Business resilience vs.

business continuity:
Key differences
Business continuity and resilience go hand in hand and play
a role in an organization's disaster recovery plan.
Essentially, business continuity is needed to achieve
resilience.
When the term resilience first made its appearance more than two decades ago, the business continuity
community wondered if it meant the end of the term business continuity and of the profession that has
been around since the 1980s. In the years since its emergence, resilience has become an increasingly
important factor in how business and government organizations operate.

Resilience has evolved into a key component of the overall business and government survivability
landscapes, whereas BC remains as an important operational activity that is often used interchangeably
with business resilience.

What does business continuity mean?

According to ISO 22301:2019, Security and resilience -- Business continuity management

systems -- Requirements, business continuity is defined as the "capability of an organization to
continue the delivery of products and services within acceptable time frames at predefined
capacity during a disruption."

In practice, BC merges a number of specific activities -- disaster recovery (DR) and incident
management, for example -- into a holistic approach that establishes a series of internal and
external activities an organization can initiate to respond to an incident, recover from the
situation and resume business operations to an acceptable level. When this level of activity is
achieved, the organization can notify its employees and stakeholders that it has resumed business
operations.

What does business resilience mean?

The term organizational resilience can be considered another way of saying business resilience.
ISO 22316:2017, Security and resilience -- Organizational resilience -- Principles and attributes,
defines organizational or business resilience as the "ability of an organization to absorb and
adapt in a changing environment."

For example, when a rubber band is stretched and then released, it returns to its original shape. A
resilient business has the people, culture, procedures, technology, facilities and more to return to
its previous state of operation. This can happen following an event that might otherwise disrupt
the firm or shut it down. Such an organization can deliver resilience using the following
techniques:

 BC management;
 technology DR;
 incident response and management;
 emergency management;
 business impact analysis (BIA);
 risk management;
 testing the plan and associated technologies;
 emergency communications;
 a culture of resilience embraced by employees; and
 senior leadership committed to resilience.

A business resilience plan, also referred to as an organizational resilience plan, results from the
collaboration and blending of the above activities and their outcomes into a concise plan.

The flavors of resilience

Organizational resilience and operational resilience are among the current implementations of
resilience.

At the moment, much of the attention focuses on organizational resilience, which addresses the
entire organization, its people, culture, business processes, technology infrastructure and physical
facilities. The idea is to link all relevant elements of an organization into a cohesive unit that can
collectively regroup, recover, modify as needed and resume operations following an incident.

By contrast, operational resilience focuses more on actual business processes, such as an

assembly line the organization uses to prepare its work product. Although the terms seem to be
separate entities, it makes more sense to position operational resilience as a necessary component
of organizational resilience.

Another variant, supply chain resilience, defines steps to ensure that supply chains can be
quickly recovered and returned to their normal functions. The concept also enables changes to
the supply chain that can provide yet more survivability. Supply chain resilience has been
embraced as a result of the COVID-19 pandemic, which has crippled many supply chains over
the past two years.

What are the differences between business resilience vs. business continuity?

Think of business continuity as a set of procedures that, when activated, help an organization
return to operational status so it can resume providing products and services. Business or
organizational resilience is the capability to absorb a shock to operations and then rebound to a
level of operations that is acceptable to company management, employees and stakeholders.
Figure 1 provides a visual comparison of the two terms. With business continuity, the goal is to
resume operations sufficiently to provide products and services. By contrast, a business
resilience plan assumes operations will resume and accommodates the possibility of changes.
Depending on the event and how it affects the business, the organization might have to adapt
how it operates to support a new normal resulting from the event. The obvious example of this
resilience is the many business and government entities that had to embrace remote working
during the pandemic and then found that their corporate cultures and how they functioned daily
had to change.

Continuity and resilience plans

BC and business resilience plans might have similar structures and require the same analytical
processes, such as BIA and risk analysis. Both plans will likely include procedures to recover
from and resume business operations.

However, a business resilience plan might go beyond a BC plan by providing guidance and
procedures to return the business -- especially the culture -- to a state that is more conducive and
adaptive to how the business should operate in the aftermath of the disruption. The business
resilience plan might even be a separate document that is activated once the BC plan has
achieved its goals or recovered business functions.

Creating a business resilience plan can be as simple as redefining a business continuity plan, as
most of the activities are the same. Key goals in a business resilience plan include the following:

 identifying how the business should function following the event;

 defining how the business anticipates the potential of an incident and prepares for it;
 determining alternate or interim methods of operating the business; and
 recognizing the effect of company culture on business recovery.
Standards for resilience

Two standards currently define and establish methods for achieving resilience. The first standard,
ASIS SPC.1-2009, Organizational Resilience: Security, Preparedness, and Continuity
Management Systems -- Requirements with Guidance for Use, dates back to 2009 and was
developed by ASIS International. It uses the management system model used by other standards
organizations, such as ISO.

The more recent resilience standard is ISO 22316:2017, as noted earlier in this article. One of the
key differences between business resilience and BC standards is the importance of anticipating
potential disruptions instead of simply responding to them. Using risk management and other
techniques to better identify potential business risks, threats and vulnerabilities, the new standard
also embraces the need for more management processes that focus on company culture as part of
an organization's ability to prepare for and prevent disruptive events.

How are business resilience and business continuity similar?

Business continuity provides procedures to return critical business functions, systems, facilities
where the work is done and the people that support them to a state where the organization can
fulfill its commitments and obligations. These activities are part of an overall program to ensure
the organization can minimize the chances for an incident to occur and -- if one does occur -- has
the resources, culture and commitment to mitigate the event, recover, survive and prosper.

Business resilience builds on each of the activities noted above to return the organization to a
normal state of operation.

Why you need a business resilience plan and how it works

For organizations committed to protecting their ability to function, especially following a

disruptive event, a business resilience plan built on a BC plan foundation could be the answer.
Before reaching that point, however, ensure the various plans and activities listed earlier in this
article are developed and regularly exercised to ensure they fulfill their specific objectives.
Figure 2. Incorporate and test various processes in the business resilience plan.

Perhaps a key aspect of a business resilience plan is to define the end state of the organization following
completion of all relevant recovery and resumption processes. It's easy to say an organization has
recovered from an incident. But does that mean it's resilient? Ultimately, the organization must
determine what constitutes a state of resilience.