Towards a Reference Architecture for a Business Continuity

Rūta Pirta-Dreimane

and Jānis Grabis

Information Technology Institute, Riga Technical University, 6A Kipsalas Street, Riga LV-1048, Latvia

Keywords: Business Continuity, Enterprise Architecture, Architecture Principles, Reference Architecture.

Abstract: During turbulent times, enterprises need to find ways how to adapt, become resilient and strengthen abilities

to cope with emerging threats. Business continuity management (BCM) is an enterprise strategic managerial

capability. The recent global pandemic increased BCM maturity in many enterprises, still the importance of

the capability is underestimated, and the enterprises are facing challenges to design and implement it across

different enterprise architecture (EA) dimensions. In this paper, a business continuity (BC) framework for

BCM capability development is proposed. The framework aims to provide guidance on design of BCM along

different EA dimensions. It summarizes BC architecture principles and conceptualizes BC knowledge from

related research as a reference architecture. The paper highlights challenges faced in BCM implementation,

presents conceptual design of the BC Framework and its components. The application of the framework is

demonstrated using an example from a target EA development project at a public sector institution.

1 INTRODUCTION

The world is facing several unexpected disruptive

events, as global pandemic, supply chain issues,

natural disasters, cybercrime, terrorist attacks and

wars. These events cause variety of challenges for

organizations. Being affected by Covid-19, the

organizations had to substantially modify their

operations to avoid supply chain breakdowns,

to adapt services to customer demand and to

mitigate work safety risks and their negative effects

on the health of employees and society in general

(Margherita & Heikkilä, 2021). Enterprises need to

find ways how to adapt, become resilient and

strengthen abilities to cope with emerging threats.

Business continuity (BC) “broadly refer to a

company’s socio-technical ability to withstand and

restore from intra- and extra-organizational

contingencies” (Niemimaa, 2015b). Business

continuity management (BCM) is an enterprise

strategic capability (Herbane et al., 2004; Niemimaa,

2015a; Niemimaa et al., 2019). The recent global

pandemic “transformed the dynamics of workplace

and workforce” (Agility Recovery, 2022). At the

same time, it also led to a significant increase of BCM

maturity across enterprises. However, the enterprises

http://orcid.org/0000-0001-8568-0276

http://orcid.org/0000-0003-2196-0214

still face challenges to design and to implement the

BCM capability, including (Hamid, 2018; Hussain et

al., 2021; Obrenovic et al., 2020; Lingeswara &

Tammineedi, 2012): missing capabilities,

commitment and involvement issues, inadequate

standardization, low preparation level for crisis and

high costs. The enterprises need to carefully evaluate

their business processes and economic factors to be

better prepared for the crisis (Obrenovic et al., 2020).

Enterprise architecture (EA) is a widely used

discipline for multi-dimensional enterprise design. It

serves as a conceptual blueprint that guides

enterprises in decision taking. It aims to connect and

enhance the mutual alignment of business and IT

(Gregor et al., 2007; Zhang et al., 2018). Reference

architectures incorporate the best practices in a

particular domain (Aulkemeier et al., 2016) providing

valuable knowledge for design of an enterprise-

specific architecture. EA is guided by architecture

principles advising EA design toward defined goals

and envisioned value (Haki & Legner, 2021).

The objective of this paper is to propose a BC

Framework to direct enterprises in implementation of

the BCM capability. The framework consists of three

components: (1) BC architecture principles, that

represent characteristics of a resilient enterprise; (2)

Pirta-Dreimane, R. and Grabis, J.

Towards a Reference Architecture for a Business Continuity.

DOI: 10.5220/0011837700003467

In Proceedings of the 25th International Conference on Enterprise Information Systems (ICEIS 2023) - Volume 2, pages 553-565

ISBN: 978-989-758-648-4; ISSN: 2184-4992

 2023 by SCITEPRESS – Science and Technology Publications, Lda. Under CC license (CC BY-NC-ND 4.0)

553

Reference architecture for BC that suggests

architecture components required in a resilient

enterprise and (3) BC Maturity Model for BCM

maturity evaluation. The framework aims to solve

main BCM problems identified in scientific literature

and industry survey.

The nested design science problem solving

approach (Wieringa, 2009) is used, following four

main phases: problem investigation, solution design,

design validation and solution implementation. This

paper presents the first two phases – the problem

domain and an overview of the proposed BC

Framework and its components.

The rest of the paper is organized as follows.

Section 2 reviews related existing work that serves as

a basis for the BC Framework design. The Section 3

presents research methodology. The problem domain

description is provided in the Section 4. The proposed

solution in a form of a BC Framework is presented in

the Section 5. The framework application in target EA

development for Latvian public sector institution is

demonstrated in the Section 6. Section 7 concludes.

2 BACKGROUND

BCM has been evolving from 1970s as a technical

and operational risk response to disruptions,

incorporating disaster recovery planning and risk

management (Corrales-Estrada et al., 2021a; Hamid,

2018). The International Standardization

Organization defines BCM as “a holistic management

process that identifies potential threats to an

organization and the impacts to business operations

that those threats if realized, might cause; and which

provides a framework for building organizational

resilience with the capability for an effective response

that safeguards the interests of its key stakeholders,

reputation, brand, and value-creating activities” (ISO,

2019). In recent years enterprises have acknowledged

BCM importance, mainly after business interruptions

caused by global pandemics and other disturbing

events. However, still the importance of the capability

is underestimated (Prataviera et al., 2022) and its

maturity must be increased in enterprises across the

world (Agility Recovery, 2022).

Characteristics of BC are investigated in several

studies that analyze three interconnected concepts:

organizational resilience, BC and sustainability.

Relationships among those concepts are discussed in

the (Corrales-Estrada et al., 2021), concluding that

implementation of BCM practices promote

organizational resilience and sustainability. The study

summarizes organizational characteristics that impact

BCM: adaptivity, flexibility, agility and others. Key

factors affecting organizion’s resilience and

sustainability are also summarized in (Obrenovic et

al., 2020). The authors claim that organizations with

a distributed leadership, workforce and adaptive

culture sustain business operations during distributive

events. Similar resilient enterprise characteristics are

also highlighted in other studies (Boin & van Eeten,

2013; Pal et al., 2014; Boin & McConnell, 2007).

