A Standard-Based Concept of the Integration of the Corporate Recovery Management Systems: Coping with Adversity and Uncertainty during a Pandemic

Abstract

The aim of this study is to develop a conceptual model for the better coordination of recovery management systems to improve organizational performance in light of the new challenges of the COVID-19 pandemic. The author provides a revision of “the corporate recovery prism” model by presenting an extended standard-based concept of the integration of the corporate recovery management systems. It offers, among others, two new dimensions which result in a “pentagonal pyramid”. They emphasize the type of events in the individual elements of the concept and highlight the basis of the concept on standardization. The concept has been designed in order to develop the planning, preparation, and response to incidents from an event up to a crisis and, ultimately, to improve the company’s ability to thrive and prosper in an uncertain environment. For the initial validation of the concept, empirical research was conducted in Polish enterprises. The methodology of the survey is based on a questionnaire of the best practices in addressing the COVID-19 crisis in organizations. It is used for checking the relationships between organizational performance and a triad of the concept elements, such as organizational resilience (OR), crisis management (CM), and business continuity management (BCM). Using the survey results, a strong correlation was found between the triad and the performance. Therefore, the main finding of the survey shows that elements of the concept build better performance and sustainability in enterprises during a pandemic.

1. Introduction

The outbreak of the COVID-19 pandemic has affected societies around the world. Most of the formal actions related to this situation were taken late by the governments of the European countries, after the declaration of a pandemic by the World Health Organization (WHO). For this reason, these were mainly activities based on a strategy related to minimizing the effects of the crisis, such as maintaining social distance, as broadly understood. These actions were intended to slow and spread the effects of the pandemic over time in a way that would allow the functioning of the health service and prevent the collapse of the health care system. Health-related crises are a good example of extreme destabilization that can affect different sectors of modern society and human productivity in such a negative way that they can face huge survival problems [1]. The pandemic and the above-mentioned government actions affected most societies and organizations vulnerable to this type of threat. In this aspect, the issues of crisis management, business continuity management, and broadly understood organizational resilience play very important roles. The triad represents the elements of societal security in the context of protecting society/organizations from, and responding to, incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures. Societal security is a concept developed by the Copenhagen School of Security Studies that focuses on a society’s ability to survive in its fundamental nature in changing conditions and possible or actual threats. It was developed in the 1990s in the context of the end of the Cold War. This paradigm reduces the role of state power in ensuring security by confronting threats and highlights instead the questions of community identity and social dynamics [2].

An example of the idea is the National Security Strategy of the Swedish Emergency Management Agency depicted in Figure 1.

Moreover, in order to manage the constantly increasing dynamics and hostility of the environment, companies need to change as well and, at the same time, maintain the sustainability of their products, processes, organization, and strategy. In a highly competitive market, the fittest will survive. It is important that each company has its own individualized, sustainable improvement strategy to strengthen the company’s ability to thrive and prosper in an uncertain environment [4]. An uncertain environment causes adversity in the form of many threats that negatively affect the functioning of an organization, such as incidents, disruptions, crises, or disasters. The results of those events also often have an effect on the environment, economy, and society. As far as the environment is concerned, one can divide it into environmental degradation, biodiversity loss, climate change, overconsumption, and population growth. Environmental degradation and climate change, especially, have a huge influence on environmental sustainability. These aspects attract the attention of scientists in areas such as the techno-economic analyses of the emission of air pollutants [5], the reduction in soil pollutants [6], wastewater management [7], drinking water treatment [8], modern energy sources [9], or the recovery of elements from the technological processes of biogas [10] or sludge water [11]. As far as the economy and society are concerned, the concept of Industry 4.0 as a new paradigm of modern business is very important [12]. This phenomenon requires continuous development and in this context two options can be considered. The first is the application of the principles of corporate social responsibility; the second is to gain a competitive advantage of the enterprises and at the same time to increase the corporate profits [13]. Project management is also a useful tool for effective planning and management [14]. Information technology (IT) plays a crucial role in Industry 4.0. The top challenges for organizations are to implement smart manufacturing solutions and to adopt artificial intelligence [15]. The complexity of local computer networks also brings increasing demands for the continuous monitoring of their proper performance, which is a precondition of their safety and reliability [16]. All of the above-mentioned aspects of an environment, economy, and society in the event of disruption may cause failures in the socio-technical systems. It is sufficient to mention the large industrial accidents, which devastate the natural and technological environment. The condition of the organization’s survival in an uncertain environment seems to be absolutely essential in allowing the organization to subsequently realize its sustainable development.

Studies in the field of security, among others, are in a large measure dependent on clear and universally agreed definitions of the terms and well-defined parameters, as having them gives the possibility of standardization and facilitates the sharing of knowledge [17]. In security standardization, an important role is played by the International Organization for Standardization (ISO), which, among others, after showing a lack of international disaster preparedness standards, such as in the case of the sinking of the Kursk, a Russian submarine, in the Barents Sea, asked the ISO/TC 223, the Technical Committee for Societal Security, in 2006, to investigate the feasibility of developing a standard in this case [18]. A series of activities related to disaster preparedness was presented in the ISO/PAS 22399: 2007 societal security standard, written as a guide, which will be helpful in preparing for incidents and ensuring the continuity of activities [19]. ISO/PAS 22399 has now been replaced by ISO 22320: 2018 Security and resilience. ISO/TC 223—Societal security is a technical committee of the International Organization for Standardization created in 2001 to develop standards in societal security. In 2015, ISO/TC 223 was transformed into ISO/TC 292 Security and resilience. The committee was created to develop standards in security and resilience. The triad of crisis management (CM), business continuity management (BCM), and organizational resilience (OR) comprises the absolutely key elements of the societal security of sustainable organization, especially in the context of incident response and recovery management.

