As Risks Evolve, Is Your Business Continuity Plan Up to Date?

By Severio Pacini | Published June 05, 2020

The fourth industrial revolution – which includes new technologies that range from artificial intelligence to robotics to the Internet of Things – brings the promise of connecting humans worldwide and solving many business problems. However, that very interconnectedness creates significant risks for businesses and critical infrastructure, and will likely cause long-lasting changes to governments, commerce and society.


A new risk landscape is emerging, in which intangible and interconnected risks present a critical challenge for businesses and the insurance industry. This is why planning for the impact of these new risks, or considering the effect of a minor modification to current exposures, is a crucial foundation for any risk management strategy.


As your business reviews its response to risk this year, be sure to ask one key question: “Is our business continuity plan up to date?” 


Well-documented incidents


Last year, a number of events in Canada demonstrated the importance of having a business continuity plan that adequately assesses current and emerging threats. Take the medical test laboratory LifeLabs cyberattack, which revealed that the privacy of up to 15 million patients had been compromised. If you sit on the board of a company, or are part of the executive management team, this latest attack is yet another reminder that cyber risk needs to be at or towards the top of your business continuity plan agenda. 


Business leaders should ask some hard questions about their company’s cyber preparedness – specifically, whether the control environment is aligned with the level of risk the business believes it has accepted. Unfortunately, many will discover they are not as prepared as they thought.  


Another recent example is the global uncertainty caused by the COVID-19 pandemic. This event has highlighted challenges with the control environment and cyber security, and disrupted numerous businesses and industries.


Business continuity plan objectives


While we can learn from each incident, these events also act as an important reminder – preventing loss is better than being compensated after a loss has occurred.  


To help ensure your business is well prepared for a variety of risks, consider the following questions:


1. Is your business continuity plan current?


This might seem like an obvious question. However, more often than not, business continuity plans are duplicated each year with little thought given to how new exposures might impact what is already in place. 


A business continuity plan should be a living document that is reviewed after any change that could impact it, even if the change is relatively minor. 


The culture around risk within a business plays an important part in the overall success and relevancy of a business continuity plan. Ideally, business leaders should use a business continuity document as they make changes to the business, to ensure they are constantly building in business resilience as part of the development organization. It’s about having fewer hazards, less threats and less loss potential.


2. What technological changes are you making this year, and what is your formal management of change process for this modification?


It’s crucial to think about how any changes you make will impact your overall business resilience and ability to recover from an unplanned outage. However, when it comes to technology and its potential impact on a business continuity plan, you are never really “done”. New technical vulnerabilities are discovered every day, and every business process change can create unintended process or system vulnerabilities. The cyber risk exposure needs to be effectively managed, utilising effective loss prevention techniques with the help of specialist advice. 


3. Within your organization, do you have clear responsibilities and accountabilities?


Minor changes can have a big impact on business continuity planning if you’re not aware of threats or the consequences to your business. We are observing more than ever the need for effective oversight of these challenging risk areas.


Within your organization, does your management of change process effectively identify supply chain changes that could significantly impact the resilience of your business – for example, the merger of two independent suppliers into a single supplier of a key raw material?


With the increased usage of technology, including web interfacing products, does your organization have adequate business resilience in the event of an issue with a technology solution – for example, a synchronized independent backup mirror web system facility? What about the ability to manually process customer orders in the event a technology system has an extended period of unplanned downtime, such as a cyber ransomware attack?


Need more details or assistance in building or updating a business continuity strategy? Our Guidance Notes will provide valuable information and aid in the creation of a plan for your business.



In Canada, products and/or services described are provided by Continental Casualty Company, a CNA property/casualty insurance company. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.

Severio Pacini
Vice President, Risk Control

Severio joined CNA Canada in November 1999 and currently serves as Vice President, Risk Control. He is responsible for leading and executing the Risk Control function of underwriting risk assessments and "value added" customer services to support CNA Canada’s underwriting strategic plans. Prior to joining CNA, Severio held the position of Casualty Manager of Risk Services at Liberty International Underwriters Canada and Manager of the Loss Control/Boiler Inspection departments in Ottawa and Toronto at Chubb Insurance. Severio graduated from Seneca College of Applied Arts and Technology as a fire protection technologist and earned his Certificate of Risk Management (CRM). He is also a Level II Certified Infrared Thermographer (CIRT) and UL Recognized Risk Engineer (RRE).