Journal of Business Continuity & Emergency Planning Volume 2 Number 2

Grounding the discipline of business

continuity planning: What needs to be
done to take it forward?
David Lindstedt
Received (in revised form): 8th October, 2007
The Ohio State University, 1121 Kinnear Road, Columbus, OH 43026, USA
Tel: 1 614 688 3086; E-mail: lindstedt.1@osu.edu
David Lindstedt is the Director of Enterprise
Continuity Management for The Ohio State
University. The Ohio State University is the
largest university in the USA with approximately
60,000 students and 38,000 employees in 928
buildings on five campuses. He administers
business continuity software for a BCP federation of nine Ohio universities, and serves as the
chair of the Ohio Regional Users Group. Prior to
his work in business continuity, he worked as an
IT consultant and the manager of a programme management office. David holds a PhD
from Tulane University, is a Certified Business
Continuity Professional (CBCP) and a Project
Management Professional (PMP).

ABSTRACT
Business continuity planning (BCP) is emerging as a profession unto its own. It is
separating itself from related fields such as
emergency management, IT, disaster recovery
and risk management. But can it attain the
status of an independent discipline? And if so,
what is, and is not, included in this new
discipline? What are the core competencies that
should be required of its practitioners? This
paper offers an approach to founding BCP as
a discipline, but with a narrower demarcation
than traditionally accepted. It presents three
criteria by which to delineate and ground BCP.
It discusses the difference between BCP and the
more encompassing business resilience, and
emphasises the need to clearly choose one or the
other of these contexts when discussing certifica-

tions, standards and other continuity practices. Finally, the paper outlines areas for
future research with an eye to proving the
efficacy of BCP, especially to executives and
stakeholders.
Keywords: business continuity, business resilience, certification, discipline,
profession, grounding
INTRODUCTION
If business continuity planning (BCP) is to
be an acknowledged discipline, it must be
placed on firm footing, from both a
theoretical and practical stance. Currently,
as anyone working in the field is likely to
say, it is not well defined by its practitioners and not well understood by its
customers.1 Its lines of responsibility are
blurry, bleeding into areas of IT disaster
recovery, risk management, crisis management and others. This paper offers an
approach to reverse this trend and more
firmly ground the discipline and profession of BCP.

WHAT IS AT STAKE?
The profession
What is expected of the business
continuity planner? Expertise of hazardous waste disposal? Ability to
configure a backup server? DRI Interna-

Journal of Business Continuity &

Emergency Planning
Vol. 2 No. 2, pp. 197205
Henry Stewart Publications,
1749-9216

Page 197

Grounding the discipline of business continuity planning

tionals Professional Practices publication

includes risk evaluation, emergency
response and crisis communications as
core BCP practices,2 while other
organisations cite different requirements.
Where does one draw the circle around
the discipline of BCP? This is not a
trivial matter. At the most fundamental
level, a profession that is not well defined
cannot ultimately prosper. Customers
cannot be expected to be satisfied with a
service they do not understand. Analysts
cannot hope to provide useful research if
the scope of their analysis is poorly
demarcated. Executives cannot be expected to support a BCP programme if
they consider it as simply part of another
function of the business, like emergency
services or risk management. The
profession as a whole may eventually be
in danger of either being swallowed up by
other disciplines or divided up and farmed
out to other areas.
Standardisation and certification
Proper standards cannot be established
without a clear understanding of the
profession it is standardising. To what
discipline should standards such as National
Fire Protection Association (NFPA) 1600
or BS25999 be applied? BCP alone? Some
combination of all professions involved in
a wider effort to protect the organisation?
Should a BCP professional be expected to
perform and comply with all areas of these
standards?3 If executives decide to adopt
one of these standards for their organisation, which area should be expected to
bring the organisation into compliance?
This may become a more pressing concern as more legislation regarding public
and private preparedness is introduced.
Before experts can argue the merit, details
and proper responses to legislation such as
the US Senate Bill S 4,4 they will first
have to identify the disciplines to which
the recommendations will apply.

