Business Continuity vs. Operational Resilience

  • 15 Nov 2022
  • Viktorija,  Stéphane
BC_vs_OR_CMS.png 1

We are nearing the end of 2022, another year has almost passed, and despite the lockdowns, social distancing, masks, vaccines, and boosters, the pandemic is still not over. We have learned how to coexist with COVID-19, however, even if we are witnessing cities going back to a (new) normal way of living, as a society, we are changed forever.

It is a peculiar time for Business Continuity professionals. I remember vividly, back in March 2020, the day when the first lockdown was implemented. It was my son’s birthday. I also remember a tsunami of work phone calls and Teams meetings, all while my little champion was blowing out his candles to a quiet ‘happy birthday to you’.

In those initial days of the pandemic, organizations were turning to their Business Continuity managers hoping for a miracle solution, only to find out that their planned pandemic strategies were not fit to meet the situation.

Newspapers began featuring Business Continuity, which in a brief time - perhaps because of the context around the situation - was transformed into "Resilience", without clarifying the differences between the two. Driven by this trend, many professionals hurried up to replace (CTRL + H) the much-loved terminology with a new, and more flamboyant one (ranging between the concepts of business, organizational or Operational Resilience), but without justifying the change of concept. That’s why I find the BCI’s first report on Operational Resilience interesting, because it highlighted the misunderstood confusion that ‘Operational Resilience is just Business Continuity done well.’

This article is the first of a series produced with the valuable support of Viktorija Goryte. The series will focus on Operational Resilience with a personal representation of the main differences between Operational Resilience and Business Continuity (no, they are not the same thing!), leveraging on different disciplines that deal with the matters of prevention and preparedness.

Stephane Speich

Defining Business Continuity and Operational Resilience

When trying to define the differences between Business Continuity and Operational Resilience, it is necessary to analyze the documents published by the international organizations which guide the professionals on the subject. The BCI defines Business Continuity as “the strategic and tactical capability of the organization to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level.”

When it comes to the definition of Resilience, from the international ISO 22301 standard, the Basel Committee on Banking Supervision Principles (Principles for Operational Resilience), to The BCI and the latest Policy of the Financial Conduct Authority (FCA), we can find some similarities and differences:

  • In its 2012 version, the ISO standard introduced the concept of Resilience, linking it to the ability to identify and assess the impact of threats with the potential to cause disruption to services; or rather to the definition of a Resilience (organizational) model for ensuring an effective response
  • the Basel Committee defines Operational Resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from, disruptive events in order to minimise their impact on the delivery of critical operations through disruption.
  • Finally, the FCA defines (Operational) Resilience as the ability to prevent, adapt, respond, recover, and learn from operational disruptions, while introducing an element of novelty, namely the assessment of impact and the (intolerable) damage that the organization could cause for its clients in the event of interruption of the services offered.

These are some of the most representative definitions of Resilience and continuity, recognized internationally, thus by following them continuity and Resilience can therefore be referred to respectively as:

    • the reactive ability to survive and restart, or to continue to provide services / products (at a minimum acceptable level) in the face of a serious sudden event.
    • or the fundamental ability to resist external stresses, often associated with a concept of proactivity and increased (own) flexibility.

Two approaches, one goal

To analyze the two approaches, it is essential to shed some light and simplify the basic concepts of business, organizational and operational. These concepts can be defined as follows:

    • Business, meaning the characteristic activity of a company, the main one carried out and helping to distinguish it from other companies. It bases its functioning on different internal and external capacities, such as: organizational, operational, financial, administrative, communication, etc.
    • Organizational, meaning the structure of the organization implemented through cross-functional models that represent the functioning of the entire organization (e.g., by process or organizational structure) in its strategic, tactical, and operational levels.
    • Operational, meaning the set of resources (e.g., people, systems, infrastructures, sites, information, etc.) that constitute the beating heart of an organization, or its operational capacity.

Thus, having defined continuity and Resilience, and simplified the concepts of business, organizational and operations, some considerations about the two arise.

Firstly, Business Continuity’s most distinctive feature is that it trains the reactive ability of an organization to respond to serious events, while Operational Resilience is defined by developing the (preventive) ability of an organization to be flexible in any distressing situation.

“Flexibility during distressing situations is an essential quality for a resilient organization, this can be compared to a bamboo cane that bends but does not break.”

To understand the flexibility of Operational Resilience, we can use the example a bamboo cane that bends but does not break (still fresh in my mind, during a trip to Hong Kong, the astonishment after seeing how bamboo was used for building support).

 

Secondly, Business Continuity is developed with a cost-benefit approach, dependent on the possibility of an event happening, while Operational Resilience considers that the event will happen (Black Swan concept). Therefore, Operational Resilience does not require “activation”, as it is part of the way an organization operates, while Business Continuity solutions are “activated” during extraordinary events.

However, it is important to note that being operationally resilient, within the different dimensions of an organization (e.g., operational, IT and infrastructural, HR, Corporate Security, Digital Security, etc.), does not necessarily mean being able to restart all services immediately in the face of an extraordinary event. It concerns more the ability to continue to provide certain "important" services while working on restoring the remaining ones thanks to acquired flexibility.

By identifying “important services” and safeguarding every step of its “process chain” (including outsourced processes), and implementing alternative solutions and workarounds, an organization can become flexible enough to avoid interrupting the supply of services to its clients - regardless of the scenario’s type and intensity.

Proactivity plays a key role here. It is important that resiliency solutions and workarounds are embedded in the ordinary management of those important services. In this way, when an extraordinary event occurs an organization can avoid having to activate lengthy procedures. The essential trait of Operational Resilience is flexibility, thus there should not be any unnecessary delays in switching to alternative solutions.

Does Operational Resilience replace Business Continuity?

The short answer is no. The two disciplines should not be seen as opposite, or one being the predecessor to another. An effective Business Continuity process enables Operational Resilience, even if it is not the panacea for all ills. A well implemented Business Continuity Management process provides an organization with strategies to manage disruptive events that bring a partial or complete unavailability of its key assets, such as people, building, ICT and/or suppliers.

On the other hand, Operational Resilience manages daily events which can pose a risk to the continuity of important services. The flexible nature of Resilience allows organizations to contain most disruptive events and prevent them from escalating into larger crisis situations that would require the activation of Business Continuity strategies. However, for those disruptive events that cannot be contained, Business Continuity Plans must be activated.

This planning and preparation process allows for Operational Resilience to manage daily risks and threats, and limits the activation of Business Continuity measures to only when severe disruptions occur.

An Opportunity for Operational Resilience

Today, most financial sector organizations have well established Business Continuity Management processes in place. Moreover, several national and international regulators now require it.  

However, Operational Resilience strategies are still a work in progress. The soon to be released new directives (e.g., ECB, Basel, DORA, etc.) clarify the common interest in undertaking the path to Resilience. These should be taken as an opportunity for improvement by reviewing organizations’ Risk Management processes and how to make them more efficient towards Operational Resilience. Making the most of an implemented Business Continuity Management process (BIA interviews, impact assessment, etc.) can be a great start for a strategic review of services and strategies striving for Resilience.

In our next article “Getting ready for the unpredictable: how to find a right approach?” we will be discussing three approaches that an organization can take.

More on
About the author