The main research hypothesis of the study concerns the possibility of improving an organization’s performance during a pandemic through the coordination and integration of the recovery management systems in an organization. The result of the research is to propose a concept model designed to increase organizational robustness and, finally, the company’s capacity to sustain and prosper in the uncertain environment.

The paper structure consists of the abstract (summarizing the article’s aim, methods, results, and conclusions); the introduction (placing the study briefly, in a broad context of the aspects of societal security and the sustainable improvement strategy, and stating the research hypothesis); a literature review (describing the topic with respect to the previous and present theoretical background of recovery management frameworks); the materials and methods (describing the methods used in the research by explanation of the individual steps and listing them); the results (providing a precise description of the survey results of the best practices in addressing the COVID-19 crisis in organizations); the discussion (discussing the results and limitations and how they can be interpreted in the perspective of the research hypotheses); and the conclusions (indicating clear confirmation of the research hypothesis).

2. Review of the Literature

Regardless of the kind of organization, one of the basic problems is its survival. It is also an original aim of every organization, which, in order to maximize profitability, first of all has to exist and operate. Nowadays, it is understood that the safety of an organization is not its condition free from threats, but a condition in which an organization can manage its threats, i.e., reduce vulnerability to threats and minimize the effects of their occurrence. Only the organization that has those abilities is capable of properly operating in an uncertain environment and developing in a sustainable manner. A sustainable company/organization concentrates on the development of knowledge, creativity, analytical skills, and learning in order to exceed the existing requirements/standards and consequently achieve a permanent competitive advantage in the future [20].

Faulkner defines crises as internal in nature, which can be controlled by a community or an organization, whereas disasters are external and beyond their control [21]. Faulkner presents six phases of disaster in a disaster management structure. These phases include pre-event, prodromal, emergency, intermediate, long-term recovery, and resolution. The COVID-19 pandemic is that thing which Parsons calls a highly uncertain environmental event, which has a huge negative effect on the organizations influenced by it [22]. Brown et al. describe a disaster as a sudden event in which the agent is beyond the current control of the subject influenced (community and/or business); an event that disrupts the functioning of the subject and requires additional resources to react [23] and restore [24] to the previous state after the event. In the context of sustainable development, it is also important to create the conditions for permanent organizational development after the quickest possible post-disruption restoration. In the literature, a crisis usually has a more general meaning than a disaster and includes all the crisis situations caused by social, technical, and natural factors [22]. Pardeep and Clark claim that when a crisis begins, there is little time for reaction and organization [25]. Therefore, an organization has to be prepared for these types of events in advance. Disasters usually consist of cycles, and a cycle consists of phases. The typical cycle phases include mitigation, preparation, response, and recovery [26]. Mitigation reduces (or eliminates) possible threats. Preparation is a state of being ready for the risk, which cannot be reduced or eliminated. Response is a reaction to an event with a prepared action plan, and recovery is a return to a normal state after an event, including limiting or eliminating potential threats. In all these cycles of disaster management, the concept is based on the management process, which starts before the appearance of disruption, via reduction and preparation, through reaction and restoration, to learning and using the lesson for future planning. The example of the course of a crisis situation is illustrated in Figure 2.

The y-axis refers to the risk level, R1, and the x-axis refers to the time, t, from the pre-event situation to the resolution. On average, it is understood that the most difficult phase of a crisis situation lasts up to several months, depending on the situation and organization. However, the crisis situation lasts significantly longer and may even last for several years [27]. Crisis management is an important part of management theory, which concerns companies, organizations, or the whole country in times of large disasters [25]. Crisis management consists of the preparation of companies for survival before and after a crisis [28]. At the same time, it provides companies with useful tools that can help to minimize negative consequences and overcome a potential collapse [29]. Currently, the ISO is developing the standard ISO/CD 22361 Security and resilience—Crisis management—Guidelines for a strategic capability. Due to the lack of an ISO standard on crisis management at present, the concept presented uses the commonly known standard of The British Standards Institution [30]. The British Standard (BS) defines the principles and best practice in terms of crisis management, realized by the top management of any organization of any size, in the public or the private sector.

As a form of crisis management, Business continuity management (BCM) has been changing since the 1970s in response to the technical and operational risks that threaten the return to the normal operation of an organization after the appearance of disruptions [31]. Potential disruptions can threaten a company’s operational efficiency, business continuity, and ability to provide constant value to shareholders. This is the reason why business enterprises are increasingly aware of the importance of the ISO standard for business continuity management [32]. In the literature, the term “business continuity management” is used more often than “business continuity planning” (BCP), as planning means the beginning and the end of the process, whereas BCM is a dynamic, proactive, and constant process. It must be updated, and then, it can reduce losses and damages and help in a quick return to the normal situation after disruptions. The standard mentioned specifies the requirements that concern the planning, establishing, implementing, operating, monitoring, reviewing, maintaining, and constant improving of the documented management system.

The strength of resilience manifests itself in an organization coping with the aftermath of accidents [33]. Resilience was called an integrative concept for understanding how organizations successfully adapt in the face of adversity [34]. It was historically essential in the organizational sciences [35], but it was relatively absent in the literature on crises [36]. Organizational resilience takes into account the physical properties [37] and the organizational structure and its capabilities [38]. Brown et al. claim that a thriving organization should detect unexpected events early and then develop resilience capabilities in order to react to the negative consequences of unexpected events and quickly restore the original state before the appearance of the disturbance, or it should pass to a new best possible state after the appearance of a risk and continue business activity as efficiently as possible [24,35]. Organizations must integrate resilience elements with everyday business practices to improve the response to adversities [39]. Organizational resilience is described in the literature through the prism of four key organizational capabilities: reacting, monitoring, predicting, and learning [40]. Meyer uses the term “resilience” in reference to the organization’s ability to absorb a discrete environmental shock and then restore the previous order [41]. Therefore, organizational resilience includes the interaction between an organization, its stakeholders, and the environment when confronting adversities [42]. The very similar definitions has the resilience standard [43].

