Analysis and Evaluation of Business Continuity Measures Employed in Critical Infrastructure during the COVID-19 Pandemic

: The purpose of the presented research was to determine the effectiveness and sufﬁciency of measures put in place to protect the business continuity of critical infrastructure (CI) and key services (KSs) during the COVID-19 pandemic. The wide variety of research conducted in the area of business continuity maintenance during the COVID-19 pandemic does not change the fact that there is still a research gap in this area, particularly in terms of issues related to CI and KS protection. A systematic review of scientiﬁc publications revealed the need for continued research into this topic given the fact that only 19 papers related to CI continuity and 8 directly to KS operators could be identiﬁed. Holistic and interdisciplinary research is particularly needed to organize and systematize the existing scientiﬁc knowledge on the subject, and in practical terms, help organizations and institutions to better prepare for future continuity disruptions. A survey conducted between March and May 2021 among entities operating in Poland and classiﬁed as critical infrastructure operators as well as key service operators, subcontractors, and suppliers crucial to maintaining the continuity of critical infrastructure operations revealed that entrepreneurs, surprised by the speed and aggressive nature of the pandemic, mainly resorted to protective measures that were immediately available, standard solutions that did not require excessive ﬁnancial and organizational effort. But in the face of long-term pandemic threat, such measures may no longer be sufﬁcient, so it is important to intensify research into those precautions that require readaptation of work organization and organizational processes to protect key workers, increase supply chain resilience, and protect the work process.


Introduction
Maintaining business continuity during the COVID-19 pandemic and seamlessly recovering from the crisis is a task that poses a significant challenge to all managers and participants in socioeconomic processes. The ISO 22301 definition of business continuity as the ability of an organization to continuously deliver a product or service within an acceptable timeframe with acceptable performance during disruptions [1] takes on particular significance with respect to the security of critical infrastructure (CI) and key services (KSs) given that the very concept of CI is centered on the assumption that these facilities are important to economic security, national defense, and the functioning of the society [2].
According to the classic definition, critical infrastructure comprises systems and assets, whether physical or virtual, that are so essential to a nation that any disruption of their services could have a serious impact on national security, economic well-being, public health or safety, or any combination thereof [3]. There is no global consensus as to which specific systems should be considered CI, but at the most general level, it includes elements that are vital to the operation of a society [4]; hence, systems such as electricity, transport, healthcare, gas and oil, telecommunications, banking and finance, emergency services, government continuity, and water supply are typically recognized as CI systems [5].
Key services, introduced into the economic and scientific debate by the NIS Directive of 21 April 2016 [6], are an elaboration on this basic understanding of CI. This redefined approach to identifying critical facilities is based on the premise that it is the unavailability of KSs that generates negative consequences for the society, the state, and the environment. Therefore, in order to identify the actual CI, it is necessary to identify the KSs characteristic for a specific critical process and their dependencies on specific vulnerable resources. Some of said resources directly influence the capacity for continued KS provision, and it is those very resources that should be considered as CI, particularly in the context of maintaining business continuity.
Observing the change in the approach to CI and KS protection over the years, it is important to note the progression from protecting specific systems and entities [7] to developing holistic policies that improve their resilience globally-politically, socially, and economically [8]. This is a consequence of the shift from a CI-centric approach to a more KS-oriented perspective. The experience of the COVID-19 pandemic further reinforced the above postulates, leading to a surge in research and publications centered around assessing the impact of different types of precautions on the ability to maintain business continuity during a crisis and the efficiency of recovery from the same once restrictions and limitations are lifted. The research conducted in this area is twofold-global and individual to reflect the directions of CI and KS protection outlined above. In the global dimension, researchers try to characterize particular phenomena and develop practical recommendations for management, economics, finance, and law. In the individual dimension, the effectiveness of actions taken and measures applied is assessed, and the ability of a specific organization or group of organizations to flexibly adapt to a crisis situation is analyzed.
The wide variety of research conducted in the area of business continuity maintenance during the COVID-19 pandemic notwithstanding, the systematic review of scientific papers carried out in the present study (Section 2) revealed that there is still a research gap in this area, particularly in terms of CI and KS protection. In this context, two research questions were formulated: RQ1: What specific topics of existing academic research address business continuity in the context of the pandemic, including considerations pertaining to CI protection and KS provision? RQ2: What has been the effectiveness and sufficiency of the measures actually put in place to protect CI business continuity during the pandemic, as reflected in the present study and secondary research?
The answer to RQ1 was derived from a systematic literature review presented in Section 2. The answer to RQ2 is contained in  where the results of the quantitative survey are presented, discussed, and related to the literature reports analyzed in Section 2. A summary of the entire paper with indications for further research is presented in Section 6.

