J Transp Secur (2013) 6:209–220 DOI 10.1007/s12198-013-0112-4
A model for improving organizational continuity Simon Véronneau & Yan Cimon & Jacques Roy
Received: 4 March 2013 / Accepted: 11 March 2013 / Published online: 3 April 2013 # Springer Science+Business Media New York 2013
Abstract Regardless of organizations’ purposes, one thing is common to all: they must strive for organizational continuity. As globalization increases the exposure of organizations to various risks, many of them unknowingly leave their operations exposed to breakdown, thereby jeopardising the continuity of their organization. With the recent heightened awareness of possible crises and disasters, it is becoming increasingly important for many organizations to find good management solutions to these potentialities. Integrating known concepts like business continuity planning, crisis management, and resilience would yield better organizational continuity. It is also essential that tools be developed to enable managers to successfully manage crises and disasters. This paper addresses the issue of organizations’ fragility to crises and disasters and proposes a conceptual model designed to increase organizational robustness and, ultimately, yield better organizational continuity.
S. Véronneau (*) : J. Roy Supply Chain Research Group (CHAÎNE), HEC Montréal, 3000, Ch. de la Côte-Ste-Catherine, Montréal, QC, Canada H3T 2A7 e-mail:
[email protected] J. Roy e-mail:
[email protected] Y. Cimon Faculty of Business Administration, Université Laval, Pavillon Palasis-Prince, Local 1513, Québec, QC, Canada G1V 0A6 e-mail:
[email protected] S. Véronneau : Y. Cimon : J. Roy Interuniversity Research Centre on Entreprise Networks, Logistics and Transportation (CIRRELT), PO Box 6128, Station Centre-ville, Montréal, QC, Canada H3C 3J7
210
S. Véronneau et al.
Keywords Crisis Management . Disaster management . Continuity planning . Resilience . Organizational continuity
Introduction Today’s organizations are operating in tumultuous waters (Lapointe and Cimon 2009). Though corporations face an increasing number of threats from various sources, corporations’ managers are often unprepared for a major crisis. This lack of company preparedness, as Andriole (1983) reported, is not a new phenomenon. Concern over potential crises has been evident for years, but it has remained marginalized. However, attitudes are changing as a result of the research on business continuity that emerged in the 1970s and that has evolved into its current high level of sophistication (see Herbane 2010). Currently, among political and business practitioners, there seems a genuine interest in assuring organizational continuity, especially in light of recent work reporting similar preoccupations, notably, the evaluation of risk factors that affect businesses (Momani 2010). Firms also need active procedures for securing their supply chains (Autry and Bobbitt 2008), procedures which may be achieved through the implementation of a business continuity program (Gibb and Buchanan 2006). Additionally, though the implementation of operation risk management practices is strongly dependent on organizational context, they too are closely related to business continuity (Vaid 2008). Lastly, continuity also impacts organizational learning (Engestrom et al. 2007). These and other factors make a strong case for a tool that will provide managers and academics alike a holistic view of continuity and its attendant challenges. One obvious example of a risk to organizations is the threat of terrorism. After September 11th the U.S. government called for studies of terrorism’s impact on organizations. One notable result identified what is perhaps the biggest threat to a country’s economic welfare: the shutdown of maritime ports (Australian Government Department of Foreign Affairs and Trade 2003). This necessary disruption of maritime trade is a primary emergency response measure to any significant act of terrorism (Heinrich 2002). However, not all risks to organizational continuity are so obvious or so drastic. Other, more subtle risks also pose threats to organizational continuity, risks such as the overreliance on an aging workforce coupled with the under-preparedness of key processes to ensure continuity beyond a specific worker’s retirement. A second example is the current trend in competitive corporations for logistics planners “to reduce replenishment cycle times and inventory carrying costs, provide immediate logistics support in new international markets, and outsource non-core or low-value-added functions ”(Rondinelli and Berry 2000: 400). The surrendering of control over the operations to the benefit of third-party managers contributes to organizational fragility, yet even the most prudent companies are not bucking this trend, for the cost savings of these techniques are too considerable to revert to the old paradigm, which would not be advantageous in the long run. The purpose of this paper is to put forth a comprehensive model to improve organizational continuity. This paper is structured as follows: first, we introduce the issues related to organizational fragility and take a structured view of disasters and
Improving organizational continuity
211
what they entail; second, we examine failures and their prevention by examining business continuity planning, crisis management, and resilience; fourth, we present the corporate recovery prism, which synthesizes these issues and facilitates a more comprehensive understanding of risk factors and their management.
