Towards a Reference Architecture for a Business Continuity
Rūta Pirta-Dreimane
a
and Jānis Grabis
b
Information Technology Institute, Riga Technical University, 6A Kipsalas Street, Riga LV-1048, Latvia
Keywords: Business Continuity, Enterprise Architecture, Architecture Principles, Reference Architecture.
Abstract: During turbulent times, enterprises need to find ways how to adapt, become resilient and strengthen abilities
to cope with emerging threats. Business continuity management (BCM) is an enterprise strategic managerial
capability. The recent global pandemic increased BCM maturity in many enterprises, still the importance of
the capability is underestimated, and the enterprises are facing challenges to design and implement it across
different enterprise architecture (EA) dimensions. In this paper, a business continuity (BC) framework for
BCM capability development is proposed. The framework aims to provide guidance on design of BCM along
different EA dimensions. It summarizes BC architecture principles and conceptualizes BC knowledge from
related research as a reference architecture. The paper highlights challenges faced in BCM implementation,
presents conceptual design of the BC Framework and its components. The application of the framework is
demonstrated using an example from a target EA development project at a public sector institution.
1 INTRODUCTION
The world is facing several unexpected disruptive
events, as global pandemic, supply chain issues,
natural disasters, cybercrime, terrorist attacks and
wars. These events cause variety of challenges for
organizations. Being affected by Covid-19, the
organizations had to substantially modify their
operations to avoid supply chain breakdowns,
to adapt services to customer demand and to
mitigate work safety risks and their negative effects
on the health of employees and society in general
(Margherita & Heikkilä, 2021). Enterprises need to
find ways how to adapt, become resilient and
strengthen abilities to cope with emerging threats.
Business continuity (BC) “broadly refer to a
company’s socio-technical ability to withstand and
restore from intra- and extra-organizational
contingencies” (Niemimaa, 2015b). Business
continuity management (BCM) is an enterprise
strategic capability (Herbane et al., 2004; Niemimaa,
2015a; Niemimaa et al., 2019). The recent global
pandemic “transformed the dynamics of workplace
and workforce” (Agility Recovery, 2022). At the
same time, it also led to a significant increase of BCM
maturity across enterprises. However, the enterprises
a
http://orcid.org/0000-0001-8568-0276
b
http://orcid.org/0000-0003-2196-0214
still face challenges to design and to implement the
BCM capability, including (Hamid, 2018; Hussain et
al., 2021; Obrenovic et al., 2020; Lingeswara &
Tammineedi, 2012): missing capabilities,
commitment and involvement issues, inadequate
standardization, low preparation level for crisis and
high costs. The enterprises need to carefully evaluate
their business processes and economic factors to be
better prepared for the crisis (Obrenovic et al., 2020).
Enterprise architecture (EA) is a widely used
discipline for multi-dimensional enterprise design. It
serves as a conceptual blueprint that guides
enterprises in decision taking. It aims to connect and
enhance the mutual alignment of business and IT
(Gregor et al., 2007; Zhang et al., 2018). Reference
architectures incorporate the best practices in a
particular domain (Aulkemeier et al., 2016) providing
valuable knowledge for design of an enterprise-
specific architecture. EA is guided by architecture
principles advising EA design toward defined goals
and envisioned value (Haki & Legner, 2021).
The objective of this paper is to propose a BC
Framework to direct enterprises in implementation of
the BCM capability. The framework consists of three
components: (1) BC architecture principles, that
represent characteristics of a resilient enterprise; (2)
Pirta-Dreimane, R. and Grabis, J.
Towards a Reference Architecture for a Business Continuity.
DOI: 10.5220/0011837700003467
In Proceedings of the 25th International Conference on Enterprise Information Systems (ICEIS 2023) - Volume 2, pages 553-565
ISBN: 978-989-758-648-4; ISSN: 2184-4992
Copyright
c
2023 by SCITEPRESS Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)
553
Reference architecture for BC that suggests
architecture components required in a resilient
enterprise and (3) BC Maturity Model for BCM
maturity evaluation. The framework aims to solve
main BCM problems identified in scientific literature
and industry survey.
The nested design science problem solving
approach (Wieringa, 2009) is used, following four
main phases: problem investigation, solution design,
design validation and solution implementation. This
paper presents the first two phases the problem
domain and an overview of the proposed BC
Framework and its components.
The rest of the paper is organized as follows.
Section 2 reviews related existing work that serves as
a basis for the BC Framework design. The Section 3
presents research methodology. The problem domain
description is provided in the Section 4. The proposed
solution in a form of a BC Framework is presented in
the Section 5. The framework application in target EA
development for Latvian public sector institution is
demonstrated in the Section 6. Section 7 concludes.
2 BACKGROUND
BCM has been evolving from 1970s as a technical
and operational risk response to disruptions,
incorporating disaster recovery planning and risk
management (Corrales-Estrada et al., 2021a; Hamid,
2018). The International Standardization
Organization defines BCM as “a holistic management
process that identifies potential threats to an
organization and the impacts to business operations
that those threats if realized, might cause; and which
provides a framework for building organizational
resilience with the capability for an effective response
that safeguards the interests of its key stakeholders,
reputation, brand, and value-creating activities” (ISO,
2019). In recent years enterprises have acknowledged
BCM importance, mainly after business interruptions
caused by global pandemics and other disturbing
events. However, still the importance of the capability
is underestimated (Prataviera et al., 2022) and its
maturity must be increased in enterprises across the
world (Agility Recovery, 2022).
Characteristics of BC are investigated in several
studies that analyze three interconnected concepts:
organizational resilience, BC and sustainability.
Relationships among those concepts are discussed in
the (Corrales-Estrada et al., 2021), concluding that
implementation of BCM practices promote
organizational resilience and sustainability. The study
summarizes organizational characteristics that impact
BCM: adaptivity, flexibility, agility and others. Key
factors affecting organizion’s resilience and
sustainability are also summarized in (Obrenovic et
al., 2020). The authors claim that organizations with
a distributed leadership, workforce and adaptive
culture sustain business operations during distributive
events. Similar resilient enterprise characteristics are
also highlighted in other studies (Boin & van Eeten,
2013; Pal et al., 2014; Boin & McConnell, 2007).
Identified characteristics can be translated to
architecture principles.
