What is business resilience?
Business resilience is the ability of an organization to quickly adapt to disruptions while maintaining continuous business operations and safeguarding people, assets and overall brand equity. Business resilience goes beyond disaster recovery (DR) and business continuity by offering post-disaster strategies to avoid costly downtime, shore up vulnerabilities and maintain business operations in the face of additional, unexpected breaches.
Business resilience begins with an understanding that business processes and workflows must be preserved for organizations to survive unexpected events. Among the important challenges of business resilience planning is the human element. People must be prepared and educated on how to respond to a chaotic situation.
A business resilience plan is sometimes referred to as a business continuity plan (BCP). Resilience is an outcome of various approaches to readiness, including business continuity, technology DR, crisis management, risk management and incident management.
Business resilience includes various elements of overall resilience, such as organizational resilience, operational resilience, cyber resilience and supply chain resilience. The expansion of the term reflects how important resilience has become to businesses, governments and other organizations.
Why is business resilience planning important?
It is no longer sufficient to simply recover business operations and mission-critical applications after a natural disaster, cyberattack or other event. Organizations must be ready to adapt as circumstances change. As the COVID-19 crisis demonstrated, businesses had to quickly adjust to changing work environments, including support for remote work and hybrid setups.
Organizations have a responsibility to remain in business, unless extenuating circumstances -- such as a merger -- make it impossible. Shareholders and other stakeholders expect the business to remain operational despite the chance of a disruptive event hurting the firm.
In many cases, it may not be enough to return to the previous norms; the old ways might not accommodate the way the business now operates. Resilience goes beyond strict business continuity and DR, providing the agility, adaptability and sustainability organizations need to adjust to long-term changes in how they operate.
What should a business resilience plan include?
A business resilience plan includes various elements. Among them are the following:
- business impact analysis
- risk assessment
- risk management
- testing and running exercises
- emergency communications plan
- DR plan
- incident response plan
- emergency management plan
Each of these components can stand alone. However, combined they create a framework from which an overall resilience plan is developed.
The most important aspect of a business resilience plan is to define the end state of the organization following completion of all recovery and resumption processes. It's easy to say a business has recovered from an incident once it has resumed operations. But does that mean it's resilient? Ultimately, an organization must determine what its end state should be following an incident. To achieve that, it must first determine what constitutes a state of resilience.
Following an event and the completion of response activities, business continuity and DR activities get the business back in operation. However, based on the specific event and how it affects the organization's ability to conduct business, it may be necessary to establish new or modify existing business activities for the new normal. It's this last part where an organization demonstrates it has a resilient business.
Steps for building a business resilience plan
A business resilience plan can be as simple as combining business continuity management, DR and other plans into a business resilience plan. Chances are, many of those activities will be in the resilience plan.
The following are four key steps in a business resilience plan:
- Identify how the organization should function after the event.
- Define how it anticipates the potential for an incident and prepares for it.
- Determine alternate or interim methods of operating the business.
- Identify the effect of the company culture on recovering the business.
The current standards for resilience have no specific frameworks for developing resilience plans. They primarily define the activities that should be part of a holistic plan.
Who should be the business resilience manager in an organization?
Determining who should lead business resilience management activities has been a perennial question. Some organizations have standalone business continuity and disaster recovery (BCDR) departments. Others divide the decision-making and other duties up among business leaders in various groups and departments, such as information technology, legal, human resources, senior management, compliance, risk management, emergency management and facilities management.
In the U.S. federal government, resilience-related activities align with two federal standards, Federal Continuity Directive 1 (FCD 1) and Federal Continuity Directive 2 (FCD 2). Achieving compliance with the requirements in these two directives helps federal agencies build continuity of operations plans and achieve a level of resilience. Most federal agencies, especially those in the executive branch, must regularly demonstrate compliance with FCD 1 and FCD 2. Each agency assigns FCD compliance to a different department, but most often administrative units manage it.
Business resilience standards and guidelines
Two standards currently define resilience and establish methods for achieving it. They are the following:
ASIS SPC.1-2009 was developed by ASIS International and dates back to 2009. It is titled Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use. It uses the same management system model that other standards organizations, such as the International Organization for Standardization (ISO), use.
ISO 22316:2017 is titled Security and resilience -- Organizational resilience -- Principles and attributes. ISO 22316:2017 uses risk management and other techniques to better identify potential business risks, threats and vulnerabilities before they happen. This standard also embraces the need to focus on company culture as part of an organization's ability to prepare for and prevent disruptive events.