Organization’s fragility Organizations have grown more fragile over the years. This fragility is due in large part to the increasing geographic dispersion of value chains as they become ever more global. Lean systems favour low inventory, which results in efficiency gains but at the same time increases the risk of disruption because of reduced slack in the system (Barry 2004). Thus, as organizations have grown more fragile, they have become vulnerable to both internal and/or external threats (Svensson 2004), which means they are more vulnerable to failures and disasters. Furthermore, evaluating and managing vulnerability are exercises fraught with complications (Kalliopi 2005). Failures and disasters Organizations are subject to many failures. Rice and Caniato (2003) have identified six basic failure modes: supply, transportation, freight breaches, facilities, communications and human resources. These are described in Table 1. Understanding these failure modes allows for preparation efforts critical to organizational continuity. Once an organization has achieved an acceptable level of response for a given failure mode, it should move on to identify the different disruption types. Doing so will enable the tailoring of particular responses to each disruption type, thereby increasing response effectiveness. For example, a growing number of organizations are establishing a parallel or secondary network of suppliers located closer to their production facilities or markets in order to protect themselves against the potential failure of their foreign, lowTable 1 The basic failure modes
(Rice and Caniato 2003)
Failure mode
Type of anticipated disruption
Supply
Delay or unavailability of materials from suppliers
Transportation
Delay or unavailability of the transportation infrastructure or various modes
Freight breaches
Tempering with the freight, pilferage or contamination of the goods
Facilities
Delay or unavailability of plants, warehouse, office building facilities used in converting products
Communications
Delay or unavailability of the information and communication infrastructure
Human resources
Delay, loss or unavailability of human resources to continue operations
212
S. Véronneau et al.
cost supply source; other organizations have prepared emergency plans in case their human resources are hit by a sudden and severe epidemic such as the bird flu. Apart from failures, organizations need to plan responses for potential disasters, however improbable some may be. While disasters have been studied in a variety of settings (Anthony 1990), the Council of Logistics Management (now called Council of Supply Chain Management Professionals) has established a disaster classification profile (Helferich & Cook 2002). In line with the failure modes reported above, this profile (see table 2) can be used by corporations to identify and classify the types of failures and disruptions they could experience and to plan accordingly. While the above profile does not identify the disruption type specific to a given company, it nevertheless defines it so as to better focus the response. To identify the disruption type, the organization needs to conduct an exhaustive brainstorming session involving employees from the shop floor to the top management; everyone must come together to identify potential internal and external disruptions. Since the firm usually has better control over its internal operations, it would do well to start by tackling internal challenges and then to move outwards toward external operations and suppliers. That being said, it is important to note that, even though the easiest task for management might be to implement a robust organization design inside the company, the failure mode and disruption type with the highest potential magnitude and the highest risk of occurrence should be addressed first. This approach is analogous to the principle of prioritizing the resolution of bottleneck areas. The importance of disruption analysis is illustrated by a company that is strictly focused on a failure mode and thus adopts a flexibility strategy of splitting its supply requirement between two suppliers. These two suppliers might be exposed to the same disruption type, but without a forthcoming disruption-type analysis, it is impossible to make a fully informed determination.