Several studies investigate EA usage in BCM
implementation (Anir et al., 2019; Gomes et al.,
2017). The BCM integration in EA is assessed by
Anir et al. (2019). The authors analyse integration of
BCM aspects in EA and propose a metamodel and BC
aspects implementation approach. The paper focuses
on implementation of the BCM capability, although
its scope is limited to the metamodel only. EA usage
to assist BC planning is investigated in Gomes et al.
(2017), however this paper also focuses on evaluation
and implementation of BCM without suggestions for
reference architecture.
Reference architectures are a widely used tool for
knowledge reuse in a problem domain (Timm et al.,
2017). They aim to describe the best practices in
particular industries, such as banking (Farzi, 2022),
telecommunications (Seraoui et al., 2020) or specific
domains, as e-commerce (Aulkemeier et al., 2016),
health information systems (Tummers et al., 2021).
In the BCM domain, few reference architectures
exist. A reference architecture for emergent
behaviours control is proposed in Bemthuis et al.
(2020). The model realizes main requirements of
resilient enterprise: operational independence,
managerial independence, distribution, evaluation
development, heterogeneity, emergent behavior. It
proposes architecture components required to support
the execution and control of business logic for
detecting and monitoring emergent behaviors. The
model focuses on information system and technology
architecture dimensions, while concepts of the
business architecture are addressed partly.
While development of BCM related reference
architectures is an open opportunity, several studies
and industry frameworks propose BCM, resilience
and sustainability measurement approaches. Maturity
models are frequently used (Hernantes et al., 2019;
Pinto et al., 2022; Virtual Corporation, 2003), as
“maturity models offer organizations a simple but
effective possibility to measure the quality of their
processes” (Wendler, 2012).
To summarize, BCM is a widely investigated
topic, what highlights its importance. The existing
ICEIS 2023 - 25th International Conference on Enterprise Information Systems
554
studies provide useful insights about processes,
resources and behaviours promoting resilience, BC
and sustainability. Still, they focus on a single
dimension or domain and a multi-dimensional view
structuring best practices is an open challenge what
we aim to address with the proposed framework.
3 RESEARCH METHODOLOGY
The nested design science problem solving approach
(Wieringa, 2009) is used for the research design
(Figure 1).
Figure 1: The research methodology.
The research starts with a problem investigation
to validate hypothesis that enterprises face challenges
in the implementation and provision of BC. The
problem domain analysis is done in two steps,
according to the Design Thinking methodology
(Kelly & Gero, 2021). Firstly, divergent thinking is
applied to widely explore the problem. Then
convergent thinking is employed to define the point-
of-view. The problem domain investigation is based
on two main sources: professional and research
papers and industry survey. The literature analysis is
conducted to explore and integrate the existing
knowledge base following an approach described in
the (Webster & Watson (2002). It is assumed that
BCM is a mature topic where the accumulated body
of research exists that can be analyzed and
synthesized for knowledge conceptualization. The
industry survey supplements the findings from the
literature.
Solution design is based on the best practices
recommendations from two main sources: structured
interviews with experienced industry experts and
related research recommendations. A solution is
prepared following a “top-down driven” architecture
design approach (Nolan, 1997). Firstly, solution’s
conceptual architecture is prepared, and afterwards all
of its components are specified.
The solution design is validated in two steps:
expert assessment and solution implementation in the
pilot cases as a part of applied research project jointly
with an IT consulting company. The framework is
refined according to the validation results.
Implementation of the solution is done by
providing BCM implementation support services for
enterprises. The case studies enable continuous
improvement of the framework.
This paper represents the first research phases: (I)
problem investigation (Section 4) and (II) solution
design, presenting BC Framework (Section 5).
4 PROBLEM INVESTIGATION
The BC implementation and provision problems are
collated from literature sources describing BCM key
issues and industry survey (25 responses from mid-
sizes enterprises from different industries). Results of
the problem-driven investigation are summarized in
the Table 1. The list includes problems that are
Table 1: The list of BC problems.
Commitment and involvement issues (Hamid, 2018; Hussain
et al., 2021; Obrenovic et al., 2020; Lingeswara & Tammineedi,
2012; Bakar et al., 2015)
Time consuming BC implementation; Gap in attitude between
experts and users; Lack of management involvement;
Conflicting priorities; No responsibility and trust issues. Low
senior management commitment; BCM implementation for the
wrong reasons.
Inadequate standardization (ES, (Hamid, 2018; Hussain et
al., 2021; Obrenovic et al., 2020; Lingeswara & Tammineedi,
2012))
Inconsistencies of the BCM adaptation; Different workplace
recovery arrangements; Business impact analysis (BIA)
sessions conducted in silos; Manual BCM processes.
Business/IT Disconnect; Weakly defined BC roles and
responsibilities; Several BCM standards and frameworks in
use; Unoptimized resource utilization.
Ineffective strategies and an inappropriate approach (ES,
(Hamid, 2018; Hussain et al., 2021; Lingeswara &
Tammineedi, 2012))
Risks and uncertainties on actual recovery activities;
Insufficient consideration of employee preferences; Limited
data analysis, lack of data-driven decisions; Dependence on
third parties (“Single-supplier” politics, locally partners only);
Location-
b
ased risk assessments; Inappropriate BIA approach.
Low preparation level for a crisis ES, (Hussain et al., 2021;
Bakar et al., 2015)
Insufficient business processes and economic actors
evaluation.; Low system-level reliability. Low system
flexibility.
Lack of resources (knowledge, financial, human) (ES,
(Hamid, 2018; Hussain et al., 2021; Lingeswara &
Tammineedi, 2012;, Bakar et al., 2015; Peterson, 2009))
Significant financial resources required; Lack of knowledge
about enterprise; Low BC awareness. Limited technology
awareness; Missing knowledge about “good practices”;
Unavailability of human resources; Lack of thorough
understanding of the data dynamics and dependencies;
Incorrect and inappropriate assumptions.
Towards a Reference Architecture for a Business Continuity
555
mentioned in at least three sources (literature or
industry survey, further referred as ES).
The main problem areas are related to the low
standardization, insufficient resources (financial,
knowledge, human), as well as cultural aspects (low
commitment, conflicting priorities etc.). The selected
problem areas for further investigation are: low
standardization and lack of knowledge.
