16(1), 1–15.
Zsidisin, G.A., Melnyk, S.A., & Ragatz, G.L. (2005). An institutional theory perspective of
business continuity planning for purchasing and supply management. International
Journal of Production Research, 43, 3401–3420.

View publication stats