IT incidents and business impacts: Validating a framework for continuity management in information systems

•The relationship between IT incidents and business impacts is studied.•An information systems continuity management framework is validated.•Validation is based on a survey of CIOs in large private and public organisations.•Embeddedness of continuity practices seems to decrease impacts of IT incidents.

Information technology (IT) incidents that make data inaccessible may cause businesses to lose customers, reputation and market position. Previous studies on information management have identified data availability as a key priority, and the literature on disaster recovery and business continuity describes ways of preparing for and avoiding IT incidents. However, no frameworks for information system continuity management (ISCM) have yet been validated. This research draws on a framework for business continuity management, and extends it to the context of information systems. The framework is validated in a survey of IT managers and chief information officers in large private and public organisations operating in Finland. The results suggest that the embeddedness of continuity practices in an organisation has perceived business impacts whereas, in contradiction of previous theory, there is no such direct relation in the case of organisational alertness and preparedness. The theoretical contribution is to validate the ISCM framework statistically. On the practical level, social factors such as committed managers and employees are influential in decreasing negative business impacts. Further research on the embeddedness of continuity practices is called for.