The Role of Business Continuity Management in Moving Risk Upstream

How business continuity management can elevate your risk conversations with insurers and vendors

Business Continuity Management (BCM) has grown in critical importance and has come to the forefront of companies’ risk management strategies during the COVID-19 pandemic, and will continue to do so as companies plan for the future. In the current hard insurance market, many companies are seeking ways to take control of their insurance program. Having a strong BCM strategy can help.


The stakes are certainly high. An infrastructure failure can cost an average of $100,000 per hour, and a critical application failure can cost between $500,000 and $1 million per hour.[1]

  • Because of this, carriers are increasingly encouraging insureds to share their own BCM plans as part of the underwriting process. However, be careful about what information you share with anyone outside your organization.
  • Successful organizations are also requesting BCM plans from their vendors as a best practice to better understand their suppliers’ resiliency and to also move risk upstream.
  • At the same time, you will want to assess your own BCM plans’ agility to test your own resiliency in the event of a disruption.

Here are further detailed recommendations for each of these three important areas:


What to share with your carrier when they ask for the BCM plan.

It’s not a requirement to share BCM plans with your insurer as part of the underwriting process; however, many insurance carriers are “significantly encouraging” insureds to do so. Underwriters are looking for evidence that you have taken the planning steps necessary to protect your business operations, including against growing cyber risks. In the current hard market, some carriers are even asking to see copies of the plan.

Business continuity leaders recommend thinking of your BCM plan as operational intellectual property, and risk managers should be cautious about sharing details in their entirety outside the organization—even with your underwriter. This can be a tough line to walk, because you want to make sure the underwriter gets what they need, without locking yourself into specific promises.

If your underwriter asks to see your BCM plan, respond in general terms: tell the carrier that you have a business continuity management program in place, consisting of elements such as an emergency response plan, a crisis management plan and an IT disaster recovery plan; that you have identified your critical processes and the resources that support them; and that you have exercised those plans over time. Be wary of sharing your plan in detail with any outside organization. The exception is compliance with FDA, USDA, SEC, FDIC and other federal regulations in the US, where you do need to give specifics.

There are three primary organizations that can provide business continuity standards and help you understand what to share with the insurance carrier, now and in the future: the Disaster Recovery Institute International (DRII), the Business Continuity Institute (BCI) and the National Fire Protection Association (NFPA). You can also seek out ISO 22301 and ISO 22330 certifications to show underwriters that you meet overarching standards for general business continuity.


Do a vendor resiliency analysis.

A supply chain disruption on the vendor side can have a ripple effect—and companies need to show they’ve managed their risk and put in the work to maintain business continuity from multiple angles.

Ensuring vendors have a BCM plan in place can push risk upstream and minimize your downtime and costs associated with a vendor service disruption. Alerting your carrier that you have reviewed vendor BCM plans will also strengthen your position at renewal time.

In a worst-case scenario, if suppliers don’t have a BCM plan in place, they’ll need to identify recovery actions and procedures on the fly in the event of a disruption. That can lead to missing important steps, overlooking risks and amplifying the disruption on your end.

It’s important that risk managers know what their supply chain risks are, gauge how resilient their suppliers are, and ensure that a supplier’s problems don’t cascade into your business and threaten your operations. To identify these risks, conduct a vendor resiliency analysis of your key vendors—any supplier whose missed commitments might cause the organization to fall short of a stakeholder’s significant expectation, or who is crucial to recovering from a crisis event.

A vendor resiliency analysis is the examination of a critical vendor to ensure that, in the event of a crisis, they can continue to support your organization with their products and services. Business continuity management leaders recommend doing this analysis with all of your vendors, and even asking them to do so with their vendors—as far upstream as you can go, to find out how resilient your supply chain is.

To start, make sure you’re not dependent on any one third-party vendor, which could threaten your own business continuity management program. A single-source vendor could potentially disrupt your business operations, should they be knocked out. Or, if you do use a single-source vendor, make sure you’ve had a conversation with leadership and it’s a conscious decision that fits within the company’s overall risk appetite and business strategy.

Next, ask your suppliers what they’ve done to identify risk and quantify impact to their business in these four areas of BCM: emergency response, crisis management, business unit continuity and IT recovery.

  • Emergency response. Have they planned a coordinated, effective and timely response to an emergency? The goal is to avoid or minimize injury to personnel and damage to company assets.
  • Crisis management. Have they determined their strategies to manage an event, including the internal and external communications necessary to protect corporate reputation and brand image?
  • Business unit continuity. Have they made necessary preparations to identify the impact of potential business interruptions? These include formulating recovery strategies, developing business continuity plans and administering a training, exercise and maintenance process.
  • IT disaster recovery. Have they listed the technological tenets of their business continuity program, with a focus on restoration, possibly at an alternate location, of data center services and computing capabilities?

Then, ask what they will do to support your company in the event of a crisis, through an increase or decrease in materials, service or information. You’ll typically receive one of three responses:

  1. They have a full BCM plan: the best-case scenario. You can depend on this vendor.
  2. They have some business continuity plans in place.
  3. They say that contractually, they don’t have to tell you anything. You may not be able to depend on this vendor to support you should a disruption occur.

No matter which response you receive, you’ll gain important information about the vendor’s operational well-being. You’ll get a better understanding of your risk relative to external suppliers and a way to address potential loss of vendor support.

Once you are aware of your vendor’s BCM plan, you can ask them how your business fits within their overall customer hierarchy: are you the top customer, or further down the line? You can also use this opportunity to identify emergency contacts and procedures at both organizations. Business continuity management leaders encourage companies to include the vendor’s BCM plan in your service level agreement.


Assess your own agility.

As part of a robust risk management practice, business continuity leaders recommend auditing your own strategies, structures and processes to find out how ready—or not ready—your business is to adapt to change in the event of a crisis or loss of vendor support. The goal is to protect the five key variables at risk if an event occurs: operations, finance, customer service, brand reputation, and regulatory compliance.

Audit your strategy: What are you trying to accomplish, and how will your crisis response align with the core company mission?

Audit your structure: What are the resources you’ll need if an event occurs? How will you recover, and in what order? Do you have a clear, flat structure, role accountability and hands-on governance?

Audit your processes: Can you iterate rapidly, is your technology up to date, do you have a standardized way of working and do you promote continuous learning?

A well-documented BCM plan should include recovery solutions based on the following possible loss scenarios:

  • Loss of facility
  • Loss of IT (corporate and/or local)
  • Loss of key personnel
  • Loss of key vendor/supplier

[1] Adapt and respond to risks with a business continuity plan