Identified characteristics can be translated to

architecture principles.

Several studies investigate EA usage in BCM

implementation (Anir et al., 2019; Gomes et al.,

2017). The BCM integration in EA is assessed by

Anir et al. (2019). The authors analyse integration of

BCM aspects in EA and propose a metamodel and BC

aspects implementation approach. The paper focuses

on implementation of the BCM capability, although

its scope is limited to the metamodel only. EA usage

to assist BC planning is investigated in Gomes et al.

(2017), however this paper also focuses on evaluation

and implementation of BCM without suggestions for

reference architecture.

Reference architectures are a widely used tool for

knowledge reuse in a problem domain (Timm et al.,

2017). They aim to describe the best practices in

particular industries, such as banking (Farzi, 2022),

telecommunications (Seraoui et al., 2020) or specific

domains, as e-commerce (Aulkemeier et al., 2016),

health information systems (Tummers et al., 2021).

In the BCM domain, few reference architectures

exist. A reference architecture for emergent

behaviours control is proposed in Bemthuis et al.

(2020). The model realizes main requirements of

resilient enterprise: operational independence,

managerial independence, distribution, evaluation

development, heterogeneity, emergent behavior. It

proposes architecture components required to support

the execution and control of business logic for

detecting and monitoring emergent behaviors. The

model focuses on information system and technology

architecture dimensions, while concepts of the

business architecture are addressed partly.

While development of BCM related reference

architectures is an open opportunity, several studies

and industry frameworks propose BCM, resilience

and sustainability measurement approaches. Maturity

models are frequently used (Hernantes et al., 2019;

Pinto et al., 2022; Virtual Corporation, 2003), as

“maturity models offer organizations a simple but

effective possibility to measure the quality of their

processes” (Wendler, 2012).

To summarize, BCM is a widely investigated

topic, what highlights its importance. The existing

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

554

studies provide useful insights about processes,

resources and behaviours promoting resilience, BC

and sustainability. Still, they focus on a single

dimension or domain and a multi-dimensional view

structuring best practices is an open challenge what

we aim to address with the proposed framework.

3 RESEARCH METHODOLOGY

The nested design science problem solving approach

(Wieringa, 2009) is used for the research design

(Figure 1).

Figure 1: The research methodology.

The research starts with a problem investigation

to validate hypothesis that enterprises face challenges

in the implementation and provision of BC. The

problem domain analysis is done in two steps,

according to the Design Thinking methodology

(Kelly & Gero, 2021). Firstly, divergent thinking is

applied to widely explore the problem. Then

convergent thinking is employed to define the point-

of-view. The problem domain investigation is based

on two main sources: professional and research

papers and industry survey. The literature analysis is

conducted to explore and integrate the existing

knowledge base following an approach described in

the (Webster & Watson (2002). It is assumed that

BCM is a mature topic where the accumulated body

of research exists that can be analyzed and

synthesized for knowledge conceptualization. The

industry survey supplements the findings from the

literature.

Solution design is based on the best practices

recommendations from two main sources: structured

interviews with experienced industry experts and

related research recommendations. A solution is

prepared following a “top-down driven” architecture

design approach (Nolan, 1997). Firstly, solution’s

conceptual architecture is prepared, and afterwards all

of its components are specified.

The solution design is validated in two steps:

expert assessment and solution implementation in the

pilot cases as a part of applied research project jointly

with an IT consulting company. The framework is

refined according to the validation results.

Implementation of the solution is done by

providing BCM implementation support services for

enterprises. The case studies enable continuous

improvement of the framework.

This paper represents the first research phases: (I)

problem investigation (Section 4) and (II) solution

design, presenting BC Framework (Section 5).

4 PROBLEM INVESTIGATION

The BC implementation and provision problems are

collated from literature sources describing BCM key

issues and industry survey (25 responses from mid-

sizes enterprises from different industries). Results of

the problem-driven investigation are summarized in

the Table 1. The list includes problems that are

Table 1: The list of BC problems.

Commitment and involvement issues (Hamid, 2018; Hussain

et al., 2021; Obrenovic et al., 2020; Lingeswara & Tammineedi,

2012; Bakar et al., 2015)

Time consuming BC implementation; Gap in attitude between

experts and users; Lack of management involvement;

Conflicting priorities; No responsibility and trust issues. Low

senior management commitment; BCM implementation for the

wrong reasons.

Inadequate standardization (ES, (Hamid, 2018; Hussain et

al., 2021; Obrenovic et al., 2020; Lingeswara & Tammineedi,

2012))

Inconsistencies of the BCM adaptation; Different workplace

recovery arrangements; Business impact analysis (BIA)

sessions conducted in silos; Manual BCM processes.

Business/IT Disconnect; Weakly defined BC roles and

responsibilities; Several BCM standards and frameworks in

use; Unoptimized resource utilization.

Ineffective strategies and an inappropriate approach (ES,

(Hamid, 2018; Hussain et al., 2021; Lingeswara &

Tammineedi, 2012))

Risks and uncertainties on actual recovery activities;

Insufficient consideration of employee preferences; Limited

data analysis, lack of data-driven decisions; Dependence on

third parties (“Single-supplier” politics, locally partners only);

Location-

ased risk assessments; Inappropriate BIA approach.

Low preparation level for a crisis ES, (Hussain et al., 2021;

Bakar et al., 2015)

Insufficient business processes and economic actors

evaluation.; Low system-level reliability. Low system

flexibility.

Lack of resources (knowledge, financial, human) (ES,

(Hamid, 2018; Hussain et al., 2021; Lingeswara &

Tammineedi, 2012;, Bakar et al., 2015; Peterson, 2009))

Significant financial resources required; Lack of knowledge

about enterprise; Low BC awareness. Limited technology

awareness; Missing knowledge about “good practices”;

Unavailability of human resources; Lack of thorough

understanding of the data dynamics and dependencies;

Incorrect and inappropriate assumptions.

Towards a Reference Architecture for a Business Continuity

555

mentioned in at least three sources (literature or

industry survey, further referred as ES).

