When the term resilience first made its appearance over a decade ago, the business continuity community wondered if it meant the end of the term business continuity -- and of the profession -- which has been around since the 1980s.
In reality, the term resilience has evolved to become a part of the overall survivability landscape, and business continuity (BC) remains in place as an important operational activity.
What is business resilience?
If you stretch out a rubber band and then release it, it returns to its normal shape. A resilient business can return to its previous state of operation following an event that might otherwise disrupt it or shut it down. Such an organization achieves its state of resilience using a number of techniques:
- Business continuity management
- Technology disaster recovery
- Incident response and management
- Emergency management
- Business impact analysis
- Risk management
- Testing and exercising
- Emergency communications
A business resilience plan is the result of the above activities and their outcomes consolidated into a concise plan.
What is the difference between business resilience and business continuity?
To achieve business resilience, an organization must be able to resume operations in the aftermath of a disaster. It does this using a business continuity plan that provides procedures for returning critical business functions, the people and systems that support them, and the facilities where the work is done to a state where the organization can fulfill its commitments and obligations.
It also performs the activities listed above as part of an overall program to ensure that the organization can minimize the chances for an incident to occur, and -- if one does occur -- has the resources, culture and commitment to mitigate the event and then recover and resume business operations.
In the above context, BC is needed to achieve business resilience.
Two types of resilience
There are two types of resilience: organizational resilience and operational resilience. Most of the attention today focuses on organizational resilience, which addresses the entire organization, its people, culture, business processes, technology infrastructure and physical facilities.
By contrast, operational resilience focuses more on the actual business processes, e.g., an assembly line or a television studio that the organization uses to prepare its work product. Although the terms seem to be separate entities, it makes more sense to position operational resilience as a necessary component of organizational resilience.
Standards for resilience
Two standards define resilience and establish methods for achieving it. The first, developed by ASIS International, dates back to 2009 and is called ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use. It uses the management system model used by other standards organizations, such as the International Organization for Standardization (ISO). Examining the components of the standard shows many of the activities later outlined in the ISO business continuity standard, ISO 22301:2012 (latest version released in 2019), Societal security -- Business Continuity Management Systems -- Requirements.
The more recent resilience standard is ISO 22316:2017 Security and resilience -- Organizational resilience -- Principles and attributes. One of the key differences between business resilience and business continuity standards is the importance of anticipating potential disruptions instead of simply responding to them. Using risk management and other techniques to better identify potential business risks, threats and vulnerabilities, the new standard also embraces the need for more management processes that focus on company culture as part of an organization's ability to prepare for and prevent disruptive events.
Why you need a business resilience plan and how it works
If your organization is committed to protecting its ability to function, especially following a disruptive event, a business resilience plan could be the answer. Before reaching that point, however, ensure that the various plans and processes noted in Figure 1 below are developed and, as much as possible, exercised to ensure they fulfill their specific objectives.
A business resiliency program builds on each of the above activities. Perhaps the most important aspect of a business resilience plan is to define the end state of the organization following completion of all relevant recovery and resumption processes. It's easy to say that an organization has recovered from an incident. But does that mean it's resilient? Ultimately, the organization must determine what constitutes a state of resilience.
In terms of what a business resilience plan looks like, it can be as simple as redefining a business continuity plan as a business resilience plan. Chances are most of the activities in the BC plan will be in the resilience plan. Key goals in a business resilience plan are to:
- identify how the business should be functioning following the event;
- define how the business anticipates the potential for an incident and prepares for it;
- determine alternate or interim methods of operating the business; and
- identify the effect of the company culture on recovering the business.
Think of resilience as a state of operations that delineates the activities the organization must perform in order to -- just like a rubber band -- snap back to how it was running before the incident.