Business Continuity Planning: Assess Risks and Define Critical Functions

Business Continuity Planning: Assess Risks and Define Critical Functions

In December, I wrote a general article on business continuity, what it is, and the 10 steps to complete a business continuity plan. (Read full article here).

I want to begin 2014 by going into more details and explain these steps a little bit further, but first let's recap what Business Continuity is...It is an"ongoing management-level process to ensure that necessary steps are regularly taken to identify probable accidents, disasters, emergencies, and/or threats."

As mentioned previously, Agility Recovery has outlined 10 business continuity steps.  I will discuss the first two steps today.

1. Assess your risks – both internally and externally.

The first step is to conduct a risk assessment and identify potential hazards that could disrupt your business.  Last October, I wrote an article on using the Threat and Hazard Identification and Risk Assessment (THIRA).  THIRA is a four-step hazard and risk assessment tool that can be used to begin your business continuity and emergency planning process.  Using a risk assessment like THIRA will help you assess and identify the potential issues that could disrupt your daily operations and help you identify ways to reduce risks associated with those threats/hazards.  I also mentioned that this fiscal year each healthcare coalition in the state of Illinois, who received funding for emergency preparedness under the Public Health Emergency Preparedness Grant, Healthcare Preparedness Program, or Cities Readiness Initiative from the Illinois Department of Public Health (IDPH) or Chicago Department of Public Health, will need to complete a THIRA report to continue receiving grant funding.

Now, let's take a look at the four steps of the THIRA process (

1. Identify Threats and Hazards of Concern:  Based on a combination of experience, forecasting, subject matter expertise, and other available resources, identify a list of the threats and hazards of primary concern to the community.

2. Give the Threats and Hazards Context:  Describe the threats and hazards of concern, showing how they may affect the community.

3. Establish Capability Targets:  Assess each threat and hazard in context to develop a specific capability target for each core capability identified in the National Preparedness Goal.  The capability target defines success for the capability.

4. Apply the Results:  For each core capability, estimate the resources required to achieve the capability targets through the use of community assets and mutual aid, while also considering preparedness activities, including mitigation opportunities.


2. Define & Document your critical business functions.
Next, you’ll perform a business impact analysis (BIA) to gauge the operational and financial impact of each potential risk.  If you go to the website, it explains that a "business impact analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies."  To begin this process, you will start with BIA questionnaire and then write a report on it.

BIA Questionnaire
To gain the proper input about business services and functions, use this questionnaire with core staff and then spread it out to departments and divisions for input on the questionnaire.  You can survey those with detailed knowledge of how the business provides its services and ask them to identify the potential impacts if the business function or process that they are responsible for is interrupted.  The BIA should also identify the critical business processes and resources needed for the business to continue to function at different levels.

BIA Report
When you write a BIA report, be sure to include and document your findings on the potential impacts found by your staff in your BIA questionnaire and discussions on disruption of business functions and services.  Provide the scenarios that would result in significant business interruption, and try to include, to the best of your ability, the financial impact of this interruptions.  These costs should be compared with the costs for possible recovery strategies.  The next step in your report is to prioritize your findings and the order of events for recovery and restoration of the business.  Business processes with the greatest operational and financial impacts should be restored first.

The website further explains that, "Identifying and evaluating the impact of disasters on business provides the basis for investment in recovery strategies, as well as investment in prevention and mitigation strategies."

Impacts to Consider: (As posted on

  • Lost sales and income
  • Delayed sales or income
  • Increased expenses (e.g., overtime labor, outsourcing, expediting costs, etc.)
  • Regulatory fines
  • Contractual penalties or loss of contractual bonuses
  • Customer dissatisfaction or defection
  • Delay of new business plans

Recovery Strategies:
Recovery strategies require resources, including people, facilities, equipment, materials, and information technology.  An analysis of the resources required to execute recovery strategies should be conducted to identify gaps.

Strategies May Involve:

  • Contracting with third parties
  • Entering into partnership or reciprocal agreements called Memorandum of Understanding (MOU).  MOUs should be negotiated in writing and documented in the business continuity plan, and they need a periodic review to determine if there is a change in the ability of each party to support the other.
  • Displacing other activities within the company
  • Limiting services
  • Relocation of operations to an alternate site, assuming both are not impacted by the same incident.
  • Telecommuting is a strategy employed when staff can work from home through remote connectivity.  It can be used in combination with other strategies to reduce alternate site requirements.
  • Use alternate space within the building, such as the cafeteria, conference rooms, and training rooms.

