Business resilience is an enterprise-wide term which encompasses crisis management and business continuity, and responds to all types of risk that an organisation may face, from cyber threat to natural disaster, and much else besides. As well as addressing the consequences of a major incident, business resilience relates to the ability of an organisation to adapt to the new environment and circumstances following that incident.
Business resilience planning is a governance and risk management responsibility that boards must address to enable them to survive and thrive in an increasingly hostile environment.
Business Resilience, Business Continuity or Disaster Recovery?
Business continuity (under which the older concept of disaster recovery was subsumed) has now been largely supplanted by the broader approach of business resilience, which integrates crisis management and business continuity into a cultural approach that is applicable across an organisation.
The overlap between the various concepts of business resilience, business continuity and disaster recovery can be confusing. Essentially:
- business resilience is more a strategic risk management approach, which brings many disciplines together into a single set of integrated processes, and is tailored to an individual organisation’s requirements;
- business continuity is a process-driven approach which can be standardised, and which leads an organisation out of a major incident so that it can continue operations; and
- crisis management addresses specific crises (man-made and natural events).
A business continuity event can be triggered by a crisis, for example, but a crisis is not a prerequisite for invoking business continuity.
Why Business Resilience?
All organisations, of any size or type, anywhere in the world, face a wide range of risks which could cause them long-term harm, from financial penalty to reputational damage:
- Natural disasters
- Economic disruption and market turbulence
- Terrorist-related incidents and disruption
- Cyber crime and cyber terrorism
- Civil emergencies, strikes, and similar action
- Pandemic threats, including SARS and Avian Flu
- Compliance failures
- Disruptive technological advances
- Technology failure
- Supply chain failure
Business Resilience Strategy
In order to ensure the resilience of an organisation in the face of these varied risks, it is essential to have a business resilience strategy, which should have four core strands:
- A business continuity plan which organises and rehearses a response to all identified and likely operational disruptions. We recommend the implementation of a business continuity management system (BCMS) according to ISO 22301.
- A disaster recovery plan which enables the organisation to recover from real disasters.
- A value protection plan which ensures that shareholder value is protected at times of disruption.
- An exploitation plan which enables the organisation to spot, and exploit, commercial opportunities that may present themselves during times of substantial disruption.
Business resilience standards
There are three main standards for business resilience. Two of them are American and one is international.
- ISO 22301:2012 is the international standard for a Business Continuity Management (BCM) system.
- ASIS SPC.1-2009 Organisational Resilience (Security Preparedness and Continuity Management Systems) is available for download.
- National Fire Protection Association 1600:2007 (Standard on Disaster/Emergency Management and Business Continuity Programs) is available for download.
IT Governance provides a broad range of standards, toolkits, training and consultancy to help you implement:
Business Continuity and Disaster Recovery
- ISO 22301:2012 sets out the requirements for a BCMS, which will demonstrate an organisation’s preparedness for a disruptive incident.
- The ISO 22301 BCMS Implementation Toolkit will speed and simplify the ISO 22301 implementation process. The full contents are available
- ISO 27001 is the world's only cyber security standard, and details the requirements for an information security management system (ISMS).
- We also carry a broad selection of ISO 27001 Books and Toolkits.
- The ISO 31000 Risk Management Guidelines provide principles and generic guidelines on risk management.
- vsRisk is the definitive standalone ISO 27001:2013-compliant cyber security risk assessment tool.