How To Build A Successful Business Continuity Program Based On Risk

The most successful business continuity programs are built with one important thing in mind:


Any business continuity strategy that uses risk as its linchpin has a greater chance of achieving its goal—recoverability—while optimizing the resources needed to accomplish it.

Boiled down simply, a risk-based business continuity strategy takes into account the following three areas:

  1. Human-factor risks.
  2. Critical business operations risks.
  3. Recoverability risks (for critical areas only).

If you can successfully minimize these risks, your business continuity program will deliver a high return on investment.

Minimize the risks associated with your recovery plans with the help of this free guide to creating and implementing a business recovery plan.

Risk-Based Business Continuity Management

1. Human-Factor Risks

The single biggest risk in almost every organization is the one most people overlook: the human factor. You might have the best strategies and solutions possible, and solid recovery plans for all your technology, but all of it will fail if you haven’t prepared your people. Human-factor risks include:

  • Employees at all levels aren’t aware of the program and its importance.
  • Employees don’t know what to do/what not to do when the time comes.
  • Employees aren’t ready to execute on the plan because they haven’t been trained.

Assess your human-factor risk—is it high, medium, or low? Depending on your answer, find ways to develop your program to address this type of risk.

2. Critical Business Operations Risks

Too many business continuity programs strive to protect too many areas of the company without any real reason to do so. It’s a waste of resources—time, energy, money, and people—to protect something that isn’t critical to business operations.

Instead, do the necessary legwork to identify the business units that are core to your company. What areas really keep it up and running? (A Business Impact Analysis, or BIA, will give you a definitive answer to this question.) Then, work on understanding the risks associated with those business units only. Focus on the 20 percent of your business that produces 80 percent of your revenue or output. Understand the key risks associated with that critical 20 percent—including people, technology, and processes—and consider ways to best mitigate those risks.

3. Recoverability Risks (For Critical Areas Only)

It all comes down to recoverability: Can the business recover from a business continuity event, or not? To ensure the answer is yes, consider the risks surrounding recoverability for your most critical units:

  • Is systems recovery (IT) aligned with business unit recovery needs? If a particular business unit needs to be recovered within 24 hours, yet the IT systems associated with that unit cannot be recovered within that time frame, this presents a major risk to your recoverability. In fact, systems and business units that are not aligned represent the most significant—and most common—exposure to risk in this area. Your BIA should reveal any such inconsistencies early on in the process.
  • Do you have recovery strategies in place? Are they effective and proven? As part of your business continuity process you should be measuring the effectiveness of your recovery strategies. If you haven’t done so, the risks associated with your recovery strategies are higher.
  • Do you regularly conduct recovery exercises? You can minimize risk in this area by regularly conducting practice exercises to the highest level possible, based on the criticality of the business unit.

Essential Tools For A Risk-Based Business Continuity Program

Our business continuity management software has all the tools you need to assess and manage risk in your program. Within the BCMMetrics™ suite is BIA On-Demand (BIAOD), a secure cloud-based tool you can use to conduct a complete and thorough Business Impact Analysis. You’ll be able to easily determine the criticality of your business units and the processes associated with them without outside help, and even generate insightful reports that can be shared with stakeholders.

Additionally, the Residual Risk (R2) tool gives you a quantitative method to evaluate risk in your business recovery plans. It also helps you clearly see areas where you have successfully managed risk, as well as opportunities for improvement, and generates easy-to-read management reports. Along with these tools you’ll receive eight hours of consulting with a business continuity expert, as needed, to provide help anywhere along the way.

If you’d like to see the BCMMetrics™ suite of online tools in action, schedule a free demo today.

Michael Herrera is the Chief Executive Officer (CEO) of MHA. In his role, Michael provides global leadership to the entire set of industry practices and horizontal capabilities within MHA. Under his leadership, MHA has become a leading provider of Business Continuity and Disaster Recovery services to organizations on a global level. He is also the founder of BCMMETRICS, a leading cloud based tool designed to assess business continuity compliance and residual risk. Michael is a well-known and sought after speaker on Business Continuity issues at local and national contingency planner chapter meetings and conferences. Prior to founding MHA, he was a Regional VP for Bank of America, where he was responsible for Business Continuity across the southwest region.

Leave a Reply

Your email address will not be published. Required fields are marked *

Business continuity consulting for today’s leading companies.

Follow Us

© 2024 · MHA Consulting. All Rights Reserved.

Learn from the Best

Get insights from almost 30 years of BCM experience straight to your inbox.

We won’t spam or give your email away.

  • Who We Are
  • What We Do
  • Blog