5 PROPOSED SOLUTION
This section presents BC Framework.
5.1 BC Framework Overview
Figure 2: BC Framework overview.
A proposed BC Framework aims to support
enterprises in implementation of the BCM. It can be
used as an architecture assessment, planning and
design tool. The model formalizes knowledge in three
components (Figure 2): architecture principles,
reference architecture and maturity model.
The BC architecture principles are used to guide
resilient EA design. The reference architecture lists
BC essential architecture components thus supporting
modelling target EA. While the BC maturity model is
used to evaluate enterprise’s current BC maturity
across the different EA dimensions.
5.2 Architecture Principles
An architecture principle (The Open Group, 2019)
“represents a statement of intent defining a general
property that applies to any system in a certain
context in the architecture.” The principles are
abstract, high-level propositions, that aim to support
enterprises to accomplish their goals (Stelzer, 2010).
Enterprises can use the principles on their BC
implementation journey to build their operating
model, information systems and other relevant
concepts (Table 2). The following principles
classification is used (Stelzer, 2010): EA principle
(EAP), technology / infrastructure principle (TIP),
software architecture principle (SAP), organization
principle (OP) and business principle (BP).
Table 2: BC architecture principles.
Interoperability (Bemthuis et al., 2020; Nadhamuni et al.,
2021; R. S. Gomes, 2016), EA
P
Technical, syntactic, semantic, and organizational
interoperability; Data and states exchange; Interaction
following the business logic; Interact through cyber or physical
channels; Standard interfaces and protocols.
Autonomy and decentralization (Duchek, 2020; Obrenovic et
al., 2020; Weick, 1993; Bemthuis et al., 2020), EA
P
Power based on expertise and shared responsibilities;
Distributed leadership; More informed and decentralized
decision-making; networked structure; respectful interaction.
Vertical or horizontal integration (Hussain et al., 2021;
Bemthuis et al., 2020; R. S. Gomes, 2016; Birkel & Müller,
2021), EAP
Machines, internet, people, and value chain integration in real
time scenarios; Communication and coordination to support
inte
r
-operations.
Transparency (Birkel & Müller, 2021), EAP
Data consistency and traceability across the supply chain;
Vertical interconnection in real time.
Agility, adaptability and flexibility (Corrales-Estrada et al.,
2021a; Agility Recovery, 2022; Hussain et al., 2021; Obrenovic
et al., 2020; Weick, 1993; Ismail et al., 2011; R. S. Gomes,
2016),
B
P & OP
Flexible roles and responsibilities, Flexible and straightforward
guidelines; Adaptive and flexible culture; Improvisation and
bricolage; Shorter and more diversified supply chain; Multi-
sourcing / alternative sourcing; Strategic agility.
Independence (Bemthuis et al., 2020),
B
P & O
P
Operational independence; Managerial independence.
Robustness (Corrales-Estrada et al., 2021a; Ismail et al., 2011),
BP
Robust business processes and capabilities.
Smart Services Orientation (Hussain et al., 2021; R. S.
Gomes, 2016; Falazi et al., 2020), SA
P
Service-oriented architecture and integration; Digitally
integrated systems; Flexible systems that implement changing
business processes quickly; Extensive use of reusable
components.
Modularity (Hussain et al., 2021; Nadhamuni et al., 2021;
Ezzahra et al., 2021), SA
P
Application decomposition in integrated modules.; Modules
serving specific business domain or services; Individual
modules expanding or replacing due to changing business
requirements.
Scalability (Ezzahra et al., 2021), TIP
Horizontal scaling; Vertical scaling.
Decentralized Controlling (Hussain et al., 2021), TI
Separate components capable of making independent decisions
in the direction of circumstances without local or individual
control.
5.3 Reference Architecture
The reference architecture for BC is presented in the
three dimensions: Business architecture; Information
System architecture and Technology Architecture.
ICEIS 2023 - 25th International Conference on Enterprise Information Systems
556
Figure 3: BC Business capabilities reference map.
5.3.1 Business Architecture
Proposed Business architecture aims to define
Business Capabilities that enterprise must have to
ensure BC. The Open Group define Business
Capability as “particular ability that a business may
possess or exchange to achieve a specific purpose”
(The Open Group, 2005). This means, a Business
Capability is an abstraction of a business function,
which captures what an organization does, instead of
trying to explain how, why or where it is done (The
Open Group, 2016). Business Capabilities typically
consists of 4-5 levels. Leveling is the process of
decomposing each top-level Business capability into
lower levels to communicate more detail at a level
appropriate to the audience or stakeholder group
concerned (The Open Group, 2016). On this paper
two Business capabilities levels are considered.
Business architecture is represented in Business
capability map viewpoint (Figure 3) what is well-
known tool for addressing the challenge of business-
IT alignment; it presents enterprise major Business
capabilities enabling the organization’s business
model and reflects enterprise strategic direction
(Bondel et al., 2018).
Resilience results from both operational and
strategic capabilities (Ismail et al., 2011). BCM is the
main capability, other strategic and operational
capabilities supports or triggers BC (Table 3).
Table 3: BC Business capabilities list.
Strategy management
Strategy management defines BC related strategies, as business
strategy, business recovery strategy, risk tolerance strategy
(Gibb & Buchanan, 2006, Pinto et al., 2022). The strategic plans
can rectify some of the existing society vulnerabilities,
employing strategic planning, enterprises are more in control of
their fate (Obrenovic et al., 2020). In terms of the BC, it is
important to carefully plan supply chain strategies, including
sourcing strategies (Agility Recovery, 2022).
Policy management
Policy management defines and describes organization BC
related policies, based on defined strategies. Policies and
actions, including prevention and incident response contributes
in workforce protection (Obrenovic et al., 2020). Typical BC
related policies are (Pinto et al., 2022, Gibb & Buchanan, 2006):
BCM policy, training and induction policy, documentation and
reporting policy. It is concluded that organizations with
financial contingency plans and policies sustain their operation
b
etter in distributive events (Obrenovic et al., 2020).