Systematization of the Relevant Literature
Business continuity management (BCM) is a management process based on a risk and business impact assessment to build organizational resilience [9]. CI and KS operators treat BCM as a mandatory part of their core business. Therefore, they can be considered as the group with the highest culture development of business continuity plans, protection measures, and social impact in the security field. Given the above, it is reasonable to investigate the effectiveness and sufficiency of the protections they applied during a pandemic. The systematic literature review shown in Figure 1 is subordinated to this thesis. Step 1 The current situation of pandemic and post-pandemic recovery has activated academic circles towards business and organizational continuity research. As indicated by the results of Table 1, there has been considerable interest in the topics of both business continuity and the impact of the COVID-19 pandemic, but there are still few studies that combine the two.  The search results presented in Table 1 demonstrate that there is a significant research gap in terms of interdisciplinary studies investigating business continuity management issues during the COVID-19 pandemic. Based on the above, requirements were formulated for a systematic literature review aimed at identifying research focusing on business continuity during the COVID-19 pandemic. The literature review was conducted based on the two scientific databases, WoS CC and Scopus, as these are the databases commonly used in bibliometric and systematic analyses of literature and research papers [10,11].
Step 2 Exploration of the existing literature concerning one-way and two-way relationships between the terms of business continuity and the COVID-19 pandemic involved filtering the databases using a specific set of keywords. The selection of an appropriate set of keywords was preceded by the identification of terms, synonyms, and abbreviations related to "business continuity" and "COVID-19", as used in the most frequently cited or most recent scientific publications thematically related to business continuity and the COVID- Step 1 The current situation of pandemic and post-pandemic recovery has activated academic circles towards business and organizational continuity research. As indicated by the results of Table 1, there has been considerable interest in the topics of both business continuity and the impact of the COVID-19 pandemic, but there are still few studies that combine the two. Table 1. Search results for "Business continuity" AND "COVID-19" in Scopus and Web of Science Core Collection databases (author's own elaboration). The search results presented in Table 1 demonstrate that there is a significant research gap in terms of interdisciplinary studies investigating business continuity management issues during the COVID-19 pandemic. Based on the above, requirements were formulated for a systematic literature review aimed at identifying research focusing on business continuity during the COVID-19 pandemic. The literature review was conducted based on the two scientific databases, WoS CC and Scopus, as these are the databases commonly used in bibliometric and systematic analyses of literature and research papers [10,11].
Step 2 Exploration of the existing literature concerning one-way and two-way relationships between the terms of business continuity and the COVID-19 pandemic involved filtering the databases using a specific set of keywords. The selection of an appropriate set of keywords was preceded by the identification of terms, synonyms, and abbreviations related to "business continuity" and "COVID-19", as used in the most frequently cited or most recent scientific publications thematically related to business continuity and the COVID-19 pandemic, based on the entries in the WoS CC and Scopus databases associated with the areas of management science and economics.
Based on the results, a query was formulated to search for relationships between the topics of business continuity and the COVID-19 pandemic across titles, keywords, and abstracts, without timeframe or language restrictions. The query was entered into the Scopus (Q1) and WoS CC (Q2) databases in October 2021: Q1: TITLE-ABS-KEY (business AND continuity AND COVID-19 OR pandemic OR epidemic OR SARS-CoV-2).
In the WoS CC database, 119 papers matching the criteria were identified; in the Scopus database, 276 papers. After eliminating duplicates and papers posted without abstracts, a total of 295 unique publications were qualified for further analysis. The resulting dataset was analyzed using machine learning methods, under the latent Dirichlet allocation (LDA) model. LDA is a generative probabilistic model in which documents are represented as random mixtures over latent topics, where each topic is characterized by a distribution over words [12]. Structures similar to LDA are often studied in Bayesian statistical modeling, where they are referred to as hierarchical models [13], or as conditionally independent hierarchical models [14].
Analysis of the data showed that the highest degree of coherence was obtained by dividing the analyzed set into 16 themes (coherence coefficient 0.298). There was some overlap between four themes in this configuration. Therefore, the division into eight themes (coherence coefficient 0.288) was the first option to not include overlapping themes. Theme 2.1 covers the impact of disasters in a general meaning, including pandemics (especially pandemic influenza), on the implementation of organizational and operational continuity plans, e.g., [15][16][17]. The most common keywords in this selection were as follows: pandemic, disaster, business, plan, flu, and risk. Theme 2.2 addresses the most sensitive area of pandemic impact, which is business continuity in the context of supply chain resilience to the COVID-19 crisis, e.g., [18][19][20][21]. The most common keywords in this selection were as follows: business, pandemic, covid, continuity, risk, impact, plan, crisis, strategy, resilience, and supply chain. Theme 2.3 presents the impact of the COVID-19 pandemic on business continuity in the context of defining emergency plans, crisis response, and organizational management model, e.g., [22][23][24]. The most common keywords in this selection were as follows: pandemic, business, continuity, covid, plan, crisis, work, model, organization, response, and emergency. Theme 2.4 refers to the characterization of the COVID-19 pandemic crisis in the context of response strategies, e.g., [25][26][27]. This is a particularly important topic because of the effectiveness and efficiency of management in view of the next crises. The most common keywords in this selection were as follows: business, continuity, pandemic, company, covid, crisis, risk, strategy, and response. Theme 2.5 contains considerations on organizational preparedness for the COVID-19 crisis in the context of its critical services, e.g., [28][29][30]. The most common keywords in this selection were as follows: business, pandemic, continuity, crisis, covid, preparedness, service, and critical. Theme 2.6 focuses on the provision of medical services during pandemics. In this context, the references made were not only to the COVID-19 pandemic but also to previous similar occurrences, e.g., [31,32]. The most common keywords in this selection were as follows: health, pandemic, service, care, risk, business, and continuity.
Theme 2.7 presents the patient's perspective and health system continuity during the COVID-19 pandemic, e.g., [33][34][35]. The most common keywords in this selection were as follows: business, pandemic, continuity, covid, patient, system, health, and care. Theme 2.8 is not determined by any keywords and included only seven qualifiable publications. Due to the difficulty of establishing a central theme and the small size of the sample, a decision was made to exclude it from further analysis.
In summary, it is possible to determine two main thematic lines of this researchgeneral, considering the pandemic and its impact in a generalized meaning (where the main representatives are the themes 2.1, 2.3-2.5), and specific, referring to specific areas of this impact (where the main representatives are the themes 2.2, 2.6-2.8).
