What does a business continuity consultant actually do?
If you’ve just been handed responsibility for business continuity — perhaps by a client, an insurer, or an auditor who wants to see evidence of a plan — you might not be entirely sure what you’re supposed to do next. You might not even be sure what a business continuity consultant is supposed to do. That’s a perfectly reasonable place to start.
The honest answer is that it depends — not in a vague, non-committal way, but genuinely, because business continuity work varies enormously depending on where an organisation is starting from and what it actually needs.
Most people come to us with a problem, not a brief
In an ideal world, organisations would approach a consultant with a clear brief and a good understanding of what they need. In practice, most of our conversations start somewhere else entirely. Often, someone has been told they need something — by a client who requires it as a condition of doing business, an insurer with new requirements, or an auditor who has flagged the absence of a plan as a finding.
Sometimes people arrive knowing they need “something to do with business continuity” but aren’t sure what that means in practice. Others arrive with very specific ideas that — gently — wouldn’t actually meet the standard or the need they’re trying to address. Part of our job is sorting that out before we put pen to paper.
There are also the organisations that come to us after something has already happened. They’ve had a disruption — a supplier failure, a systems outage, a building they couldn’t access — and the response didn’t go as well as they’d hoped. Those conversations tend to be very focused. They know exactly what went wrong. They want to make sure it doesn’t happen the same way again.
The scope can be a single session or a full programme
One of the things people are often surprised by is how flexible the engagement can be. There’s no minimum order. We’ve run a single tabletop exercise for an organisation that wanted to test their existing arrangements. We’ve also worked with organisations over an extended period to build a business continuity programme from scratch — including conducting a business impact analysis, developing plans, training staff, and preparing them for external certification against ISO 22301.
In between, there’s everything from internal audits and plan reviews to helping an organisation that has an existing plan but suspects — rightly, in most cases — that it wouldn’t hold up if they actually needed it.
Where word-of-mouth brings someone to us, conversations tend to move faster. They’ve usually spoken to someone who has worked with us before and has a clearer sense of what to expect. That’s not a prerequisite — but it does help to know that the relationship tends to be a fairly direct one. We ask a lot of questions. We’d rather spend time at the start understanding what an organisation actually needs than deliver something technically correct that doesn’t work for the people who have to use it.
What we can’t do
It’s worth being honest about this, because it matters. A consultant can build the framework, develop the plans, facilitate the exercises, and provide the expertise. What we cannot do is implement the changes that resilience actually requires inside an organisation.
Cross-training staff so that critical knowledge isn’t held by a single person. Investing in the backup systems or alternative suppliers that a risk assessment has identified. Getting senior leadership to sign off on a plan, and then actually read it. Those things have to happen internally. The projects we’ve seen struggle — not many, but some — have usually been the ones where the organisation was looking for a document rather than a capability. We produce the former, but the goal is always the latter.
What good looks like
The engagements we’re most proud of tend to share a few things in common. The organisation understood that business continuity is an ongoing commitment, not a one-off project. The people involved were genuinely engaged, not just compliant. And when something happened — because sooner or later, something always does — the response was demonstrably better than it would have been.
Getting through an ISO 22301 certification audit with no non-conformities is satisfying. But hearing from a client that they had a crisis and actually knew what to do is better.
If you’ve been handed the BC problem and aren’t sure where to start, the most useful thing we can do is talk. We’re used to starting from scratch — including helping you work out what you actually need before we agree on anything else.
