Uncertainty has become a permanent part of the operating environment for organisations. Disruptions rarely stay contained: they emerge through complex dependencies and spread quickly across functions, systems and teams.
These themes were explored in an expert discussion between Mikko Kinnanen, Founder and CEO of Prosecom and Security and Privacy Specialist, together with Granite’s CEO Teppo Kattilakoski and GRC Consultant Jukka Mäkitalo. The conversation examined business continuity from a practical perspective, focusing on the role of risk management, planning and regular exercising.
What business continuity means in practice
Business continuity starts with understanding your own operations. Before an organisation can prepare for disruptions, it needs to know which processes, systems and people enable the business, and how they are connected.
In practice, this means identifying critical activities and the threats and dependencies related to them.
Teppo Kattilakoski highlights the importance of prioritisation. Not all activities are equally critical, and the core of business continuity lies in focusing attention and resources on what truly matters. This helps avoid situations where time and effort are spent on activities whose disruption would not actually stop the organisation.
Risk management gives direction to business continuity
Business continuity is closely linked to risk management. Risk management identifies threats, deviations and vulnerabilities, while business continuity answers the question of how to act when those risks materialise. Jukka Mäkitalo describes the connection clearly:
“Business continuity prepares for situations where risks are no longer theoretical, but become real disruptions.”
When risks, activities and dependencies are linked together, a clearer overall picture emerges. A single risk may appear minor until it becomes evident that it affects several critical activities at the same time.
Jukka Mäkitalo encourages organisations to visualise dependencies. When it is clear what a specific activity or system is connected to, it becomes easier to understand why certain risks require special attention. This helps focus development efforts where they will have the greatest impact.
The role of regulation was also discussed, particularly in relation to CRA, NIS2 and DORA. According to Mikko Kinnanen, regulation does not in itself make an organisation resilient, but it forces attention on issues that might otherwise be overlooked. When senior management is required to take a position on regulatory requirements, it often creates genuine commitment to improving business continuity.
Resilience is built through practice, not assumptions
Resilience is visible in how an organisation responds to disruptions, including situations that were not precisely anticipated. Jukka Mäkitalo describes resilience as the ability to act in a controlled manner when things do not go according to plan. This capability cannot be achieved through documentation alone.
Teppo Kattilakoski puts it plainly:
“Real business continuity is more about what is done in practice than what is written on paper.”
Exercising turns plans into action. Exercises reveal unclear responsibilities, gaps in preparedness and assumptions that do not hold up when tested. Mikko Kinnanen gives an example where, during an exercise, the operating model related to cyber insurance proved unclear even from the insurer’s perspective. Insights like this only emerge through testing.
“In a real disruption, there is no time left to learn how things work.”
Exercises do not need to be large or involve the entire organisation. A tabletop exercise with the right experts can be enough to highlight key improvement areas and strengthen shared situational awareness.
Good practices and tools for embedding business continuity into everyday work
Identifying and documenting critical activities so they are clearly linked to business objectives
Making dependencies between systems, processes and stakeholders visible
Defining recovery objectives and acceptable downtime for concrete activities
Regularly testing continuity and recovery plans through tabletop exercises and simulations
Documenting gaps identified in exercises and addressing them systematically
Combining risk management and business continuity information into a single view to maintain a clear overall picture
Using tools that support structured work, responsibility management and continuous improvement
Active involvement from senior management, so business continuity is seen as part of organisational capability rather than a separate obligation
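The dependency-mapping point made earlier (a risk that looks minor until it turns out to touch several critical activities at once) and the practice of defining recovery objectives per activity can both be made concrete in a small inventory model. The script below is an added example written for this article; it is not code from the discussion, from Granite or from Prosecom. The organisation, its activities, systems, recovery times and risks are all constructed sample data, and the two calculations it performs (transitive impact of a risk through system dependencies, and a worst-case recovery estimate compared against each activity's recovery objective) are assumptions about how one might model this, not a described method.

```python
from collections import deque

# Constructed sample inventory for a hypothetical organisation.
# Activities are business processes; each names the systems it needs and its
# recovery time objective (RTO) in hours. Systems name the systems they depend
# on and an estimated time to bring them back once their dependencies are up.
ACTIVITIES = {
    "order-intake":         {"critical": True,  "rto_hours": 4,  "depends_on": ["web-shop", "crm"]},
    "invoicing":            {"critical": True,  "rto_hours": 24, "depends_on": ["erp"]},
    "marketing-newsletter": {"critical": False, "rto_hours": 72, "depends_on": ["crm"]},
}

SYSTEMS = {
    "web-shop":          {"recovery_hours": 2,  "depends_on": ["identity-provider", "payment-gateway"]},
    "crm":               {"recovery_hours": 8,  "depends_on": ["identity-provider"]},
    "erp":               {"recovery_hours": 12, "depends_on": ["identity-provider"]},
    "identity-provider": {"recovery_hours": 6,  "depends_on": []},
    "payment-gateway":   {"recovery_hours": 1,  "depends_on": []},
}

# Each risk is modelled by the systems it would take out directly (constructed).
RISKS = {
    "idp-outage":               ["identity-provider"],
    "payment-provider-failure": ["payment-gateway"],
    "erp-ransomware":           ["erp"],
}


def affected_systems(initial):
    """Follow dependencies in reverse: every system that depends (directly or
    transitively) on an unavailable system is treated as unavailable too."""
    seen = set()
    queue = deque(initial)
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for name, spec in SYSTEMS.items():
            if current in spec["depends_on"] and name not in seen:
                queue.append(name)
    return seen


def impacted_activities(risk):
    """Activities that lose at least one system they depend on when the risk materialises."""
    down = affected_systems(RISKS[risk])
    return sorted(name for name, spec in ACTIVITIES.items()
                  if set(spec["depends_on"]) & down)


def rank_risks():
    """Rank risks by how many critical activities they would stop at the same time.
    Returns (risk, critical_count, all_impacted_activities), most impactful first."""
    rows = []
    for risk in RISKS:
        impacted = impacted_activities(risk)
        critical = [a for a in impacted if ACTIVITIES[a]["critical"]]
        rows.append((risk, len(critical), impacted))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def chain_recovery_hours(system, visiting=frozenset()):
    """Worst-case time to restore a system, assuming a system can only be
    recovered after the slowest of its dependencies is back (sequential model)."""
    if system in visiting:
        raise ValueError(f"dependency cycle involving {system}")
    spec = SYSTEMS[system]
    deps = spec["depends_on"]
    longest_dep = max((chain_recovery_hours(d, visiting | {system}) for d in deps), default=0)
    return spec["recovery_hours"] + longest_dep


def rto_gaps():
    """Activities whose worst-case recovery estimate exceeds their stated RTO.
    Returns (activity, rto_hours, worst_case_hours) for each gap."""
    gaps = []
    for name, spec in ACTIVITIES.items():
        worst = max(chain_recovery_hours(s) for s in spec["depends_on"])
        if worst > spec["rto_hours"]:
            gaps.append((name, spec["rto_hours"], worst))
    return gaps


if __name__ == "__main__":
    for risk, crit_count, impacted in rank_risks():
        print(f"{risk}: stops {crit_count} critical activities -> {impacted}")
    for name, rto, worst in rto_gaps():
        print(f"RTO gap: {name} targets {rto}h but worst-case recovery is {worst}h")
```

Running it shows the pattern the discussion describes: the identity-provider outage looks like a single infrastructure risk, but it is the only one that stops both critical activities, and the shared dependency also pushes order-intake's worst-case recovery well past its four-hour objective. The same two functions are the kind of check worth re-running after every tabletop exercise, once the inventory has been corrected for whatever the exercise revealed.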