The literature offers suggestions for appropriate solutions to integrate crisis management, business continuity management, and organizational resilience as recovery management disciplines, an example of which is the concept ‘the corporate recovery prism’ presented by Véronneau, Cimon, and Roy in 2013 [44]. The prism is depicted in Figure 3.

The corporate recovery prism provides a method for improving the preparedness of organizations by formalizing a planning framework to maximize the likelihood of organizational continuity. The highest level of the prism is BCP, which involves top management at a strategic level. At the next level, there is CM, which is organized by operations managers on a tactical horizon.

Finally, the last level is OR, which involves all the employees on an operational horizon. The integration and application of the concepts formalized in the prism should provide superior resilience to adversity and ultimately ensure organizational continuity [44].

3. Materials and Methods

The ISO/TC 223 Technical Committee developed international standards that aimed to increase societal security and enhance societal resilience, i.e., the protection of society from, and the response to, incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards, and technical failures. A clear conceptual understanding of the key terms is very useful. ISO 22300: 2018 “Security and resilience—vocabulary” defines different occurrences connected with CM, BCM, and OR [45]. The standard is proposed for the concept, and its definitions of occurrences are presented in

Table 1. Definitions of occurrences connected with crisis situation derived from [45].

Type of Occurrence	Definition
Event	Occurrence or change of a particular set of circumstances
Disruption	Event, whether anticipated or unanticipated, that causes an unplanned, negative deviation from expected delivery of products or services according to an organization’s objectives
Incident	A situation that can be or could lead to a disruption, loss, emergency, or crisis
Emergency	Sudden, urgent, usually unexpected occurrence or event requiring immediate action
Contingency	Possible future event, condition, or eventuality
Disaster	Situation where widespread human, material, economic, or environmental losses have occurred which exceeded the ability of the affected organization, community, or society to respond and recover using its own resources
Crisis	Unstable condition involving an impending abrupt or significant change that requires urgent attention and action to protect life, assets, property, or the environment

. There are also alternative definitions of occurrences proposed in the context of CM, BCM, and OR, inter alia, by [30,31,32].

All these occurrences, according to [45], can be presented in the order related to the severity of the effects in the form of a triangle of the severity of the occurrences, as is shown in Figure 4. In the literature, occurrences are often equated with incidents. The management of these events should take into account a combination of the infrastructure, equipment, personnel, organizational structure, procedures, and communication. Incident management is based on the understanding that in any incident there are certain management functions that must be performed, regardless of the number of people available or involved in the incident response. In the context of a sustainable safety management system, incident management has been one of the major triggers for improvement and changes. The objective was essentially this: something that has happened should never happen again, and everything should be done to prevent the incidents from recurring and to reduce the risk to which employees are exposed and the risk of operations [46]. The incident management process should not be limited to the activities of the incident manager but should also apply to all those involved in the incident management and investigation team, at all levels of responsibility [47].

In this context, an organization should establish internal channels (a reporting system) enabling an employee to report potential irregularities, as only the people that work inside a given organization best know its problems and the mechanisms of their emergence. Because of this, it is worth implementing the reporting system in a way that will guarantee safety and build trust among the organization’s members, knowing that reporting will change something and not pose problems for the reporting person. The employer should be required to establish reporting rules. Thanks to them, an employee can find out how to report, how long the consideration of the case will last, and how the confidentiality of a report is protected. The general decision-making process to respond to all the occurrences mentioned in Table 1, based on the ISO/TC223 recommendation, is shown in Figure 5.

An all-hazards perspective is used to cover the adaptive, proactive, and reactive strategies in all phases before, during, and after a disruptive incident or crisis. Modern incident management and its applied tools must address various stakeholders from different perspectives [46]. The area of societal security is multidisciplinary and involves actors from both the public and the private sectors, including not-for-profit organizations. The prepared concept of the integration was partially based on the corporate recovery prism presented by Véronneau et al. in 2013 [44].

This concept was modified and developed by the author of the paper and presented as an extended standard-based concept of the integration of the corporate recovery management systems in the formula of the pentagonal pyramid. The pentagonal pyramid integrates the ideas of organizational resilience (OR) with business continuity management (BCM) and crisis management (CM) as a triad of the concept elements. The modification and development have been made in the following way:

• Replacing the corporate recovery prism (3 dimensions) with a pentagonal pyramid (5 dimensions) to emphasize the type of events considered in the individual elements of the concept and highlighting the basis of the concept on standardization (ISO and BS standards), which was the postulate of the original version;
• Developing a hierarchy of occurrences related to their consequences in the concept based on the proposed triangle of the severity of the occurrences;
• Proposing implementation of the incident response and management system as an element of the concept according to [47] and some of the author’s tips;
• Changing the vertical order of the components of the pyramid—increasing the rank of crisis management as that of a superior one connected with management at the highest level in relation to business continuity management as an element of the concept mainly connected with the tactical level of management in accordance with the presented triangle of the severity of the occurrences;
• Explaining of the concept by some specific definitions and components of organizational resilience, business continuity management, and crisis management based on the so-called resilience triangle;
• Explaining of the concept by a table with CM, BCM, and OR specific characteristics, such as definition, main method, measure, main parameters, phases, types of occurrences, management level, main actors, priorities, early warning system, continuous improvement, and standards. The explanation was based on the standards, respectively, for CM—[30], for BCM—[32], and for OR—[43];
• Arranging the terminology in the concept according to one standard—[45];
• Using in the concept the term “business continuity management” (BCM) instead of “business continuity planning” (BCP) because planning implies that there is the beginning and the end to the process, but BCM is a dynamic, proactive, and ongoing process (Deming’s circle);
• Basing the model on the aspects of societal security and the sustainable improvement strategy as a coherent and logical whole concept.