BCM
BCM includes BC planning capabilities, as well as monitoring,
crisis management, recovery and learning (Hamid, 2018, Pinto
et al., 2022).The best practices and international standards (ISO,
2019) suggest enterprises to perform business impact analysis
(BIA), identify critical processes, resources, possible disturbing
events and define alternative processes and resources in BC
plans. Disaster recovery (DR) plans are prepared accordingly.
Besides BC and DR planning, it is essential also to test plans
and train employees (Gibb & Buchanan, 2006). To detect
disruptive events, monitoring must be applied. Crisis
management deals with actual crisis situation in terms of
communication and collaboration. While recovery activities
returns business as usual. Lessons learned must be analyzed to
ensure capability continuous improvement.
Towards a Reference Architecture for a Business Continuity
557
Table 3: BC Business capabilities list (cont.).
Risk and compliance management
Risk and compliance management identifies and oversees
different kinds of organization risks, their levels, defines risk
reaction strategies and treatments ; Pinto et al., 2022, Gibb &
Buchanan, 2006). Typical risk categories are (Buhr, 2015; ;
White et al., 2020): business risks, financial risks, operational
risks, IT security risks, third party risks, geopolitical risks,
climate risks. The pandemic has spotlighted dependencies on
third parties and their resilience (Agility Recovery, 2022), so
third-party risk category is essential. Risk and compliance
management is directly interrelated with BCM, as risk
assessment is key activity in BIA and based on it BC and DR
are planned.
Facility management
Facility management deals with facilities related assets
management, as buildings, physical workplaces etc. Typically,
BC plans focuses on IT related assets, meantime facilities are
critical assets that must be considered in BIA (Pitt & Goyal,
2004). Facility monitoring activities must be applied to detect
distributions and damages. Facility management enables
workplace transformation by implementing remote ang hybrid
workplaces required in crisis situations (Tanpipat et al., 2021).
IT management
IT management ensures digital assets BC, as well as provide
BC supporting Application and Technology components .
People and culture management
People and culture management ensures that right people with
required competences are executing BCM roles (as operational
and IT risk managers and others) (Agility Recovery, 2022). The
capability enables enterprise sustainability (Yadav et al., 2019)
and resilience (Lengnick-Hall et al., 2011) and is responsible
about employees training and education to create resilient
workforce (Duchek, 2020). Enterprise culture also take
important role in BCM culture must provide sense of
openness, stability and safety (Agility Recovery, 2022). Culture
must promote continuous learning.
Public relationship & communication management
Public relationship & communication management is essential
capability if crisis situation occurs and external stakeholders are
involved (for example, enterprise customers) (Agility
Recovery, 2022). Besides external stakeholders, enterprises
must ensure information flow between internal business units
and employees (Obrenovic et al., 2020). Multichannel
communication is advised to reach different stakeholders
groups (Obrenovic et al., 2020).
Safety, health and environmental management
Safety, health and environmental management is responsible
about workplace accidents reduce and work environment safety
increase what aims to increase enterprise resilience and
sustainability (Asah-Kissiedu et al., 2020; Asah-Kissiedu et al.,
2021).
Third party management
Third party management oversees different kinds of third
parties as due to partners ecosystems evolvement third parties
play important role enterprises products and services delivery
(Hamid, 2018).
Capability consists of four main components:
roles, business processes, information and
tools/applications (The Open Group, 2016). Each
Level 1 business capability is described in a
capability card (Table 4).
Table 4: Business capability card (example).
Capability: Business continuity managemen
t
(BCM)
Description: Ability to ensure continuou
s
operation in case of infectio
n
outbrea
k
in organization
Components: Roles Users: Product owner, proces
s
owner
Stakeholders: Enterprise mana
-
gement, SMEs, IT administrators,
IT support specialists
Business units (Hamid, 2018):
Continuity Management Team,
Coordinator Team, Crise
s
Command Team, Busines
s
Recovery Team, IT Recover
y
Team, Administrative Suppor
t
Team
Sub-capabilities BIA, BC planning, Inciden
t
response planning, Disaste
r
recovery planning, Monitoring,
Crisis management, Recovery
&
lessons learned analysis
Data Enterprise products, Enterpris
e
p
rocesses, Enterprise assets, Risks,
Controls
Applications HR application, ERP application,
Incidents monitoring tool, Asse
t
management system, Knowledge
database, BCM tool
5.3.2 Information System Architecture
Information System reference architecture presents
Application Components that can support Business
Capabilities. An Application Component (The Open
Group, 2019) “represents an encapsulation of
application functionality aligned to implementation
structure, which is modular and replaceable.”
Information system reference architecture is
represented in the Application Map viewpoint what is
typically used to create an overview of the application
landscape of an organization (Figure 4). BC can be
supported by different kind of applications and
technologies (Papadopoulos et al., 2020). Enterprises
need to relay on Enterprise resource planning (ERP)
systems, digital libraries, asset management and
inventory management systems (Madhubhashini,
2019). An important role in the BCM plays the
organization’s knowledge base (Duchek, 2020).
Geographical information systems and Geographical
positioning systems bring value by helping to detect
location of the affected areas (Vogt et al., 2011).
Meanwhile, data analytics solutions support
enterprises in data driven decisioning in BCM
(Hussain et al., 2021; Sheng et al., 2021). Digital
twins support disaster scenarios simulation (Hussain
et al., 2021; Birkel & Müller, 2021). Intranet, social
media, and online communication platforms are
widely used for communication (Obrenovic et al.,
2020).
ICEIS 2023 - 25th International Conference on Enterprise Information Systems
558
BA interaction with IA is represented in the form
of matrix (Table 5).
Figure 4: Application map.
Table 5: The Business Capabilities and Application
Components matrix.
Business
Capability
Application
Component
Main use case
Strategy
management
Intranet Strategies communication
DMS Strategies coordination and
communication
Communication
tools
Strategies communication
Data analytics tools Strategic decisions support
Policy
management
Intranet Strategies communication
DMS Strategies coordination and
communication
Communication
tools
Strategies communication
BCM ERP systems Assets and resources
identification
AMS system Assets and resources
identification
KMS Lessons learned & knowledge
capturing
BCM tools BIA; Alternative processes
scenarios definition; BCM
implementation plan preparation
& tracking; BCM
documentation preparation &
storing
Data analytics
solutions
BC decisions support
GIS and GPS Disasters affected areas
determination
Digital twins Disaster scenarios simulation
5.3.3 Technology Architecture
Technology reference architecture aims to define
Nodes, Equipment and Facilities, that provide
grounds for Application Components operation.
