Bolster an operational resilience strategy with these tips

What is resilience, exactly?

The Merriam-Webster dictionary defines resilience as "an ability to recover from or adjust easily to misfortune or change." In enterprise IT, the relationship between business continuity, disaster recovery and resilience gets a little murky.

There are two types of resilience related to business continuity: operational resilience and organizational resilience.

Organizational resilience is the ability of an entire business and its components -- including all its people, processes, technologies and facilities -- to respond to and recover from a disruptive event.

Think of organizational resilience as the end goal of properly designed and implemented BCDR program activities, as shown in Figure 1.

An operational resilience strategy focuses on business components that must continually operate for the company to produce and deliver its products and services. In this way, operational resilience is a subset of organizational resilience. IT resilience is an important component of operational resilience -- and this is where DR activities are essential.

Figure 2 depicts how BCDR, incident response and emergency management activities can support both operational and organizational resilience.

Operational resilience best practices

A company should manage, maintain and aim to improve its operational resilience strategy.

First, identify the operational activities that are essential for the organization to produce its products and services. A business impact analysis (BIA) is an important tool to determine those assets. A BIA defines mission-critical business processes, as well as the people, technology and facility resources that enable those processes. It also assesses the potential effect on the organization if it cannot perform those processes.

In addition, perform a risk assessment to identify internal and external threats to the organization's ability to conduct business. A vulnerability analysis is also helpful to identify weaknesses that could increase the risk of operational disruption.

Structure BC plans to ensure critical operational activities can recover and return to normal. Do the same for technology DR plans, which should bring mission-critical systems back to full operation as quickly as possible to maintain IT resilience.

Supply chains are mission-critical components of the organization. If an event occurs that disrupts one or more supply chains, procedures should be in place to recover the chains as quickly as possible. To achieve this, use alternate suppliers and alternate transportation companies; have a process to expedite contracts to activate alternate arrangements.

Assuming the organization uses a variety of technology-based systems and network services, DR plans must ensure IT teams can quickly recover these elements, test them for proper operation and put them back into production. If it's difficult or impossible to replace unique, special-function systems in a timely fashion, make arrangements with other organizations to use their systems. In addition, contact manufacturers of special-purpose systems to ask how they can assist.

Document all procedures to recover operational components. Store documents in a secure location and make them available electronically for maximum speed of access. Include general operational procedures for mission-critical systems, in case the primary operators are unavailable and other employees must step in.

Regularly exercise and update all necessary procedures to ensure an up-to-date operational resilience strategy, especially as mission-critical assets or overall business processes change. Embed activities in those exercises that continuously improve resilience.