The presented integrated areas, such as crisis management, business continuity management, and organizational resilience, together can support societal security and organizational continuity and allow the maintenance of the safety and sustainability of an organization. It is also essential that managers successfully manage crises and incidents. The pentagonal pyramid provides a method for enhancing the organizations’ preparedness for incident management and mitigation of the severity of the disruption. It is a prerequisite for the survival of an organization in an uncertain environment. Only an organization so prepared to minimize the risk of business continuity loss and crisis-situation escalation can realize sustainable development. Figure 6 shows the pentagonal pyramid from a top-down view.

The pyramid illustrates the role and scope of each of the areas described above. At the uppermost level is CM, which involves the top management on a strategic level. One level down is BCM, which is organized by operations managers on a tactical level. Finally, at the last level, there is OR, which involves all the employees and line managers at an operational level. These layers are mutually complementary and complement each other, creating a coherent concept. Based on the level of severity, an incident response is characterized as one of the following:

• Organizational resilience—for resource and asset-related occurrences with the least severity or without it, but with the potential to occur (contingency, event);
• Business continuity management—for resource-related occurrences; the organization can also establish Emergency Response—for asset-related occurrences (emergency, disruption, incidents);
• Crisis Management—strategic or organization-wide occurrences when an asset or business continuity occurrence escalates as the severity of the occurrence increases (crisis, disaster).

Crisis management should also be responsible for the delivery of a crisis management capability and the coordination of all the aspects of the triad in an organization. As a crucial issue for all stakeholders, the organization should establish a crisis management team, as a group of individuals functionally responsible for the coordination of activities to lead, direct, and control an organization with regard to a crisis. This team should also supervise and coordinate managers or persons appointed to manage business continuity, whereas the team and persons designated to manage business continuity should supervise line managers and employees in the implementation of activities related to organizational resilience. When building its resilience, the organization should anticipate various types of events and prepare for them by developing contingency plans. The concept of integration presented in the pentagonal pyramid aims to protect employees, stakeholders, and the environment of the organization according to incident management. Maintaining this capacity protects assets, resources, local communities, and the environment in which the organization operates when an incident, emergency, or crisis occurs. The concept and supporting frameworks adopt recognized standards, including [30,32,43], and set the approach to maintain effective plans and respond to incidents from an event up to a crisis. To have a robust organization, all employees should apply this concept to minimize the risk of a crisis.

For better understanding of the concept, it is useful to explain some specific definitions and components of CM, BCM, and OR, based on the so-called resilience triangle, as commonly used and applied in technological systems. It is hoped that such an approach would lead to a better understanding of the meaning of the concept of integration. The resilience triangle presents a decrease in the functionality of the organization (system) due to the ongoing crisis or disruption. The triangle, in taking into account linear relationships, is obviously a simplified model because in reality we are dealing with curvilinear relationships. In Figure 7, the curve depicts the performance changing over time during a crisis.

The y-axis refers to the level of performance, P (t), and the x-axis refers to the time, t, from the preparedness phase to the mitigation phase. The so-called resilience triangle is formed by vertices at [t₀, P(t₀)], [t₂, P(t₂)], and [t₅, P(t₅)]. The slope of the decreasing section (simply described as the change in change in the ratio of the altitude change to the horizontal distance [P(t) − P(t₀)]/t − t₀ between two points on the line t₀ < t < t₂) of the performance curve provides data on the redundancy of the system. The slope of the rising section (simply described as the ratio of the altitude change to the horizontal distance [P(t) − P(t₅)]/t − t₅) between two points on the line t₂ < t < t₅) of the performance curve provides data on the resourcefulness of the system. Performance level P(t₀) provides information about the initial performance level just before the interruption. P(t₂) provides information about robustness of the system—P(t₂) should be the largest possible. Section |t₅ − t₀| describes the speed of overcoming the crisis (rapidity). Section |t₅ − t₀| can be divided into two sections. The first section, |t₂ − t₀|, symbolizes the time of the crisis escalation from its occurrence to its culmination (dampen time); often in the literature, with very sudden events, it is assumed at a 0 level. The second section |t₅ − t₂| shows the time after the peak to recover back to the pre-crisis level (recovery time). The value of P(t₀) − P(t₂) represents the amount of system performance lost or, in other words, the severity of the disruption. The area under the curve between time t₀ and t₅ symbolizes the organization’s resilience to the crisis. The mathematical calculation of the loss of performance (ρ) can be presented as the area in the Figure 6 between the beginning of a disturbing event (t₀) and the end of the recovery process from disruption (t₅). It can be obtained mathematically as:

$$\mathsf{\rho }={\displaystyle \underset{{\mathrm{t}}_0}{\overset{{\mathrm{t}}_5}{\int }}{[\mathrm{P}(\mathrm{t}}_0)-\mathrm{P}(\mathsf{\tau })]\mathrm{d}}\mathsf{\tau }\mathrm{where}\mathrm{t}\in {(\mathrm{t}}_0{,\mathrm{t}}_5)$$

(1)

where P(τ) represents the measure of system performance, and P(t₀) is the initial level of system performance.

For resilient and sustainable organizations, it should be understood that after a disruption incident ρ should be the smallest possible, and P(t₂) should be the largest possible (robustness).

