One of the most widespread trends in business continuity is for practitioners to focus more on checking off boxes than improving recoverability. A new vision of BC centered on identifying and reducing risk could bring tremendous gains in continuity, practitioner satisfaction, and management support.
Summary
- Many BC programs drift into “check-the-box” work that shows activity but does not improve recoverability.
- A risk-reduction mindset reframes BC around one goal: identifying exposure and bringing it down.
- This shift sharpens BIAs, TRAs, standards, plans, and exercises by forcing follow-through and prioritization.
- It also helps management see impact (risks reduced) instead of effort (tasks completed).
A Check-the-Box Approach to Continuity
One of the privileges of being a business continuity consultant is the opportunity it provides to see the inner workings of BC at organizations of all types and sizes. This has enabled MHA’s consultants to identify a pervasive trend in the BC programs of companies today.
The most common approach to BC is what you might call a check-the-box approach. Many companies recognize that there is a growing expectation from their stakeholders and others that they take steps to protect themselves from disruptions. But their hearts aren’t in it.
The BC practitioners at these organizations, perceiving a lack of full support, tend to take a minimalist approach to program execution. This might mean performing the occasional BIA, developing only critical plans and strategies, and conducting an annual tabletop exercise (often using the same scenario every year). Once these things are done, the BC staff can safely conclude they have done all that is expected of them.
This approach to continuity does not functionally protect the organization, is demoralizing for the practitioner, and does little to win management support or respect for BC activities.
Moving Toward a Focus on Reducing Risk
In recent months, CEO Michael Herrera and the rest of MHA’s BC experts have been converging on a new vision for BC professionals. We’ve begun encouraging the practitioners we work with to discard any view they might have of themselves as people whose job is to perform a certain slate of activities and check them off as they go. We want them to think of themselves as being guided by the single mission of identifying the risks facing their organizations and reducing them.
That’s the whole job: risk reducer.
This description is simple and easy to understand. It offers wide scope for individual initiative and creativity. It is also comprehensive, including everything BC has always been and should be. As a significant bonus, it delivers benefits that are likely to be readily understood and valued by management and the business departments.
A BC practitioner who views himself or herself as a risk reducer will take a unique approach. They will constantly be identifying and toting up the risks the organization faces and seeking to reduce them. They will reflexively assess risks based on the likelihood of their occurrence and the severity of the impact if they did occur. They will habitually evaluate every proposed BC activity and investment in light of these goals.
They will soon learn to differentiate between activity that is performed out of habit and activity that actively reduces risk—and specialize in the latter.
For practitioners to think of their main job as reducing risk is not a new methodology for doing BC. However, it might be considered a new vision. It’s an approach that has the potential to sharpen the performance of traditional BC activities, making them more pointed and effective. It also makes them more fulfilling to carry out.
What the New Mindset Means in Practice
Let’s look at how focusing on risk reduction alters the way we approach three core elements of traditional BC methodology.
Business Impact Analyses (BIAs)
The BIA remains foundational. It is a critical tool for understanding which business functions matter most, how quickly they need to be recovered, and what dependencies support them. However, the risk reduction mindset makes an important distinction. It recognizes that a BIA by itself is just data. Simply having a BIA does not reduce risk any more than knowing you don’t have a spare tire prevents a flat. For a risk-focused practitioner, the BIA is only a beginning. Risk is reduced and true progress made only when the BIA’s findings are acted upon. The risk-minded BC professional is strongly motivated to follow through in this way.
Threat and Risk Assessments (TRAs)
Many BC programs treat risk assessment as a secondary activity. Under a risk reduction mindset, the TRA is a partner with the BIA. The TRA should be updated, if not every year, then on a cadence that reflects the pace of change in the organization and industry. A meaningful TRA looks beyond generic scenarios and examines real exposures, including single points of failure, operational vulnerabilities, and technology risks. It also extends into capability, asking questions such as whether staff are adequately trained on recovery procedures. A risk-focused approach treats these matters as central. The TRA assesses threats based on likelihood and severity of impact and becomes a starting point for reducing the most salient risks.
Business Continuity Standards
BC standards remain as important as ever. The benefit of looking at them from the point of view of risk reduction is that it reveals their meaning and purpose. Standards typically outline a set of required activities, but they do not determine the depth, rigor, or effectiveness with which those activities are carried out. When guided by a risk reduction mindset, standards become more than a compliance exercise. They become a framework for action, helping practitioners understand why each element matters and how it contributes to reducing exposure.
Plans and Exercises
Plans and exercises are created with the same view in mind. Risk-minded practitioners ask questions such as: What strategies and exercises will prepare the organization for outage or crisis events? Which will best reduce the risk and minimize the impact on operational activities? Exercises crafted with a view toward reducing risk share a few common traits. They ensure that proper preparation exists and that the needed steps have not just been noted in plans but have been practiced by the people who would need to perform them in an event.
