Business Continuity vs Crisis Management: Two Disciplines, One Bad Day
- Jun 7
- 6 min read
Updated: 21 hours ago
The short answer
Business continuity keeps critical operations running through disruption; crisis management leads the organisation through the wider event.
Business continuity is the operational discipline of keeping, or quickly restoring, an organisation's most important activities when disruption strikes. Crisis management is the strategic discipline of leading the whole organisation through a serious event: making decisions under pressure, protecting people and reputation, and communicating with those who matter. Continuity asks "how do we keep working?" Crisis management asks "how do we lead through this?" A serious incident usually demands both at once.
Primary question: business continuity asks how to keep critical operations running, while crisis management asks how to lead the organisation through the event.
Focus: business continuity focuses on processes, systems, sites, suppliers and the availability of people, while crisis management focuses on decisions, stakeholders, reputation and direction.
Nature of event: business continuity deals with foreseeable disruption that has definable workarounds, while crisis management deals with events that are often novel, ambiguous and fast moving.
Typical owners: business continuity sits with operations or a resilience function, while crisis management sits with senior leadership and the crisis team.
Core tools: business continuity relies on impact analysis, recovery objectives and continuity plans, while crisis management relies on clear structure, escalation, decision making and communication.
Measure of success: business continuity succeeds when critical activities are restored within tolerance, while crisis management succeeds when judgement, control and confidence hold under pressure.
Why the two are so often confused
Both respond to disruption, so many organisations assume one plan covers both.
The confusion is understandable. Both disciplines exist for the day something goes wrong. Both involve plans, roles and rehearsal. In smaller organisations they are often owned by the same person. So it is common to find a business continuity plan presented, in good faith, as the organisation's crisis plan.
The distinction becomes clear under pressure. A continuity plan can tell you how to relocate a team, restore a system or switch supplier. It cannot tell you what to say to a regulator, how to handle media interest, whether to inform clients now or once facts are confirmed, or who holds decision making authority when senior people disagree. Those are crisis management questions, and they tend to arrive earlier, and matter more, than the operational ones.
What business continuity actually covers
Continuity is about predefined responses to definable disruptions.
Business continuity works from a simple premise: identify the activities the organisation cannot afford to lose, understand how long it can tolerate losing them, and build arrangements to keep them running or restore them in time. Loss of a site, loss of systems, loss of a key supplier, reduced availability of people. For each, the discipline produces workarounds, recovery priorities and clear time objectives.
Its strength is precisely that it deals with the foreseeable. Continuity planning rewards thoroughness. The scenarios may vary, but the consequences are definable in advance, which is why the responses can be too. Done well, it removes a whole category of decisions from the worst day, because they were made calmly, in advance.
What crisis management actually covers
Crisis management exists for the parts of the event that no plan can script.
A crisis is rarely just an operational outage. It is the wider event: the harm to people, the questions from clients and counterparties, the regulatory dimension, the reputational exposure, the speed at which a narrative forms before facts are confirmed. These elements are ambiguous, fast moving and often novel. They cannot be reduced to a workaround.
That is why crisis management is built around judgement rather than procedure. Its core components are a clear structure, defined decision making authority, disciplined information flow and measured communication. The early phase is where this is tested hardest; we have written about why organisations struggle in the first 24 hours of a crisis. A continuity plan is of limited help in those hours. What matters is whether leadership can think and decide under pressure.
Where organisations get the boundary wrong
The most common error is mistaking operational recovery for organisational response.
Several patterns appear repeatedly.
The first is the continuity plan masquerading as a crisis plan. The organisation has documented how to restore operations and concludes it is crisis ready. Then an event arrives that is reputational, legal or human rather than operational, and the plan has nothing to say. A data incident, an allegation against a senior figure or a threat to a principal's family does not stop the servers, but it can be the most serious event the organisation faces.
The second is the reverse: a leadership team focused on messaging and stakeholders while no one is gripping operational recovery. Communication without restored capability quickly loses credibility.
The third is structural. The two disciplines are owned in different parts of the organisation, planned on different cycles and exercised separately. In a real event they must run in parallel, feeding each other constantly. Recovery timelines shape what leaders can honestly say. Strategic decisions, such as whether to suspend a service voluntarily, change the continuity task. If the two teams meet for the first time during an incident, the seams show.
The fourth is escalation. Incidents are often held at the operational level because the continuity machinery appears to be coping. Whether systems are recovering is the wrong test. The right test is whether the event carries strategic consequence, for people, reputation, clients or regulators. If it does, it is a crisis, whatever the recovery dashboard says.
What good integration looks like
One framework, two disciplines, and a rehearsed handover between them.
Organisations that handle serious events well treat continuity and crisis management as distinct disciplines inside a single response framework. The continuity capability reports into the crisis structure, not alongside it. Escalation triggers are defined by consequence, not by operational severity alone. Leaders understand recovery realities well enough to make honest external commitments, and the continuity team hears strategic decisions early enough to act on them.
Most importantly, they exercise the two together. A continuity test that restores systems on schedule proves little about whether leadership can manage the regulator, the clients and the media at the same time. Realistic, combined rehearsal, of the kind we deliver through immersive simulations at the Academy at Bylaugh, is where the gaps between the disciplines become visible while they are still cheap to fix. Our training and preparedness page sets out how we approach this.
There are also events where the right answer is to bring in independent support, particularly when the crisis dimension outweighs the operational one. We have set out a practical view on when to bring in external crisis advisers.
The question boards should ask
Not "do we have plans?" but "do the plans meet in the middle?"
Most boards can confirm that a continuity plan and a crisis plan exist. Far fewer can say with confidence how the two connect: who escalates, on what trigger, and whether the people involved have rehearsed together. Those are the questions worth asking before an event answers them for you. We explore this further in the five questions every board should be asking about risk.
Business continuity protects what the organisation does. Crisis management protects what the organisation is. On a serious day you will need both, working as one. If you would like an independent view of how well yours connect, our services page outlines how we support clients across the full span of preparedness and response.
Frequently asked questions
Is business continuity part of crisis management?
They are distinct disciplines that operate within one response framework. In a serious event, business continuity usually reports into the crisis structure: the crisis team sets direction and manages stakeholders, while the continuity capability restores critical operations. Neither replaces the other.
Do I need a crisis management plan if I have a business continuity plan?
Yes. A continuity plan addresses operational disruption with predefined workarounds. It does not address decision making authority, stakeholder handling, reputation or communication, which are often the most consequential elements of a serious event. Many crises, such as allegations, data incidents or threats to people, involve little or no operational outage at all.
Which comes first in an incident, business continuity or crisis management?
In practice they run in parallel, but the crisis decision usually comes first. The earliest judgements, what we know, who decides, what we say and to whom, are crisis management questions, and they typically arrive before recovery work has produced results. Escalation should be driven by the consequence of the event, not by whether operations appear to be coping.
About SJ Group International
SJ Group International is a discreet, executive led consultancy supporting clients through security, risk and crisis matters.
SJ Group International advises private clients, family offices, corporates and advisers on security, risk, crisis management and preparedness. The firm is known for calm, senior level support, discreet delivery, and a practical approach shaped by real world experience, serving clients internationally since 2019.