Page 198

In the same vein, rigorous certification

standards cannot be created and applied
without a clear understanding of the discipline of BCP and the appropriate expectations of its practitioners.
Funding and authority
On the most practical level, BCP will not
receive the appropriate budgets, staffing or
authority if it cannot be shown to be of
value. Executives will not fund and
support BCP programmes without proof
that professionals can directly and positively impact the organisation. When
push comes to shove, BCP will never
achieve solid recognition and support
without the numbers to justify its undertaking.
As a recent study from the
EDUCAUSE
Center
for
Applied
Research summarised:

BC continues to be largely a backengineered process whose technical

aspects are left to IT and whose
business aspects are only investigated
after the fact. Once post hoc attention
is finally brought to bear on BC
questions, the familiar issues of uncoordinated action, unclear funding, and
ambiguous ownership of BC are
ready to flourish.5
In order to address the above concerns,
BCP must be placed on a firm foundation, both in theory and practice. The
remainder of this paper outlines how this
might best be accomplished.
THEORETICAL GROUNDING
The discipline of business continuity planning ought to be grounded on the following three criteria:

1. BCP is (narrowly) centred on the

continuity of processes and functions.

Lindstedt

It is the process of developing advance arrangements and procedures

that enable an organisation to respond
to an event in such a manner that
critical business functions continue with
planned levels of interruption or essential change.6 This means that the core
of BCP is the discipline of identifying and ensuring the continuity of
processes. One may wish to think of
BCP as process continuity planning.
2. Process continuity planning is valuable
work that needs to be undertaken.
While better research is required to
prove this point conclusively (see the
section on practical grounding, below),
there should at least be the correct
intuition that processes drive a business, businesses drive an economy and
support a nation, and it is worth the
time, money and effort to ensure the
continuity of most businesses. Hence,
there are fiscal, political, and potentially ethical arguments to be made as
to why continuity planning must be
performed and supported as a discipline unto itself.
3. No other profession can properly
provide the service of process continuity planning. This is the (mostly
unstated) assumption that there is
rightly a BCP discipline to be learned
and a methodology that can be
discovered and improved. Again, while
research needs to be directed to this
area, there is the instinct that there are
better and worse ways to perform
continuity planning, and those better
ways are chiefly accessible (and, it is
hoped, known) only to the BCP
professional.
These three criteria are not unique (save
for the content of criterion 1). Accounting is a profession because there is a body
of knowledge surrounding the tracking
and payment of monies, it has proven

value and trained accountants are its best

practitioners. Law is a discipline because
there is a body of knowledge centring on
the theory and practice of law, the work
has particular value and a lawyer is a
better practitioner than a layman. While
it is necessary to better define and defend
each criterion, they should serve as the
foundation for discussion.
THEORY: WHAT IS INCLUDED?
If it is right that BCP should be concerned with the continuity of processes,
that it is worth doing and that it is best
done by BCP professionals, then there is
a good position from which to understand
what ought to be included in the discipline. Based on the three criteria, the
following sub-areas should be included
under BCP:

business impact analysis;

recovery time objectives;
resources and locations;
process continuity plans/strategies;
incident management plans/strategies;
exercises.

While much can be said about each of

these sub-areas, the following comments
will be brief.
The staple of BCP to date has been
the business impact analysis (BIA), and
this is properly so. Naturally, if BCP is
going to ensure the continuation of business processes, the practitioner must know
what those processes are and why they
matter. BCP must therefore be able to
identify the processes of the business, the
functions they perform, the impact (quantitative and qualitative) of their loss, and
their upstream and downstream dependencies. The BCP practitioner must work
with leadership to drive and establish
recovery time objectives (RTOs) for each
process as well as upstream and down-

Page 199

Grounding the discipline of business continuity planning

stream dependencies, including IT systems.

Because processes need resources and
locations to recover, BCP should focus
on identifying and securing these relevant
resources. Identifying, making contact with
and securing the services of vendors may be
a necessary component of this work, as well
as obtaining, staffing and equipping on- or
off-site recovery locations.
If the processes are going to continue in
the wake of a disaster, BCP must work
with the owners of these processes to
develop (and exercise) appropriate continuity strategies. The BCP practitioner is
the proper person to situate each process
within the context of the entire business and to facilitate the development of
these plans/strategies, from response, to
recovery, to restoration. They are also one
of the persons best qualified to develop,
facilitate and judge the outcome of exercising these strategies.
Finally, BCP must ensure that the business is capable of reacting and responding
to a potential disaster incident. Incident
management plans/strategies are therefore
the proper purview of BCP, and they may
rightly go into some detail. If leadership
cannot guide the business through an
incident, it will be much more difficult (if
not impossible) to recover the individual
processes. Accurate and available contact
information for vendors, agencies and staff
is a must. The BCP practitioner must be
knowledgeable in many aspects of this
area to ensure that leadership can effectively respond to an incident. Other
aspects may include:
emergency responders protocol (eg the
US National Incident Management
System (NIMS) and Incident Command System (ICS), general police and
fire response activities, environmental
health and safety procedures);
HR requirements and concerns;