A function P(τ) in periods of no-crisis time for sustainable organizations should be non-decreasing (habitual situation):

P(τ) ≥ P(t₀)

(2)

During an occurrence of a disruption incident for sustainable organizations, a function P(τ) should not decrease less than P(t₃) (emergency situation):

P(t₃) ≤ P(τ) ˂ P(t₀)

(3)

The OR and BCM are used to reduce the loss of P(τ) and then to accelerate the recovery time during that condition. This guarantees business continuity. When an incident of disruption escalates as the severity of the occurrence increases (crisis, disaster), the performance of the organization is in a critical situation and at unacceptable level of risk:

P(t₂) ≤ P(τ) ˂ P(t₃)

(4)

The role of the concept, and especially CM at this point, is to reduce the loss of P(τ) as much as possible (robustness)

P(t₀) − P(t₂) → min [P(τ)]

(5)

and then accelerate the recovery time from t₂ through t₃ and finally to t₅ to reach the value of P(t₅)≈ P(t₀) as soon as possible (resourcefulness).

|t₅ − t₂| → min (τ)

(6)

Then, after the disruption is over, the organization can pursue sustainable development again (2).

Resilience can be achieved by implementing actions previously prepared or by adapting normal functioning to a changing situation. These actions will allow the organization (system) to absorb the impact of the disruption, while adaptation options help the system cope with and recover from a disturbing event in order to return to a pre-disturbance level of performance as rapidly as possible. Only then can an organization develop in a sustainable manner. The BCM elements are represented in the resilience triangle by the following terms: the section |t₄ − t₁| shows RTO—recovery time objective (period of time following an incident within which a product or a service or an activity is resumed, or resources are recovered). The value of P (t₁) represents RPO—recovery point objective (point to which the information used by an activity is restored to allow the activity to operate at resumption). The section |t₄ − t₀| symbolizes MTPD—the maximum tolerable period of disruption (the time it would take from the adverse impact, which can arise as a result of not providing a product/service or performing an activity, to become unacceptable). The value of P (t₃) represents MBCO—the minimum business continuity objective (minimum level of service and/or products that is acceptable for an organization to achieve its business objective during a disruption). The P(t₅) and P(t₀) values represent BAU—business as usual (the normal execution of standard functional operations within an organization).

The definitions of RTO, RPO, MTPD, and MBCO were taken from [20]. There are two conditions for these parameters to maintain business continuity in an organization.

RTO ≤ MTPD

(7)

and

RPO ≥ MBCO

(8)

The levels of an organization’s performance are depicted in Figure 7 by three horizontal areas: the habitual situation (normal level of performance that is acceptable for an organization to achieve its business objective); the emergency situation (level between normal and minimum of performance that is acceptable for an organization to achieve its minimum business objective); and the critical situation (level below minimum of performance that is acceptable for an organization to achieve its business objective). A thorough CM, BCM framework for building OR proceeds through four phases: preparation, response, recovery, and mitigation. It begins with the preparation phase that prepares an organization before an emergency (including planning, training, and exercising). Next, there is the response phase that helps protect lives, environment, property, and reputation during a crisis. Then, there is the recovery phase that allows the rebuilding after a disaster. Finally, it ends with the mitigation phase that reduces future risks of hazards [36]. Focusing only on this response phase is not enough. All phases are necessary to effectively overcome disruptions. Managing resilience also requires four similar phases, such as planning, preparedness, response, and recovery [48,49]. During the planning phase, vulnerability is very important. Additionally, adaptive capacity plays an important role during the preparation phase. Absorption and redundancy are crucial in the reactive phase and, finally, adaptation and resourcefulness play the main role during the recovery phase. Sections |t₀| and |t − t₅| symbolize the preparation/mitigation (planning) phase. Section |t₃ − t₀| symbolizes the response phase and section |t₅ − t₃| symbolizes the recovery phase. The presented concept allows for a complex management approach of an organization against all disturbances and for adequate and proportionate actions depending on the situation. The first important thing is organizational resilience, which forms the basis of the concept, although in terms of management, the most important, coordinating role is played by the crisis management, which also supervises the BCM elements. As with the human body, the important thing is the prevention of disease, building resistance; an organization should allow itself to manage small incidents from the beginning and not allow their escalation. However, in the case of illness, other measures must be taken, which involve, in the case of human health, going to a doctor and taking medicine, and, in the case of an organization, implementing previously adopted procedures of business continuity management. If, however, these actions do not work, a sick person will be hospitalized, and doctors will take appropriate measures to save life and health; similarly, in the case of an organization, the crisis management procedures will be activated, including establishing a crisis management team in an organization. All three elements of the concept complement each other. It is important that these procedures are prepared earlier in an organization and practiced regularly to improve.

It is worth emphasizing that CM, BCM, and OR rely on and use risk assessment and, in accordance with the standards specifying them, are based on the concept of continuous improvement, which allows taking actions aimed at improving the organization. The continuous improvement process is illustrated by the PDCA cycle (Deming cycle). The PDCA cycle is: P—plan, plan development; D—do, execution of planned actions; C—check, control, comparison of the results with the assumed plan; and A—action, implementation of corrective actions. The operation of the cycle assumes that the process is repeatable and continuous. In addition, CM, BCM, and OR have an Early Warning System (EWS), which is one of the components used to assess the condition and efficiency of the organization in selected areas of the concept. It enables us to identify threats early and initiate appropriate remedial action. The EWS is also part of the information system in a given organization, which collects, analyzes, and communicates deliberately selected areas of observation and sets of indicators.

Table 2. Concept of CM, BCM, and OR integration based on specific characteristics.

