Business Continuity Planning Part 2: Vulnerability Risk Assessment

As discussed in “Business Continuity Planning Part 1: Managing Risk by Developing a Business Continuity Plan,” the difference between a failing business and a company of great value that survives for generations is often the ability to plan for, adapt to, and survive the unexpected. Business Continuity Planning (“BCP”) is the process of creating a system of prevention and recovery from potential interruptions and other threats to an organization.


As discussed in Part 1, the first step in Business Continuity Planning is to form the BCP Team, create the Mission, and draft the Policy. The next step is to conduct a vulnerability risk assessment. That is, to:

  • Analyze the probability of particular emergencies the company is vulnerable to; and then,
  • Prioritize those emergencies most likely to occur or most likely to result in an interruption, compared against more remote or improbable emergencies or those most likely to represent minor inconveniences.

This is done by conducting a Vulnerability Risk Assessment. Part of such analyses should include the potential for human impact, including the possibility of death or injury, as well as the possibility for contractual delays or other impacts affecting contractual performance.

To begin assessing risk, the BCP Team should identify mission-critical products, services, relationships, and operations – e.g., what the company does to create revenue and earn a profit; customers relied upon; equipment and materials required; relationships with and dependency on suppliers; reliance on utilities or third-party service providers; and more. From there, the Team should assess the relative vulnerabilities of such mission-critical functions. For more specific examples of how this can be done, contact the author.


Protecting the lives, health and safety of employees, as well as other onsite personnel and those involved with ongoing operations, should be of paramount concern – but particularly during an emergency or business interruption event. The Life Safety aspect of any Vulnerability Assessment should align with policies and instructions related to topics such as evacuation procedures and routes, jobsite security (including stored materials and equipment), personnel accountability, designated meeting places and shelters, and all other forms of preparedness during an emergency situation or other interruption event.

The Vulnerability Assessment should also consider potential Financial Vulnerabilities, such as costs to repair or replace damaged or stolen materials or equipment, as well as legal fees or other types of costs that may be incurred as a result of an emergency. Attention should also be paid to bill paying and payment requests, as well as employee payroll systems, to avoid missing payment obligations during a crisis.

Contractual Vulnerability must be assessed due to the impact an interruption may have on performance obligations. A company should become familiar with performance deadlines; change request and time extension requirements; cost- or liability-shifting provisions, such as “no damage for delay” clauses, indemnities, liquidated damages, and liability caps; and any other contractual agreement that may shift cost or liability obligations in the wake of an emergency or other interruption. The Team should pay particular attention to excuse for non-performance provisions, including force majeure, recognizing that many emergencies and interruptions may not be included in the contract language.

The BCP Team should also assess particular vulnerabilities to a variety of property types and locations. Such Property Vulnerability assessments should include a review of applicable insurance policies providing coverage for various business and real property, whether there are specific project policies in place, and whether important business property can be relocated or secured during interruption events. Assessments for whether certain business property is able to be repaired or easily replaced, and whether temporary property replacements can be readily accommodated, should also be considered.


The key elements within a Vulnerability Assessment should include:

  • Identification of revenue-generating functions (mission-critical products, services, relationships, and operations)
  • Assessed relative vulnerabilities to risk for each function, including:
    • Life Safety
    • Financial and Contractual
    • Business and Real Property

The list provided in this section is only representative. Every business is different and vulnerabilities other than those presented here may need to be assessed. Every aspect of a business responsible for revenue creation and overall profitability should be analyzed for specific vulnerabilities.

It is strongly recommended that companies interested in developing a Business Continuity Plan consult with licensed legal counsel, an HR consultant, and/or an insurance professional to thoroughly analyze their business organization’s susceptibility to interruptions, and to put together a thorough and specific Business Continuity Plan that complies with applicable regulatory or other legal requirements. If you have particular questions on how to assess vulnerabilities not covered in this section, or on analyzing whether a function is critical to the ongoing viability of the business, contact Shutts attorney Michael C. Kelley or a local insurance professional experienced in BCP methodologies and the typical insurance coverages available in your industry. In most cases, Business Continuity Planning should be conducted in conjunction with an overall threat assessment, as well as the procurement of various types of insurance coverages, such as business interruption insurance, which will be discussed in this series.

This is the second of a multi-part series of blog posts which will introduce the concept of Business Continuity Planning and explain the elements that go into making a typical Business Continuity Plan. This series will focus on:

  • The Fundamental Elements of a Business Continuity Plan (Part 1);
  • Vulnerability Risk Assessments;
  • Emergency Action Plans;
  • Disaster Recovery Strategies;
  • Business Interruption Insurance; and
  • Useful BCP Checklists.

Shutts & Bowen, established in 1910, is a full-service business law firm with approximately 270 lawyers located in eight offices across Florida.
