If there is one thing that businesses around the world have learned this year, it is this: nothing is certain. When we wished each other Happy New Year, most of us expected life to go on as usual. But as Dr. Spencer Johnson said in his best-selling book Who Moved My Cheese,
“Life is no straight and easy corridor along which we travel free and unhampered, but a maze of passages, through which we must seek our way, lost and confused, now and again checked in a blind alley”.
All businesses want to flourish regardless of the season, but this calls for forward planning and risk management to make one prepared for the unforeseen. And this brings us to two terms—business continuity and business resiliency—that are used interchangeably but are different in some ways.
Let’s take a look.
What is Business Continuity?
The ISO 22300:2018 standard defines business continuity as:
“The capability of an organization to continue the delivery of products or services at acceptable predefined levels following a disruption”.
A disruption could be anything from your superstar employee moving to your competitor, new legislation forcing you to make drastic changes to your products, or an unforeseen event in the local or global economy that destroys what you have taken years to build. Business continuity means anticipating such disruptions and preparing a plan to ensure that you can continue business operations if the disruptions materialize.
We can use the Plan Do Check Act (PDCA) cycle to describe the activities involved in business continuity management:
Planning for business continuity mainly involves:
- Understanding the environment in which your organization operates.
- Identifying potential risks which, if they materialize, can disrupt day-to-day operations. As you identify risks, you’ll classify, prioritize, and determine mitigation actions.
In addition, business impact analysis exercises are used to identify critical business processes, the underlying assets that support them, and the potential impact the organization faces should the assets or processes be disrupted. Here, key metrics such as RTO, RPO, and MAO are used to determine the acceptable disruption and required speed of continuity.
This involves implementing the control measures that would ensure continuity in case disruption occurs in line with the business continuity plan. These would include:
- Appropriate IT systems
- Defined target metrics
As people are expected to implement the business continuity plan, you must provide training for key players and create awareness for everyone involved to ensure alignment and preparation for the unexpected.
The organization must continue to regularly check whether the control measures are working and remain relevant to meeting the organization’s needs, especially as the environment changes. Testing will identify whether the continuity metrics can be met using existing measures or more is required.
Based on the results of the tests and actual disruptions, the leadership will need to take both corrective and preventive action to ensure the business continuity plan remains effective for the ever-evolving context that the business faces.
What is Business Resiliency?
The ISO 22316:2017 standard defines organizational resilience as:
“The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”
ITIL 4 defines resilience as the ability of an organization to anticipate, prepare for, respond to, and adapt to both incremental changes and sudden disruptions from an external perspective.
In simple terms, it means taking a blow and recovering from it. For a business, that means that when disruption occurs, you have mechanisms in place to absorb the hit without significant impairment to your business operations.
In order to have a framework for effective organizational resilience, there are certain principles that need to be adhered to. Resilience requires:
- Behaviour that is aligned with a shared vision and purpose
- An up-to-date understanding of an organization’s context
- Ability to absorb, adapt, and effectively respond to change
- Good governance and management
- Diversity of skills, leadership, knowledge, and experience
- Coordination across management disciplines and contributions from technical and scientific areas of expertise
- Effective risk management
With these principles in place, you can deploy a coordinated approach that provides:
- A mandate to ensure the organization’s leadership is committed to enhance organizational resilience
- Adequate resources needed to enhance the organization’s resilience
- Appropriate governance structures to achieve the effective coordination of organizational resilience activities
- Mechanisms to ensure investments in resilience activities are appropriate to the organization’s internal and external context
- Systems that support the effective implementation of organizational resilience activities
- Arrangements to evaluate and enhance resilience in support of organizational requirements
- Effective communications to improve understanding and decision making
Continuity vs Resilience: Next steps
According to PWC, business resilience builds on the principles of business continuity but extends much further to help enhance an organization’s immune system to be able to tackle challenges, fend off illness and bounce back more quickly.
How to increase Business Resiliency
As there is no single approach to enhance an organization’s resilience, it is more realistic to consider it the result of:
- The relationships and interactions of attributes and activities.
- Contributions from other management disciplines such as disaster recovery, crisis management, and business continuity, which by themselves are insufficient to lead to resilience.
Similar to business continuity, there is a lot of emphasis in organizational resilience on understanding the environment, identifying and assessing potential risks that could disrupt the business operations, and planning to deal with the disruption if it occurs. However, while business continuity is process centric, resilience is more strategic in nature, being a holistic approach that is influenced by a unique interaction and combination of strategic and operational factors.
For more on business practices and culture, explore the BMC Business of IT Blog and these articles: