What is business resilience?
Lately, the world of business continuity is abuzz with talk of organizational vs. operational resilience. Some are confused, some aspects are befuddling, and all of it speaks to the evolving nature of our world. If you are following my blogs, you know these are topics I’ve touched on for a while. So, let’s jump right in. Many ask if these two things are the same and related to business continuity.
None of them is the same thing, but I would argue that they are all interrelated. ISO’s 22316 provides worldwide guidance for organizational resilience if you haven’t read it. ISO 22316, Security and resilience – Organizational resilience – Principles and attributes, provides a framework to help organizations future-proof their business. Operational resilience is a systems approach to understanding all critical aspects of a business’s essential services. As two structures, these support overall business resilience, which is ultimately the ability for an organization to have the tools to manage risk, fulfill objectives, and continue to thrive in the face of crisis events.
Organizational resilience is trending
Everyone is talking about resilience these days. Whether organizational or personal resilience, it’s all relevant–from boards to individual employees. The interest is in sustainability and recovery but, more importantly, the ability to thrive in the face of challenging situations. In the workplace, leadership is committed to understanding the business, gaps, tolerances, and the ability to absorb interruptions and, ideally, come back stronger. In today’s fast-paced marketplace, downtime is barely tolerable. Customers don’t want to wait and expect service fulfillment.
Organizational resilience addresses this by taking an approach that expects companies to understand their risk exposure and take steps to mitigate where possible. The framework focuses on achieving organizational goals while encouraging coordination among aligned disciplines by anticipating and preparing for vulnerabilities. Business continuity is a relevant management discipline and should be a defining pillar of sound practice. It already provides reliable data about business functions and strategies for recovery.
Regulators want operational resilience
I took on the task of explaining the differences between organizational vs. operational resilience in a series of articles I co-wrote with my colleague, Andreas Bryant. Andreas currently works in UK Finacial Services where the operational resilience policy was born. If you haven’t scanned the policy paper and supporting documents, I recommend doing so, even if you are working for an org that does not fall into its jurisdiction.
Now, I’m not in the position of having to conform but do see operational resilience as a natural tie-in with business continuity. We’ve been connecting dependencies as part of our standard work for decades, and it makes sense to go up a level higher to align functions to a service level. Admittedly, my interest is from an operational perspective, but aligning systems makes total sense. Although the UK’s interest for OpsRes is for banks, investments firms, and some insurers, I expect this approach to migrate across industries. Two years ago, the Federal Reserve released a joint paper on the topic, signaling future intent.
Join me live for a live webinar
There is so much to say on this topic, and many have more significant expertise than I. However, I am excited to share that I will be joining my co-founders, Mark Hoffman and Lisa Jones, from the Resilience Think Tank on Friday, February 18th. The webinar hosted by ClearRisk enables us to speak about Operational Resilience: The Relationship between Risk and Resilience. Please join as we discuss the connections between these disciplines and touch on operational resilience considerations.