Step 3 At this stage of the systematic literature review, the focus was on analyzing publications pertaining to CI and KS operators. To this end, the available scientific papers were reviewed again, with the intention of establishing a set of keywords that uniquely identify relevant studies. The databases were searched again by combining keywords characterizing business continuity, COVID-19, CI, and KSs in the form of queries Q3 (Scopus) and Q4 (WoS CC): Q3: TITLE-ABS-KEY (("business continuity") AND (COVID-19 OR pandemic OR epidemic OR SARS-CoV-2) AND ("critical infrastructure" OR "critical base" OR "critical substructure" OR "critical services" OR "key services" OR "key resources" OR "essential services" OR "crisis management")).
The search yielded 27 papers from the Scopus database and 14 papers from the WoS CC database. After removing duplicates and papers not containing abstracts, the final result was a collection of 29 papers. In this case, the LDA analysis was not applied due to the scarcity of records in the analyzed set. An attempted analysis using the LDA method indicated that the highest coherence coefficient was for 29 themes, which meant that each study would be treated as a separate, significantly different area of research. For this reason, the analysis of this collection of studies was carried out using the method of narrative analysis [36], which allowed the final identification of five distinct thematic groups. Theme 3.1 comprised studies largely indicating (more broadly than just in the context of the COVID-19 pandemic) the need for and effectiveness of using business continuity plans under pandemic conditions [20,33]. In this group, attention was paid, among other things, to situations where business requirements force the system performance to closely align with market demand and, at the same time, to account for the shortage of reserves that are necessary to meet the challenges of emergency situations, such as a pandemic [37][38][39].
Theme 3.2 comprised texts indicating the operational risk management tools derived from the theory of management science as effective and necessary in the process of preparing the organization for the potential occurrence of a threat. Papers in this group included a study discussing strategies for mitigating the socioeconomic-environmental risks of emergencies resulting from the COVID-19 pandemic [22]. Other studies in this group included considerations on the use of risk assessment to identify areas for which a business continuity plan should be developed in the event of a crisis [25], and the use of risk management methods to better identify risks associated with resuming or continuing operations under COVID-19 pandemic conditions, including effective and sufficient protective measures [40]. Theme 3.3 comprised papers showing the effectiveness of using other management tools that are not exclusively associated with risk management. In this group, attention was drawn, among other things, to the advisability of using process analysis to identify areas that require protection. Under this approach, operational resilience is achieved by identifying critical processes and resources, and consequently by protecting said resources and ensuring the business continuity of said processes [19]. Other elaborations providing a more in-depth insight included studies on the simulation and use of different scenarios in decision making [20,41]. The summary of this group creates a conclusion that the inclusion of risk and crisis management strategies in business continuity management facilitates better resilience of businesses to the effects of negative phenomena and incidents [24]. Theme 3.4 comprised studies on the role of leadership in times of crisis. Among other things, this group highlighted the advantages of an agile organization and strong leadership in the context of organizational adaptation to pandemic conditions [42]. Also included here were research findings on transformational leadership and communication systems as business continuity tools during COVID-19 [43]. In addition, the role of crisis management managers was also highlighted as an appropriate and effective crisis response tool [44].
Theme 3.5 comprised texts that indicate the effectiveness of specific actions to ensure business continuity in organizations. The research papers included in this group confirmed the effectiveness of teleworking, testing for SARS-CoV-2, and modifying the organization of customer service by changing communication contact points within the organization. With these measures in place, the organization's operational capacity was limited only due to decisions of state authorities, but never completely undermined [32]. Another study discussing the efficacy of selected precautions in production processes proved not only their effectiveness for the duration of the pandemic, but also their applicability afterward. This is due to the fact that the protection measures employed have effectively created a new functional model of an organization that facilitates stability in terms of the intended level of production without the need to significantly increase employment in order to achieve and maintain this stability in the event of a major disruption [45]. This group of papers also included a study presenting the results of a survey conducted in a group of 118 CI experts affiliated with the European Reference Network for Critical Infrastructure Protection coordinated by the European Commission's Joint Research Centre. The study examined the actions taken by CI operators to ensure the business continuity of the companies they manage [46].
In summary, the above considerations confirm the validity and usefulness of research output developed even before the pandemic and aimed at increasing CI flexibility, adaptability, and resilience to change, the overall premise thereof being that in the long term, risks cannot be avoided but vulnerability thereto can and indeed should be effectively reduced [47]. Ongoing cross-sectoral research has revealed the importance and potential of interorganizational relationships such as networking, which have helped to significantly diminish problems of resource unavailability or supply chain disruptions [46]. An analysis performed from the perspective of public administration entities revealed that nationwide CI disruptions were most often due to staff absenteeism and interruptions of the supply chains of the CI operators [48]. These observations have global implications that bear significantly on the overall perception of management, especially in terms of reducing warehouse stocks, which are dependent on the high efficiency and consistency of supply chains.
In addition to general research, in-depth case studies are also conducted with a view to identifying the specific precautions and solutions put in place by businesses, as well as their respective effectiveness and utility during the COVID-19 pandemic [49,50]. Interestingly, some of said studies indicate that the COVID-19 pandemic has fundamentally changed the approach to management, particularly with regard to the role of leadership and sustainability management [51], as well as the operational and business models that will henceforth continually entrench and advance business continuity management [45]. From the perspective of economic analysis, the protective measures employed ought to be effective in terms of limiting the impact of the crisis on business operations, as well as the impact on the continuity of supply chains and the ability to maintain customer relationships during a period of reduced contact. The global analysis of this phenomenon led to certain conclusions regarding the effectiveness of crisis response, which was found to be primarily dependent on the following [52]: the agility of business processes and the use of digital technologies in the communication of these processes, the existence of technical provisions useful to ensure the sustainability of operations during the transition phase and to support the smooth adaptation of the organization to a changing business situation, adopting efficient business analytics methods and tools that effectively support intraorganizational communication and decision making, and the ability to create differentiated and modular product/service portfolios and adaptable business models that foster faster improvement.

Materials and Methods
The study based on a CAWI internet survey was conducted in a target-selected respondent group. The survey took place in March and May 2021 and was made available, via the Government Security Centre (GSC), to all entities operating in Poland (100% population) and classified as follows: Since the above characteristics often occur complimentarily (e.g., a CI owner is also a KS operator, and may also be a key supplier to maintaining business continuity at other CI and KS operators), the structure of the surveyed population included 77% CI operators, 40% KS operators, and 60% key subcontractors and suppliers maintaining CI business continuity. Most of them (51% of the population) are former CI operators and key subcontractors and suppliers at the same time. This means that most of the entities surveyed were responsible not only for the business continuity of their own organization, but also for related organizations in the supply network. This fact significantly affected the scope of the formulated questions in the research survey.
The survey was structured by type of protection measures to reflect both the applicable government regulations and recommendations, in particular concerning the protection of CI and KSs, and the accumulated practical experience in terms of relevant types of protective measures. For this purpose, the protection categories used were extracted from the content of the analyzed articles. Table 2 lists the particular categories used in the research survey.  [27,31,34,45,52,53] A total of 73 responses were returned in the survey structured as follows: • General part-including characteristics of the conducted activity, the experienced level of infections and disruptions caused by the SARS-CoV-2 virus; • Questions addressed to all respondents with regard to the deployment and assessment of particular protection measures: formal and legal, individual, collective, and in terms of work organization; • Questions to production entities regarding the deployment and evaluation of production process protection measures; • Questions to non-production entities regarding the deployment and evaluation of measures employed to protect work processes (other than the production process).
The effectiveness of the employed protective measures was evaluated on the 5-point Likert scale interpreted as follows: 1-ineffective; 2-low efficiency; 3-average efficiency; 4-above average efficiency; 5-high efficiency. The respondents' professional competence, confirmed by the GSC (the institution tasked with disseminating and conducting the survey), ensured the high reliability of the answers provided.
As regards the results of the general part of the questionnaire, the respondents surveyed were primarily CI operators (56 entities, 77% of the surveyed population)-public, national entities with at least 250 employees and an annual turnover of over EUR 10 million. Work in such entities is typically carried out in 3 shifts, 7 days a week. Nearly 1/3 of the entities (20 entities, 27% of the population) declared involvement in production activities, which was important from the perspective of testing the applicability and effectiveness of work process protection measures in both production and non-production environments. The surveyed organizations declared having faced the problem of infections and related business disruptions (Table 3). The results in Table 3 indicate that during the pandemic (until March 2021), the surveyed respondents experienced low (up to 10% of the workforce) to medium (11-50% of the workforce) incidence of infections. The resulting disturbances did not adversely affect the ability of the organization to maintain business continuity (only 1 case of suspension of operations) but did nonetheless adversely affect work processes in some cases due to quarantine requirements (11 entities, 15% of the population) or other reasons (8 entities, 11% of the population).