Page 200

psychology of crisis situations;

facilities management and damage assessment;
workforce continuity;
general leadership and communications
activities.
This discussion of what ought to be
included in BCP is not meant to be
exhaustive. Analysts should be able to
evaluate other areas and activities to
determine their fit within the discipline.
Analysts should also be able to judge their
unfitness, as in the next section.
THEORY: WHAT IS EXCLUDED?
If the criteria presented above are used to
judge what activities best belong to BCP,
then many activities which are often included under BCP should be excluded.
At the top of the list are emergency
management, IT disaster recovery and risk
management. Each of these is a discipline unto itself, with its own body of
knowledge, certifications and programmes
of study. These should not be part of BCP
because they do not meet criterion 3;
each is best performed by its respective
discipline. Therefore they should not be
folded into the discipline of BCP.
Perhaps this is intuitive when it comes
to emergency management and IT disaster recovery. For example, the BCP
practitioner should not advise staff on
proper evacuation techniques, unless they
have been trained in the (separate)
discipline of emergency management.
Likewise, a detailed discussion of storage
area network options and mirroring
techniques does not belong in a course on
BCP but rather in a course on IT disaster
recovery.
But this line of thinking applies to risk
management as well. Counter to many
current beliefs, BCP should not involve
risk analysis. Risk analysis fails to meet

Lindstedt

criterion 1, namely, that it does not play

a part in planning for the continuity of
processes. The BCP practitioner should
not have to identify the entire theatre of
threats for related processes. Whatever it
is that interrupts normal operations needs
to be addressed. Identifying all possible
threats then calculating their probability
and impact affords no advantage. Little is
learned from such an effort with respect
to planning for processes to continue after
they have been affected by a cause.
This coincides with some thinking
within BCP to abandon specific threatbased contingency planning in favour of
flexible planning that focuses on effects
instead of causes (eg Johns Hopkins
reducing the results of their risk analysis
down to five all-encompassing scenarios).7
Continuity strategies should focus on
flexible responses to make sure that the
right people are available to continue
critical processes with alternative technologies. Continuity plans should not be
a manifold of individual threat-based
responses.
One might argue that a risk analysis is
necessary to BCP as the foundation for
risk mitigation. But risk mitigation does
not meet criterion 3. Risk mitigation is
properly performed within the context of
a complete risk management programme,
where there is a focus on the protection
of the business. Risks, both large and
small, need to be identified, scored and
prioritised. Work must be assigned and
progress tracked. Questions of liability,
litigation, regulations and insurance rise to
the fore. Such a programme is best led by
experts in other programmes, and does
not belong in BCP.
Moving on from these three areas, one
might also judge to exclude crisis communication from the discipline of BCP.
While it arguably meets criteria 1 and 2,
it is already a field of study unto its
own, and therefore fails to meet criterion

3. Many communications and journalism

programmes focus on this topic well apart
from the context of process continuity.
BCP practitioners can learn from this
separate discipline but while a good
continuity plan must include crisis communication placeholders, it should not be
a core competency of BCP.
An even greyer area is that of crisis
or reputation management, namely, effectively responding to a public event
in order to preserve the reputation and
branding of a product or company (eg the
textbook example of the Tylenol scandal).
To ensure continuity of processes, the
continuity of the business must be ensured, as argued above. Crisis management could arguably be part of incident
management, which is to be included in
BCP. However, this could be seen to
violate criterion 3, in that it is best
handled by experts of crisis communication. Perhaps there is a subset within crisis
management that is properly BCP.
The above list of what should be excluded from the discipline of BCP is by
no means comprehensive. Analysts should
be able to use the criteria presented above
to judge any area and activity as to
whether it should be part of the discipline
of BCP.
To close this section, here is a clarifying
point. This line of argument does not
mean that the BCP practitioner should be
restricted from performing the types of
activities excluded above. It would be
ridiculous, for example, to say that the
BCP practitioner could never create an IT
disaster recovery plan. But if the position is correct, then IT disaster recovery
should not be part of the core discipline
of BCP. Executives should not expect that
a certified BCP practitioner would be
trained to create an IT disaster recovery
plan any more than they should expect a
lawyer to perform surgery. If the BCP
practitioner is able to create such a plan,

