Technical Advisory Bulletin: Business continuity management

July 24, 2017
| United States

Disasters can occur from natural causes, human error or criminal activity; and virtually every company has a genuine exposure to catastrophe.

The answer is to be prepared: to have ready both a business continuity plan and a disaster recovery strategy through which immediate, effective action can be taken should disaster strike. Whatever the threat to company assets, a current, detailed and flexible plan will enable your organization to survive.

The goals of a business continuity program

  • Minimize the extent of disruption and damage and prevent its escalation
  • Establish alternative means of operation
  • Minimize the impact of economic losses
  • Train and educate personnel and familiarize them with emergency operations and functions
  • Provide for a smooth and rapid transition of services
  • Ensure the life safety of employees and visitors


Business continuity is the availability of critical resources within an organization that will not be interrupted at a level acceptable to senior management. The key resources fall into five categories:

  1. People – Key executives, technicians, specialists, etc.
  2. Information technology – Includes hardware, software and telecommunications
  3. Facilities and utilities – Support services
  4. Materials, products and components – From your suppliers or being provided by you
  5. Company’s reputation – Public image, customer relations, shareholders’ interests

The reasons for program implementation

  • Many organizations are no longer independent. In most, processes are very interdependent and complex; the loss of one process can cause a chain reaction in others.
  • Organizations are running at such high output with products and services and a minimal number of personnel, that most any type of loss can have large, negative competitive consequences.
  • Due to the interdependencies and networking within most companies and with their suppliers, adverse reactions to a loss at one location or department can quickly escalate with far more significant consequences for the overall company.
  • Companies have been strongly trending toward reducing processes to their simplest elements without any redundancies.
  • For publicly held companies, the board of directors is responsible for assessing significant risks to the organization and planning accordingly to mitigate these threats. A business continuity plan fulfills part of this responsibility

Plan implementation guidelines

The Professional Practices for Business Continuity Practitioners, developed by Disaster Recovery Institute International, provides an excellent framework for creating, implementing, and maintaining business continuity and disaster recovery plans. Below is a summary of this document, upon which Willis Towers Watson’s business continuity management consultancy is based.

Program Initiation and Management: Establishes the need for a business continuity plan, including management support at all levels of the organization. It is important to organize and manage the project to completion within agreed upon time and budget limits.

Risk Assessment: Determines the frequency and severity of natural, manmade and political perils that can affect the organization and its facilities. By identifying and quantifying these exposures, controls can be implemented to mitigate them as well as provide a cost-benefit analysis to justify investment in these controls.

Business Impact Analysis: Identifies the effects of a disaster by employing techniques that identify critical organization/departmental functions. This helps establish recovery priorities, such as the number of personnel needed, the type of equipment needed, and the organization’s inter-dependencies so recovery time objectives (how quickly functions need to be restored) can be set.

  1. On-site review of various operations and their interdependency; development of total process flow chart
  2. Identification of critical operations and components of each
  3. Assignment of a risk factor or class to each event
  4. Identification of most critical operations and events
  5. Preparation of a written/formal plan to address post-loss and continued operation of critical processes
  6. A test review of business continuity action for significant events identified
  7. Development of recommendations for mitigation, additional procedures or insurance needs
  8. Presentation of information in a formal report, including an executive summary

Business Continuity Strategies: Selects recovery-operating strategies for business and information technologies, including such methods as use of a commercial hot-site, duplication of key records, contractual agreements and off-site storage.

Incident Response: Develops and implements procedures for responding to and handling a disaster. This includes establishing and managing the Emergency Operations Center, designating a person who is in charge and a framework for dealing with the overall management of the emergency (such as an incident management system).

Plan Development and Implementation: Designs, develops and implements the physical document that is formulated as a result of the risk evaluation and business continuity strategies that were developed/performed.

Awareness and Training Programs: Develops a program to create corporate awareness and enhance the skills required developing, implementing, maintaining, and using the developed plans.

Business Continuity Plan Exercise, Assessment and Maintenance: Establishes an exercise, testing, maintenance and audit program to ensure plans will perform as designed as well as validate that the plans are current and accurate.

Crisis Communications: Develops best practices to handle the media and how to disseminate information to employees’ families, key suppliers, customers and owners/stockholders during a crisis.

Coordination with External Agencies: Develops procedures for coordinating response, continuity and restoration activities with local, regional and national authorities and with compliance to statutes and regulations.


A business continuity program must become an advanced strategic plan designed to be an integral component of an organization’s corporate culture. It has to be demonstrated that it does contribute to enhancement of the bottom line by protecting share value and an organization’s competitiveness. A business continuity program can do this by addressing such important aspects as process availability, integrity, quality, and the strength and depth of the particular processes. It should look at the impact these processes will have if a catastrophe were to occur and just how things are going to operate. The key is reviewing and improving the design and development of the process so that minor mistakes, and possibly even major ones, can be eliminated and disruptions and breakdowns can be reduced or mitigated.