Results
The survey respondents were asked about the implementation of specific actions under the predefined categories of protective measures. The number of activities included in respective categories varied (Table 4). Not all of the activities listed in the survey were put into practice by the respondents. The number of measures declared by more than 90% of the respondents as employed during the COVID-19 pandemic (most popular measures) also varied between particular categories (Table 4). Based on the results in Table 4, three levels of popularity applicable to the protective measures in each category could be identified (Table A1): unpopular actions, averagepopularity actions, and popular actions.
Unpopular actions are those for which the percentage of non-applicability ("average percentage of the population not taking action" column) was higher than the average percentage of the whole population not employing these measures in the specified category ("population-wide" cell). Average-popularity actions are those for which the percentage of non-applicability was at most equal to the average percentage of the whole population not employing these measures in a given category, but at the same time was not less than 10%. Finally, popular actions are those for which the level of applicability was over 90% of the whole population.
When analyzing the results presented in Table A1 (Appendix A), it should be noted that in the first three categories of protection measures (formal, individual, and collective) the numbers of popular and unpopular protection measures are proportional. On the other hand, the two subsequent categories (work organization and organization of work processes) show a clear decrease in the use of specific measures. Steps that did not directly follow from the generally applicable formal and legal regulations and pandemic restrictions we less frequent, similarly to those requiring major organizational changes (e.g., special arrangement of the workspace), technological changes (e.g., automated transport), or additional financial outlays (e.g., parallel backups for leadership positions). Unpopular solutions also included protection measures that significantly affected the comfort of work and the level of employee satisfaction (e.g., giving up air conditioning, obliging employees to remain on standby outside normal working hours at the workplace or another place designated by the employer).
Actions rated above 3 on a Likert scale were considered effective in terms of maintaining business continuity during the COVID-19 pandemic. On average, the highest effectiveness was reported in the areas of formal and legal protection measures, work organization, and production process organization (Table 5). However, it should be noted that the highest proportions of measures deemed as effective were observed in the context of personal protective equipment (40% of all actions) and work area protection equipment (25% of all actions). Table 5. Effectiveness of particular protection measure categories in the context of maintaining business continuity as rated by the research group entities (author's own elaboration). Specific actions deemed as effective and the average effectiveness ratings given thereto are presented in Table A2 (Appendix A). It is notable that these measures were simultaneously (with one exception) characterized by high applicability, with over 90% of the respondents employing the same. The largest numbers of such activities belong to the individual protection (4 activities of 10 total) and work organization protection (5 activities of 20 total) measures. Their specificity is the typicality and the universality of their use, not only in CI facilities, but in any organization during a pandemic, such as hand disinfection, covering the nose and mouth, teleconferencing, or measures to reduce the density of people in buildings.

