How Microsoft Reduces Operational Risk through Business Continuity Management
Published: October 2010
Business Continuity Management (BCM) equips Microsoft IT with operational intelligence to enhance its decision-making processes, manage risk, and gain a competitive advantage in preparation for adverse situations. Microsoft IT implements BCM frameworks within the company to maximize employee safety and keep critical business processes and systems available, with the goal of minimizing adverse impacts on Microsoft employees, customers, partners, and stakeholders.
The Business Continuity team in Microsoft IT is responsible for building a culture of operational resiliency to maintain services or recover services in a disrupted environment. This article discusses how the Business Continuity team is implementing a Business Continuity Enterprise Framework and what the team is doing to put business continuity resiliency in place.
Business-Driven Approach to Business Continuity
Microsoft prefers a business-driven philosophy to business continuity that promotes a holistic review of dependencies and creates accountability for a business unit’s operational risks. With a business-driven approach:
- Business units are dedicated to having resiliency within their unit. The executive within the organization is aware of his/her BCM risk profile, supports the recovery strategies, and provides the necessary resources to execute solutions. This helps the business take accountability for the risks within the business unit.
- The business uses an industry-standard business impact assessment framework to organize its processes by impact to its stakeholder community. Business process owners holistically evaluate dependencies—people, locations, technology, and vendors—to understand overall recovery capability, identify second-level dependencies, and uncover any recovery gaps.
Figure 1 shows the Business Continuity Enterprise Framework.
Figure 1. Business Continuity Enterprise Framework
The long-term success of any Business Continuity Program requires support from the senior leadership of the company. At Microsoft, the Board of Directors has affirmed this commitment and has asked the Enterprise BCM program office and the Internal Audit and Enterprise Risk Management groups to create and monitor the progress of the industry-standard methodology.
Microsoft IT created a scorecard that gets visibility across the highest levels of the company. Business units are also encouraged to embed business continuity expertise in their own organizations. As a result, Microsoft can leverage the expertise of best-in-class subject matter experts in each of the business units. These subject matter experts are very involved in external communities and governance committees that focus on business continuity and disaster recovery.
Vendor and Supply Chain Business Continuity Assessment
Like many companies, Microsoft’s business model has evolved over time to depend more on vendors and supply chains. As a result, more and more of what Microsoft does is not necessarily under Microsoft’s direct control. To address this situation, the Business Continuity team pursued the concept of vendor/supply chain resiliency that has the following three areas of focus:
- Be proactive about making sure that there is business continuity language in the contracts when signing a vendor or renegotiating a contract. This includes reviewing contracts that may have already been signed. It is critical to make sure that the language is strong enough and truly speaks to the business continuity efforts that would be required of a vendor in a time of disaster. The Business Continuity teams work proactively with the legal department and procurement groups to make sure that this business continuity language is inserted in the contracts ahead of time.
- Routinely assess the vendors and their capability. Microsoft must feel confident that its most critical vendors can actually recover in the time that Microsoft needs them to.
- Take advantage of opportunities to exercise with critical vendors to make sure that Microsoft and the vendor see things the same way and to make sure that dependencies have not changed. For example, the vendor may have outsourced a service and Microsoft may not be aware of that.
The Importance of Standards
Standards offer a consistent framework and a common language for communicating with senior management. Standards also create a common taxonomy that enables integration between interdependent organizations inside and outside the company.
The US government, through the Department of Homeland Security, is currently working on an initiative to establish PS-Prep as a standard for private sector preparedness. Microsoft has been involved in these efforts from the very beginning and provides feedback that is helping to shape that standard. Microsoft also benchmarks its program against the BS 25999 standard.
Increasingly, other companies depend on Microsoft as a vendor. By basing programs and methodologies on standards, Microsoft can communicate its position on business continuity to its customers in a non-subjective way.
Changes in Strategy and the Effect on Risk
When the Business Continuity team conducts business impact analyses to determine the critical processes within each of the business units, the team takes into account where the company is headed from a strategic standpoint. For example, Microsoft has adopted an "all in" strategy for the cloud. These types of strategic decisions can dramatically affect where the Business Continuity team makes its investments.
Business Continuity Tools
To execute a Business Continuity Program, companies can purchase specialized business continuity tools (risk and compliance type tools) or they can use tools like Microsoft® Office that are already available in many organizations. Purchasing specialized software may require extensive customization, which may not be feasible, especially in a difficult economic environment. Microsoft uses its own tools to implement its Business Continuity Program. For example, Microsoft uses:
- Microsoft Office Outlook® and Microsoft Lync™ (formerly Microsoft Office Communicator) to schedule workshops for people in different locations, saving money on travel expenses
- Microsoft Office to create business continuity artifacts
- Microsoft SharePoint and Microsoft Excel® to create scorecards (out-of-the-box functionality)
- SharePoint to manage reporting and monitor workflows (out-of-the-box functionality)
The Business Continuity team in Microsoft IT uses a holistic, business-driven framework to structure, drive, and create accountability in its Business Continuity Program. With this approach, each business owns its operational risk profile and mitigation plans. When executing a Business Continuity Program, it is critical to do an assessment of all dependencies, including vendor/supply chain dependencies.
Microsoft bases its Business Continuity Program on standards and relies on its own tools rather than using customized software. These same tools are already available in many enterprises. Companies can save money by taking advantage of these tools.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Excel, Lync, Outlook, SharePoint, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.