Characteristics	CM	BCM	OR
Definition	Development and application of organizational capacity to deal with crises. (BS:11200:2014)	Holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities. (ISO 22301:2019)	Ability of an organization to absorb and adapt in a changing environment. (ISO 22316:2017)
	Holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience, with the capability for an effective response that safeguards the interested parties, reputation, brand, and value-creating activities, as well as effectively restoring operational capabilities. (ISO 22300:2018)	Holistic management process that identifies potential threats to an organization and the impact those threats, if realized, can cause to business operations, that and provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities. (ISO 22300:2018)	Ability to absorb and adapt in a changing environment. (ISO 22300:2018)
Main method	Risk Assessment	Business Impact Analysis	Absorption and adaptation, as well as effective reaction to changes consisting in Risk Assessment.
Measure	Both quantitative and qualitative	Mostly quantitative	Both quantitative and qualitative.
Main parameters	The Probability of a Crisis occurrence, and the consequences of a crisis	RTO, RPO, MTPD, MBCD, BAU	Robustness, severity of disruption, dampen time, recovery time, redundancy, resourcefulness.
Phases	Preparation, mitigation, response, recovery	Preparation, mitigation, response, recovery	Preparation, planning, response, recovery.
Types of occurrences	Mainly: crises, disasters, though it also applies to other incidents	Mainly: emergencies, disruptions, and incidents,	Mainly: events and contingencies.
Management level	Mostly strategic, although it also applies to other levels	Mostly tactical, although it also applies to other levels	Mostly operational, although it also applies to other levels.
Main actors	Top management	Operations managers	Line managers, employees.
Priorities	The ability to see the symptoms of a crisis and get out of it, preparing the organization to act in a crisis	Focusing mainly on events that have a potential or real impact on the business	Ability to respond to regular and irregular threats in a robust yet flexible (adaptive) manner, • monitor what is going on, including its own performance, • anticipate risk events and opportunities, • learn from experience.
Early warning system	Yes	Yes	Yes
Continuous improvement	Yes	Yes	Yes
Standard	BS:11200:2014	ISO 22301:2019	ISO 22316:2017

summarizes the most important features/characteristics of CM, BCM, and OR resulting from the presented concept of integrating these elements.

After developing a concept, to initially validate it the set of data was used. It had previously been utilized by the author to a lesser extent in another study [50]. One prepares a questionnaire to check out the best practices in addressing the COVID-19 crisis in organizations connected with BC, OR, CM, Triad (mean of BC, OR and CM), and Performance. The sample includes the companies cooperating with the Poznan University of Technology in the context of a student internship. One uses student internships for the survey because of the specific situation in Poland that at that time related to the second wave of COVID-19, which was much more severe than previous one. During that time companies had some restrictions associated with the limited access to them. For this reason, the student internship was an excellent opportunity to get access for external observers and then conduct research. Each student of management, logistics, and safety engineering of the Faculty of Engineering Management had the opportunity to conduct an internship in one of about a thousand companies registered for cooperation. Prior to sending the questionnaire, one tried initially to validate a questionnaire. The first step was connected with establishing face validity. After that, the pilot test of the questionnaire represented the second step. The questionnaire was sent to the 184 students. It was sent with a cover letter explaining the purpose of the research. The students were obliged to analyze the company’s processes and prepare written reports. The survey was conducted online. It took place between 25 October 2020 and 5 December 2020. Two weeks after the original questionnaire was sent, a letter of reminder was sent. Finally, 60 responses (extended version) were received (response rate 32.6%). No incorrect questions were identified. The characteristics of the research subjects are depicted in

Table 3. Features of the research subjects.

Size of Company	Industrial	Other Sectors	All
All	30	30	60
Micro and small	3	11	14
Medium	12	12	24
Big	15	7	22

.

The third step of the validation was checked in the context of the internal consistency of questions belonging to the same scales. First, the normal distribution of the variables was checked by carrying out a Shapiro–Wilk test. The test reached statistical significance (p < α), which proves the distribution deviating from the Gaussian curve (the α-level of significance = 0.05). That was the reason for using the Spearman correlation coefficients for the internal consistency. The total-item correlation fluctuated from 0.13 to 0.80. As far as the strength of the correlation is concerned, it ranged from weak (0.1–0.20) to very strong (0.7–0.79), but the values were mostly in a moderate, strong, or very strong interval of strength [51]. As a tool for a measurement of the questions’ reliability, the overall Cronbach’s alpha coefficient was used. It reached the value of 0.91, confirming that the questionnaire is reliable for data evaluation [52]. The division of the enterprise size (micro, small, medium, or large) was made on the basis of [53]. In a further analysis, due to the small number, companies from transport, construction, trade, and insurance services were put into one category: other. The survey has some limitations described in the discussion section. The dataset was analyzed with the Statistica 13 application. The results of the semi-qualitative assessment were used in this questionnaire. It contained 21 questions, each rated on a 7-point Likert scale (from “strongly disagree” to “strongly agree”). These questions were then selectively allocated to the individual scales: OR, CBM, CM, Triad, and Performance.

4. Results

The following are the questions that describe the best practices in addressing the COVID-19 crisis in organizations. The item-total correlation varied. The results of the internal consistency analysis are depicted in

Table 4. Results of the internal consistency analysis.

