
The Role of Business Continuity Management in Moving Risk Upstream

How business continuity management can elevate your risk conversations with insurers and vendors

Business Continuity Management (BCM) has taken on a new level of importance as a critical part of risk management strategies during the COVID-19 pandemic and ongoing supply chain disruptions, and will continue to do so as companies plan for the future. The stakes are high: An infrastructure failure can cost an average of $100,000 per hour, and a critical application failure can cost between $500,000 and $1 million per hour.[1]

In the evolving insurance market, many companies are seeking ways to take control of their insurance program. Having a strong BCM strategy can help. Companies can take a three-pronged approach: 



  • Sharing information with carriers
  • Conducting a vendor resiliency analysis
  • Assessing company agility



Sharing information with carriers

Carriers are increasingly encouraging insureds to share their own BCM plans as part of the underwriting process. Sharing your BCM plan with your insurer is not a requirement; however, many insurance carriers are “significantly encouraging” insureds to do so.

Underwriters are looking for evidence that you have taken the planning steps necessary to protect your business operations, including against growing cyber risks. In the current hard market, some carriers are even asking to see copies of the plan. Business continuity leaders recommend thinking of your BCM plan as operational intellectual property, and risk managers should be cautious about sharing details in their entirety outside the organization—even with your underwriter.

If your underwriter asks to see your BCM plan, be general in your response. Alert the carrier that you have a business continuity management program in place, which consists of such elements as an emergency response plan, crisis management plan, IT disaster recovery plan, etc.; that you have identified critical processes and the resources surrounding them; and that you have exercised them over time. You can also seek out standards set forth by organizations such as the Business Continuity Institute to solidify your plans.


Conducting a vendor resiliency analysis

Successful organizations are also requesting BCM plans from their vendors as a best practice to better understand their suppliers’ resiliency and to also move risk upstream. Alerting your carrier that you have reviewed vendor BCM plans will also strengthen your position at renewal time.

It’s important that risk managers know what their supply chain risks are, to gauge how resilient their suppliers are and to ensure that a supplier’s problems don’t cascade onto the business and threaten its operations. To figure out your risks, conduct a vendor resiliency analysis of your key vendors—any supplier whose missed commitments might cause the organization to not achieve a stakeholder’s significant expectation, or who is crucial to recovering from a crisis event.

To start, make sure you’re not dependent on any one third-party vendor—if that’s the case, have a conversation with leadership and ensure it’s a conscious decision that fits within the company’s overall risk appetite and business strategy.

Next, ask your suppliers what they’ve done to identify risk and quantify impact to their business in these four areas of BCM: emergency response, crisis management, business unit continuity and IT recovery.

  • Emergency response. Have they planned a coordinated, effective and timely response to an emergency? The goal is to avoid or minimize injury to personnel and damage to company assets.
  • Crisis management. Have they determined their strategies to manage an event, including the internal and external communications necessary to protect corporate reputation and brand image?
  • Business unit continuity. Have they made necessary preparations to identify the impact of potential business interruptions? These include formulating recovery strategies, developing business continuity plans and administering a training, exercise and maintenance process.
  • IT disaster recovery. Have they listed the technological tenets of their business continuity program, with a focus on restoration, possibly at an alternate location, of data center services and computing capabilities?

Then, ask what they will do to support your company in the event of a crisis, through an increase or decrease in materials, service or information. No matter which response you receive, you’ll gain important information about the vendor’s operational well-being.

Throughout the conversation, take time to collect critical information, from emergency contacts to how your business fits within their overall customer hierarchy: are you the top customer, or further down the line? Knowing these details will help inform action plans when issues arise.


Assessing company agility

Companies should also assess their own BCM plans’ agility to test their own resiliency in the event of a disruption. Business continuity leaders recommend auditing your own strategies, structures and processes to find out how ready—or not ready—your business is to adapt to change in the event of a crisis or loss of vendor support. The goal is to protect the five key variables at risk if an event occurs: operations, finance, customer service, brand reputation, and regulatory compliance.

  • Audit your strategy: What are you trying to accomplish, and how will your crisis response align with the core company mission?
  • Audit your structure: What are the resources you’ll need if an event occurs? How will you recover, and in what order? Do you have a clear, flat structure, role accountability and hands-on governance?
  • Audit your processes: Can you iterate rapidly, is your technology up to date, do you have a standardized way of working and do you promote continuous learning?

A well-documented BCM plan should include recovery solutions based on loss of facility, loss of IT (corporate and/or local), loss of key personnel, and loss of key vendors/suppliers.


Developing a full BCM plan, and making a vendor resiliency analysis a priority, will help ensure that a vendor’s downstream problems don’t become your problems as well. In this current market, a strong, resilient and adaptable supply chain is imperative for business survival and growth.

[1] Adapt and respond to risks with a business continuity plan