The main problem areas are related to the low

standardization, insufficient resources (financial,

knowledge, human), as well as cultural aspects (low

commitment, conflicting priorities etc.). The selected

problem areas for further investigation are: low

standardization and lack of knowledge.

5 PROPOSED SOLUTION

This section presents BC Framework.

5.1 BC Framework Overview

Figure 2: BC Framework overview.

A proposed BC Framework aims to support

enterprises in implementation of the BCM. It can be

used as an architecture assessment, planning and

design tool. The model formalizes knowledge in three

components (Figure 2): architecture principles,

reference architecture and maturity model.

The BC architecture principles are used to guide

resilient EA design. The reference architecture lists

BC essential architecture components thus supporting

modelling target EA. While the BC maturity model is

used to evaluate enterprise’s current BC maturity

across the different EA dimensions.

5.2 Architecture Principles

An architecture principle (The Open Group, 2019)

“represents a statement of intent defining a general

property that applies to any system in a certain

context in the architecture.” The principles are

abstract, high-level propositions, that aim to support

enterprises to accomplish their goals (Stelzer, 2010).

Enterprises can use the principles on their BC

implementation journey to build their operating

model, information systems and other relevant

concepts (Table 2). The following principles

classification is used (Stelzer, 2010): EA principle

(EAP), technology / infrastructure principle (TIP),

software architecture principle (SAP), organization

principle (OP) and business principle (BP).

Table 2: BC architecture principles.

Interoperability (Bemthuis et al., 2020; Nadhamuni et al.,

2021; R. S. Gomes, 2016), EA

Technical, syntactic, semantic, and organizational

interoperability; Data and states exchange; Interaction

following the business logic; Interact through cyber or physical

channels; Standard interfaces and protocols.

Autonomy and decentralization (Duchek, 2020; Obrenovic et

al., 2020; Weick, 1993; Bemthuis et al., 2020), EA

Power based on expertise and shared responsibilities;

Distributed leadership; More informed and decentralized

decision-making; networked structure; respectful interaction.

Vertical or horizontal integration (Hussain et al., 2021;

Bemthuis et al., 2020; R. S. Gomes, 2016; Birkel & Müller,

2021), EAP

Machines, internet, people, and value chain integration in real

time scenarios; Communication and coordination to support

inte

-operations.

Transparency (Birkel & Müller, 2021), EAP

Data consistency and traceability across the supply chain;

Vertical interconnection in real time.

Agility, adaptability and flexibility (Corrales-Estrada et al.,

2021a; Agility Recovery, 2022; Hussain et al., 2021; Obrenovic

et al., 2020; Weick, 1993; Ismail et al., 2011; R. S. Gomes,

2016),

P & OP

Flexible roles and responsibilities, Flexible and straightforward

guidelines; Adaptive and flexible culture; Improvisation and

bricolage; Shorter and more diversified supply chain; Multi-

sourcing / alternative sourcing; Strategic agility.

Independence (Bemthuis et al., 2020),

P & O

Operational independence; Managerial independence.

Robustness (Corrales-Estrada et al., 2021a; Ismail et al., 2011),

Robust business processes and capabilities.

Smart Services Orientation (Hussain et al., 2021; R. S.

Gomes, 2016; Falazi et al., 2020), SA

Service-oriented architecture and integration; Digitally

integrated systems; Flexible systems that implement changing

business processes quickly; Extensive use of reusable

components.

Modularity (Hussain et al., 2021; Nadhamuni et al., 2021;

Ezzahra et al., 2021), SA

Application decomposition in integrated modules.; Modules

serving specific business domain or services; Individual

modules expanding or replacing due to changing business

requirements.

Scalability (Ezzahra et al., 2021), TIP

Horizontal scaling; Vertical scaling.

Decentralized Controlling (Hussain et al., 2021), TI

Separate components capable of making independent decisions

in the direction of circumstances without local or individual

control.

5.3 Reference Architecture

The reference architecture for BC is presented in the

three dimensions: Business architecture; Information

System architecture and Technology Architecture.

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

556

Figure 3: BC Business capabilities reference map.

5.3.1 Business Architecture

Proposed Business architecture aims to define

Business Capabilities that enterprise must have to

ensure BC. The Open Group define Business

Capability as “particular ability that a business may

possess or exchange to achieve a specific purpose”

(The Open Group, 2005). This means, a Business

Capability is an abstraction of a business function,

which captures what an organization does, instead of

trying to explain how, why or where it is done (The

Open Group, 2016). Business Capabilities typically

consists of 4-5 levels. Leveling is the process of

decomposing each top-level Business capability into

lower levels to communicate more detail – at a level

appropriate to the audience or stakeholder group

concerned (The Open Group, 2016). On this paper

two Business capabilities levels are considered.

Business architecture is represented in Business

capability map viewpoint (Figure 3) what is well-

known tool for addressing the challenge of business-

IT alignment; it presents enterprise major Business

capabilities enabling the organization’s business

model and reflects enterprise strategic direction

(Bondel et al., 2018).

Resilience results from both operational and

strategic capabilities (Ismail et al., 2011). BCM is the

main capability, other strategic and operational

capabilities supports or triggers BC (Table 3).

Table 3: BC Business capabilities list.

Strategy management

Strategy management defines BC related strategies, as business

strategy, business recovery strategy, risk tolerance strategy

(Gibb & Buchanan, 2006, Pinto et al., 2022). The strategic plans

can rectify some of the existing society vulnerabilities,

employing strategic planning, enterprises are more in control of

their fate (Obrenovic et al., 2020). In terms of the BC, it is

important to carefully plan supply chain strategies, including

sourcing strategies (Agility Recovery, 2022).

Policy management

Policy management defines and describes organization BC

related policies, based on defined strategies. Policies and

actions, including prevention and incident response contributes

in workforce protection (Obrenovic et al., 2020). Typical BC

related policies are (Pinto et al., 2022, Gibb & Buchanan, 2006):

BCM policy, training and induction policy, documentation and

reporting policy. It is concluded that organizations with

financial contingency plans and policies sustain their operation

etter in distributive events (Obrenovic et al., 2020).

