An Introduction to Business Resilience

Speak to a BCM expert

Whatever the nature or size of your problem, we are here to help. Get in touch today using one of the contact methods below.

What is business resilience?

Business resilience is an enterprise-wide term which encompasses crisis management and business continuity, and responds to all types of risk that an organisation may face, from cyber threat to natural disaster, and much else besides. As well as addressing the consequences of a major incident, business resilience relates to the ability of an organisation to adapt to the new environment and circumstances following that incident.

Business resilience planning is a governance and risk management responsibility that boards must address to enable them to survive and thrive in an increasingly hostile environment.

Business Resilience, Business Continuity or Disaster Recovery?

Business continuity (under which the older concept of disaster recovery was subsumed) has now been largely supplanted by the broader approach of business resilience, which encompasses crisis management and business continuity into a cultural approach which is applicable across an organisation.

The overlap between the various concepts of business resilience, business continuity and disaster recovery can be confusing. Essentially:

Business resilience is more a strategic risk management approach, which integrates many disciplines into a single set of integrated processes, and is tailored to an individual organisation’s requirements;
Business continuity is a process-driven approach which can be standardised, and which leads an organisation out of a major incident so that it can continue operations; and
Crisis management addresses specific crises (man-made and natural events).

Business continuity events, for example, can be triggered by crisis management events, but a crisis is not necessary for business continuity.

Why Business Resilience?

All organisations, of any size or type, anywhere in the world, face a wide range of risks which could cause them long-term harm, from financial penalty to reputational damage:

Natural disasters
Economic disruption and market turbulence
Terrorist-related incidents and disruption
Cyber crime and cyber terrorism (read more)
Civil emergencies, strikes, and similar action
Pandemic threats, including SARS and Avian Flu
Compliance failures
Disruptive technological advances
Technology failure
Supply chain failure

Business Resilience Strategy

In order to ensure the resilience of an organisation in the face of these varied risks, it is essential to have a business resilience strategy, which should have four core strands:

A business continuity plan which plans and rehearses a response to all identified and likely operational disruptions. We recommended the implementation of a business continuity management system (BCMS) according to ISO22301.
A disaster recovery plan which enables the organisation to recover from real disasters.
A value protection plan which ensures that shareholder value is protected at times of disruption.
An exploitation plan which enables the organisation to spot, and exploit, commercial opportunities that may present themselves during times of substantial disruption.

Business resilience standards

There are three main standards for business resilience. Two of them are American and one is international.

ISO 22301:2012 is the international standard for a Business Continuity Management (BCM) system.
ASIS SPC.1-2009 Organisational Resilience (Security Preparedness and Continuity Management Systems).
National Fire Protection Association 1600:2007 (Standard on Disaster/Emergency Management and Business Continuity Programs).