Node “represents a computational or physical
resource that hosts, manipulates, or interacts with
other computational or physical resources”, while
Equipment “represents one or more physical
machines, tools, or instruments that can create, use,
store, move, or transform materials” and Facility is
“physical structure or environment.”(The Open
Group, 2019). Physical elements are used to model
cyber-physical ecosystem. Reference architecture is
represented in the Technology viewpoint (Figure 5)
what contains hardware and physical technology
elements ensuring Application Components
operation. Technology architecture is represented in
an abstract level, as it varies based on Information
system architecture realization and enterprise
technological choices (vendors, sourcing policy,
etc.).
Besides “traditional” Technology architecture
components, as servers and devices, emerging
technologies, as cyber-physical systems, the
intelligent machines, autonomous robotics supports
cooperation of enterprises key assets: machines,
internet, people, and value chain in real time
scenarios (Hussain et al., 2021; Bemthuis et al.,
2020). The use of Internet of Things and physical
sensors to monitor facilities and ensure safe
workplace is a globally identified opportunity
(Otoom et al., 2020,Petrovic & Kocić, 2020, Bashir
et al., 2020). The cloud computing (Hussain et al.,
2021; Sheng et al., 2021; R. S. Gomes, 2016) allows
computing resources to be available when needed,
offering agility and scalability.
Figure 5: Technology architecture.
5.4 Maturity Model
The BC Maturity Model is an assessment tool, that
supports enterprises in evaluation of their current BC
maturity. It consists of a questionnaire and a maturity
assessment model, that shows desirable EA
Towards a Reference Architecture for a Business Continuity
559
characteristics for on each maturity level. The
questionnaire is built following the defined BC
principles and the reference architecture. It consists of
a set of the statements about enterprise BC in different
EA dimensions (Table 6). The Likert scale is used to
provide the responses. The output of the
questionnaire is a maturity radar.
Table 6: TCA Maturity Level Matrix (a fragment).
Area/
Level
Architecture Principles: Interoperability
Level 0 Manual data exchanges across business processes,
applications and technology components.
Level 1 Semi-manual data exchange between applications.
Siloed information exchange between business
processes.
Level 2 Automated data exchange between applications.
Level 3 Automated data exchange between business
processes, applications and technology components.
Defined integration patterns.
Level 4 Automated data exchange between business
processes, applications and technology components.
Defined integration patterns. Standardized interfaces
and protocols.
Level 5 Optimized flows between business processes,
applications and technology components. Business
logic-oriented interaction via cyber and physical
channels. Defined integration patterns. Standardized
interfaces and protocols. Common business glossary
and data architecture in place.
Area/
Level
Architecture Principles: Autonomy &
decentralization
Level 0 Hierarchical organization structure with centralized
leadership and central decision taking bodies.
Formal and asynchronous communication and
interaction.
Level 1 Hierarchical organization structure with distributed
leadership and central decision taking bodies.
Formal and synchronous communication and
interaction.
Level 2 Hierarchical organization structure with distributed
leadership and central decision taking bodies. Shared
responsibilities. Formal and synchronous
communication and interaction.
Level 3 Networked structure with distributed leadership and
central decision bodies. Shared responsibilities.
Synchronous, open and respectful communication
and interaction.
Level 4 Networked structure with distributed leadership and
power based on expertise and shared responsibilities.
Transparent, decentralized decision-making.
Synchronous, open and respectful communication
and interaction.
Level 5 Networked structure with distributed leadership and
power based on expertise and shared responsibilities.
Transparent and decentralized decision-making.
Synchronous, open and respectful communication
and interaction. Vertically and horizontally
integrated autonomous, decentralized applications
and technologies.
The model uses CMMI five levels of maturity and
it considers such categories: (1) Principles - how well
BC principles are implemented across EA
dimensions; (2) Business Capabilities - if all
capabilities are implemented and what are their
quality and effectiveness; (3) Applications which
components are implemented and what are their
integration level; (4) Technology which
components supports enterprise BC.
6 DEMONSTRATION
The framework application is demonstrated in a
public sector institution target EA development
project.
6.1 The Case Overview
The public sector institution operating in a tax and
customs administration area (further referred as TCA)
has a complex EA. The number of employees exceeds
4000, and they are located in subsidiaries across the
country. IT function is centralized in headquarters,
and it is responsible about institutional digitalization
and provision of the stable IT environment. The TCA
has about 70 information systems, including about 20
state information systems supporting delivery of
critical government services. Most of the systems are
deployed in a local data centre, located in the
headquarters. Historically, there is large technology
diversity. The institution is willing to define their
target EA and engage external IT consultants to
advise them. The project includes 3 phases: existing
situation analysis; target EA definition; EA roadmap
preparation. The project scope is limited to
Information system and Technology architecture
dimensions.
6.2 BC Maturity Assessment
Existing situation analysis includes different EA
assessment factors, as compliance to business and
technology requirements and the best practices,
maintainability, cost effectiveness and others. TCA is
providing essential public services thus BC is
considered as a critical institution capability.
The average TC BC maturity level is 2, it is
repeatable, but initiative (Figure 6). The lowest
maturity dimensions are: (1) compliance to
Architecture Principles caused by of historically
evolved EA and centralized decisions making
structure and (2) Technology Architecture, as mainly
“traditional” components (servers, devices) are used.
ICEIS 2023 - 25th International Conference on Enterprise Information Systems
560
The highest maturity level is in Business Capabilities
dimension, as public sector institutions are regulated
and risk averse. Still, also this dimension maturity
level is low and must be increased.
Figure 6: TCA BC maturity radar.
Besides the maturity levels and improvement
path, results of the existing situation assessment
highlight several BC related problems, such as: (1)
business processes disruption due to unstable
operation of the critical systems (downtown tends to
exceed defined recovery time objective); (2) disaster
recovery difficulties; (3) information unavailability
due to low systems performance. The root causes of
the problems were investigated and lack of
standardization and limited knowledge were among
them.