BCM

BCM includes BC planning capabilities, as well as monitoring,

crisis management, recovery and learning (Hamid, 2018, Pinto

et al., 2022).The best practices and international standards (ISO,

2019) suggest enterprises to perform business impact analysis

(BIA), identify critical processes, resources, possible disturbing

events and define alternative processes and resources in BC

plans. Disaster recovery (DR) plans are prepared accordingly.

Besides BC and DR planning, it is essential also to test plans

and train employees (Gibb & Buchanan, 2006). To detect

disruptive events, monitoring must be applied. Crisis

management deals with actual crisis situation in terms of

communication and collaboration. While recovery activities

returns business as usual. Lessons learned must be analyzed to

ensure capability continuous improvement.

Towards a Reference Architecture for a Business Continuity

557

Table 3: BC Business capabilities list (cont.).

Risk and compliance management

Risk and compliance management identifies and oversees

different kinds of organization risks, their levels, defines risk

reaction strategies and treatments ; Pinto et al., 2022, Gibb &

Buchanan, 2006). Typical risk categories are (Buhr, 2015; ;

White et al., 2020): business risks, financial risks, operational

risks, IT security risks, third party risks, geopolitical risks,

climate risks. The pandemic has spotlighted dependencies on

third parties and their resilience (Agility Recovery, 2022), so

third-party risk category is essential. Risk and compliance

management is directly interrelated with BCM, as risk

assessment is key activity in BIA and based on it BC and DR

are planned.

Facility management

Facility management deals with facilities related assets

management, as buildings, physical workplaces etc. Typically,

BC plans focuses on IT related assets, meantime facilities are

critical assets that must be considered in BIA (Pitt & Goyal,

2004). Facility monitoring activities must be applied to detect

distributions and damages. Facility management enables

workplace transformation by implementing remote ang hybrid

workplaces required in crisis situations (Tanpipat et al., 2021).

IT management

IT management ensures digital assets BC, as well as provide

BC supporting Application and Technology components .

People and culture management

People and culture management ensures that right people with

required competences are executing BCM roles (as operational

and IT risk managers and others) (Agility Recovery, 2022). The

capability enables enterprise sustainability (Yadav et al., 2019)

and resilience (Lengnick-Hall et al., 2011) and is responsible

about employees training and education to create resilient

workforce (Duchek, 2020). Enterprise culture also take

important role in BCM – culture must provide sense of

openness, stability and safety (Agility Recovery, 2022). Culture

must promote continuous learning.

Public relationship & communication management

Public relationship & communication management is essential

capability if crisis situation occurs and external stakeholders are

involved (for example, enterprise customers) (Agility

Recovery, 2022). Besides external stakeholders, enterprises

must ensure information flow between internal business units

and employees (Obrenovic et al., 2020). Multichannel

communication is advised to reach different stakeholders

groups (Obrenovic et al., 2020).

Safety, health and environmental management

Safety, health and environmental management is responsible

about workplace accidents reduce and work environment safety

increase what aims to increase enterprise resilience and

sustainability (Asah-Kissiedu et al., 2020; Asah-Kissiedu et al.,

2021).

Third party management

Third party management oversees different kinds of third

parties as due to partners ecosystems evolvement third parties

play important role enterprises products and services delivery

(Hamid, 2018).

Capability consists of four main components:

roles, business processes, information and

tools/applications (The Open Group, 2016). Each

Level 1 business capability is described in a

capability card (Table 4).

Table 4: Business capability card (example).

Capability: Business continuity managemen

(BCM)

Description: Ability to ensure continuou

operation in case of infectio

outbrea

in organization

Components: Roles Users: Product owner, proces

owner

Stakeholders: Enterprise mana

gement, SMEs, IT administrators,

IT support specialists

Business units (Hamid, 2018):

Continuity Management Team,

Coordinator Team, Crise

Command Team, Busines

Recovery Team, IT Recover

Team, Administrative Suppor

Team

Sub-capabilities BIA, BC planning, Inciden

response planning, Disaste

recovery planning, Monitoring,

Crisis management, Recovery

lessons learned analysis

Data Enterprise products, Enterpris

rocesses, Enterprise assets, Risks,

Controls

Applications HR application, ERP application,

Incidents monitoring tool, Asse

management system, Knowledge

database, BCM tool

5.3.2 Information System Architecture

Information System reference architecture presents

Application Components that can support Business

Capabilities. An Application Component (The Open

Group, 2019) “represents an encapsulation of

application functionality aligned to implementation

structure, which is modular and replaceable.”

Information system reference architecture is

represented in the Application Map viewpoint what is

typically used to create an overview of the application

landscape of an organization (Figure 4). BC can be

supported by different kind of applications and

technologies (Papadopoulos et al., 2020). Enterprises

need to relay on Enterprise resource planning (ERP)

systems, digital libraries, asset management and

inventory management systems (Madhubhashini,

2019). An important role in the BCM plays the

organization’s knowledge base (Duchek, 2020).

Geographical information systems and Geographical

positioning systems bring value by helping to detect

location of the affected areas (Vogt et al., 2011).

Meanwhile, data analytics solutions support

enterprises in data driven decisioning in BCM

(Hussain et al., 2021; Sheng et al., 2021). Digital

twins support disaster scenarios simulation (Hussain

et al., 2021; Birkel & Müller, 2021). Intranet, social

media, and online communication platforms are

widely used for communication (Obrenovic et al.,

2020).

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

558

BA interaction with IA is represented in the form

of matrix (Table 5).

Figure 4: Application map.

Table 5: The Business Capabilities and Application

Components matrix.

Business

Capability

Application

Component

Main use case

Strategy

management

Intranet Strategies communication

DMS Strategies coordination and

communication

Communication

tools

Strategies communication

Data analytics tools Strategic decisions support

Policy

management

Intranet Strategies communication

DMS Strategies coordination and

communication

Communication

tools

Strategies communication

BCM ERP systems Assets and resources

identification

AMS system Assets and resources

identification

KMS Lessons learned & knowledge

capturing

BCM tools BIA; Alternative processes

scenarios definition; BCM

implementation plan preparation

& tracking; BCM

documentation preparation &

storing

Data analytics

solutions

BC decisions support

GIS and GPS Disasters affected areas

determination

Digital twins Disaster scenarios simulation

5.3.3 Technology Architecture

Technology reference architecture aims to define

Nodes, Equipment and Facilities, that provide

grounds for Application Components operation.