Preventing failures What the above demonstrates is that failure prevention is an important element of organizational continuity. Combining the failure modes and the various disaster classification profiles yields a failure causality structure, which is presented in Fig. 1. This failure causality structure can be used by all employees in the organization to generate Table 2 Disaster classification profile Primary cause
An intentional illegal act, an accident or a natural disaster
Agent responsible for destruction
Biological, chemical, explosions, tampering, failures, extreme temperatures, tremors water, and wind
Magnitude of impact
Severity, duration, scope, detect ability, and frequency
Organization resource impact
Human, product, private physical infrastructure, public physical infrastructure, information, or financial
Council of Logistics Management (Helferich & Cook 2002)
Improving organizational continuity
213
FAILURE CAUSALITY STRUCTURE
Failure
Supply
Supply
Transportation
Freight Breaches
Facilities
A
B
A
A
A
A
A
Primary Cause
Primary Cause
Primary Cause
Primary Cause
Primary Cause
Primary Cause
Primary Cause
Agent Responsible
Agent Responsible
Agent Responsible
Agent Responsible
Agent Responsible
Agent Responsible
Agent Responsible
Magnitude
Magnitude
Magnitude
Magnitude
Magnitude
Magnitude
Magnitude
Impact on SCM
Impact on SCM
Impact on SCM
Impact on SCM
Impact on SCM
Impact on SCM
Impact on SCM
ICT
Human Resources
Fig. 1 Failure causality structure
scenarios to be used as illuminating starting points in evaluating weaknesses as the employees perceive them from their internal perspectives. In this failure causality structure, each failure is given a scenario label; for example, in the case of supply failure, we can use scenario A (i.e., inbound supply) and then expand to “B” (i.e., outbound supply) and so on. Taking the example of the transport node as a failure mode, we can further divide it into the five-transport mode road, air, pipeline, rail, and maritime (i.e., node ABCDE). Doing so would allow for each mode to be analysed for primary cause, the agent responsible, etc. (e.g., maritime: terrorism, piracy, storm and so on). The employees should start by focusing on one scenario at a time to identify possibilities through brainstorming and then expand as far as their knowledge and creativity allow. This type of integration is somewhat similar to the Failure Modes and Effects Analysis (FMEA) developed by the United States military in 1949 as a military procedure but later widely adopted in industrial settings, as reported by the Robust Lean Supply Networks (RLSN Project Team 2003). An organization is only as resilient as its least resilient element. Therefore, no matter how strong some elements of the failure tree mode become, the success of an organization still depends on its weakest elements. The best solution, once the scenarios are generated, is to schedule the improvement according to the following protocol: priority one, address the scenarios and failure vulnerability with the highest magnitude of impact; priority two, determine the shortest processing time, as described in (Stevenson 2007). The decision matrix proposed by Veronneau and Cimon (2007) could also be useful in determining which problem to address first. The protocol expedites problem solving, thereby maximizing the number of failure possibilities to be addressed and reducing the number of weak links and exposures. The above discussion suggests that understanding causality structure, identifying potential organizational weak links (in terms of failure potential), and mastering efficient decision processes are assets for business continuity planning.
214
S. Véronneau et al.
Business Continuity Planning (BCP) Because business continuity planning is contingent on failure prevention, two classical methods for preventing failures are used to ensure continuity. The first is built-in redundancy. Redundancy involves maintaining capacity to respond to disruption (Rice and Caniato 2003). This common concept, applied widely in the military, uses many systems in parallel to ensure continuity. The second method for preventing failure is flexibility, or organizational responsiveness, which involves creating certain capabilities within the organization (Rice and Caniato 2003). For example, flexibility might mean having contracts for outsourcing on short notice with certain preferred competitors or partners in order to mitigate supply chain disruption (see Skipper and Hanna 2009). The simultaneous pressures to implement both redundancy and flexibility need to be reconciled through careful business continuity planning. A major issue behind business continuity planning (BCP) is “to ensure that the company’s critical business activities are restored and maintained as quickly as possible following any major disaster or failure that affects essential services and/or facilities” (Hinde 1997: 2). Contingency planning, on the other hand, is focused on specific issues of the organization which address specific weaknesses and threats. Therefore, we can define BCP as a holistic view of the measures necessary for the survival of an organization, measures which encompass many contingency plans and thus bridge with emergency planning activities (e.g., Forbes 2009). In line with the empirical findings of Svensson (2004), contingency planning in companies must address both internal weaknesses and strengths, and external threats and opportunities. In the case of the United Kingdom, business continuity has become increasingly relevant for public organizations like the National Health Service (Roberts and Molyneux 2010). The same may be said for the private sector: Devargas (1999) reported that more than 90 % of UK companies do not have a business continuity plan and that 80 % of UK small businesses fail to recover after a major fire. Despite the marked unpreparedness of companies in 1999, one would expect that the number of unprepared companies would have decreased in light of the heightened awareness following the 9/11 attacks. However, according to a recent Accenture survey of 151 supply chain executives in large U.S. companies, only 17 % of respondents are formally identifying, assessing and quantifying supply chain risks in spite of the fact that 73 % of the participating companies experienced supply chain disruptions during the previous 5 years (Keenan Jr 2006). Though companies do react to disasters by managing crises, they do not necessarily learn from them by developing strategies over the long term. Brunninge (2009) found that building an internal historical narrative as part of the strategy of firms may actually help address issues that pertain to continuity, in turn providing a better chance of successfully managing a crisis. Crisis management Much literature is available on crisis management, which has been researched for years. A crisis, as defined by Pauchant and Mitroff (1992), is a “disruption that physically affects a system as a whole and threatens its basic assumptions, its subjective sense of self, its existential core” (Pauchant and Mitroff 1992: 12).