6.3 Target EA Design
The target EA is designed considering defined BC
Architecture Principles and the Reference
Architecture. The principles are detailed into the
TCA architecture requirements (Table 7). An
architecture requirement (The Open Group,
2005): “represents a statement of need defining a
property that applies to a specific system as
described by the architecture.” The architecture
requirements realize architecture principles. The
principles are generalized to wider audience, while
the requirements represent principles realization in
particular organization EA design.
Table 7: BC architecture principles and requirements map
(a fragment).
Principle - Interoperability
Requirement EA comp. Required changes
Provide
centralized
integration point
for standard
interfaces
Integration
platform
Replace existing
platform (extended
platform services, new
technology).
Standardize (rebuild)
existing interfaces
(priority unsecure
protocols).
Eliminate historical
integration
components.
Provide 360
customer view
Data analytics
solution,
Customer
relationship
management
(CRM) system
Implement new
application services
(CRM system).
Integrate new data
sources in Data
analytics solution
(social media, others).
Provide business
processes
orchestration
and common
tasks
management
Business process
management
(BPM) system
Implement new
application component
(BPM system)
Ensure metadata
management
Master data
management
(MDM) system
Implement new
component (MDM
system)
Principle - Smart Services Orientation
Requirement EA comp. Required changes
Provide self-
service for public
services users
(citizens,
enterprises) in
digital channels
E-services portal,
Mobile app
Implement new
application services
(E-services portal).
Redesign E-services
portal architecture.
Integrate CRM and
wider data analytics.
Implement new
application component
(Mobile app).
Provide online
information
availability users
(citizens, other
public
institutions)
Data analytics
solution, Open
data portal
Implement new
application services
(data analytics
solution).
Redesign open data
transformation service.
Divide
application in
service-oriented,
flexible
microservices
Customs system
Redesign system
architecture
Reuse available
state level
services
Document
storage service
Integrate document
storage service.
Migrate documents
and eliminate existing
data stores.
Reuse external
standard
services
E-services portal,
Messaging
service,
Surveying
service
Redesign E-services
portal architecture.
Integrate new external
services (Messaging
service, Surveying
service).
1,5
2,5
2,2
1,8 0
1
2
3
4
5
Architecture
Principles
Business
Capabilities
Applications
Technology
Towards a Reference Architecture for a Business Continuity
561
The target EA components realize the requirements
thus it is assumed that the TCA BC level will increase
after target EA implementation. The fragment of the
TCA target EA in the form of ArchiMate
Requirement Realization Viewpoint is shown in the
Figure 7.
Figure 7: TCA target EA (fragment).
The reference architecture components are used to
validate target EA components. The gaps between
envisioned EA and reference model components are
highlighted according to the TOGAF gap analysis
technique recommendations (The Open Group,
2005).
6.4 Discussion
The example demonstrates application of a part of the
BC Framework. The BC Maturity Model allows to
identify BC maturity level and highlight development
needs. The principles support design of the target EA,
as well evaluate particular solution alternatives. The
principles can be decomposed to organization
specific architecture requirements to integrate BC
best practices; proper requirement management is the
central part of an EA design. BC Reference
Architecture can be used to validate target EA
components and guide their development.
Several limitations have been observed during the
case to be addressed in the further research. To
translate architecture principles in architecture
requirements, expert involvement and deep domain
knowledge is required. We claim that main BC
component is Business Capabilities. While EAM
covers several dimensions, including Business
architecture, empirical observations in numerous EA
design projects in the Baltics region shows that still
EA typically is perceived as IT discipline. It rises
challenges in Business architecture related principles
and Business Capabilities realization as part of EAM
initiatives.
Not all defined BC Architecture Principles and EA
components are relevant in every industry
andenterprise. For example, in the public sector
institutions, the organization culture mainly is
“traditional”, involving centralized decision taking and
relatively low agility and autonomy. The organization
structure, roles, responsibilities are well defined, and
everybody is expected to perform particular tasks.
Cultural aspects change is a long-term activity
requiring the highest leadership commitment, what
typically it is not part of EAM initiatives.
7 CONCLUSION
The paper proposes the BC Framework, that provide
guidance of BCM capabilities implementation across
different EA dimensions. The proposed framework
aims to address enterprises issues related to the low
standardization and missing knowledge. The
architecture principles encapsulate related research
results, thus providing knowledge base what can be
used for EA design. The standardization is promoted
by the reference architecture for BC. The reference
architecture proposes BC related architecture
components decomposition, thus promoting
standardization. Standardization may trigger the costs
decrease. It is assumed that the BC Framework would
increase enterprise competences in BCM and enable
better preparation for crisis, as the framework
incorporates knowledge from the best practices.
In the design science research cycle, the current
paper has focused on the investigation and solution
design phases. The framework evaluation will be
performed in the next research phase. Jointly with IT
consulting company it is planned to apply framework
for the company’s clients. The first step will be
enterprises current BC maturity evaluation, using BC
Maturity Model. Afterwards the maturity increase
plan will be prepared, based on the BC principles and
reference architecture. The maturity will be re-
measured after the plan implementation. Besides the
framework practical application, the enterprises
feedback will be collected and integrated in the
framework next versions.
ACKNOWLEDGEMENTS
Project Platform for the Covid-19 safe work
environment” (ID. 1.1.1.1/21/A/011) is founded by
ICEIS 2023 - 25th International Conference on Enterprise Information Systems
562
European Regional Development Fund specific
objective 1.1.1 «Improve research and innovation
capacity and the ability of Latvian research
institutions to attract external funding, by investing in
human capital and infrastructure». The project is co-
financed by REACT-EU funding for mitigating the
consequences of the pandemic crisis.
REFERENCES
Agility Recovery. (2022). The State of Business Continuity
Industry Observations and Trends for 2022 and Beyond
Guide.
Anir, H., Fredj, M., & Kassou, M. (2019). Towards an
Approach for Integrating Business Continuity
Management Into Enterprise Architecture.
International Journal of Computer Science and
Information Technology, 11(02).
Asah-Kissiedu, M., Manu, P., Booth, C. A., Mahamadu, A.
M., & Agyekum, K. (2021). An integrated safety,
health and environmental management capability
maturity model for construction organisations: A case
study in Ghana. Buildings, 11(12).
Asah-Kissiedu, M., Manu, P., Booth, C., & Mahamadu, A.-
M. (2020). Organisational Attributes that Determine
Integrated Safety, Health and Environmental
Management Capability. MATEC Web of Conferences,
312.
