Skip to main content

Three Rules for Elevating Your Business Continuity Strategy

The COVID-19 pandemic has tested the meaning of risk and resilience for many organizations. In a global survey, 82% of respondents said that prior to COVID-19, a pandemic or other major health crisis was not a top 10 risk on their organization’s risk register.[1]

But still, leaders across the business community have risen to the challenge. Many revisited their business continuity strategy, incorporating three critical components—discovery, planning and validation/governance. Now, as business leaders and risk managers look ahead to the future of work, they are seeking to not only create and update their business continuity strategy, but to elevate it. Doing so can help make sure organizations are prepared for the unexpected and managing their total cost of risk most effectively. Below are three rules for elevating strategy, which draw from lessons learned from the COVID-19 pandemic and other risk considerations.


Rule #1: Always do a risk assessment

Too few companies do a risk assessment, or do one regularly—but this is a critical first step for a stronger business continuity strategy. And because risks are evolving, from weather to cyber, and what companies value—take, for instance, the growing value of intellectual property—it can never be a one-and-done exercise.

Companies need to know what risks are inherent in their business, culture, geography and beyond, how susceptible they are to those risks and what are the possible negative impacts if that risk occurs. If they have a footprint in California, have they fully assessed wildfire risk not only as it relates to property, but also the supply chain? Their people? Employees’ ability to work as expected? What about Gulf coast operations, which face hurricane risk? The important differentiator is not just knowing the risks but the extent of vulnerability and impact.

And beyond that, what companies currently have in place to mitigate both, from physical infrastructure to external resources. The risk assessment can help quantify risk and establish a risk threshold and form the basis of critical processes and resources to manage and respond if an event occurs. These include business continuity plans and insurance.


Rule #2: Rethink your risk management structure

As companies continue to navigate the pandemic, they’re assessing gaps in their risk management strategy and structure and business continuity planning.

Around a third of respondents in a recent survey said their existing enterprise risk management program was insufficient in dealing with the pandemic’s impact, and nearly 80% plan to depend more heavily on risk management to reduce volatility in performance in the future.

To do so, many will need to change their risk management structure to allow for more dynamic and integrated risk management and business continuity strategies—and elevate those to a strategic level.

In addition to fostering more agility across the organization, rethinking risk structure and roles can also change how organizations use data and analytics to push decision making. The use of data and analytics—and building more sophisticated capabilities—can go a long way in business continuity strategy and enable companies to make better decisions faster. To make these changes, companies will need to source talent differently, thinking of risk roles as a strategic and executive-level function.


Rule #3: Build a risk framework

In the event of an incident—from an IT or cyber incident to a tornado—companies need to be able to switch quickly to crisis response mode with the goal to protect, among other things, employees, customers, financial stability, the brand, property, technology and operational integrity. With a pre-designed, well-established, thoughtful risk and business continuity framework, they’re more able to do that.

A strong risk framework:
  • Utilizes each of the three critical components -- discovery, planning and validation/governance.
  • Allows companies to act and make decisions quickly for a number of risks, with more agility and flexibility and a shared understanding of what needs to happen across teams and functional groups.
  • Can help companies quickly identify priorities and actions. For instance, understanding the impact of a given incident on people, facilities, IT, and the supply chain—and where to act first. They can quickly identify their most resilient vendors and what needs to happen to maintain operations in the event of an incident or crisis.

Also important is that with this risk framework, companies have a stronger narrative to share with insurers—letting them know what they’ve done to protect themselves and mitigate risks. As those risk solutions evolve to meet the changing needs of companies and their business continuity strategies, the framework can help guide both strategic and operational decisions. 


There are lessons to be learned from the COVID-19 pandemic, and companies have an opportunity today to strengthen their organizations for the future. Business continuity strategies will continue to play a critical role in responding to crisis—and these three rules can help set companies apart.

[1] Reprioritizing Risk and Resilience for a Post-COVID-19 Future