Node “represents a computational or physical

resource that hosts, manipulates, or interacts with

other computational or physical resources”, while

Equipment “represents one or more physical

machines, tools, or instruments that can create, use,

store, move, or transform materials” and Facility is

“physical structure or environment.”(The Open

Group, 2019). Physical elements are used to model

cyber-physical ecosystem. Reference architecture is

represented in the Technology viewpoint (Figure 5)

what contains hardware and physical technology

elements ensuring Application Components

operation. Technology architecture is represented in

an abstract level, as it varies based on Information

system architecture realization and enterprise

technological choices (vendors, sourcing policy,

etc.).

Besides “traditional” Technology architecture

components, as servers and devices, emerging

technologies, as cyber-physical systems, the

intelligent machines, autonomous robotics supports

cooperation of enterprises key assets: machines,

internet, people, and value chain in real time

scenarios (Hussain et al., 2021; Bemthuis et al.,

2020). The use of Internet of Things and physical

sensors to monitor facilities and ensure safe

workplace is a globally identified opportunity

(Otoom et al., 2020,Petrovic & Kocić, 2020, Bashir

et al., 2020). The cloud computing (Hussain et al.,

2021; Sheng et al., 2021; R. S. Gomes, 2016) allows

computing resources to be available when needed,

offering agility and scalability.

Figure 5: Technology architecture.

5.4 Maturity Model

The BC Maturity Model is an assessment tool, that

supports enterprises in evaluation of their current BC

maturity. It consists of a questionnaire and a maturity

assessment model, that shows desirable EA

Towards a Reference Architecture for a Business Continuity

559

characteristics for on each maturity level. The

questionnaire is built following the defined BC

principles and the reference architecture. It consists of

a set of the statements about enterprise BC in different

EA dimensions (Table 6). The Likert scale is used to

provide the responses. The output of the

questionnaire is a maturity radar.

Table 6: TCA Maturity Level Matrix (a fragment).

Area/

Level

Architecture Principles: Interoperability

Level 0 Manual data exchanges across business processes,

applications and technology components.

Level 1 Semi-manual data exchange between applications.

Siloed information exchange between business

processes.

Level 2 Automated data exchange between applications.

Level 3 Automated data exchange between business

processes, applications and technology components.

Defined integration patterns.

Level 4 Automated data exchange between business

processes, applications and technology components.

Defined integration patterns. Standardized interfaces

and protocols.

Level 5 Optimized flows between business processes,

applications and technology components. Business

logic-oriented interaction via cyber and physical

channels. Defined integration patterns. Standardized

interfaces and protocols. Common business glossary

and data architecture in place.

Area/

Level

Architecture Principles: Autonomy &

decentralization

Level 0 Hierarchical organization structure with centralized

leadership and central decision taking bodies.

Formal and asynchronous communication and

interaction.

Level 1 Hierarchical organization structure with distributed

leadership and central decision taking bodies.

Formal and synchronous communication and

interaction.

Level 2 Hierarchical organization structure with distributed

leadership and central decision taking bodies. Shared

responsibilities. Formal and synchronous

communication and interaction.

Level 3 Networked structure with distributed leadership and

central decision bodies. Shared responsibilities.

Synchronous, open and respectful communication

and interaction.

Level 4 Networked structure with distributed leadership and

power based on expertise and shared responsibilities.

Transparent, decentralized decision-making.

Synchronous, open and respectful communication

and interaction.

Level 5 Networked structure with distributed leadership and

power based on expertise and shared responsibilities.

Transparent and decentralized decision-making.

Synchronous, open and respectful communication

and interaction. Vertically and horizontally

integrated autonomous, decentralized applications

and technologies.

The model uses CMMI five levels of maturity and

it considers such categories: (1) Principles - how well

BC principles are implemented across EA

dimensions; (2) Business Capabilities - if all

capabilities are implemented and what are their

quality and effectiveness; (3) Applications – which

components are implemented and what are their

integration level; (4) Technology – which

components supports enterprise BC.

6 DEMONSTRATION

The framework application is demonstrated in a

public sector institution target EA development

project.

6.1 The Case Overview

The public sector institution operating in a tax and

customs administration area (further referred as TCA)

has a complex EA. The number of employees exceeds

4000, and they are located in subsidiaries across the

country. IT function is centralized in headquarters,

and it is responsible about institutional digitalization

and provision of the stable IT environment. The TCA

has about 70 information systems, including about 20

state information systems supporting delivery of

critical government services. Most of the systems are

deployed in a local data centre, located in the

headquarters. Historically, there is large technology

diversity. The institution is willing to define their

target EA and engage external IT consultants to

advise them. The project includes 3 phases: existing

situation analysis; target EA definition; EA roadmap

preparation. The project scope is limited to

Information system and Technology architecture

dimensions.

6.2 BC Maturity Assessment

Existing situation analysis includes different EA

assessment factors, as compliance to business and

technology requirements and the best practices,

maintainability, cost effectiveness and others. TCA is

providing essential public services thus BC is

considered as a critical institution capability.

The average TC BC maturity level is 2, it is

repeatable, but initiative (Figure 6). The lowest

maturity dimensions are: (1) compliance to

Architecture Principles caused by of historically

evolved EA and centralized decisions making

structure and (2) Technology Architecture, as mainly

“traditional” components (servers, devices) are used.

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

560

The highest maturity level is in Business Capabilities

dimension, as public sector institutions are regulated

and risk averse. Still, also this dimension maturity

level is low and must be increased.

Figure 6: TCA BC maturity radar.

Besides the maturity levels and improvement

path, results of the existing situation assessment

highlight several BC related problems, such as: (1)

business processes disruption due to unstable

operation of the critical systems (downtown tends to

exceed defined recovery time objective); (2) disaster

recovery difficulties; (3) information unavailability

due to low systems performance. The root causes of

the problems were investigated and lack of

standardization and limited knowledge were among

them.

6.3 Target EA Design

The target EA is designed considering defined BC

Architecture Principles and the Reference

Architecture. The principles are detailed into the

TCA architecture requirements (Table 7). An

architecture requirement (The Open Group,

2005): “represents a statement of need defining a

property that applies to a specific system as

described by the architecture.” The architecture

requirements realize architecture principles. The

principles are generalized to wider audience, while

the requirements represent principles realization in

particular organization EA design.