Aulkemeier, F., Schramm, M., Iacob, M. E., & van
Hillegersberg, J. (2016). A service-oriented e-
commerce reference architecture. Journal of
Theoretical and Applied Electronic Commerce
Research, 11(1), 26–45.
Bakar, Z. A., Yaacob, N. A., & Udin, Z. M. (2015). The
effect of business continuity management factors on
organizational performance: A conceptual framework.
International Journal of Economics and Financial
Issues, 5.
Bashir, A., Izhar, U., & Jones, C. (2020). IoT-Based
COVID-19 SOP Compliance and Monitoring System
for Businesses and Public Offices. 14.
Bemthuis, R., Iacob, M. E., & Havinga, P. (2020). A design
of the resilient enterprise: A reference architecture for
emergent behaviors control. Sensors (Switzerland),
20(22).
Birkel, H., & Müller, J. M. (2021). Potentials of industry
4.0 for supply chain management within the triple
bottom line of sustainability A systematic literature
review. In Journal of Cleaner Production (Vol. 289).
Boin, A., & McConnell, A. (2007). Preparing for critical
infrastructure breakdowns: The limits of crisis
management and the need for resilience. Journal of
Contingencies and Crisis Management, 15(1).
Boin, A., & van Eeten, M. J. G. (2013). The Resilient
Organization. Public Management Review, 15(3).
https://doi.org/10.1080/14719037.2013.769856
Bondel, G., Faber, A., & Matthes, F. (2018). Reporting
from the Implementation of a Business Capability Map
as Business-IT Alignment Tool. Proceedings - IEEE
International Enterprise Distributed Object Computing
Workshop, EDOCW, 2018-October, 125–134.
Buhr, B. (2015). Élargir le champ de l’analyse du risque de
crédit. Revue d’économie Financière
, N° 117(1).
Buhr, B. (2017). Assessing the sources of stranded asset
risk: a proposed framework. Journal of Sustainable
Finance and Investment, 7(1).
Corrales-Estrada, A. M., Gómez-Santos, L. L., Bernal-
Torres, C. A., & Rodriguez-López, J. E. (2021).
Sustainability and resilience organizational capabilities
to enhance business continuity management: A
literature review. Sustainability (Switzerland), 13(15).
Duchek, S. (2020). Organizational resilience: a capability-
based conceptualization. Business Research, 13(1).
Ezzahra, E. F., Noureddine, E. A. A., Mohamed, Y., &
Omar, B. (2021). Scalable and Reactive Multi Micro-
Agents System Middleware for Massively Distributed
Systems. International Journal of Advanced Computer
Science and Applications, 12(11).
Falazi, G., Lamparelli, A., Breitenbuecher, U., Daniel, F.,
& Leymann, F. (2020). Unified Integration of Smart
Contracts through Service Orientation. In IEEE
Software (Vol. 37, Issue 5).
Farzi, N. (2022). Investigation the Place of BIAN Standard
in Digital Banking Enterprise Architecture. Technium
Social Sciences Journal, 27.
Gibb, F., & Buchanan, S. (2006). A framework for business
continuity management. International Journal of
Information Management, 26(2).
Gomes, P., Cadete, G., & da Silva, M. M. (2017). Using
enterprise architecture to assist business continuity
planning in large public organizations. Proceedings -
2017 IEEE 19th Conference on Business Informatics,
CBI 2017, 1.
Gomes, R. S. (2016). Resilience and enterprise architecture
in SMEs. Journal of Information Systems and
Technology Management, 12(3).
Gregor, S., Hart, D., & Martin, N. (2007). Enterprise
architectures: Enablers of business strategy and IS/IT
alignment in government. Information Technology &
People, 20(2).
Haki, K., & Legner, C. (2021). The mechanics of enterprise
architecture principles. Journal of the Association for
Information Systems, 22(5).
Hamid, A. H. A. (2018). Limitations and challenges
towards an effective business continuity management
in Nuklear Malaysia. IOP Conference Series: Materials
Science and Engineering, 298(1).
Hamit, L. C., Sarkan, H. M., Mohd Azmi, N. F., Mahrin,
M. N. ri, Chuprat, S., & Yahya, Y. (2020). Adopting an
ISO/IEC 27005:2011-based risk treatment plan to
prevent patients from data theft. International Journal
on Advanced Science, Engineering and Information
Technology, 10(3).
Herbane, B., Elliott, D., & Swartz, E. M. (2004). Business
Continuity Management: time for a strategic role? Long
Range Planning, 37(5).
Hernantes, J., Maraña, P., Gimenez, R., Sarriegi, J. M., &
Labaka, L. (2019). Towards resilient cities: A maturity
Towards a Reference Architecture for a Business Continuity
563
model for operationalizing resilience. Cities, 84.
Hussain, A., Farooq, M. U., Habib, M. S., Masood, T., &
Pruncu, C. I. (2021). Covid-19 challenges: Can industry
4.0 technologies help with business continuity?
Sustainability (Switzerland), 13(21).
Ismail, H. S., Poolton, J., & Sharifi, H. (2011). The role of
agile strategic capabilities in achieving resilience in
manufacturing-based small companies. International
Journal of Production Research, 49(18).
ISO. (2019). ISO 22301:2019(en) Security and resilience
— Business continuity management systems —
Requirements.
Kelly, N., & Gero, J. S. (2021). Design thinking and
computational thinking: A dual process model for
addressing design problems. Design Science.
Lengnick-Hall, C. A., Beck, T. E., & Lengnick-Hall, M. L.
(2011). Developing a capacity for organizational
resilience through strategic human resource
management. Human Resource Management Review,
21(3).
Lingeswara, R., & Tammineedi, S. (2012). Key Issues,
Challenges & Resolutions in Implementing Business
Continuity Projects. ISACA Journal, 1.
Madhubhashini, G. T. (2019). The use of information and
communication technologies (ICTs) for natural disaster
management in Sri Lanka. International Journal of
Interdisciplinary Global Studies, 14(2).
Margherita, A., & Heikkilä, M. (2021). Business continuity
in the COVID-19 emergency: A framework of actions
undertaken by world-leading companies. Business
Horizons, 64(5), 683–695.