In each of these areas, a shift toward a risk reduction approach identifies their best use and real purpose.
An Approach That Resonates with Management and Practitioners
Another advantage of focusing on risk reduction is that it changes how BC programs are understood and valued, both by management and by the practitioners themselves.
One of the persistent challenges in BC is demonstrating value to senior leadership. Too often, practitioners report metrics that describe effort, not impact, such as the number of BIAs conducted. A risk reduction mindset shifts the conversation, allowing practitioners to talk about risks identified and reduced. This is the sort of practical benefit managers appreciate. Programs that can claim such results are more likely to earn leaders’ respect and support.
Just as importantly, this approach improves the experience of the practitioners doing the work. A check-the-box approach to BC tends to be dull and demoralizing. A focus on risk reduction creates space for judgment, initiative, and creativity.
Practitioners intent on reducing risk naturally roam widely in identifying risks and thinking up ways of bringing them down. Guided by the north star of their goal of reducing risk, they can proceed confidently in such activities as finding novel ways of obtaining information needed for the BIA, devising better exercises, and addressing single points of failure.
Instead of being people who check off boxes, risk-minded BC practitioners are the captains of their own ship. For many practitioners, this shift brings a greater sense of purpose and fulfillment.
From Check-the-Box to Meaningful Risk Reduction
Too many business continuity programs today are defined by a check-the-box mentality. By shifting the focus from completing tasks to actively identifying and reducing risk, organizations can make their BC efforts more meaningful, more effective, and more closely aligned with real-world needs.
This change in mindset strengthens rather than replaces traditional BC practices such as BIAs, TRAs, and standards. At the same time, this approach enables more productive conversations with management and creates a more engaging and rewarding role for practitioners.
Organizations that want to move beyond a check-the-box approach and build BC programs that deliver measurable risk reduction do not have to do so on their own. MHA Consulting helps clients rethink, refine, and strengthen their continuity programs to better address real-world risks. Contact MHA to learn how we can help you put this vision into practice.
Risk Reduction - Frequently Asked Questions
In the view of MHA Consulting, what is the most prevalent approach to business continuity today and why is it inadequate?
MHA observes that many organizations take a check-the-box approach to business continuity. Practitioners complete expected activities—such as BIAs, plan updates, and annual exercises—and consider the job done. This is inadequate because it emphasizes activity over impact; risks may be identified, but they are not consistently addressed, leaving the organization exposed despite the appearance of preparedness.
What does MHA recommend as a new vision for BC?
MHA recommends that BC practitioners adopt a simple but powerful new vision: to see their role as identifying and reducing risk. Rather than focusing on completing a predefined set of tasks, practitioners should orient their work around understanding the risks facing the organization and taking practical steps to reduce them.
How does having a risk reduction mindset change one’s approach to business continuity?
A risk reduction mindset shifts the focus from performing activities to achieving outcomes. Practitioners continually assess risks based on likelihood and impact and evaluate BC efforts in terms of how effectively they reduce exposure. This leads to more deliberate decision-making, greater prioritization of high-impact issues, and a clearer distinction between routine activity and work that produces meaningful improvements in resilience.
How does prioritizing risk reduction affect the practice of such traditional BC activities as doing BIAs and TRAs and implementing standards?
It sharpens their purpose and use. BIAs are no longer seen as deliverables, but as starting points for identifying and addressing vulnerabilities. TRAs take on a more central role, helping practitioners focus on the most significant and relevant risks. Standards remain important, but are treated as a baseline rather than the end goal, guiding action without limiting the depth or effectiveness of the program.
How does switching to a risk reduction mindset tend to affect a BC practitioner’s relationship with management?
It usually improves it. When practitioners can point to specific risks that have been identified and reduced, they are speaking in terms that management understands and values. This moves the conversation beyond reporting on completed activities to demonstrating tangible business impact. As a result, BC programs are more likely to gain credibility, earn support, and be seen as contributing directly to organizational resilience.
Richard Long
Richard Long is one of MHA’s practice team leaders for Technology and Disaster Recovery related engagements. He has been responsible for the successful execution of MHA business continuity and disaster recovery engagements in industries such as Energy & Utilities, Government Services, Healthcare, Insurance, Risk Management, Travel & Entertainment, Consumer Products, and Education. Prior to joining MHA, Richard held Senior IT Director positions at PetSmart (NASDAQ: PETM) and Avnet, Inc. (NYSE: AVT) and has been a senior leader across all disciplines of IT. He has successfully led international and domestic disaster recovery, technology assessment, crisis management and risk mitigation engagements.