Category of Protection Average Application Efficiency Number of Effective Actions Percentage of Effective Actions
Activities rated below 3 on the adopted Likert scale were considered ineffective activities in terms of maintaining business continuity during the COVID-19 pandemic. On average, the lowest effectiveness was reported in the group of collective protection measures, the area of organization of other (non-production) work processes, and individual protection ( Table 6). Table 6. Protection measures rated by the respondents as ineffective in terms of maintaining business continuity (author's own elaboration). It should be noted that the rankings of individual protection measures presented in Tables 5 and 6 are almost identical, which confirms the higher effectiveness of formal protection measures, as well as measures in the work organization area and production process organization area, relative to measures in terms of individual protection, collective protection, and other (non-production) work processes. At the same time, there are twice as many protective measures deemed to be ineffective as there are those assessed as effective.

Category of Protection Measures Average Application Efficiency Number of Ineffective Actions Percentage of Ineffective Actions
The leaders in the group of ineffective activities (Table A3) are protection measures of the work organization (9 activities of 20 total) and the production process (7 activities of 11 total). This group was dominated by activities that negatively affect the comfort and psyche of employees (for example, full face covering, cancellation of air conditioning, limiting the number of entry points to facilities) and require a great deal of organizational effort and financial outlay (for example, parallel backups for leadership positions, automatic record of production plan execution, automated transport, deliberate workspace arrangement to minimize the need for employee contacts).
The specific activities identified as ineffective by the respondents correspond to those not used by many of the respondents. As follows from the above specific analyses, actions deemed as ineffective were, quite naturally, avoided by the respondents. On the other hand, the actions considered effective were universally employed by a vast majority of the surveyed population. The average level of non-applicability of ineffective solutions was 35%, while for effective measures this ratio was only 3% (Table 7). Table 7. A comparative analysis of effective and ineffective measures identified by the respondents (author's own elaboration).

Category of Specific Actions
Average Action Effectiveness It is therefore reasonable to hypothesize that based on previous experience in terms of CI and KS protection, the respondents avoided using and testing protective measures that they had previously identified as ineffective.
To summarize the results obtained in the survey, it should be noted that the most popular business continuity measures were easily available, were commonly used, did not require extensive expenditures or organizational effort, and were most often required directly by law. Less popular measures were typically those not directly imposed by formal and legal regulations and pandemic restrictions, and ones that required substantial organizational and technological changes or additional financial outlays. Finally, unpopular measures were those that significantly reduced employee comfort and satisfaction, regardless of their effectiveness in terms of maintaining business continuity.

Discussion
The conducted literature review and previous research experience allowed us to prepare a research survey whose results reflect the sufficiency and effectiveness of the protective measures employed by Polish CI and KS operators during the recent pandemic. The survey was unique in terms of the scope and multidimensionality of the questions, which pertained to the formal-legal, personal, collective, and organizational protection measures.
Our assessment of the resilience of Polish CI and KS operators revealed that it proved sufficient to maintain business continuity during the pandemic. This was evidenced by the fact that despite the moderate to medium incidence of infections among the surveyed population (from 10 to 50% of the workforce) and the resulting quarantine requirements (in 54% of cases), only eight entities reported interruption of operations (11% of the surveyed population), and only one reported complete suspension thereof (1.5% of the surveyed population).
The effectiveness of security measures put in place by the respondents was largely influenced by compliance with risk mitigation recommendations from a variety of advisory and regulatory sources (Table 8). Table 8. Sources of knowledge and advice on pandemic impact risk reduction indicated by the surveyed entities (author's own elaboration).

Initiative Subgroup Size Population Percentage
Own initiative 3 4.1% Government guidelines 10 13.7% Industry recommendations 0 0.0% Other initiatives 60 82.2% The above results indicate an urgent need for a public and widely moderated debate on the effectiveness of security management and business continuity to be undertaken in the political, economic, and social domains. Since the unquestionable motivator for action is appropriate legislation, national governments should analyze in detail which protection measures, omitted or reduced during the current pandemic, should be included in the event of another threat. The results also underscore the need for systemic solutions within the scope outlined by the OECD in 2019 [8]. This, in turn, reinforces the importance of continued research on the effectiveness of particular protective measures, as the resulting general knowledge can prove extremely valuable in mitigating both present and future risks.
Viewed from the perspective of an organization as a member of a community, committed to the principles of sustainable development and social responsibility, the above results should also be considered in the context of three distinct profiles applicable to such measures-preventive, intraorganizational, and extraorganizational.

