
Compare and contrast business resilience vs. business continuity

Business continuity and resilience go hand in hand and play a role in an organization's disaster recovery plan. Essentially, business continuity is needed to achieve resilience.

When the term resilience first made its appearance over a decade ago, the business continuity community wondered if it meant the end of the term business continuity -- and of the profession -- which has been around since the 1980s.

In reality, the term resilience has evolved to become a part of the overall survivability landscape, and business continuity (BC) remains in place as an important operational activity.

What is business resilience?

If you stretch out a rubber band and then release it, it returns to its normal shape. A resilient business can return to its previous state of operation following an event that might otherwise disrupt it or shut it down. Such an organization achieves its state of resilience using a number of techniques:

A business resilience plan is the result of the above activities and their outcomes consolidated into a concise plan.

What is the difference between business resilience and business continuity?

To achieve business resilience, an organization must be able to resume operations in the aftermath of a disaster. It does this using a business continuity plan that provides procedures for returning critical business functions, the people and systems that support them, and the facilities where the work is done to a state where the organization can fulfill its commitments and obligations.

It also performs the activities listed above as part of an overall program to ensure that the organization can minimize the chances for an incident to occur, and -- if one does occur -- has the resources, culture and commitment to mitigate the event and then recover and resume business operations.

In the above context, BC is needed to achieve business resilience.

Two types of resilience

There are two types of resilience: organizational resilience and operational resilience. Most of the attention today focuses on organizational resilience, which addresses the entire organization, its people, culture, business processes, technology infrastructure and physical facilities.

By contrast, operational resilience focuses more on the actual business processes, e.g., an assembly line or a television studio that the organization uses to prepare its work product. Although the terms seem to be separate entities, it makes more sense to position operational resilience as a necessary component of organizational resilience.

Standards for resilience

Two standards define resilience and establish methods for achieving it. The first dates back to 2009 and was developed by ASIS International: ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use. It uses the management system model used by other standards organizations, such as the International Organization for Standardization (ISO). Examining the components of the standard shows many of the activities later outlined in the ISO business continuity standard, ISO 22301:2012, Societal security -- Business Continuity Management Systems -- Requirements (latest version released in 2019).

The more recent resilience standard is ISO 22316:2017, Security and resilience -- Organizational resilience -- Principles and attributes. One of the key differences between business resilience and business continuity standards is the importance of anticipating potential disruptions instead of simply responding to them. The new standard uses risk management and other techniques to better identify potential business risks, threats and vulnerabilities, and it also embraces the need for more management processes that focus on company culture as part of an organization's ability to prepare for and prevent disruptive events.

Why you need a business resilience plan and how it works

If your organization is committed to protecting its ability to function, especially following a disruptive event, a business resilience plan could be the answer. Before reaching that point, however, ensure that the various plans and processes noted in Figure 1 below are developed and, as much as possible, exercised to ensure they fulfill their specific objectives.

Figure 1. Business resilience plan processes. Incorporate and test various processes in the business resilience plan.

A business resiliency program builds on each of the above activities. Perhaps the most important aspect of a business resilience plan is to define the end state of the organization following completion of all relevant recovery and resumption processes. It's easy to say that an organization has recovered from an incident. But does that mean it's resilient? Ultimately, the organization must determine what constitutes a state of resilience.

In terms of what a business resilience plan looks like, it can be as simple as redefining a business continuity plan as a business resilience plan. Chances are most of the activities in the BC plan will be in the resilience plan. Key goals in a business resilience plan are to:

  1. identify how the business should be functioning following the event;
  2. define how the business anticipates the potential for an incident and prepares for it;
  3. determine alternate or interim methods of operating the business; and
  4. identify the effect of the company culture on recovering the business.

Think of resilience as a state of operations that delineates the activities the organization must perform in order to -- just like a rubber band -- snap back to how it was running before the incident.