Table 7: BC architecture principles and requirements map

(a fragment).

Principle - Interoperability

Requirement EA comp. Required changes

Provide

centralized

integration point

for standard

interfaces

Integration

platform

• Replace existing

platform (extended

platform services, new

technology).

• Standardize (rebuild)

existing interfaces

(priority – unsecure

protocols).

• Eliminate historical

integration

components.

Provide 360

customer view

Data analytics

solution,

Customer

relationship

management

(CRM) system

• Implement new

application services

(CRM system).

• Integrate new data

sources in Data

analytics solution

(social media, others).

Provide business

processes

orchestration

and common

tasks

management

Business process

management

(BPM) system

• Implement new

application component

(BPM system)

Ensure metadata

management

Master data

management

(MDM) system

• Implement new

component (MDM

system)

Principle - Smart Services Orientation

Requirement EA comp. Required changes

Provide self-

service for public

services users

(citizens,

enterprises) in

digital channels

E-services portal,

Mobile app

• Implement new

application services

(E-services portal).

• Redesign E-services

portal architecture.

• Integrate CRM and

wider data analytics.

• Implement new

application component

(Mobile app).

Provide online

information

availability users

(citizens, other

public

institutions)

Data analytics

solution, Open

data portal

• Implement new

application services

(data analytics

solution).

• Redesign open data

transformation service.

Divide

application in

service-oriented,

flexible

microservices

Customs system

• Redesign system

architecture

Reuse available

state level

services

Document

storage service

• Integrate document

storage service.

• Migrate documents

and eliminate existing

data stores.

Reuse external

standard

services

E-services portal,

Messaging

service,

Surveying

service

• Redesign E-services

portal architecture.

• Integrate new external

services (Messaging

service, Surveying

service).

1,5

2,5

2,2

1,8 0

Architecture

Principles

Business

Capabilities

Applications

Technology

Towards a Reference Architecture for a Business Continuity

561

The target EA components realize the requirements

thus it is assumed that the TCA BC level will increase

after target EA implementation. The fragment of the

TCA target EA in the form of ArchiMate

Requirement Realization Viewpoint is shown in the

Figure 7.

Figure 7: TCA target EA (fragment).

The reference architecture components are used to

validate target EA components. The gaps between

envisioned EA and reference model components are

highlighted according to the TOGAF gap analysis

technique recommendations (The Open Group,

2005).

6.4 Discussion

The example demonstrates application of a part of the

BC Framework. The BC Maturity Model allows to

identify BC maturity level and highlight development

needs. The principles support design of the target EA,

as well evaluate particular solution alternatives. The

principles can be decomposed to organization

specific architecture requirements to integrate BC

best practices; proper requirement management is the

central part of an EA design. BC Reference

Architecture can be used to validate target EA

components and guide their development.

Several limitations have been observed during the

case to be addressed in the further research. To

translate architecture principles in architecture

requirements, expert involvement and deep domain

knowledge is required. We claim that main BC

component is Business Capabilities. While EAM

covers several dimensions, including Business

architecture, empirical observations in numerous EA

design projects in the Baltics region shows that still

EA typically is perceived as IT discipline. It rises

challenges in Business architecture related principles

and Business Capabilities realization as part of EAM

initiatives.

Not all defined BC Architecture Principles and EA

components are relevant in every industry

andenterprise. For example, in the public sector

institutions, the organization culture mainly is

“traditional”, involving centralized decision taking and

relatively low agility and autonomy. The organization

structure, roles, responsibilities are well defined, and

everybody is expected to perform particular tasks.

Cultural aspects change is a long-term activity

requiring the highest leadership commitment, what

typically it is not part of EAM initiatives.

7 CONCLUSION

The paper proposes the BC Framework, that provide

guidance of BCM capabilities implementation across

different EA dimensions. The proposed framework

aims to address enterprises issues related to the low

standardization and missing knowledge. The

architecture principles encapsulate related research

results, thus providing knowledge base what can be

used for EA design. The standardization is promoted

by the reference architecture for BC. The reference

architecture proposes BC related architecture

components decomposition, thus promoting

standardization. Standardization may trigger the costs

decrease. It is assumed that the BC Framework would

increase enterprise competences in BCM and enable

better preparation for crisis, as the framework

incorporates knowledge from the best practices.

In the design science research cycle, the current

paper has focused on the investigation and solution

design phases. The framework evaluation will be

performed in the next research phase. Jointly with IT

consulting company it is planned to apply framework

for the company’s clients. The first step will be

enterprises current BC maturity evaluation, using BC

Maturity Model. Afterwards the maturity increase

plan will be prepared, based on the BC principles and

reference architecture. The maturity will be re-

measured after the plan implementation. Besides the

framework practical application, the enterprises

feedback will be collected and integrated in the

framework next versions.

ACKNOWLEDGEMENTS

Project “Platform for the Covid-19 safe work

environment” (ID. 1.1.1.1/21/A/011) is founded by

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

562

European Regional Development Fund specific

objective 1.1.1 «Improve research and innovation

capacity and the ability of Latvian research

institutions to attract external funding, by investing in

human capital and infrastructure». The project is co-

financed by REACT-EU funding for mitigating the

consequences of the pandemic crisis.

REFERENCES

Agility Recovery. (2022). The State of Business Continuity

Industry Observations and Trends for 2022 and Beyond

Guide.

Anir, H., Fredj, M., & Kassou, M. (2019). Towards an

Approach for Integrating Business Continuity

Management Into Enterprise Architecture.

International Journal of Computer Science and

Information Technology, 11(02).

Asah-Kissiedu, M., Manu, P., Booth, C. A., Mahamadu, A.

M., & Agyekum, K. (2021). An integrated safety,

health and environmental management capability

maturity model for construction organisations: A case

study in Ghana. Buildings, 11(12).

Asah-Kissiedu, M., Manu, P., Booth, C., & Mahamadu, A.-

M. (2020). Organisational Attributes that Determine

Integrated Safety, Health and Environmental

Management Capability. MATEC Web of Conferences,

312.