Preventive measures
The pandemic has changed business attitudes toward preventive measures implemented to secure business continuity. Admittedly, most CI and KS operators had business continuity protocols in place even before the pandemic (60% of the surveyed population), but the experience of COVID-19 significantly increased this percentage (84% of the surveyed population). Practically the entire surveyed population developed detailed procedures for dealing with infections (90-98% of the respondents), and in more than 40% of cases, these procedures were employed more than 10 times. A parallel comparison survey of non-CI and non-KS entities showed that the use of business continuity plans was high also in that population (67% of the surveyed population). Unfortunately, the comparative analysis also revealed that protective procedures were used by only half of the same (53% of the surveyed population), and crisis management plans were put in place by only a third thereof (33%). This seems to corroborate the thesis that preventive measures and good preparedness for an impending crisis or disaster can effectively reduce the consequences and losses resulting from such events, and that all organizations, not only CI and KS operators, should routinely employ this type of measures. The thesis is further supported by the results of other ongoing studies that point to the need to introduce business continuity and crisis management plans not only in enterprises, but also in public administration institutions [46], and present the organizational and financial consequences of not having such plans, as observed at the beginning of the current pandemic [22].

Intraorganizational measures
In addition to the much-needed preventive solutions, the most common measures implemented by entrepreneurs during the pandemic could be described as intraorganizational and included ready-made solutions in terms of formal and legal protection, individual protection, collective protection, work organization, and the organization of the work process. Indeed, most of the same fell under the category of formal and legal or individual measures. Other types of solutions were selected very carefully in response to particular needs, but also subject to the applicable financial, time, HR-related, and organizational limitations. For example, the predominance of measures implemented to protect the organization of the work process was clearly noticeable in production enterprises, while non-production enterprises were more careful to protect the organization of work in a more general sense. Naturally, this is hardly surprising given the fact that the manufacturing environment is particularly vulnerable to business continuity risks related to employee health [45]. And although at the time of the survey, the protection measures in place appeared to be sufficient, one must consider the possibility that they may not be enough in the long term. It is therefore crucial that preventive measures and internal organizational solutions are carefully planned and prepared during relatively peaceful periods if we are to ensure lasting and reliable resilience in times of crisis and disaster. As demonstrated in other ongoing research, it is necessary to facilitate both scientific diagnostic studies [46] and organizational self-assessment [49] to evaluate the actual effectiveness, sufficiency, and adequacy of the protective measures currently in place.

Extraorganizational measures
The last group of measures discussed above pertained to external organizational protection, i.e., the organization's social responsibility for the safety of its customers, cooperators, contractors, and society as a whole. The specific measures in this group related to two distinct aspects: protection of customers, contractors, and co-workers coming in contact with the entity, and supply chain disruptions.
As follows from the present and other studies [31], in terms of minimizing the contribution of an organization's employees to the spread of infections in the organization's environment, it is extremely important that relevant governmental regulations and restrictions are strictly followed both inside and outside the place of employment. Hence, there is an advantage of Asian over European countries in this regard, as Eastern culture is characterized by much stronger discipline and strict adherence to the letter of the law. The social responsibility of companies and institutions was particularly noticeable during the pandemic. It seems that there was no entity that did not realize the responsibility and the impact it has on the health and safety of its environment. This is one aspect of the pandemic that should be considered positive and integrates all economic and social entities.
The analysis indicated a particularly strong commitment to the implementation of such measures in production enterprises. This is understandable, given that companies from this subgroup are particularly vulnerable to disruptions of the supply chain which is crucial to their ability to continue operations and fulfill orders [52]. Hence, the scope of the protective measures employed in this subgroup had to go beyond the internal scope of the entities themselves [54]. It should be emphasized that the consequences of the disruption of international supply chains caused by the pandemic are still being felt, despite most of the pandemic restrictions having been lifted and the return to at least seeming normalcy. This fact also leads to a completely different approach to business continuity planning that is no longer a matter of individual preparedness, but rather a strategy encompassing the entire network of collaboration and dependency, in accordance with the currently prevailing Industry 4.0 approach [55].

