Threat vs Activity-Based Approaches
Business Continuity Planning (BCP) ensures that organisations can operate through and recover from disruptions. Unlike emergency planning, which focuses on immediate response, BCP takes a longer-term view, ensuring that essential functions can continue in the face of disruptions.
For organisations of all sizes, whether in healthcare, manufacturing, retail, public services, or technology, there are two main approaches to structuring a BCM process: the Threat-Based Approach and the Activity-Based Approach. Each has its strengths and challenges; in many cases, a hybrid approach is the most effective. DEDICO has worked with our clients on developing the strategy that is just right for their situation, and below, you will find our best practice guidance for how to organise your own BCM. If you need help, we are available!
1. Threat-Based Approach: Preparing for Common Disruptions
This method identifies major risks that could affect multiple operations and develops response plans for different activities.
Key Steps
Identify common disruptions that impact various sectors, such as:
Technology failures (e.g., IT system outages affecting hospital patient records, financial transactions, or airline booking systems)
Power and infrastructure disruptions (e.g., electricity failures stopping public transport, disrupting manufacturing processes, or affecting food storage facilities)
Supply chain issues (e.g., delays in raw materials affecting pharmaceutical production, vehicle manufacturing, or supermarket stock)
Extreme weather events (e.g., storms disrupting logistics, heatwaves affecting power grids, or floods impacting agriculture)
Workforce disruptions (e.g., industrial action delaying essential services, health crises reducing staff availability in hospitals, or talent shortages in technology)
Cybersecurity threats (e.g., ransomware attacks on government databases, hacking of retail payment systems, or data breaches in healthcare)
Health & safety risks (e.g., contamination in food production, hazardous material leaks in industrial settings, or security threats at public events)
Map these risks to various operational functions:
For example, a cybersecurity attack could affect hospitals, financial institutions, online retail, and government records, but each sector would experience different consequences.
Instead of creating separate continuity plans for every department, organisations can develop a centralised cybersecurity response plan with sector-specific adaptations.
Advantages
Efficiency, Reduces redundancy by addressing shared risks with a unified approach.
Scalability, Ensures focus on major risks rather than trying to cover every possible scenario.
Limitations
May overlook unique risks that affect only specific functions.
Can make it harder to prioritise recovery efforts for different activities.
2. Activity-Based Approach: Protecting Critical Functions
This approach ensures that key activities can continue during and after a disruption, regardless of the cause.
Key Steps
Identify the most essential activities, such as:
Healthcare services (e.g., emergency medical care, surgical procedures, pharmacy operations)
Transport & logistics (e.g., air travel, cargo transport, urban public transport)
Retail & service industries (e.g., e-commerce platforms, supply chain management, customer support)
Manufacturing & production (e.g., food processing, pharmaceutical manufacturing, industrial production lines)
Public services & utilities (e.g., emergency response, energy distribution, water supply management)
Conduct a Business Impact Analysis (BIA) for each activity:
What resources are required to keep this function running?
What are the biggest threats specific to this activity?
How long can this function be disrupted before serious consequences occur?
Develop continuity plans for specific threats to each activity.
For example, in public transport systems:
Key risks might include mechanical failures, severe weather, or IT network disruptions affecting traffic control systems.
A continuity plan should include alternative transport routes, backup communication systems, and emergency staffing protocols.
Advantages
Ensures detailed recovery plans tailored to specific operational needs.
Makes it easier to prioritise response efforts based on the criticality of each function.
Limitations
Some risks (e.g., IT failures) affect multiple areas, leading to redundant plans.
Requires more resources, as separate plans need to be created for different functions.
3. The Hybrid Approach: Combining Both Methods
For large or complex organisations, the most effective strategy is often a hybrid model that incorporates both approaches:
Step 1: Use the Activity-Based Approach to identify the most critical functions (e.g., patient care in hospitals, online order fulfilment in e-commerce, production lines in manufacturing).
Step 2: Apply the Threat-Based Approach to group common threats (e.g., cybersecurity breaches, natural disasters, IT failures) that affect multiple areas.
This creates a structured yet flexible approach, ensuring both general risks and specific operational needs are covered efficiently.
Choosing the Right Approach
The best BCP strategy depends on an organisation's size, complexity, and sector.
Smaller organisations with fewer interdependent functions may benefit from a threat-based approach, focusing on shared risks.
Larger, diverse operations often require an activity-based approach, ensuring continuity in key functions.
Most organisations find that a hybrid approach provides the best balance, ensuring that essential operations continue with minimal disruption while avoiding unnecessary duplication of effort.
By integrating both methods, organisations can build stronger resilience, reduce risk, and improve their ability to adapt to disruptions, ensuring stability across industries and sectors.
DEDICO works with a variety of Irish based clients on Business Continuity Planning and Management. Our Business Continuity programmes are always tailored to your organisation's needs, not generic, off-the-shelf, one-size-fits-all. Reach out to us today.
Frequently asked questions
What is the difference between threat-based and activity-based BCP?
Threat-based plans for major shared risks across functions; activity-based plans for keeping each critical function running regardless of cause.
Which is best for SMEs?
Smaller organisations often benefit from a threat-based approach. Larger or more diverse operations usually need a hybrid model.