gosphotodesign - Fotolia
Organizational vs. operational resilience: What's the difference?
Achieving both operational and organizational resilience is key to ensuring that a company can protect and adapt its processes and bounce back in the event of a disaster.
Resilience has become a prominent element in the business continuity and disaster recovery professions, as well as in the cybersecurity space. Organizational and operational resilience are two areas of IT resilience that your organization will need to consider if it hopes to survive and prosper over time.
Organizational resilience (OR) generally embodies the entire organization, including technology, people, facilities, processes and everything needed to operate the business. If each of these elements is protected from disruptive events, and plans are in place to recover and restore them to normal operation, we could say that organizational resilience has been achieved.
Adaptability is also a part of most OR definitions. Ideally, a resilient organization can bend and flex during a disruptive event and return to normal operations once the event has passed.
What is operational resilience?
Now let's examine operational resilience (OpR), which has been in the shadows of OR and is now a term of growing interest. If you're not familiar with the term, several prominent organizations have described OpR and its role in business continuity and disaster recovery (BC/DR).
Gartner described OpR as "a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions."
In the standard BS 65000:2014, Guidance on organizational resilience, the British Standards Institution (BSI) refers to operational resilience as: "[the] ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper."
The International Organization for Standardization also has a standard on organizational resilience, ISO 22316:2017, Security and resilience -- Organizational resilience -- Principles and attributes. This standard defines a framework for organizations to ensure that their business activities can be protected and maintained now and in the future. A key element of the standard is the focus on preparing organizations to better anticipate and respond to potential risks and threats, while also identifying and mitigating vulnerabilities.
How to establish OpR
Operational resilience examines what the business actually does and what it needs to continue performing those activities. This differs from organizational resilience in that OR looks at the entire organization, while OpR is more process-oriented, examining how the business functions and what the organization needs to protect those processes.
What do businesses need to operate today? As with any business initiative, the push for OpR must start at the top. Senior management must be aware of the importance of maintaining OpR and must support initiatives such as the creation of policies, frameworks and structures that support OpR. These then filter down to operational teams to implement programs, controls and procedures to produce products and services.
The BSI presents a model for OpR that makes good sense. It describes OpR as one of three contributors to overall OR. The other two are information resilience and supply chain resilience, as noted in the figure below.
Assuming that all components of an organization's operational structure are functioning properly and are protected from disruptive events, OpR has been established.
When information-related assets such as systems, data, intellectual property and networks are working properly, are secure and protected, and can be safely recovered and returned to service following an interruption, an organization has established information resilience.
Finally, the mechanisms that provide components the organization needs to produce and deliver its products and services to customers must be available and not compromised by internal or external events.
BC/DR, cybersecurity and supply chain initiatives are all essential building blocks for achieving organizational resilience as noted in the above figure. Ideally, each of these initiatives works with the others to minimize the likelihood of disruptive events occurring and maximize the security and survivability of each element.
Along with protecting your organization, achieving organizational and operational resilience can also benefit your company's image. A reputation for organizational resilience can greatly enhance an organization's survival over time, as the firm is more likely to weather disruptions. Organizations that are perceived as being able to stay operational despite disruptive events are likely to be more in-demand, well-positioned and highly competitive within their marketplaces.
Operational resilience frameworks hinge on breaking down silos