Risk‑based vs service‑based continuity planning: focus on survival, not paperwork

Posted by: Inoni – Dec 04, 2025

When we talk about business continuity, the point isn’t to keep every individual service running on paper. The point is to keep the business alive when something big goes wrong. That distinction is exactly where risk‑based continuity planning outperforms the traditional service‑based approach.

Service‑based planning can look thorough: every service gets a Business Impact Analysis (BIA), every service gets a plan, and the binder gets heavier. But in practice, it often becomes too big, too slow, and too fragmented to help when you need it most.

A risk‑based approach starts with the scenarios that could stop you operating and builds coordinated responses around them. That is closer to how crises unfold in the real world—across teams, sites, suppliers, systems and customers—not inside isolated services.

Definitions that matter

Service‑based continuity planning

  • Starts from a catalogue of services or functions.
  • Runs a BIA for each and writes a plan per service.
  • Optimises service recovery in isolation.

Risk‑based continuity planning

  • Starts from the major risks and disruption scenarios that could threaten survival.
  • Identifies the minimum viable business outcomes and the critical activities that enable them.
  • Designs coordinated, cross‑functional playbooks to protect those outcomes under stress.

Those different starting points lead to very different programmes.

The problem with service‑based planning

If you’re a knowledge‑centric or professional services firm, a service‑led view can feel natural: people + IT are your main dependencies. But even there, service‑based planning tends to:

  • Inflate scope and cost
    Every service gets equal attention, regardless of its impact on survival. SMEs and mid‑sized organisations end up with dozens of plans and little confidence that they’ll work together.

  • Fragment the response
    In a real incident—cyber, utility outage, supply chain failure—service owners reach for their individual plans. Those plans rarely share assumptions, dependencies, priorities or communications. You get overlap, gaps and conflicting decisions.

  • Answer the wrong question
    “How do we keep each service running?” is not the same as “How do we keep operating?” You can perfectly recover a non‑critical service and still be unable to ship, invoice or meet regulatory obligations.

None of that means service plans are useless. It means they’re incomplete without scenario‑level coordination and prioritisation.

Why risk‑based planning trumps

A risk‑based programme makes the business the unit of analysis, not the service. It:

  • Prioritises survival
    Focuses on the outcomes you must protect (customers served, orders shipped, safety maintained, compliance met) and the minimum level of operation you can tolerate.

  • Concentrates effort
    Puts time and money into the scenarios that would materially hurt you—loss of site, cyber incident, critical supplier outage, prolonged IT recovery, utility failure, regulatory intervention.

  • Coordinates the whole response
    Establishes clear decision rights, communications, workarounds and resource allocation across departments, sites and suppliers for each scenario.

  • Reflects modern dependencies
    People and IT matter everywhere, but the mix changes. Manufacturing and logistics add physical plant, materials, maintenance, quality, OT/ICS and transport. A scenario lens captures those interdependencies in a way service silos can’t.

Don’t forget the operational reality: manufacturing is different

For manufacturers, service‑based planning is especially weak because physical and supply chain dependencies dominate.

  • Loss of a single site can stop production, quality control, warehousing and distribution simultaneously. You need relocation, subcontracting, alternative routing and customer prioritisation—none of which live inside one service plan.

  • Supplier fragility matters. A Tier‑2 raw material issue or a packaging shortage can halt multiple lines. Scenario playbooks must include approved substitutes, expedited qualification, and customer communication.

  • OT and ICS introduce specific risks. A cyber incident affecting PLCs or HMIs isn’t just an IT problem; it’s a safety, quality and throughput issue. Coordinated plans must span IT, engineering, production, EHS and compliance.

Risk‑based planning fits these realities because it models how disruptions actually propagate.

Risk‑based planning and insurance assurance

Another reason risk‑based continuity planning is gaining traction: insurers care about scenarios, not silos. When underwriting business interruption or cyber policies, insurers want confidence that you can respond effectively to the events most likely to cause a claim—such as a ransomware attack, a major fire, or a supply chain failure.

Service‑based planning struggles here because:

  • It produces isolated plans that don’t show how the organisation will coordinate under stress.
  • It rarely demonstrates readiness for the insurer’s own “worst-case” scenarios.

Risk‑based planning, on the other hand:

  • Aligns directly with insurer expectations by focusing on high-impact incidents.
  • Provides clear, scenario-driven playbooks that show decision-making, communication, and recovery priorities.
  • Makes it easier to evidence resilience during renewal or claims handling.

If you need to prove continuity capability to insurers, risk-based planning is the smarter, leaner, and more credible approach.

What a risk‑based programme looks like

  1. Establish your minimum viable business outcomes
    Define the outcomes you must preserve under stress (ship X priority orders per day, maintain patient safety, meet mandatory reporting). Identify the maximum tolerable period of disruption for each.

  2. Identify your top scenarios
    Use risk assessment to select the events most likely to threaten those outcomes: cyber incident, loss of building, supplier failure, utility outage, major absenteeism, transport disruption, regulatory suspension.

  3. Map critical activities and dependencies
    For each outcome, list the activities that enable it and the people, sites, systems, data, equipment and suppliers those activities rely on.

  4. Design scenario playbooks
    Create concise, cross‑functional playbooks that set decision-making structure, communications, workarounds, resource allocation and external engagement for each scenario.

  5. Build workarounds and tolerances
    Document manual or alternative processes (e.g., paper pick lists, offline QA checks, telephony failover), and define clear recovery time and data loss tolerances (RTO/RPO) aligned to the outcomes.

  6. Exercise and refine
    Tabletop and functional exercises to validate assumptions, train teams, and continuously improve. Measure time to decision, time to minimum viable operation, and customer impact.

  7. Govern and maintain
    Keep the programme lean: update high‑impact scenarios, retire unused artefacts, and align supplier and IT recovery commitments with business tolerances.

Conclusion

Service‑based continuity planning puts effort into every service, whether or not it matters in a crisis. Risk‑based planning concentrates your time and money where survival depends on it, and it gives you the cross‑functional coordination that real incidents demand. For knowledge‑centric organisations, it keeps things lean and effective. For manufacturers and other operational businesses, it’s the only way to capture the complexity of sites, supply chains and OT. And if you need to demonstrate resilience to insurers, risk-based planning is the approach that speaks their language.

If you’re drowning in service plans, start small: pick the five scenarios most likely to stop you operating, write one‑page playbooks for each, and exercise them. You’ll get more resilience, faster—and your teams will thank you when it matters.

 

Find out about our BCP services