Improving organizational continuity
215
Therefore, this paper defines crisis management as follows: the ability to manage efficiently a severe disruption in a system by preventing a worsening of the situation and restoring normal operation. It is important to distinguish between a crisis and disaster: a crisis is induced by the action or inactions of the organization; a disaster is induced by a natural phenomenon or external human action (Faulkner 2001). According to Faulkner’s differentiation, the recent Tsunami in Asia was a disaster, and Chernobyl was a crisis. Classification becomes more complicated with terrorism. Faulkner (2001) classifies the Lockerbie incident as a disaster. The 9/11 attacks, it seems, could be argued either way: 9/11 was the result of an organization’s inaction and failure to protect its systems (the U.S. Government), but it was also an external human action. Finally, Ritchie ( 2004) calls for a strategic approach to crisis management and suggests a model which includes three main phases in managing crises: prevention and planning, implementation, and evaluation and feedback. Resilience We could trace the notion of resilience to Darwin’s The Origin of Species. Darwin demonstrated that the fittest species endure (Darwin 1998). One measure of fitness is resilience in the face of ecological change. The resilient species and genes are the ones we see today, and over time, only the fittest will reproduce, strengthening a species’ genes in the process. Another kind of resilience is found in material physics, where it is defined as the ability of materials to return to their original shape. The concept of resilience has been studied extensively (Bhamra et al. 2011) through various individual and organizational lenses. Individual resilience Individual resilience is defined as an individual’s ability to overcome adversity and grow from the experience. It is more than surviving an ordeal; it is truly gaining from having gone through the ordeal (Luthar et al. 2000). Three characteristics are necessary for one to be defined as truly resilient: “A staunch acceptance of reality, a deep belief, often buttressed by strongly held values that life is meaningful, and an uncanny ability to improvise” (Coutu 2002: 48). Resilience outcomes vary along three axes: the type of adversity faced, the time period during which adversity occurs, and the environment and temperament of the individuals (Luthar et al. 2000). This axial description of resilience is partly why resilience researchers are moving away from viewing resilience holistically. Luthar et al. (2000) have suggested three specific types of resilience: educational resilience, emotional resilience and behavioural resilience (Luthar et al. 2000). Such an analytical view of resilience could prove useful for corporations, many of which now deploy resilience as a fix-all term, thereby risking the loss of its more nuanced and potentially useful meanings. Organizational resilience Organizational resilience can be defined as corporate resilience applied specifically to the organization. Just as the psychology community has moved away from a general
