I am glad you asked that question.
The first step is for the organisation to analyse business impacts and determine the business continuity priorities and requirements. In this process you need to define the impact types and criteria relevant to the organisational context. Also need to identify processes and activities that support those prioritised activities, and so on.
Then you identify the risks of disruption to the organisation's prioritised processes and activities and to the required resources. Risks are then analysed and evaluated to determine which risks require treatment.
By looking at the risks to the prioritised activities, automatically the risks to the business is also covered.
If you can get hold of the ISO standard ISO 22301 Business Continuity Management Requirements, it is well stated.
Please feel free to ask any other clarifications.