What is business resilience?
Business resilience is an enterprise-wide term which encompasses crisis management and business continuity, and responds to all types of risk that an organisation may face, from cyber threat to natural disaster, and much else besides. As well as addressing the consequences of a major incident, business resilience relates to the ability of an organisation to adapt to the new environment and circumstances following that incident.
Business resilience planning is a governance and risk management responsibility that boards must address to enable their organisations to survive and thrive in an increasingly hostile environment.
Business Resilience, Business Continuity or Disaster Recovery?
Business continuity (under which the older concept of disaster recovery was subsumed) has now been largely supplanted by the broader approach of business resilience, which combines crisis management and business continuity into a cultural approach that is applicable across an organisation.
The overlap between the various concepts of business resilience, business continuity and disaster recovery can be confusing. Essentially:
- Business resilience is more of a strategic risk management approach, which integrates many disciplines into a single set of processes, and is tailored to an individual organisation’s requirements;
- Business continuity is a process-driven approach which can be standardised, and which leads an organisation out of a major incident so that it can continue operations; and
- Crisis management addresses specific crises (man-made and natural events).
Business continuity events, for example, can be triggered by crisis management events, but a crisis is not necessary for business continuity.
Why Business Resilience?
All organisations, of any size or type, anywhere in the world, face a wide range of risks which could cause them long-term harm, from financial penalty to reputational damage:
- Natural disasters
- Economic disruption and market turbulence
- Terrorist-related incidents and disruption
- Cyber crime and cyber terrorism
- Civil emergencies, strikes, and similar action
- Pandemic threats, including SARS and Avian Flu
- Compliance failures
- Disruptive technological advances
- Technology failure
- Supply chain failure
Business Resilience Strategy
In order to ensure the resilience of an organisation in the face of these varied risks, it is essential to have a business resilience strategy, which should have four core strands:
- A business continuity plan which organises and rehearses a response to all identified and likely operational disruptions. We recommend the implementation of a business continuity management system (BCMS) according to ISO 22301.
- A disaster recovery plan which enables the organisation to recover from real disasters.
- A value protection plan which ensures that shareholder value is protected at times of disruption.
- An exploitation plan which enables the organisation to spot, and exploit, commercial opportunities that may present themselves during times of substantial disruption.
Business resilience standards
There are three main standards for business resilience. Two of them are American and one is international.