216
S. Véronneau et al.
definition of resilience, so the corporate community must reinterpret resilience to pertain to specializations in key areas, for a company could be resilient in its human resources but not in its organizational management. The new corporate environment calls for an organizational network that is both secure and resilient. A secure network is not necessarily resilient and vice versa, so a company must now strive for both (Rice and Caniato 2003). Attaining organizational resilience secures the organization against breakdown and is therefore in itself a competitive asset. Since “resilient people and companies face reality with staunchness, make meaning of hardship instead of crying out in despair” (Coutu 2002 : 55), it could be argued that a significant competitive advantage accrues to those companies that strive to employ resilient people. As most companies go through ups and downs, “resilience [refers] to their capacity for continuous reconstruction” (Hamel and Välikangas 2003: 55). The term “prompt reconstruction” could be added to fit with this paper’s definition of resilience, since a mere reconstruction would not be enough to achieve better than the status quo. If a corporation is only as resilient as its people (Coutu 2002 #26), then the question arises as to how a company could measure the resilience of its employees. One possibility might be to use the emotional quotient (EQ) as a proxy for resilience. One of the main concerns regarding corporate resilience is that it is currently portrayed as a holistic approach in the business context, whereas in individual resilience theory, resilience manifests in one area at a time. According to Luthar (1997), an individual can be resilient in one area or domain but rarely in all. Like intelligence, resilience can be developed (Luthar et al. 2000); likewise, a corporate culture can be developed. Companies are not born with a strong culture but develop one over time. Furthermore, Hamel and Välikangas (2003: 53–54) note that “It’s not about rebounding from a setback. It’s about continuously anticipating and adjusting to deep secular trends that can permanently impair the earning power of a core business.” This position strays from the definition of resilience proffered by psychology, where adversity has to be present. What Hamel and Välikangas (2003) are calling for is something akin to a proactive form of resilience. The question is really at which point we consider the firm to be affected by adversity. Is it at the time the adversity is perceived or only when it has a devastating impact? We think that in the former case the term resilience is appropriate. Because resilient people tend to understand complex events quickly and respond effectively, their having experienced no dramatic failures does not mean that the firm was not affected by some adversity. Therefore, a simple definition for resilience is appropriate, for any attempt to transform the term resilience dilutes its meaning and will likely reduce it to just another passing buzzword rather than provide a scientific definition of a phenomenon. Resilience revisited: the case of cities It is now being argued that cities must become resilient if they want to cope with threats from both natural causes and terrorism (Godschalk 2002). While no current literature focuses exclusively on resilient cities and populations, it is possible to look to history to find populations that overcame adversity. Londoners, for example, endured extreme adversity during repeated bombings of their city, and yet London has certainly bounced back to its pre-war vibrancy. Of course, it could be argued that
Improving organizational continuity
217
the proper focus is not on the resilience of a city, but on the resilience of its people. To truly understand what made a given city’s people resilient would require extensive research into the differences between their culture and traits and those of other populations that failed to rebound from adversity. Reconciling crisis management and resilience A common concern is whether corporate resilience is appreciably different from “good” crisis management. The question is relevant, as many practitioners do not perceive a difference between the two. The response of Morgan Stanley to the attacks of September 11th 2001 is informative here. As reported by Coutu (2002), the company had twenty- seven hundred employees working in the south tower on the twenty-two floors between the 43rd and the 74th. When the first plane hit the north tower at 08:46; employees at Morgan Stanley began evacuating at 08:47 and most of them took less than fifteen minutes to get to a secure location. When the second plane hit, its offices were nearly empty. Some might claim that Morgan Stanley’s responsiveness is not an example of resilience but of good crisis management. However, the efficiency of Morgan Stanley’s emergency response alone demonstrates the efficacy of its business continuity and contingency planning (Kolich and Wong-Reiger 1999). One important dimension of Morgan Stanley’s response effectiveness can be attributed to its vice-president of security, who had drilled employees on what to do in an emergency and, using a bullhorn, coordinated the evacuation while most of the other companies encouraged employees to remain calmly inside the building (Coutu 2002 #26). What’s more, Morgan Stanley’s employees were immediately redirected to backup sites. That the vice-president of security not only recognized the extent of the adversity but also defied the consensus of the collective, which had failed to acknowledge the gravity of the situation, is evidence of strong individual resilience; that that the employees recognized the gravity of the situation and carried on business operations at backup sites is evidence of a general corporate culture of resilience. This coordination of responses to adversity on two levels, the individual and the corporatecultural, is what differentiates “good” crisis management from “true” resilience.
The corporate recovery prism Integrating the aforementioned concepts yields the corporate recovery prism, which integrates the concept of resilience with Business Continuity Planning (BCP), Crisis Management (CM), and strategy. In doing so, the corporate recovery prism provides a method for enhancing organizations’ preparedness by formalizing a framework for planning so as to maximize the likelihood of organizational continuity. The following Fig. 2 depicts the prism from a top-down-view. The prism concisely illustrates the role and scope of each concept described above. At the uppermost level (in the center) is BCP, which involves top management on a strategic horizon. At the next level down is crisis management, which is orchestrated by operations managers on a tactical horizon. Finally, at the last level is resilience, which involves all employees on an operational horizon. The integration and
