JÖNKÖPING INTERNATIONAL BUSINESS SCHOOL
JÖNKÖPING UNIVERSITY
The need for a developed Business Continuity Plan
Paper within Bachelor Thesis in Informatics
Author: Peter Gneist
Robert Kiersz
Omid Osman
Tutor: Jörgen Lindh
Jönköping June 2009
Abstract
In order for an organization to stay as resilient as possible, a Business Continuity Plan (BCP) can be of importance. Today many advanced technologies are being implemented in organizations, which leads to a higher degree of risks and vulnerabilities. Organizations therefore need to focus on identifying problems in order to work more efficiently and succeed with their business.
The report uses the framework of the Business Continuity Planning approach and emphasizes how to prepare a plan in order to make organizations more resilient. The research is conducted in a deductive way, which includes testing theories and their propositions against data which have been collected. Therefore the theories found in the literature were applied to a case, and appropriate data was collected to suit our purpose. Moreover, problems were analyzed and suggestions proposed for how to deal with them.
Many critical organizational components were revealed, but the main findings can be summarized as how organizations can identify and evaluate problems. This is an important part of the BCP and is needed when preparing the plan. Other important suggestions which need to be considered when preparing the plan are to obtain top management support, assign a steering committee, and establish a clear communication strategy and a documentation plan.
Table of Contents
Abstract
1 Introduction
1.1 Background
1.2 Problem Discussion
1.3 Research Questions
1.4 Purpose
1.5 Perspective
1.6 Delimitations
1.7 Definitions
1.8 Interested parties
2 Methodology
2.1 Scientific approach
2.2 Research philosophy
2.3 Research approach
2.4 Research strategies
2.5 Time horizon
2.6 Literature search strategy
2.7 Literature review
2.8 Reliability and validity
2.9 Generalizability
2.10 Objectivity
2.11 Data collection techniques
2.11.1 Defining research ideas
2.11.2 Observation strategy
2.11.3 Interview strategy
2.11.4 Analyzing techniques of interviews
2.11.5 Questionnaire strategy
2.11.6 Analyzing techniques of questionnaire
3 Theoretical Framework
3.1 Steps in creating a successful Business Continuity Process
3.2 Training
3.3 Risk Management
3.4 Soft systems methodology
3.5 Reflections from the theoretical framework
4 Empirical findings
4.1 Case observation
4.2 Interviews
4.2.1 Interview 1
4.2.2 Interview 2
4.2.3 Interview 3
4.2.4 Interview 4
5 Analysis
5.1 Categorization of problems
5.2 Risk Evaluation
5.3 Problem relation analysis
5.4 Suggested components to become resilient
6 Conclusion
6.1 Fulfilling the purpose
6.2 Future research
References
Appendix
Appendix 1
Appendix 2
Appendix 3
Appendix 4
Appendix 5
Appendix 6
1 Introduction
“Business survival depends on the assured continuity of core business activities and
supporting services: business continuity (BC)” (Morwood, 1998)
Today most organizations are exposed to some kind of risks that can damage their busi-
ness in different ways and threaten its survival.
Therefore it can be vital to organize a plan to prevent the risks, to be able to recover from disasters, and to minimize the damage when a risk occurs as well. The approach of business continuity management (BCM) will be used in this report to work as a framework. Today more and more organizations are using a BCM approach due to the large number of existing risks, but at the same time many are not putting as much effort into BCM as they should.
The BCM covers numerous organizational issues. However, this research paper will
mainly focus on the working processes around IT/IS. Since an IT system can be very
complex many organizations fail in identifying existing vulnerabilities. A system related
problem can be devastating for an organization since IT is in many cases closely aligned
with the business. When a system is down for a longer period of time, the business
might stop functioning properly and in the long run this can lead to a major catastrophe.
According to Doughty (2000), statistics indicate that having the IT system down for
more than 5 days would put 90 percent of all organizations out of business within a
year.
Implementing and using a contingency plan, such as the Business Continuity Plan (BCP), can help the organization to understand the risks and vulnerabilities associated with the IT system and at the same time provide solutions to deal with these issues. Critical components from the perspective of IT issues are not only the IT components themselves but also people, equipment, location, data and communication networks, which can make the plan rather comprehensive (McCrackan, 2004).
The plan can even, if implemented properly, lead to a more efficient and profitable organization in the long run (Reuvid, 2006). Impact and risk analysis is a part of the BCP and an important tool which will be handled in our research.
1.1 Background
The perceived level of threats and risks has increased since the start of the computer era.
This has put the business continuity management processes at a higher level of priority
in order to become more preventive and resilient towards organizational wounds.
“The main purpose of BCM is to ensure that the organization has a response to major
disruptions that threaten its survival” (Reuvid, 2006).
A threat towards the organization can arise from many different sources, everything from unintentional causes to intentional causes. Therefore a BCM approach takes into account a large range of aspects which are caused by several different factors. Analyzing the risks and threats can lead to a more cautious way of working with fewer disruptions and a more resilient organization. Identifying requirements and knowing how to deal with disruptions can also eliminate inefficient ways of working. Having a BCM that benefits an organization will assure that there is a more stable business environment. BCM is a concept about which a lot has been written in recent years, and many different authors have provided a large number of different ideas which can be useful for an organization.
Implementing a BCM approach can, though, require essential changes in the organization's structure and culture, due to the need for alignment between business processes and the BCM (McCrackan, 2004). Hence, a BCM approach can be very time consuming and require lots of resources in order to be implemented in the business. Preparing a business continuity approach involves the construction of a Business Continuity Plan (BCP). The BCP goes through the steps required in order to deal with the issues around continuity management.
Complex IT infrastructures within businesses can be very vulnerable and have to be
managed very thoroughly to eliminate and deal with its risks. Some organizations or
departments might become extensively damaged when their computers are down. There
is not always room for a system downtime; the business can lose customers to their
competitors while it is down. This in turn can lead to decrease in profits. An example is
the case of Union Bank of Switzerland, when their computers crashed for only several
minutes they experienced losses that could fund their entire network a number of times.
The Executive Vice President of the Bank argues that the bank would collapse in case
the computer systems would be down for more than 2 days (Doughty 2000).
Processes around IT/IS can have many vulnerabilities and risks which might need to be considered and dealt with. A resilient IT infrastructure is of great importance to stay competitive. A well formulated guide specific to processes around IT/IS, which can lead to better work efficiency, is therefore of huge interest.
1.2 Problem Discussion
Today’s organizations have to compete in an ever growing and faster moving economy.
Generally, managers have to make complex decisions much faster and mistakes can
have huge impacts on an organization’s performance and overall well being.
Due to the fact that more and more critical and value producing business processes are
based on information technology, it is crucial for organizations to ensure a high level of
system reliability and availability. Morwood (1998) argues in the same direction when
he says that business survival is depending on the assured continuity of core business
activities and supporting services.
However, problems with information technology and information systems are just a matter of time. In order to respond to the occurring problems in the best way, every organization would need to have a Business Continuity Plan.
Unfortunately, not many organizations are aware of how crucial a business continuity plan is to their operating business and internal affairs. Botha and von Solms (2004) state that the resources and staff involved in Business Continuity Management are limited, especially when it comes to smaller organizations. Another problem identified by Weems (1999) is that the business continuity planning project is a non-revenue producing project and therefore it is not seen as a high priority project for most organizations.
In comparison, Business Continuity Plans ensure that the organization has a plan in place prior to a disaster occurring. This can help and facilitate a speedy and cost-effective recovery of core business activities following a disaster (Morwood, 1999). If a company does not have any Business Continuity Plans the impacts on the company can be immense.
1.3 Research Questions
Our main target in conducting this research is the nontechnical side of the organizational IT/IS environment.
• How can an organization assess its IT/IS related problems?
• What could be done in order to achieve efficient solutions to IT/IS related problems?
• How can an organization achieve a resilient way of working in order to be prepared for upcoming IT/IS related problems?
1.4 Purpose
The purpose of this research paper is to show how problems can be assessed and how relationships among these problems can be drawn. This research paper will also focus on how to improve problem related working processes. Through analyzing the current situation of one service-oriented organization we intend to provide suggestions of what to include in a BCP in order to deal effectively with problems and risks.
1.5 Perspective
A perspective statement is necessary for the internal agreement, which is a process of analyzing and developing different hypotheses and understandings about what is involved in the research area (Goldkuhl, 1998). This study will be focused on system related problems in a department of a large service-oriented organization located in Sweden. The problem will be studied from two perspectives, the managers' and the employees' (agents') point of view. The agents' perspective is presumably more about ease of use and usefulness, since they are working with the system on a daily basis. In contrast, the perspective of the managers can be seen more as a strategizing perspective where the focus is more on the IT contribution towards the business. Moreover, the manager perspective is influenced by cost issues as well.
Our basis for choosing more than one view is that it will provide us with a better and more comprehensive understanding of the problems at hand and permit us to conduct our research from multiple views, rather than from one actor's perspective.
1.6 Delimitations
The BCM concept will be the main focus area together with a larger case study. The approach will be conducted within processes around IT/IS. We will, though, exclude technical solutions in relation to the problems in this report.
The case to analyze is a department of a large service-oriented organization located in Sweden. The focus will be narrowed down to this particular department. The employees working at this specific department and the internal working processes will be of interest. Their processes of handling the IT/IS environment will be in the spotlight, which therefore excludes other non-related working tasks.
1.7 Definitions
Agent: Employee who works at the operational level of the organization
Business Continuity Management (BCM): “A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.” (Reuvid J. 2006)
Business continuity plan (BCP): “a series of procedures to restore normal operations
following a disaster — with maximum speed and minimal impact on operations. A
comprehensive plan will include essential information and materials for necessary
emergency action.” (Doughty K. 2000)
Resilience: “Defined as the ability to recover quickly from unpleasant or damaging
events.” (McCrackan A. 2004)
Risk: “A risk is an uncertain event or set of circumstances that, should it occur, will
have an effect of the achievement of one or more of the project’s objectives” (APM
PRAM Guide, 2006, p. 17).
Risk Assessment and management: “In the use of any technology, process, or procedure,
someone should determine where unexpected or undesired consequences are likely to
occur”. (Doughty K. 2000)
1.8 Interested parties
This thesis is intended to benefit a number of interested parties. The specific service-oriented organization we investigate can therefore be considered the main interested party because of its direct involvement in our research. Due to this fact they are able to apply our suggestions and findings at first hand and benefit from them.
Also other organizations that operate in the same field may benefit from this thesis.
Since the organization which we investigate does not have a Business Continuity Plan
we can assume that many other organizations in this sector will be in the same position
as well. Therefore, they could be interested in this paper when they decide to develop
and implement a BCP.
Other interested parties are academics who work with risk management. These researchers could find new insights or perspectives on Business Continuity Planning which could influence their research or future research projects.
Moreover, decision-makers such as project managers, IT managers and IT strategists can be interested in this paper because this research will provide suggestions of what to include in a BCP in order to deal effectively with problems and risks. It also outlines aspects which are of importance to Business Continuity Planning and could therefore be applied in their organizations.
2 Methodology
This chapter of the research paper will deal with methodology and data gathering techniques. Methodology is concerned with the philosophical research approach, reliability and validity aspects, whereas the data gathering techniques will describe how we collect the data and develop the theoretical frame.
2.1 Scientific approach
Qualitative research is the art of involvement and deepening in a particular situation, which therefore disregards a general objectivity (Potter, 2002). An example of qualitative research can be a face-to-face interview with one or two persons. On the other hand, the quantitative approach is concerned with statistics and generalizations. Conducting a questionnaire for a wide range of people is an example of quantitative research.
The research for this study will be approached and conducted mainly in a qualitative manner. The qualitative approach is seen to be the most suitable one in order to deepen our knowledge and understanding in the field of study. This approach also helps us build a rich, detailed set of data from the situation which we are investigating and at the same time probe the answers to our research questions. People will be interviewed, and revealing their perspectives can widen our insights and knowledge.
2.2 Research philosophy
Researchers mostly distinguish between three different research philosophies – positivism, interpretivism, and realism. Realism argues that the senses are showing us the truth. According to Saunders et al. (2007) interpretivism states that it is necessary for the researcher to understand the differences between humans in our roles as social actors. In contrast, the positivistic philosophy takes the role of a natural scientist. In this case the researcher prefers to work with an observable social reality and the results can be seen as law-like generalizations (Saunders et al., 2007).
This research will follow a positivistic approach, which is a part of the epistemological research philosophy. Due to the fact that we have direct access to the organization, this approach seems the most suitable for us. Since we are getting an understanding and further knowledge through investigating one organization in detail, we will be able to draw generalizations according to our findings and results. This is possible due to the nature of the organization we are going to investigate, which is very similar to most other companies in this business sector.
2.3 Research approach
In general, one can distinguish between two different research approaches, deductive and inductive. The deductive research approach is a testing approach where a theoretical frame will be built and a hypothesis will be tested against these theories. The inductive approach, in contrast, follows the gathering of empirical data and the development of a theory based on the collected data.
In our research we will follow a deductive approach since we aim to use existing theories from the literature, which will be tested by the use of our collected data. This research approach suits our intentions to explain causal relationships between different variables and their impacts on the organization.
2.4 Research strategies
There are different research strategies that can help to answer the research question of a
thesis such as experiment, grounded theory, case studies, action research, ethnography,
and surveys.
In this thesis, a case study will be used to gain empirical data from one organization in
order to answer the research questions. Moreover, a survey strategy will be used as well
to investigate the perspective of the employees in that particular organization.
2.5 Time horizon
When undertaking research, there are two possible timeframes to choose from. When conducting cross-sectional studies the researcher is taking a snapshot, at a particular point of time, of a particular phenomenon. The second type is called longitudinal studies. This type of study is more suitable when it comes to the study of change and development over time (Saunders et al., 2007).
This research will follow a cross-sectional approach due to time and resource constraints. One major intention of the report is to reveal and find out about the current situation of the case which we explore in order to give suggestions of beneficial change later. Therefore, a snapshot of the organization will be analyzed and serve as a base for the analysis part.
2.6 Literature search strategy
When searching for appropriate literature for a research paper one needs to have a clear literature search strategy which helps to find the most relevant information within a field of study. A clear literature search strategy also helps to cover most parts of the available literature and ensures that one does not miss out on any important publications.
According to Saunders et al. (2007) the literature search strategy can be seen as a
process consisting of four steps. The first step would be to define the parameters of our
search. These parameters can include areas such as language of publication, subject
area, business sector, geographical area, publication period, and literature type.
We defined that the language of the publications we intend to search for should be English or Swedish. This is based on the facts that most research is published in the English language in order to provide it to a bigger audience, and since we are writing our own research paper in English as well we would save lots of translation efforts. The reason for including publications written in Swedish was that we are able to access a lot of student theses written earlier by Swedish students. This would not only give us the advantage of accessing a wider range of literature.
Since our research paper will be written within the field of informatics, the literature we will be searching should be within the same field. Moreover, we are looking for literature that is written within management science – Business Continuity Management. Due to the fact that we will not only have a look at information system issues but also strongly focus on workflow and management issues, we need to obtain literature from both of these areas.
Another parameter of our literature search strategy will be the choice of a business sector. In our case the business sector we intend to investigate is the service-oriented sector. We will collect our empirical data from a service-oriented company; therefore we intend to obtain literature and knowledge about previous theories in this area. This will deepen our understanding and also help us to have a better data collection strategy in the end, which will lead to better outcomes and findings.
There will not be any limits when it comes to the geographical area of our literature
search. Since most research papers, from all over the world, are written in English it
would not contribute to the overall quality of our work if we would only focus on one or
two geographic areas. In our case, focusing on only specific geographical areas would
enormously increase the risk of missing important theses and works within our field of
interest. Therefore, the geographical area of our literature will not be restricted.
Information systems are getting more and more complex. Today's businesses have to pay close attention to the integration of business and technology. Therefore, the literature which will serve as a base for our research paper must be relatively up to date. Lots of old publications do not pay much attention to integration and complex information systems because these issues were not really important from the beginning. However, these aspects have become more and more important during the last years. In order to write a sufficient research paper we need up to date information and knowledge; therefore we will focus in our literature search strategy on publications that were published within the last 15 years.
The type of literature we intend to search for will mostly be academic articles, theses, and books. This is based on the possibilities we have for accessing different material. Since we have the opportunity to use the university library we have access to numerous books within our field of research. Moreover, there are a lot of theses available written within the boundaries of Jönköping University. The university library also provides access to several databases which help to find academic articles which can be of good support for the research paper. However, our access to publications is also restricted. Some specific material is only available when you pay a subscription fee or buy the rights to access the material, such as conference papers and publications.
The second step in the process of defining the literature search strategy is to explain and define the key words and search terms we intend to use and how we came up with them. Saunders et al. (2007) suggest different techniques to generate key words; these include discussions with colleagues, the project tutor and librarians, initial reading, dictionaries, thesauruses, encyclopedia, handbooks, brainstorming, and relevance trees.
We approach this step through the use of discussions, initial reading, and brainstorming. Discussions led to the result that we ended up with specific search terms and key words in order to maximize our chances of finding relevant literature for our research paper. These discussions were within the project group and therefore really supportive in order to eliminate insufficient key words and focus on the ones we thought would bring the best search results. The internal discussions were also supportive in order to distribute the different key words and search terms among the group members; therefore not every group member used the same terms and it was possible to coordinate the workload in a better way. Furthermore, we received good feedback on our pre-defined key words during tutoring sessions and also got good hints on how to improve the already existing key words and to find new ones as well.
Since one group member has read about and worked with Business Continuity Management before, we had a good understanding of the direction in which we should develop our key words and search terms. The technique of brainstorming was mainly used during discussions in order to develop and refine the pre-defined terms.
Our search terms and key words were:
• Risk Management
• Business Continuity Management
• Business Continuity Planning
• Soft System Methodology
• Resilience
In order to develop a good Business Continuity Plan, one needs to identify the existing risks and problems. Therefore, risk management is one of our main search terms. It will ensure that we find literature about how to identify, assess, and handle risks. Business Continuity Management and Business Continuity Planning are important search terms in order to find sufficient material about how to develop a Business Continuity Plan and are therefore essential for this research paper. The term resilience is used in order to find publications about efficient workflows and approaches to strengthen a company's problem handling procedures. In turn, soft system methodology is a concept which is used to support problem identification.
We will try to identify most of the literature through the use of several databases. In this case we mainly use the search tool possibilities of the university library website. Through different types of search functions one is able to cover a high number of different databases. Databases that have provided us with the most sufficient results were ABI/Inform, Springer Link, Academic Search Elite, and Business Source Premier.
In this research paper primary and secondary literature is the main kind of literature that is used. The theoretical framework consists of primary literature such as academic reports, and secondary literature such as books and journals. This is due to ease and convenience of access.
The assessment of the relevance and sufficiency of the literature we found is based on our own perspective, experience and judgmental values. Since we are three persons in our research group, with three different points of view and perspectives, the literature must have been agreed upon by every group member in order to be used within the research paper.
To use the literature found in a sufficient way, recording the literature is an important
aspect. We recorded our literature in the way that we saved all the relevant articles we
found and also made notes about the most important facts within these articles. These
relevant notes became a base for our writings later on.
2.7 Literature review
To describe the context of a phenomenon when research is conducted, a vital part of the
research process consists of critically reviewing the literature. Critical literature review
is the process of a detailed and justified analysis and commentary of the merits and
faults of the literature within a chosen area, which demonstrates familiarity with what is
already known about the chosen research topic (Saunders et al., 2007). The sources used
in this research have been processed according to the approach suggested by Saunders
et al. (2007). They suggest thinking of the review as a funnel consisting of seven steps:
1. Initiate the review at a more general level before narrowing down to the specific
questions and objectives
2. Make a short overview of the key ideas and themes
3. Summarize, compare, and distinguish the research of the writers
4. Narrow down and emphasize previous work that is relevant to the research
5. Present a detailed description of the findings of the research and show how they
relate to each other
6. Underline aspects where your own research will provide fresh insights
7. Guide the reader into later sections of the report, which investigate these issues
Our literature review follows the guidelines of Saunders et al. We started by searching
for the most relevant literature that deals with the purpose of our thesis. The literature
that we thought would be the most relevant was summarized and compared in order to
find the most appropriate key ideas and to further develop our understanding of the
relevant subjects. Hence, Business Continuity Management (BCM), risk management and
soft systems methodology were the most appropriate topics to use as a theoretical
framework. Additionally, the concept of training within the guideline of BCP was added.
BCM is, though, the most important concept for our research, since it deals with the
research questions we have specified. Additionally, the risk management approach is
used to further develop a well founded BCM. To identify problems existing within an
organization and in order to develop an even more thorough BCM, we found soft system
methodology (SSM) to be of importance. The SSM is used as a framework and guideline
in order to help us analyze and understand the situation which will be researched.
There is a lot of literature about the BCM and risk management concepts and we
therefore carefully chose the literature which is of most help to tackle our purpose and
research questions. This will be done by choosing the theory from the most
acknowledged and known authors.
We assume that by using the BCM approach we might get new insights into how to use it
as efficiently as possible when applying the concept to our researched case.
2.8 Reliability and validity
Reliability is a concept which is concerned with consistent findings. This means that
different researchers with different techniques will have the same results and findings.
We are trying to achieve a high degree of reliability through interviewing people in key
positions. These people are the local IT manager, the Nordic operating manager, and the
agents. These people will provide us with a comprehensive view on the organization
and on all system related problems. Therefore, we can eliminate biased views on the
working processes and the systems. Moreover, these persons know the organization best
and therefore add the appropriate level of reliability to our research.
Through the use of different data collection and analyzing techniques, we are trying to
increase the level of reliability as well. Through the use of interviews and questionnaires
we are trying to show a comprehensive and complete picture of all the problems and
how to solve them. We also aim to show as clearly as possible how we collected and
analyzed our data in order to make this research paper as reliable as possible.
At the same time, through a highly communicative research paper and a clear research
approach, we try to achieve a high degree of validity. According to Saunders et al.
(2007), validity is about ensuring that the findings are about what they appear to be
about and whether generalizations are possible. In order to achieve a high degree of
validity one has to eliminate as many threats to validity as possible. In order to ensure
that the findings are about what they appear to be about, we are using different data
collection techniques. This will support the development of a comprehensive view of the
organization. Another important factor for achieving a high degree of validity in our
research is to collect data from different people on different levels of the organization.
This will also guarantee that our findings are really about what we think they are about
and no misinterpretations are possible.
We also minimized the threats to validity by making sure that we have a consistent
dialogue with the same people in the organization at all times during the research.
2.9 Generalizability
Generalizability is a concept which is about drawing predictions from recurring
experience and findings. Frequency of occurrence is therefore of value. This means that a
particular phenomenon which is generalizable can be applied to many cases (Colorado
State University Department of English, 2009).
As mentioned before, other organizations in this service-oriented business sector are
quite similar to the specific organization we investigate. We believe that this will lead to
possible generalizations of our research. Most call centers work with
communication/contact management systems (CMS), top down approaches, and computer
infrastructures. The external validity is relatively high since lots of organizations in this
business sector can actually use our findings and outcomes and apply them to their own
organization in order to improve their BCP or even start to develop one.
2.10 Objectivity
Objectivity is about the avoidance of personal interpretation and instead focusing on
assumptions equally agreed upon (Saunders et al., 2007). The concept is therefore the
opposite of subjectivity, which deals with personal interpretations. An objective approach
will avoid subjective selectivity in data gathering, which helps to make the research
more valid and reliable.
We take great care to handle our report as objectively as possible. The fact that we
are three authors with different perspectives increases the value free level of the
report. The literature we use is created by many different authors with different theories,
opinions and suggestions, which also improves the quality of objectivity.
Moreover, we conduct in-depth interviews with three different kinds of people in the
organization where they freely air their opinions. This is done in order to give us a
comprehensive picture of the situation. The data gathered from the conducted interviews
can in turn shape our perspective, and secondly our thesis, into a more objective direction.
The use of this approach makes the report less biased.
2.11 Data collection techniques
In this part we will describe how we intended to achieve our research objective. At the
same time an explanation is provided of why we chose to use these methods and how
these techniques helped us to write the report.
2.11.1 Defining research ideas
In order to come up with a research idea, rational thinking techniques were mainly used.
First of all, the group tried to find out the areas in which each group member is
interested. After identifying a couple of areas of research, the group looked into old
theses and projects to get a better insight and new ideas within these areas. With the help
of additional literature and electronic databases, different topics were discussed in order
to come up with a final topic. Brainstorming, a creative thinking technique, also helped in
identifying the final research topic.
2.11.2 Observation strategy
In order to get a good picture of the organization, its structure, and its processes we used
the observation data gathering technique. This was possible because one
member of our research group is actually working for this specific company. Therefore,
we had rather free access and good insights into the organization.
Saunders et al. (2007) suggest different types of observation techniques. The differences
between those types are whether the identity of the observer is revealed or concealed
and whether the researcher takes part in the activity or just observes it.
In our case, we used the participant as observer approach. The researcher’s identity was
revealed since he is a regular employee (agent). Therefore, he knows most of the other
employees within the department as well, which facilitated easier access and greater
willingness in order to conduct a good questionnaire later on.
Moreover, as a regular employee of this organization he takes part in the activities of the
everyday work. Therefore, he can contribute a lot of knowledge from his own experiences
to this research. The fact that he is working there gives us as a group the advantage of
easily finding the right people for our data gathering activities.
2.11.3 Interview strategy
The main part of the empirical data will be collected through interviews. These
interviews will be non-standardized. The interviews will be conducted face-to-face
with employees in key roles in that particular organization. The group chose to go
with a semi-structured interview strategy, which means that we have a number of
pre-defined questions and themes we want to ask and leave space for other issues and
questions coming up during the interview. This is done in order to cover our areas of
interest and to leave space for upcoming and follow-up questions which can give us a
deeper knowledge in certain areas.
The persons we will interview are the local IT manager at the local department, and the
Nordic operating manager. These two persons are in key positions for our research. The
local IT manager at the local department can provide us with the most commonly
occurring problems related to the information systems and how they are handled so far.
Moreover, he is able to give us a good overview about the work processes and the sys-
tem architecture and hierarchy.
The Nordic operating manager is of great value to our research since she is the
connection between the local department and the headquarters. Moreover, she is attending
board meetings and reporting directly to members of the board. Therefore, she has a lot of
knowledge about the company itself and is mostly involved in strategizing new
concepts for the company. Furthermore, she is the system owner of one of the systems in
this organization. This interview will help us to achieve a comprehensive view of the
nature of the organization and the thinking about IT from a headquarters perspective as
well.
2.11.4 Analyzing techniques of interviews
The analysis is based on our notes from the interviews. These notes should be seen
as the layer on which the valuable picture of the analysis is created. Our interviews will
be recorded qualitatively and be completely available to the reader as an appendix. The
collected data will be analyzed by using Yin’s (2003) explanation building approach. This
is a deductively based analyzing approach which is in line with the overall deductive
approach of the research paper. Moreover, we can explain the relation between the
collected data and the proposed theory, which will help us to gain a thorough base for our
analysis section.
2.11.5 Questionnaire strategy
We also intend to gather valuable material by using a questionnaire. This questionnaire
will be distributed to a number of agents working for the organization in order to get an
understanding of their perspective on the existing issues. Since we want to keep the
number of respondents high, we will approach the agents with a self-administered
questionnaire. This will also help us to save time. Due to the fact that we can access the
organization directly, we will hand out the questionnaire to each respondent and collect it
later. Therefore, we are using a delivery and collection questionnaire strategy.
The types of variables we want to collect by using a questionnaire are opinion variables.
Opinion variables record how respondents feel about something or whether they think
or believe that something is true or false (Saunders et al., 2007). This will support our
vision of getting an insight on the employee perspective in this particular organization.
The style of question will be a mixture of open questions and closed questions.
Saunders et al. (2007) define open questions as questions that allow respondents to give
answers in their own way. In contrast, closed questions provide a number of alternatives
or suggested answers from which the respondent has to choose. With this mixture we can
ensure that the answer possibilities will not be too limited, so that we do not
miss out on any important information. The open questions will be used in order to find
out what the biggest problems are from the point of view of the agents. In contrast, closed
questions will ensure that we will just get the information and data we intend to collect.
The way we chose to distribute our questionnaire was non-probability sampling. This
was the most sufficient method to reach the agents due to the fact that not all agents
work at the same time. We hand out the questionnaire to any agent possible since all
cases are equal due to the fact that all agents work with the same systems.
In our point of view, the most appropriate sampling technique was purposive sampling.
This means that the researcher uses his judgment to select cases that will best enable
him to answer the research questions and to meet the objectives.
$$\text{Total response rate} = \frac{\text{Total number of responses}}{\text{Total number in sample} - \text{ineligible}} = \frac{10}{22 - 0} = 0.45 = 45\%$$

$$\text{Active response rate} = \frac{\text{Total number of responses}}{\text{Total number in sample} - (\text{ineligible} + \text{unreachable})} = \frac{10}{22 - (0 + 0)} = 0.45 = 45\%$$
The total and active response rate is about 45%. The reason for this is that we
interviewed ten out of 22 agents of the sales department. We achieved a 100% response
rate from the agents we interviewed. We missed out on 12 agents due to the fact that most
of the agents are part-time employed. Therefore, there is no chance to meet all agents at
the same time.
However, since all the agents work on identical tasks and with the same equipment the
number of agents interviewed can be seen as representative. Moreover, they all work on
the same level and their position within the company is the same. In our case, ten agents
was a sufficient number in order to identify the main part and most important aspects
and problems related to their work with the information systems of the organization.
2.11.6 Analyzing techniques of questionnaire
The questionnaire is analyzed by using qualitative and quantitative techniques. The
results will be displayed in a bar chart according to how many respondents have
mentioned particular problems. This will give the reader the advantage of getting a quick
overview of the problems identified by the agents and the most mentioned problems.
Moreover, to display the results in a more detailed way, the answers of the
questionnaire are presented in a qualitative way. This is done partly in the analysis
section and the complete results of the questionnaire can be found in appendix 5.
Therefore, we can focus on the most important facts concerning our research without
withholding any facts from the reader.
3 Theoretical Framework
This section will cover important literature and theories already written. Through our
research techniques we chose the following concepts to present: Steps in creating a
successful Business Continuity Process, Training, Risk Management and Soft Systems
Methodology. The displayed concepts will help to analyze our empirical data and draw
the conclusions.
3.1 Steps in creating a successful Business Continuity Process
To establish a Business Continuity Plan there is a guideline to follow, developed by
Karakasidis (1997), which consists of eleven components. These components are supposed
to be used in conjunction with a risk management process. A brief explanation of
the components is presented here:
1. Obtain top management approval and support.
The managers need to support the BCP with the required resources and funds. They also
need to fully understand and approve the plan in order to carry it out.
2. Establish a business continuity planning (BCP) committee.
The committee is supposed to deal with the objectives and scope together with the
development of the plan, but also to report, test, and maintain the business recovery
processes.
3. Perform business impact analyses.
The business impact analysis (BIA) is about the identification of the potential risks and
how to carry out a preventive plan, together with the most reasonable resources. In order
to perform an efficient impact analysis, Wan (2009) suggests the following steps:
• Define assumptions and scope of project for which BIA is being conducted.
• Develop a survey or questionnaire to gather necessary information.
• Identify and notify the appropriate survey recipients.
• Distribute the survey and collect responses.
• Review completed surveys and conduct follow-up interviews with respondents
  as needed.
• Modify survey responses based on follow-up interviews.
• Analyze survey data.
• Verify results with respondents.
• Prepare report and findings to senior management.
4. Evaluate critical needs and prioritize business requirements.
This stage is about the evaluation of the processes and resources that are needed in
order to continue the business operations.
5. Determine the business continuity strategy and associated recovery process.
This step is about reviewing the components and defining the recovery strategy which
can help the organization to recover from a failure.
6. Prepare business continuity strategy and its implementation plan for executive
management approval.
Creating a manual with the necessary information about the strategies which can be
rolled out for any department is of great importance. This will include the tasks,
standards, and responsibilities together with other details in order to recover from a
failure.
7. Prepare business recovery plan.
With the help of a template, all information and data concerning the recovery will be
put into a larger plan.
8. Develop the testing criteria and procedures.
This step can be seen as a plan for a training mechanism and is created to test and
understand how well the recovery plan works.
9. Test the business recovery process and evaluate test results.
A key component is to have meetings regularly before, during, and after the
implementation of the plan in order to evaluate the business continuity plan. In this step
the testing of the recovery procedures takes place.
10. Develop/review service level agreement(s) (SLAs).
This step is about reaching a balanced service level agreement between two parties, in
order to function synchronously.
11. Update/revise the business recovery procedures and templates.
The continuous maintenance is done so that the procedures do not all have to be
redeveloped. Instead it is more efficient to continuously update the procedures
by responding to changes, keeping the staff updated, and having an ongoing testing of
the plan.
3.2 Training
Morwood (1998) distinguishes between two different types of training best suited to
business continuity training. These types are awareness training and scenario training.
Awareness training intends to give all members of the organization an appropriate level
of understanding of the Business Continuity Plan. This type of training consists of two
sub-divisions, introductory awareness training and detailed awareness training.
Introductory awareness training briefs all members of the organization who will have an
indirect role in the execution of the Business Continuity Plan. In general, a 60-minute
session about the framework, strategies, and important procedures under the plan should
be enough to inform the staff.
Detailed awareness training, in contrast, aims to educate the members of the
organization who will have a direct role in the execution of the Business Continuity Plan.
Morwood (1998) suggests that a half-day session should be sufficient to educate the
staff about all aspects of the Business Continuity Plan. The information covered in this
session is almost the same as in the introductory session, only more detailed. Another
important part of the detailed awareness training is to focus on the precise roles and
responsibilities each staff member will have under the Business Continuity Plan.
In general, awareness training should be conducted for all members of the organization
upon the establishment of the Business Continuity Plan or following significant changes
to it. Moreover, it should be conducted for all newly hired employees and for those
people who have moved into new positions or responsibility areas.
The second type of training is scenario training. Morwood (1998) suggests that this type
of training should be conducted as a follow-up to the awareness training. Scenario
training should be conducted at a level as appropriate as possible compared to the crisis
or disaster situation. In Morwood’s approach scenario training includes practical exercises
designed to confirm employees’ understanding of the Business Continuity Plan.
Moreover, it is aimed at raising their skill levels in the execution of the tasks and at
identifying potential weaknesses and issues relating to further development of the
Business Continuity Plan.
Morwood (1998) divides scenario training into three distinct variants of training:
desk-top exercises, call-out exercises, and operational exercises. Desk-top exercises take
place within the office environment and participants are just required to assess and
comment on how they would react to various scenarios. During call-out exercises
participants are required to contact key staff members with responsibilities under the
Business Continuity Plan and confirm their availability and recall time. Operational
exercises will be practiced with full operational response to the exercise scenario. The
Business Continuity Plan will be physically implemented by the exercise participants. Due
to cost issues, the activation of outside resources is normally not involved in the training
sessions.
3.3 Risk Management
“A risk is a potential problem, a situation that, if it materializes, will adversely affect
the project. Risks that materialize are no longer risks, they are problems”. “All projects
have risks, and all risks are ultimately handled. Some disappear, some develop into
problems that demand attention, and a few escalate into crises that destroy projects and
careers. The goal of risk management is to ensure that risks never fall into the third
category”. (Hallows, 2005 p.96)
“A risk is a possible unplanned event. It can be positive or negative. In project
management the success of our projects depends on our ability to predict a particular
outcome. Since risks are the unpredictable part of the project, it is important for us to be
able to control them as much as possible and make them as predictable as possible.”
(Newell & Marina, 2004 p.174)
Risks can be divided into two categories: known risks and unknown risks. Known risks
are risks that can be identified and unknown risks are those risks that cannot be
predicted at all. A threat or a pure risk can only have a negative possibility as a result. In
contrast, an opportunity is a risk that can only have positive outcomes. Business risks are
considered as normal risks of doing business and can have both good and bad outcomes.
Risks occur in all companies. Therefore, an important aspect of managing and
minimizing risks is known as “Risk Management”. The International Federation of Risk
and Insurance Management Associations (IFRIMA), the international umbrella organization
for risk management associations throughout the world, says that risk management is a
central part of any organization’s strategic management (Reuvid, 2007). Risk
management is the process of identifying, categorizing, responding to risks strategically,
and managing the risks. This process is also known as enterprise risk management (ERM).
The initial focus in risk management should be on identifying the risks. These risks can
be factors that cause time delays or impede the usual way of working in an organization.
According to Hallows (2005), the most common risks that an organization can
encounter are:
Staff Risks
• Key staff will not be available when needed
• Key skill sets will not be available when needed
• Staff will be lost during the project
Equipment Risks
• Required equipment will not be delivered on time
• Access to hardware will be restricted
• Equipment will fail
Client Risks
• Client resources will not be made available as required
• Client staff will not reach decisions in a timely manner
• Deliverables will not be reviewed according to the schedule
• Knowledgeable client staff will be replaced by those less qualified
Scope Risks
• Requirements for additional effort will surface
• Changes of scope will be deemed to be included in the project
• Scope changes will be introduced without the knowledge of project management
Technology Risks
• The technology will have technical or performance limitations that endanger the
  project
• Technology components will not be easily integrated
• The technology is new and poorly understood
Delivery Risks
• System response time will not be adequate
• System capacity requirements will exceed available capacity
• The system will fail to meet functional requirements
Physical Risks
• The office will be damaged by fire, flood, or other catastrophe
• A computer virus will infect the development system
• A team member will steal confidential material and make it available to
  competitors of the client
(Hallows, 2005 p.97)
Analyzing information available from previous cases will be valuable and helpful in
identifying risks in the current organization. A structured review of previous cases
should be done as a part of the identification process. Individuals both inside and
outside the organization will also be useful for the risk identification process. The risk
identification process often involves large numbers of individuals. It is therefore
recommended to use different group techniques such as:
Delphi Technique: In the Delphi technique the participants are usually anonymous. By
having anonymous participants, problems such as negative effects of face-to-face
discussions or individuals that dominate the process by using their authority or position
are avoided. In this technique the facilitator asks for input from the participants, in the
form of answers to questionnaires and their comments to these answers. The contributions
are then summarized by the facilitator into a list that is sent to each participant. The
participants then add additional thoughts to the summarized list. This process continues
until there are no more thoughts generated. This technique can be conducted using any
form of communication technology such as e-mail or telephone. One of the advantages of
the Delphi technique is that the individuals can participate from many different locations.
Brainstorming Technique: The Brainstorming technique is one of the most common
group dynamics techniques. In the brainstorming technique a group of participants is
summoned to a meeting. The participants are then asked by the facilitator to name any
risk that they can think of, no matter its significance. The risks are then listed by the
facilitator on a board. The main purpose of the brainstorming technique is to create a
kind of chain reaction of identification of risks. For example, the ideas generated by one
participant will generate new ideas from another participant. The downside of the
brainstorming technique is that the whole process is dependent on an excellent
facilitator. If the process lacks a good facilitator there will be minimum involvement from
the participants. This downside will get even bigger if there is a big difference in the
status of the participating individuals. An individual who has more authority may
dominate the meeting with his thoughts and ideas.
The second part of the risk management process is dealing with categorizing the risks.
Risk categorization is the process of evaluating the risks that have been identified. The
purpose of categorizing the risks is to set up a way of classifying the risks in the order
of their importance. Several statistical methods of defining the degree of risk exist, but
the simplest and most effective method is to depict risks as high, medium or low. The
level of the risk depends on two characteristics: the probability and the impact of the
risk. The probability and the impact of the risk can be evaluated on a scale of one to ten.
When the impact and the probability value are multiplied together, the result will
represent the expected severity value of the risk. Figures 3.1 and 3.2 illustrate a method
of determining the degree of a risk.
Figure 3.1 Risk Evaluation Table
Figure 3.2 Risk Evaluation Table
Note: Scales are arbitrary. Sources: http://www.staffordshireprepared.gov.uk/risk/default.htm
and http://site.ebrary.com/lib/jonhh/Doc?id=10040405&ppg=34
By categorizing risks one can identify the risks that are the most critical ones and
consequently require the most attention.
When the potential risks are identified and ranked, one can start to plan how to
strategically respond to those risks. There are a number of strategies available for dealing
with risks. These strategies are: acceptance, avoidance, transfer, and mitigation strategy.
Acceptance: Risks that are not so harmful fall into the domain of acceptance strategy.
This means that risks that are low-ranked should be accepted but not fully ignored. If
the planning efforts for fixing the risk would cost more than the actual cost of fixing it,
then the organization should just fix the risk when it occurs. The acceptance strategy
consists of two types of acceptance: active and passive. An active acceptance is when a
plan is made for what to do if an accepted risk occurs. Normally low-ranked risks tend
to occur more frequently. Therefore it is much more effective to have a plan when these
types of risks occur. In contrast to active acceptance, passive acceptance is when no
plan has been made for when a risk occurs. These risks are very small risks that are
hardly noticeable. The cost of dealing with the risk without preparation is often lower than
documenting and developing a plan for the risk.
Avoidance: This strategy is used when one prevent a risk to be a possibility. The risk is
avoided before an occurance is possible. This is for example done by changing the de-
sign of a product or system so the risk cannot occur.
Transfer: This strategy focuses on giving the responsibility for a risk to someone outside
the organization. This does not mean that the risk disappears; it is only the responsibility
for the risk that is transferred to someone else. One way to do this is to give the
responsibility for the risk to a contractor such as a software vendor. Another possible
alternative is to buy insurance for a specific product or system. The cost of the insurance
is often smaller than the cost of the risk.
Mitigation: The mitigation strategy is often used for medium and high ranked
risks. This strategy focuses on lowering the overall severity of the risks by reducing the
probability or the impact of the risks. Using this strategy involves transferring some
money out of the contingency budget. The money should then be used in the strategy
plan to mitigate the risks. When the probability or impact of a risk is reduced, the
expected value of the risk is reduced as well. This in turn results in a reduced
contingency budget.
One of the biggest problems with risks tends to be that they get forgotten in the regular
day-to-day routines. Managing the risks is the process of monitoring, controlling and
reevaluating the risks that have been identified. From this process it is possible to
identify new potential risks. There are three methods for managing risks: group meetings,
status reports and manager reflection.
During regular group meetings one should devote a part of each meeting to a risk
review wherein the risks are discussed by each group member. This will make the risks
visible and all members will be aware of potential risks. The main purpose of the risk
review is to identify which risks exist and whether they have changed. The risk review
will also facilitate the process of uncovering new risks and their potential consequences
for the organization. Status reports are also an important part of managing risks. By
continuously reporting risks, the management will be aware of the risks and prepared for
bad news and surprises. Figure 3.3 illustrates what a risk management process can look
like.
Figure 3.3 the process of risk management
http://www.ermanz.govt.nz/about/riskmgm-bckground.html
3.4 Soft systems methodology
The soft systems methodology (SSM) is an approach which is used for change
management and problem solving within organizations and has its roots in systems
theory. It was developed at the University of Lancaster in Britain, by Peter Checkland
and others, with the help of an action research program.
The methodology helps to understand and analyze organizational problems. SSM is
meant to model processes in the organization but also to include the people involved in
the system together with their social and political environment in order to match the real
world better. A hard systems approach would focus more on simplistic formal business
processes which are rooted in physical science, while the soft approach is seen as part of
social and management science (Checkland, 2000).
A soft systems methodology approach keeps in mind that organizations are systems and
that systems are complex, which might make it difficult to reach a solution to a certain
problem. This methodology does not emphasize a narrow and specialized problem solving
approach but rather a wider approach where many parties together with
their environments can be taken into consideration. Therefore, this approach will help in
getting a better insight into the complexity of the problem situations that might exist. The
approach can, though, be very complex and difficult to conduct since humans with
different attitudes, beliefs, and world views are included and the analyst might therefore
need to take many different perspectives into consideration.
When carrying out the work within the framework of the methodology the analyst is
supposed to act as a participant in the research in order to gain the best insight
into the situations. The SSM framework is built up as a guideline with 7 stages which are
recommended to follow in order to understand the organizational problems (Checkland,
2000). The stages do not necessarily need to be followed in order but can be used
iteratively and interchangeably.
The SSM stages revealed:
1. Problem situation: unstructured
This stage is concerned with finding out the problem situation. The problem analyst
takes in the views of all the people who are part of the problem situation. Here the
analyst also tries to reveal the processes occurring in the context of the problems.
2. Problem situation: expressed
This stage expresses the information gathered in stage one in a
formal way. Drawing a picture diagram of the perceived situation can be a good way of
expressing the state together with problem identification. The drawing can be seen as a
tool for communication used by the analyst to express the perception of the current
state. It can contain things like the people involved, areas of problem, information flow,
and relations.
3. Root definitions of relevant systems
This stage concerns the perspectives from which the problem solver should view the
problems. Here the analyst together with the problem owner defines the problems and the
relevant systems. The root definition is therefore also a way of stating what the system is.
By the use of the CATWOE technique the analyst can create a root definition.
CATWOE is a helpful tool for capturing all the perspectives that can exist in a
system: customer, actor, transformation process, Weltanschauung, owner and environment.
4. Building conceptual models
With the help of the root definitions from the previous stage a conceptual model is
created in this stage. The model is supposed to be a diagram with activities that tell what
the system will do, and is meant to describe something relevant to the problem situation.
In this stage a debate between the actors is welcomed to shape the model in order to
create a model related to the real world.
5. Comparing conceptual models with reality
This stage compares the models created in stage four with the drawings from stage two.
Since all illustrations are created with the help from people with different views, this
process can be difficult.
6. Assessing feasible and desirable changes
By analyzing the results from stage five the problem solver proposes the desirable
changes needed.
7. Action to improve problem situation
The last stage deals with suggesting the actions needed to bring about the desirable
changes.
It should be kept in mind that this methodology provides a framework for how to work in
order to understand certain problems and does not provide any specific guidelines for how
to solve the problems. As stated before, the seven steps need not necessarily be
performed in order but may have to be conducted iteratively and interchangeably to reach
a sufficient understanding of a certain problem. Because many perspectives
are considered, it can be difficult to reach a consensus when using
this methodology. However, the SSM approach is perhaps one of the most effective
tools for revealing the real situation when analyzing an organizational system.
3.5 Reflections from the theoretical framework
The material presented is of great importance to us in order to succeed with our thesis.
All the literature was produced within a timeframe of 15 years, which in our view makes it
up to date. In order for us to analyze and identify problems within an
organization we need a frame to work with; therefore the SSM approach is
seen as the most suitable. The theory can also help us to gain new
insights from the case when we follow it as a guideline.
A Business Continuity Process is a guideline for how to establish a resilient work
environment. Risk management and training are in turn parts of the Business Continuity
Plan. Risk management is the process of identifying risks and problems, which we will
emphasize and conduct on our empirical data in the analysis.
Training is also a tool within the BCP concept, since training benefits the awareness
of the BCP and how to use it. Therefore the training approach can be a suggestion for
the organization to use when preparing for a BCP.
4 Empirical findings
To gather the appropriate data from the case for our purpose we have used the soft
systems methodology as a guideline to help us reveal the organizational situation and its
problems. The empirical findings section starts with a description of the case.
Subsequently the perspectives of important organizational key persons are presented
with their perception of the problems. These persons are the Nordic operating manager, the
local IT manager, and agents. This step is the first part of the guideline from the SSM
approach, which is concerned with revealing the problem situation in an unstructured
way (Checkland 2000).
4.1 Case observation
The following case description is based on observations. Since one of our group
members is employed at the department, he is able to gain useful information for
our case description, as stated earlier in the methodology section.
The case of our study is within a department of a service-oriented organization located
in Sweden. The company is one of the biggest retail businesses in Sweden. The main
headquarters is located in Norway, where many of the strategic plans and decisions are
executed. The specific department in the organization where the research is conducted is
a call center. Customers from all of Sweden and other Nordic countries contact the call
center for support of a product, to ask questions about the products offered or to
purchase a product. The department is divided into three sub areas: sales, after sales and
helpdesk. The sales department works with customers who are interested in purchasing
products. The after sales department supports customers with service related matters.
Lastly the helpdesk is responsible for supporting customers with computer related
questions.
Unfortunately the department experiences many different problems, mainly from its
IT/IS and related work processes, which affect the organization badly. As it stands
today, the department does not have any Business Continuity Plan for dealing with its
current problems more efficiently and resiliently.
4.2 Interviews
The following interviews were conducted with three different kinds of employees with
different roles at the department: the Nordic Operating Manager, the local IT Manager and
Agents. Interview number one was conducted with the Nordic Operating Manager and
interviews two and three with the local IT manager, while the fourth and last interview
involves the agents. As stated in the methodology part, our reason for choosing
employees with different roles is to gain many perspectives on the situation in order to
make the findings consistent. This is also the first step in the SSM, which we use as a
guideline, and concerns the identification of the problem situation in a rather
unstructured way. At the same time this data gathering is a part of the BCP which concerns
the business impact analysis.
Here we present the most relevant findings from the interviews to support our report.
4.2.1 Interview 1
The Nordic operating manager has a very important role in the organization, in which she
is able to make strategic decisions. She attends board meetings at the contact
center in Norway and is positioned just under the Nordic board. At the same time she
works with tasks such as human resources, development, customer expectations and is
additionally the owner of the CRM system.
When it comes to workflow and how business functions are performed in the
organization, the Nordic operating manager says that the business is quite big and complex,
which reduces the organization’s flexibility. The business is also very focused on
several key performance indicators and the organization measures productivity in hours
available for the customers.
When it comes to problems in the context of workflow and business functions, the first
main problem is that it is difficult to reach the right competence at the right time.
Secondly she argues that “...there is no system in order to find sufficient information for
achieving quick handling time”.
The Nordic operating manager explained some problems within the IT/IS context that
she perceived: the broadband is sometimes slow, there are no clear routines, and there is
no local backup plan. Some of their systems are still under development and might take
1-2 more years before they are fully implemented. All of these problems affect the
organization badly.
When asked how system errors are handled, the Nordic operating manager
explained that they document all their problems in a log and that when their information
systems crash or go down the twin servers at the headquarters are switched on. This is
seen as a backup solution. In most cases the employees ask the local IT manager when
an IS/IT related problem occurs. If the local IT manager cannot solve the problem, he in
turn calls the headquarters/IT support for assistance.
The department does not have any documented follow-up routines for the problems;
they are instead in the local IT manager’s head.
The final question in our interview was what the Nordic operating manager thinks
about a local BCP. She replied that she would certainly prefer to have one. At the same
time, though, she says that they do not have the time to develop a BCP.
4.2.2 Interview 2
According to the local IT manager a BCP would be preferable for the department,
but none exists. A plan to handle the load of all the existing problems at
the department is needed.
When dealing with IT/IS problems, the local IT manager explains, there is a system
support function located at the headquarters which he calls or mails to get assistance
with problems he cannot solve himself. Most problems are with the contact management
system and can be very deep. The responsibility for fault assurance lies at the very top,
which can make it hard to solve errors. The manager mentioned that it is difficult to find
the right person for support, which is the first main problem. “Help is needed mostly very
fast and the helpdesk is big so it is hard to get to the right guy. Receiving the help
depends on the problem, since different people have different responsibilities.”
Secondly he mentions that the department does not have any routine for how to report
problems. “The entire chain is in need of a routine. Today when a problem occurs the
employees e-mail me about the problem, come by and ask face to face, just run around,
and sometimes they do nothing, just lazy.” When the agents experience computer
problems they usually do not solve the problems but wait for feedback from the local IT
manager.
Thirdly he explains that one of the biggest issues is the contact management system,
since there are many bugs in the system causing problems. When asked about the
consequences of the contact management system being down, the response was: “Losing
customers, customers lose faith, losing money and not reaching the goals”.
The local IT manager says that they document in a log all problems which cannot be
solved by him. Deeper problems, such as code errors, are not documented since only
the system vendors have the rights and the knowledge to handle these problems.
The most time consuming tasks to handle are the computer software and hardware
problems. These can be problems such as logging problems, crashing problems and hardware
malfunctions. When asked how the communication between him and the vendors
works, he replied that he does not get as much time with them as he would like.
Normally he only contacts the Nordic IT department and they in turn contact the
vendors. According to the local IT manager there needs to be a standardized way of
routing and logging problems. It is therefore necessary to have education and training for
the employees about routing of problems.
4.2.3 Interview 3
To begin, the local IT manager was asked to depict the organizational hierarchy and the
system structure of the company (see appendix 3). Subsequently the manager was asked
whether the IT related problems and risks are addressed during the management meetings
and, if so, how and how often. The local IT manager explained that the meetings
are conducted once a month with a decent structure. During the meetings 30 minutes
are provided for the local IT manager to address issues related to IT and IS. He
continued to explain that during each meeting a protocol is kept and the progress of the
discussions is checked at the following meeting according to the protocol. He stresses
that he does not have as much authority in the overall organization as
he has locally. Problems and issues that are beyond his authority are
forwarded to the IT department in Norway, “some of these problems tend to take twice as
much time to solve”.
The interview continued with the local IT manager explaining some problems
that we had identified but did not understand. These problems were A: “CMS server full
every morning, log files too big”, B: “.NET error messages”, C: “IVR” and D: “back + save”
problem.
Problem A occurs when the contact management server located in
Norway fills up with log files; as a result the department cannot receive any
incoming calls from its customers. “The problem has been known more than three months
and still no actions have been taken to solve it.” The IT department in Norway does not
want to solve the problem; they claim that it is the software vendor who has the
responsibility for that. Problem B is related to the contact management .NET framework;
sometimes unexplained error messages appear, which leads to a computer crash at the
department. In this case as well there is a conflict between the IT department in Norway
and the software vendor. Problem C is linked with the interactive voice response (IVR)
issues. IVR is the voice menu of the contact management system. A number of issues
are related to the IVR. “The voice menu has bad sound quality which irritates many
customers, sometimes choices don’t work and at times the customers are put in any
queue but not in the one of choice.”
Lastly, the local IT manager explained that problem D occurs when the back button and
the save button are clicked one after the other in the contact management system
application, which sometimes makes the software crash. The interview ended with the
local IT manager helping to assess the likelihood and impact of the identified
problems in relation to the risk evaluation table.
4.2.4 Interview 4
This part covers the findings from the questionnaire with the agents. The agents are
the ones who operate at the lowest level in the organization and they are the ones who
frequently interact with the systems. Therefore an important aspect of our empirical data
was to get a better understanding of the agents’ perspective on the problems. Ten agents
answered the questionnaire, seven of them male and three female.
In the questionnaire the agents were asked to state what possible problems exist in the
organization and to what extent these problems limit their working capacity and
working goals. Each agent had the option to state more than one problem and subsequently
suggest what possible actions are needed in order to prevent or eliminate these
problems. The problems from the first question were then summarized into five categories:
management, system/technical issues, knowledge/resource, lack of marketing and work
environment issues.
The majority of the agents (70%) felt that the major problem or problems are technical
issues or problems related to the systems. Problems such as incoming calls not being loud
enough, system crashes and freezes, difficulties with the payment system and
working with too many systems were highlighted more than once by the agents. For
instance one of the respondents answered “The major problems are all the problems
related to the contact management system. It is too instable with too many bugs. It crashes
and freezes at least once a day.” The second most mentioned problem was related to
the lack of knowledge and resources. 60% of the agents stressed that they experience
a lack of knowledge and resources in their daily work. Some of the respondents said: “We
know too little about our products, lack of product knowledge is the main problem”, “It
would be much more efficient to have a better homepage with more information about
the products, today one has to look after information from other sites or from the
colleagues”, “We also lack resources (information) that our competitors have”.
A number of other problems were also highlighted. These problems consisted of issues
related to the management, work environment and marketing. For more detailed
information see appendix 5. However, these problems were only mentioned by 10 to 20%
of the agents. Diagram 4.1 illustrates how often a problem related to a specific problem
category was mentioned by the agents.
Diagram 4.1 Problems from Agents perspective (bar chart; horizontal axis: Percentage of
Agents, 0% to 80%; categories: Work Environment, Lack of marketing, Knowledge/Resource,
System/Technical issues, Management)
Additionally the agents were asked what needs to be done in order to prevent or
eliminate these problems. Concerning the first problem category “Management” the agents
recommended that there is a need of a better approach in giving feedback about the
problems and that someone needs to work with the problems regularly. They also
suggested that in order to solve most of the technical issues the management needs to
realize that the systems need to be improved and take proper actions so that changes really
occur.
For the system and technical issues the agents suggested that more investment should be
allocated to less sensitive and more stable systems. In addition, they expressed that a new
platform is needed in order to integrate all the applications with each other. Several
agents felt that they lacked resources and knowledge in their daily work. As a solution
to this they felt that they needed more information about the products they work
with and better sales tools that facilitate their work. They also expressed that they need
better and more frequent education. Lastly a number of the employees suggested that
their customers should receive more advertisement about their specific department.
5 Analysis
In this chapter the data from the empirical findings part is analyzed. The analysis
follows the framework of the Soft Systems Methodology (Checkland, 2000) in conjunction
with the Business Continuity Plan guideline (Karakasidis, 1997). With the help of the
risk management approach the risks and problems will be assessed and evaluated, and
relations among the problems will be established. This will present the answer to the first
research question.
When following the BCP approach, steps one to five will be used, because
step six and further are outside our research scope. This section aims
to provide answers to research questions number two and three. Therefore, possible
solutions to IT/IS related problems and ways to make the organization more resilient on
this issue will be provided.
5.1 Categorization of problems

| Staff | Resources | Technology/Software | Workflow |
|---|---|---|---|
| S1. All IT responsibility depends on one individual | R1. Lack of sufficient information to support work of agents | T1. Ghost calls | W1. Finding the right consultation person |
| S2. Staff not really prepared to handle problems | R2. Not enough in-house IT knowledge | T2. Re-connect to customer | W2. Problem reporting |
| S3. Local IT manager not available | | T3. Connect customer to another agent | W3. Insufficient communication/relationship between Nordic IT department/local IT manager and vendor |
| | | T4. Customer able to listen to agent-to-agent conversations | W4. Assigning key roles |
| | | T5. Agent cannot hear customer (Silent call) -> disconnected -> CMS sometimes crashes | W5. Problem handling routines |
| | | T6. System terminates calls | W6. No formal documentation of local IT manager’s knowledge |
| | | T7. Sending/receiving problems with e-mails | |
| | | T8. Delay of displaying incoming call pop-up bar (5-6 sec.) | |
| | | T9. Answer button freezes for 5-6 sec. | |
| | | T10. System mixes up incoming and outgoing ringtones | |
| | | T11. Beep tones during the calls | |
| | | T12. Pressing consultation button 2x -> CMS freezes -> Agent hears customer and consultation at the same time | |
| | | T13. Backup System | |
| | | T14. CMS server is full every morning – log files too big | |
| | | T15. .NET error messages | |
| | | T16. Quality of interactive voice response menu | |
| | | T17. Calls cannot be received | |
| | | T18. Back + Save | |
| | | T19. Payment issues with the payment system | |
The problems displayed in the table above are based on the information gained from the
interviews with the Nordic operating manager, local IT manager, and agents. The
identified problems are categorized according to Hallows’ (2005) suggestions, which were
mentioned earlier in the theoretical framework part.
The problem categories we chose were Staff, Resources, Technology/Software, and
Workflow. These categories were partly suggested in the theory and partly adjusted to
and created from the identified problems. Staff problems include areas related to
employees and particular persons within the organization. The second problem category is
about resource issues. This group of problems includes issues like the lack of sufficient
information to support the work of the agents or the absence of enough in-house IT
knowledge. The biggest category consists of the technology related problems. This
group is made up of software and technological equipment problems. The last group of
problems is called workflow related problems. This category includes problems which
are related to the way of working.
5.2 Risk Evaluation
The following is a risk evaluation of the problems perceived by the IT and Nordic
operating manager. A risk evaluation model from our theoretical framework of risk
management has been applied. It is meant to help identify the likelihood and impact of
the risks and problems within the department. Our evaluation was conducted together
with the local IT manager.
The levels in the evaluation process are high (H), medium (M) and low (L). Likelihood
is the first letter and impact is the second letter in each title.
HH
• W3. Insufficient communication/relationship between Nordic IT department/local IT and vendor (HH)
HM
• S1. All IT responsibility depends on one individual (HM)
• W6. No formal documentation of local IT manager’s knowledge (HM)
HL
• T16. Interactive voice response (IVR) menu system (HL)
MH
• W1. Finding the right consultation person (MH)
• T1. Ghost calls (MH)
• T8. Delay of displaying the popup bar of incoming calls 5 – 6 sec (MH)
• T9. Answer button freezes for 5 – 6 sec (MH)
• T14. Contact management system server is full every morning, log files too big (MH)
• T17. Calls from customers cannot be received (MH)
MM
• S2. Staff not really prepared to handle problems (MM)
• R2. Not enough in-house IT knowledge (MM)
• W5. Problem handling routines (MM)
• W4. Assigning key roles (MM)
LH
• S3. Local IT Manager not available (LH)
• T4. Customer able to listen to agent-to-agent conversations (LH)
• T5. Agent cannot hear customer (Silent call) → disconnected → CMS sometimes crashes (LH)
• T2. Re-connecting to customer (LH)
• T6. System terminates calls (LH)
• T7. Sending, receiving problems with e-mails (LH)
• T13. Back-up system (LH)
• T12. Pressing consultation button 2x -> CMS freezes and sometimes agent hears customer and consultation at the same time (LH)
• T18. Back + Save (LH)
• T15. .NET error messages (LH)
LM
• R1. Lack of sufficient information to support work of agents (LM)
• W2. Problem reporting (LM)
LL
• T3. Problem when connecting customer to another agent (LL)
• T10. System mixes up incoming and outgoing ringtones (LL)
• T11. Beep tones during calls (LL)
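The rating list above can be kept as a machine-readable risk register; the following is an added example, not part of the thesis, that parses the entries, ranks them, maps each to the acceptance or mitigation strategy from section 3.3, and reports problems from the section 5.1 table that never received a rating. The numeric scale (L=1, M=2, H=3), the likelihood-times-impact score and the band cut-offs are assumptions; the entries and IDs are copied from sections 5.1 and 5.2.

```python
import re
from typing import NamedTuple

# Assumed ordinal scale; the thesis only names the levels H, M and L.
LEVEL = {"L": 1, "M": 2, "H": 3}

# Entries copied from the section 5.2 list: "ID. description (XY)", X = likelihood, Y = impact.
REGISTER = """\
W3. Insufficient communication/relationship between Nordic IT department/local IT and vendor (HH)
S1. All IT responsibility depends on one individual (HM)
W6. No formal documentation of local IT manager's knowledge (HM)
T16. Interactive voice response (IVR) menu system (HL)
W1. Finding the right consultation person (MH)
T1. Ghost calls (MH)
T8. Delay of displaying the popup bar of incoming calls 5 - 6 sec (MH)
T9. Answer button freezes for 5 - 6 sec (MH)
T14. Contact management system server is full every morning, log files too big (MH)
T17.Calls from customers cannot be received (MH)
S2. Staff not really prepared to handle problems (MM)
R2. Not enough in-house IT knowledge (MM)
W5. Problem handling routines (MM)
W4. Assigning key roles (MM)
S3. Local IT Manager not available (LH)
T4. Customer able to listen to agent-to-agent conversations (LH)
T5. Agent cannot hear customer (Silent call) -> disconnected -> CMS sometimes crashes (LH)
T2.Re-connecting to customer (LH)
T6. System terminates calls (LH)
T7. Sending, receiving problems with e-mails (LH)
T13. Back-up system (LH)
T12.Pressing consultation button 2x -> CMS freezes and sometimes agent hears customer and consultation at the same time (LH)
T18. Back + Save (LH)
T15. .NET error messages (LH)
R1. Lack of sufficient information to support work of agents (LM)
W2. Problem reporting (LM)
T3.Problem when connecting customer to another agent (LL)
T10.System mixes up incoming and outgoing ringtones (LL)
T11.Beep tones during calls (LL)
"""

# IDs that appear in the section 5.1 categorization table.
CATEGORIZED = ([f"S{i}" for i in range(1, 4)] + [f"R{i}" for i in range(1, 3)]
               + [f"T{i}" for i in range(1, 20)] + [f"W{i}" for i in range(1, 7)])
LINE_RE = re.compile(r"^([SRTW]\d+)\.\s*(.+?)\s*\(([HML])([HML])\)$")


class Risk(NamedTuple):
    id: str
    description: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return LEVEL[self.likelihood] * LEVEL[self.impact]  # assumed: 1..9

    @property
    def band(self) -> str:
        # Assumed cut-offs: HH/HM/MH high, HL/MM/LH medium, LM/LL low.
        return "high" if self.score >= 6 else "medium" if self.score >= 3 else "low"

    @property
    def strategy(self) -> str:
        # Section 3.3: low-ranked risks are accepted, medium and high ranked risks
        # are mitigated. Avoidance and transfer are not derived from the rating.
        return "acceptance" if self.band == "low" else "mitigation"


def parse_register(text: str) -> list[Risk]:
    """Parse register lines, rejecting malformed lines and duplicate IDs."""
    risks, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"line {n}: cannot parse {line!r}")
        if m.group(1) in seen:
            raise ValueError(f"line {n}: duplicate ID {m.group(1)}")
        seen.add(m.group(1))
        risks.append(Risk(*m.groups()))
    return risks


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest score first; on ties, higher impact first, then register order."""
    return sorted(risks, key=lambda r: (-r.score, -LEVEL[r.impact]))


def unrated(risks: list[Risk]) -> list[str]:
    """Categorized problems that never received a likelihood/impact rating."""
    rated = {r.id for r in risks}
    return [i for i in CATEGORIZED if i not in rated]


if __name__ == "__main__":
    parsed = parse_register(REGISTER)
    for r in prioritize(parsed):
        print(f"{r.score} {r.band:<6} {r.strategy:<10} {r.id:<4} {r.description}")
    print("categorized but not rated:", unrated(parsed))
```

Run against the lists as printed, the coverage check shows that T19 (payment issues) appears in the categorization table but has no likelihood/impact rating in section 5.2.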
5.3 Problem relation analysis
The following diagram shows the existing problems at the organization and their
relations. It was drawn in order to identify the main factors that are causing the
continuously recurring problems and the consequences of the problems. The diagrams can be
seen as step 4 from the SSM theory, which is about building conceptual models. At the
same time the diagram is a part of the impact analysis step from the BCP, which is
explained in the theoretical framework.
A main and abstract problem is always put at the top of the diagram, and it is divided
into a branch of problems relating to each other along the way down in the diagram. The
results from the problems are presented in circles at the bottom of the diagram.
Explanation of the components from the diagrams: Consequence from problem(s); Relational arrow
Diagram 5.3
Insufficient communication/partnership between local IT manager and vendors is one of
the most critical problems. Many other problems occur, develop and result due to this
circumstance.
Because of the lack of communication the organization is missing a standard way of
reporting problems. This means that the vendors do not get a standardized report about the
problems because of hierarchy issues within the organization. This results in a
conflict between the Nordic IT department and the vendors. Furthermore, the vendor is
convinced that the organization should deal with the problems itself and therefore the
vendors fail to fix these problems in an adequate way. The issue with problem
reporting occurs on different levels within the company. There are no standardized
reporting procedures from the agents towards the local IT manager, nor from the local IT
manager towards the Nordic IT department. However, due to a lack of insight
into the relationship between the Nordic IT department and the vendors, the analysis of
the cooperation is based on the perspective of the local IT manager.
Because the department does not have a standard way of reporting problems, many technical
problems related to the contact management system still exist at the department. The
technical errors cause delays in work and frustration among the agents, which in turn lead to
a decreased level of service quality.
The major problem associated with the contact management system is that the servers are
overloaded when business activities start. The overload occurs because log files grow too big
and are not deleted in time. While the servers are overloaded with log files the contact
management system cannot function properly. The consequence is that customers cannot reach
the call center. Therefore there is a risk that the company loses its calling customers to its
competitors. In this case a backup system is started automatically which tells the customer
to send his/her request via email. However, the email functions are also down at that moment.
Consequently, emails can only be received again when the log files have been deleted and the
system is running again. The backup system is also used when the system is down due to other
issues.
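The failure described above comes down to log files that are not pruned before opening time. The following is an added example, not code from the thesis or from the organization's systems: a retention check that could be scheduled ahead of business hours. The log directory, the `*.log` pattern, the age limit and the byte thresholds are all assumptions.

```python
"""Log-retention check to run before opening hours (added example)."""
import os
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path

SECONDS_PER_DAY = 86_400


@dataclass
class RetentionResult:
    deleted: list = field(default_factory=list)  # relative paths pruned (or that would be)
    bytes_before: int = 0                        # total log size found
    bytes_after: int = 0                         # total log size left on disk
    status: str = "OK"                           # OK / WARNING / CRITICAL


def enforce_retention(log_dir, max_age_days, warn_bytes, crit_bytes,
                      now=None, dry_run=False):
    """Delete *.log files older than max_age_days and grade what is left.

    The status reflects the size that remains after pruning, so a single
    oversized current log still raises an alert instead of passing silently.
    """
    root = Path(log_dir)
    now = time.time() if now is None else now
    cutoff = now - max_age_days * SECONDS_PER_DAY
    result = RetentionResult()

    for path in sorted(p for p in root.rglob("*.log") if p.is_file()):
        info = path.stat()
        result.bytes_before += info.st_size
        if info.st_mtime < cutoff:
            result.deleted.append(str(path.relative_to(root)))
            if not dry_run:
                path.unlink()
                continue  # file is gone, it no longer counts
        result.bytes_after += info.st_size

    # Escalate when pruning alone does not bring the volume under the limits.
    if result.bytes_after >= crit_bytes:
        result.status = "CRITICAL"
    elif result.bytes_after >= warn_bytes:
        result.status = "WARNING"
    return result


if __name__ == "__main__":
    # Constructed sample data: three log files with different ages.
    now = time.time()
    with tempfile.TemporaryDirectory() as demo_dir:
        for name, size, age_days in [("cms-old.log", 4000, 10),
                                     ("cms-week.log", 3000, 8),
                                     ("cms-today.log", 2000, 0)]:
            sample = Path(demo_dir) / name
            sample.write_bytes(b"x" * size)
            stamp = now - age_days * SECONDS_PER_DAY
            os.utime(sample, (stamp, stamp))
        report = enforce_retention(demo_dir, max_age_days=7,
                                   warn_bytes=1500, crit_bytes=5000, now=now)
        print(report.status, report.deleted, report.bytes_after)
```

A WARNING or CRITICAL status after pruning is the case worth escalating through the problem-reporting routine, because it means the current log alone is large enough to threaten the next opening.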
Nevertheless there are also other technical problems at the department which are not only
related to the contact management system. One of these problems is related to the payment
system. When a customer calls to order a product, the agent sometimes cannot create an
invoice due to system errors. The consequence is that a purchase cannot be completed and the
business loses customers, which in turn leads to possible profit losses.
Another problem for the local IT manager is to find the right contact person at the Nordic IT
department in order to get the right support. There is no clear knowledge of who to contact.
Additionally there seems to be too little information about the products to support the work
of the agents. This and the previous problem lead to a delay of work, which in turn leads to a
decrease of service quality.
All IT responsibility at the department rests on one individual, the local IT manager. This
can also be seen as a major problem with huge possible impacts on the organization. The
department does not see the importance of documenting his valuable knowledge to keep it
in-house. As a result, no one else in the company can actually recapitulate or understand his
work, or plan future improvements in the way of working. If the local IT manager left the
company a lot of valuable information could be lost, which could lead to a decrease of
quality. Moreover, the new local IT manager would need to learn everything from scratch and
it would take him a while to get an overview of everything. This would affect the performance
of the company badly.
Even if the local IT manager is just absent for any reason, there will be no IT support
available locally. As a consequence no one can handle or fix the occurring problem
immediately, which would decrease the service quality or, in the worst case, leave the
department paralyzed.
The Nordic operating manager identified that the organization could need more in-house IT
knowledge, since all IT responsibility depends on the local IT manager. This also affects the
training and preparedness of the agents. We experienced that the employees are not really
prepared and do not really know what to do when a problem occurs.
There are no assigned key roles at the department and no systematic way of assigning the
roles that are needed when the local IT manager is absent or a problem occurs. This is
tightly connected to the fact that there are no problem handling routines.
All problems mentioned above could lead to decreased service quality, which in turn can
result in a loss of customers. When the organization loses customers the obvious consequence
is that the organization loses profits.
5.4 Suggested components to become resilient
When it comes to developing a Business Continuity Plan the most important thing is to obtain
top management support for this activity. Without top management support it will be difficult
to get the resources needed to develop a good BCP. Moreover, a BCP and its necessary
activities can be communicated in a satisfying way when top management support is provided.
Top management involvement would show the rest of the organization that the BCP is a needed
and important issue and could therefore motivate and encourage people to better understand
and support it as well. This would probably lead to a better acceptance of the BCP
development activities within the organization. Obtaining top management support is also
considered the initial step when developing a BCP according to the BCP literature. Applying
this to the case would mean that the Nordic board and local top management need to understand
the impact and effects of the problems and the possible risks to the business. Subsequently,
they need to understand that the consequences would be a loss of customers and profits.
Moreover, top management needs to recognize the benefits of a BCP and in what ways a BCP
approach can improve the way of working and business processes overall.
The second step in developing a BCP should be that top management establishes a BCP
committee. This committee will become the driving force for planning a BCP and implementing
it later on. Members of this committee should not only come from the IT department of the
company. It is also necessary to include business people in order to align the BCP efforts
with the ongoing business strategy and to effectively communicate the planned efforts. In
the specific case it would be advisable to include the Nordic operating manager, call center
manager, local IT manager, and the department manager in the BCP committee. Since the Nordic
operating manager and the call center manager have an overall picture of the business it is
wise to put them in the committee. The local IT manager should be included due to his
specific knowledge about the IT infrastructure. Moreover, the department managers could add
useful feedback from the operating level and daily work routines, such as that there is a
lack of sufficient information to support the work of the agents.
This committee should also assign key roles to individuals who will be responsible for
minimizing specific risks or for guiding the process of problem solving when a problem
occurs. These roles have to be clearly stated and the individuals need to know exactly what
is expected from them in particular situations. In turn, this would support and improve the
problem handling routines.
The BCP committee should also schedule regular meetings, which could be weekly or monthly.
This can be decided depending on the size of the organization. In our case, a weekly meeting,
at least in the beginning, would be reasonable due to the high number of existing problems
and risks. Areas covered in these meetings include problem handling, risk management, status
reports about progress, and reflections. In general, these meetings should be used to assess
which risks and problems occur, what needs to be done in order to fix them, and to govern and
control the ongoing problem solving processes. The BCP committee should also evaluate
critical needs and prioritize business requirements in these meetings, which could be done
using the risk management evaluation criteria as a solid ground. In order to identify
problems and risks in the future the BCP committee should use the Business Impact Analysis.
This can be seen as an ongoing, repeatable process of identifying, solving and evaluating
problems.
A good communication strategy is crucial for an organization. However, it is not enough to
just have a good internal communication strategy. There is also a great need for excellent
external communication, especially between the organization and the software vendors. As our
example showed, when the external communication is not optimized several problems do not get
solved. The same applies to the party that is responsible for the maintenance of the
organization, and even more so if maintenance is outsourced. With good communication it is
easier to find the right contact person, report problems, and spread knowledge.
An important aspect is to consider training in order to communicate and raise awareness of
the BCP. As stated by Morwood (1998) the first action that should be taken is awareness
training. In this case, all the employees get informed about the BCP and its components.
This will provide them with knowledge about how to react in specific situations when problems
occur. From our perspective every employee should be given the possibility to take part in
awareness training. General awareness training could prepare the staff to react in an
efficient way when problems occur in organizations. In these briefing sessions employees
should also be provided with a manual where the most important facts are written down for
later review. In addition, problem handling routines would be improved by common standards.
This would also decrease the delays of work and therefore increase the service quality within
the organization.
Furthermore, a documentation plan could be helpful. It can be seen as a supporting tool for
the communication strategy and knowledge sharing. A documentation plan can also be a part of
the problem reporting routine. When employees experience a problem they need to report it in
a standardized way. This can be an efficient way of identifying and understanding problems
that exist. Moreover, a good documentation plan can capture all the activities and knowledge
of the local IT manager, which could be useful in the future when he might be absent or leave
the company. Eventually, this will increase the IT competence of some other persons within
the company as well.
6 Conclusion
Since business processes are more and more influenced by information technology, the need for
a working Business Continuity Plan is increasing. Organizations are more dependent on their
information technology infrastructure, and therefore need to be as resilient as possible in
case problems occur.
The specific case analyzed showed that organizations should focus on risks that are evaluated
with high likelihood and high impact. These risks can cause many negative results for an
organization's business process outcomes, such as the key performance indicators.
Additionally, they have to get the most attention because they cause many other problems due
to their high impact on the organization. For problems with a low likelihood and a low impact
on the organization, the acceptance strategy should be applied.
Service quality is highly affected by the problems that exist at the company. Therefore the
organization needs to deal with the issues in order to improve its service level. As the
results show, the existing problems are in turn causing a loss in profits, and without any
improvements the organization will continue to lose money. Therefore a BCP can be a great
tool in order to perform better.
6.1 Fulfilling the purpose
The purpose was to show how problems can be assessed and relationships among these
problems can be drawn, and how problem related working processes can be improved.
Furthermore, the purpose was to provide guidelines for components of a BCP and of
how to develop a BCP. We believe that we achieved our purpose by identifying and
evaluating problems, showing their relationships, and presenting guidelines.
6.2 Future research
Future research can include areas such as investigating and developing strategies for how to
measure the impact of a Business Continuity Plan on organizations. Our research proposes
guidelines and does not take into consideration the measurement of the outcomes.
Additionally, the investigation of other cases within the same or another business sector
could lead to a better foundation for our results.
Since our research is aiming for generalizations, a more specific approach could help other
particular companies that have certain particular requirements.
References
APM PRAM (2006) Association for Project Management, Project Risk Analysis and Management
Guide (2nd edition), APM Publishing: High Wycombe, Bucks, UK.
Botha, J. & von Solms, R. (2004) A cyclic approach to business continuity planning.
Information Management & Computer Security, Vol. 12, No. 4, pp. 328-337, Emerald Group
Publishing Limited.
Checkland, P. (2000) Soft Systems Methodology: A Thirty Year Retrospective. Systems Research
and Behavioral Science, Vol. 17, S11–S58.
Colorado State University Department of English (2009) Generalizability: Definition,
http://writing.colostate.edu/guides/research/gentrans/com2b1.cfm
Retrieved May 27th 2009.
Doughty, K. (2000) Best Practices, Volume 15: Business Continuity Planning: Protecting Your
Organization's Life. Boca Raton, FL, USA: Auerbach Publishers, Incorporated, p. 6, 8.
http://site.ebrary.com.bibl.proxy.hj.se/lib/jonhh/Doc?id=10074957&ppg=29
Goldkuhl, G. (1998) Kunskapande. Internationella Handelshögskolan i Jönköping. Centrum för
studier av Människa, Teknik och Organisation (CMTO). Linköpings universitet.
Hallows, J. (2005) Information Systems Project Management: How to Deliver Function and Value
in Information Technology Projects, Second Edition, Chapter 4, AMACOM.
Karakasidis, K. (1997) A project planning process for business continuity. Information
Management & Computer Security, pp. 72–78, MCB University Press.
McCrackan, A. (2004) Practical Guide to Business Continuity Assurance. Norwood, MA, USA:
Artech House, Incorporated, pp. 64-65, 97-98, 123.
http://site.ebrary.com/lib/jonhh/Doc?id=10082015&ppg=109
Morwood, G. (1998) Business Continuity: Awareness and Training Programmes. Information
Management & Computer Security, MCB University Press.
Newell, M. & Grashina, M. (2004) The Project Management Question and Answer Book, Chapter 8,
AMACOM.
Potter, S. (2002) Doing Postgraduate Research. Sage Publications, p. 160.
Reuvid, J. (2007) Managing Business Risk (4th Edition). London, GBR: Kogan Page, Limited,
p. 6.
Reuvid, J. (2006) Secure Online Business Handbook: A Practical Guide to Risk Management and
Business Continuity (4th Edition). London, GBR: Kogan Page, Limited, p. 141, 146.
Saunders, M. et al. (2007) Research Methods for Business Students. 4th Edition, Prentice
Hall, p. 61.
Wan, S. (2009) Analysis Using Business Continuity Planning Processes. Campus-Wide Information
Systems, Vol. 26, No. 1.
Weems, T.L. (1999) Business continuity planning – for the rest of us. Disaster Recovery
Journal, in Botha, J. & von Solms, R. (2004) A cyclic approach to business continuity
planning. Information Management & Computer Security, Vol. 12, No. 4, pp. 328-337, Emerald
Group Publishing Limited.
Yin, R. K. (2003) Case Study Research: Design and Methods (3rd Edition), Thousand Oaks, CA,
Sage, in Saunders, M. et al. (2007) Research Methods for Business Students. 4th Edition,
Prentice Hall, p. 61.
Appendix
Appendix 1
Interview with the Nordic operating manager
1. What role do you have in the organization?
Nordic operating manager. I am working closely with the contact center in Norway,
where the board meetings occur.
2. What are the main tasks in your position?
Strategic tasks mostly such as coaching, development, HR, systems, customer expectations,
talent management, and CRM system owner.
3. What authority do you have?
High - below the highest board.
4. How are the Business processes / workflow functioning?
• Since the organization is very complex and spread, the degree of flexibility is not too
high.
• The organization’s performance and strategies are mostly based on several key performance
indicators (KPI) such as availability, adherence, average handling time (AHT), and fix at
first time.
• The organization measures productivity in hours available for the customer.
Problems with the business processes:
• To get the right competence at the right time
• There is no system, in order to find sufficient information for achieving quick handling
time (related to fix at first time)
5. How are the errors of system issues handled?
• The organization is working with a twin system solution at the headquarters location. This
means that there is a spare server provided if the regular one goes down.
• Organization has a log to document the problems
Problem with the systems:
• IT support is outsourced due to system centralization. Feels that in-house competence would
be nice to have – but not possible
• Broadband problems – slows down the business flow
• Different systems have different problems
- Speed problems
- Some systems are still in the development phase, it will approximately take 1-2 more years
to get a finished product that the organization can live with
• No backup plan
• No routines
6. How do the problems affect the organization?
Each problem has a direct or indirect impact on the KPIs, in other words tremendous impact.
7. How do you handle the problems?
Some of the problems, mainly technical, are documented in the log. In most cases the
employees ask the local IT manager when a problem occurs. If the local IT manager cannot
solve the problem he asks the headquarters/IT support.
8. Do you have any follow up routines to the problems?
No, more or less all the follow up routines are in the local IT manager’s head.
9. Do you have any BCP? If not, why? If not, are you thinking of developing one?
No, we have not been thinking about it and we do not have the time for it. We would prefer to
have one but there is no plan for developing one.
Appendix 2
Interview 1 with the local IT Manager for the department
1. Do you have a BCP/Strategy?
There is no plan. There is not much effort put into it. It would be preferred to have one,
due to all the existing problems.
2. How do you deal with the problems?
- The contact management system covers email, support, sales, and ticket system.
- It is quite easy to get support with the contact management system. We have a contact
management system support in Norway. When a problem occurs I usually e-mail the support in
Norway about the problem.
- Contact management system problems can be very local but some problems can be very deep,
which I can’t solve by myself. Responsibility for fault assurance lies at the very top.
3. Which problems do you experience as the most extensive?
1. Finding the right support guy/getting to the right guy. Help is needed mostly very fast
and the helpdesk in Norway is very big, this aggravates the process of finding the right guy.
Receiving the help depends on the problem, since different people have different
responsibilities.
2. Routine how to report problems/problem reports. Problems can be very deep. We are in need
of a routine of how to act. The entire chain is in need of a routine. Today when a problem
occurs the employees e-mail me about the problem, come by and ask face to face, just run
around, and sometimes they do nothing, just lazy.
3. The biggest problem/issue is with the contact management system and vendor problems.
When I'm gone a local IT manager in Norway helps the department to handle the problems. It is
decent to reach him.
4. What are the consequences when Contact management system is down?
- Losing customers, customers lose faith, losing money and not reaching the goals
- The company keeps track of the problems, collecting info and will in the end try to
calculate how much they lose in downtime.
5. Do you have a documentation plan for the problems?
The problems that I can solve are kept in a log. The deep problems such as code errors are
not documented, because it is only the software vendor who has the right knowledge and the
rights. Also all the local IT-problems are documented.
6. Which of the working tasks are the most time consuming?
- Computer problems are most time consuming such as hardware, logging in problems, crashing
problems etc.
- The backup action when the contact management system crashes is to turn on a machine that
tells customers that they have technical problems and that they can mail instead. But the
e-mail doesn’t work when Contact management system is down.
- The company has everything centralized in their databases at the plant, and a backup is
sent to Norway regularly which is time consuming.
7. How does the communication work between you and the consultants and the vendor?
- I don’t get as much time with the consultants as I would need/like to. Normally I am not in
contact with the vendor, the consultants contact the vendor.
8. How do employees solve problems?
- They wait for feedback from group leaders
9. How is the training conducted?
- The leaders (Department Managers) together with me are forming the training.
10. What would you like to include in the training?
- I would like more training and education around routing of problems.
- There is no standard way of logging problems; I log the problems in my own way.
Appendix 3
Interview 2 with the local IT Manager for the department
1. What does the organizational structure look like (picture)?
2. What does the system structure look like (picture)?
3. What is your title and what authority do you have in the organization?
IT manager for the call center in Sweden. High authority locally and low authority centrally.
Problems and issues that are beyond my authority are forwarded to the IT department in
Norway. Some of these problems tend to take twice as much time to solve.
4. Are problems and risk assessment addressed in the management meetings, if so how and how
often?
Yes, we have meetings once a month with a decent structure. During the meetings I get
approximately 30 minutes to talk about the systems and issues related to them. We also keep
protocols during each meeting and at the following meeting the progress is checked according
to the protocol.
5. Unknown problems
a. The CMS server full every morning – log files too big
The CMS server located in Norway is getting full with the log files; this results in us not
being able to receive calls from the customers when we open. The problem has been known for
more than three months and still no actions have been taken to solve it. The IT department in
Norway does not want to solve the problem; they claim that it is the software vendor who has
the responsibility for that.
b. .NET error messages
The Contact Management System is based on a .NET framework; sometimes we get unexplained
error messages which result in a client crash. Even here the IT department in Norway puts the
responsibility on the software vendor.
c. IVR
IVR stands for “interactive voice response”; it is the voice menu of our contact management
system. We have a number of issues related to our IVR. The voice menu has bad sound quality
which irritates many customers, sometimes choices don’t work and at times the customers are
put in any queue but not in the one of choice.
d. Back + Save
After clicking the back button and then the save button the client sometimes crashes.
6. What is the likelihood and impact of the identified problems in relation to the
risk evaluation table?
Appendix 4
Questionnaire supplied to the Agents
Questionnaire
This questionnaire is intended for a bachelor thesis written by 3 students at Jönköping
University. The thesis deals with the importance of a continuity plan within companies.
All data will be handled anonymously.
For questions regarding the thesis we can be reached at the following e-mail address:
[email protected], or by telephone: 0736-xxxxx.
1. Gender?
Man Woman
2. How long have you worked here?
0-3 months 4-6 months 6-12 months 1 year or more
3. Which problems, if any, do you feel exist at the department that limit your ability to
work/your work goals?
4. How do you think one should proceed in order to prevent/eliminate the problem/problems?
Appendix 5
Questionnaire answers from the Agents
1. Gender?
Men = 7 Women = 3
2. How long have you worked for the call center?
0-3 Months = 0 4-6 Months = 0 6-12 Months = 2 1 Year or more = 8
3. What possible problems do you feel exist at the call center and to what extent do
these problems limit your working capacity and working goals?
Respondent 1: We know too little about our products. Lack of product knowledge is the main
problem
Respondent 2: Many system related problems, the payment process muddles too often; this
creates irritation both with the customers and the agents. The contact management system is
too often down. It also feels that we have too many different systems; it would have been
easier with one or at least fewer systems. It would be much more efficient to have a better
homepage with more information about the products, today one has to look for information
from other sites or from the colleagues.
Respondent 3: I think that we work with too many systems/applications, this results in an
inefficient way of working, time consuming.
Respondent 4: The requirements on the invoice function are too high. It feels like only 1 of
3 invoice processes succeeds. Installment function would be nice to have online/by phone also
to be able to accept gift cards.
Respondent 5: In most cases it is the technical issues such as system failure that limit my
working capacity/goals. We also lack resources (information) that our competitors have. There
is also too little marketing towards our customers about us.
Respondent 6: Technology, applications that crash or lag. Parts of the management.
Management too inflexible.
Respondent 7: Too high loudness level, tight with space. Too low sound on incoming calls. Not
enough product knowledge.
Respondent 8: Low commitment from the management. Lack of knowledge.
Respondent 9: Too high loudness level, this results in frustration and difficulties of
understanding what the customers are saying. This forces me to talk louder with the customer
which sometimes is perceived in a bad way by the customers.
Respondent 10: The major problems are all the problems related to the contact management
system. It is too unstable with too many bugs. It crashes and freezes at once a day. The
second problem is the lack of information available to us. The product information available
is insufficient most of the time. This forces most of us to tell the customer to wait and
look for the information from other sources.
4. From your point of view, what needs to be done in order to prevent/eliminate the
problem/problems?
Respondent 1 (W): More product knowledge, more knowledge and focus on the products with good
margin.
Respondent 2 (W): I think we need more than one IT-manager, one is not enough. More
communication about the system problems, we need to be able to give feedback about the
problems and someone needs to work with them regularly.
Respondent 3: A platform that enables all the applications integrated with each other.
Respondent 4: Lower the requirements of payment system
Respondent 5: Market the call center to the customers. Focus on attaining better and more
sales tools, e.g. installation of products in all Sweden not only in Stockholm, return
freight, installment. Be able to give the customer more packaged prices and discounts than we
have today.
Respondent 6: Prevent technical issues/problems with more stable and less sensitive systems.
Restructure the management. More flexibility for the agents.
Respondent 7: Take advantage of the work space available. Invest in working systems! Allocate
more resources in providing more information about the products.
Respondent 8: Put more effort in employment. Better and more frequent education.
Respondent 9: One problem was that our department lacked cohesion, to solve that we moved the
agents’ tables closer to each other. This action resulted instead in a new problem, such as
the loudness issue.
Respondent 10: The management needs to realize that the systems need to be improved and they
need to take action so changes really happen. Better information resources and tools need to
be available for us.
Appendix 6
Problems from agent’s perspective
System/technical issues
• Many system related problems
• The contact management system is too often down. It also feels that we have too many
different systems; it would have been easier with one or at least fewer systems
• I think that we work with too many systems/applications, this results in an inefficient way
of working, time consuming
• In most cases it is the technical issues such as system failure that limit my working
capacity/goals
• Technology, applications that crash or lag
• Too low sound on incoming calls
• The major problem is all the problems related to the contact management system. It is too
unstable with too many bugs. It crashes and freezes at once a day
Payment issues
• The payment process muddles too often; this creates irritation both with the customers and
the agents
• Requirements on the invoice function are too high. It feels like only one out of three
invoice processes succeeds
Knowledge/resource issues
• We know too little about our products. Lack of product knowledge is the main problem
• It would be much more efficient to have a better homepage with more information about the
products, today one has to look for information from other sites or from the colleagues
• We also lack resources (information) that our competitors have
• Lack of knowledge
• The second problem is the lack of information available to us. The product information
available is insufficient most of the time. This forces most of us to tell the customer to
wait and look for the information from other sources
Work Environment
• Too high loudness level, this results in frustration and difficulties of understanding what
the customers are saying. This forces me to talk louder with the customer which sometimes is
perceived in a bad way by the customers
• Too high loudness level, tight working space. Too low sound on incoming calls
• Not enough product knowledge
Management
• Parts of the management
• Management too inflexible
Lack of marketing
• There is also too little marketing towards our customers about us
Solutions from Agents perspective
System/technical issues
• A platform that enables all the applications integrated with each other
• Lower the requirements of payment system
• Prevent technical issues/problems with more stable and less sensitive systems
• Invest in working systems!
• The management needs to realize that the systems need to be improved and they need to take
action so changes really happen
Knowledge/resource issues
• More product knowledge, more knowledge and focus on the products with good margin
• Focus on attaining better and more sales tools, e.g. installation of products in all Sweden
not only in Stockholm, return freight, installment. Be able to give the customer more
packaged prices and discounts than we have today
• More flexibility for the agents
• Take advantage of the work space available
• Allocate more resources in providing more information about the products
• Better and more frequent education
• Better information resources and tools need to be available for us
Work Environment
• One problem was that our department lacked cohesion, to solve that we moved the agents’
tables closer to each other. This action resulted instead in a new problem, such as the
loudness issue
Management
• More communication about the system problems, we need to be able to give feedback about the
problems and someone needs to work with them regularly
• The management needs to realize that the systems need to be improved and they need to take
action so changes really happen
• Put more effort in employment
• I think we need more than one IT-manager, one is not enough
Lack of marketing
• Market the call center to the customers