No.	Rated Item	Mean	SD	Item-Total Correlations
1.	I have been provided with sufficient personal protective equipment by the company.	4.95	1.92	0.68
2.	Employees used masks or helmets at work to protect themselves from COVID-19 infection.	4.60	2.26	0.75
3.	At the very beginning of the internship, I was thoroughly trained in the field of health and safety requirements in the company.	5.67	1.47	0.61
4.	At the very beginning of the internship, I was informed in detail about the company’s rules related to COVID-19.	5.60	1.63	0.73
5.	The company scrupulously followed the procedures related to reporting cases of justified suspicions of COVID-19 disease.	5.20	1.50	0.73
6.	The company limited the number of employees staying in the workplace at the same time (shift system, rotation system, flexible working hours, in order to avoid a large number of infected persons and maintain business continuity in the event of an infection).	4.72	1.81	0.63
7.	Educational posters informing about the proper way of washing hands and other hygienic practices were placed in prominent places in the company.	5.62	1.62	0.68
8.	The company had rules for keeping social distance (information boards, increasing the distance of workplaces, limiting the presence of a certain number of people in the area of rooms, marking seats).	5.08	1.83	0.76
9.	Daily routine disinfection of frequently touched surfaces in the workplace (door handles, work surfaces, desks, keyboards, sinks, toilets, soap dispensers, and others) was carried out on a regular basis.	5.30	1.72	0.68
10.	Near the entrance of the company and in many visible places on its premises, skin disinfectant dispensers are available for employees.	5.93	1.31	0.59
11.	The company created a competent crisis-response team that coordinated the organization’s activities in the field of COVID-19.	4.67	1.84	0.79
12.	Management personnel effectively enforced the implemented regimes and procedures.	5.05	1.60	0.80
13.	The company promoted remote work among employees wherever possible.	4.02	1.76	0.51
14.	The internship tutor was with me most of the time and if he was unavailable at a given moment, there was always someone to replace him.	5.77	1.25	0.39
15.	The company has adapted to the pandemic situation and was able to take advantage of the opportunities associated with it.	5.03	1.46	0.26
16.	I did not have any obstacles in reporting the observed comments to the internship supervisor and entering them into the internship report.	5.62	1.04	0.26
17.	Due to the pandemic, I had serious difficulties in meeting the required internship deadlines.	3.60	1.92	0.13
18.	I would recommend the company as a place for internships to my friends from the younger years of studies.	5.55	1.59	0.61
19.	All employees were subjected to temperature measurements on a daily basis, before entering the company.	3.97	2.33	0.51
20.	During the internship, the company maintained business continuity despite the ongoing pandemic.	6.37	0.82	0.19
21.	Due to problems during the pandemic, the company was not forced to lay off employees	4.83	1.57	0.20

.

The use of vaccines to maintain business continuity by companies during the pandemic was not taken into account as they were not available at the time of the study. The obtained results were further elaborated in order to find a tool for calculating the CM, BCM, OR, Triad, and Performance scales. They are depicted in

Table 5. Scales of CM, BCM, OR, Triad, and Performance and their results.

Scale	Item’s List	Industry	Other	1–49	50–250	250+	Total	Cronbach’s Alpha Coefficient	Item-Total Correlations
CM	5, 11, 12	4.77	5.18	4.57	4.92	5.29	4.97	0.90	0.73–0.80
BCM	4, 6, 8, 13, 19	4.50	4.85	4.47	4.68	4.80	4.68	0.91	0.51–0.76
OR	1, 2, 3, 7, 9, 10	5.15	5.54	4.69	5.43	5.67	5.34	0.91	0.59–0.68
Triad	1–13, 19	4.81	5.19	4.58	5.01	5.25	5.25	0.88	0.51–0.80
Performance	14–18, 20, 21	5.15	5.35	5.07	5.0	5.40	5.00	0.96	0.13–0.61

.

Table 6. The results of the Spearman correlation between CM, BCM, OR, Triad, and Performance scales.

Variable	CM	BCM	OR	Triad	Performance
CM	1.00	-	-	-	-
BCM	0.82	1.00	-	-	-
OR	0.82	0.77	1.00	-	-
Triad	0.95	0.93	0.92	1.00	-
Performance	0.59	0.50	0.51	0.58	1.00

shows the calculated results of the Spearman correlation between the CM, BCM, OR, Triad, and Performance scales.

5. Discussion

In this study, a standard-based concept of the integration of the corporate recovery management systems is presented as a proposal for the societal security aspects of a sustainable organization. The concept basically deals with crisis management frameworks, with reference to the COVID-19 pandemic. However, it can be applicable to any other crisis situation. When a crisis starts, there is little time for action and organization. That is why the organization must be prepared in advance using the proposed concept. The prepared concept was partially based on the corporate recovery prism presented by Véronneau, Cimon, and Roy in 2013, and then, it was modified and developed in the formula of the standards-based pentagonal pyramid (see Figure 6) by replacing the corporate recovery prism (3 dimensions) with a pentagonal pyramid (5 dimensions) in order to emphasize the type of events considered (see Figure 4) and the reference to a set of the applicable ISO and BS standards (see Figure 6). Further improvements consist, among other things, of a proposal of definitions and characteristics of the concept elements (see Table 1 and Table 2). Due to the graphical presentation of the parameters of the concept under consideration, it is easier to understand the interrelationships of the parameters and their distribution at the time of a crisis situation (see Figure 6 and Figure 7). Using existing standards presented in the concept by an organization (both by their certification and only as a good practice) guarantees a unified and proven approach to the discussed issues, with its own clearly understandable terminology of concepts and definitions. The fulfillment of the standards’ requirements gave the organization the possibility of effective risk management, which in turn contributed to the reduction in the number, severity, and frequency of incidents, increasing employee awareness of threats and their consequences. This prepared concept will allow for the faster restoration of the organization and consequently, in the given circumstances, its better sustainable development.