Page 201

Grounding the discipline of business continuity planning

it is because they have cross-discipline

training.
It might be thought that the BCP practitioner would be skilled in all related areas.8
When looking for the best help, one may
well prefer the surgeon with excellent
bedside manners, the lawyer who is a
Certified Public Accountant (CPA), and
the plumber who can tile. But that is not
the point. The issue surrounds the primary
qualifications of a BCP professional, not the
additional skills they can bring to the table.
When hiring a certified project manager, it
is expected that they will have the core
competencies to create a work breakdown
structure, an activity sequencing and duration diagram, etc. If we want them to
develop software too, that is a second
skill set that we are seeking in addition
to the skills of a project manager. Similarly, executives might desire a BCP practitioner who is a Certified Information
Systems Security Professional (CISSP) and
risk management certified with an MBA to
boot, but these should be considered additional competencies. The best BCP practitioners will be likely to draw from a
wealth of experience and competencies,
but this is not what should be expected of
a standard BCP professional.
Business continuity versus business
resilience
All the areas discussed in the last section,
including BCP, fall under the purview of
a larger discipline that might be called
business resilience or continuity of operations. It is concerned with the continuation of the business from start to finish,
from protection to restoration. For the
purposes of this paper, it will be referred
to as business resilience.9
It is of vital importance for any discussions on the nature of BCP or business
resilience to be clear on the scope. If the
discussion concerns the specific discipline

Page 202

of BCP, then only those activities which

meet the three criteria above should be
included. It should be narrowly focused.
If, on the other hand, the discussion is
casting a wide net around the proper
practices of business resilience, then it
needs to include all aspects of business
resilience, from emergency management
to risk management and all in-between.
When analysts evaluate the coherency,
completeness and content of BS25999 or
the NFPA 1600, for example, they need
to make clear whether they are talking
about BCP or business resilience. Under
a (properly) narrow definition of BCP, the
NFPA 1600 is much too broad; under
business resilience, it may not be broad
enough.
If a professional certification were to
be developed for an expert business
resilience practitioner, the qualifications
ought to be difficult indeed. It would
have to combine the theory of all areas
within business resilience, meaning that
the expert practitioner would have to be
an expert in each. It is likely that if
business resilience is finally well defined
as a coherent discipline, there would
have to be several levels of certification
to allow for the varying levels of study
and expertise.
Thus, quickly returning to the issue
raised at the end of the previous section, the BCP professional should not
be expected to be skilled in all business resilience related areas (assuming,
of course, that the range of all business resilience related areas could be
clearly defined a topic beyond the
scope of the present paper). Someone of
this calibre would be certified in business resilience, not BCP. An argument
that BCP ought to be more holistic
is misplaced; BCP ought to be clearly
delineated and deeply developed, while
business resilience should be expansive
and comprehensive.

Lindstedt

PRACTICAL GROUNDING: EFFICACY

One of the common complaints from
BCP practitioners is that they do not
have enough buy-in from executive
management.10 This seems perfectly understandable on both sides. The heart of
the problem is that there is no wellresearched evidence proving that business
continuity planning is beneficial. While
many believe BCP provides organisations
with the ability to survive disasters, this
belief is largely based on intuition and
anecdotal evidence.
One part of a much larger research
effort needs to be directed to the efficacy
of BCP. It is known that 43 per cent of
businesses experiencing a major disruption
fail, and that 51 per cent of those that
survive will fail within two years.11 It is
also known that shareholder value increases for companies that effectively survive crises.12 But what has yet to be
proven is that:

businesses that have and utilise a practised BCP plan in response to a major
disaster are n per cent more likely to
remain in business than those that do
not;
BCP plans that contain X, Y and Z
types of information are n per cent
more successful than those that do
not.
This research needs to be undertaken as
soon as possible.13 If it can be proven that
a certain approach to BCP is effective
for businesses to survive disasters, BCP
practitioners will have a very strong argument for taking their place in the
boardroom.14
By way of example, the discipline of
project management has been proven
to be efficacious and, therefore, indispensable for businesses which undertake
projects. Project success has been directly
correlated with formal project manage-

ment practices. While project management was not much considered as a

profession a few decades ago, it is now
one of the more sought-after certifications. The development of the project
management office (PMO) is perhaps the
current capstone of this maturing discipline, and PMO practitioners are working at higher and higher levels within
organisations.
This development of the project
management profession was built upon
the research of many individuals, perhaps
most notably that of Dr Harold Kerzner,
all of whom grounded the discipline on
thorough research and real-world results.
It was proven that a formal methodology
consisting of certain practices provided
bottom-line benefits. Likewise, researchers in BCP must strive to meet the same
challenge for BCP if it is to follow a
similar path and be placed on a secure
footing.
CONCLUSION
In sum, BCP can be a definable area of
work, concentrating on the creation of
plans to secure the continuity of business
processes. This work has value, and it is
best done by BCP practitioners. If any of
these three points are incorrect, then
the practice and discipline of BCP may
properly disappear. Obviously, if BCP
is not worth doing, the funding and
resources will eventually dry up. Similarly,
if it can be done by just anyone using just
any methodology, then there is nothing
special about the BCP professional, and
this function will simply be absorbed
by other areas of the business. As John
Copenhaver, president and CEO of DRI
International has challenged:

It is time for us to change. We must

have common definitions in our industry, and we must work with our

Page 203

Grounding the discipline of business continuity planning

colleagues in risk management and

security to better define our respective
roles in corporate governance.15
Discussion on the nature of BCP needs to
be properly focused. Participants in these
important discussions need to be sure they
are clear as to whether they are defining BCP, business resilience, or another
discipline. Work by the Financial Services Technology Consortium (FSTC) and
Carnegie Mellon University,16 standards
such as NFPA 1600 and other discussions
likewise need to be precise.
Business continuity planning should
continue to mature, if it can do so. If it is
going to be an acknowledged profession,
it needs to move beyond its roots of IT
disaster recovery and emergency management to establish itself firmly on its own
ground. Practitioners and researchers alike
should lend their voice to this worthy
discussion.
REFERENCES
(1) See, for example, Baker, B. (2006)
Who is the business continuity
professional, Continuity Insights, Vol. 4,
No. 4, pp. 1618; and Lewis, G. (2006)
Identity crisis: how resilient is the
resiliency profession, Continuity Insights,
Vol. 4, No. 4, pp. 4041.
(2) DRI International (2003) Professional
Practices for Business Continuity
Professionals, DRI International, Falls
Church, VA.
(3) See, for example, Shaw, G. L. and
Harrald, J. R. (2006) The core
competencies required of executive
level business crisis and continuity
managers, in 11th Annual Disaster
Resource Guide, pp. 6669,
Emergency Lifeline Corporation, Santa
Ana, CA.
(4) A bill to make the United States more
secure by implementing unfinished
recommendations of the 9/11
Commission to fight the war on terror

Page 204

(5)

(6)

(7)

(8)

(9)

(10)

(11)
(12)
(13)

more effectively, to improve homeland

security, and other purposes. This bill
includes recommendations on voluntary
private sector preparedness.
EDUCAUSE Center for Applied
Research (2007) IT and Business
Continuity in Higher Education,
ECAR Research Study 2, p. 155,
EDUCAUSE, Boulder, CO.
From the January 2005 edition of the
Business Continuity Glossary maintained
by the Disaster Recovery Journal and the
Disaster Recovery Institute (authors
italics). The 2007 edition has changed
Business Continuity Planning (BCP)
to Business Continuity Plan (BCP)
and modified their definition.
Cole, G. and Barnes, A. C. (2005) The
business continuity planning initiatives
at Johns Hopkins health system,
Continuity Insights, Vol. 3, No. 3, pp.
3240.
But here, already, one should see a red
flag: what should it mean to be skilled
in all areas related to BCP? What are
all the areas? Where does one draw
the line? IT disaster recovery and risk
management? Is an MBA, CEM, CPA
or PMP required?
BRP is not an accepted acronym, and
there is no widely-accepted definition
for either business resilience or
continuity of operations. Indeed, that
there are no clear definitions of these
terms is a good indicator of the very
problem at hand.
See, for example, Callahan, J. G. (2007)
Boardroom BIA Elevating our
profession, Disaster Recovery Journal, Vol.
20, No. 1, pp. 2630.
US Bureau of Labor and Statistics.
Knight and Pretty, 1998.
This research must be conducted in
addition to the discussion as to whether
BCP should be considered to have actual
return on investment for the company or
whether it should be considered more
akin to insurance. These are both
important discussions to the future of
BCP. For more on this issue see, for

Lindstedt

example, Stagle, J. M. (2007) The real

return on investment for BCP,
Continuity Insights, Vol. 5, No. 1, p. 58;
Wilson, B. (2006) Business continuity
cannot be an optional decision for
investment, Continuity Insights, Vol. 4,
No. 5, pp. 4041.
(14) Benchmarking studies like the kind
undertaken by Continuity
Insights/KPMG and Gartner/DRJ and
salary data like the kind provided by

BC Management are important, but

ought to take a back seat to the more
pressing concern to provide a practical
foundation for BCP.
(15) Copenhaver, J. (2007) Setting sails for
open seas, Disaster Recovery Journal, Vol.
20, No. 2, p. 80.
(16) See Owens, C. C. and Wallen, C. M.
(2006) A capability model for
enterprise resiliency, Disaster Recovery
Journal, Vol. 19, No. 2, pp. 2832.

Page 205