What is business resilience?

Why is business resilience planning important?

It is no longer sufficient to simply recover business operations and mission-critical applications after a natural disaster, cyberattack or other event. Organizations must be ready to adapt as circumstances change. In the COVID-19 pandemic, businesses had to adjust quickly to changing work environments. This included support of remote work and hybrid setups.

While the pandemic is history, what remains is the potential for business disruptions, including loss of critical business functions that could result in financial losses, damage to supply chains, loss of competitive advantage and reputational damage.

Organizations have a responsibility to remain in business, unless extenuating circumstances -- such as a merger -- make it impossible. Shareholders and other stakeholders expect the business to remain operational despite the chance of a damaging event, like a cyberthreat or supply chain disruption.

A return to the previous norms might not be enough; the old ways might not accommodate the way the business now operates. Resilience encompasses the agility, adaptability and sustainability organizations need to adjust to long-term operational changes.

What should a business resilience plan include?

A business resilience plan should include the following:

• Business impact analysis.
• Risk assessment.
• Risk management.
• Testing and running exercises.
• Emergency communications plan.
• BC plan.
• DR plan.
• Crisis management plan.
• Incident response plan.
• Emergency management plan.

Each of these components can stand alone. Combined, they create a framework for an overall resilience plan.

The most important aspect of a business resilience plan is to define the organization's end state after completing all recovery plan and resumption processes. When a business has recovered from an incident and resumed operations, does that mean it's resilient? Ultimately, an organization must determine what constitutes a state of resilience.

A business resilience plan combines various types of business continuity and disaster recovery planning.

Following completion of response activities after an event, business continuity and DR activities get the business back in operation. However, depending on how the event affects the organization's ability to conduct business, a new normal might require new or modified business activities. It's here that an organization demonstrates resiliency.

Steps for building a business resilience plan

A business resilience plan can be as simple as combining business continuity management, DR and other plans into the plan. Chances are, many of those activities will be in the resilience plan.

Here are four key steps in a business resilience plan:

1. Identify how the organization should function after the event.
2. Define how it anticipates the potential for an incident and prepares for it.
3. Determine alternate or interim methods of operating the business.
4. Identify the effect of the company culture on recovering the business.

Current standards for resilience have no specific frameworks for developing resilience plans. They primarily define activities to include in a holistic plan.

Who should be the business resilience manager in an organization?

Who should lead business resilience management activities is a perennial question. Some organizations have standalone BC and /DR departments. Others divide the decision-making and other duties among business leaders in various groups and departments, such as information technology, legal, human resources, senior management, compliance, risk management, emergency management and facilities management.

In the federal government, resilience-related activities align with two federal standards: Federal Continuity Directive 1 (FCD 1) and Federal Continuity Directive 2 (FCD 2). Complying with the requirements in these directives helps federal agencies build continuity of operations plans and achieve a level of resilience. Most federal agencies, especially those in the executive branch, must regularly demonstrate compliance with FCD 1 and 2. Each agency assigns FCD compliance to different departments, but most often, administrative units manage them.

Business resilience standards and guidelines

Two standards currently define resilience and establish methods for achieving it. They are as follows:

ASIS SPC.1-2009 dates to 2009. Developed by ASIS International, it's titled, "Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use." It uses the same management system model as other standards organizations like the International Organization for Standardization (ISO).

ISO 22316:2017 is titled "Security and resilience -- Organizational resilience -- Principles and attributes." ISO 22316:2017 uses risk management and other techniques to better identify potential business risks, threats and vulnerabilities before they happen. This standard also embraces the need to focus on company culture as part of an organization's ability to prepare for and prevent disruptive events.

Additional standards that tangentially address business resilience issues include the following:

ISO 22301:2019 is the de facto international standard for BC management.

FFIEC Business Continuity Handbook – is used in financial institutions for BC planning; it includes guidance for audit preparation.

NFPA 1600 is the U.S. standard for DR and BC planning for business and government

NIST SP800-34 is a standard that addresses IT contingency planning and is used in both governments and businesses.

Pros and cons of business resilience

While most business professionals agree that business resilience is desirable, they might not agree universally on its importance. Here are some pros and cons of business resilience:

Benefits include facilitating business operations continuity, greater adaptability to changes in how the business might need to operate, improved employee morale, compliance with established standards, stronger focus on risk management and a potentially improved reputation.

Costs and complexity needed to implement resilience are two negatives. Additional issues include management resistance to change, difficulty establishing a company culture that embraces resilience, and the time and resources (especially staffing) needed to implement and manage a resilient organization.

Business resilience products and services

Business resilience software tools are available for on-site deployment and from the cloud. Business Continuity as a Service (BCaaS) is growing in popularity as it is completely cloud-based and, along with cloud data backups and other measures to protect mission-critical assets, provides an effective approach to resilience.

Some BC products to consider include the following:

• Agility Recovery Planner.
• Archer Business Resiliency.
• BC in the Cloud.
• CL360 Business Continuity.
• Fusion Framework System.
• Ncontracts.
• Oracle Risk Management and Compliance.
• Riskonnect.
• SafetyCulture.
• SAI360.

Artificial intelligence and business resilience

Business resilience activities are excellent candidates for enhancement and automation through the use of artificial intelligence (AI). With features like predictive analytics, automation and scheduling of various activities, and optimization of key functions, AI can benefit just about every BC activity.

The results include improved risk analysis and management, enhanced decision-making and more overall efficiency. Perhaps the most intriguing application of AI is in assessing the performance of BC/DR and resilience plans in a simulated yet realistic situation. Being able to create a variety of events and analyze how well plans are likely to perform is the holy grail of resilience.

While traditional plan exercising is an essential activity, it is limited by the types of exercises that can be performed. Simulating an event, analyzing how a plan's procedures, key elements and personnel respond to the event, and then reporting on how well the organization did in the aftermath provide invaluable data on the plan. It can guide the organization in ways to improve both its plan and its resilience.

Without adequate support, resilience initiatives are unlikely to succeed. Check out six ways individuals and departments can foster business resilience.