218
S. Véronneau et al.
Fig. 2 The corporate recovery prism
application of the concepts formalized in the prism will yield superior resilience to adversity, ultimately ensuring organizational continuity. The case of Morgan Stanley provides a revealing example for the application of the prism. The company’s effectiveness in the face of adversity was not the result of luck but of the seamless integration of the aforementioned concepts, an integration which can be readily understood through the categories and relationships provided by the prism. In order to have a robust organization that can face adversity, all members involved should apply this prism as a first step in making the organization conscious of and resistant to adversity, thereby minimizing the risk posed by extreme events. Managing risk The risk to organizations might be better controlled if security issues were considered alongside business continuity planning activities (see Shaw and Smith 2010). Knowing the risk exposure of the firm enables the organization’s managers to evaluate with confidence the trade-offs between the cost and the degree of risk exposure. Risk management is not a new science; it has been present for years in the financial and insurance sectors. Whereas in finance risk is generally calculated to maximize individual and corporate profit, in insurance it is calculated to ensure the profitability of the industry. Lessons can be learned from both sectors’ extensive experience in managing risks and their wide array of tools for measuring risk factors. Risk factors Firms seldom invest significantly in response to risks because of the dearth of tools to assess the risk, the probability, and the potential negative impact of adverse events and/or situations on the customers (Rice 2003).
Improving organizational continuity
219
However, there is an exception to this paucity, in the form of risk-modelling software; unfortunately, the software is only remotely applicable to an organization’s total risk. Rice (2003) reports that leaders in the field of risk management have developed modeling tools to help predict the likelihood of a terrorist attack from a particular militant group. The problem with this form of modeling is that it is highly focused on a specific threat and therefore fails to provide a holistic measurement of the total risk exposure of organizations. However, attempts are being made to resolve this issue (Strong 2010). Software designed to help decision-making, including risk assessment, has existed in other forms for years. The military was the first to experiment with such software as a decision support tool (Andriole 1983), and now the software is readily available on the market to any firm. Recently, researchers have proposed new design methodologies and mathematical models that take into account the uncertainty of an organization’s environment. For example, Klibi and Martel (2006) propose a supply chain network design methodology that recognizes three types of events that can affect an organization’s environment: random, hazardous and totally uncertain events.
Conclusion For a company to ensure its organizational continuity, it must recognize the risks it faces and act promptly to mitigate these risks using risk-management techniques. In this paper, we have reviewed some of the prevailing concepts in risk management— business continuity planning, crisis management and resilience—that would yield better organizational continuity. These concepts have been integrated into a conceptual framework named the corporate recovery prism. In this Darwinian and highly competitive market, the fittest will survive. The companies that apply most promptly the aforementioned prism will reap the reward of better organizational continuity. Furthermore, this prism may well be a tool that provides a more organized view of business continuity planning (Copenhaver and Lindstedt 2010), one capable not only of focusing the knowledge bases of practice and academia but also of bridging them so as to foster and facilitate a much-needed standardization in the field. References Andriole SJ (1983) High order corporate crisis management. Futures 15:79–86 Anthony O-S (1990) Post-disaster housing reconstruction and social inequality: a challenge to policy and practice. Disasters 14:7–19 Australian Government Department of Foreign Affairs and Trade (2003) Costs of Maritime Terrorism and Piracy, APEC High-Level Meeting on Maritime Security and Cooperation. Australian Government Department of Foreign Affairs and Trade, Makati City, p 15 Autry CW, Bobbitt LM (2008) Supply chain security orientation: conceptual development and a proposed framework. Int J Logist Manag 19:42–64 Barry J (2004) Supply chain risk in an uncertain global supply chain environment. Int J Phys Distrib Logist Manag 34:695–697 Bhamra R, Dani S, Burnard K (2011) Resilience: the concept, a literature review and future directions. Int J Prod Res 49:5375–5393 Brunninge O (2009) Using history in organizations How managers make purposeful reference to history in strategy processes. J Organ Chang Manag 22:8–26