Aulkemeier, F., Schramm, M., Iacob, M. E., & van

Hillegersberg, J. (2016). A service-oriented e-

commerce reference architecture. Journal of

Theoretical and Applied Electronic Commerce

Research, 11(1), 26–45.

Bakar, Z. A., Yaacob, N. A., & Udin, Z. M. (2015). The

effect of business continuity management factors on

organizational performance: A conceptual framework.

International Journal of Economics and Financial

Issues, 5.

Bashir, A., Izhar, U., & Jones, C. (2020). IoT-Based

COVID-19 SOP Compliance and Monitoring System

for Businesses and Public Offices. 14.

Bemthuis, R., Iacob, M. E., & Havinga, P. (2020). A design

of the resilient enterprise: A reference architecture for

emergent behaviors control. Sensors (Switzerland),

20(22).

Birkel, H., & Müller, J. M. (2021). Potentials of industry

4.0 for supply chain management within the triple

bottom line of sustainability – A systematic literature

review. In Journal of Cleaner Production (Vol. 289).

Boin, A., & McConnell, A. (2007). Preparing for critical

infrastructure breakdowns: The limits of crisis

management and the need for resilience. Journal of

Contingencies and Crisis Management, 15(1).

Boin, A., & van Eeten, M. J. G. (2013). The Resilient

Organization. Public Management Review, 15(3).

https://doi.org/10.1080/14719037.2013.769856

Bondel, G., Faber, A., & Matthes, F. (2018). Reporting

from the Implementation of a Business Capability Map

as Business-IT Alignment Tool. Proceedings - IEEE

International Enterprise Distributed Object Computing

Workshop, EDOCW, 2018-October, 125–134.

Buhr, B. (2015). Élargir le champ de l’analyse du risque de

crédit. Revue d’économie Financière

, N° 117(1).

Buhr, B. (2017). Assessing the sources of stranded asset

risk: a proposed framework. Journal of Sustainable

Finance and Investment, 7(1).

Corrales-Estrada, A. M., Gómez-Santos, L. L., Bernal-

Torres, C. A., & Rodriguez-López, J. E. (2021).

Sustainability and resilience organizational capabilities

to enhance business continuity management: A

literature review. Sustainability (Switzerland), 13(15).

Duchek, S. (2020). Organizational resilience: a capability-

based conceptualization. Business Research, 13(1).

Ezzahra, E. F., Noureddine, E. A. A., Mohamed, Y., &

Omar, B. (2021). Scalable and Reactive Multi Micro-

Agents System Middleware for Massively Distributed

Systems. International Journal of Advanced Computer

Science and Applications, 12(11).

Falazi, G., Lamparelli, A., Breitenbuecher, U., Daniel, F.,

& Leymann, F. (2020). Unified Integration of Smart

Contracts through Service Orientation. In IEEE

Software (Vol. 37, Issue 5).

Farzi, N. (2022). Investigation the Place of BIAN Standard

in Digital Banking Enterprise Architecture. Technium

Social Sciences Journal, 27.

Gibb, F., & Buchanan, S. (2006). A framework for business

continuity management. International Journal of

Information Management, 26(2).

Gomes, P., Cadete, G., & da Silva, M. M. (2017). Using

enterprise architecture to assist business continuity

planning in large public organizations. Proceedings -

2017 IEEE 19th Conference on Business Informatics,

CBI 2017, 1.

Gomes, R. S. (2016). Resilience and enterprise architecture

in SMEs. Journal of Information Systems and

Technology Management, 12(3).

Gregor, S., Hart, D., & Martin, N. (2007). Enterprise

architectures: Enablers of business strategy and IS/IT

alignment in government. Information Technology &

People, 20(2).

Haki, K., & Legner, C. (2021). The mechanics of enterprise

architecture principles. Journal of the Association for

Information Systems, 22(5).

Hamid, A. H. A. (2018). Limitations and challenges

towards an effective business continuity management

in Nuklear Malaysia. IOP Conference Series: Materials

Science and Engineering, 298(1).

Hamit, L. C., Sarkan, H. M., Mohd Azmi, N. F., Mahrin,

M. N. ri, Chuprat, S., & Yahya, Y. (2020). Adopting an

ISO/IEC 27005:2011-based risk treatment plan to

prevent patients from data theft. International Journal

on Advanced Science, Engineering and Information

Technology, 10(3).

Herbane, B., Elliott, D., & Swartz, E. M. (2004). Business

Continuity Management: time for a strategic role? Long

Range Planning, 37(5).

Hernantes, J., Maraña, P., Gimenez, R., Sarriegi, J. M., &

Labaka, L. (2019). Towards resilient cities: A maturity

Towards a Reference Architecture for a Business Continuity

563

model for operationalizing resilience. Cities, 84.

Hussain, A., Farooq, M. U., Habib, M. S., Masood, T., &

Pruncu, C. I. (2021). Covid-19 challenges: Can industry

4.0 technologies help with business continuity?

Sustainability (Switzerland), 13(21).

Ismail, H. S., Poolton, J., & Sharifi, H. (2011). The role of

agile strategic capabilities in achieving resilience in

manufacturing-based small companies. International

Journal of Production Research, 49(18).

ISO. (2019). ISO 22301:2019(en) Security and resilience

— Business continuity management systems —

Requirements.

Kelly, N., & Gero, J. S. (2021). Design thinking and

computational thinking: A dual process model for

addressing design problems. Design Science.

Lengnick-Hall, C. A., Beck, T. E., & Lengnick-Hall, M. L.

(2011). Developing a capacity for organizational

resilience through strategic human resource

management. Human Resource Management Review,

21(3).

Lingeswara, R., & Tammineedi, S. (2012). Key Issues,

Challenges & Resolutions in Implementing Business

Continuity Projects. ISACA Journal, 1.

Madhubhashini, G. T. (2019). The use of information and

communication technologies (ICTs) for natural disaster

management in Sri Lanka. International Journal of

Interdisciplinary Global Studies, 14(2).

Margherita, A., & Heikkilä, M. (2021). Business continuity

in the COVID-19 emergency: A framework of actions

undertaken by world-leading companies. Business

Horizons, 64(5), 683–695.

