Business Continuity is About Managing Risk

While risk is generally considered in a negative light, that is, as having an adverse impact, the Standard contemplates not only events that may lead to loss or harm, but also those that may lead to gain or advantage.

A business continuity event (described as an 'outage' in this Guide) is an adverse risk event. The primary objective of managing such events is to prevent them from occurring in the first place, where it is both within the control of the organization and cost-effective to do so. Treatments designed to prevent risk events occurring are commonly referred to as preventative controls. However, even the best-designed controls can break down in operation and an outage may occur.

In addition, certain risk events may be outside the control of the organization (referred to as external risks). This is particularly the case in relation to natural (e.g. fire, flood), political (e.g. change of government policy, changes to legislation), and economic (e.g. financial market collapses, economic downturn) events.

The primary objective, when any risk event (including an outage) becomes a reality, is to have in place treatments that will mitigate the business impact of the event. In the case of an outage, the preferred outcome is to maintain the continuity of service.

A comprehensive approach to risk management will therefore consider risk treatments both proactively, by designing and implementing controls to prevent risk events occurring, and reactively, by mitigating the consequences of such events should they actually occur. This philosophy can be best summed up as "plan for the best but be prepared for the worst". In practice, this requires risk managers to undertake an analysis of risks and risk treatments from the top down (starting with possible risk events and designing controls) and from the bottom up (assuming a risk event has occurred and preparing appropriate contingency plans). These approaches are complementary and should be undertaken in parallel, using the process described in the Risk Management Standard.

Source: http://it.toolbox.com/blogs/enterprise-solutions/business-continuity-is-about-managing-risk-70651
