


Safety Science 89 (2016) 201–218

Contents lists available at ScienceDirect

Safety Science

journal homepage: www.elsevier.com/locate/ssci

An enhanced risk assessment framework for business continuity management systems

http://dx.doi.org/10.1016/j.ssci.2016.06.015
0925-7535/© 2016 Elsevier Ltd. All rights reserved.

* Corresponding author.
E-mail addresses: [email protected] (S.A. Torabi), [email protected] (R. Giahi), [email protected] (N. Sahebjamnia).

S. Ali Torabi a,*, Ramin Giahi a, Navid Sahebjamnia b

a School of Industrial Engineering, College of Engineering, University of Tehran, Tehran, Iran
b Department of Industrial Engineering, University of Science and Technology of Mazandaran, Behshahr, Iran

Article history:
Received 10 October 2015
Received in revised form 10 June 2016
Accepted 18 June 2016
Available online 29 June 2016

Keywords:
Risk assessment
Business continuity management
Organizational resilience
Best-worst method
Resource allocation
Benefit-cost analysis

Abstract

Every organization is exposed to several risks (e.g. cyber-attacks and disruptions caused by natural disasters). To respond to these risks properly, an effective risk management system should be implemented. Business continuity management is one of the most recent risk management frameworks, which enables organizations to improve their resilience in order to cope with the identified risks. Risk assessment is one of the main parts of a business continuity management system (BCMS). In this paper, an enhanced risk assessment framework is proposed within the context of BCMS while accounting for specific steps and requirements of a BCMS. The proposed framework benefits from a suite of analytic techniques to enhance and facilitate the risk assessment and management within the well-known four-step framework (i.e. identifying, analyzing, evaluating, and responding to risks). The results of applying the proposed framework in a real case study demonstrate that it can effectively handle the risk assessment and management process when implementing BCMS in an organization.

© 2016 Elsevier Ltd. All rights reserved.

1. Introduction

The high rate of disruptive incidents, such as natural or technological ones, which take place around the world, encourages organizations to design and implement their own customized business continuity management system (BCMS) in order to get prepared for dealing with any possible disruption. Through implementing a BCMS, suitable business continuity plans (BCPs) are provided to respond to possible incidents (that could damage the organization’s resources) in an efficient and effective way (Sahebjamnia et al., 2015). In this way, BCM could be viewed as a risk management system that enables organizations to improve their organizational resilience level.

According to BS25999 (2007), the BCM life-cycle consists of six elements: BCM program management, understanding the organization, determining and identifying BCM strategies, developing and implementing BCM responses, embedding BCM in the organizational culture, and also training, exercising, maintaining and reviewing the BCM plan. Understanding the organization is the key part of BCM. Business impact analysis (BIA) and risk assessment (RA) are two major tools of understanding the organization in the context of BCM (BS25999, 2007; Torabi et al., 2014). The purpose of BIA is to identify the critical functions needed to deliver key products/services, the impact of disrupted activities on the organizations’ objectives, and those resources needed to resume the critical activities after a crisis happens (BS25999, 2007). Also, RA is defined as the “overall process of risk identification, risk analysis and risk evaluation”. The main objectives of RA in BCM are the identification of risks threatening the organization, their analysis and evaluation, and preparation for risk treatment and response planning (“ISO 22301,” 2012).

The World Economic Forum’s Global Risks 2015 report (Global Risks 2015, 10th Edition, 2015) states that risks threaten human lives and organizations’ activities. Organizations are exposed to a number of risks, which may disrupt their activities and cause substantial damage. For instance, a fire at a sub-supplier’s plant caused $400 million losses for Ericsson in 2000 (Norrman and Jansson, 2004). Therefore, risks should be managed regularly to prevent losing resources and assets.

Owing to the fact that BCM is a kind of risk management, it could be used as an appropriate tool to deal with risks. BCM is implemented to ensure delivery of the key products of organizations under any circumstances, even after a risk occurs. However, BCM requires a comprehensive RA framework by which those risks threatening the organizations’ activities could be identified, analyzed, evaluated, and responded to. An appropriate RA framework helps organizations to make contingency plans to stop losing resources in the aftermath of a risk occurrence. In this paper, some analytical techniques are suggested to enhance and facilitate the risk assessment process within the BCMS context. For this, the literature of supply chain risks and organizational risks is first interrogated to find out the potential risks in service/manufacturing organizations. Then, risk factors (i.e. impact and likelihood of risks) are drawn from relevant papers introducing risk factors. Thereupon, two effective methods are used to determine the impact and likelihood of risks (Feng et al., 2014; Halliday et al., 1996; Kangas and Kangas, 2004; Kull and Closs, 2008; Ritchie and Brindley, 2007; Samantra et al., 2014). Finally, after evaluating the risks, appropriate response plans are proposed to cope with them effectively. The main contributions of this paper can be outlined as follows:

• Conducting a comprehensive literature review to identify the most significant potential risks in manufacturing and service organizations.

• Suggesting some analytical techniques to enhance and facilitate the risk assessment in the context of implementing the BCMS in an organization.

• Suggesting new sub-factors, which would help decision makers to measure the impact of risks more accurately.

• Proposing a new method to evaluate and respond to the identified risks.

• Developing a new method to provide the resources needed to respond to a risk that has occurred, with regard to the results of BIA and benefit/cost analysis.

• Applying the proposed framework and its suggested analytical tools in a real case study to handle the risk assessment and management process when implementing BCMS in a service organization.

In brief, the contributions of this paper are mainly related to proposing a suite of analytic techniques to improve and facilitate the risk assessment and management process in the context of business continuity management systems within the well-known four-step framework of RA (see ISO 31010 for a general overview of risk assessment and management). Notably, this framework includes: (1) risk identification, in which the potential risks of the organization are identified; (2) risk analysis, in which the risk factors (i.e. risk likelihood and impact) are quantified and analyzed; (3) risk evaluation, in which those risks needing treatment are determined; and finally (4) risk response planning, in which the suitable response plans are developed.

The rest of the paper is organized as follows. Relevant literature is reviewed in Section 2. The suggested analytical tools for enhancing and facilitating the risk assessment process in the context of BCMS are elaborated in Section 3. In Section 4, the applicability of the proposed framework and its analytical tools is demonstrated through a real case study. Several managerial insights are derived from the numerical results in Section 5. Finally, Section 6 provides concluding remarks and directions for further research.

2. Literature review

Researchers have approached RA in different ways. We group the literature review into two main related areas: supply chain RA and organizational RA.

2.1. RA in supply chains

RA is the main element of different risk management approaches (ISO 31010, 2009). Several works have been done to analyze, assess and manage supply chain risks (Hallikas et al., 2004; Kleindorfer and Saad, 2005; Lockamy, 2014). Hallikas et al. (2004) propose a risk management process for supply networks, which contains identification, assessment, treatment and monitoring of risks. The paper states that risks originate from: too low or inappropriate demand; problems in fulfilling customer needs; cost and prices; and weakness in resources, development and flexibility. Kleindorfer and Saad (2005) propose a conceptual framework to manage disruption risks in supply chains. The paper categorizes the disruption risks as natural disasters, labor strikes, economic disruptions and terrorist attacks. Their proposed framework consists of three main steps, including the identification of the sources of risks and vulnerabilities, risk assessment and mitigation. Wu et al. (2006) present a methodology to identify supplier-oriented risk factors and manage inbound supply risks. They classify the inbound risks according to their internal or external sources and controllability. Lockamy (2014) proposes a methodology to model and assess the suppliers’ disaster risks in a supply chain network. After identifying the suppliers’ risks, a Bayesian network is used to determine the risks’ probabilities and the impact that a supplier could have on an organization using the Value-at-Risk (VAR) measure, by which managers can decide whether or not to continue with a supplier. The proposed methodology is also applied in an automotive company.

2.2. RA in organizations

RA differs between manufacturing and service organizations (e.g. banking, tourism, hospitals and airports). In manufacturing and service organizations, risks are usually assessed by considering the delivery of products and services, respectively. It should be noted that although some parts of manufacturing organizations are comprised of service operations (e.g. customer relationship management and marketing operations), RA methods for manufacturing organizations cannot be used for all kinds of service organizations. In this section, the literature is reviewed in two separate but related streams, i.e., RA in manufacturing and service organizations.

2.2.1. RA in manufacturing organizations

Although conducting RA in industrial firms is very important, many researchers have only focused on safety analysis and occupational risk assessment. Fera and Macchiaroli (2010) present a mixed qualitative-quantitative RA method for assessing the safety risks in small and medium enterprises (SMEs). The authors introduce three steps for safety RA: (1) building a team to identify risks and comparing them with each other, (2) assessing them through a quantitative model to calculate the frequency and consequences of each identified risk and, (3) finally, providing improvement actions. Marhavilas and Koulouriotis (2012) present a framework for safety risk assessment in work sites. In this framework, potential hazards are identified and their frequencies and consequences are analyzed using gathered relevant statistical data. After evaluating the hazards’ quantities, suitable decisions about them are made (i.e. whether to accept or mitigate each hazard).

There are several RA techniques which are often used in manufacturing organizations. Among them, failure mode and effect analysis (FMEA) (Chang and Cheng, 2010; Liu et al., 2015b; Song et al., 2014), fault tree analysis (FTA) (Lindhe et al., 2009; Liu et al., 2014), and hazard and operability study (HAZOP) (Trammell and Davis, 2001; Vinnem et al., 2006) are the most practical approaches. Table 1 gives a brief description of these methods.

Table 1. Description of RA techniques.

RA technique | Description | Reference
FMEA | FMEA is a component-driven approach for the system’s hardware analysis to identify the potential failure modes, their causes and effects | Liu et al. (2015b) and Stamatis (2003)
FTA | FTA shows potential events (i.e. faults) within a system producing undesirable outcomes via a fault tree. It systematically shows the possible propagation of a fault from basic events to a hazardous top event | Chang et al. (2006)
HAZOP | HAZOP is a function-driven approach for analyzing process operations in order to identify operability problems within the system | Dunjó et al. (2010)

Fig. 1. Relationships between RA and other elements of a BCMS. (Diagram; elements shown: Business Impact Analysis (BIA), Risk Assessment (RA), Risk Response Plans, and the organization’s goals.)

Several models and frameworks have been proposed to conduct the RA process in manufacturing organizations. Wulan and Petrovic (2012) present a framework for risk assessment within the context of enterprise collaboration. In this framework, different risks in the life cycle of enterprise collaboration, including the pre-creation, creation, operation and termination, are first identified. Then, the probability and impact of each risk are determined by fuzzy linguistic terms. The proposed framework is also tested in an automotive company. Lai and Lau (2012) present a risk management model in order to manage the risks of a textile manufacturing company. In this framework, the potential risks are first identified. Then, likelihood, consequence, and the amount of risks are obtained. Afterwards, the risk assessment matrix is divided into four regions according to the impact and likelihood of risks. Finally, four actions are suggested as the risk response plans according to these four regions. These plans include: accept the risk (for those with low likelihood, low impact), avoid the risk (for those with high likelihood, low impact), transfer (for those with low likelihood, high impact), and mitigate (for those with high likelihood, high impact). Samantra et al. (2014) present a quantitative methodology in which those risks related to information technology outsourcing are assessed. The authors introduce four major steps for the methodology: (1) identifying the risks within the context of information technology outsourcing, (2) collecting aggregated linguistic data about the likelihood and the impact of risks from the experts’ opinions, (3) calculating the amount of each risk by multiplying the respective likelihood and impact, and (4) developing suitable action plans for treating the risks. Shafiee (2015) presents a methodology to select the most appropriate risk mitigation strategies for offshore wind farms. In the proposed method, a mitigation strategy is chosen according to some criteria using the fuzzy analytic network process (FANP).

2.2.2. RA in service organizations

In the context of service organizations, there are limited works which holistically assess risks in all aspects of an organization. Tsai and Chen (2010) propose some strategies (i.e. mitigation and transfer strategies) to cope with the earthquake risk in the tourism industry. The model is also applied in a hotel case in Taiwan. Ou Yang et al. (2013) present a method to assess information security risks. In this paper, after identifying the risks, three multi-criteria decision making approaches, i.e., VIKOR, DEMATEL, and ANP, are combined to assess the identified risks. The proposed method is also applied in an information technology company. Shafieezadeh et al. (2015) present a decision framework which manages terrorism risk at airports. The proposed framework allocates required resources to mitigate the risk of terrorist attack on civil infrastructures. Liu et al. (2015a) propose a novel FMEA approach and apply it within a hospital. In this paper, risks are analyzed through the proposed approach whenever the failure modes of a piece of equipment are identified. Feng et al. (2014) propose a model to analyze security risks of information systems. A Bayesian network is also utilized to determine risks and their associated causal pathways. Finally, the proposed model is applied in a service company’s information system.

Despite the importance of RA for developing an effective BCMS, to our knowledge few works have been done to assess risks in the context of BCM. Halliday et al. (1996) propose a framework for analyzing risks in information technology based organizations to implement BCMS. This framework consists of several steps: identification of those risks threatening the organization’s critical business processes, classification of risks according to their primary effects, recording the frequency, impact and growth rate of each risk on business processes, representing a three-dimensional chart consisting of impact, frequency, and growth rate of risks, prioritization of risks, and recommendation of appropriate countermeasures according to the proposed chart. Zsidisin et al. (2005) state the importance of BCM to manage risks in organizations through presenting a case study research. Gibb and Buchanan (2006) propose a framework in which risks are managed in organizations via applying BCM. Tjoa et al. (2008) explain how a risk-oriented process evaluation methodology enhances BIA and RA in BCM. The paper introduces three steps for RA in BCM: identifying threats on business activities, analyzing the likelihood of each threat and its impact on activities, and prioritizing essential information for risk management. Wijnia and Nikolic (2007) consider risks as a chain of causes and effects in the context of information technology business continuity. They assume the information technology risk as a process that causes unavailability of resources, process outage and business impact. Also, they present a mathematical formulation to find risks’ quantities.

The literature review of the current models and frameworks for conducting the RA process within organizations demonstrates the lack of a comprehensive RA framework comprising systematic (i.e. step-by-step) and quantified steps in the context of BCMS, benefiting from suitable analytical tools. To fill this gap, an enhanced framework equipped with some analytic techniques is developed in this paper to conduct the RA process in the context of BCMS in an effective and systematic manner.

3. Enhanced RA framework equipped with analytical tools

RA is a methodological way to use available information to find out which risks may occur and how they may impact the organizations’ goals. This process involves assessing the likelihood and impact of those risks which threaten the organization’s activities, and preparing response plans for the critical ones (Mahdevari et al., 2014). Fig. 1 shows the relationship between RA and other parts of a BCMS.

As can be seen, RA and BIA have undeniable relationships with each other, as the results of RA and BIA are jointly used to develop suitable BC plans to cope with identified risks. In other words, the outputs of BIA (i.e. the key functions, risk appetite, minimum business continuity objective (MBCO), and maximum tolerable period of disruption (MTPD)) together with the results of RA are jointly used to prepare the most suitable response plans. Furthermore, RA should satisfy the organization’s goals and help managers to attain their goals (Torabi et al., 2014). In this paper, some analytical techniques are suggested for conducting an effective RA process within the context of BCMS. In the first step, the most significant potential organizational risks are identified from a comprehensive list drawn from the literature. Then, the identified risks are analyzed, for which the impact of each risk is calculated by means of the recently developed multi-attribute decision making (MADM) method, i.e., the best worst method (BWM) (Rezaei, 2015), and the likelihood of each risk is estimated based upon the experts’ judgmental opinions. In the third step, the deviation of the organization’s achievements from its pre-defined goals after the risk occurrence is calculated and compared with the risk appetite (see Table 2 for a definition of risk appetite). Finally, the evaluated risks are responded to by allocating the resources needed for resuming key functions to at least the so-called MBCO level. Fig. 2 depicts the enhanced RA framework equipped with analytical tools, whose steps are elaborated in the next sections.

Table 2. Risk related terms and their definitions.

Term | Definition | Reference
Risk | Negative effects of uncertainties and disruptive threats on the objectives of the organization | BS25999 (2007) and “ISO 22301” (2012)
Likelihood | Chance of risk occurring, whether defined objectively or subjectively, and can be stated quantitatively or qualitatively | BS25999 (2007)
Impact | Results/outcomes of a risk that will have an impact on the organization’s goals | BS25999 (2007)
Vulnerability | A weakness of an asset/resource that can be exploited by one or more threats | ISO 27005 (2008)
Disruption risk | Any threat or event which may cause major disruption in the organization such as earthquake, terrorism attack, and strike | Tang (2006)
Operational risk | Any inherent uncertainty such as uncertainty in demand, supply, and environmental data that might lead to negative effects on the objectives of the organization | Tang (2006)
Risk appetite | Maximum amount of risks that an organization can tolerate to pursue or retain in order to meet its objectives | “ISO 22301” (2012)

3.1. Risk identification

Risk identification is defined as “the process of finding, recognizing and recording risks” (ISO 31010, 2009). Risk identification determines which risks might affect the organization under consideration. In this manner, decision makers become aware of those events that may disrupt the organization through the risk identification process (Hallikas et al., 2004). It is worth noting that there are several definitions for risk in the related literature and international standards (e.g. ISO 31000). However, in this paper we adopt the definition provided by ISO 22301 (the international standard for BCM): “Negative effects of uncertainties and disruptive threats on the objectives of the organization”. Furthermore, there are several risk classification schemes in the literature; among them, we adopt the classification of Tang (2006) in this paper. This classification is one of the most applied ones in the literature of supply chain risk management, which classifies risks into two broad classes, i.e., operational and disruption risks.

It should also be noted that the terms “operational risks” and “disruption risks” actually refer to threats or causes of risks (according to the traditional RM literature). Nevertheless, in this paper, we simply name those threats as risks, and the multiplication of impact and likelihood of each threat as the risk level/value. These terms are commonly used in the context of supply chain risk management (see Tang, 2006). In other words, if the negative effects occur due to decision making and business-as-usual uncertainties, such causes are simply called “operational risks” here. Similarly, the disruptive events affecting an organization or supply chain drastically are simply named “disruption risks”. Consequently, to avoid any misunderstanding, we have simply used the “operational risks” and “disruption risks” expressions instead of threats or causes of risks originating from uncertainties and disruptive threats, respectively. Table 2 highlights some of the risk related definitions, categories and concepts which have been used in this paper.

In Tables 3 and 4, service and manufacturing related potential risks derived from our thorough literature survey have been classified in two main categories, including the operational and disruption risks (Tang, 2006). Moreover, the identified risks are sub-classified in some major groups (e.g. natural and environmental disruption risks). This helps managers to find out the importance of each group of risks and get a collective viewpoint about them (Wu et al., 2006).

It is noteworthy that the essence of disruption and operational risks differs. Disruption risks originate from disruptive events caused by natural, man-made or technological threats such as earthquakes, floods, terrorist attacks or employee strikes. By contrast, operational risks originate from inherent uncertainties in demand data (due to inaccurate forecasting), cost rate, and also supply data that inevitably exist in supply chains (Torabi et al., 2015). In this paper, disruption risks are categorized in four major groups, i.e., natural, environmental, technological, and man-made risks. Tables 3 and 4 show the potential disruption and operational risks in the service/manufacturing organizations, respectively.

Beyer and Sendhoff (2007) identified the sources of uncertainties in a system based on the system perspective (see Fig. 3). Moreover, they introduced four sources of uncertainties, which include: changing environmental and operational conditions, production tolerance and actuator imprecision, uncertainty in the system’s outputs, and feasibility uncertainty.

According to Beyer and Sendhoff’s (2007) definition of uncertainties and Tang’s (2006) definition of operational risks, we define four major sources of operational risks (see Table 4), including the suppliers’ risks (as the input uncertainty), internal risks (as the uncertainty in the decision making and internal operations), environmental risks (as the environmental uncertainty), and market risks (as the output uncertainty).

To sharpen the meaning of uncertainty, it is worth noting that there are two types of uncertainty: the one expressing the probability of the event, and the uncertainty in the values used to calculate the impacts/consequences of the risk (see Section 3.2). In this way, the magnitude of uncertainty directly relates to the magnitude of the risk. The higher the uncertainty, the greater the degree of risk. Nevertheless, if the level of each risk is properly estimated, the risk assessment will be appropriately conducted. This highlights a main aspect of uncertainty, which is modeling uncertainty (i.e. uncertainty in decision-making). If the system is improperly/incorrectly modeled, the resulting output is not very

Page 5: An enhanced risk assessment framework for business ... enhanced risk assessment framework for business continuity management systems ... an effective risk management system should

Risk Identification

Risk Analysis

Risk Evaluation

Risk Response Planning

Identifying disruption risks according to Table 3

Identifying operational risks according to Table 4

Estimating the risks’ impact

Estimating likelihood of risks

Defining sub-factors and calculating their weights

BWM method

Determining the best and worst criteria

Determining preference of the best criterion over other criteria

Determining preference of all criteria over the worst criterion

Calculating the weights of sub factors

Estimating the identified risks’ sub-factors

Computing the level of each risk by WSM

Computing the risk probability

Computing the risk possibility through experts’ opinion

Yes No

Are statistical data available about risks?

BIA outputs

Determining the number of resources

Determining the key functions and their related weights in each goal

Determining MBCO and MTPD of key functions

Determining the risk appetite

Defining the organization’s goals and their weights

Determining the vulnerability of resources to risks

Calculating the deviation of the goals after risk occurrence by Eq.(3)

> risk

appetite

Creating

set (preparing suitable BCplan for the risk

Accepting and controlling the risk

Calculating needed resources by Eq.(4) for resuming key functions after occurrence

Calculating benefit-cost for each strategy by which needed resources are prepared

t* denotes the minimum time, before which preparing required resources is not economically feasible.

Computing resources preparing time for resuming key function at MBCO level (t* < t < min {MTPDj})

Selecting suitable BC plans according to resources preparing times and benefit-cost analysis

Decision-making about risks

Selecting BC plans

Yes No

Fig. 2. The enhanced RA framework equipped with analytical tools.

S.A. Torabi et al. / Safety Science 89 (2016) 201–218 205

useful. Model validation/calibration, thus, is an important aspect inaccounting for modeling uncertainty.

3.2. Risk analysis

In the risk analysis step, a numerical value is assigned to each identified risk as the level (i.e. value) of that risk, which is the product of the risk likelihood and its impact/consequences. This estimation might be qualitative, quantitative, or semi-quantitative. Finding the level of each risk is an important issue that should be handled accurately. As mentioned before, if the level of each risk is properly estimated, the risk assessment will be appropriately conducted. To do so, suitable risk factors and their sub-factors should be defined first. In what follows, we explain the factors and sub-factors that are used to measure the level of risks in this paper.


Table 3. Potential disruption risks in service/manufacturing organizations.

Disruption risks | Description/examples | References
Natural: Biological | Epidemic and insect infestation | Galindo and Batta (2013), Holzmann and Jørgensen (2001), Olson and Wu (2010) and Hiles (2010)
Natural: Climatological | Drought, extreme temperature, and wildfire | Bubeck et al. (2012), Galindo and Batta (2013), Holzmann and Jørgensen (2001), Kangas and Kangas (2004)
Natural: Geophysical | Earthquake, mass movement, volcano, subsidence, rock-falls, expansive soils, landslides, tsunamis, and avalanche | Ebrahim Nejad et al. (2014), Heckmann et al. (2015), Hiles (2010), Holzmann and Jørgensen (2001), Karimi and Hüllermeier (2007), Wallace and Webber (2010), Park et al. (2013)
Natural: Hydrological | Flood and storm | Asgary et al. (2012), Hiles (2010), Kleindorfer and Saad (2005), Knemeyer et al. (2009), Wallace and Webber (2010) and Park et al. (2013)
Natural: Atmospheric/meteorological | Hailstorms, hurricane, lightning, tornadoes, and tropical storms | Hiles (2010), Kleindorfer and Saad (2005), Knemeyer et al. (2009) and Wallace and Webber (2010)
Environmental: Social | Those risks that originate in social activities/conditions such as war, strike, riot, revolution, demonstration, social or labor unrest | Craighead et al. (2007), Kleindorfer and Saad (2005), Norrman and Jansson (2004), Sawik (2011) and Tang (2006)
Environmental: Competitor | Those risks that are incurred by competitors, e.g. disrupting the joint supply chain by changing the price and copying the design of the service/product | Christopher et al. (2011) and Olson and Wu (2010)
Environmental: Supplier | Purchasing poor quality products, delayed arrival of parts, disruption in supplier activities, and breaking the contract | Christopher et al. (2011), Ganguly and Guin (2010), Lockamy (2014) and Trkman and Mccormack (2009)
Environmental: Governmental | Changes in legislation, sanctions, disruptions in the political relations between countries, fluctuation in the foreign exchange rates, inflation, and changes in the interest and tax rates | Christopher et al. (2011), Clarke and Varma (1999), Hiles (2010), Nocco and Stulz (2006) and Trkman and Mccormack (2009)
Environmental: Regulation | Changing environmental, ecological, free trade, safety, and labor rules | Chang and Cheng (2010), Christopher et al. (2011), Holzmann et al. (2003), Oke and Gopalakrishnan (2009) and Samantra et al. (2014)
Environmental: Market | Changes in market conditions and new competitor entrants | Chopra et al. (2007), Christopher et al. (2011), Olson and Wu (2010)
Technological (Information systems): Hardware | Hardware failure, viruses, worms, cyber-attack, amateur hackers, disruption in the communication channels (such as phone, internet, wireless phone, etc.), disruption in the ISP (internet service provider), and political hack or cyber protest may cause loss of hardware facilities | Aagedal et al. (2002), Cerullo and Cerullo (2004), Gibb and Buchanan (2006), Nijaz et al. (2011) and Olson and Wu (2010)
Technological (Information systems): Software | Wrong software loaded, loss of customer data privacy/confidentiality, software failure, viruses, worms, cyber-attack, amateur hackers, and political hack or cyber protest may cause loss of software facilities | Cerullo and Cerullo (2004), Gibb and Buchanan (2006) and Olson and Wu (2010)
Technological (Equipment): Losing the equipment | Power outage, explosions (such as gas explosion), pipe bursts (water pipes), fires, machine failure, equipment failure | Cerullo and Cerullo (2004), Gibb and Buchanan (2006), Greenberg et al. (2007) and Shafiee (2014)
Man-made (Sabotage): Terrorism attack | Everything done in order to destroy the assets of the organization (human and financial resources, transportation and information systems), such as bioterrorism, bombing, and missile throwing | Altay and Ramirez (2010), Lavastre et al. (2014), Oke and Gopalakrishnan (2009), Parnell et al. (2010) and Tang (2006)
Man-made (Sabotage): Stealing | The act of stealing the assets of the organization, such as internet thieving and physical thieving |
Man-made (Sabotage): Espionage | The discovering of secrets of the organization | Aagedal et al. (2002) and Cerullo and Cerullo (2004)
Man-made (Sabotage): Bribe, embezzlement and tampering | Trying to make employee(s) of the organization do something wrong by giving them money | Aagedal et al. (2002) and Herbane (2013)
Man-made (Insouciance): Human error, personnel shortfalls and decision-making errors | Something unplanned has been done in the organization that was not intended by the actor or not desired by the rules | Cerullo and Cerullo (2004), Dunjó et al. (2010) and Skogdalen and Vinnem (2011)
Man-made (Insouciance): Insufficient education and knowledge | Acting poorly because of inadequate knowledge and education about tasks | Cerullo and Cerullo (2004), Samantra et al. (2014) and Wreathall (2004)
Man-made (Insouciance): Losing human resources | Risks which cause loss of human resources in the organization, such as resignation, dismissal, and absence of employees |


Table 4. The potential operational risks in service/manufacturing organizations.

Operational risks | Description/examples | References
Supplier risks | Contractual risks with suppliers, transportation uncertainty, misalignment of interests with suppliers, inflexibility in supply | Lockamy (2014) and Manuj and Mentzer (2008)
Internal risks | Credit uncertainty, labor uncertainty, inappropriate staffing, low efficiency and effectiveness, policy fluctuation, process changes, investment risks, changes in the senior managers, lack of technical expertise, change in organization leadership, and financial uncertainty | Finch (2004), Harland et al. (2003) and Ojala and Hallikas (2006)
Environmental risks | Changing social concerns, energy price, globalization, changing the government, fiscal and monetary reforms, innovation by competitors, emerging technology, and negative media and news | Olson and Wu (2010), Trkman and Mccormack (2009)
Market risks | Inadequate knowledge about people and their culture and needs, poor service/product quality, shifts in markets, changes in customer tastes, availability of substitute services/products, scarcity of complementary services/products, service/product obsolescence, increases in service/product price, missing services/products, delay in fulfilling a service/product, service/product liability, error in forecasting the demands, long replenishment times (lack of agility in responding to demand), and lack of user commitment and ineffective communications with customers | Lai and Lau (2012), Lavastre et al. (2014), Lockamy (2014), Manuj and Mentzer (2008) and Tuncel and Alpan (2010)

[Fig. 3 (block diagram): a System subject to Input Uncertainty, Environmental Uncertainty, Uncertainty in Decision Making and Internal Operations, and Output Uncertainty.]

Fig. 3. Sources of uncertainties in a system (adopted from Beyer and Sendhoff, 2007).


Likelihood and impact are two main factors that can describe the level of each risk admissibly. Likelihood is defined as the "chance of risk occurring, whether defined objectively or subjectively, and can be stated quantitatively or qualitatively" (BS25999, 2007). Therefore, in order to estimate the likelihood, historical data and/or experts' subjective judgments could be applied. If enough reliable historical data about the past occurrences of a risk are available, it is better to fit a probabilistic distribution function (PDF), or at least to calculate the past frequency of the risk, to estimate the probability of the risk occurrence. Marhavilas and Koulouriotis (2012) define the frequency factor as f = N/t (where N is the number of similar events which have happened during the time period t) to estimate the frequency of hazards/threats in the industrial environment. Furthermore, by counting frequencies of precursors (e.g. alarms, near misses), putting up an event tree and processing the data with Hierarchical Bayesian Analysis (HBA), the frequency factor of a rare final event can be estimated more accurately (Kelly and Smith, 2009). Nevertheless, if it is not possible to find the probability of a risk using the related PDF or frequency factor due to lack of historical data, the subjective opinions of the experts can be exploited to find the possibility distribution of the risk occurring, using possibility theory as an analogy to probability theory (see for instance Torabi et al., 2015 for more details about possibilistic data). Notably, in this case, subjective probability could also be used as an alternative to the possibility approach by casting experts' subjective judgments directly into subjective probability distributions when there is not enough historical data (see Cooke, 1991 and Goossens et al., 2008 for more details on methods and tools supporting the formal application of experts' judgments).
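As an added illustration of the likelihood branch described above (this is not code from the paper or its case study), the following Python script computes the frequency factor f = N/t from a constructed incident history and falls back to the experts' subjective judgement when the records are too few. The incident lines, the five-record threshold, the conversion of f into a one-year occurrence probability through a Poisson assumption, and the aggregation of expert scores by their mean are all assumptions of this example, not choices made by the authors.

```python
"""Likelihood estimation for the risk analysis step (added example, not the
authors' code).  The incident history, the expert scores and the thresholds
below are constructed for the illustration."""
import math
from datetime import date

# Constructed incident history: one line per past occurrence of a risk.
HISTORY = """\
2013-02-11 hardware_failure
2013-09-03 hardware_failure
2014-05-20 hardware_failure
2014-11-29 cyber_attack
2015-01-17 hardware_failure
2015-08-08 hardware_failure
"""
OBSERVATION = (date(2013, 1, 1), date(2016, 1, 1))  # period t covered by the records
MIN_RECORDS = 5          # assumed threshold below which f = N/t is not trusted
HORIZON_YEARS = 1.0      # planning horizon for the probability (assumption)

# Constructed expert judgements of the possibility of occurrence, in [0, 1]
# (the same scale as sub-factor F6 in Table 6).
EXPERTS = {"cyber_attack": [0.5, 0.45, 0.55, 0.4], "flood": [0.4, 0.5, 0.45]}


def count_events(history, period=OBSERVATION):
    """N per risk: number of recorded occurrences inside the observation period."""
    counts = {}
    for line in history.splitlines():
        day, risk = line.split()
        d = date.fromisoformat(day)
        if period[0] <= d < period[1]:
            counts[risk] = counts.get(risk, 0) + 1
    return counts


def frequency_factor(n_events, period=OBSERVATION):
    """f = N / t (Marhavilas and Koulouriotis, 2012), with t in years."""
    years = (period[1] - period[0]).days / 365.25
    return n_events / years


def likelihood(risk, history=HISTORY, experts=EXPERTS):
    """Return (method, value) for one risk.

    With enough records the frequency factor is converted into the probability
    of at least one occurrence within HORIZON_YEARS, assuming a Poisson process
    (an assumption of this example).  Otherwise the experts' possibility scores
    are aggregated by their plain mean (also an assumption; the paper points to
    possibility theory for this case)."""
    n = count_events(history).get(risk, 0)
    if n >= MIN_RECORDS:
        f = frequency_factor(n)
        return "frequency", 1.0 - math.exp(-f * HORIZON_YEARS)
    if risk in experts:
        scores = experts[risk]
        return "possibility", sum(scores) / len(scores)
    raise ValueError(f"no historical data or expert judgement for {risk}")


if __name__ == "__main__":
    for r in ("hardware_failure", "cyber_attack", "flood"):
        print(r, likelihood(r))
```

In this constructed data, hardware failures have five records and so get a frequency-based value, while the single cyber-attack record and the absent flood records fall through to the experts' possibility scores, which mirrors the "Are statistical data available about risks?" decision of Fig. 2.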

Furthermore, the consequence of a risk is defined as the "results/outcomes of a risk that will have an impact on the organization's goals" (BS25999, 2007). The impact and consequence of a risk can be used interchangeably. In this paper, we use five sub-factors for calculating the impact of a risk, which collectively can estimate the impact factor more accurately than when they are used separately. These are the human and financial losses of the risk, the required cost and time for recovering the organization after the risk occurrence, the capability to bring about other risks, the non-detectability degree of the risk, and the growth rate of the risk. Since each risk may have an impact on the resources of the organization and cause financial or human losses, the cost of the risk occurring is considered as one of the sub-factors of risk impact. Furthermore, each risk may lead to disruption of the organization's activities. The cost and time needed to return the critical activities of the organization to the acceptable operating level should also be considered as another sub-factor of risk impact. Ritchie and Brindley (2007) considered three dimensions for each risk: the likelihood of an event, the consequence of the event, and the causal pathway leading to the event. In contrast to the causal pathway leading to a risk, a risk might itself lead to the occurrence of other risks. Thus, the capability of a risk to bring about other ones should be considered as another sub-factor of risk impact. The World Economic Forum's Global Risks 2015 report (Global Risks 2015, 10th Edition, 2015) also considers the interconnection between risks. If a risk cannot be detected before occurrence, it might bring about a larger impact in comparison with a risk that can be detected easily before occurrence. The detectability degree of each risk helps the organization to react far more favorably. Therefore, it should be considered as another sub-factor of impact. Halliday et al. (1996) consider risk growth as another risk factor. The growth factor shows the possible future developments of a particular risk. A risk with a low growth factor may diminish soon. On the other hand, a risk with low impact but a high growth factor would grow into a larger one. Hence, the growth of a risk is one of the important sub-factors when estimating the risk impact. Table 5 summarizes the considered factors and sub-factors when estimating the risk impact of each identified risk.

Table 5. Risk factors and their sub-factors.

Risk factor | Risk sub-factor | Description of the sub-factor | Reference
Impact | Human and financial losses (F1) | The human and financial losses of risk occurring | It is a new sub-factor
Impact | Recovery cost and time (F2) | The required cost and time to recover the disrupted activities | It is a new sub-factor
Impact | Causal pathway and bringing about other risks (F3) | The degree of bringing about other risks | Feng et al. (2014) and Ritchie and Brindley (2007)
Impact | Non-detectability degree (F4) | The inability to detect and explore the risk before occurrence | FMEA approach
Impact | Growth rate (F5) | The rate of increasing or decreasing the impact of the risk over time | Halliday et al. (1996)
Likelihood | Possibility (F6) | The possibility level of risk occurring according to the subjective experts' opinions when there is not enough historical data | Kangas and Kangas (2004) and Samantra et al. (2014)
Likelihood | Probability (F7) | Probabilistic distribution function or frequency of risk occurring according to the available historical data, or subjective probability according to the subjective experts' judgments when there is not enough historical data | Kangas and Kangas (2004) and Kull and Closs (2008)

In order to calculate the impact of each risk quantitatively, the values of the five aforementioned sub-factors should be calculated first. We have also adopted an effective MADM technique called the Best-Worst Method (BWM), recently developed by Rezaei (2015), to find the weights of these sub-factors (see Appendix A for more details about this approach and its advantages over the well-known AHP method). After calculating the weights of these sub-factors, the impact of each risk is calculated by the well-known weighted sum method (WSM) through formula (1).

$I_i = \sum_{j=1}^{5} w_j \, a_{ij}$ (1)

where $I_i$, $w_j$ and $a_{ij}$ denote the impact of the ith risk, the weight of sub-factor j, and the score of the ith risk with respect to sub-factor j, respectively. Notably, both $w_j$ and $a_{ij}$ values are represented in the interval [0,1], thus $I_i$ values are also calculated in this interval. After estimating the likelihood and impact of each risk according to the aforementioned techniques and information, the risks are then prioritized in the risk evaluation step, which is elaborated in the next section.

3.3. Risk evaluation

After analyzing the likely risks, suitable actions should be selected to tackle them. Generally, there are limited resources to respond to risks in an organization. Therefore, the managers need to know which risks have higher impacts on the organization's goals in order to manage their limited resources when responding to the risks. In this stage, the results of the BIA and RA are merged to identify those risks which may cause a deviation in the organization's goals larger than the pre-determined maximum deviation (i.e. the risk appetite). In addition, finding the relation between the key functions and the identified risks helps the organization to find those risks with adverse effects on the goals and to prepare the required action plans to cope with them.

When a risk occurs, it may cause loss of specific resource(s). When such resource(s) are lost, the operational level of the key functions decreases and some deviations from the organization's goals may occur. To calculate the amount of deviation from the goals, the risks' impacts on resources are considered. A risk may have a high impact and likelihood but no effect on a specific resource (e.g. an earthquake may cause loss of human and financial resources, facilities and equipment, while a cyber-attack may only cause loss of equipment and financial resources). Hence, the effects of identified risks on the organization's resources depend on the vulnerability of those resources. For example, earthquakes with the same impacts and likelihoods may have different effects on the resources of two different organizations. According to the nature of the organization and its geographical location and infrastructure, various resources may be more or less vulnerable to the risks. Thus, the vulnerability of the resources, which shows the effects of risks (i.e. the magnitude of their impacts) on resources, should be considered when evaluating the risks. The effect of the ith risk on the kth resource ($b_{ik}$) is obtained by multiplying three parameters: the impact and likelihood of the ith risk, and the vulnerability level of the kth resource to the ith risk. Therefore, the lost amount of the kth resource after occurrence of the ith risk is calculated by Eq. (2).

$b_{ik} = h_{ik} \cdot I_i \cdot L_i \quad \forall i, k$ (2)

where $h_{ik}$, $I_i$ and $L_i$ represent the vulnerability level of the kth resource to the ith risk, the impact of the ith risk and the likelihood of the ith risk, respectively. Noteworthy, impact can easily be misunderstood as comprising the damage to a receptor, but we assume it is restricted to a potentially damaging mechanism.

Finding the key functions' importance degrees is a critical activity in implementing BCMS in an organization. Torabi et al. (2014) defined ten measures to identify key functions in an organization. Also, they applied a combined technique of DEMATEL and ANP to consider the interrelationships between them. Their approach can be applied as a tool to find the importance degrees of the key functions. Furthermore, the importance degrees of the organization's goals can be estimated through applying the BWM method. For this, the organization's goals are first defined by top managers. Then, the best and the worst (i.e. the most and the least important) goals are identified by using their opinions. Afterwards, the preference of the best goal over other goals and the preference of all goals over the worst goal are gathered through their opinions. Finally, the importance degrees of the organization's goals are estimated by the BWM method.

After finding the importance degrees of the organization's goals, the maximum tolerable reduction in attaining each pre-defined goal is determined by the top managers' professional opinions. Then, the well-known WSM method is applied to find the risk appetite (in percentage).

Now, according to the BIA outputs (i.e. key functions and their continuity measures), the risk appetite and the key functions' importance degrees, the deviation of the organization's goals after a risk occurrence is calculated by Eq. (3). In this equation, $p_i$ shows the deviation of the organization's goals after the ith risk occurrence.

$p_i = \sum_{j} \sum_{g} v'_g \, v_{jg} \cdot \max_{k \in K_j} \{ b_{ik} \} \quad \forall i, k$ (3)

where $K_j$ is the set of resources required for performing the key functions that are needed to achieve the pre-defined goals. Also, $v'_g$ and $v_{jg}$ are the importance degrees of the gth organizational goal and of the jth key function in attaining that goal, respectively.

One of the important steps in the BIA process is to find the key functions of the organization and their related activities. Losing resources after a risk occurrence leads to a degradation in the operating level of the key functions, which in turn leads to deviations of the organization's goals. Furthermore, organizations should determine the risk appetite for their goals, which indicates their maximum tolerable reduction in attaining the pre-defined goals; i.e., a deviation of the organization's goals is acceptable whenever it is less than the risk appetite. Fig. 4 indicates the hierarchical relationships between the risks, organizational resources, key functions, and the organization's goals. Occurrence of any threat (defined as a disruption or operational risk in this paper) may cause loss of specific organizational resource(s), which in turn reduces the operating levels of those key functions that use these resources. Then, according to the importance weights of the key functions, the organization's goals may face considerable deviations after the risk occurs. For example, a supplier risk (e.g. an increase in the lead time of supplying a raw material) may decrease the operating level of the production line compared to its pre-defined schedule, so the organization may not fulfill customer demand completely. Consequently, some goals of the organization (e.g. increasing the satisfaction level of customers and increasing the market share) would deviate.

[Fig. 4 (hierarchy diagram): disruption and operational risks R1, R2, R3, ..., Ri act on the organization's Resources; the resources support the Key functions F1, F2, ..., Fj; the key functions contribute, with weights v_1g, v_2g, ..., v_jg, to the Organization's Goals G1, G2, ..., Gg.]

Fig. 4. Relationships between operational and disruption risks, organizational resources, key functions, and the goals of an organization.
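The following Python script, added here as an illustration (it is not code from the paper or its case study), carries Eqs. (1)–(3) through for three of the risks of Table 6 (R18–R20, realistic-scenario scores) and then applies the risk-appetite test of this section. The sub-factor weights, the resource list and the vulnerabilities h_ik, the goals, the key functions, their importance degrees v'_g and v_jg, and the risk appetite are all constructed placeholders; the BWM weights of the case study are not reproduced here.

```python
"""Worked example of Eqs. (1)-(3) and the risk-appetite test (added example,
not the authors' code).  Sub-factor scores for R18-R20 are the realistic
scenario of Table 6; every other number is a constructed placeholder."""

# Realistic-scenario scores from Table 6: (a_i1..a_i5 for F1..F5, likelihood F6).
RISKS = {
    "R18 Hardware failure": ([0.5, 0.6, 0.4, 0.3, 0.3], 0.20),
    "R19 Viruses":          ([0.7, 0.6, 0.6, 0.5, 0.4], 0.45),
    "R20 Cyber-attack":     ([0.7, 0.7, 0.6, 0.6, 0.6], 0.49),
}

# Sub-factor weights w_j for F1..F5 (constructed stand-in for the BWM output;
# they lie in [0,1] and sum to 1, so I_i stays in [0,1] as the paper requires).
W = [0.35, 0.25, 0.15, 0.15, 0.10]

# Resources k and vulnerability h_ik of each resource to each risk (constructed).
RESOURCES = ["staff", "equipment", "data", "budget"]
H = {
    "R18 Hardware failure": [0.0, 0.9, 0.4, 0.3],
    "R19 Viruses":          [0.1, 0.5, 0.9, 0.4],
    "R20 Cyber-attack":     [0.2, 0.7, 1.0, 0.6],
}

# Goals g with importance v'_g, and key functions j with their resource set K_j
# and importance v_jg in each goal (all constructed).
GOALS = {"G1 service availability": 0.6, "G2 public trust": 0.4}
KEY_FUNCTIONS = {
    "F1 emergency dispatch": ({"staff", "equipment"},
                              {"G1 service availability": 0.7, "G2 public trust": 0.3}),
    "F2 public information": ({"data", "equipment"},
                              {"G1 service availability": 0.3, "G2 public trust": 0.7}),
}
RISK_APPETITE = 0.25  # maximum tolerable goal deviation (constructed)


def impact(scores, weights=W):
    """Eq. (1): I_i = sum_j w_j * a_ij (weighted sum method)."""
    return sum(w * a for w, a in zip(weights, scores))


def resource_loss(risk):
    """Eq. (2): b_ik = h_ik * I_i * L_i for every resource k."""
    scores, likelihood = RISKS[risk]
    i_i = impact(scores)
    return {k: h * i_i * likelihood for k, h in zip(RESOURCES, H[risk])}


def goal_deviation(risk):
    """Eq. (3): p_i = sum_j sum_g v'_g * v_jg * max_{k in K_j} b_ik."""
    b = resource_loss(risk)
    total = 0.0
    for resource_set, v_jg in KEY_FUNCTIONS.values():
        worst_loss = max(b[k] for k in resource_set)
        total += sum(GOALS[g] * v_jg[g] for g in GOALS) * worst_loss
    return total


def evaluate(appetite=RISK_APPETITE):
    """Risk evaluation step: a risk whose deviation p_i exceeds the risk
    appetite needs a BC plan; the others are accepted and controlled."""
    result = {}
    for risk in RISKS:
        p = goal_deviation(risk)
        result[risk] = (p, p > appetite)
    return result


if __name__ == "__main__":
    for risk, (p, needs_plan) in evaluate().items():
        print(f"{risk}: p_i = {p:.4f}, BC plan needed = {needs_plan}")
```

With these placeholder inputs only the cyber-attack exceeds the appetite, and it does so through the "data" resource: it is the resource with the highest vulnerability that drives each key function's term in Eq. (3), which is why the max over K_j, rather than a sum, is the right aggregation.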

For those risks whose $p_i$ is more than the risk appetite, suitable response (i.e., continuity) plans should be proposed. Other risks are accepted since they produce a smaller deviation than the organization's risk appetite. Nevertheless, these risks should be brought under control to prevent a likely deviation. Taking corrective actions when needed, training employees, improving processes, and utilizing new technologies are some examples of controlling such risks.

3.4. Risk response planning

Risk response planning is the implementation of the decisions (i.e. response plans) obtained from the risk assessment/evaluation phase. Responding to the risks is divided into two stages. At the first stage, those risks that might cause deviation in the organization's goals and have great effects on the key functions should be responded to properly through invoking BCPs. Moreover, in the second stage, risk response strategies (e.g. transfer and mitigation) can be applied to cope with low-impact, medium- or high-likelihood risks.

BCPs (i.e. risk response plans) are applied to resume and restore the critical functions of the organization after the occurrence of a risk that may cause deviation in the organization's goals. Thus, these risks should be properly responded to in order to ensure continuation of the key operations at least at the minimum acceptable operating level (i.e., MBCO) immediately after a risk occurrence and within the maximum acceptable time (i.e., MTPD), through utilizing appropriate BCPs. Noteworthy, MBCO is defined as the minimum acceptable operating level of the key functions of the organization. In addition, MTPD is defined as the maximum period of time for which the key functions can be interrupted, after which the key functions should be resumed at least at the level of MBCO ("ISO 22301," 2012). Both MBCO and MTPD should be defined for the organization's key functions. In order to prepare BCPs, two essential measures should be considered: first, the minimum required resources to continue the key functions at the pre-defined MBCO level, and second, the time required to prepare the needed resources. If the resources remaining after a risk occurrence are less than the amount required for MBCO, the required excess resources should be prepared by invoking appropriate plans. The minimum necessary resources after a risk occurrence can be calculated by Eq. (4).

$w_{ijk} = \max\{0, (MBCO_{jk} + h_{ik} \cdot I_i - 1) \cdot s_{jk}\} \quad \forall j, k, \; i \in f_i$ (4)

where $f_i$ is the set of risks which cause deviation in the organization's goals; $w_{ijk}$ denotes the amount of the kth resource needed for resuming the jth key function at the level of $MBCO_{jk}$ after occurrence of the ith risk; $MBCO_{jk}$ denotes the minimum acceptable level of resuming the jth key function with respect to the kth resource; and $s_{jk}$ designates the total amount of the kth resource for accomplishing the jth key function. As mentioned earlier, the organization has limited time to recover the jth key function to the MBCO level (up to $MTPD_j$). Therefore, the required resources for the jth key function should be prepared before reaching $MTPD_j$.

Cost-benefit analysis is one of the approaches that could be adopted to analyze the risk response plans. Balancing costs and benefits assists the organization in selecting the appropriate strategies to provide the needed resources. In this way, according to the MTPDs and the cost-benefit analysis, the best strategies for providing the required resources should be selected among the candidate ones. The resources needed for resuming a specific key function, when it is disrupted, should be prepared earlier than the related MTPD. So, when is the best time for preparing the resources while considering the cost-benefit analysis? As mentioned before, finding the optimal time for preparing the needed resources is the crucial question that should be answered. The results of the cost-benefit analysis of the candidate strategies help the BCM team to find the best strategies to prepare the needed resources for the recovery of disrupted key functions. Providing the required resources immediately after a risk occurrence needs high expenditure. For example, the organization would have to keep reserved (backup) skillful staff members to substitute for lost staff, which means keeping two people for a specific key function. This causes high expenditure and is an ineffective risk management process. Therefore, finding the feasible time for preparing the required resources after the risk occurrence is an important issue. Fig. 5 indicates that selecting the best response strategy to cope with a specific risk depends upon the cost-benefit analysis of the strategies and the MTPD of the affected key functions.

As the strategies' graph in Fig. 5 shows, the benefit-cost of some candidates is negative. Therefore, these strategies cannot be used to prepare the needed resources. The required time for preparing resources is the key element in putting forward BCPs. Preparing the needed resources immediately after a risk occurrence is usually expensive, which is not economically feasible. In this case, the required resources should be reserved earlier to some extent. Suppose that some of the organization's experts might be lost due to an earthquake with a high impact. In this case, some of the following candidate strategies might be selected to provide the needed human resources in response to such a risk.

• Training reserved (backup) skillful staff members to be able to immediately substitute them for the lost people.

• Recruiting new skillful staff and using them instead of the lost people.

• Training semi-skilled people and substituting them for the lost people after a while.

The required time and cost for each aforementioned strategy differ from the other choices. The benefit-cost of the first strategy would be negative, but the required time for resource preparation is approximately zero. Furthermore, the benefit-cost of the second and third strategies would be positive, and the required time for resource preparation for both of them will be less than the MTPD of the key functions.

Benefit-cost analysis provides the minimum required time for preparing resources. As shown in Fig. 5, t* indicates the time after which the benefit-cost of the candidate strategies is positive. Therefore, those strategies whose required time for preparing resources is more than t* could be considered as the appropriate choices. Also, the MTPD of the key functions is considered as the upper bound for the resource preparation time. Therefore, those strategies whose required times for preparing resources are between t* and MTPD constitute the feasible choices.

[Fig. 5 (graph): benefit-cost and needed resource plotted against time after risk occurrence, with t*, the MTPD, the MBCO resource level and the accepted time window for strategy selection marked.]

Fig. 5. Selecting strategies based on the benefit-cost analysis and MTPD of key functions.
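As an added example (not the authors' code), the script below applies Eq. (4) to one key function and one resource and then applies the selection rule of this section: a candidate strategy is feasible only if its benefit-cost is positive and its preparation time lies between t* and MTPD_j. Here t* is taken as the shortest preparation time among the candidates with positive benefit-cost, which is a simplification of reading t* off the curve of Fig. 5; the MBCO, s_jk and MTPD values and the four candidate strategies (modelled on the three examples in the text plus one that is too slow) are constructed.

```python
"""Eq. (4) and the t*/MTPD strategy-selection rule of Section 3.4 (added
example, not the authors' code).  All numbers are constructed placeholders."""

# Profile of one key function j and one resource k (constructed).
PROFILE = {
    "mbco": 0.6,       # MBCO_jk: minimum acceptable operating level of function j
    "total": 20,       # s_jk: total amount of resource k used by function j (20 staff)
    "mtpd_hours": 72,  # MTPD_j: maximum tolerable period of disruption
}

# Candidate strategies for preparing the resource (constructed):
# (name, preparation time in hours after the risk occurs, benefit-cost).
STRATEGIES = [
    ("backup staff on standby",      0, -1.5),   # immediate but economically infeasible
    ("recruit new skilled staff",   48,  0.8),
    ("train semi-skilled staff",    60,  1.2),
    ("outsource after the fact",   120,  2.0),   # positive benefit-cost, but later than MTPD
]


def needed_resource(mbco, total, h_ik, impact_i):
    """Eq. (4): w_ijk = max{0, (MBCO_jk + h_ik * I_i - 1) * s_jk}.

    h_ik * I_i is the fraction of the resource lost to risk i, so 1 - h_ik * I_i
    remains; the shortfall against MBCO_jk, scaled by s_jk, is what must be prepared."""
    return max(0.0, (mbco + h_ik * impact_i - 1.0) * total)


def feasible_window(strategies, mtpd):
    """t* = earliest preparation time with positive benefit-cost (assumption of this
    example); feasible strategies have positive benefit-cost and t* <= t < MTPD_j."""
    positive_times = [t for _, t, bc in strategies if bc > 0]
    if not positive_times:
        return None, []
    t_star = min(positive_times)
    feasible = [(n, t, bc) for n, t, bc in strategies if bc > 0 and t_star <= t < mtpd]
    return t_star, feasible


def plan(h_ik, impact_i, profile=PROFILE, strategies=STRATEGIES):
    """Decide how much of the resource must be prepared and by which strategy.
    A w_ijk of zero means the remaining resource already covers MBCO, so the risk
    is handled by transfer/mitigation/avoidance rather than a resource plan."""
    needed = needed_resource(profile["mbco"], profile["total"], h_ik, impact_i)
    if needed == 0:
        return {"needed": 0.0, "t_star": None, "chosen": None}
    t_star, feasible = feasible_window(strategies, profile["mtpd_hours"])
    chosen = max(feasible, key=lambda s: s[2]) if feasible else None
    return {"needed": needed, "t_star": t_star, "chosen": chosen}


if __name__ == "__main__":
    print(plan(h_ik=1.0, impact_i=0.66))   # resource fully exposed to a high-impact risk
    print(plan(h_ik=0.3, impact_i=0.66))   # mild exposure: nothing to prepare
```

In the first call the backup-staff option is excluded by its negative benefit-cost and the outsourcing option by exceeding MTPD, leaving the two recruiting/training strategies, of which the better benefit-cost is chosen; the second call shows the w = 0 case discussed in the next paragraph.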

Transferring (e.g. insurance), mitigating (e.g. alleviating the likelihood and impact of the risks), and avoiding (e.g. removing the sources of risks) are some response plans to deal with risks causing deviation in the organization's goals even though the amount of w for these risks might be zero; that is, after the occurrence of these risks, the resources remaining to resume the key functions do not fall below the level required for MBCO. These types of risks have low impact with high or medium likelihood, and also affect the organization's goals more than the risk appetite. Based on the nature of the risks and the budget assigned to the risk management response plans, risk response plans could be invoked to cope with them. Suppose that error in demand forecasting is frequent and its impact on the organization's goals is more than the risk appetite. Then, for coping with this risk, an avoiding strategy (e.g. changing or improving the current demand forecasting approach) can be applied.

4. Case study

In this section, the proposed RA framework is calibrated by applying it to a real service organization, named organization X here (due to confidentiality), which is in charge of disaster management services in the city of Tehran. Noteworthy, validation requires more than just a case study, while calibration can be addressed via an application to a single case study (Campbell and Stanley, 1963).

This organization has around 100 employees. BCMS has recently been implemented in the organization due to the importance of continuity of the organization's key functions after any risk occurrence. The proposed RA framework with its suggested analytical techniques is applied to enhance and facilitate conducting the risk assessment process within the BCMS context in the organization, whose details are elaborated hereafter.

4.1. Identifying the risks

In order to identify the potential risks threatening the organization X, a questionnaire was designed and eight experts, including four top managers of the organization plus four experts, were asked

[Figure (not reproduced). Caption fragment as extracted: "…t-cost analysis and MTPD of key functions." Axes: Resource (vertical) vs. Time (horizontal, ticks 10–18 weeks); the MBCO level, the MTPD and the time for strategy selection are marked.]


Table 6. The impact and likelihood of identified risks in organization X.
For each scenario (pessimistic | realistic | optimistic) the columns are the impact sub-factors F1 F2 F3 F4 F5 followed by the likelihood (F6).

Risk | Pessimistic: F1 F2 F3 F4 F5 F6 | Realistic: F1 F2 F3 F4 F5 F6 | Optimistic: F1 F2 F3 F4 F5 F6
Epidemic (R1) | 0.8 0.6 0.9 0.8 0.9 0.65 | 0.7 0.5 0.8 0.7 0.8 0.56 | 0.6 0.5 0.7 0.6 0.7 0.41
Earthquake (R2) | 0.6 0.7 0.8 0.9 0.3 0.65 | 0.5 0.6 0.7 0.8 0.3 0.57 | 0.5 0.5 0.6 0.7 0.2 0.37
Flood (R3) | 0.7 0.6 0.4 0.3 0.3 0.57 | 0.6 0.5 0.3 0.3 0.3 0.43 | 0.5 0.5 0.3 0.2 0.2 0.28
Lightning (R4) | 0.5 0.4 0.3 0.8 0.3 0.48 | 0.4 0.3 0.3 0.7 0.3 0.38 | 0.4 0.3 0.2 0.6 0.2 0.13
Tornadoes (R5) | 0.6 0.6 0.3 0.5 0.3 0.48 | 0.5 0.5 0.3 0.4 0.3 0.39 | 0.5 0.5 0.2 0.4 0.2 0.18
War (R6) | 0.8 0.6 0.7 0.3 0.3 0.39 | 0.7 0.5 0.6 0.3 0.3 0.29 | 0.6 0.5 0.5 0.2 0.2 0.19
Strike (R7) | 0.6 0.5 0.9 0.3 0.8 0.59 | 0.5 0.4 0.8 0.3 0.7 0.42 | 0.5 0.4 0.7 0.2 0.6 0.23
Riot (R8) | 0.5 0.5 0.6 0.3 0.5 0.58 | 0.4 0.4 0.5 0.3 0.4 0.49 | 0.4 0.4 0.4 0.2 0.4 0.37
Labor unrest (R9) | 0.6 0.6 0.5 0.3 0.6 0.49 | 0.5 0.5 0.4 0.2 0.5 0.39 | 0.4 0.4 0.3 0.2 0.4 0.27
Breaking the contracts by suppliers (R10) | 0.3 0.5 0.4 0.5 0.3 0.37 | 0.2 0.4 0.3 0.4 0.2 0.28 | 0.2 0.3 0.3 0.3 0.2 0.17
Purchasing poor quality products (R11) | 0.3 0.5 0.7 0.3 0.3 0.39 | 0.2 0.4 0.6 0.2 0.2 0.21 | 0.2 0.3 0.5 0.2 0.2 0.17
Changes in legislation (R12) | 0.3 0.3 0.6 0.3 0.3 0.38 | 0.2 0.2 0.5 0.2 0.2 0.29 | 0.2 0.2 0.4 0.2 0.2 0.19
Sanctions (R13) | 0.8 0.8 0.6 0.1 0.6 0.67 | 0.7 0.7 0.5 0.1 0.5 0.50 | 0.5 0.5 0.4 0.1 0.4 0.39
Fluctuation in the foreign exchange rates (R14) | 0.5 0.5 0.5 0.4 0.3 0.55 | 0.4 0.4 0.4 0.3 0.2 0.40 | 0.3 0.3 0.3 0.3 0.2 0.31
Inflation (R15) | 0.6 0.4 0.5 0.3 0.5 0.59 | 0.5 0.3 0.4 0.2 0.4 0.45 | 0.4 0.3 0.3 0.2 0.3 0.22
Changing the labor rules (R16) | 0.3 0.3 0.3 0.4 0.3 0.37 | 0.2 0.2 0.2 0.3 0.2 0.26 | 0.2 0.2 0.2 0.3 0.2 0.14
Demands fluctuation (R17) | 0.4 0.3 0.6 0.6 0.4 0.77 | 0.3 0.2 0.5 0.5 0.3 0.51 | 0.3 0.2 0.4 0.4 0.3 0.36
Hardware failure (R18) | 0.6 0.7 0.5 0.4 0.4 0.44 | 0.5 0.6 0.4 0.3 0.3 0.20 | 0.4 0.5 0.3 0.3 0.3 0.11
Viruses (R19) | 0.8 0.7 0.7 0.6 0.5 0.69 | 0.7 0.6 0.6 0.5 0.4 0.45 | 0.5 0.5 0.5 0.4 0.3 0.29
Cyber-attack (R20) | 0.9 0.8 0.7 0.7 0.7 0.53 | 0.7 0.7 0.6 0.6 0.6 0.49 | 0.6 0.5 0.5 0.5 0.5 0.38
Disruption in the communication ways (R21) | 0.4 0.3 0.3 0.3 0.5 0.78 | 0.3 0.2 0.2 0.2 0.4 0.50 | 0.3 0.2 0.2 0.2 0.3 0.38
Loss of customer data privacy (R22) | 0.6 0.6 0.4 0.3 0.3 0.68 | 0.5 0.5 0.3 0.2 0.2 0.40 | 0.4 0.4 0.3 0.2 0.2 0.24
Power outage (R23) | 0.8 0.7 0.7 0.4 0.4 0.49 | 0.7 0.6 0.6 0.3 0.3 0.32 | 0.5 0.5 0.5 0.3 0.3 0.18
Explosions (R24) | 0.7 0.7 0.6 0.5 0.4 0.39 | 0.6 0.6 0.5 0.4 0.3 0.28 | 0.5 0.5 0.4 0.3 0.3 0.16
Fires (R25) | 0.8 0.7 0.5 0.7 0.5 0.58 | 0.7 0.6 0.4 0.6 0.4 0.38 | 0.5 0.5 0.3 0.5 0.3 0.21
Equipment failure (R26) | 0.5 0.5 0.5 0.3 0.3 0.58 | 0.4 0.4 0.4 0.2 0.2 0.45 | 0.3 0.3 0.3 0.2 0.2 0.28
Bioterrorism (R27) | 0.7 0.6 0.5 0.6 0.5 0.57 | 0.6 0.5 0.4 0.5 0.4 0.40 | 0.5 0.4 0.3 0.4 0.3 0.23
Bombing (R28) | 0.7 0.8 0.6 0.7 0.6 0.54 | 0.6 0.6 0.5 0.6 0.5 0.31 | 0.5 0.5 0.4 0.5 0.4 0.29
Stealing (R29) | 0.6 0.4 0.3 0.4 0.3 0.69 | 0.5 0.3 0.2 0.3 0.2 0.43 | 0.4 0.3 0.2 0.3 0.2 0.32
Espionage (R30) | 0.5 0.5 0.4 0.3 0.4 0.44 | 0.4 0.4 0.3 0.2 0.3 0.39 | 0.3 0.3 0.3 0.2 0.3 0.256
Bribe (R31) | 0.4 0.3 0.4 0.3 0.5 0.38 | 0.3 0.2 0.3 0.2 0.4 0.29 | 0.3 0.2 0.3 0.2 0.3 0.16
Human error (R32) | 0.7 0.6 0.5 0.4 0.3 0.89 | 0.6 0.5 0.4 0.3 0.2 0.59 | 0.5 0.4 0.3 0.3 0.2 0.37
Decision making errors (R33) | 0.5 0.5 0.6 0.3 0.3 0.68 | 0.4 0.4 0.5 0.2 0.2 0.52 | 0.3 0.3 0.4 0.2 0.2 0.47
Insufficient knowledge (R34) | 0.5 0.4 0.4 0.4 0.5 0.48 | 0.4 0.3 0.3 0.3 0.4 0.36 | 0.3 0.3 0.3 0.3 0.3 0.28
Absence of the employees (R35) | 0.4 0.4 0.4 0.3 0.3 0.79 | 0.5 0.3 0.3 0.2 0.2 0.55 | 0.4 0.3 0.3 0.2 0.2 0.34
Resignation of the employees (R36) | 0.6 0.5 0.5 0.4 0.4 0.59 | 0.5 0.4 0.4 0.3 0.3 0.45 | 0.4 0.3 0.3 0.3 0.3 0.35
Transportation uncertainty (R37) | 0.4 0.3 0.3 0.3 0.3 0.37 | 0.3 0.2 0.2 0.2 0.2 0.29 | 0.3 0.2 0.2 0.2 0.2 0.19
Misalignment of interest with supplier (R38) | 0.3 0.3 0.4 0.5 0.4 0.39 | 0.2 0.2 0.3 0.4 0.3 0.21 | 0.2 0.2 0.3 0.3 0.3 0.15
Contractual risks with supplier (R39) | 0.5 0.4 0.5 0.3 0.3 0.37 | 0.4 0.3 0.4 0.2 0.2 0.25 | 0.3 0.3 0.3 0.2 0.2 0.11
Inappropriate staffing (R40) | 0.4 0.5 0.7 0.4 0.5 0.59 | 0.3 0.4 0.6 0.3 0.4 0.35 | 0.2 0.3 0.4 0.2 0.3 0.17
Policy fluctuation (R41) | 0.5 0.4 0.6 0.4 0.3 0.69 | 0.4 0.3 0.5 0.3 0.2 0.45 | 0.3 0.2 0.4 0.2 0.2 0.25
Lack of technical expertise (R42) | 0.7 0.6 0.5 0.3 0.3 0.54 | 0.6 0.5 0.4 0.2 0.2 0.45 | 0.4 0.4 0.3 0.2 0.2 0.38
Financial uncertainty (R43) | 0.5 0.4 0.4 0.3 0.3 0.48 | 0.4 0.3 0.3 0.2 0.2 0.36 | 0.3 0.2 0.2 0.2 0.2 0.23
Poor service quality (R44) | 0.4 0.3 0.3 0.3 0.4 0.64 | 0.3 0.2 0.2 0.2 0.3 0.47 | 0.2 0.2 0.2 0.2 0.2 0.37
Shifts in markets (R45) | 0.5 0.4 0.4 0.6 0.3 0.68 | 0.4 0.3 0.3 0.5 0.2 0.58 | 0.3 0.2 0.2 0.4 0.2 0.25
Changes in customer tastes (R46) | 0.4 0.3 0.5 0.5 0.4 0.67 | 0.3 0.2 0.4 0.4 0.3 0.49 | 0.3 0.2 0.3 0.3 0.3 0.31
Missing services (R47) | 0.4 0.3 0.3 0.5 0.3 0.59 | 0.3 0.2 0.2 0.4 0.2 0.31 | 0.3 0.2 0.2 0.3 0.2 0.20
Delay in fulfilling a service (R48) | 0.5 0.3 0.4 0.4 0.3 0.49 | 0.4 0.2 0.3 0.3 0.2 0.32 | 0.3 0.2 0.3 0.3 0.2 0.10
Error in forecasting the demands (R49) | 0.6 0.4 0.5 0.5 0.5 0.64 | 0.5 0.3 0.4 0.4 0.4 0.43 | 0.4 0.3 0.3 0.3 0.3 0.20
Ineffective communications with customers (R50) | 0.4 0.3 0.3 0.3 0.4 0.58 | 0.3 0.2 0.2 0.2 0.3 0.48 | 0.3 0.2 0.2 0.2 0.3 0.25

S.A. Torabi et al. / Safety Science 89 (2016) 201–218 211

to fill out the questionnaire. Identified risks were then categorized into two main groups (i.e. disruption and operational risks). Among the potential disruption and operational risks in service organizations, which have already been presented in Tables 3 and 4, fifty risks threatening the organization X are presented in Table 6. As was confirmed by the organization's managers, Tables 3 and 4 were very helpful in identifying the disruption and operational risks in this organization.

4.2. Analyzing the risks

According to the organization's conditions and the nature of the identified risks, the impact and likelihood of each risk can differ according to its scale of occurrence. For example, an earthquake, according to its scale, may have low, medium or high impact. Therefore, three scenarios, including the optimistic, realistic, and pessimistic scenarios, are generated to measure the impact and likelihood of each risk at its different scales of occurrence (Sahebjamnia et al., 2015). Defining these scenarios helps top management to have comprehensive insight about the likelihood and impact of risks in different situations. In order to analyze the risks, a questionnaire was designed and eight experts, including the four top managers and four middle managers, were asked to fill out the questionnaire. These experts' judgments about the sub-factors of the risks' impacts and likelihoods in each scenario were gathered in the form of linguistic terms, which were then transformed to their numerical equivalents by associating each linguistic term with a trapezoidal fuzzy number (TFN) (see Appendix B for more details). Also, the well-known center of area (COA) method was used to defuzzify these TFNs. After this defuzzification and estimating the amount of each sub-factor, the impact of each risk was finally calculated by the WSM method through formula (1). Furthermore, the weights of the sub-factors (including F1 to F5 defined in Table 2) were computed using the BWM


Table 7. Impact of identified risks in each scenario.

Risk | Impact: Pessimistic Realistic Optimistic | Risk | Impact: Pessimistic Realistic Optimistic
R1 | 0.78 0.68 0.61 | R26 | 0.45 0.35 0.28
R2 | 0.65 0.56 0.50 | R27 | 0.60 0.50 0.40
R3 | 0.53 0.45 0.39 | R28 | 0.69 0.57 0.47
R4 | 0.44 0.37 0.33 | R29 | 0.43 0.33 0.30
R5 | 0.49 0.43 0.39 | R30 | 0.45 0.35 0.29
R6 | 0.61 0.54 0.46 | R31 | 0.38 0.28 0.27
R7 | 0.63 0.54 0.50 | R32 | 0.55 0.45 0.38
R8 | 0.50 0.41 0.38 | R33 | 0.47 0.37 0.29
R9 | 0.55 0.45 0.36 | R34 | 0.45 0.35 0.30
R10 | 0.39 0.29 0.25 | R35 | 0.44 0.34 0.31
R11 | 0.42 0.32 0.28 | R36 | 0.51 0.41 0.33
R12 | 0.35 0.25 0.24 | R37 | 0.33 0.23 0.23
R13 | 0.67 0.58 0.43 | R38 | 0.35 0.25 0.24
R14 | 0.46 0.36 0.29 | R39 | 0.43 0.33 0.28
R15 | 0.49 0.39 0.32 | R40 | 0.49 0.39 0.28
R16 | 0.31 0.21 0.21 | R41 | 0.46 0.36 0.27
R17 | 0.43 0.33 0.30 | R42 | 0.54 0.44 0.33
R18 | 0.56 0.46 0.38 | R43 | 0.41 0.31 0.23
R19 | 0.70 0.60 0.46 | R44 | 0.35 0.25 0.20
R20 | 0.79 0.66 0.53 | R45 | 0.44 0.34 0.25
R21 | 0.36 0.26 0.25 | R46 | 0.40 0.30 0.28
R22 | 0.49 0.39 0.33 | R47 | 0.35 0.25 0.24
R23 | 0.66 0.56 0.45 | R48 | 0.39 0.29 0.26
R24 | 0.62 0.52 0.43 | R49 | 0.51 0.41 0.33
R25 | 0.67 0.57 0.44 | R50 | 0.35 0.25 0.25

Table 8. Vulnerability of the resources to the risks.

Risk | Human resources, Financial resources, Facilities, Equipment | Risk | Human resources, Financial resources, Facilities, Equipment
R1 | 1 – – – | R26 | – 0.6 – 1
R2 | 1 1 1 1 | R27 | 1 – – –
R3 | 1 1 1 1 | R28 | 1 1 1 1
R4 | 0.3 0.6 0.7 1 | R29 | – 1 – –
R5 | 0.1 0.7 0.3 0.3 | R30 | – 1 – –
R6 | 1 1 1 0.7 | R31 | – 1 – –
R7 | 1 1 – – | R32 | 1 1 – 1
R8 | 1 1 – – | R33 | 1 1 – 1
R9 | 0.7 0.8 – – | R34 | – 1 – –
R10 | – 1 – – | R35 | 1 0.5 – –
R11 | – 1 – 0.5 | R36 | 1 0.7 – –
R12 | 0.3 0.8 – – | R37 | – 1 – –
R13 | – 1 – – | R38 | – 1 – –
R14 | – 1 – – | R39 | – 1 – –
R15 | – 1 – – | R40 | 1 1 – 1
R16 | 0.6 0.5 – – | R41 | – 1 – –
R17 | – 1 – – | R42 | 1 0.6 – 0.3
R18 | – 0.4 – 1 | R43 | – 1 – –
R19 | – 0.7 – 1 | R44 | – 0.4 – –
R20 | – 1 – 1 | R45 | – 0.6 – –
R21 | – 0.7 – 0.6 | R46 | – 0.7 – –
R22 | – 1 – – | R47 | – 1 – –
R23 | – 0.5 – 1 | R48 | – 1 – –
R24 | 0.8 0.8 1 1 | R49 | – 1 – –
R25 | 1 1 1 1 | R50 | – 0.3 – –


method as (w1 = 0.33, w2 = 0.25, w3 = 0.18, w4 = 0.10, w5 = 0.14) (see Appendix C). Table 6 shows the detailed data pertaining to the risk factors of the identified risks in each scenario. Noteworthy, the values of the impact's sub-factors in each scenario are the defuzzified values of the related linguistic terms. Furthermore, among the possible risks, those related to human and industrial safety (such as explosions, fires, human errors and decision making errors) deserve special attention when implementing a BCMS within an organization.

After estimating the importance degrees of the impact's sub-factors using the BWM method, the impact of each risk in each scenario is calculated through Eq. (1) (see Table 7).
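The aggregation just described can be checked against the published tables. The following Python is an added example, not the paper's code: it applies Eq. (1) as the weighted sum of the five sub-factors with the BWM weights given above to four rows copied from Table 6 and compares the result with Table 7; that Eq. (1) is the plain weighted sum of the WSM is taken from the text's description of the step.

```python
"""Eq. (1): weighted-sum (WSM) impact of a risk from its five sub-factors F1..F5.

Added example; sub-factor values are copied from Table 6 of the paper
(organization X) and the BWM weights from Section 4.2 / Appendix C. The sixth
value of each Table 6 row (likelihood) is kept but not used by Eq. (1).
"""
from typing import Dict, List, Tuple

# BWM weights of the impact sub-factors F1..F5 (Appendix C).
BWM_WEIGHTS: List[float] = [0.33, 0.25, 0.18, 0.10, 0.14]

SCENARIOS = ("pessimistic", "realistic", "optimistic")

# Rows of Table 6: per scenario, (F1, F2, F3, F4, F5, likelihood).
TABLE6: Dict[str, Dict[str, Tuple[float, ...]]] = {
    "R1 Epidemic": {
        "pessimistic": (0.8, 0.6, 0.9, 0.8, 0.9, 0.65),
        "realistic":   (0.7, 0.5, 0.8, 0.7, 0.8, 0.56),
        "optimistic":  (0.6, 0.5, 0.7, 0.6, 0.7, 0.41),
    },
    "R2 Earthquake": {
        "pessimistic": (0.6, 0.7, 0.8, 0.9, 0.3, 0.65),
        "realistic":   (0.5, 0.6, 0.7, 0.8, 0.3, 0.57),
        "optimistic":  (0.5, 0.5, 0.6, 0.7, 0.2, 0.37),
    },
    "R19 Viruses": {
        "pessimistic": (0.8, 0.7, 0.7, 0.6, 0.5, 0.69),
        "realistic":   (0.7, 0.6, 0.6, 0.5, 0.4, 0.45),
        "optimistic":  (0.5, 0.5, 0.5, 0.4, 0.3, 0.29),
    },
    "R20 Cyber-attack": {
        "pessimistic": (0.9, 0.8, 0.7, 0.7, 0.7, 0.53),
        "realistic":   (0.7, 0.7, 0.6, 0.6, 0.6, 0.49),
        "optimistic":  (0.6, 0.5, 0.5, 0.5, 0.5, 0.38),
    },
}

# Impact values reported in Table 7 for the same risks (pessimistic, realistic, optimistic).
TABLE7: Dict[str, Tuple[float, float, float]] = {
    "R1 Epidemic":      (0.78, 0.68, 0.61),
    "R2 Earthquake":    (0.65, 0.56, 0.50),
    "R19 Viruses":      (0.70, 0.60, 0.46),
    "R20 Cyber-attack": (0.79, 0.66, 0.53),
}


def wsm_impact(sub_factors, weights=BWM_WEIGHTS) -> float:
    """Eq. (1) as a weighted sum: impact = sum_k w_k * F_k over the five sub-factors.

    The weights must be a normalized BWM vector; the sub-factor values are the
    defuzzified (COA) numbers in [0, 1] taken from Table 6.
    """
    if len(sub_factors) != len(weights):
        raise ValueError("one weight per impact sub-factor is required")
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("BWM weights must sum to 1")
    if not all(0.0 <= f <= 1.0 for f in sub_factors):
        raise ValueError("defuzzified sub-factor values lie in [0, 1]")
    return sum(w * f for w, f in zip(weights, sub_factors))


def impact_table(table6=TABLE6) -> Dict[str, Dict[str, float]]:
    """Recompute Table 7 (impact per risk and scenario) from Table 6 rows."""
    return {
        risk: {scenario: wsm_impact(values[:5]) for scenario, values in per_scenario.items()}
        for risk, per_scenario in table6.items()
    }


def matches_table7(table6=TABLE6, table7=TABLE7, tol=0.006) -> bool:
    """True if every recomputed impact agrees with Table 7 to two decimals."""
    computed = impact_table(table6)
    for risk, reported in table7.items():
        for scenario, ref in zip(SCENARIOS, reported):
            if abs(computed[risk][scenario] - ref) > tol:
                return False
    return True


def rank_by_impact(scenario: str, table6=TABLE6) -> List[Tuple[str, float]]:
    """Risks ordered from highest to lowest impact in one scenario."""
    computed = impact_table(table6)
    return sorted(((r, v[scenario]) for r, v in computed.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for risk, per_scenario in impact_table().items():
        print(risk, {s: round(v, 2) for s, v in per_scenario.items()})
    print("consistent with Table 7:", matches_table7())
    print("pessimistic ranking:", rank_by_impact("pessimistic"))
```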

4.3. Evaluating the risks

Four types of resources, including human resources, financial resources, facilities and equipment, are used in the organization X to undertake the activities. In this study, the vulnerability of these resources to the identified risks is obtained using experts' opinions in the interval [0,1]. Table 8 shows the amount of parameter h_ik for the identified risks. These data were gathered through conducting some interviews with the organization's experts. The amounts of s_jk, MTPD_j, MBCO_j, v_jg, and v_0g, which are the outputs of the BIA process, are then utilized to find out the impact of the identified risks on the organization's goals. Increasing customer satisfaction (i.e.


Table 9. The deviation of the organization's goals after each risk occurrence (p_i, %).

Risk | p_i: Pessimistic Realistic Optimistic | Risk | p_i: Pessimistic Realistic Optimistic
R1 | 2.54 1.90 1.25 | R26 | 1.31 0.79 0.39
R2 | 2.11 1.60 0.93 | R27 | 1.71 1.00 0.46
R3 | 1.51 0.97 0.55 | R28 | 1.86 0.88 0.68
R4 | 1.06 0.70 0.21 | R29 | 0.00 0.00 0.00
R5 | 0.35 0.25 0.11 | R30 | 0.00 0.00 0.00
R6 | 1.19 0.78 0.44 | R31 | 0.00 0.00 0.00
R7 | 1.86 1.13 0.58 | R32 | 2.45 1.33 0.70
R8 | 1.45 1.00 0.70 | R33 | 1.60 0.96 0.68
R9 | 0.94 0.61 0.34 | R34 | 0.00 0.00 0.00
R10 | 0.00 0.00 0.00 | R35 | 1.74 0.94 0.53
R11 | 0.41 0.17 0.12 | R36 | 1.50 0.92 0.58
R12 | 0.20 0.11 0.07 | R37 | 0.00 0.00 0.00
R13 | 0.00 0.00 0.00 | R38 | 0.00 0.00 0.00
R14 | 0.00 0.00 0.00 | R39 | 0.00 0.00 0.00
R15 | 0.00 0.00 0.00 | R40 | 1.45 0.68 0.24
R16 | 0.34 0.16 0.09 | R41 | 0.00 0.00 0.00
R17 | 0.00 0.00 0.00 | R42 | 1.46 0.99 0.63
R18 | 1.23 0.46 0.21 | R43 | 0.00 0.00 0.00
R19 | 2.42 1.35 0.67 | R44 | 0.00 0.00 0.00
R20 | 2.09 1.62 1.01 | R45 | 0.00 0.00 0.00
R21 | 0.84 0.39 0.29 | R46 | 0.00 0.00 0.00
R22 | 0.00 0.00 0.00 | R47 | 0.00 0.00 0.00
R23 | 1.62 0.90 0.41 | R48 | 0.00 0.00 0.00
R24 | 1.21 0.73 0.34 | R49 | 0.00 0.00 0.00
R25 | 1.94 1.08 0.46 | R50 | 0.00 0.00 0.00

[Figure not reproduced: three panels (Pessimistic Scenario, Realistic Scenario, Optimistic Scenario) plotting Likelihood against Impact; the risks which may cause considerable deviation in the organization's goals are marked.]

Fig. 6. The impact and likelihood of identified risks.


g1), market share (i.e. g2) and reducing overall costs (i.e. g3) are the three goals of the organization, which have been defined by the top managers. In this paper, the BWM method is used to find the importance degrees of the organization's goals. The amount of p_i for each risk in each scenario is also calculated by Eq. (3). Table 9 shows the anticipated deviation of the organization's goals after occurrence of each risk.

Fig. 6 shows the likelihood and impact of the identified risks in the different scenarios. In this figure, those risks whose p_i values are more than the organization's risk appetite, and which therefore may cause a considerable deviation in the organization's goals (i.e. beyond the risk appetite), have been marked.

4.4. Responding to the risks

The key functions of the organization X are identified by conducting the BIA process proposed by Torabi et al. (2014). In this way, ten key functions are identified. Table 10 shows the amount of required resources, MBCO, and MTPD for these key functions.

The risk appetite of each goal has been identified by conducting some interviews with top managers. Then, the overall risk appetite is calculated as 1.6% by considering the importance degrees of the goals, which have already been determined using the WSM method. Now, according to Table 10, the amount of p_i for R1, R2, R7, R19, R20, R23, R25, R27, R28, R32, R33, and R35 in the pessimistic scenario is greater than the risk appetite. In the realistic scenario, R1, R2, and R20 may cause considerable deviations in the organization's goals (i.e. more than the risk appetite). The resources needed to resume the key functions at their MBCO levels after occurrence of these risks have been calculated by Eq. (4) and are reported in Table 11.

The resources needed for continuing the key functions at least at their MBCO levels should be prepared by suitable BCPs, considering the MTPDs of the key functions and the cost-benefit analysis. Notably, the cost-benefit analysis is conducted to select the proper strategy for providing the required resources after occurrence of each risk.

Three factors (i.e. preventing loss of reputation, lost sales, and internal dissatisfaction) are defined for measuring the benefits of each


Table 10. The information about the key functions and their resources.
Columns: MBCO_j (%); MTPD_j (week); s_jk for the four resources (human resources, financial resources, facilities, equipment); v_jg for the three goals g1 (0.1), g2 (0.6), g3 (0.3); and v_0g − v_jg.

Key function | MBCO_j (%) | MTPD_j (week) | s_jk: Human Financial Facilities Equipment | v_jg: g1(0.1) g2(0.6) g3(0.3) | v_0g − v_jg
KF1 | 40 | 4 | 5 500 – – | 0.07 0.09 0.06 | 0.08
KF2 | 62 | 3 | – – 50 3 | 0.12 0.09 0.15 | 0.12
KF3 | 74 | 3 | 5 – 150 5 | 0.02 0.09 0.06 | 0.07
KF4 | 45 | 6 | 5 240 – – | 0.06 0.08 0.12 | 0.09
KF5 | 61 | 5 | – – 120 6 | 0.18 0.09 0.07 | 0.09
KF6 | 55 | 4 | 7 800 400 – | 0.21 0.18 0.14 | 0.17
KF7 | 45 | 3 | 3 300 – 7 | 0.07 0.09 0.10 | 0.09
KF8 | 67 | 4 | – 200 100 – | 0.04 0.14 0.14 | 0.13
KF9 | 75 | 3 | – 900 600 – | 0.17 0.12 0.07 | 0.11
KF10 | 20 | 8 | 5 – – 4 | 0.06 0.03 0.09 | 0.05

Table 11. The resources needed for the key functions after risk occurrence (w_ijk).
Each key function has four columns, presumably in the resource order of Table 10: human resources, financial resources, facilities, equipment.

Key functions KF1–KF5
Scenario | Risk | KF1 | KF2 | KF3 | KF4 | KF5
Pessimistic | R1 | 0.9 0 0 0 | 0 0 0 0 | 2.6 0 0 0 | 1.15 0 0 0 | 0 0 0 0
Pessimistic | R2 | 0.25 25 0 0 | 0 0 13.5 0.81 | 1.95 0 58.5 1.95 | 0.5 24 0 0 | 0 0 31.2 1.56
Pessimistic | R7 | 0.15 15 0 0 | 0 0 0 0 | 1.85 0 0 0 | 0.4 19.2 0 0 | 0 0 0 0
Pessimistic | R19 | 0 0 0 0 | 0 0 0 0.96 | 0 0 0 2.2 | 0 0 0 0 | 0 0 0 1.86
Pessimistic | R20 | 0 95 0 0 | 0 0 0 1.23 | 0 0 0 2.65 | 0 57.6 0 0 | 0 0 0 2.4
Pessimistic | R23 | 0 0 0 0 | 0 0 0 0.84 | 0 0 0 2 | 0 0 0 0 | 0 0 0 1.62
Pessimistic | R25 | 0.35 35 0 0 | 0 0 14.5 0.87 | 2.05 0 61.5 2.05 | 0.6 28.8 0 0 | 0 0 33.6 1.68
Pessimistic | R27 | 0 0 0 0 | 0 0 0 0 | 1.7 0 0 0 | 0.25 0 0 0 | 0 0 0 0
Pessimistic | R28 | 0.45 45 0 0 | 0 0 15.5 0.93 | 2.15 0 64.5 2.15 | 0.7 33.6 0 0 | 0 0 36 1.8
Pessimistic | R32 | 0 0 0 0 | 0 0 0 0.51 | 1.45 0 0 1.45 | 0 0 0 0 | 0 0 0 0.96
Pessimistic | R33 | 0 0 0 0 | 0 0 0 0.27 | 1.05 0 0 1.05 | 0 0 0 0 | 0 0 0 0.48
Pessimistic | R35 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Realistic | R1 | 0.4 0 0 0 | 0 0 0 0 | 2.1 0 0 0 | 0.65 0 0 0 | 0 0 0 0
Realistic | R2 | 0 0 0 0 | 0 0 9 0.54 | 1.5 0 45 1.5 | 0.05 2.4 0 0 | 0 0 20.4 1.02
Realistic | R20 | 0 30 0 0 | 0 0 0 0.84 | 0 0 0 2 | 0 26.4 0 0 | 0 0 0 1.62

Key functions KF6–KF10
Scenario | Risk | KF6 | KF7 | KF8 | KF9 | KF10
Pessimistic | R1 | 2.31 0 0 0 | 0.69 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Pessimistic | R2 | 1.4 160 80 0 | 0.3 30 0 0.7 | 0 64 32 0 | 0 360 240 0 | 0 0 0 0
Pessimistic | R7 | 1.26 144 0 0 | 0.24 24 0 0 | 0 60 0 0 | 0 342 0 0 | 0 0 0 0
Pessimistic | R19 | 0 32 0 0 | 0 0 0 1.05 | 0 32 0 0 | 0 216 0 0 | 0 0 0 0
Pessimistic | R20 | 0 272 0 0 | 0 72 0 1.68 | 0 92 0 0 | 0 486 0 0 | 0 0 0 0
Pessimistic | R23 | 0 0 0 0 | 0 0 0 0.77 | 0 0 0 0 | 0 72 0 0 | 0 0 0 0
Pessimistic | R25 | 1.54 176 88 0 | 0.36 36 0 0.84 | 0 68 34 0 | 0 378 252 0 | 0 0 0 0
Pessimistic | R27 | 1.05 0 0 0 | 0.15 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Pessimistic | R28 | 1.68 192 96 0 | 0.42 42 0 0.98 | 0 72 36 0 | 0 396 264 0 | 0 0 0 0
Pessimistic | R32 | 0.7 80 0 0 | 0 0 0 0 | 0 44 0 0 | 0 270 0 0 | 0 0 0 0
Pessimistic | R33 | 0.14 16 0 0 | 0 0 0 0 | 0 28 0 0 | 0 198 0 0 | 0 0 0 0
Pessimistic | R35 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Realistic | R1 | 1.61 0 0 0 | 0.39 0 0 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Realistic | R2 | 0.77 88 44 0 | 0.03 3 0 0.07 | 0 46 23 0 | 0 279 186 0 | 0 0 0 0
Realistic | R20 | 0 168 0 0 | 0 33 0 0.77 | 0 66 0 0 | 0 369 0 0 | 0 0 0 0

Table 12. The benefit-cost analysis for providing human resources.
Benefits are in $ per week of prevented loss; the weight of each benefit factor is given in parentheses.

Time (week) | Strategy | Reputation (0.4) | Lost sale (0.4) | Internal dissatisfaction (0.2) | Total benefit | Cost of providing the human resources ($ per week)
t = 0 | Training reserved (backup) skillful staff members to be able to substitute them for lost people immediately | 700 | 300 | 200 | 440 | 1000
t = 1 | Recruiting new skillful staff and using them instead of lost people | 500 | 200 | 150 | 310 | 250
t = 3 | Training semi-skilled people and substituting them for lost people after a while | 400 | 150 | 120 | 244 | 200


candidate strategy. These factors help the BCM team to find the benefits of the strategies in an accurate way. In Table 12, we have provided an example to show how to use the benefit-cost analysis to estimate the benefits and cost of the candidate strategies. The benefits and cost of providing human resources after an earthquake (e.g. in the pessimistic scenario) are provided in Table 12. According to the results shown in Table 10, some key functions are performed by using human resources. For these key functions, the estimated MTPD is three weeks. Therefore, the upper bound for preparing human resources after risk occurrence is three weeks.


Table 13. Selected strategy for providing the required resources after an earthquake occurrence.

Resources | Selected strategy for providing resources
Human resources | Training semi-skilled people and substituting them for lost people after a while
Financial resources | Borrowing money from a bank with the lowest interest rate
Facilities | Repairing the lost facilities and reusing them
Equipment | Purchasing new equipment instead of the lost equipment


After calculating the benefit-cost of the candidate strategies for providing the human resources to continue the key functions at the level of MBCO, 1 ≤ t ≤ 3 weeks is considered as the acceptable duration for preparing the needed resources after an earthquake (see Table 12). Implementing a strategy to prepare the needed resources has some benefits and costs. Comparing the candidate strategies using this criterion helps top management to choose the best one. The benefit-cost of training semi-skilled people and substituting them for lost people after a while is more than that of recruiting new skillful staff and using them instead of lost people. Therefore, it is selected as the appropriate strategy for providing human resources after risk occurrence.
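As an added example, not the paper's code, the Python below recomputes the "Total benefit" column of Table 12 from the three weighted benefit factors and then applies the feasibility window described earlier: t* is the earliest preparation time at which a strategy's benefit-cost turns positive and MTPD (three weeks here) is the upper bound, which yields 1 ≤ t ≤ 3 weeks for Table 12. Treating "benefit-cost" as weekly total benefit minus weekly cost, and the abbreviated strategy names, are this example's assumptions.

```python
"""Benefit-cost screening of resource-provision strategies (Table 12 of the paper).

Added example. Strategy rows, benefit factors and factor weights are copied from
Table 12 (names abbreviated); MTPD = 3 weeks comes from Section 4.4. Treating the
"benefit-cost" of a strategy as weekly total benefit minus weekly cost is an
assumption of this example, not a definition taken from the paper.
"""
from datacl ASSES_PLACEHOLDER import dataclass  # noqa: placeholder replaced below
```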

The same process has been carried out to provide the other resources (i.e. financial resources, facilities, and equipment) after an earthquake occurrence. Table 13 shows the results of the benefit-cost analysis for providing the needed resources.

Similar procedures are often utilized to provide the resources needed to resume the key functions after a risk occurrence. Noteworthy, the available strategies for providing the required resources to cope with any occurred risk are often similar. For example, after an epidemic disease occurs, the alternative human resources can be provided by training semi-skilled people and substituting them for lost people after a while.

When the risk named absence of the employees (R35) occurs, the resources needed for resuming the key functions will not fall below the MBCO of the key functions. As previously mentioned, a strategy such as transferring, avoiding, or mitigating can be used for coping with this risk. For instance, an avoiding strategy (i.e. eliminating the source of risk) can be applied by substituting new staff for erratic staff members.

5. Managerial highlights

In this study, an improved RA framework equipped with some analytical techniques is developed to improve and facilitate conducting the RA process, which is a key part of any BCMS, when implementing a BCMS in an organization. To apply the suggested analytical techniques within this framework, the following managerial tips should be highlighted:

• Risk identification: in this study, risks are categorized in two main categories, including the operational and disruption risks. Furthermore, several groups are defined within each category to classify the potential risks accurately. This classification helps top managers to identify their organization's risks in a comprehensive yet simple way.

• Risk factors and vulnerability: this study introduces several sub-factors to measure the risks' impacts in a quantitative yet inclusive manner. That is, in the risk analysis step, in order to estimate the impact of each risk, some new sub-factors are considered, which can help the BCM team to calculate the identified risks' impacts in an accurate way. In addition, one of the most important hints is considering the vulnerability level of each resource type for each risk. When a risk occurs, it may not have an impact on some resources while it affects other ones considerably. Therefore, it is important to find the vulnerability level of each resource for each risk. Finding the vulnerability of resources as well as the impacts will definitely help managers to have a comprehensive insight about the identified risks.

• Deviation of the organization's goals: each organization attempts to achieve certain pre-defined goals such as financial goals. Devising a technique to calculate the amount of deviation in each goal after occurrence of any risk is a crucial task in every organization. This paper presents a novel yet simple method by which any deviation could be calculated when a risk takes place. This calculation is performed through anticipating lost resources, which may lead to some deviations in the key functions' operating levels.

• Resource allocation and benefit-cost analysis: responding to the identified risks by providing the needed resources for the key functions to ensure their continuation is the approach proposed in this paper to return the organization to an acceptable operating level in which the key functions are resumed. For this, the minimum amount of required resources is determined for continuing the key functions after a risk occurrence. Furthermore, according to the pre-defined levels for the MBCO and MTPD measures, the needed resources can be provided by several methods. Nevertheless, using the benefit-cost analysis can assist the top managers in selecting an appropriate strategy for preparation of the required resources.

6. Concluding remarks

RA is one of the important elements of a BCMS. In this article, an enhanced RA framework equipped with a suite of analytical techniques is developed within the context of BCMS to assess potential risks in manufacturing/service organizations. In this framework, the potential threats to the organization under consideration are identified and sub-classified as disruption and operational risks. For doing this, several papers were investigated to provide a comprehensive list of risks, which can be used by organizations' managers as a practical guide to identify their potential risks. In the risk analysis step, seven sub-factors are defined to measure the impact and likelihood of the identified risks more accurately than in previous studies. More specifically, we use five sub-factors for calculating the impact of each risk, which collectively can estimate the impact factor more accurately than when they are used separately. We have also adopted an effective MCDM technique (i.e. BWM) to find the weights of these sub-factors. In order to find the impact of risks on an organization's goals, lost resources (e.g. human and financial resources) after a risk happens are taken into account. Finding the vulnerability level of resources as well as the risks' impacts will definitely help top managers to have a comprehensive insight about the identified risks, by which the deviations of the organization's goals are also calculated. Finally, those risks causing considerable deviations in the organization's goals (i.e. their risk values are beyond the risk appetite) are responded to by allocating the needed resources through appropriate strategies to resume the key functions at least at their respective MBCO levels. It is a new approach to respond to the risks, by which the needed resources are provided with regard to the results of BIA and the benefit-cost analysis.

The proposed risk assessment and management framework is also applied in a real case study, whose results demonstrate that the enhanced RA framework and its suggested analytical tools can effectively handle the risk assessment process when implementing a BCMS in an organization, as it comprehensively accounts for BCM requirements and prerequisites while conducting the well-known four-step RA framework in a mixed quantitative-qualitative way.

There are several directions for further research to further improve the risk assessment and management process in the context of BCMS, among which we highlight the following ones:



• Applying some other techniques, such as Bayesian networks, in order to calculate the risk factors' values.

• Using other MADM techniques, such as ANP and DEMATEL, to reflect the interrelations between the risk factors.

• Designing appropriate mathematical models, such as those used in the project selection area (see for instance Shakhsi-Niaei et al., 2011), to find the best strategies to prepare the required resources for continuation of the key functions.

• Investigating different risk assessment techniques through a comprehensive literature review from the perspective of modeling uncertainty, due to the high importance of such uncertainty for the results of any RA process.

Acknowledgement

This research was supported by the University of Tehran under research grant number 8109920/1/17. The authors appreciate the constructive comments made by the anonymous reviewers, which helped to improve the presentation of the paper.

Appendix A

In BWM, the best and worst criteria are first determined by the decision makers. Then, the preference degrees of the best criterion over all other criteria, along with the preference degrees of all criteria over the worst criterion, are obtained from the decision makers' opinions through the well-known Likert scale. Finally, the optimal weights of the criteria are found by solving the linearized version of model (A.1) (i.e. model (A.2)).

$$
\min_{w}\ \max_{j}\left\{\left|\frac{w_B}{w_j}-a_{Bj}\right|,\ \left|\frac{w_j}{w_W}-a_{jW}\right|\right\}
$$
$$
\text{s.t.}\quad \sum_{j} w_j = 1,\qquad w_j \ge 0\ \ \text{for all } j \tag{A.1}
$$

where

a_Bj indicates the preference degree of the best criterion B over criterion j;
a_jW indicates the preference degree of criterion j over the worst criterion W;
w_j is the final weight of criterion j, which is calculated by the BWM.

Table B.1. Applied linguistic terms to determine the value of the impact's sub-factors.

Experts' opinions about the impact's sub-factors | Corresponding trapezoidal fuzzy number (TFN)
Very low | (0, 0.1, 0.2, 0.3)
Low | (0.1, 0.2, 0.3, 0.4)
Medium | (0.3, 0.4, 0.5, 0.6)
High | (0.5, 0.6, 0.7, 0.8)
Very high | (0.7, 0.8, 0.9, 1)

Model (A.1) is a non-linear programming model. Therefore, it is converted to its linear counterpart (i.e. model (A.2)) as follows.

$$
\begin{aligned}
\min\ & \lambda \\
\text{s.t.}\ & \frac{w_B}{w_j} - a_{Bj} \le \lambda,\quad \frac{w_B}{w_j} - a_{Bj} \ge -\lambda \quad \text{for all } j,\\
& \frac{w_j}{w_W} - a_{jW} \le \lambda,\quad \frac{w_j}{w_W} - a_{jW} \ge -\lambda \quad \text{for all } j,\\
& \sum_{j} w_j = 1,\qquad w_j \ge 0 \quad \text{for all } j
\end{aligned}
\tag{A.2}
$$

By solving the linear model (A.2), the optimal weights (w_j) can be obtained for the concerned criteria.

One of the outstanding features of BWM is that it requires less comparison data compared to other pair-wise comparison based methods like AHP. As shown by Rezaei (2015), this method generates more reliable criteria weights than other MCDM methods while reducing the required data (i.e. the number of required pair-wise comparisons) considerably.

Appendix B

In order to deal with the vagueness and imprecision of the experts' opinions about risks, it is better to use linguistic terms. In this case, the judgmental data provided by experts are first gathered in the form of linguistic terms (see Table B.1). From the practical viewpoint, experts can conveniently express their qualitative opinions in terms of linguistic terms (Ganguly and Guin, 2010). Then, each linguistic term is associated with a trapezoidal fuzzy number whose membership function has been presented in Table B.1. Eq. (B.1) shows the membership function of the trapezoidal fuzzy number (l, m, n, u) and Fig. B.1 depicts its graph.

$$
\mu_M(x) =
\begin{cases}
\dfrac{x - l}{m - l} & l < x < m \\[4pt]
1 & m < x < n \\[4pt]
\dfrac{u - x}{u - n} & n < x < u \\[4pt]
0 & \text{otherwise}
\end{cases}
\tag{B.1}
$$
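An added Python example, not from the paper, that implements the membership function (B.1) for a TFN (l, m, n, u), the centre-of-area (COA) defuzzification that Section 4.2 applies to these TFNs, and the mapping from a linguistic rating of Table B.1 to a crisp sub-factor value; the closed-form centroid and its numerical cross-check are the example's own, and the TFNs are copied from Table B.1.

```python
"""Trapezoidal fuzzy numbers for the linguistic terms of Table B.1.

Added example (not the paper's code). Implements the membership function of
Eq. (B.1) for a TFN (l, m, n, u), the centre-of-area (COA) defuzzification that
Section 4.2 says was applied, and the mapping from an expert's linguistic rating
to a crisp sub-factor value. The closed-form centroid and the midpoint-rule
cross-check are this example's own; the TFNs are copied from Table B.1.
"""
from typing import Dict, Tuple

TFN = Tuple[float, float, float, float]

# Table B.1: linguistic term -> (l, m, n, u)
LINGUISTIC_TERMS: Dict[str, TFN] = {
    "very low":  (0.0, 0.1, 0.2, 0.3),
    "low":       (0.1, 0.2, 0.3, 0.4),
    "medium":    (0.3, 0.4, 0.5, 0.6),
    "high":      (0.5, 0.6, 0.7, 0.8),
    "very high": (0.7, 0.8, 0.9, 1.0),
}


def membership(x: float, tfn: TFN) -> float:
    """Eq. (B.1): degree to which x belongs to the trapezoid (l, m, n, u)."""
    l, m, n, u = tfn
    if not (l <= m <= n <= u):
        raise ValueError("a TFN needs l <= m <= n <= u")
    if m <= x <= n:
        return 1.0                # flat top (both edges also give 1 at x = m, x = n)
    if l < x < m:
        return (x - l) / (m - l)  # rising edge
    if n < x < u:
        return (u - x) / (u - n)  # falling edge
    return 0.0


def coa_defuzzify(tfn: TFN) -> float:
    """Centre of area of a trapezoid: x_bar = integral(x*mu) / integral(mu).

    Closed form for (l, m, n, u); for a symmetric trapezoid such as every
    Table B.1 term it reduces to (l + u) / 2.
    """
    l, m, n, u = tfn
    if u == l:
        return l                  # degenerate singleton
    numerator = u**2 + n**2 + u*n - l**2 - m**2 - l*m
    denominator = u + n - l - m
    return numerator / (3.0 * denominator)


def coa_numeric(tfn: TFN, steps: int = 20000) -> float:
    """Midpoint-rule evaluation of the same centroid, as an independent check."""
    l, _, _, u = tfn
    h = (u - l) / steps
    area = moment = 0.0
    for i in range(steps):
        x = l + (i + 0.5) * h
        mu = membership(x, tfn)
        area += mu * h
        moment += x * mu * h
    return moment / area


def crisp_value(term: str) -> float:
    """Linguistic rating of one impact sub-factor -> defuzzified number in [0, 1]."""
    key = term.strip().lower()
    if key not in LINGUISTIC_TERMS:
        raise KeyError(f"unknown linguistic term: {term!r}")
    return coa_defuzzify(LINGUISTIC_TERMS[key])


if __name__ == "__main__":
    for term, tfn in LINGUISTIC_TERMS.items():
        print(f"{term:>9}: TFN={tfn}  COA={coa_defuzzify(tfn):.3f}  "
              f"mu(0.45)={membership(0.45, tfn):.2f}")
```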

Appendix C

After determining the amount of the sub-factors regarding the impact of risks, these sub-factors should be aggregated with a suitable function. For this, these sub-factors should first be prioritized according to their importance degrees from the top managers' viewpoints. According to the experts' opinion, human and financial losses and the non-detectability degree of risk are considered as the best and the worst sub-factors, respectively. Then, the preference of the best criterion (F1) over the other criteria and the preference of all criteria over the worst criterion (F4) are gathered by expert opinion as a_Bj = [1, 1.5, 2, 3, 2.5] and a_jW = [3, 2.5, 2, 1, 1.5], respectively. Finally, model (C.1) is solved to find the weights of the impact's sub-factors.

Fig. B.1. The membership function of the trapezoidal fuzzy number (l, m, n, u). [figure not reproduced]

Table D.1. Acronyms and their meanings.

Acronym | Meaning
BC | Business Continuity
BCM | Business Continuity Management
BCMS | Business Continuity Management System
BCP | Business Continuity Planning
BCPs | Business Continuity Plans
RA | Risk Assessment
BIA | Business Impact Analysis
MBCO | Minimum Business Continuity Objective
MTPD | Maximum Tolerable Period of Disruption
MCDM | Multiple Criteria Decision Making
MADM | Multiple Attribute Decision Making
ANP | Analytic Network Process
AHP | Analytic Hierarchy Process
DEMATEL | Decision Making Trial And Evaluation Laboratory

$$
\begin{aligned}
\min\ & k \\
\text{s.t.}\ & \left| \frac{w_1}{w_1} - 1 \right| \le k, \qquad \left| \frac{w_2}{w_4} - 2.5 \right| \le k, \\
& \left| \frac{w_1}{w_2} - 1.5 \right| \le k, \qquad \left| \frac{w_3}{w_4} - 2 \right| \le k, \\
& \left| \frac{w_1}{w_3} - 2 \right| \le k, \qquad \left| \frac{w_5}{w_4} - 1.5 \right| \le k, \\
& \left| \frac{w_1}{w_4} - 3 \right| \le k, \qquad \left| \frac{w_1}{w_5} - 2.5 \right| \le k, \\
& \sum_{j} w_j = 1, \qquad w_j \ge 0 \ \text{ for all } j
\end{aligned}
\qquad (\mathrm{C.1})
$$

In this way, the weight vector is calculated as: w1 = 0.33, w2 = 0.25, w3 = 0.18, w4 = 0.10, w5 = 0.14.
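As an added example that is not part of the paper, the Python below evaluates model (C.1) on the Appendix C data (the vectors aBj and ajW and the reported weights) and then refines the reported, rounded weights with a greedy coordinate search; that search routine is an assumption of this example, since the paper does not say which solver it used.

```python
# Added example (not the paper's code): evaluate the best-worst method (BWM)
# model (C.1) on the Appendix C data and locally refine the reported weights.
# The comparison vectors and weights below are the paper's; the coordinate
# search is an assumption of this example (the paper does not state its solver).

A_BJ = [1.0, 1.5, 2.0, 3.0, 2.5]   # preference of the best sub-factor F1 over F1..F5
A_JW = [3.0, 2.5, 2.0, 1.0, 1.5]   # preference of F1..F5 over the worst sub-factor F4
BEST, WORST = 0, 3                 # zero-based indices of F1 and F4
PAPER_W = [0.33, 0.25, 0.18, 0.10, 0.14]   # weights reported after solving (C.1)


def bwm_deviations(w, a_bj=A_BJ, a_jw=A_JW, best=BEST, worst=WORST):
    """Absolute deviation of every weight ratio from the expert comparison,
    i.e. the left-hand sides of the constraints in (C.1), as (label, value)."""
    devs = [(f"w{best+1}/w{j+1}", abs(w[best] / w[j] - a_bj[j])) for j in range(len(w))]
    devs += [(f"w{j+1}/w{worst+1}", abs(w[j] / w[worst] - a_jw[j])) for j in range(len(w))]
    return devs


def bwm_objective(w, **kw):
    """k in model (C.1): the largest deviation. A smaller k means the weights
    reproduce the expert judgements more consistently."""
    return max(v for _, v in bwm_deviations(w, **kw))


def binding_ratio(w, **kw):
    """Label of the ratio that attains k, i.e. the comparison limiting consistency."""
    return max(bwm_deviations(w, **kw), key=lambda d: d[1])[0]


def refine_weights(w0, steps=(0.01, 0.001, 0.0001), **kw):
    """Greedy coordinate search: shift mass `step` from w_j to w_i whenever that
    lowers k, keeping sum(w) = 1 and every w_j > 0. Deterministic, no libraries."""
    w = [x / sum(w0) for x in w0]
    k = bwm_objective(w, **kw)
    for step in steps:
        improved = True
        while improved:
            improved = False
            for i in range(len(w)):
                for j in range(len(w)):
                    if i == j or w[j] - step <= 0:
                        continue
                    cand = list(w)
                    cand[i] += step
                    cand[j] -= step
                    k_cand = bwm_objective(cand, **kw)
                    if k_cand < k - 1e-12:
                        w, k, improved = cand, k_cand, True
    return w, k


if __name__ == "__main__":
    print("paper weights: k =", round(bwm_objective(PAPER_W), 4), "binding:", binding_ratio(PAPER_W))
    w, k = refine_weights(PAPER_W)
    print("refined weights:", [round(x, 4) for x in w], "k =", round(k, 4))
```

For the reported weights the binding comparison is w1/w4 (3.3 against the elicited 3), giving k = 0.3; the search shows the rounded weights are not the exact optimum of (C.1).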

Appendix D

In order to facilitate reading the acronyms used in the paper, they are presented in Table D.1 together with their meanings.

References

Aagedal, J.O., Den Braber, F., Dimitrakos, T., Gran, B.A., Raptis, D., Stolen, K., 2002. Model-based risk assessment to improve enterprise security. In: Enterprise Distributed Object Computing Conference, 2002. EDOC’02. Proceedings. Sixth International. IEEE, pp. 51–62.

Altay, N., Ramirez, A., 2010. Impact of disasters on firms in different sectors: implications for supply chains. J. Supply Chain Manage. 46 (4), 59–80.

Asgary, A., Anjum, M.I., Azimi, N., 2012. Disaster recovery and business continuity after the 2010 flood in Pakistan: case of small businesses. Int. J. Disaster Risk Reduction 2, 46–56.

Beyer, H., Sendhoff, B., 2007. Robust optimization – a comprehensive survey. Comput. Methods Appl. Mech. Eng. 196 (33–34), 3190–3218.

BS25999, B.S., 2007. Business Continuity Management – Part 2: Specification. Business Continuity Management.

Bubeck, P., Botzen, W.J.W., Aerts, J.C.J.H., 2012. A review of risk perceptions and other factors that influence flood mitigation behavior. Risk Anal.: Off. Publ. Soc. Risk Anal. 32 (9), 1481–1495.

Campbell, D.T., Stanley, J.C., 1963. Experimental and Quasi-Experimental Designs for Research.

Cerullo, V., Cerullo, M.J., 2004. Business continuity planning: a comprehensive approach. Inform. Syst. Manage. 21 (3), 70–78.

Chang, J.-R., Chang, K.-H., Liao, S.-H., Cheng, C.-H., 2006. The reliability of general vague fault-tree analysis on weapon systems fault diagnosis. Soft Comput. 10 (7), 531–542.

Chang, K.-H., Cheng, C.-H., 2010. A risk assessment methodology using intuitionistic fuzzy set in FMEA. Int. J. Syst. Sci. 41 (12), 1457–1471.

Chopra, S., Reinhardt, G., Mohan, U., 2007. The importance of decoupling recurrent and disruption risks in a supply chain. Naval Res. Logist. 54 (5), 544–555.

Christopher, M., Mena, C., Khan, O., Yurt, O., 2011. Approaches to managing global sourcing risk. Supply Chain Manage.: Int. J. 16 (2), 67–81.

Clarke, C.J., Varma, S., 1999. Strategic risk management: the new competitive edge. Long Range Plan. 32 (4), 414–424.

Cooke, R.M., 1991. Experts in Uncertainty: Opinion and Subjective Probability in Science. Oxford University Press, New York.

Craighead, C.W., Blackhurst, J., Rungtusanatham, M.J., Handfield, R.B., 2007. The severity of supply chain disruptions: design characteristics and mitigation capabilities. Decis. Sci. 38 (1), 131–156.

Dunjó, J., Fthenakis, V., Vílchez, J.A., Arnaldos, J., 2010. Hazard and operability (HAZOP) analysis. A literature review. J. Hazard. Mater. 173 (1–3), 19–32.

Ebrahim Nejad, A., Niroomand, I., Kuzgunkaya, O., 2014. Responsive contingency planning in supply risk management by considering congestion effects. Omega 48, 19–35.

Feng, N., Wang, H.J., Li, M., 2014. A security risk analysis model for information systems: causal relationships of risk factors and vulnerability propagation analysis. Inform. Sci.; Bus. Intell. Risk Manage. 256, 57–73.

Fera, M., Macchiaroli, R., 2010. Appraisal of a new risk assessment model for SME. Saf. Sci. 48 (10), 1361–1368.

Finch, P., 2004. Supply chain risk management. Supply Chain Manage.: Int. J. 9 (2), 183–196.

Galindo, G., Batta, R., 2013. Review of recent developments in OR/MS research in disaster operations management. Eur. J. Oper. Res. 230 (2), 201–211.

Ganguly, K.K., Guin, K.K., 2010. Supply side risk assessment: an application of Yager’s methodology based on fuzzy sets. Int. J. Bus. Continuity Risk Manage. 1 (2), 136–150.

Gibb, F., Buchanan, S., 2006. A framework for business continuity management. Int. J. Inform. Manage. 26 (2), 128–141.

Goossens, L.H.J., Cooke, R.M., Hale, A.R., Rodic-Wiersma, L.J., 2008. Fifteen years of expert judgment at TUDelft. Saf. Sci. 46 (2), 234–244.

World Economic Forum, 2015. Global Risks 2015, 10th ed. Retrieved from <http://www3weforum.org/docs/WEF_Global_Risks_2015_Report15.pdf>.

Greenberg, M.R., Lahr, M., Mantell, N., 2007. Understanding the economic costs and benefits of catastrophes and their aftermath: a review and suggestions for the U.S. federal government. Risk Anal.: Off. Publ. Soc. Risk Anal. 27 (1), 83–96.

Halliday, S., Badenhorst, K., Von Solms, R., 1996. A business approach to effective information technology risk analysis and management. Inform. Manage. Comput. Secur. 4 (1), 19–31.

Hallikas, J., Karvonen, I., Pulkkinen, U., Virolainen, V.-M., Tuominen, M., 2004. Risk management processes in supplier networks. Int. J. Prod. Econ. 90 (1), 47–58.

Harland, C., Brenchley, R., Walker, H., 2003. Risk in supply networks. J. Purchasing Supply Manage. 9 (2), 51–62.

Heckmann, I., Comes, T., Nickel, S., 2015. A critical review on supply chain risk – definition, measure and modeling. Omega 52, 119–132.

Herbane, B., 2013. Exploring crisis management in UK small and medium sized enterprises. J. Contingencies Crisis Manage. 21 (2), 82–95.

Hiles, A., 2010. The Definitive Handbook of Business Continuity Management. John Wiley & Sons.

Holzmann, R., Jørgensen, S., 2001. Social Risk Management: a new conceptual framework for Social Protection, and beyond. Int. Tax Pub. Finance 8 (4), 529–556.

Holzmann, R., Sherburne-Benz, L., Tesliuc, E., Unit, S.P., 2003. Social Risk Management: The World Bank’s Approach to Social Protection in a Globalizing World. World Bank, Washington, DC.

ISO 22301, 2012. Societal Security – Business Continuity Management Systems – Requirements. International Organization for Standardization, Switzerland.

ISO 31010, 2009. Risk Management – Risk Assessment Techniques. International Organization for Standardization.

ISO 27005, 2008. Information Security Risk Management. International Organization for Standardization.

Kangas, A.S., Kangas, J., 2004. Probability, possibility and evidence: approaches to consider risk and uncertainty in forestry decision analysis. For. Policy Econ. 6 (2), 169–188.

Karimi, I., Hüllermeier, E., 2007. Risk assessment system of natural hazards: a new approach based on fuzzy probability. Fuzzy Sets Syst. 158 (9), 987–999.

Kelly, D.L., Smith, C.L., 2009. Bayesian inference in probabilistic risk assessment – the current state of the art. Reliab. Eng. Syst. Saf. 94, 628–643.

Kleindorfer, P., Saad, G., 2005. Managing disruption risks in supply chains. Prod. Oper. 14 (1), 53–68.

Knemeyer, A.M., Zinn, W., Eroglu, C., 2009. Proactive planning for catastrophic events in supply chains. J. Oper. Manage. 27 (2), 141–153.

Kull, T., Closs, D., 2008. The risk of second-tier supplier failures in serial supply chains: implications for order policies and distributor autonomy. Eur. J. Oper. Res. 186 (3), 1158–1174.

Lai, I.K.W., Lau, H.C.W., 2012. A hybrid risk management model: a case study of the textile industry. J. Manuf. Technol. Manage. 23 (5), 665–680.

Lavastre, O., Gunasekaran, A., Spalanzani, A., 2014. Effect of firm characteristics, supplier relationships and techniques used on Supply Chain Risk Management (SCRM): an empirical investigation on French industrial firms. Int. J. Prod. Res. 52 (11), 3381–3403.

Lindhe, A., Rosén, L., Norberg, T., Bergstedt, O., 2009. Fault tree analysis for integrated and probabilistic risk analysis of drinking water systems. Water Res. 43 (6), 1641–1653.

Liu, H.C., Li, P., You, J.X., Chen, Y.Z., 2015a. A novel approach for FMEA: combination of interval 2-tuple linguistic variables and gray relational analysis. Qual. Reliab. Eng. Int. 31 (5), 761–772.

Liu, H.C., You, J.X., Lin, Q.L., Li, H., 2015b. Risk assessment in system FMEA combining fuzzy weighted average with fuzzy decision-making trial and evaluation laboratory. Int. J. Comput. Integr. Manuf. 28 (7), 701–714.

Liu, Y., Fan, Z.-P., Yuan, Y., Li, H., 2014. A FTA-based method for risk decision-making in emergency response. Comput. Oper. Res. 42, 49–57.

Lockamy III, A., 2014. Assessing disaster risks in supply chains. Ind. Manage. Data Syst. 114 (5), 755–777.

Mahdevari, S., Shahriar, K., Esfahanipour, A., 2014. Human health and safety risks management in underground coal mines using fuzzy TOPSIS. Sci. Total Environ. 488, 85–99.

Manuj, I., Mentzer, J.T., 2008. Global supply chain risk management strategies. Int. J. Phys. Distrib. Logist. Manage. 38 (3), 192–223.

Marhavilas, P.K., Koulouriotis, D.E., 2012. Developing a new alternative risk assessment framework in the work sites by including a stochastic and a deterministic process: a case study for the Greek Public Electric Power Provider. Saf. Sci. 50 (3), 448–462.

Nijaz, B., Mario, S., Lejla, T., 2011. Implementation of the IT governance standards through business continuity management: cases from Croatia and Bosnia-Herzegovina. In: Information Technology Interfaces (ITI), Proceedings of the ITI 2011 33rd International Conference on. IEEE, pp. 43–50.

Nocco, B.W., Stulz, R.M., 2006. Enterprise risk management: theory and practice. J. Appl. Corp. Finance 18 (4), 8–20.

Norrman, A., Jansson, U., 2004. Ericsson’s proactive supply chain risk management approach after a serious sub-supplier accident. Int. J. Phys. Distrib. Logist. Manage. 34 (5), 434–456.

Ojala, M., Hallikas, J., 2006. Investment decision-making in supplier networks: management of risk. Int. J. Prod. Econ. 104 (1), 201–213.

Oke, A., Gopalakrishnan, M., 2009. Managing disruptions in supply chains: a case study of a retail supply chain. Int. J. Prod. Econ. 118 (1), 168–174.

Olson, D.L., Wu, D.D., 2010. A review of enterprise risk management in supply chain. Kybernetes 39 (5), 694–706.

Ou Yang, Y.P., Shieh, H.M., Tzeng, G.H., 2013. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Inf. Sci. 232, 482–500.

Park, J., Seager, T.P., Rao, P.S.C., Convertino, M., Linkov, I., 2013. Integrating risk and resilience approaches to catastrophe management in engineering systems. Risk Anal.: Off. Publ. Soc. Risk Anal. 33 (3), 356–367.

Parnell, G.S., Smith, C.M., Moxley, F.I., 2010. Intelligent adversary risk analysis: a bioterrorism risk management model. Risk Anal.: Off. Publ. Soc. Risk Anal. 30 (1), 32–48.

Rezaei, J., 2015. Best-worst multi-criteria decision-making method. Omega 53, 49–57.

Ritchie, B., Brindley, C., 2007. Supply chain risk management and performance: a guiding framework for future development. Int. J. Oper. Prod. Manage. 27 (3), 303–322.

Sahebjamnia, N., Torabi, S.A., Mansouri, S.A., 2015. Integrated business continuity and disaster recovery planning: towards organizational resilience. Eur. J. Oper. Res. 242 (1), 261–273.

Samantra, C., Datta, S., Mahapatra, S.S., 2014. Risk assessment in IT outsourcing using fuzzy decision-making approach: an Indian perspective. Expert Syst. Appl. 41 (8), 4010–4022.

Sawik, T., 2011. Selection of supply portfolio under disruption risks. Omega 39 (2), 194–208.

Shafiee, M., 2015. A fuzzy analytic network process model to mitigate the risks associated with offshore wind farms. Expert Syst. Appl. 42 (4), 2143–2152.

Shafieezadeh, A., Cha, E.J., Ellingwood, B.R., 2015. A decision framework for managing risk to airports from terrorist attack. Risk Anal. 35 (2), 292–306.

Shakhsi-Niaei, M., Torabi, S.A., Iranmanesh, S.H., 2011. A comprehensive framework for project selection problem under uncertainty and real-world constraints. Comput. Ind. Eng. 61 (1), 226–237.

Skogdalen, J.E., Vinnem, J.E., 2011. Quantitative risk analysis offshore – human and organizational factors. Reliab. Eng. Syst. Saf. 96 (4), 468–479.

Song, W., Ming, X., Wu, Z., Zhu, B., 2014. A rough TOPSIS approach for failure mode and effects analysis in uncertain environments. Qual. Reliab. Eng. Int. 30 (4), 473–486.

Stamatis, D.H., 2003. Failure Mode and Effect Analysis: FMEA from Theory to Execution. ASQC Quality Press.

Tang, C.S., 2006. Perspectives in supply chain risk management. Int. J. Prod. Econ. 103 (2), 451–488.

Tjoa, S., Jakoubi, S., Quirchmayr, G., 2008. Enhancing business impact analysis and risk assessment applying a risk-aware business process modeling and simulation methodology. In: Third International Conference on Availability, Reliability and Security, pp. 179–186.

Torabi, S.A., Rezaei Soufi, H., Sahebjamnia, N., 2014. A new framework for business impact analysis in business continuity management (with a case study). Saf. Sci. 68, 309–323.

Torabi, S.A., Baghersad, M., Mansouri, A., 2015. Resilient supplier selection and order lot-sizing under operational and disruption risks. Transport. Res. Part E: Logist. Transport. Rev. 79, 22–48.

Trammell, S.R., Davis, B.J., 2001. Using a modified HAZOP/FMEA methodology for assessing system risk. In: Engineering Management for Applied Technology, 2001. EMAT 2001. Proceedings. 2nd International Workshop on. IEEE, pp. 47–53.

Trkman, P., McCormack, K., 2009. Supply chain risk in turbulent environments – a conceptual model for managing supply chain network risk. Int. J. Prod. Econ. 119 (2), 247–258.

Tsai, C.H., Chen, C.W., 2010. An earthquake disaster management mechanism based on risk assessment information for the tourism industry – a case study from the island of Taiwan. Tourism Manage. 31 (4), 470–481.

Tuncel, G., Alpan, G., 2010. Risk assessment and management for supply chain networks: a case study. Comput. Ind. 61 (3), 250–259.

Vinnem, J.E., Aven, T., Husebø, T., Seljelid, J., Tveit, O.J., 2006. Major hazard risk indicators for monitoring of trends in the Norwegian offshore petroleum sector. Reliab. Eng. Syst. Saf. 91 (7), 778–791.

Wallace, M., Webber, L., 2010. The Disaster Recovery Handbook: A Step-by-Step Plan to Ensure Business Continuity and Protect Vital Operations, Facilities, and Assets. AMACOM Div American Mgmt Assn.

Wijnia, Y., Nikolic, I., 2007. Assessing business continuity risks in IT. In: 2007 IEEE International Conference on Systems, Man and Cybernetics, pp. 3547–3553.

Wreathall, J., 2004. Assessing risk: the role of probabilistic risk assessment (PRA) in patient safety improvement. Qual. Saf. Health Care 13 (3), 206–212.

Wu, T., Blackhurst, J., Chidambaram, V., 2006. A model for inbound supply risk analysis. Comput. Ind. 57 (4), 350–365.

Wulan, M., Petrovic, D., 2012. A fuzzy logic based system for risk analysis and evaluation within enterprise collaborations. Comput. Ind. 63 (8), 739–748.

Zsidisin, G.A., Melnyk, S.A., Ragatz, G.L., 2005. An institutional theory perspective of business continuity planning for purchasing and supply management. Int. J. Prod. Res. 43 (16), 3401–3420.