220
S. Véronneau et al.
Copenhaver J, Lindstedt D (2010) From cacophony to symphony: how to focus the discipline of business continuity. JBus Contin Emerg Plan 4:165–173 Coutu DL (2002) How resilience works. Harv Bus Rev 80(5):46–55 Darwin C (1998) The origin of species. New York, NY, Oxford University Press Devargas M (1999) Survival is not compulsory: an introduction to business continuity planning. Comput Secur 18:35–46 Engestrom Y, Kerosuo H, Kajamaa A (2007) Beyond discontinuity. Manag Learn 38:319–336 Faulkner B (2001) Towards a framework for tourism disaster management. Tour Manag 22:135–147 Forbes N (2009) Contingency planning for earthquakes in Asia. J Bus Contin Emerg Plan 3:356–367 Gibb F, Buchanan S (2006) A framework for business continuity management. Int J Inf Manag 26:128–141 Godschalk DR (2002) Urban hazard mitigation: creating resilient cities. Nat Hazards Rev 4:136–143 Hamel G, Välikangas L (2003) The quest for resilience. Harv Bus Rev 81(9):1–13. Heinrich JH (2002) Maritime Security: A U.S. Customs Perspective, Marine Log Maritime Security Conference, Washington Helferich OK, Cook RL (2002) Securing the supply chain. Oak Brook, IL, Council of Logistics Management (CLM) Herbane B (2010) The evolution of business continuity management: a historical review of practices and drivers. Bus Hist 52:978–1002 Hinde S (1997) Business continuity planning. Comput Audit Updat 1997:2–5 Kalliopi S (2005) Coping with seismic vulnerability: small manufacturing firms in Western Athens. Disasters 29:195–212 Keenan Jr W (2006) The unexpected: is your supply chain prepared? Inbound Logistics 26(12):36–43 Klibi W, Martel A (2006) On the selection of effective and robust supply chain network designs. Incom 2006 St-Etienne, France Kolich M, Wong-Reiger D (1999) Emotional stress and information processing ability in the context of accident causation. Int J Ind Ergon 24:591–602 Lapointe A, Cimon Y (2009) Leveraging intangibles: how firms can create lasting value. J Bus Strateg 30:40–48 Luthar S (1997) Sociodemographic disadvantage and psychosocial adjustment: Perspectives from developmental psychopathology. In: Luthar SS, Burack JA, Cicchetti D, Weisz JR (eds) Developmental psychopathology: Perspectives on adjustment risk and disorder. Cambridge University Press, New York Luthar S, Cicchetti D, Becker B (2000) The Construct of resilience: a critical evaluation and guidelines for future work. Child Dev 71:543–562 Momani NM (2010) Business continuity planning: are we prepared for future disasters. Am J Econ Bus Adm 2:272–279 Pauchant TC, Mitroff II (1992) Transforming the crisis prone organization. Jossey-Bass Publishers, San Fransisco RLSN Project Team (2003) Robust lean supply networks : industry best practices. Retrieved July 15th 2006, 2006, from http://www.rlsn.org/ Rice JB (2003) Supply chain response to terrorism. MIT Center for Transport and Logistics, Boston, p 59 Rice JB, Caniato F (2003) Building a secure and resilient supply network. Supply Chain Manag Rev 22–28. Ritchie BW (2004) Chaos, crises and disasters: a strategic approach to crisis management in the tourism industry. Tour Manag 25:669–683 Roberts P, Molyneux H (2010) Implementing business continuity effectively within the UK National Health Service. J Bus Contin Emerg Plan 4:352–359 Rondinelli D, Berry M (2000) Multimodal transportation, logistics, and the environment: managing interactions in a global economy. Eur Manag J 18:398–410 Shaw S, Smith N (2010) Mitigating risks by integrating business continuity and security. J Bus Contin Emerg Plan 4:329–337 Skipper JB, Hanna JB (2009) Minimizing supply chain disruption risk through enhanced flexibility. Int J Phys Distrib Logist Manag 39:404–427 Stevenson W (2007) Operations management 9th Ed. New York, NY, McGraw-Hill Higher Education Strong B (2010) Creating meaningful business continuity management programme metrics. J Bus Contin Emerg Plan 4:360–367 Svensson G (2004) Key areas, causes and contingency planning of corporate vulnerability in supply chains: a qualitative approach. Int J Phys Distrib Logist Manag 34:728–748 Vaid R (2008) How are operational risk and business continuity coming together as a common risk management spectrum? J Bus Contin Emerg Plan 2:330–339 Veronneau S, Cimon Y (2007) Maintaining robust decision capabilities: an integrative human-systems approach. Decis Support Syst 43:127–140