For initial validation of the concept, empirical research was conducted in Polish enterprises (see Table 3). One prepares a twenty-one-question questionnaire connected with the concept elements to check out the best practices in addressing the COVID-19 crisis in organizations (see Table 4). On the basis of the survey, four scales related to the CM, BCM, OR, and Performance were prepared (see Table 5). Additionally, the Triad scale was proposed in order to compare aggregate results (mean of BC, OR, and CM). The average response results were calculated in the context of the type of activity (industrial and other) and the size of employment. The largest measures of the triad were obtained by enterprises related to ‘other’ types of activity, the average of which was 5.19 against 4.81 in the industrial enterprises. The results were related to the degree of implementation of the mandatory sanitary regime in enterprises, which was more advanced in commercial and service enterprises than in industrial ones as the branches had more contact with external customers. The same criterion in terms of the size of the company was better for large plants (5.25), medium plants (5.01), and small ones (4.58), respectively. It was related to better resources and a more systemic approach presented by the larger plants. As far as the specific elements of the triad are concerned, OR gets the best total score (5.34), and then, CM (4.97) and BCM (4.68) are located. As it was earlier indicated, the organizational resilience and crisis management are the most important in the concept, and thanks to this, the performance results were generally better than the results of the triad, and, for instance, OR exceeded them, respectively, for the businesses: industry (0.34) and others (0.16). This means that despite the measures taken in relation to the pandemic, other industries did not achieve results as adequate as those of the industry companies. This emphasizes the importance of the specificity of the business and its context for the final performance result with specific threats. The raging pandemic and subsequent governmental actions have mainly affected branches vulnerable to this type of threat. The sectors most affected seem to be those other (trade and services) than industry. In addition, the Spearman rank-order correlations between CM, BCM, OR, Triad, and Performance were calculated (see Table 6). On the basis of the calculations, a very strong correlation between the parameters was found. The results of the pairs are as follows: CM/BCM—0.82, CM/OR—0.82, and BCM/OR—0.77, respectively. This means that the elements of the concept are strongly correlated and complement each other, creating a coherent concept. Another important thing is the strong correlation between triad and performance, which was 0.58. It can be concluded that the better the use of the concept elements in an enterprise after a disruption incident, the greater the performance of the organization [see conditions (5) and (6)]. OR and BCM has an impact on performance during an emergency, while CM has the main impact on performance during a critical situation. The concept allows loss of performance ρ to be reduced as much as possible. These actions will allow the organization to absorb the impact of the disruption, while adaptation options help the system cope with and recover from a disturbing event in order to return to a pre-disturbance level of performance as rapidly as possible. Only then can an organization develop in a sustainable manner, i.e., its performance is within the range of habitual or emergency areas [see Figure 7 and conditions (2) and (3)], and it avoids the critical one [see Figure 7 and condition (4)]. This research comes with some limitations. This finding applies only to the sample which was surveyed. Due to the size of the sample, this study is not conclusive and may not be generalized. Because of the difficult epidemic situation, it was not possible to conduct a study in some industries which were temporarily closed at that time by the government, such as the hotel industry. Additionally, the sample includes only the companies cooperating with the Poznan University of Technology. For these reasons, it can be perceived as a selection bias. In the “characteristics of the surveyed” section of the questionnaire, the question should also be added on whether the proposed standards are implemented or only treated as good practices in the surveyed organizations. That is why further surveys should be taken in more enterprises, as well as in other industries, to eventually validate the concept. However, one believes that the studied enterprises provide satisfactory statistical representativeness for preliminary conclusions. This allows them to be an interesting element in the discussion about future concept development.

6. Conclusions

Using the survey results, a strong correlation was found between the triad and performance of the organizations during the pandemic (0.58). Therefore, the main finding of the survey shows that elements of the standard-based concept of the integration of the corporate recovery management systems build better performance and sustainability in enterprises during the COVID-19 crisis. This clearly indicates that the main research hypothesis tends to be confirmed. The impact of the concept on the performance after a disturbance occurs is twofold. First, it reduces the severity of the disturbance and then the recovery time. These activities are aimed at keeping these parameters within the ranges acceptable to the organization. The expected benefits of this concept are the integration of the corporate recovery management systems based on international standards that have been implemented or taken as a reference. The concept also allows for the integration and interoperability of the procedures, systems, and technologies, as well as an increased level of cooperation and coordination between entities. The integration in question will allow for a better and more efficient use of the capacity of all entities to carry out actions in all phases before, during, and after disruptive events related to the pandemic. It is anticipated that the standard may find a universal model in other crisis situations for sustainable improvement and better coordination of recovery management systems in an organization. Furthermore, an organization using a systemic approach should improve the incident reporting system, obtaining at the same time an increase in the number of reported incidents and the benefits of the corrective actions implemented, contributing to the improvement of the system and the elimination of similar causes of incidents in the future. The effectiveness of the concept will depend primarily on its quality of implementation as a comprehensive, systemic approach, covering the entire company in the process of planning, preparation, and implementation. In addition, it is very important to understand the concept and involve top management in its implementation. Top management should demonstrate leadership and commitment to the implementation of the concept through, inter alia, taking responsibility for the concept implementation, ensuring the integration of the concept requirements with the organization’s business processes, and ensuring the availability of the resources needed to establish, implement, maintain, and improve the concept and ensure appropriate communication. It is equally important to involve middle-management personnel. They should encourage employees to follow the established rules. Ultimately all employees should participate and cooperate in the concept too.

An important factor is that the concept was based on the aspects of societal security and sustainable improvement strategy. The realization of the idea of societal security consists of the responsibility of the organization for resisting normal disruptions caused by events from an incident to a crisis. The disturbances of the pandemic situation proved the importance of preparation in advance, and the need to maintain sustainability to deal with changes of various ranges and scope. The survey shows that a lot depends on the branch and the context in which the organization operates. Preparation against the disturbances is different for different branches. For instance, implementation of the concept can be easier in the IT and banking sectors because they have already had many regulations associated with resilience, business continuity, and crisis management. Examples are regulations such as ISO/IEC 27001—the international standard regulating information security management systems [54] or the International Standard of Assurance Engagement 3402—security, reliability, and quality of services [55]. However, it should be remembered that disruptions related to a pandemic are slightly different from the most common data failures, data leaks, or IT failures. These crises often reveal significant weaknesses of the organization at many management levels, including the highest ones; therefore, it is important that the presented concept should also be included at the risk management level of the company’s strategy in terms of corporate governance arrangements.

Finally, this paper also provides information on the benefits that companies can obtain by adopting the concept of prospering in an uncertain environment, mainly by improving organizational robustness, recovery management, and sustainable strategy.