Research insights
The presented results for RQ1 clearly indicated the subject areas wherein the existing academic studies effectively address business continuity issues in the context of the pandemic, particularly in terms of CI protection and KS provision. Eight leading research themes were identified in academic research pertaining to business continuity management during the pandemic, and five themes were specific to the same area of research but conducted among CI and KS operators. A systematic analysis of scientific publications evidenced the urgent need for further research on this topic seeing as only 19 papers on CI continuity and 8 papers related directly to KS operators could be identified. The topics that were identified in both step 2 and step 3 of the systematic literature analysis dominantly concerned the following: the impact of disasters, including pandemics (flu pandemic in particular), on the implementation of organizational plans and continuity of its operations; the supply chain resilience to the COVID-19 crisis; and the organization's preparedness for a COVID-19 crisis in the context of its critical services and processes. In particular, research of a holistic and interdisciplinary nature is needed to facilitate scientific organization and systematization of thematic knowledge and provide practical guidelines for organizations and institutions to help them better prepare for future epidemic events.
In terms of the results relevant to RQ2, the applicability and effectiveness of CI business continuity protection measures employed during the pandemic were determined by conducting a survey in a group composed of CI and KS operators and their key suppliers and manufacturers. The sufficiency of the precautions implemented was confirmed in view of the fact that complete suspension of operations was necessary only in 1 out of 73 cases examined. Nevertheless, the observed pattern shows that entrepreneurs, surprised by the speed and aggressive nature of the pandemic, mainly resorted to protective measures that were immediately available, standard solutions that did not require excessive financial and organizational effort. But in the face of long-term pandemic threat, such measures may no longer be sufficient, so it is important to intensify research into those precautions that require readaptation of work organization and processes to protect key workers, increase supply chain resilience, and protect the work process. The study presented in this paper focuses on such highly advanced and non-universal solutions that can transform future operating environments while significantly reducing their vulnerability to business interruption, which in the case of CI and KS operators is not only an organizational challenge but more importantly a social responsibility. Against this context and taking into account the three analytical profiles highlighted in the discussion section, conclusions were formulated, the final findings of which are presented below.
Preventive measures and good preparedness for impending crises or disasters can effectively reduce the consequences and losses resulting from the same. Therefore, all organizations, not only CI and KS operators, should broadly employ this type of measures, and business continuity planning should become as prevalent as risk assessment or crisis management planning. If we are to ensure high resistance to crisis and disaster, preventive measures and internal organizational solutions should be carefully planned and prepared during relatively peaceful periods. This, however, requires both in-depth scientific diagnostics and organizational capacity for self-assessment in terms of the effectiveness, sufficiency, and adequacy of the protective measures already in place. Operating under conditions of social responsibility and sustainable development not only means that extraorganizational measures become equally important as the other two discussed categories, but also guarantees the survival of cross-organizational supply chains, thus ensuring business continuity for all participants therein.

Research limitations and further studies
The primary limitation of the survey presented above was the scope of the questions included which, although pertaining to five key security areas, did not encompass all issues relevant to effective preparation for future threats. Thus, it is necessary to continue research in areas outlined by existing literature but not considered in the above analysis. Above all, future research should include the following: assessment of the mental and physical condition of workers, in particular key employees and managers [45,56]; the social impact of the organization and its protective measures and the possibility for the organization to become involved in support programs launched in the region (social responsibility) [52]; the impact of the environment and existing environmental solutions on the organization's ability to maintain business continuity (sustainability development) [49]; opportunities to increase organizational flexibility and resilience by taking advantage of scientific and technological advances [27]; and implementation of effective learning-by-doing techniques to improve existing protective measures as well employee competences and skills [22]. The purpose of such a focus for further research is not only to meet the demand for holistic and interdisciplinary research on the pandemic in various areas of social impact, including CI and SK, but also to find answers to questions about the changes that have irrevocably transformed our economies and societies after the COVID-19 pandemic period [57,58].
To recapitulate, it should be reiterated that while crises and disasters are unavoidable, the scale and severity of their impact largely depend on us and our determination in preparing for such occurrences, which can be significantly aided by further scientific research exploring these issues, and the scope and diversity of this research will determine future success.

Conflicts of Interest:
The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.
Appendix A Table A1. Classification of the popularity of detailed actions for each analyzed category of protection measures (author's own elaboration).

Unpopular Actions Actions of Average Popularity Popular Actions
Formal and legal protection measures:  Restricting or excluding buffet dining options and switching to a "take-away" mode "Permanently" assigned equipment/tools used in the work process Obligation for employees to remain on standby outside normal working hours in the workplace or in another place designated by the employer Employee work schedules planned to minimize contact between employees working in the same department Other work process protection measures (population of 53 respondents): A minimum distance of 1.5 m between workstations 3.74 6 11.32% Table A3. Activities considered by the respondents as ineffective in the context of business continuity (author's own elaboration).