Nadhamuni, S., John, O., Kulkarni, M., Nanda, E.,

Venkatraman, S., Varma, D., Balsari, S., Gudi, N.,

Samantaray, S., Reddy, H., & Sheel, V. (2021). Driving

digital transformation of comprehensive primary health

services at scale in India: An enterprise architecture

framework. BMJ Global Health, 6.

Niemimaa, M. (2015a). Extending “toolbox” of business

continuity approaches: Towards practicing continuity.

2015 Americas Conference on Information Systems,

AMCIS 2015.

Niemimaa, M. (2015b). Interdisciplinary review of

business continuity from an information systems

perspective: Toward an integrative framework.

Communications of the Association for Information

Systems, 37.

Niemimaa, M., Järveläinen, J., Heikkilä, M., & Heikkilä, J.

(2019). Business continuity of business models:

Evaluating the resilience of business models for

contingencies. International Journal of Information

Management,

49.

Nolan, R. L. (1997). Top-down driven architecture design.

Information Management & Computer Security, 5(4).

Obrenovic, B., Du, J., Godinic, D., Tsoy, D., Khan, M. A.

S., & Jakhongirov, I. (2020). Sustaining enterprise

operations and productivity during the COVID-19

pandemic: “Enterprise effectiveness and sustainability

model.” Sustainability (Switzerland), 12(15).

Otoom, M., Otoum, N., Alzubaidi, M. A., Etoom, Y., &

Banihani, R. (2020). An IoT-based framework for early

identification and monitoring of COVID-19 cases.

Biomedical Signal Processing and Control, 62.

Pal, R., Torstensson, H., & Mattila, H. (2014). Antecedents

of organizational resilience in economic crises - An

empirical study of Swedish textile and clothing SMEs.

International Journal of Production Economics,

147(PART B).

Papadopoulos, T., Baltas, K. N., & Balta, M. E. (2020). The

use of digital technologies by small and medium

enterprises during COVID-19: Implications for theory

and practice. International Journal of Information

Management, 55.

Peterson, C. A. (2009). Business Continuity Management

& guidelines. Proceedings of the 2009 Information

Security Curriculum Development Annual Conference,

InfoSecCD’09.

Petrovic, N., & Kocić, Đ. (2020). IoT-based System for

COVID-19 Indoor Safety Monitoring SCOR (Semantic

COordination for Rawfie) View project. http://mqtt.org/

Pinto, D., Fernandes, A., da Silva, M. M., & Pereira, R.

(2022). Maturity Models for Business Continuity-A

Systematic Literature Review. International Journal of

Safety and Security Engineering, 12(1).

Pitt, M., & Goyal, S. (2004). Business continuity planning

as a facilities management tool. Facilities, 22.

Prataviera, L. B., Creazza, A., Melacini, M., & Dallari, F.

(2022). Heading for Tomorrow: Resilience Strategies

for Post-COVID-19 Grocery Supply Chains.

Sustainability (Switzerland), 14(4).

Seraoui, Y., Raouyane, B., Belmekki, M., & Bellafkih, M.

(2020). eTOM to NFV mapping for flexible mobile

service chaining in 5G networks: IMS use case.

Heliyon, 6(6).

Sheng, J., Amankwah-Amoah, J., Khan, Z., & Wang, X.

(2021). COVID-19 Pandemic in the New Era of Big

Data Analytics: Methodological Innovations and Future

Research Directions. British Journal of Management,

32(4).

Stelzer, D. (2010). Enterprise architecture principles:

Literature review and research directions. Lecture

Notes in Computer Science (Including Subseries

Lecture Notes in Artificial Intelligence and Lecture

Notes in Bioinformatics)

, 6275 LNCS.

Tanpipat, W., Lim, H. W., & Deng, X. (2021).

Implementing remote working policy in corporate

offices in Thailand: Strategic facility management

perspective. Sustainability (Switzerland), 13(3).

The Open Group. (2005). The TOGAF ® Standard.

www.opengroup.org/legal/licensing.

The Open Group. (2016). Open Group Guide Business

Capabilities.

The Open Group. (2019). Archimate® 3.1 Specification. In

The Open Group.

Timm, F., Sandkuhl, K., & Fellmann, M. (2017). Towards

A Method for Developing Reference Enterprise

Architectures. Proceedings Der 13. Internationale

Tagung Wirtschaftsinformatik (WI 2017).

Tummers, J., Tobi, H., Catal, C., & Tekinerdogan, B.

(2021). Designing a reference architecture for health

ICEIS 2023 - 25th International Conference on Enterprise Information Systems

564

information systems. BMC Medical Informatics and

Decision Making, 21(1).

Virtual Corporation. (2003). Business Continuity Maturity

Model. Virtual Corporation.

Vogt, M., Hertweck, D., & Hales, K. (2011). Strategic ICT

alignment in uncertain environments: An empirical

study in emergency management organizations.

Proceedings of the Annual Hawaii International

Conference on System Sciences.

Webster, J., & Watson, R. T. (2002). Analyzing the Past to

Prepare for the Future: Writing a Literature Review.

MIS Quarterly, 26(2).

Weick, K. E. (1993). The Collapse of Sensemaking in

Organizations: The Mann Gulch Disaster.

Administrative Science Quarterly, 38(4).

Wendler, R. (2012). The maturity of maturity model

research: A systematic mapping study. Information and

Software Technology, 54(12).

White, B. S., King, C. G., & Holladay, J. (2020).

Blockchain security risk assessment and the auditor. In

Journal of Corporate Accounting and Finance (Vol. 31,

Issue 2).

Wieringa, R. (2009). Design science as nested problem

solving. Proceedings of the 4th International

Conference on Design Science Research in Information

Systems and Technology, DESRIST ’09.

Yadav, M., Kumar, A., Mangla, S. K., Luthra, S., Bamel,

U., & Garza-Reyes, J. A. (2019). Mapping the human

resource focused enablers with sustainability

viewpoints in Indian power sector. Journal of Cleaner

Production, 210.

Zhang, M., Chen, H., & Luo, A. (2018). A Systematic

Review of Business-IT Alignment Research with

Enterprise Architecture. IEEE Access, 6.

Towards a Reference Architecture for a Business Continuity

565