Investment in Prevention Strategies:
Yes, your place of business can make investments in prevention to reduce the frequency of or even avoid many hazards, such as fire and hazardous spills.  To reduce criminal activity, you will need to use deterrence as a strategy.

  • Have clear lines of sight and lighting around the building's perimeter.
  • Utilize security measures at all entrances (e.g., locked employee-only entrances, security cameras, gatekeepers at public entrances with access to emergency-assist measures, etc.).
  • Screen all visitors, contractors, employees, and packages to ensure a good security program.
  • Have a properly designed and installed intrusion detection system.
  • Teach all employees that Security begins with them.  Consider providing basic training for all employees, so they know how they can contribute to a secure workplace.
  • Include cyber or information security to be a part of the security program.
  • Install antivirus and anti-spyware software, and maintain strong firewalls for essential protection of network and information security.
  • Keep computers updated with the latest operating system and application “patches” as part of the cyber security program.
  • Realize that natural hazards, such as flooding, tornadoes, and earthquakes cannot be prevented, but there are still opportunities to reduce damage from natural hazards called mitigation.

Mitigation Strategies:
Mitigation covers efforts taken to reduce either the probability or consequences of a threat.  These may range from physical measures (protective fences) to financial measures (stockpiling cash, insurance).  Hazards, accidents, and intentional acts that were not deterred can result in property damage and business disruptions.  If you plan and use mitigation strategies, the effect of those impacts could be reduced.

  • Consider site selection.  Selecting a building site that is not subject to flood, storm surge, significant ground shaking from earthquakes, or in proximity to hazardous facilities is a first consideration.  Building construction should meet applicable building codes that include requirements for fire protection and life safety.
  • Determine high-valued assets to determine the most appropriate protection in accordance with national standards.  Computer network security should be evaluated to determine whether electronic information is secure.
  • Provide uninterrupted power supplies (UPS) and an emergency standby generator for critical equipment.
  • Develop a business continuity plan with recovery strategies.
  • Research applicable fire prevention regulations, national standards, and best practices to identify mitigation opportunities and requirements.
  • Confer with your insurance agent to determine if they provide consultation services to assist with the development of customized protection specifications for a new or renovated facility.
  • Get proper insurance!  Insurance is Financial Risk Mitigation.
  • Losses caused by flood, earthquake, terrorism, or pollution may not be covered by standard property insurance policies.
  • Flood insurance coverage for a facility located within a flood zone may be purchased through the National Flood Insurance Program.
  • Earthquake, terrorism, and pollution coverage may be purchased separately or as an endorsement to an existing policy.
  • Coverage for other hazards such as mold may be provided as part of the basic property insurance, but the amount of loss payable under the policy may be limited.

In conclusion, taking the time to work on each of the steps with your coalition members is vital as you will be going through the process together, therefore allowing your continuity plan to be streamlined and cohesive.  Conducting a hazard and risk assessment allows you to know upfront what your vulnerabilities are and possible impacts they could have on your business and response capabilities.  Determining critical business functions allows you to prioritize and develop recovery strategies.  Both of these steps equip your coalition with more knowledge about your business and community, enabling it to have the background and history to move forward and develop effective response and recovery strategies.  Concrete strategies enable the coalition to respond, when needed the most, during a disaster.  As with any planning, this takes time, but it is essential to know where you start from and what could be coming your way.

Tsoetsy Harris, MPH, MEP

Tsoetsy Harris, MPH, MEP

Independent Consultant

Recent Post

Related Post


we're on a mission

In all we do, we seek to reduce human suffering and loss of life caused by disasters.

We get it done by connecting the preparedness efforts of healthcare organizations, emergency management agencies, and public health departments through effective, financially self-sustaining healthcare coalitions.

Yes, we believe healthcare coalitions are the path forward.

Karl Schmitt, Passionate Founder & CEO, bParati

Karl SchmittPassionate Founder & CEO

(217) 953-0843
600 Wind Meadow Drive
Chatham, IL  62629

send message
bParati eNews logo
bParati logo

600 Wind Meadow Dr, Chatham, IL 62629 | (217) 622-0915 | Send Us A Message Here