Nadhamuni, S., John, O., Kulkarni, M., Nanda, E.,
Venkatraman, S., Varma, D., Balsari, S., Gudi, N.,
Samantaray, S., Reddy, H., & Sheel, V. (2021). Driving
digital transformation of comprehensive primary health
services at scale in India: An enterprise architecture
framework. BMJ Global Health, 6.
Niemimaa, M. (2015a). Extending “toolbox” of business
continuity approaches: Towards practicing continuity.
2015 Americas Conference on Information Systems,
AMCIS 2015.
Niemimaa, M. (2015b). Interdisciplinary review of
business continuity from an information systems
perspective: Toward an integrative framework.
Communications of the Association for Information
Systems, 37.
Niemimaa, M., Järveläinen, J., Heikkilä, M., & Heikkilä, J.
(2019). Business continuity of business models:
Evaluating the resilience of business models for
contingencies. International Journal of Information
Management,
49.
Nolan, R. L. (1997). Top-down driven architecture design.
Information Management & Computer Security, 5(4).
Obrenovic, B., Du, J., Godinic, D., Tsoy, D., Khan, M. A.
S., & Jakhongirov, I. (2020). Sustaining enterprise
operations and productivity during the COVID-19
pandemic: “Enterprise effectiveness and sustainability
model.” Sustainability (Switzerland), 12(15).
Otoom, M., Otoum, N., Alzubaidi, M. A., Etoom, Y., &
Banihani, R. (2020). An IoT-based framework for early
identification and monitoring of COVID-19 cases.
Biomedical Signal Processing and Control, 62.
Pal, R., Torstensson, H., & Mattila, H. (2014). Antecedents
of organizational resilience in economic crises - An
empirical study of Swedish textile and clothing SMEs.
International Journal of Production Economics,
147(PART B).
Papadopoulos, T., Baltas, K. N., & Balta, M. E. (2020). The
use of digital technologies by small and medium
enterprises during COVID-19: Implications for theory
and practice. International Journal of Information
Management, 55.
Peterson, C. A. (2009). Business Continuity Management
& guidelines. Proceedings of the 2009 Information
Security Curriculum Development Annual Conference,
InfoSecCD’09.
Petrovic, N., & Kocić, Đ. (2020). IoT-based System for
COVID-19 Indoor Safety Monitoring SCOR (Semantic
COordination for Rawfie) View project. http://mqtt.org/
Pinto, D., Fernandes, A., da Silva, M. M., & Pereira, R.
(2022). Maturity Models for Business Continuity-A
Systematic Literature Review. International Journal of
Safety and Security Engineering, 12(1).
Pitt, M., & Goyal, S. (2004). Business continuity planning
as a facilities management tool. Facilities, 22.
Prataviera, L. B., Creazza, A., Melacini, M., & Dallari, F.
(2022). Heading for Tomorrow: Resilience Strategies
for Post-COVID-19 Grocery Supply Chains.
Sustainability (Switzerland), 14(4).
Seraoui, Y., Raouyane, B., Belmekki, M., & Bellafkih, M.
(2020). eTOM to NFV mapping for flexible mobile
service chaining in 5G networks: IMS use case.
Heliyon, 6(6).
Sheng, J., Amankwah-Amoah, J., Khan, Z., & Wang, X.
(2021). COVID-19 Pandemic in the New Era of Big
Data Analytics: Methodological Innovations and Future
Research Directions. British Journal of Management,
32(4).
Stelzer, D. (2010). Enterprise architecture principles:
Literature review and research directions. Lecture
Notes in Computer Science (Including Subseries
Lecture Notes in Artificial Intelligence and Lecture
Notes in Bioinformatics)
, 6275 LNCS.
Tanpipat, W., Lim, H. W., & Deng, X. (2021).
Implementing remote working policy in corporate
offices in Thailand: Strategic facility management
perspective. Sustainability (Switzerland), 13(3).
The Open Group. (2005). The TOGAF ® Standard.
www.opengroup.org/legal/licensing.
The Open Group. (2016). Open Group Guide Business
Capabilities.
The Open Group. (2019). Archimate® 3.1 Specification. In
The Open Group.
Timm, F., Sandkuhl, K., & Fellmann, M. (2017). Towards
A Method for Developing Reference Enterprise
Architectures. Proceedings Der 13. Internationale
Tagung Wirtschaftsinformatik (WI 2017).
Tummers, J., Tobi, H., Catal, C., & Tekinerdogan, B.
(2021). Designing a reference architecture for health
ICEIS 2023 - 25th International Conference on Enterprise Information Systems
564
information systems. BMC Medical Informatics and
Decision Making, 21(1).
Virtual Corporation. (2003). Business Continuity Maturity
Model. Virtual Corporation.
Vogt, M., Hertweck, D., & Hales, K. (2011). Strategic ICT
alignment in uncertain environments: An empirical
study in emergency management organizations.
Proceedings of the Annual Hawaii International
Conference on System Sciences.
Webster, J., & Watson, R. T. (2002). Analyzing the Past to
Prepare for the Future: Writing a Literature Review.
MIS Quarterly, 26(2).
Weick, K. E. (1993). The Collapse of Sensemaking in
Organizations: The Mann Gulch Disaster.
Administrative Science Quarterly, 38(4).
Wendler, R. (2012). The maturity of maturity model
research: A systematic mapping study. Information and
Software Technology, 54(12).
White, B. S., King, C. G., & Holladay, J. (2020).
Blockchain security risk assessment and the auditor. In
Journal of Corporate Accounting and Finance (Vol. 31,
Issue 2).
Wieringa, R. (2009). Design science as nested problem
solving. Proceedings of the 4th International
Conference on Design Science Research in Information
Systems and Technology, DESRIST ’09.
Yadav, M., Kumar, A., Mangla, S. K., Luthra, S., Bamel,
U., & Garza-Reyes, J. A. (2019). Mapping the human
resource focused enablers with sustainability
viewpoints in Indian power sector. Journal of Cleaner
Production, 210.
Zhang, M., Chen, H., & Luo, A. (2018). A Systematic
Review of Business-IT Alignment Research with
Enterprise Architecture. IEEE Access, 6.
Towards a Reference Architecture for a Business Continuity
565