When the term resilience first made its appearance more than two decades ago, the business continuity community…
wondered if it meant the end of the term business continuity and of the profession that has been around since the 1980s. In the years since its emergence, resilience has become an increasingly important factor in how business and government organizations operate.
Resilience has evolved into a key component of the overall business and government survivability landscapes, whereas BC remains as an important operational activity that is often used interchangeably with business resilience.
What does business continuity mean?
According to ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, business continuity is defined as the “capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.”
In practice, BC merges a number of specific activities — disaster recovery (DR) and incident management, for example — into a holistic approach that establishes a series of internal and external activities an organization can initiate to respond to an incident, recover from the situation and resume business operations to an acceptable level. When this level of activity is achieved, the organization can notify its employees and stakeholders that it has resumed business operations.
What does business resilience mean?
The term organizational resilience can be considered another way of saying business resilience. ISO 22316:2017, Security and resilience — Organizational resilience — Principles and attributes, defines organizational or business resilience as the “ability of an organization to absorb and adapt in a changing environment.”
For example, when a rubber band is stretched and then released, it returns to its original shape. A resilient business has the people, culture, procedures, technology, facilities and more to return to its previous state of operation. This can happen following an event that might otherwise disrupt the firm or shut it down. Such an organization can deliver resilience using the following techniques:
A business resilience plan, also referred to as an organizational resilience plan, results from the collaboration and blending of the above activities and their outcomes into a concise plan.
The flavors of resilience
Organizational resilience and operational resilience are among the current implementations of resilience.
At the moment, much of the attention focuses on organizational resilience, which addresses the entire organization, its people, culture, business processes, technology infrastructure and physical facilities. The idea is to link all relevant elements of an organization into a cohesive unit that can collectively regroup, recover, modify as needed and resume operations following an incident.
By contrast, operational resilience focuses more on actual business processes, such as an assembly line the organization uses to prepare its work product. Although the terms seem to be separate entities, it makes more sense to position operational resilience as a necessary component of organizational resilience.
Another variant, supply chain resilience, defines steps to ensure that supply chains can be quickly recovered and returned to their normal functions. The concept also enables changes to the supply chain that can provide yet more survivability. Supply chain resilience has been embraced as a result of the COVID-19 pandemic, which has crippled many supply chains over the past two years.
What are the differences between business resilience vs. business continuity?
Think of business continuity as a set of procedures that, when activated, help an organization return to operational status so it can resume providing products and services. Business or organizational resilience is the capability to absorb a shock to operations and then rebound to a level of operations that is acceptable to company management, employees and stakeholders.
Figure 1 provides a visual comparison of the two terms. With business continuity, the goal is to resume operations sufficiently to provide products and services. By contrast, a business resilience plan assumes operations will resume and accommodates the possibility of changes. Depending on the event and how it affects the business, the organization might have to adapt how it operates to support a new normal resulting from the event. The obvious example of this resilience is the many business and government entities that had to embrace remote working during the pandemic and then found that their corporate cultures and how they functioned daily had to change.
Continuity and resilience plans
BC and business resilience plans might have similar structures and require the same analytical processes, such as BIA and risk analysis. Both plans will likely include procedures to recover from and resume business operations.
However, a business resilience plan might go beyond a BC plan by providing guidance and procedures to return the business — especially the culture — to a state that is more conducive and adaptive to how the business should operate in the aftermath of the disruption. The business resilience plan might even be a separate document that is activated once the BC plan has achieved its goals or recovered business functions.
Creating a business resilience plan can be as simple as redefining a business continuity plan, as most of the activities are the same. Key goals in a business resilience plan include the following:
- identifying how the business should function following the event;
- defining how the business anticipates the potential of an incident and prepares for it;
- determining alternate or interim methods of operating the business; and
- recognizing the effect of company culture on business recovery.
Standards for resilience
Two standards currently define and establish methods for achieving resilience. The first standard, ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems — Requirements with Guidance for Use, dates back to 2009 and was developed by ASIS International. It uses the management system model used by other standards organizations, such as ISO.
The more recent resilience standard is ISO 22316:2017, as noted earlier in this article. One of the key differences between business resilience and BC standards is the importance of anticipating potential disruptions instead of simply responding to them. Using risk management and other techniques to better identify potential business risks, threats and vulnerabilities, the new standard also embraces the need for more management processes that focus on company culture as part of an organization’s ability to prepare for and prevent disruptive events.
How are business resilience and business continuity similar?
Business continuity provides procedures to return critical business functions, systems, facilities where the work is done and the people that support them to a state where the organization can fulfill its commitments and obligations. These activities are part of an overall program to ensure the organization can minimize the chances for an incident to occur and — if one does occur — has the resources, culture and commitment to mitigate the event, recover, survive and prosper.
Business resilience builds on each of the activities noted above to return the organization to a normal state of operation.
Why you need a business resilience plan and how it works
For organizations committed to protecting their ability to function, especially following a disruptive event, a business resilience plan built on a BC plan foundation could be the answer. Before reaching that point, however, ensure the various plans and activities listed earlier in this article are developed and regularly exercised to ensure they fulfill their specific objectives.
Perhaps a key aspect of a business resilience plan is to define the end state of the organization following completion of all relevant recovery and resumption processes. It’s easy to say an organization has recovered from an incident. But does that mean it’s resilient? Ultimately, the organization must determine what constitutes a state of resilience.